diff options
author | dsomero <xgizzmo@slackbuilds.org> | 2014-12-29 21:05:35 -0500 |
---|---|---|
committer | Willy Sudiarto Raharjo <willysr@slackbuilds.org> | 2014-12-31 19:21:59 +0700 |
commit | d981329dfba8ff23476c06378f73732f9942a42d (patch) | |
tree | cc1c041aefee2a86bf542020d91c1d549d0bb10b /network/squid | |
parent | 80a3d95d9a015466489ab4d75a3dcbd3d7bec4c6 (diff) |
network/squid: Updated for version 3.4.10.
Signed-off-by: dsomero <xgizzmo@slackbuilds.org>
Diffstat (limited to 'network/squid')
-rw-r--r-- | network/squid/squid.SlackBuild | 6 | ||||
-rw-r--r-- | network/squid/squid.conf | 3778 | ||||
-rw-r--r-- | network/squid/squid.conf.documented | 3761 | ||||
-rw-r--r-- | network/squid/squid.info | 6 |
4 files changed, 5675 insertions, 1876 deletions
diff --git a/network/squid/squid.SlackBuild b/network/squid/squid.SlackBuild index b7df69b3f7a2a..1a9029f3ddc24 100644 --- a/network/squid/squid.SlackBuild +++ b/network/squid/squid.SlackBuild @@ -24,7 +24,7 @@ # ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. PRGNAM=squid -VERSION=${VERSION:-3.1.23} +VERSION=${VERSION:-3.4.10} BUILD=${BUILD:-1} TAG=${TAG:-_SBo} @@ -86,8 +86,8 @@ CXXFLAGS="$SLKCFLAGS" \ --mandir=/usr/man \ --with-logdir=/var/log/squid \ --enable-snmp \ - --enable-auth="basic" \ - --enable-basic-auth-helpers="NCSA" \ + --enable-auth \ + --enable-auth-basic \ --enable-linux-netfilter \ --enable-async-io \ --build=$ARCH-slackware-linux \ diff --git a/network/squid/squid.conf b/network/squid/squid.conf index 804bdc8de8d88..1e9345bc307dc 100644 --- a/network/squid/squid.conf +++ b/network/squid/squid.conf @@ -1,4 +1,4 @@ -# WELCOME TO SQUID 3.1.20 +# WELCOME TO SQUID 3.4.10 # ---------------------------- # # This is the documentation for the Squid configuration file. @@ -32,6 +32,140 @@ # This arbitrary restriction is to prevent recursive include references # from causing Squid entering an infinite loop whilst trying to load # configuration files. +# +# Values with byte units +# +# Squid accepts size units on some size related directives. All +# such directives are documented with a default value displaying +# a unit. +# +# Units accepted by Squid are: +# bytes - byte +# KB - Kilobyte (1024 bytes) +# MB - Megabyte +# GB - Gigabyte +# +# Values with spaces, quotes, and other special characters +# +# Squid supports directive parameters with spaces, quotes, and other +# special characters. Surround such parameters with "double quotes". Use +# the configuration_includes_quoted_values directive to enable or +# disable that support. +# +# For example; +# +# configuration_includes_quoted_values on +# acl group external groupCheck Administrators "Internet Users" Guest +# configuration_includes_quoted_values off +# +# +# Conditional configuration +# +# If-statements can be used to make configuration directives +# depend on conditions: +# +# if <CONDITION> +# ... regular configuration directives ... +# [else +# ... regular configuration directives ...] +# endif +# +# The else part is optional. The keywords "if", "else", and "endif" +# must be typed on their own lines, as if they were regular +# configuration directives. +# +# NOTE: An else-if condition is not supported. +# +# These individual conditions types are supported: +# +# true +# Always evaluates to true. +# false +# Always evaluates to false. +# <integer> = <integer> +# Equality comparison of two integer numbers. +# +# +# SMP-Related Macros +# +# The following SMP-related preprocessor macros can be used. +# +# ${process_name} expands to the current Squid process "name" +# (e.g., squid1, squid2, or cache1). +# +# ${process_number} expands to the current Squid process +# identifier, which is an integer number (e.g., 1, 2, 3) unique +# across all Squid processes. + +# TAG: broken_vary_encoding +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: cache_vary +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: collapsed_forwarding +# This option is not yet supported by Squid-3. see http://bugs.squid-cache.org/show_bug.cgi?id=3495 +#Default: +# none + +# TAG: error_map +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: external_refresh_check +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: location_rewrite_program +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: refresh_stale_hit +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: ignore_ims_on_miss +# Remove this line. The HTTP/1.1 feature is now configured by 'cache_miss_revalidate'. +#Default: +# none + +# TAG: ignore_expect_100 +# Remove this line. The HTTP/1.1 feature is now fully supported by default. +#Default: +# none + +# TAG: dns_v4_fallback +# Remove this line. Squid performs a 'Happy Eyeballs' algorithm, the 'fallback' algorithm is no longer relevant. +#Default: +# none + +# TAG: ftp_list_width +# Remove this line. Configure FTP page display using the CSS controls in errorpages.css instead. +#Default: +# none + +# TAG: maximum_single_addr_tries +# Replaced by connect_retries. The behaviour has changed, please read the documentation before altering. +#Default: +# none + +# TAG: update_headers +# Remove this line. The feature is supported by default in storage types where update is implemented. +#Default: +# none + +# TAG: url_rewrite_concurrency +# Remove this line. Set the 'concurrency=' option of url_rewrite_children instead. +#Default: +# none # TAG: dns_testnames # Remove this line. DNS is no longer tested on startup. @@ -43,6 +177,10 @@ #Default: # none +# TAG: zero_buffers +#Default: +# none + # TAG: incoming_rate #Default: # none @@ -73,6 +211,16 @@ #Default: # none +# TAG: wais_relay_host +# Replace this line with 'cache_peer' configuration. +#Default: +# none + +# TAG: wais_relay_port +# Replace this line with 'cache_peer' configuration. +#Default: +# none + # OPTIONS FOR AUTHENTICATION # ----------------------------------------------------------------------------- @@ -118,9 +266,22 @@ # # "program" cmdline # Specify the command for the external authenticator. Such a program -# reads a line containing "username password" and replies "OK" or -# "ERR" in an endless loop. "ERR" responses may optionally be followed -# by a error description available as %m in the returned error page. +# reads a line containing "username password" and replies with one of +# three results: +# +# OK +# the user exists. +# +# ERR +# the user does not exist. +# +# BH +# An internal error occurred in the helper, preventing +# a result being identified. +# +# "ERR" and "BH" results may optionally be followed by message="..." +# containing a description available as %m in the returned error page. +# # If you use an authenticator, make sure you have 1 acl of type # proxy_auth. # @@ -130,31 +291,36 @@ # If you want to use the traditional NCSA proxy authentication, set # this line to something like # -# auth_param basic program /usr/libexec/ncsa_auth /usr/etc/passwd +# auth_param basic program /usr/libexec/basic_ncsa_auth /usr/etc/passwd # # "utf8" on|off -# HTTP uses iso-latin-1 as characterset, while some authentication +# HTTP uses iso-latin-1 as character set, while some authentication # backends such as LDAP expects UTF-8. If this is set to on Squid will # translate the HTTP iso-latin-1 charset to UTF-8 before sending the # username & password to the helper. # -# "children" numberofchildren -# The number of authenticator processes to spawn. If you start too few +# "children" numberofchildren [startup=N] [idle=N] [concurrency=N] +# The maximum number of authenticator processes to spawn. If you start too few # Squid will have to wait for them to process a backlog of credential # verifications, slowing it down. When password verifications are # done via a (slow) network you are likely to need lots of # authenticator processes. -# auth_param basic children 5 -# -# "concurrency" concurrency -# The number of concurrent requests the helper can process. -# The default of 0 is used for helpers who only supports -# one request at a time. Setting this changes the protocol used to -# include a channel number first on the request/response line, allowing -# multiple requests to be sent to the same helper in parallell without -# wating for the response. +# +# The startup= and idle= options permit some skew in the exact amount +# run. A minimum of startup=N will begin during startup and reconfigure. +# Squid will start more in groups of up to idle=N in an attempt to meet +# traffic needs and to keep idle=N free above those traffic needs up to +# the maximum. +# +# The concurrency= option sets the number of concurrent requests the +# helper can process. The default of 0 is used for helpers who only +# supports one request at a time. Setting this to a number greater than +# 0 changes the protocol used to include a channel number first on the +# request/response line, allowing multiple requests to be sent to the +# same helper in parallel without waiting for the response. # Must not be set unless it's known the helper supports this. -# auth_param basic concurrency 0 +# +# auth_param basic children 20 startup=0 idle=1 # # "realm" realmstring # Specifies the realm name which is to be reported to the @@ -186,11 +352,22 @@ # "program" cmdline # Specify the command for the external authenticator. Such # a program reads a line containing "username":"realm" and -# replies with the appropriate H(A1) value hex encoded or -# ERR if the user (or his H(A1) hash) does not exists. -# See rfc 2616 for the definition of H(A1). -# "ERR" responses may optionally be followed by a error description -# available as %m in the returned error page. +# replies with one of three results: +# +# OK ha1="..." +# the user exists. The ha1= key is mandatory and +# contains the appropriate H(A1) value, hex encoded. +# See rfc 2616 for the definition of H(A1). +# +# ERR +# the user does not exist. +# +# BH +# An internal error occurred in the helper, preventing +# a result being identified. +# +# "ERR" and "BH" results may optionally be followed by message="..." +# containing a description available as %m in the returned error page. # # By default, the digest authentication scheme is not used unless a # program is specified. @@ -201,18 +378,33 @@ # auth_param digest program /usr/bin/digest_pw_auth /usr/etc/digpass # # "utf8" on|off -# HTTP uses iso-latin-1 as characterset, while some authentication +# HTTP uses iso-latin-1 as character set, while some authentication # backends such as LDAP expects UTF-8. If this is set to on Squid will # translate the HTTP iso-latin-1 charset to UTF-8 before sending the # username & password to the helper. # -# "children" numberofchildren -# The number of authenticator processes to spawn (no default). +# "children" numberofchildren [startup=N] [idle=N] [concurrency=N] +# The maximum number of authenticator processes to spawn (default 5). # If you start too few Squid will have to wait for them to # process a backlog of H(A1) calculations, slowing it down. # When the H(A1) calculations are done via a (slow) network # you are likely to need lots of authenticator processes. -# auth_param digest children 5 +# +# The startup= and idle= options permit some skew in the exact amount +# run. A minimum of startup=N will begin during startup and reconfigure. +# Squid will start more in groups of up to idle=N in an attempt to meet +# traffic needs and to keep idle=N free above those traffic needs up to +# the maximum. +# +# The concurrency= option sets the number of concurrent requests the +# helper can process. The default of 0 is used for helpers who only +# supports one request at a time. Setting this to a number greater than +# 0 changes the protocol used to include a channel number first on the +# request/response line, allowing multiple requests to be sent to the +# same helper in parallel without waiting for the response. +# Must not be set unless it's known the helper supports this. +# +# auth_param digest children 20 startup=0 idle=1 # # "realm" realmstring # Specifies the realm name which is to be reported to the @@ -236,7 +428,7 @@ # "nonce_strictness" on|off # Determines if squid requires strict increment-by-1 behavior # for nonce counts, or just incrementing (off - for use when -# useragents generate nonce counts that occasionally miss 1 +# user agents generate nonce counts that occasionally miss 1 # (ie, 1,2,4,6)). Default off. # # "check_nonce_count" on|off @@ -257,28 +449,34 @@ # Such a program reads exchanged NTLMSSP packets with # the browser via Squid until authentication is completed. # If you use an NTLM authenticator, make sure you have 1 acl -# of type proxy_auth. By default, the NTLM authenticator_program +# of type proxy_auth. By default, the NTLM authenticator program # is not used. # # auth_param ntlm program /usr/bin/ntlm_auth # -# "children" numberofchildren -# The number of authenticator processes to spawn (no default). +# "children" numberofchildren [startup=N] [idle=N] +# The maximum number of authenticator processes to spawn (default 5). # If you start too few Squid will have to wait for them to # process a backlog of credential verifications, slowing it # down. When credential verifications are done via a (slow) # network you are likely to need lots of authenticator # processes. # -# auth_param ntlm children 5 +# The startup= and idle= options permit some skew in the exact amount +# run. A minimum of startup=N will begin during startup and reconfigure. +# Squid will start more in groups of up to idle=N in an attempt to meet +# traffic needs and to keep idle=N free above those traffic needs up to +# the maximum. +# +# auth_param ntlm children 20 startup=0 idle=1 # # "keep_alive" on|off -# Whether to keep the connection open after the initial response where -# Squid tells the browser which schemes are supported by the proxy. -# Some browsers are known to present many login popups or to corrupt -# POST/PUT requests transfer if the connection is not closed. -# The default is currently OFF to avoid this, but may change. -# +# If you experience problems with PUT/POST requests when using the +# Negotiate authentication scheme then you can try setting this to +# off. This will cause Squid to forcibly close the connection on +# the initial requests where the browser asks which schemes are +# supported by the proxy. +# # auth_param ntlm keep_alive on # # === Options for configuring the NEGOTIATE auth-scheme follow === @@ -291,51 +489,58 @@ # using the Kerberos mechanisms. # If you use a Negotiate authenticator, make sure you have at least # one acl of type proxy_auth active. By default, the negotiate -# authenticator_program is not used. +# authenticator program is not used. # The only supported program for this role is the ntlm_auth # program distributed as part of Samba, version 4 or later. # # auth_param negotiate program /usr/bin/ntlm_auth --helper-protocol=gss-spnego # -# "children" numberofchildren -# The number of authenticator processes to spawn (no default). +# "children" numberofchildren [startup=N] [idle=N] +# The maximum number of authenticator processes to spawn (default 5). # If you start too few Squid will have to wait for them to # process a backlog of credential verifications, slowing it -# down. When crendential verifications are done via a (slow) +# down. When credential verifications are done via a (slow) # network you are likely to need lots of authenticator # processes. -# auth_param negotiate children 5 +# +# The startup= and idle= options permit some skew in the exact amount +# run. A minimum of startup=N will begin during startup and reconfigure. +# Squid will start more in groups of up to idle=N in an attempt to meet +# traffic needs and to keep idle=N free above those traffic needs up to +# the maximum. +# +# auth_param negotiate children 20 startup=0 idle=1 # # "keep_alive" on|off -# Whether to keep the connection open after the initial response where -# Squid tells the browser which schemes are supported by the proxy. -# Some browsers are known to present many login popups or to corrupt -# POST/PUT requests transfer if the connection is not closed. -# The default is currently OFF to avoid this, but may change. -# -# auth_param negotiate keep_alive on +# If you experience problems with PUT/POST requests when using the +# Negotiate authentication scheme then you can try setting this to +# off. This will cause Squid to forcibly close the connection on +# the initial requests where the browser asks which schemes are +# supported by the proxy. # +# auth_param negotiate keep_alive on # +# # Examples: # ##Recommended minimum configuration per scheme: ##auth_param negotiate program <uncomment and complete this line to activate> -##auth_param negotiate children 5 +##auth_param negotiate children 20 startup=0 idle=1 ##auth_param negotiate keep_alive on ## ##auth_param ntlm program <uncomment and complete this line to activate> -##auth_param ntlm children 5 +##auth_param ntlm children 20 startup=0 idle=1 ##auth_param ntlm keep_alive on ## ##auth_param digest program <uncomment and complete this line> -##auth_param digest children 5 +##auth_param digest children 20 startup=0 idle=1 ##auth_param digest realm Squid proxy-caching web server ##auth_param digest nonce_garbage_interval 5 minutes ##auth_param digest nonce_max_duration 30 minutes ##auth_param digest nonce_max_count 50 ## ##auth_param basic program <uncomment and complete this line> -##auth_param basic children 5 +##auth_param basic children 5 startup=5 idle=1 ##auth_param basic realm Squid proxy-caching web server ##auth_param basic credentialsttl 2 hours #Default: @@ -343,7 +548,7 @@ # TAG: authenticate_cache_garbage_interval # The time period between garbage collection across the username cache. -# This is a tradeoff between memory utilization (long intervals - say +# This is a trade-off between memory utilization (long intervals - say # 2 days) and CPU (short intervals - say 1 minute). Only change if you # have good reason to. #Default: @@ -362,11 +567,11 @@ # this directive controls how long Squid remembers the IP # addresses associated with each user. Use a small value # (e.g., 60 seconds) if your users might change addresses -# quickly, as is the case with dialups. You might be safe +# quickly, as is the case with dialup. You might be safe # using a larger value (e.g., 2 hours) in a corporate LAN # environment with relatively static address assignments. #Default: -# authenticate_ip_ttl 0 seconds +# authenticate_ip_ttl 1 second # ACCESS CONTROLS # ----------------------------------------------------------------------------- @@ -381,25 +586,50 @@ # # ttl=n TTL in seconds for cached results (defaults to 3600 # for 1 hour) +# # negative_ttl=n # TTL for cached negative lookups (default same # as ttl) -# children=n Number of acl helper processes spawn to service -# external acl lookups of this type. (default 5) -# concurrency=n concurrency level per process. Only used with helpers -# capable of processing more than one query at a time. -# cache=n result cache size, 0 is unbounded (default) +# # grace=n Percentage remaining of TTL where a refresh of a # cached entry should be initiated without needing to -# wait for a new reply. (default 0 for no grace period) -# protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers +# wait for a new reply. (default is for no grace period) +# +# cache=n Limit the result cache size, default is 262144. +# The expanded FORMAT value is used as the cache key, so +# if the details in FORMAT are highly variable a larger +# cache may be needed to produce reduction in helper load. +# +# children-max=n +# Maximum number of acl helper processes spawned to service +# external acl lookups of this type. (default 20) +# +# children-startup=n +# Minimum number of acl helper processes to spawn during +# startup and reconfigure to service external acl lookups +# of this type. (default 0) +# +# children-idle=n +# Number of acl helper processes to keep ahead of traffic +# loads. Squid will spawn this many at once whenever load +# rises above the capabilities of existing processes. +# Up to the value of children-max. (default 1) +# +# concurrency=n concurrency level per process. Only used with helpers +# capable of processing more than one query at a time. +# +# protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers. +# # ipv4 / ipv6 IP protocol used to communicate with this helper. # The default is to auto-detect IPv6 and use it when available. # +# # FORMAT specifications # # %LOGIN Authenticated user login name -# %EXT_USER Username from external acl +# %EXT_USER Username from previous external acl +# %EXT_LOG Log details from previous external acl +# %EXT_TAG Tag from previous external acl # %IDENT Ident user name # %SRC Client IP # %SRCPORT Client source port @@ -415,7 +645,7 @@ # %USER_CERT SSL User certificate in PEM format # %USER_CERTCHAIN SSL User certificate chain in PEM format # %USER_CERT_xx SSL User certificate subject attribute xx -# %USER_CA_xx SSL User certificate issuer attribute xx +# %USER_CA_CERT_xx SSL User certificate issuer attribute xx # # %>{Header} HTTP request header "Header" # %>{Hdr:member} @@ -433,43 +663,97 @@ # list separator. ; can be any non-alphanumeric # character. # +# %ACL The name of the ACL being tested. +# %DATA The ACL arguments. If not used then any arguments +# is automatically added at the end of the line +# sent to the helper. +# NOTE: this will encode the arguments as one token, +# whereas the default will pass each separately. +# # %% The percent sign. Useful for helpers which need # an unchanging input format. # -# In addition to the above, any string specified in the referencing -# acl will also be included in the helper request line, after the -# specified formats (see the "acl external" directive) # -# The helper receives lines per the above format specification, -# and returns lines starting with OK or ERR indicating the validity -# of the request and optionally followed by additional keywords with -# more details. +# General request syntax: +# +# [channel-ID] FORMAT-values [acl-values ...] +# +# +# FORMAT-values consists of transaction details expanded with +# whitespace separation per the config file FORMAT specification +# using the FORMAT macros listed above. +# +# acl-values consists of any string specified in the referencing +# config 'acl ... external' line. see the "acl external" directive. +# +# Request values sent to the helper are URL escaped to protect +# each value in requests against whitespaces. +# +# If using protocol=2.5 then the request sent to the helper is not +# URL escaped to protect against whitespace. +# +# NOTE: protocol=3.0 is deprecated as no longer necessary. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# +# The helper receives lines expanded per the above format specification +# and for each input line returns 1 line starting with OK/ERR/BH result +# code and optionally followed by additional keywords with more details. +# # # General result syntax: # -# OK/ERR keyword=value ... +# [channel-ID] result keyword=value ... +# +# Result consists of one of the codes: +# +# OK +# the ACL test produced a match. +# +# ERR +# the ACL test does not produce a match. +# +# BH +# An internal error occurred in the helper, preventing +# a result being identified. +# +# The meaning of 'a match' is determined by your squid.conf +# access control configuration. See the Squid wiki for details. # # Defined keywords: # # user= The users name (login) +# # password= The users password (for login= cache_peer option) -# message= Message describing the reason. Available as %o -# in error pages -# tag= Apply a tag to a request (for both ERR and OK results) -# Only sets a tag, does not alter existing tags. +# +# message= Message describing the reason for this response. +# Available as %o in error pages. +# Useful on (ERR and BH results). +# +# tag= Apply a tag to a request. Only sets a tag once, +# does not alter existing tags. +# # log= String to be logged in access.log. Available as -# %ea in logformat specifications +# %ea in logformat specifications. # -# If protocol=3.0 (the default) then URL escaping is used to protect -# each value in both requests and responses. +# Any keywords may be sent on any response whether OK, ERR or BH. # -# If using protocol=2.5 then all values need to be enclosed in quotes -# if they may contain whitespace, or the whitespace escaped using \. -# And quotes or \ characters within the keyword value must be \ escaped. +# All response keyword values need to be a single token with URL +# escaping, or enclosed in double quotes (") and escaped using \ on +# any double quotes or \ characters within the value. The wrapping +# double quotes are removed before the value is interpreted by Squid. +# \r and \n are also replace by CR and LF. # -# When using the concurrency= option the protocol is changed by -# introducing a query channel tag infront of the request/response. -# The query channel tag is a number between 0 and concurrency-1. +# Some example key values: +# +# user=John%20Smith +# user="John Smith" +# user="J. \"Bob\" Smith" #Default: # none @@ -485,9 +769,23 @@ # # When using "file", the file should contain one item per line. # -# By default, regular expressions are CASE-SENSITIVE. -# To make them case-insensitive, use the -i option. To return case-sensitive -# use the +i option between patterns, or make a new ACL line without -i. +# Some acl types supports options which changes their default behaviour. +# The available options are: +# +# -i,+i By default, regular expressions are CASE-SENSITIVE. To make them +# case-insensitive, use the -i option. To return case-sensitive +# use the +i option between patterns, or make a new ACL line +# without -i. +# +# -n Disable lookups and address type conversions. If lookup or +# conversion is required because the parameter type (IP or +# domain name) does not match the message address type (domain +# name or IP), then the ACL would immediately declare a mismatch +# without any warnings or lookups. +# +# -- Used to stop processing all options, in the case the first acl +# value has '-' character as first character (for example the '-' +# is a valid domain name) # # Some acl types require suspending the current request in order # to access some external data source. @@ -498,10 +796,10 @@ # # ***** ACL TYPES AVAILABLE ***** # -# acl aclname src ip-address/netmask ... # clients IP address [fast] -# acl aclname src addr1-addr2/netmask ... # range of addresses [fast] -# acl aclname dst ip-address/netmask ... # URL host's IP address [slow] -# acl aclname myip ip-address/netmask ... # local socket IP address [fast] +# acl aclname src ip-address/mask ... # clients IP address [fast] +# acl aclname src addr1-addr2/mask ... # range of addresses [fast] +# acl aclname dst [-n] ip-address/mask ... # URL host's IP address [slow] +# acl aclname localip ip-address/mask ... # IP address the client connected to [fast] # # acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation) # # The arp ACL requires the special configure option --enable-arp-acl. @@ -516,11 +814,11 @@ # # acl aclname srcdomain .foo.com ... # # reverse lookup, from client IP [slow] -# acl aclname dstdomain .foo.com ... +# acl aclname dstdomain [-n] .foo.com ... # # Destination server from URL [fast] # acl aclname srcdom_regex [-i] \.foo\.com ... # # regex matching client name [slow] -# acl aclname dstdom_regex [-i] \.foo\.com ... +# acl aclname dstdom_regex [-n] [-i] \.foo\.com ... # # regex matching server [fast] # # # # For dstdomain and dstdom_regex a reverse lookup is tried if a IP @@ -557,12 +855,16 @@ # # acl aclname url_regex [-i] ^http:// ... # # regex matching on whole URL [fast] +# acl aclname urllogin [-i] [^a-zA-Z0-9] ... +# # regex matching on URL login field # acl aclname urlpath_regex [-i] \.gif$ ... # # regex matching on URL path [fast] # # acl aclname port 80 70 21 0-1024... # destination TCP port [fast] # # ranges are alloed -# acl aclname myport 3128 ... # local socket TCP port [fast] +# acl aclname localport 3128 ... # TCP port the client connected to [fast] +# # NP: for interception mode this is usually '80' +# # acl aclname myportname 3128 ... # http(s)_port name [fast] # # acl aclname proto HTTP FTP ... # request protocol [fast] @@ -632,6 +934,11 @@ # # clients may appear to come from multiple addresses if they are # # going through proxy farms, so a limit of 1 may cause user problems. # +# acl aclname random probability +# # Pseudo-randomly match requests. Based on the probability given. +# # Probability may be written as a decimal (0.333), fraction (1/3) +# # or ratio of matches:non-matches (3:5). +# # acl aclname req_mime_type [-i] mime-type ... # # regex match against the mime type of the request generated # # by the client. Can be used to detect file upload or some @@ -677,6 +984,47 @@ # acl aclname tag tagvalue ... # # string match on tag returned by external acl helper [slow] # +# acl aclname hier_code codename ... +# # string match against squid hierarchy code(s); [fast] +# # e.g., DIRECT, PARENT_HIT, NONE, etc. +# # +# # NOTE: This has no effect in http_access rules. It only has +# # effect in rules that affect the reply data stream such as +# # http_reply_access. +# +# acl aclname note name [value ...] +# # match transaction annotation [fast] +# # Without values, matches any annotation with a given name. +# # With value(s), matches any annotation with a given name that +# # also has one of the given values. +# # Names and values are compared using a string equality test. +# # Annotation sources include note and adaptation_meta directives +# # as well as helper and eCAP responses. +# +# acl aclname any-of acl1 acl2 ... +# # match any one of the acls [fast or slow] +# # The first matching ACL stops further ACL evaluation. +# # +# # ACLs from multiple any-of lines with the same name are ORed. +# # For example, A = (a1 or a2) or (a3 or a4) can be written as +# # acl A any-of a1 a2 +# # acl A any-of a3 a4 +# # +# # This group ACL is fast if all evaluated ACLs in the group are fast +# # and slow otherwise. +# +# acl aclname all-of acl1 acl2 ... +# # match all of the acls [fast or slow] +# # The first mismatching ACL stops further ACL evaluation. +# # +# # ACLs from multiple all-of lines with the same name are ORed. +# # For example, B = (b1 and b2) or (b3 and b4) can be written as +# # acl B all-of b1 b2 +# # acl B all-of b3 b4 +# # +# # This group ACL is fast if all evaluated ACLs in the group are fast +# # and slow otherwise. +# # Examples: # acl macaddress arp 09:00:2b:23:45:67 # acl myexample dst_as 1241 @@ -685,14 +1033,11 @@ # acl javascript rep_mime_type -i ^application/x-javascript$ # #Default: -# acl all src all +# ACLs all, manager, localhost, and to_localhost are predefined. # # # Recommended minimum configuration: # -acl manager proto cache_object -acl localhost src 127.0.0.1/32 ::1 -acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1 # Example rule allowing access from your local networks. # Adapt to list your (internal) IP networks from where browsing @@ -739,8 +1084,8 @@ acl CONNECT method CONNECT # refer to as the indirect client address. This address may # be treated as the client address for access control, ICAP, delay # pools and logging, depending on the acl_uses_indirect_client, -# icap_uses_indirect_client, delay_pool_uses_indirect_client and -# log_uses_indirect_client options. +# icap_uses_indirect_client, delay_pool_uses_indirect_client, +# log_uses_indirect_client and tproxy_uses_indirect_client options. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. @@ -761,7 +1106,7 @@ acl CONNECT method CONNECT # follow_x_forwarded_for allow localhost # follow_x_forwarded_for allow my_other_proxy #Default: -# follow_x_forwarded_for deny all +# X-Forwarded-For header will be ignored. # TAG: acl_uses_indirect_client on|off # Controls whether the indirect client address @@ -775,7 +1120,7 @@ acl CONNECT method CONNECT # TAG: delay_pool_uses_indirect_client on|off # Note: This option is only available if Squid is rebuilt with the -# --enable-follow-x-forwarded-for and --enable-delay-pools option +# --enable-follow-x-forwarded-for and --enable-delay-pools # # Controls whether the indirect client address # (see follow_x_forwarded_for) is used instead of the @@ -790,6 +1135,37 @@ acl CONNECT method CONNECT #Default: # log_uses_indirect_client on +# TAG: tproxy_uses_indirect_client on|off +# Controls whether the indirect client address +# (see follow_x_forwarded_for) is used instead of the +# direct client address when spoofing the outgoing client. +# +# This has no effect on requests arriving in non-tproxy +# mode ports. +# +# SECURITY WARNING: Usage of this option is dangerous +# and should not be used trivially. Correct configuration +# of follow_x_forewarded_for with a limited set of trusted +# sources is required to prevent abuse of your proxy. +#Default: +# tproxy_uses_indirect_client off + +# TAG: spoof_client_ip +# Control client IP address spoofing of TPROXY traffic based on +# defined access lists. +# +# spoof_client_ip allow|deny [!]aclname ... +# +# If there are no "spoof_client_ip" lines present, the default +# is to "allow" spoofing of any suitable request. +# +# Note that the cache_peer "no-tproxy" option overrides this ACL. +# +# This clause supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Allow spoofing on all TPROXY traffic. + # TAG: http_access # Allowing or Denying access based on defined access lists # @@ -812,22 +1188,22 @@ acl CONNECT method CONNECT # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # #Default: -# http_access deny all +# Deny, unless rules exist in squid.conf. # # # Recommended minimum Access Permission configuration: # -# Only allow cachemgr access from localhost -http_access allow manager localhost -http_access deny manager - # Deny requests to certain unsafe ports http_access deny !Safe_ports # Deny CONNECT to other than secure SSL ports http_access deny CONNECT !SSL_ports +# Only allow cachemgr access from localhost +http_access allow localhost manager +http_access deny manager + # We strongly recommend the following be uncommented to protect innocent # web applications running on the proxy server who think the only # one who can access services on "localhost" is a local user @@ -855,7 +1231,7 @@ http_access deny all # # If not set then only http_access is used. #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: http_reply_access # Allow replies to client requests. This is complementary to http_access. @@ -863,7 +1239,7 @@ http_access deny all # http_reply_access allow|deny [!] aclname ... # # NOTE: if there are no access lines present, the default is to allow -# all replies +# all replies. # # If none of the access lines cause a match the opposite of the # last line will apply. Thus it is good practice to end the rules @@ -872,7 +1248,7 @@ http_access deny all # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: icp_access # Allowing or Denying access to the ICP port based on defined @@ -880,7 +1256,9 @@ http_access deny all # # icp_access allow|deny [!]aclname ... # -# See http_access for details +# NOTE: The default if no icp_access lines are present is to +# deny all traffic. This default may cause problems with peers +# using ICP. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. @@ -889,11 +1267,7 @@ http_access deny all ##icp_access allow localnet ##icp_access deny all #Default: -# icp_access deny all -# -#Allow ICP queries from local networks only -icp_access allow localnet -icp_access deny all +# Deny, unless rules exist in squid.conf. # TAG: htcp_access # Allowing or Denying access to the HTCP port based on defined @@ -901,11 +1275,12 @@ icp_access deny all # # htcp_access allow|deny [!]aclname ... # -# See http_access for details +# See also htcp_clr_access for details on access control for +# cache purge (CLR) HTCP messages. # # NOTE: The default if no htcp_access lines are present is to # deny all traffic. This default may cause problems with peers -# using the htcp or htcp-oldsquid options. +# using the htcp option. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. @@ -914,28 +1289,24 @@ icp_access deny all ##htcp_access allow localnet ##htcp_access deny all #Default: -# htcp_access deny all -# -#Allow HTCP queries from local networks only -htcp_access allow localnet -htcp_access deny all +# Deny, unless rules exist in squid.conf. # TAG: htcp_clr_access # Allowing or Denying access to purge content using HTCP based -# on defined access lists +# on defined access lists. +# See htcp_access for details on general HTCP access control. # # htcp_clr_access allow|deny [!]aclname ... # -# See http_access for details -# # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # ## Allow HTCP CLR requests from trusted peers -#acl htcp_clr_peer src 172.16.1.2 +#acl htcp_clr_peer src 192.0.2.2 2001:DB8::2 #htcp_clr_access allow htcp_clr_peer +#htcp_clr_access deny all #Default: -# htcp_clr_access deny all +# Deny, unless rules exist in squid.conf. # TAG: miss_access # Determins whether network access is permitted when satisfying a request. @@ -944,22 +1315,21 @@ htcp_access deny all # to force your neighbors to use you as a sibling instead of # a parent. # -# acl localclients src 172.16.0.0/16 -# miss_access allow localclients +# acl localclients src 192.0.2.0/24 2001:DB8::a:0/64 # miss_access deny !localclients +# miss_access allow all # # This means only your local clients are allowed to fetch relayed/MISS # replies from the network and all other clients can only fetch cached # objects (HITs). # -# # The default for this setting allows all clients who passed the # http_access rules to relay via this proxy. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# miss_access allow all +# Allow, unless rules exist in squid.conf. # TAG: ident_lookup_access # A list of ACL elements which, if matched, cause an ident @@ -983,7 +1353,7 @@ htcp_access deny all # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# ident_lookup_access deny all +# Unless rules exist in squid.conf, IDENT is not fetched. # TAG: reply_body_max_size size [acl acl...] # This option specifies the maximum size of a reply body. It can be @@ -1020,23 +1390,22 @@ htcp_access deny all # reply_body_max_size 10 MB # #Default: -# none +# No limit is applied. # NETWORK OPTIONS # ----------------------------------------------------------------------------- # TAG: http_port -# Usage: port [options] -# hostname:port [options] -# 1.2.3.4:port [options] +# Usage: port [mode] [options] +# hostname:port [mode] [options] +# 1.2.3.4:port [mode] [options] # # The socket addresses where Squid will listen for HTTP client # requests. You may specify multiple socket addresses. # There are three forms: port alone, hostname with port, and # IP address with port. If you specify a hostname or IP # address, Squid binds the socket to that specific -# address. This replaces the old 'tcp_incoming_address' -# option. Most likely, you do not need to bind to a specific +# address. Most likely, you do not need to bind to a specific # address, so you can use the port number alone. # # If you are running Squid in accelerator mode, you @@ -1048,7 +1417,7 @@ htcp_access deny all # # You may specify multiple socket addresses on multiple lines. # -# Options: +# Modes: # # intercept Support for IP-Layer interception of # outgoing requests without browser settings. @@ -1058,38 +1427,161 @@ htcp_access deny all # connections using the client IP address. # NP: disables authentication and maybe IPv6 on the port. # -# accel Accelerator mode. Also needs at least one of -# vhost / vport / defaultsite. +# accel Accelerator / reverse proxy mode # -# allow-direct Allow direct forwarding in accelerator mode. Normally -# accelerated requests are denied direct forwarding as if -# never_direct was used. +# ssl-bump For each CONNECT request allowed by ssl_bump ACLs, +# establish secure connection with the client and with +# the server, decrypt HTTPS messages as they pass through +# Squid, and treat them as unencrypted HTTP messages, +# becoming the man-in-the-middle. +# +# The ssl_bump option is required to fully enable +# bumping of CONNECT requests. +# +# Omitting the mode flag causes default forward proxy mode to be used. +# +# +# Accelerator Mode Options: # # defaultsite=domainname # What to use for the Host: header if it is not present # in a request. Determines what site (not origin server) # accelerators should consider the default. -# Implies accel. # -# vhost Accelerator mode using Host header for virtual domain support. -# Also uses the port as specified in Host: header unless -# overridden by the vport option. Implies accel. +# no-vhost Disable using HTTP/1.1 Host header for virtual domain support. +# +# protocol= Protocol to reconstruct accelerated requests with. +# Defaults to http for http_port and https for +# https_port # # vport Virtual host port support. Using the http_port number -# instead of the port passed on Host: headers. Implies accel. +# instead of the port passed on Host: headers. # # vport=NN Virtual host port support. Using the specified port # number instead of the port passed on Host: headers. -# Implies accel. # -# protocol= Protocol to reconstruct accelerated requests with. -# Defaults to http. +# act-as-origin +# Act as if this Squid is the origin server. +# This currently means generate new Date: and Expires: +# headers on HIT instead of adding Age:. # # ignore-cc Ignore request Cache-Control headers. # -# Warning: This option violates HTTP specifications if +# WARNING: This option violates HTTP specifications if # used in non-accelerator setups. # +# allow-direct Allow direct forwarding in accelerator mode. Normally +# accelerated requests are denied direct forwarding as if +# never_direct was used. +# +# WARNING: this option opens accelerator mode to security +# vulnerabilities usually only affecting in interception +# mode. Make sure to protect forwarding with suitable +# http_access rules when using this. +# +# +# SSL Bump Mode Options: +# In addition to these options ssl-bump requires TLS/SSL options. +# +# generate-host-certificates[=<on|off>] +# Dynamically create SSL server certificates for the +# destination hosts of bumped CONNECT requests.When +# enabled, the cert and key options are used to sign +# generated certificates. Otherwise generated +# certificate will be selfsigned. +# If there is a CA certificate lifetime of the generated +# certificate equals lifetime of the CA certificate. If +# generated certificate is selfsigned lifetime is three +# years. +# This option is enabled by default when ssl-bump is used. +# See the ssl-bump option above for more information. +# +# dynamic_cert_mem_cache_size=SIZE +# Approximate total RAM size spent on cached generated +# certificates. If set to zero, caching is disabled. The +# default value is 4MB. +# +# TLS / SSL Options: +# +# cert= Path to SSL certificate (PEM format). +# +# key= Path to SSL private key file (PEM format) +# if not specified, the certificate file is +# assumed to be a combined certificate and +# key file. +# +# version= The version of SSL/TLS supported +# 1 automatic (default) +# 2 SSLv2 only +# 3 SSLv3 only +# 4 TLSv1.0 only +# 5 TLSv1.1 only +# 6 TLSv1.2 only +# +# cipher= Colon separated list of supported ciphers. +# NOTE: some ciphers such as EDH ciphers depend on +# additional settings. If those settings are +# omitted the ciphers may be silently ignored +# by the OpenSSL library. +# +# options= Various SSL implementation options. The most important +# being: +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# SINGLE_DH_USE Always create a new key when using +# temporary/ephemeral DH key exchanges +# ALL Enable various bug workarounds +# suggested as "harmless" by OpenSSL +# Be warned that this reduces SSL/TLS +# strength to some attacks. +# See OpenSSL SSL_CTX_set_options documentation for a +# complete list of options. +# +# clientca= File containing the list of CAs to use when +# requesting a client certificate. +# +# cafile= File containing additional CA certificates to +# use when verifying client certificates. If unset +# clientca will be used. +# +# capath= Directory containing additional CA certificates +# and CRL lists to use when verifying client certificates. +# +# crlfile= File of additional CRL lists to use when verifying +# the client certificate, in addition to CRLs stored in +# the capath. Implies VERIFY_CRL flag below. +# +# dhparams= File containing DH parameters for temporary/ephemeral +# DH key exchanges. See OpenSSL documentation for details +# on how to create this file. +# WARNING: EDH ciphers will be silently disabled if this +# option is not set. +# +# sslflags= Various flags modifying the use of SSL: +# DELAYED_AUTH +# Don't request client certificates +# immediately, but wait until acl processing +# requires a certificate (not yet implemented). +# NO_DEFAULT_CA +# Don't use the default CA lists built in +# to OpenSSL. +# NO_SESSION_REUSE +# Don't allow for session reuse. Each connection +# will result in a new SSL session. +# VERIFY_CRL +# Verify CRL lists when accepting client +# certificates. +# VERIFY_CRL_ALL +# Verify CRL lists for all certificates in the +# client certificate chain. +# +# sslcontext= SSL session ID context identifier. +# +# Other Options: +# # connection-auth[=on|off] # use connection-auth=off to tell Squid to prevent # forwarding Microsoft connection oriented authentication @@ -1111,22 +1603,6 @@ htcp_access deny all # sporadically hang or never complete requests set # disable-pmtu-discovery option to 'transparent'. # -# ssl-bump Intercept each CONNECT request matching ssl_bump ACL, -# establish secure connection with the client and with -# the server, decrypt HTTP messages as they pass through -# Squid, and treat them as unencrypted HTTP messages, -# becoming the man-in-the-middle. -# -# When this option is enabled, additional options become -# available to specify SSL-related properties of the -# client-side connection: cert, key, version, cipher, -# options, clientca, cafile, capath, crlfile, dhparams, -# sslflags, and sslcontext. See the https_port directive -# for more information on these options. -# -# The ssl_bump option is required to fully enable -# the SslBump feature. -# # name= Specifies a internal name for the port. Defaults to # the port specification (port or addr:port) # @@ -1148,35 +1624,49 @@ http_port 3128 # TAG: https_port # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --enable-ssl # -# Usage: [ip:]port cert=certificate.pem [key=key.pem] [options...] +# Usage: [ip:]port cert=certificate.pem [key=key.pem] [mode] [options...] # -# The socket address where Squid will listen for HTTPS client -# requests. +# The socket address where Squid will listen for client requests made +# over TLS or SSL connections. Commonly referred to as HTTPS. # -# This is really only useful for situations where you are running -# squid in accelerator mode and you want to do the SSL work at the -# accelerator level. +# This is most useful for situations where you are running squid in +# accelerator mode and you want to do the SSL work at the accelerator level. # # You may specify multiple socket addresses on multiple lines, # each with their own SSL certificate and/or options. # -# Options: +# Modes: # -# accel Accelerator mode. Also needs at least one of -# defaultsite or vhost. +# accel Accelerator / reverse proxy mode +# +# intercept Support for IP-Layer interception of +# outgoing requests without browser settings. +# NP: disables authentication and IPv6 on the port. # -# defaultsite= The name of the https site presented on -# this port. Implies accel. +# tproxy Support Linux TPROXY for spoofing outgoing +# connections using the client IP address. +# NP: disables authentication and maybe IPv6 on the port. # -# vhost Accelerator mode using Host header for virtual -# domain support. Requires a wildcard certificate -# or other certificate valid for more than one domain. -# Implies accel. +# ssl-bump For each intercepted connection allowed by ssl_bump +# ACLs, establish a secure connection with the client and with +# the server, decrypt HTTPS messages as they pass through +# Squid, and treat them as unencrypted HTTP messages, +# becoming the man-in-the-middle. # -# protocol= Protocol to reconstruct accelerated requests with. -# Defaults to https. +# An "ssl_bump server-first" match is required to +# fully enable bumping of intercepted SSL connections. +# +# Requires tproxy or intercept. +# +# Omitting the mode flag causes default forward proxy mode to be used. +# +# +# See http_port for a list of generic options +# +# +# SSL Options: # # cert= Path to SSL certificate (PEM format). # @@ -1192,10 +1682,6 @@ http_port 3128 # 4 TLSv1 only # # cipher= Colon separated list of supported ciphers. -# NOTE: some ciphers such as EDH ciphers depend on -# additional settings. If those settings are -# omitted the ciphers may be silently ignored -# by the OpenSSL library. # # options= Various SSL engine options. The most important # being: @@ -1204,8 +1690,8 @@ http_port 3128 # NO_TLSv1 Disallow the use of TLSv1 # SINGLE_DH_USE Always create a new key when using # temporary/ephemeral DH key exchanges -# See OpenSSL SSL_CTX_set_options documentation for a -# complete list of options. +# See src/ssl_support.c or OpenSSL SSL_CTX_set_options +# documentation for a complete list of options. # # clientca= File containing the list of CAs to use when # requesting a client certificate. @@ -1222,10 +1708,7 @@ http_port 3128 # the capath. Implies VERIFY_CRL flag below. # # dhparams= File containing DH parameters for temporary/ephemeral -# DH key exchanges. See OpenSSL documentation for details -# on how to create this file. -# WARNING: EDH ciphers will be silently disabled if this -# option is not set. +# DH key exchanges. # # sslflags= Various flags modifying the use of SSL: # DELAYED_AUTH @@ -1249,38 +1732,29 @@ http_port 3128 # # generate-host-certificates[=<on|off>] # Dynamically create SSL server certificates for the -# destination hosts of bumped CONNECT requests.When +# destination hosts of bumped SSL requests.When # enabled, the cert and key options are used to sign # generated certificates. Otherwise generated # certificate will be selfsigned. -# If there is CA certificate life time of generated +# If there is CA certificate life time of generated # certificate equals lifetime of CA certificate. If -# generated certificate is selfsigned lifetime is three +# generated certificate is selfsigned lifetime is three # years. # This option is enabled by default when SslBump is used. # See the sslBump option above for more information. -# +# # dynamic_cert_mem_cache_size=SIZE # Approximate total RAM size spent on cached generated # certificates. If set to zero, caching is disabled. The -# default value is 4MB. An average XXX-bit certificate -# consumes about XXX bytes of RAM. -# -# vport Accelerator with IP based virtual host support. -# -# vport=NN As above, but uses specified port number rather -# than the https_port number. Implies accel. -# -# name= Specifies a internal name for the port. Defaults to -# the port specification (port or addr:port) +# default value is 4MB. # +# See http_port for a list of available options. #Default: # none # TAG: tcp_outgoing_tos -# Allows you to select a TOS/Diffserv value to mark outgoing -# connections with, based on the username or source address -# making the request. +# Allows you to select a TOS/Diffserv value for packets outgoing +# on the server side, based on an ACL. # # tcp_outgoing_tos ds-field [!]aclname ... # @@ -1303,38 +1777,97 @@ http_port 3128 # # Processing proceeds in the order specified, and stops at first fully # matching line. -# -# Note: The use of this directive using client dependent ACLs is -# incompatible with the use of server side persistent connections. To -# ensure correct results it is best to set server_persisten_connections -# to off when using this directive in such configurations. #Default: # none # TAG: clientside_tos -# Allows you to select a TOS/Diffserv value to mark client-side -# connections with, based on the username or source address -# making the request. +# Allows you to select a TOS/Diffserv value for packets being transmitted +# on the client-side, based on an ACL. +# +# clientside_tos ds-field [!]aclname ... +# +# Example where normal_service_net uses the TOS value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# clientside_tos 0x00 normal_service_net +# clientside_tos 0x20 good_service_net +# +# Note: This feature is incompatible with qos_flows. Any TOS values set here +# will be overwritten by TOS values in qos_flows. #Default: # none -# TAG: qos_flows +# TAG: tcp_outgoing_mark +# Note: This option is only available if Squid is rebuilt with the +# Packet MARK (Linux) +# +# Allows you to apply a Netfilter mark value to outgoing packets +# on the server side, based on an ACL. +# +# tcp_outgoing_mark mark-value [!]aclname ... +# +# Example where normal_service_net uses the mark value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# tcp_outgoing_mark 0x00 normal_service_net +# tcp_outgoing_mark 0x20 good_service_net +#Default: +# none + +# TAG: clientside_mark # Note: This option is only available if Squid is rebuilt with the -# --enable-zph-qos option +# Packet MARK (Linux) # +# Allows you to apply a Netfilter mark value to packets being transmitted +# on the client-side, based on an ACL. +# +# clientside_mark mark-value [!]aclname ... +# +# Example where normal_service_net uses the mark value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# clientside_mark 0x00 normal_service_net +# clientside_mark 0x20 good_service_net +# +# Note: This feature is incompatible with qos_flows. Any mark values set here +# will be overwritten by mark values in qos_flows. +#Default: +# none + +# TAG: qos_flows # Allows you to select a TOS/DSCP value to mark outgoing -# connections with, based on where the reply was sourced. +# connections to the client, based on where the reply was sourced. +# For platforms using netfilter, allows you to set a netfilter mark +# value instead of, or in addition to, a TOS value. +# +# By default this functionality is disabled. To enable it with the default +# settings simply use "qos_flows mark" or "qos_flows tos". Default +# settings will result in the netfilter mark or TOS value being copied +# from the upstream connection to the client. Note that it is the connection +# CONNMARK value not the packet MARK value that is copied. +# +# It is not currently possible to copy the mark or TOS value from the +# client to the upstream connection request. # # TOS values really only have local significance - so you should # know what you're specifying. For more information, see RFC2474, # RFC2475, and RFC3260. # -# The TOS/DSCP byte must be exactly that - octet value 0x00-0xFF. -# Note that in practice often only values up to 0x3F are usable -# as the two highest bits have been redefined for use by ECN -# (RFC3168). +# The TOS/DSCP byte must be exactly that - a octet value 0 - 255. Note that +# in practice often only multiples of 4 is usable as the two rightmost bits +# have been redefined for use by ECN (RFC 3168 section 23.1). +# +# Mark values can be any unsigned 32-bit integer value. +# +# This setting is configured by setting the following values: # -# This setting is configured by setting the source TOS values: +# tos|mark Whether to set TOS or netfilter mark values # # local-hit=0xFF Value to mark local cache hits. # @@ -1342,23 +1875,37 @@ http_port 3128 # # parent-hit=0xFF Value to mark hits from parent peers. # +# miss=0xFF[/mask] Value to mark cache misses. Takes precedence +# over the preserve-miss feature (see below), unless +# mask is specified, in which case only the bits +# specified in the mask are written. # -# NOTE: 'miss' preserve feature is only possible on Linux at this time. -# -# For the following to work correctly, you will need to patch your -# linux kernel with the TOS preserving ZPH patch. -# The kernel patch can be downloaded from http://zph.bratcheda.org +# The TOS variant of the following features are only possible on Linux +# and require your kernel to be patched with the TOS preserving ZPH +# patch, available from http://zph.bratcheda.org +# No patch is needed to preserve the netfilter mark, which will work +# with all variants of netfilter. # # disable-preserve-miss -# By default, the existing TOS value of the response coming -# from the remote server will be retained and masked with -# miss-mark. This option disables that feature. +# This option disables the preservation of the TOS or netfilter +# mark. By default, the existing TOS or netfilter mark value of +# the response coming from the remote server will be retained +# and masked with miss-mark. +# NOTE: in the case of a netfilter mark, the mark must be set on +# the connection (using the CONNMARK target) not on the packet +# (MARK target). # # miss-mask=0xFF -# Allows you to mask certain bits in the TOS received from the -# remote server, before copying the value to the TOS sent -# towards clients. -# Default: 0xFF (TOS from server is not changed). +# Allows you to mask certain bits in the TOS or mark value +# received from the remote server, before copying the value to +# the TOS sent towards clients. +# Default for tos: 0xFF (TOS from server is not changed). +# Default for mark: 0xFFFFFFFF (mark from server is not changed). +# +# All of these features require the --enable-zph-qos compilation flag +# (enabled by default). Netfilter marking also requires the +# libnetfilter_conntrack libraries (--with-netfilter-conntrack) and +# libcap 2.09+ (--with-libcap). # #Default: # none @@ -1370,72 +1917,133 @@ http_port 3128 # # tcp_outgoing_address ipaddr [[!]aclname] ... # -# Example where requests from 10.0.0.0/24 will be forwarded -# with source address 10.1.0.1, 10.0.2.0/24 forwarded with -# source address 10.1.0.2 and the rest will be forwarded with -# source address 10.1.0.3. -# -# acl normal_service_net src 10.0.0.0/24 -# acl good_service_net src 10.0.2.0/24 -# tcp_outgoing_address 10.1.0.1 normal_service_net -# tcp_outgoing_address 10.1.0.2 good_service_net -# tcp_outgoing_address 10.1.0.3 -# -# Processing proceeds in the order specified, and stops at first fully -# matching line. -# -# Note: The use of this directive using client dependent ACLs is -# incompatible with the use of server side persistent connections. To -# ensure correct results it is best to set server_persistent_connections -# to off when using this directive in such configurations. -# +# For example; +# Forwarding clients with dedicated IPs for certain subnets. # -# IPv6 Magic: +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.2.0/24 # -# Squid is built with a capability of bridging the IPv4 and IPv6 -# internets. -# tcp_outgoing_address as exampled above breaks this bridging by forcing -# all outbound traffic through a certain IPv4 which may be on the wrong -# side of the IPv4/IPv6 boundary. +# tcp_outgoing_address 2001:db8::c001 good_service_net +# tcp_outgoing_address 10.1.0.2 good_service_net # -# To operate with tcp_outgoing_address and keep the bridging benefits -# an additional ACL needs to be used which ensures the IPv6-bound traffic -# is never forced or permitted out the IPv4 interface. +# tcp_outgoing_address 2001:db8::beef normal_service_net +# tcp_outgoing_address 10.1.0.1 normal_service_net # -# # IPv6 destination test along with a dummy access control to perofrm the required DNS -# # This MUST be place before any ALLOW rules. -# acl to_ipv6 dst ipv6 -# http_access deny ipv6 !all +# tcp_outgoing_address 2001:db8::1 +# tcp_outgoing_address 10.1.0.3 # -# tcp_outgoing_address 2001:db8::c001 good_service_net to_ipv6 -# tcp_outgoing_address 10.1.0.2 good_service_net !to_ipv6 +# Processing proceeds in the order specified, and stops at first fully +# matching line. # -# tcp_outgoing_address 2001:db8::beef normal_service_net to_ipv6 -# tcp_outgoing_address 10.1.0.1 normal_service_net !to_ipv6 +# Squid will add an implicit IP version test to each line. +# Requests going to IPv4 websites will use the outgoing 10.1.0.