authorDavid Somero <dsomero@hotmail.com>2010-08-10 01:34:37 +0100
committerMichiel van Wessem <michiel@slackbuilds.org>2010-08-10 01:34:37 +0100
commitebd1d1551aae67862e9453784a3dff37f427d208 (patch)
tree84d1dab1a67dba1e0c432351e8e1af3c4d3f63ca /network/squid/squid.conf
parent177eba38941f90aa627d26206b70abb5ffb1740d (diff)
network/squid: Updated for version 3.1.6.
Signed-off-by: Michiel van Wessem <michiel@slackbuilds.org>
Diffstat (limited to 'network/squid/squid.conf')
-rw-r--r--network/squid/squid.conf2541
1 files changed, 1729 insertions, 812 deletions
diff --git a/network/squid/squid.conf b/network/squid/squid.conf
index 28b2fc0c75980..a7b65c8292a16 100644
--- a/network/squid/squid.conf
+++ b/network/squid/squid.conf
@@ -1,5 +1,4 @@
-
-# WELCOME TO SQUID 3.0.STABLE1
+# WELCOME TO SQUID 3.1.6
# ----------------------------
#
# This is the default Squid configuration file. You may wish
@@ -15,6 +14,18 @@
# case.
#
+# Configuration options can be included using the "include" directive.
+# Include takes a list of files to include. Quoting and wildcards is
+# supported.
+#
+# For example,
+#
+# include /path/to/included/file/squid.acl.config
+#
+# Includes can be nested up to a hard-coded depth of 16 levels.
+# This arbitrary restriction is to prevent recursive include references
+# from causing Squid entering an infinite loop whilst trying to load
+# configuration files.
# OPTIONS FOR AUTHENTICATION
# -----------------------------------------------------------------------------
@@ -54,6 +65,8 @@
# proxy as the client then thinks it is talking to an origin server and
# not the proxy. This is a limitation of bending the TCP/IP protocol to
# transparently intercepting port 80, not a limitation in Squid.
+# Ports flagged 'transparent', 'intercept', or 'tproxy' have
+# authentication disabled.
#
# === Parameters for the basic scheme follow. ===
#
@@ -62,7 +75,8 @@
# reads a line containing "username password" and replies "OK" or
# "ERR" in an endless loop. "ERR" responses may optionally be followed
# by a error description available as %m in the returned error page.
-# If you use an authenticator, make sure you have 1 acl of type proxy_auth.
+# If you use an authenticator, make sure you have 1 acl of type
+# proxy_auth.
#
# By default, the basic authentication scheme is not used unless a
# program is specified.
@@ -72,6 +86,12 @@
#
# auth_param basic program /usr/libexec/ncsa_auth /usr/etc/passwd
#
+# "utf8" on|off
+# HTTP uses iso-latin-1 as characterset, while some authentication
+# backends such as LDAP expects UTF-8. If this is set to on Squid will
+# translate the HTTP iso-latin-1 charset to UTF-8 before sending the
+# username & password to the helper.
+#
# "children" numberofchildren
# The number of authenticator processes to spawn. If you start too few
# Squid will have to wait for them to process a backlog of credential
@@ -132,7 +152,13 @@
# If you want to use a digest authenticator, set this line to
# something like
#
-# auth_param digest program /usr/bin/digest_auth_pw /usr/etc/digpass
+# auth_param digest program /usr/bin/digest_pw_auth /usr/etc/digpass
+#
+# "utf8" on|off
+# HTTP uses iso-latin-1 as characterset, while some authentication
+# backends such as LDAP expects UTF-8. If this is set to on Squid will
+# translate the HTTP iso-latin-1 charset to UTF-8 before sending the
+# username & password to the helper.
#
# "children" numberofchildren
# The number of authenticator processes to spawn (no default).
@@ -217,9 +243,9 @@
# the Microsoft Internet Explorer or Mozilla Firefox browsers.
# Its main purpose is to exchange credentials with the Squid proxy
# using the Kerberos mechanisms.
-# If you use a Negotiate authenticator, make sure you have at least one acl
-# of type proxy_auth active. By default, the negotiate authenticator_program
-# is not used.
+# If you use a Negotiate authenticator, make sure you have at least
+# one acl of type proxy_auth active. By default, the negotiate
+# authenticator_program is not used.
# The only supported program for this role is the ntlm_auth
# program distributed as part of Samba, version 4 or later.
#
@@ -243,30 +269,37 @@
#
# auth_param negotiate keep_alive on
#
-#Recommended minimum configuration per scheme:
-#auth_param negotiate program <uncomment and complete this line to activate>
-#auth_param negotiate children 5
-#auth_param negotiate keep_alive on
-#auth_param ntlm program <uncomment and complete this line to activate>
-#auth_param ntlm children 5
-#auth_param ntlm keep_alive on
-#auth_param digest program <uncomment and complete this line>
-#auth_param digest children 5
-#auth_param digest realm Squid proxy-caching web server
-#auth_param digest nonce_garbage_interval 5 minutes
-#auth_param digest nonce_max_duration 30 minutes
-#auth_param digest nonce_max_count 50
-#auth_param basic program <uncomment and complete this line>
-#auth_param basic children 5
-#auth_param basic realm Squid proxy-caching web server
-#auth_param basic credentialsttl 2 hours
+#
+# Examples:
+#
+##Recommended minimum configuration per scheme:
+##auth_param negotiate program <uncomment and complete this line to activate>
+##auth_param negotiate children 5
+##auth_param negotiate keep_alive on
+##
+##auth_param ntlm program <uncomment and complete this line to activate>
+##auth_param ntlm children 5
+##auth_param ntlm keep_alive on
+##
+##auth_param digest program <uncomment and complete this line>
+##auth_param digest children 5
+##auth_param digest realm Squid proxy-caching web server
+##auth_param digest nonce_garbage_interval 5 minutes
+##auth_param digest nonce_max_duration 30 minutes
+##auth_param digest nonce_max_count 50
+##
+##auth_param basic program <uncomment and complete this line>
+##auth_param basic children 5
+##auth_param basic realm Squid proxy-caching web server
+##auth_param basic credentialsttl 2 hours
+#Default:
+# none
# TAG: authenticate_cache_garbage_interval
# The time period between garbage collection across the username cache.
# This is a tradeoff between memory utilization (long intervals - say
# 2 days) and CPU (short intervals - say 1 minute). Only change if you
# have good reason to.
-#
#Default:
# authenticate_cache_garbage_interval 1 hour
@@ -275,7 +308,6 @@
# user cache since their last request. When the garbage
# interval passes, all user credentials that have passed their
# TTL are removed from memory.
-#
#Default:
# authenticate_ttl 1 hour
@@ -287,11 +319,9 @@
# quickly, as is the case with dialups. You might be safe
# using a larger value (e.g., 2 hours) in a corporate LAN
# environment with relatively static address assignments.
-#
#Default:
# authenticate_ip_ttl 0 seconds
-
# ACCESS CONTROLS
# -----------------------------------------------------------------------------
@@ -317,6 +347,9 @@
# cached entry should be initiated without needing to
# wait for a new reply. (default 0 for no grace period)
# protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers
+# ipv4 / ipv6 IP-mode used to communicate to this helper.
+# For compatability with older configurations and helpers
+# the default is currently 'ipv4'.
#
# FORMAT specifications
#
@@ -338,13 +371,23 @@
# %USER_CERTCHAIN SSL User certificate chain in PEM format
# %USER_CERT_xx SSL User certificate subject attribute xx
# %USER_CA_xx SSL User certificate issuer attribute xx
-# %{Header} HTTP request header
-# %{Hdr:member} HTTP request header list member
-# %{Hdr:;member}
+#
+# %>{Header} HTTP request header "Header"
+# %>{Hdr:member}
+# HTTP request header "Hdr" list member "member"
+# %>{Hdr:;member}
# HTTP request header list member using ; as
# list separator. ; can be any non-alphanumeric
# character.
#
+# %<{Header} HTTP reply header "Header"
+# %<{Hdr:member}
+# HTTP reply header "Hdr" list member "member"
+# %<{Hdr:;member}
+# HTTP reply header list member using ; as
+# list separator. ; can be any non-alphanumeric
+# character.
+#
# In addition to the above, any string specified in the referencing
# acl will also be included in the helper request line, after the
# specified formats (see the "acl external" directive)
@@ -379,75 +422,65 @@
# When using the concurrency= option the protocol is changed by
# introducing a query channel tag infront of the request/response.
# The query channel tag is a number between 0 and concurrency-1.
-#
#Default:
# none
# TAG: acl
# Defining an Access List
#
-# acl aclname acltype string1 ...
-# acl aclname acltype "file" ...
+# Every access list definition must begin with an aclname and acltype,
+# followed by either type-specific arguments or a quoted filename that
+# they are read from.
#
-# when using "file", the file should contain one item per line
+# acl aclname acltype argument ...
+# acl aclname acltype "file" ...
#
-# acltype is one of the types described below
+# When using "file", the file should contain one item per line.
#
# By default, regular expressions are CASE-SENSITIVE. To make
# them case-insensitive, use the -i option.
#
-# acl aclname src ip-address/netmask ... (clients IP address)
-# acl aclname src addr1-addr2/netmask ... (range of addresses)
-# acl aclname dst ip-address/netmask ... (URL host's IP address)
-# acl aclname myip ip-address/netmask ... (local socket IP address)
+# Some acl types require suspending the current request in order
+# to access some external data source.
+# Those which do are marked with the tag [slow], those which
+# don't are marked as [fast].
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl
+# for further information
+#
+# ***** ACL TYPES AVAILABLE *****
+#
+# acl aclname src ip-address/netmask ... # clients IP address [fast]
+# acl aclname src addr1-addr2/netmask ... # range of addresses [fast]
+# acl aclname dst ip-address/netmask ... # URL host's IP address [slow]
+# acl aclname myip ip-address/netmask ... # local socket IP address [fast]
#
# acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation)
# # The arp ACL requires the special configure option --enable-arp-acl.
# # Furthermore, the ARP ACL code is not portable to all operating systems.
-# # It works on Linux, Solaris, Windows, FreeBSD, and some other *BSD variants.
+# # It works on Linux, Solaris, Windows, FreeBSD, and some
+# # other *BSD variants.
+# # [fast]
# #
# # NOTE: Squid can only determine the MAC address for clients that are on
-# # the same subnet. If the client is on a different subnet, then Squid cannot
-# # find out its MAC address.
-#
-# acl aclname srcdomain .foo.com ... # reverse lookup, client IP
-# acl aclname dstdomain .foo.com ... # Destination server from URL
-# acl aclname srcdom_regex [-i] xxx ... # regex matching client name
-# acl aclname dstdom_regex [-i] xxx ... # regex matching server
+# # the same subnet. If the client is on a different subnet,
+# # then Squid cannot find out its MAC address.
+#
+# acl aclname srcdomain .foo.com ...
+# # reverse lookup, from client IP [slow]
+# acl aclname dstdomain .foo.com ...
+# # Destination server from URL [fast]
+# acl aclname srcdom_regex [-i] \.foo\.com ...
+# # regex matching client name [slow]
+# acl aclname dstdom_regex [-i] \.foo\.com ...
+# # regex matching server [fast]
+# #
# # For dstdomain and dstdom_regex a reverse lookup is tried if a IP
# # based URL is used and no match is found. The name "none" is used
# # if the reverse lookup fails.
#
-# acl aclname http_status 200 301 500- 400-403 ... # status code in reply
-#
-# acl aclname time [day-abbrevs] [h1:m1-h2:m2]
-# day-abbrevs:
-# S - Sunday
-# M - Monday
-# T - Tuesday
-# W - Wednesday
-# H - Thursday
-# F - Friday
-# A - Saturday
-# h1:m1 must be less than h2:m2
-# acl aclname url_regex [-i] ^http:// ... # regex matching on whole URL
-# acl aclname urlpath_regex [-i] \.gif$ ... # regex matching on URL path
-# acl aclname port 80 70 21 ...
-# acl aclname port 0-1024 ... # ranges allowed
-# acl aclname myport 3128 ... # (local socket TCP port)
-# acl aclname proto HTTP FTP ...
-# acl aclname method GET POST ...
-# acl aclname browser [-i] regexp ...
-# # pattern match on User-Agent header (see also req_header below)
-# acl aclname referer_regex [-i] regexp ...
-# # pattern match on Referer header
-# # Referer is highly unreliable, so use with care
-# acl aclname ident username ...
-# acl aclname ident_regex [-i] pattern ...
-# # string match on ident output.
-# # use REQUIRED to accept any non-null ident.
-# acl aclname src_as number ...
-# acl aclname dst_as number ...
+# acl aclname src_as number ...
+# acl aclname dst_as number ...
+# # [fast]
# # Except for access control, AS numbers can be used for
# # routing of requests to specific caches. Here's an
# # example for routing all requests for AS#1241 and only
@@ -456,11 +489,63 @@
# # cache_peer_access mycache.mydomain.net allow asexample
# # cache_peer_access mycache_mydomain.net deny all
#
+# acl aclname peername myPeer ...
+# # [fast]
+# # match against a named cache_peer entry
+# # set unique name= on cache_peer lines for reliable use.
+#
+# acl aclname time [day-abbrevs] [h1:m1-h2:m2]
+# # [fast]
+# # day-abbrevs:
+# # S - Sunday
+# # M - Monday
+# # T - Tuesday
+# # W - Wednesday
+# # H - Thursday
+# # F - Friday
+# # A - Saturday
+# # h1:m1 must be less than h2:m2
+#
+# acl aclname url_regex [-i] ^http:// ...
+# # regex matching on whole URL [fast]
+# acl aclname urlpath_regex [-i] \.gif$ ...
+# # regex matching on URL path [fast]
+#
+# acl aclname port 80 70 21 0-1024... # destination TCP port [fast]
+# # ranges are alloed
+# acl aclname myport 3128 ... # local socket TCP port [fast]
+# acl aclname myportname 3128 ... # http(s)_port name [fast]
+#
+# acl aclname proto HTTP FTP ... # request protocol [fast]
+#
+# acl aclname method GET POST ... # HTTP request method [fast]
+#
+# acl aclname http_status 200 301 500- 400-403 ...
+# # status code in reply [fast]
+#
+# acl aclname browser [-i] regexp ...
+# # pattern match on User-Agent header (see also req_header below) [fast]
+#
+# acl aclname referer_regex [-i] regexp ...
+# # pattern match on Referer header [fast]
+# # Referer is highly unreliable, so use with care
+#
+# acl aclname ident username ...
+# acl aclname ident_regex [-i] pattern ...
+# # string match on ident output [slow]
+# # use REQUIRED to accept any non-null ident.
+#
# acl aclname proxy_auth [-i] username ...
# acl aclname proxy_auth_regex [-i] pattern ...
-# # list of valid usernames
+# # perform http authentication challenge to the client and match against
+# # supplied credentials [slow]
+# #
+# # takes a list of allowed usernames.
# # use REQUIRED to accept any valid username.
# #
+# # Will use proxy authentication in forward-proxy scenarios, and plain
+# # http authenticaiton in reverse-proxy scenarios
+# #
# # NOTE: when a Proxy-Authentication header is sent but it is not
# # needed during ACL checking the username is NOT logged
# # in access.log.
@@ -469,24 +554,24 @@
# # to check username/password combinations (see
# # auth_param directive).
# #
-# # NOTE: proxy_auth can't be used in a transparent proxy as
-# # the browser needs to be configured for using a proxy in order
+# # NOTE: proxy_auth can't be used in a transparent/intercepting proxy
+# # as the browser needs to be configured for using a proxy in order
# # to respond to proxy authentication.
#
# acl aclname snmp_community string ...
-# # A community string to limit access to your SNMP Agent
+# # A community string to limit access to your SNMP Agent [fast]
# # Example:
# #
# # acl snmppublic snmp_community public
#
# acl aclname maxconn number
# # This will be matched when the client's IP address has
-# # more than <number> HTTP connections established.
+# # more than <number> HTTP connections established. [fast]
#
# acl aclname max_user_ip [-s] number
# # This will be matched when the user attempts to log in from more
# # than <number> different ip addresses. The authenticate_ip_ttl
-# # parameter controls the timeout on the ip entries.
+# # parameter controls the timeout on the ip entries. [fast]
# # If -s is specified the limit is strict, denying browsing
# # from any further IP addresses until the ttl has expired. Without
# # -s Squid will just annoy the user by "randomly" denying requests.
@@ -496,22 +581,22 @@
# # clients may appear to come from multiple addresses if they are
# # going through proxy farms, so a limit of 1 may cause user problems.
#
-# acl aclname req_mime_type mime-type1 ...
+# acl aclname req_mime_type [-i] mime-type ...
# # regex match against the mime type of the request generated
# # by the client. Can be used to detect file upload or some
-# # types HTTP tunneling requests.
+# # types HTTP tunneling requests [fast]
# # NOTE: This does NOT match the reply. You cannot use this
# # to match the returned file type.
#
# acl aclname req_header header-name [-i] any\.regex\.here
# # regex match against any of the known request headers. May be
# # thought of as a superset of "browser", "referer" and "mime-type"
-# # ACLs.
+# # ACL [fast]
#
-# acl aclname rep_mime_type mime-type1 ...
+# acl aclname rep_mime_type [-i] mime-type ...
# # regex match against the mime type of the reply received by
# # squid. Can be used to detect file download or some
-# # types HTTP tunneling requests.
+# # types HTTP tunneling requests. [fast]
# # NOTE: This has no effect in http_access rules. It only has
# # effect in rules that affect the reply data stream such as
# # http_reply_access.
@@ -519,47 +604,54 @@
# acl aclname rep_header header-name [-i] any\.regex\.here
# # regex match against any of the known reply headers. May be
# # thought of as a superset of "browser", "referer" and "mime-type"
-# # ACLs.
+# # ACLs [fast]
#
-# acl acl_name external class_name [arguments...]
+# acl aclname external class_name [arguments...]
# # external ACL lookup via a helper class defined by the
-# # external_acl_type directive.
+# # external_acl_type directive [slow]
#
# acl aclname user_cert attribute values...
# # match against attributes in a user SSL certificate
-# # attribute is one of DN/C/O/CN/L/ST
+# # attribute is one of DN/C/O/CN/L/ST [fast]
#
# acl aclname ca_cert attribute values...
# # match against attributes a users issuing CA SSL certificate
-# # attribute is one of DN/C/O/CN/L/ST
+# # attribute is one of DN/C/O/CN/L/ST [fast]
#
# acl aclname ext_user username ...
# acl aclname ext_user_regex [-i] pattern ...
-# # string match on username returned by external acl helper
+# # string match on username returned by external acl helper [slow]
# # use REQUIRED to accept any non-null user name.
#
-#Examples:
-#acl macaddress arp 09:00:2b:23:45:67
-#acl myexample dst_as 1241
-#acl password proxy_auth REQUIRED
-#acl fileupload req_mime_type -i ^multipart/form-data$
-#acl javascript rep_mime_type -i ^application/x-javascript$
+# acl aclname tag tagvalue ...
+# # string match on tag returned by external acl helper [slow]
+#
+# Examples:
+# acl macaddress arp 09:00:2b:23:45:67
+# acl myexample dst_as 1241
+# acl password proxy_auth REQUIRED
+# acl fileupload req_mime_type -i ^multipart/form-data$
+# acl javascript rep_mime_type -i ^application/x-javascript$
#
#Default:
# acl all src all
#
-#Recommended minimum configuration:
-acl manager proto cache_object
-acl localhost src 127.0.0.1/32
-acl to_localhost dst 127.0.0.0/8
#
+# Recommended minimum configuration:
+#
+acl manager proto cache_object
+acl localhost src 127.0.0.1/32 ::1
+acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
+
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
-#
+acl localnet src fc00::/7 # RFC 4193 local private network range
+acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
+
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
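Review bot: The new `acl localnet src fe80::/10` line makes every link-local IPv6 neighbour on any interface of the proxy host a member of localnet, and `http_access allow localnet` (further down in this file) grants the whole acl proxy access, so on a multi-homed machine any host sharing a link with an external-facing interface can use the proxy without appearing in the RFC1918/RFC4193 ranges above. The surrounding text tells operators to adapt localnet, but nothing flags this entry as the one that widens access beyond configured private ranges. I would either drop the line or ship it commented out with a warning, e.g. `#acl localnet src fe80::/10 # RFC 4291 link-local: enable only if every attached link is trusted`. The Safe_ports list continues past the end of this hunk.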
@@ -573,6 +665,77 @@ acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
+# TAG: follow_x_forwarded_for
+# Allowing or Denying the X-Forwarded-For header to be followed to
+# find the original source of a request.
+#
+# Requests may pass through a chain of several other proxies
+# before reaching us. The X-Forwarded-For header will contain a
+# comma-separated list of the IP addresses in the chain, with the
+# rightmost address being the most recent.
+#
+# If a request reaches us from a source that is allowed by this
+# configuration item, then we consult the X-Forwarded-For header
+# to see where that host received the request from. If the
+# X-Forwarded-For header contains multiple addresses, we continue
+# backtracking until we reach an address for which we are not allowed
+# to follow the X-Forwarded-For header, or until we reach the first
+# address in the list. For the purpose of ACL used in the
+# follow_x_forwarded_for directive the src ACL type always matches
+# the address we are testing and srcdomain matches its rDNS.
+#
+# The end result of this process is an IP address that we will
+# refer to as the indirect client address. This address may
+# be treated as the client address for access control, ICAP, delay
+# pools and logging, depending on the acl_uses_indirect_client,
+# icap_uses_indirect_client, delay_pool_uses_indirect_client and
+# log_uses_indirect_client options.
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+# SECURITY CONSIDERATIONS:
+#
+# Any host for which we follow the X-Forwarded-For header
+# can place incorrect information in the header, and Squid
+# will use the incorrect information as if it were the
+# source address of the request. This may enable remote
+# hosts to bypass any access control restrictions that are
+# based on the client's source addresses.
+#
+# For example:
+#
+# acl localhost src 127.0.0.1
+# acl my_other_proxy srcdomain .proxy.example.com
+# follow_x_forwarded_for allow localhost
+# follow_x_forwarded_for allow my_other_proxy
+#Default:
+# follow_x_forwarded_for deny all
+
+# TAG: acl_uses_indirect_client on|off
+# Controls whether the indirect client address
+# (see follow_x_forwarded_for) is used instead of the
+# direct client address in acl matching.
+#Default:
+# acl_uses_indirect_client on
+
+# TAG: delay_pool_uses_indirect_client on|off
+# Note: This option is only available if Squid is rebuilt with the
+# --enable-follow-x-forwarded-for and --enable-delay-pools option
+#
+# Controls whether the indirect client address
+# (see follow_x_forwarded_for) is used instead of the
+# direct client address in delay pools.
+#Default:
+# delay_pool_uses_indirect_client on
+
+# TAG: log_uses_indirect_client on|off
+# Controls whether the indirect client address
+# (see follow_x_forwarded_for) is used instead of the
+# direct client address in the access log.
+#Default:
+# log_uses_indirect_client on
+
# TAG: http_access
# Allowing or Denying access based on defined access lists
#
@@ -588,37 +751,58 @@ acl CONNECT method CONNECT
# opposite of the last line in the list. If the last line was
# deny, the default is allow. Conversely, if the last line
# is allow, the default will be deny. For these reasons, it is a
-# good idea to have an "deny all" or "allow all" entry at the end
-# of your access lists to avoid potential confusion.
+# good idea to have an "deny all" entry at the end of your access
+# lists to avoid potential confusion.
+#
+# This clause supports both fast and slow acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#
#Default:
# http_access deny all
#
-#Recommended minimum configuration:
+
+#
+# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
-# Deny requests to unknown ports
+
+# Deny requests to certain unsafe ports
http_access deny !Safe_ports
-# Deny CONNECT to other than SSL ports
+
+# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
-#
+
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
+
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
+#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
+http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
+# TAG: adapted_http_access
+# Allowing or Denying access based on defined access lists
+#
+# Essentially identical to http_access, but runs after redirectors
+# and ICAP/eCAP adaptation. Allowing access control based on their
+# output.
+#
+# If not set then only http_access is used.
+#Default:
+# none
+
# TAG: http_reply_access
# Allow replies to client requests. This is complementary to http_access.
#
@@ -631,6 +815,8 @@ http_access deny all
# last line will apply. Thus it is good practice to end the rules
# with an "allow all" or "deny all" entry.
#
+# This clause supports both fast and slow acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#Default:
# none
@@ -676,10 +862,12 @@ htcp_access deny all
#
# See http_access for details
#
-##Allow HTCP CLR requests from trusted peers
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+## Allow HTCP CLR requests from trusted peers
#acl htcp_clr_peer src 172.16.1.2
#htcp_clr_access allow htcp_clr_peer
-#
#Default:
# htcp_clr_access deny all
@@ -697,7 +885,9 @@ htcp_access deny all
# By default, allow all clients who passed the http_access rules
# to fetch MISSES from us.
#
-#Default setting:
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
# miss_access allow all
# TAG: ident_lookup_access
@@ -711,14 +901,16 @@ htcp_access deny all
# To enable ident lookups for specific client addresses, you
# can follow this example:
#
-# acl ident_aware_hosts src 198.168.1.0/255.255.255.0
+# acl ident_aware_hosts src 198.168.1.0/24
# ident_lookup_access allow ident_aware_hosts
# ident_lookup_access deny all
#
-# Only src type ACL checks are fully supported. A src_domain
+# Only src type ACL checks are fully supported. A srcdomain
# ACL might work at times, but it will not always provide
# the correct result.
#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#Default:
# ident_lookup_access deny all
@@ -751,10 +943,14 @@ htcp_access deny all
# If you set this parameter none (the default), there will be
# no limit imposed.
#
+# Configuration Format is:
+# reply_body_max_size SIZE UNITS [acl ...]
+# ie.
+# reply_body_max_size 10 MB
+#
#Default:
# none
-
# NETWORK OPTIONS
# -----------------------------------------------------------------------------
@@ -783,15 +979,21 @@ htcp_access deny all
#
# Options:
#
-# transparent Support for transparent interception of
+# intercept Support for IP-Layer interception of
# outgoing requests without browser settings.
+# NP: disables authentication and IPv6 on the port.
#
# tproxy Support Linux TPROXY for spoofing outgoing
# connections using the client IP address.
+# NP: disables authentication and maybe IPv6 on the port.
#
# accel Accelerator mode. Also needs at least one of
# vhost / vport / defaultsite.
#
+# allow-direct Allow direct forwarding in accelerator mode. Normally
+# accelerated requests are denied direct forwarding as if
+# never_direct was used.
+#
# defaultsite=domainname
# What to use for the Host: header if it is not present
# in a request. Determines what site (not origin server)
@@ -810,6 +1012,16 @@ htcp_access deny all
# protocol= Protocol to reconstruct accelerated requests with.
# Defaults to http.
#
+# ignore-cc Ignore request Cache-Control headers.
+#
+# Warning: This option violates HTTP specifications if
+# used in non-accelerator setups.
+#
+# connection-auth[=on|off]
+# use connection-auth=off to tell Squid to prevent
+# forwarding Microsoft connection oriented authentication
+# (NTLM, Negotiate and Kerberos)
+#
# disable-pmtu-discovery=
# Control Path-MTU discovery usage:
# off lets OS decide on what to do (default).
@@ -826,11 +1038,38 @@ htcp_access deny all
# sporadically hang or never complete requests set
# disable-pmtu-discovery option to 'transparent'.
#
+# sslBump Intercept each CONNECT request matching ssl_bump ACL,
+# establish secure connection with the client and with
+# the server, decrypt HTTP messages as they pass through
+# Squid, and treat them as unencrypted HTTP messages,
+# becoming the man-in-the-middle.
+#
+# When this option is enabled, additional options become
+# available to specify SSL-related properties of the
+# client-side connection: cert, key, version, cipher,
+# options, clientca, cafile, capath, crlfile, dhparams,
+# sslflags, and sslcontext. See the https_port directive
+# for more information on these options.
+#
+# The ssl_bump option is required to fully enable
+# the SslBump feature.
+#
+# name= Specifies a internal name for the port. Defaults to
+# the port specification (port or addr:port)
+#
+# tcpkeepalive[=idle,interval,timeout]
+# Enable TCP keepalive probes of idle connections.
+# In seconds; idle is the initial time before TCP starts
+# probing the connection, interval how often to probe, and
+# timeout the time before giving up.
+#
# If you run Squid on a dual-homed machine with an internal
# and an external interface we recommend you to specify the
# internal address:port in http_port. This way Squid will only be
# visible on the internal address.
#
+#
+
# Squid normally listens to port 3128
http_port 3128
@@ -933,6 +1172,8 @@ http_port 3128
# vport=NN As above, but uses specified port number rather
# than the https_port number. Implies accel.
#
+# name= Specifies a internal name for the port. Defaults to
+# the port specification (port or addr:port)
#
#Default:
# none
@@ -945,7 +1186,7 @@ http_port 3128
# tcp_outgoing_tos ds-field [!]aclname ...
#
# Example where normal_service_net uses the TOS value 0x00
-# and normal_service_net uses 0x20
+# and good_service_net uses 0x20
#
# acl normal_service_net src 10.0.0.0/255.255.255.0
# acl good_service_net src 10.0.1.0/255.255.255.0
@@ -953,8 +1194,8 @@ http_port 3128
# tcp_outgoing_tos 0x20 good_service_net
#
# TOS/DSCP values really only have local significance - so you should
-# know what you're specifying. For more information, see RFC2474 and
-# RFC3260.
+# know what you're specifying. For more information, see RFC2474,
+# RFC2475, and RFC3260.
#
# The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or
# "default" to use whatever default your host has. Note that in
@@ -968,7 +1209,6 @@ http_port 3128
# incompatible with the use of server side persistent connections. To
# ensure correct results it is best to set server_persisten_connections
# to off when using this directive in such configurations.
-#
#Default:
# none
@@ -976,6 +1216,50 @@ http_port 3128
# Allows you to select a TOS/Diffserv value to mark client-side
# connections with, based on the username or source address
# making the request.
+#Default:
+# none
+
+# TAG: qos_flows
+# Note: This option is only available if Squid is rebuilt with the
+# --enable-zph-qos option
+#
+# Allows you to select a TOS/DSCP value to mark outgoing
+# connections with, based on where the reply was sourced.
+#
+# TOS values really only have local significance - so you should
+# know what you're specifying. For more information, see RFC2474,
+# RFC2475, and RFC3260.
+#
+# The TOS/DSCP byte must be exactly that - octet value 0x00-0xFF.
+# Note that in practice often only values up to 0x3F are usable
+# as the two highest bits have been redefined for use by ECN
+# (RFC3168).
+#
+# This setting is configured by setting the source TOS values:
+#
+# local-hit=0xFF Value to mark local cache hits.
+#
+# sibling-hit=0xFF Value to mark hits from sibling peers.
+#
+# parent-hit=0xFF Value to mark hits from parent peers.
+#
+#
+# NOTE: 'miss' preserve feature is only possible on Linux at this time.
+#
+# For the following to work correctly, you will need to patch your
+# linux kernel with the TOS preserving ZPH patch.
+# The kernel patch can be downloaded from http://zph.bratcheda.org
+#
+# disable-preserve-miss
+# By default, the existing TOS value of the response coming
+# from the remote server will be retained and masked with
+# miss-mark. This option disables that feature.
+#
+# miss-mask=0xFF
+# Allows you to mask certain bits in the TOS received from the
+# remote server, before copying the value to the TOS sent
+# towards clients.
+# Default: 0xFF (TOS from server is not changed).
#
#Default:
# none
@@ -992,11 +1276,11 @@ http_port 3128
# source address 10.1.0.2 and the rest will be forwarded with
# source address 10.1.0.3.
#
-# acl normal_service_net src 10.0.0.0/255.255.255.0
-# acl good_service_net src 10.0.1.0/255.255.255.0
-# tcp_outgoing_address 10.0.0.1 normal_service_net
-# tcp_outgoing_address 10.0.0.2 good_service_net
-# tcp_outgoing_address 10.0.0.3
+# acl normal_service_net src 10.0.0.0/24
+# acl good_service_net src 10.0.2.0/24
+# tcp_outgoing_address 10.1.0.1 normal_service_net
+# tcp_outgoing_address 10.1.0.2 good_service_net
+# tcp_outgoing_address 10.1.0.3
#
# Processing proceeds in the order specified, and stops at first fully
# matching line.
@@ -1006,10 +1290,43 @@ http_port 3128
# ensure correct results it is best to set server_persistent_connections
# to off when using this directive in such configurations.
#
+#
+# IPv6 Magic:
+#
+# Squid is built with a capability of bridging the IPv4 and IPv6
+# internets.
+# tcp_outgoing_address as exampled above breaks this bridging by forcing
+# all outbound traffic through a certain IPv4 which may be on the wrong
+# side of the IPv4/IPv6 boundary.
+#
+# To operate with tcp_outgoing_address and keep the bridging benefits
+# an additional ACL needs to be used which ensures the IPv6-bound traffic
+# is never forced or permitted out the IPv4 interface.
+#
+# acl to_ipv6 dst ipv6
+# tcp_outgoing_address 2002::c001 good_service_net to_ipv6
+# tcp_outgoing_address 10.1.0.2 good_service_net !to_ipv6
+#
+# tcp_outgoing_address 2002::beef normal_service_net to_ipv6
+# tcp_outgoing_address 10.1.0.1 normal_service_net !to_ipv6
+#
+# tcp_outgoing_address 2002::1 to_ipv6
+# tcp_outgoing_address 10.1.0.3 !to_ipv6
+#
+# WARNING:
+# 'dst ipv6' bases its selection assuming DIRECT access.
+# If peers are used the peername ACL are needed to select outgoing
+# address which can link to the peer.
+#
+# 'dst ipv6' is a slow ACL. It will only work here if 'dst' is used
+# previously in the http_access rules to locate the destination IP.
+# Some more magic may be needed for that:
+# http_access allow to_ipv6 !all
+# (meaning, allow if to IPv6 but not from anywhere ;)
+#
#Default:
# none
-
# SSL OPTIONS
# -----------------------------------------------------------------------------
@@ -1019,7 +1336,6 @@ http_port 3128
#
# Some browsers (especially MSIE) bugs out on SSL shutdown
# messages.
-#
#Default:
# ssl_unclean_shutdown off
@@ -1029,7 +1345,6 @@ http_port 3128
#
# The OpenSSL engine to use. You will need to set this if you
# would like to use hardware SSL acceleration for example.
-#
#Default:
# none
@@ -1038,7 +1353,6 @@ http_port 3128
# --enable-ssl option
#
# Client SSL Certificate to use when proxying https:// URLs
-#
#Default:
# none
@@ -1047,7 +1361,6 @@ http_port 3128
# --enable-ssl option
#
# Client SSL Key to use when proxying https:// URLs
-#
#Default:
# none
@@ -1056,7 +1369,6 @@ http_port 3128
# --enable-ssl option
#
# SSL version level to use when proxying https:// URLs
-#
#Default:
# sslproxy_version 1
@@ -1065,7 +1377,19 @@ http_port 3128
# --enable-ssl option
#
# SSL engine options to use when proxying https:// URLs
-#
+#
+# The most important being:
+#
+# NO_SSLv2 Disallow the use of SSLv2
+# NO_SSLv3 Disallow the use of SSLv3
+# NO_TLSv1 Disallow the use of TLSv1
+# SINGLE_DH_USE
+# Always create a new key when using
+# temporary/ephemeral DH key exchanges
+#
+# These options vary depending on your SSL engine.
+# See the OpenSSL SSL_CTX_set_options documentation for a
+# complete list of possible options.
#Default:
# none
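Review bot: The new option list for sslproxy_options names NO_SSLv2, NO_SSLv3 and NO_TLSv1 but gives no guidance on which to set, and the generated default stays `# none`, so no protocol version is excluded unless the administrator adds one. A one-line example after the list, `# e.g. sslproxy_options NO_SSLv2`, would document the usual hardening choice in the same style the file uses for its other directive examples. The TAG: line and first sentence of this directive sit above the hunk.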
@@ -1075,6 +1399,7 @@ http_port 3128
#
# SSL cipher list to use when proxying https:// URLs
#
+# Colon separated list of supported ciphers.
#Default:
# none
@@ -1084,7 +1409,6 @@ http_port 3128
#
# file containing CA certificates to use when verifying server
# certificates while proxying https:// URLs
-#
#Default:
# none
@@ -1094,7 +1418,35 @@ http_port 3128
#
# directory containing CA certificates to use when verifying
# server certificates while proxying https:// URLs
+#Default:
+# none
+
+# TAG: ssl_bump
+# Note: This option is only available if Squid is rebuilt with the
+# --enable-ssl option
+#
+# This ACL controls which CONNECT requests to an http_port
+# marked with an sslBump flag are actually "bumped". Please
+# see the sslBump flag of an http_port option for more details
+# about decoding proxied SSL connections.
+#
+# By default, no requests are bumped.
+#
+# See also: http_port sslBump
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
#
+# # Example: Bump all requests except those originating from localhost and
+# # those going to webax.com or example.com sites.
+#
+# acl localhost src 127.0.0.1/32
+# acl broken_sites dstdomain .webax.com
+# acl broken_sites dstdomain .example.com
+# ssl_bump deny localhost
+# ssl_bump deny broken_sites
+# ssl_bump allow all
#Default:
# none
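Review bot: The example `acl localhost src 127.0.0.1/32` in the ssl_bump block covers only the IPv4 loopback, so on a build that also accepts IPv6 connections (the tcp_outgoing_address text earlier in this diff describes Squid as bridging IPv4 and IPv6) a CONNECT arriving from `::1` would not match `ssl_bump deny localhost` and would be bumped. I would write the example as `acl localhost src 127.0.0.1/32 ::1`, or drop the redefinition and point at the file's existing localhost ACL, which is outside this hunk. The text also does not say how several ssl_bump lines combine; if it follows the other access lists, a sentence such as `# Rules are checked in order; the first matching line decides.` would make the deny-before-allow example self-explanatory.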
@@ -1103,11 +1455,39 @@ http_port 3128
# --enable-ssl option
#
# Various flags modifying the use of SSL while proxying https:// URLs:
-# DONT_VERIFY_PEER Accept certificates even if they fail to
-# verify.
+# DONT_VERIFY_PEER Accept certificates that fail verification.
+# For refined control, see sslproxy_cert_error.
# NO_DEFAULT_CA Don't use the default CA list built in
# to OpenSSL.
+#Default:
+# none
+
+# TAG: sslproxy_cert_error
+# Note: This option is only available if Squid is rebuilt with the
+# --enable-ssl option
+#
+# Use this ACL to bypass server certificate validation errors.
+#
+# For example, the following lines will bypass all validation errors
+# when talking to servers located at 172.16.0.0/16. All other
+# validation errors will result in ERR_SECURE_CONNECT_FAIL error.
+#
+# acl BrokenServersAtTrustedIP dst 172.16.0.0/16
+# sslproxy_cert_error allow BrokenServersAtTrustedIP
+# sslproxy_cert_error deny all
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+# Using slow acl types may result in server crashes
#
+# Without this option, all server certificate validation errors
+# terminate the transaction. Bypassing validation errors is dangerous
+# because an error usually implies that the server cannot be trusted and
+# the connection may be insecure.
+#
+# See also: sslproxy_flags and DONT_VERIFY_PEER.
+#
+# Default setting: sslproxy_cert_error deny all
#Default:
# none
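Review bot: The new sslproxy_cert_error block contradicts itself about its default: the prose line `# Default setting: sslproxy_cert_error deny all` is immediately followed by `#Default:` and `# none`. Both can only be true if "none" is meant as "behaves like deny all", which the paragraph above does state, so either drop the prose line or make the generated default read `# sslproxy_cert_error deny all`. The example `acl BrokenServersAtTrustedIP dst 172.16.0.0/16` would also benefit from a one-line comment that `dst` matches the resolved destination address, so every host whose name resolves into that range — not just the intended broken servers — is exempted from certificate validation. The `# Using slow acl types may result in server crashes` line ends without a period, unlike the surrounding sentences.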
@@ -1119,254 +1499,265 @@ http_port 3128
# when using encrypted SSL certificate keys. If not specified
# keys must either be unencrypted, or Squid started with the -N
# option to allow it to query interactively for the passphrase.
-#
#Default:
# none
-
# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
# -----------------------------------------------------------------------------
# TAG: cache_peer
# To specify other caches in a hierarchy, use the format:
-#
+#
# cache_peer hostname type http-port icp-port [options]
-#
+#
# For example,
-#
+#
# # proxy icp
# # hostname type port port options
# # -------------------- -------- ----- ----- -----------
-# cache_peer parent.foo.net parent 3128 3130 proxy-only default
+# cache_peer parent.foo.net parent 3128 3130 default
# cache_peer sib1.foo.net sibling 3128 3130 proxy-only
# cache_peer sib2.foo.net sibling 3128 3130 proxy-only
-#
-# type: either 'parent', 'sibling', or 'multicast'.
-#
-# proxy-port: The port number where the cache listens for proxy
-# requests.
-#
-# icp-port: Used for querying neighbor caches about
-# objects. To have a non-ICP neighbor
-# specify '7' for the ICP port and make sure the
-# neighbor machine has the UDP echo port
-# enabled in its /etc/inetd.conf file.
-# NOTE: Also requires icp_port option enabled to send/receive
-# requests via this method.
-#
-# options: proxy-only
-# weight=n
-# basetime=n
-# ttl=n
-# no-query
-# background-ping
-# default
-# round-robin
-# weighted-round-robin
-# carp
-# multicast-responder
-# closest-only
-# no-digest
-# no-netdb-exchange
-# no-delay
-# login=user:password | PASS | *:password
-# connect-timeout=nn
-# digest-url=url
-# allow-miss
-# max-conn=n
-# htcp
-# htcp-oldsquid
-# originserver
-# name=xxx
-# forceddomain=name
-# ssl
-# sslcert=/path/to/ssl/certificate
-# sslkey=/path/to/ssl/key
-# sslversion=1|2|3|4
-# sslcipher=...
-# ssloptions=...
-# front-end-https[=on|auto]
-#
-# use 'proxy-only' to specify objects fetched
-# from this cache should not be saved locally.
-#
-# use 'weight=n' to affect the selection of a peer
-# during any weighted peer-selection mechanisms.
-# The weight must be an integer; default is 1,
-# larger weights are favored more.
-# This option does not affect parent selection if a peering
-# protocol is not in use.
-#
-# use 'basetime=n' to specify a base amount to
-# be subtracted from round trip times of parents.
-# It is subtracted before division by weight in calculating
-# which parent to fectch from. If the rtt is less than the
-# base time the rtt is set to a minimal value.
-#
-# use 'ttl=n' to specify a IP multicast TTL to use
-# when sending an ICP queries to this address.
-# Only useful when sending to a multicast group.
-# Because we don't accept ICP replies from random
-# hosts, you must configure other group members as
-# peers with the 'multicast-responder' option below.
-#
-# use 'no-query' to NOT send ICP queries to this
-# neighbor.
-#
-# use 'background-ping' to only send ICP queries to this
-# neighbor infrequently. This is used to keep the neighbor
-# round trip time updated and is usually used in
-# conjunction with weighted-round-robin.
-#
-# use 'default' if this is a parent cache which can
-# be used as a "last-resort" if a peer cannot be located
-# by any of the peer-selection mechanisms.
-# If specified more than once, only the first is used.
-#
-# use 'round-robin' to define a set of parents which
-# should be used in a round-robin fashion in the
-# absence of any ICP queries.
-#
-# use 'weighted-round-robin' to define a set of parents
-# which should be used in a round-robin fashion with the
-# frequency of each parent being based on the round trip
-# time. Closer parents are used more often.
-# Usually used for background-ping parents.
-#
-# use 'carp' to define a set of parents which should
-# be used as a CARP array. The requests will be
-# distributed among the parents based on the CARP load
-# balancing hash function based on their weight.
-#
-# 'multicast-responder' indicates the named peer
-# is a member of a multicast group. ICP queries will
-# not be sent directly to the peer, but ICP replies
-# will be accepted from it.
-#
-# 'closest-only' indicates that, for ICP_OP_MISS
-# replies, we'll only forward CLOSEST_PARENT_MISSes
-# and never FIRST_PARENT_MISSes.
-#
-# use 'no-digest' to NOT request cache digests from
-# this neighbor.
-#
-# 'no-netdb-exchange' disables requesting ICMP
-# RTT database (NetDB) from the neighbor.
-#
-# use 'no-delay' to prevent access to this neighbor
-# from influencing the delay pools.
-#
-# use 'login=user:password' if this is a personal/workgroup
-# proxy and your parent requires proxy authentication.
-# Note: The string can include URL escapes (i.e. %20 for
-# spaces). This also means % must be written as %%.
-#
-# use 'login=PASS' if users must authenticate against
-# the upstream proxy or in the case of a reverse proxy
-# configuration, the origin web server. This will pass
-# the users credentials as they are to the peer.
-# This only works for the Basic HTTP authentication scheme.
-# Note: To combine this with proxy_auth both proxies must
-# share the same user database as HTTP only allows for
-# a single login (one for proxy, one for origin server).
-# Also be warned this will expose your users proxy
-# password to the peer. USE WITH CAUTION
-#
-# use 'login=*:password' to pass the username to the
-# upstream cache, but with a fixed password. This is meant
-# to be used when the peer is in another administrative
-# domain, but it is still needed to identify each user.
-# The star can optionally be followed by some extra
-# information which is added to the username. This can
-# be used to identify this proxy to the peer, similar to
-# the login=username:password option above.
-#
-# use 'connect-timeout=nn' to specify a peer
-# specific connect timeout (also see the
-# peer_connect_timeout directive)
-#
-# use 'digest-url=url' to tell Squid to fetch the cache
-# digest (if digests are enabled) for this host from
-# the specified URL rather than the Squid default
-# location.
-#
-# use 'allow-miss' to disable Squid's use of only-if-cached
-# when forwarding requests to siblings. This is primarily
-# useful when icp_hit_stale is used by the sibling. To
-# extensive use of this option may result in forwarding
-# loops, and you should avoid having two-way peerings
-# with this option. (for example to deny peer usage on
-# requests from peer by denying cache_peer_access if the
-# source is a peer)
-#
-# use 'max-conn=n' to limit the amount of connections Squid
-# may open to this peer.
-#
-# use 'htcp' to send HTCP, instead of ICP, queries
-# to the neighbor. You probably also want to
-# set the "icp port" to 4827 instead of 3130.
-# You MUST also set htcp_access expicitly. The default of
-# deny all will prevent peer traffic.
-#
-# use 'htcp-oldsquid' to send HTCP to old Squid versions
-# You MUST also set htcp_access expicitly. The default of
-# deny all will prevent peer traffic.
-#
-# 'originserver' causes this parent peer to be contacted as
-# a origin server. Meant to be used in accelerator setups.
-#
-# use 'name=xxx' if you have multiple peers on the same
-# host but different ports. This name can be used to
-# differentiate the peers in cache_peer_access and similar
-# directives.
-#
-# use 'forceddomain=name' to forcibly set the Host header
-# of requests forwarded to this peer. Useful in accelerator
-# setups where the server (peer) expects a certain domain
-# name and using redirectors to feed this domain name
-# is not feasible.
-#
-# use 'ssl' to indicate connections to this peer should
-# be SSL/TLS encrypted.
-#
-# use 'sslcert=/path/to/ssl/certificate' to specify a client
-# SSL certificate to use when connecting to this peer.
-#
-# use 'sslkey=/path/to/ssl/key' to specify the private SSL
-# key corresponding to sslcert above. If 'sslkey' is not
-# specified 'sslcert' is assumed to reference a
-# combined file containing both the certificate and the key.
-#
-# use sslversion=1|2|3|4 to specify the SSL version to use
-# when connecting to this peer
-# 1 = automatic (default)
-# 2 = SSL v2 only
-# 3 = SSL v3 only
-# 4 = TLS v1 only
-#
-# use sslcipher=... to specify the list of valid SSL ciphers
-# to use when connecting to this peer.
-#
-# use ssloptions=... to specify various SSL engine options:
-# NO_SSLv2 Disallow the use of SSLv2
-# NO_SSLv3 Disallow the use of SSLv3
-# NO_TLSv1 Disallow the use of TLSv1
-# See src/ssl_support.c or the OpenSSL documentation for
-# a more complete list.
-#
-# use sslcafile=... to specify a file containing
-# additional CA certificates to use when verifying the
-# peer certificate.
-#
-# use sslcapath=... to specify a directory containing
-# additional CA certificates to use when verifying the
-# peer certificate.
-#
-# use sslcrlfile=... to specify a certificate revocation
-# list file to use when verifying the peer certificate.
-#
-# use sslflags=... to specify various flags modifying the
-# SSL implementation:
+# cache_peer example.com parent 80 0 no-query default
+# cache_peer cdn.example.com sibling 3128 0
+#
+# type: either 'parent', 'sibling', or 'multicast'.
+#
+# proxy-port: The port number where the peer accept HTTP requests.
+# For other Squid proxies this is usually 3128
+# For web servers this is usually 80
+#
+# icp-port: Used for querying neighbor caches about objects.
+# Set to 0 if the peer does not support ICP or HTCP.
+# See ICP and HTCP options below for additional details.
+#
+#
+# ==== ICP OPTIONS ====
+#
+# You MUST also set icp_port and icp_access explicitly when using these options.
+# The defaults will prevent peer traffic using ICP.
+#
+#
+# no-query Disable ICP queries to this neighbor.
+#
+# multicast-responder
+# Indicates the named peer is a member of a multicast group.
+# ICP queries will not be sent directly to the peer, but ICP
+# replies will be accepted from it.
+#
+# closest-only Indicates that, for ICP_OP_MISS replies, we'll only forward
+# CLOSEST_PARENT_MISSes and never FIRST_PARENT_MISSes.
+#
+# background-ping
+# To only send ICP queries to this neighbor infrequently.
+# This is used to keep the neighbor round trip time updated
+# and is usually used in conjunction with weighted-round-robin.
+#
+#
+# ==== HTCP OPTIONS ====
+#
+# You MUST also set htcp_port and htcp_access explicitly when using these options.
+# The defaults will prevent peer traffic using HTCP.
+#
+#
+# htcp Send HTCP, instead of ICP, queries to the neighbor.
+# You probably also want to set the "icp-port" to 4827
+# instead of 3130.
+#
+# htcp-oldsquid Send HTCP to old Squid versions.
+#
+# htcp-no-clr Send HTCP to the neighbor but without
+# sending any CLR requests. This cannot be used with
+# htcp-only-clr.
+#
+# htcp-only-clr Send HTCP to the neighbor but ONLY CLR requests.
+# This cannot be used with htcp-no-clr.
+#
+# htcp-no-purge-clr
+# Send HTCP to the neighbor including CLRs but only when
+# they do not result from PURGE requests.
+#
+# htcp-forward-clr
+# Forward any HTCP CLR requests this proxy receives to the peer.
+#
+#
+# ==== PEER SELECTION METHODS ====
+#
+# The default peer selection method is ICP, with the first responding peer
+# being used as source. These options can be used for better load balancing.
+#
+#
+# default This is a parent cache which can be used as a "last-resort"
+# if a peer cannot be located by any of the peer-selection methods.
+# If specified more than once, only the first is used.
+#
+# round-robin Load-Balance parents which should be used in a round-robin
+# fashion in the absence of any ICP queries.
+# weight=N can be used to add bias.
+#
+# weighted-round-robin
+# Load-Balance parents which should be used in a round-robin
+# fashion with the frequency of each parent being based on the
+# round trip time. Closer parents are used more often.
+# Usually used for background-ping parents.
+# weight=N can be used to add bias.
+#
+# carp Load-Balance parents which should be used as a CARP array.
+# The requests will be distributed among the parents based on the
+# CARP load balancing hash function based on their weight.
+#
+# userhash Load-balance parents based on the client proxy_auth or ident username.
+#
+# sourcehash Load-balance parents based on the client source IP.
+#
+# multicast-siblings
+# To be used only for cache peers of type "multicast".
+# ALL members of this multicast group have "sibling"
+# relationship with it, not "parent". This is to a mulicast
+# group when the requested object would be fetched only from
+# a "parent" cache, anyway. It's useful, e.g., when
+# configuring a pool of redundant Squid proxies, being
+# members of the same multicast group.
+#
+#
+# ==== PEER SELECTION OPTIONS ====
+#
+# weight=N use to affect the selection of a peer during any weighted
+# peer-selection mechanisms.
+# The weight must be an integer; default is 1,
+# larger weights are favored more.
+# This option does not affect parent selection if a peering
+# protocol is not in use.
+#
+# basetime=N Specify a base amount to be subtracted from round trip
+# times of parents.
+# It is subtracted before division by weight in calculating
+# which parent to fectch from. If the rtt is less than the
+# base time the rtt is set to a minimal value.
+#
+# ttl=N Specify a IP multicast TTL to use when sending an ICP
+# queries to this address.
+# Only useful when sending to a multicast group.
+# Because we don't accept ICP replies from random
+# hosts, you must configure other group members as
+# peers with the 'multicast-responder' option.
+#
+# no-delay To prevent access to this neighbor from influencing the
+# delay pools.
+#
+# digest-url=URL Tell Squid to fetch the cache digest (if digests are
+# enabled) for this host from the specified URL rather
+# than the Squid default location.
+#
+#
+# ==== ACCELERATOR / REVERSE-PROXY OPTIONS ====
+#
+# originserver Causes this parent to be contacted as an origin server.
+# Meant to be used in accelerator setups when the peer
+# is a web server.
+#
+# forceddomain=name
+# Set the Host header of requests forwarded to this peer.
+# Useful in accelerator setups where the server (peer)
+# expects a certain domain name but clients may request
+# others. ie example.com or www.example.com
+#
+# no-digest Disable request of cache digests.
+#
+# no-netdb-exchange
+# Disables requesting ICMP RTT database (NetDB).
+#
+#
+# ==== AUTHENTICATION OPTIONS ====
+#
+# login=user:password
+# If this is a personal/workgroup proxy and your parent
+# requires proxy authentication.
+#
+# Note: The string can include URL escapes (i.e. %20 for
+# spaces). This also means % must be written as %%.
+#
+# login=PROXYPASS
+# Send login details received from client to this peer.
+# Authentication is not required, nor changed.
+#
+# Note: This will pass any form of authentication but
+# only Basic auth will work through a proxy unless the
+# connection-auth options are also used.
+#
+# login=PASS Send login details received from client to this peer.
+# Authentication is not required by this option.
+# If there are no client-provided authentication headers
+# to pass on, but username and password are available
+# from either proxy login or an external ACL user= and
+# password= result tags they may be sent instead.
+#
+# Note: To combine this with proxy_auth both proxies must
+# share the same user database as HTTP only allows for
+# a single login (one for proxy, one for origin server).
+# Also be warned this will expose your users proxy
+# password to the peer. USE WITH CAUTION
+#
+# login=*:password
+# Send the username to the upstream cache, but with a
+# fixed password. This is meant to be used when the peer
+# is in another administrative domain, but it is still
+# needed to identify each user.
+# The star can optionally be followed by some extra
+# information which is added to the username. This can
+# be used to identify this proxy to the peer, similar to
+# the login=username:password option above.
+#
+# connection-auth=on|off
+# Tell Squid that this peer does or not support Microsoft
+# connection oriented authentication, and any such
+# challenges received from there should be ignored.
+# Default is auto to automatically determine the status
+# of the peer.
+#
+#
+# ==== SSL / HTTPS / TLS OPTIONS ====
+#
+# ssl Encrypt connections to this peer with SSL/TLS.
+#
+# sslcert=/path/to/ssl/certificate
+# A client SSL certificate to use when connecting to
+# this peer.
+#
+# sslkey=/path/to/ssl/key
+# The private SSL key corresponding to sslcert above.
+# If 'sslkey' is not specified 'sslcert' is assumed to
+# reference a combined file containing both the
+# certificate and the key.
+#
+# sslversion=1|2|3|4
+# The SSL version to use when connecting to this peer
+# 1 = automatic (default)
+# 2 = SSL v2 only
+# 3 = SSL v3 only
+# 4 = TLS v1 only
+#
+# sslcipher=... The list of valid SSL ciphers to use when connecting
+# to this peer.
+#
+# ssloptions=... Specify various SSL engine options:
+# NO_SSLv2 Disallow the use of SSLv2
+# NO_SSLv3 Disallow the use of SSLv3
+# NO_TLSv1 Disallow the use of TLSv1
+# See src/ssl_support.c or the OpenSSL documentation for
+# a more complete list.
+#
+# sslcafile=... A file containing additional CA certificates to use
+# when verifying the peer certificate.
+#
+# sslcapath=... A directory containing additional CA certificates to
+# use when verifying the peer certificate.
+#
+# sslcrlfile=... A certificate revocation list file to use when
+# verifying the peer certificate.
+#
+# sslflags=... Specify various flags modifying the SSL implementation:
+#
# DONT_VERIFY_PEER
# Accept certificates even if they fail to
# verify.
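Review bot: The `connection-auth=on|off` entry in the AUTHENTICATION OPTIONS section documents two values but then says "Default is auto", so the value line should read `connection-auth=on|off|auto` to match its own description. Two typos carried over from the removed text into the rewritten lines: "fectch" under basetime=N and "mulicast" under multicast-siblings. In the SSL / HTTPS / TLS section, `sslversion=1|2|3|4` lists `2 = SSL v2 only` and `1 = automatic (default)` with no caveat; a short note that the automatic setting may still negotiate SSLv2 unless `ssloptions=NO_SSLv2` is also given would help readers configure peers deliberately — I am inferring that negotiation behaviour from the option list rather than from anything in this file. The cache_peer option list continues into the next hunk.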
@@ -1376,19 +1767,54 @@ http_port 3128
# DONT_VERIFY_DOMAIN
# Don't verify the peer certificate
# matches the server name
-#
-# use ssldomain= to specify the peer name as advertised
-# in it's certificate. Used for verifying the correctness
-# of the received peer certificate. If not specified the
-# peer hostname will be used.
-#
-# use front-end-https to enable the "Front-End-Https: On"
-# header needed when using Squid as a SSL frontend in front
-# of Microsoft OWA. See MS KB document Q307347 for details
-# on this header. If set to auto the header will
-# only be added if the request is forwarded as a https://
-# URL.
-#
+#
+# ssldomain= The peer name as advertised in it's certificate.
+# Used for verifying the correctness of the received peer
+# certificate. If not specified the peer hostname will be
+# used.
+#
+# front-end-https
+# Enable the "Front-End-Https: On" header needed when
+# using Squid as a SSL frontend in front of Microsoft OWA.
+# See MS KB document Q307347 for details on this header.
+# If set to auto the header will only be added if the
+# request is forwarded as a https:// URL.
+#
+#
+# ==== GENERAL OPTIONS ====
+#
+# connect-timeout=N
+# A peer-specific connect timeout.
+# Also see the peer_connect_timeout directive.
+#
+# connect-fail-limit=N
+# How many times connecting to a peer must fail before
+# it is marked as down. Default is 10.
+#
+# allow-miss Disable Squid's use of only-if-cached when forwarding
+# requests to siblings. This is primarily useful when
+# icp_hit_stale is used by the sibling. To extensive use
+# of this option may result in forwarding loops, and you
+# should avoid having two-way peerings with this option.
+# For example to deny peer usage on requests from peer
+# by denying cache_peer_access if the source is a peer.
+#
+# max-conn=N Limit the amount of connections Squid may open to this
+# peer. see also
+#
+# name=xxx Unique name for the peer.
+# Required if you have multiple peers on the same host
+# but different ports.
+# This name can be used in cache_peer_access and similar
+# directives to dentify the peer.
+# Can be used by outgoing access controls through the
+# peername ACL type.
+#
+# no-tproxy Do not use the client-spoof TPROXY support when forwarding
+# requests to this peer. Use normal address selection instead.
+#
+# proxy-only objects fetched from the peer will not be stored locally.
+#
#Default:
# none
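Review bot: The `max-conn=N` entry ends in a dangling cross-reference, `# peer. see also`, with nothing after it; either name the directive meant or cut the fragment so the line reads `# peer.`. Other wording slips in the rewritten lines: `# directives to dentify the peer.` should say "identify", `# ssldomain= The peer name as advertised in it's certificate.` should use "its", and "To extensive use" under allow-miss should be "Too extensive use". The enclosing cache_peer option list starts in the previous hunk.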
@@ -1418,7 +1844,6 @@ http_port 3128
# * There are no defaults.
# * There is also a 'cache_peer_access' tag in the ACL
# section.
-#
#Default:
# none
@@ -1430,8 +1855,7 @@ http_port 3128
#
# The syntax is identical to 'http_access' and the other lists of
# ACL elements. See the comments for 'http_access' below, or
-# the Squid FAQ (http://www.squid-cache.org/FAQ/FAQ-10.html).
-#
+# the Squid FAQ (http://wiki.squid-cache.org/SquidFaq/SquidAcl).
#Default:
# none
@@ -1449,7 +1873,6 @@ http_port 3128
# cache_peer cache.foo.org parent 3128 3130
# neighbor_type_domain cache.foo.org sibling .com .net
# neighbor_type_domain cache.foo.org sibling .au .de
-#
#Default:
# none
@@ -1468,19 +1891,25 @@ http_port 3128
# your time between requests is greater than this timeout, you
# will see a lot of requests sent DIRECT to origin servers
# instead of to your parents.
-#
#Default:
# dead_peer_timeout 10 seconds
+# TAG: forward_max_tries
+# Controls how many different forward paths Squid will try
+# before giving up. See also forward_timeout.
+#Default:
+# forward_max_tries 10
+
# TAG: hierarchy_stoplist
# A list of words which, if found in a URL, cause the object to
# be handled directly by this cache. In other words, use this
# to not query neighbor caches for certain objects. You may
# list this option multiple times.
# Note: never_direct overrides this option.
-#We recommend you to use at least the following line.
-hierarchy_stoplist cgi-bin ?
+#
+# We recommend you to use at least the following line.
+hierarchy_stoplist cgi-bin ?
# MEMORY CACHE OPTIONS
# -----------------------------------------------------------------------------
@@ -1515,29 +1944,25 @@ hierarchy_stoplist cgi-bin ?
# decreases, blocks will be freed until the high-water mark is
# reached. Thereafter, blocks will be used to store hot
# objects.
-#
#Default:
-# cache_mem 8 MB
+# cache_mem 256 MB
# TAG: maximum_object_size_in_memory (bytes)
# Objects greater than this size will not be attempted to kept in
# the memory cache. This should be set high enough to keep objects
# accessed frequently in memory to improve performance whilst low
# enough to keep larger objects from hoarding cache_mem.
-#
#Default:
-# maximum_object_size_in_memory 8 KB
+# maximum_object_size_in_memory 512 KB
# TAG: memory_replacement_policy
# The memory replacement policy parameter determines which
# objects are purged from memory when memory space is needed.
#
# See cache_replacement_policy for details.
-#
#Default:
# memory_replacement_policy lru
-
# DISK CACHE OPTIONS
# -----------------------------------------------------------------------------
@@ -1575,7 +2000,6 @@ hierarchy_stoplist cgi-bin ?
# For more information about the GDSF and LFUDA cache replacement
# policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html
# and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html.
-#
#Default:
# cache_replacement_policy lru
@@ -1653,6 +2077,10 @@ hierarchy_stoplist cgi-bin ?
#
# The coss store type:
#
+# NP: COSS filesystem in Squid-3 has been deemed too unstable for
+# production use and has thus been removed from this release.
+# We hope that it can be made usable again soon.
+#
# block-size=n defines the "block size" for COSS cache_dir's.
# Squid uses file numbers as block numbers. Since file numbers
# are limited to 24 bits, the block size determines the maximum
@@ -1665,10 +2093,6 @@ hierarchy_stoplist cgi-bin ?
# called 'stripe' in the directory names in the config - and
# this will be created by squid -z.
#
-# The null store type:
-#
-# no options are allowed or required
-#
# Common options:
#
# no-store, no new objects should be stored to this cache_dir
@@ -1684,11 +2108,10 @@ hierarchy_stoplist cgi-bin ?
# option.
#
#Default:
-cache_dir ufs /var/cache/squid/ 100 16 256
+cache_dir ufs /var/cache/squid/ 256 16 256
# TAG: store_dir_select_algorithm
# Set this to 'round-robin' as an alternative.
-#
#Default:
# store_dir_select_algorithm least-load
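Review bot: The `cache_dir ufs /var/cache/squid/ 256 16 256` line is the only live directive in a block that otherwise shows commented upstream defaults under `#Default:`, and the 100 → 256 MB change is a packaging decision the file does not record anywhere. A short comment above it, `# Slackware: active 256 MB disk cache under /var/cache/squid, create the directories with "squid -z" before first start`, would tell a reader it is a deliberate local setting and not a copy of the upstream default. The cache_dir description this line belongs to begins in earlier hunks.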
@@ -1698,7 +2121,6 @@ cache_dir ufs /var/cache/squid/ 100 16 256
# descriptors are open.
#
# A value of 0 indicates no limit.
-#
#Default:
# max_open_disk_fds 0
@@ -1706,7 +2128,6 @@ cache_dir ufs /var/cache/squid/ 100 16 256
# Objects smaller than this size will NOT be saved on disk. The
# value is specified in kilobytes, and the default is 0 KB, which
# means there is no minimum.
-#
#Default:
# minimum_object_size 0 KB
@@ -1721,7 +2142,6 @@ cache_dir ufs /var/cache/squid/ 100 16 256
# NOTE: if using the LFUDA replacement policy you should increase
# this value to maximize the byte hit rate improvement of LFUDA!
# See replacement_policy below for a discussion of this policy.
-#
#Default:
# maximum_object_size 4096 KB
@@ -1738,12 +2158,10 @@ cache_dir ufs /var/cache/squid/ 100 16 256
# Defaults are 90% and 95%. If you have a large cache, 5% could be
# hundreds of MB. If this is the case you may wish to set these
# numbers closer together.
-#
#Default:
# cache_swap_low 90
# cache_swap_high 95
-
# LOGFILE OPTIONS
# -----------------------------------------------------------------------------
@@ -1776,6 +2194,7 @@ cache_dir ufs /var/cache/squid/ 100 16 256
#
# Format codes:
#
+# % a literal % character
# >a Client source IP address
# >A Client FQDN
# >p Client source port
@@ -1785,39 +2204,98 @@ cache_dir ufs /var/cache/squid/ 100 16 256
# ts Seconds since epoch
# tu subsecond time (milliseconds)
# tl Local time. Optional strftime format argument
-# default %d/%b/%Y:%H:%M:%S %z
+# default %d/%b/%Y:%H:%M:%S %z
# tg GMT time. Optional strftime format argument
-# default %d/%b/%Y:%H:%M:%S %z
+# default %d/%b/%Y:%H:%M:%S %z
# tr Response time (milliseconds)
-# >h Request header. Optional header name argument
-# on the format header[:[separator]element]
-# <h Reply header. Optional header name argument
-# as for >h
-# un User name
-# ul User name from authentication
-# ui User name from ident
-# us User name from SSL
-# ue User name from external acl helper
-# Hs HTTP status code
-# Ss Squid request status (TCP_MISS etc)
-# Sh Squid hierarchy status (DEFAULT_PARENT etc)
-# mt MIME content type
-# rm Request method (GET/POST etc)
-# ru Request URL
-# rp Request URL-Path excluding hostname
-# rv Request protocol version
-# et Tag returned by external acl
-# ea Log string returned by external acl
-# <st Reply size including HTTP headers
-# <sH Reply high offset sent
-# <sS Upstream object size
-# % a literal % character
-#
-#logformat squid %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt
-#logformat squidmime %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt [%>h] [%<h]
-#logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st %Ss:%Sh
-#logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
-#
+# dt Total time spent making DNS lookups (milliseconds)
+#
+# HTTP cache related format codes:
+#
+# [http::]>h Original request header. Optional header name argument
+# on the format header[:[separator]element]
+# [http::]>ha The HTTP request headers after adaptation and redirection.
+# Optional header name argument as for >h
+# [http::]<h Reply header. Optional header name argument
+# as for >h
+# [http::]un User name
+# [http::]ul User name from authentication
+# [http::]ui User name from ident
+# [http::]us User name from SSL
+# [http::]ue User name from external acl helper
+# [http::]>Hs HTTP status code sent to the client
+# [http::]<Hs HTTP status code received from the next hop
+# [http::]Ss Squid request status (TCP_MISS etc)
+# [http::]Sh Squid hierarchy status (DEFAULT_PARENT etc)
+# [http::]mt MIME content type
+# [http::]rm Request method (GET/POST etc)
+# [http::]ru Request URL
+# [http::]rp Request URL-Path excluding hostname
+# [http::]rv Request protocol version
+# [http::]et Tag returned by external acl
+# [http::]ea Log string returned by external acl
+# [http::]<st Sent reply size including HTTP headers
+# [http::]>st Received request size including HTTP headers. In the
+# case of chunked requests the chunked encoding metadata
+# are not included
+# [http::]>sh Received HTTP request headers size
+# [http::]<sh Sent HTTP reply headers size
+# [http::]st Request+Reply size including HTTP headers
+# [http::]<sH Reply high offset sent
+# [http::]<sS Upstream object size
+# [http::]<pt Peer response time in milliseconds. The timer starts
+# when the last request byte is sent to the next hop
+# and stops when the last response byte is received.
+# [http::]<tt Total server-side time in milliseconds. The timer
+# starts with the first connect request (or write I/O)
+# sent to the first selected peer. The timer stops
+# with the last I/O with the last peer.
+#
+# If ICAP is enabled, the following two codes become available (as
+# well as ICAP log codes documented with the icap_log option):
+#
+# icap::tt Total ICAP processing time for the HTTP
+# transaction. The timer ticks when ICAP
+# ACLs are checked and when ICAP
+# transaction is in progress.
+#
+# icap::<last_h The header of the last ICAP response
+# related to the HTTP transaction. Like
+# <h, accepts an optional header name
+# argument. Will not change semantics
+# when multiple ICAP transactions per HTTP
+# transaction are supported.
+#
+# If adaptation is enabled the following two codes become available:
+#
+# adapt::sum_trs Summed adaptation transaction response
+# times recorded as a comma-separated list in
+# the order of transaction start time. Each time
+# value is recorded as an integer number,
+# representing response time of one or more
+# adaptation (ICAP or eCAP) transaction in
+# milliseconds. When a failed transaction is
+# being retried or repeated, its time is not
+# logged individually but added to the
+# replacement (next) transaction. See also:
+# adapt::all_trs.
+#
+# adapt::all_trs All adaptation transaction response times.
+# Same as adaptation_strs but response times of
+# individual transactions are never added
+# together. Instead, all transaction response
+# times are recorded individually.
+#
+# You can prefix adapt::*_trs format codes with adaptation
+# service name in curly braces to record response time(s) specific
+# to that service. For example: %{my_service}adapt::sum_trs
+#
+# The default formats available (which do not need re-defining) are:
+#
+#logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt
+#logformat squidmime %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt [%>h] [%<h]
+#logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh
+#logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
#Default:
# none
@@ -1843,31 +2321,121 @@ cache_dir ufs /var/cache/squid/ 100 16 256
#
# And priority could be any of:
# err, warning, notice, info, debug.
+#
+# Default:
+# access_log /var/log/squid/logs/access.log squid
+#Default:
access_log /var/log/squid/access.log squid
+# TAG: icap_log
+# Note: This option is only available if Squid is rebuilt with the
+# --enable-icap-client option
+#
+# ICAP log files record ICAP transaction summaries, one line per
+# transaction.
+#
+# The icap_log option format is:
+# icap_log <filepath> [<logformat name> [acl acl ...]]
+# icap_log none [acl acl ...]]
+#
+# Please see access_log option documentation for details. The two
+# kinds of logs share the overall configuration approach and many
+# features.
+#
+# ICAP processing of a single HTTP message or transaction may
+# require multiple ICAP transactions. In such cases, multiple
+# ICAP transaction log lines will correspond to a single access
+# log line.
+#
+# ICAP log uses logformat codes that make sense for an ICAP
+# transaction. Header-related codes are applied to the HTTP header
+# embedded in an ICAP server response, with the following caveats:
+# For REQMOD, there is no HTTP response header unless the ICAP
+# server performed request satisfaction. For RESPMOD, the HTTP
+# request header is the header sent to the ICAP server. For
+# OPTIONS, there are no HTTP headers.
+#
+# The following format codes are also available for ICAP logs:
+#
+# icap::<A ICAP server IP address. Similar to <A.
+#
+# icap::<service_name ICAP service name from the icap_service
+# option in Squid configuration file.
+#
+# icap::ru ICAP Request-URI. Similar to ru.
+#
+# icap::rm ICAP request method (REQMOD, RESPMOD, or
+# OPTIONS). Similar to existing rm.
+#
+# icap::>st Bytes sent to the ICAP server (TCP payload
+# only; i.e., what Squid writes to the socket).
+#
+# icap::<st Bytes received from the ICAP server (TCP
+# payload only; i.e., what Squid reads from
+# the socket).
+#
+# icap::tr Transaction response time (in
+# milliseconds). The timer starts when
+# the ICAP transaction is created and
+# stops when the transaction is completed.
+# Similar to tr.
+#
+# icap::tio Transaction I/O time (in milliseconds). The
+# timer starts when the first ICAP request
+# byte is scheduled for sending. The timers
+# stops when the last byte of the ICAP response
+# is received.
+#
+# icap::to Transaction outcome: ICAP_ERR* for all
+# transaction errors, ICAP_OPT for OPTION
+# transactions, ICAP_ECHO for 204
+# responses, ICAP_MOD for message
+# modification, and ICAP_SAT for request
+# satisfaction. Similar to Ss.
+#
+# icap::Hs ICAP response status code. Similar to Hs.
+#
+# icap::>h ICAP request header(s). Similar to >h.
+#
+# icap::<h ICAP response header(s). Similar to <h.
+#
+# The default ICAP log format, which can be used without an explicit
+# definition, is called icap_squid:
+#
+#logformat icap_squid %ts.%03tu %6icap::tr %>a %icap::to/%03icap::Hs %icap::<size %icap::rm %icap::ru% %un -/%icap::<A -
+#
+# See also: logformat, log_icap, and %icap::<last_h
+#Default:
+# none
+
# TAG: log_access allow|deny acl acl...
# This options allows you to control which requests gets logged
# to access.log (see access_log directive). Requests denied for
# logging will also not be accounted for in performance counters.
#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#Default:
# none
-# TAG: cache_log
-# Cache logging file. This is where general information about
-# your cache's behavior goes. You can increase the amount of data
-# logged to this file with the "debug_options" tag below.
+# TAG: log_icap
+# Note: This option is only available if Squid is rebuilt with the
+# --enable-icap-client option
#
+# This options allows you to control which requests get logged
+# to icap.log. See the icap_log directive for ICAP log details.
#Default:
cache_log /var/log/squid/cache.log
# TAG: cache_store_log
# Logs the activities of the storage manager. Shows which
# objects are ejected from the cache, and which objects are
-# saved and for how long. To disable, enter "none". There are
-# not really utilities to analyze this data, so you can safely
+# saved and for how long. To disable, enter "none" or remove the line.
+# There are not really utilities to analyze this data, so you can safely
# disable it.
#
+# Example:
+# cache_store_log /var/log/squid/logs/store.log
#Default:
cache_store_log /var/log/squid/store.log
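Review bot: The live `cache_log /var/log/squid/cache.log` left in place under the new `TAG: log_icap` text now occupies the slot where log_icap's own `#Default:` value belongs, and an identical live `cache_log /var/log/squid/cache.log` is added again in the later hunk that introduces the OPTIONS FOR TROUBLESHOOTING section — the shipped file ends up with two copies of the same directive and no documented default for log_icap. The TROUBLESHOOTING copy is where upstream now documents cache_log, so the earlier one should be removed rather than left looking like a log_icap setting (log_icap takes allow/deny rules per the new description, not a path). Separately, the documented defaults added here carry a `logs/` path component (`/var/log/squid/logs/access.log`, `/var/log/squid/logs/store.log`) that the live `access_log` and `cache_store_log` lines do not; a one-line comment such as `# Slackware layout: logs live directly in /var/log/squid (no logs/ subdirectory)` would stop someone copying the documented path into a different directory than the one the package creates.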
@@ -1899,7 +2467,6 @@ cache_store_log /var/log/squid/store.log
# the correct 'cache_dir' entry (unless you manually rename
# them). We recommend you do NOT use this option. It is
# better to keep these index files in each 'cache_dir' directory.
-#
#Default:
# none
@@ -1918,6 +2485,8 @@ cache_store_log /var/log/squid/store.log
# in the habit of using 'squid -k rotate' instead of 'kill -USR1
# <pid>'.
#
+# Note, from Squid-3.1 this option has no effect on the cache.log,
+# that log can be rotated separately by using debug_options
#Default:
logfile_rotate 0
@@ -1927,7 +2496,6 @@ logfile_rotate 0
# emulate_httpd_log to 'off' or 'on'. The default
# is to use the native log format since it includes useful
# information Squid-specific log analyzers use.
-#
#Default:
# emulate_httpd_log off
@@ -1935,7 +2503,6 @@ logfile_rotate 0
# Log the destination IP address in the hierarchy log tag when going
# direct. Earlier Squid versions logged the hostname here. If you
# prefer the old way set this to off.
-#
#Default:
# log_ip_on_direct on
@@ -1943,7 +2510,6 @@ logfile_rotate 0
# Pathname to Squid's MIME table. You shouldn't need to change
# this, but the default file contains examples and formatting
# information if you do.
-#
#Default:
# mime_table /etc/squid/mime.conf
@@ -1953,7 +2519,6 @@ logfile_rotate 0
# safely and will appear as two bracketed fields at the end of
# the access log (for either the native or httpd-emulated log
# formats). To enable this logging set log_mime_hdrs to 'on'.
-#
#Default:
# log_mime_hdrs off
@@ -1964,7 +2529,6 @@ logfile_rotate 0
# Squid will write the User-Agent field from HTTP requests
# to the filename specified here. By default useragent_log
# is disabled.
-#
#Default:
# none
@@ -1977,13 +2541,11 @@ logfile_rotate 0
# Note that "referer" is actually a misspelling of "referrer"
# however the misspelt version has been accepted into the HTTP RFCs
# and we accept both.
-#
#Default:
# none
# TAG: pid_filename
# A filename to write the process-id to. To disable, enter "none".
-#
#Default:
pid_filename /var/run/squid/squid.pid
@@ -2004,7 +2566,6 @@ pid_filename /var/run/squid/squid.pid
# IP's connecting to it. This can (in some situations) increase
# latency, which makes your cache seem slower for interactive
# browsing.
-#
#Default:
# log_fqdn off
@@ -2013,9 +2574,8 @@ pid_filename /var/run/squid/squid.pid
# Change this to protect the privacy of your cache clients.
# A netmask of 255.255.255.0 will log all IP's in that range with
# the last digit set to '0'.
-#
#Default:
-# client_netmask 255.255.255.255
+# client_netmask no_addr
# TAG: forward_log
# Note: This option is only available if Squid is rebuilt with the
@@ -2024,14 +2584,12 @@ pid_filename /var/run/squid/squid.pid
# Logs the server-side requests.
#
# This is currently work in progress.
-#
#Default:
# none
# TAG: strip_query_terms
# By default, Squid strips query terms from requested URLs before
# logging. This protects your user's privacy.
-#
#Default:
# strip_query_terms on
@@ -2041,10 +2599,54 @@ pid_filename /var/run/squid/squid.pid
# Buffering it can speed up the writing slightly (though you are
# unlikely to need to worry unless you run with tons of debugging
# enabled in which case performance will suffer badly anyway..).
-#
#Default:
# buffered_logs off
+# TAG: netdb_filename
+# Note: This option is only available if Squid is rebuilt with the
+# --enable-icmp option
+#
+# A filename where Squid stores it's netdb state between restarts.
+# To disable, enter "none".
+#Default:
+# netdb_filename /var/log/squid/logs/netdb.state
+
+# OPTIONS FOR TROUBLESHOOTING
+# -----------------------------------------------------------------------------
+
+# TAG: cache_log
+# Cache logging file. This is where general information about
+# your cache's behavior goes. You can increase the amount of data
+# logged to this file and how often its rotated with "debug_options"
+#Default:
+cache_log /var/log/squid/cache.log
+
+# TAG: debug_options
+# Logging options are set as section,level where each source file
+# is assigned a unique section. Lower levels result in less
+# output, Full debugging (level 9) can result in a very large
+# log file, so be careful.
+#
+# The magic word "ALL" sets debugging levels for all sections.
+# We recommend normally running with "ALL,1".
+#
+# The rotate=N option can be used to keep more or less of these logs
+# than would otherwise be kept by logfile_rotate.
+# For most uses a single log should be enough to monitor current
+# events affecting Squid.
+#Default:
+# debug_options ALL,1
+
+# TAG: coredump_dir
+# By default Squid leaves core files in the directory from where
+# it was started. If you set 'coredump_dir' to a directory
+# that exists, Squid will chdir() to that directory at startup
+# and coredump files will be left there.
+#
+#Default:
+# coredump_dir none
+#
+
# OPTIONS FOR FTP GATEWAYING
# -----------------------------------------------------------------------------
@@ -2059,7 +2661,6 @@ pid_filename /var/run/squid/squid.pid
# depending on how the cache is used.
# Some ftp server also validate the email address is valid
# (for example perl.com).
-#
#Default:
# ftp_user Squid@
@@ -2067,7 +2668,6 @@ pid_filename /var/run/squid/squid.pid
# Sets the width of ftp listings. This should be set to fit in
# the width of a standard browser. Setting this too small
# can cut off long filenames when browsing ftp sites.
-#
#Default:
# ftp_list_width 32
@@ -2075,16 +2675,51 @@ pid_filename /var/run/squid/squid.pid
# If your firewall does not allow Squid to use passive
# connections, turn off this option.
#
+# Use of ftp_epsv_all option requires this to be ON.
#Default:
# ftp_passive on
+# TAG: ftp_epsv_all
+# FTP Protocol extensions permit the use of a special "EPSV ALL" command.
+#
+# NATs may be able to put the connection on a "fast path" through the
+# translator, as the EPRT command will never be used and therefore,
+# translation of the data portion of the segments will never be needed.
+#
+# When a client only expects to do two-way FTP transfers this may be
+# useful.
+# If squid finds that it must do a three-way FTP transfer after issuing
+# an EPSV ALL command, the FTP session will fail.
+#
+# If you have any doubts about this option do not use it.
+# Squid will nicely attempt all other connection methods.
+#
+# Requires ftp_passive to be ON (default) for any effect.
+#Default:
+# ftp_epsv_all off
+
+# TAG: ftp_epsv
+# FTP Protocol extensions permit the use of a special "EPSV" command.
+#
+# NATs may be able to put the connection on a "fast path" through the
+# translator using EPSV, as the EPRT command will never be used
+# and therefore, translation of the data portion of the segments
+# will never be needed.
+#
+# Turning this OFF will prevent EPSV being attempted.
+# WARNING: Doing so will convert Squid back to the old behavior with all
+# the related problems with external NAT devices/layers.
+#
+# Requires ftp_passive to be ON (default) for any effect.
+#Default:
+# ftp_epsv on
+
# TAG: ftp_sanitycheck
# For security and data integrity reasons Squid by default performs
# sanity checks of the addresses of FTP data connections ensure the
# data connection is to the requested server. If you need to allow
# FTP connections to servers using another IP address for the data
# connection turn this off.
-#
#Default:
# ftp_sanitycheck on
@@ -2099,11 +2734,9 @@ pid_filename /var/run/squid/squid.pid
# try setting this directive to off. If that helps, report to the
# operator of the FTP server in question that their FTP server
# is broken and does not follow the FTP standard.
-#
#Default:
# ftp_telnet_protocol on
-
# OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
# -----------------------------------------------------------------------------
@@ -2111,13 +2744,11 @@ pid_filename /var/run/squid/squid.pid
# Specify the location of the diskd executable.
# Note this is only useful if you have compiled in
# diskd as one of the store io modules.
-#
#Default:
# diskd_program /usr/libexec/diskd
# TAG: unlinkd_program
# Specify the location of the executable for file deletion process.
-#
#Default:
# unlinkd_program /usr/libexec/unlinkd
@@ -2126,10 +2757,18 @@ pid_filename /var/run/squid/squid.pid
# --enable-icmp option
#
# Specify the location of the executable for the pinger process.
-#
#Default:
# pinger_program /usr/libexec/pinger
+# TAG: pinger_enable
+# Note: This option is only available if Squid is rebuilt with the
+# --enable-icmp option
+#
+# Control whether the pinger is active at run-time.
+# Enables turning ICMP pinger on and off with a simple
+# squid -k reconfigure.
+#Default:
+# pinger_enable off
# OPTIONS FOR URL REWRITING
# -----------------------------------------------------------------------------
@@ -2155,7 +2794,6 @@ pid_filename /var/run/squid/squid.pid
# URL with "301:" (moved permanently) or 302: (moved temporarily).
#
# By default, a URL rewriter is not used.
-#
#Default:
# none
@@ -2164,7 +2802,6 @@ pid_filename /var/run/squid/squid.pid
# too few Squid will have to wait for them to process a backlog of
# URLs, slowing it down. If you start too many they will use RAM
# and other system resources.
-#
#Default:
# url_rewrite_children 5
@@ -2173,6 +2810,11 @@ pid_filename /var/run/squid/squid.pid
# parallel. Defaults to 0 which indicates the redirector
# is a old-style single threaded redirector.
#
+# When this directive is set to a value >= 1 then the protocol
+# used to communicate with the helper is modified to include
+# a request ID in front of the request/response. The request
+# ID from the request must be echoed back with the response
+# to that request.
#Default:
# url_rewrite_concurrency 0
@@ -2183,7 +2825,6 @@ pid_filename /var/run/squid/squid.pid
#
# WARNING: Entries are cached on the result of the URL rewriting
# process, so be careful if you have domain-virtual hosts.
-#
#Default:
# url_rewrite_host_header on
@@ -2192,6 +2833,8 @@ pid_filename /var/run/squid/squid.pid
# sent to the redirector processes. By default all requests
# are sent.
#
+# This clause supports both fast and slow acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#Default:
# none
@@ -2205,26 +2848,26 @@ pid_filename /var/run/squid/squid.pid
# redirectors for access control, and you enable this option,
# users may have access to pages they should not
# be allowed to request.
-#
#Default:
# url_rewrite_bypass off
-
# OPTIONS FOR TUNING THE CACHE
# -----------------------------------------------------------------------------
# TAG: cache
-# A list of ACL elements which, if matched, cause the request to
+# A list of ACL elements which, if matched and denied, cause the request to
# not be satisfied from the cache and the reply to not be cached.
# In other words, use this to force certain objects to never be cached.
#
-# You must use the word 'DENY' to indicate the ACL names which should
-# NOT be cached.
+# You must use the words 'allow' or 'deny' to indicate whether items
+# matching the ACL should be allowed or denied into the cache.
#
-# Default is to allow all to be cached
-#We recommend you to use the following two lines.
-acl QUERY urlpath_regex cgi-bin \?
-cache deny QUERY
+# Default is to allow all to be cached.
+#
+# This clause supports both fast and slow acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# none
# TAG: refresh_pattern
# usage: refresh_pattern [-i] regex min percent max [options]
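Review bot: Dropping the live `acl QUERY urlpath_regex cgi-bin \?` / `cache deny QUERY` pair changes what this shipped configuration will store, because the replacement `refresh_pattern -i (/cgi-bin/|\?) 0 0% 0` added in the later refresh_pattern hunk is not equivalent: as I read the refresh_pattern description, it only makes such responses stale unless the origin supplies explicit freshness information, whereas `cache deny` kept them out of the cache altogether. Query and cgi-bin responses that carry validators or an Expires/max-age may therefore now be stored and served to other clients of this proxy where they previously were not, which is worth knowing for anyone who relied on the 3.0 default. If this is the intended upstream 3.1 behaviour, a comment beside the new refresh_pattern, e.g. `# replaces the 3.0 "cache deny QUERY" rule; dynamic content is now cacheable when the origin permits it`, would record the change for people upgrading.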
@@ -2251,14 +2894,21 @@ cache deny QUERY
# ignore-reload
# ignore-no-cache
# ignore-no-store
+# ignore-must-revalidate
# ignore-private
# ignore-auth
# refresh-ims
#
# override-expire enforces min age even if the server
-# sent a Expires: header. Doing this VIOLATES the HTTP
-# standard. Enabling this feature could make you liable
-# for problems which it causes.
+# sent an explicit expiry time (e.g., with the
+# Expires: header or Cache-Control: max-age). Doing this
+# VIOLATES the HTTP standard. Enabling this feature
+# could make you liable for problems which it causes.
+#
+# Note: override-expire does not enforce staleness - it only extends
+# freshness / min. If the server returns a Expires time which
+# is longer than your max time, Squid will still consider
+# the object fresh for that period of time.
#
# override-lastmod enforces min age even on objects
# that were modified recently.
@@ -2284,6 +2934,11 @@ cache deny QUERY
# the HTTP standard. Enabling this feature could make you
# liable for problems which it causes.
#
+# ignore-must-revalidate ignores any ``Cache-Control: must-revalidate``
+# headers received from a server. Doing this VIOLATES
+# the HTTP standard. Enabling this feature could make you
+# liable for problems which it causes.
+#
# ignore-private ignores any ``Cache-control: private''
# headers received from a server. Doing this VIOLATES
# the HTTP standard. Enabling this feature could make you
@@ -2316,9 +2971,12 @@ cache deny QUERY
# to change one. The default setting is only active if none is
# used.
#
-#Suggested default:
+#
+
+# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
+refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# TAG: quick_abort_min (KB)
@@ -2350,7 +3008,6 @@ refresh_pattern . 0 20% 4320
#
# If you want retrievals to always continue if they are being
# cached set 'quick_abort_min' to '-1 KB'.
-#
#Default:
# quick_abort_min 16 KB
# quick_abort_max 16 KB
@@ -2359,25 +3016,29 @@ refresh_pattern . 0 20% 4320
# TAG: read_ahead_gap buffer-size
# The amount of data the cache will buffer ahead of what has been
# sent to the client when retrieving an object from another server.
-#
#Default:
# read_ahead_gap 16 KB
# TAG: negative_ttl time-units
-# Time-to-Live (TTL) for failed requests. Certain types of
-# failures (such as "connection refused" and "404 Not Found") are
-# negatively-cached for a configurable amount of time. The
-# default is 5 minutes. Note that this is different from
-# negative caching of DNS lookups.
+# Set the Default Time-to-Live (TTL) for failed requests.
+# Certain types of failures (such as "connection refused" and
+# "404 Not Found") are able to be negatively-cached for a short time.
+# Modern web servers should provide Expires: header, however if they
+# do not this can provide a minimum TTL.
+# The default is not to cache errors with unknown expiry details.
+#
+# Note that this is different from negative caching of DNS lookups.
#
+# WARNING: Doing this VIOLATES the HTTP standard. Enabling
+# this feature could make you liable for problems which it
+# causes.
#Default:
-# negative_ttl 5 minutes
+# negative_ttl 0 seconds
# TAG: positive_dns_ttl time-units
# Upper limit on how long Squid will cache positive DNS responses.
# Default is 6 hours (360 minutes). This directive must be set
# larger than negative_dns_ttl.
-#
#Default:
# positive_dns_ttl 6 hours
@@ -2386,7 +3047,6 @@ refresh_pattern . 0 20% 4320
# This also sets the lower cache limit on positive lookups.
# Minimum value is 1 second, and it is not recommendable to go
# much below 10 seconds.
-#
#Default:
# negative_dns_ttl 1 minutes
@@ -2400,32 +3060,34 @@ refresh_pattern . 0 20% 4320
# from making Squid fetch the whole object up to that point before
# sending anything to the client.
#
-# A value of -1 causes Squid to always fetch the object from the
-# beginning so it may cache the result. (2.0 style)
-#
# A value of 0 causes Squid to never fetch more than the
# client requested. (default)
#
+# A value of -1 causes Squid to always fetch the object from the
+# beginning so it may cache the result. (2.0 style)
+#
+# NP: Using -1 here will override any quick_abort settings that may
+# otherwise apply to the range request. The range request will
+# be fully fetched from start to finish regardless of the client
+# actions. This affects bandwidth usage.
#Default:
# range_offset_limit 0 KB
# TAG: minimum_expiry_time (seconds)
# The minimum caching time according to (Expires - Date)
# Headers Squid honors if the object can't be revalidated
-# defaults to 60 seconds. In reverse proxy enorinments it
+# defaults to 60 seconds. In reverse proxy environments it
# might be desirable to honor shorter object lifetimes. It
# is most likely better to make your server return a
# meaningful Last-Modified header however. In ESI environments
# where page fragments often have short lifetimes, this will
# often be best set to 0.
-#
#Default:
# minimum_expiry_time 60 seconds
# TAG: store_avg_object_size (kbytes)
# Average object size, used to estimate number of objects your
# cache can hold. The default is 13 KB.
-#
#Default:
# store_avg_object_size 13 KB
@@ -2433,11 +3095,9 @@ refresh_pattern . 0 20% 4320
# Target number of objects per bucket in the store hash table.
# Lowering this value increases the total number of buckets and
# also the storage maintenance rate. The default is 20.
-#
#Default:
# store_objects_per_bucket 20
-
# HTTP OPTIONS
# -----------------------------------------------------------------------------
@@ -2447,9 +3107,8 @@ refresh_pattern . 0 20% 4320
# Placing a limit on the request header size will catch certain
# bugs (for example with persistent connections) and possibly
# buffer-overflow or denial-of-service attacks.
-#
#Default:
-# request_header_max_size 20 KB
+# request_header_max_size 64 KB
# TAG: reply_header_max_size (KB)
# This specifies the maximum size for HTTP headers in a reply.
@@ -2457,9 +3116,8 @@ refresh_pattern . 0 20% 4320
# Placing a limit on the reply header size will catch certain
# bugs (for example with persistent connections) and possibly
# buffer-overflow or denial-of-service attacks.
-#
#Default:
-# reply_header_max_size 20 KB
+# reply_header_max_size 64 KB
# TAG: request_body_max_size (bytes)
# This specifies the maximum size for an HTTP request body.
@@ -2468,10 +3126,32 @@ refresh_pattern . 0 20% 4320
# than this limit receives an "Invalid Request" error message.
# If you set this parameter to a zero (the default), there will
# be no limit imposed.
-#
#Default:
# request_body_max_size 0 KB
+# TAG: chunked_request_body_max_size (bytes)
+# A broken or confused HTTP/1.1 client may send a chunked HTTP
+# request to Squid. Squid does not have full support for that
+# feature yet. To cope with such requests, Squid buffers the
+# entire request and then dechunks request body to create a
+# plain HTTP/1.0 request with a known content length. The plain
+# request is then used by the rest of Squid code as usual.
+#
+# The option value specifies the maximum size of the buffer used
+# to hold the request before the conversion. If the chunked
+# request size exceeds the specified limit, the conversion
+# fails, and the client receives an "unsupported request" error,
+# as if dechunking was disabled.
+#
+# Dechunking is enabled by default. To disable conversion of
+# chunked requests, set the maximum to zero.
+#
+# Request dechunking feature and this option in particular are a
+# temporary hack. When chunking requests and responses are fully
+# supported, there will be no need to buffer a chunked request.
+#Default:
+# chunked_request_body_max_size 64 KB
+
# TAG: broken_posts
# A list of ACL elements which, if matched, causes Squid to send
# an extra CRLF pair after the body of a PUT/POST request.
@@ -2486,17 +3166,29 @@ refresh_pattern . 0 20% 4320
# forbidden by the BNF, an HTTP/1.1 client must not preface or follow
# a request with an extra CRLF.
#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
#Example:
# acl buggy_server url_regex ^http://....
# broken_posts allow buggy_server
-#
#Default:
# none
+# TAG: icap_uses_indirect_client on|off
+# Note: This option is only available if Squid is rebuilt with the
+# --enable-follow-x-forwarded-for and --enable-icap-client option
+#
+# Controls whether the indirect client address
+# (see follow_x_forwarded_for) instead of the
+# direct client address is passed to an ICAP
+# server as "X-Client-IP".
+#Default:
+# icap_uses_indirect_client on
+
# TAG: via on|off
# If set (default), Squid will include a Via header in requests and
# replies as required by RFC2616.
-#
#Default:
# via on
@@ -2517,7 +3209,6 @@ refresh_pattern . 0 20% 4320
# the old Squid behavior, which is better for hit ratios but
# worse for clients using IE, if they need to be able to
# force fresh content.
-#
#Default:
# ie_refresh off
@@ -2527,19 +3218,12 @@ refresh_pattern . 0 20% 4320
# when requested by a HTTP/1.0 client. This option
# enables Squid to ignore such expiry times until
# HTTP/1.1 is fully implemented.
-# WARNING: This may eventually cause some varying
-# objects not intended for caching to get cached.
#
+# WARNING: If turned on this may eventually cause some
+# varying objects not intended for caching to get cached.
#Default:
# vary_ignore_expire off
-# TAG: extension_methods
-# Squid only knows about standardized HTTP request methods.
-# You can add up to 20 additional "extension" methods here.
-#
-#Default:
-# none
-
# TAG: request_entities
# Squid defaults to deny GET and HEAD requests with request entities,
# as the meaning of such requests are undefined in the HTTP standard
@@ -2550,7 +3234,6 @@ refresh_pattern . 0 20% 4320
# that there is server software (both proxies and web servers) which
# can fail to properly process this kind of request which may make you
# vulnerable to cache pollution attacks if enabled.
-#
#Default:
# request_entities off
@@ -2620,7 +3303,6 @@ refresh_pattern . 0 20% 4320
#
# By default, all headers are allowed (no anonymizing is
# performed).
-#
#Default:
# none
@@ -2693,7 +3375,6 @@ refresh_pattern . 0 20% 4320
#
# By default, all headers are allowed (no anonymizing is
# performed).
-#
#Default:
# none
@@ -2709,7 +3390,6 @@ refresh_pattern . 0 20% 4320
# This only applies to request headers, not reply headers.
#
# By default, headers are removed if denied.
-#
#Default:
# none
@@ -2725,10 +3405,18 @@ refresh_pattern . 0 20% 4320
#
# If set to "off" then such HTTP errors will cause the request
# or response to be rejected.
-#
#Default:
# relaxed_header_parser on
+# TAG: ignore_expect_100 on|off
+# This option makes Squid ignore any Expect: 100-continue header present
+# in the request. RFC 2616 requires that Squid being unable to satisfy
+# the response expectation MUST return a 417 error.
+#
+# Note: Enabling this is a HTTP protocol violation, but some clients may
+# not handle it well..
+#Default:
+# ignore_expect_100 off
# TIMEOUTS
# -----------------------------------------------------------------------------
@@ -2736,7 +3424,6 @@ refresh_pattern . 0 20% 4320
# TAG: forward_timeout time-units
# This parameter specifies how long Squid should at most attempt in
# finding a forwarding path for the request before giving up.
-#
#Default:
# forward_timeout 4 minutes
@@ -2744,7 +3431,6 @@ refresh_pattern . 0 20% 4320
# This parameter specifies how long to wait for the TCP connect to
# the requested server or peer to complete before Squid should
# attempt to find another path where to forward the request.
-#
#Default:
# connect_timeout 1 minute
@@ -2753,7 +3439,6 @@ refresh_pattern . 0 20% 4320
# connection to a peer cache. The default is 30 seconds. You
# may also set different timeout values for individual neighbors
# with the 'connect-timeout' option on a 'cache_peer' line.
-#
#Default:
# peer_connect_timeout 30 seconds
@@ -2763,21 +3448,18 @@ refresh_pattern . 0 20% 4320
# amount. If no data is read again after this amount of time,
# the request is aborted and logged with ERR_READ_TIMEOUT. The
# default is 15 minutes.
-#
#Default:
# read_timeout 15 minutes
# TAG: request_timeout
# How long to wait for an HTTP request after initial
# connection establishment.
-#
#Default:
# request_timeout 5 minutes
# TAG: persistent_request_timeout
# How long to wait for the next HTTP request on a persistent
# connection after the previous request completes.
-#
#Default:
# persistent_request_timeout 2 minutes
@@ -2796,7 +3478,6 @@ refresh_pattern . 0 20% 4320
# If you seem to have many client connections tying up
# filedescriptors, we recommend first tuning the read_timeout,
# request_timeout, persistent_request_timeout and quick_abort values.
-#
#Default:
# client_lifetime 1 day
@@ -2804,19 +3485,21 @@ refresh_pattern . 0 20% 4320
# Some clients may shutdown the sending side of their TCP
# connections, while leaving their receiving sides open. Sometimes,
# Squid can not tell the difference between a half-closed and a
-# fully-closed TCP connection. By default, half-closed client
-# connections are kept open until a read(2) or write(2) on the
-# socket returns an error. Change this option to 'off' and Squid
-# will immediately close client connections when read(2) returns
-# "no more data to read."
+# fully-closed TCP connection.
+#
+# By default, Squid will immediately close client connections when
+# read(2) returns "no more data to read."
#
+# Change this option to 'on' and Squid will keep open connections
+# until a read(2) or write(2) on the socket returns an error.
+# This may show some benefits for reverse proxies. But if not
+# it is recommended to leave OFF.
#Default:
-# half_closed_clients on
+# half_closed_clients off
# TAG: pconn_timeout
# Timeout for idle persistent connections to servers and other
# proxies.
-#
#Default:
# pconn_timeout 1 minute
@@ -2826,7 +3509,6 @@ refresh_pattern . 0 20% 4320
# If this is too high, and you enabled IDENT lookups from untrusted
# users, you might be susceptible to denial-of-service by having
# many ident requests going at once.
-#
#Default:
# ident_timeout 10 seconds
@@ -2836,18 +3518,15 @@ refresh_pattern . 0 20% 4320
# This value is the lifetime to set for all open descriptors
# during shutdown mode. Any active clients after this many
# seconds will receive a 'timeout' message.
-#
#Default:
# shutdown_lifetime 30 seconds
-
# ADMINISTRATIVE PARAMETERS
# -----------------------------------------------------------------------------
# TAG: cache_mgr
# Email-address of local cache manager who will receive
# mail if the cache dies. The default is "webmaster."
-#
#Default:
# cache_mgr webmaster
@@ -2856,7 +3535,6 @@ refresh_pattern . 0 20% 4320
# The default is to use 'appname@unique_hostname'.
# Default appname value is "squid", can be changed into
# src/globals.h before building squid.
-#
#Default:
# none
@@ -2867,7 +3545,6 @@ refresh_pattern . 0 20% 4320
# mail-program recipient < mailfile
#
# Optional command line options can be specified.
-#
#Default:
# mail_program mail
@@ -2876,7 +3553,6 @@ refresh_pattern . 0 20% 4320
# UID/GID to the user specified below. The default is to change
# to UID of nobody.
# see also; cache_effective_group
-#
#Default:
cache_effective_user nobody
@@ -2896,13 +3572,11 @@ cache_effective_user nobody
# This option is not recommended by the Squid Team.
# Our preference is for administrators to configure a secure
# user account for squid with UID/GID matching system policies.
-#
#Default:
cache_effective_group nobody
# TAG: httpd_suppress_version_string on|off
# Suppress Squid version string info in HTTP headers and HTML error pages.
-#
#Default:
# httpd_suppress_version_string off
@@ -2912,7 +3586,6 @@ cache_effective_group nobody
# will be used. If you have multiple caches in a cluster and
# get errors about IP-forwarding you must set them to have individual
# names with this setting.
-#
#Default:
# none
@@ -2920,16 +3593,22 @@ cache_effective_group nobody
# If you want to have multiple machines with the same
# 'visible_hostname' you must give each machine a different
# 'unique_hostname' so forwarding loops can be detected.
-#
#Default:
# none
# TAG: hostname_aliases
# A list of other DNS names your cache has.
-#
#Default:
# none
+# TAG: umask
+# Minimum umask which should be enforced while the proxy
+# is running, in addition to the umask set at startup.
+#
+# For a traditional octal representation of umasks, start
+# your value with 0.
+#Default:
+# umask 027
# OPTIONS FOR THE CACHE REGISTRATION SERVICE
# -----------------------------------------------------------------------------
@@ -2958,14 +3637,12 @@ cache_effective_group nobody
# default is `0' which disables sending the announcement
# messages.
#
-# To enable announcing your cache, just uncomment the line
-# below.
+# To enable announcing your cache, just set an announce period.
#
+# Example:
+# announce_period 1 day
#Default:
# announce_period 0
-#
-#To enable announcing your cache, just uncomment the line below.
-#announce_period 1 day
# TAG: announce_host
# TAG: announce_file
@@ -2977,49 +3654,43 @@ cache_effective_group nobody
# default default to 3131. If the 'filename' argument is given,
# the contents of that file will be included in the announce
# message.
-#
#Default:
# announce_host tracker.ircache.net
# announce_port 3131
-
# HTTPD-ACCELERATOR OPTIONS
# -----------------------------------------------------------------------------
# TAG: httpd_accel_surrogate_id
# Note: This option is only available if Squid is rebuilt with the
-# -DUSE_SQUID_ESI define
+# --enable-esi option
#
# Surrogates (http://www.esi.org/architecture_spec_1.0.html)
# need an identification token to allow control targeting. Because
# a farm of surrogates may all perform the same tasks, they may share
# an identification token.
-#
#Default:
# httpd_accel_surrogate_id unset-id
# TAG: http_accel_surrogate_remote on|off
# Note: This option is only available if Squid is rebuilt with the
-# -DUSE_SQUID_ESI define
+# --enable-esi option
#
# Remote surrogates (such as those in a CDN) honour Surrogate-Control: no-store-remote.
# Set this to on to have squid behave as a remote surrogate.
-#
#Default:
# http_accel_surrogate_remote off
# TAG: esi_parser libxml2|expat|custom
# Note: This option is only available if Squid is rebuilt with the
-# -DUSE_SQUID_ESI define
+# --enable-esi option
#
# ESI markup is not strictly XML compatible. The custom ESI parser
# will give higher performance, but cannot handle non ASCII character
# encodings.
-#
#Default:
# esi_parser custom
-
# DELAY POOL PARAMETERS
# -----------------------------------------------------------------------------
@@ -3030,7 +3701,6 @@ cache_effective_group nobody
# This represents the number of delay pools to be used. For example,
# if you have one class 2 delay pool and one class 3 delays pool, you
# have a total of 2 delay pools.
-#
#Default:
# delay_pools 0
@@ -3043,12 +3713,12 @@ cache_effective_group nobody
# delay pools, one of class 2 and one of class 3, the settings above
# and here would be:
#
-#Example:
-# delay_pools 4 # 4 delay pools
-# delay_class 1 2 # pool 1 is a class 2 pool
-# delay_class 2 3 # pool 2 is a class 3 pool
-# delay_class 3 4 # pool 3 is a class 4 pool
-# delay_class 4 5 # pool 4 is a class 5 pool
+# Example:
+# delay_pools 4 # 4 delay pools
+# delay_class 1 2 # pool 1 is a class 2 pool
+# delay_class 2 3 # pool 2 is a class 3 pool
+# delay_class 3 4 # pool 3 is a class 4 pool
+# delay_class 4 5 # pool 4 is a class 5 pool
#
# The delay pool classes are:
#
@@ -3057,13 +3727,13 @@ cache_effective_group nobody
#
# class 2 Everything is limited by a single aggregate
# bucket as well as an "individual" bucket chosen
-# from bits 25 through 32 of the IP address.
+# from bits 25 through 32 of the IPv4 address.
#
# class 3 Everything is limited by a single aggregate
# bucket as well as a "network" bucket chosen
# from bits 17 through 24 of the IP address and a
# "individual" bucket chosen from bits 17 through
-# 32 of the IP address.
+# 32 of the IPv4 address.
#
# class 4 Everything in a class 3 delay pool, with an
# additional limit on a per user basis. This
@@ -3079,6 +3749,8 @@ cache_effective_group nobody
# -> bits 17 through 24 are "c"
# -> bits 17 through 32 are "c * 256 + d"
#
+# NOTE-2: Due to the use of bitmasks in class 2,3,4 pools they only apply to
+# IPv4 traffic. Class 1 and 5 pools may be used with IPv6 traffic.
#Default:
# none
@@ -3102,7 +3774,6 @@ cache_effective_group nobody
# delay_access 2 allow lotsa_little_clients
# delay_access 2 deny all
# delay_access 3 allow authenticated_clients
-#
#Default:
# none
@@ -3182,7 +3853,6 @@ cache_effective_group nobody
# be limited to 128Kb no matter how many workstations they are logged into.:
#
#delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000
-#
#Default:
# none
@@ -3195,16 +3865,13 @@ cache_effective_group nobody
# a host accessing it (in class 2 and class 3, individual hosts and
# networks only have buckets associated with them once they have been
# "seen" by squid).
-#
#Default:
# delay_initial_bucket_level 50
-
# WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS
# -----------------------------------------------------------------------------
# TAG: wccp_router
-# TAG: wccp2_router
# Use this option to define your WCCP ``home'' router for
# Squid.
#
@@ -3214,9 +3881,21 @@ cache_effective_group nobody
#
# only one of the two may be used at the same time and defines
# which version of WCCP to use.
+#Default:
+# wccp_router any_addr
+
+# TAG: wccp2_router
+# Use this option to define your WCCP ``home'' router for
+# Squid.
+#
+# wccp_router supports a single WCCP(v1) router
+#
+# wccp2_router supports multiple WCCPv2 routers
#
+# only one of the two may be used at the same time and defines
+# which version of WCCP to use.
#Default:
-# wccp_router 0.0.0.0
+# none
# TAG: wccp_version
# This directive is only relevant if you need to set up WCCP(v1)
@@ -3229,14 +3908,12 @@ cache_effective_group nobody
# support WCCP version 3. If you're using that or an earlier
# version of IOS, you may need to change this value to 3, otherwise
# do not specify this parameter.
-#
#Default:
# wccp_version 4
# TAG: wccp2_rebuild_wait
# If this is enabled Squid will wait for the cache dir rebuild to finish
# before sending the first wccp2 HereIAm packet
-#
#Default:
# wccp2_rebuild_wait on
@@ -3244,22 +3921,21 @@ cache_effective_group nobody
# WCCP2 allows the setting of forwarding methods between the
# router/switch and the cache. Valid values are as follows:
#
-# 1 - GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
-# 2 - L2 redirect (forward the packet using Layer 2/MAC rewriting)
+# gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
+# l2 - L2 redirect (forward the packet using Layer 2/MAC rewriting)
#
# Currently (as of IOS 12.4) cisco routers only support GRE.
# Cisco switches only support the L2 redirect assignment method.
-#
#Default:
-# wccp2_forwarding_method 1
+# wccp2_forwarding_method gre
# TAG: wccp2_return_method
# WCCP2 allows the setting of return methods between the
# router/switch and the cache for packets that the cache
# decides not to handle. Valid values are as follows:
#
-# 1 - GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
-# 2 - L2 redirect (forward the packet using Layer 2/MAC rewriting)
+# gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
+# l2 - L2 redirect (forward the packet using Layer 2/MAC rewriting)
#
# Currently (as of IOS 12.4) cisco routers only support GRE.
# Cisco switches only support the L2 redirect assignment.
@@ -3268,22 +3944,20 @@ cache_effective_group nobody
# enabled on the cache interface, then it is still safe for
# the proxy server to use a l2 redirect method even if this
# option is set to GRE.
-#
#Default:
-# wccp2_return_method 1
+# wccp2_return_method gre
# TAG: wccp2_assignment_method
# WCCP2 allows the setting of methods to assign the WCCP hash
# Valid values are as follows:
#
-# 1 - Hash assignment
-# 2 - Mask assignment
+# hash - Hash assignment
+# mask - Mask assignment
#
# As a general rule, cisco routers support the hash assignment method
# and cisco switches support the mask assignment method.
-#
#Default:
-# wccp2_assignment_method 1
+# wccp2_assignment_method hash
# TAG: wccp2_service
# WCCP2 allows for multiple traffic services. There are two
@@ -3305,8 +3979,6 @@ cache_effective_group nobody
# wccp2_service dynamic 80 # a dynamic service type which will be
# # fleshed out with subsequent options.
# wccp2_service standard 0 password=foo
-#
-#
#Default:
# wccp2_service standard 0
@@ -3321,7 +3993,7 @@ cache_effective_group nobody
#
# The relevant WCCPv2 flags:
# + src_ip_hash, dst_ip_hash
-# + source_port_hash, dest_port_hash
+# + source_port_hash, dst_port_hash
# + src_ip_alt_hash, dst_ip_alt_hash
# + src_port_alt_hash, dst_port_alt_hash
# + ports_source
@@ -3335,14 +4007,12 @@ cache_effective_group nobody
#
# Note: the service id must have been defined by a previous
# 'wccp2_service dynamic <id>' entry.
-#
#Default:
# none
# TAG: wccp2_weight
# Each cache server gets assigned a set of the destination
# hash proportional to their weight.
-#
#Default:
# wccp2_weight 10000
@@ -3352,12 +4022,10 @@ cache_effective_group nobody
# interface address.
#
# The default behavior is to not bind to any specific address.
-#
#Default:
# wccp_address 0.0.0.0
# wccp2_address 0.0.0.0
-
# PERSISTENT CONNECTION HANDLING
# -----------------------------------------------------------------------------
#
@@ -3369,7 +4037,6 @@ cache_effective_group nobody
# default, Squid uses persistent connections (when allowed)
# with its clients and servers. You can use these options to
# disable persistent connections with clients and/or servers.
-#
#Default:
# client_persistent_connections on
# server_persistent_connections on
@@ -3378,9 +4045,8 @@ cache_effective_group nobody
# With this directive the use of persistent connections after
# HTTP errors can be disabled. Useful if you have clients
# who fail to handle errors on persistent connections proper.
-#
#Default:
-# persistent_connection_after_error off
+# persistent_connection_after_error on
# TAG: detect_broken_pconn
# Some servers have been found to incorrectly signal the use
@@ -3391,11 +4057,9 @@ cache_effective_group nobody
# By enabling this directive Squid attempts to detect such
# broken replies and automatically assume the reply is finished
# after 10 seconds timeout.
-#
#Default:
# detect_broken_pconn off
-
# CACHE DIGEST OPTIONS
# -----------------------------------------------------------------------------
@@ -3406,7 +4070,6 @@ cache_effective_group nobody
# This controls whether the server will generate a Cache Digest
# of its contents. By default, Cache Digest generation is
# enabled if Squid is compiled with --enable-cache-digests defined.
-#
#Default:
# digest_generation on
@@ -3417,7 +4080,6 @@ cache_effective_group nobody
# This is the number of bits of the server's Cache Digest which
# will be associated with the Digest entry for a given HTTP
# Method and URL (public key) combination. The default is 5.
-#
#Default:
# digest_bits_per_entry 5
@@ -3426,7 +4088,6 @@ cache_effective_group nobody
# --enable-cache-digests option
#
# This is the wait time between Cache Digest rebuilds.
-#
#Default:
# digest_rebuild_period 1 hour
@@ -3436,7 +4097,6 @@ cache_effective_group nobody
#
# This is the wait time between Cache Digest writes to
# disk.
-#
#Default:
# digest_rewrite_period 1 hour
@@ -3447,7 +4107,6 @@ cache_effective_group nobody
# This is the number of bytes of the Cache Digest to write to
# disk at a time. It defaults to 4096 bytes (4KB), the Squid
# default swap page.
-#
#Default:
# digest_swapout_chunk_size 4096 bytes
@@ -3457,11 +4116,9 @@ cache_effective_group nobody
#
# This is the percentage of the Cache Digest to be scanned at a
# time. By default it is set to 10% of the Cache Digest.
-#
#Default:
# digest_rebuild_chunk_percentage 10
-
# SNMP OPTIONS
# -----------------------------------------------------------------------------
@@ -3470,10 +4127,11 @@ cache_effective_group nobody
# SNMP support set this to a suitable port number. Port number
# 3401 is often used for the Squid SNMP agent. By default it's
# set to "0" (disabled)
+#
+# Example:
+# snmp_port 3401
#Default:
# snmp_port 0
-#
-#snmp_port 3401
# TAG: snmp_access
# Allowing or denying access to the SNMP port.
@@ -3483,37 +4141,36 @@ cache_effective_group nobody
#
# snmp_access allow|deny [!]aclname ...
#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#Example:
# snmp_access allow snmppublic localhost
# snmp_access deny all
-#
#Default:
# snmp_access deny all
# TAG: snmp_incoming_address
# TAG: snmp_outgoing_address
-# Just like 'udp_incoming_address' above, but for the SNMP port.
+# Just like 'udp_incoming_address', but for the SNMP port.
#
# snmp_incoming_address is used for the SNMP socket receiving
# messages from SNMP agents.
# snmp_outgoing_address is used for SNMP packets returned to SNMP
# agents.
#
-# The default snmp_incoming_address (0.0.0.0) is to listen on all
+# The default snmp_incoming_address is to listen on all
# available network interfaces.
#
-# If snmp_outgoing_address is set to 255.255.255.255 (the default)
-# it will use the same socket as snmp_incoming_address. Only
-# change this if you want to have SNMP replies sent using another
-# address than where this Squid listens for SNMP queries.
+# If snmp_outgoing_address is not set it will use the same socket
+# as snmp_incoming_address. Only change this if you want to have
+# SNMP replies sent using another address than where this Squid
+# listens for SNMP queries.
#
# NOTE, snmp_incoming_address and snmp_outgoing_address can not have
# the same value since they both use port 3401.
-#
#Default:
-# snmp_incoming_address 0.0.0.0
-# snmp_outgoing_address 255.255.255.255
-
+# snmp_incoming_address any_addr
+# snmp_outgoing_address no_addr
# ICP OPTIONS
# -----------------------------------------------------------------------------
@@ -3522,25 +4179,26 @@ cache_effective_group nobody
# The port number where Squid sends and receives ICP queries to
# and from neighbor caches. The standard UDP port for ICP is 3130.
# Default is disabled (0).
+#
+# Example:
+# icp_port 3130
#Default:
# icp_port 0
-#
-icp_port 3130
# TAG: htcp_port
# The port number where Squid sends and receives HTCP queries to
# and from neighbor caches. To turn it on you want to set it to
# 4827. By default it is set to "0" (disabled).
+#
+# Example:
+# htcp_port 4827
#Default:
# htcp_port 0
-#
-#htcp_port 4827
# TAG: log_icp_queries on|off
# If set, ICP queries are logged to access.log. You may wish
# do disable this if your ICP load is VERY high to speed things
# up or to simplify log analysis.
-#
#Default:
# log_icp_queries on
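Review bot: The active `icp_port 3130` directive at L3269 is removed and replaced by a commented example, so a host that takes this packaged config on upgrade stops listening for ICP on UDP/3130; that is a behaviour change (arguably a welcome reduction of exposed UDP surface) that the commit message "Updated for version 3.1.6" does not mention. Any deployment using ICP with sibling caches will silently lose peering until the line is re-added. The commit description, or a README note, should state that the packaged config now leaves ICP disabled (upstream default `icp_port 0`) and that sites needing it must set `icp_port 3130` explicitly.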
@@ -3560,9 +4218,8 @@ icp_port 3130
#
# NOTE, udp_incoming_address and udp_outgoing_address can not
# have the same value since they both use the same port.
-#
#Default:
-# udp_incoming_address 0.0.0.0
+# udp_incoming_address any_addr
# TAG: udp_outgoing_address
# udp_outgoing_address is used for UDP packets sent out to other
@@ -3582,9 +4239,8 @@ icp_port 3130
#
# NOTE, udp_incoming_address and udp_outgoing_address can not
# have the same value since they both use the same port.
-#
#Default:
-# udp_outgoing_address 255.255.255.255
+# udp_outgoing_address no_addr
# TAG: icp_hit_stale on|off
# If you want to return ICP_HIT for stale cache objects, set this
@@ -3594,21 +4250,18 @@ icp_port 3130
# it is probably okay to set this to 'on'.
# If set to 'on', your siblings should use the option "allow-miss"
# on their cache_peer lines for connecting to you.
-#
#Default:
# icp_hit_stale off
# TAG: minimum_direct_hops
# If using the ICMP pinging stuff, do direct fetches for sites
# which are no more than this many hops away.
-#
#Default:
# minimum_direct_hops 4
# TAG: minimum_direct_rtt
# If using the ICMP pinging stuff, do direct fetches for sites
# which are no more than this many rtt milliseconds away.
-#
#Default:
# minimum_direct_rtt 400
@@ -3618,7 +4271,6 @@ icp_port 3130
# database. These are counts, not percents. The defaults are
# 900 and 1000. When the high water mark is reached, database
# entries will be deleted until the low mark is reached.
-#
#Default:
# netdb_low 900
# netdb_high 1000
@@ -3627,7 +4279,6 @@ icp_port 3130
# The minimum period for measuring a site. There will be at
# least this much delay between successive pings to the same
# network. The default is five minutes.
-#
#Default:
# netdb_ping_period 5 minutes
@@ -3643,7 +4294,6 @@ icp_port 3130
# the minimal RTT to the origin server. When this happens, the
# hierarchy field of the access.log will be
# "CLOSEST_PARENT_MISS". This option is off by default.
-#
#Default:
# query_icmp off
@@ -3651,7 +4301,6 @@ icp_port 3130
# When this is 'on', ICP MISS replies will be ICP_MISS_NOFETCH
# instead of ICP_MISS if the target host is NOT in the ICMP
# database, or has a zero RTT.
-#
#Default:
# test_reachability off
@@ -3664,7 +4313,6 @@ icp_port 3130
# timeout (the old default), you would write:
#
# icp_query_timeout 2000
-#
#Default:
# icp_query_timeout 0
@@ -3675,7 +4323,6 @@ icp_port 3130
# value. Do NOT use this option to always use a fixed (instead
# of a dynamic) timeout value. To set a fixed timeout see the
# 'icp_query_timeout' directive.
-#
#Default:
# maximum_icp_query_timeout 2000
@@ -3687,18 +4334,15 @@ icp_port 3130
# value. Do NOT use this option to always use a fixed (instead
# of a dynamic) timeout value. To set a fixed timeout see the
# 'icp_query_timeout' directive.
-#
#Default:
# minimum_icp_query_timeout 5
# TAG: background_ping_rate time-units
# Controls how often the ICP pings are sent to siblings that
# have background-ping set.
-#
#Default:
# background_ping_rate 10 seconds
-
# MULTICAST ICP OPTIONS
# -----------------------------------------------------------------------------
@@ -3723,7 +4367,6 @@ icp_port 3130
# Usage: mcast_groups 239.128.16.128 224.0.1.20
#
# By default, Squid doesn't listen on any multicast groups.
-#
#Default:
# none
@@ -3736,9 +4379,8 @@ icp_port 3130
#
# Do not enable this option unless you are are absolutely
# certain you understand what you are doing.
-#
#Default:
-# mcast_miss_addr 255.255.255.255
+# mcast_miss_addr no_addr
# TAG: mcast_miss_ttl
# Note: This option is only available if Squid is rebuilt with the
@@ -3747,7 +4389,6 @@ icp_port 3130
# This is the time-to-live value for packets multicasted
# when multicasting off cache miss URLs is enabled. By
# default this is set to 'site scope', i.e. 16.
-#
#Default:
# mcast_miss_ttl 16
@@ -3757,7 +4398,6 @@ icp_port 3130
#
# This is the port number to be used in conjunction with
# 'mcast_miss_addr'.
-#
#Default:
# mcast_miss_port 3135
@@ -3767,7 +4407,6 @@ icp_port 3130
#
# The URLs that are sent in the multicast miss stream are
# encrypted. This is the encryption key.
-#
#Default:
# mcast_miss_encode_key XXXXXXXXXXXXXXXX
@@ -3777,18 +4416,15 @@ icp_port 3130
# address. This value specifies how long Squid should wait to
# count all the replies. The default is 2000 msec, or 2
# seconds.
-#
#Default:
# mcast_icp_query_timeout 2000
-
# INTERNAL ICON OPTIONS
# -----------------------------------------------------------------------------
# TAG: icon_directory
# Where the icons are stored. These are normally kept in
# /usr/share/squid/icons
-#
#Default:
# icon_directory /usr/share/squid/icons
@@ -3800,7 +4436,6 @@ icp_port 3130
# icons etc work better in complex cache hierarchies where it may
# not always be possible for all corners in the cache mesh to reach
# the server generating a directory listing.
-#
#Default:
# global_internal_static on
@@ -3811,27 +4446,62 @@ icp_port 3130
#
# If you run a complex cache hierarchy with a mix of Squid and
# other proxies you may need to disable this directive.
-#
#Default:
# short_icon_urls on
-
# ERROR PAGE OPTIONS
# -----------------------------------------------------------------------------
# TAG: error_directory
# If you wish to create your own versions of the default
-# (English) error files, either to customize them to suit your
-# language or company copy the template English files to another
-# directory and point this tag at them.
+# error files to customize them to suit your company copy
+# the error/template files to another directory and point
+# this tag at them.
+#
+# WARNING: This option will disable multi-language support
+# on error pages if used.
#
# The squid developers are interested in making squid available in
# a wide variety of languages. If you are making translations for a
-# langauge that Squid does not currently provide please consider
+# language that Squid does not currently provide please consider
# contributing your translation back to the project.
+# http://wiki.squid-cache.org/Translations
+#
+# The squid developers working on translations are happy to supply drop-in
+# translated error files in exchange for any new language contributions.
+#Default:
+# none
+
+# TAG: error_default_language
+# Set the default language which squid will send error pages in
+# if no existing translation matches the clients language
+# preferences.
+#
+# If unset (default) generic English will be used.
+#
+# The squid developers are interested in making squid available in
+# a wide variety of languages. If you are interested in making
+# translations for any language see the squid wiki for details.
+# http://wiki.squid-cache.org/Translations
+#Default:
+# none
+
+# TAG: error_log_languages
+# Log to cache.log what languages users are attempting to
+# auto-negotiate for translations.
+#
+# Successful negotiations are not logged. Only failures
+# have meaning to indicate that Squid may need an upgrade
+# of its error page translations.
+#Default:
+# error_log_languages on
+
+# TAG: err_page_stylesheet
+# CSS Stylesheet to pattern the display of Squid default error pages.
#
+# For information on CSS see http://www.w3.org/Style/CSS/
#Default:
-# error_directory /usr/share/squid/errors/English
+# err_page_stylesheet /etc/squid/errorpage.css
# TAG: err_html_text
# HTML text to include in error messages. Make this a "mailto"
@@ -3842,7 +4512,6 @@ icp_port 3130
# the error template files (found in the "errors" directory).
# Wherever you want the 'err_html_text' line to appear,
# insert a %L tag in the error template file.
-#
#Default:
# none
@@ -3851,14 +4520,13 @@ icp_port 3130
# included in the mailto links of the ERR pages (if %W is set)
# so that the email body contains the data.
# Syntax is <A HREF="mailto:%w%W">%w</A>
-#
#Default:
# email_err_data on
# TAG: deny_info
# Usage: deny_info err_page_name acl
# or deny_info http://... acl
-# Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys
+# or deny_info TCP_RESET acl
#
# This can be used to return a ERR_ page for requests which
# do not pass the 'http_access' rules. Squid remembers the last
@@ -3872,8 +4540,9 @@ icp_port 3130
# - When none of the http_access lines matches. It's then the last
# acl processed on the last http_access line.
#
-# You may use ERR_ pages that come with Squid or create your own pages
-# and put them into the configured errors/ directory.
+# NP: If providing your own custom error pages with error_directory
+# you may also specify them by your custom file name:
+# Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys
#
# Alternatively you can specify an error URL. The browsers will
# get redirected (302) to the specified URL. %s in the redirection
@@ -3881,11 +4550,9 @@ icp_port 3130
#
# Alternatively you can tell Squid to reset the TCP connection
# by specifying TCP_RESET.
-#
#Default:
# none
-
# OPTIONS INFLUENCING REQUEST FORWARDING
# -----------------------------------------------------------------------------
@@ -3903,7 +4570,6 @@ icp_port 3130
#
# If you are inside an firewall see never_direct instead of
# this directive.
-#
#Default:
# nonhierarchical_direct on
@@ -3919,7 +4585,6 @@ icp_port 3130
# Note: If you want Squid to use parents for all requests see
# the never_direct directive. prefer_direct only modifies how Squid
# acts on cacheable requests.
-#
#Default:
# prefer_direct off
@@ -3958,11 +4623,10 @@ icp_port 3130
#
# NOTE: This directive is not related to caching. The replies
# is cached as usual even if you use always_direct. To not cache
-# the replies see no_cache.
-#
-# This option replaces some v1.1 options such as local_domain
-# and local_ip.
+# the replies see the 'cache' directive.
#
+# This clause supports both fast and slow acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#Default:
# none
@@ -3978,7 +4642,6 @@ icp_port 3130
# requests, except those in your local domain use something like:
#
# acl local-servers dstdomain .foo.net
-# acl all src 0.0.0.0/0.0.0.0
# never_direct deny local-servers
# never_direct allow all
#
@@ -3991,13 +4654,11 @@ icp_port 3130
# always_direct allow local-intranet
# never_direct allow all
#
-# This option replaces some v1.1 options such as inside_firewall
-# and firewall_ip.
-#
+# This clause supports both fast and slow acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#Default:
# none
-
# ADVANCED NETWORKING OPTIONS
# -----------------------------------------------------------------------------
@@ -4010,7 +4671,6 @@ icp_port 3130
# Heavy voodoo here. I can't even believe you are reading this.
# Are you crazy? Don't even think about adjusting these unless
# you understand the algorithms in comm_select.c first!
-#
#Default:
# incoming_icp_average 6
# incoming_http_average 4
@@ -4046,34 +4706,45 @@ icp_port 3130
#accept_filter httpready
## Linux
#accept_filter data
-#
#Default:
# none
+# TAG: client_ip_max_connections
+# Set an absolute limit on the number of connections a single
+# client IP can use. Any more than this and Squid will begin to drop
+# new connections from the client until it closes some links.
+#
+# Note that this is a global limit. It affects all HTTP, HTCP, Gopher and FTP
+# connections from the client. For finer control use the ACL access controls.
+#
+# Requires client_db to be enabled (the default).
+#
+# WARNING: This may noticably slow down traffic received via external proxies
+# or NAT devices and cause them to rebound error messages back to their clients.
+#Default:
+# client_ip_max_connections -1
+
# TAG: tcp_recv_bufsize (bytes)
# Size of receive buffer to set for TCP sockets. Probably just
# as easy to change your kernel's default. Set to zero to use
# the default buffer size.
-#
#Default:
# tcp_recv_bufsize 0 bytes
-
# ICAP OPTIONS
# -----------------------------------------------------------------------------
# TAG: icap_enable on|off
# Note: This option is only available if Squid is rebuilt with the
-# -DICAP_CLIENT define
+# --enable-icap-client option
#
# If you want to enable the ICAP module support, set this to on.
-#
#Default:
# icap_enable off
# TAG: icap_connect_timeout
# Note: This option is only available if Squid is rebuilt with the
-# -DICAP_CLIENT define
+# --enable-icap-client option
#
# This parameter specifies how long to wait for the TCP connect to
# the requested ICAP server to complete before giving up and either
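Review bot: The new client_ip_max_connections text never says what the shipped default of -1 means, so a reader cannot tell whether the per-client connection cap is active out of the box; presumably a negative value disables the limit, and the documentation should say so next to the default, e.g. `# A negative value (the default) disables the limit.`. Since the directive depends on client_db (stated at the "Requires client_db" line), it would also help to note there that turning client_db off silently removes this protection. The WARNING about proxies and NAT devices is the right caveat to keep, because those aggregate many users behind one address and would hit the cap first.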
@@ -4082,13 +4753,12 @@ icp_port 3130
# The default for optional services is peer_connect_timeout.
# The default for essential services is connect_timeout.
# If this option is explicitly set, its value applies to all services.
-#
#Default:
# none
# TAG: icap_io_timeout time-units
# Note: This option is only available if Squid is rebuilt with the
-# -DICAP_CLIENT define
+# --enable-icap-client option
#
# This parameter specifies how long to wait for an I/O activity on
# an established, active ICAP connection before giving up and
@@ -4096,13 +4766,12 @@ icp_port 3130
# failure.
#
# The default is read_timeout.
-#
#Default:
# none
# TAG: icap_service_failure_limit
# Note: This option is only available if Squid is rebuilt with the
-# -DICAP_CLIENT define
+# --enable-icap-client option
#
# The limit specifies the number of failures that Squid tolerates
# when establishing a new TCP connection with an ICAP service. If
@@ -4114,13 +4783,12 @@ icp_port 3130
# A negative value disables the limit. Without the limit, an ICAP
# service will not be considered down due to connectivity failures
# between ICAP OPTIONS requests.
-#
#Default:
# icap_service_failure_limit 10
# TAG: icap_service_revival_delay
# Note: This option is only available if Squid is rebuilt with the
-# -DICAP_CLIENT define
+# --enable-icap-client option
#
# The delay specifies the number of seconds to wait after an ICAP
# OPTIONS request failure before requesting the options again. The
@@ -4129,13 +4797,12 @@ icp_port 3130
#
# The actual delay cannot be smaller than the hardcoded minimum
# delay of 30 seconds.
-#
#Default:
# icap_service_revival_delay 180
# TAG: icap_preview_enable on|off
# Note: This option is only available if Squid is rebuilt with the
-# -DICAP_CLIENT define
+# --enable-icap-client option
#
# The ICAP Preview feature allows the ICAP server to handle the
# HTTP message by looking only at the beginning of the message body
@@ -4150,150 +4817,404 @@ icp_port 3130
# individual ICAP server OPTIONS responses, set this option to "off".
#Example:
#icap_preview_enable off
-#
#Default:
# icap_preview_enable on
# TAG: icap_preview_size
# Note: This option is only available if Squid is rebuilt with the
-# -DICAP_CLIENT define
+# --enable-icap-client option
#
# The default size of preview data to be sent to the ICAP server.
# -1 means no preview. This value might be overwritten on a per server
# basis by OPTIONS requests.
-#
#Default:
# icap_preview_size -1
# TAG: icap_default_options_ttl
# Note: This option is only available if Squid is rebuilt with the
-# -DICAP_CLIENT define
+# --enable-icap-client option
#
# The default TTL value for ICAP OPTIONS responses that don't have
# an Options-TTL header.
-#
#Default:
# icap_default_options_ttl 60
# TAG: icap_persistent_connections on|off
# Note: This option is only available if Squid is rebuilt with the
-# -DICAP_CLIENT define
+# --enable-icap-client option
#
# Whether or not Squid should use persistent connections to
# an ICAP server.
-#
#Default:
# icap_persistent_connections on
# TAG: icap_send_client_ip on|off
# Note: This option is only available if Squid is rebuilt with the
-# -DICAP_CLIENT define
+# --enable-icap-client option
#
# This adds the header "X-Client-IP" to ICAP requests.
-#
#Default:
# icap_send_client_ip off
# TAG: icap_send_client_username on|off
# Note: This option is only available if Squid is rebuilt with the
-# -DICAP_CLIENT define
+# --enable-icap-client option
#
# This sends authenticated HTTP client username (if available) to
# the ICAP service. The username value is encoded based on the
# icap_client_username_encode option and is sent using the header
# specified by the icap_client_username_header option.
-#
#Default:
# icap_send_client_username off
# TAG: icap_client_username_header
# Note: This option is only available if Squid is rebuilt with the
-# -DICAP_CLIENT define
+# --enable-icap-client option
#
# ICAP request header name to use for send_client_username.
-#
#Default:
# icap_client_username_header X-Client-Username
# TAG: icap_client_username_encode on|off
# Note: This option is only available if Squid is rebuilt with the
-# -DICAP_CLIENT define
+# --enable-icap-client option
#
# Whether to base64 encode the authenticated client username.
-#
#Default:
# icap_client_username_encode off
# TAG: icap_service
# Note: This option is only available if Squid is rebuilt with the
-# -DICAP_CLIENT define
+# --enable-icap-client option
#
-# Defines a single ICAP service
+# Defines a single ICAP service using the following format:
#
-# icap_service servicename vectoring_point bypass service_url
+# icap_service service_name vectoring_point [options] service_url
#
-# vectoring_point = reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
+# service_name: ID
+# an opaque identifier which must be unique in squid.conf
+#
+# vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
# This specifies at which point of transaction processing the
# ICAP service should be activated. *_postcache vectoring points
# are not yet supported.
+#
+# service_url: icap://servername:port/servicepath
+# ICAP server and service location.
+#
+# ICAP does not allow a single service to handle both REQMOD and RESPMOD
+# transactions. Squid does not enforce that requirement. You can specify
+# services with the same service_url and different vectoring_points. You
+# can even specify multiple identical services as long as their
+# service_names differ.
+#
+#
+# Service options are separated by white space. ICAP services support
+# the following name=value options:
+#
+# bypass=on|off|1|0
+# If set to 'on' or '1', the ICAP service is treated as
+# optional. If the service cannot be reached or malfunctions,
+# Squid will try to ignore any errors and process the message as
+# if the service was not enabled. No all ICAP errors can be
+# bypassed. If set to 0, the ICAP service is treated as
+# essential and all ICAP errors will result in an error page
+# returned to the HTTP client.
+#
+# Bypass is off by default: services are treated as essential.
+#
+# routing=on|off|1|0
+# If set to 'on' or '1', the ICAP service is allowed to
+# dynamically change the current message adaptation plan by
+# returning a chain of services to be used next. The services
+# are specified using the X-Next-Services ICAP response header
+# value, formatted as a comma-separated list of service names.
+# Each named service should be configured in squid.conf and
+# should have the same method and vectoring point as the current
+# ICAP transaction. Services violating these rules are ignored.
+# An empty X-Next-Services value results in an empty plan which
+# ends the current adaptation.
+#
+# Routing is not allowed by default: the ICAP X-Next-Services
+# response header is ignored.
+#
+# Older icap_service format without optional named parameters is
+# deprecated but supported for backward compatibility.
+#
+#Example:
+#icap_service svcBlocker reqmod_precache bypass=0 icap://icap1.mydomain.net:1344/reqmod
+#icap_service svcLogger reqmod_precache routing=on icap://icap2.mydomain.net:1344/respmod
+#Default:
+# none
+
+# TAG: icap_class
+# Note: This option is only available if Squid is rebuilt with the
+# --enable-icap-client option
+#
+# This deprecated option was documented to define an ICAP service
+# chain, even though it actually defined a set of similar, redundant
+# services, and the chains were not supported.
+#
+# To define a set of redundant services, please use the
+# adaptation_service_set directive. For service chains, use
+# adaptation_service_chain.
+#Default:
+# none
+
+# TAG: icap_access
+# Note: This option is only available if Squid is rebuilt with the
+# --enable-icap-client option
+#
+# This option is deprecated. Please use adaptation_access, which
+# has the same ICAP functionality, but comes with better
+# documentation, and eCAP support.
+#Default:
+# none
+
+# eCAP OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: ecap_enable on|off
+# Note: This option is only available if Squid is rebuilt with the
+# --enable-ecap option
+#
+# Controls whether eCAP support is enabled.
+#Default:
+# ecap_enable off
+
+# TAG: ecap_service
+# Note: This option is only available if Squid is rebuilt with the
+# --enable-ecap option
+#
+# Defines a single eCAP service
+#
+# ecap_service servicename vectoring_point bypass service_url
+#
+# vectoring_point = reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
+# This specifies at which point of transaction processing the
+# eCAP service should be activated. *_postcache vectoring points
+# are not yet supported.
# bypass = 1|0
-# If set to 1, the ICAP service is treated as optional. If the
+# If set to 1, the eCAP service is treated as optional. If the
# service cannot be reached or malfunctions, Squid will try to
# ignore any errors and process the message as if the service
-# was not enabled. No all ICAP errors can be bypassed.
-# If set to 0, the ICAP service is treated as essential and all
-# ICAP errors will result in an error page returned to the
+# was not enabled. No all eCAP errors can be bypassed.
+# If set to 0, the eCAP service is treated as essential and all
+# eCAP errors will result in an error page returned to the
# HTTP client.
-# service_url = icap://servername:port/service
+# service_url = ecap://vendor/service_name?custom&cgi=style&parameters=optional
#
#Example:
-#icap_service service_1 reqmod_precache 0 icap://icap1.mydomain.net:1344/reqmod
-#icap_service service_2 respmod_precache 0 icap://icap2.mydomain.net:1344/respmod
-#
+#ecap_service service_1 reqmod_precache 0 ecap://filters-R-us/leakDetector?on_error=block
+#ecap_service service_2 respmod_precache 1 icap://filters-R-us/virusFilter?config=/etc/vf.cfg
#Default:
# none
-# TAG: icap_class
+# TAG: loadable_modules
+# Instructs Squid to load the specified dynamic module(s) or activate
+# preloaded module(s).
+#Example:
+#loadable_modules /usr/lib/MinimalAdapter.so
+#Default:
+# none
+
+# MESSAGE ADAPTATION OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: adaptation_service_set
# Note: This option is only available if Squid is rebuilt with the
-# -DICAP_CLIENT define
+# --enable-ecap or --enable-icap-client option
#
-# Defines an ICAP service chain. Eventually, multiple services per
-# vectoring point will be supported. For now, please specify a single
-# service per class:
#
-# icap_class classname servicename
+# Configures an ordered set of similar, redundant services. This is
+# useful when hot standby or backup adaptation servers are available.
+#
+# adaptation_service_set set_name service_name1 service_name2 ...
+#
+# The named services are used in the set declaration order. The first
+# applicable adaptation service from the set is used first. The next
+# applicable service is tried if and only if the transaction with the
+# previous service fails and the message waiting to be adapted is still
+# intact.
+#
+# When adaptation starts, broken services are ignored as if they were
+# not a part of the set. A broken service is a down optional service.
+#
+# The services in a set must be attached to the same vectoring point
+# (e.g., pre-cache) and use the same adaptation method (e.g., REQMOD).
+#
+# If all services in a set are optional then adaptation failures are
+# bypassable. If all services in the set are essential, then a
+# transaction failure with one service may still be retried using
+# another service from the set, but when all services fail, the master
+# transaction fails as well.
+#
+# A set may contain a mix of optional and essential services, but that
+# is likely to lead to surprising results because broken services become
+# ignored (see above), making previously bypassable failures fatal.
+# Technically, it is the bypassability of the last failed service that
+# matters.
+#
+# See also: adaptation_access adaptation_service_chain
#
#Example:
-#icap_class class_1 service_1
-#icap class class_2 service_1
-#icap class class_3 service_3
+#adaptation_service_set svcBlocker urlFilterPrimary urlFilterBackup
+#adaptation service_set svcLogger loggerLocal loggerRemote
+#Default:
+# none
+
+# TAG: adaptation_service_chain
+# Note: This option is only available if Squid is rebuilt with the
+# --enable-ecap or --enable-icap-client option
+#
#
+# Configures a list of complementary services that will be applied
+# one-by-one, forming an adaptation chain or pipeline. This is useful
+# when Squid must perform different adaptations on the same message.
+#
+# adaptation_service_chain chain_name service_name1 svc_name2 ...
+#
+# The named services are used in the chain declaration order. The first
+# applicable adaptation service from the chain is used first. The next
+# applicable service is applied to the successful adaptation results of
+# the previous service in the chain.
+#
+# When adaptation starts, broken services are ignored as if they were
+# not a part of the chain. A broken service is a down optional service.
+#
+# Request satisfaction terminates the adaptation chain because Squid
+# does not currently allow declaration of RESPMOD services at the
+# "reqmod_precache" vectoring point (see icap_service or ecap_service).
+#
+# The services in a chain must be attached to the same vectoring point
+# (e.g., pre-cache) and use the same adaptation method (e.g., REQMOD).
+#
+# A chain may contain a mix of optional and essential services. If an
+# essential adaptation fails (or the failure cannot be bypassed for
+# other reasons), the master transaction fails. Otherwise, the failure
+# is bypassed as if the failed adaptation service was not in the chain.
+#
+# See also: adaptation_access adaptation_service_set
+#
+#Example:
+#adaptation_service_chain svcRequest requestLogger urlFilter leakDetector
#Default:
# none
-# TAG: icap_access
+# TAG: adaptation_access
# Note: This option is only available if Squid is rebuilt with the
-# -DICAP_CLIENT define
+# --enable-ecap or --enable-icap-client option
+#
+# Sends an HTTP transaction to an ICAP or eCAP adaptation service.
#
-# Redirects a request through an ICAP service class, depending
-# on given acls
+# adaptation_access service_name allow|deny [!]aclname...
+# adaptation_access set_name allow|deny [!]aclname...
#
-# icap_access classname allow|deny [!]aclname...
+# At each supported vectoring point, the adaptation_access
+# statements are processed in the order they appear in this
+# configuration file. Statements pointing to the following services
+# are ignored (i.e., skipped without checking their ACL):
#
-# The icap_access statements are processed in the order they appear in
-# this configuration file. If an access list matches, the processing stops.
-# For an "allow" rule, the specified class is used for the request. A "deny"
-# rule simply stops processing without using the class. You can also use the
-# special classname "None".
+# - services serving different vectoring points
+# - "broken-but-bypassable" services
+# - "up" services configured to ignore such transactions
+# (e.g., based on the ICAP Transfer-Ignore header).
+#
+# When a set_name is used, all services in the set are checked
+# using the same rules, to find the first applicable one. See
+# adaptation_service_set for details.
+#
+# If an access list is checked and there is a match, the
+# processing stops: For an "allow" rule, the corresponding
+# adaptation service is used for the transaction. For a "deny"
+# rule, no adaptation service is activated.
+#
+# It is currently not possible to apply more than one adaptation
+# service at the same vectoring point to the same HTTP transaction.
+#
+# See also: icap_service and ecap_service
#
-# For backward compatibility, it is also possible to use services
-# directly here.
#Example:
-#icap_access class_1 allow all
+#adaptation_access service_1 allow all
+#Default:
+# none
+
+# TAG: adaptation_service_iteration_limit
+# Note: This option is only available if Squid is rebuilt with the
+# --enable-ecap or --enable-icap-client option
+#
+# Limits the number of iterations allowed when applying adaptation
+# services to a message. If your longest adaptation set or chain
+# may have more than 16 services, increase the limit beyond its
+# default value of 16. If detecting infinite iteration loops sooner
+# is critical, make the iteration limit match the actual number
+# of services in your longest adaptation set or chain.
#
+# Infinite adaptation loops are most likely with routing services.
+#
+# See also: icap_service routing=1
+#Default:
+# adaptation_service_iteration_limit 16
+
+# TAG: adaptation_masterx_shared_names
+# Note: This option is only available if Squid is rebuilt with the
+# --enable-ecap or --enable-icap-client option
+#
+# For each master transaction (i.e., the HTTP request and response
+# sequence, including all related ICAP and eCAP exchanges), Squid
+# maintains a table of metadata. The table entries are (name, value)
+# pairs shared among eCAP and ICAP exchanges. The table is destroyed
+# with the master transaction.
+#
+# This option specifies the table entry names that Squid must accept
+# from and forward to the adaptation transactions.
+#
+# An ICAP REQMOD or RESPMOD transaction may set an entry in the
+# shared table by returning an ICAP header field with a name
+# specified in adaptation_masterx_shared_names. Squid will store
+# and forward that ICAP header field to subsequent ICAP
+# transactions within the same master transaction scope.
+#
+# Only one shared entry name is supported at this time.
+#
+#Example:
+## share authentication information among ICAP services
+#adaptation_masterx_shared_names X-Subscriber-ID
#Default:
# none
+# TAG: icap_retry
+# Note: This option is only available if Squid is rebuilt with the
+# --enable-icap-client option
+#
+# This ACL determines which retriable ICAP transactions are
+# retried. Transactions that received a complete ICAP response
+# and did not have to consume or produce HTTP bodies to receive
+# that response are usually retriable.
+#
+# icap_retry allow|deny [!]aclname ...
+#
+# Squid automatically retries some ICAP I/O timeouts and errors
+# due to persistent connection race conditions.
+#
+# See also: icap_retry_limit
+#Default:
+# icap_retry deny all
+
+# TAG: icap_retry_limit
+# Note: This option is only available if Squid is rebuilt with the
+# --enable-icap-client option
+#
+# Limits the number of retries allowed. When set to zero (default),
+# no retries are allowed.
+#
+# Communication errors due to persistent connection race
+# conditions are unavoidable, automatically retried, and do not
+# count against this limit.
+#
+# See also: icap_retry
+#Default:
+# icap_retry_limit 0
# DNS OPTIONS
# -----------------------------------------------------------------------------
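Review bot: Two of the added examples would not work if an administrator uncommented them. The second ecap_service example uses the `icap://` scheme although the service_url format given a few lines above is `ecap://vendor/service_name?...`; it should read `#ecap_service service_2 respmod_precache 1 ecap://filters-R-us/virusFilter?config=/etc/vf.cfg`. The second adaptation_service_set example is missing the underscore in the directive name and should read `#adaptation_service_set svcLogger loggerLocal loggerRemote` (the same slip the removed `icap class` examples had). Minor: "No all ICAP errors" / "No all eCAP errors" in the bypass descriptions should be "Not all".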
@@ -4302,7 +5223,6 @@ icp_port 3130
# For security and stability reasons Squid can check
# hostnames for Internet standard RFC compliance. If you want
# Squid to perform these checks turn this directive on.
-#
#Default:
# check_hostnames off
@@ -4311,7 +5231,6 @@ icp_port 3130
# but nevertheless used by many sites. Set this to off if you want
# Squid to be strict about the standard.
# This check is performed only when check_hostnames is set to on.
-#
#Default:
# allow_underscore on
@@ -4320,7 +5239,6 @@ icp_port 3130
# --disable-internal-dns option
#
# Specify the location of the executable for dnslookup process.
-#
#Default:
# cache_dns_program /usr/libexec/dnsserver
@@ -4334,7 +5252,6 @@ icp_port 3130
# is 32. The default is 5.
#
# You must have at least one dnsserver process.
-#
#Default:
# dns_children 5
@@ -4342,7 +5259,6 @@ icp_port 3130
# Initial retransmit interval for DNS queries. The interval is
# doubled each time all configured DNS servers have been tried.
#
-#
#Default:
# dns_retransmit_interval 5 seconds
@@ -4350,7 +5266,6 @@ icp_port 3130
# DNS Query timeout. If no response is received to a DNS query
# within this time all DNS servers for the queried domain
# are assumed to be unavailable.
-#
#Default:
# dns_timeout 2 minutes
@@ -4359,7 +5274,6 @@ icp_port 3130
# (see res_init(3)). This prevents caches in a hierarchy
# from interpreting single-component hostnames locally. To allow
# Squid to handle single-component names, enable this option.
-#
#Default:
# dns_defnames off
@@ -4373,7 +5287,6 @@ icp_port 3130
# configurations are supported.
#
# Example: dns_nameservers 10.0.0.1 192.172.0.4
-#
#Default:
# none
@@ -4400,18 +5313,9 @@ icp_port 3130
# If append_domain is used, that domain will be added to
# domain-local (i.e. not containing any dot character) host
# definitions.
-#
#Default:
# hosts_file /etc/hosts
-# TAG: dns_testnames
-# The DNS tests exit as soon as the first site is successfully looked up
-#
-# This test can be disabled with the -D command line option.
-#
-#Default:
-# dns_testnames netscape.com internic.net nlanr.net microsoft.com
-
# TAG: append_domain
# Appends local domain name to hostnames without any dots in
# them. append_domain must begin with a period.
@@ -4422,7 +5326,6 @@ icp_port 3130
#
#Example:
# append_domain .yourdomain.com
-#
#Default:
# none
@@ -4432,15 +5335,30 @@ icp_port 3130
# don't match, Squid ignores the response and writes a warning
# message to cache.log. You can allow responses from unknown
# nameservers by setting this option to 'off'.
-#
#Default:
# ignore_unknown_nameservers on
+# TAG: dns_v4_fallback
+# Standard practice with DNS is to lookup either A or AAAA records
+# and use the results if it succeeds. Only looking up the other if
+# the first attempt fails or otherwise produces no results.
+#
+# That policy however will cause squid to produce error pages for some
+# servers that advertise AAAA but are unreachable over IPv6.
+#
+# If this is ON squid will always lookup both AAAA and A, using both.
+# If this is OFF squid will lookup AAAA and only try A if none found.
+#
+# WARNING: There are some possibly unwanted side-effects with this on:
+# *) Doubles the load placed by squid on the DNS network.
+# *) May negatively impact connection delay times.
+#Default:
+# dns_v4_fallback on
+
# TAG: ipcache_size (number of entries)
# TAG: ipcache_low (percent)
# TAG: ipcache_high (percent)
# The size, low-, and high-water marks for the IP cache.
-#
#Default:
# ipcache_size 1024
# ipcache_low 90
@@ -4448,11 +5366,9 @@ icp_port 3130
# TAG: fqdncache_size (number of entries)
# Maximum number of FQDN cache entries.
-#
#Default:
# fqdncache_size 1024
-
# MISCELLANEOUS
# -----------------------------------------------------------------------------
@@ -4461,7 +5377,6 @@ icp_port 3130
# available for future use. If memory is a premium on your
# system and you believe your malloc library outperforms Squid
# routines, disable this.
-#
#Default:
# memory_pools on
@@ -4477,31 +5392,37 @@ icp_port 3130
# memory_pools_limit to a reasonably high value even if your
# configuration will use less memory.
#
-# If set to zero, Squid will keep all memory it can. That is, there
+# If set to none, Squid will keep all memory it can. That is, there
# will be no limit on the total amount of memory used for safe-keeping.
#
# To disable memory allocation optimization, do not set
-# memory_pools_limit to 0. Set memory_pools to "off" instead.
+# memory_pools_limit to 0 or none. Set memory_pools to "off" instead.
#
# An overhead for maintaining memory pools is not taken into account
# when the limit is checked. This overhead is close to four bytes per
# object kept. However, pools may actually _save_ memory because of
# reduced memory thrashing in your malloc library.
-#
#Default:
# memory_pools_limit 5 MB
-# TAG: forwarded_for on|off
-# If set, Squid will include your system's IP address or name
-# in the HTTP requests it forwards. By default it looks like
-# this:
+# TAG: forwarded_for on|off|transparent|truncate|delete
+# If set to "on", Squid will append your client's IP address
+# in the HTTP requests it forwards. By default it looks like:
#
# X-Forwarded-For: 192.1.2.3
#
-# If you disable this, it will appear as
+# If set to "off", it will appear as
#
# X-Forwarded-For: unknown
#
+# If set to "transparent", Squid will not alter the
+# X-Forwarded-For header in any way.
+#
+# If set to "delete", Squid will delete the entire
+# X-Forwarded-For header.
+#
+# If set to "truncate", Squid will remove all existing
+# X-Forwarded-For entries, and place itself as the sole entry.
#Default:
# forwarded_for on
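Review bot: The rewritten forwarded_for text describes what each mode does to the header but not who controls its contents. If "on" appends to whatever X-Forwarded-For the client already sent and "transparent" does not alter the header at all, as the new text states, then every entry other than the one Squid appends is client-supplied and must not be trusted by anything downstream (access control, logging); a short note such as `# Note: existing X-Forwarded-For entries come from the client and are not validated by Squid.` would make that explicit. It is also worth pointing out under the default `forwarded_for on` that the client's address is disclosed to every origin server, and that "delete" or "truncate" exist for deployments where internal addressing should not leave the proxy.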
@@ -4539,6 +5460,7 @@ icp_port 3130
# offline_toggle *
# pconn
# peer_select
+# reconfigure *
# redirector
# refresh
# server_list
@@ -4562,14 +5484,12 @@ icp_port 3130
# cachemgr_passwd secret shutdown
# cachemgr_passwd lesssssssecret info stats/objects
# cachemgr_passwd disable all
-#
#Default:
# none
# TAG: client_db on|off
# If you want to disable collecting per-client statistics,
# turn off client_db here.
-#
#Default:
# client_db on
@@ -4582,7 +5502,6 @@ icp_port 3130
#
# By default (off), squid may return a Not Modified response
# based on the age of the cached version.
-#
#Default:
# refresh_all_ims off
@@ -4594,7 +5513,6 @@ icp_port 3130
# causes.
#
# see also refresh_pattern for a more selective approach.
-#
#Default:
# reload_into_ims off
@@ -4609,7 +5527,6 @@ icp_port 3130
#
# Note: This is in addition to the request re-forwarding which
# takes place if Squid fails to get a satisfying response.
-#
#Default:
# maximum_single_addr_tries 1
@@ -4618,14 +5535,12 @@ icp_port 3130
# receiving an error response. This is mainly useful if you
# are in a complex cache hierarchy to work around access
# control errors.
-#
#Default:
# retry_on_error off
# TAG: as_whois_server
# WHOIS server to query for AS numbers. NOTE: AS numbers are
# queried only when Squid starts up, not for every request.
-#
#Default:
# as_whois_server whois.ra.net
# as_whois_server whois.ra.net
@@ -4633,7 +5548,6 @@ icp_port 3130
# TAG: offline_mode
# Enable this option and Squid will never try to validate cached
# objects.
-#
#Default:
# offline_mode off
@@ -4656,42 +5570,30 @@ icp_port 3130
# chop: The request is allowed and the URI is chopped at the
# first whitespace. This might also be considered a
# violation.
-#
#Default:
# uri_whitespace strip
-# TAG: coredump_dir
-# By default Squid leaves core files in the directory from where
-# it was started. If you set 'coredump_dir' to a directory
-# that exists, Squid will chdir() to that directory at startup
-# and coredump files will be left there.
-#
-#Default:
-# coredump_dir none
-#
-# Leave coredumps in the first cache dir
-coredump_dir /var/log/squid
-
# TAG: chroot
-# Use this to have Squid do a chroot() while initializing. This
-# also causes Squid to fully drop root privileges after
-# initializing. This means, for example, if you use a HTTP
-# port less than 1024 and try to reconfigure, you will may get an
-# error saying that Squid can not open the port.
-#
+# Specifies a directory where Squid should do a chroot() while
+# initializing. This also causes Squid to fully drop root
+# privileges after initializing. This means, for example, if you
+# use a HTTP port less than 1024 and try to reconfigure, you may
+# get an error saying that Squid can not open the port.
#Default:
# none
# TAG: balance_on_multiple_ip
+# Modern IP resolvers in squid sort lookup results by preferred access.
+# By default squid will use these IP in order and only rotates to
+# the next listed when the most preffered fails.
+#
# Some load balancing servers based on round robin DNS have been
# found not to preserve user session state across requests
# to different IP addresses.
#
-# By default Squid rotates IP's per request. By disabling
-# this directive only connection failure triggers rotation.
-#
+# Enabling this directive Squid rotates IP's per request.
#Default:
-# balance_on_multiple_ip on
+# balance_on_multiple_ip off
# TAG: pipeline_prefetch
# To boost the performance of pipelined requests to closer
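Review bot: This hunk removes the only active directive in the section, `coredump_dir /var/log/squid`, together with its documentation, and nothing visible here puts it back; unless coredump_dir is set elsewhere in the new file, Squid will leave core files in whatever directory it was started from. Core dumps of a proxy can hold in-flight request data and authentication credentials, so the location should be chosen deliberately and kept in a directory with restrictive permissions rather than falling back to the start directory — either keep `coredump_dir /var/log/squid` or re-add it where the 3.1 layout now documents the directive. The balance_on_multiple_ip default flip from on to off is documented in the new text and looks intentional. Minor: "preffered" should be "preferred".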
@@ -4700,7 +5602,6 @@ coredump_dir /var/log/squid
#
# Defaults to off for bandwidth management and access logging
# reasons.
-#
#Default:
# pipeline_prefetch off
@@ -4708,7 +5609,6 @@ coredump_dir /var/log/squid
# If the one-minute median response time exceeds this value,
# Squid prints a WARNING with debug level 0 to get the
# administrators attention. The value is in milliseconds.
-#
#Default:
# high_response_time_warning 0
@@ -4717,7 +5617,6 @@ coredump_dir /var/log/squid
# value, Squid prints a WARNING with debug level 0 to get
# the administrators attention. The value is in page faults
# per second.
-#
#Default:
# high_page_fault_warning 0
@@ -4725,7 +5624,6 @@ coredump_dir /var/log/squid
# If the memory usage (as determined by mallinfo) exceeds
# this amount, Squid prints a WARNING with debug level 0 to get
# the administrators attention.
-#
#Default:
# high_memory_warning 0 KB
@@ -4740,7 +5638,26 @@ coredump_dir /var/log/squid
# until all the child processes have been started.
# On Windows value less then 1000 (1 milliseconds) are
# rounded to 1000.
-#
#Default:
# sleep_after_fork 0
+# TAG: windows_ipaddrchangemonitor on|off
+# On Windows Squid by default will monitor IP address changes and will
+# reconfigure itself after any detected event. This is very useful for
+# proxies connected to internet with dial-up interfaces.
+# In some cases (a Proxy server acting as VPN gateway is one) it could be
+# desiderable to disable this behaviour setting this to 'off'.
+# Note: after changing this, Squid service must be restarted.
+#Default:
+# windows_ipaddrchangemonitor on
+
+# TAG: max_filedescriptors
+# The maximum number of filedescriptors supported.
+#
+# The default "0" means Squid inherits the current ulimit setting.
+#
+# Note: Changing this requires a restart of Squid. Also
+# not all comm loops supports large values.
+#Default:
+# max_filedescriptors 0
+