

#  WELCOME TO SQUID 2.6.STABLE18
#
#  This is the default Squid configuration file. You may wish
#  to look at the Squid home page (http://www.squid-cache.org/)
#  for the FAQ and other documentation.
#
#  The default Squid config file shows what the defaults for
#  various options happen to be. If you don't need to change the
#  default, you shouldn't uncomment the line. Doing so may cause
#  run-time problems. In some cases "none" refers to no default
#  setting at all, while in other cases it refers to a valid
#  option; the comments for that keyword indicate if this is the
#  case.

# OPTIONS FOR AUTHENTICATION
#
#  TAG: auth_param
#	This is used to define parameters for the various authentication
#	schemes supported by Squid.
#
#	format: auth_param scheme parameter [setting]
#
#	The order in which authentication schemes are presented to the client is
#	dependent on the order the scheme first appears in config file. IE
#	has a bug (it's not RFC 2617 compliant) in that it will use the basic
#	scheme if basic is the first entry presented, even if more secure
#	schemes are presented. For now use the order in the recommended
#	settings section below. If other browsers have difficulties (don't
#	recognize the schemes offered even if you are using basic) either
#	put basic first, or disable the other schemes (by commenting out their
#	program entry).
#
#	Once an authentication scheme is fully configured, it can only be
#	shut down by shutting squid down and restarting. Changes can be made on
#	the fly and activated with a reconfigure. I.E. You can change to a
#	different helper, but not unconfigure the helper completely.
#
#	Please note that while this directive defines how Squid processes
#	authentication it does not automatically activate authentication.
#	To use authentication you must in addition make use of ACLs based
#	on login name in http_access (proxy_auth, proxy_auth_regex or
#	external with %LOGIN used in the format tag). The browser will be
#	challenged for authentication on the first such acl encountered
#	in http_access processing and will also be re-challenged for new
#	login credentials if the request is being denied by a proxy_auth


#	type acl.
#
#	WARNING: authentication can't be used in a transparently intercepting
#	proxy as the client then thinks it is talking to an origin server and
#	not the proxy. This is a limitation of bending the TCP/IP protocol to
#	transparently intercepting port 80, not a limitation in Squid.
#
#	=== Parameters for the basic scheme follow. ===
#
#	"program" cmdline
#	Specify the command for the external authenticator. Such a program
#	reads a line containing "username password" and replies "OK" or
#	"ERR" in an endless loop. "ERR" responses may optionally be followed
#	by an error description available as %m in the returned error page.
#
#	By default, the basic authentication scheme is not used unless a
#	program is specified.
#
#	If you want to use the traditional proxy authentication, jump over to
#	the helpers/basic_auth/NCSA directory and type:
#	% make
#	% make install
#
#	Then, set this line to something like
#
#	auth_param basic program /usr/lib/squid/ncsa_auth /usr/etc/passwd
#
#	"children" numberofchildren
#	The number of authenticator processes to spawn. If you start too few
#	squid will have to wait for them to process a backlog of credential
#	verifications, slowing it down. When credential verifications are
#	done via a (slow) network you are likely to need lots of
#	authenticator processes.
#	auth_param basic children 5
#
#	"concurrency" numberofconcurrentrequests
#	The number of concurrent requests/channels the helper supports.
#	Changes the protocol used to include a channel number first on
#	the request/response line, allowing multiple requests to be sent
#	to the same helper in parallel without waiting for the response.
#	Must not be set unless it's known the helper supports this.
#
#	"realm" realmstring
#	Specifies the realm name which is to be reported to the client for
#	the basic proxy authentication scheme (part of the text the user
#	will see when prompted for their username and password).
#	auth_param basic realm Squid proxy-caching web server
#
#	"credentialsttl" timetolive
#	Specifies how long squid assumes an externally validated


#	username:password pair is valid for, in other words how often the
#	helper program is called for that user. Set this low to force
#	revalidation with short lived passwords. Note that setting this high
#	does not impact your susceptibility to replay attacks unless you are
#	using a one-time password system (such as SecureID). If you are using
#	such a system, you will be vulnerable to replay attacks unless you
#	also use the max_user_ip ACL in an http_access rule.
#	auth_param basic credentialsttl 2 hours
#
#	"casesensitive" on|off
#	Specifies if usernames are case sensitive. Most user databases are
#	case insensitive allowing the same username to be spelled using both
#	lower and upper case letters, but some are case sensitive. This
#	makes a big difference for user_max_ip ACL processing and similar.
#	auth_param basic casesensitive off
#
#	"blankpassword" on|off
#	Specifies if blank passwords should be supported. Defaults to off
#	as there are multiple authentication backends which handle blank
#	passwords as "guest" access.
#
#	=== Parameters for the digest scheme follow ===
#
#	"program" cmdline
#	Specify the command for the external authenticator. Such a program
#	reads a line containing "username":"realm" and replies with the
#	appropriate H(A1) value hex encoded or ERR if the user (or his H(A1)
#	hash) does not exist. See RFC 2616 for the definition of H(A1).
#	"ERR" responses may optionally be followed by an error description
#	available as %m in the returned error page.
#
#	By default, the digest authentication scheme is not used unless a
#	program is specified.
#
#	If you want to use a digest authenticator, jump over to the
#	helpers/digest_auth/ directory and choose the authenticator to use.
#	In its directory type
#	% make
#	% make install
#
#	Then, set this line to something like
#
#	auth_param digest program /usr/lib/squid/digest_auth_pw /usr/etc/digpass
#
#	"children" numberofchildren
#	The number of authenticator processes to spawn. If you start too few
#	squid will have to wait for them to process a backlog of credential
#	verifications, slowing it down. When credential verifications are
#	done via a (slow) network you are likely to need lots of
#	authenticator processes.


#	auth_param digest children 5
#
#	"concurrency" numberofconcurrentrequests
#	The number of concurrent requests/channels the helper supports.
#	Changes the protocol used to include a channel number first on
#	the request/response line, allowing multiple requests to be sent
#	to the same helper in parallel without waiting for the response.
#	Must not be set unless it's known the helper supports this.
#
#	"realm" realmstring
#	Specifies the realm name which is to be reported to the client for the
#	digest proxy authentication scheme (part of the text the user will see
#	when prompted for their username and password).
#	auth_param digest realm Squid proxy-caching web server
#
#	"nonce_garbage_interval" timeinterval
#	Specifies the interval that nonces that have been issued to clients are
#	checked for validity.
#	auth_param digest nonce_garbage_interval 5 minutes
#
#	"nonce_max_duration" timeinterval
#	Specifies the maximum length of time a given nonce will be valid for.
#	auth_param digest nonce_max_duration 30 minutes
#
#	"nonce_max_count" number
#	Specifies the maximum number of times a given nonce can be used.
#	auth_param digest nonce_max_count 50
#
#	"nonce_strictness" on|off
#	Determines if squid requires strict increment-by-1 behavior for nonce
#	counts, or just incrementing (off for use when user agents generate
#	nonce counts that occasionally miss 1 (ie, 1,2,4,6)).
#	auth_param digest nonce_strictness off
#
#	"check_nonce_count" on|off
#	This directive if set to off can disable the nonce count check
#	completely to work around buggy digest qop implementations in certain
#	mainstream browser versions. Default on to check the nonce count to
#	protect from authentication replay attacks.
#	auth_param digest check_nonce_count on
#
#	"post_workaround" on|off
#	This is a workaround for certain buggy browsers which send an incorrect
#	request digest in POST requests when reusing the same nonce as acquired
#	earlier in response to a GET request.
#	auth_param digest post_workaround off
#
#	=== NTLM scheme options follow ===
#
#	"program" cmdline


#	Specify the command for the external NTLM authenticator. Such a
#	program participates in the NTLMSSP exchanges between Squid and the
#	client and reads commands according to the Squid NTLMSSP helper
#	protocol. See helpers/ntlm_auth/ for details. Recommended ntlm
#	authenticator is ntlm_auth from Samba-3.X, but a number of other
#	ntlm authenticators are available.
#
#	By default, the ntlm authentication scheme is not used unless a
#	program is specified.
#
#	auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
#
#	"children" numberofchildren
#	The number of authenticator processes to spawn. If you start too few
#	squid will have to wait for them to process a backlog of credential
#	verifications, slowing it down. When credential verifications are
#	done via a (slow) network you are likely to need lots of
#	authenticator processes.
#	auth_param ntlm children 5
#
#	"keep_alive" on|off
#	This option enables the use of keep-alive on the initial
#	authentication request. It has been reported some versions of MSIE
#	have problems if this is enabled, but performance will be increased
#	if enabled.
#	auth_param ntlm keep_alive on
#
#	=== Negotiate scheme options follow ===
#
#	"program" cmdline
#	Specify the command for the external Negotiate authenticator. Such a
#	program participates in the SPNEGO exchanges between Squid and the
#	client and reads commands according to the Squid ntlmssp helper
#	protocol. See helpers/ntlm_auth/ for details. Recommended SPNEGO
#	authenticator is ntlm_auth from Samba-4.X.
#
#	By default, the Negotiate authentication scheme is not used unless a
#	program is specified.
#
#	auth_param negotiate program /path/to/samba/bin/ntlm_auth --helper-protocol=gss-spnego
#
#	"children" numberofchildren
#	The number of authenticator processes to spawn. If you start too few
#	squid will have to wait for them to process a backlog of credential
#	verifications, slowing it down. When credential verifications are
#	done via a (slow) network you are likely to need lots of
#	authenticator processes.
#	auth_param negotiate children 5
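# Added example, not part of the Squid distribution: a Python helper that speaks
# the basic ("username password" in, OK/ERR out) and digest ("username":"realm"
# in, hex H(A1) or ERR out) "program" line protocols described above. The USERS
# table, REALM value and the "digest" command-line switch are constructed here;
# a real helper would read a password file such as the ncsa_auth one.

```python
import hashlib
import hmac
import sys

# Constructed credential table (an assumption; a real helper reads a password file).
USERS = {"alice": "s3cret", "bob": "hunter2"}
# Must match the "auth_param digest realm" setting, otherwise H(A1) never verifies.
REALM = "Squid proxy-caching web server"


def basic_reply(line: str) -> str:
    """basic scheme: one 'username password' request line -> 'OK' or 'ERR [message]'.

    The text after ERR is what Squid exposes as %m in the error page."""
    parts = line.rstrip("\n").split(" ", 1)
    if len(parts) != 2 or not parts[1]:
        # blankpassword defaults to off, so an empty password is a failure here too
        return "ERR Malformed request or blank password"
    user, password = parts
    stored = USERS.get(user)
    # compare_digest keeps the comparison constant-time for equal-length inputs
    if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
        return "ERR Login failure"
    return "OK"


def digest_h_a1(user: str, realm: str, password: str) -> str:
    """H(A1) = MD5(username:realm:password), hex encoded, as the digest helper returns it."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()


def digest_reply(line: str) -> str:
    """digest scheme: one '"username":"realm"' request line -> hex H(A1) or 'ERR [message]'."""
    line = line.rstrip("\n")
    if not (line.startswith('"') and line.endswith('"') and '":"' in line):
        return "ERR Malformed request"
    user, realm = line[1:-1].split('":"', 1)
    stored = USERS.get(user)
    if stored is None or realm != REALM:
        # Same reply for unknown user and wrong realm: do not leak which one it was.
        return "ERR No such user in this realm"
    return digest_h_a1(user, realm, stored)


def serve(handler, stdin=sys.stdin, stdout=sys.stdout):
    """The endless loop Squid expects: one request line in, one reply line out, flushed."""
    for line in stdin:
        stdout.write(handler(line) + "\n")
        stdout.flush()


if __name__ == "__main__":
    # e.g. auth_param digest program /path/to/this_helper.py digest   (path assumed)
    serve(digest_reply if "digest" in sys.argv[1:] else basic_reply)
```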

#	"keep_alive" on|off
#	If you experience problems with PUT/POST requests when using the
#	Negotiate authentication scheme then you can try setting this to
#	off. This will cause Squid to forcibly close the connection on
#	the initial requests where the browser asks which schemes are
#	supported by the proxy.
#
#	auth_param negotiate keep_alive on
#
#Recommended minimum configuration per scheme:
#auth_param negotiate program <uncomment and complete this line to activate>
#auth_param negotiate children 5
#auth_param negotiate keep_alive on
#auth_param ntlm program <uncomment and complete this line to activate>
#auth_param ntlm children 5
#auth_param ntlm keep_alive on
#auth_param digest program <uncomment and complete this line>
#auth_param digest children 5
#auth_param digest realm Squid proxy-caching web server
#auth_param digest nonce_garbage_interval 5 minutes
#auth_param digest nonce_max_duration 30 minutes
#auth_param digest nonce_max_count 50
#auth_param basic program <uncomment and complete this line>
#auth_param basic children 5
#auth_param basic realm Squid proxy-caching web server
#auth_param basic credentialsttl 2 hours
#auth_param basic casesensitive off

#  TAG: authenticate_cache_garbage_interval
#	The time period between garbage collection across the username cache.
#	This is a tradeoff between memory utilization (long intervals, say
#	2 days) and CPU (short intervals, say 1 minute). Only change if you
#	have good reason to.
#
#Default:
# authenticate_cache_garbage_interval 1 hour

#  TAG: authenticate_ttl
#	The time a user & their credentials stay in the logged in user cache
#	since their last request. When the garbage interval passes, all user
#	credentials that have passed their TTL are removed from memory.
#
#Default:
# authenticate_ttl 1 hour

#  TAG: authenticate_ip_ttl
#	If you use proxy authentication and the 'max_user_ip' ACL, this
#	directive controls how long Squid remembers the IP addresses
#	associated with each user. Use a small value (e.g., 60 seconds) if
#	your users might change addresses quickly, as is the case with

#	dialups. You might be safe using a larger value (e.g., 2 hours) in a
#	corporate LAN environment with relatively static address assignments.
#
#Default:
# authenticate_ip_ttl 0 seconds

# ACCESS CONTROLS
#
#  TAG: external_acl_type
#	This option defines external acl classes using a helper program to
#	look up the status
#
#	external_acl_type name [options] FORMAT.. /path/to/helper [helper arguments..]
#
#	Options:
#
#	  ttl=n		TTL in seconds for cached results (defaults to 3600
#			for 1 hour)
#	  negative_ttl=n
#			TTL for cached negative lookups (default same
#			as ttl)
#	  children=n	number of processes spawned to service external acl
#			lookups of this type. (default 5).
#	  concurrency=n	concurrency level per process. Only used with helpers
#			capable of processing more than one query at a time.
#			Note: see compatibility note below
#	  cache=n	result cache size, 0 is unbounded (default)
#	  grace=	Percentage remaining of TTL where a refresh of a
#			cached entry should be initiated without needing to
#			wait for a new reply. (default 0 for no grace period)
#	  protocol=2.5	Compatibility mode for Squid-2.5 external acl helpers
#
#	FORMAT specifications
#
#	  %LOGIN	Authenticated user login name
#	  %EXT_USER	Username from external acl
#	  %IDENT	Ident user name
#	  %SRC		Client IP
#	  %SRCPORT	Client source port
#	  %DST		Requested host
#	  %PROTO	Requested protocol
#	  %PORT		Requested port
#	  %METHOD	Request method
#	  %MYADDR	Squid interface address
#	  %MYPORT	Squid http_port number
#	  %PATH		Requested URL path (including query-string if any)
#	  %USER_CERT	SSL User certificate in PEM format
#	  %USER_CERTCHAIN SSL User certificate chain in PEM format


#	  %USER_CERT_xx	SSL User certificate subject attribute xx
#	  %USER_CA_xx	SSL User certificate issuer attribute xx
#	  %{Header}	HTTP request header
#	  %{Hdr:member}	HTTP request header list member
#	  %{Hdr:;member}
#			HTTP request header list member using ; as
#			list separator. ; can be any non-alphanumeric
#			character.
#	  %ACL		The ACL name
#	  %DATA		The ACL arguments. If not used then any arguments
#			are automatically added at the end
#
#	In addition to the above, any string specified in the referencing
#	acl will also be included in the helper request line, after the
#	specified formats (see the "acl external" directive)
#
#	The helper receives lines per the above format specification,
#	and returns lines starting with OK or ERR indicating the validity
#	of the request and optionally followed by additional keywords with
#	more details.
#
#	General result syntax:
#
#	  OK/ERR keyword=value ...
#
#	Defined keywords:
#
#	  user=		The users name (login also understood)
#	  password=	The users password (for PROXYPASS login= cache_peer)
#	  message=	Error message or similar used as %o in error messages
#			(error also understood)
#	  log=		String to be logged in access.log. Available as
#			%ea in logformat specifications

#	If protocol=3.0 (the default) then URL escaping is used to protect
#	each value in both requests and responses.
#
#	If using protocol=2.5 then all values need to be enclosed in quotes
#	if they may contain whitespace, or the whitespace escaped using \.
#	And quotes or \ characters within the keyword value must be \ escaped.
#
#	When using the concurrency= option the protocol is changed by
#	introducing a query channel tag in front of the request/response.
#	The query channel tag is a number between 0 and concurrency-1.
#
#	Compatibility Note: The children= option was named concurrency= in
#	Squid-2.5.STABLE3 and earlier, and was accepted as an alias for the
#	duration of the Squid-2.5 releases to keep compatibility. However,
#	the meaning of concurrency= option has changed in Squid-2.6 to match
#	that of Squid-3 and the old syntax no longer works.
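# Added example, not part of Squid: a Python external_acl_type helper speaking
# the protocol=3.0 line format above with concurrency= channel tags. It assumes
# a constructed squid.conf of
#   external_acl_type bydst concurrency=4 %SRC %LOGIN %DST /path/to/this_helper.py
#   acl allowed_dst external bydst
# and that Squid sends "-" for an absent %LOGIN; POLICY and TRUSTED_NETS are
# constructed sample data.

```python
import sys
from urllib.parse import quote, unquote

# Constructed policy: which authenticated user may reach which destination host.
POLICY = {
    "alice": {"intranet.example.test", "www.example.test"},
    "bob": {"www.example.test"},
}
# Constructed: source address prefixes this helper is willing to answer OK for.
TRUSTED_NETS = ("10.0.0.",)


def decide(src: str, login: str, dst: str) -> str:
    """Return the OK/ERR result (without channel tag) for one already-unescaped lookup.

    Every keyword value is URL-escaped on the way back, as protocol=3.0 requires."""
    if not src.startswith(TRUSTED_NETS):
        return "ERR message=" + quote("source %s not trusted" % src)
    if login == "-":  # assumption: Squid substitutes "-" when %LOGIN is empty
        return "ERR message=" + quote("authentication required")
    if dst in POLICY.get(login, ()):
        # user= becomes %EXT_USER / ext_user acls, log= becomes %ea in logformat
        return "OK user=%s log=%s" % (quote(login), quote("dst ok: %s" % dst))
    return "ERR message=" + quote("user %s may not reach %s" % (login, dst))


def handle_line(line: str, concurrency: int = 4) -> str:
    """Parse one request line 'channel %SRC %LOGIN %DST' and build the reply line.

    With concurrency= set, the first token is the channel tag (0..concurrency-1)
    and must be echoed back so Squid can match the reply to its outstanding query."""
    fields = line.rstrip("\n").split()
    if len(fields) < 4:
        return "ERR message=" + quote("malformed request")  # no channel tag to echo
    channel = fields[0]
    if not channel.isdigit() or int(channel) >= concurrency:
        return "ERR message=" + quote("bad channel tag")
    # Request values arrive URL-escaped (protocol=3.0); decode before use.
    src, login, dst = (unquote(f) for f in fields[1:4])
    return "%s %s" % (channel, decide(src, login, dst))


def serve(stdin=sys.stdin, stdout=sys.stdout):
    """Endless loop: Squid writes one query per line and reads one reply per line."""
    for line in stdin:
        stdout.write(handle_line(line) + "\n")
        stdout.flush()


if __name__ == "__main__":
    serve()
```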

#
#Default:
# none

#  TAG: acl
#	Defining an Access List
#
#	acl aclname acltype string1 ...
#	acl aclname acltype "file" ...
#
#	when using "file", the file should contain one item per line
#
#	acltype is one of the types described below
#
#	By default, regular expressions are CASE-SENSITIVE. To make
#	them case-insensitive, use the -i option.
#
#	acl aclname src      ip-address/netmask ... (clients IP address)
#	acl aclname src      addr1-addr2/netmask ... (range of addresses)
#	acl aclname dst      ip-address/netmask ... (URL host's IP address)
#	acl aclname myip     ip-address/netmask ... (local socket IP address)
#
#	acl aclname arp      mac-address ... (xx:xx:xx:xx:xx:xx notation)
#	  # The arp ACL requires the special configure option --enable-arp-acl.
#	  # Furthermore, the arp ACL code is not portable to all operating systems.
#	  # It works on Linux, Solaris, FreeBSD and some other *BSD variants.
#	  #
#	  # NOTE: Squid can only determine the MAC address for clients that are on
#	  # the same subnet. If the client is on a different subnet, then Squid cannot
#	  # find out its MAC address.
#
#	acl aclname srcdomain   .foo.com ...	# reverse lookup, client IP
#	acl aclname dstdomain   .foo.com ...	# Destination server from URL
#	acl aclname srcdom_regex [-i] xxx ...	# regex matching client name
#	acl aclname dstdom_regex [-i] xxx ...	# regex matching server
#	  # For dstdomain and dstdom_regex a reverse lookup is tried if a IP
#	  # based URL is used and no match is found. The name "none" is used
#	  # if the reverse lookup fails.
#
#	acl aclname time     [day-abbrevs]  [h1:m1-h2:m2]
#	    day-abbrevs:
#		S - Sunday
#		M - Monday
#		T - Tuesday
#		W - Wednesday
#		H - Thursday
#		F - Friday
#		A - Saturday
#	    h1:m1 must be less than h2:m2
#	acl aclname url_regex [-i] ^http:// ...	# regex matching on whole URL


#	acl aclname urlpath_regex [-i] \.gif$ ...	# regex matching on URL path
#	acl aclname urllogin [-i] [^a-zA-Z0-9] ...	# regex matching on URL login field
#	acl aclname port     80 70 21 ...
#	acl aclname port     0-1024 ...		# ranges allowed
#	acl aclname myport   3128 ...		# (local socket TCP port)
#	acl aclname proto    HTTP FTP ...
#	acl aclname method   GET POST ...
#	acl aclname browser  [-i] regexp ...
#	  # pattern match on User-Agent header (see also req_header below)
#	acl aclname referer_regex  [-i] regexp ...
#	  # pattern match on Referer header
#	  # Referer is highly unreliable, so use with care
#	acl aclname ident    username ...
#	acl aclname ident_regex [-i] pattern ...
#	  # string match on ident output.
#	  # use REQUIRED to accept any non-null ident.
#	acl aclname src_as   number ...
#	acl aclname dst_as   number ...
#	  # Except for access control, AS numbers can be used for
#	  # routing of requests to specific caches. Here's an
#	  # example for routing all requests for AS#1241 and only
#	  # those to mycache.mydomain.net:
#	  # acl asexample dst_as 1241
#	  # cache_peer_access mycache.mydomain.net allow asexample
#	  # cache_peer_access mycache_mydomain.net deny all
#
#	acl aclname proxy_auth [-i] username ...
#	acl aclname proxy_auth_regex [-i] pattern ...
#	  # list of valid usernames
#	  # use REQUIRED to accept any valid username.
#	  #
#	  # NOTE: when a Proxy-Authentication header is sent but it is not
#	  # needed during ACL checking the username is NOT logged
#	  # in access.log.
#	  #
#	  # NOTE: proxy_auth requires an EXTERNAL authentication program
#	  # to check username/password combinations (see
#	  # auth_param directive).
#	  #
#	  # NOTE: proxy_auth can't be used in a transparent proxy as
#	  # the browser needs to be configured for using a proxy in order
#	  # to respond to proxy authentication.
#
#	acl aclname snmp_community string ...
#	  # A community string to limit access to your SNMP Agent
#	  # Example:
#	  #
#	  #	acl snmppublic snmp_community public
#
#	acl aclname maxconn number


#	  # This will be matched when the client's IP address has
#	  # more than <number> HTTP connections established.
#
#	acl aclname max_user_ip [-s] number
#	  # This will be matched when the user attempts to log in from more
#	  # than <number> different ip addresses. The authenticate_ip_ttl
#	  # parameter controls the timeout on the ip entries.
#	  # If -s is specified the limit is strict, denying browsing
#	  # from any further IP addresses until the ttl has expired. Without
#	  # -s Squid will just annoy the user by "randomly" denying requests.
#	  # (the counter is reset each time the limit is reached and a
#	  # request is denied)
#	  # NOTE: in acceleration mode or where there is mesh of child proxies,
#	  # clients may appear to come from multiple addresses if they are
#	  # going through proxy farms, so a limit of 1 may cause user problems.
#
#	acl aclname req_mime_type mime-type1 ...
#	  # regex match against the mime type of the request generated
#	  # by the client. Can be used to detect file upload or some
#	  # types HTTP tunneling requests.
#	  # NOTE: This does NOT match the reply. You cannot use this
#	  # to match the returned file type.
#
#	acl aclname req_header header-name [-i] any\.regex\.here
#	  # regex match against any of the known request headers. May be
#	  # thought of as a superset of "browser", "referer" and "mime-type"
#	  # ACLs.
#
#	acl aclname rep_mime_type mime-type1 ...
#	  # regex match against the mime type of the reply received by
#	  # squid. Can be used to detect file download or some
#	  # types HTTP tunneling requests.
#	  # NOTE: This has no effect in http_access rules. It only has
#	  # effect in rules that affect the reply data stream such as
#	  # http_reply_access.
#
#	acl aclname rep_header header-name [-i] any\.regex\.here
#	  # regex match against any of the known reply headers. May be
#	  # thought of as a superset of "browser", "referer" and "mime-type"
#	  # ACLs.
#	  #
#	  # Example:
#	  #
#	  # acl many_spaces rep_header Content-Disposition -i [[:space:]]{3,}
#
#	acl acl_name external class_name [arguments...]
#	  # external ACL lookup via a helper class defined by the
#	  # external_acl_type directive.
#
#	acl urlgroup group1 ...

#	  # match against the urlgroup as indicated by redirectors
#
#	acl aclname user_cert attribute values...
#	  # match against attributes in a user SSL certificate
#	  # attribute is one of DN/C/O/CN/L/ST
#
#	acl aclname ca_cert attribute values...
#	  # match against attributes a users issuing CA SSL certificate
#	  # attribute is one of DN/C/O/CN/L/ST
#
#	acl aclname ext_user username ...
#	acl aclname ext_user_regex [-i] pattern ...
#	  # string match on username returned by external acl helper
#	  # use REQUIRED to accept any non-null user name.
#
#Examples:
#acl macaddress arp 09:00:2b:23:45:67
#acl myexample dst_as 1241
#acl password proxy_auth REQUIRED
#acl fileupload req_mime_type -i ^multipart/form-data$
#acl javascript rep_mime_type -i ^application/x-javascript$
#
#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443		# https
acl SSL_ports port 563		# snews
acl SSL_ports port 873		# rsync
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl Safe_ports port 631		# cups
acl Safe_ports port 873		# rsync
acl Safe_ports port 901		# SWAT
acl purge method PURGE
acl CONNECT method CONNECT

#  TAG: http_access
#	Allowing or Denying access based on defined access lists
#
#	Access to the HTTP port:

#	http_access allow|deny [!]aclname ...
#
#	NOTE on default values:
#
#	If there are no "access" lines present, the default is to deny
#	the request.
#
#	If none of the "access" lines cause a match, the default is the
#	opposite of the last line in the list. If the last line was
#	deny, the default is allow. Conversely, if the last line
#	is allow, the default will be deny. For these reasons, it is a
#	good idea to have a "deny all" or "allow all" entry at the end
#	of your access lists to avoid potential confusion.
#
#Default:
# http_access deny all
#
#Recommended minimum configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Only allow purge requests from localhost
http_access allow purge localhost
http_access deny purge
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
#acl our_networks src 192.168.1.0/24 192.168.2.0/24
#http_access allow our_networks
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

#  TAG: http_access2
#	Allowing or Denying access based on defined access lists
#
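# Added example, not part of Squid: a small Python evaluator for the http_access
# semantics just described (no lines: deny; first fully matching line wins;
# no match: opposite of the last line), run against the recommended minimum
# ACLs above with the our_networks example enabled. It also implements the
# indirect-client backtracking that the follow_x_forwarded_for directive in the
# "OPTIONS FOR X-Forwarded-For" section of this page describes, modelled with
# src-style network rules only. ACL_CONFIG, RECOMMENDED_RULES, the request
# dictionaries and all addresses are constructed here; only src, port, method
# and proto acl types are supported.

```python
import ipaddress

# Constructed copy of the page's recommended minimum ACLs. Port lists are merged
# onto one line each, which squid.conf also accepts.
ACL_CONFIG = """
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563 873
acl Safe_ports port 80 21 443 70 210 1025-65535 280 488 591 777 631 873 901
acl purge method PURGE
acl CONNECT method CONNECT
acl our_networks src 192.168.1.0/24 192.168.2.0/24
"""
# The page's recommended http_access lines, in order: "action [!]acl ...".
RECOMMENDED_RULES = [
    "allow manager localhost", "deny manager",
    "allow purge localhost", "deny purge",
    "deny !Safe_ports", "deny CONNECT !SSL_ports",
    "allow our_networks", "allow localhost", "deny all",
]


def parse_acls(text):
    """Build {name: (acltype, [values])}; repeated lines for one name accumulate."""
    acls = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "acl":
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
    return acls


def request(src, port, method="GET", proto="http"):
    """A constructed request as the ACL engine would see it."""
    return {"src": src, "port": port, "method": method, "proto": proto}


def acl_matches(acls, name, req):
    """Only the acl types used by the recommended configuration are modelled."""
    atype, values = acls[name]
    if atype == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if atype == "port":  # single ports or lo-hi ranges such as 1025-65535
        for v in values:
            lo, _, hi = v.partition("-")
            if int(lo) <= req["port"] <= int(hi or lo):
                return True
        return False
    if atype in ("method", "proto"):
        return req[atype] in values
    raise ValueError("acl type not modelled in this example: " + atype)


def http_access(rules, acls, req):
    """Apply the page's http_access semantics; True means the request is allowed."""
    if not rules:
        return False  # no access lines at all: deny
    for rule in rules:
        action, *elements = rule.split()
        # an element "[!]acl" is satisfied when (acl matches) differs from (negated)
        if all(acl_matches(acls, e.lstrip("!"), req) != e.startswith("!") for e in elements):
            return action == "allow"
    return rules[-1].split()[0] != "allow"  # nothing matched: opposite of last line


def indirect_client(direct_client, xff_header, follow_rules, acl_uses_indirect_client=True):
    """follow_x_forwarded_for backtracking (see the X-Forwarded-For section of this page).

    follow_rules is a list of ('allow'|'deny', network), first match wins, default deny.
    Starting from the peer that connected to us, each hop further left in
    X-Forwarded-For is taken only while the *current* address is one we are allowed
    to follow; with acl_uses_indirect_client off at most one hop is taken."""
    def may_follow(addr):
        ip = ipaddress.ip_address(addr)
        for action, net in follow_rules:
            if ip in ipaddress.ip_network(net, strict=False):
                return action == "allow"
        return False

    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    current, steps = direct_client, 0
    while hops and may_follow(current):
        try:
            current = str(ipaddress.ip_address(hops.pop()))  # rightmost = most recent
        except ValueError:
            break  # unparsable hop (this example's choice): stop trusting the header
        steps += 1
        if not acl_uses_indirect_client and steps == 1:
            break
    return current
```

The last two asserts of the kind a practitioner would add: a peer we never trust cannot spoof 127.0.0.1 via the header, and a rule list ending in "deny" without a catch-all quietly allows everything it does not name.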

#	Identical to http_access, but runs after redirectors. If not set
#	then only http_access is used.
#
#Default:
# none

#  TAG: http_reply_access
#	Allow replies to client requests. This is complementary to http_access.
#
#	http_reply_access allow|deny [!]aclname ...
#
#	NOTE: if there are no access lines present, the default is to allow
#	all replies
#
#	If none of the access lines cause a match the opposite of the
#	last line will apply. Thus it is good practice to end the rules
#	with an "allow all" or "deny all" entry.
#
#Default:
# http_reply_access allow all

#  TAG: icp_access
#	Allowing or Denying access to the ICP port based on defined
#	access lists
#
#	icp_access  allow|deny [!]aclname ...
#
#	See http_access for details
#
#Default:
# icp_access deny all
#
#Allow ICP queries from everyone
icp_access allow all

#  TAG: htcp_access
#	Allowing or Denying access to the HTCP port based on defined
#	access lists
#
#	htcp_access  allow|deny [!]aclname ...
#
#	See http_access for details
#
#	NOTE: The default if no htcp_access lines are present is to
#	deny all traffic. This default may cause problems with peers
#	using the htcp or htcp-oldsquid options.
#
##Allow HTCP queries from everyone
#htcp_access allow all
#

#Default:
# htcp_access deny all

#  TAG: htcp_clr_access
#	Allowing or Denying access to purge content using HTCP based
#	on defined access lists
#
#	htcp_clr_access  allow|deny [!]aclname ...
#
#	See http_access for details
#
##Allow HTCP CLR requests from trusted peers
#acl htcp_clr_peer src 172.16.1.2
#htcp_clr_access allow htcp_clr_peer
#
#Default:
# htcp_clr_access deny all

#  TAG: miss_access
#	Use to force your neighbors to use you as a sibling instead of
#	a parent. For example:
#
#		acl localclients src 172.16.0.0/16
#		miss_access allow localclients
#		miss_access deny  !localclients
#
#	This means only your local clients are allowed to fetch
#	MISSES and all other clients can only fetch HITS.
#
#	By default, allow all clients who passed the http_access rules
#	to fetch MISSES from us.
#
#Default setting:
# miss_access allow all

#  TAG: ident_lookup_access
#	A list of ACL elements which, if matched, cause an ident
#	(RFC 931) lookup to be performed for this request. For
#	example, you might choose to always perform ident lookups
#	for your main multi-user Unix boxes, but not for your Macs
#	and PCs. By default, ident lookups are not performed for
#	any requests.
#
#	To enable ident lookups for specific client addresses, you
#	can follow this example:
#
#	acl ident_aware_hosts src 198.168.1.0/255.255.255.0
#	ident_lookup_access allow ident_aware_hosts
#	ident_lookup_access deny all
#

#	Only src type ACL checks are fully supported. A src_domain
#	ACL might work at times, but it will not always provide
#	the correct result.
#
#Default:
# ident_lookup_access deny all

#  TAG: reply_body_max_size	bytes allow|deny acl acl...
#	This option specifies the maximum size of a reply body in bytes.
#	It can be used to prevent users from downloading very large files,
#	such as MP3's and movies. When the reply headers are received,
#	the reply_body_max_size lines are processed, and the first line with
#	a result of "allow" is used as the maximum body size for this reply.
#	This size is checked twice. First when we get the reply headers,
#	we check the content-length value. If the content length value exists
#	and is larger than the allowed size, the request is denied and the
#	user receives an error message that says "the request or reply
#	is too large." If there is no content-length, and the reply
#	size exceeds this limit, the client's connection is just closed
#	and they will receive a partial reply.
#
#	WARNING: downstream caches probably can not detect a partial reply
#	if there is no content-length header, so they will cache
#	partial responses and give them out as hits. You should NOT
#	use this option if you have downstream caches.
#
#	If you set this parameter to zero (the default), there will be
#	no limit imposed.
#
#Default:
# reply_body_max_size 0 allow all

# OPTIONS FOR X-Forwarded-For
#
#  TAG: follow_x_forwarded_for
#	Allowing or Denying the X-Forwarded-For header to be followed to
#	find the original source of a request.
#
#	Requests may pass through a chain of several other proxies
#	before reaching us. The X-Forwarded-For header will contain a
#	comma-separated list of the IP addresses in the chain, with the
#	rightmost address being the most recent.
#
#	If a request reaches us from a source that is allowed by this
#	configuration item, then we consult the X-Forwarded-For header
#	to see where that host received the request from. If the
#	X-Forwarded-For header contains multiple addresses, and if
#	acl_uses_indirect_client is on, then we continue backtracking

#	until we reach an address for which we are not allowed to
#	follow the X-Forwarded-For header, or until we reach the first
#	address in the list. (If acl_uses_indirect_client is off, then
#	it's impossible to backtrack through more than one level of
#	X-Forwarded-For addresses.)
#
#	The end result of this process is an IP address that we will
#	refer to as the indirect client address. This address may
#	be treated as the client address for access control, delay
#	pools and logging, depending on the acl_uses_indirect_client,
#	delay_pool_uses_indirect_client and log_uses_indirect_client
#	options.
#
#	SECURITY CONSIDERATIONS:
#
#		Any host for which we follow the X-Forwarded-For header
#		can place incorrect information in the header, and Squid
#		will use the incorrect information as if it were the
#		source address of the request. This may enable remote
#		hosts to bypass any access control restrictions that are
#		based on the client's source addresses.
#
#	For example:
#
#		acl localhost src 127.0.0.1
#		acl my_other_proxy srcdomain .proxy.example.com
#		follow_x_forwarded_for allow localhost
#		follow_x_forwarded_for allow my_other_proxy
#
#Default:
# follow_x_forwarded_for deny all

#  TAG: acl_uses_indirect_client	on|off
#	Controls whether the indirect client address
#	(see follow_x_forwarded_for) is used instead of the
#	direct client address in acl matching.
#
#Default:
# acl_uses_indirect_client on

#  TAG: delay_pool_uses_indirect_client	on|off
#	Controls whether the indirect client address
#	(see follow_x_forwarded_for) is used instead of the
#	direct client address in delay pools.
#
#Default:
# delay_pool_uses_indirect_client on

#  TAG: log_uses_indirect_client	on|off
#	Controls whether the indirect client address

#	(see follow_x_forwarded_for) is used instead of the
#	direct client address in the access log.
#
#Default:
# log_uses_indirect_client on

# NETWORK OPTIONS
#
#  TAG: http_port
#	Usage:	port [options]
#		hostname:port [options]
#		1.2.3.4:port [options]
#
#	The socket addresses where Squid will listen for HTTP client
#	requests. You may specify multiple socket addresses.
#	There are three forms: port alone, hostname with port, and
#	IP address with port. If you specify a hostname or IP
#	address, Squid binds the socket to that specific
#	address. This replaces the old 'tcp_incoming_address'
#	option. Most likely, you do not need to bind to a specific
#	address, so you can use the port number alone.
#
#	If you are running Squid in accelerator mode, you
#	probably want to listen on port 80 also, or instead.
#
#	You may specify multiple socket addresses on multiple lines.
#
#	Options:
#
#	   transparent	Support for transparent interception of
#			outgoing requests without browser settings.
#
#	   tproxy	Support Linux TPROXY for spoofing outgoing
#			connections using the client IP address.
#
#	   accel	Accelerator mode. Also needs at least one
#			of vhost/vport/defaultsite.
#
#	   defaultsite=domainname
#			What to use for the Host: header if it is not present
#			in a request. Determines what site (not origin server)
#			accelerators should consider the default.
#			Implies accel.
#
#	   vhost	Accelerator mode using Host header for virtual
#			domain support. Implies accel.
#
#	   vport	Accelerator with IP based virtual host support.

#			Implies accel.
#
#	   vport=NN	As above, but uses specified port number rather
#			than the http_port number. Implies accel.
#
#	   urlgroup=	Default urlgroup to mark requests with (see
#			also acl urlgroup and url_rewrite_program)
#
#	   protocol=	Protocol to reconstruct accelerated requests with.
#			Defaults to http.
#
#	   no-connection-auth
#			Prevent forwarding of Microsoft connection oriented
#			authentication (NTLM, Negotiate and Kerberos)
#
#	If you run Squid on a dual-homed machine with an internal
#	and an external interface we recommend you to specify the
#	internal address:port in http_port. This way Squid will only be
#	visible on the internal address.
#
# Squid normally listens to port 3128
http_port 3128

#  TAG: https_port
# Note: This option is only available if Squid is rebuilt with the
#       --enable-ssl option
#
#	Usage:  [ip:]port cert=certificate.pem [key=key.pem] [options...]
#
#	The socket address where Squid will listen for HTTPS client
#	requests.
#
#	This is really only useful for situations where you are running
#	squid in accelerator mode and you want to do the SSL work at the
#	accelerator level.
#
#	You may specify multiple socket addresses on multiple lines,
#	each with their own SSL certificate and/or options.
#
#	Options:
#
#	   accel	Accelerator mode. Also needs at least one of
#			defaultsite or vhost.
#
#	   defaultsite=	The name of the https site presented on
#			this port. Implies accel.
#
#	   vhost	Accelerator mode using Host header for virtual
#			domain support. Requires a wildcard certificate
#			or other certificate valid for more than one domain.


#			Implies accel.
#
#	   urlgroup=	Default urlgroup to mark requests with (see
#			also acl urlgroup and url_rewrite_program).
#
#	   protocol=	Protocol to reconstruct accelerated requests with.
#			Defaults to https.
#
#	   cert=	Path to SSL certificate (PEM format).
#
#	   key=		Path to SSL private key file (PEM format)
#			if not specified, the certificate file is
#			assumed to be a combined certificate and
#			key file.
#
#	   version=	The version of SSL/TLS supported
#			    1	automatic (default)
#			    2	SSLv2 only
#			    3	SSLv3 only
#			    4	TLSv1 only
#
#	   cipher=	Colon separated list of supported ciphers.
#
#	   options=	Various SSL engine options. The most important
#			being:
#			    NO_SSLv2  Disallow the use of SSLv2
#			    NO_SSLv3  Disallow the use of SSLv3
#			    NO_TLSv1  Disallow the use of TLSv1
#			    SINGLE_DH_USE Always create a new key when using
#				      temporary/ephemeral DH key exchanges
#			See src/ssl_support.c or OpenSSL SSL_CTX_set_options
#			documentation for a complete list of options.
#
#	   clientca=	File containing the list of CAs to use when
#			requesting a client certificate.
#
#	   cafile=	File containing additional CA certificates to
#			use when verifying client certificates. If unset
#			clientca will be used.
#
#	   capath=	Directory containing additional CA certificates
#			and CRL lists to use when verifying client certificates.
#
#	   crlfile=	File of additional CRL lists to use when verifying
#			the client certificate, in addition to CRLs stored in
#			the capath. Implies VERIFY_CRL flag below.
#
#	   dhparams=	File containing DH parameters for temporary/ephemeral
#			DH key exchanges.

#          sslflags=    Various flags modifying the use of SSL:
#                           DELAYED_AUTH
#                               Don't request client certificates
#                               immediately, but wait until acl processing
#                               requires a certificate (not yet implemented).
#                           NO_DEFAULT_CA
#                               Don't use the default CA lists built in
#                               to OpenSSL.
#                           NO_SESSION_REUSE
#                               Don't allow for session reuse. Each connection
#                               will result in a new SSL session.
#                           VERIFY_CRL
#                               Verify CRL lists when accepting client
#                               certificates.
#                           VERIFY_CRL_ALL
#                               Verify CRL lists for all certificates in the
#                               client certificate chain.
#
#          sslcontext=  SSL session ID context identifier.
#
#          vport        Accelerator with IP based virtual host support.
#
#          vport=NN     As above, but uses specified port number rather
#                       than the https_port number. Implies accel.
#
#
#Default:
# none

#  TAG: tcp_outgoing_tos
#       Allows you to select a TOS/Diffserv value to mark outgoing
#       connections with, based on the username or source address
#       making the request.
#
#       tcp_outgoing_tos ds-field [!]aclname ...
#
#       Example where normal_service_net uses the TOS value 0x00
#       and good_service_net uses 0x20
#
#       acl normal_service_net src 10.0.0.0/255.255.255.0
#       acl good_service_net src 10.0.1.0/255.255.255.0
#       tcp_outgoing_tos 0x00 normal_service_net
#       tcp_outgoing_tos 0x20 good_service_net
#
#       TOS/DSCP values really only have local significance so you should
#       know what you're specifying. For more information, see RFC 2474 and
#       RFC 3260.
#
#       The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or
#       "default" to use whatever default your host has. Note that in

#       practice often only values 0 - 63 are usable as the two highest bits
#       have been redefined for use by ECN (RFC 3168).
#
#       Processing proceeds in the order specified, and stops at first fully
#       matching line.
#
#       Note: The use of this directive using client dependent ACLs is
#       incompatible with the use of server side persistent connections. To
#       ensure correct results it is best to set server_persistent_connections
#       to off when using this directive in such configurations.
#
#Default:
# none

#  TAG: tcp_outgoing_address
#       Allows you to map requests to different outgoing IP addresses
#       based on the username or source address of the user making
#       the request.
#
#       tcp_outgoing_address ipaddr [[!]aclname] ...
#
#       Example where requests from 10.0.0.0/24 will be forwarded
#       with source address 10.1.0.1, 10.0.2.0/24 forwarded with
#       source address 10.1.0.2 and the rest will be forwarded with
#       source address 10.1.0.3.
#
#       acl normal_service_net src 10.0.0.0/255.255.255.0
#       acl good_service_net src 10.0.1.0/255.255.255.0
#       tcp_outgoing_address 10.0.0.1 normal_service_net
#       tcp_outgoing_address 10.0.0.2 good_service_net
#       tcp_outgoing_address 10.0.0.3
#
#       Processing proceeds in the order specified, and stops at first fully
#       matching line.
#
#       Note: The use of this directive using client dependent ACLs is
#       incompatible with the use of server side persistent connections. To
#       ensure correct results it is best to set server_persistent_connections
#       to off when using this directive in such configurations.
#
#Default:
# none

# SSL OPTIONS
#

#  TAG: ssl_unclean_shutdown
# Note: This option is only available if Squid is rebuilt with the
#       --enable-ssl option

#
#       Some browsers (especially MSIE) bug out on SSL shutdown
#       messages.
#
#Default:
# ssl_unclean_shutdown off

#  TAG: ssl_engine
# Note: This option is only available if Squid is rebuilt with the
#       --enable-ssl option
#
#       The OpenSSL engine to use. You will need to set this if you
#       would like to use hardware SSL acceleration for example.
#
#Default:
# none

#  TAG: sslproxy_client_certificate
# Note: This option is only available if Squid is rebuilt with the
#       --enable-ssl option
#
#       Client SSL Certificate to use when proxying https:// URLs
#
#Default:
# none

#  TAG: sslproxy_client_key
# Note: This option is only available if Squid is rebuilt with the
#       --enable-ssl option
#
#       Client SSL Key to use when proxying https:// URLs
#
#Default:
# none

#  TAG: sslproxy_version
# Note: This option is only available if Squid is rebuilt with the
#       --enable-ssl option
#
#       SSL version level to use when proxying https:// URLs
#
#Default:
# sslproxy_version 1

#  TAG: sslproxy_options
# Note: This option is only available if Squid is rebuilt with the
#       --enable-ssl option
#
#       SSL engine options to use when proxying https:// URLs
#

#Default:
# none

#  TAG: sslproxy_cipher
# Note: This option is only available if Squid is rebuilt with the
#       --enable-ssl option
#
#       SSL cipher list to use when proxying https:// URLs
#
#Default:
# none

#  TAG: sslproxy_cafile
# Note: This option is only available if Squid is rebuilt with the
#       --enable-ssl option
#
#       file containing CA certificates to use when verifying server
#       certificates while proxying https:// URLs
#
#Default:
# none

#  TAG: sslproxy_capath
# Note: This option is only available if Squid is rebuilt with the
#       --enable-ssl option
#
#       directory containing CA certificates to use when verifying
#       server certificates while proxying https:// URLs
#
#Default:
# none

#  TAG: sslproxy_flags
# Note: This option is only available if Squid is rebuilt with the
#       --enable-ssl option
#
#       Various flags modifying the use of SSL while proxying https:// URLs:
#           DONT_VERIFY_PEER    Accept certificates even if they fail to
#                               verify.
#           NO_DEFAULT_CA       Don't use the default CA list built in
#                               to OpenSSL.
#
#Default:
# none

#  TAG: sslpassword_program
# Note: This option is only available if Squid is rebuilt with the
#       --enable-ssl option
#
#       Specify a program used for entering SSL key passphrases

#       when using encrypted SSL certificate keys. If not specified
#       keys must either be unencrypted, or Squid started with the -N
#       option to allow it to query interactively for the passphrase.
#
#Default:
# none

# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
#

#  TAG: cache_peer
#       To specify other caches in a hierarchy, use the format:
#
#               cache_peer hostname type http_port icp_port [options]
#
#       For example,
#
#       #                                        proxy  icp
#       #          hostname             type     port   port  options
#       #          -------------------- -------- ----- -----  -----------
#       cache_peer parent.foo.net       parent    3128  3130  proxy-only default
#       cache_peer sib1.foo.net         sibling   3128  3130  proxy-only
#       cache_peer sib2.foo.net         sibling   3128  3130  proxy-only
#
#             type:    either 'parent', 'sibling', or 'multicast'.
#
#       proxy_port:    The port number where the cache listens for proxy
#                      requests.
#
#         icp_port:    Used for querying neighbor caches about
#                      objects.  To have a non-ICP neighbor
#                      specify '7' for the ICP port and make sure the
#                      neighbor machine has the UDP echo port
#                      enabled in its /etc/inetd.conf file.
#           NOTE:      Also requires icp_port option enabled to send/receive
#                      requests via this method.
#
#           options: proxy-only
#                    weight=n
#                    ttl=n
#                    no-query
#                    default
#                    round-robin
#                    carp
#                    multicast-responder
#                    closest-only
#                    no-digest
#                    no-netdb-exchange
#                    no-delay

#                    login=user:password | PASS | *:password
#                    connect-timeout=nn
#                    digest-url=url
#                    allow-miss
#                    max-conn=n
#                    htcp
#                    htcp-oldsquid
#                    originserver
#                    userhash
#                    sourcehash
#                    name=xxx
#                    monitorurl=url
#                    monitorsize=sizespec
#                    monitorinterval=seconds
#                    monitortimeout=seconds
#                    forceddomain=name
#                    ssl
#                    sslcert=/path/to/ssl/certificate
#                    sslkey=/path/to/ssl/key
#                    sslversion=1|2|3|4
#                    sslcipher=...
#                    ssloptions=...
#                    front-end-https[=on|auto]
#                    connection-auth[=on|off|auto]
#
#                    use 'proxy-only' to specify objects fetched
#                    from this cache should not be saved locally.
#
#                    use 'weight=n' to affect the selection of a peer
#                    during any weighted peer-selection mechanisms.
#                    The weight must be an integer; default is 1,
#                    larger weights are favored more.
#                    This option does not affect parent selection if a peering
#                    protocol is not in use.
#
#                    use 'ttl=n' to specify an IP multicast TTL to use
#                    when sending ICP queries to this address.
#                    Only useful when sending to a multicast group.
#                    Because we don't accept ICP replies from random
#                    hosts, you must configure other group members as
#                    peers with the 'multicast-responder' option below.
#
#                    use 'no-query' to NOT send ICP queries to this
#                    neighbor.
#
#                    use 'default' if this is a parent cache which can
#                    be used as a "last-resort" if a peer cannot be located
#                    by any of the peer-selection mechanisms.
#                    If specified more than once, only the first is used.

#                    use 'round-robin' to define a set of parents which
#                    should be used in a round-robin fashion in the
#                    absence of any ICP queries.
#
#                    use 'carp' to define a set of parents which should
#                    be used as a CARP array. The requests will be
#                    distributed among the parents based on the CARP load
#                    balancing hash function based on their weight.
#
#                    'multicast-responder' indicates the named peer
#                    is a member of a multicast group.  ICP queries will
#                    not be sent directly to the peer, but ICP replies
#                    will be accepted from it.
#
#                    'closest-only' indicates that, for ICP_OP_MISS
#                    replies, we'll only forward CLOSEST_PARENT_MISSes
#                    and never FIRST_PARENT_MISSes.
#
#                    use 'no-digest' to NOT request cache digests from
#                    this neighbor.
#
#                    'no-netdb-exchange' disables requesting ICMP
#                    RTT database (NetDB) from the neighbor.
#
#                    use 'no-delay' to prevent access to this neighbor
#                    from influencing the delay pools.
#
#                    use 'login=user:password' if this is a personal/workgroup
#                    proxy and your parent requires proxy authentication.
#                    Note: The string can include URL escapes (i.e. %20 for
#                    spaces). This also means % must be written as %%.
#
#                    use 'login=PASS' if users must authenticate against
#                    the upstream proxy or in the case of a reverse proxy
#                    configuration, the origin web server.  This will pass
#                    the users credentials as they are to the peer.
#                    Note: To combine this with local authentication the Basic
#                    authentication scheme must be used, and both servers must
#                    share the same user database as HTTP only allows for
#                    a single login (one for proxy, one for origin server).
#                    Also be warned this will expose your users proxy
#                    password to the peer. USE WITH CAUTION
#
#                    use 'login=*:password' to pass the username to the
#                    upstream cache, but with a fixed password. This is meant
#                    to be used when the peer is in another administrative
#                    domain, but it is still needed to identify each user.
#                    The star can optionally be followed by some extra
#                    information which is added to the username. This can
#                    be used to identify this proxy to the peer, similar to

#                    the login=username:password option above.
#
#                    use 'connect-timeout=nn' to specify a peer
#                    specific connect timeout (also see the
#                    peer_connect_timeout directive)
#
#                    use 'digest-url=url' to tell Squid to fetch the cache
#                    digest (if digests are enabled) for this host from
#                    the specified URL rather than the Squid default
#                    location.
#
#                    use 'allow-miss' to disable Squid's use of only-if-cached
#                    when forwarding requests to siblings. This is primarily
#                    useful when icp_hit_stale is used by the sibling. Too
#                    extensive use of this option may result in forwarding
#                    loops, and you should avoid having two-way peerings
#                    with this option. (for example to deny peer usage on
#                    requests from peer by denying cache_peer_access if the
#                    source is a peer)
#
#                    use 'max-conn=n' to limit the amount of connections Squid
#                    may open to this peer.
#
#                    use 'htcp' to send HTCP, instead of ICP, queries
#                    to the neighbor.  You probably also want to
#                    set the "icp port" to 4827 instead of 3130.
#                    You must also allow this Squid htcp_access and
#                    http_access in the peer Squid configuration.
#
#                    use 'htcp-oldsquid' to send HTCP to old Squid versions
#                    You must also allow this Squid htcp_access and
#                    http_access in the peer Squid configuration.
#
#                    'originserver' causes this parent peer to be contacted as
#                    an origin server. Meant to be used in accelerator setups.
#
#                    use 'userhash' to load-balance amongst a set of parents
#                    based on the client proxy_auth or ident username.
#
#                    use 'sourcehash' to load-balance amongst a set of parents
#                    based on the client source ip.
#
#                    use 'name=xxx' if you have multiple peers on the same
#                    host but different ports. This name can be used to
#                    differentiate the peers in cache_peer_access and similar
#                    directives.
#
#                    use 'monitorurl=url' to periodically request a given
#                    URL from the peer, and only consider the peer as alive
#                    if this monitoring is successful (default none)

#                    use 'monitorsize=min[-max]' to limit the size range of
#                    'monitorurl' replies considered valid. Defaults to 0 to
#                    accept any size replies as valid.
#
#                    use 'monitorinterval=seconds' to change frequency of
#                    how often the peer is monitored with 'monitorurl'
#                    (default 300 for a 5 minute interval). If set to 0
#                    then monitoring is disabled even if a URL is defined.
#
#                    use 'monitortimeout=seconds' to change the timeout of
#                    'monitorurl'. Defaults to 'monitorinterval'.
#
#                    use 'forceddomain=name' to forcibly set the Host header
#                    of requests forwarded to this peer. Useful in accelerator
#                    setups where the server (peer) expects a certain domain
#                    name and using redirectors to feed this domain name
#                    is not feasible.
#
#                    use 'ssl' to indicate connections to this peer should
#                    be SSL/TLS encrypted.
#
#                    use 'sslcert=/path/to/ssl/certificate' to specify a client
#                    SSL certificate to use when connecting to this peer.
#
#                    use 'sslkey=/path/to/ssl/key' to specify the private SSL
#                    key corresponding to sslcert above. If 'sslkey' is not
#                    specified 'sslcert' is assumed to reference a
#                    combined file containing both the certificate and the key.
#
#                    Notes:
#
#                    On Debian/Ubuntu system a default snakeoil certificate is
#                    available in /etc/ssl and users can set:
#
#                       cert=/etc/ssl/certs/ssl-cert-snakeoil.pem
#
#                    and
#
#                       key=/etc/ssl/private/ssl-cert-snakeoil.key
#
#                    for testing.
#
#                    use sslversion=1|2|3|4 to specify the SSL version to use
#                    when connecting to this peer
#                       1 = automatic (default)
#                       2 = SSLv2 only
#                       3 = SSLv3 only
#                       4 = TLSv1 only

#                    use sslcipher=... to specify the list of valid SSL ciphers
#                    to use when connecting to this peer.
#
#                    use ssloptions=... to specify various SSL engine options:
#                       NO_SSLv2  Disallow the use of SSLv2
#                       NO_SSLv3  Disallow the use of SSLv3
#                       NO_TLSv1  Disallow the use of TLSv1
#                    See src/ssl_support.c or the OpenSSL documentation for
#                    a more complete list.
#
#                    use sslcafile=... to specify a file containing
#                    additional CA certificates to use when verifying the
#                    peer certificate.
#
#                    use sslcapath=... to specify a directory containing
#                    additional CA certificates to use when verifying the
#                    peer certificate.
#
#                    use sslcrlfile=... to specify a certificate revocation
#                    list file to use when verifying the peer certificate.
#
#                    use sslflags=... to specify various flags modifying the
#                    SSL implementation:
#                       DONT_VERIFY_PEER
#                               Accept certificates even if they fail to
#                               verify.
#                       NO_DEFAULT_CA
#                               Don't use the default CA list built in
#                               to OpenSSL.
#
#                    use ssldomain= to specify the peer name as advertised
#                    in its certificate. Used for verifying the correctness
#                    of the received peer certificate. If not specified the
#                    peer hostname will be used.
#
#                    use front-end-https to enable the "Front-End-Https: On"
#                    header needed when using Squid as a SSL frontend in front
#                    of Microsoft OWA. See MS KB document Q307347 for details
#                    on this header. If set to auto the header will
#                    only be added if the request is forwarded as a https://
#                    URL.
#
#                    use connection-auth=off to tell Squid that this peer does
#                    not support Microsoft connection oriented authentication,
#                    and any such challenges received from there should be
#                    ignored. Default is auto to automatically determine the
#                    status of the peer.
#
#Default:
# none
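# The https_port, sslproxy_flags and cache_peer documentation above names the
# settings that weaken TLS or leak proxy credentials (version=2/3, a missing
# options=NO_SSLv2/NO_SSLv3, DONT_VERIFY_PEER, login=PASS and login= on a
# non-ssl peer). The following checker is an added example written for this
# page, not Squid's own code or parser: it reads a constructed squid.conf
# fragment (all hosts, paths and ports invented) and reports those settings,
# one finding per directive line. It assumes the ':'/',' separator for
# options= and sslflags= lists, which the text above does not specify.

```python
"""Hypothetical squid.conf linter for the TLS and peer-login options documented
above (https_port, sslproxy_flags, cache_peer ssl*/login=). Not part of Squid."""
import re
from collections import Counter
from typing import Dict, Iterator, List, NamedTuple, Tuple, Union

# Constructed sample squid.conf fragment; every host, path and port is invented.
SAMPLE_CONF = """\
# listener with Squid defaults: SSLv2 and SSLv3 remain negotiable
https_port 443 cert=/etc/squid/site.pem defaultsite=www.example.test
# listener pinned to SSLv3 only
https_port 8443 cert=/etc/squid/site.pem version=3 defaultsite=old.example.test
# listener with the legacy protocols disabled via options=
https_port 9443 cert=/etc/squid/site.pem options=NO_SSLv2:NO_SSLv3 defaultsite=ok.example.test
# outbound https:// verification switched off globally
sslproxy_flags DONT_VERIFY_PEER
# user credentials relayed to a parent over a plain TCP peer link
cache_peer upstream.example.test parent 3128 0 no-query login=PASS
# TLS peer that neither verifies the parent nor avoids SSLv3
cache_peer tls-upstream.example.test parent 3129 0 no-query ssl login=PASS sslversion=3 sslflags=DONT_VERIFY_PEER
# fixed credential sent in the clear
cache_peer auth-upstream.example.test parent 3130 0 no-query login=squid:s3cret
# TLSv1-only peer with a CA file: no findings expected
cache_peer owa.example.test parent 443 0 no-query originserver ssl sslversion=4 sslcafile=/etc/ssl/certs/ca.pem
"""


class Finding(NamedTuple):
    lineno: int
    directive: str
    code: str
    message: str


def iter_directives(text: str) -> Iterator[Tuple[int, str, List[str]]]:
    """Yield (lineno, directive, args) for each non-comment squid.conf line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        yield lineno, tokens[0], tokens[1:]


def split_opts(args: List[str]) -> Dict[str, Union[str, bool]]:
    """Turn 'key=value' options into a dict; bare flags such as 'ssl' map to True."""
    opts: Dict[str, Union[str, bool]] = {}
    for arg in args:
        key, sep, value = arg.partition("=")
        opts[key] = value if sep else True
    return opts


def flag_set(value: Union[str, bool, None]) -> set:
    """options= / sslflags= value lists; ':' or ',' separators are an assumption."""
    return set(re.split(r"[:,]", value)) if isinstance(value, str) else set()


def check_https_port(lineno: int, args: List[str]) -> Iterator[Finding]:
    opts = split_opts(args[1:])  # args[0] is [ip:]port
    version = opts.get("version", "1")  # 1 = automatic, per the documentation
    if version in ("2", "3"):
        yield Finding(lineno, "https_port", "PORT_VERSION_PINNED_WEAK",
                      f"version={version} restricts the listener to SSLv{version} only")
        return
    if version == "4":
        return  # TLSv1 only: SSLv2/SSLv3 cannot be negotiated at all
    enabled = flag_set(opts.get("options"))
    for proto in ("SSLv2", "SSLv3"):
        if f"NO_{proto}" not in enabled:
            yield Finding(lineno, "https_port", f"PORT_{proto.upper()}_ALLOWED",
                          f"{proto} still negotiable; add options=NO_{proto}")


def check_sslproxy_flags(lineno: int, args: List[str]) -> Iterator[Finding]:
    flags: set = set()
    for arg in args:
        flags |= flag_set(arg)
    if "DONT_VERIFY_PEER" in flags:
        yield Finding(lineno, "sslproxy_flags", "PROXY_NO_PEER_VERIFY",
                      "server certificates of proxied https:// URLs are accepted unverified")


def check_cache_peer(lineno: int, args: List[str]) -> Iterator[Finding]:
    if len(args) < 4:
        return  # hostname type http_port icp_port are mandatory
    host, opts = args[0], split_opts(args[4:])
    uses_ssl, login = "ssl" in opts, opts.get("login")
    if login == "PASS":  # the text above: exposes the user's proxy password to the peer
        yield Finding(lineno, "cache_peer", "PEER_LOGIN_PASS",
                      f"{host}: login=PASS relays each user's proxy password to the peer")
    if isinstance(login, str) and not uses_ssl:
        yield Finding(lineno, "cache_peer", "PEER_LOGIN_CLEARTEXT",
                      f"{host}: login= credentials leave this proxy without the ssl option")
    if uses_ssl:
        if "DONT_VERIFY_PEER" in flag_set(opts.get("sslflags")):
            yield Finding(lineno, "cache_peer", "PEER_NO_VERIFY",
                          f"{host}: sslflags=DONT_VERIFY_PEER accepts any peer certificate")
        if opts.get("sslversion") in ("2", "3"):
            yield Finding(lineno, "cache_peer", "PEER_WEAK_SSLVERSION",
                          f"{host}: sslversion={opts['sslversion']} forces SSLv{opts['sslversion']}")


CHECKS = {"https_port": check_https_port,
          "sslproxy_flags": check_sslproxy_flags,
          "cache_peer": check_cache_peer}


def lint(text: str) -> List[Finding]:
    """Run every check over the configuration and return the findings in file order."""
    findings: List[Finding] = []
    for lineno, directive, args in iter_directives(text):
        check = CHECKS.get(directive)
        if check:
            findings.extend(check(lineno, args))
    return findings


def summary(findings: List[Finding]) -> Counter:
    return Counter(f.code for f in findings)


if __name__ == "__main__":
    for f in lint(SAMPLE_CONF):
        print(f"line {f.lineno}: {f.directive} [{f.code}] {f.message}")
```

# The two hardened lines in the sample (the options=NO_SSLv2:NO_SSLv3 listener
# and the sslversion=4 peer with sslcafile=) produce no findings; every other
# directive line produces at least one. Run it against a real squid.conf by
# passing the file's contents to lint().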

#  TAG: cache_peer_domain
#       Use to limit the domains for which a neighbor cache will be
#       queried.  Usage:
#
#       cache_peer_domain cache-host domain [domain ...]
#       cache_peer_domain cache-host !domain
#
#       For example, specifying
#
#               cache_peer_domain parent.foo.net        .edu
#
#       has the effect such that UDP query packets are sent to
#       'bigserver' only when the requested object exists on a
#       server in the .edu domain.  Prefixing the domainname
#       with '!' means the cache will be queried for objects
#       NOT in that domain.
#
#       NOTE:   * Any number of domains may be given for a cache-host,
#                 either on the same or separate lines.
#               * When multiple domains are given for a particular
#                 cache-host, the first matched domain is applied.
#               * Cache hosts with no domain restrictions are queried
#                 for all requests.
#               * There are no defaults.
#               * There is also a 'cache_peer_access' tag in the ACL
#                 section.
#
#Default:
# none

#  TAG: cache_peer_access
#       Similar to 'cache_peer_domain' but provides more flexibility by
#       using ACL elements.
#
#       cache_peer_access cache-host allow|deny [!]aclname ...
#
#       The syntax is identical to 'http_access' and the other lists of
#       ACL elements.  See the comments for 'http_access' below, or
#       the Squid FAQ (http://www.squid-cache.org/FAQ/FAQ-10.html).
#
#Default:
# none

#  TAG: neighbor_type_domain
#       usage: neighbor_type_domain neighbor parent|sibling domain domain ...
#
#       Modifying the neighbor type for specific domains is now
#       possible.  You can treat some domains differently than the
#       default neighbor type specified on the 'cache_peer' line.

#       Normally it should only be necessary to list domains which
#       should be treated differently because the default neighbor type
#       applies for hostnames which do not match domains listed here.
#
#EXAMPLE:
#       cache_peer cache.foo.org parent 3128 3130
#       neighbor_type_domain cache.foo.org sibling .com .net
#       neighbor_type_domain cache.foo.org sibling .au .de
#
#Default:
# none

#  TAG: dead_peer_timeout       (seconds)
#       This controls how long Squid waits to declare a peer cache
#       as "dead."  If there are no ICP replies received in this
#       amount of time, Squid will declare the peer dead and not
#       expect to receive any further ICP replies.  However, it
#       continues to send ICP queries, and will mark the peer as
#       alive upon receipt of the first subsequent ICP reply.
#
#       This timeout also affects when Squid expects to receive ICP
#       replies from peers.  If more than 'dead_peer' seconds have
#       passed since the last ICP reply was received, Squid will not
#       expect to receive an ICP reply on the next query.  Thus, if
#       your time between requests is greater than this timeout, you
#       will see a lot of requests sent DIRECT to origin servers
#       instead of to your parents.
#
#Default:
# dead_peer_timeout 10 seconds

#  TAG: hierarchy_stoplist
#       A list of words which, if found in a URL, cause the object to
#       be handled directly by this cache.  In other words, use this
#       to not query neighbor caches for certain objects.  You may
#       list this option multiple times. Note: never_direct overrides
#       this option.
#We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?

# MEMORY CACHE OPTIONS
#

#  TAG: cache_mem       (bytes)
#       NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS SIZE.
#       IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL
#       USE AS A MEMORY CACHE OF OBJECTS.  SQUID USES MEMORY FOR OTHER
#       THINGS AS WELL.  SEE THE SQUID FAQ SECTION 8 FOR DETAILS.
#

#       'cache_mem' specifies the ideal amount of memory to be used
#       for:
#               * In-Transit objects
#               * Hot Objects
#               * Negative-Cached objects
#
#       Data for these objects are stored in 4 KB blocks.  This
#       parameter specifies the ideal upper limit on the total size of
#       4 KB blocks allocated.  In-Transit objects take the highest
#       priority.
#
#       In-transit objects have priority over the others.  When
#       additional space is needed for incoming data, negative-cached
#       and hot objects will be released.  In other words, the
#       negative-cached and hot objects will fill up any unused space
#       not needed for in-transit objects.
#
#       If circumstances require, this limit will be exceeded.
#       Specifically, if your incoming request rate requires more than
#       'cache_mem' of memory to hold in-transit objects, Squid will
#       exceed this limit to satisfy the new requests.  When the load
#       decreases, blocks will be freed until the high-water mark is
#       reached.  Thereafter, blocks will be used to store hot
#       objects.
#
#Default:
# cache_mem 8 MB

#  TAG: maximum_object_size_in_memory    (bytes)
#       Objects greater than this size will not be attempted to be kept in
#       the memory cache. This should be set high enough to keep objects
#       accessed frequently in memory to improve performance whilst low
#       enough to keep larger objects from hoarding cache_mem.
#
#Default:
# maximum_object_size_in_memory 8 KB

#  TAG: memory_replacement_policy
#       The memory replacement policy parameter determines which
#       objects are purged from memory when memory space is needed.
#
#       See cache_replacement_policy for details.
#
#Default:
# memory_replacement_policy lru

# DISK CACHE OPTIONS
#

#  TAG: cache_replacement_policy
#       The cache replacement policy parameter determines which
#       objects are evicted (replaced) when disk space is needed.
#
#           lru       : Squid's original list based LRU policy
#           heap GDSF : Greedy-Dual Size Frequency
#           heap LFUDA: Least Frequently Used with Dynamic Aging
#           heap LRU  : LRU policy implemented using a heap
#
#       Applies to any cache_dir lines listed below this.
#
#       The LRU policies keep recently referenced objects.
#
#       The heap GDSF policy optimizes object hit rate by keeping smaller
#       popular objects in cache so it has a better chance of getting a
#       hit.  It achieves a lower byte hit rate than LFUDA though since
#       it evicts larger (possibly popular) objects.
#
#       The heap LFUDA policy keeps popular objects in cache regardless of
#       their size and thus optimizes byte hit rate at the expense of
#       hit rate since one large, popular object will prevent many
#       smaller, slightly less popular objects from being cached.
#
#       Both policies utilize a dynamic aging mechanism that prevents
#       cache pollution that can otherwise occur with frequency-based
#       replacement policies.
#
#       NOTE: if using the LFUDA replacement policy you should increase
#       the value of maximum_object_size above its default of 4096 KB
#       to maximize the potential byte hit rate improvement of LFUDA.
#
#       For more information about the GDSF and LFUDA cache replacement
#       policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html
#       and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html.
#
#Default:
# cache_replacement_policy lru

#  TAG: cache_dir
#       Usage:
#
#       cache_dir Type Directory-Name Fs-specific-data [options]
#
#       You can specify multiple cache_dir lines to spread the
#       cache among different disk partitions.
#
#       Type specifies the kind of storage system to use. Only "ufs"
#       is built by default. To enable any of the other storage systems
#       see the --enable-storeio configure option.
#

#       'Directory' is a top-level directory where cache swap
#       files will be stored.  If you want to use an entire disk
#       for caching, this can be the mount-point directory.
#       The directory must exist and be writable by the Squid
#       process.  Squid will NOT create this directory for you.
#       Only using COSS, a raw disk device or a stripe file can
#       be specified, but the configuration of the "cache_swap_log"
#       tag is mandatory.
#
#       The ufs store type:
#
#       "ufs" is the old well-known Squid storage format that has always
#       been there.
#
#       cache_dir ufs Directory-Name Mbytes L1 L2 [options]
#
#       'Mbytes' is the amount of disk space (MB) to use under this
#       directory.  The default is 100 MB.  Change this to suit your
#       configuration.  Do NOT put the size of your disk drive here.
#       Instead, if you want Squid to use the entire disk drive,
#       subtract 20% and use that value.
#
#       'Level-1' is the number of first-level subdirectories which
#       will be created under the 'Directory'.  The default is 16.
#
#       'Level-2' is the number of second-level subdirectories which
#       will be created under each first-level directory.  The default
#       is 256.
#
#       The aufs store type:
#
#       "aufs" uses the same storage format as "ufs", utilizing
#       POSIX-threads to avoid blocking the main Squid process on
#       disk-I/O. This was formerly known in Squid as async-io.
#
#       cache_dir aufs Directory-Name Mbytes L1 L2 [options]
#
#       see argument descriptions under ufs above
#
#       The diskd store type:
#
#       "diskd" uses the same storage format as "ufs", utilizing a
#       separate process to avoid blocking the main Squid process on
#       disk-I/O.
#
#       cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n]
#
#       see argument descriptions under ufs above
#
#       Q1 specifies the number of unacknowledged I/O requests when Squid

#       stops opening new files. If this many messages are in the queues,
#       Squid won't open new files. Default is 64
#
#       Q2 specifies the number of unacknowledged messages when Squid
#       starts blocking. If this many messages are in the queues,
#       Squid blocks until it receives some replies. Default is 72
#
#       When Q1 < Q2 (the default), the cache directory is optimized
#       for lower response time at the expense of a decrease in hit
#       ratio.  If Q1 > Q2, the cache directory is optimized for
#       higher hit ratio at the expense of an increase in response
#       time.
#
#       The coss store type:
#
#       block-size=n defines the "block size" for COSS cache_dir's.
#       Squid uses file numbers as block numbers.  Since file numbers
#       are limited to 24 bits, the block size determines the maximum
#       size of the COSS partition.  The default is 512 bytes, which
#       leads to a maximum cache_dir size of 512<<24, or 8 GB.  Note
#       you should not change the COSS block size after Squid
#       has written some objects to the cache_dir.
#
#       overwrite-percent=n defines the percentage of disk that COSS
#       must write to before a given object will be moved to the
#       current stripe.  A value of "n" closer to 100 will cause COSS
#       to waste less disk space by having multiple copies of an object
#       on disk, but will increase the chances of overwriting a popular
#       object as COSS overwrites stripes.  A value of "n" close to 0
#       will cause COSS to keep all current objects in the current COSS
#       stripe at the expense of the hit rate.  The default value of 50
#       will allow any given object to be stored on disk a maximum of
#       2 times.
#
#       max-stripe-waste=n defines the maximum amount of space that COSS
#       will waste in a given stripe (in bytes).  When COSS writes data
#       to disk, it will potentially waste up to "max-size" worth of disk
#       space for each 1MB of data written.  If "max-size" is set to a
#       large value (ie >256k), this could potentially result in large
#       amounts of wasted disk space. Setting this value to a lower value
#       (ie 64k or 32k) will result in a COSS disk refusing to cache
#       larger objects until the COSS stripe has been filled to within
#       "max-stripe-waste" of the maximum size (1MB).
#
#       membufs=n defines the number of "memory-only" stripes that COSS
#       will use.  When a cache hit is performed on a COSS stripe before
#       COSS has reached the overwrite-percent value for that object,
#       COSS will use a series of memory buffers to hold the object in
#       while the data is sent to the client.  This will define the maximum
#       number of memory-only buffers that COSS will use.  The default value

#       is 10, which will use a maximum of 10MB of memory for buffers.
#
#       maxfullbufs=n defines the maximum number of stripes a COSS partition
#       will have in memory waiting to be freed (either because the disk is
#       under load and the stripe is unwritten, or because clients are still
#       transferring data from objects using the memory).  In order to try
#       and maintain a good hit rate under load, COSS will reserve the last
#       2 full stripes for object hits. (ie a COSS cache_dir will reject
#       new objects when the number of full stripes is 2 less than maxfullbufs)
#
#       The null store type:
#
#       no options are allowed or required
#
#       Common options:
#
#       read-only, no new objects should be stored to this cache_dir
#
#       min-size=n, refers to the min object size this storedir will accept.
#       It's used to restrict a storedir to only store large objects
#       (e.g. aufs) while other storedirs are optimized for smaller objects
#       (e.g. COSS). Defaults to 0.
#
#       max-size=n, refers to the max object size this storedir supports.
#       It is used to initially choose the storedir to dump the object.
#       Note: To make optimal use of the max-size limits you should order
#       the cache_dir lines with the smallest max-size value first and the
#       ones with no max-size specification last.
#
#       Note that for coss, max-size must be less than COSS_MEMBUF_SZ
#       (hard coded at 1 MB).
#
#Default:
# cache_dir ufs /var/spool/squid 100 16 256

#  TAG: store_dir_select_algorithm
#       Set this to 'round-robin' as an alternative.
#
#Default:
# store_dir_select_algorithm least-load

#  TAG: max_open_disk_fds
#       To avoid having disk as the I/O bottleneck Squid can optionally
#       bypass the on-disk cache if more than this amount of disk file
#       descriptors are open.
#
#       A value of 0 indicates no limit.
#
#Default:
# max_open_disk_fds 0

#  TAG: minimum_object_size     (bytes)
#       Objects smaller than this size will NOT be saved on disk.  The
#       value is specified in kilobytes, and the default is 0 KB, which
#       means there is no minimum.
#
#Default:
# minimum_object_size 0 KB

#  TAG: maximum_object_size     (bytes)
#       Objects larger than this size will NOT be saved on disk.  The
#       value is specified in kilobytes, and the default is 4MB.  If
#       you wish to get a high BYTES hit ratio, you should probably
#       increase this (one 32 MB object hit counts for 3200 10KB
#       hits).  If you wish to increase speed more than you want to
#       save bandwidth you should leave this low.
#
#       NOTE: if using the LFUDA replacement policy you should increase
#       this value to maximize the byte hit rate improvement of LFUDA!
#       See replacement_policy below for a discussion of this policy.
#
#Default:
# maximum_object_size 4096 KB

#  TAG: cache_swap_low  (percent, 0-100)
#  TAG: cache_swap_high (percent, 0-100)
#
#       The low- and high-water marks for cache object replacement.
#       Replacement begins when the swap (disk) usage is above the
#       low-water mark and attempts to maintain utilization near the
#       low-water mark.  As swap utilization gets close to high-water
#       mark object eviction becomes more aggressive.  If utilization is
#       close to the low-water mark less replacement is done each time.
#
#       Defaults are 90% and 95%. If you have a large cache, 5% could be
#       hundreds of MB. If this is the case you may wish to set these
#       numbers closer together.
#
#Default:
# cache_swap_low 90
# cache_swap_high 95

# LOGFILE OPTIONS
#

#  TAG: logformat
#       Usage:
#
#       logformat <name> <format specification>

#       Defines an access log format.
#
#       The <format specification> is a string with embedded % format codes
#
#       % format codes all follow the same basic structure where all but
#       the formatcode is optional. Output strings are automatically escaped
#       as required according to their context and the output format
#       modifiers are usually not needed, but can be specified if an explicit
#       output format is desired.
#
#               % ["|[|'|#] [-] [[0]width] [{argument}] formatcode
#
#               "       output in quoted string format
#               [       output in squid text log format as used by log_mime_hdrs
#               #       output in URL quoted format
#               '       output as-is
#
#               -       left aligned
#               width   field width. If starting with 0 the
#                       output is zero padded
#               {arg}   argument such as header name etc
#
#       Format codes:
#
#               >a      Client source IP address
#               >A      Client FQDN
#               >p      Client source port
#               <A      Server IP address or peer name
#               la      Local IP address (http_port)
#               lp      Local port number (http_port)
#               ts      Seconds since epoch
#               tu      subsecond time (milliseconds)
#               tl      Local time. Optional strftime format argument
#                       default %d/%b/%Y:%H:%M:%S %z
#               tg      GMT time. Optional strftime format argument
#                       default %d/%b/%Y:%H:%M:%S %z
#               tr      Response time (milliseconds)
#               >h      Request header. Optional header name argument
#                       on the format header[:[separator]element]
#               <h      Reply header. Optional header name argument
#                       as for >h
#               un      User name
#               ul      User login name from authentication
#               ui      User name from ident
#               us      User name from SSL
#               ue      User name from external acl helper
#               Hs      HTTP status code
#               Ss      Squid request status (TCP_MISS etc)
#               Sh      Squid hierarchy status (DEFAULT_PARENT etc)

#               mt      MIME content type
#               rm      Request method (GET/POST etc)
#               ru      Request URL
#               rv      Request protocol version
#               ea      Log string returned by external acl
#               <st     Reply size including HTTP headers
#               >st     Request size including HTTP headers
#               st      Request+Reply size including HTTP headers
#               %       a literal % character
#
#logformat squid  %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt
#logformat squidmime  %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt [%>h] [%<h]
#logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st %Ss:%Sh
#logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
#
#Default:
# none

#  TAG: access_log
#       These files log client request activities. Has a line every HTTP or
#       ICP request. The format is:
#       access_log <filepath> [<logformat name> [acl acl ...]]
#       access_log none [acl acl ...]]
#
#       Will log to the specified file using the specified format (which
#       must be defined in a logformat directive) those entries which match
#       ALL the acl's specified (which must be defined in acl clauses).
#       If no acl is specified, all requests will be logged to this file.
#
#       To disable logging of a request use the filepath "none", in which case
#       a logformat name should not be specified.
#
#       To log the request via syslog specify a filepath of "syslog":
#
#       access_log syslog[:facility.priority] [format [acl1 [acl2 ....]]]
#       where facility could be any of:
#       authpriv, daemon, local0 .. local7 or user.
#
#       And priority could be any of:
#       err, warning, notice, info, debug.
#
#       Note: 2.6.STABLE14 and earlier only supports a slightly different
#       and undocumented format with all uppercase LOG_FACILITY|LOG_PRIORITY
access_log /var/log/squid/access.log squid

#  TAG: log_access      allow|deny acl acl...
#       This option allows you to control which requests get logged
#       to access.log (see access_log directive). Requests denied for

#       logging will also not be accounted for in performance counters.
#
#Default:
# none

#  TAG: cache_log
#       Cache logging file. This is where general information about
#       your cache's behavior goes. You can increase the amount of data
#       logged to this file with the "debug_options" tag below.
#
#Default:
# cache_log /var/log/squid/cache.log

#  TAG: cache_store_log
#       Logs the activities of the storage manager.  Shows which
#       objects are ejected from the cache, and which objects are
#       saved and for how long.  To disable, enter "none". There are
#       not really utilities to analyze this data, so you can safely
#       disable it.
#
#Default:
# cache_store_log /var/log/squid/store.log

#  TAG: cache_swap_state
#       Location for the cache "swap.state" file. This index file holds
#       the metadata of objects saved on disk.  It is used to rebuild
#       the cache during startup.  Normally this file resides in each
#       'cache_dir' directory, but you may specify an alternate
#       pathname here.  Note you must give a full filename, not just
#       a directory. Since this is the index for the whole object
#       list you CANNOT periodically rotate it!
#
#       If %s can be used in the file name it will be replaced with
#       a representation of the cache_dir name where each / is replaced
#       with '.'. This is needed to allow adding/removing cache_dir
#       lines when cache_swap_log is being used.
#
#       If you have more than one 'cache_dir', and %s is not used in the name
#       these swap logs will have names such as:
#
#               cache_swap_log.00
#               cache_swap_log.01
#               cache_swap_log.02
#
#       The numbered extension (which is added automatically)
#       corresponds to the order of the 'cache_dir' lines in this
#       configuration file.  If you change the order of the 'cache_dir'
#       lines in this file, these index files will NOT correspond to
#       the correct 'cache_dir' entry (unless you manually rename
#       them).  We recommend you do NOT use this option.  It is

#       better to keep these index files in each 'cache_dir' directory.
#
#Default:
# none

#  TAG: logfile_rotate
#       Specifies the number of logfile rotations to make when you
#       type 'squid -k rotate'.  The default is 10, which will rotate
#       with extensions 0 through 9.  Setting logfile_rotate to 0 will
#       disable the file name rotation, but the logfiles are still closed
#       and reopened.  This will enable you to rename the logfiles
#       yourself just before sending the rotate signal.
#
#       Note, the 'squid -k rotate' command normally sends a USR1
#       signal to the running squid process.  In certain situations
#       (e.g. on Linux with Async I/O), USR1 is used for other
#       purposes, so -k rotate uses another signal.  It is best to get
#       in the habit of using 'squid -k rotate' instead of 'kill -USR1
#       <pid>'.
#
#       Note2, for Debian/Linux the default of logfile_rotate is
#       zero, since it includes external logfile rotation methods.
#
#Default:
# logfile_rotate 0

#  TAG: emulate_httpd_log       on|off
#       The Cache can emulate the log file format which many 'httpd'
#       programs use.  To disable/enable this emulation, set
#       emulate_httpd_log to 'off' or 'on'.  The default
#       is to use the native log format since it includes useful
#       information Squid-specific log analyzers use.
#
#Default:
# emulate_httpd_log off

#  TAG: log_ip_on_direct        on|off
#       Log the destination IP address in the hierarchy log tag when going
#       direct. Earlier Squid versions logged the hostname here. If you
#       prefer the old way set this to off.
#
#Default:
# log_ip_on_direct on

#  TAG: mime_table
#       Pathname to Squid's MIME table.  You shouldn't need to change
#       this, but the default file contains examples and formatting
#       information if you do.
#
#Default:

# mime_table /usr/share/squid/mime.conf

#  TAG: log_mime_hdrs	on|off
#	The Cache can record both the request and the response MIME
#	headers for each HTTP transaction. The headers are encoded
#	safely and will appear as two bracketed fields at the end of
#	the access log (for either the native or httpd-emulated log
#	formats). To enable this logging set log_mime_hdrs to 'on'.
#
#Default:
# log_mime_hdrs off

#  TAG: useragent_log
#	Squid will write the User-Agent field from HTTP requests
#	to the filename specified here. By default useragent_log
#	is disabled.
#
#Default:
# none

#  TAG: referer_log
#	Squid will write the Referer field from HTTP requests to the
#	filename specified here. By default referer_log is disabled.
#	Note that "referer" is actually a misspelling of "referrer",
#	however the misspelt version has been accepted into the HTTP RFCs
#	and we accept both.
#
#Default:
# none

#  TAG: pid_filename
#	A filename to write the process-id to. To disable, enter "none".
#
#Default:
# pid_filename /var/run/squid.pid

#  TAG: debug_options
#	Logging options are set as section,level where each source file
#	is assigned a unique section. Lower levels result in less
#	output. Full debugging (level 9) can result in a very large
#	log file, so be careful. The magic word "ALL" sets debugging
#	levels for all sections. We recommend normally running with
#	"ALL,1".
#
#Default:
# debug_options ALL,1

#  TAG: log_fqdn	on|off
#	Turn this on if you wish to log fully qualified domain names
#	in the access.log. To do this Squid does a DNS lookup of all
#	IP's connecting to it. This can (in some situations) increase
#	latency, which makes your cache seem slower for interactive
#	browsing.
#
#Default:
# log_fqdn off

#  TAG: client_netmask
#	A netmask for client addresses in logfiles and cachemgr output.
#	Change this to protect the privacy of your cache clients.
#	A netmask of 255.255.255.0 will log all IP's in that range with
#	the last digit set to '0'.
#
#Default:
# client_netmask 255.255.255.255

#  TAG: forward_log
# Note: This option is only available if Squid is rebuilt with the
#       --enable-forward-log option
#
#	Logs the server-side requests.
#
#	This is currently work in progress.
#
#Default:
# none

#  TAG: strip_query_terms
#	By default, Squid strips query terms from requested URLs before
#	logging. This protects your users' privacy, since query strings
#	frequently carry session identifiers and other sensitive values.
#
#Default:
# strip_query_terms on

#  TAG: buffered_logs	on|off
#	cache.log log file is written with stdio functions, and as such
#	it can be buffered or unbuffered. By default it will be unbuffered.
#	Buffering it can speed up the writing slightly (though you are
#	unlikely to need to worry unless you run with tons of debugging
#	enabled, in which case performance will suffer badly anyway).
#
#Default:
# buffered_logs off


# OPTIONS FOR FTP GATEWAYING
# -----------------------------------------------------------------------------

#  TAG: ftp_user
#	If you want the anonymous login password to be more informative
#	(and enable the use of picky ftp servers), set this to something
#	reasonable for your domain, like wwwuser@somewhere.net
#
#	The reason why this is domainless by default is that the
#	request can be made on the behalf of a user in any domain,
#	depending on how the cache is used.
#	Some ftp servers also validate that the email address is valid
#	(for example perl.com).
#
#Default:
# ftp_user Squid@

#  TAG: ftp_list_width
#	Sets the width of ftp listings. This should be set to fit in
#	the width of a standard browser. Setting this too small
#	can cut off long filenames when browsing ftp sites.
#
#Default:
# ftp_list_width 32

#  TAG: ftp_passive
#	If your firewall does not allow Squid to use passive
#	connections, turn off this option.
#
#Default:
# ftp_passive on

#  TAG: ftp_sanitycheck
#	For security and data integrity reasons Squid by default performs
#	sanity checks of the addresses of FTP data connections to ensure the
#	data connection is to the requested server. If you need to allow
#	FTP connections to servers using another IP address for the data
#	connection turn this off. Be aware that doing so lets a server
#	direct Squid's data connection to a third party of its choosing.
#
#Default:
# ftp_sanitycheck on

#  TAG: ftp_telnet_protocol
#	The FTP protocol is officially defined to use the telnet protocol
#	as transport channel for the control connection. However, many
#	implementations are broken and do not respect this aspect of
#	the FTP protocol.
#
#	If you have trouble accessing files with ASCII code 255 in the
#	path or similar problems involving this ASCII code you can
#	try setting this directive to off. If that helps, report to the
#	operator of the FTP server in question that their FTP server
#	is broken and does not follow the FTP standard.
#
#Default:
# ftp_telnet_protocol on


# OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
# -----------------------------------------------------------------------------

#  TAG: diskd_program
#	Specify the location of the diskd executable.
#	Note this is only useful if you have compiled in
#	diskd as one of the store io modules.
#
#Default:
# diskd_program /usr/lib/squid/diskd-daemon

#  TAG: unlinkd_program
#	Specify the location of the executable for the file deletion process.
#
#Default:
# unlinkd_program /usr/lib/squid/unlinkd

#  TAG: pinger_program
# Note: This option is only available if Squid is rebuilt with the
#       --enable-icmp option
#
#	Specify the location of the executable for the pinger process.
#
#Default:
# pinger_program /usr/lib/squid/pinger


# OPTIONS FOR URL REWRITING
# -----------------------------------------------------------------------------

#  TAG: url_rewrite_program
#	Specify the location of the executable for the URL rewriter.
#	Since they can perform almost any function there isn't one included.
#
#	For each requested URL the rewriter will receive one line with the format
#
#	URL <SP> client_ip "/" fqdn <SP> user <SP> method <SP> urlgroup <NL>
#
#	And the rewriter may return a rewritten URL. The other components of
#	the request line do not need to be returned (ignored if they are).
#
#	The rewriter can also indicate that a client-side redirect should
#	be performed to the new URL. This is done by prefixing the returned
#	URL with "301:" (moved permanently) or "302:" (moved temporarily).
#
#	It can also return a "urlgroup" that can subsequently be matched
#	in cache_peer_access and similar ACL driven rules. An urlgroup is
#	returned by prefixing the returned URL with "!urlgroup!".
#
#	By default, a URL rewriter is not used.
#
#Default:
# none

#  TAG: url_rewrite_children
#	The number of redirector processes to spawn. If you start
#	too few Squid will have to wait for them to process a backlog of
#	URLs, slowing it down. If you start too many they will use RAM
#	and other system resources.
#
#Default:
# url_rewrite_children 5

#  TAG: url_rewrite_concurrency
#	The number of requests each redirector helper can handle in
#	parallel. Defaults to 0 which indicates the redirector
#	is an old-style single threaded redirector.
#
#	When this directive is set to a value >= 1 then the protocol
#	used to communicate with the helper is modified to include
#	a request ID in front of the request/response. The request
#	ID from the request must be echoed back with the response
#	to that request.
#
#Default:
# url_rewrite_concurrency 0

#  TAG: url_rewrite_host_header
#	By default Squid rewrites any Host: header in redirected
#	requests. If you are running an accelerator this may
#	not be a wanted effect of a redirector.
#
#	WARNING: Entries are cached on the result of the URL rewriting
#	process, so be careful if you have domain-virtual hosts.
#
#Default:
# url_rewrite_host_header on

#  TAG: url_rewrite_access
#	If defined, this access list specifies which requests are
#	sent to the redirector processes. By default all requests
#	are sent.
#
#Default:
# none

#  TAG: redirector_bypass
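# The helper protocol described under url_rewrite_program and
# url_rewrite_concurrency above, as an added example helper. This is not
# code shipped with Squid; the block-page URL, the BLOCKED host set and the
# MIRRORS table are a made-up policy. It reads the documented request line,
# optionally strips and echoes the request ID that url_rewrite_concurrency
# adds, and answers with a plain rewrite, a "302:" client-side redirect or
# a "!urlgroup!" tag. Run it with "--concurrent" when
# url_rewrite_concurrency is 1 or more.

```python
#!/usr/bin/env python3
"""Squid 2.6 url_rewrite_program helper (added example, not Squid's code).

Request line without concurrency:
    URL <SP> client_ip "/" fqdn <SP> user <SP> method <SP> urlgroup <NL>
With url_rewrite_concurrency >= 1 a request ID precedes the URL and must
be echoed back in front of the reply.
"""
import sys
from urllib.parse import urlsplit

# Constructed example policy (hypothetical names, not part of Squid).
BLOCK_PAGE = "http://proxy.example.internal/blocked.html"
BLOCKED = {"ads.example.com", "tracker.example.net"}
MIRRORS = {"ftp.debian.org": "mirror.example.internal"}


def rewrite(url, client, user, method, urlgroup):
    """Decide the reply for one request; "" means leave the URL alone."""
    if method == "CONNECT":
        # CONNECT carries host:port rather than a URL; never rewrite it.
        return ""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in BLOCKED:
        # "302:" makes Squid redirect the client instead of fetching
        # the new URL on the client's behalf.
        return "302:" + BLOCK_PAGE
    if host in MIRRORS:
        netloc = MIRRORS[host]
        if parts.port:
            netloc += ":%d" % parts.port
        new_url = parts._replace(netloc=netloc).geturl()
        # Tag the request with a urlgroup for cache_peer_access rules.
        return "!mirror!" + new_url
    return ""


def handle_line(line, concurrent):
    """Parse one request line and build the reply line Squid expects."""
    fields = line.rstrip("\n").split(" ")
    channel = ""
    if concurrent:
        channel, fields = fields[0], fields[1:]
    url, client, user, method = fields[:4]
    urlgroup = fields[4] if len(fields) > 4 else ""
    reply = rewrite(url, client, user, method, urlgroup)
    # With concurrency the ID is echoed even when the reply is blank.
    return (channel + " " + reply).strip() if concurrent else reply


def main():
    concurrent = "--concurrent" in sys.argv[1:]
    for line in sys.stdin:
        sys.stdout.write(handle_line(line, concurrent) + "\n")
        sys.stdout.flush()  # Squid blocks on each reply; never buffer


if __name__ == "__main__":
    main()
```

# The flush after every reply matters: a helper that buffers stdout stalls
# the redirector queue, and with redirector_bypass on that stall turns
# into an access-control bypass rather than a slowdown.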

#	When this is 'on', a request will not go through the
#	redirector if all redirectors are busy. If this is 'off'
#	and the redirector queue grows too large, Squid will exit
#	with a FATAL error and ask you to increase the number of
#	redirectors. You should only enable this if the redirectors
#	are not critical to your caching system. If you use
#	redirectors for access control, and you enable this option,
#	users may have access to pages they should not
#	be allowed to request.
#
#Default:
# redirector_bypass off

#  TAG: location_rewrite_program
#	Specify the location of the executable for the Location rewriter,
#	used to rewrite server generated redirects. Usually used in
#	conjunction with a url_rewrite_program.
#
#	For each Location header received the location rewriter will receive
#	one line with the format:
#
#	location URL <SP> requested URL <SP> urlgroup <NL>
#
#	And the rewriter may return a rewritten Location URL or a blank line.
#	The other components of the request line do not need to be returned
#	(ignored if they are).
#
#	By default, a Location rewriter is not used.
#
#Default:
# none

#  TAG: location_rewrite_children
#	The number of location rewriting processes to spawn. If you start
#	too few Squid will have to wait for them to process a backlog of
#	URLs, slowing it down. If you start too many they will use RAM
#	and other system resources.
#
#Default:
# location_rewrite_children 5

#  TAG: location_rewrite_concurrency
#	The number of requests each Location rewriter helper can handle in
#	parallel. Defaults to 0 which indicates that the helper
#	is an old-style single threaded helper.
#
#Default:
# location_rewrite_concurrency 0

#  TAG: location_rewrite_access
#	If defined, this access list specifies which requests are
#	sent to the location rewriting processes. By default all Location
#	headers are sent.
#
#Default:
# none


# OPTIONS FOR TUNING THE CACHE
# -----------------------------------------------------------------------------

#  TAG: cache
#	A list of ACL elements which, if matched, cause the request to
#	not be satisfied from the cache and the reply to not be cached.
#	In other words, use this to force certain objects to never be cached.
#
#	You must use the word 'DENY' to indicate the ACL names which should
#	NOT be cached.
#
#	Default is to allow all to be cached
#We recommend you to use the following two lines.
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY

#  TAG: refresh_pattern
#	usage: refresh_pattern [-i] regex min percent max [options]
#
#	By default, regular expressions are CASE-SENSITIVE. To make
#	them case-insensitive, use the -i option.
#
#	'Min' is the time (in minutes) an object without an explicit
#	expiry time should be considered fresh. The recommended
#	value is 0; any higher value may cause dynamic applications
#	to be erroneously cached unless the application designer
#	has taken the appropriate actions.
#
#	'Percent' is a percentage of the object's age (time since last
#	modification age) an object without explicit expiry time
#	will be considered fresh.
#
#	'Max' is an upper limit on how long objects without an explicit
#	expiry time will be considered fresh.
#
#	options: override-expire
#		 override-lastmod
#		 reload-into-ims
#		 ignore-reload
#		 ignore-no-cache
#		 ignore-private
#		 ignore-auth
#
#		override-expire enforces min age even if the server
#		sent an Expires: header. Doing this VIOLATES the HTTP
#		standard. Enabling this feature could make you liable
#		for problems which it causes.
#
#		override-lastmod enforces min age even on objects
#		that were modified recently.
#
#		reload-into-ims changes client no-cache or ``reload''
#		to If-Modified-Since requests. Doing this VIOLATES the
#		HTTP standard. Enabling this feature could make you
#		liable for problems which it causes.
#
#		ignore-reload ignores a client no-cache or ``reload''
#		header. Doing this VIOLATES the HTTP standard. Enabling
#		this feature could make you liable for problems which
#		it causes.
#
#		ignore-no-cache ignores any ``Pragma: no-cache'' and
#		``Cache-control: no-cache'' headers received from a server.
#		The HTTP RFC never allows the use of this (Pragma) header
#		from a server, only a client, though plenty of servers
#		send it anyway.
#
#		ignore-private ignores any ``Cache-control: private''
#		headers received from a server. Doing this VIOLATES
#		the HTTP standard. Enabling this feature could make you
#		liable for problems which it causes, and it can serve one
#		user's private response to another.
#
#		ignore-auth caches responses to requests with authorization,
#		as if the origin server had sent ``Cache-control: public''
#		in the response header. Doing this VIOLATES the HTTP standard.
#		Enabling this feature could make you liable for problems which
#		it causes, and it can serve authenticated content to
#		unauthenticated clients.
#
#	Basically a cached object is:
#
#		FRESH if now < expires, else STALE
#		STALE if age > max
#		FRESH if lm-factor < percent, else STALE
#		FRESH if age < min
#		else STALE
#
#	The refresh_pattern lines are checked in the order listed here.
#	The first entry which matches is used. If none of the entries
#	match the default will be used.
#
#	Note, you must uncomment all the default lines if you want
#	to change one. The default setting is only active if none is
#	used.
#
#Suggested default:
refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern .		0	20%	4320

#  TAG: quick_abort_min	(KB)
#  TAG: quick_abort_max	(KB)
#  TAG: quick_abort_pct	(percent)
#	The cache by default continues downloading aborted requests
#	which are almost completed (less than 16 KB remaining). This
#	may be undesirable on slow (e.g. SLIP) links and/or very busy
#	caches. Impatient users may tie up file descriptors and
#	bandwidth by repeatedly requesting and immediately aborting
#	downloads.
#
#	When the user aborts a request, Squid will check the
#	quick_abort values against the amount of data transferred until
#	then.
#
#	If the transfer has less than 'quick_abort_min' KB remaining,
#	it will finish the retrieval.
#
#	If the transfer has more than 'quick_abort_max' KB remaining,
#	it will abort the retrieval.
#
#	If more than 'quick_abort_pct' of the transfer has completed,
#	it will finish the retrieval.
#
#	If you do not want any retrieval to continue after the client
#	has aborted, set both 'quick_abort_min' and 'quick_abort_max'
#	to '0 KB'.
#
#	If you want retrievals to always continue if they are being
#	cached set 'quick_abort_min' to '-1 KB'.
#
#Default:
# quick_abort_min 16 KB
# quick_abort_max 16 KB
# quick_abort_pct 95

#  TAG: read_ahead_gap	buffer-size
#	The amount of data the cache will buffer ahead of what has been
#	sent to the client when retrieving an object from another server.
#
#Default:
# read_ahead_gap 16 KB

#  TAG: negative_ttl	time-units
#	Time-to-Live (TTL) for failed requests. Certain types of
#	failures (such as "connection refused" and "404 Not Found") are
#	negatively-cached for a configurable amount of time. The
#	default is 5 minutes. Note that this is different from
#	negative caching of DNS lookups.
#
#Default:
# negative_ttl 5 minutes

#  TAG: positive_dns_ttl	time-units
#	Upper limit on how long Squid will cache positive DNS responses.
#	Default is 6 hours (360 minutes). This directive must be set
#	larger than negative_dns_ttl.
#
#Default:
# positive_dns_ttl 6 hours

#  TAG: negative_dns_ttl	time-units
#	Time-to-Live (TTL) for negative caching of failed DNS lookups.
#	This also sets the lower cache limit on positive lookups.
#	Minimum value is 1 second, and it is not recommended to go
#	much below 10 seconds.
#
#Default:
# negative_dns_ttl 1 minute

#  TAG: range_offset_limit	(bytes)
#	Sets an upper limit on how far into the file a Range request
#	may be to cause Squid to prefetch the whole file. If beyond this
#	limit Squid forwards the Range request as it is and the result
#	is NOT cached.
#
#	This is to stop a far ahead range request (let's say start at 17MB)
#	from making Squid fetch the whole object up to that point before
#	sending anything to the client.
#
#	A value of -1 causes Squid to always fetch the object from the
#	beginning so it may cache the result. (2.0 style)
#
#	A value of 0 causes Squid to never fetch more than the
#	client requested. (default)
#
#Default:
# range_offset_limit 0 KB

#  TAG: minimum_expiry_time	(seconds)
#	The minimum caching time according to (Expires - Date)
#	headers Squid honors if the object can't be revalidated,
#	defaults to 60 seconds. In reverse proxy environments it
#	might be desirable to honor shorter object lifetimes. It
#	is most likely better to make your server return a
#	meaningful Last-Modified header however.
#
#Default:
# minimum_expiry_time 60 seconds

#  TAG: store_avg_object_size	(kbytes)
#	Average object size, used to estimate number of objects your
#	cache can hold. The default is 13 KB.
#
#Default:
# store_avg_object_size 13 KB

#  TAG: store_objects_per_bucket
#	Target number of objects per bucket in the store hash table.
#	Lowering this value increases the total number of buckets and
#	also the storage maintenance rate. The default is 20.
#
#Default:
# store_objects_per_bucket 20


# HTTP OPTIONS
# -----------------------------------------------------------------------------

#  TAG: request_header_max_size	(KB)
#	This specifies the maximum size for HTTP headers in a request.
#	Request headers are usually relatively small (about 512 bytes).
#	Placing a limit on the request header size will catch certain
#	bugs (for example with persistent connections) and possibly
#	buffer-overflow or denial-of-service attacks.
#
#Default:
# request_header_max_size 20 KB

#  TAG: reply_header_max_size	(KB)
#	This specifies the maximum size for HTTP headers in a reply.
#	Reply headers are usually relatively small (about 512 bytes).
#	Placing a limit on the reply header size will catch certain
#	bugs (for example with persistent connections) and possibly
#	buffer-overflow or denial-of-service attacks.
#
#Default:
# reply_header_max_size 20 KB

#  TAG: request_body_max_size	(KB)
#	This specifies the maximum size for an HTTP request body.
#	In other words, the maximum size of a PUT/POST request.
#	A user who attempts to send a request with a body larger
#	than this limit receives an "Invalid Request" error message.
#	If you set this parameter to zero (the default), there will
#	be no limit imposed.
#
#Default:
# request_body_max_size 0 KB

#  TAG: broken_posts
#	A list of ACL elements which, if matched, causes Squid to send
#	an extra CRLF pair after the body of a PUT/POST request.
#
#	Some HTTP servers have broken implementations of PUT/POST,
#	and rely on an extra CRLF pair sent by some WWW clients.
#
#	Quote from RFC2616 section 4.1 on this matter:
#
#	  Note: certain buggy HTTP/1.0 client implementations generate an
#	  extra CRLF's after a POST request. To restate what is explicitly
#	  forbidden by the BNF, an HTTP/1.1 client must not preface or follow
#	  a request with an extra CRLF.
#
#Example:
# acl buggy_server url_regex ^http://....
# broken_posts allow buggy_server
#
#Default:
# none

#  TAG: via	on|off
#	If set (default), Squid will include a Via header in requests and
#	replies as required by RFC2616.
#
#Default:
# via on

#  TAG: cache_vary
#	Set to off to disable caching of Vary: in objects.
#
#Default:
# cache_vary on

#  TAG: broken_vary_encoding
#	Many servers have broken support for on-the-fly Content-Encoding,
#	returning the same ETag on both plain and gzip:ed variants.
#	Vary replies matching this access list will have the cache split
#	on the Accept-Encoding header of the request and not trusting the
#	ETag to be unique.
#
# Apache mod_gzip and mod_deflate known to be broken so don't trust
# Apache to signal ETag correctly on such responses
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache

#  TAG: collapsed_forwarding	(on|off)
#	This option enables multiple requests for the same URI to be
#	processed as one request. Normally disabled to avoid increased
#	latency on dynamic content, but there can be benefit from enabling
#	this in accelerator setups where the web servers are the bottleneck
#	and reliable and return mostly cacheable information.
#
#Default:
# collapsed_forwarding off

#  TAG: refresh_stale_hit	(time)
#	This option changes the refresh algorithm to allow concurrent
#	requests while an object is being refreshed to be processed as
#	cache hits if the object expired less than X seconds ago. Default
#	is 0 to disable this feature. This option is mostly interesting
#	in accelerator setups where a few objects are accessed very
#	frequently.
#
#Default:
# refresh_stale_hit 0 seconds

#  TAG: ie_refresh	on|off
#	Microsoft Internet Explorer up until version 5.5 Service
#	Pack 1 has an issue with transparent proxies, wherein it
#	is impossible to force a refresh. Turning this on provides
#	a partial fix to the problem, by causing all IMS-REFRESH
#	requests from older IE versions to check the origin server
#	for fresh content. This reduces hit ratio by some amount
#	(~10% in my experience), but allows users to actually get
#	fresh content when they want it. Note because Squid
#	cannot tell if the user is using 5.5 or 5.5SP1, the behavior
#	of 5.5 is unchanged from old versions of Squid (i.e. a
#	forced refresh is impossible). Newer versions of IE will,
#	hopefully, continue to have the new behavior and will be
#	handled based on that assumption. This option defaults to
#	the old Squid behavior, which is better for hit ratios but
#	worse for clients using IE, if they need to be able to
#	force fresh content.
#
#Default:
# ie_refresh off

#  TAG: vary_ignore_expire	on|off
#	Many HTTP servers supporting Vary give such objects
#	immediate expiry time with no cache-control header
#	when requested by a HTTP/1.0 client. This option
#	enables Squid to ignore such expiry times until
#	HTTP/1.1 is fully implemented.
#	WARNING: This may eventually cause some varying
#	objects not intended for caching to get cached.
#
#Default:
# vary_ignore_expire off

#  TAG: extension_methods
#	Squid only knows about standardized HTTP request methods.
#	You can add up to 20 additional "extension" methods here.
extension_methods REPORT MERGE MKACTIVITY CHECKOUT

#  TAG: request_entities
#	Squid defaults to deny GET and HEAD requests with request entities,
#	as the meaning of such requests is undefined in the HTTP standard
#	even if not explicitly forbidden.
#
#	Set this directive to on if you have clients which insist
#	on sending request entities in GET or HEAD requests. But be warned
#	that there is server software (both proxies and web servers) which
#	can fail to properly process this kind of request, which may make you
#	vulnerable to cache pollution attacks if enabled.
#
#Default:
# request_entities off

#  TAG: header_access
#	Usage: header_access header_name allow|deny [!]aclname ...
#
#	WARNING: Doing this VIOLATES the HTTP standard. Enabling
#	this feature could make you liable for problems which it
#	causes.
#
#	This option replaces the old 'anonymize_headers' and the
#	older 'http_anonymizer' option with something that is much
#	more configurable. This new method creates a list of ACLs
#	for each header, allowing you very fine-tuned header
#	mangling.
#
#	You can only specify known headers for the header name.
#	Other headers are reclassified as 'Other'. You can also
#	refer to all the headers with 'All'.
#
#	For example, to achieve the same behavior as the old
#	'http_anonymizer standard' option, you should use:
#
#		header_access From deny all
#		header_access Referer deny all
#		header_access Server deny all
#		header_access User-Agent deny all
#		header_access WWW-Authenticate deny all
#		header_access Link deny all
#
#	Or, to reproduce the old 'http_anonymizer paranoid' feature
#	you should use:
#
#		header_access Allow allow all
#		header_access Authorization allow all
#		header_access WWW-Authenticate allow all
#		header_access Proxy-Authorization allow all
#		header_access Proxy-Authenticate allow all
#		header_access Cache-Control allow all
#		header_access Content-Encoding allow all
#		header_access Content-Length allow all
#		header_access Content-Type allow all
#		header_access Date allow all
#		header_access Expires allow all
#		header_access Host allow all
#		header_access If-Modified-Since allow all
#		header_access Last-Modified allow all
#		header_access Location allow all
#		header_access Pragma allow all
#		header_access Accept allow all
#		header_access Accept-Charset allow all
#		header_access Accept-Encoding allow all
#		header_access Accept-Language allow all
#		header_access Content-Language allow all
#		header_access Mime-Version allow all
#		header_access Retry-After allow all
#		header_access Title allow all
#		header_access Connection allow all
#		header_access Proxy-Connection allow all
#		header_access All deny all
#
#	By default, all headers are allowed (no anonymizing is
#	performed).
#
#Default:
# none

#  TAG: header_replace
#	Usage:   header_replace header_name message
#	Example: header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit)
#
#	This option allows you to change the contents of headers
#	denied with header_access above, by replacing them with
#	some fixed string. This replaces the old fake_user_agent
#	option.
#
#	By default, headers are removed if denied.
#
#Default:
# none

#  TAG: relaxed_header_parser	on|off|warn
#	In the default "on" setting Squid accepts certain forms
#	of non-compliant HTTP messages where it is unambiguous
#	what the sending application intended even if the message
#	is not correctly formatted. The message is then normalized
#	to the correct form when forwarded by Squid.
#
#	If set to "warn" then a warning will be emitted in cache.log
#	each time such an HTTP error is encountered.
#
#	If set to "off" then such HTTP errors will cause the request
#	or response to be rejected.
#
#Default:
# relaxed_header_parser on


# TIMEOUTS
# -----------------------------------------------------------------------------

#  TAG: forward_timeout	time-units
#	This parameter specifies how long Squid should at most attempt
#	finding a forwarding path for the request before giving up.
#
#Default:
# forward_timeout 4 minutes

#  TAG: connect_timeout	time-units
#	This parameter specifies how long to wait for the TCP connect to
#	the requested server or peer to complete before Squid should
#	attempt to find another path where to forward the request.
#
#Default:
# connect_timeout 1 minute

#  TAG: peer_connect_timeout	time-units
#	This parameter specifies how long to wait for a pending TCP
#	connection to a peer cache. The default is 30 seconds. You
#	may also set different timeout values for individual neighbors
#	with the 'connect-timeout' option on a 'cache_peer' line.
#
#Default:
# peer_connect_timeout 30 seconds

#  TAG: read_timeout	time-units
#	The read_timeout is applied on server-side connections. After
#	each successful read(), the timeout will be extended by this
#	amount. If no data is read again after this amount of time,
#	the request is aborted and logged with ERR_READ_TIMEOUT. The
#	default is 15 minutes.
#
#Default:
# read_timeout 15 minutes

#  TAG: request_timeout
#	How long to wait for an HTTP request after initial
#	connection establishment.
#
#Default:
# request_timeout 5 minutes

#  TAG: persistent_request_timeout
#	How long to wait for the next HTTP request on a persistent
#	connection after the previous request completes.
#
#Default:
# persistent_request_timeout 2 minutes

#  TAG: client_lifetime	time-units
#	The maximum amount of time a client (browser) is allowed to
#	remain connected to the cache process. This protects the Cache
#	from having a lot of sockets (and hence file descriptors) tied up
#	in a CLOSE_WAIT state from remote clients that go away without
#	properly shutting down (either because of a network failure or
#	because of a poor client implementation). The default is one
#	day, 1440 minutes.
#
#	NOTE: The default value is intended to be much larger than any
#	client would ever need to be connected to your cache. You
#	should probably change client_lifetime only as a last resort.
#	If you seem to have many client connections tying up
#	filedescriptors, we recommend first tuning the read_timeout,
#	request_timeout, persistent_request_timeout and quick_abort values.
#
#Default:
# client_lifetime 1 day

#  TAG: half_closed_clients
#	Some clients may shutdown the sending side of their TCP
#	connections, while leaving their receiving sides open. Sometimes,
#	Squid can not tell the difference between a half-closed and a
#	fully-closed TCP connection. By default, half-closed client
#	connections are kept open until a read(2) or write(2) on the
#	socket returns an error. Change this option to 'off' and Squid
#	will immediately close client connections when read(2) returns
#	"no more data to read."
#
#Default:
# half_closed_clients on

#  TAG: pconn_timeout
#	Timeout for idle persistent connections to servers and other
#	proxies.
#
#Default:
# pconn_timeout 1 minute

#  TAG: ident_timeout
#	Maximum time to wait for IDENT lookups to complete.
#
#	If this is too high, and you enabled IDENT lookups from untrusted
#	users, you might be susceptible to denial-of-service by having
#	many ident requests going at once.
#
#Default:
# ident_timeout 10 seconds

#  TAG: shutdown_lifetime	time-units
#	When SIGTERM or SIGHUP is received, the cache is put into
#	"shutdown pending" mode until all active sockets are closed.
#	This value is the lifetime to set for all open descriptors
#	during shutdown mode. Any active clients after this many
#	seconds will receive a 'timeout' message.
#
#Default:
# shutdown_lifetime 30 seconds


# ADMINISTRATIVE PARAMETERS
# -----------------------------------------------------------------------------

#  TAG: cache_mgr
#	Email-address of local cache manager who will receive
#	mail if the cache dies. The default is "webmaster".
#
#Default:
# cache_mgr webmaster

#  TAG: mail_from
#	From: email-address for mail sent when the cache dies.
#	The default is to use 'appname@unique_hostname'.
#	Default appname value is "squid", can be changed in
#	src/globals.h before building squid.
#
#Default:
# none
#  TAG: mail_program
#	Email program used to send mail if the cache dies.
#	The default is "mail". The specified program must comply
#	with the standard Unix mail syntax:
#	  mail-program recipient < mailfile
#
#	Optional command line options can be specified.
#
#Default:
# mail_program mail

#  TAG: cache_effective_user
#	If you start Squid as root, it will change its effective/real
#	UID/GID to the user specified below. The default is to change
#	the UID to proxy. If you define cache_effective_user, but not
#	cache_effective_group, Squid sets the GID to the effective
#	user's default group ID (taken from the password file) and the
#	supplementary group list from the group memberships of
#	cache_effective_user.
#
#Default:
# cache_effective_user proxy

#  TAG: cache_effective_group
#	If you want Squid to run with a specific GID regardless of
#	the group memberships of the effective user then set this
#	to the group (or GID) you want Squid to run as. When set,
#	all other group privileges of the effective user are ignored
#	and only this GID is effective. If Squid is not started as
#	root the user starting Squid must be a member of the specified
#	group.
#
#Default:
# none

#  TAG: httpd_suppress_version_string	on|off
#	Suppress Squid version string info in HTTP headers and HTML error pages.
#
#Default:
# httpd_suppress_version_string off

#  TAG: visible_hostname
#	If you want to present a special hostname in error messages, etc,
#	define this. Otherwise, the return value of gethostname()
#	will be used. If you have multiple caches in a cluster and
#	get errors about IP-forwarding you must set them to have individual
#	names with this setting.
#
#Default:
# none
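# An audit of the security-relevant directives in this file, as an added
# example and not a tool that ships with Squid. It covers
# cache_effective_user, umask and httpd_suppress_version_string from this
# part of the file, together with redirector_bypass, request_entities,
# request_body_max_size, strip_query_terms, ftp_sanitycheck and the
# ignore-private / ignore-auth refresh_pattern options described earlier.
# The defaults it falls back on are the 2.6.STABLE18 defaults printed in
# this file; the WEAK and HARDENED configurations are constructed samples
# (the /usr/local/bin/rewrite.py path in WEAK is hypothetical).

```python
"""Audit a squid.conf for the hardening directives documented in this file.
Added example; not part of Squid."""

# Documented 2.6.STABLE18 defaults, used when a directive is absent.
DEFAULTS = {
    "cache_effective_user": "proxy",
    "httpd_suppress_version_string": "off",
    "umask": "027",
    "redirector_bypass": "off",
    "request_entities": "off",
    "request_body_max_size": "0 KB",
    "strip_query_terms": "on",
    "ftp_sanitycheck": "on",
}


def parse(text):
    """Map directive -> list of values, keeping every occurrence in order."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0], []).append(parts[1] if len(parts) > 1 else "")
    return conf


def setting(conf, name):
    """Last occurrence wins for single-valued directives; else the default."""
    return conf.get(name, [DEFAULTS.get(name, "")])[-1]


def audit(text):
    """Return a list of findings (empty when none of the checks fire)."""
    conf = parse(text)
    findings = []
    if setting(conf, "cache_effective_user") == "root":
        findings.append("cache_effective_user root: Squid never drops privileges")
    if setting(conf, "httpd_suppress_version_string") != "on":
        findings.append("httpd_suppress_version_string off: version leaks in headers and error pages")
    umask = int(setting(conf, "umask"), 8)
    if umask & 0o027 != 0o027:      # group-write or any 'other' bit still permitted
        findings.append("umask %03o allows group-write or other access to files Squid creates" % umask)
    if "url_rewrite_program" in conf and setting(conf, "redirector_bypass") == "on":
        findings.append("redirector_bypass on: requests skip the rewriter when all helpers are busy")
    if setting(conf, "request_entities") == "on":
        findings.append("request_entities on: bodies on GET/HEAD accepted, cache-pollution risk")
    if setting(conf, "request_body_max_size").split()[0] == "0":
        findings.append("request_body_max_size 0: no limit on PUT/POST bodies")
    if setting(conf, "strip_query_terms") != "on":
        findings.append("strip_query_terms off: query strings (often carrying tokens) are logged")
    if setting(conf, "ftp_sanitycheck") != "on":
        findings.append("ftp_sanitycheck off: FTP data connections may be directed to a third party")
    for line in conf.get("refresh_pattern", []):
        for opt in ("ignore-private", "ignore-auth"):
            if opt in line.split():
                findings.append("refresh_pattern %s: caches responses meant for one user" % opt)
    return findings


# Constructed sample configurations (not from any real deployment).
WEAK = r"""
http_port 3128
cache_effective_user root
umask 022
url_rewrite_program /usr/local/bin/rewrite.py
redirector_bypass on
request_entities on
strip_query_terms off
refresh_pattern -i \.php$ 0 20% 4320 ignore-private
"""

HARDENED = """
http_port 3128
cache_effective_user proxy
cache_effective_group proxy
httpd_suppress_version_string on
umask 077
request_body_max_size 8 MB
strip_query_terms on
"""

if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(text) or ["no findings"])
```

# Running it prints eight findings for WEAK and none for HARDENED. The
# redirector_bypass check only fires when a url_rewrite_program is actually
# configured, since the bypass is harmless without a redirector to skip.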

#  TAG: unique_hostname
#	If you want to have multiple machines with the same
#	'visible_hostname' you must give each machine a different
#	'unique_hostname' so forwarding loops can be detected.
#
#Default:
# none

#  TAG: hostname_aliases
#	A list of other DNS names your cache has.
#
#Default:
# none

#  TAG: umask
#	Minimum umask which should be enforced while the proxy
#	is running, in addition to the umask set at startup.
#
#	Note: Should start with a 0 to indicate the normal octal
#	representation of umasks
#
#Default:
# umask 027


# OPTIONS FOR THE CACHE REGISTRATION SERVICE
# -----------------------------------------------------------------------------
#
#	This section contains parameters for the (optional) cache
#	announcement service. This service is provided to help
#	cache administrators locate one another in order to join or
#	create cache hierarchies.
#
#	An 'announcement' message is sent (via UDP) to the registration
#	service by Squid. By default, the announcement message is NOT
#	SENT unless you enable it with 'announce_period' below.
#
#	The announcement message includes your hostname, plus the
#	following information from this configuration file:
#
#		http_port
#		icp_port
#		cache_mgr
#
#	All current information is processed regularly and made
#	available on the Web at http://www.ircache.net/Cache/Tracker/.

#  TAG: announce_period
#	This is how frequently to send cache announcements. The
#	default is `0' which disables sending the announcement
#	messages.
#
#	To enable announcing your cache, just uncomment the line
#	below.
#
#Default:
# announce_period 0
#
#To enable announcing your cache, just uncomment the line below.
#announce_period 1 day

#  TAG: announce_host
#  TAG: announce_file
#  TAG: announce_port
#	announce_host and announce_port set the hostname and port
#	number where the registration message will be sent.
#
#	Hostname will default to 'tracker.ircache.net' and port will
#	default to 3131. If the 'filename' argument is given,
#	the contents of that file will be included in the announce
#	message.
#
#Default:
# announce_host tracker.ircache.net
# announce_port 3131


# HTTPD-ACCELERATOR OPTIONS
# -----------------------------------------------------------------------------

#  TAG: httpd_accel_no_pmtu_disc	on|off
#	In many setups of transparently intercepting proxies Path-MTU
#	discovery can not work on traffic towards the clients. This is
#	the case when the intercepting device does not fully track
#	connections and fails to forward ICMP must fragment messages
#	to the cache server.
#
#	If you have such a setup and experience that certain clients
#	sporadically hang or never complete requests set this to on.
#
#Default:
# httpd_accel_no_pmtu_disc off


# DELAY POOL PARAMETERS
# -----------------------------------------------------------------------------

#  TAG: delay_pools
#	This represents the number of delay pools to be used. For example,
#	if you have one class 2 delay pool and one class 3 delay pool, you
#	have a total of 2 delay pools.
#
#Default:
# delay_pools 0

#  TAG: delay_class
#	This defines the class of each delay pool. There must be exactly one
#	delay_class line for each delay pool. For example, to define two
#	delay pools, one of class 2 and one of class 3, the settings above
#	and here would be:
#
#Example:
# delay_pools 2      # 2 delay pools
# delay_class 1 2    # pool 1 is a class 2 pool
# delay_class 2 3    # pool 2 is a class 3 pool
#
#	The delay pool classes are:
#
#		class 1		Everything is limited by a single aggregate
#				bucket.
#
#		class 2		Everything is limited by a single aggregate
#				bucket as well as an "individual" bucket chosen
#				from bits 25 through 32 of the IP address.
#
#		class 3		Everything is limited by a single aggregate
#				bucket as well as a "network" bucket chosen
#				from bits 17 through 24 of the IP address and an
#				"individual" bucket chosen from bits 17 through
#				32 of the IP address.
#
#	NOTE: If an IP address is a.b.c.d
#		-> bits 25 through 32 are "d"
#		-> bits 17 through 24 are "c"
#		-> bits 17 through 32 are "c * 256 + d"
#
#Default:
# none

#  TAG: delay_access
#	This is used to determine which delay pool a request falls into.
#
#	delay_access is sorted per pool and the matching starts with pool 1,
#	then pool 2, ..., and finally pool N. The first delay pool where the
#	request is allowed is selected for the request. If it does not allow
#	the request to any pool then the request is not delayed (default).
#
#	For example, if you want some_big_clients in delay
#	pool 1 and lotsa_little_clients in delay pool 2:
#
#Example:
# delay_access 1 allow some_big_clients
# delay_access 1 deny all
# delay_access 2 allow lotsa_little_clients
# delay_access 2 deny all
#
#Default:
# none

#  TAG: delay_parameters
#	This defines the parameters for a delay pool. Each delay pool has
#	a number of "buckets" associated with it, as explained in the
#	description of delay_class. For a class 1 delay pool, the syntax is:
#
#delay_parameters pool aggregate
#
#	For a class 2 delay pool:
#
#delay_parameters pool aggregate individual
#
#	For a class 3 delay pool:
#
#delay_parameters pool aggregate network individual
#
#	The variables here are:
#
#		pool		a pool number, i.e. a number between 1 and the
#				number specified in delay_pools as used in
#				delay_class lines.
#
#		aggregate	the "delay parameters" for the aggregate bucket
#				(class 1, 2, 3).
#
#		individual	the "delay parameters" for the individual
#				buckets (class 2, 3).
#
#		network		the "delay parameters" for the network buckets
#				(class 3).
#
#	A pair of delay parameters is written restore/maximum, where restore is
#	the number of bytes (not bits; modem and network speeds are usually
#	quoted in bits) per second placed into the bucket, and maximum is the
#	maximum number of bytes which can be in the bucket at any time.
#
#	For example, if delay pool number 1 is a class 2 delay pool as in the
#	above example, and is being used to strictly limit each host to 64kbps
#	(plus overheads), with no overall limit, the line is:
#
#delay_parameters 1 -1/-1 8000/8000
#
#	Note that the figure -1 is used to represent "unlimited".
#
#	And, if delay pool number 2 is a class 3 delay pool as in the above
#	example, and you want to limit it to a total of 256kbps (strict limit)
#	with each 8-bit network permitted 64kbps (strict limit) and each
#	individual host permitted 4800bps with a bucket maximum size of 64kb
#	to permit a decent web page to be downloaded at a decent speed
#	(if the network is not being limited due to overuse) but slow down
#	large downloads more significantly:
#
#delay_parameters 2 32000/32000 8000/8000 600/8000
#
#	There must be one delay_parameters line for each delay pool.
#
#Default:
# none

#  TAG: delay_initial_bucket_level	(percent, 0-100)
#	The initial bucket percentage is used to determine how much is put
#	in each bucket when squid starts, is reconfigured, or first notices
#	a host accessing it (in class 2 and class 3, individual hosts and
#	networks only have buckets associated with them once they have been
#	"seen" by squid).
#
#Default:
# delay_initial_bucket_level 50


# WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS
# -----------------------------------------------------------------------------

#  TAG: wccp_router
#  TAG: wccp2_router
#	Use this option to define your WCCP ``home'' router for
#	Squid.
#
#	wccp_router supports a single WCCP(v1) router
#
#	wccp2_router supports multiple WCCPv2 routers
#
#	only one of the two may be used at the same time and def
ines
#	which version of WCCP to use.
#
#Default:
# wccp_router 0.0.0.0

#  TAG: wccp_version
#	This directive is only relevant if you need to set up WCCP(v1)
#	to some very old and end-of-life Cisco routers. In all other
# setupsitmustbeleftunsetoratthedefaultsetting. # ItdefinesaninternalversionintheWCCP(v1)protocol, # withversion4beingtheofficiallydocumentedprotocol. # # Accordingtosomeusers,CiscoIOS11.2andearlieronly # supportWCCPversion3.Ifyou'reusingthatoranearlier # versionofIOS,youmayneedtochangethisvalueto3,otherwise # donotspecifythisparameter. # #Default: #wccp_version4 #TAG:wccp2_rebuild_wait # IfthisisenabledSquidwillwaitforthecachedirrebuildtofinish # beforesendingthefirstwccp2HereIAmpacket # #Default: #wccp2_rebuild_waiton #TAG:wccp2_forwarding_method # WCCP2allowsthesettingofforwardingmethodsbetweenthe # router/switchandthecache.Validvaluesareasfollows: # # 1GREencapsulation(forwardthepacketinaGRE/WCCPtunnel) # 2L2redirect(forwardthepacketusingLayer2/MACrewriting) # # Currently(asofIOS12.4)ciscoroutersonlysupportGRE. # CiscoswitchesonlysupporttheL2redirectassignmentmethod. # #Default: #wccp2_forwarding_method1 #TAG:wccp2_return_method # WCCP2allowsthesettingofreturnmethodsbetweenthe # router/switchandthecacheforpacketsthatthecache # decidesnottohandle.Validvaluesareasfollows: # # 1GREencapsulation(forwardthepacketinaGRE/WCCPtunnel) # 2L2redirect(forwardthepacketusingLayer2/MACrewriting) # # Currently(asofIOS12.4)ciscoroutersonlysupportGRE. # CiscoswitchesonlysupporttheL2redirectassignment. # # Ifthe"ipwccpredirectexcludein"commandhasbeen # enabledonthecacheinterface,thenitisstillsafefor # theproxyservertouseal2redirectmethodevenifthis # optionissettoGRE. # #Default: #wccp2_return_method1
#  TAG: wccp2_assignment_method
#  WCCP2 allows the setting of methods to assign the WCCP hash
#  Valid values are as follows:
#
#  1 - Hash assignment
#  2 - Mask assignment
#
#  As a general rule, cisco routers support the hash assignment method
#  and cisco switches support the mask assignment method.
#
#Default:
# wccp2_assignment_method 1

#  TAG: wccp2_service
#  WCCP2 allows for multiple traffic services. There are two
#  types: "standard" and "dynamic". The standard type defines
#  one service id - http (id 0). The dynamic service ids can be from
#  51 to 255 inclusive.  In order to use a dynamic service id
#  one must define the type of traffic to be redirected; this is done
#  using the wccp2_service_info option.
#
#  The "standard" type does not require a wccp2_service_info option,
#  just specifying the service id will suffice.
#
#  MD5 service authentication can be enabled by adding
#  "password=<password>" to the end of this service declaration.
#
#  Examples:
#
#  wccp2_service standard 0     # for the 'web-cache' standard service
#  wccp2_service dynamic 80     # a dynamic service type which will be
#                               # fleshed out with subsequent options.
#  wccp2_service standard 0 password=foo
#
#
#Default:
# wccp2_service standard 0

#  TAG: wccp2_service_info
#  Dynamic WCCPv2 services require further information to define the
#  traffic you wish to have diverted.
#
#  The format is:
#
#  wccp2_service_info <id> protocol=<protocol> flags=<flag>,<flag>..
#      priority=<priority> ports=<port>,<port>..
#
#  The relevant WCCPv2 flags:
#  + src_ip_hash, dst_ip_hash
#  + source_port_hash, dest_port_hash
#  + src_ip_alt_hash, dst_ip_alt_hash
#  + src_port_alt_hash, dst_port_alt_hash
#  + ports_source
#
#  The port list can be one to eight entries.
#
#  Example:
#
#  wccp2_service_info 80 protocol=tcp flags=src_ip_hash,ports_source
#      priority=240 ports=80
#
#  Note: the service id must have been defined by a previous
#  'wccp2_service dynamic <id>' entry.
#
#Default:
# none

#  TAG: wccp2_weight
#  Each cache server gets assigned a set of the destination
#  hash proportional to their weight.
#
#Default:
# wccp2_weight 10000

#  TAG: wccp_address
#  TAG: wccp2_address
#  Use this option if you require WCCP to use a specific
#  interface address.
#
#  The default behavior is to not bind to any specific address.
#
#Default:
# wccp_address 0.0.0.0
# wccp2_address 0.0.0.0


# PERSISTENT CONNECTION HANDLING
# -----------------------------------------------------------------------------

#
# Also see "pconn_timeout" in the TIMEOUTS section

#  TAG: client_persistent_connections
#  TAG: server_persistent_connections
#  Persistent connection support for clients and servers.  By
#  default, Squid uses persistent connections (when allowed)
#  with its clients and servers.  You can use these options to
#  disable persistent connections with clients and/or servers.
#
#Default:
# client_persistent_connections on
# server_persistent_connections on

#  TAG: persistent_connection_after_error
#  With this directive the use of persistent connections after
#  HTTP errors can be disabled. Useful if you have clients
#  who fail to handle errors on persistent connections properly.
#
#Default:
# persistent_connection_after_error off

#  TAG: detect_broken_pconn
#  Some servers have been found to incorrectly signal the use
#  of HTTP/1.0 persistent connections even on replies not
#  compatible, causing significant delays. This server problem
#  has mostly been seen on redirects.
#
#  By enabling this directive Squid attempts to detect such
#  broken replies and automatically assume the reply is finished
#  after 10 seconds timeout.
#
#Default:
# detect_broken_pconn off


# CACHE DIGEST OPTIONS
# -----------------------------------------------------------------------------

#  TAG: digest_generation
#  This controls whether the server will generate a Cache Digest
#  of its contents.
#
#Default:
# digest_generation on

#  TAG: digest_bits_per_entry
#  This is the number of bits of the server's Cache Digest which
#  will be associated with the Digest entry for a given HTTP
#  Method and URL (public key) combination.  The default is 5.
#
#Default:
# digest_bits_per_entry 5

#  TAG: digest_rebuild_period  (seconds)
#  This is the wait time between Cache Digest rebuilds.
#
#Default:
# digest_rebuild_period 1 hour

#  TAG: digest_rewrite_period  (seconds)
#  This is the wait time between Cache Digest writes to disk.
#
#Default:
# digest_rewrite_period 1 hour

#  TAG: digest_swapout_chunk_size  (bytes)
#  This is the number of bytes of the Cache Digest to write to
#  disk at a time.  It defaults to 4096 bytes (4KB), the Squid
#  default swap page.
#
#Default:
# digest_swapout_chunk_size 4096 bytes

#  TAG: digest_rebuild_chunk_percentage  (percent, 0-100)
#  This is the percentage of the Cache Digest to be scanned at a
#  time.  By default it is set to 10% of the Cache Digest.
#
#Default:
# digest_rebuild_chunk_percentage 10


# SNMP OPTIONS
# -----------------------------------------------------------------------------

#  TAG: snmp_port
#  Squid can now serve statistics and status information via SNMP.
#  By default it listens to port 3401 on the machine. If you don't
#  wish to use SNMP, set this to "0".
#
#  Note: on Debian/Linux, the default is zero - you need to
#  set it to 3401 to enable it.
#
#Default:
# snmp_port 0

#  TAG: snmp_access
#  Allowing or denying access to the SNMP port.
#
#  All access to the agent is denied by default.
#  usage:
#
#  snmp_access allow|deny [!]aclname ...
#
#Example:
# snmp_access allow snmppublic localhost
# snmp_access deny all
#
#Default:
# snmp_access deny all
#  TAG: snmp_incoming_address
#  TAG: snmp_outgoing_address
#  Just like 'udp_incoming_address' above, but for the SNMP port.
#
#  snmp_incoming_address   is used for the SNMP socket receiving
#                          messages from SNMP agents.
#  snmp_outgoing_address   is used for SNMP packets returned to SNMP
#                          agents.
#
#  The default snmp_incoming_address (0.0.0.0) is to listen on all
#  available network interfaces.
#
#  If snmp_outgoing_address is set to 255.255.255.255 (the default)
#  it will use the same socket as snmp_incoming_address. Only
#  change this if you want to have SNMP replies sent using another
#  address than where this Squid listens for SNMP queries.
#
#  NOTE, snmp_incoming_address and snmp_outgoing_address can not have
#  the same value since they both use port 3401.
#
#Default:
# snmp_incoming_address 0.0.0.0
# snmp_outgoing_address 255.255.255.255


# ICP OPTIONS
# -----------------------------------------------------------------------------

#  TAG: icp_port
#  The port number where Squid sends and receives ICP queries to
#  and from neighbor caches.  Default is 3130.  To disable use
#  "0".  May be overridden with -u on the command line.
#
#Default:
# icp_port 3130

#  TAG: htcp_port
#  The port number where Squid sends and receives HTCP queries to
#  and from neighbor caches.  To turn it on you want to set it to 4827.
#  By default it is set to "0" (disabled).
#
#Default:
# htcp_port 0

#  TAG: log_icp_queries  on|off
#  If set, ICP queries are logged to access.log. You may wish
#  to disable this if your ICP load is VERY high to speed things
#  up or to simplify log analysis.
#
#Default:
# log_icp_queries on

#  TAG: udp_incoming_address
#  udp_incoming_address    is used for UDP packets received from other
#                          caches.
#
#  The default behavior is to not bind to any specific address.
#
#  Only change this if you want to have all UDP queries received on
#  a specific interface/address.
#
#  NOTE: udp_incoming_address is used by the ICP, HTCP, and DNS
#  modules. Altering it will affect all of them in the same manner.
#
#  see also; udp_outgoing_address
#
#  NOTE, udp_incoming_address and udp_outgoing_address can not
#  have the same value since they both use the same port.
#
#Default:
# udp_incoming_address 0.0.0.0

#  TAG: udp_outgoing_address
#  udp_outgoing_address    is used for UDP packets sent out to other
#                          caches.
#
#  The default behavior is to not bind to any specific address.
#
#  Instead it will use the same socket as udp_incoming_address.
#  Only change this if you want to have UDP queries sent using another
#  address than where this Squid listens for UDP queries from other
#  caches.
#
#  NOTE: udp_outgoing_address is used by the ICP, HTCP, and DNS
#  modules. Altering it will affect all of them in the same manner.
#
#  see also; udp_incoming_address
#
#  NOTE, udp_incoming_address and udp_outgoing_address can not
#  have the same value since they both use the same port.
#
#Default:
# udp_outgoing_address 255.255.255.255

#  TAG: icp_hit_stale  on|off
#  If you want to return ICP_HIT for stale cache objects, set this
#  option to 'on'.  If you have sibling relationships with caches
#  in other administrative domains, this should be 'off'.  If you only
#  have sibling relationships with caches under your control,
#  it is probably okay to set this to 'on'.
#  If set to 'on', your siblings should use the option "allow-miss"
#  on their cache_peer lines for connecting to you.
#
#Default:
# icp_hit_stale off

#  TAG: minimum_direct_hops
#  If using the ICMP pinging stuff, do direct fetches for sites
#  which are no more than this many hops away.
#
#Default:
# minimum_direct_hops 4

#  TAG: minimum_direct_rtt
#  If using the ICMP pinging stuff, do direct fetches for sites
#  which are no more than this many rtt milliseconds away.
#
#Default:
# minimum_direct_rtt 400

#  TAG: netdb_low
#  TAG: netdb_high
#  The low and high water marks for the ICMP measurement
#  database.  These are counts, not percents.  The defaults are
#  900 and 1000.  When the high water mark is reached, database
#  entries will be deleted until the low mark is reached.
#
#Default:
# netdb_low 900
# netdb_high 1000

#  TAG: netdb_ping_period
#  The minimum period for measuring a site.  There will be at
#  least this much delay between successive pings to the same
#  network.  The default is five minutes.
#
#Default:
# netdb_ping_period 5 minutes

#  TAG: query_icmp  on|off
#  If you want to ask your peers to include ICMP data in their ICP
#  replies, enable this option.
#
#  If your peer has configured Squid (during compilation) with
#  '--enable-icmp' that peer will send ICMP pings to origin server
#  sites of the URLs it receives.  If you enable this option the
#  ICP replies from that peer will include the ICMP data (if available).
#  Then, when choosing a parent cache, Squid will choose the parent with
#  the minimal RTT to the origin server.  When this happens, the
#  hierarchy field of the access.log will be
#  "CLOSEST_PARENT_MISS".  This option is off by default.
#
#Default:
# query_icmp off

#  TAG: test_reachability  on|off
#  When this is 'on', ICP MISS replies will be ICP_MISS_NOFETCH
#  instead of ICP_MISS if the target host is NOT in the ICMP
#  database, or has a zero RTT.
#
#Default:
# test_reachability off

#  TAG: icp_query_timeout  (msec)
#  Normally Squid will automatically determine an optimal ICP
#  query timeout value based on the round-trip-time of recent ICP
#  queries.  If you want to override the value determined by
#  Squid, set this 'icp_query_timeout' to a non-zero value.  This
#  value is specified in MILLISECONDS, so, to use a 2-second
#  timeout (the old default), you would write:
#
#      icp_query_timeout 2000
#
#Default:
# icp_query_timeout 0

#  TAG: maximum_icp_query_timeout  (msec)
#  Normally the ICP query timeout is determined dynamically.  But
#  sometimes it can lead to very large values (say 5 seconds).
#  Use this option to put an upper limit on the dynamic timeout
#  value.  Do NOT use this option to always use a fixed (instead
#  of a dynamic) timeout value. To set a fixed timeout see the
#  'icp_query_timeout' directive.
#
#Default:
# maximum_icp_query_timeout 2000


# MULTICAST ICP OPTIONS
# -----------------------------------------------------------------------------

#  TAG: mcast_groups
#  This tag specifies a list of multicast groups which your server
#  should join to receive multicasted ICP queries.
#
#  NOTE!  Be very careful what you put here!  Be sure you
#  understand the difference between an ICP _query_ and an ICP
#  _reply_.  This option is to be set only if you want to RECEIVE
#  multicast queries.  Do NOT set this option to SEND multicast
#  ICP (use cache_peer for that).  ICP replies are always sent via
#  unicast, so this option does not affect whether or not you will
#  receive replies from multicast group members.
#
#  You must be very careful to NOT use a multicast address which
#  is already in use by another group of caches.
#
#  If you are unsure about multicast, please read the Multicast
#  chapter in the Squid FAQ (http://www.squid-cache.org/FAQ/).
#
#  Usage: mcast_groups 239.128.16.128 224.0.1.20
#
#  By default, Squid doesn't listen on any multicast groups.
#
#Default:
# none

#  TAG: mcast_miss_addr
# Note: This option is only available if Squid is rebuilt with the
#       --enable-multicast-miss option
#
#  If you enable this option, every "cache miss" URL will
#  be sent out on the specified multicast address.
#
#  Do not enable this option unless you are absolutely
#  certain you understand what you are doing.
#
#Default:
# mcast_miss_addr 255.255.255.255

#  TAG: mcast_miss_ttl
# Note: This option is only available if Squid is rebuilt with the
#       --enable-multicast-miss option
#
#  This is the time-to-live value for packets multicasted
#  when multicasting off cache miss URLs is enabled.  By
#  default this is set to 'site scope', i.e. 16.
#
#Default:
# mcast_miss_ttl 16

#  TAG: mcast_miss_port
# Note: This option is only available if Squid is rebuilt with the
#       --enable-multicast-miss option
#
#  This is the port number to be used in conjunction with
#  'mcast_miss_addr'.
#
#Default:
# mcast_miss_port 3135

#  TAG: mcast_miss_encode_key
# Note: This option is only available if Squid is rebuilt with the
#       --enable-multicast-miss option
#
#  The URLs that are sent in the multicast miss stream are
#  encrypted.  This is the encryption key.
#
#Default:
# mcast_miss_encode_key XXXXXXXXXXXXXXXX

#  TAG: mcast_icp_query_timeout  (msec)
#  For multicast peers, Squid regularly sends out ICP "probes" to
#  count how many other peers are listening on the given multicast
#  address.  This value specifies how long Squid should wait to
#  count all the replies.  The default is 2000 msec, or 2
#  seconds.
#
#Default:
# mcast_icp_query_timeout 2000


# INTERNAL ICON OPTIONS
# -----------------------------------------------------------------------------

#  TAG: icon_directory
#  Where the icons are stored. These are normally kept in
#  /usr/share/squid/icons
#
#Default:
# icon_directory /usr/share/squid/icons

#  TAG: global_internal_static
#  This directive controls if Squid should intercept all requests for
#  /squid-internal-static/ no matter which host the URL is requesting
#  (default on setting), or if nothing special should be done for
#  such URLs (off setting). The purpose of this directive is to make
#  icons etc work better in complex cache hierarchies where it may
#  not always be possible for all corners in the cache mesh to reach
#  the server generating a directory listing.
#
#Default:
# global_internal_static on

#  TAG: short_icon_urls
#  If this is enabled Squid will use short URLs for icons.
#
#  If off the URLs for icons will always be absolute URLs
#  including the proxy name and port.
#
#Default:
# short_icon_urls off


# ERROR PAGE OPTIONS
# -----------------------------------------------------------------------------

#  TAG: error_directory
#  If you wish to create your own versions of the default
#  (English) error files, either to customize them to suit your
#  language or company copy the template English files to another
#  directory and point this tag at them.
#
#  The squid developers are interested in making squid available in
#  a wide variety of languages. If you are making translations for a
#  language that Squid does not currently provide please consider
#  contributing your translation back to the project.
#
#Default:
# error_directory /usr/share/squid/errors/English

#  TAG: error_map
#  Map errors to custom messages
#
#  error_map message_url http_status ...
#
#  http_status ... is a list of HTTP status codes or Squid error
#  messages.
#
#  Use in accelerators to substitute the error messages returned
#  by servers with other custom errors.
#
#  error_map http://your.server/error/404.shtml 404
#
#  Requests for error messages are GET requests for the configured
#  URL with the following special headers
#
#  X-Error-Status:  The received HTTP status code (i.e. 404)
#  X-Request-URI:   The requested URI where the error occurred
#
#  In addition the following headers are forwarded from the client
#  request:
#
#  User-Agent, Cookie, X-Forwarded-For, Via, Authorization,
#  Accept, Referer
#
#  And the following headers from the server reply:
#
#  Server, Via, Location, Content-Location
#
#  The reply returned to the client will carry the original HTTP
#  headers from the real error message, but with the reply body
#  of the configured error message.
#
#
#Default:
# none

#  TAG: err_html_text
#  HTML text to include in error messages.  Make this a "mailto"
#  URL to your admin address, or maybe just a link to your
#  organization's Web page.
#
#  To include this in your error messages, you must rewrite
#  the error template files (found in the "errors" directory).
#  Wherever you want the 'err_html_text' line to appear,
#  insert a %L tag in the error template file.
#
#Default:
# none

#  TAG: deny_info
#  Usage:   deny_info err_page_name acl
#  or       deny_info http://... acl
#  Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys
#
#  This can be used to return an ERR_ page for requests which
#  do not pass the 'http_access' rules.  Squid remembers the last
#  acl it evaluated in http_access, and if a 'deny_info' line exists
#  for that ACL Squid returns a corresponding error page.
#
#  The acl is typically the last acl on the http_access deny line which
#  denied access. The exceptions to this rule are:
#  - When Squid needs to request authentication credentials. It's then
#    the first authentication related acl encountered
#  - When none of the http_access lines matches. It's then the last
#    acl processed on the last http_access line.
#
#  You may use ERR_ pages that come with Squid or create your own pages
#  and put them into the configured errors/ directory.
#
#  Alternatively you can specify an error URL. The browsers will
#  get redirected (302) to the specified URL. %s in the redirection
#  URL will be replaced by the requested URL.
#
#  Alternatively you can tell Squid to reset the TCP connection
#  by specifying TCP_RESET.
#
#Default:
# none
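Which ACL "was evaluated last" decides the deny_info page, and it is easy to misjudge when a deny line carries several ACLs or when no line matches. The following is an added example, not part of squid.conf or Squid's source: a small model of http_access evaluation (left-to-right ACL checks, a line stops at its first non-matching ACL, and no match at all yields the opposite of the last line's action, as documented under http_access) combined with deny_info lookup and the %s substitution. The ACL predicates and the config lines are constructed for the example; the authentication special case from the text is not modelled.

```python
# Added example: model of the http_access "last acl" rule used by deny_info.
# Constructed config and ACL predicates; not Squid's own implementation.
from typing import Callable, Dict, List, Optional, Tuple

Request = Dict[str, str]                       # keys: src, dstdomain, url
AclTable = Dict[str, Callable[[Request], bool]]

# Constructed ACL definitions standing in for 'acl ... src/dstdomain' lines.
ACLS: AclTable = {
    "localnet": lambda r: r["src"].startswith("10."),
    "bad_guys": lambda r: r["src"] == "10.0.0.66",
    "blocked_sites": lambda r: r["dstdomain"].endswith(".example.invalid"),
    "all": lambda r: True,
}

HTTP_ACCESS = [
    "http_access deny bad_guys",
    "http_access deny localnet blocked_sites",
    "http_access allow localnet",
    "http_access deny all",
]

DENY_INFO = [
    "deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys",
    "deny_info http://intranet.example/blocked.html?url=%s blocked_sites",
    "deny_info TCP_RESET all",
]


def http_access_decision(rules: List[str], acls: AclTable,
                         request: Request) -> Tuple[str, str]:
    """Evaluate http_access lines in order; return (decision, last_acl).

    A line matches when every ACL on it matches ('!' negates one).  ACLs
    are checked left to right and the line is abandoned at the first ACL
    that does not match, so last_acl is whatever was checked last.  With no
    matching line the opposite of the final line's action applies.
    """
    last_acl = ""
    action = "deny"
    for rule in rules:
        fields = rule.split()
        if fields[0] != "http_access":
            continue
        action = fields[1]
        matched = True
        for token in fields[2:]:
            negate = token.startswith("!")
            name = token.lstrip("!")
            last_acl = name
            if acls[name](request) == negate:      # ACL failed (after negation)
                matched = False
                break
        if matched:
            return action, last_acl
    return ("deny" if action == "allow" else "allow"), last_acl


def select_deny_info(deny_infos: List[str], last_acl: str,
                     url: str) -> Optional[str]:
    """Error page name, redirect URL (with %s filled in) or TCP_RESET
    configured for last_acl; None when no deny_info line names it."""
    for line in deny_infos:
        fields = line.split()
        if fields[0] == "deny_info" and fields[2] == last_acl:
            return fields[1].replace("%s", url)
    return None


def decide(request: Request) -> Tuple[str, Optional[str]]:
    """Combine both steps for the constructed config above."""
    decision, last_acl = http_access_decision(HTTP_ACCESS, ACLS, request)
    if decision == "allow":
        return "allow", None
    return "deny", select_deny_info(DENY_INFO, last_acl, request["url"])


if __name__ == "__main__":
    for req in (
        {"src": "10.0.0.66", "dstdomain": "www.example.com", "url": "http://www.example.com/"},
        {"src": "10.1.2.3", "dstdomain": "games.example.invalid", "url": "http://games.example.invalid/x"},
        {"src": "10.1.2.3", "dstdomain": "www.example.com", "url": "http://www.example.com/"},
        {"src": "192.0.2.5", "dstdomain": "www.example.com", "url": "http://www.example.com/"},
    ):
        print(req["src"], req["dstdomain"], "->", decide(req))
```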
# OPTIONS INFLUENCING REQUEST FORWARDING
# -----------------------------------------------------------------------------

#  TAG: nonhierarchical_direct
#  By default, Squid will send any non-hierarchical requests
#  (matching hierarchy_stoplist or not cacheable request type) direct
#  to origin servers.
#
#  If you set this to off, Squid will prefer to send these
#  requests to parents.
#
#  Note that in most configurations, by turning this off you will only
#  add latency to these requests without any improvement in global hit
#  ratio.
#
#  If you are inside a firewall see never_direct instead of
#  this directive.
#
#Default:
# nonhierarchical_direct on

#  TAG: prefer_direct
#  Normally Squid tries to use parents for most requests. If you for some
#  reason like it to first try going direct and only use a parent if
#  going direct fails set this to on.
#
#  By combining nonhierarchical_direct off and prefer_direct on you
#  can set up Squid to use a parent as a backup path if going direct
#  fails.
#
#  Note: If you want Squid to use parents for all requests see
#  the never_direct directive. prefer_direct only modifies how Squid
#  acts on cacheable requests.
#
#Default:
# prefer_direct off

#  TAG: always_direct
#  Usage: always_direct allow|deny [!]aclname ...
#
#  Here you can use ACL elements to specify requests which should
#  ALWAYS be forwarded by Squid to the origin servers without using
#  any peers.  For example, to always directly forward requests for
#  local servers ignoring any parents or siblings you may have use
#  something like:
#
#      acl local-servers dstdomain my.domain.net
#      always_direct allow local-servers
#
#  To always forward FTP requests directly, use
#
#      acl FTP proto FTP
#      always_direct allow FTP
#
#  NOTE: There is a similar, but opposite option named
#  'never_direct'.  You need to be aware that "always_direct deny
#  foo" is NOT the same thing as "never_direct allow foo".  You
#  may need to use a deny rule to exclude a more specific case of
#  some other rule.  Example:
#
#      acl local-external dstdomain external.foo.net
#      acl local-servers dstdomain .foo.net
#      always_direct deny local-external
#      always_direct allow local-servers
#
#  NOTE: If your goal is to make the client forward the request
#  directly to the origin server bypassing Squid then this needs
#  to be done in the client configuration. Squid configuration
#  can only tell Squid how Squid should fetch the object.
#
#  NOTE: This directive is not related to caching. The replies
#  are cached as usual even if you use always_direct. To not cache
#  the replies see no_cache.
#
#  This option replaces some v1.1 options such as local_domain
#  and local_ip.
#
#Default:
# none

#  TAG: never_direct
#  Usage: never_direct allow|deny [!]aclname ...
#
#  never_direct is the opposite of always_direct.  Please read
#  the description for always_direct if you have not already.
#
#  With 'never_direct' you can use ACL elements to specify
#  requests which should NEVER be forwarded directly to origin
#  servers.  For example, to force the use of a proxy for all
#  requests, except those in your local domain use something like:
#
#      acl local-servers dstdomain .foo.net
#      acl all src 0.0.0.0/0.0.0.0
#      never_direct deny local-servers
#      never_direct allow all
#
#  or if Squid is inside a firewall and there are local intranet
#  servers inside the firewall use something like:
#
#      acl local-intranet dstdomain .foo.net
#      acl local-external dstdomain external.foo.net
#      always_direct deny local-external
#      always_direct allow local-intranet
#      never_direct allow all
#
#  This option replaces some v1.1 options such as inside_firewall
#  and firewall_ip.
#
#Default:
# none


# ADVANCED NETWORKING OPTIONS
# -----------------------------------------------------------------------------

#  TAG: incoming_icp_average
#  TAG: incoming_http_average
#  TAG: incoming_dns_average
#  TAG: min_icp_poll_cnt
#  TAG: min_dns_poll_cnt
#  TAG: min_http_poll_cnt
#  Heavy voodoo here.  I can't even believe you are reading this.
#  Are you crazy?  Don't even think about adjusting these unless
#  you understand the algorithms in comm_select.c first!
#
#Default:
# incoming_icp_average 6
# incoming_http_average 4
# incoming_dns_average 4
# min_icp_poll_cnt 8
# min_dns_poll_cnt 8
# min_http_poll_cnt 8

#  TAG: tcp_recv_bufsize  (bytes)
#  Size of receive buffer to set for TCP sockets.  Probably just
#  as easy to change your kernel's default.  Set to zero to use
#  the default buffer size.
#
#Default:
# tcp_recv_bufsize 0 bytes


# DNS OPTIONS
# -----------------------------------------------------------------------------

#  TAG: check_hostnames
#  For security and stability reasons Squid by default checks
#  hostnames for Internet standard RFC compliance. If you do not want
#  Squid to perform these checks then turn this directive off.
#
#Default:
# check_hostnames on

#  TAG: allow_underscore
#  Underscore characters are not strictly allowed in Internet hostnames
#  but are nevertheless used by many sites. Set this to off if you want
#  Squid to be strict about the standard.
#  This check is performed only when check_hostnames is set to on.
#
#Default:
# allow_underscore on

#  TAG: cache_dns_program
# Note: This option is only available if Squid is rebuilt with the
#       --disable-internal-dns option
#
#  Specify the location of the executable for dnslookup process.
#
#Default:
# cache_dns_program /usr/lib/squid/dnsserver

#  TAG: dns_children
# Note: This option is only available if Squid is rebuilt with the
#       --disable-internal-dns option
#
#  The number of processes spawned to service DNS name lookups.
#  For heavily loaded caches on large servers, you should
#  probably increase this value to at least 10.  The maximum
#  is 32.  The default is 5.
#
#  You must have at least one dnsserver process.
#
#Default:
# dns_children 5

#  TAG: dns_retransmit_interval
#  Initial retransmit interval for DNS queries. The interval is
#  doubled each time all configured DNS servers have been tried.
#
#
#Default:
# dns_retransmit_interval 5 seconds

#  TAG: dns_timeout
#  DNS Query timeout. If no response is received to a DNS query
#  within this time all DNS servers for the queried domain
#  are assumed to be unavailable.
#
#Default:
# dns_timeout 2 minutes

#  TAG: dns_defnames  on|off
#  Normally the RES_DEFNAMES resolver option is disabled
#  (see res_init(3)).  This prevents caches in a hierarchy
#  from interpreting single-component hostnames locally.  To allow
#  Squid to handle single-component names, enable this option.
#
#Default:
# dns_defnames off

#  TAG: dns_nameservers
#  Use this if you want to specify a list of DNS name servers
#  (IP addresses) to use instead of those given in your
#  /etc/resolv.conf file.
#  On Windows platforms, if no value is specified here or in
#  the /etc/resolv.conf file, the list of DNS name servers is
#  taken from the Windows registry; both static and dynamic DHCP
#  configurations are supported.
#
#  Example: dns_nameservers 10.0.0.1 192.172.0.4
#
#Default:
# none

#  TAG: hosts_file
#  Location of the host-local IP name-address associations
#  database. Most Operating Systems have such a file on different
#  default locations:
#  - Un*X & Linux:    /etc/hosts
#  - Windows NT/2000: %SystemRoot%\system32\drivers\etc\hosts
#                     (%SystemRoot% value install default is c:\winnt)
#  - Windows XP/2003: %SystemRoot%\system32\drivers\etc\hosts
#                     (%SystemRoot% value install default is c:\windows)
#  - Windows 9x/Me:   %windir%\hosts
#                     (%windir% value is usually c:\windows)
#  - Cygwin:          /etc/hosts
#
#  The file contains newline-separated definitions, in the
#  form ip_address_in_dotted_form name [name ...]; names are
#  whitespace-separated. Lines beginning with a hash (#)
#  character are comments.
#
#  The file is checked at startup and upon configuration.
#  If set to 'none', it won't be checked.
#  If append_domain is used, that domain will be added to
#  domain-local (i.e. not containing any dot character) host
#  definitions.
#
#Default:
# hosts_file /etc/hosts
# hosts_file /etc/hosts

#  TAG: dns_testnames
#  The DNS tests exit as soon as the first site is successfully looked up
#
#  This test can be disabled with the -D command line option.
#
#Default:
# dns_testnames netscape.com internic.net nlanr.net microsoft.com

#  TAG: append_domain
#  Appends local domain name to hostnames without any dots in
#  them.  append_domain must begin with a period.
#
#  Be warned there are now Internet names with no dots in
#  them using only top-domain names, so setting this may
#  cause some Internet sites to become unavailable.
#
#Example:
# append_domain .yourdomain.com
#
#Default:
# none

#  TAG: ignore_unknown_nameservers
#  By default Squid checks that DNS responses are received
#  from the same IP addresses they are sent to.  If they
#  don't match, Squid ignores the response and writes a warning
#  message to cache.log.  You can allow responses from unknown
#  nameservers by setting this option to 'off'.
#
#Default:
# ignore_unknown_nameservers on

#  TAG: ipcache_size  (number of entries)
#  TAG: ipcache_low   (percent)
#  TAG: ipcache_high  (percent)
#  The size, low-, and high-water marks for the IP cache.
#
#Default:
# ipcache_size 1024
# ipcache_low 90
# ipcache_high 95

#  TAG: fqdncache_size  (number of entries)
#  Maximum number of FQDN cache entries.
#
#Default:
# fqdncache_size 1024


# MISCELLANEOUS
# -----------------------------------------------------------------------------

#  TAG: memory_pools  on|off
#  If set, Squid will keep pools of allocated (but unused) memory
#  available for future use.  If memory is a premium on your
#  system and you believe your malloc library outperforms Squid
#  routines, disable this.
#
#Default:
# memory_pools on

#  TAG: memory_pools_limit  (bytes)
#  Used only with memory_pools on:
#  memory_pools_limit 50 MB
#
#  If set to a non-zero value, Squid will keep at most the specified
#  limit of allocated (but unused) memory in memory pools. All free()
#  requests that exceed this limit will be handled by your malloc
#  library. Squid does not pre-allocate any memory, just safe-keeps
#  objects that otherwise would be free()d. Thus, it is safe to set
#  memory_pools_limit to a reasonably high value even if your
#  configuration will use less memory.
#
#  If set to zero, Squid will keep all memory it can. That is, there
#  will be no limit on the total amount of memory used for safe-keeping.
#
#  To disable memory allocation optimization, do not set
#  memory_pools_limit to 0. Set memory_pools to "off" instead.
#
#  An overhead for maintaining memory pools is not taken into account
#  when the limit is checked. This overhead is close to four bytes per
#  object kept. However, pools may actually _save_ memory because of
#  reduced memory thrashing in your malloc library.
#
#Default:
# memory_pools_limit 5 MB

#  TAG: forwarded_for  on|off
#  If set, Squid will include your system's IP address or name
#  in the HTTP requests it forwards.  By default it looks like
#  this:
#
#      X-Forwarded-For: 192.1.2.3
#
#  If you disable this, it will appear as
#
#      X-Forwarded-For: unknown
#
#Default:
# forwarded_for on

#  TAG: cachemgr_passwd
#  Specify passwords for cachemgr operations.
#
#  Usage: cachemgr_passwd password action action ...
#
#  Some valid actions are (see cache manager menu for a full list):
#      5min
#      60min
#      asndb
#      authenticator
#      cbdata
#      client_list
#      comm_incoming
#      config *
#      counters
#      delay
#      digest_stats
#      dns
#      events
#      filedescriptors
#      fqdncache
#      histograms
#      http_headers
#      info
#      io
#      ipcache
#      mem
#      menu
#      netdb
#      non_peers
#      objects
#      offline_toggle *
#      pconn
#      peer_select
#      redirector
#      refresh
#      server_list
#      shutdown *
#      store_digest
#      storedir
#      utilization
#      via_headers
#      vm_objects
#
#  * Indicates actions which will not be performed without a
#  valid password, others can be performed if not listed here.
#
#  To disable an action, set the password to "disable".
#  To allow performing an action without a password, set the
#  password to "none".
#
#  Use the keyword "all" to set the same password for all actions.
#
#Example:
# cachemgr_passwd secret shutdown
# cachemgr_passwd lesssssssecret info stats/objects
# cachemgr_passwd disable all
#
#Default:
# none

#  TAG: client_db  on|off
#  If you want to disable collecting per-client statistics,
#  turn off client_db here.
#
#Default:
# client_db on

#  TAG: reload_into_ims  on|off
#  When you enable this option, client no-cache or ``reload''
#  requests will be changed to If-Modified-Since requests.
#  Doing this VIOLATES the HTTP standard.  Enabling this
#  feature could make you liable for problems which it
#  causes.
#
#  see also refresh_pattern for a more selective approach.
#
#Default:
# reload_into_ims off

#  TAG: maximum_single_addr_tries
#  This sets the maximum number of connection attempts for a
#  host that only has one address (for multiple-address hosts,
#  each address is tried once).
#
#  The default value is one attempt, the (not recommended)
#  maximum is 255 tries.  A warning message will be generated
#  if it is set to a value greater than ten.
#
#  Note: This is in addition to the request re-forwarding which
#  takes place if Squid fails to get a satisfying response.
#
#Default:
# maximum_single_addr_tries 1
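The cachemgr_passwd rules above ("disable", "none", "all", and the starred actions that always need a password) are worth checking mechanically, since a stray "none all" exposes shutdown and config without any credential. The following is an added example, not part of squid.conf or Squid's source: it models the documented semantics, treating the first cachemgr_passwd line that names an action (or "all") as the one that applies, and audits which actions a configuration leaves reachable without a password. The config lines are the example from the text plus constructed variants.

```python
# Added example: checker and audit for cachemgr_passwd semantics as documented
# in squid.conf (disable / none / all, starred actions require a password).
# Modelled on the documentation, not on Squid's implementation.
import hmac
from typing import List, Optional

# Actions the file marks with "*": never performed without a valid password.
PASSWORD_REQUIRED = {"config", "offline_toggle", "shutdown"}

# The example from the text.
EXAMPLE_CONFIG = [
    "cachemgr_passwd secret shutdown",
    "cachemgr_passwd lesssssssecret info stats/objects",
    "cachemgr_passwd disable all",
]


def password_for(lines: List[str], action: str) -> Optional[str]:
    """Password configured for an action.

    The first cachemgr_passwd line (in file order) that names the action,
    or uses the keyword "all", is the one that applies; None means no line
    covers the action at all.
    """
    for line in lines:
        fields = line.split()
        if len(fields) < 3 or fields[0] != "cachemgr_passwd":
            continue
        password, actions = fields[1], fields[2:]
        if action in actions or "all" in actions:
            return password
    return None


def cachemgr_allowed(lines: List[str], action: str,
                     supplied: Optional[str]) -> bool:
    """Would this action run with the supplied password (None = no password)?"""
    configured = password_for(lines, action)
    if configured is None:
        # Unlisted: free to use unless it is one of the starred actions.
        return action not in PASSWORD_REQUIRED
    if configured == "disable":
        return False
    if configured == "none":
        return True
    # A real password: compare in constant time.
    return supplied is not None and hmac.compare_digest(configured, supplied)


def unprotected_actions(lines: List[str], actions: List[str]) -> List[str]:
    """Actions from the given list that run without supplying any password."""
    return [a for a in actions if cachemgr_allowed(lines, a, None)]


if __name__ == "__main__":
    menu = ["shutdown", "config", "info", "menu", "objects"]
    print("example config, no password:", unprotected_actions(EXAMPLE_CONFIG, menu))
    print("empty config, no password:  ", unprotected_actions([], menu))
    print("'none all', no password:    ", unprotected_actions(["cachemgr_passwd none all"], menu))
```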
#  TAG: retry_on_error
#  If set to on Squid will automatically retry requests when
#  receiving an error response. This is mainly useful if you
#  are in a complex cache hierarchy to work around access
#  control errors.
#
#Default:
# retry_on_error off

#  TAG: as_whois_server
#  WHOIS server to query for AS numbers.  NOTE: AS numbers are
#  queried only when Squid starts up, not for every request.
#
#Default:
# as_whois_server whois.ra.net
# as_whois_server whois.ra.net

#  TAG: offline_mode
#  Enable this option and Squid will never try to validate cached
#  objects.
#
#Default:
# offline_mode off

#  TAG: uri_whitespace
#  What to do with requests that have whitespace characters in the
#  URI.  Options:
#
#  strip:  The whitespace characters are stripped out of the URL.
#          This is the behavior recommended by RFC2396.
#  deny:   The request is denied.  The user receives an "Invalid
#          Request" message.
#  allow:  The request is allowed and the URI is not changed.  The
#          whitespace characters remain in the URI.  Note the
#          whitespace is passed to redirector processes if they
#          are in use.
#  encode: The request is allowed and the whitespace characters are
#          encoded according to RFC1738.  This could be considered
#          a violation of the HTTP/1.1
#          RFC because proxies are not allowed to rewrite URI's.
#  chop:   The request is allowed and the URI is chopped at the
#          first whitespace.  This might also be considered a
#          violation.
#
#Default:
# uri_whitespace strip

#  TAG: coredump_dir
#  By default Squid leaves core files in the directory from where
#  it was started. If you set 'coredump_dir' to a directory
#  that exists, Squid will chdir() to that directory at startup
#  and coredump files will be left there.
#
#Default:
# coredump_dir none
#
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

#  TAG: chroot
#  Use this to have Squid do a chroot() while initializing.  This
#  also causes Squid to fully drop root privileges after
#  initializing.  This means, for example, if you use a HTTP
#  port less than 1024 and try to reconfigure, you may get an
#  error saying that Squid can not open the port.
#
#Default:
# none

#  TAG: balance_on_multiple_ip
#  Some load balancing servers based on round robin DNS have been
#  found not to preserve user session state across requests
#  to different IP addresses.
#
#  By default Squid rotates IP's per request. By disabling
#  this directive only connection failure triggers rotation.
#
#Default:
# balance_on_multiple_ip on

#  TAG: pipeline_prefetch
#  To boost the performance of pipelined requests to closer
#  match that of a non-proxied environment Squid can try to fetch
#  up to two requests in parallel from a pipeline.
#
#  Defaults to off for bandwidth management and access logging
#  reasons.
#
#Default:
# pipeline_prefetch off

#  TAG: high_response_time_warning  (msec)
#  If the one-minute median response time exceeds this value,
#  Squid prints a WARNING with debug level 0 to get the
#  administrator's attention.  The value is in milliseconds.
#
#Default:
# high_response_time_warning 0

#  TAG: high_page_fault_warning
#  If the one-minute average page fault rate exceeds this
#  value, Squid prints a WARNING with debug level 0 to get
#  the administrator's attention.  The value is in page faults
#  per second.
#
#Default:
# high_page_fault_warning 0

#  TAG: high_memory_warning
#  If the memory usage (as determined by mallinfo) exceeds
#  this amount, Squid prints a WARNING with debug level 0 to get
#  the administrator's attention.
#
#Default:
# high_memory_warning 0 KB

#  TAG: sleep_after_fork  (microseconds)
#  When this is set to a non-zero value, the main Squid process
#  sleeps the specified number of microseconds after a fork()
#  system call. This sleep may help the situation where your
#  system reports fork() failures due to lack of (virtual)
#  memory. Note, however, if you have a lot of child
#  processes, these sleep delays will add up and your
#  Squid will not service requests for some amount of time
#  until all the child processes have been started.
#  On Windows values less than 1000 (1 millisecond) are
#  rounded to 1000.
#
#Default:
# sleep_after_fork 0