* addresses. +# Requests going to IPv6 websites will use the outgoing 2001:db8:* addresses. # -# tcp_outgoing_address 2001:db8::1 to_ipv6 -# tcp_outgoing_address 10.1.0.3 !to_ipv6 # -# WARNING: -# 'dst ipv6' bases its selection assuming DIRECT access. -# If peers are used the peername ACL are needed to select outgoing -# address which can link to the peer. +# NOTE: The use of this directive using client dependent ACLs is +# incompatible with the use of server side persistent connections. To +# ensure correct results it is best to set server_persistent_connections +# to off when using this directive in such configurations. # -# 'dst ipv6' is a slow ACL. It will only work here if 'dst' is used -# previously in the http_access rules to locate the destination IP. -# Some more magic may be needed for that: -# http_access allow to_ipv6 !all -# (meaning, allow if to IPv6 but not from anywhere ;) +# NOTE: The use of this directive to set a local IP on outgoing TCP links +# is incompatible with using TPROXY to set client IP out outbound TCP links. +# When needing to contact peers use the no-tproxy cache_peer option and the +# client_dst_passthru directive re-enable normal forwarding such as this. # #Default: -# none +# Address selection is performed by the operating system. + +# TAG: host_verify_strict +# Regardless of this option setting, when dealing with intercepted +# traffic, Squid always verifies that the destination IP address matches +# the Host header domain or IP (called 'authority form URL'). +# +# This enforcement is performed to satisfy a MUST-level requirement in +# RFC 2616 section 14.23: "The Host field value MUST represent the naming +# authority of the origin server or gateway given by the original URL". +# +# When set to ON: +# Squid always responds with an HTTP 409 (Conflict) error +# page and logs a security warning if there is no match. +# +# Squid verifies that the destination IP address matches +# the Host header for forward-proxy and reverse-proxy traffic +# as well. For those traffic types, Squid also enables the +# following checks, comparing the corresponding Host header +# and Request-URI components: +# +# * The host names (domain or IP) must be identical, +# but valueless or missing Host header disables all checks. +# For the two host names to match, both must be either IP +# or FQDN. +# +# * Port numbers must be identical, but if a port is missing +# the scheme-default port is assumed. +# +# +# When set to OFF (the default): +# Squid allows suspicious requests to continue but logs a +# security warning and blocks caching of the response. +# +# * Forward-proxy traffic is not checked at all. +# +# * Reverse-proxy traffic is not checked at all. +# +# * Intercepted traffic which passes verification is handled +# according to client_dst_passthru. +# +# * Intercepted requests which fail verification are sent +# to the client original destination instead of DIRECT. +# This overrides 'client_dst_passthru off'. +# +# For now suspicious intercepted CONNECT requests are always +# responded to with an HTTP 409 (Conflict) error page. +# +# +# SECURITY NOTE: +# +# As described in CVE-2009-0801 when the Host: header alone is used +# to determine the destination of a request it becomes trivial for +# malicious scripts on remote websites to bypass browser same-origin +# security policy and sandboxing protections. +# +# The cause of this is that such applets are allowed to perform their +# own HTTP stack, in which case the same-origin policy of the browser +# sandbox only verifies that the applet tries to contact the same IP +# as from where it was loaded at the IP level. The Host: header may +# be different from the connected IP and approved origin. +# +#Default: +# host_verify_strict off + +# TAG: client_dst_passthru +# With NAT or TPROXY intercepted traffic Squid may pass the request +# directly to the original client destination IP or seek a faster +# source using the HTTP Host header. +# +# Using Host to locate alternative servers can provide faster +# connectivity with a range of failure recovery options. +# But can also lead to connectivity trouble when the client and +# server are attempting stateful interactions unaware of the proxy. +# +# This option (on by default) prevents alternative DNS entries being +# located to send intercepted traffic DIRECT to an origin server. +# The clients original destination IP and port will be used instead. +# +# Regardless of this option setting, when dealing with intercepted +# traffic Squid will verify the Host: header and any traffic which +# fails Host verification will be treated as if this option were ON. +# +# see host_verify_strict for details on the verification process. +#Default: +# client_dst_passthru on # SSL OPTIONS # ----------------------------------------------------------------------------- # TAG: ssl_unclean_shutdown # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --enable-ssl # # Some browsers (especially MSIE) bugs out on SSL shutdown # messages. @@ -1444,7 +2052,7 @@ http_port 3128 # TAG: ssl_engine # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --enable-ssl # # The OpenSSL engine to use. You will need to set this if you # would like to use hardware SSL acceleration for example. @@ -1453,7 +2061,7 @@ http_port 3128 # TAG: sslproxy_client_certificate # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --enable-ssl # # Client SSL Certificate to use when proxying https:// URLs #Default: @@ -1461,7 +2069,7 @@ http_port 3128 # TAG: sslproxy_client_key # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --enable-ssl # # Client SSL Key to use when proxying https:// URLs #Default: @@ -1469,28 +2077,45 @@ http_port 3128 # TAG: sslproxy_version # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --enable-ssl # # SSL version level to use when proxying https:// URLs +# +# The versions of SSL/TLS supported: +# +# 1 automatic (default) +# 2 SSLv2 only +# 3 SSLv3 only +# 4 TLSv1.0 only +# 5 TLSv1.1 only +# 6 TLSv1.2 only #Default: -# sslproxy_version 1 +# automatic SSL/TLS version negotiation # TAG: sslproxy_options # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --enable-ssl # -# SSL engine options to use when proxying https:// URLs +# SSL implementation options to use when proxying https:// URLs # # The most important being: # -# NO_SSLv2 Disallow the use of SSLv2 -# NO_SSLv3 Disallow the use of SSLv3 -# NO_TLSv1 Disallow the use of TLSv1 -# SINGLE_DH_USE -# Always create a new key when using -# temporary/ephemeral DH key exchanges +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# SINGLE_DH_USE +# Always create a new key when using temporary/ephemeral +# DH key exchanges +# SSL_OP_NO_TICKET +# Disable use of RFC5077 session tickets. Some servers +# may have problems understanding the TLS extension due +# to ambiguous specification in RFC4507. +# ALL Enable various bug workarounds suggested as "harmless" +# by OpenSSL. Be warned that this may reduce SSL/TLS +# strength to some attacks. # -# These options vary depending on your SSL engine. # See the OpenSSL SSL_CTX_set_options documentation for a # complete list of possible options. #Default: @@ -1498,7 +2123,7 @@ http_port 3128 # TAG: sslproxy_cipher # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --enable-ssl # # SSL cipher list to use when proxying https:// URLs # @@ -1508,7 +2133,7 @@ http_port 3128 # TAG: sslproxy_cafile # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --enable-ssl # # file containing CA certificates to use when verifying server # certificates while proxying https:// URLs @@ -1517,7 +2142,7 @@ http_port 3128 # TAG: sslproxy_capath # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --enable-ssl # # directory containing CA certificates to use when verifying # server certificates while proxying https:// URLs @@ -1526,36 +2151,64 @@ http_port 3128 # TAG: ssl_bump # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --enable-ssl # -# This ACL controls which CONNECT requests to an http_port -# marked with an sslBump flag are actually "bumped". Please -# see the sslBump flag of an http_port option for more details -# about decoding proxied SSL connections. +# This option is consulted when a CONNECT request is received on +# an http_port (or a new connection is intercepted at an +# https_port), provided that port was configured with an ssl-bump +# flag. The subsequent data on the connection is either treated as +# HTTPS and decrypted OR tunneled at TCP level without decryption, +# depending on the first bumping "mode" which ACLs match. # -# By default, no requests are bumped. +# ssl_bump <mode> [!]acl ... +# +# The following bumping modes are supported: +# +# client-first +# Allow bumping of the connection. Establish a secure connection +# with the client first, then connect to the server. This old mode +# does not allow Squid to mimic server SSL certificate and does +# not work with intercepted SSL connections. +# +# server-first +# Allow bumping of the connection. Establish a secure connection +# with the server first, then establish a secure connection with +# the client, using a mimicked server certificate. Works with both +# CONNECT requests and intercepted SSL connections. +# +# none +# Become a TCP tunnel without decoding the connection. +# Works with both CONNECT requests and intercepted SSL +# connections. This is the default behavior when no +# ssl_bump option is given or no ssl_bump ACLs match. +# +# By default, no connections are bumped. +# +# The first matching ssl_bump option wins. If no ACLs match, the +# connection is not bumped. Unlike most allow/deny ACL lists, ssl_bump +# does not have an implicit "negate the last given option" rule. You +# must make that rule explicit if you convert old ssl_bump allow/deny +# rules that rely on such an implicit rule. # -# See also: http_port ssl-bump -# # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # +# See also: http_port ssl-bump, https_port ssl-bump # -# # Example: Bump all requests except those originating from localhost and -# # those going to webax.com or example.com sites. # -# acl localhost src 127.0.0.1/32 -# acl broken_sites dstdomain .webax.com +# # Example: Bump all requests except those originating from +# # localhost or those going to example.com. +# # acl broken_sites dstdomain .example.com -# ssl_bump deny localhost -# ssl_bump deny broken_sites -# ssl_bump allow all +# ssl_bump none localhost +# ssl_bump none broken_sites +# ssl_bump server-first all #Default: -# none +# Does not bump unless rules are present in squid.conf # TAG: sslproxy_flags # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --enable-ssl # # Various flags modifying the use of SSL while proxying https:// URLs: # DONT_VERIFY_PEER Accept certificates that fail verification. @@ -1567,16 +2220,16 @@ http_port 3128 # TAG: sslproxy_cert_error # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --enable-ssl # # Use this ACL to bypass server certificate validation errors. # # For example, the following lines will bypass all validation errors -# when talking to servers located at 172.16.0.0/16. All other +# when talking to servers for example.com. All other # validation errors will result in ERR_SECURE_CONNECT_FAIL error. # -# acl BrokenServersAtTrustedIP dst 172.16.0.0/16 -# sslproxy_cert_error allow BrokenServersAtTrustedIP +# acl BrokenButTrustedServers dstdomain example.com +# sslproxy_cert_error allow BrokenButTrustedServers # sslproxy_cert_error deny all # # This clause only supports fast acl types. @@ -1584,19 +2237,107 @@ http_port 3128 # Using slow acl types may result in server crashes # # Without this option, all server certificate validation errors -# terminate the transaction. Bypassing validation errors is dangerous -# because an error usually implies that the server cannot be trusted and -# the connection may be insecure. +# terminate the transaction to protect Squid and the client. +# +# SQUID_X509_V_ERR_INFINITE_VALIDATION error cannot be bypassed +# but should not happen unless your OpenSSL library is buggy. +# +# SECURITY WARNING: +# Bypassing validation errors is dangerous because an +# error usually implies that the server cannot be trusted +# and the connection may be insecure. # # See also: sslproxy_flags and DONT_VERIFY_PEER. +#Default: +# Server certificate errors terminate the transaction. + +# TAG: sslproxy_cert_sign +# Note: This option is only available if Squid is rebuilt with the +# --enable-ssl +# +# +# sslproxy_cert_sign <signing algorithm> acl ... +# +# The following certificate signing algorithms are supported: # -# Default setting: sslproxy_cert_error deny all +# signTrusted +# Sign using the configured CA certificate which is usually +# placed in and trusted by end-user browsers. This is the +# default for trusted origin server certificates. +# +# signUntrusted +# Sign to guarantee an X509_V_ERR_CERT_UNTRUSTED browser error. +# This is the default for untrusted origin server certificates +# that are not self-signed (see ssl::certUntrusted). +# +# signSelf +# Sign using a self-signed certificate with the right CN to +# generate a X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT error in the +# browser. This is the default for self-signed origin server +# certificates (see ssl::certSelfSigned). +# +# This clause only supports fast acl types. +# +# When sslproxy_cert_sign acl(s) match, Squid uses the corresponding +# signing algorithm to generate the certificate and ignores all +# subsequent sslproxy_cert_sign options (the first match wins). If no +# acl(s) match, the default signing algorithm is determined by errors +# detected when obtaining and validating the origin server certificate. +# +# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can +# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a +# CONNECT request that carries a domain name. In all other cases (CONNECT +# to an IP address or an intercepted SSL connection), Squid cannot detect +# the domain mismatch at certificate generation time when +# bump-server-first is used. +#Default: +# none + +# TAG: sslproxy_cert_adapt +# Note: This option is only available if Squid is rebuilt with the +# --enable-ssl +# +# +# sslproxy_cert_adapt <adaptation algorithm> acl ... +# +# The following certificate adaptation algorithms are supported: +# +# setValidAfter +# Sets the "Not After" property to the "Not After" property of +# the CA certificate used to sign generated certificates. +# +# setValidBefore +# Sets the "Not Before" property to the "Not Before" property of +# the CA certificate used to sign generated certificates. +# +# setCommonName or setCommonName{CN} +# Sets Subject.CN property to the host name specified as a +# CN parameter or, if no explicit CN parameter was specified, +# extracted from the CONNECT request. It is a misconfiguration +# to use setCommonName without an explicit parameter for +# intercepted or tproxied SSL connections. +# +# This clause only supports fast acl types. +# +# Squid first groups sslproxy_cert_adapt options by adaptation algorithm. +# Within a group, when sslproxy_cert_adapt acl(s) match, Squid uses the +# corresponding adaptation algorithm to generate the certificate and +# ignores all subsequent sslproxy_cert_adapt options in that algorithm's +# group (i.e., the first match wins within each algorithm group). If no +# acl(s) match, the default mimicking action takes place. +# +# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can +# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a +# CONNECT request that carries a domain name. In all other cases (CONNECT +# to an IP address or an intercepted SSL connection), Squid cannot detect +# the domain mismatch at certificate generation time when +# bump-server-first is used. #Default: # none # TAG: sslpassword_program # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --enable-ssl # # Specify a program used for entering SSL key passphrases # when using encrypted SSL certificate keys. If not specified @@ -1609,12 +2350,12 @@ http_port 3128 #Default: # none -#OPTIONS RELATING TO EXTERNAL SSL_CRTD -#----------------------------------------------------------------------------- +# OPTIONS RELATING TO EXTERNAL SSL_CRTD +# ----------------------------------------------------------------------------- # TAG: sslcrtd_program # Note: This option is only available if Squid is rebuilt with the -# -DUSE_SSL_CRTD define +# --enable-ssl-crtd # # Specify the location and options of the executable for ssl_crtd process. # /usr/libexec/ssl_crtd program requires -s and -M parameters @@ -1625,14 +2366,90 @@ http_port 3128 # TAG: sslcrtd_children # Note: This option is only available if Squid is rebuilt with the -# -DUSE_SSL_CRTD define +# --enable-ssl-crtd # # The maximum number of processes spawn to service ssl server. # The maximum this may be safely set to is 32. # +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup=N +# +# Sets the minimum number of processes to spawn when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few children temporary slows Squid under load while it +# tries to spawn enough additional processes to cope with traffic. +# +# idle=N +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# # You must have at least one ssl_crtd process. #Default: -# sslcrtd_children 5 +# sslcrtd_children 32 startup=5 idle=1 + +# TAG: sslcrtvalidator_program +# Note: This option is only available if Squid is rebuilt with the +# --enable-ssl +# +# Specify the location and options of the executable for ssl_crt_validator +# process. +# +# Usage: sslcrtvalidator_program [ttl=n] [cache=n] path ... +# +# Options: +# ttl=n TTL in seconds for cached results. The default is 60 secs +# cache=n limit the result cache size. The default value is 2048 +#Default: +# none + +# TAG: sslcrtvalidator_children +# Note: This option is only available if Squid is rebuilt with the +# --enable-ssl +# +# The maximum number of processes spawn to service SSL server. +# The maximum this may be safely set to is 32. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup=N +# +# Sets the minimum number of processes to spawn when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few children temporary slows Squid under load while it +# tries to spawn enough additional processes to cope with traffic. +# +# idle=N +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# +# The number of requests each certificate validator helper can handle in +# parallel. A value of 0 indicates the certficate validator does not +# support concurrency. Defaults to 1. +# +# When this directive is set to a value >= 1 then the protocol +# used to communicate with the helper is modified to include +# a request ID in front of the request/response. The request +# ID from the request must be echoed back with the response +# to that request. +# +# You must have at least one ssl_crt_validator process. +#Default: +# sslcrtvalidator_children 32 startup=5 idle=1 concurrency=1 # OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM # ----------------------------------------------------------------------------- @@ -1694,22 +2511,23 @@ http_port 3128 # # htcp Send HTCP, instead of ICP, queries to the neighbor. # You probably also want to set the "icp-port" to 4827 -# instead of 3130. +# instead of 3130. This directive accepts a comma separated +# list of options described below. # -# htcp-oldsquid Send HTCP to old Squid versions. +# htcp=oldsquid Send HTCP to old Squid versions (2.5 or earlier). # -# htcp-no-clr Send HTCP to the neighbor but without +# htcp=no-clr Send HTCP to the neighbor but without # sending any CLR requests. This cannot be used with -# htcp-only-clr. +# only-clr. # -# htcp-only-clr Send HTCP to the neighbor but ONLY CLR requests. -# This cannot be used with htcp-no-clr. +# htcp=only-clr Send HTCP to the neighbor but ONLY CLR requests. +# This cannot be used with no-clr. # -# htcp-no-purge-clr +# htcp=no-purge-clr # Send HTCP to the neighbor including CLRs but only when # they do not result from PURGE requests. # -# htcp-forward-clr +# htcp=forward-clr # Forward any HTCP CLR requests this proxy receives to the peer. # # @@ -1782,6 +2600,14 @@ http_port 3128 # than the Squid default location. # # +# ==== CARP OPTIONS ==== +# +# carp-key=key-specification +# use a different key than the full URL to hash against the peer. +# the key-specification is a comma-separated list of the keywords +# scheme, host, port, path, params +# Order is not important. +# # ==== ACCELERATOR / REVERSE-PROXY OPTIONS ==== # # originserver Causes this parent to be contacted as an origin server. @@ -1809,20 +2635,23 @@ http_port 3128 # Note: The string can include URL escapes (i.e. %20 for # spaces). This also means % must be written as %%. # -# login=PROXYPASS +# login=PASSTHRU # Send login details received from client to this peer. -# Authentication is not required, nor changed. +# Both Proxy- and WWW-Authorization headers are passed +# without alteration to the peer. +# Authentication is not required by Squid for this to work. # # Note: This will pass any form of authentication but # only Basic auth will work through a proxy unless the # connection-auth options are also used. -# +# # login=PASS Send login details received from client to this peer. # Authentication is not required by this option. +# # If there are no client-provided authentication headers # to pass on, but username and password are available -# from either proxy login or an external ACL user= and -# password= result tags they may be sent instead. +# from an external ACL user= and password= result tags +# they may be sent instead. # # Note: To combine this with proxy_auth both proxies must # share the same user database as HTTP only allows for @@ -1840,6 +2669,27 @@ http_port 3128 # be used to identify this proxy to the peer, similar to # the login=username:password option above. # +# login=NEGOTIATE +# If this is a personal/workgroup proxy and your parent +# requires a secure proxy authentication. +# The first principal from the default keytab or defined by +# the environment variable KRB5_KTNAME will be used. +# +# WARNING: The connection may transmit requests from multiple +# clients. Negotiate often assumes end-to-end authentication +# and a single-client. Which is not strictly true here. +# +# login=NEGOTIATE:principal_name +# If this is a personal/workgroup proxy and your parent +# requires a secure proxy authentication. +# The principal principal_name from the default keytab or +# defined by the environment variable KRB5_KTNAME will be +# used. +# +# WARNING: The connection may transmit requests from multiple +# clients. Negotiate often assumes end-to-end authentication +# and a single-client. Which is not strictly true here. +# # connection-auth=on|off # Tell Squid that this peer does or not support Microsoft # connection oriented authentication, and any such @@ -1862,22 +2712,35 @@ http_port 3128 # reference a combined file containing both the # certificate and the key. # -# sslversion=1|2|3|4 +# sslversion=1|2|3|4|5|6 # The SSL version to use when connecting to this peer # 1 = automatic (default) # 2 = SSL v2 only # 3 = SSL v3 only -# 4 = TLS v1 only +# 4 = TLS v1.0 only +# 5 = TLS v1.1 only +# 6 = TLS v1.2 only # # sslcipher=... The list of valid SSL ciphers to use when connecting # to this peer. # -# ssloptions=... Specify various SSL engine options: -# NO_SSLv2 Disallow the use of SSLv2 -# NO_SSLv3 Disallow the use of SSLv3 -# NO_TLSv1 Disallow the use of TLSv1 -# See src/ssl_support.c or the OpenSSL documentation for -# a more complete list. +# ssloptions=... Specify various SSL implementation options: +# +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# SINGLE_DH_USE +# Always create a new key when using +# temporary/ephemeral DH key exchanges +# ALL Enable various bug workarounds +# suggested as "harmless" by OpenSSL +# Be warned that this reduces SSL/TLS +# strength to some attacks. +# +# See the OpenSSL SSL_CTX_set_options documentation for a +# more complete list. # # sslcafile=... A file containing additional CA certificates to use # when verifying the peer certificate. @@ -1944,6 +2807,7 @@ http_port 3128 # # no-tproxy Do not use the client-spoof TPROXY support when forwarding # requests to this peer. Use normal address selection instead. +# This overrides the spoof_client_ip ACL. # # proxy-only objects fetched from the peer will not be stored locally. # @@ -1952,10 +2816,11 @@ http_port 3128 # TAG: cache_peer_domain # Use to limit the domains for which a neighbor cache will be -# queried. Usage: +# queried. # -# cache_peer_domain cache-host domain [domain ...] -# cache_peer_domain cache-host !domain +# Usage: +# cache_peer_domain cache-host domain [domain ...] +# cache_peer_domain cache-host !domain # # For example, specifying # @@ -1983,7 +2848,8 @@ http_port 3128 # Similar to 'cache_peer_domain' but provides more flexibility by # using ACL elements. # -# cache_peer_access cache-host allow|deny [!]aclname ... +# Usage: +# cache_peer_access cache-host allow|deny [!]aclname ... # # The syntax is identical to 'http_access' and the other lists of # ACL elements. See the comments for 'http_access' below, or @@ -1992,21 +2858,20 @@ http_port 3128 # none # TAG: neighbor_type_domain -# usage: neighbor_type_domain neighbor parent|sibling domain domain ... +# Modify the cache_peer neighbor type when passing requests +# about specific domains to the peer. # -# Modifying the neighbor type for specific domains is now -# possible. You can treat some domains differently than the the -# default neighbor type specified on the 'cache_peer' line. -# Normally it should only be necessary to list domains which -# should be treated differently because the default neighbor type -# applies for hostnames which do not match domains listed here. +# Usage: +# neighbor_type_domain neighbor parent|sibling domain domain ... # -#EXAMPLE: -# cache_peer cache.foo.org parent 3128 3130 -# neighbor_type_domain cache.foo.org sibling .com .net -# neighbor_type_domain cache.foo.org sibling .au .de +# For example: +# cache_peer foo.example.com parent 3128 3130 +# neighbor_type_domain foo.example.com sibling .au .de +# +# The above configuration treats all requests to foo.example.com as a +# parent proxy unless the request is for a .au or .de ccTLD domain name. #Default: -# none +# The peer type from cache_peer directive is used for all requests to that peer. # TAG: dead_peer_timeout (seconds) # This controls how long Squid waits to declare a peer cache @@ -2029,6 +2894,9 @@ http_port 3128 # TAG: forward_max_tries # Controls how many different forward paths Squid will try # before giving up. See also forward_timeout. +# +# NOTE: connect_retries (default: none) can make each of these +# possible forwarding paths be tried multiple times. #Default: # forward_max_tries 10 @@ -2078,6 +2946,11 @@ http_port 3128 # decreases, blocks will be freed until the high-water mark is # reached. Thereafter, blocks will be used to store hot # objects. +# +# If shared memory caching is enabled, Squid does not use the shared +# cache space for in-transit objects, but they still consume as much +# local memory as they need. For more details about the shared memory +# cache, see memory_cache_shared. #Default: # cache_mem 256 MB @@ -2089,11 +2962,47 @@ http_port 3128 #Default: # maximum_object_size_in_memory 512 KB +# TAG: memory_cache_shared on|off +# Controls whether the memory cache is shared among SMP workers. +# +# The shared memory cache is meant to occupy cache_mem bytes and replace +# the non-shared memory cache, although some entities may still be +# cached locally by workers for now (e.g., internal and in-transit +# objects may be served from a local memory cache even if shared memory +# caching is enabled). +# +# By default, the memory cache is shared if and only if all of the +# following conditions are satisfied: Squid runs in SMP mode with +# multiple workers, cache_mem is positive, and Squid environment +# supports required IPC primitives (e.g., POSIX shared memory segments +# and GCC-style atomic operations). +# +# To avoid blocking locks, shared memory uses opportunistic algorithms +# that do not guarantee that every cachable entity that could have been +# shared among SMP workers will actually be shared. +# +# Currently, entities exceeding 32KB in size cannot be shared. +#Default: +# "on" where supported if doing memory caching with multiple SMP workers. + +# TAG: memory_cache_mode +# Controls which objects to keep in the memory cache (cache_mem) +# +# always Keep most recently fetched objects in memory (default) +# +# disk Only disk cache hits are kept in memory, which means +# an object must first be cached on disk and then hit +# a second time before cached in memory. +# +# network Only objects fetched from network is kept in memory +#Default: +# Keep the most recently fetched objects in memory + # TAG: memory_replacement_policy # The memory replacement policy parameter determines which # objects are purged from memory when memory space is needed. # -# See cache_replacement_policy for details. +# See cache_replacement_policy for details on algorithms. #Default: # memory_replacement_policy lru @@ -2109,7 +3018,7 @@ http_port 3128 # heap LFUDA: Least Frequently Used with Dynamic Aging # heap LRU : LRU policy implemented using a heap # -# Applies to any cache_dir lines listed below this. +# Applies to any cache_dir lines listed below this directive. # # The LRU policies keeps recently referenced objects. # @@ -2128,7 +3037,7 @@ http_port 3128 # replacement policies. # # NOTE: if using the LFUDA replacement policy you should increase -# the value of maximum_object_size above its default of 4096 KB to +# the value of maximum_object_size above its default of 4 MB to # to maximize the potential byte hit rate improvement of LFUDA. # # For more information about the GDSF and LFUDA cache replacement @@ -2137,10 +3046,33 @@ http_port 3128 #Default: # cache_replacement_policy lru +# TAG: minimum_object_size (bytes) +# Objects smaller than this size will NOT be saved on disk. The +# value is specified in bytes, and the default is 0 KB, which +# means all responses can be stored. +#Default: +# no limit + +# TAG: maximum_object_size (bytes) +# Set the default value for max-size parameter on any cache_dir. +# The value is specified in bytes, and the default is 4 MB. +# +# If you wish to get a high BYTES hit ratio, you should probably +# increase this (one 32 MB object hit counts for 3200 10KB +# hits). +# +# If you wish to increase hit ratio more than you want to +# save bandwidth you should leave this low. +# +# NOTE: if using the LFUDA replacement policy you should increase +# this value to maximize the byte hit rate improvement of LFUDA! +# See cache_replacement_policy for a discussion of this policy. +#Default: +# maximum_object_size 4 MB + # TAG: cache_dir -# Usage: -# -# cache_dir Type Directory-Name Fs-specific-data [options] +# Format: +# cache_dir Type Directory-Name Fs-specific-data [options] # # You can specify multiple cache_dir lines to spread the # cache among different disk partitions. @@ -2155,12 +3087,18 @@ http_port 3128 # The directory must exist and be writable by the Squid # process. Squid will NOT create this directory for you. # -# The ufs store type: +# In SMP configurations, cache_dir must not precede the workers option +# and should use configuration macros or conditionals to give each +# worker interested in disk caching a dedicated cache directory. +# +# +# ==== The ufs store type ==== # # "ufs" is the old well-known Squid storage format that has always # been there. # -# cache_dir ufs Directory-Name Mbytes L1 L2 [options] +# Usage: +# cache_dir ufs Directory-Name Mbytes L1 L2 [options] # # 'Mbytes' is the amount of disk space (MB) to use under this # directory. The default is 100 MB. Change this to suit your @@ -2175,23 +3113,27 @@ http_port 3128 # will be created under each first-level directory. The default # is 256. # -# The aufs store type: +# +# ==== The aufs store type ==== # # "aufs" uses the same storage format as "ufs", utilizing # POSIX-threads to avoid blocking the main Squid process on # disk-I/O. This was formerly known in Squid as async-io. # -# cache_dir aufs Directory-Name Mbytes L1 L2 [options] +# Usage: +# cache_dir aufs Directory-Name Mbytes L1 L2 [options] # # see argument descriptions under ufs above # -# The diskd store type: +# +# ==== The diskd store type ==== # # "diskd" uses the same storage format as "ufs", utilizing a # separate process to avoid blocking the main Squid process on # disk-I/O. # -# cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n] +# Usage: +# cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n] # # see argument descriptions under ufs above # @@ -2209,7 +3151,49 @@ http_port 3128 # higher hit ratio at the expense of an increase in response # time. # -# The coss store type: +# +# ==== The rock store type ==== +# +# Usage: +# cache_dir rock Directory-Name Mbytes <max-size=bytes> [options] +# +# The Rock Store type is a database-style storage. All cached +# entries are stored in a "database" file, using fixed-size slots, +# one entry per slot. The database size is specified in MB. The +# slot size is specified in bytes using the max-size option. See +# below for more info on the max-size option. +# +# If possible, Squid using Rock Store creates a dedicated kid +# process called "disker" to avoid blocking Squid worker(s) on disk +# I/O. One disker kid is created for each rock cache_dir. Diskers +# are created only when Squid, running in daemon mode, has support +# for the IpcIo disk I/O module. +# +# swap-timeout=msec: Squid will not start writing a miss to or +# reading a hit from disk if it estimates that the swap operation +# will take more than the specified number of milliseconds. By +# default and when set to zero, disables the disk I/O time limit +# enforcement. Ignored when using blocking I/O module because +# blocking synchronous I/O does not allow Squid to estimate the +# expected swap wait time. +# +# max-swap-rate=swaps/sec: Artificially limits disk access using +# the specified I/O rate limit. Swap out requests that +# would cause the average I/O rate to exceed the limit are +# delayed. Individual swap in requests (i.e., hits or reads) are +# not delayed, but they do contribute to measured swap rate and +# since they are placed in the same FIFO queue as swap out +# requests, they may wait longer if max-swap-rate is smaller. +# This is necessary on file systems that buffer "too +# many" writes and then start blocking Squid and other processes +# while committing those writes to disk. Usually used together +# with swap-timeout to avoid excessive delays and queue overflows +# when disk demand exceeds available disk "bandwidth". By default +# and when set to zero, disables the disk I/O rate limit +# enforcement. Currently supported by IpcIo module only. +# +# +# ==== The coss store type ==== # # NP: COSS filesystem in Squid-3 has been deemed too unstable for # production use and has thus been removed from this release. @@ -2227,25 +3211,80 @@ http_port 3128 # called 'stripe' in the directory names in the config - and # this will be created by squid -z. # -# Common options: # -# no-store, no new objects should be stored to this cache_dir +# ==== COMMON OPTIONS ==== +# +# no-store no new objects should be stored to this cache_dir. +# +# min-size=n the minimum object size in bytes this cache_dir +# will accept. It's used to restrict a cache_dir +# to only store large objects (e.g. AUFS) while +# other stores are optimized for smaller objects +# (e.g. COSS). +# Defaults to 0. +# +# max-size=n the maximum object size in bytes this cache_dir +# supports. +# The value in maximum_object_size directive sets +# the default unless more specific details are +# available (ie a small store capacity). # -# max-size=n, refers to the max object size in bytes this cache_dir -# supports. It is used to select the cache_dir to store the object. # Note: To make optimal use of the max-size limits you should order -# the cache_dir lines with the smallest max-size value first and the -# ones with no max-size specification last. +# the cache_dir lines with the smallest max-size value first. # # Note for coss, max-size must be less than COSS_MEMBUF_SZ, # which can be changed with the --with-coss-membuf-size=N configure # option. # #Default: -cache_dir ufs /var/cache/squid/ 256 16 256 +# No disk cache. Store cache ojects only in memory. +# + +# Uncomment and adjust the following to add a disk cache directory. +cache_dir ufs /var/cache/squid 256 16 256 # TAG: store_dir_select_algorithm -# Set this to 'round-robin' as an alternative. +# How Squid selects which cache_dir to use when the response +# object will fit into more than one. +# +# Regardless of which algorithm is used the cache_dir min-size +# and max-size parameters are obeyed. As such they can affect +# the selection algorithm by limiting the set of considered +# cache_dir. +# +# Algorithms: +# +# least-load +# +# This algorithm is suited to caches with similar cache_dir +# sizes and disk speeds. +# +# The disk with the least I/O pending is selected. +# When there are multiple disks with the same I/O load ranking +# the cache_dir with most available capacity is selected. +# +# When a mix of cache_dir sizes are configured the faster disks +# have a naturally lower I/O loading and larger disks have more +# capacity. So space used to store objects and data throughput +# may be very unbalanced towards larger disks. +# +# +# round-robin +# +# This algorithm is suited to caches with unequal cache_dir +# disk sizes. +# +# Each cache_dir is selected in a rotation. The next suitable +# cache_dir is used. +# +# Available cache_dir capacity is only considered in relation +# to whether the object will fit and meets the min-size and +# max-size parameters. +# +# Disk I/O loading is only considered to prevent overload on slow +# disks. This algorithm does not spread objects by size, so any +# I/O loading per-disk may appear very unbalanced and volatile. +# #Default: # store_dir_select_algorithm least-load @@ -2256,36 +3295,26 @@ cache_dir ufs /var/cache/squid/ 256 16 256 # # A value of 0 indicates no limit. #Default: -# max_open_disk_fds 0 - -# TAG: minimum_object_size (bytes) -# Objects smaller than this size will NOT be saved on disk. The -# value is specified in kilobytes, and the default is 0 KB, which -# means there is no minimum. -#Default: -# minimum_object_size 0 KB - -# TAG: maximum_object_size (bytes) -# Objects larger than this size will NOT be saved on disk. The -# value is specified in kilobytes, and the default is 4MB. If -# you wish to get a high BYTES hit ratio, you should probably -# increase this (one 32 MB object hit counts for 3200 10KB -# hits). If you wish to increase speed more than your want to -# save bandwidth you should leave this low. -# -# NOTE: if using the LFUDA replacement policy you should increase -# this value to maximize the byte hit rate improvement of LFUDA! -# See replacement_policy below for a discussion of this policy. -#Default: -# maximum_object_size 4096 KB +# no limit # TAG: cache_swap_low (percent, 0-100) +# The low-water mark for cache object replacement. +# Replacement begins when the swap (disk) usage is above the +# low-water mark and attempts to maintain utilization near the +# low-water mark. As swap utilization gets close to high-water +# mark object eviction becomes more aggressive. If utilization is +# close to the low-water mark less replacement is done each time. +# +# Defaults are 90% and 95%. If you have a large cache, 5% could be +# hundreds of MB. If this is the case you may wish to set these +# numbers closer together. +# +# See also cache_swap_high #Default: # cache_swap_low 90 # TAG: cache_swap_high (percent, 0-100) -# -# The low- and high-water marks for cache object replacement. +# The high-water mark for cache object replacement. # Replacement begins when the swap (disk) usage is above the # low-water mark and attempts to maintain utilization near the # low-water mark. As swap utilization gets close to high-water @@ -2295,6 +3324,8 @@ cache_dir ufs /var/cache/squid/ 256 16 256 # Defaults are 90% and 95%. If you have a large cache, 5% could be # hundreds of MB. If this is the case you may wish to set these # numbers closer together. +# +# See also cache_swap_low #Default: # cache_swap_high 95 @@ -2324,21 +3355,62 @@ cache_dir ufs /var/cache/squid/ 256 16 256 # ' output as-is # # - left aligned -# width field width. If starting with 0 the -# output is zero padded +# +# width minimum and/or maximum field width: +# [width_min][.width_max] +# When minimum starts with 0, the field is zero-padded. +# String values exceeding maximum width are truncated. +# # {arg} argument such as header name etc # # Format codes: # # % a literal % character +# sn Unique sequence number per log line entry +# err_code The ID of an error response served by Squid or +# a similar internal error identifier. +# err_detail Additional err_code-dependent error information. +# note The annotation specified by the argument. Also +# logs the adaptation meta headers set by the +# adaptation_meta configuration parameter. +# If no argument given all annotations logged. +# The argument may include a separator to use with +# annotation values: +# name[:separator] +# By default, multiple note values are separated with "," +# and multiple notes are separated with "\r\n". +# When logging named notes with %{name}note, the +# explicitly configured separator is used between note +# values. When logging all notes with %note, the +# explicitly configured separator is used between +# individual notes. There is currently no way to +# specify both value and notes separators when logging +# all notes with %note. +# +# Connection related format codes: +# # >a Client source IP address # >A Client FQDN # >p Client source port -# <A Server IP address or peer name -# la Local IP address (http_port) -# lp Local port number (http_port) +# >eui Client source EUI (MAC address, EUI-48 or EUI-64 identifier) +# >la Local IP address the client connected to +# >lp Local port number the client connected to +# >qos Client connection TOS/DSCP value set by Squid +# >nfmark Client connection netfilter mark set by Squid +# +# la Local listening IP address the client connection was connected to. +# lp Local listening port number the client connection was connected to. +# +# <a Server IP address of the last server or peer connection +# <A Server FQDN or peer name +# <p Server port number of the last server or peer connection # <la Local IP address of the last server or peer connection # <lp Local port number of the last server or peer connection +# <qos Server connection TOS/DSCP value set by Squid +# <nfmark Server connection netfilter mark set by Squid +# +# Time related format codes: +# # ts Seconds since epoch # tu subsecond time (milliseconds) # tl Local time. Optional strftime format argument @@ -2348,30 +3420,50 @@ cache_dir ufs /var/cache/squid/ 256 16 256 # tr Response time (milliseconds) # dt Total time spent making DNS lookups (milliseconds) # -# HTTP cache related format codes: -# -# [http::]>h Original request header. Optional header name argument -# on the format header[:[separator]element] -# [http::]>ha The HTTP request headers after adaptation and redirection. +# Access Control related format codes: +# +# et Tag returned by external acl +# ea Log string returned by external acl +# un User name (any available) +# ul User name from authentication +# ue User name from external acl helper +# ui User name from ident +# us User name from SSL +# +# HTTP related format codes: +# +# [http::]>h Original received request header. +# Usually differs from the request header sent by +# Squid, although most fields are often preserved. +# Accepts optional header field name/value filter +# argument using name[:[separator]element] format. +# [http::]>ha Received request header after adaptation and +# redirection (pre-cache REQMOD vectoring point). +# Usually differs from the request header sent by +# Squid, although most fields are often preserved. # Optional header name argument as for >h # [http::]<h Reply header. Optional header name argument # as for >h -# [http::]un User name -# [http::]ul User name from authentication -# [http::]ui User name from ident -# [http::]us User name from SSL -# [http::]ue User name from external acl helper # [http::]>Hs HTTP status code sent to the client # [http::]<Hs HTTP status code received from the next hop -# [http::]Ss Squid request status (TCP_MISS etc) -# [http::]Sh Squid hierarchy status (DEFAULT_PARENT etc) +# [http::]<bs Number of HTTP-equivalent message body bytes +# received from the next hop, excluding chunked +# transfer encoding and control messages. +# Generated FTP/Gopher listings are treated as +# received bodies. # [http::]mt MIME content type # [http::]rm Request method (GET/POST etc) -# [http::]ru Request URL +# [http::]>rm Request method from client +# [http::]<rm Request method sent to server or peer +# [http::]ru Request URL from client (historic, filtered for logging) +# [http::]>ru Request URL from client +# [http::]<ru Request URL sent to server or peer # [http::]rp Request URL-Path excluding hostname +# [http::]>rp Request URL-Path excluding hostname from client +# [http::]<rp Request URL-Path excluding hostname sento to server or peer # [http::]rv Request protocol version -# [http::]et Tag returned by external acl -# [http::]ea Log string returned by external acl +# [http::]>rv Request protocol version from client +# [http::]<rv Request protocol version sent to server or peer # [http::]<st Sent reply size including HTTP headers # [http::]>st Received request size including HTTP headers. In the # case of chunked requests the chunked encoding metadata @@ -2389,7 +3481,30 @@ cache_dir ufs /var/cache/squid/ 256 16 256 # sent to the first selected peer. The timer stops # with the last I/O with the last peer. # -# If ICAP is enabled, the following two codes become available (as +# Squid handling related format codes: +# +# Ss Squid request status (TCP_MISS etc) +# Sh Squid hierarchy status (DEFAULT_PARENT etc) +# +# SSL-related format codes: +# +# ssl::bump_mode SslBump decision for the transaction: +# +# For CONNECT requests that initiated bumping of +# a connection and for any request received on +# an already bumped connection, Squid logs the +# corresponding SslBump mode ("server-first" or +# "client-first"). See the ssl_bump option for +# more information about these modes. +# +# A "none" token is logged for requests that +# triggered "ssl_bump" ACL evaluation matching +# either a "none" rule or no rules at all. +# +# In all other cases, a single dash ("-") is +# logged. +# +# If ICAP is enabled, the following code becomes available (as # well as ICAP log codes documented with the icap_log option): # # icap::tt Total ICAP processing time for the HTTP @@ -2397,14 +3512,13 @@ cache_dir ufs /var/cache/squid/ 256 16 256 # ACLs are checked and when ICAP # transaction is in progress. # -# icap::<last_h The header of the last ICAP response -# related to the HTTP transaction. Like -# <h, accepts an optional header name -# argument. Will not change semantics -# when multiple ICAP transactions per HTTP -# transaction are supported. +# If adaptation is enabled the following three codes become available: # -# If adaptation is enabled the following two codes become available: +# adapt::<last_h The header of the last ICAP response or +# meta-information from the last eCAP +# transaction related to the HTTP transaction. +# Like <h, accepts an optional header name +# argument. # # adapt::sum_trs Summed adaptation transaction response # times recorded as a comma-separated list in @@ -2428,47 +3542,122 @@ cache_dir ufs /var/cache/squid/ 256 16 256 # service name in curly braces to record response time(s) specific # to that service. For example: %{my_service}adapt::sum_trs # +# If SSL is enabled, the following formating codes become available: +# +# %ssl::>cert_subject The Subject field of the received client +# SSL certificate or a dash ('-') if Squid has +# received an invalid/malformed certificate or +# no certificate at all. Consider encoding the +# logged value because Subject often has spaces. +# +# %ssl::>cert_issuer The Issuer field of the received client +# SSL certificate or a dash ('-') if Squid has +# received an invalid/malformed certificate or +# no certificate at all. Consider encoding the +# logged value because Issuer often has spaces. +# # The default formats available (which do not need re-defining) are: # -#logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt -#logformat squidmime %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt [%>h] [%<h] -#logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh -#logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh +#logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt +#logformat common %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh +#logformat combined %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh +#logformat referrer %ts.