Diffstat (limited to 'network/squid/squid.conf.documented')
-rw-r--r--network/squid/squid.conf.documented339
1 files changed, 244 insertions, 95 deletions
diff --git a/network/squid/squid.conf.documented b/network/squid/squid.conf.documented
index 4dc84c53cc93e..3efcd48cda43f 100644
--- a/network/squid/squid.conf.documented
+++ b/network/squid/squid.conf.documented
@@ -1,21 +1,27 @@
-# WELCOME TO SQUID 3.1.12
+# WELCOME TO SQUID 3.1.20
# ----------------------------
-#
-# This is the default Squid configuration file. You may wish
-# to look at the Squid home page (http://www.squid-cache.org/)
-# for the FAQ and other documentation.
-#
-# The default Squid config file shows what the defaults for
-# various options happen to be. If you don't need to change the
-# default, you shouldn't uncomment the line. Doing so may cause
-# run-time problems. In some cases "none" refers to no default
-# setting at all, while in other cases it refers to a valid
-# option - the comments for that keyword indicate if this is the
-# case.
+#
+# This is the documentation for the Squid configuration file.
+# This documentation can also be found online at:
+# http://www.squid-cache.org/Doc/config/
+#
+# You may wish to look at the Squid home page and wiki for the
+# FAQ and other documentation:
+# http://www.squid-cache.org/
+# http://wiki.squid-cache.org/SquidFaq
+# http://wiki.squid-cache.org/ConfigExamples
+#
+# This documentation shows what the defaults for various directives
+# happen to be. If you don't need to change the default, you should
+# leave the line out of your squid.conf in most cases.
+#
+# In some cases "none" refers to no default setting at all,
+# while in other cases it refers to the value of the option
+# - the comments for that keyword indicate if this is the case.
#
# Configuration options can be included using the "include" directive.
-# Include takes a list of files to include. Quoting and wildcards is
+# Include takes a list of files to include. Quoting and wildcards are
# supported.
#
# For example,
@@ -38,6 +44,9 @@
# none
# TAG: incoming_rate
+#Default:
+# none
+
# TAG: server_http11
# Remove this line. HTTP/1.1 is supported by default.
#Default:
@@ -384,9 +393,8 @@
# cached entry should be initiated without needing to
# wait for a new reply. (default 0 for no grace period)
# protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers
-# ipv4 / ipv6 IP-mode used to communicate to this helper.
-# For compatability with older configurations and helpers
-# the default is currently 'ipv4'.
+# ipv4 / ipv6 IP protocol used to communicate with this helper.
+# The default is to auto-detect IPv6 and use it when available.
#
# FORMAT specifications
#
@@ -425,6 +433,9 @@
# list separator. ; can be any non-alphanumeric
# character.
#
+# %% The percent sign. Useful for helpers which need
+# an unchanging input format.
+#
# In addition to the above, any string specified in the referencing
# acl will also be included in the helper request line, after the
# specified formats (see the "acl external" directive)
@@ -474,8 +485,9 @@
#
# When using "file", the file should contain one item per line.
#
-# By default, regular expressions are CASE-SENSITIVE. To make
-# them case-insensitive, use the -i option.
+# By default, regular expressions are CASE-SENSITIVE.
+# To make them case-insensitive, use the -i option. To return case-sensitive
+# use the +i option between patterns, or make a new ACL line without -i.
#
# Some acl types require suspending the current request in order
# to access some external data source.
@@ -918,18 +930,23 @@ http_access deny all
# htcp_clr_access deny all
# TAG: miss_access
-# Use to force your neighbors to use you as a sibling instead of
-# a parent. For example:
+# Determins whether network access is permitted when satisfying a request.
+#
+# For example;
+# to force your neighbors to use you as a sibling instead of
+# a parent.
#
# acl localclients src 172.16.0.0/16
# miss_access allow localclients
# miss_access deny !localclients
#
-# This means only your local clients are allowed to fetch
-# MISSES and all other clients can only fetch HITS.
+# This means only your local clients are allowed to fetch relayed/MISS
+# replies from the network and all other clients can only fetch cached
+# objects (HITs).
+#
#
-# By default, allow all clients who passed the http_access rules
-# to fetch MISSES from us.
+# The default for this setting allows all clients who passed the
+# http_access rules to relay via this proxy.
#
# This clause only supports fast acl types.
# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
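Review bot: "Determins" in the first added line of the miss_access text is a typo for "Determines". The "For example;" lead-in is followed by a sentence fragment, so the example no longer says what the three rules achieve until the paragraph after them. Suggested wording: `# Determines whether network access is permitted when satisfying a request.` and `# For example, to force your neighbors to use you as a sibling instead of a parent:`. The added doubled empty `#` line before the default paragraph can go as well.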
@@ -1046,14 +1063,16 @@ http_access deny all
# accelerators should consider the default.
# Implies accel.
#
-# vhost Accelerator mode using Host header for virtual
-# domain support. Implies accel.
+# vhost Accelerator mode using Host header for virtual domain support.
+# Also uses the port as specified in Host: header unless
+# overridden by the vport option. Implies accel.
#
-# vport Accelerator with IP based virtual host support.
-# Implies accel.
+# vport Virtual host port support. Using the http_port number
+# instead of the port passed on Host: headers. Implies accel.
#
-# vport=NN As above, but uses specified port number rather
-# than the http_port number. Implies accel.
+# vport=NN Virtual host port support. Using the specified port
+# number instead of the port passed on Host: headers.
+# Implies accel.
#
# protocol= Protocol to reconstruct accelerated requests with.
# Defaults to http.
@@ -1165,6 +1184,10 @@ http_port 3128
# 4 TLSv1 only
#
# cipher= Colon separated list of supported ciphers.
+# NOTE: some ciphers such as EDH ciphers depend on
+# additional settings. If those settings are
+# omitted the ciphers may be silently ignored
+# by the OpenSSL library.
#
# options= Various SSL engine options. The most important
# being:
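Review bot: The NOTE added under cipher= says EDH ciphers depend on "additional settings" without naming them, so someone tightening the cipher list cannot tell what else to configure. The dhparams= entry changed later in this commit states that EDH ciphers are silently disabled when it is unset, so this note should point there, for example `# NOTE: EDH ciphers require dhparams= (see below); without it they` followed by `# are silently ignored by the OpenSSL library.`. Because the failure is silent, a short reminder to check which cipher is actually negotiated after changing the list would be useful.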
@@ -1173,8 +1196,8 @@ http_port 3128
# NO_TLSv1 Disallow the use of TLSv1
# SINGLE_DH_USE Always create a new key when using
# temporary/ephemeral DH key exchanges
-# See src/ssl_support.c or OpenSSL SSL_CTX_set_options
-# documentation for a complete list of options.
+# See OpenSSL SSL_CTX_set_options documentation for a
+# complete list of options.
#
# clientca= File containing the list of CAs to use when
# requesting a client certificate.
@@ -1191,7 +1214,10 @@ http_port 3128
# the capath. Implies VERIFY_CRL flag below.
#
# dhparams= File containing DH parameters for temporary/ephemeral
-# DH key exchanges.
+# DH key exchanges. See OpenSSL documentation for details
+# on how to create this file.
+# WARNING: EDH ciphers will be silently disabled if this
+# option is not set.
#
# sslflags= Various flags modifying the use of SSL:
# DELAYED_AUTH
@@ -1213,6 +1239,25 @@ http_port 3128
#
# sslcontext= SSL session ID context identifier.
#
+# generate-host-certificates[=<on|off>]
+# Dynamically create SSL server certificates for the
+# destination hosts of bumped CONNECT requests.When
+# enabled, the cert and key options are used to sign
+# generated certificates. Otherwise generated
+# certificate will be selfsigned.
+# If there is CA certificate life time of generated
+# certificate equals lifetime of CA certificate. If
+# generated certificate is selfsigned lifetime is three
+# years.
+# This option is enabled by default when SslBump is used.
+# See the sslBump option above for more information.
+#
+# dynamic_cert_mem_cache_size=SIZE
+# Approximate total RAM size spent on cached generated
+# certificates. If set to zero, caching is disabled. The
+# default value is 4MB. An average XXX-bit certificate
+# consumes about XXX bytes of RAM.
+#
# vport Accelerator with IP based virtual host support.
#
# vport=NN As above, but uses specified port number rather
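Review bot: The dynamic_cert_mem_cache_size text ships with unfilled placeholders ("An average XXX-bit certificate consumes about XXX bytes of RAM"), so the sizing guidance is unusable; either give measured figures or drop the sentence. In generate-host-certificates, "requests.When" is missing a space and the lifetime sentence is hard to parse; `# When a CA certificate is configured, generated certificates share its lifetime.` would read more clearly. The entry says cert= and key= sign every generated certificate, so it should also state that this key acts as a signing CA key and that its file should be readable only by the Squid user. The cross-reference "See the sslBump option above" uses the old spelling, while another hunk in this commit renames it to ssl-bump.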
@@ -1482,9 +1527,9 @@ http_port 3128
#
# By default, no requests are bumped.
#
-# See also: http_port sslBump
+# See also: http_port ssl-bump
#
-# This clause only supports fast acl types.
+# This clause supports both fast and slow acl types.
# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#
#
@@ -1556,6 +1601,31 @@ http_port 3128
#Default:
# none
+#OPTIONS RELATING TO EXTERNAL SSL_CRTD
+#-----------------------------------------------------------------------------
+
+# TAG: sslcrtd_program
+# Note: This option is only available if Squid is rebuilt with the
+# -DUSE_SSL_CRTD define
+#
+# Specify the location and options of the executable for ssl_crtd process.
+# /usr/libexec/ssl_crtd program requires -s and -M parameters
+# For more information use:
+# /usr/libexec/ssl_crtd -h
+#Default:
+# sslcrtd_program /usr/libexec/ssl_crtd -s /var/log/squid/lib/ssl_db -M 4MB
+
+# TAG: sslcrtd_children
+# Note: This option is only available if Squid is rebuilt with the
+# -DUSE_SSL_CRTD define
+#
+# The maximum number of processes spawn to service ssl server.
+# The maximum this may be safely set to is 32.
+#
+# You must have at least one ssl_crtd process.
+#Default:
+# sslcrtd_children 5
+
# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
# -----------------------------------------------------------------------------
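Review bot: The documented sslcrtd_program default places the certificate database under the log tree (`-s /var/log/squid/lib/ssl_db`), presumably because of how this package maps Squid's state directory. Log directories are commonly rotated, cleaned up and made readable to log-collection accounts, so this entry should at least tell the admin to use a dedicated directory owned by the Squid user, e.g. `# The -s directory should be writable only by the Squid user.`. The sslcrtd_children description is also garbled; `# The maximum number of ssl_crtd processes to spawn.` says what is meant. The reason 32 is the safe upper limit is not given.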
@@ -1572,7 +1642,7 @@ http_port 3128
# cache_peer parent.foo.net parent 3128 3130 default
# cache_peer sib1.foo.net sibling 3128 3130 proxy-only
# cache_peer sib2.foo.net sibling 3128 3130 proxy-only
-# cache_peer example.com parent 80 0 no-query default
+# cache_peer example.com parent 80 0 default
# cache_peer cdn.example.com sibling 3128 0
#
# type: either 'parent', 'sibling', or 'multicast'.
@@ -1667,7 +1737,7 @@ http_port 3128
# multicast-siblings
# To be used only for cache peers of type "multicast".
# ALL members of this multicast group have "sibling"
-# relationship with it, not "parent". This is to a mulicast
+# relationship with it, not "parent". This is to a multicast
# group when the requested object would be fetched only from
# a "parent" cache, anyway. It's useful, e.g., when
# configuring a pool of redundant Squid proxies, being
@@ -1959,11 +2029,13 @@ http_port 3128
# be handled directly by this cache. In other words, use this
# to not query neighbor caches for certain objects. You may
# list this option multiple times.
-# Note: never_direct overrides this option.
#
-
-# We recommend you to use at least the following line.
-hierarchy_stoplist cgi-bin ?
+# Example:
+# hierarchy_stoplist cgi-bin ?
+#
+# Note: never_direct overrides this option.
+#Default:
+# none
# MEMORY CACHE OPTIONS
# -----------------------------------------------------------------------------
@@ -2201,6 +2273,9 @@ hierarchy_stoplist cgi-bin ?
# maximum_object_size 4096 KB
# TAG: cache_swap_low (percent, 0-100)
+#Default:
+# cache_swap_low 90
+
# TAG: cache_swap_high (percent, 0-100)
#
# The low- and high-water marks for cache object replacement.
@@ -2214,7 +2289,6 @@ hierarchy_stoplist cgi-bin ?
# hundreds of MB. If this is the case you may wish to set these
# numbers closer together.
#Default:
-# cache_swap_low 90
# cache_swap_high 95
# LOGFILE OPTIONS
@@ -2256,6 +2330,8 @@ hierarchy_stoplist cgi-bin ?
# <A Server IP address or peer name
# la Local IP address (http_port)
# lp Local port number (http_port)
+# <la Local IP address of the last server or peer connection
+# <lp Local port number of the last server or peer connection
# ts Seconds since epoch
# tu subsecond time (milliseconds)
# tl Local time. Optional strftime format argument
@@ -2363,6 +2439,7 @@ hierarchy_stoplist cgi-bin ?
# Will log to the specified file using the specified format (which
# must be defined in a logformat directive) those entries which match
# ALL the acl's specified (which must be defined in acl clauses).
+#
# If no acl is specified, all requests will be logged to this file.
#
# To disable logging of a request use the filepath "none", in which case
@@ -2840,10 +2917,10 @@ coredump_dir /var/log/squid/cache
# -----------------------------------------------------------------------------
# TAG: url_rewrite_program
-# Specify the location of the executable for the URL rewriter.
+# Specify the location of the executable URL rewriter to use.
# Since they can perform almost any function there isn't one included.
#
-# For each requested URL rewriter will receive on line with the format
+# For each requested URL, the rewriter will receive on line with the format
#
# URL <SP> client_ip "/" fqdn <SP> user <SP> method [<SP> kvpairs]<NL>
#
@@ -2857,7 +2934,7 @@ coredump_dir /var/log/squid/cache
#
# The rewriter can also indicate that a client-side redirect should
# be performed to the new URL. This is done by prefixing the returned
-# URL with "301:" (moved permanently) or 302: (moved temporarily).
+# URL with "301:" (moved permanently) or 302: (moved temporarily), etc.
#
# By default, a URL rewriter is not used.
#Default:
@@ -3046,7 +3123,13 @@ refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# TAG: quick_abort_min (KB)
+#Default:
+# quick_abort_min 16 KB
+
# TAG: quick_abort_max (KB)
+#Default:
+# quick_abort_max 16 KB
+
# TAG: quick_abort_pct (percent)
# The cache by default continues downloading aborted requests
# which are almost completed (less than 16 KB remaining). This
@@ -3075,8 +3158,6 @@ refresh_pattern . 0 20% 4320
# If you want retrievals to always continue if they are being
# cached set 'quick_abort_min' to '-1 KB'.
#Default:
-# quick_abort_min 16 KB
-# quick_abort_max 16 KB
# quick_abort_pct 95
# TAG: read_ahead_gap buffer-size
@@ -3252,10 +3333,10 @@ refresh_pattern . 0 20% 4320
# Note: This option is only available if Squid is rebuilt with the
# --enable-follow-x-forwarded-for and --enable-icap-client option
#
-# Controls whether the indirect client address
-# (see follow_x_forwarded_for) instead of the
-# direct client address is passed to an ICAP
-# server as "X-Client-IP".
+# Controls whether the indirect client IP address (instead of the direct
+# client IP address) is passed to adaptation services.
+#
+# See also: follow_x_forwarded_for adaptation_send_client_ip
#Default:
# icap_uses_indirect_client on
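Review bot: The new "See also" line names adaptation_send_client_ip, yet the default printed directly below is still `icap_uses_indirect_client on`; the hunk at @@ -4937,7 +5057,11 @@ has the mirror-image problem, pointing to adaptation_uses_indirect_client while printing `icap_send_client_ip off`. If this release only accepts the icap_* spellings, the cross-references send readers to directives they cannot find in this file, and they should use the names on the TAG lines. The TAG lines are outside both hunks, so this needs checking against the full file. The text should also keep a hint that the indirect address is derived from follow_x_forwarded_for, so it is only as trustworthy as the ACL that decides whose X-Forwarded-For header is followed.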
@@ -3537,7 +3618,7 @@ refresh_pattern . 0 20% 4320
# read_timeout 15 minutes
# TAG: request_timeout
-# How long to wait for an HTTP request after initial
+# How long to wait for complete HTTP request headers after initial
# connection establishment.
#Default:
# request_timeout 5 minutes
@@ -3730,7 +3811,13 @@ refresh_pattern . 0 20% 4320
# announce_period 0
# TAG: announce_host
+#Default:
+# announce_host tracker.ircache.net
+
# TAG: announce_file
+#Default:
+# none
+
# TAG: announce_port
# announce_host and announce_port set the hostname and port
# number where the registration message will be sent.
@@ -3740,7 +3827,6 @@ refresh_pattern . 0 20% 4320
# the contents of that file will be included in the announce
# message.
#Default:
-# announce_host tracker.ircache.net
# announce_port 3131
# HTTPD-ACCELERATOR OPTIONS
@@ -3829,6 +3915,11 @@ refresh_pattern . 0 20% 4320
# class 5 Requests are grouped according their tag (see
# external_acl's tag= reply).
#
+#
+# Each pool also requires a delay_parameters directive to configure the pool size
+# and speed limits used whenever the pool is applied to a request. Along with
+# a set of delay_access directives to determine when it is used.
+#
# NOTE: If an IP address is a.b.c.d
# -> bits 25 through 32 are "d"
# -> bits 17 through 24 are "c"
@@ -3868,45 +3959,47 @@ refresh_pattern . 0 20% 4320
#
# This defines the parameters for a delay pool. Each delay pool has
# a number of "buckets" associated with it, as explained in the
-# description of delay_class. For a class 1 delay pool, the syntax is:
+# description of delay_class.
#
-#delay_parameters pool aggregate
+# For a class 1 delay pool, the syntax is:
+# delay_pools pool 1
+# delay_parameters pool aggregate
#
# For a class 2 delay pool:
-#
-#delay_parameters pool aggregate individual
+# delay_pools pool 2
+# delay_parameters pool aggregate individual
#
# For a class 3 delay pool:
-#
-#delay_parameters pool aggregate network individual
+# delay_pools pool 3
+# delay_parameters pool aggregate network individual
#
# For a class 4 delay pool:
-#
-#delay_parameters pool aggregate network individual user
+# delay_pools pool 4
+# delay_parameters pool aggregate network individual user
#
# For a class 5 delay pool:
+# delay_pools pool 5
+# delay_parameters pool tagrate
#
-#delay_parameters pool tag
-#
-# The variables here are:
+# The option variables are:
#
# pool a pool number - ie, a number between 1 and the
# number specified in delay_pools as used in
# delay_class lines.
#
-# aggregate the "delay parameters" for the aggregate bucket
+# aggregate the speed limit parameters for the aggregate bucket
# (class 1, 2, 3).
#
-# individual the "delay parameters" for the individual
+# individual the speed limit parameters for the individual
# buckets (class 2, 3).
#
-# network the "delay parameters" for the network buckets
+# network the speed limit parameters for the network buckets
# (class 3).
#
-# user the delay parameters for the user buckets
+# user the speed limit parameters for the user buckets
# (class 4).
#
-# tag the delay parameters for the tag buckets
+# tagrate the speed limit parameters for the tag buckets
# (class 5).
#
# A pair of delay parameters is written restore/maximum, where restore is
@@ -3914,30 +4007,39 @@ refresh_pattern . 0 20% 4320
# quoted in bits) per second placed into the bucket, and maximum is the
# maximum number of bytes which can be in the bucket at any time.
#
+# There must be one delay_parameters line for each delay pool.
+#
+#
# For example, if delay pool number 1 is a class 2 delay pool as in the
-# above example, and is being used to strictly limit each host to 64kbps
+# above example, and is being used to strictly limit each host to 64Kbit/sec
# (plus overheads), with no overall limit, the line is:
#
-#delay_parameters 1 -1/-1 8000/8000
+# delay_parameters 1 -1/-1 8000/8000
+#
+# Note that 8 x 8000 KByte/sec -> 64Kbit/sec.
#
# Note that the figure -1 is used to represent "unlimited".
#
+#
# And, if delay pool number 2 is a class 3 delay pool as in the above
-# example, and you want to limit it to a total of 256kbps (strict limit)
-# with each 8-bit network permitted 64kbps (strict limit) and each
-# individual host permitted 4800bps with a bucket maximum size of 64kb
+# example, and you want to limit it to a total of 256Kbit/sec (strict limit)
+# with each 8-bit network permitted 64Kbit/sec (strict limit) and each
+# individual host permitted 4800bit/sec with a bucket maximum size of 64Kbits
# to permit a decent web page to be downloaded at a decent speed
# (if the network is not being limited due to overuse) but slow down
# large downloads more significantly:
#
-#delay_parameters 2 32000/32000 8000/8000 600/8000
+# delay_parameters 2 32000/32000 8000/8000 600/8000
+#
+# Note that 8 x 32000 KByte/sec -> 256Kbit/sec.
+# 8 x 8000 KByte/sec -> 64Kbit/sec.
+# 8 x 600 Byte/sec -> 4800bit/sec.
#
-# There must be one delay_parameters line for each delay pool.
#
# Finally, for a class 4 delay pool as in the example - each user will
-# be limited to 128Kb no matter how many workstations they are logged into.:
+# be limited to 128Kbits/sec no matter how many workstations they are logged into.:
#
-#delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000
+# delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000
#Default:
# none
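Review bot: The added conversion notes use the wrong unit: `8 x 8000 KByte/sec -> 64Kbit/sec` and the 32000 and 8000 lines in the class 3 example should read Byte/sec, as the `8 x 600 Byte/sec -> 4800bit/sec` line already does. As written the arithmetic is off by a factor of 1000, which will mislead anyone deriving their own limits from these examples. Suggested first line: `# Note that 8 x 8000 Byte/sec -> 64Kbit/sec.`, with the same correction on the two class 3 lines.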
@@ -4102,13 +4204,15 @@ refresh_pattern . 0 20% 4320
# wccp2_weight 10000
# TAG: wccp_address
+#Default:
+# wccp_address 0.0.0.0
+
# TAG: wccp2_address
# Use this option if you require WCCP to use a specific
# interface address.
#
# The default behavior is to not bind to any specific address.
#Default:
-# wccp_address 0.0.0.0
# wccp2_address 0.0.0.0
# PERSISTENT CONNECTION HANDLING
@@ -4117,13 +4221,15 @@ refresh_pattern . 0 20% 4320
# Also see "pconn_timeout" in the TIMEOUTS section
# TAG: client_persistent_connections
+#Default:
+# client_persistent_connections on
+
# TAG: server_persistent_connections
# Persistent connection support for clients and servers. By
# default, Squid uses persistent connections (when allowed)
# with its clients and servers. You can use these options to
# disable persistent connections with clients and/or servers.
#Default:
-# client_persistent_connections on
# server_persistent_connections on
# TAG: persistent_connection_after_error
@@ -4235,6 +4341,9 @@ refresh_pattern . 0 20% 4320
# snmp_access deny all
# TAG: snmp_incoming_address
+#Default:
+# snmp_incoming_address any_addr
+
# TAG: snmp_outgoing_address
# Just like 'udp_incoming_address', but for the SNMP port.
#
@@ -4254,7 +4363,6 @@ refresh_pattern . 0 20% 4320
# NOTE, snmp_incoming_address and snmp_outgoing_address can not have
# the same value since they both use port 3401.
#Default:
-# snmp_incoming_address any_addr
# snmp_outgoing_address no_addr
# ICP OPTIONS
@@ -4351,13 +4459,15 @@ refresh_pattern . 0 20% 4320
# minimum_direct_rtt 400
# TAG: netdb_low
+#Default:
+# netdb_low 900
+
# TAG: netdb_high
# The low and high water marks for the ICMP measurement
# database. These are counts, not percents. The defaults are
# 900 and 1000. When the high water mark is reached, database
# entries will be deleted until the low mark is reached.
#Default:
-# netdb_low 900
# netdb_high 1000
# TAG: netdb_ping_period
@@ -4748,20 +4858,30 @@ refresh_pattern . 0 20% 4320
# -----------------------------------------------------------------------------
# TAG: incoming_icp_average
+#Default:
+# incoming_icp_average 6
+
# TAG: incoming_http_average
+#Default:
+# incoming_http_average 4
+
# TAG: incoming_dns_average
+#Default:
+# incoming_dns_average 4
+
# TAG: min_icp_poll_cnt
+#Default:
+# min_icp_poll_cnt 8
+
# TAG: min_dns_poll_cnt
+#Default:
+# min_dns_poll_cnt 8
+
# TAG: min_http_poll_cnt
# Heavy voodoo here. I can't even believe you are reading this.
# Are you crazy? Don't even think about adjusting these unless
# you understand the algorithms in comm_select.c first!
#Default:
-# incoming_icp_average 6
-# incoming_http_average 4
-# incoming_dns_average 4
-# min_icp_poll_cnt 8
-# min_dns_poll_cnt 8
# min_http_poll_cnt 8
# TAG: accept_filter
@@ -4937,7 +5057,11 @@ refresh_pattern . 0 20% 4320
# Note: This option is only available if Squid is rebuilt with the
# --enable-icap-client option
#
-# This adds the header "X-Client-IP" to ICAP requests.
+# If enabled, Squid shares HTTP client IP information with adaptation
+# services. For ICAP, Squid adds the X-Client-IP header to ICAP requests.
+# For eCAP, Squid sets the libecap::metaClientIp transaction option.
+#
+# See also: adaptation_uses_indirect_client
#Default:
# icap_send_client_ip off
@@ -5445,13 +5569,32 @@ refresh_pattern . 0 20% 4320
#Default:
# dns_v4_fallback on
+# TAG: dns_v4_first
+# With the IPv6 Internet being as fast or faster than IPv4 Internet
+# for most networks Squid prefers to contact websites over IPv6.
+#
+# This option reverses the order of preference to make Squid contact
+# dual-stack websites over IPv4 first. Squid will still perform both
+# IPv6 and IPv4 DNS lookups before connecting.
+#
+# WARNING:
+# This option will restrict the situations under which IPv6
+# connectivity is used (and tested). Hiding network problems
+# which would otherwise be detected and warned about.
+#Default:
+# dns_v4_first off
+
# TAG: ipcache_size (number of entries)
+#Default:
+# ipcache_size 1024
+
# TAG: ipcache_low (percent)
+#Default:
+# ipcache_low 90
+
# TAG: ipcache_high (percent)
# The size, low-, and high-water marks for the IP cache.
#Default:
-# ipcache_size 1024
-# ipcache_low 90
# ipcache_high 95
# TAG: fqdncache_size (number of entries)
@@ -5621,10 +5764,16 @@ refresh_pattern . 0 20% 4320
# maximum_single_addr_tries 1
# TAG: retry_on_error
-# If set to on Squid will automatically retry requests when
-# receiving an error response. This is mainly useful if you
-# are in a complex cache hierarchy to work around access
-# control errors.
+# If set to ON Squid will automatically retry requests when
+# receiving an error response with status 403 (Forbidden),
+# 500 (Internal Error), 501 or 503 (Service not available).
+# Status 502 and 504 (Gateway errors) are always retried.
+#
+# This is mainly useful if you are in a complex cache hierarchy to
+# work around access control errors.
+#
+# NOTE: This retry will attempt to find another working destination.
+# Which is different from the server which just failed.
#Default:
# retry_on_error off