%03tu %>a %{Referer}>h %ru +#logformat useragent %>a [%tl] "%{User-Agent}>h" +# +# NOTE: When the log_mime_hdrs directive is set to ON. +# The squid, common and combined formats have a safely encoded copy +# of the mime headers appended to each line within a pair of brackets. +# +# NOTE: The common and combined formats are not quite true to the Apache definition. +# The logs from Squid contain an extra status and hierarchy code appended. +# #Default: -# none +# The format definitions squid, common, combined, referrer, useragent are built in. # TAG: access_log -# These files log client request activities. Has a line every HTTP or -# ICP request. The format is: -# access_log <filepath> [<logformat name> [acl acl ...]] -# access_log none [acl acl ...]] +# Configures whether and how Squid logs HTTP and ICP transactions. +# If access logging is enabled, a single line is logged for every +# matching HTTP or ICP request. The recommended directive formats are: # -# Will log to the specified file using the specified format (which -# must be defined in a logformat directive) those entries which match -# ALL the acl's specified (which must be defined in acl clauses). +# access_log <module>:<place> [option ...] [acl acl ...] +# access_log none [acl acl ...] # -# If no acl is specified, all requests will be logged to this file. +# The following directive format is accepted but may be deprecated: +# access_log <module>:<place> [<logformat name> [acl acl ...]] # -# To disable logging of a request use the filepath "none", in which case -# a logformat name should not be specified. +# In most cases, the first ACL name must not contain the '=' character +# and should not be equal to an existing logformat name. You can always +# start with an 'all' ACL to work around those restrictions. +# +# Will log to the specified module:place using the specified format (which +# must be defined in a logformat directive) those entries which match +# ALL the acl's specified (which must be defined in acl clauses). +# If no acl is specified, all requests will be logged to this destination. +# +# ===== Available options for the recommended directive format ===== +# +# logformat=name Names log line format (either built-in or +# defined by a logformat directive). Defaults +# to 'squid'. +# +# buffer-size=64KB Defines approximate buffering limit for log +# records (see buffered_logs). Squid should not +# keep more than the specified size and, hence, +# should flush records before the buffer becomes +# full to avoid overflows under normal +# conditions (the exact flushing algorithm is +# module-dependent though). The on-error option +# controls overflow handling. +# +# on-error=die|drop Defines action on unrecoverable errors. The +# 'drop' action ignores (i.e., does not log) +# affected log records. The default 'die' action +# kills the affected worker. The drop action +# support has not been tested for modules other +# than tcp. +# +# ===== Modules Currently available ===== +# +# none Do not log any requests matching these ACL. +# Do not specify Place or logformat name. +# +# stdio Write each log line to disk immediately at the completion of +# each request. +# Place: the filename and path to be written. +# +# daemon Very similar to stdio. But instead of writing to disk the log +# line is passed to a daemon helper for asychronous handling instead. +# Place: varies depending on the daemon. +# +# log_file_daemon Place: the file name and path to be written. +# +# syslog To log each request via syslog facility. +# Place: The syslog facility and priority level for these entries. +# Place Format: facility.priority # -# To log the request via syslog specify a filepath of "syslog": +# where facility could be any of: +# authpriv, daemon, local0 ... local7 or user. # -# access_log syslog[:facility.priority] [format [acl1 [acl2 ....]]] -# where facility could be any of: -# authpriv, daemon, local0 .. local7 or user. +# And priority could be any of: +# err, warning, notice, info, debug. +# +# udp To send each log line as text data to a UDP receiver. +# Place: The destination host name or IP and port. +# Place Format: //host:port # -# And priority could be any of: -# err, warning, notice, info, debug. +# tcp To send each log line as text data to a TCP receiver. +# Lines may be accumulated before sending (see buffered_logs). +# Place: The destination host name or IP and port. +# Place Format: //host:port # # Default: -# access_log /var/log/squid/access.log squid +# access_log daemon:/var/log/squid/access.log squid #Default: -access_log /var/log/squid/access.log squid +# access_log daemon:/var/log/squid/access.log squid # TAG: icap_log # Note: This option is only available if Squid is rebuilt with the -# --enable-icap-client option +# --enable-icap-client # # ICAP log files record ICAP transaction summaries, one line per # transaction. @@ -2513,6 +3702,13 @@ access_log /var/log/squid/access.log squid # payload only; i.e., what Squid reads from # the socket). # +# icap::<bs Number of message body bytes received from the +# ICAP server. ICAP message body, if any, usually +# includes encapsulated HTTP message headers and +# possibly encapsulated HTTP message body. The +# HTTP body part is dechunked before its size is +# computed. +# # icap::tr Transaction response time (in # milliseconds). The timer starts when # the ICAP transaction is created and @@ -2543,40 +3739,61 @@ access_log /var/log/squid/access.log squid # #logformat icap_squid %ts.%03tu %6icap::tr %>a %icap::to/%03icap::Hs %icap::<size %icap::rm %icap::ru% %un -/%icap::<A - # -# See also: logformat, log_icap, and %icap::<last_h +# See also: logformat, log_icap, and %adapt::<last_h #Default: # none -# TAG: log_access allow|deny acl acl... -# This options allows you to control which requests gets logged -# to access.log (see access_log directive). Requests denied for -# logging will also not be accounted for in performance counters. +# TAG: logfile_daemon +# Specify the path to the logfile-writing daemon. This daemon is +# used to write the access and store logs, if configured. # -# This clause only supports fast acl types. -# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# Squid sends a number of commands to the log daemon: +# L<data>\n - logfile data +# R\n - rotate file +# T\n - truncate file +# O\n - reopen file +# F\n - flush file +# r<n>\n - set rotate count to <n> +# b<n>\n - 1 = buffer output, 0 = don't buffer output +# +# No responses is expected. +#Default: +# logfile_daemon /usr/libexec/log_file_daemon + +# TAG: log_access +# Remove this line. Use acls with access_log directives to control access logging #Default: # none # TAG: log_icap -# Note: This option is only available if Squid is rebuilt with the -# --enable-icap-client option -# -# This options allows you to control which requests get logged -# to icap.log. See the icap_log directive for ICAP log details. +# Remove this line. Use acls with icap_log directives to control icap logging #Default: # none +# TAG: stats_collection allow|deny acl acl... +# This options allows you to control which requests gets accounted +# in performance counters. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Allow logging for all transactions. + # TAG: cache_store_log # Logs the activities of the storage manager. Shows which # objects are ejected from the cache, and which objects are -# saved and for how long. To disable, enter "none" or remove the line. +# saved and for how long. # There are not really utilities to analyze this data, so you can safely -# disable it. -# +# disable it (the default). +# +# Store log uses modular logging outputs. See access_log for the list +# of modules supported. +# # Example: -# cache_store_log /var/log/squid/store.log +# cache_store_log stdio:/var/log/squid/store.log +# cache_store_log daemon:/var/log/squid/store.log #Default: -cache_store_log /var/log/squid/store.log +# none # TAG: cache_swap_state # Location for the cache "swap.state" file. This index file holds @@ -2607,7 +3824,7 @@ cache_store_log /var/log/squid/store.log # them). We recommend you do NOT use this option. It is # better to keep these index files in each 'cache_dir' directory. #Default: -# none +# Store the journal inside its cache_dir # TAG: logfile_rotate # Specifies the number of logfile rotations to make when you @@ -2624,31 +3841,26 @@ cache_store_log /var/log/squid/store.log # in the habit of using 'squid -k rotate' instead of 'kill -USR1 # <pid>'. # -# Note, from Squid-3.1 this option has no effect on the cache.log, -# that log can be rotated separately by using debug_options +# Note, from Squid-3.1 this option is only a default for cache.log, +# that log can be rotated separately by using debug_options. #Default: -logfile_rotate 0 +# logfile_rotate 10 -# TAG: emulate_httpd_log on|off -# The Cache can emulate the log file format which many 'httpd' -# programs use. To disable/enable this emulation, set -# emulate_httpd_log to 'off' or 'on'. The default -# is to use the native log format since it includes useful -# information Squid-specific log analyzers use. +# TAG: emulate_httpd_log +# Replace this with an access_log directive using the format 'common' or 'combined'. #Default: -# emulate_httpd_log off +# none -# TAG: log_ip_on_direct on|off -# Log the destination IP address in the hierarchy log tag when going -# direct. Earlier Squid versions logged the hostname here. If you -# prefer the old way set this to off. +# TAG: log_ip_on_direct +# Remove this option from your config. To log server or peer names use %<A in the log format. #Default: -# log_ip_on_direct on +# none # TAG: mime_table -# Pathname to Squid's MIME table. You shouldn't need to change -# this, but the default file contains examples and formatting -# information if you do. +# Path to Squid's icon configuration file. +# +# You shouldn't need to change this, but the default file contains +# examples and formatting information if you do. #Default: # mime_table /etc/squid/mime.conf @@ -2662,24 +3874,12 @@ logfile_rotate 0 # log_mime_hdrs off # TAG: useragent_log -# Note: This option is only available if Squid is rebuilt with the -# --enable-useragent-log option -# -# Squid will write the User-Agent field from HTTP requests -# to the filename specified here. By default useragent_log -# is disabled. +# Replace this with an access_log directive using the format 'useragent'. #Default: # none # TAG: referer_log -# Note: This option is only available if Squid is rebuilt with the -# --enable-referer-log option -# -# Squid will write the Referer field from HTTP requests to the -# filename specified here. By default referer_log is disabled. -# Note that "referer" is actually a misspelling of "referrer" -# however the misspelt version has been accepted into the HTTP RFCs -# and we accept both. +# Replace this with an access_log directive using the format 'referrer'. #Default: # none @@ -2688,14 +3888,10 @@ logfile_rotate 0 #Default: pid_filename /var/run/squid/squid.pid -# TAG: log_fqdn on|off -# Turn this on if you wish to log fully qualified domain names -# in the access.log. To do this Squid does a DNS lookup of all -# IP's connecting to it. This can (in some situations) increase -# latency, which makes your cache seem slower for interactive -# browsing. +# TAG: log_fqdn +# Remove this option from your config. To log FQDN use %>A in the log format. #Default: -# log_fqdn off +# none # TAG: client_netmask # A netmask for client addresses in logfiles and cachemgr output. @@ -2703,51 +3899,60 @@ pid_filename /var/run/squid/squid.pid # A netmask of 255.255.255.0 will log all IP's in that range with # the last digit set to '0'. #Default: -# client_netmask no_addr +# Log full client IP address # TAG: forward_log -# Note: This option is only available if Squid is rebuilt with the -# -DWIP_FWD_LOG define -# -# Logs the server-side requests. -# -# This is currently work in progress. +# Use a regular access.log with ACL limiting it to MISS events. #Default: # none # TAG: strip_query_terms # By default, Squid strips query terms from requested URLs before -# logging. This protects your user's privacy. +# logging. This protects your user's privacy and reduces log size. +# +# When investigating HIT/MISS or other caching behaviour you +# will need to disable this to see the full URL used by Squid. #Default: # strip_query_terms on # TAG: buffered_logs on|off -# cache.log log file is written with stdio functions, and as such -# it can be buffered or unbuffered. By default it will be unbuffered. -# Buffering it can speed up the writing slightly (though you are -# unlikely to need to worry unless you run with tons of debugging -# enabled in which case performance will suffer badly anyway..). +# Whether to write/send access_log records ASAP or accumulate them and +# then write/send them in larger chunks. Buffering may improve +# performance because it decreases the number of I/Os. However, +# buffering increases the delay before log records become available to +# the final recipient (e.g., a disk file or logging daemon) and, +# hence, increases the risk of log records loss. +# +# Note that even when buffered_logs are off, Squid may have to buffer +# records if it cannot write/send them immediately due to pending I/Os +# (e.g., the I/O writing the previous log record) or connectivity loss. +# +# Currently honored by 'daemon' and 'tcp' access_log modules only. #Default: # buffered_logs off # TAG: netdb_filename # Note: This option is only available if Squid is rebuilt with the -# --enable-icmp option +# --enable-icmp +# +# Where Squid stores it's netdb journal. +# When enabled this journal preserves netdb state between restarts. # -# A filename where Squid stores it's netdb state between restarts. # To disable, enter "none". #Default: -# netdb_filename /var/log/squid/netdb.state +# netdb_filename stdio:/var/log/squid/netdb.state # OPTIONS FOR TROUBLESHOOTING # ----------------------------------------------------------------------------- # TAG: cache_log -# Cache logging file. This is where general information about -# your cache's behavior goes. You can increase the amount of data -# logged to this file and how often its rotated with "debug_options" +# Squid administrative logging file. +# +# This is where general information about Squid behavior goes. You can +# increase the amount of data logged to this file and how often it is +# rotated with "debug_options" #Default: -cache_log /var/log/squid/cache.log +# cache_log /var/log/squid/cache.log # TAG: debug_options # Logging options are set as section,level where each source file @@ -2756,14 +3961,14 @@ cache_log /var/log/squid/cache.log # log file, so be careful. # # The magic word "ALL" sets debugging levels for all sections. -# We recommend normally running with "ALL,1". +# The default is to run with "ALL,1" to record important warnings. # # The rotate=N option can be used to keep more or less of these logs # than would otherwise be kept by logfile_rotate. # For most uses a single log should be enough to monitor current # events affecting Squid. #Default: -# debug_options ALL,1 +# Log all critical and important messages. # TAG: coredump_dir # By default Squid leaves core files in the directory from where @@ -2772,35 +3977,28 @@ cache_log /var/log/squid/cache.log # and coredump files will be left there. # #Default: -# coredump_dir none +# Use the directory from where Squid was started. # # Leave coredumps in the first cache dir -coredump_dir /var/log/squid/cache +coredump_dir /var/log/squid/cache/squid # OPTIONS FOR FTP GATEWAYING # ----------------------------------------------------------------------------- # TAG: ftp_user # If you want the anonymous login password to be more informative -# (and enable the use of picky ftp servers), set this to something +# (and enable the use of picky FTP servers), set this to something # reasonable for your domain, like wwwuser@somewhere.net # # The reason why this is domainless by default is the # request can be made on the behalf of a user in any domain, # depending on how the cache is used. -# Some ftp server also validate the email address is valid +# Some FTP server also validate the email address is valid # (for example perl.com). #Default: # ftp_user Squid@ -# TAG: ftp_list_width -# Sets the width of ftp listings. This should be set to fit in -# the width of a standard browser. Setting this too small -# can cut off long filenames when browsing ftp sites. -#Default: -# ftp_list_width 32 - # TAG: ftp_passive # If your firewall does not allow Squid to use passive # connections, turn off this option. @@ -2904,7 +4102,7 @@ coredump_dir /var/log/squid/cache # TAG: pinger_program # Note: This option is only available if Squid is rebuilt with the -# --enable-icmp option +# --enable-icmp # # Specify the location of the executable for the pinger process. #Default: @@ -2912,13 +4110,13 @@ coredump_dir /var/log/squid/cache # TAG: pinger_enable # Note: This option is only available if Squid is rebuilt with the -# --enable-icmp option +# --enable-icmp # # Control whether the pinger is active at run-time. # Enables turning ICMP pinger on and off with a simple # squid -k reconfigure. #Default: -# pinger_enable off +# pinger_enable on # OPTIONS FOR URL REWRITING # ----------------------------------------------------------------------------- @@ -2929,68 +4127,132 @@ coredump_dir /var/log/squid/cache # # For each requested URL, the rewriter will receive on line with the format # -# URL <SP> client_ip "/" fqdn <SP> user <SP> method [<SP> kvpairs]<NL> +# [channel-ID <SP>] URL <SP> client_ip "/" fqdn <SP> user <SP> method [<SP> kv-pairs]<NL> +# +# +# After processing the request the helper must reply using the following format: +# +# [channel-ID <SP>] result [<SP> kv-pairs] +# +# The result code can be: +# +# OK status=30N url="..." +# Redirect the URL to the one supplied in 'url='. +# 'status=' is optional and contains the status code to send +# the client in Squids HTTP response. It must be one of the +# HTTP redirect status codes: 301, 302, 303, 307, 308. +# When no status is given Squid will use 302. +# +# OK rewrite-url="..." +# Rewrite the URL to the one supplied in 'rewrite-url='. +# The new URL is fetched directly by Squid and returned to +# the client as the response to its request. # -# In the future, the rewriter interface will be extended with -# key=value pairs ("kvpairs" shown above). Rewriter programs +# OK +# When neither of url= and rewrite-url= are sent Squid does +# not change the URL. +# +# ERR +# Do not change the URL. +# +# BH +# An internal error occurred in the helper, preventing +# a result being identified. The 'message=' key name is +# reserved for delivering a log message. +# +# +# In the future, the interface protocol will be extended with +# key=value pairs ("kv-pairs" shown above). Helper programs # should be prepared to receive and possibly ignore additional # whitespace-separated tokens on each input line. # -# And the rewriter may return a rewritten URL. The other components of -# the request line does not need to be returned (ignored if they are). +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. # -# The rewriter can also indicate that a client-side redirect should -# be performed to the new URL. This is done by prefixing the returned -# URL with "301:" (moved permanently) or 302: (moved temporarily), etc. +# WARNING: URL re-writing ability should be avoided whenever possible. +# Use the URL redirect form of response instead. +# +# Re-write creates a difference in the state held by the client +# and server. Possibly causing confusion when the server response +# contains snippets of its view state. Embeded URLs, response +# and content Location headers, etc. are not re-written by this +# interface. # # By default, a URL rewriter is not used. #Default: # none # TAG: url_rewrite_children -# The number of redirector processes to spawn. If you start -# too few Squid will have to wait for them to process a backlog of -# URLs, slowing it down. If you start too many they will use RAM -# and other system resources. -#Default: -# url_rewrite_children 5 - -# TAG: url_rewrite_concurrency +# The maximum number of redirector processes to spawn. If you limit +# it too few Squid will have to wait for them to process a backlog of +# URLs, slowing it down. If you allow too many they will use RAM +# and other system resources noticably. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup= +# +# Sets a minimum of how many processes are to be spawned when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few will cause an initial slowdown in traffic as Squid +# attempts to simultaneously spawn enough processes to cope. +# +# idle= +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# # The number of requests each redirector helper can handle in # parallel. Defaults to 0 which indicates the redirector # is a old-style single threaded redirector. # # When this directive is set to a value >= 1 then the protocol # used to communicate with the helper is modified to include -# a request ID in front of the request/response. The request -# ID from the request must be echoed back with the response -# to that request. +# an ID in front of the request/response. The ID from the request +# must be echoed back with the response to that request. #Default: -# url_rewrite_concurrency 0 +# url_rewrite_children 20 startup=0 idle=1 concurrency=0 # TAG: url_rewrite_host_header -# By default Squid rewrites any Host: header in redirected -# requests. If you are running an accelerator this may -# not be a wanted effect of a redirector. -# +# To preserve same-origin security policies in browsers and +# prevent Host: header forgery by redirectors Squid rewrites +# any Host: header in redirected requests. +# +# If you are running an accelerator this may not be a wanted +# effect of a redirector. This directive enables you disable +# Host: alteration in reverse-proxy traffic. +# # WARNING: Entries are cached on the result of the URL rewriting # process, so be careful if you have domain-virtual hosts. +# +# WARNING: Squid and other software verifies the URL and Host +# are matching, so be careful not to relay through other proxies +# or inspecting firewalls with this disabled. #Default: # url_rewrite_host_header on # TAG: url_rewrite_access # If defined, this access list specifies which requests are -# sent to the redirector processes. By default all requests -# are sent. +# sent to the redirector processes. # # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: url_rewrite_bypass # When this is 'on', a request will not go through the -# redirector if all redirectors are busy. If this is 'off' +# redirector if all the helpers are busy. If this is 'off' # and the redirector queue grows too large, Squid will exit # with a FATAL error and ask you to increase the number of # redirectors. You should only enable this if the redirectors @@ -3001,6 +4263,114 @@ coredump_dir /var/log/squid/cache #Default: # url_rewrite_bypass off +# OPTIONS FOR STORE ID +# ----------------------------------------------------------------------------- + +# TAG: store_id_program +# Specify the location of the executable StoreID helper to use. +# Since they can perform almost any function there isn't one included. +# +# For each requested URL, the helper will receive one line with the format +# +# [channel-ID <SP>] URL <SP> client_ip "/" fqdn <SP> user <SP> method [<SP> kv-pairs]<NL> +# +# +# After processing the request the helper must reply using the following format: +# +# [channel-ID <SP>] result [<SP> kv-pairs] +# +# The result code can be: +# +# OK store-id="..." +# Use the StoreID supplied in 'store-id='. +# +# ERR +# The default is to use HTTP request URL as the store ID. +# +# BH +# An internal error occured in the helper, preventing +# a result being identified. +# +# +# Helper programs should be prepared to receive and possibly ignore additional +# kv-pairs with keys they do not support. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# NOTE: when using StoreID refresh_pattern will apply to the StoreID +# returned from the helper and not the URL. +# +# WARNING: Wrong StoreID value returned by a careless helper may result +# in the wrong cached response returned to the user. +# +# By default, a StoreID helper is not used. +#Default: +# none + +# TAG: store_id_children +# The maximum number of StoreID helper processes to spawn. If you limit +# it too few Squid will have to wait for them to process a backlog of +# requests, slowing it down. If you allow too many they will use RAM +# and other system resources noticably. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup= +# +# Sets a minimum of how many processes are to be spawned when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few will cause an initial slowdown in traffic as Squid +# attempts to simultaneously spawn enough processes to cope. +# +# idle= +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# +# The number of requests each storeID helper can handle in +# parallel. Defaults to 0 which indicates the helper +# is a old-style single threaded program. +# +# When this directive is set to a value >= 1 then the protocol +# used to communicate with the helper is modified to include +# an ID in front of the request/response. The ID from the request +# must be echoed back with the response to that request. +#Default: +# store_id_children 20 startup=0 idle=1 concurrency=0 + +# TAG: store_id_access +# If defined, this access list specifies which requests are +# sent to the StoreID processes. By default all requests +# are sent. +# +# This clause supports both fast and slow acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Allow, unless rules exist in squid.conf. + +# TAG: store_id_bypass +# When this is 'on', a request will not go through the +# helper if all helpers are busy. If this is 'off' +# and the helper queue grows too large, Squid will exit +# with a FATAL error and ask you to increase the number of +# helpers. You should only enable this if the helperss +# are not critical to your caching system. If you use +# helpers for critical caching components, and you enable this +# option, users may not get objects from cache. +#Default: +# store_id_bypass on + # OPTIONS FOR TUNING THE CACHE # ----------------------------------------------------------------------------- @@ -3012,12 +4382,17 @@ coredump_dir /var/log/squid/cache # You must use the words 'allow' or 'deny' to indicate whether items # matching the ACL should be allowed or denied into the cache. # -# Default is to allow all to be cached. -# # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow caching, unless rules exist in squid.conf. + +# TAG: max_stale time-units +# This option puts an upper limit on how stale content Squid +# will serve from the cache if cache validation fails. +# Can be overriden by the refresh_pattern max-stale option. +#Default: +# max_stale 1 week # TAG: refresh_pattern # usage: refresh_pattern [-i] regex min percent max [options] @@ -3042,12 +4417,13 @@ coredump_dir /var/log/squid/cache # override-lastmod # reload-into-ims # ignore-reload -# ignore-no-cache # ignore-no-store # ignore-must-revalidate # ignore-private # ignore-auth +# max-stale=NN # refresh-ims +# store-stale # # override-expire enforces min age even if the server # sent an explicit expiry time (e.g., with the @@ -3063,22 +4439,18 @@ coredump_dir /var/log/squid/cache # override-lastmod enforces min age even on objects # that were modified recently. # -# reload-into-ims changes client no-cache or ``reload'' -# to If-Modified-Since requests. Doing this VIOLATES the -# HTTP standard. Enabling this feature could make you -# liable for problems which it causes. +# reload-into-ims changes a client no-cache or ``reload'' +# request for a cached entry into a conditional request using +# If-Modified-Since and/or If-None-Match headers, provided the +# cached entry has a Last-Modified and/or a strong ETag header. +# Doing this VIOLATES the HTTP standard. Enabling this feature +# could make you liable for problems which it causes. # # ignore-reload ignores a client no-cache or ``reload'' # header. Doing this VIOLATES the HTTP standard. Enabling # this feature could make you liable for problems which # it causes. # -# ignore-no-cache ignores any ``Pragma: no-cache'' and -# ``Cache-control: no-cache'' headers received from a server. -# The HTTP RFC never allows the use of this (Pragma) header -# from a server, only a client, though plenty of servers -# send it anyway. -# # ignore-no-store ignores any ``Cache-control: no-store'' # headers received from a server. Doing this VIOLATES # the HTTP standard. Enabling this feature could make you @@ -3105,6 +4477,16 @@ coredump_dir /var/log/squid/cache # ensures that the client will receive an updated version # if one is available. # +# store-stale stores responses even if they don't have explicit +# freshness or a validator (i.e., Last-Modified or an ETag) +# present, or if they're already stale. By default, Squid will +# not cache such responses because they usually can't be +# reused. Note that such responses will be stale by default. +# +# max-stale=NN provide a maximum staleness factor. Squid won't +# serve objects more stale than this even if it failed to +# validate the object. Default: use the max_stale global limit. +# # Basically a cached object is: # # FRESH if expires < now, else STALE @@ -3123,7 +4505,9 @@ coredump_dir /var/log/squid/cache # # +# # Add any of your own refresh_pattern entries above these. +# refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 @@ -3146,7 +4530,7 @@ refresh_pattern . 0 20% 4320 # downloads. # # When the user aborts a request, Squid will check the -# quick_abort values to the amount of data transfered until +# quick_abort values to the amount of data transferred until # then. # # If the transfer has less than 'quick_abort_min' KB remaining, @@ -3204,44 +4588,68 @@ refresh_pattern . 0 20% 4320 #Default: # negative_dns_ttl 1 minutes -# TAG: range_offset_limit (bytes) -# Sets a upper limit on how far into the the file a Range request -# may be to cause Squid to prefetch the whole file. If beyond this -# limit Squid forwards the Range request as it is and the result -# is NOT cached. -# +# TAG: range_offset_limit size [acl acl...] +# usage: (size) [units] [[!]aclname] +# +# Sets an upper limit on how far (number of bytes) into the file +# a Range request may be to cause Squid to prefetch the whole file. +# If beyond this limit, Squid forwards the Range request as it is and +# the result is NOT cached. +# # This is to stop a far ahead range request (lets say start at 17MB) # from making Squid fetch the whole object up to that point before # sending anything to the client. -# -# A value of 0 causes Squid to never fetch more than the +# +# Multiple range_offset_limit lines may be specified, and they will +# be searched from top to bottom on each request until a match is found. +# The first match found will be used. If no line matches a request, the +# default limit of 0 bytes will be used. +# +# 'size' is the limit specified as a number of units. +# +# 'units' specifies whether to use bytes, KB, MB, etc. +# If no units are specified bytes are assumed. +# +# A size of 0 causes Squid to never fetch more than the # client requested. (default) -# -# A value of -1 causes Squid to always fetch the object from the +# +# A size of 'none' causes Squid to always fetch the object from the # beginning so it may cache the result. (2.0 style) -# -# NP: Using -1 here will override any quick_abort settings that may -# otherwise apply to the range request. The range request will +# +# 'aclname' is the name of a defined ACL. +# +# NP: Using 'none' as the byte value here will override any quick_abort settings +# that may otherwise apply to the range request. The range request will # be fully fetched from start to finish regardless of the client # actions. This affects bandwidth usage. #Default: -# range_offset_limit 0 KB +# none # TAG: minimum_expiry_time (seconds) # The minimum caching time according to (Expires - Date) -# Headers Squid honors if the object can't be revalidated -# defaults to 60 seconds. In reverse proxy environments it -# might be desirable to honor shorter object lifetimes. It -# is most likely better to make your server return a -# meaningful Last-Modified header however. In ESI environments -# where page fragments often have short lifetimes, this will -# often be best set to 0. +# headers Squid honors if the object can't be revalidated. +# The default is 60 seconds. +# +# In reverse proxy environments it might be desirable to honor +# shorter object lifetimes. It is most likely better to make +# your server return a meaningful Last-Modified header however. +# +# In ESI environments where page fragments often have short +# lifetimes, this will often be best set to 0. #Default: # minimum_expiry_time 60 seconds -# TAG: store_avg_object_size (kbytes) +# TAG: store_avg_object_size (bytes) # Average object size, used to estimate number of objects your # cache can hold. The default is 13 KB. +# +# This is used to pre-seed the cache index memory allocation to +# reduce expensive reallocate operations while handling clients +# traffic. Too-large values may result in memory allocation during +# peak traffic, too-small values will result in wasted memory. +# +# Check the cache manager 'info' report metrics for the real +# object sizes seen by your Squid before tuning this. #Default: # store_avg_object_size 13 KB @@ -3280,8 +4688,11 @@ refresh_pattern . 0 20% 4320 # than this limit receives an "Invalid Request" error message. # If you set this parameter to a zero (the default), there will # be no limit imposed. +# +# See also client_request_buffer_max_size for an alternative +# limitation on client uploads which can be configured. #Default: -# request_body_max_size 0 KB +# No limit. # TAG: client_request_buffer_max_size (bytes) # This specifies the maximum buffer size of a client request. @@ -3334,18 +4745,18 @@ refresh_pattern . 0 20% 4320 # acl buggy_server url_regex ^http://.... # broken_posts allow buggy_server #Default: -# none +# Obey RFC 2616. -# TAG: icap_uses_indirect_client on|off +# TAG: adaptation_uses_indirect_client on|off # Note: This option is only available if Squid is rebuilt with the -# --enable-follow-x-forwarded-for and --enable-icap-client option +# --enable-follow-x-forwarded-for and (--enable-icap-client and/or --enable-ecap) # # Controls whether the indirect client IP address (instead of the direct # client IP address) is passed to adaptation services. # # See also: follow_x_forwarded_for adaptation_send_client_ip #Default: -# icap_uses_indirect_client on +# adaptation_uses_indirect_client on # TAG: via on|off # If set (default), Squid will include a Via header in requests and @@ -3407,64 +4818,62 @@ refresh_pattern . 0 20% 4320 # # This option replaces the old 'anonymize_headers' and the # older 'http_anonymizer' option with something that is much -# more configurable. This new method creates a list of ACLs -# for each header, allowing you very fine-tuned header -# mangling. -# -# This option only applies to request headers, i.e., from the -# client to the server. -# -# You can only specify known headers for the header name. -# Other headers are reclassified as 'Other'. You can also -# refer to all the headers with 'All'. +# more configurable. A list of ACLs for each header name allows +# removal of specific header fields under specific conditions. +# +# This option only applies to outgoing HTTP request headers (i.e., +# headers sent by Squid to the next HTTP hop such as a cache peer +# or an origin server). The option has no effect during cache hit +# detection. The equivalent adaptation vectoring point in ICAP +# terminology is post-cache REQMOD. +# +# The option is applied to individual outgoing request header +# fields. For each request header field F, Squid uses the first +# qualifying sets of request_header_access rules: +# +# 1. Rules with header_name equal to F's name. +# 2. Rules with header_name 'Other', provided F's name is not +# on the hard-coded list of commonly used HTTP header names. +# 3. Rules with header_name 'All'. +# +# Within that qualifying rule set, rule ACLs are checked as usual. +# If ACLs of an "allow" rule match, the header field is allowed to +# go through as is. If ACLs of a "deny" rule match, the header is +# removed and request_header_replace is then checked to identify +# if the removed header has a replacement. If no rules within the +# set have matching ACLs, the header field is left as is. # # For example, to achieve the same behavior as the old # 'http_anonymizer standard' option, you should use: # # request_header_access From deny all # request_header_access Referer deny all -# request_header_access Server deny all # request_header_access User-Agent deny all -# request_header_access WWW-Authenticate deny all -# request_header_access Link deny all # # Or, to reproduce the old 'http_anonymizer paranoid' feature # you should use: # -# request_header_access Allow allow all # request_header_access Authorization allow all -# request_header_access WWW-Authenticate allow all # request_header_access Proxy-Authorization allow all -# request_header_access Proxy-Authenticate allow all # request_header_access Cache-Control allow all -# request_header_access Content-Encoding allow all # request_header_access Content-Length allow all # request_header_access Content-Type allow all # request_header_access Date allow all -# request_header_access Expires allow all # request_header_access Host allow all # request_header_access If-Modified-Since allow all -# request_header_access Last-Modified allow all -# request_header_access Location allow all # request_header_access Pragma allow all # request_header_access Accept allow all # request_header_access Accept-Charset allow all # request_header_access Accept-Encoding allow all # request_header_access Accept-Language allow all -# request_header_access Content-Language allow all -# request_header_access Mime-Version allow all -# request_header_access Retry-After allow all -# request_header_access Title allow all # request_header_access Connection allow all # request_header_access All deny all # -# although many of those are HTTP reply headers, and so should be -# controlled with the reply_header_access directive. +# HTTP reply headers are controlled with the reply_header_access directive. # -# By default, all headers are allowed (no anonymizing is -# performed). +# By default, all headers are allowed (no anonymizing is performed). #Default: -# none +# No limits. # TAG: reply_header_access # Usage: reply_header_access header_name allow|deny [!]aclname ... @@ -3477,25 +4886,13 @@ refresh_pattern . 0 20% 4320 # server to the client. # # This is the same as request_header_access, but in the other -# direction. -# -# This option replaces the old 'anonymize_headers' and the -# older 'http_anonymizer' option with something that is much -# more configurable. This new method creates a list of ACLs -# for each header, allowing you very fine-tuned header -# mangling. -# -# You can only specify known headers for the header name. -# Other headers are reclassified as 'Other'. You can also -# refer to all the headers with 'All'. +# direction. Please see request_header_access for detailed +# documentation. # # For example, to achieve the same behavior as the old # 'http_anonymizer standard' option, you should use: # -# reply_header_access From deny all -# reply_header_access Referer deny all # reply_header_access Server deny all -# reply_header_access User-Agent deny all # reply_header_access WWW-Authenticate deny all # reply_header_access Link deny all # @@ -3503,9 +4900,7 @@ refresh_pattern . 0 20% 4320 # you should use: # # reply_header_access Allow allow all -# reply_header_access Authorization allow all # reply_header_access WWW-Authenticate allow all -# reply_header_access Proxy-Authorization allow all # reply_header_access Proxy-Authenticate allow all # reply_header_access Cache-Control allow all # reply_header_access Content-Encoding allow all @@ -3513,29 +4908,22 @@ refresh_pattern . 0 20% 4320 # reply_header_access Content-Type allow all # reply_header_access Date allow all # reply_header_access Expires allow all -# reply_header_access Host allow all -# reply_header_access If-Modified-Since allow all # reply_header_access Last-Modified allow all # reply_header_access Location allow all # reply_header_access Pragma allow all -# reply_header_access Accept allow all -# reply_header_access Accept-Charset allow all -# reply_header_access Accept-Encoding allow all -# reply_header_access Accept-Language allow all # reply_header_access Content-Language allow all -# reply_header_access Mime-Version allow all # reply_header_access Retry-After allow all # reply_header_access Title allow all +# reply_header_access Content-Disposition allow all # reply_header_access Connection allow all # reply_header_access All deny all # -# although the HTTP request headers won't be usefully controlled -# by this directive -- see request_header_access for details. +# HTTP request headers are controlled with the request_header_access directive. # # By default, all headers are allowed (no anonymizing is # performed). #Default: -# none +# No limits. # TAG: request_header_replace # Usage: request_header_replace header_name message @@ -3543,8 +4931,7 @@ refresh_pattern . 0 20% 4320 # # This option allows you to change the contents of headers # denied with request_header_access above, by replacing them -# with some fixed string. This replaces the old fake_user_agent -# option. +# with some fixed string. # # This only applies to request headers, not reply headers. # @@ -3566,6 +4953,57 @@ refresh_pattern . 0 20% 4320 #Default: # none +# TAG: request_header_add +# Usage: request_header_add field-name field-value acl1 [acl2] ... +# Example: request_header_add X-Client-CA "CA=%ssl::>cert_issuer" all +# +# This option adds header fields to outgoing HTTP requests (i.e., +# request headers sent by Squid to the next HTTP hop such as a +# cache peer or an origin server). The option has no effect during +# cache hit detection. The equivalent adaptation vectoring point +# in ICAP terminology is post-cache REQMOD. +# +# Field-name is a token specifying an HTTP header name. If a +# standard HTTP header name is used, Squid does not check whether +# the new header conflicts with any existing headers or violates +# HTTP rules. If the request to be modified already contains a +# field with the same name, the old field is preserved but the +# header field values are not merged. +# +# Field-value is either a token or a quoted string. If quoted +# string format is used, then the surrounding quotes are removed +# while escape sequences and %macros are processed. +# +# In theory, all of the logformat codes can be used as %macros. +# However, unlike logging (which happens at the very end of +# transaction lifetime), the transaction may not yet have enough +# information to expand a macro when the new header value is needed. +# And some information may already be available to Squid but not yet +# committed where the macro expansion code can access it (report +# such instances!). The macro will be expanded into a single dash +# ('-') in such cases. Not all macros have been tested. +# +# One or more Squid ACLs may be specified to restrict header +# injection to matching requests. As always in squid.conf, all +# ACLs in an option ACL list must be satisfied for the insertion +# to happen. The request_header_add option supports fast ACLs +# only. +#Default: +# none + +# TAG: note +# This option used to log custom information about the master +# transaction. For example, an admin may configure Squid to log +# which "user group" the transaction belongs to, where "user group" +# will be determined based on a set of ACLs and not [just] +# authentication information. +# Values of key/value pairs can be logged using %{key}note macros: +# +# note key value acl ... +# logformat myFormat ... %{key}note ... +#Default: +# none + # TAG: relaxed_header_parser on|off|warn # In the default "on" setting Squid accepts certain forms # of non-compliant HTTP messages where it is unambiguous @@ -3581,16 +5019,6 @@ refresh_pattern . 0 20% 4320 #Default: # relaxed_header_parser on -# TAG: ignore_expect_100 on|off -# This option makes Squid ignore any Expect: 100-continue header present -# in the request. RFC 2616 requires that Squid being unable to satisfy -# the response expectation MUST return a 417 error. -# -# Note: Enabling this is a HTTP protocol violation, but some clients may -# not handle it well.. -#Default: -# ignore_expect_100 off - # TIMEOUTS # ----------------------------------------------------------------------------- @@ -3624,17 +5052,28 @@ refresh_pattern . 0 20% 4320 #Default: # read_timeout 15 minutes +# TAG: write_timeout time-units +# This timeout is tracked for all connections that have data +# available for writing and are waiting for the socket to become +# ready. After each successful write, the timeout is extended by +# the configured amount. If Squid has data to write but the +# connection is not ready for the configured duration, the +# transaction associated with the connection is terminated. The +# default is 15 minutes. +#Default: +# write_timeout 15 minutes + # TAG: request_timeout # How long to wait for complete HTTP request headers after initial # connection establishment. #Default: # request_timeout 5 minutes -# TAG: persistent_request_timeout +# TAG: client_idle_pconn_timeout # How long to wait for the next HTTP request on a persistent -# connection after the previous request completes. +# client connection after the previous request completes. #Default: -# persistent_request_timeout 2 minutes +# client_idle_pconn_timeout 2 minutes # TAG: client_lifetime time-units # The maximum amount of time a client (browser) is allowed to @@ -3670,11 +5109,11 @@ refresh_pattern . 0 20% 4320 #Default: # half_closed_clients off -# TAG: pconn_timeout +# TAG: server_idle_pconn_timeout # Timeout for idle persistent connections to servers and other # proxies. #Default: -# pconn_timeout 1 minute +# server_idle_pconn_timeout 1 minute # TAG: ident_timeout # Maximum time to wait for IDENT lookups to complete. @@ -3699,15 +5138,15 @@ refresh_pattern . 0 20% 4320 # TAG: cache_mgr # Email-address of local cache manager who will receive -# mail if the cache dies. The default is "webmaster." +# mail if the cache dies. The default is "webmaster". #Default: # cache_mgr webmaster # TAG: mail_from # From: email-address for mail sent when the cache dies. -# The default is to use 'appname@unique_hostname'. -# Default appname value is "squid", can be changed into -# src/globals.h before building squid. +# The default is to use 'squid@unique_hostname'. +# +# See also: unique_hostname directive. #Default: # none @@ -3727,7 +5166,7 @@ refresh_pattern . 0 20% 4320 # to UID of nobody. # see also; cache_effective_group #Default: -cache_effective_user nobody +# cache_effective_user nobody # TAG: cache_effective_group # Squid sets the GID to the effective user's default group ID @@ -3746,7 +5185,7 @@ cache_effective_user nobody # Our preference is for administrators to configure a secure # user account for squid with UID/GID matching system policies. #Default: -cache_effective_group nobody +# Use system group memberships of the cache_effective_user account # TAG: httpd_suppress_version_string on|off # Suppress Squid version string info in HTTP headers and HTML error pages. @@ -3760,14 +5199,14 @@ cache_effective_group nobody # get errors about IP-forwarding you must set them to have individual # names with this setting. #Default: -# none +# Automatically detect the system host name # TAG: unique_hostname # If you want to have multiple machines with the same # 'visible_hostname' you must give each machine a different # 'unique_hostname' so forwarding loops can be detected. #Default: -# none +# Copy the value from visible_hostname # TAG: hostname_aliases # A list of other DNS names your cache has. @@ -3806,33 +5245,32 @@ cache_effective_group nobody # available on the Web at http://www.ircache.net/Cache/Tracker/. # TAG: announce_period -# This is how frequently to send cache announcements. The -# default is `0' which disables sending the announcement -# messages. +# This is how frequently to send cache announcements. # # To enable announcing your cache, just set an announce period. # # Example: # announce_period 1 day #Default: -# announce_period 0 +# Announcement messages disabled. # TAG: announce_host +# Set the hostname where announce registration messages will be sent. +# +# See also announce_port and announce_file #Default: # announce_host tracker.ircache.net # TAG: announce_file +# The contents of this file will be included in the announce +# registration messages. #Default: # none # TAG: announce_port -# announce_host and announce_port set the hostname and port -# number where the registration message will be sent. +# Set the port where announce registration messages will be sent. # -# Hostname will default to 'tracker.ircache.net' and port will -# default default to 3131. If the 'filename' argument is given, -# the contents of that file will be included in the announce -# message. +# See also announce_host and announce_file #Default: # announce_port 3131 @@ -3840,28 +5278,24 @@ cache_effective_group nobody # ----------------------------------------------------------------------------- # TAG: httpd_accel_surrogate_id -# Note: This option is only available if Squid is rebuilt with the -# --enable-esi option -# # Surrogates (http://www.esi.org/architecture_spec_1.0.html) # need an identification token to allow control targeting. Because # a farm of surrogates may all perform the same tasks, they may share # an identification token. #Default: -# httpd_accel_surrogate_id unset-id +# visible_hostname is used if no specific ID is set. # TAG: http_accel_surrogate_remote on|off -# Note: This option is only available if Squid is rebuilt with the -# --enable-esi option +# Remote surrogates (such as those in a CDN) honour the header +# "Surrogate-Control: no-store-remote". # -# Remote surrogates (such as those in a CDN) honour Surrogate-Control: no-store-remote. # Set this to on to have squid behave as a remote surrogate. #Default: # http_accel_surrogate_remote off # TAG: esi_parser libxml2|expat|custom # Note: This option is only available if Squid is rebuilt with the -# --enable-esi option +# --enable-esi # # ESI markup is not strictly XML compatible. The custom ESI parser # will give higher performance, but cannot handle non ASCII character @@ -3874,17 +5308,20 @@ cache_effective_group nobody # TAG: delay_pools # Note: This option is only available if Squid is rebuilt with the -# --enable-delay-pools option +# --enable-delay-pools # # This represents the number of delay pools to be used. For example, # if you have one class 2 delay pool and one class 3 delays pool, you # have a total of 2 delay pools. +# +# See also delay_parameters, delay_class, delay_access for pool +# configuration details. #Default: # delay_pools 0 # TAG: delay_class # Note: This option is only available if Squid is rebuilt with the -# --enable-delay-pools option +# --enable-delay-pools # # This defines the class of each delay pool. There must be exactly one # delay_class line for each delay pool. For example, to define two @@ -3934,12 +5371,17 @@ cache_effective_group nobody # # NOTE-2: Due to the use of bitmasks in class 2,3,4 pools they only apply to # IPv4 traffic. Class 1 and 5 pools may be used with IPv6 traffic. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# See also delay_parameters and delay_access. #Default: # none # TAG: delay_access # Note: This option is only available if Squid is rebuilt with the -# --enable-delay-pools option +# --enable-delay-pools # # This is used to determine which delay pool a request falls into. # @@ -3951,18 +5393,20 @@ cache_effective_group nobody # For example, if you want some_big_clients in delay # pool 1 and lotsa_little_clients in delay pool 2: # -#Example: -# delay_access 1 allow some_big_clients -# delay_access 1 deny all -# delay_access 2 allow lotsa_little_clients -# delay_access 2 deny all -# delay_access 3 allow authenticated_clients +# delay_access 1 allow some_big_clients +# delay_access 1 deny all +# delay_access 2 allow lotsa_little_clients +# delay_access 2 deny all +# delay_access 3 allow authenticated_clients +# +# See also delay_parameters and delay_class. +# #Default: -# none +# Deny using the pool, unless allow rules exist in squid.conf for the pool. # TAG: delay_parameters # Note: This option is only available if Squid is rebuilt with the -# --enable-delay-pools option +# --enable-delay-pools # # This defines the parameters for a delay pool. Each delay pool has # a number of "buckets" associated with it, as explained in the @@ -4047,12 +5491,16 @@ cache_effective_group nobody # be limited to 128Kbits/sec no matter how many workstations they are logged into.: # # delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000 +# +# +# See also delay_class and delay_access. +# #Default: # none # TAG: delay_initial_bucket_level (percent, 0-100) # Note: This option is only available if Squid is rebuilt with the -# --enable-delay-pools option +# --enable-delay-pools # # The initial bucket percentage is used to determine how much is put # in each bucket when squid starts, is reconfigured, or first notices @@ -4062,6 +5510,106 @@ cache_effective_group nobody #Default: # delay_initial_bucket_level 50 +# CLIENT DELAY POOL PARAMETERS +# ----------------------------------------------------------------------------- + +# TAG: client_delay_pools +# Note: This option is only available if Squid is rebuilt with the +# --enable-delay-pools +# +# This option specifies the number of client delay pools used. It must +# preceed other client_delay_* options. +# +# Example: +# client_delay_pools 2 +# +# See also client_delay_parameters and client_delay_access. +#Default: +# client_delay_pools 0 + +# TAG: client_delay_initial_bucket_level (percent, 0-no_limit) +# Note: This option is only available if Squid is rebuilt with the +# --enable-delay-pools +# +# This option determines the initial bucket size as a percentage of +# max_bucket_size from client_delay_parameters. Buckets are created +# at the time of the "first" connection from the matching IP. Idle +# buckets are periodically deleted up. +# +# You can specify more than 100 percent but note that such "oversized" +# buckets are not refilled until their size goes down to max_bucket_size +# from client_delay_parameters. +# +# Example: +# client_delay_initial_bucket_level 50 +#Default: +# client_delay_initial_bucket_level 50 + +# TAG: client_delay_parameters +# Note: This option is only available if Squid is rebuilt with the +# --enable-delay-pools +# +# +# This option configures client-side bandwidth limits using the +# following format: +# +# client_delay_parameters pool speed_limit max_bucket_size +# +# pool is an integer ID used for client_delay_access matching. +# +# speed_limit is bytes added to the bucket per second. +# +# max_bucket_size is the maximum size of a bucket, enforced after any +# speed_limit additions. +# +# Please see the delay_parameters option for more information and +# examples. +# +# Example: +# client_delay_parameters 1 1024 2048 +# client_delay_parameters 2 51200 16384 +# +# See also client_delay_access. +# +#Default: +# none + +# TAG: client_delay_access +# Note: This option is only available if Squid is rebuilt with the +# --enable-delay-pools +# +# This option determines the client-side delay pool for the +# request: +# +# client_delay_access pool_ID allow|deny acl_name +# +# All client_delay_access options are checked in their pool ID +# order, starting with pool 1. The first checked pool with allowed +# request is selected for the request. If no ACL matches or there +# are no client_delay_access options, the request bandwidth is not +# limited. +# +# The ACL-selected pool is then used to find the +# client_delay_parameters for the request. Client-side pools are +# not used to aggregate clients. Clients are always aggregated +# based on their source IP addresses (one bucket per source IP). +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# Additionally, only the client TCP connection details are available. +# ACLs testing HTTP properties will not work. +# +# Please see delay_access for more examples. +# +# Example: +# client_delay_access 1 allow low_rate_network +# client_delay_access 2 allow vips_network +# +# +# See also client_delay_parameters and client_delay_pools. +#Default: +# Deny use of the pool, unless allow rules exist in squid.conf for the pool. + # WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS # ----------------------------------------------------------------------------- @@ -4076,7 +5624,7 @@ cache_effective_group nobody # only one of the two may be used at the same time and defines # which version of WCCP to use. #Default: -# wccp_router any_addr +# WCCP disabled. # TAG: wccp2_router # Use this option to define your WCCP ``home'' router for @@ -4089,7 +5637,7 @@ cache_effective_group nobody # only one of the two may be used at the same time and defines # which version of WCCP to use. #Default: -# none +# WCCPv2 disabled. # TAG: wccp_version # This directive is only relevant if you need to set up WCCP(v1) @@ -4146,7 +5694,7 @@ cache_effective_group nobody # Valid values are as follows: # # hash - Hash assignment -# mask - Mask assignment +# mask - Mask assignment # # As a general rule, cisco routers support the hash assignment method # and cisco switches support the mask assignment method. @@ -4174,7 +5722,7 @@ cache_effective_group nobody # # fleshed out with subsequent options. # wccp2_service standard 0 password=foo #Default: -# wccp2_service standard 0 +# Use the 'web-cache' standard service. # TAG: wccp2_service_info # Dynamic WCCPv2 services require further information to define the @@ -4211,8 +5759,12 @@ cache_effective_group nobody # wccp2_weight 10000 # TAG: wccp_address +# Use this option if you require WCCPv2 to use a specific +# interface address. +# +# The default behavior is to not bind to any specific address. #Default: -# wccp_address 0.0.0.0 +# Address selected by the operating system. # TAG: wccp2_address # Use this option if you require WCCP to use a specific @@ -4220,7 +5772,7 @@ cache_effective_group nobody # # The default behavior is to not bind to any specific address. #Default: -# wccp2_address 0.0.0.0 +# Address selected by the operating system. # PERSISTENT CONNECTION HANDLING # ----------------------------------------------------------------------------- @@ -4228,14 +5780,16 @@ cache_effective_group nobody # Also see "pconn_timeout" in the TIMEOUTS section # TAG: client_persistent_connections +# Persistent connection support for clients. +# Squid uses persistent connections (when allowed). You can use +# this option to disable persistent connections with clients. #Default: # client_persistent_connections on # TAG: server_persistent_connections -# Persistent connection support for clients and servers. By -# default, Squid uses persistent connections (when allowed) -# with its clients and servers. You can use these options to -# disable persistent connections with clients and/or servers. +# Persistent connection support for servers. +# Squid uses persistent connections (when allowed). You can use +# this option to disable persistent connections with servers. #Default: # server_persistent_connections on @@ -4263,7 +5817,7 @@ cache_effective_group nobody # TAG: digest_generation # Note: This option is only available if Squid is rebuilt with the -# --enable-cache-digests option +# --enable-cache-digests # # This controls whether the server will generate a Cache Digest # of its contents. By default, Cache Digest generation is @@ -4273,7 +5827,7 @@ cache_effective_group nobody # TAG: digest_bits_per_entry # Note: This option is only available if Squid is rebuilt with the -# --enable-cache-digests option +# --enable-cache-digests # # This is the number of bits of the server's Cache Digest which # will be associated with the Digest entry for a given HTTP @@ -4283,7 +5837,7 @@ cache_effective_group nobody # TAG: digest_rebuild_period (seconds) # Note: This option is only available if Squid is rebuilt with the -# --enable-cache-digests option +# --enable-cache-digests # # This is the wait time between Cache Digest rebuilds. #Default: @@ -4291,7 +5845,7 @@ cache_effective_group nobody # TAG: digest_rewrite_period (seconds) # Note: This option is only available if Squid is rebuilt with the -# --enable-cache-digests option +# --enable-cache-digests # # This is the wait time between Cache Digest writes to # disk. @@ -4300,7 +5854,7 @@ cache_effective_group nobody # TAG: digest_swapout_chunk_size (bytes) # Note: This option is only available if Squid is rebuilt with the -# --enable-cache-digests option +# --enable-cache-digests # # This is the number of bytes of the Cache Digest to write to # disk at a time. It defaults to 4096 bytes (4KB), the Squid @@ -4310,7 +5864,7 @@ cache_effective_group nobody # TAG: digest_rebuild_chunk_percentage (percent, 0-100) # Note: This option is only available if Squid is rebuilt with the -# --enable-cache-digests option +# --enable-cache-digests # # This is the percentage of the Cache Digest to be scanned at a # time. By default it is set to 10% of the Cache Digest. @@ -4329,7 +5883,7 @@ cache_effective_group nobody # Example: # snmp_port 3401 #Default: -# snmp_port 0 +# SNMP disabled. # TAG: snmp_access # Allowing or denying access to the SNMP port. @@ -4341,26 +5895,29 @@ cache_effective_group nobody # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# #Example: # snmp_access allow snmppublic localhost # snmp_access deny all #Default: -# snmp_access deny all +# Deny, unless rules exist in squid.conf. # TAG: snmp_incoming_address -#Default: -# snmp_incoming_address any_addr - -# TAG: snmp_outgoing_address # Just like 'udp_incoming_address', but for the SNMP port. # # snmp_incoming_address is used for the SNMP socket receiving # messages from SNMP agents. -# snmp_outgoing_address is used for SNMP packets returned to SNMP -# agents. # # The default snmp_incoming_address is to listen on all # available network interfaces. +#Default: +# Accept SNMP packets from all machine interfaces. + +# TAG: snmp_outgoing_address +# Just like 'udp_outgoing_address', but for the SNMP port. +# +# snmp_outgoing_address is used for SNMP packets returned to SNMP +# agents. # # If snmp_outgoing_address is not set it will use the same socket # as snmp_incoming_address. Only change this if you want to have @@ -4368,9 +5925,9 @@ cache_effective_group nobody # listens for SNMP queries. # # NOTE, snmp_incoming_address and snmp_outgoing_address can not have -# the same value since they both use port 3401. +# the same value since they both use the same port. #Default: -# snmp_outgoing_address no_addr +# Use snmp_incoming_address or an address selected by the operating system. # ICP OPTIONS # ----------------------------------------------------------------------------- @@ -4378,22 +5935,21 @@ cache_effective_group nobody # TAG: icp_port # The port number where Squid sends and receives ICP queries to # and from neighbor caches. The standard UDP port for ICP is 3130. -# Default is disabled (0). # # Example: # icp_port 3130 #Default: -# icp_port 0 +# ICP disabled. # TAG: htcp_port # The port number where Squid sends and receives HTCP queries to # and from neighbor caches. To turn it on you want to set it to -# 4827. By default it is set to "0" (disabled). +# 4827. # # Example: # htcp_port 4827 #Default: -# htcp_port 0 +# HTCP disabled. # TAG: log_icp_queries on|off # If set, ICP queries are logged to access.log. You may wish @@ -4419,7 +5975,7 @@ cache_effective_group nobody # NOTE, udp_incoming_address and udp_outgoing_address can not # have the same value since they both use the same port. #Default: -# udp_incoming_address any_addr +# Accept packets from all machine interfaces. # TAG: udp_outgoing_address # udp_outgoing_address is used for UDP packets sent out to other @@ -4440,7 +5996,7 @@ cache_effective_group nobody # NOTE, udp_incoming_address and udp_outgoing_address can not # have the same value since they both use the same port. #Default: -# udp_outgoing_address no_addr +# Use udp_incoming_address or an address selected by the operating system. # TAG: icp_hit_stale on|off # If you want to return ICP_HIT for stale cache objects, set this @@ -4459,21 +6015,33 @@ cache_effective_group nobody #Default: # minimum_direct_hops 4 -# TAG: minimum_direct_rtt +# TAG: minimum_direct_rtt (msec) # If using the ICMP pinging stuff, do direct fetches for sites # which are no more than this many rtt milliseconds away. #Default: # minimum_direct_rtt 400 # TAG: netdb_low +# The low water mark for the ICMP measurement database. +# +# Note: high watermark controlled by netdb_high directive. +# +# These watermarks are counts, not percents. The defaults are +# (low) 900 and (high) 1000. When the high water mark is +# reached, database entries will be deleted until the low +# mark is reached. #Default: # netdb_low 900 # TAG: netdb_high -# The low and high water marks for the ICMP measurement -# database. These are counts, not percents. The defaults are -# 900 and 1000. When the high water mark is reached, database -# entries will be deleted until the low mark is reached. +# The high water mark for the ICMP measurement database. +# +# Note: low watermark controlled by netdb_low directive. +# +# These watermarks are counts, not percents. The defaults are +# (low) 900 and (high) 1000. When the high water mark is +# reached, database entries will be deleted until the low +# mark is reached. #Default: # netdb_high 1000 @@ -4516,7 +6084,7 @@ cache_effective_group nobody # # icp_query_timeout 2000 #Default: -# icp_query_timeout 0 +# Dynamic detection. # TAG: maximum_icp_query_timeout (msec) # Normally the ICP query timeout is determined dynamically. But @@ -4582,7 +6150,7 @@ cache_effective_group nobody # Do not enable this option unless you are are absolutely # certain you understand what you are doing. #Default: -# mcast_miss_addr no_addr +# disabled. # TAG: mcast_miss_ttl # Note: This option is only available if Squid is rebuilt with the @@ -4672,7 +6240,7 @@ cache_effective_group nobody # The squid developers working on translations are happy to supply drop-in # translated error files in exchange for any new language contributions. #Default: -# none +# Send error pages in the clients preferred language # TAG: error_default_language # Set the default language which squid will send error pages in @@ -4686,7 +6254,7 @@ cache_effective_group nobody # translations for any language see the squid wiki for details. # http://wiki.squid-cache.org/Translations #Default: -# none +# Generate English language pages. # TAG: error_log_languages # Log to cache.log what languages users are attempting to @@ -4741,17 +6309,47 @@ cache_effective_group nobody # the first authentication related acl encountered # - When none of the http_access lines matches. It's then the last # acl processed on the last http_access line. +# - When the decision to deny access was made by an adaptation service, +# the acl name is the corresponding eCAP or ICAP service_name. # # NP: If providing your own custom error pages with error_directory # you may also specify them by your custom file name: # Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys # -# Alternatively you can specify an error URL. The browsers will -# get redirected (302 or 307) to the specified URL. %s in the redirection -# URL will be replaced by the requested URL. +# By defaut Squid will send "403 Forbidden". A different 4xx or 5xx +# may be specified by prefixing the file name with the code and a colon. +# e.g. 404:ERR_CUSTOM_ACCESS_DENIED # # Alternatively you can tell Squid to reset the TCP connection # by specifying TCP_RESET. +# +# Or you can specify an error URL or URL pattern. The browsers will +# get redirected to the specified URL after formatting tags have +# been replaced. Redirect will be done with 302 or 307 according to +# HTTP/1.1 specs. A different 3xx code may be specified by prefixing +# the URL. e.g. 303:http://example.com/ +# +# URL FORMAT TAGS: +# %a - username (if available. Password NOT included) +# %B - FTP path URL +# %e - Error number +# %E - Error description +# %h - Squid hostname +# %H - Request domain name +# %i - Client IP Address +# %M - Request Method +# %o - Message result from external ACL helper +# %p - Request Port number +# %P - Request Protocol name +# %R - Request URL path +# %T - Timestamp in RFC 1123 format +# %U - Full canonical URL from client +# (HTTPS URLs terminate with *) +# %u - Full canonical URL from client +# %w - Admin email from squid.conf +# %x - Error name +# %% - Literal percent (%) code +# #Default: # none @@ -4763,15 +6361,16 @@ cache_effective_group nobody # (matching hierarchy_stoplist or not cacheable request type) direct # to origin servers. # -# If you set this to off, Squid will prefer to send these +# When this is set to "off", Squid will prefer to send these # requests to parents. # # Note that in most configurations, by turning this off you will only # add latency to these request without any improvement in global hit # ratio. # -# If you are inside an firewall see never_direct instead of -# this directive. +# This option only sets a preference. If the parent is unavailable a +# direct connection to the origin server may still be attempted. To +# completely prevent direct connections use never_direct. #Default: # nonhierarchical_direct on @@ -4790,6 +6389,29 @@ cache_effective_group nobody #Default: # prefer_direct off +# TAG: cache_miss_revalidate on|off +# RFC 7232 defines a conditional request mechanism to prevent +# response objects being unnecessarily transferred over the network. +# If that mechanism is used by the client and a cache MISS occurs +# it can prevent new cache entries being created. +# +# This option determines whether Squid on cache MISS will pass the +# client revalidation request to the server or tries to fetch new +# content for caching. It can be useful while the cache is mostly +# empty to more quickly have the cache populated by generating +# non-conditional GETs. +# +# When set to 'on' (default), Squid will pass all client If-* headers +# to the server. This permits server responses without a cacheable +# payload to be delivered and on MISS no new cache entry is created. +# +# When set to 'off' and if the request is cacheable, Squid will +# remove the clients If-Modified-Since and If-None-Match headers from +# the request sent to the server. This requests a 200 status response +# from the server to create a new cache entry with. +#Default: +# cache_miss_revalidate on + # TAG: always_direct # Usage: always_direct allow|deny [!]aclname ... # @@ -4830,7 +6452,7 @@ cache_effective_group nobody # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Prevent any cache_peer being used for this request. # TAG: never_direct # Usage: never_direct allow|deny [!]aclname ... @@ -4859,37 +6481,52 @@ cache_effective_group nobody # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow DNS results to be used for this request. # ADVANCED NETWORKING OPTIONS # ----------------------------------------------------------------------------- -# TAG: incoming_icp_average +# TAG: incoming_udp_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: -# incoming_icp_average 6 +# incoming_udp_average 6 -# TAG: incoming_http_average +# TAG: incoming_tcp_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: -# incoming_http_average 4 +# incoming_tcp_average 4 # TAG: incoming_dns_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: # incoming_dns_average 4 -# TAG: min_icp_poll_cnt +# TAG: min_udp_poll_cnt +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: -# min_icp_poll_cnt 8 +# min_udp_poll_cnt 8 # TAG: min_dns_poll_cnt +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: # min_dns_poll_cnt 8 -# TAG: min_http_poll_cnt +# TAG: min_tcp_poll_cnt # Heavy voodoo here. I can't even believe you are reading this. # Are you crazy? Don't even think about adjusting these unless # you understand the algorithms in comm_select.c first! #Default: -# min_http_poll_cnt 8 +# min_tcp_poll_cnt 8 # TAG: accept_filter # FreeBSD: @@ -4934,21 +6571,21 @@ cache_effective_group nobody # WARNING: This may noticably slow down traffic received via external proxies # or NAT devices and cause them to rebound error messages back to their clients. #Default: -# client_ip_max_connections -1 +# No limit. # TAG: tcp_recv_bufsize (bytes) # Size of receive buffer to set for TCP sockets. Probably just -# as easy to change your kernel's default. Set to zero to use -# the default buffer size. +# as easy to change your kernel's default. +# Omit from squid.conf to use the default buffer size. #Default: -# tcp_recv_bufsize 0 bytes +# Use operating system TCP defaults. # ICAP OPTIONS # ----------------------------------------------------------------------------- # TAG: icap_enable on|off # Note: This option is only available if Squid is rebuilt with the -# --enable-icap-client option +# --enable-icap-client # # If you want to enable the ICAP module support, set this to on. #Default: @@ -4956,7 +6593,7 @@ cache_effective_group nobody # TAG: icap_connect_timeout # Note: This option is only available if Squid is rebuilt with the -# --enable-icap-client option +# --enable-icap-client # # This parameter specifies how long to wait for the TCP connect to # the requested ICAP server to complete before giving up and either @@ -4970,37 +6607,51 @@ cache_effective_group nobody # TAG: icap_io_timeout time-units # Note: This option is only available if Squid is rebuilt with the -# --enable-icap-client option +# --enable-icap-client # # This parameter specifies how long to wait for an I/O activity on # an established, active ICAP connection before giving up and # either terminating the HTTP transaction or bypassing the # failure. -# -# The default is read_timeout. #Default: -# none +# Use read_timeout. -# TAG: icap_service_failure_limit +# TAG: icap_service_failure_limit limit [in memory-depth time-units] # Note: This option is only available if Squid is rebuilt with the -# --enable-icap-client option +# --enable-icap-client # # The limit specifies the number of failures that Squid tolerates # when establishing a new TCP connection with an ICAP service. If # the number of failures exceeds the limit, the ICAP service is # not used for new ICAP requests until it is time to refresh its -# OPTIONS. The per-service failure counter is reset to zero each -# time Squid fetches new service OPTIONS. +# OPTIONS. # # A negative value disables the limit. Without the limit, an ICAP # service will not be considered down due to connectivity failures # between ICAP OPTIONS requests. +# +# Squid forgets ICAP service failures older than the specified +# value of memory-depth. The memory fading algorithm +# is approximate because Squid does not remember individual +# errors but groups them instead, splitting the option +# value into ten time slots of equal length. +# +# When memory-depth is 0 and by default this option has no +# effect on service failure expiration. +# +# Squid always forgets failures when updating service settings +# using an ICAP OPTIONS transaction, regardless of this option +# setting. +# +# For example, +# # suspend service usage after 10 failures in 5 seconds: +# icap_service_failure_limit 10 in 5 seconds #Default: # icap_service_failure_limit 10 # TAG: icap_service_revival_delay # Note: This option is only available if Squid is rebuilt with the -# --enable-icap-client option +# --enable-icap-client # # The delay specifies the number of seconds to wait after an ICAP # OPTIONS request failure before requesting the options again. The @@ -5014,7 +6665,7 @@ cache_effective_group nobody # TAG: icap_preview_enable on|off # Note: This option is only available if Squid is rebuilt with the -# --enable-icap-client option +# --enable-icap-client # # The ICAP Preview feature allows the ICAP server to handle the # HTTP message by looking only at the beginning of the message body @@ -5034,17 +6685,36 @@ cache_effective_group nobody # TAG: icap_preview_size # Note: This option is only available if Squid is rebuilt with the -# --enable-icap-client option +# --enable-icap-client # # The default size of preview data to be sent to the ICAP server. -# -1 means no preview. This value might be overwritten on a per server -# basis by OPTIONS requests. +# This value might be overwritten on a per server basis by OPTIONS requests. +#Default: +# No preview sent. + +# TAG: icap_206_enable on|off +# Note: This option is only available if Squid is rebuilt with the +# --enable-icap-client +# +# 206 (Partial Content) responses is an ICAP extension that allows the +# ICAP agents to optionally combine adapted and original HTTP message +# content. The decision to combine is postponed until the end of the +# ICAP response. Squid supports Partial Content extension by default. +# +# Activation of the Partial Content extension is negotiated with each +# ICAP service during OPTIONS exchange. Most ICAP servers should handle +# negotation correctly even if they do not support the extension, but +# some might fail. To disable Partial Content support for all ICAP +# services and to avoid any negotiation, set this option to "off". +# +# Example: +# icap_206_enable off #Default: -# icap_preview_size -1 +# icap_206_enable on # TAG: icap_default_options_ttl # Note: This option is only available if Squid is rebuilt with the -# --enable-icap-client option +# --enable-icap-client # # The default TTL value for ICAP OPTIONS responses that don't have # an Options-TTL header. @@ -5053,16 +6723,16 @@ cache_effective_group nobody # TAG: icap_persistent_connections on|off # Note: This option is only available if Squid is rebuilt with the -# --enable-icap-client option +# --enable-icap-client # # Whether or not Squid should use persistent connections to # an ICAP server. #Default: # icap_persistent_connections on -# TAG: icap_send_client_ip on|off +# TAG: adaptation_send_client_ip on|off # Note: This option is only available if Squid is rebuilt with the -# --enable-icap-client option +# --enable-ecap or --enable-icap-client # # If enabled, Squid shares HTTP client IP information with adaptation # services. For ICAP, Squid adds the X-Client-IP header to ICAP requests. @@ -5070,30 +6740,32 @@ cache_effective_group nobody # # See also: adaptation_uses_indirect_client #Default: -# icap_send_client_ip off +# adaptation_send_client_ip off -# TAG: icap_send_client_username on|off +# TAG: adaptation_send_username on|off # Note: This option is only available if Squid is rebuilt with the -# --enable-icap-client option +# --enable-ecap or --enable-icap-client # # This sends authenticated HTTP client username (if available) to -# the ICAP service. The username value is encoded based on the +# the adaptation service. +# +# For ICAP, the username value is encoded based on the # icap_client_username_encode option and is sent using the header # specified by the icap_client_username_header option. #Default: -# icap_send_client_username off +# adaptation_send_username off # TAG: icap_client_username_header # Note: This option is only available if Squid is rebuilt with the -# --enable-icap-client option +# --enable-icap-client # -# ICAP request header name to use for send_client_username. +# ICAP request header name to use for adaptation_send_username. #Default: # icap_client_username_header X-Client-Username # TAG: icap_client_username_encode on|off # Note: This option is only available if Squid is rebuilt with the -# --enable-icap-client option +# --enable-icap-client # # Whether to base64 encode the authenticated client username. #Default: @@ -5101,21 +6773,23 @@ cache_effective_group nobody # TAG: icap_service # Note: This option is only available if Squid is rebuilt with the -# --enable-icap-client option +# --enable-icap-client # # Defines a single ICAP service using the following format: # -# icap_service service_name vectoring_point [options] service_url +# icap_service id vectoring_point uri [option ...] # -# service_name: ID -# an opaque identifier which must be unique in squid.conf +# id: ID +# an opaque identifier or name which is used to direct traffic to +# this specific service. Must be unique among all adaptation +# services in squid.conf. # # vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache # This specifies at which point of transaction processing the # ICAP service should be activated. *_postcache vectoring points # are not yet supported. # -# service_url: icap://servername:port/servicepath +# uri: icap://servername:port/servicepath # ICAP server and service location. # # ICAP does not allow a single service to handle both REQMOD and RESPMOD @@ -5124,6 +6798,8 @@ cache_effective_group nobody # can even specify multiple identical services as long as their # service_names differ. # +# To activate a service, use the adaptation_access directive. To group +# services, use adaptation_service_chain and adaptation_service_set. # # Service options are separated by white space. ICAP services support # the following name=value options: @@ -5145,11 +6821,12 @@ cache_effective_group nobody # returning a chain of services to be used next. The services # are specified using the X-Next-Services ICAP response header # value, formatted as a comma-separated list of service names. -# Each named service should be configured in squid.conf and -# should have the same method and vectoring point as the current -# ICAP transaction. Services violating these rules are ignored. -# An empty X-Next-Services value results in an empty plan which -# ends the current adaptation. +# Each named service should be configured in squid.conf. Other +# services are ignored. An empty X-Next-Services value results +# in an empty plan which ends the current adaptation. +# +# Dynamic adaptation plan may cross or cover multiple supported +# vectoring points in their natural processing order. # # Routing is not allowed by default: the ICAP X-Next-Services # response header is ignored. @@ -5159,18 +6836,38 @@ cache_effective_group nobody # is to use IPv4-only connections. When set to 'on' this option will # make Squid use IPv6-only connections to contact this ICAP service. # +# on-overload=block|bypass|wait|force +# If the service Max-Connections limit has been reached, do +# one of the following for each new ICAP transaction: +# * block: send an HTTP error response to the client +# * bypass: ignore the "over-connected" ICAP service +# * wait: wait (in a FIFO queue) for an ICAP connection slot +# * force: proceed, ignoring the Max-Connections limit +# +# In SMP mode with N workers, each worker assumes the service +# connection limit is Max-Connections/N, even though not all +# workers may use a given service. +# +# The default value is "bypass" if service is bypassable, +# otherwise it is set to "wait". +# +# +# max-conn=number +# Use the given number as the Max-Connections limit, regardless +# of the Max-Connections value given by the service, if any. +# # Older icap_service format without optional named parameters is # deprecated but supported for backward compatibility. # #Example: -#icap_service svcBlocker reqmod_precache bypass=0 icap://icap1.mydomain.net:1344/reqmod -#icap_service svcLogger reqmod_precache routing=on icap://icap2.mydomain.net:1344/respmod +#icap_service svcBlocker reqmod_precache icap://icap1.mydomain.net:1344/reqmod bypass=0 +#icap_service svcLogger reqmod_precache icap://icap2.mydomain.net:1344/respmod routing=on #Default: # none # TAG: icap_class # Note: This option is only available if Squid is rebuilt with the -# --enable-icap-client option +# --enable-icap-client # # This deprecated option was documented to define an ICAP service # chain, even though it actually defined a set of similar, redundant @@ -5184,7 +6881,7 @@ cache_effective_group nobody # TAG: icap_access # Note: This option is only available if Squid is rebuilt with the -# --enable-icap-client option +# --enable-icap-client # # This option is deprecated. Please use adaptation_access, which # has the same ICAP functionality, but comes with better @@ -5197,7 +6894,7 @@ cache_effective_group nobody # TAG: ecap_enable on|off # Note: This option is only available if Squid is rebuilt with the -# --enable-ecap option +# --enable-ecap # # Controls whether eCAP support is enabled. #Default: @@ -5205,29 +6902,62 @@ cache_effective_group nobody # TAG: ecap_service # Note: This option is only available if Squid is rebuilt with the -# --enable-ecap option +# --enable-ecap # # Defines a single eCAP service # -# ecap_service servicename vectoring_point bypass service_url +# ecap_service id vectoring_point uri [option ...] +# +# id: ID +# an opaque identifier or name which is used to direct traffic to +# this specific service. Must be unique among all adaptation +# services in squid.conf. # -# vectoring_point = reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache +# vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache # This specifies at which point of transaction processing the # eCAP service should be activated. *_postcache vectoring points # are not yet supported. -# bypass = 1|0 -# If set to 1, the eCAP service is treated as optional. If the -# service cannot be reached or malfunctions, Squid will try to -# ignore any errors and process the message as if the service +# +# uri: ecap://vendor/service_name?custom&cgi=style¶meters=optional +# Squid uses the eCAP service URI to match this configuration +# line with one of the dynamically loaded services. Each loaded +# eCAP service must have a unique URI. Obtain the right URI from +# the service provider. +# +# To activate a service, use the adaptation_access directive. To group +# services, use adaptation_service_chain and adaptation_service_set. +# +# Service options are separated by white space. eCAP services support +# the following name=value options: +# +# bypass=on|off|1|0 +# If set to 'on' or '1', the eCAP service is treated as optional. +# If the service cannot be reached or malfunctions, Squid will try +# to ignore any errors and process the message as if the service # was not enabled. No all eCAP errors can be bypassed. -# If set to 0, the eCAP service is treated as essential and all -# eCAP errors will result in an error page returned to the +# If set to 'off' or '0', the eCAP service is treated as essential +# and all eCAP errors will result in an error page returned to the # HTTP client. -# service_url = ecap://vendor/service_name?custom&cgi=style¶meters=optional +# +# Bypass is off by default: services are treated as essential. +# +# routing=on|off|1|0 +# If set to 'on' or '1', the eCAP service is allowed to +# dynamically change the current message adaptation plan by +# returning a chain of services to be used next. +# +# Dynamic adaptation plan may cross or cover multiple supported +# vectoring points in their natural processing order. +# +# Routing is not allowed by default. +# +# Older ecap_service format without optional named parameters is +# deprecated but supported for backward compatibility. +# # #Example: -#ecap_service service_1 reqmod_precache 0 ecap://filters-R-us/leakDetector?on_error=block -#ecap_service service_2 respmod_precache 1 icap://filters-R-us/virusFilter?config=/etc/vf.cfg +#ecap_service s1 reqmod_precache ecap://filters.R.us/leakDetector?on_error=block bypass=off +#ecap_service s2 respmod_precache ecap://filters.R.us/virusFilter config=/etc/vf.cfg bypass=on #Default: # none @@ -5244,7 +6974,7 @@ cache_effective_group nobody # TAG: adaptation_service_set # Note: This option is only available if Squid is rebuilt with the -# --enable-ecap or --enable-icap-client option +# --enable-ecap or --enable-icap-client # # # Configures an ordered set of similar, redundant services. This is @@ -5286,7 +7016,7 @@ cache_effective_group nobody # TAG: adaptation_service_chain # Note: This option is only available if Squid is rebuilt with the -# --enable-ecap or --enable-icap-client option +# --enable-ecap or --enable-icap-client # # # Configures a list of complementary services that will be applied @@ -5324,7 +7054,7 @@ cache_effective_group nobody # TAG: adaptation_access # Note: This option is only available if Squid is rebuilt with the -# --enable-ecap or --enable-icap-client option +# --enable-ecap or --enable-icap-client # # Sends an HTTP transaction to an ICAP or eCAP adaptation service. # @@ -5358,11 +7088,11 @@ cache_effective_group nobody #Example: #adaptation_access service_1 allow all #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: adaptation_service_iteration_limit # Note: This option is only available if Squid is rebuilt with the -# --enable-ecap or --enable-icap-client option +# --enable-ecap or --enable-icap-client # # Limits the number of iterations allowed when applying adaptation # services to a message. If your longest adaptation set or chain @@ -5379,7 +7109,7 @@ cache_effective_group nobody # TAG: adaptation_masterx_shared_names # Note: This option is only available if Squid is rebuilt with the -# --enable-ecap or --enable-icap-client option +# --enable-ecap or --enable-icap-client # # For each master transaction (i.e., the HTTP request and response # sequence, including all related ICAP and eCAP exchanges), Squid @@ -5392,8 +7122,14 @@ cache_effective_group nobody # # An ICAP REQMOD or RESPMOD transaction may set an entry in the # shared table by returning an ICAP header field with a name -# specified in adaptation_masterx_shared_names. Squid will store -# and forward that ICAP header field to subsequent ICAP +# specified in adaptation_masterx_shared_names. +# +# An eCAP REQMOD or RESPMOD transaction may set an entry in the +# shared table by implementing the libecap::visitEachOption() API +# to provide an option with a name specified in +# adaptation_masterx_shared_names. +# +# Squid will store and forward the set entry to subsequent adaptation # transactions within the same master transaction scope. # # Only one shared entry name is supported at this time. @@ -5404,9 +7140,49 @@ cache_effective_group nobody #Default: # none +# TAG: adaptation_meta +# Note: This option is only available if Squid is rebuilt with the +# --enable-ecap or --enable-icap-client +# +# This option allows Squid administrator to add custom ICAP request +# headers or eCAP options to Squid ICAP requests or eCAP transactions. +# Use it to pass custom authentication tokens and other +# transaction-state related meta information to an ICAP/eCAP service. +# +# The addition of a meta header is ACL-driven: +# adaptation_meta name value [!]aclname ... +# +# Processing for a given header name stops after the first ACL list match. +# Thus, it is impossible to add two headers with the same name. If no ACL +# lists match for a given header name, no such header is added. For +# example: +# +# # do not debug transactions except for those that need debugging +# adaptation_meta X-Debug 1 needs_debugging +# +# # log all transactions except for those that must remain secret +# adaptation_meta X-Log 1 !keep_secret +# +# # mark transactions from users in the "G 1" group +# adaptation_meta X-Authenticated-Groups "G 1" authed_as_G1 +# +# The "value" parameter may be a regular squid.conf token or a "double +# quoted string". Within the quoted string, use backslash (\) to escape +# any character, which is currently only useful for escaping backslashes +# and double quotes. For example, +# "this string has one backslash (\\) and two \"quotes\"" +# +# Used adaptation_meta header values may be logged via %note +# logformat code. If multiple adaptation_meta headers with the same name +# are used during master transaction lifetime, the header values are +# logged in the order they were used and duplicate values are ignored +# (only the first repeated value will be logged). +#Default: +# none + # TAG: icap_retry # Note: This option is only available if Squid is rebuilt with the -# --enable-icap-client option +# --enable-icap-client # # This ACL determines which retriable ICAP transactions are # retried. Transactions that received a complete ICAP response @@ -5424,10 +7200,9 @@ cache_effective_group nobody # TAG: icap_retry_limit # Note: This option is only available if Squid is rebuilt with the -# --enable-icap-client option +# --enable-icap-client # -# Limits the number of retries allowed. When set to zero (default), -# no retries are allowed. +# Limits the number of retries allowed. # # Communication errors due to persistent connection race # conditions are unavoidable, automatically retried, and do not @@ -5435,7 +7210,7 @@ cache_effective_group nobody # # See also: icap_retry #Default: -# icap_retry_limit 0 +# No retries are allowed. # DNS OPTIONS # ----------------------------------------------------------------------------- @@ -5457,7 +7232,7 @@ cache_effective_group nobody # TAG: cache_dns_program # Note: This option is only available if Squid is rebuilt with the -# --disable-internal-dns option +# --disable-internal-dns # # Specify the location of the executable for dnslookup process. #Default: @@ -5465,21 +7240,38 @@ cache_effective_group nobody # TAG: dns_children # Note: This option is only available if Squid is rebuilt with the -# --disable-internal-dns option -# -# The number of processes spawn to service DNS name lookups. -# For heavily loaded caches on large servers, you should -# probably increase this value to at least 10. The maximum -# is 32. The default is 5. +# --disable-internal-dns # -# You must have at least one dnsserver process. +# The maximum number of processes spawn to service DNS name lookups. +# If you limit it too few Squid will have to wait for them to process +# a backlog of requests, slowing it down. If you allow too many they +# will use RAM and other system resources noticably. +# The maximum this may be safely set to is 32. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup= +# +# Sets a minimum of how many processes are to be spawned when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few will cause an initial slowdown in traffic as Squid +# attempts to simultaneously spawn enough processes to cope. +# +# idle= +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. #Default: -# dns_children 5 +# dns_children 32 startup=1 idle=1 # TAG: dns_retransmit_interval # Initial retransmit interval for DNS queries. The interval is # doubled each time all configured DNS servers have been tried. -# #Default: # dns_retransmit_interval 5 seconds @@ -5488,7 +7280,31 @@ cache_effective_group nobody # within this time all DNS servers for the queried domain # are assumed to be unavailable. #Default: -# dns_timeout 2 minutes +# dns_timeout 30 seconds + +# TAG: dns_packet_max +# Maximum number of bytes packet size to advertise via EDNS. +# Set to "none" to disable EDNS large packet support. +# +# For legacy reasons DNS UDP replies will default to 512 bytes which +# is too small for many responses. EDNS provides a means for Squid to +# negotiate receiving larger responses back immediately without having +# to failover with repeat requests. Responses larger than this limit +# will retain the old behaviour of failover to TCP DNS. +# +# Squid has no real fixed limit internally, but allowing packet sizes +# over 1500 bytes requires network jumbogram support and is usually not +# necessary. +# +# WARNING: The RFC also indicates that some older resolvers will reply +# with failure of the whole request if the extension is added. Some +# resolvers have already been identified which will reply with mangled +# EDNS response on occasion. Usually in response to many-KB jumbogram +# sizes being advertised by Squid. +# Squid will currently treat these both as an unable-to-resolve domain +# even if it would be resolvable without EDNS. +#Default: +# EDNS disabled # TAG: dns_defnames on|off # Normally the RES_DEFNAMES resolver option is disabled @@ -5496,12 +7312,21 @@ cache_effective_group nobody # from interpreting single-component hostnames locally. To allow # Squid to handle single-component names, enable this option. #Default: -# dns_defnames off +# Search for single-label domain names is disabled. + +# TAG: dns_multicast_local on|off +# When set to on, Squid sends multicast DNS lookups on the local +# network for domains ending in .local and .arpa. +# This enables local servers and devices to be contacted in an +# ad-hoc or zero-configuration network environment. +#Default: +# Search for .local and .arpa names is disabled. # TAG: dns_nameservers # Use this if you want to specify a list of DNS name servers # (IP addresses) to use instead of those given in your # /etc/resolv.conf file. +# # On Windows platforms, if no value is specified here or in # the /etc/resolv.conf file, the list of DNS name servers are # taken from the Windows registry, both static and dynamic DHCP @@ -5509,7 +7334,7 @@ cache_effective_group nobody # # Example: dns_nameservers 10.0.0.1 192.172.0.4 #Default: -# none +# Use operating system definitions # TAG: hosts_file # Location of the host-local IP name-address associations @@ -5548,7 +7373,7 @@ cache_effective_group nobody #Example: # append_domain .yourdomain.com #Default: -# none +# Use operating system definitions # TAG: ignore_unknown_nameservers # By default Squid checks that DNS responses are received @@ -5559,23 +7384,6 @@ cache_effective_group nobody #Default: # ignore_unknown_nameservers on -# TAG: dns_v4_fallback -# Standard practice with DNS is to lookup either A or AAAA records -# and use the results if it succeeds. Only looking up the other if -# the first attempt fails or otherwise produces no results. -# -# That policy however will cause squid to produce error pages for some -# servers that advertise AAAA but are unreachable over IPv6. -# -# If this is ON squid will always lookup both AAAA and A, using both. -# If this is OFF squid will lookup AAAA and only try A if none found. -# -# WARNING: There are some possibly unwanted side-effects with this on: -# *) Doubles the load placed by squid on the DNS network. -# *) May negatively impact connection delay times. -#Default: -# dns_v4_fallback on - # TAG: dns_v4_first # With the IPv6 Internet being as fast or faster than IPv4 Internet # for most networks Squid prefers to contact websites over IPv6. @@ -5592,6 +7400,7 @@ cache_effective_group nobody # dns_v4_first off # TAG: ipcache_size (number of entries) +# Maximum number of DNS IP cache entries. #Default: # ipcache_size 1024 @@ -5612,6 +7421,31 @@ cache_effective_group nobody # MISCELLANEOUS # ----------------------------------------------------------------------------- +# TAG: configuration_includes_quoted_values on|off +# Previous Squid versions have defined "quoted/string" as syntax for +# ACL to signifiy the value is an included file containing values and +# has treated the " characters in other places of the configuration file +# as part of the parameter value it was used for. +# +# For compatibility with existing installations that behaviour +# remains the default. +# +# If this directive is set to 'on', Squid will start parsing each +# "quoted string" as a single configuration directive parameter. The +# quotes are stripped before the parameter value is interpreted or use. +# +# That will continue for all lines until this directive is set to 'off', +# where Squid will return to the default configuration parsing. +# +# For example; +# +# configuration_includes_quoted_values on +# acl group external groupCheck Administrators "Internet Users" Guest +# configuration_includes_quoted_values off +# +#Default: +# configuration_includes_quoted_values off + # TAG: memory_pools on|off # If set, Squid will keep pools of allocated (but unused) memory # available for future use. If memory is a premium on your @@ -5662,7 +7496,7 @@ cache_effective_group nobody # X-Forwarded-For header. # # If set to "truncate", Squid will remove all existing -# X-Forwarded-For entries, and place itself as the sole entry. +# X-Forwarded-For entries, and place the client IP as the sole entry. #Default: # forwarded_for on @@ -5725,7 +7559,7 @@ cache_effective_group nobody # cachemgr_passwd lesssssssecret info stats/objects # cachemgr_passwd disable all #Default: -# none +# No password. Actions which require password are denied. # TAG: client_db on|off # If you want to disable collecting per-client statistics, @@ -5756,19 +7590,22 @@ cache_effective_group nobody #Default: # reload_into_ims off -# TAG: maximum_single_addr_tries -# This sets the maximum number of connection attempts for a -# host that only has one address (for multiple-address hosts, -# each address is tried once). +# TAG: connect_retries +# This sets the maximum number of connection attempts made for each +# TCP connection. The connect_retries attempts must all still +# complete within the connection timeout period. +# +# The default is not to re-try if the first connection attempt fails. +# The (not recommended) maximum is 10 tries. # -# The default value is one attempt, the (not recommended) -# maximum is 255 tries. A warning message will be generated -# if it is set to a value greater than ten. +# A warning message will be generated if it is set to a too-high +# value and the configured value will be over-ridden. # -# Note: This is in addition to the request re-forwarding which -# takes place if Squid fails to get a satisfying response. +# Note: These re-tries are in addition to forward_max_tries +# which limit how many different addresses may be tried to find +# a useful server. #Default: -# maximum_single_addr_tries 1 +# Do not retry failed connections. # TAG: retry_on_error # If set to ON Squid will automatically retry requests when @@ -5801,20 +7638,32 @@ cache_effective_group nobody # URI. Options: # # strip: The whitespace characters are stripped out of the URL. -# This is the behavior recommended by RFC2396. +# This is the behavior recommended by RFC2396 and RFC3986 +# for tolerant handling of generic URI. +# NOTE: This is one difference between generic URI and HTTP URLs. +# # deny: The request is denied. The user receives an "Invalid # Request" message. +# This is the behaviour recommended by RFC2616 for safe +# handling of HTTP request URL. +# # allow: The request is allowed and the URI is not changed. The # whitespace characters remain in the URI. Note the # whitespace is passed to redirector processes if they # are in use. +# Note this may be considered a violation of RFC2616 +# request parsing where whitespace is prohibited in the +# URL field. +# # encode: The request is allowed and the whitespace characters are -# encoded according to RFC1738. This could be considered -# a violation of the HTTP/1.1 -# RFC because proxies are not allowed to rewrite URI's. +# encoded according to RFC1738. +# # chop: The request is allowed and the URI is chopped at the -# first whitespace. This might also be considered a -# violation. +# first whitespace. +# +# +# NOTE the current Squid implementation of encode and chop violates +# RFC2616 by not using a 301 redirect after altering the URL. #Default: # uri_whitespace strip @@ -5841,23 +7690,28 @@ cache_effective_group nobody # balance_on_multiple_ip off # TAG: pipeline_prefetch -# To boost the performance of pipelined requests to closer -# match that of a non-proxied environment Squid can try to fetch -# up to two requests in parallel from a pipeline. -# -# Defaults to off for bandwidth management and access logging +# HTTP clients may send a pipeline of 1+N requests to Squid using a +# single connection, without waiting for Squid to respond to the first +# of those requests. This option limits the number of concurrent +# requests Squid will try to handle in parallel. If set to N, Squid +# will try to receive and process up to 1+N requests on the same +# connection concurrently. +# +# Defaults to 0 (off) for bandwidth management and access logging # reasons. # +# NOTE: pipelining requires persistent connections to clients. +# # WARNING: pipelining breaks NTLM and Negotiate/Kerberos authentication. #Default: -# pipeline_prefetch off +# Do not pre-parse pipelined requests. # TAG: high_response_time_warning (msec) # If the one-minute median response time exceeds this value, # Squid prints a WARNING with debug level 0 to get the # administrators attention. The value is in milliseconds. #Default: -# high_response_time_warning 0 +# disabled. # TAG: high_page_fault_warning # If the one-minute average page fault rate exceeds this @@ -5865,14 +7719,17 @@ cache_effective_group nobody # the administrators attention. The value is in page faults # per second. #Default: -# high_page_fault_warning 0 +# disabled. # TAG: high_memory_warning +# Note: This option is only available if Squid is rebuilt with the +# GNU Malloc with mstats() +# # If the memory usage (as determined by mallinfo) exceeds # this amount, Squid prints a WARNING with debug level 0 to get # the administrators attention. #Default: -# high_memory_warning 0 KB +# disabled. # TAG: sleep_after_fork (microseconds) # When this is set to a non-zero value, the main Squid process @@ -5889,6 +7746,9 @@ cache_effective_group nobody # sleep_after_fork 0 # TAG: windows_ipaddrchangemonitor on|off +# Note: This option is only available if Squid is rebuilt with the +# MS Windows +# # On Windows Squid by default will monitor IP address changes and will # reconfigure itself after any detected event. This is very useful for # proxies connected to internet with dial-up interfaces. @@ -5898,13 +7758,49 @@ cache_effective_group nobody #Default: # windows_ipaddrchangemonitor on +# TAG: eui_lookup +# Whether to lookup the EUI or MAC address of a connected client. +#Default: +# eui_lookup on + # TAG: max_filedescriptors -# The maximum number of filedescriptors supported. +# Reduce the maximum number of filedescriptors supported below +# the usual operating system defaults. # -# The default "0" means Squid inherits the current ulimit setting. +# Remove from squid.conf to inherit the current ulimit setting. # # Note: Changing this requires a restart of Squid. Also -# not all comm loops supports large values. +# not all I/O types supports large values (eg on Windows). +#Default: +# Use operating system limits set by ulimit. + +# TAG: workers +# Number of main Squid processes or "workers" to fork and maintain. +# 0: "no daemon" mode, like running "squid -N ..." +# 1: "no SMP" mode, start one main Squid process daemon (default) +# N: start N main Squid process daemons (i.e., SMP mode) +# +# In SMP mode, each worker does nearly all what a single Squid daemon +# does (e.g., listen on http_port and forward HTTP requests). +#Default: +# SMP support disabled. + +# TAG: cpu_affinity_map +# Usage: cpu_affinity_map process_numbers=P1,P2,... cores=C1,C2,... +# +# Sets 1:1 mapping between Squid processes and CPU cores. For example, +# +# cpu_affinity_map process_numbers=1,2,3,4 cores=1,3,5,7 +# +# affects processes 1 through 4 only and places them on the first +# four even cores, starting with core #1. +# +# CPU cores are numbered starting from 1. Requires support for +# sched_getaffinity(2) and sched_setaffinity(2) system calls. +# +# Multiple cpu_affinity_map options are merged. +# +# See also: workers #Default: -# max_filedescriptors 0 +# Let operating system decide. diff --git a/network/squid/squid.conf.documented b/network/squid/squid.conf.documented index 3efcd48cda43f..bd70bbfa5ff80 100644 --- a/network/squid/squid.conf.documented +++ b/network/squid/squid.conf.documented @@ -1,4 +1,4 @@ -# WELCOME TO SQUID 3.1.20 +# WELCOME TO SQUID 3.4.10 # ---------------------------- # # This is the documentation for the Squid configuration file. @@ -32,6 +32,140 @@ # This arbitrary restriction is to prevent recursive include references # from causing Squid entering an infinite loop whilst trying to load # configuration files. +# +# Values with byte units +# +# Squid accepts size units on some size related directives. All +# such directives are documented with a default value displaying +# a unit. +# +# Units accepted by Squid are: +# bytes - byte +# KB - Kilobyte (1024 bytes) +# MB - Megabyte +# GB - Gigabyte +# +# Values with spaces, quotes, and other special characters +# +# Squid supports directive parameters with spaces, quotes, and other +# special characters. Surround such parameters with "double quotes". Use +# the configuration_includes_quoted_values directive to enable or +# disable that support. +# +# For example; +# +# configuration_includes_quoted_values on +# acl group external groupCheck Administrators "Internet Users" Guest +# configuration_includes_quoted_values off +# +# +# Conditional configuration +# +# If-statements can be used to make configuration directives +# depend on conditions: +# +# if <CONDITION> +# ... regular configuration directives ... +# [else +# ... regular configuration directives ...] +# endif +# +# The else part is optional. The keywords "if", "else", and "endif" +# must be typed on their own lines, as if they were regular +# configuration directives. +# +# NOTE: An else-if condition is not supported. +# +# These individual conditions types are supported: +# +# true +# Always evaluates to true. +# false +# Always evaluates to false. +# <integer> = <integer> +# Equality comparison of two integer numbers. +# +# +# SMP-Related Macros +# +# The following SMP-related preprocessor macros can be used. +# +# ${process_name} expands to the current Squid process "name" +# (e.g., squid1, squid2, or cache1). +# +# ${process_number} expands to the current Squid process +# identifier, which is an integer number (e.g., 1, 2, 3) unique +# across all Squid processes. + +# TAG: broken_vary_encoding +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: cache_vary +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: collapsed_forwarding +# This option is not yet supported by Squid-3. see http://bugs.squid-cache.org/show_bug.cgi?id=3495 +#Default: +# none + +# TAG: error_map +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: external_refresh_check +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: location_rewrite_program +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: refresh_stale_hit +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: ignore_ims_on_miss +# Remove this line. The HTTP/1.1 feature is now configured by 'cache_miss_revalidate'. +#Default: +# none + +# TAG: ignore_expect_100 +# Remove this line. The HTTP/1.1 feature is now fully supported by default. +#Default: +# none + +# TAG: dns_v4_fallback +# Remove this line. Squid performs a 'Happy Eyeballs' algorithm, the 'fallback' algorithm is no longer relevant. +#Default: +# none + +# TAG: ftp_list_width +# Remove this line. Configure FTP page display using the CSS controls in errorpages.css instead. +#Default: +# none + +# TAG: maximum_single_addr_tries +# Replaced by connect_retries. The behaviour has changed, please read the documentation before altering. +#Default: +# none + +# TAG: update_headers +# Remove this line. The feature is supported by default in storage types where update is implemented. +#Default: +# none + +# TAG: url_rewrite_concurrency +# Remove this line. Set the 'concurrency=' option of url_rewrite_children instead. +#Default: +# none # TAG: dns_testnames # Remove this line. DNS is no longer tested on startup. @@ -43,6 +177,10 @@ #Default: # none +# TAG: zero_buffers +#Default: +# none + # TAG: incoming_rate #Default: # none @@ -73,6 +211,16 @@ #Default: # none +# TAG: wais_relay_host +# Replace this line with 'cache_peer' configuration. +#Default: +# none + +# TAG: wais_relay_port +# Replace this line with 'cache_peer' configuration. +#Default: +# none + # OPTIONS FOR AUTHENTICATION # ----------------------------------------------------------------------------- @@ -118,9 +266,22 @@ # # "program" cmdline # Specify the command for the external authenticator. Such a program -# reads a line containing "username password" and replies "OK" or -# "ERR" in an endless loop. "ERR" responses may optionally be followed -# by a error description available as %m in the returned error page. +# reads a line containing "username password" and replies with one of +# three results: +# +# OK +# the user exists. +# +# ERR +# the user does not exist. +# +# BH +# An internal error occurred in the helper, preventing +# a result being identified. +# +# "ERR" and "BH" results may optionally be followed by message="..." +# containing a description available as %m in the returned error page. +# # If you use an authenticator, make sure you have 1 acl of type # proxy_auth. # @@ -130,31 +291,36 @@ # If you want to use the traditional NCSA proxy authentication, set # this line to something like # -# auth_param basic program /usr/libexec/ncsa_auth /usr/etc/passwd +# auth_param basic program /usr/libexec/basic_ncsa_auth /usr/etc/passwd # # "utf8" on|off -# HTTP uses iso-latin-1 as characterset, while some authentication +# HTTP uses iso-latin-1 as character set, while some authentication # backends such as LDAP expects UTF-8. If this is set to on Squid will # translate the HTTP iso-latin-1 charset to UTF-8 before sending the # username & password to the helper. # -# "children" numberofchildren -# The number of authenticator processes to spawn. If you start too few +# "children" numberofchildren [startup=N] [idle=N] [concurrency=N] +# The maximum number of authenticator processes to spawn. If you start too few # Squid will have to wait for them to process a backlog of credential # verifications, slowing it down. When password verifications are # done via a (slow) network you are likely to need lots of # authenticator processes. -# auth_param basic children 5 -# -# "concurrency" concurrency -# The number of concurrent requests the helper can process. -# The default of 0 is used for helpers who only supports -# one request at a time. Setting this changes the protocol used to -# include a channel number first on the request/response line, allowing -# multiple requests to be sent to the same helper in parallell without -# wating for the response. +# +# The startup= and idle= options permit some skew in the exact amount +# run. A minimum of startup=N will begin during startup and reconfigure. +# Squid will start more in groups of up to idle=N in an attempt to meet +# traffic needs and to keep idle=N free above those traffic needs up to +# the maximum. +# +# The concurrency= option sets the number of concurrent requests the +# helper can process. The default of 0 is used for helpers who only +# supports one request at a time. Setting this to a number greater than +# 0 changes the protocol used to include a channel number first on the +# request/response line, allowing multiple requests to be sent to the +# same helper in parallel without waiting for the response. # Must not be set unless it's known the helper supports this. -# auth_param basic concurrency 0 +# +# auth_param basic children 20 startup=0 idle=1 # # "realm" realmstring # Specifies the realm name which is to be reported to the @@ -186,11 +352,22 @@ # "program" cmdline # Specify the command for the external authenticator. Such # a program reads a line containing "username":"realm" and -# replies with the appropriate H(A1) value hex encoded or -# ERR if the user (or his H(A1) hash) does not exists. -# See rfc 2616 for the definition of H(A1). -# "ERR" responses may optionally be followed by a error description -# available as %m in the returned error page. +# replies with one of three results: +# +# OK ha1="..." +# the user exists. The ha1= key is mandatory and +# contains the appropriate H(A1) value, hex encoded. +# See rfc 2616 for the definition of H(A1). +# +# ERR +# the user does not exist. +# +# BH +# An internal error occurred in the helper, preventing +# a result being identified. +# +# "ERR" and "BH" results may optionally be followed by message="..." +# containing a description available as %m in the returned error page. # # By default, the digest authentication scheme is not used unless a # program is specified. @@ -201,18 +378,33 @@ # auth_param digest program /usr/bin/digest_pw_auth /usr/etc/digpass # # "utf8" on|off -# HTTP uses iso-latin-1 as characterset, while some authentication +# HTTP uses iso-latin-1 as character set, while some authentication # backends such as LDAP expects UTF-8. If this is set to on Squid will # translate the HTTP iso-latin-1 charset to UTF-8 before sending the # username & password to the helper. # -# "children" numberofchildren -# The number of authenticator processes to spawn (no default). +# "children" numberofchildren [startup=N] [idle=N] [concurrency=N] +# The maximum number of authenticator processes to spawn (default 5). # If you start too few Squid will have to wait for them to # process a backlog of H(A1) calculations, slowing it down. # When the H(A1) calculations are done via a (slow) network # you are likely to need lots of authenticator processes. -# auth_param digest children 5 +# +# The startup= and idle= options permit some skew in the exact amount +# run. A minimum of startup=N will begin during startup and reconfigure. +# Squid will start more in groups of up to idle=N in an attempt to meet +# traffic needs and to keep idle=N free above those traffic needs up to +# the maximum. +# +# The concurrency= option sets the number of concurrent requests the +# helper can process. The default of 0 is used for helpers who only +# supports one request at a time. Setting this to a number greater than +# 0 changes the protocol used to include a channel number first on the +# request/response line, allowing multiple requests to be sent to the +# same helper in parallel without waiting for the response. +# Must not be set unless it's known the helper supports this. +# +# auth_param digest children 20 startup=0 idle=1 # # "realm" realmstring # Specifies the realm name which is to be reported to the @@ -236,7 +428,7 @@ # "nonce_strictness" on|off # Determines if squid requires strict increment-by-1 behavior # for nonce counts, or just incrementing (off - for use when -# useragents generate nonce counts that occasionally miss 1 +# user agents generate nonce counts that occasionally miss 1 # (ie, 1,2,4,6)). Default off. # # "check_nonce_count" on|off @@ -257,28 +449,34 @@ # Such a program reads exchanged NTLMSSP packets with # the browser via Squid until authentication is completed. # If you use an NTLM authenticator, make sure you have 1 acl -# of type proxy_auth. By default, the NTLM authenticator_program +# of type proxy_auth. By default, the NTLM authenticator program # is not used. # # auth_param ntlm program /usr/bin/ntlm_auth # -# "children" numberofchildren -# The number of authenticator processes to spawn (no default). +# "children" numberofchildren [startup=N] [idle=N] +# The maximum number of authenticator processes to spawn (default 5). # If you start too few Squid will have to wait for them to # process a backlog of credential verifications, slowing it # down. When credential verifications are done via a (slow) # network you are likely to need lots of authenticator # processes. # -# auth_param ntlm children 5 +# The startup= and idle= options permit some skew in the exact amount +# run. A minimum of startup=N will begin during startup and reconfigure. +# Squid will start more in groups of up to idle=N in an attempt to meet +# traffic needs and to keep idle=N free above those traffic needs up to +# the maximum. +# +# auth_param ntlm children 20 startup=0 idle=1 # # "keep_alive" on|off -# Whether to keep the connection open after the initial response where -# Squid tells the browser which schemes are supported by the proxy. -# Some browsers are known to present many login popups or to corrupt -# POST/PUT requests transfer if the connection is not closed. -# The default is currently OFF to avoid this, but may change. -# +# If you experience problems with PUT/POST requests when using the +# Negotiate authentication scheme then you can try setting this to +# off. This will cause Squid to forcibly close the connection on +# the initial requests where the browser asks which schemes are +# supported by the proxy. +# # auth_param ntlm keep_alive on # # === Options for configuring the NEGOTIATE auth-scheme follow === @@ -291,51 +489,58 @@ # using the Kerberos mechanisms. # If you use a Negotiate authenticator, make sure you have at least # one acl of type proxy_auth active. By default, the negotiate -# authenticator_program is not used. +# authenticator program is not used. # The only supported program for this role is the ntlm_auth # program distributed as part of Samba, version 4 or later. # # auth_param negotiate program /usr/bin/ntlm_auth --helper-protocol=gss-spnego # -# "children" numberofchildren -# The number of authenticator processes to spawn (no default). +# "children" numberofchildren [startup=N] [idle=N] +# The maximum number of authenticator processes to spawn (default 5). # If you start too few Squid will have to wait for them to # process a backlog of credential verifications, slowing it -# down. When crendential verifications are done via a (slow) +# down. When credential verifications are done via a (slow) # network you are likely to need lots of authenticator # processes. -# auth_param negotiate children 5 +# +# The startup= and idle= options permit some skew in the exact amount +# run. A minimum of startup=N will begin during startup and reconfigure. +# Squid will start more in groups of up to idle=N in an attempt to meet +# traffic needs and to keep idle=N free above those traffic needs up to +# the maximum. +# +# auth_param negotiate children 20 startup=0 idle=1 # # "keep_alive" on|off -# Whether to keep the connection open after the initial response where -# Squid tells the browser which schemes are supported by the proxy. -# Some browsers are known to present many login popups or to corrupt -# POST/PUT requests transfer if the connection is not closed. -# The default is currently OFF to avoid this, but may change. -# -# auth_param negotiate keep_alive on +# If you experience problems with PUT/POST requests when using the +# Negotiate authentication scheme then you can try setting this to +# off. This will cause Squid to forcibly close the connection on +# the initial requests where the browser asks which schemes are +# supported by the proxy. # +# auth_param negotiate keep_alive on # +# # Examples: # ##Recommended minimum configuration per scheme: ##auth_param negotiate program <uncomment and complete this line to activate> -##auth_param negotiate children 5 +##auth_param negotiate children 20 startup=0 idle=1 ##auth_param negotiate keep_alive on ## ##auth_param ntlm program <uncomment and complete this line to activate> -##auth_param ntlm children 5 +##auth_param ntlm children 20 startup=0 idle=1 ##auth_param ntlm keep_alive on ## ##auth_param digest program <uncomment and complete this line> -##auth_param digest children 5 +##auth_param digest children 20 startup=0 idle=1 ##auth_param digest realm Squid proxy-caching web server ##auth_param digest nonce_garbage_interval 5 minutes ##auth_param digest nonce_max_duration 30 minutes ##auth_param digest nonce_max_count 50 ## ##auth_param basic program <uncomment and complete this line> -##auth_param basic children 5 +##auth_param basic children 5 startup=5 idle=1 ##auth_param basic realm Squid proxy-caching web server ##auth_param basic credentialsttl 2 hours #Default: @@ -343,7 +548,7 @@ # TAG: authenticate_cache_garbage_interval # The time period between garbage collection across the username cache. -# This is a tradeoff between memory utilization (long intervals - say +# This is a trade-off between memory utilization (long intervals - say # 2 days) and CPU (short intervals - say 1 minute). Only change if you # have good reason to. #Default: @@ -362,11 +567,11 @@ # this directive controls how long Squid remembers the IP # addresses associated with each user. Use a small value # (e.g., 60 seconds) if your users might change addresses -# quickly, as is the case with dialups. You might be safe +# quickly, as is the case with dialup. You might be safe # using a larger value (e.g., 2 hours) in a corporate LAN # environment with relatively static address assignments. #Default: -# authenticate_ip_ttl 0 seconds +# authenticate_ip_ttl 1 second # ACCESS CONTROLS # ----------------------------------------------------------------------------- @@ -381,25 +586,50 @@ # # ttl=n TTL in seconds for cached results (defaults to 3600 # for 1 hour) +# # negative_ttl=n # TTL for cached negative lookups (default same # as ttl) -# children=n Number of acl helper processes spawn to service -# external acl lookups of this type. (default 5) -# concurrency=n concurrency level per process. Only used with helpers -# capable of processing more than one query at a time. -# cache=n result cache size, 0 is unbounded (default) +# # grace=n Percentage remaining of TTL where a refresh of a # cached entry should be initiated without needing to -# wait for a new reply. (default 0 for no grace period) -# protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers +# wait for a new reply. (default is for no grace period) +# +# cache=n Limit the result cache size, default is 262144. +# The expanded FORMAT value is used as the cache key, so +# if the details in FORMAT are highly variable a larger +# cache may be needed to produce reduction in helper load. +# +# children-max=n +# Maximum number of acl helper processes spawned to service +# external acl lookups of this type. (default 20) +# +# children-startup=n +# Minimum number of acl helper processes to spawn during +# startup and reconfigure to service external acl lookups +# of this type. (default 0) +# +# children-idle=n +# Number of acl helper processes to keep ahead of traffic +# loads. Squid will spawn this many at once whenever load +# rises above the capabilities of existing processes. +# Up to the value of children-max. (default 1) +# +# concurrency=n concurrency level per process. Only used with helpers +# capable of processing more than one query at a time. +# +# protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers. +# # ipv4 / ipv6 IP protocol used to communicate with this helper. # The default is to auto-detect IPv6 and use it when available. # +# # FORMAT specifications # # %LOGIN Authenticated user login name -# %EXT_USER Username from external acl +# %EXT_USER Username from previous external acl +# %EXT_LOG Log details from previous external acl +# %EXT_TAG Tag from previous external acl # %IDENT Ident user name # %SRC Client IP # %SRCPORT Client source port @@ -415,7 +645,7 @@ # %USER_CERT SSL User certificate in PEM format # %USER_CERTCHAIN SSL User certificate chain in PEM format # %USER_CERT_xx SSL User certificate subject attribute xx -# %USER_CA_xx SSL User certificate issuer attribute xx +# %USER_CA_CERT_xx SSL User certificate issuer attribute xx # # %>{Header} HTTP request header "Header" # %>{Hdr:member} @@ -433,43 +663,97 @@ # list separator. ; can be any non-alphanumeric # character. # +# %ACL The name of the ACL being tested. +# %DATA The ACL arguments. If not used then any arguments +# is automatically added at the end of the line +# sent to the helper. +# NOTE: this will encode the arguments as one token, +# whereas the default will pass each separately. +# # %% The percent sign. Useful for helpers which need # an unchanging input format. # -# In addition to the above, any string specified in the referencing -# acl will also be included in the helper request line, after the -# specified formats (see the "acl external" directive) # -# The helper receives lines per the above format specification, -# and returns lines starting with OK or ERR indicating the validity -# of the request and optionally followed by additional keywords with -# more details. +# General request syntax: +# +# [channel-ID] FORMAT-values [acl-values ...] +# +# +# FORMAT-values consists of transaction details expanded with +# whitespace separation per the config file FORMAT specification +# using the FORMAT macros listed above. +# +# acl-values consists of any string specified in the referencing +# config 'acl ... external' line. see the "acl external" directive. +# +# Request values sent to the helper are URL escaped to protect +# each value in requests against whitespaces. +# +# If using protocol=2.5 then the request sent to the helper is not +# URL escaped to protect against whitespace. +# +# NOTE: protocol=3.0 is deprecated as no longer necessary. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# +# The helper receives lines expanded per the above format specification +# and for each input line returns 1 line starting with OK/ERR/BH result +# code and optionally followed by additional keywords with more details. +# # # General result syntax: # -# OK/ERR keyword=value ... +# [channel-ID] result keyword=value ... +# +# Result consists of one of the codes: +# +# OK +# the ACL test produced a match. +# +# ERR +# the ACL test does not produce a match. +# +# BH +# An internal error occurred in the helper, preventing +# a result being identified. +# +# The meaning of 'a match' is determined by your squid.conf +# access control configuration. See the Squid wiki for details. # # Defined keywords: # # user= The users name (login) +# # password= The users password (for login= cache_peer option) -# message= Message describing the reason. Available as %o -# in error pages -# tag= Apply a tag to a request (for both ERR and OK results) -# Only sets a tag, does not alter existing tags. +# +# message= Message describing the reason for this response. +# Available as %o in error pages. +# Useful on (ERR and BH results). +# +# tag= Apply a tag to a request. Only sets a tag once, +# does not alter existing tags. +# # log= String to be logged in access.log. Available as -# %ea in logformat specifications +# %ea in logformat specifications. # -# If protocol=3.0 (the default) then URL escaping is used to protect -# each value in both requests and responses. +# Any keywords may be sent on any response whether OK, ERR or BH. # -# If using protocol=2.5 then all values need to be enclosed in quotes -# if they may contain whitespace, or the whitespace escaped using \. -# And quotes or \ characters within the keyword value must be \ escaped. +# All response keyword values need to be a single token with URL +# escaping, or enclosed in double quotes (") and escaped using \ on +# any double quotes or \ characters within the value. The wrapping +# double quotes are removed before the value is interpreted by Squid. +# \r and \n are also replace by CR and LF. # -# When using the concurrency= option the protocol is changed by -# introducing a query channel tag infront of the request/response. -# The query channel tag is a number between 0 and concurrency-1. +# Some example key values: +# +# user=John%20Smith +# user="John Smith" +# user="J. \"Bob\" Smith" #Default: # none @@ -485,9 +769,23 @@ # # When using "file", the file should contain one item per line. # -# By default, regular expressions are CASE-SENSITIVE. -# To make them case-insensitive, use the -i option. To return case-sensitive -# use the +i option between patterns, or make a new ACL line without -i. +# Some acl types supports options which changes their default behaviour. +# The available options are: +# +# -i,+i By default, regular expressions are CASE-SENSITIVE. To make them +# case-insensitive, use the -i option. To return case-sensitive +# use the +i option between patterns, or make a new ACL line +# without -i. +# +# -n Disable lookups and address type conversions. If lookup or +# conversion is required because the parameter type (IP or +# domain name) does not match the message address type (domain +# name or IP), then the ACL would immediately declare a mismatch +# without any warnings or lookups. +# +# -- Used to stop processing all options, in the case the first acl +# value has '-' character as first character (for example the '-' +# is a valid domain name) # # Some acl types require suspending the current request in order # to access some external data source. @@ -498,10 +796,10 @@ # # ***** ACL TYPES AVAILABLE ***** # -# acl aclname src ip-address/netmask ... # clients IP address [fast] -# acl aclname src addr1-addr2/netmask ... # range of addresses [fast] -# acl aclname dst ip-address/netmask ... # URL host's IP address [slow] -# acl aclname myip ip-address/netmask ... # local socket IP address [fast] +# acl aclname src ip-address/mask ... # clients IP address [fast] +# acl aclname src addr1-addr2/mask ... # range of addresses [fast] +# acl aclname dst [-n] ip-address/mask ... # URL host's IP address [slow] +# acl aclname localip ip-address/mask ... # IP address the client connected to [fast] # # acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation) # # The arp ACL requires the special configure option --enable-arp-acl. @@ -516,11 +814,11 @@ # # acl aclname srcdomain .foo.com ... # # reverse lookup, from client IP [slow] -# acl aclname dstdomain .foo.com ... +# acl aclname dstdomain [-n] .foo.com ... # # Destination server from URL [fast] # acl aclname srcdom_regex [-i] \.foo\.com ... # # regex matching client name [slow] -# acl aclname dstdom_regex [-i] \.foo\.com ... +# acl aclname dstdom_regex [-n] [-i] \.foo\.com ... # # regex matching server [fast] # # # # For dstdomain and dstdom_regex a reverse lookup is tried if a IP @@ -557,12 +855,16 @@ # # acl aclname url_regex [-i] ^http:// ... # # regex matching on whole URL [fast] +# acl aclname urllogin [-i] [^a-zA-Z0-9] ... +# # regex matching on URL login field # acl aclname urlpath_regex [-i] \.gif$ ... # # regex matching on URL path [fast] # # acl aclname port 80 70 21 0-1024... # destination TCP port [fast] # # ranges are alloed -# acl aclname myport 3128 ... # local socket TCP port [fast] +# acl aclname localport 3128 ... # TCP port the client connected to [fast] +# # NP: for interception mode this is usually '80' +# # acl aclname myportname 3128 ... # http(s)_port name [fast] # # acl aclname proto HTTP FTP ... # request protocol [fast] @@ -632,6 +934,11 @@ # # clients may appear to come from multiple addresses if they are # # going through proxy farms, so a limit of 1 may cause user problems. # +# acl aclname random probability +# # Pseudo-randomly match requests. Based on the probability given. +# # Probability may be written as a decimal (0.333), fraction (1/3) +# # or ratio of matches:non-matches (3:5). +# # acl aclname req_mime_type [-i] mime-type ... # # regex match against the mime type of the request generated # # by the client. Can be used to detect file upload or some @@ -677,6 +984,47 @@ # acl aclname tag tagvalue ... # # string match on tag returned by external acl helper [slow] # +# acl aclname hier_code codename ... +# # string match against squid hierarchy code(s); [fast] +# # e.g., DIRECT, PARENT_HIT, NONE, etc. +# # +# # NOTE: This has no effect in http_access rules. It only has +# # effect in rules that affect the reply data stream such as +# # http_reply_access. +# +# acl aclname note name [value ...] +# # match transaction annotation [fast] +# # Without values, matches any annotation with a given name. +# # With value(s), matches any annotation with a given name that +# # also has one of the given values. +# # Names and values are compared using a string equality test. +# # Annotation sources include note and adaptation_meta directives +# # as well as helper and eCAP responses. +# +# acl aclname any-of acl1 acl2 ... +# # match any one of the acls [fast or slow] +# # The first matching ACL stops further ACL evaluation. +# # +# # ACLs from multiple any-of lines with the same name are ORed. +# # For example, A = (a1 or a2) or (a3 or a4) can be written as +# # acl A any-of a1 a2 +# # acl A any-of a3 a4 +# # +# # This group ACL is fast if all evaluated ACLs in the group are fast +# # and slow otherwise. +# +# acl aclname all-of acl1 acl2 ... +# # match all of the acls [fast or slow] +# # The first mismatching ACL stops further ACL evaluation. +# # +# # ACLs from multiple all-of lines with the same name are ORed. +# # For example, B = (b1 and b2) or (b3 and b4) can be written as +# # acl B all-of b1 b2 +# # acl B all-of b3 b4 +# # +# # This group ACL is fast if all evaluated ACLs in the group are fast +# # and slow otherwise. +# # Examples: # acl macaddress arp 09:00:2b:23:45:67 # acl myexample dst_as 1241 @@ -685,14 +1033,11 @@ # acl javascript rep_mime_type -i ^application/x-javascript$ # #Default: -# acl all src all +# ACLs all, manager, localhost, and to_localhost are predefined. # # # Recommended minimum configuration: # -acl manager proto cache_object -acl localhost src 127.0.0.1/32 ::1 -acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1 # Example rule allowing access from your local networks. # Adapt to list your (internal) IP networks from where browsing @@ -739,8 +1084,8 @@ acl CONNECT method CONNECT # refer to as the indirect client address. This address may # be treated as the client address for access control, ICAP, delay # pools and logging, depending on the acl_uses_indirect_client, -# icap_uses_indirect_client, delay_pool_uses_indirect_client and -# log_uses_indirect_client options. +# icap_uses_indirect_client, delay_pool_uses_indirect_client, +# log_uses_indirect_client and tproxy_uses_indirect_client options. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. @@ -761,7 +1106,7 @@ acl CONNECT method CONNECT # follow_x_forwarded_for allow localhost # follow_x_forwarded_for allow my_other_proxy #Default: -# follow_x_forwarded_for deny all +# X-Forwarded-For header will be ignored. # TAG: acl_uses_indirect_client on|off # Controls whether the indirect client address @@ -775,7 +1120,7 @@ acl CONNECT method CONNECT # TAG: delay_pool_uses_indirect_client on|off # Note: This option is only available if Squid is rebuilt with the -# --enable-follow-x-forwarded-for and --enable-delay-pools option +# --enable-follow-x-forwarded-for and --enable-delay-pools # # Controls whether the indirect client address # (see follow_x_forwarded_for) is used instead of the @@ -790,6 +1135,37 @@ acl CONNECT method CONNECT #Default: # log_uses_indirect_client on +# TAG: tproxy_uses_indirect_client on|off +# Controls whether the indirect client address +# (see follow_x_forwarded_for) is used instead of the +# direct client address when spoofing the outgoing client. +# +# This has no effect on requests arriving in non-tproxy +# mode ports. +# +# SECURITY WARNING: Usage of this option is dangerous +# and should not be used trivially. Correct configuration +# of follow_x_forewarded_for with a limited set of trusted +# sources is required to prevent abuse of your proxy. +#Default: +# tproxy_uses_indirect_client off + +# TAG: spoof_client_ip +# Control client IP address spoofing of TPROXY traffic based on +# defined access lists. +# +# spoof_client_ip allow|deny [!]aclname ... +# +# If there are no "spoof_client_ip" lines present, the default +# is to "allow" spoofing of any suitable request. +# +# Note that the cache_peer "no-tproxy" option overrides this ACL. +# +# This clause supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Allow spoofing on all TPROXY traffic. + # TAG: http_access # Allowing or Denying access based on defined access lists # @@ -812,22 +1188,22 @@ acl CONNECT method CONNECT # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # #Default: -# http_access deny all +# Deny, unless rules exist in squid.conf. # # # Recommended minimum Access Permission configuration: # -# Only allow cachemgr access from localhost -http_access allow manager localhost -http_access deny manager - # Deny requests to certain unsafe ports http_access deny !Safe_ports # Deny CONNECT to other than secure SSL ports http_access deny CONNECT !SSL_ports +# Only allow cachemgr access from localhost +http_access allow localhost manager +http_access deny manager + # We strongly recommend the following be uncommented to protect innocent # web applications running on the proxy server who think the only # one who can access services on "localhost" is a local user @@ -855,7 +1231,7 @@ http_access deny all # # If not set then only http_access is used. #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: http_reply_access # Allow replies to client requests. This is complementary to http_access. @@ -863,7 +1239,7 @@ http_access deny all # http_reply_access allow|deny [!] aclname ... # # NOTE: if there are no access lines present, the default is to allow -# all replies +# all replies. # # If none of the access lines cause a match the opposite of the # last line will apply. Thus it is good practice to end the rules @@ -872,7 +1248,7 @@ http_access deny all # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: icp_access # Allowing or Denying access to the ICP port based on defined @@ -880,7 +1256,9 @@ http_access deny all # # icp_access allow|deny [!]aclname ... # -# See http_access for details +# NOTE: The default if no icp_access lines are present is to +# deny all traffic. This default may cause problems with peers +# using ICP. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. @@ -889,7 +1267,7 @@ http_access deny all ##icp_access allow localnet ##icp_access deny all #Default: -# icp_access deny all +# Deny, unless rules exist in squid.conf. # TAG: htcp_access # Allowing or Denying access to the HTCP port based on defined @@ -897,11 +1275,12 @@ http_access deny all # # htcp_access allow|deny [!]aclname ... # -# See http_access for details +# See also htcp_clr_access for details on access control for +# cache purge (CLR) HTCP messages. # # NOTE: The default if no htcp_access lines are present is to # deny all traffic. This default may cause problems with peers -# using the htcp or htcp-oldsquid options. +# using the htcp option. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. @@ -910,24 +1289,24 @@ http_access deny all ##htcp_access allow localnet ##htcp_access deny all #Default: -# htcp_access deny all +# Deny, unless rules exist in squid.conf. # TAG: htcp_clr_access # Allowing or Denying access to purge content using HTCP based -# on defined access lists +# on defined access lists. +# See htcp_access for details on general HTCP access control. # # htcp_clr_access allow|deny [!]aclname ... # -# See http_access for details -# # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # ## Allow HTCP CLR requests from trusted peers -#acl htcp_clr_peer src 172.16.1.2 +#acl htcp_clr_peer src 192.0.2.2 2001:DB8::2 #htcp_clr_access allow htcp_clr_peer +#htcp_clr_access deny all #Default: -# htcp_clr_access deny all +# Deny, unless rules exist in squid.conf. # TAG: miss_access # Determins whether network access is permitted when satisfying a request. @@ -936,22 +1315,21 @@ http_access deny all # to force your neighbors to use you as a sibling instead of # a parent. # -# acl localclients src 172.16.0.0/16 -# miss_access allow localclients +# acl localclients src 192.0.2.0/24 2001:DB8::a:0/64 # miss_access deny !localclients +# miss_access allow all # # This means only your local clients are allowed to fetch relayed/MISS # replies from the network and all other clients can only fetch cached # objects (HITs). # -# # The default for this setting allows all clients who passed the # http_access rules to relay via this proxy. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# miss_access allow all +# Allow, unless rules exist in squid.conf. # TAG: ident_lookup_access # A list of ACL elements which, if matched, cause an ident @@ -975,7 +1353,7 @@ http_access deny all # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# ident_lookup_access deny all +# Unless rules exist in squid.conf, IDENT is not fetched. # TAG: reply_body_max_size size [acl acl...] # This option specifies the maximum size of a reply body. It can be @@ -1012,23 +1390,22 @@ http_access deny all # reply_body_max_size 10 MB # #Default: -# none +# No limit is applied. # NETWORK OPTIONS # ----------------------------------------------------------------------------- # TAG: http_port -# Usage: port [options] -# hostname:port [options] -# 1.2.3.4:port [options] +# Usage: port [mode] [options] +# hostname:port [mode] [options] +# 1.2.3.4:port [mode] [options] # # The socket addresses where Squid will listen for HTTP client # requests. You may specify multiple socket addresses. # There are three forms: port alone, hostname with port, and # IP address with port. If you specify a hostname or IP # address, Squid binds the socket to that specific -# address. This replaces the old 'tcp_incoming_address' -# option. Most likely, you do not need to bind to a specific +# address. Most likely, you do not need to bind to a specific # address, so you can use the port number alone. # # If you are running Squid in accelerator mode, you @@ -1040,7 +1417,7 @@ http_access deny all # # You may specify multiple socket addresses on multiple lines. # -# Options: +# Modes: # # intercept Support for IP-Layer interception of # outgoing requests without browser settings. @@ -1050,38 +1427,161 @@ http_access deny all # connections using the client IP address. # NP: disables authentication and maybe IPv6 on the port. # -# accel Accelerator mode. Also needs at least one of -# vhost / vport / defaultsite. +# accel Accelerator / reverse proxy mode # -# allow-direct Allow direct forwarding in accelerator mode. Normally -# accelerated requests are denied direct forwarding as if -# never_direct was used. +# ssl-bump For each CONNECT request allowed by ssl_bump ACLs, +# establish secure connection with the client and with +# the server, decrypt HTTPS messages as they pass through +# Squid, and treat them as unencrypted HTTP messages, +# becoming the man-in-the-middle. +# +# The ssl_bump option is required to fully enable +# bumping of CONNECT requests. +# +# Omitting the mode flag causes default forward proxy mode to be used. +# +# +# Accelerator Mode Options: # # defaultsite=domainname # What to use for the Host: header if it is not present # in a request. Determines what site (not origin server) # accelerators should consider the default. -# Implies accel. # -# vhost Accelerator mode using Host header for virtual domain support. -# Also uses the port as specified in Host: header unless -# overridden by the vport option. Implies accel. +# no-vhost Disable using HTTP/1.1 Host header for virtual domain support. +# +# protocol= Protocol to reconstruct accelerated requests with. +# Defaults to http for http_port and https for +# https_port # # vport Virtual host port support. Using the http_port number -# instead of the port passed on Host: headers. Implies accel. +# instead of the port passed on Host: headers. # # vport=NN Virtual host port support. Using the specified port # number instead of the port passed on Host: headers. -# Implies accel. # -# protocol= Protocol to reconstruct accelerated requests with. -# Defaults to http. +# act-as-origin +# Act as if this Squid is the origin server. +# This currently means generate new Date: and Expires: +# headers on HIT instead of adding Age:. # # ignore-cc Ignore request Cache-Control headers. # -# Warning: This option violates HTTP specifications if +# WARNING: This option violates HTTP specifications if # used in non-accelerator setups. # +# allow-direct Allow direct forwarding in accelerator mode. Normally +# accelerated requests are denied direct forwarding as if +# never_direct was used. +# +# WARNING: this option opens accelerator mode to security +# vulnerabilities usually only affecting in interception +# mode. Make sure to protect forwarding with suitable +# http_access rules when using this. +# +# +# SSL Bump Mode Options: +# In addition to these options ssl-bump requires TLS/SSL options. +# +# generate-host-certificates[=<on|off>] +# Dynamically create SSL server certificates for the +# destination hosts of bumped CONNECT requests.When +# enabled, the cert and key options are used to sign +# generated certificates. Otherwise generated +# certificate will be selfsigned. +# If there is a CA certificate lifetime of the generated +# certificate equals lifetime of the CA certificate. If +# generated certificate is selfsigned lifetime is three +# years. +# This option is enabled by default when ssl-bump is used. +# See the ssl-bump option above for more information. +# +# dynamic_cert_mem_cache_size=SIZE +# Approximate total RAM size spent on cached generated +# certificates. If set to zero, caching is disabled. The +# default value is 4MB. +# +# TLS / SSL Options: +# +# cert= Path to SSL certificate (PEM format). +# +# key= Path to SSL private key file (PEM format) +# if not specified, the certificate file is +# assumed to be a combined certificate and +# key file. +# +# version= The version of SSL/TLS supported +# 1 automatic (default) +# 2 SSLv2 only +# 3 SSLv3 only +# 4 TLSv1.0 only +# 5 TLSv1.1 only +# 6 TLSv1.2 only +# +# cipher= Colon separated list of supported ciphers. +# NOTE: some ciphers such as EDH ciphers depend on +# additional settings. If those settings are +# omitted the ciphers may be silently ignored +# by the OpenSSL library. +# +# options= Various SSL implementation options. The most important +# being: +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# SINGLE_DH_USE Always create a new key when using +# temporary/ephemeral DH key exchanges +# ALL Enable various bug workarounds +# suggested as "harmless" by OpenSSL +# Be warned that this reduces SSL/TLS +# strength to some attacks. +# See OpenSSL SSL_CTX_set_options documentation for a +# complete list of options. +# +# clientca= File containing the list of CAs to use when +# requesting a client certificate. +# +# cafile= File containing additional CA certificates to +# use when verifying client certificates. If unset +# clientca will be used. +# +# capath= Directory containing additional CA certificates +# and CRL lists to use when verifying client certificates. +# +# crlfile= File of additional CRL lists to use when verifying +# the client certificate, in addition to CRLs stored in +# the capath. Implies VERIFY_CRL flag below. +# +# dhparams= File containing DH parameters for temporary/ephemeral +# DH key exchanges. See OpenSSL documentation for details +# on how to create this file. +# WARNING: EDH ciphers will be silently disabled if this +# option is not set. +# +# sslflags= Various flags modifying the use of SSL: +# DELAYED_AUTH +# Don't request client certificates +# immediately, but wait until acl processing +# requires a certificate (not yet implemented). +# NO_DEFAULT_CA +# Don't use the default CA lists built in +# to OpenSSL. +# NO_SESSION_REUSE +# Don't allow for session reuse. Each connection +# will result in a new SSL session. +# VERIFY_CRL +# Verify CRL lists when accepting client +# certificates. +# VERIFY_CRL_ALL +# Verify CRL lists for all certificates in the +# client certificate chain. +# +# sslcontext= SSL session ID context identifier. +# +# Other Options: +# # connection-auth[=on|off] # use connection-auth=off to tell Squid to prevent # forwarding Microsoft connection oriented authentication @@ -1103,22 +1603,6 @@ http_access deny all # sporadically hang or never complete requests set # disable-pmtu-discovery option to 'transparent'. # -# ssl-bump Intercept each CONNECT request matching ssl_bump ACL, -# establish secure connection with the client and with -# the server, decrypt HTTP messages as they pass through -# Squid, and treat them as unencrypted HTTP messages, -# becoming the man-in-the-middle. -# -# When this option is enabled, additional options become -# available to specify SSL-related properties of the -# client-side connection: cert, key, version, cipher, -# options, clientca, cafile, capath, crlfile, dhparams, -# sslflags, and sslcontext. See the https_port directive -# for more information on these options. -# -# The ssl_bump option is required to fully enable -# the SslBump feature. -# # name= Specifies a internal name for the port. Defaults to # the port specification (port or addr:port) # @@ -1140,35 +1624,49 @@ http_port 3128 # TAG: https_port # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --enable-ssl # -# Usage: [ip:]port cert=certificate.pem [key=key.pem] [options...] +# Usage: [ip:]port cert=certificate.pem [key=key.pem] [mode] [options...] # -# The socket address where Squid will listen for HTTPS client -# requests. +# The socket address where Squid will listen for client requests made +# over TLS or SSL connections. Commonly referred to as HTTPS. # -# This is really only useful for situations where you are running -# squid in accelerator mode and you want to do the SSL work at the -# accelerator level. +# This is most useful for situations where you are running squid in +# accelerator mode and you want to do the SSL work at the accelerator level. # # You may specify multiple socket addresses on multiple lines, # each with their own SSL certificate and/or options. # -# Options: +# Modes: +# +# accel Accelerator / reverse proxy mode +# +# intercept Support for IP-Layer interception of +# outgoing requests without browser settings. +# NP: disables authentication and IPv6 on the port. +# +# tproxy Support Linux TPROXY for spoofing outgoing +# connections using the client IP address. +# NP: disables authentication and maybe IPv6 on the port. # -# accel Accelerator mode. Also needs at least one of -# defaultsite or vhost. +# ssl-bump For each intercepted connection allowed by ssl_bump +# ACLs, establish a secure connection with the client and with +# the server, decrypt HTTPS messages as they pass through +# Squid, and treat them as unencrypted HTTP messages, +# becoming the man-in-the-middle. # -# defaultsite= The name of the https site presented on -# this port. Implies accel. +# An "ssl_bump server-first" match is required to +# fully enable bumping of intercepted SSL connections. # -# vhost Accelerator mode using Host header for virtual -# domain support. Requires a wildcard certificate -# or other certificate valid for more than one domain. -# Implies accel. +# Requires tproxy or intercept. # -# protocol= Protocol to reconstruct accelerated requests with. -# Defaults to https. +# Omitting the mode flag causes default forward proxy mode to be used. +# +# +# See http_port for a list of generic options +# +# +# SSL Options: # # cert= Path to SSL certificate (PEM format). # @@ -1184,10 +1682,6 @@ http_port 3128 # 4 TLSv1 only # # cipher= Colon separated list of supported ciphers. -# NOTE: some ciphers such as EDH ciphers depend on -# additional settings. If those settings are -# omitted the ciphers may be silently ignored -# by the OpenSSL library. # # options= Various SSL engine options. The most important # being: @@ -1196,8 +1690,8 @@ http_port 3128 # NO_TLSv1 Disallow the use of TLSv1 # SINGLE_DH_USE Always create a new key when using # temporary/ephemeral DH key exchanges -# See OpenSSL SSL_CTX_set_options documentation for a -# complete list of options. +# See src/ssl_support.c or OpenSSL SSL_CTX_set_options +# documentation for a complete list of options. # # clientca= File containing the list of CAs to use when # requesting a client certificate. @@ -1214,10 +1708,7 @@ http_port 3128 # the capath. Implies VERIFY_CRL flag below. # # dhparams= File containing DH parameters for temporary/ephemeral -# DH key exchanges. See OpenSSL documentation for details -# on how to create this file. -# WARNING: EDH ciphers will be silently disabled if this -# option is not set. +# DH key exchanges. # # sslflags= Various flags modifying the use of SSL: # DELAYED_AUTH @@ -1241,38 +1732,29 @@ http_port 3128 # # generate-host-certificates[=<on|off>] # Dynamically create SSL server certificates for the -# destination hosts of bumped CONNECT requests.When +# destination hosts of bumped SSL requests.When # enabled, the cert and key options are used to sign # generated certificates. Otherwise generated # certificate will be selfsigned. -# If there is CA certificate life time of generated +# If there is CA certificate life time of generated # certificate equals lifetime of CA certificate. If -# generated certificate is selfsigned lifetime is three +# generated certificate is selfsigned lifetime is three # years. # This option is enabled by default when SslBump is used. # See the sslBump option above for more information. -# +# # dynamic_cert_mem_cache_size=SIZE # Approximate total RAM size spent on cached generated # certificates. If set to zero, caching is disabled. The -# default value is 4MB. An average XXX-bit certificate -# consumes about XXX bytes of RAM. -# -# vport Accelerator with IP based virtual host support. -# -# vport=NN As above, but uses specified port number rather -# than the https_port number. Implies accel. -# -# name= Specifies a internal name for the port. Defaults to -# the port specification (port or addr:port) +# default value is 4MB. # +# See http_port for a list of available options. #Default: # none # TAG: tcp_outgoing_tos -# Allows you to select a TOS/Diffserv value to mark outgoing -# connections with, based on the username or source address -# making the request. +# Allows you to select a TOS/Diffserv value for packets outgoing +# on the server side, based on an ACL. # # tcp_outgoing_tos ds-field [!]aclname ... # @@ -1295,38 +1777,97 @@ http_port 3128 # # Processing proceeds in the order specified, and stops at first fully # matching line. -# -# Note: The use of this directive using client dependent ACLs is -# incompatible with the use of server side persistent connections. To -# ensure correct results it is best to set server_persisten_connections -# to off when using this directive in such configurations. #Default: # none # TAG: clientside_tos -# Allows you to select a TOS/Diffserv value to mark client-side -# connections with, based on the username or source address -# making the request. +# Allows you to select a TOS/Diffserv value for packets being transmitted +# on the client-side, based on an ACL. +# +# clientside_tos ds-field [!]aclname ... +# +# Example where normal_service_net uses the TOS value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# clientside_tos 0x00 normal_service_net +# clientside_tos 0x20 good_service_net +# +# Note: This feature is incompatible with qos_flows. Any TOS values set here +# will be overwritten by TOS values in qos_flows. #Default: # none -# TAG: qos_flows +# TAG: tcp_outgoing_mark +# Note: This option is only available if Squid is rebuilt with the +# Packet MARK (Linux) +# +# Allows you to apply a Netfilter mark value to outgoing packets +# on the server side, based on an ACL. +# +# tcp_outgoing_mark mark-value [!]aclname ... +# +# Example where normal_service_net uses the mark value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# tcp_outgoing_mark 0x00 normal_service_net +# tcp_outgoing_mark 0x20 good_service_net +#Default: +# none + +# TAG: clientside_mark # Note: This option is only available if Squid is rebuilt with the -# --enable-zph-qos option +# Packet MARK (Linux) +# +# Allows you to apply a Netfilter mark value to packets being transmitted +# on the client-side, based on an ACL. +# +# clientside_mark mark-value [!]aclname ... # +# Example where normal_service_net uses the mark value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# clientside_mark 0x00 normal_service_net +# clientside_mark 0x20 good_service_net +# +# Note: This feature is incompatible with qos_flows. Any mark values set here +# will be overwritten by mark values in qos_flows. +#Default: +# none + +# TAG: qos_flows # Allows you to select a TOS/DSCP value to mark outgoing -# connections with, based on where the reply was sourced. +# connections to the client, based on where the reply was sourced. +# For platforms using netfilter, allows you to set a netfilter mark +# value instead of, or in addition to, a TOS value. +# +# By default this functionality is disabled. To enable it with the default +# settings simply use "qos_flows mark" or "qos_flows tos". Default +# settings will result in the netfilter mark or TOS value being copied +# from the upstream connection to the client. Note that it is the connection +# CONNMARK value not the packet MARK value that is copied. +# +# It is not currently possible to copy the mark or TOS value from the +# client to the upstream connection request. # # TOS values really only have local significance - so you should # know what you're specifying. For more information, see RFC2474, # RFC2475, and RFC3260. # -# The TOS/DSCP byte must be exactly that - octet value 0x00-0xFF. -# Note that in practice often only values up to 0x3F are usable -# as the two highest bits have been redefined for use by ECN -# (RFC3168). +# The TOS/DSCP byte must be exactly that - a octet value 0 - 255. Note that +# in practice often only multiples of 4 is usable as the two rightmost bits +# have been redefined for use by ECN (RFC 3168 section 23.1). +# +# Mark values can be any unsigned 32-bit integer value. +# +# This setting is configured by setting the following values: # -# This setting is configured by setting the source TOS values: +# tos|mark Whether to set TOS or netfilter mark values # # local-hit=0xFF Value to mark local cache hits. # @@ -1334,23 +1875,37 @@ http_port 3128 # # parent-hit=0xFF Value to mark hits from parent peers. # +# miss=0xFF[/mask] Value to mark cache misses. Takes precedence +# over the preserve-miss feature (see below), unless +# mask is specified, in which case only the bits +# specified in the mask are written. # -# NOTE: 'miss' preserve feature is only possible on Linux at this time. -# -# For the following to work correctly, you will need to patch your -# linux kernel with the TOS preserving ZPH patch. -# The kernel patch can be downloaded from http://zph.bratcheda.org +# The TOS variant of the following features are only possible on Linux +# and require your kernel to be patched with the TOS preserving ZPH +# patch, available from http://zph.bratcheda.org +# No patch is needed to preserve the netfilter mark, which will work +# with all variants of netfilter. # # disable-preserve-miss -# By default, the existing TOS value of the response coming -# from the remote server will be retained and masked with -# miss-mark. This option disables that feature. +# This option disables the preservation of the TOS or netfilter +# mark. By default, the existing TOS or netfilter mark value of +# the response coming from the remote server will be retained +# and masked with miss-mark. +# NOTE: in the case of a netfilter mark, the mark must be set on +# the connection (using the CONNMARK target) not on the packet +# (MARK target). # # miss-mask=0xFF -# Allows you to mask certain bits in the TOS received from the -# remote server, before copying the value to the TOS sent -# towards clients. -# Default: 0xFF (TOS from server is not changed). +# Allows you to mask certain bits in the TOS or mark value +# received from the remote server, before copying the value to +# the TOS sent towards clients. +# Default for tos: 0xFF (TOS from server is not changed). +# Default for mark: 0xFFFFFFFF (mark from server is not changed). +# +# All of these features require the --enable-zph-qos compilation flag +# (enabled by default). Netfilter marking also requires the +# libnetfilter_conntrack libraries (--with-netfilter-conntrack) and +# libcap 2.09+ (--with-libcap). # #Default: # none @@ -1362,72 +1917,133 @@ http_port 3128 # # tcp_outgoing_address ipaddr [[!]aclname] ... # -# Example where requests from 10.0.0.0/24 will be forwarded -# with source address 10.1.0.1, 10.0.2.0/24 forwarded with -# source address 10.1.0.2 and the rest will be forwarded with -# source address 10.1.0.3. -# -# acl normal_service_net src 10.0.0.0/24 -# acl good_service_net src 10.0.2.0/24 -# tcp_outgoing_address 10.1.0.1 normal_service_net -# tcp_outgoing_address 10.1.0.2 good_service_net -# tcp_outgoing_address 10.1.0.3 -# -# Processing proceeds in the order specified, and stops at first fully -# matching line. -# -# Note: The use of this directive using client dependent ACLs is -# incompatible with the use of server side persistent connections. To -# ensure correct results it is best to set server_persistent_connections -# to off when using this directive in such configurations. -# +# For example; +# Forwarding clients with dedicated IPs for certain subnets. # -# IPv6 Magic: +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.2.0/24 # -# Squid is built with a capability of bridging the IPv4 and IPv6 -# internets. -# tcp_outgoing_address as exampled above breaks this bridging by forcing -# all outbound traffic through a certain IPv4 which may be on the wrong -# side of the IPv4/IPv6 boundary. +# tcp_outgoing_address 2001:db8::c001 good_service_net +# tcp_outgoing_address 10.1.0.2 good_service_net # -# To operate with tcp_outgoing_address and keep the bridging benefits -# an additional ACL needs to be used which ensures the IPv6-bound traffic -# is never forced or permitted out the IPv4 interface. +# tcp_outgoing_address 2001:db8::beef normal_service_net +# tcp_outgoing_address 10.1.0.1 normal_service_net # -# # IPv6 destination test along with a dummy access control to perofrm the required DNS -# # This MUST be place before any ALLOW rules. -# acl to_ipv6 dst ipv6 -# http_access deny ipv6 !all +# tcp_outgoing_address 2001:db8::1 +# tcp_outgoing_address 10.1.0.3 # -# tcp_outgoing_address 2001:db8::c001 good_service_net to_ipv6 -# tcp_outgoing_address 10.1.0.2 good_service_net !to_ipv6 +# Processing proceeds in the order specified, and stops at first fully +# matching line. # -# tcp_outgoing_address 2001:db8::beef normal_service_net to_ipv6 -# tcp_outgoing_address 10.1.0.1 normal_service_net !to_ipv6 +# Squid will add an implicit IP version test to each line. +# Requests going to IPv4 websites will use the outgoing 10.1.0.* addresses. +# Requests going to IPv6 websites will use the outgoing 2001:db8:* addresses. # -# tcp_outgoing_address 2001:db8::1 to_ipv6 -# tcp_outgoing_address 10.1.0.3 !to_ipv6 # -# WARNING: -# 'dst ipv6' bases its selection assuming DIRECT access. -# If peers are used the peername ACL are needed to select outgoing -# address which can link to the peer. +# NOTE: The use of this directive using client dependent ACLs is +# incompatible with the use of server side persistent connections. To +# ensure correct results it is best to set server_persistent_connections +# to off when using this directive in such configurations. # -# 'dst ipv6' is a slow ACL. It will only work here if 'dst' is used -# previously in the http_access rules to locate the destination IP. -# Some more magic may be needed for that: -# http_access allow to_ipv6 !all -# (meaning, allow if to IPv6 but not from anywhere ;) +# NOTE: The use of this directive to set a local IP on outgoing TCP links +# is incompatible with using TPROXY to set client IP out outbound TCP links. +# When needing to contact peers use the no-tproxy cache_peer option and the +# client_dst_passthru directive re-enable normal forwarding such as this. # #Default: -# none +# Address selection is performed by the operating system. + +# TAG: host_verify_strict +# Regardless of this option setting, when dealing with intercepted +# traffic, Squid always verifies that the destination IP address matches +# the Host header domain or IP (called 'authority form URL'). +# +# This enforcement is performed to satisfy a MUST-level requirement in +# RFC 2616 section 14.23: "The Host field value MUST represent the naming +# authority of the origin server or gateway given by the original URL". +# +# When set to ON: +# Squid always responds with an HTTP 409 (Conflict) error +# page and logs a security warning if there is no match. +# +# Squid verifies that the destination IP address matches +# the Host header for forward-proxy and reverse-proxy traffic +# as well. For those traffic types, Squid also enables the +# following checks, comparing the corresponding Host header +# and Request-URI components: +# +# * The host names (domain or IP) must be identical, +# but valueless or missing Host header disables all checks. +# For the two host names to match, both must be either IP +# or FQDN. +# +# * Port numbers must be identical, but if a port is missing +# the scheme-default port is assumed. +# +# +# When set to OFF (the default): +# Squid allows suspicious requests to continue but logs a +# security warning and blocks caching of the response. +# +# * Forward-proxy traffic is not checked at all. +# +# * Reverse-proxy traffic is not checked at all. +# +# * Intercepted traffic which passes verification is handled +# according to client_dst_passthru. +# +# * Intercepted requests which fail verification are sent +# to the client original destination instead of DIRECT. +# This overrides 'client_dst_passthru off'. +# +# For now suspicious intercepted CONNECT requests are always +# responded to with an HTTP 409 (Conflict) error page. +# +# +# SECURITY NOTE: +# +# As described in CVE-2009-0801 when the Host: header alone is used +# to determine the destination of a request it becomes trivial for +# malicious scripts on remote websites to bypass browser same-origin +# security policy and sandboxing protections. +# +# The cause of this is that such applets are allowed to perform their +# own HTTP stack, in which case the same-origin policy of the browser +# sandbox only verifies that the applet tries to contact the same IP +# as from where it was loaded at the IP level. The Host: header may +# be different from the connected IP and approved origin. +# +#Default: +# host_verify_strict off + +# TAG: client_dst_passthru +# With NAT or TPROXY intercepted traffic Squid may pass the request +# directly to the original client destination IP or seek a faster +# source using the HTTP Host header. +# +# Using Host to locate alternative servers can provide faster +# connectivity with a range of failure recovery options. +# But can also lead to connectivity trouble when the client and +# server are attempting stateful interactions unaware of the proxy. +# +# This option (on by default) prevents alternative DNS entries being +# located to send intercepted traffic DIRECT to an origin server. +# The clients original destination IP and port will be used instead. +# +# Regardless of this option setting, when dealing with intercepted +# traffic Squid will verify the Host: header and any traffic which +# fails Host verification will be treated as if this option were ON. +# +# see host_verify_strict for details on the verification process. +#Default: +# client_dst_passthru on # SSL OPTIONS # ----------------------------------------------------------------------------- # TAG: ssl_unclean_shutdown # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --enable-ssl # # Some browsers (especially MSIE) bugs out on SSL shutdown # messages. @@ -1436,7 +2052,7 @@ http_port 3128 # TAG: ssl_engine # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --enable-ssl # # The OpenSSL engine to use. You will need to set this if you # would like to use hardware SSL acceleration for example. @@ -1445,7 +2061,7 @@ http_port 3128 # TAG: sslproxy_client_certificate # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --enable-ssl # # Client SSL Certificate to use when proxying https:// URLs #Default: @@ -1453,7 +2069,7 @@ http_port 3128 # TAG: sslproxy_client_key # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --enable-ssl # # Client SSL Key to use when proxying https:// URLs #Default: @@ -1461,28 +2077,45 @@ http_port 3128 # TAG: sslproxy_version # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --enable-ssl # # SSL version level to use when proxying https:// URLs +# +# The versions of SSL/TLS supported: +# +# 1 automatic (default) +# 2 SSLv2 only +# 3 SSLv3 only +# 4 TLSv1.0 only +# 5 TLSv1.1 only +# 6 TLSv1.2 only #Default: -# sslproxy_version 1 +# automatic SSL/TLS version negotiation # TAG: sslproxy_options # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --enable-ssl # -# SSL engine options to use when proxying https:// URLs +# SSL implementation options to use when proxying https:// URLs # # The most important being: # -# NO_SSLv2 Disallow the use of SSLv2 -# NO_SSLv3 Disallow the use of SSLv3 -# NO_TLSv1 Disallow the use of TLSv1 -# SINGLE_DH_USE -# Always create a new key when using -# temporary/ephemeral DH key exchanges +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# SINGLE_DH_USE +# Always create a new key when using temporary/ephemeral +# DH key exchanges +# SSL_OP_NO_TICKET +# Disable use of RFC5077 session tickets. Some servers +# may have problems understanding the TLS extension due +# to ambiguous specification in RFC4507. +# ALL Enable various bug workarounds suggested as "harmless" +# by OpenSSL. Be warned that this may reduce SSL/TLS +# strength to some attacks. # -# These options vary depending on your SSL engine. # See the OpenSSL SSL_CTX_set_options documentation for a # complete list of possible options. #Default: @@ -1490,7 +2123,7 @@ http_port 3128 # TAG: sslproxy_cipher # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --enable-ssl # # SSL cipher list to use when proxying https:// URLs # @@ -1500,7 +2133,7 @@ http_port 3128 # TAG: sslproxy_cafile # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --enable-ssl # # file containing CA certificates to use when verifying server # certificates while proxying https:// URLs @@ -1509,7 +2142,7 @@ http_port 3128 # TAG: sslproxy_capath # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --enable-ssl # # directory containing CA certificates to use when verifying # server certificates while proxying https:// URLs @@ -1518,36 +2151,64 @@ http_port 3128 # TAG: ssl_bump # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --enable-ssl +# +# This option is consulted when a CONNECT request is received on +# an http_port (or a new connection is intercepted at an +# https_port), provided that port was configured with an ssl-bump +# flag. The subsequent data on the connection is either treated as +# HTTPS and decrypted OR tunneled at TCP level without decryption, +# depending on the first bumping "mode" which ACLs match. +# +# ssl_bump <mode> [!]acl ... # -# This ACL controls which CONNECT requests to an http_port -# marked with an sslBump flag are actually "bumped". Please -# see the sslBump flag of an http_port option for more details -# about decoding proxied SSL connections. +# The following bumping modes are supported: # -# By default, no requests are bumped. +# client-first +# Allow bumping of the connection. Establish a secure connection +# with the client first, then connect to the server. This old mode +# does not allow Squid to mimic server SSL certificate and does +# not work with intercepted SSL connections. +# +# server-first +# Allow bumping of the connection. Establish a secure connection +# with the server first, then establish a secure connection with +# the client, using a mimicked server certificate. Works with both +# CONNECT requests and intercepted SSL connections. +# +# none +# Become a TCP tunnel without decoding the connection. +# Works with both CONNECT requests and intercepted SSL +# connections. This is the default behavior when no +# ssl_bump option is given or no ssl_bump ACLs match. +# +# By default, no connections are bumped. +# +# The first matching ssl_bump option wins. If no ACLs match, the +# connection is not bumped. Unlike most allow/deny ACL lists, ssl_bump +# does not have an implicit "negate the last given option" rule. You +# must make that rule explicit if you convert old ssl_bump allow/deny +# rules that rely on such an implicit rule. # -# See also: http_port ssl-bump -# # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # +# See also: http_port ssl-bump, https_port ssl-bump # -# # Example: Bump all requests except those originating from localhost and -# # those going to webax.com or example.com sites. # -# acl localhost src 127.0.0.1/32 -# acl broken_sites dstdomain .webax.com +# # Example: Bump all requests except those originating from +# # localhost or those going to example.com. +# # acl broken_sites dstdomain .example.com -# ssl_bump deny localhost -# ssl_bump deny broken_sites -# ssl_bump allow all +# ssl_bump none localhost +# ssl_bump none broken_sites +# ssl_bump server-first all #Default: -# none +# Does not bump unless rules are present in squid.conf # TAG: sslproxy_flags # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --enable-ssl # # Various flags modifying the use of SSL while proxying https:// URLs: # DONT_VERIFY_PEER Accept certificates that fail verification. @@ -1559,16 +2220,16 @@ http_port 3128 # TAG: sslproxy_cert_error # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --enable-ssl # # Use this ACL to bypass server certificate validation errors. # # For example, the following lines will bypass all validation errors -# when talking to servers located at 172.16.0.0/16. All other +# when talking to servers for example.com. All other # validation errors will result in ERR_SECURE_CONNECT_FAIL error. # -# acl BrokenServersAtTrustedIP dst 172.16.0.0/16 -# sslproxy_cert_error allow BrokenServersAtTrustedIP +# acl BrokenButTrustedServers dstdomain example.com +# sslproxy_cert_error allow BrokenButTrustedServers # sslproxy_cert_error deny all # # This clause only supports fast acl types. @@ -1576,19 +2237,107 @@ http_port 3128 # Using slow acl types may result in server crashes # # Without this option, all server certificate validation errors -# terminate the transaction. Bypassing validation errors is dangerous -# because an error usually implies that the server cannot be trusted and -# the connection may be insecure. +# terminate the transaction to protect Squid and the client. +# +# SQUID_X509_V_ERR_INFINITE_VALIDATION error cannot be bypassed +# but should not happen unless your OpenSSL library is buggy. +# +# SECURITY WARNING: +# Bypassing validation errors is dangerous because an +# error usually implies that the server cannot be trusted +# and the connection may be insecure. # # See also: sslproxy_flags and DONT_VERIFY_PEER. +#Default: +# Server certificate errors terminate the transaction. + +# TAG: sslproxy_cert_sign +# Note: This option is only available if Squid is rebuilt with the +# --enable-ssl +# +# +# sslproxy_cert_sign <signing algorithm> acl ... +# +# The following certificate signing algorithms are supported: +# +# signTrusted +# Sign using the configured CA certificate which is usually +# placed in and trusted by end-user browsers. This is the +# default for trusted origin server certificates. +# +# signUntrusted +# Sign to guarantee an X509_V_ERR_CERT_UNTRUSTED browser error. +# This is the default for untrusted origin server certificates +# that are not self-signed (see ssl::certUntrusted). +# +# signSelf +# Sign using a self-signed certificate with the right CN to +# generate a X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT error in the +# browser. This is the default for self-signed origin server +# certificates (see ssl::certSelfSigned). +# +# This clause only supports fast acl types. +# +# When sslproxy_cert_sign acl(s) match, Squid uses the corresponding +# signing algorithm to generate the certificate and ignores all +# subsequent sslproxy_cert_sign options (the first match wins). If no +# acl(s) match, the default signing algorithm is determined by errors +# detected when obtaining and validating the origin server certificate. +# +# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can +# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a +# CONNECT request that carries a domain name. In all other cases (CONNECT +# to an IP address or an intercepted SSL connection), Squid cannot detect +# the domain mismatch at certificate generation time when +# bump-server-first is used. +#Default: +# none + +# TAG: sslproxy_cert_adapt +# Note: This option is only available if Squid is rebuilt with the +# --enable-ssl +# +# +# sslproxy_cert_adapt <adaptation algorithm> acl ... +# +# The following certificate adaptation algorithms are supported: +# +# setValidAfter +# Sets the "Not After" property to the "Not After" property of +# the CA certificate used to sign generated certificates. +# +# setValidBefore +# Sets the "Not Before" property to the "Not Before" property of +# the CA certificate used to sign generated certificates. +# +# setCommonName or setCommonName{CN} +# Sets Subject.CN property to the host name specified as a +# CN parameter or, if no explicit CN parameter was specified, +# extracted from the CONNECT request. It is a misconfiguration +# to use setCommonName without an explicit parameter for +# intercepted or tproxied SSL connections. +# +# This clause only supports fast acl types. +# +# Squid first groups sslproxy_cert_adapt options by adaptation algorithm. +# Within a group, when sslproxy_cert_adapt acl(s) match, Squid uses the +# corresponding adaptation algorithm to generate the certificate and +# ignores all subsequent sslproxy_cert_adapt options in that algorithm's +# group (i.e., the first match wins within each algorithm group). If no +# acl(s) match, the default mimicking action takes place. # -# Default setting: sslproxy_cert_error deny all +# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can +# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a +# CONNECT request that carries a domain name. In all other cases (CONNECT +# to an IP address or an intercepted SSL connection), Squid cannot detect +# the domain mismatch at certificate generation time when +# bump-server-first is used. #Default: # none # TAG: sslpassword_program # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --enable-ssl # # Specify a program used for entering SSL key passphrases # when using encrypted SSL certificate keys. If not specified @@ -1601,12 +2350,12 @@ http_port 3128 #Default: # none -#OPTIONS RELATING TO EXTERNAL SSL_CRTD -#----------------------------------------------------------------------------- +# OPTIONS RELATING TO EXTERNAL SSL_CRTD +# ----------------------------------------------------------------------------- # TAG: sslcrtd_program # Note: This option is only available if Squid is rebuilt with the -# -DUSE_SSL_CRTD define +# --enable-ssl-crtd # # Specify the location and options of the executable for ssl_crtd process. # /usr/libexec/ssl_crtd program requires -s and -M parameters @@ -1617,14 +2366,90 @@ http_port 3128 # TAG: sslcrtd_children # Note: This option is only available if Squid is rebuilt with the -# -DUSE_SSL_CRTD define +# --enable-ssl-crtd # # The maximum number of processes spawn to service ssl server. # The maximum this may be safely set to is 32. # +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup=N +# +# Sets the minimum number of processes to spawn when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few children temporary slows Squid under load while it +# tries to spawn enough additional processes to cope with traffic. +# +# idle=N +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# # You must have at least one ssl_crtd process. #Default: -# sslcrtd_children 5 +# sslcrtd_children 32 startup=5 idle=1 + +# TAG: sslcrtvalidator_program +# Note: This option is only available if Squid is rebuilt with the +# --enable-ssl +# +# Specify the location and options of the executable for ssl_crt_validator +# process. +# +# Usage: sslcrtvalidator_program [ttl=n] [cache=n] path ... +# +# Options: +# ttl=n TTL in seconds for cached results. The default is 60 secs +# cache=n limit the result cache size. The default value is 2048 +#Default: +# none + +# TAG: sslcrtvalidator_children +# Note: This option is only available if Squid is rebuilt with the +# --enable-ssl +# +# The maximum number of processes spawn to service SSL server. +# The maximum this may be safely set to is 32. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup=N +# +# Sets the minimum number of processes to spawn when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few children temporary slows Squid under load while it +# tries to spawn enough additional processes to cope with traffic. +# +# idle=N +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# +# The number of requests each certificate validator helper can handle in +# parallel. A value of 0 indicates the certficate validator does not +# support concurrency. Defaults to 1. +# +# When this directive is set to a value >= 1 then the protocol +# used to communicate with the helper is modified to include +# a request ID in front of the request/response. The request +# ID from the request must be echoed back with the response +# to that request. +# +# You must have at least one ssl_crt_validator process. +#Default: +# sslcrtvalidator_children 32 startup=5 idle=1 concurrency=1 # OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM # ----------------------------------------------------------------------------- @@ -1686,22 +2511,23 @@ http_port 3128 # # htcp Send HTCP, instead of ICP, queries to the neighbor. # You probably also want to set the "icp-port" to 4827 -# instead of 3130. +# instead of 3130. This directive accepts a comma separated +# list of options described below. # -# htcp-oldsquid Send HTCP to old Squid versions. +# htcp=oldsquid Send HTCP to old Squid versions (2.5 or earlier). # -# htcp-no-clr Send HTCP to the neighbor but without +# htcp=no-clr Send HTCP to the neighbor but without # sending any CLR requests. This cannot be used with -# htcp-only-clr. +# only-clr. # -# htcp-only-clr Send HTCP to the neighbor but ONLY CLR requests. -# This cannot be used with htcp-no-clr. +# htcp=only-clr Send HTCP to the neighbor but ONLY CLR requests. +# This cannot be used with no-clr. # -# htcp-no-purge-clr +# htcp=no-purge-clr # Send HTCP to the neighbor including CLRs but only when # they do not result from PURGE requests. # -# htcp-forward-clr +# htcp=forward-clr # Forward any HTCP CLR requests this proxy receives to the peer. # # @@ -1774,6 +2600,14 @@ http_port 3128 # than the Squid default location. # # +# ==== CARP OPTIONS ==== +# +# carp-key=key-specification +# use a different key than the full URL to hash against the peer. +# the key-specification is a comma-separated list of the keywords +# scheme, host, port, path, params +# Order is not important. +# # ==== ACCELERATOR / REVERSE-PROXY OPTIONS ==== # # originserver Causes this parent to be contacted as an origin server. @@ -1801,20 +2635,23 @@ http_port 3128 # Note: The string can include URL escapes (i.e. %20 for # spaces). This also means % must be written as %%. # -# login=PROXYPASS +# login=PASSTHRU # Send login details received from client to this peer. -# Authentication is not required, nor changed. +# Both Proxy- and WWW-Authorization headers are passed +# without alteration to the peer. +# Authentication is not required by Squid for this to work. # # Note: This will pass any form of authentication but # only Basic auth will work through a proxy unless the # connection-auth options are also used. -# +# # login=PASS Send login details received from client to this peer. # Authentication is not required by this option. +# # If there are no client-provided authentication headers # to pass on, but username and password are available -# from either proxy login or an external ACL user= and -# password= result tags they may be sent instead. +# from an external ACL user= and password= result tags +# they may be sent instead. # # Note: To combine this with proxy_auth both proxies must # share the same user database as HTTP only allows for @@ -1832,6 +2669,27 @@ http_port 3128 # be used to identify this proxy to the peer, similar to # the login=username:password option above. # +# login=NEGOTIATE +# If this is a personal/workgroup proxy and your parent +# requires a secure proxy authentication. +# The first principal from the default keytab or defined by +# the environment variable KRB5_KTNAME will be used. +# +# WARNING: The connection may transmit requests from multiple +# clients. Negotiate often assumes end-to-end authentication +# and a single-client. Which is not strictly true here. +# +# login=NEGOTIATE:principal_name +# If this is a personal/workgroup proxy and your parent +# requires a secure proxy authentication. +# The principal principal_name from the default keytab or +# defined by the environment variable KRB5_KTNAME will be +# used. +# +# WARNING: The connection may transmit requests from multiple +# clients. Negotiate often assumes end-to-end authentication +# and a single-client. Which is not strictly true here. +# # connection-auth=on|off # Tell Squid that this peer does or not support Microsoft # connection oriented authentication, and any such @@ -1854,22 +2712,35 @@ http_port 3128 # reference a combined file containing both the # certificate and the key. # -# sslversion=1|2|3|4 +# sslversion=1|2|3|4|5|6 # The SSL version to use when connecting to this peer # 1 = automatic (default) # 2 = SSL v2 only # 3 = SSL v3 only -# 4 = TLS v1 only +# 4 = TLS v1.0 only +# 5 = TLS v1.1 only +# 6 = TLS v1.2 only # # sslcipher=... The list of valid SSL ciphers to use when connecting # to this peer. # -# ssloptions=... Specify various SSL engine options: -# NO_SSLv2 Disallow the use of SSLv2 -# NO_SSLv3 Disallow the use of SSLv3 -# NO_TLSv1 Disallow the use of TLSv1 -# See src/ssl_support.c or the OpenSSL documentation for -# a more complete list. +# ssloptions=... Specify various SSL implementation options: +# +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# SINGLE_DH_USE +# Always create a new key when using +# temporary/ephemeral DH key exchanges +# ALL Enable various bug workarounds +# suggested as "harmless" by OpenSSL +# Be warned that this reduces SSL/TLS +# strength to some attacks. +# +# See the OpenSSL SSL_CTX_set_options documentation for a +# more complete list. # # sslcafile=... A file containing additional CA certificates to use # when verifying the peer certificate. @@ -1936,6 +2807,7 @@ http_port 3128 # # no-tproxy Do not use the client-spoof TPROXY support when forwarding # requests to this peer. Use normal address selection instead. +# This overrides the spoof_client_ip ACL. # # proxy-only objects fetched from the peer will not be stored locally. # @@ -1944,10 +2816,11 @@ http_port 3128 # TAG: cache_peer_domain # Use to limit the domains for which a neighbor cache will be -# queried. Usage: +# queried. # -# cache_peer_domain cache-host domain [domain ...] -# cache_peer_domain cache-host !domain +# Usage: +# cache_peer_domain cache-host domain [domain ...] +# cache_peer_domain cache-host !domain # # For example, specifying # @@ -1975,7 +2848,8 @@ http_port 3128 # Similar to 'cache_peer_domain' but provides more flexibility by # using ACL elements. # -# cache_peer_access cache-host allow|deny [!]aclname ... +# Usage: +# cache_peer_access cache-host allow|deny [!]aclname ... # # The syntax is identical to 'http_access' and the other lists of # ACL elements. See the comments for 'http_access' below, or @@ -1984,21 +2858,20 @@ http_port 3128 # none # TAG: neighbor_type_domain -# usage: neighbor_type_domain neighbor parent|sibling domain domain ... +# Modify the cache_peer neighbor type when passing requests +# about specific domains to the peer. # -# Modifying the neighbor type for specific domains is now -# possible. You can treat some domains differently than the the -# default neighbor type specified on the 'cache_peer' line. -# Normally it should only be necessary to list domains which -# should be treated differently because the default neighbor type -# applies for hostnames which do not match domains listed here. +# Usage: +# neighbor_type_domain neighbor parent|sibling domain domain ... # -#EXAMPLE: -# cache_peer cache.foo.org parent 3128 3130 -# neighbor_type_domain cache.foo.org sibling .com .net -# neighbor_type_domain cache.foo.org sibling .au .de +# For example: +# cache_peer foo.example.com parent 3128 3130 +# neighbor_type_domain foo.example.com sibling .au .de +# +# The above configuration treats all requests to foo.example.com as a +# parent proxy unless the request is for a .au or .de ccTLD domain name. #Default: -# none +# The peer type from cache_peer directive is used for all requests to that peer. # TAG: dead_peer_timeout (seconds) # This controls how long Squid waits to declare a peer cache @@ -2021,6 +2894,9 @@ http_port 3128 # TAG: forward_max_tries # Controls how many different forward paths Squid will try # before giving up. See also forward_timeout. +# +# NOTE: connect_retries (default: none) can make each of these +# possible forwarding paths be tried multiple times. #Default: # forward_max_tries 10 @@ -2070,6 +2946,11 @@ http_port 3128 # decreases, blocks will be freed until the high-water mark is # reached. Thereafter, blocks will be used to store hot # objects. +# +# If shared memory caching is enabled, Squid does not use the shared +# cache space for in-transit objects, but they still consume as much +# local memory as they need. For more details about the shared memory +# cache, see memory_cache_shared. #Default: # cache_mem 256 MB @@ -2081,11 +2962,47 @@ http_port 3128 #Default: # maximum_object_size_in_memory 512 KB +# TAG: memory_cache_shared on|off +# Controls whether the memory cache is shared among SMP workers. +# +# The shared memory cache is meant to occupy cache_mem bytes and replace +# the non-shared memory cache, although some entities may still be +# cached locally by workers for now (e.g., internal and in-transit +# objects may be served from a local memory cache even if shared memory +# caching is enabled). +# +# By default, the memory cache is shared if and only if all of the +# following conditions are satisfied: Squid runs in SMP mode with +# multiple workers, cache_mem is positive, and Squid environment +# supports required IPC primitives (e.g., POSIX shared memory segments +# and GCC-style atomic operations). +# +# To avoid blocking locks, shared memory uses opportunistic algorithms +# that do not guarantee that every cachable entity that could have been +# shared among SMP workers will actually be shared. +# +# Currently, entities exceeding 32KB in size cannot be shared. +#Default: +# "on" where supported if doing memory caching with multiple SMP workers. + +# TAG: memory_cache_mode +# Controls which objects to keep in the memory cache (cache_mem) +# +# always Keep most recently fetched objects in memory (default) +# +# disk Only disk cache hits are kept in memory, which means +# an object must first be cached on disk and then hit +# a second time before cached in memory. +# +# network Only objects fetched from network is kept in memory +#Default: +# Keep the most recently fetched objects in memory + # TAG: memory_replacement_policy # The memory replacement policy parameter determines which # objects are purged from memory when memory space is needed. # -# See cache_replacement_policy for details. +# See cache_replacement_policy for details on algorithms. #Default: # memory_replacement_policy lru @@ -2101,7 +3018,7 @@ http_port 3128 # heap LFUDA: Least Frequently Used with Dynamic Aging # heap LRU : LRU policy implemented using a heap # -# Applies to any cache_dir lines listed below this. +# Applies to any cache_dir lines listed below this directive. # # The LRU policies keeps recently referenced objects. # @@ -2120,7 +3037,7 @@ http_port 3128 # replacement policies. # # NOTE: if using the LFUDA replacement policy you should increase -# the value of maximum_object_size above its default of 4096 KB to +# the value of maximum_object_size above its default of 4 MB to # to maximize the potential byte hit rate improvement of LFUDA. # # For more information about the GDSF and LFUDA cache replacement @@ -2129,10 +3046,33 @@ http_port 3128 #Default: # cache_replacement_policy lru +# TAG: minimum_object_size (bytes) +# Objects smaller than this size will NOT be saved on disk. The +# value is specified in bytes, and the default is 0 KB, which +# means all responses can be stored. +#Default: +# no limit + +# TAG: maximum_object_size (bytes) +# Set the default value for max-size parameter on any cache_dir. +# The value is specified in bytes, and the default is 4 MB. +# +# If you wish to get a high BYTES hit ratio, you should probably +# increase this (one 32 MB object hit counts for 3200 10KB +# hits). +# +# If you wish to increase hit ratio more than you want to +# save bandwidth you should leave this low. +# +# NOTE: if using the LFUDA replacement policy you should increase +# this value to maximize the byte hit rate improvement of LFUDA! +# See cache_replacement_policy for a discussion of this policy. +#Default: +# maximum_object_size 4 MB + # TAG: cache_dir -# Usage: -# -# cache_dir Type Directory-Name Fs-specific-data [options] +# Format: +# cache_dir Type Directory-Name Fs-specific-data [options] # # You can specify multiple cache_dir lines to spread the # cache among different disk partitions. @@ -2147,12 +3087,18 @@ http_port 3128 # The directory must exist and be writable by the Squid # process. Squid will NOT create this directory for you. # -# The ufs store type: +# In SMP configurations, cache_dir must not precede the workers option +# and should use configuration macros or conditionals to give each +# worker interested in disk caching a dedicated cache directory. +# +# +# ==== The ufs store type ==== # # "ufs" is the old well-known Squid storage format that has always # been there. # -# cache_dir ufs Directory-Name Mbytes L1 L2 [options] +# Usage: +# cache_dir ufs Directory-Name Mbytes L1 L2 [options] # # 'Mbytes' is the amount of disk space (MB) to use under this # directory. The default is 100 MB. Change this to suit your @@ -2167,23 +3113,27 @@ http_port 3128 # will be created under each first-level directory. The default # is 256. # -# The aufs store type: +# +# ==== The aufs store type ==== # # "aufs" uses the same storage format as "ufs", utilizing # POSIX-threads to avoid blocking the main Squid process on # disk-I/O. This was formerly known in Squid as async-io. # -# cache_dir aufs Directory-Name Mbytes L1 L2 [options] +# Usage: +# cache_dir aufs Directory-Name Mbytes L1 L2 [options] # # see argument descriptions under ufs above # -# The diskd store type: +# +# ==== The diskd store type ==== # # "diskd" uses the same storage format as "ufs", utilizing a # separate process to avoid blocking the main Squid process on # disk-I/O. # -# cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n] +# Usage: +# cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n] # # see argument descriptions under ufs above # @@ -2201,7 +3151,49 @@ http_port 3128 # higher hit ratio at the expense of an increase in response # time. # -# The coss store type: +# +# ==== The rock store type ==== +# +# Usage: +# cache_dir rock Directory-Name Mbytes <max-size=bytes> [options] +# +# The Rock Store type is a database-style storage. All cached +# entries are stored in a "database" file, using fixed-size slots, +# one entry per slot. The database size is specified in MB. The +# slot size is specified in bytes using the max-size option. See +# below for more info on the max-size option. +# +# If possible, Squid using Rock Store creates a dedicated kid +# process called "disker" to avoid blocking Squid worker(s) on disk +# I/O. One disker kid is created for each rock cache_dir. Diskers +# are created only when Squid, running in daemon mode, has support +# for the IpcIo disk I/O module. +# +# swap-timeout=msec: Squid will not start writing a miss to or +# reading a hit from disk if it estimates that the swap operation +# will take more than the specified number of milliseconds. By +# default and when set to zero, disables the disk I/O time limit +# enforcement. Ignored when using blocking I/O module because +# blocking synchronous I/O does not allow Squid to estimate the +# expected swap wait time. +# +# max-swap-rate=swaps/sec: Artificially limits disk access using +# the specified I/O rate limit. Swap out requests that +# would cause the average I/O rate to exceed the limit are +# delayed. Individual swap in requests (i.e., hits or reads) are +# not delayed, but they do contribute to measured swap rate and +# since they are placed in the same FIFO queue as swap out +# requests, they may wait longer if max-swap-rate is smaller. +# This is necessary on file systems that buffer "too +# many" writes and then start blocking Squid and other processes +# while committing those writes to disk. Usually used together +# with swap-timeout to avoid excessive delays and queue overflows +# when disk demand exceeds available disk "bandwidth". By default +# and when set to zero, disables the disk I/O rate limit +# enforcement. Currently supported by IpcIo module only. +# +# +# ==== The coss store type ==== # # NP: COSS filesystem in Squid-3 has been deemed too unstable for # production use and has thus been removed from this release. @@ -2219,26 +3211,80 @@ http_port 3128 # called 'stripe' in the directory names in the config - and # this will be created by squid -z. # -# Common options: # -# no-store, no new objects should be stored to this cache_dir +# ==== COMMON OPTIONS ==== +# +# no-store no new objects should be stored to this cache_dir. +# +# min-size=n the minimum object size in bytes this cache_dir +# will accept. It's used to restrict a cache_dir +# to only store large objects (e.g. AUFS) while +# other stores are optimized for smaller objects +# (e.g. COSS). +# Defaults to 0. +# +# max-size=n the maximum object size in bytes this cache_dir +# supports. +# The value in maximum_object_size directive sets +# the default unless more specific details are +# available (ie a small store capacity). # -# max-size=n, refers to the max object size in bytes this cache_dir -# supports. It is used to select the cache_dir to store the object. # Note: To make optimal use of the max-size limits you should order -# the cache_dir lines with the smallest max-size value first and the -# ones with no max-size specification last. +# the cache_dir lines with the smallest max-size value first. # # Note for coss, max-size must be less than COSS_MEMBUF_SZ, # which can be changed with the --with-coss-membuf-size=N configure # option. # +#Default: +# No disk cache. Store cache ojects only in memory. +# # Uncomment and adjust the following to add a disk cache directory. -#cache_dir ufs /var/log/squid/cache 100 16 256 +#cache_dir ufs /var/log/squid/cache/squid 100 16 256 # TAG: store_dir_select_algorithm -# Set this to 'round-robin' as an alternative. +# How Squid selects which cache_dir to use when the response +# object will fit into more than one. +# +# Regardless of which algorithm is used the cache_dir min-size +# and max-size parameters are obeyed. As such they can affect +# the selection algorithm by limiting the set of considered +# cache_dir. +# +# Algorithms: +# +# least-load +# +# This algorithm is suited to caches with similar cache_dir +# sizes and disk speeds. +# +# The disk with the least I/O pending is selected. +# When there are multiple disks with the same I/O load ranking +# the cache_dir with most available capacity is selected. +# +# When a mix of cache_dir sizes are configured the faster disks +# have a naturally lower I/O loading and larger disks have more +# capacity. So space used to store objects and data throughput +# may be very unbalanced towards larger disks. +# +# +# round-robin +# +# This algorithm is suited to caches with unequal cache_dir +# disk sizes. +# +# Each cache_dir is selected in a rotation. The next suitable +# cache_dir is used. +# +# Available cache_dir capacity is only considered in relation +# to whether the object will fit and meets the min-size and +# max-size parameters. +# +# Disk I/O loading is only considered to prevent overload on slow +# disks. This algorithm does not spread objects by size, so any +# I/O loading per-disk may appear very unbalanced and volatile. +# #Default: # store_dir_select_algorithm least-load @@ -2249,36 +3295,26 @@ http_port 3128 # # A value of 0 indicates no limit. #Default: -# max_open_disk_fds 0 - -# TAG: minimum_object_size (bytes) -# Objects smaller than this size will NOT be saved on disk. The -# value is specified in kilobytes, and the default is 0 KB, which -# means there is no minimum. -#Default: -# minimum_object_size 0 KB - -# TAG: maximum_object_size (bytes) -# Objects larger than this size will NOT be saved on disk. The -# value is specified in kilobytes, and the default is 4MB. If -# you wish to get a high BYTES hit ratio, you should probably -# increase this (one 32 MB object hit counts for 3200 10KB -# hits). If you wish to increase speed more than your want to -# save bandwidth you should leave this low. -# -# NOTE: if using the LFUDA replacement policy you should increase -# this value to maximize the byte hit rate improvement of LFUDA! -# See replacement_policy below for a discussion of this policy. -#Default: -# maximum_object_size 4096 KB +# no limit # TAG: cache_swap_low (percent, 0-100) +# The low-water mark for cache object replacement. +# Replacement begins when the swap (disk) usage is above the +# low-water mark and attempts to maintain utilization near the +# low-water mark. As swap utilization gets close to high-water +# mark object eviction becomes more aggressive. If utilization is +# close to the low-water mark less replacement is done each time. +# +# Defaults are 90% and 95%. If you have a large cache, 5% could be +# hundreds of MB. If this is the case you may wish to set these +# numbers closer together. +# +# See also cache_swap_high #Default: # cache_swap_low 90 # TAG: cache_swap_high (percent, 0-100) -# -# The low- and high-water marks for cache object replacement. +# The high-water mark for cache object replacement. # Replacement begins when the swap (disk) usage is above the # low-water mark and attempts to maintain utilization near the # low-water mark. As swap utilization gets close to high-water @@ -2288,6 +3324,8 @@ http_port 3128 # Defaults are 90% and 95%. If you have a large cache, 5% could be # hundreds of MB. If this is the case you may wish to set these # numbers closer together. +# +# See also cache_swap_low #Default: # cache_swap_high 95 @@ -2317,21 +3355,62 @@ http_port 3128 # ' output as-is # # - left aligned -# width field width. If starting with 0 the -# output is zero padded +# +# width minimum and/or maximum field width: +# [width_min][.width_max] +# When minimum starts with 0, the field is zero-padded. +# String values exceeding maximum width are truncated. +# # {arg} argument such as header name etc # # Format codes: # # % a literal % character +# sn Unique sequence number per log line entry +# err_code The ID of an error response served by Squid or +# a similar internal error identifier. +# err_detail Additional err_code-dependent error information. +# note The annotation specified by the argument. Also +# logs the adaptation meta headers set by the +# adaptation_meta configuration parameter. +# If no argument given all annotations logged. +# The argument may include a separator to use with +# annotation values: +# name[:separator] +# By default, multiple note values are separated with "," +# and multiple notes are separated with "\r\n". +# When logging named notes with %{name}note, the +# explicitly configured separator is used between note +# values. When logging all notes with %note, the +# explicitly configured separator is used between +# individual notes. There is currently no way to +# specify both value and notes separators when logging +# all notes with %note. +# +# Connection related format codes: +# # >a Client source IP address # >A Client FQDN # >p Client source port -# <A Server IP address or peer name -# la Local IP address (http_port) -# lp Local port number (http_port) +# >eui Client source EUI (MAC address, EUI-48 or EUI-64 identifier) +# >la Local IP address the client connected to +# >lp Local port number the client connected to +# >qos Client connection TOS/DSCP value set by Squid +# >nfmark Client connection netfilter mark set by Squid +# +# la Local listening IP address the client connection was connected to. +# lp Local listening port number the client connection was connected to. +# +# <a Server IP address of the last server or peer connection +# <A Server FQDN or peer name +# <p Server port number of the last server or peer connection # <la Local IP address of the last server or peer connection # <lp Local port number of the last server or peer connection +# <qos Server connection TOS/DSCP value set by Squid +# <nfmark Server connection netfilter mark set by Squid +# +# Time related format codes: +# # ts Seconds since epoch # tu subsecond time (milliseconds) # tl Local time. Optional strftime format argument @@ -2341,30 +3420,50 @@ http_port 3128 # tr Response time (milliseconds) # dt Total time spent making DNS lookups (milliseconds) # -# HTTP cache related format codes: -# -# [http::]>h Original request header. Optional header name argument -# on the format header[:[separator]element] -# [http::]>ha The HTTP request headers after adaptation and redirection. +# Access Control related format codes: +# +# et Tag returned by external acl +# ea Log string returned by external acl +# un User name (any available) +# ul User name from authentication +# ue User name from external acl helper +# ui User name from ident +# us User name from SSL +# +# HTTP related format codes: +# +# [http::]>h Original received request header. +# Usually differs from the request header sent by +# Squid, although most fields are often preserved. +# Accepts optional header field name/value filter +# argument using name[:[separator]element] format. +# [http::]>ha Received request header after adaptation and +# redirection (pre-cache REQMOD vectoring point). +# Usually differs from the request header sent by +# Squid, although most fields are often preserved. # Optional header name argument as for >h # [http::]<h Reply header. Optional header name argument # as for >h -# [http::]un User name -# [http::]ul User name from authentication -# [http::]ui User name from ident -# [http::]us User name from SSL -# [http::]ue User name from external acl helper # [http::]>Hs HTTP status code sent to the client # [http::]<Hs HTTP status code received from the next hop -# [http::]Ss Squid request status (TCP_MISS etc) -# [http::]Sh Squid hierarchy status (DEFAULT_PARENT etc) +# [http::]<bs Number of HTTP-equivalent message body bytes +# received from the next hop, excluding chunked +# transfer encoding and control messages. +# Generated FTP/Gopher listings are treated as +# received bodies. # [http::]mt MIME content type # [http::]rm Request method (GET/POST etc) -# [http::]ru Request URL +# [http::]>rm Request method from client +# [http::]<rm Request method sent to server or peer +# [http::]ru Request URL from client (historic, filtered for logging) +# [http::]>ru Request URL from client +# [http::]<ru Request URL sent to server or peer # [http::]rp Request URL-Path excluding hostname +# [http::]>rp Request URL-Path excluding hostname from client +# [http::]<rp Request URL-Path excluding hostname sento to server or peer # [http::]rv Request protocol version -# [http::]et Tag returned by external acl -# [http::]ea Log string returned by external acl +# [http::]>rv Request protocol version from client +# [http::]<rv Request protocol version sent to server or peer # [http::]<st Sent reply size including HTTP headers # [http::]>st Received request size including HTTP headers. In the # case of chunked requests the chunked encoding metadata @@ -2382,7 +3481,30 @@ http_port 3128 # sent to the first selected peer. The timer stops # with the last I/O with the last peer. # -# If ICAP is enabled, the following two codes become available (as +# Squid handling related format codes: +# +# Ss Squid request status (TCP_MISS etc) +# Sh Squid hierarchy status (DEFAULT_PARENT etc) +# +# SSL-related format codes: +# +# ssl::bump_mode SslBump decision for the transaction: +# +# For CONNECT requests that initiated bumping of +# a connection and for any request received on +# an already bumped connection, Squid logs the +# corresponding SslBump mode ("server-first" or +# "client-first"). See the ssl_bump option for +# more information about these modes. +# +# A "none" token is logged for requests that +# triggered "ssl_bump" ACL evaluation matching +# either a "none" rule or no rules at all. +# +# In all other cases, a single dash ("-") is +# logged. +# +# If ICAP is enabled, the following code becomes available (as # well as ICAP log codes documented with the icap_log option): # # icap::tt Total ICAP processing time for the HTTP @@ -2390,14 +3512,13 @@ http_port 3128 # ACLs are checked and when ICAP # transaction is in progress. # -# icap::<last_h The header of the last ICAP response -# related to the HTTP transaction. Like -# <h, accepts an optional header name -# argument. Will not change semantics -# when multiple ICAP transactions per HTTP -# transaction are supported. +# If adaptation is enabled the following three codes become available: # -# If adaptation is enabled the following two codes become available: +# adapt::<last_h The header of the last ICAP response or +# meta-information from the last eCAP +# transaction related to the HTTP transaction. +# Like <h, accepts an optional header name +# argument. # # adapt::sum_trs Summed adaptation transaction response # times recorded as a comma-separated list in @@ -2421,47 +3542,122 @@ http_port 3128 # service name in curly braces to record response time(s) specific # to that service. For example: %{my_service}adapt::sum_trs # +# If SSL is enabled, the following formating codes become available: +# +# %ssl::>cert_subject The Subject field of the received client +# SSL certificate or a dash ('-') if Squid has +# received an invalid/malformed certificate or +# no certificate at all. Consider encoding the +# logged value because Subject often has spaces. +# +# %ssl::>cert_issuer The Issuer field of the received client +# SSL certificate or a dash ('-') if Squid has +# received an invalid/malformed certificate or +# no certificate at all. Consider encoding the +# logged value because Issuer often has spaces. +# # The default formats available (which do not need re-defining) are: # -#logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt -#logformat squidmime %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt [%>h] [%<h] -#logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh -#logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh +#logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt +#logformat common %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh +#logformat combined %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh +#logformat referrer %ts.%03tu %>a %{Referer}>h %ru +#logformat useragent %>a [%tl] "%{User-Agent}>h" +# +# NOTE: When the log_mime_hdrs directive is set to ON. +# The squid, common and combined formats have a safely encoded copy +# of the mime headers appended to each line within a pair of brackets. +# +# NOTE: The common and combined formats are not quite true to the Apache definition. +# The logs from Squid contain an extra status and hierarchy code appended. +# #Default: -# none +# The format definitions squid, common, combined, referrer, useragent are built in. # TAG: access_log -# These files log client request activities. Has a line every HTTP or -# ICP request. The format is: -# access_log <filepath> [<logformat name> [acl acl ...]] -# access_log none [acl acl ...]] +# Configures whether and how Squid logs HTTP and ICP transactions. +# If access logging is enabled, a single line is logged for every +# matching HTTP or ICP request. The recommended directive formats are: # -# Will log to the specified file using the specified format (which -# must be defined in a logformat directive) those entries which match -# ALL the acl's specified (which must be defined in acl clauses). +# access_log <module>:<place> [option ...] [acl acl ...] +# access_log none [acl acl ...] # -# If no acl is specified, all requests will be logged to this file. +# The following directive format is accepted but may be deprecated: +# access_log <module>:<place> [<logformat name> [acl acl ...]] # -# To disable logging of a request use the filepath "none", in which case -# a logformat name should not be specified. +# In most cases, the first ACL name must not contain the '=' character +# and should not be equal to an existing logformat name. You can always +# start with an 'all' ACL to work around those restrictions. +# +# Will log to the specified module:place using the specified format (which +# must be defined in a logformat directive) those entries which match +# ALL the acl's specified (which must be defined in acl clauses). +# If no acl is specified, all requests will be logged to this destination. +# +# ===== Available options for the recommended directive format ===== +# +# logformat=name Names log line format (either built-in or +# defined by a logformat directive). Defaults +# to 'squid'. +# +# buffer-size=64KB Defines approximate buffering limit for log +# records (see buffered_logs). Squid should not +# keep more than the specified size and, hence, +# should flush records before the buffer becomes +# full to avoid overflows under normal +# conditions (the exact flushing algorithm is +# module-dependent though). The on-error option +# controls overflow handling. +# +# on-error=die|drop Defines action on unrecoverable errors. The +# 'drop' action ignores (i.e., does not log) +# affected log records. The default 'die' action +# kills the affected worker. The drop action +# support has not been tested for modules other +# than tcp. +# +# ===== Modules Currently available ===== +# +# none Do not log any requests matching these ACL. +# Do not specify Place or logformat name. +# +# stdio Write each log line to disk immediately at the completion of +# each request. +# Place: the filename and path to be written. +# +# daemon Very similar to stdio. But instead of writing to disk the log +# line is passed to a daemon helper for asychronous handling instead. +# Place: varies depending on the daemon. +# +# log_file_daemon Place: the file name and path to be written. +# +# syslog To log each request via syslog facility. +# Place: The syslog facility and priority level for these entries. +# Place Format: facility.priority # -# To log the request via syslog specify a filepath of "syslog": +# where facility could be any of: +# authpriv, daemon, local0 ... local7 or user. # -# access_log syslog[:facility.priority] [format [acl1 [acl2 ....]]] -# where facility could be any of: -# authpriv, daemon, local0 .. local7 or user. +# And priority could be any of: +# err, warning, notice, info, debug. +# +# udp To send each log line as text data to a UDP receiver. +# Place: The destination host name or IP and port. +# Place Format: //host:port # -# And priority could be any of: -# err, warning, notice, info, debug. +# tcp To send each log line as text data to a TCP receiver. +# Lines may be accumulated before sending (see buffered_logs). +# Place: The destination host name or IP and port. +# Place Format: //host:port # # Default: -# access_log /var/log/squid/access.log squid +# access_log daemon:/var/log/squid/access.log squid #Default: -# access_log /var/log/squid/access.log squid +# access_log daemon:/var/log/squid/access.log squid # TAG: icap_log # Note: This option is only available if Squid is rebuilt with the -# --enable-icap-client option +# --enable-icap-client # # ICAP log files record ICAP transaction summaries, one line per # transaction. @@ -2506,6 +3702,13 @@ http_port 3128 # payload only; i.e., what Squid reads from # the socket). # +# icap::<bs Number of message body bytes received from the +# ICAP server. ICAP message body, if any, usually +# includes encapsulated HTTP message headers and +# possibly encapsulated HTTP message body. The +# HTTP body part is dechunked before its size is +# computed. +# # icap::tr Transaction response time (in # milliseconds). The timer starts when # the ICAP transaction is created and @@ -2536,38 +3739,59 @@ http_port 3128 # #logformat icap_squid %ts.%03tu %6icap::tr %>a %icap::to/%03icap::Hs %icap::<size %icap::rm %icap::ru% %un -/%icap::<A - # -# See also: logformat, log_icap, and %icap::<last_h +# See also: logformat, log_icap, and %adapt::<last_h #Default: # none -# TAG: log_access allow|deny acl acl... -# This options allows you to control which requests gets logged -# to access.log (see access_log directive). Requests denied for -# logging will also not be accounted for in performance counters. +# TAG: logfile_daemon +# Specify the path to the logfile-writing daemon. This daemon is +# used to write the access and store logs, if configured. # -# This clause only supports fast acl types. -# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# Squid sends a number of commands to the log daemon: +# L<data>\n - logfile data +# R\n - rotate file +# T\n - truncate file +# O\n - reopen file +# F\n - flush file +# r<n>\n - set rotate count to <n> +# b<n>\n - 1 = buffer output, 0 = don't buffer output +# +# No responses is expected. +#Default: +# logfile_daemon /usr/libexec/log_file_daemon + +# TAG: log_access +# Remove this line. Use acls with access_log directives to control access logging #Default: # none # TAG: log_icap -# Note: This option is only available if Squid is rebuilt with the -# --enable-icap-client option -# -# This options allows you to control which requests get logged -# to icap.log. See the icap_log directive for ICAP log details. +# Remove this line. Use acls with icap_log directives to control icap logging #Default: # none +# TAG: stats_collection allow|deny acl acl... +# This options allows you to control which requests gets accounted +# in performance counters. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Allow logging for all transactions. + # TAG: cache_store_log # Logs the activities of the storage manager. Shows which # objects are ejected from the cache, and which objects are -# saved and for how long. To disable, enter "none" or remove the line. +# saved and for how long. # There are not really utilities to analyze this data, so you can safely -# disable it. -# +# disable it (the default). +# +# Store log uses modular logging outputs. See access_log for the list +# of modules supported. +# # Example: -# cache_store_log /var/log/squid/store.log +# cache_store_log stdio:/var/log/squid/store.log +# cache_store_log daemon:/var/log/squid/store.log #Default: # none @@ -2600,7 +3824,7 @@ http_port 3128 # them). We recommend you do NOT use this option. It is # better to keep these index files in each 'cache_dir' directory. #Default: -# none +# Store the journal inside its cache_dir # TAG: logfile_rotate # Specifies the number of logfile rotations to make when you @@ -2617,31 +3841,26 @@ http_port 3128 # in the habit of using 'squid -k rotate' instead of 'kill -USR1 # <pid>'. # -# Note, from Squid-3.1 this option has no effect on the cache.log, -# that log can be rotated separately by using debug_options +# Note, from Squid-3.1 this option is only a default for cache.log, +# that log can be rotated separately by using debug_options. #Default: # logfile_rotate 10 -# TAG: emulate_httpd_log on|off -# The Cache can emulate the log file format which many 'httpd' -# programs use. To disable/enable this emulation, set -# emulate_httpd_log to 'off' or 'on'. The default -# is to use the native log format since it includes useful -# information Squid-specific log analyzers use. +# TAG: emulate_httpd_log +# Replace this with an access_log directive using the format 'common' or 'combined'. #Default: -# emulate_httpd_log off +# none -# TAG: log_ip_on_direct on|off -# Log the destination IP address in the hierarchy log tag when going -# direct. Earlier Squid versions logged the hostname here. If you -# prefer the old way set this to off. +# TAG: log_ip_on_direct +# Remove this option from your config. To log server or peer names use %<A in the log format. #Default: -# log_ip_on_direct on +# none # TAG: mime_table -# Pathname to Squid's MIME table. You shouldn't need to change -# this, but the default file contains examples and formatting -# information if you do. +# Path to Squid's icon configuration file. +# +# You shouldn't need to change this, but the default file contains +# examples and formatting information if you do. #Default: # mime_table /etc/squid/mime.conf @@ -2655,24 +3874,12 @@ http_port 3128 # log_mime_hdrs off # TAG: useragent_log -# Note: This option is only available if Squid is rebuilt with the -# --enable-useragent-log option -# -# Squid will write the User-Agent field from HTTP requests -# to the filename specified here. By default useragent_log -# is disabled. +# Replace this with an access_log directive using the format 'useragent'. #Default: # none # TAG: referer_log -# Note: This option is only available if Squid is rebuilt with the -# --enable-referer-log option -# -# Squid will write the Referer field from HTTP requests to the -# filename specified here. By default referer_log is disabled. -# Note that "referer" is actually a misspelling of "referrer" -# however the misspelt version has been accepted into the HTTP RFCs -# and we accept both. +# Replace this with an access_log directive using the format 'referrer'. #Default: # none @@ -2681,14 +3888,10 @@ http_port 3128 #Default: # pid_filename /var/run/squid -# TAG: log_fqdn on|off -# Turn this on if you wish to log fully qualified domain names -# in the access.log. To do this Squid does a DNS lookup of all -# IP's connecting to it. This can (in some situations) increase -# latency, which makes your cache seem slower for interactive -# browsing. +# TAG: log_fqdn +# Remove this option from your config. To log FQDN use %>A in the log format. #Default: -# log_fqdn off +# none # TAG: client_netmask # A netmask for client addresses in logfiles and cachemgr output. @@ -2696,49 +3899,58 @@ http_port 3128 # A netmask of 255.255.255.0 will log all IP's in that range with # the last digit set to '0'. #Default: -# client_netmask no_addr +# Log full client IP address # TAG: forward_log -# Note: This option is only available if Squid is rebuilt with the -# -DWIP_FWD_LOG define -# -# Logs the server-side requests. -# -# This is currently work in progress. +# Use a regular access.log with ACL limiting it to MISS events. #Default: # none # TAG: strip_query_terms # By default, Squid strips query terms from requested URLs before -# logging. This protects your user's privacy. +# logging. This protects your user's privacy and reduces log size. +# +# When investigating HIT/MISS or other caching behaviour you +# will need to disable this to see the full URL used by Squid. #Default: # strip_query_terms on # TAG: buffered_logs on|off -# cache.log log file is written with stdio functions, and as such -# it can be buffered or unbuffered. By default it will be unbuffered. -# Buffering it can speed up the writing slightly (though you are -# unlikely to need to worry unless you run with tons of debugging -# enabled in which case performance will suffer badly anyway..). +# Whether to write/send access_log records ASAP or accumulate them and +# then write/send them in larger chunks. Buffering may improve +# performance because it decreases the number of I/Os. However, +# buffering increases the delay before log records become available to +# the final recipient (e.g., a disk file or logging daemon) and, +# hence, increases the risk of log records loss. +# +# Note that even when buffered_logs are off, Squid may have to buffer +# records if it cannot write/send them immediately due to pending I/Os +# (e.g., the I/O writing the previous log record) or connectivity loss. +# +# Currently honored by 'daemon' and 'tcp' access_log modules only. #Default: # buffered_logs off # TAG: netdb_filename # Note: This option is only available if Squid is rebuilt with the -# --enable-icmp option +# --enable-icmp +# +# Where Squid stores it's netdb journal. +# When enabled this journal preserves netdb state between restarts. # -# A filename where Squid stores it's netdb state between restarts. # To disable, enter "none". #Default: -# netdb_filename /var/log/squid/netdb.state +# netdb_filename stdio:/var/log/squid/netdb.state # OPTIONS FOR TROUBLESHOOTING # ----------------------------------------------------------------------------- # TAG: cache_log -# Cache logging file. This is where general information about -# your cache's behavior goes. You can increase the amount of data -# logged to this file and how often its rotated with "debug_options" +# Squid administrative logging file. +# +# This is where general information about Squid behavior goes. You can +# increase the amount of data logged to this file and how often it is +# rotated with "debug_options" #Default: # cache_log /var/log/squid/cache.log @@ -2749,14 +3961,14 @@ http_port 3128 # log file, so be careful. # # The magic word "ALL" sets debugging levels for all sections. -# We recommend normally running with "ALL,1". +# The default is to run with "ALL,1" to record important warnings. # # The rotate=N option can be used to keep more or less of these logs # than would otherwise be kept by logfile_rotate. # For most uses a single log should be enough to monitor current # events affecting Squid. #Default: -# debug_options ALL,1 +# Log all critical and important messages. # TAG: coredump_dir # By default Squid leaves core files in the directory from where @@ -2765,35 +3977,28 @@ http_port 3128 # and coredump files will be left there. # #Default: -# coredump_dir none +# Use the directory from where Squid was started. # # Leave coredumps in the first cache dir -coredump_dir /var/log/squid/cache +coredump_dir /var/log/squid/cache/squid # OPTIONS FOR FTP GATEWAYING # ----------------------------------------------------------------------------- # TAG: ftp_user # If you want the anonymous login password to be more informative -# (and enable the use of picky ftp servers), set this to something +# (and enable the use of picky FTP servers), set this to something # reasonable for your domain, like wwwuser@somewhere.net # # The reason why this is domainless by default is the # request can be made on the behalf of a user in any domain, # depending on how the cache is used. -# Some ftp server also validate the email address is valid +# Some FTP server also validate the email address is valid # (for example perl.com). #Default: # ftp_user Squid@ -# TAG: ftp_list_width -# Sets the width of ftp listings. This should be set to fit in -# the width of a standard browser. Setting this too small -# can cut off long filenames when browsing ftp sites. -#Default: -# ftp_list_width 32 - # TAG: ftp_passive # If your firewall does not allow Squid to use passive # connections, turn off this option. @@ -2897,7 +4102,7 @@ coredump_dir /var/log/squid/cache # TAG: pinger_program # Note: This option is only available if Squid is rebuilt with the -# --enable-icmp option +# --enable-icmp # # Specify the location of the executable for the pinger process. #Default: @@ -2905,13 +4110,13 @@ coredump_dir /var/log/squid/cache # TAG: pinger_enable # Note: This option is only available if Squid is rebuilt with the -# --enable-icmp option +# --enable-icmp # # Control whether the pinger is active at run-time. # Enables turning ICMP pinger on and off with a simple # squid -k reconfigure. #Default: -# pinger_enable off +# pinger_enable on # OPTIONS FOR URL REWRITING # ----------------------------------------------------------------------------- @@ -2922,68 +4127,132 @@ coredump_dir /var/log/squid/cache # # For each requested URL, the rewriter will receive on line with the format # -# URL <SP> client_ip "/" fqdn <SP> user <SP> method [<SP> kvpairs]<NL> +# [channel-ID <SP>] URL <SP> client_ip "/" fqdn <SP> user <SP> method [<SP> kv-pairs]<NL> # -# In the future, the rewriter interface will be extended with -# key=value pairs ("kvpairs" shown above). Rewriter programs +# +# After processing the request the helper must reply using the following format: +# +# [channel-ID <SP>] result [<SP> kv-pairs] +# +# The result code can be: +# +# OK status=30N url="..." +# Redirect the URL to the one supplied in 'url='. +# 'status=' is optional and contains the status code to send +# the client in Squids HTTP response. It must be one of the +# HTTP redirect status codes: 301, 302, 303, 307, 308. +# When no status is given Squid will use 302. +# +# OK rewrite-url="..." +# Rewrite the URL to the one supplied in 'rewrite-url='. +# The new URL is fetched directly by Squid and returned to +# the client as the response to its request. +# +# OK +# When neither of url= and rewrite-url= are sent Squid does +# not change the URL. +# +# ERR +# Do not change the URL. +# +# BH +# An internal error occurred in the helper, preventing +# a result being identified. The 'message=' key name is +# reserved for delivering a log message. +# +# +# In the future, the interface protocol will be extended with +# key=value pairs ("kv-pairs" shown above). Helper programs # should be prepared to receive and possibly ignore additional # whitespace-separated tokens on each input line. # -# And the rewriter may return a rewritten URL. The other components of -# the request line does not need to be returned (ignored if they are). +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# WARNING: URL re-writing ability should be avoided whenever possible. +# Use the URL redirect form of response instead. # -# The rewriter can also indicate that a client-side redirect should -# be performed to the new URL. This is done by prefixing the returned -# URL with "301:" (moved permanently) or 302: (moved temporarily), etc. +# Re-write creates a difference in the state held by the client +# and server. Possibly causing confusion when the server response +# contains snippets of its view state. Embeded URLs, response +# and content Location headers, etc. are not re-written by this +# interface. # # By default, a URL rewriter is not used. #Default: # none # TAG: url_rewrite_children -# The number of redirector processes to spawn. If you start -# too few Squid will have to wait for them to process a backlog of -# URLs, slowing it down. If you start too many they will use RAM -# and other system resources. -#Default: -# url_rewrite_children 5 - -# TAG: url_rewrite_concurrency +# The maximum number of redirector processes to spawn. If you limit +# it too few Squid will have to wait for them to process a backlog of +# URLs, slowing it down. If you allow too many they will use RAM +# and other system resources noticably. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup= +# +# Sets a minimum of how many processes are to be spawned when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few will cause an initial slowdown in traffic as Squid +# attempts to simultaneously spawn enough processes to cope. +# +# idle= +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# # The number of requests each redirector helper can handle in # parallel. Defaults to 0 which indicates the redirector # is a old-style single threaded redirector. # # When this directive is set to a value >= 1 then the protocol # used to communicate with the helper is modified to include -# a request ID in front of the request/response. The request -# ID from the request must be echoed back with the response -# to that request. +# an ID in front of the request/response. The ID from the request +# must be echoed back with the response to that request. #Default: -# url_rewrite_concurrency 0 +# url_rewrite_children 20 startup=0 idle=1 concurrency=0 # TAG: url_rewrite_host_header -# By default Squid rewrites any Host: header in redirected -# requests. If you are running an accelerator this may -# not be a wanted effect of a redirector. -# +# To preserve same-origin security policies in browsers and +# prevent Host: header forgery by redirectors Squid rewrites +# any Host: header in redirected requests. +# +# If you are running an accelerator this may not be a wanted +# effect of a redirector. This directive enables you disable +# Host: alteration in reverse-proxy traffic. +# # WARNING: Entries are cached on the result of the URL rewriting # process, so be careful if you have domain-virtual hosts. +# +# WARNING: Squid and other software verifies the URL and Host +# are matching, so be careful not to relay through other proxies +# or inspecting firewalls with this disabled. #Default: # url_rewrite_host_header on # TAG: url_rewrite_access # If defined, this access list specifies which requests are -# sent to the redirector processes. By default all requests -# are sent. +# sent to the redirector processes. # # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: url_rewrite_bypass # When this is 'on', a request will not go through the -# redirector if all redirectors are busy. If this is 'off' +# redirector if all the helpers are busy. If this is 'off' # and the redirector queue grows too large, Squid will exit # with a FATAL error and ask you to increase the number of # redirectors. You should only enable this if the redirectors @@ -2994,6 +4263,114 @@ coredump_dir /var/log/squid/cache #Default: # url_rewrite_bypass off +# OPTIONS FOR STORE ID +# ----------------------------------------------------------------------------- + +# TAG: store_id_program +# Specify the location of the executable StoreID helper to use. +# Since they can perform almost any function there isn't one included. +# +# For each requested URL, the helper will receive one line with the format +# +# [channel-ID <SP>] URL <SP> client_ip "/" fqdn <SP> user <SP> method [<SP> kv-pairs]<NL> +# +# +# After processing the request the helper must reply using the following format: +# +# [channel-ID <SP>] result [<SP> kv-pairs] +# +# The result code can be: +# +# OK store-id="..." +# Use the StoreID supplied in 'store-id='. +# +# ERR +# The default is to use HTTP request URL as the store ID. +# +# BH +# An internal error occured in the helper, preventing +# a result being identified. +# +# +# Helper programs should be prepared to receive and possibly ignore additional +# kv-pairs with keys they do not support. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# NOTE: when using StoreID refresh_pattern will apply to the StoreID +# returned from the helper and not the URL. +# +# WARNING: Wrong StoreID value returned by a careless helper may result +# in the wrong cached response returned to the user. +# +# By default, a StoreID helper is not used. +#Default: +# none + +# TAG: store_id_children +# The maximum number of StoreID helper processes to spawn. If you limit +# it too few Squid will have to wait for them to process a backlog of +# requests, slowing it down. If you allow too many they will use RAM +# and other system resources noticably. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup= +# +# Sets a minimum of how many processes are to be spawned when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few will cause an initial slowdown in traffic as Squid +# attempts to simultaneously spawn enough processes to cope. +# +# idle= +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# +# The number of requests each storeID helper can handle in +# parallel. Defaults to 0 which indicates the helper +# is a old-style single threaded program. +# +# When this directive is set to a value >= 1 then the protocol +# used to communicate with the helper is modified to include +# an ID in front of the request/response. The ID from the request +# must be echoed back with the response to that request. +#Default: +# store_id_children 20 startup=0 idle=1 concurrency=0 + +# TAG: store_id_access +# If defined, this access list specifies which requests are +# sent to the StoreID processes. By default all requests +# are sent. +# +# This clause supports both fast and slow acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Allow, unless rules exist in squid.conf. + +# TAG: store_id_bypass +# When this is 'on', a request will not go through the +# helper if all helpers are busy. If this is 'off' +# and the helper queue grows too large, Squid will exit +# with a FATAL error and ask you to increase the number of +# helpers. You should only enable this if the helperss +# are not critical to your caching system. If you use +# helpers for critical caching components, and you enable this +# option, users may not get objects from cache. +#Default: +# store_id_bypass on + # OPTIONS FOR TUNING THE CACHE # ----------------------------------------------------------------------------- @@ -3005,12 +4382,17 @@ coredump_dir /var/log/squid/cache # You must use the words 'allow' or 'deny' to indicate whether items # matching the ACL should be allowed or denied into the cache. # -# Default is to allow all to be cached. -# # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow caching, unless rules exist in squid.conf. + +# TAG: max_stale time-units +# This option puts an upper limit on how stale content Squid +# will serve from the cache if cache validation fails. +# Can be overriden by the refresh_pattern max-stale option. +#Default: +# max_stale 1 week # TAG: refresh_pattern # usage: refresh_pattern [-i] regex min percent max [options] @@ -3035,12 +4417,13 @@ coredump_dir /var/log/squid/cache # override-lastmod # reload-into-ims # ignore-reload -# ignore-no-cache # ignore-no-store # ignore-must-revalidate # ignore-private # ignore-auth +# max-stale=NN # refresh-ims +# store-stale # # override-expire enforces min age even if the server # sent an explicit expiry time (e.g., with the @@ -3056,22 +4439,18 @@ coredump_dir /var/log/squid/cache # override-lastmod enforces min age even on objects # that were modified recently. # -# reload-into-ims changes client no-cache or ``reload'' -# to If-Modified-Since requests. Doing this VIOLATES the -# HTTP standard. Enabling this feature could make you -# liable for problems which it causes. +# reload-into-ims changes a client no-cache or ``reload'' +# request for a cached entry into a conditional request using +# If-Modified-Since and/or If-None-Match headers, provided the +# cached entry has a Last-Modified and/or a strong ETag header. +# Doing this VIOLATES the HTTP standard. Enabling this feature +# could make you liable for problems which it causes. # # ignore-reload ignores a client no-cache or ``reload'' # header. Doing this VIOLATES the HTTP standard. Enabling # this feature could make you liable for problems which # it causes. # -# ignore-no-cache ignores any ``Pragma: no-cache'' and -# ``Cache-control: no-cache'' headers received from a server. -# The HTTP RFC never allows the use of this (Pragma) header -# from a server, only a client, though plenty of servers -# send it anyway. -# # ignore-no-store ignores any ``Cache-control: no-store'' # headers received from a server. Doing this VIOLATES # the HTTP standard. Enabling this feature could make you @@ -3098,6 +4477,16 @@ coredump_dir /var/log/squid/cache # ensures that the client will receive an updated version # if one is available. # +# store-stale stores responses even if they don't have explicit +# freshness or a validator (i.e., Last-Modified or an ETag) +# present, or if they're already stale. By default, Squid will +# not cache such responses because they usually can't be +# reused. Note that such responses will be stale by default. +# +# max-stale=NN provide a maximum staleness factor. Squid won't +# serve objects more stale than this even if it failed to +# validate the object. Default: use the max_stale global limit. +# # Basically a cached object is: # # FRESH if expires < now, else STALE @@ -3116,7 +4505,9 @@ coredump_dir /var/log/squid/cache # # +# # Add any of your own refresh_pattern entries above these. +# refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 @@ -3139,7 +4530,7 @@ refresh_pattern . 0 20% 4320 # downloads. # # When the user aborts a request, Squid will check the -# quick_abort values to the amount of data transfered until +# quick_abort values to the amount of data transferred until # then. # # If the transfer has less than 'quick_abort_min' KB remaining, @@ -3197,44 +4588,68 @@ refresh_pattern . 0 20% 4320 #Default: # negative_dns_ttl 1 minutes -# TAG: range_offset_limit (bytes) -# Sets a upper limit on how far into the the file a Range request -# may be to cause Squid to prefetch the whole file. If beyond this -# limit Squid forwards the Range request as it is and the result -# is NOT cached. -# +# TAG: range_offset_limit size [acl acl...] +# usage: (size) [units] [[!]aclname] +# +# Sets an upper limit on how far (number of bytes) into the file +# a Range request may be to cause Squid to prefetch the whole file. +# If beyond this limit, Squid forwards the Range request as it is and +# the result is NOT cached. +# # This is to stop a far ahead range request (lets say start at 17MB) # from making Squid fetch the whole object up to that point before # sending anything to the client. -# -# A value of 0 causes Squid to never fetch more than the +# +# Multiple range_offset_limit lines may be specified, and they will +# be searched from top to bottom on each request until a match is found. +# The first match found will be used. If no line matches a request, the +# default limit of 0 bytes will be used. +# +# 'size' is the limit specified as a number of units. +# +# 'units' specifies whether to use bytes, KB, MB, etc. +# If no units are specified bytes are assumed. +# +# A size of 0 causes Squid to never fetch more than the # client requested. (default) -# -# A value of -1 causes Squid to always fetch the object from the +# +# A size of 'none' causes Squid to always fetch the object from the # beginning so it may cache the result. (2.0 style) -# -# NP: Using -1 here will override any quick_abort settings that may -# otherwise apply to the range request. The range request will +# +# 'aclname' is the name of a defined ACL. +# +# NP: Using 'none' as the byte value here will override any quick_abort settings +# that may otherwise apply to the range request. The range request will # be fully fetched from start to finish regardless of the client # actions. This affects bandwidth usage. #Default: -# range_offset_limit 0 KB +# none # TAG: minimum_expiry_time (seconds) # The minimum caching time according to (Expires - Date) -# Headers Squid honors if the object can't be revalidated -# defaults to 60 seconds. In reverse proxy environments it -# might be desirable to honor shorter object lifetimes. It -# is most likely better to make your server return a -# meaningful Last-Modified header however. In ESI environments -# where page fragments often have short lifetimes, this will -# often be best set to 0. +# headers Squid honors if the object can't be revalidated. +# The default is 60 seconds. +# +# In reverse proxy environments it might be desirable to honor +# shorter object lifetimes. It is most likely better to make +# your server return a meaningful Last-Modified header however. +# +# In ESI environments where page fragments often have short +# lifetimes, this will often be best set to 0. #Default: # minimum_expiry_time 60 seconds -# TAG: store_avg_object_size (kbytes) +# TAG: store_avg_object_size (bytes) # Average object size, used to estimate number of objects your # cache can hold. The default is 13 KB. +# +# This is used to pre-seed the cache index memory allocation to +# reduce expensive reallocate operations while handling clients +# traffic. Too-large values may result in memory allocation during +# peak traffic, too-small values will result in wasted memory. +# +# Check the cache manager 'info' report metrics for the real +# object sizes seen by your Squid before tuning this. #Default: # store_avg_object_size 13 KB @@ -3273,8 +4688,11 @@ refresh_pattern . 0 20% 4320 # than this limit receives an "Invalid Request" error message. # If you set this parameter to a zero (the default), there will # be no limit imposed. +# +# See also client_request_buffer_max_size for an alternative +# limitation on client uploads which can be configured. #Default: -# request_body_max_size 0 KB +# No limit. # TAG: client_request_buffer_max_size (bytes) # This specifies the maximum buffer size of a client request. @@ -3327,18 +4745,18 @@ refresh_pattern . 0 20% 4320 # acl buggy_server url_regex ^http://.... # broken_posts allow buggy_server #Default: -# none +# Obey RFC 2616. -# TAG: icap_uses_indirect_client on|off +# TAG: adaptation_uses_indirect_client on|off # Note: This option is only available if Squid is rebuilt with the -# --enable-follow-x-forwarded-for and --enable-icap-client option +# --enable-follow-x-forwarded-for and (--enable-icap-client and/or --enable-ecap) # # Controls whether the indirect client IP address (instead of the direct # client IP address) is passed to adaptation services. # # See also: follow_x_forwarded_for adaptation_send_client_ip #Default: -# icap_uses_indirect_client on +# adaptation_uses_indirect_client on # TAG: via on|off # If set (default), Squid will include a Via header in requests and @@ -3400,64 +4818,62 @@ refresh_pattern . 0 20% 4320 # # This option replaces the old 'anonymize_headers' and the # older 'http_anonymizer' option with something that is much -# more configurable. This new method creates a list of ACLs -# for each header, allowing you very fine-tuned header -# mangling. -# -# This option only applies to request headers, i.e., from the -# client to the server. -# -# You can only specify known headers for the header name. -# Other headers are reclassified as 'Other'. You can also -# refer to all the headers with 'All'. +# more configurable. A list of ACLs for each header name allows +# removal of specific header fields under specific conditions. +# +# This option only applies to outgoing HTTP request headers (i.e., +# headers sent by Squid to the next HTTP hop such as a cache peer +# or an origin server). The option has no effect during cache hit +# detection. The equivalent adaptation vectoring point in ICAP +# terminology is post-cache REQMOD. +# +# The option is applied to individual outgoing request header +# fields. For each request header field F, Squid uses the first +# qualifying sets of request_header_access rules: +# +# 1. Rules with header_name equal to F's name. +# 2. Rules with header_name 'Other', provided F's name is not +# on the hard-coded list of commonly used HTTP header names. +# 3. Rules with header_name 'All'. +# +# Within that qualifying rule set, rule ACLs are checked as usual. +# If ACLs of an "allow" rule match, the header field is allowed to +# go through as is. If ACLs of a "deny" rule match, the header is +# removed and request_header_replace is then checked to identify +# if the removed header has a replacement. If no rules within the +# set have matching ACLs, the header field is left as is. # # For example, to achieve the same behavior as the old # 'http_anonymizer standard' option, you should use: # # request_header_access From deny all # request_header_access Referer deny all -# request_header_access Server deny all # request_header_access User-Agent deny all -# request_header_access WWW-Authenticate deny all -# request_header_access Link deny all # # Or, to reproduce the old 'http_anonymizer paranoid' feature # you should use: # -# request_header_access Allow allow all # request_header_access Authorization allow all -# request_header_access WWW-Authenticate allow all # request_header_access Proxy-Authorization allow all -# request_header_access Proxy-Authenticate allow all # request_header_access Cache-Control allow all -# request_header_access Content-Encoding allow all # request_header_access Content-Length allow all # request_header_access Content-Type allow all # request_header_access Date allow all -# request_header_access Expires allow all # request_header_access Host allow all # request_header_access If-Modified-Since allow all -# request_header_access Last-Modified allow all -# request_header_access Location allow all # request_header_access Pragma allow all # request_header_access Accept allow all # request_header_access Accept-Charset allow all # request_header_access Accept-Encoding allow all # request_header_access Accept-Language allow all -# request_header_access Content-Language allow all -# request_header_access Mime-Version allow all -# request_header_access Retry-After allow all -# request_header_access Title allow all # request_header_access Connection allow all # request_header_access All deny all # -# although many of those are HTTP reply headers, and so should be -# controlled with the reply_header_access directive. +# HTTP reply headers are controlled with the reply_header_access directive. # -# By default, all headers are allowed (no anonymizing is -# performed). +# By default, all headers are allowed (no anonymizing is performed). #Default: -# none +# No limits. # TAG: reply_header_access # Usage: reply_header_access header_name allow|deny [!]aclname ... @@ -3470,25 +4886,13 @@ refresh_pattern . 0 20% 4320 # server to the client. # # This is the same as request_header_access, but in the other -# direction. -# -# This option replaces the old 'anonymize_headers' and the -# older 'http_anonymizer' option with something that is much -# more configurable. This new method creates a list of ACLs -# for each header, allowing you very fine-tuned header -# mangling. -# -# You can only specify known headers for the header name. -# Other headers are reclassified as 'Other'. You can also -# refer to all the headers with 'All'. +# direction. Please see request_header_access for detailed +# documentation. # # For example, to achieve the same behavior as the old # 'http_anonymizer standard' option, you should use: # -# reply_header_access From deny all -# reply_header_access Referer deny all # reply_header_access Server deny all -# reply_header_access User-Agent deny all # reply_header_access WWW-Authenticate deny all # reply_header_access Link deny all # @@ -3496,9 +4900,7 @@ refresh_pattern . 0 20% 4320 # you should use: # # reply_header_access Allow allow all -# reply_header_access Authorization allow all # reply_header_access WWW-Authenticate allow all -# reply_header_access Proxy-Authorization allow all # reply_header_access Proxy-Authenticate allow all # reply_header_access Cache-Control allow all # reply_header_access Content-Encoding allow all @@ -3506,29 +4908,22 @@ refresh_pattern . 0 20% 4320 # reply_header_access Content-Type allow all # reply_header_access Date allow all # reply_header_access Expires allow all -# reply_header_access Host allow all -# reply_header_access If-Modified-Since allow all # reply_header_access Last-Modified allow all # reply_header_access Location allow all # reply_header_access Pragma allow all -# reply_header_access Accept allow all -# reply_header_access Accept-Charset allow all -# reply_header_access Accept-Encoding allow all -# reply_header_access Accept-Language allow all # reply_header_access Content-Language allow all -# reply_header_access Mime-Version allow all # reply_header_access Retry-After allow all # reply_header_access Title allow all +# reply_header_access Content-Disposition allow all # reply_header_access Connection allow all # reply_header_access All deny all # -# although the HTTP request headers won't be usefully controlled -# by this directive -- see request_header_access for details. +# HTTP request headers are controlled with the request_header_access directive. # # By default, all headers are allowed (no anonymizing is # performed). #Default: -# none +# No limits. # TAG: request_header_replace # Usage: request_header_replace header_name message @@ -3536,8 +4931,7 @@ refresh_pattern . 0 20% 4320 # # This option allows you to change the contents of headers # denied with request_header_access above, by replacing them -# with some fixed string. This replaces the old fake_user_agent -# option. +# with some fixed string. # # This only applies to request headers, not reply headers. # @@ -3559,6 +4953,57 @@ refresh_pattern . 0 20% 4320 #Default: # none +# TAG: request_header_add +# Usage: request_header_add field-name field-value acl1 [acl2] ... +# Example: request_header_add X-Client-CA "CA=%ssl::>cert_issuer" all +# +# This option adds header fields to outgoing HTTP requests (i.e., +# request headers sent by Squid to the next HTTP hop such as a +# cache peer or an origin server). The option has no effect during +# cache hit detection. The equivalent adaptation vectoring point +# in ICAP terminology is post-cache REQMOD. +# +# Field-name is a token specifying an HTTP header name. If a +# standard HTTP header name is used, Squid does not check whether +# the new header conflicts with any existing headers or violates +# HTTP rules. If the request to be modified already contains a +# field with the same name, the old field is preserved but the +# header field values are not merged. +# +# Field-value is either a token or a quoted string. If quoted +# string format is used, then the surrounding quotes are removed +# while escape sequences and %macros are processed. +# +# In theory, all of the logformat codes can be used as %macros. +# However, unlike logging (which happens at the very end of +# transaction lifetime), the transaction may not yet have enough +# information to expand a macro when the new header value is needed. +# And some information may already be available to Squid but not yet +# committed where the macro expansion code can access it (report +# such instances!). The macro will be expanded into a single dash +# ('-') in such cases. Not all macros have been tested. +# +# One or more Squid ACLs may be specified to restrict header +# injection to matching requests. As always in squid.conf, all +# ACLs in an option ACL list must be satisfied for the insertion +# to happen. The request_header_add option supports fast ACLs +# only. +#Default: +# none + +# TAG: note +# This option used to log custom information about the master +# transaction. For example, an admin may configure Squid to log +# which "user group" the transaction belongs to, where "user group" +# will be determined based on a set of ACLs and not [just] +# authentication information. +# Values of key/value pairs can be logged using %{key}note macros: +# +# note key value acl ... +# logformat myFormat ... %{key}note ... +#Default: +# none + # TAG: relaxed_header_parser on|off|warn # In the default "on" setting Squid accepts certain forms # of non-compliant HTTP messages where it is unambiguous @@ -3574,16 +5019,6 @@ refresh_pattern . 0 20% 4320 #Default: # relaxed_header_parser on -# TAG: ignore_expect_100 on|off -# This option makes Squid ignore any Expect: 100-continue header present -# in the request. RFC 2616 requires that Squid being unable to satisfy -# the response expectation MUST return a 417 error. -# -# Note: Enabling this is a HTTP protocol violation, but some clients may -# not handle it well.. -#Default: -# ignore_expect_100 off - # TIMEOUTS # ----------------------------------------------------------------------------- @@ -3617,17 +5052,28 @@ refresh_pattern . 0 20% 4320 #Default: # read_timeout 15 minutes +# TAG: write_timeout time-units +# This timeout is tracked for all connections that have data +# available for writing and are waiting for the socket to become +# ready. After each successful write, the timeout is extended by +# the configured amount. If Squid has data to write but the +# connection is not ready for the configured duration, the +# transaction associated with the connection is terminated. The +# default is 15 minutes. +#Default: +# write_timeout 15 minutes + # TAG: request_timeout # How long to wait for complete HTTP request headers after initial # connection establishment. #Default: # request_timeout 5 minutes -# TAG: persistent_request_timeout +# TAG: client_idle_pconn_timeout # How long to wait for the next HTTP request on a persistent -# connection after the previous request completes. +# client connection after the previous request completes. #Default: -# persistent_request_timeout 2 minutes +# client_idle_pconn_timeout 2 minutes # TAG: client_lifetime time-units # The maximum amount of time a client (browser) is allowed to @@ -3663,11 +5109,11 @@ refresh_pattern . 0 20% 4320 #Default: # half_closed_clients off -# TAG: pconn_timeout +# TAG: server_idle_pconn_timeout # Timeout for idle persistent connections to servers and other # proxies. #Default: -# pconn_timeout 1 minute +# server_idle_pconn_timeout 1 minute # TAG: ident_timeout # Maximum time to wait for IDENT lookups to complete. @@ -3692,15 +5138,15 @@ refresh_pattern . 0 20% 4320 # TAG: cache_mgr # Email-address of local cache manager who will receive -# mail if the cache dies. The default is "webmaster." +# mail if the cache dies. The default is "webmaster". #Default: # cache_mgr webmaster # TAG: mail_from # From: email-address for mail sent when the cache dies. -# The default is to use 'appname@unique_hostname'. -# Default appname value is "squid", can be changed into -# src/globals.h before building squid. +# The default is to use 'squid@unique_hostname'. +# +# See also: unique_hostname directive. #Default: # none @@ -3739,7 +5185,7 @@ refresh_pattern . 0 20% 4320 # Our preference is for administrators to configure a secure # user account for squid with UID/GID matching system policies. #Default: -# none +# Use system group memberships of the cache_effective_user account # TAG: httpd_suppress_version_string on|off # Suppress Squid version string info in HTTP headers and HTML error pages. @@ -3753,14 +5199,14 @@ refresh_pattern . 0 20% 4320 # get errors about IP-forwarding you must set them to have individual # names with this setting. #Default: -# none +# Automatically detect the system host name # TAG: unique_hostname # If you want to have multiple machines with the same # 'visible_hostname' you must give each machine a different # 'unique_hostname' so forwarding loops can be detected. #Default: -# none +# Copy the value from visible_hostname # TAG: hostname_aliases # A list of other DNS names your cache has. @@ -3799,33 +5245,32 @@ refresh_pattern . 0 20% 4320 # available on the Web at http://www.ircache.net/Cache/Tracker/. # TAG: announce_period -# This is how frequently to send cache announcements. The -# default is `0' which disables sending the announcement -# messages. +# This is how frequently to send cache announcements. # # To enable announcing your cache, just set an announce period. # # Example: # announce_period 1 day #Default: -# announce_period 0 +# Announcement messages disabled. # TAG: announce_host +# Set the hostname where announce registration messages will be sent. +# +# See also announce_port and announce_file #Default: # announce_host tracker.ircache.net # TAG: announce_file +# The contents of this file will be included in the announce +# registration messages. #Default: # none # TAG: announce_port -# announce_host and announce_port set the hostname and port -# number where the registration message will be sent. +# Set the port where announce registration messages will be sent. # -# Hostname will default to 'tracker.ircache.net' and port will -# default default to 3131. If the 'filename' argument is given, -# the contents of that file will be included in the announce -# message. +# See also announce_host and announce_file #Default: # announce_port 3131 @@ -3833,28 +5278,24 @@ refresh_pattern . 0 20% 4320 # ----------------------------------------------------------------------------- # TAG: httpd_accel_surrogate_id -# Note: This option is only available if Squid is rebuilt with the -# --enable-esi option -# # Surrogates (http://www.esi.org/architecture_spec_1.0.html) # need an identification token to allow control targeting. Because # a farm of surrogates may all perform the same tasks, they may share # an identification token. #Default: -# httpd_accel_surrogate_id unset-id +# visible_hostname is used if no specific ID is set. # TAG: http_accel_surrogate_remote on|off -# Note: This option is only available if Squid is rebuilt with the -# --enable-esi option +# Remote surrogates (such as those in a CDN) honour the header +# "Surrogate-Control: no-store-remote". # -# Remote surrogates (such as those in a CDN) honour Surrogate-Control: no-store-remote. # Set this to on to have squid behave as a remote surrogate. #Default: # http_accel_surrogate_remote off # TAG: esi_parser libxml2|expat|custom # Note: This option is only available if Squid is rebuilt with the -# --enable-esi option +# --enable-esi # # ESI markup is not strictly XML compatible. The custom ESI parser # will give higher performance, but cannot handle non ASCII character @@ -3867,17 +5308,20 @@ refresh_pattern . 0 20% 4320 # TAG: delay_pools # Note: This option is only available if Squid is rebuilt with the -# --enable-delay-pools option +# --enable-delay-pools # # This represents the number of delay pools to be used. For example, # if you have one class 2 delay pool and one class 3 delays pool, you # have a total of 2 delay pools. +# +# See also delay_parameters, delay_class, delay_access for pool +# configuration details. #Default: # delay_pools 0 # TAG: delay_class # Note: This option is only available if Squid is rebuilt with the -# --enable-delay-pools option +# --enable-delay-pools # # This defines the class of each delay pool. There must be exactly one # delay_class line for each delay pool. For example, to define two @@ -3927,12 +5371,17 @@ refresh_pattern . 0 20% 4320 # # NOTE-2: Due to the use of bitmasks in class 2,3,4 pools they only apply to # IPv4 traffic. Class 1 and 5 pools may be used with IPv6 traffic. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# See also delay_parameters and delay_access. #Default: # none # TAG: delay_access # Note: This option is only available if Squid is rebuilt with the -# --enable-delay-pools option +# --enable-delay-pools # # This is used to determine which delay pool a request falls into. # @@ -3944,18 +5393,20 @@ refresh_pattern . 0 20% 4320 # For example, if you want some_big_clients in delay # pool 1 and lotsa_little_clients in delay pool 2: # -#Example: -# delay_access 1 allow some_big_clients -# delay_access 1 deny all -# delay_access 2 allow lotsa_little_clients -# delay_access 2 deny all -# delay_access 3 allow authenticated_clients +# delay_access 1 allow some_big_clients +# delay_access 1 deny all +# delay_access 2 allow lotsa_little_clients +# delay_access 2 deny all +# delay_access 3 allow authenticated_clients +# +# See also delay_parameters and delay_class. +# #Default: -# none +# Deny using the pool, unless allow rules exist in squid.conf for the pool. # TAG: delay_parameters # Note: This option is only available if Squid is rebuilt with the -# --enable-delay-pools option +# --enable-delay-pools # # This defines the parameters for a delay pool. Each delay pool has # a number of "buckets" associated with it, as explained in the @@ -4040,12 +5491,16 @@ refresh_pattern . 0 20% 4320 # be limited to 128Kbits/sec no matter how many workstations they are logged into.: # # delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000 +# +# +# See also delay_class and delay_access. +# #Default: # none # TAG: delay_initial_bucket_level (percent, 0-100) # Note: This option is only available if Squid is rebuilt with the -# --enable-delay-pools option +# --enable-delay-pools # # The initial bucket percentage is used to determine how much is put # in each bucket when squid starts, is reconfigured, or first notices @@ -4055,6 +5510,106 @@ refresh_pattern . 0 20% 4320 #Default: # delay_initial_bucket_level 50 +# CLIENT DELAY POOL PARAMETERS +# ----------------------------------------------------------------------------- + +# TAG: client_delay_pools +# Note: This option is only available if Squid is rebuilt with the +# --enable-delay-pools +# +# This option specifies the number of client delay pools used. It must +# preceed other client_delay_* options. +# +# Example: +# client_delay_pools 2 +# +# See also client_delay_parameters and client_delay_access. +#Default: +# client_delay_pools 0 + +# TAG: client_delay_initial_bucket_level (percent, 0-no_limit) +# Note: This option is only available if Squid is rebuilt with the +# --enable-delay-pools +# +# This option determines the initial bucket size as a percentage of +# max_bucket_size from client_delay_parameters. Buckets are created +# at the time of the "first" connection from the matching IP. Idle +# buckets are periodically deleted up. +# +# You can specify more than 100 percent but note that such "oversized" +# buckets are not refilled until their size goes down to max_bucket_size +# from client_delay_parameters. +# +# Example: +# client_delay_initial_bucket_level 50 +#Default: +# client_delay_initial_bucket_level 50 + +# TAG: client_delay_parameters +# Note: This option is only available if Squid is rebuilt with the +# --enable-delay-pools +# +# +# This option configures client-side bandwidth limits using the +# following format: +# +# client_delay_parameters pool speed_limit max_bucket_size +# +# pool is an integer ID used for client_delay_access matching. +# +# speed_limit is bytes added to the bucket per second. +# +# max_bucket_size is the maximum size of a bucket, enforced after any +# speed_limit additions. +# +# Please see the delay_parameters option for more information and +# examples. +# +# Example: +# client_delay_parameters 1 1024 2048 +# client_delay_parameters 2 51200 16384 +# +# See also client_delay_access. +# +#Default: +# none + +# TAG: client_delay_access +# Note: This option is only available if Squid is rebuilt with the +# --enable-delay-pools +# +# This option determines the client-side delay pool for the +# request: +# +# client_delay_access pool_ID allow|deny acl_name +# +# All client_delay_access options are checked in their pool ID +# order, starting with pool 1. The first checked pool with allowed +# request is selected for the request. If no ACL matches or there +# are no client_delay_access options, the request bandwidth is not +# limited. +# +# The ACL-selected pool is then used to find the +# client_delay_parameters for the request. Client-side pools are +# not used to aggregate clients. Clients are always aggregated +# based on their source IP addresses (one bucket per source IP). +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# Additionally, only the client TCP connection details are available. +# ACLs testing HTTP properties will not work. +# +# Please see delay_access for more examples. +# +# Example: +# client_delay_access 1 allow low_rate_network +# client_delay_access 2 allow vips_network +# +# +# See also client_delay_parameters and client_delay_pools. +#Default: +# Deny use of the pool, unless allow rules exist in squid.conf for the pool. + # WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS # ----------------------------------------------------------------------------- @@ -4069,7 +5624,7 @@ refresh_pattern . 0 20% 4320 # only one of the two may be used at the same time and defines # which version of WCCP to use. #Default: -# wccp_router any_addr +# WCCP disabled. # TAG: wccp2_router # Use this option to define your WCCP ``home'' router for @@ -4082,7 +5637,7 @@ refresh_pattern . 0 20% 4320 # only one of the two may be used at the same time and defines # which version of WCCP to use. #Default: -# none +# WCCPv2 disabled. # TAG: wccp_version # This directive is only relevant if you need to set up WCCP(v1) @@ -4139,7 +5694,7 @@ refresh_pattern . 0 20% 4320 # Valid values are as follows: # # hash - Hash assignment -# mask - Mask assignment +# mask - Mask assignment # # As a general rule, cisco routers support the hash assignment method # and cisco switches support the mask assignment method. @@ -4167,7 +5722,7 @@ refresh_pattern . 0 20% 4320 # # fleshed out with subsequent options. # wccp2_service standard 0 password=foo #Default: -# wccp2_service standard 0 +# Use the 'web-cache' standard service. # TAG: wccp2_service_info # Dynamic WCCPv2 services require further information to define the @@ -4204,8 +5759,12 @@ refresh_pattern . 0 20% 4320 # wccp2_weight 10000 # TAG: wccp_address +# Use this option if you require WCCPv2 to use a specific +# interface address. +# +# The default behavior is to not bind to any specific address. #Default: -# wccp_address 0.0.0.0 +# Address selected by the operating system. # TAG: wccp2_address # Use this option if you require WCCP to use a specific @@ -4213,7 +5772,7 @@ refresh_pattern . 0 20% 4320 # # The default behavior is to not bind to any specific address. #Default: -# wccp2_address 0.0.0.0 +# Address selected by the operating system. # PERSISTENT CONNECTION HANDLING # ----------------------------------------------------------------------------- @@ -4221,14 +5780,16 @@ refresh_pattern . 0 20% 4320 # Also see "pconn_timeout" in the TIMEOUTS section # TAG: client_persistent_connections +# Persistent connection support for clients. +# Squid uses persistent connections (when allowed). You can use +# this option to disable persistent connections with clients. #Default: # client_persistent_connections on # TAG: server_persistent_connections -# Persistent connection support for clients and servers. By -# default, Squid uses persistent connections (when allowed) -# with its clients and servers. You can use these options to -# disable persistent connections with clients and/or servers. +# Persistent connection support for servers. +# Squid uses persistent connections (when allowed). You can use +# this option to disable persistent connections with servers. #Default: # server_persistent_connections on @@ -4256,7 +5817,7 @@ refresh_pattern . 0 20% 4320 # TAG: digest_generation # Note: This option is only available if Squid is rebuilt with the -# --enable-cache-digests option +# --enable-cache-digests # # This controls whether the server will generate a Cache Digest # of its contents. By default, Cache Digest generation is @@ -4266,7 +5827,7 @@ refresh_pattern . 0 20% 4320 # TAG: digest_bits_per_entry # Note: This option is only available if Squid is rebuilt with the -# --enable-cache-digests option +# --enable-cache-digests # # This is the number of bits of the server's Cache Digest which # will be associated with the Digest entry for a given HTTP @@ -4276,7 +5837,7 @@ refresh_pattern . 0 20% 4320 # TAG: digest_rebuild_period (seconds) # Note: This option is only available if Squid is rebuilt with the -# --enable-cache-digests option +# --enable-cache-digests # # This is the wait time between Cache Digest rebuilds. #Default: @@ -4284,7 +5845,7 @@ refresh_pattern . 0 20% 4320 # TAG: digest_rewrite_period (seconds) # Note: This option is only available if Squid is rebuilt with the -# --enable-cache-digests option +# --enable-cache-digests # # This is the wait time between Cache Digest writes to # disk. @@ -4293,7 +5854,7 @@ refresh_pattern . 0 20% 4320 # TAG: digest_swapout_chunk_size (bytes) # Note: This option is only available if Squid is rebuilt with the -# --enable-cache-digests option +# --enable-cache-digests # # This is the number of bytes of the Cache Digest to write to # disk at a time. It defaults to 4096 bytes (4KB), the Squid @@ -4303,7 +5864,7 @@ refresh_pattern . 0 20% 4320 # TAG: digest_rebuild_chunk_percentage (percent, 0-100) # Note: This option is only available if Squid is rebuilt with the -# --enable-cache-digests option +# --enable-cache-digests # # This is the percentage of the Cache Digest to be scanned at a # time. By default it is set to 10% of the Cache Digest. @@ -4322,7 +5883,7 @@ refresh_pattern . 0 20% 4320 # Example: # snmp_port 3401 #Default: -# snmp_port 0 +# SNMP disabled. # TAG: snmp_access # Allowing or denying access to the SNMP port. @@ -4334,26 +5895,29 @@ refresh_pattern . 0 20% 4320 # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# #Example: # snmp_access allow snmppublic localhost # snmp_access deny all #Default: -# snmp_access deny all +# Deny, unless rules exist in squid.conf. # TAG: snmp_incoming_address -#Default: -# snmp_incoming_address any_addr - -# TAG: snmp_outgoing_address # Just like 'udp_incoming_address', but for the SNMP port. # # snmp_incoming_address is used for the SNMP socket receiving # messages from SNMP agents. -# snmp_outgoing_address is used for SNMP packets returned to SNMP -# agents. # # The default snmp_incoming_address is to listen on all # available network interfaces. +#Default: +# Accept SNMP packets from all machine interfaces. + +# TAG: snmp_outgoing_address +# Just like 'udp_outgoing_address', but for the SNMP port. +# +# snmp_outgoing_address is used for SNMP packets returned to SNMP +# agents. # # If snmp_outgoing_address is not set it will use the same socket # as snmp_incoming_address. Only change this if you want to have @@ -4361,9 +5925,9 @@ refresh_pattern . 0 20% 4320 # listens for SNMP queries. # # NOTE, snmp_incoming_address and snmp_outgoing_address can not have -# the same value since they both use port 3401. +# the same value since they both use the same port. #Default: -# snmp_outgoing_address no_addr +# Use snmp_incoming_address or an address selected by the operating system. # ICP OPTIONS # ----------------------------------------------------------------------------- @@ -4371,22 +5935,21 @@ refresh_pattern . 0 20% 4320 # TAG: icp_port # The port number where Squid sends and receives ICP queries to # and from neighbor caches. The standard UDP port for ICP is 3130. -# Default is disabled (0). # # Example: # icp_port 3130 #Default: -# icp_port 0 +# ICP disabled. # TAG: htcp_port # The port number where Squid sends and receives HTCP queries to # and from neighbor caches. To turn it on you want to set it to -# 4827. By default it is set to "0" (disabled). +# 4827. # # Example: # htcp_port 4827 #Default: -# htcp_port 0 +# HTCP disabled. # TAG: log_icp_queries on|off # If set, ICP queries are logged to access.log. You may wish @@ -4412,7 +5975,7 @@ refresh_pattern . 0 20% 4320 # NOTE, udp_incoming_address and udp_outgoing_address can not # have the same value since they both use the same port. #Default: -# udp_incoming_address any_addr +# Accept packets from all machine interfaces. # TAG: udp_outgoing_address # udp_outgoing_address is used for UDP packets sent out to other @@ -4433,7 +5996,7 @@ refresh_pattern . 0 20% 4320 # NOTE, udp_incoming_address and udp_outgoing_address can not # have the same value since they both use the same port. #Default: -# udp_outgoing_address no_addr +# Use udp_incoming_address or an address selected by the operating system. # TAG: icp_hit_stale on|off # If you want to return ICP_HIT for stale cache objects, set this @@ -4452,21 +6015,33 @@ refresh_pattern . 0 20% 4320 #Default: # minimum_direct_hops 4 -# TAG: minimum_direct_rtt +# TAG: minimum_direct_rtt (msec) # If using the ICMP pinging stuff, do direct fetches for sites # which are no more than this many rtt milliseconds away. #Default: # minimum_direct_rtt 400 # TAG: netdb_low +# The low water mark for the ICMP measurement database. +# +# Note: high watermark controlled by netdb_high directive. +# +# These watermarks are counts, not percents. The defaults are +# (low) 900 and (high) 1000. When the high water mark is +# reached, database entries will be deleted until the low +# mark is reached. #Default: # netdb_low 900 # TAG: netdb_high -# The low and high water marks for the ICMP measurement -# database. These are counts, not percents. The defaults are -# 900 and 1000. When the high water mark is reached, database -# entries will be deleted until the low mark is reached. +# The high water mark for the ICMP measurement database. +# +# Note: low watermark controlled by netdb_low directive. +# +# These watermarks are counts, not percents. The defaults are +# (low) 900 and (high) 1000. When the high water mark is +# reached, database entries will be deleted until the low +# mark is reached. #Default: # netdb_high 1000 @@ -4509,7 +6084,7 @@ refresh_pattern . 0 20% 4320 # # icp_query_timeout 2000 #Default: -# icp_query_timeout 0 +# Dynamic detection. # TAG: maximum_icp_query_timeout (msec) # Normally the ICP query timeout is determined dynamically. But @@ -4575,7 +6150,7 @@ refresh_pattern . 0 20% 4320 # Do not enable this option unless you are are absolutely # certain you understand what you are doing. #Default: -# mcast_miss_addr no_addr +# disabled. # TAG: mcast_miss_ttl # Note: This option is only available if Squid is rebuilt with the @@ -4665,7 +6240,7 @@ refresh_pattern . 0 20% 4320 # The squid developers working on translations are happy to supply drop-in # translated error files in exchange for any new language contributions. #Default: -# none +# Send error pages in the clients preferred language # TAG: error_default_language # Set the default language which squid will send error pages in @@ -4679,7 +6254,7 @@ refresh_pattern . 0 20% 4320 # translations for any language see the squid wiki for details. # http://wiki.squid-cache.org/Translations #Default: -# none +# Generate English language pages. # TAG: error_log_languages # Log to cache.log what languages users are attempting to @@ -4734,17 +6309,47 @@ refresh_pattern . 0 20% 4320 # the first authentication related acl encountered # - When none of the http_access lines matches. It's then the last # acl processed on the last http_access line. +# - When the decision to deny access was made by an adaptation service, +# the acl name is the corresponding eCAP or ICAP service_name. # # NP: If providing your own custom error pages with error_directory # you may also specify them by your custom file name: # Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys # -# Alternatively you can specify an error URL. The browsers will -# get redirected (302 or 307) to the specified URL. %s in the redirection -# URL will be replaced by the requested URL. +# By defaut Squid will send "403 Forbidden". A different 4xx or 5xx +# may be specified by prefixing the file name with the code and a colon. +# e.g. 404:ERR_CUSTOM_ACCESS_DENIED # # Alternatively you can tell Squid to reset the TCP connection # by specifying TCP_RESET. +# +# Or you can specify an error URL or URL pattern. The browsers will +# get redirected to the specified URL after formatting tags have +# been replaced. Redirect will be done with 302 or 307 according to +# HTTP/1.1 specs. A different 3xx code may be specified by prefixing +# the URL. e.g. 303:http://example.com/ +# +# URL FORMAT TAGS: +# %a - username (if available. Password NOT included) +# %B - FTP path URL +# %e - Error number +# %E - Error description +# %h - Squid hostname +# %H - Request domain name +# %i - Client IP Address +# %M - Request Method +# %o - Message result from external ACL helper +# %p - Request Port number +# %P - Request Protocol name +# %R - Request URL path +# %T - Timestamp in RFC 1123 format +# %U - Full canonical URL from client +# (HTTPS URLs terminate with *) +# %u - Full canonical URL from client +# %w - Admin email from squid.conf +# %x - Error name +# %% - Literal percent (%) code +# #Default: # none @@ -4756,15 +6361,16 @@ refresh_pattern . 0 20% 4320 # (matching hierarchy_stoplist or not cacheable request type) direct # to origin servers. # -# If you set this to off, Squid will prefer to send these +# When this is set to "off", Squid will prefer to send these # requests to parents. # # Note that in most configurations, by turning this off you will only # add latency to these request without any improvement in global hit # ratio. # -# If you are inside an firewall see never_direct instead of -# this directive. +# This option only sets a preference. If the parent is unavailable a +# direct connection to the origin server may still be attempted. To +# completely prevent direct connections use never_direct. #Default: # nonhierarchical_direct on @@ -4783,6 +6389,29 @@ refresh_pattern . 0 20% 4320 #Default: # prefer_direct off +# TAG: cache_miss_revalidate on|off +# RFC 7232 defines a conditional request mechanism to prevent +# response objects being unnecessarily transferred over the network. +# If that mechanism is used by the client and a cache MISS occurs +# it can prevent new cache entries being created. +# +# This option determines whether Squid on cache MISS will pass the +# client revalidation request to the server or tries to fetch new +# content for caching. It can be useful while the cache is mostly +# empty to more quickly have the cache populated by generating +# non-conditional GETs. +# +# When set to 'on' (default), Squid will pass all client If-* headers +# to the server. This permits server responses without a cacheable +# payload to be delivered and on MISS no new cache entry is created. +# +# When set to 'off' and if the request is cacheable, Squid will +# remove the clients If-Modified-Since and If-None-Match headers from +# the request sent to the server. This requests a 200 status response +# from the server to create a new cache entry with. +#Default: +# cache_miss_revalidate on + # TAG: always_direct # Usage: always_direct allow|deny [!]aclname ... # @@ -4823,7 +6452,7 @@ refresh_pattern . 0 20% 4320 # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Prevent any cache_peer being used for this request. # TAG: never_direct # Usage: never_direct allow|deny [!]aclname ... @@ -4852,37 +6481,52 @@ refresh_pattern . 0 20% 4320 # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow DNS results to be used for this request. # ADVANCED NETWORKING OPTIONS # ----------------------------------------------------------------------------- -# TAG: incoming_icp_average +# TAG: incoming_udp_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: -# incoming_icp_average 6 +# incoming_udp_average 6 -# TAG: incoming_http_average +# TAG: incoming_tcp_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: -# incoming_http_average 4 +# incoming_tcp_average 4 # TAG: incoming_dns_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: # incoming_dns_average 4 -# TAG: min_icp_poll_cnt +# TAG: min_udp_poll_cnt +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: -# min_icp_poll_cnt 8 +# min_udp_poll_cnt 8 # TAG: min_dns_poll_cnt +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: # min_dns_poll_cnt 8 -# TAG: min_http_poll_cnt +# TAG: min_tcp_poll_cnt # Heavy voodoo here. I can't even believe you are reading this. # Are you crazy? Don't even think about adjusting these unless # you understand the algorithms in comm_select.c first! #Default: -# min_http_poll_cnt 8 +# min_tcp_poll_cnt 8 # TAG: accept_filter # FreeBSD: @@ -4927,21 +6571,21 @@ refresh_pattern . 0 20% 4320 # WARNING: This may noticably slow down traffic received via external proxies # or NAT devices and cause them to rebound error messages back to their clients. #Default: -# client_ip_max_connections -1 +# No limit. # TAG: tcp_recv_bufsize (bytes) # Size of receive buffer to set for TCP sockets. Probably just -# as easy to change your kernel's default. Set to zero to use -# the default buffer size. +# as easy to change your kernel's default. +# Omit from squid.conf to use the default buffer size. #Default: -# tcp_recv_bufsize 0 bytes +# Use operating system TCP defaults. # ICAP OPTIONS # ----------------------------------------------------------------------------- # TAG: icap_enable on|off # Note: This option is only available if Squid is rebuilt with the -# --enable-icap-client option +# --enable-icap-client # # If you want to enable the ICAP module support, set this to on. #Default: @@ -4949,7 +6593,7 @@ refresh_pattern . 0 20% 4320 # TAG: icap_connect_timeout # Note: This option is only available if Squid is rebuilt with the -# --enable-icap-client option +# --enable-icap-client # # This parameter specifies how long to wait for the TCP connect to # the requested ICAP server to complete before giving up and either @@ -4963,37 +6607,51 @@ refresh_pattern . 0 20% 4320 # TAG: icap_io_timeout time-units # Note: This option is only available if Squid is rebuilt with the -# --enable-icap-client option +# --enable-icap-client # # This parameter specifies how long to wait for an I/O activity on # an established, active ICAP connection before giving up and # either terminating the HTTP transaction or bypassing the # failure. -# -# The default is read_timeout. #Default: -# none +# Use read_timeout. -# TAG: icap_service_failure_limit +# TAG: icap_service_failure_limit limit [in memory-depth time-units] # Note: This option is only available if Squid is rebuilt with the -# --enable-icap-client option +# --enable-icap-client # # The limit specifies the number of failures that Squid tolerates # when establishing a new TCP connection with an ICAP service. If # the number of failures exceeds the limit, the ICAP service is # not used for new ICAP requests until it is time to refresh its -# OPTIONS. The per-service failure counter is reset to zero each -# time Squid fetches new service OPTIONS. +# OPTIONS. # # A negative value disables the limit. Without the limit, an ICAP # service will not be considered down due to connectivity failures # between ICAP OPTIONS requests. +# +# Squid forgets ICAP service failures older than the specified +# value of memory-depth. The memory fading algorithm +# is approximate because Squid does not remember individual +# errors but groups them instead, splitting the option +# value into ten time slots of equal length. +# +# When memory-depth is 0 and by default this option has no +# effect on service failure expiration. +# +# Squid always forgets failures when updating service settings +# using an ICAP OPTIONS transaction, regardless of this option +# setting. +# +# For example, +# # suspend service usage after 10 failures in 5 seconds: +# icap_service_failure_limit 10 in 5 seconds #Default: # icap_service_failure_limit 10 # TAG: icap_service_revival_delay # Note: This option is only available if Squid is rebuilt with the -# --enable-icap-client option +# --enable-icap-client # # The delay specifies the number of seconds to wait after an ICAP # OPTIONS request failure before requesting the options again. The @@ -5007,7 +6665,7 @@ refresh_pattern . 0 20% 4320 # TAG: icap_preview_enable on|off # Note: This option is only available if Squid is rebuilt with the -# --enable-icap-client option +# --enable-icap-client # # The ICAP Preview feature allows the ICAP server to handle the # HTTP message by looking only at the beginning of the message body @@ -5027,17 +6685,36 @@ refresh_pattern . 0 20% 4320 # TAG: icap_preview_size # Note: This option is only available if Squid is rebuilt with the -# --enable-icap-client option +# --enable-icap-client # # The default size of preview data to be sent to the ICAP server. -# -1 means no preview. This value might be overwritten on a per server -# basis by OPTIONS requests. +# This value might be overwritten on a per server basis by OPTIONS requests. +#Default: +# No preview sent. + +# TAG: icap_206_enable on|off +# Note: This option is only available if Squid is rebuilt with the +# --enable-icap-client +# +# 206 (Partial Content) responses is an ICAP extension that allows the +# ICAP agents to optionally combine adapted and original HTTP message +# content. The decision to combine is postponed until the end of the +# ICAP response. Squid supports Partial Content extension by default. +# +# Activation of the Partial Content extension is negotiated with each +# ICAP service during OPTIONS exchange. Most ICAP servers should handle +# negotation correctly even if they do not support the extension, but +# some might fail. To disable Partial Content support for all ICAP +# services and to avoid any negotiation, set this option to "off". +# +# Example: +# icap_206_enable off #Default: -# icap_preview_size -1 +# icap_206_enable on # TAG: icap_default_options_ttl # Note: This option is only available if Squid is rebuilt with the -# --enable-icap-client option +# --enable-icap-client # # The default TTL value for ICAP OPTIONS responses that don't have # an Options-TTL header. @@ -5046,16 +6723,16 @@ refresh_pattern . 0 20% 4320 # TAG: icap_persistent_connections on|off # Note: This option is only available if Squid is rebuilt with the -# --enable-icap-client option +# --enable-icap-client # # Whether or not Squid should use persistent connections to # an ICAP server. #Default: # icap_persistent_connections on -# TAG: icap_send_client_ip on|off +# TAG: adaptation_send_client_ip on|off # Note: This option is only available if Squid is rebuilt with the -# --enable-icap-client option +# --enable-ecap or --enable-icap-client # # If enabled, Squid shares HTTP client IP information with adaptation # services. For ICAP, Squid adds the X-Client-IP header to ICAP requests. @@ -5063,30 +6740,32 @@ refresh_pattern . 0 20% 4320 # # See also: adaptation_uses_indirect_client #Default: -# icap_send_client_ip off +# adaptation_send_client_ip off -# TAG: icap_send_client_username on|off +# TAG: adaptation_send_username on|off # Note: This option is only available if Squid is rebuilt with the -# --enable-icap-client option +# --enable-ecap or --enable-icap-client # # This sends authenticated HTTP client username (if available) to -# the ICAP service. The username value is encoded based on the +# the adaptation service. +# +# For ICAP, the username value is encoded based on the # icap_client_username_encode option and is sent using the header # specified by the icap_client_username_header option. #Default: -# icap_send_client_username off +# adaptation_send_username off # TAG: icap_client_username_header # Note: This option is only available if Squid is rebuilt with the -# --enable-icap-client option +# --enable-icap-client # -# ICAP request header name to use for send_client_username. +# ICAP request header name to use for adaptation_send_username. #Default: # icap_client_username_header X-Client-Username # TAG: icap_client_username_encode on|off # Note: This option is only available if Squid is rebuilt with the -# --enable-icap-client option +# --enable-icap-client # # Whether to base64 encode the authenticated client username. #Default: @@ -5094,21 +6773,23 @@ refresh_pattern . 0 20% 4320 # TAG: icap_service # Note: This option is only available if Squid is rebuilt with the -# --enable-icap-client option +# --enable-icap-client # # Defines a single ICAP service using the following format: # -# icap_service service_name vectoring_point [options] service_url +# icap_service id vectoring_point uri [option ...] # -# service_name: ID -# an opaque identifier which must be unique in squid.conf +# id: ID +# an opaque identifier or name which is used to direct traffic to +# this specific service. Must be unique among all adaptation +# services in squid.conf. # # vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache # This specifies at which point of transaction processing the # ICAP service should be activated. *_postcache vectoring points # are not yet supported. # -# service_url: icap://servername:port/servicepath +# uri: icap://servername:port/servicepath # ICAP server and service location. # # ICAP does not allow a single service to handle both REQMOD and RESPMOD @@ -5117,6 +6798,8 @@ refresh_pattern . 0 20% 4320 # can even specify multiple identical services as long as their # service_names differ. # +# To activate a service, use the adaptation_access directive. To group +# services, use adaptation_service_chain and adaptation_service_set. # # Service options are separated by white space. ICAP services support # the following name=value options: @@ -5138,11 +6821,12 @@ refresh_pattern . 0 20% 4320 # returning a chain of services to be used next. The services # are specified using the X-Next-Services ICAP response header # value, formatted as a comma-separated list of service names. -# Each named service should be configured in squid.conf and -# should have the same method and vectoring point as the current -# ICAP transaction. Services violating these rules are ignored. -# An empty X-Next-Services value results in an empty plan which -# ends the current adaptation. +# Each named service should be configured in squid.conf. Other +# services are ignored. An empty X-Next-Services value results +# in an empty plan which ends the current adaptation. +# +# Dynamic adaptation plan may cross or cover multiple supported +# vectoring points in their natural processing order. # # Routing is not allowed by default: the ICAP X-Next-Services # response header is ignored. @@ -5152,18 +6836,38 @@ refresh_pattern . 0 20% 4320 # is to use IPv4-only connections. When set to 'on' this option will # make Squid use IPv6-only connections to contact this ICAP service. # +# on-overload=block|bypass|wait|force +# If the service Max-Connections limit has been reached, do +# one of the following for each new ICAP transaction: +# * block: send an HTTP error response to the client +# * bypass: ignore the "over-connected" ICAP service +# * wait: wait (in a FIFO queue) for an ICAP connection slot +# * force: proceed, ignoring the Max-Connections limit +# +# In SMP mode with N workers, each worker assumes the service +# connection limit is Max-Connections/N, even though not all +# workers may use a given service. +# +# The default value is "bypass" if service is bypassable, +# otherwise it is set to "wait". +# +# +# max-conn=number +# Use the given number as the Max-Connections limit, regardless +# of the Max-Connections value given by the service, if any. +# # Older icap_service format without optional named parameters is # deprecated but supported for backward compatibility. # #Example: -#icap_service svcBlocker reqmod_precache bypass=0 icap://icap1.mydomain.net:1344/reqmod -#icap_service svcLogger reqmod_precache routing=on icap://icap2.mydomain.net:1344/respmod +#icap_service svcBlocker reqmod_precache icap://icap1.mydomain.net:1344/reqmod bypass=0 +#icap_service svcLogger reqmod_precache icap://icap2.mydomain.net:1344/respmod routing=on #Default: # none # TAG: icap_class # Note: This option is only available if Squid is rebuilt with the -# --enable-icap-client option +# --enable-icap-client # # This deprecated option was documented to define an ICAP service # chain, even though it actually defined a set of similar, redundant @@ -5177,7 +6881,7 @@ refresh_pattern . 0 20% 4320 # TAG: icap_access # Note: This option is only available if Squid is rebuilt with the -# --enable-icap-client option +# --enable-icap-client # # This option is deprecated. Please use adaptation_access, which # has the same ICAP functionality, but comes with better @@ -5190,7 +6894,7 @@ refresh_pattern . 0 20% 4320 # TAG: ecap_enable on|off # Note: This option is only available if Squid is rebuilt with the -# --enable-ecap option +# --enable-ecap # # Controls whether eCAP support is enabled. #Default: @@ -5198,29 +6902,62 @@ refresh_pattern . 0 20% 4320 # TAG: ecap_service # Note: This option is only available if Squid is rebuilt with the -# --enable-ecap option +# --enable-ecap # # Defines a single eCAP service # -# ecap_service servicename vectoring_point bypass service_url +# ecap_service id vectoring_point uri [option ...] +# +# id: ID +# an opaque identifier or name which is used to direct traffic to +# this specific service. Must be unique among all adaptation +# services in squid.conf. # -# vectoring_point = reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache +# vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache # This specifies at which point of transaction processing the # eCAP service should be activated. *_postcache vectoring points # are not yet supported. -# bypass = 1|0 -# If set to 1, the eCAP service is treated as optional. If the -# service cannot be reached or malfunctions, Squid will try to -# ignore any errors and process the message as if the service +# +# uri: ecap://vendor/service_name?custom&cgi=style¶meters=optional +# Squid uses the eCAP service URI to match this configuration +# line with one of the dynamically loaded services. Each loaded +# eCAP service must have a unique URI. Obtain the right URI from +# the service provider. +# +# To activate a service, use the adaptation_access directive. To group +# services, use adaptation_service_chain and adaptation_service_set. +# +# Service options are separated by white space. eCAP services support +# the following name=value options: +# +# bypass=on|off|1|0 +# If set to 'on' or '1', the eCAP service is treated as optional. +# If the service cannot be reached or malfunctions, Squid will try +# to ignore any errors and process the message as if the service # was not enabled. No all eCAP errors can be bypassed. -# If set to 0, the eCAP service is treated as essential and all -# eCAP errors will result in an error page returned to the +# If set to 'off' or '0', the eCAP service is treated as essential +# and all eCAP errors will result in an error page returned to the # HTTP client. -# service_url = ecap://vendor/service_name?custom&cgi=style¶meters=optional +# +# Bypass is off by default: services are treated as essential. +# +# routing=on|off|1|0 +# If set to 'on' or '1', the eCAP service is allowed to +# dynamically change the current message adaptation plan by +# returning a chain of services to be used next. +# +# Dynamic adaptation plan may cross or cover multiple supported +# vectoring points in their natural processing order. +# +# Routing is not allowed by default. +# +# Older ecap_service format without optional named parameters is +# deprecated but supported for backward compatibility. +# # #Example: -#ecap_service service_1 reqmod_precache 0 ecap://filters-R-us/leakDetector?on_error=block -#ecap_service service_2 respmod_precache 1 icap://filters-R-us/virusFilter?config=/etc/vf.cfg +#ecap_service s1 reqmod_precache ecap://filters.R.us/leakDetector?on_error=block bypass=off +#ecap_service s2 respmod_precache ecap://filters.R.us/virusFilter config=/etc/vf.cfg bypass=on #Default: # none @@ -5237,7 +6974,7 @@ refresh_pattern . 0 20% 4320 # TAG: adaptation_service_set # Note: This option is only available if Squid is rebuilt with the -# --enable-ecap or --enable-icap-client option +# --enable-ecap or --enable-icap-client # # # Configures an ordered set of similar, redundant services. This is @@ -5279,7 +7016,7 @@ refresh_pattern . 0 20% 4320 # TAG: adaptation_service_chain # Note: This option is only available if Squid is rebuilt with the -# --enable-ecap or --enable-icap-client option +# --enable-ecap or --enable-icap-client # # # Configures a list of complementary services that will be applied @@ -5317,7 +7054,7 @@ refresh_pattern . 0 20% 4320 # TAG: adaptation_access # Note: This option is only available if Squid is rebuilt with the -# --enable-ecap or --enable-icap-client option +# --enable-ecap or --enable-icap-client # # Sends an HTTP transaction to an ICAP or eCAP adaptation service. # @@ -5351,11 +7088,11 @@ refresh_pattern . 0 20% 4320 #Example: #adaptation_access service_1 allow all #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: adaptation_service_iteration_limit # Note: This option is only available if Squid is rebuilt with the -# --enable-ecap or --enable-icap-client option +# --enable-ecap or --enable-icap-client # # Limits the number of iterations allowed when applying adaptation # services to a message. If your longest adaptation set or chain @@ -5372,7 +7109,7 @@ refresh_pattern . 0 20% 4320 # TAG: adaptation_masterx_shared_names # Note: This option is only available if Squid is rebuilt with the -# --enable-ecap or --enable-icap-client option +# --enable-ecap or --enable-icap-client # # For each master transaction (i.e., the HTTP request and response # sequence, including all related ICAP and eCAP exchanges), Squid @@ -5385,8 +7122,14 @@ refresh_pattern . 0 20% 4320 # # An ICAP REQMOD or RESPMOD transaction may set an entry in the # shared table by returning an ICAP header field with a name -# specified in adaptation_masterx_shared_names. Squid will store -# and forward that ICAP header field to subsequent ICAP +# specified in adaptation_masterx_shared_names. +# +# An eCAP REQMOD or RESPMOD transaction may set an entry in the +# shared table by implementing the libecap::visitEachOption() API +# to provide an option with a name specified in +# adaptation_masterx_shared_names. +# +# Squid will store and forward the set entry to subsequent adaptation # transactions within the same master transaction scope. # # Only one shared entry name is supported at this time. @@ -5397,9 +7140,49 @@ refresh_pattern . 0 20% 4320 #Default: # none +# TAG: adaptation_meta +# Note: This option is only available if Squid is rebuilt with the +# --enable-ecap or --enable-icap-client +# +# This option allows Squid administrator to add custom ICAP request +# headers or eCAP options to Squid ICAP requests or eCAP transactions. +# Use it to pass custom authentication tokens and other +# transaction-state related meta information to an ICAP/eCAP service. +# +# The addition of a meta header is ACL-driven: +# adaptation_meta name value [!]aclname ... +# +# Processing for a given header name stops after the first ACL list match. +# Thus, it is impossible to add two headers with the same name. If no ACL +# lists match for a given header name, no such header is added. For +# example: +# +# # do not debug transactions except for those that need debugging +# adaptation_meta X-Debug 1 needs_debugging +# +# # log all transactions except for those that must remain secret +# adaptation_meta X-Log 1 !keep_secret +# +# # mark transactions from users in the "G 1" group +# adaptation_meta X-Authenticated-Groups "G 1" authed_as_G1 +# +# The "value" parameter may be a regular squid.conf token or a "double +# quoted string". Within the quoted string, use backslash (\) to escape +# any character, which is currently only useful for escaping backslashes +# and double quotes. For example, +# "this string has one backslash (\\) and two \"quotes\"" +# +# Used adaptation_meta header values may be logged via %note +# logformat code. If multiple adaptation_meta headers with the same name +# are used during master transaction lifetime, the header values are +# logged in the order they were used and duplicate values are ignored +# (only the first repeated value will be logged). +#Default: +# none + # TAG: icap_retry # Note: This option is only available if Squid is rebuilt with the -# --enable-icap-client option +# --enable-icap-client # # This ACL determines which retriable ICAP transactions are # retried. Transactions that received a complete ICAP response @@ -5417,10 +7200,9 @@ refresh_pattern . 0 20% 4320 # TAG: icap_retry_limit # Note: This option is only available if Squid is rebuilt with the -# --enable-icap-client option +# --enable-icap-client # -# Limits the number of retries allowed. When set to zero (default), -# no retries are allowed. +# Limits the number of retries allowed. # # Communication errors due to persistent connection race # conditions are unavoidable, automatically retried, and do not @@ -5428,7 +7210,7 @@ refresh_pattern . 0 20% 4320 # # See also: icap_retry #Default: -# icap_retry_limit 0 +# No retries are allowed. # DNS OPTIONS # ----------------------------------------------------------------------------- @@ -5450,7 +7232,7 @@ refresh_pattern . 0 20% 4320 # TAG: cache_dns_program # Note: This option is only available if Squid is rebuilt with the -# --disable-internal-dns option +# --disable-internal-dns # # Specify the location of the executable for dnslookup process. #Default: @@ -5458,21 +7240,38 @@ refresh_pattern . 0 20% 4320 # TAG: dns_children # Note: This option is only available if Squid is rebuilt with the -# --disable-internal-dns option -# -# The number of processes spawn to service DNS name lookups. -# For heavily loaded caches on large servers, you should -# probably increase this value to at least 10. The maximum -# is 32. The default is 5. +# --disable-internal-dns # -# You must have at least one dnsserver process. +# The maximum number of processes spawn to service DNS name lookups. +# If you limit it too few Squid will have to wait for them to process +# a backlog of requests, slowing it down. If you allow too many they +# will use RAM and other system resources noticably. +# The maximum this may be safely set to is 32. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup= +# +# Sets a minimum of how many processes are to be spawned when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few will cause an initial slowdown in traffic as Squid +# attempts to simultaneously spawn enough processes to cope. +# +# idle= +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. #Default: -# dns_children 5 +# dns_children 32 startup=1 idle=1 # TAG: dns_retransmit_interval # Initial retransmit interval for DNS queries. The interval is # doubled each time all configured DNS servers have been tried. -# #Default: # dns_retransmit_interval 5 seconds @@ -5481,7 +7280,31 @@ refresh_pattern . 0 20% 4320 # within this time all DNS servers for the queried domain # are assumed to be unavailable. #Default: -# dns_timeout 2 minutes +# dns_timeout 30 seconds + +# TAG: dns_packet_max +# Maximum number of bytes packet size to advertise via EDNS. +# Set to "none" to disable EDNS large packet support. +# +# For legacy reasons DNS UDP replies will default to 512 bytes which +# is too small for many responses. EDNS provides a means for Squid to +# negotiate receiving larger responses back immediately without having +# to failover with repeat requests. Responses larger than this limit +# will retain the old behaviour of failover to TCP DNS. +# +# Squid has no real fixed limit internally, but allowing packet sizes +# over 1500 bytes requires network jumbogram support and is usually not +# necessary. +# +# WARNING: The RFC also indicates that some older resolvers will reply +# with failure of the whole request if the extension is added. Some +# resolvers have already been identified which will reply with mangled +# EDNS response on occasion. Usually in response to many-KB jumbogram +# sizes being advertised by Squid. +# Squid will currently treat these both as an unable-to-resolve domain +# even if it would be resolvable without EDNS. +#Default: +# EDNS disabled # TAG: dns_defnames on|off # Normally the RES_DEFNAMES resolver option is disabled @@ -5489,12 +7312,21 @@ refresh_pattern . 0 20% 4320 # from interpreting single-component hostnames locally. To allow # Squid to handle single-component names, enable this option. #Default: -# dns_defnames off +# Search for single-label domain names is disabled. + +# TAG: dns_multicast_local on|off +# When set to on, Squid sends multicast DNS lookups on the local +# network for domains ending in .local and .arpa. +# This enables local servers and devices to be contacted in an +# ad-hoc or zero-configuration network environment. +#Default: +# Search for .local and .arpa names is disabled. # TAG: dns_nameservers # Use this if you want to specify a list of DNS name servers # (IP addresses) to use instead of those given in your # /etc/resolv.conf file. +# # On Windows platforms, if no value is specified here or in # the /etc/resolv.conf file, the list of DNS name servers are # taken from the Windows registry, both static and dynamic DHCP @@ -5502,7 +7334,7 @@ refresh_pattern . 0 20% 4320 # # Example: dns_nameservers 10.0.0.1 192.172.0.4 #Default: -# none +# Use operating system definitions # TAG: hosts_file # Location of the host-local IP name-address associations @@ -5541,7 +7373,7 @@ refresh_pattern . 0 20% 4320 #Example: # append_domain .yourdomain.com #Default: -# none +# Use operating system definitions # TAG: ignore_unknown_nameservers # By default Squid checks that DNS responses are received @@ -5552,23 +7384,6 @@ refresh_pattern . 0 20% 4320 #Default: # ignore_unknown_nameservers on -# TAG: dns_v4_fallback -# Standard practice with DNS is to lookup either A or AAAA records -# and use the results if it succeeds. Only looking up the other if -# the first attempt fails or otherwise produces no results. -# -# That policy however will cause squid to produce error pages for some -# servers that advertise AAAA but are unreachable over IPv6. -# -# If this is ON squid will always lookup both AAAA and A, using both. -# If this is OFF squid will lookup AAAA and only try A if none found. -# -# WARNING: There are some possibly unwanted side-effects with this on: -# *) Doubles the load placed by squid on the DNS network. -# *) May negatively impact connection delay times. -#Default: -# dns_v4_fallback on - # TAG: dns_v4_first # With the IPv6 Internet being as fast or faster than IPv4 Internet # for most networks Squid prefers to contact websites over IPv6. @@ -5585,6 +7400,7 @@ refresh_pattern . 0 20% 4320 # dns_v4_first off # TAG: ipcache_size (number of entries) +# Maximum number of DNS IP cache entries. #Default: # ipcache_size 1024 @@ -5605,6 +7421,31 @@ refresh_pattern . 0 20% 4320 # MISCELLANEOUS # ----------------------------------------------------------------------------- +# TAG: configuration_includes_quoted_values on|off +# Previous Squid versions have defined "quoted/string" as syntax for +# ACL to signifiy the value is an included file containing values and +# has treated the " characters in other places of the configuration file +# as part of the parameter value it was used for. +# +# For compatibility with existing installations that behaviour +# remains the default. +# +# If this directive is set to 'on', Squid will start parsing each +# "quoted string" as a single configuration directive parameter. The +# quotes are stripped before the parameter value is interpreted or use. +# +# That will continue for all lines until this directive is set to 'off', +# where Squid will return to the default configuration parsing. +# +# For example; +# +# configuration_includes_quoted_values on +# acl group external groupCheck Administrators "Internet Users" Guest +# configuration_includes_quoted_values off +# +#Default: +# configuration_includes_quoted_values off + # TAG: memory_pools on|off # If set, Squid will keep pools of allocated (but unused) memory # available for future use. If memory is a premium on your @@ -5655,7 +7496,7 @@ refresh_pattern . 0 20% 4320 # X-Forwarded-For header. # # If set to "truncate", Squid will remove all existing -# X-Forwarded-For entries, and place itself as the sole entry. +# X-Forwarded-For entries, and place the client IP as the sole entry. #Default: # forwarded_for on @@ -5718,7 +7559,7 @@ refresh_pattern . 0 20% 4320 # cachemgr_passwd lesssssssecret info stats/objects # cachemgr_passwd disable all #Default: -# none +# No password. Actions which require password are denied. # TAG: client_db on|off # If you want to disable collecting per-client statistics, @@ -5749,19 +7590,22 @@ refresh_pattern . 0 20% 4320 #Default: # reload_into_ims off -# TAG: maximum_single_addr_tries -# This sets the maximum number of connection attempts for a -# host that only has one address (for multiple-address hosts, -# each address is tried once). +# TAG: connect_retries +# This sets the maximum number of connection attempts made for each +# TCP connection. The connect_retries attempts must all still +# complete within the connection timeout period. +# +# The default is not to re-try if the first connection attempt fails. +# The (not recommended) maximum is 10 tries. # -# The default value is one attempt, the (not recommended) -# maximum is 255 tries. A warning message will be generated -# if it is set to a value greater than ten. +# A warning message will be generated if it is set to a too-high +# value and the configured value will be over-ridden. # -# Note: This is in addition to the request re-forwarding which -# takes place if Squid fails to get a satisfying response. +# Note: These re-tries are in addition to forward_max_tries +# which limit how many different addresses may be tried to find +# a useful server. #Default: -# maximum_single_addr_tries 1 +# Do not retry failed connections. # TAG: retry_on_error # If set to ON Squid will automatically retry requests when @@ -5794,20 +7638,32 @@ refresh_pattern . 0 20% 4320 # URI. Options: # # strip: The whitespace characters are stripped out of the URL. -# This is the behavior recommended by RFC2396. +# This is the behavior recommended by RFC2396 and RFC3986 +# for tolerant handling of generic URI. +# NOTE: This is one difference between generic URI and HTTP URLs. +# # deny: The request is denied. The user receives an "Invalid # Request" message. +# This is the behaviour recommended by RFC2616 for safe +# handling of HTTP request URL. +# # allow: The request is allowed and the URI is not changed. The # whitespace characters remain in the URI. Note the # whitespace is passed to redirector processes if they # are in use. +# Note this may be considered a violation of RFC2616 +# request parsing where whitespace is prohibited in the +# URL field. +# # encode: The request is allowed and the whitespace characters are -# encoded according to RFC1738. This could be considered -# a violation of the HTTP/1.1 -# RFC because proxies are not allowed to rewrite URI's. +# encoded according to RFC1738. +# # chop: The request is allowed and the URI is chopped at the -# first whitespace. This might also be considered a -# violation. +# first whitespace. +# +# +# NOTE the current Squid implementation of encode and chop violates +# RFC2616 by not using a 301 redirect after altering the URL. #Default: # uri_whitespace strip @@ -5834,23 +7690,28 @@ refresh_pattern . 0 20% 4320 # balance_on_multiple_ip off # TAG: pipeline_prefetch -# To boost the performance of pipelined requests to closer -# match that of a non-proxied environment Squid can try to fetch -# up to two requests in parallel from a pipeline. -# -# Defaults to off for bandwidth management and access logging +# HTTP clients may send a pipeline of 1+N requests to Squid using a +# single connection, without waiting for Squid to respond to the first +# of those requests. This option limits the number of concurrent +# requests Squid will try to handle in parallel. If set to N, Squid +# will try to receive and process up to 1+N requests on the same +# connection concurrently. +# +# Defaults to 0 (off) for bandwidth management and access logging # reasons. # +# NOTE: pipelining requires persistent connections to clients. +# # WARNING: pipelining breaks NTLM and Negotiate/Kerberos authentication. #Default: -# pipeline_prefetch off +# Do not pre-parse pipelined requests. # TAG: high_response_time_warning (msec) # If the one-minute median response time exceeds this value, # Squid prints a WARNING with debug level 0 to get the # administrators attention. The value is in milliseconds. #Default: -# high_response_time_warning 0 +# disabled. # TAG: high_page_fault_warning # If the one-minute average page fault rate exceeds this @@ -5858,14 +7719,17 @@ refresh_pattern . 0 20% 4320 # the administrators attention. The value is in page faults # per second. #Default: -# high_page_fault_warning 0 +# disabled. # TAG: high_memory_warning +# Note: This option is only available if Squid is rebuilt with the +# GNU Malloc with mstats() +# # If the memory usage (as determined by mallinfo) exceeds # this amount, Squid prints a WARNING with debug level 0 to get # the administrators attention. #Default: -# high_memory_warning 0 KB +# disabled. # TAG: sleep_after_fork (microseconds) # When this is set to a non-zero value, the main Squid process @@ -5882,6 +7746,9 @@ refresh_pattern . 0 20% 4320 # sleep_after_fork 0 # TAG: windows_ipaddrchangemonitor on|off +# Note: This option is only available if Squid is rebuilt with the +# MS Windows +# # On Windows Squid by default will monitor IP address changes and will # reconfigure itself after any detected event. This is very useful for # proxies connected to internet with dial-up interfaces. @@ -5891,13 +7758,49 @@ refresh_pattern . 0 20% 4320 #Default: # windows_ipaddrchangemonitor on +# TAG: eui_lookup +# Whether to lookup the EUI or MAC address of a connected client. +#Default: +# eui_lookup on + # TAG: max_filedescriptors -# The maximum number of filedescriptors supported. +# Reduce the maximum number of filedescriptors supported below +# the usual operating system defaults. # -# The default "0" means Squid inherits the current ulimit setting. +# Remove from squid.conf to inherit the current ulimit setting. # # Note: Changing this requires a restart of Squid. Also -# not all comm loops supports large values. +# not all I/O types supports large values (eg on Windows). +#Default: +# Use operating system limits set by ulimit. + +# TAG: workers +# Number of main Squid processes or "workers" to fork and maintain. +# 0: "no daemon" mode, like running "squid -N ..." +# 1: "no SMP" mode, start one main Squid process daemon (default) +# N: start N main Squid process daemons (i.e., SMP mode) +# +# In SMP mode, each worker does nearly all what a single Squid daemon +# does (e.g., listen on http_port and forward HTTP requests). +#Default: +# SMP support disabled. + +# TAG: cpu_affinity_map +# Usage: cpu_affinity_map process_numbers=P1,P2,... cores=C1,C2,... +# +# Sets 1:1 mapping between Squid processes and CPU cores. For example, +# +# cpu_affinity_map process_numbers=1,2,3,4 cores=1,3,5,7 +# +# affects processes 1 through 4 only and places them on the first +# four even cores, starting with core #1. +# +# CPU cores are numbered starting from 1. Requires support for +# sched_getaffinity(2) and sched_setaffinity(2) system calls. +# +# Multiple cpu_affinity_map options are merged. +# +# See also: workers #Default: -# max_filedescriptors 0 +# Let operating system decide. diff --git a/network/squid/squid.info b/network/squid/squid.info index 89b5980335327..aa70ddd77e3cf 100644 --- a/network/squid/squid.info +++ b/network/squid/squid.info @@ -1,8 +1,8 @@ PRGNAM="squid" -VERSION="3.1.23" +VERSION="3.4.10" HOMEPAGE="http://www.squid-cache.org/" -DOWNLOAD="http://www.squid-cache.org/Versions/v3/3.1/squid-3.1.23.tar.bz2" -MD5SUM="e15fdb8c615cf1f9525be0a2b75c60a7" +DOWNLOAD="http://www.squid-cache.org/Versions/v3/3.4/squid-3.4.10.tar.bz2" +MD5SUM="326283b0c37e7dc9b2f90dc0ecd9a8a4" DOWNLOAD_x86_64="" MD5SUM_x86_64="" REQUIRES="" |