Diffstat (limited to 'network/squid/squid.conf.documented')
-rw-r--r-- | network/squid/squid.conf.documented | 339 |
1 files changed, 244 insertions, 95 deletions
diff --git a/network/squid/squid.conf.documented b/network/squid/squid.conf.documented
index 4dc84c53cc93e..3efcd48cda43f 100644
--- a/network/squid/squid.conf.documented
+++ b/network/squid/squid.conf.documented
@@ -1,21 +1,27 @@
-# WELCOME TO SQUID 3.1.12
+# WELCOME TO SQUID 3.1.20
 # ----------------------------
-#
-# This is the default Squid configuration file. You may wish
-# to look at the Squid home page (http://www.squid-cache.org/)
-# for the FAQ and other documentation.
-#
-# The default Squid config file shows what the defaults for
-# various options happen to be. If you don't need to change the
-# default, you shouldn't uncomment the line. Doing so may cause
-# run-time problems. In some cases "none" refers to no default
-# setting at all, while in other cases it refers to a valid
-# option - the comments for that keyword indicate if this is the
-# case.
+#
+# This is the documentation for the Squid configuration file.
+# This documentation can also be found online at:
+# http://www.squid-cache.org/Doc/config/
+#
+# You may wish to look at the Squid home page and wiki for the
+# FAQ and other documentation:
+# http://www.squid-cache.org/
+# http://wiki.squid-cache.org/SquidFaq
+# http://wiki.squid-cache.org/ConfigExamples
+#
+# This documentation shows what the defaults for various directives
+# happen to be. If you don't need to change the default, you should
+# leave the line out of your squid.conf in most cases.
+#
+# In some cases "none" refers to no default setting at all,
+# while in other cases it refers to the value of the option
+# - the comments for that keyword indicate if this is the case.
 #
 # Configuration options can be included using the "include" directive.
-# Include takes a list of files to include. Quoting and wildcards is
+# Include takes a list of files to include. Quoting and wildcards are
 # supported.
 #
 # For example,
@@ -38,6 +44,9 @@
 # none
 
 # TAG: incoming_rate
+#Default:
+# none
+
 # TAG: server_http11
 # Remove this line. HTTP/1.1 is supported by default.
 #Default:
@@ -384,9 +393,8 @@
 # cached entry should be initiated without needing to
 # wait for a new reply. (default 0 for no grace period)
 # protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers
-# ipv4 / ipv6 IP-mode used to communicate to this helper.
-# For compatability with older configurations and helpers
-# the default is currently 'ipv4'.
+# ipv4 / ipv6 IP protocol used to communicate with this helper.
+# The default is to auto-detect IPv6 and use it when available.
 #
 # FORMAT specifications
 #
@@ -425,6 +433,9 @@
 # list separator. ; can be any non-alphanumeric
 # character.
 #
+# %% The percent sign. Useful for helpers which need
+# an unchanging input format.
+#
 # In addition to the above, any string specified in the referencing
 # acl will also be included in the helper request line, after the
 # specified formats (see the "acl external" directive)
@@ -474,8 +485,9 @@
 #
 # When using "file", the file should contain one item per line.
 #
-# By default, regular expressions are CASE-SENSITIVE. To make
-# them case-insensitive, use the -i option.
+# By default, regular expressions are CASE-SENSITIVE.
+# To make them case-insensitive, use the -i option. To return case-sensitive
+# use the +i option between patterns, or make a new ACL line without -i.
 #
 # Some acl types require suspending the current request in order
 # to access some external data source.
@@ -918,18 +930,23 @@ http_access deny all
 # htcp_clr_access deny all
 
 # TAG: miss_access
-# Use to force your neighbors to use you as a sibling instead of
-# a parent. For example:
+# Determins whether network access is permitted when satisfying a request.
+#
+# For example;
+# to force your neighbors to use you as a sibling instead of
+# a parent.
 #
 # acl localclients src 172.16.0.0/16
 # miss_access allow localclients
 # miss_access deny !localclients
 #
-# This means only your local clients are allowed to fetch
-# MISSES and all other clients can only fetch HITS.
+# This means only your local clients are allowed to fetch relayed/MISS
+# replies from the network and all other clients can only fetch cached
+# objects (HITs).
+#
 #
-# By default, allow all clients who passed the http_access rules
-# to fetch MISSES from us.
+# The default for this setting allows all clients who passed the
+# http_access rules to relay via this proxy.
 #
 # This clause only supports fast acl types.
 # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
@@ -1046,14 +1063,16 @@ http_access deny all
 # accelerators should consider the default.
 # Implies accel.
 #
-# vhost Accelerator mode using Host header for virtual
-# domain support. Implies accel.
+# vhost Accelerator mode using Host header for virtual domain support.
+# Also uses the port as specified in Host: header unless
+# overridden by the vport option. Implies accel.
 #
-# vport Accelerator with IP based virtual host support.
-# Implies accel.
+# vport Virtual host port support. Using the http_port number
+# instead of the port passed on Host: headers. Implies accel.
 #
-# vport=NN As above, but uses specified port number rather
-# than the http_port number. Implies accel.
+# vport=NN Virtual host port support. Using the specified port
+# number instead of the port passed on Host: headers.
+# Implies accel.
 #
 # protocol= Protocol to reconstruct accelerated requests with.
 # Defaults to http.
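Review bot: The rewritten miss_access description opens with a typo and a punctuation slip: `+# Determins whether network access is permitted when satisfying a request.` should be `# Determines whether network access is permitted when satisfying a request.`, and `# For example;` should end with a colon. This paragraph is what an operator reads when deciding whether to keep the default, and the new wording says the default lets every client passing http_access "relay via this proxy"; it is worth stating that consequence plainly, for instance `# Note: without a miss_access deny rule, every client permitted by http_access can fetch from origin servers through this proxy, not only cached objects.` The vhost/vport hunk below reads fine as rewritten.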
@@ -1165,6 +1184,10 @@ http_port 3128
 # 4 TLSv1 only
 #
 # cipher= Colon separated list of supported ciphers.
+# NOTE: some ciphers such as EDH ciphers depend on
+# additional settings. If those settings are
+# omitted the ciphers may be silently ignored
+# by the OpenSSL library.
 #
 # options= Various SSL engine options. The most important
 # being:
@@ -1173,8 +1196,8 @@ http_port 3128
 # NO_TLSv1 Disallow the use of TLSv1
 # SINGLE_DH_USE Always create a new key when using
 # temporary/ephemeral DH key exchanges
-# See src/ssl_support.c or OpenSSL SSL_CTX_set_options
-# documentation for a complete list of options.
+# See OpenSSL SSL_CTX_set_options documentation for a
+# complete list of options.
 #
 # clientca= File containing the list of CAs to use when
 # requesting a client certificate.
@@ -1191,7 +1214,10 @@ http_port 3128
 # the capath. Implies VERIFY_CRL flag below.
 #
 # dhparams= File containing DH parameters for temporary/ephemeral
-# DH key exchanges.
+# DH key exchanges. See OpenSSL documentation for details
+# on how to create this file.
+# WARNING: EDH ciphers will be silently disabled if this
+# option is not set.
 #
 # sslflags= Various flags modifying the use of SSL:
 # DELAYED_AUTH
@@ -1213,6 +1239,25 @@ http_port 3128
 #
 # sslcontext= SSL session ID context identifier.
 #
+# generate-host-certificates[=<on|off>]
+# Dynamically create SSL server certificates for the
+# destination hosts of bumped CONNECT requests.When
+# enabled, the cert and key options are used to sign
+# generated certificates. Otherwise generated
+# certificate will be selfsigned.
+# If there is CA certificate life time of generated
+# certificate equals lifetime of CA certificate. If
+# generated certificate is selfsigned lifetime is three
+# years.
+# This option is enabled by default when SslBump is used.
+# See the sslBump option above for more information.
+#
+# dynamic_cert_mem_cache_size=SIZE
+# Approximate total RAM size spent on cached generated
+# certificates. If set to zero, caching is disabled. The
+# default value is 4MB. An average XXX-bit certificate
+# consumes about XXX bytes of RAM.
+#
 # vport Accelerator with IP based virtual host support.
 #
 # vport=NN As above, but uses specified port number rather
@@ -1482,9 +1527,9 @@ http_port 3128
 #
 # By default, no requests are bumped.
 #
-# See also: http_port sslBump
+# See also: http_port ssl-bump
 #
-# This clause only supports fast acl types.
+# This clause supports both fast and slow acl types.
 # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
 #
 #
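Review bot: The new dynamic_cert_mem_cache_size text ships with unfilled placeholders, `+# default value is 4MB. An average XXX-bit certificate` / `+# consumes about XXX bytes of RAM.`; either fill in measured figures or drop that sentence rather than publish `XXX`. The generate-host-certificates paragraph has a missing space in `requests.When`, and its lifetime sentence is hard to parse; I would reword it as `# If a CA certificate is given, generated certificates inherit its lifetime; self-signed generated certificates are valid for three years.` It also refers to `sslBump` while the second hunk here changes the http_port cross-reference to `ssl-bump`, so the two spellings should agree. Because the cert/key named here sign certificates that clients will trust for every bumped site, a one-line caveat that this should be a private CA dedicated to the proxy, with its key protected accordingly, would help operators; that follows from the signing role the paragraph describes rather than from anything the hunk states outright.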
@@ -1556,6 +1601,31 @@ http_port 3128
 #Default:
 # none
 
+#OPTIONS RELATING TO EXTERNAL SSL_CRTD
+#-----------------------------------------------------------------------------
+
+# TAG: sslcrtd_program
+# Note: This option is only available if Squid is rebuilt with the
+# -DUSE_SSL_CRTD define
+#
+# Specify the location and options of the executable for ssl_crtd process.
+# /usr/libexec/ssl_crtd program requires -s and -M parameters
+# For more information use:
+# /usr/libexec/ssl_crtd -h
+#Default:
+# sslcrtd_program /usr/libexec/ssl_crtd -s /var/log/squid/lib/ssl_db -M 4MB
+
+# TAG: sslcrtd_children
+# Note: This option is only available if Squid is rebuilt with the
+# -DUSE_SSL_CRTD define
+#
+# The maximum number of processes spawn to service ssl server.
+# The maximum this may be safely set to is 32.
+#
+# You must have at least one ssl_crtd process.
+#Default:
+# sslcrtd_children 5
+
 # OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
 # -----------------------------------------------------------------------------
@@ -1572,7 +1642,7 @@ http_port 3128
 # cache_peer parent.foo.net parent 3128 3130 default
 # cache_peer sib1.foo.net sibling 3128 3130 proxy-only
 # cache_peer sib2.foo.net sibling 3128 3130 proxy-only
-# cache_peer example.com parent 80 0 no-query default
+# cache_peer example.com parent 80 0 default
 # cache_peer cdn.example.com sibling 3128 0
 #
 # type: either 'parent', 'sibling', or 'multicast'.
@@ -1667,7 +1737,7 @@ http_port 3128
 # multicast-siblings
 # To be used only for cache peers of type "multicast".
 # ALL members of this multicast group have "sibling"
-# relationship with it, not "parent". This is to a mulicast
+# relationship with it, not "parent". This is to a multicast
 # group when the requested object would be fetched only from
 # a "parent" cache, anyway. It's useful, e.g., when
 # configuring a pool of redundant Squid proxies, being
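Review bot: The default `+# sslcrtd_program /usr/libexec/ssl_crtd -s /var/log/squid/lib/ssl_db -M 4MB` puts the ssl_crtd database under the log directory, which looks like a build-path artefact rather than a chosen location; if it really is the packaged default it should be called out, since log directories are commonly world-readable or rotated, and this database is written by the helper that, per the generate-host-certificates text elsewhere in this diff, produces the certificates Squid serves to bumped clients. The paragraph also says nothing about who must own the `-s` directory or that it has to exist before the helper starts; a line such as `# The directory given with -s must exist, be writable by the user Squid runs its helpers as, and not be readable by other users.` is what an operator needs, with the exact requirements confirmed against `ssl_crtd -h`. Minor wording in the sslcrtd_children text: `processes spawn to service ssl server` reads better as `processes spawned to service SSL certificate generation`.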
@@ -1959,11 +2029,13 @@ http_port 3128
 # be handled directly by this cache. In other words, use this
 # to not query neighbor caches for certain objects. You may
 # list this option multiple times.
-# Note: never_direct overrides this option.
 #
-
-# We recommend you to use at least the following line.
-hierarchy_stoplist cgi-bin ?
+# Example:
+# hierarchy_stoplist cgi-bin ?
+#
+# Note: never_direct overrides this option.
+#Default:
+# none
 
 # MEMORY CACHE OPTIONS
 # -----------------------------------------------------------------------------
@@ -2201,6 +2273,9 @@ hierarchy_stoplist cgi-bin ?
 # maximum_object_size 4096 KB
 
 # TAG: cache_swap_low (percent, 0-100)
+#Default:
+# cache_swap_low 90
+
 # TAG: cache_swap_high (percent, 0-100)
 #
 # The low- and high-water marks for cache object replacement.
@@ -2214,7 +2289,6 @@ hierarchy_stoplist cgi-bin ?
 # hundreds of MB. If this is the case you may wish to set these
 # numbers closer together.
 #Default:
-# cache_swap_low 90
 # cache_swap_high 95
 
 # LOGFILE OPTIONS
@@ -2256,6 +2330,8 @@ hierarchy_stoplist cgi-bin ?
 # <A Server IP address or peer name
 # la Local IP address (http_port)
 # lp Local port number (http_port)
+# <la Local IP address of the last server or peer connection
+# <lp Local port number of the last server or peer connection
 # ts Seconds since epoch
 # tu subsecond time (milliseconds)
 # tl Local time. Optional strftime format argument
@@ -2363,6 +2439,7 @@ hierarchy_stoplist cgi-bin ?
 # Will log to the specified file using the specified format (which
 # must be defined in a logformat directive) those entries which match
 # ALL the acl's specified (which must be defined in acl clauses).
+#
 # If no acl is specified, all requests will be logged to this file.
 #
 # To disable logging of a request use the filepath "none", in which case
@@ -2840,10 +2917,10 @@ coredump_dir /var/log/squid/cache
 # -----------------------------------------------------------------------------
 
 # TAG: url_rewrite_program
-# Specify the location of the executable for the URL rewriter.
+# Specify the location of the executable URL rewriter to use.
 # Since they can perform almost any function there isn't one included.
 #
-# For each requested URL rewriter will receive on line with the format
+# For each requested URL, the rewriter will receive on line with the format
 #
 # URL <SP> client_ip "/" fqdn <SP> user <SP> method [<SP> kvpairs]<NL>
 #
@@ -2857,7 +2934,7 @@ coredump_dir /var/log/squid/cache
 #
 # The rewriter can also indicate that a client-side redirect should
 # be performed to the new URL. This is done by prefixing the returned
-# URL with "301:" (moved permanently) or 302: (moved temporarily).
+# URL with "301:" (moved permanently) or 302: (moved temporarily), etc.
 #
 # By default, a URL rewriter is not used.
 #Default:
@@ -3046,7 +3123,13 @@ refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
 refresh_pattern . 0 20% 4320
 
 # TAG: quick_abort_min (KB)
+#Default:
+# quick_abort_min 16 KB
+
 # TAG: quick_abort_max (KB)
+#Default:
+# quick_abort_max 16 KB
+
 # TAG: quick_abort_pct (percent)
 # The cache by default continues downloading aborted requests
 # which are almost completed (less than 16 KB remaining). This
@@ -3075,8 +3158,6 @@ refresh_pattern . 0 20% 4320
 # If you want retrievals to always continue if they are being
 # cached set 'quick_abort_min' to '-1 KB'.
 #Default:
-# quick_abort_min 16 KB
-# quick_abort_max 16 KB
 # quick_abort_pct 95
 
 # TAG: read_ahead_gap buffer-size
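Review bot: The reworded line `+# For each requested URL, the rewriter will receive on line with the format` carries over the original's `on line` typo; it should read `one line`. In the redirect hunk, `302:` is left unquoted while `"301:"` is quoted, and the appended `, etc.` leaves a rewriter author guessing which other status prefixes Squid honours; list them explicitly, or say where the accepted set is defined, rather than leave it open-ended.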
@@ -3252,10 +3333,10 @@ refresh_pattern . 0 20% 4320
 # Note: This option is only available if Squid is rebuilt with the
 # --enable-follow-x-forwarded-for and --enable-icap-client option
 #
-# Controls whether the indirect client address
-# (see follow_x_forwarded_for) instead of the
-# direct client address is passed to an ICAP
-# server as "X-Client-IP".
+# Controls whether the indirect client IP address (instead of the direct
+# client IP address) is passed to adaptation services.
+#
+# See also: follow_x_forwarded_for adaptation_send_client_ip
 #Default:
 # icap_uses_indirect_client on
@@ -3537,7 +3618,7 @@ refresh_pattern . 0 20% 4320
 # read_timeout 15 minutes
 
 # TAG: request_timeout
-# How long to wait for an HTTP request after initial
+# How long to wait for complete HTTP request headers after initial
 # connection establishment.
 #Default:
 # request_timeout 5 minutes
@@ -3730,7 +3811,13 @@ refresh_pattern . 0 20% 4320
 # announce_period 0
 
 # TAG: announce_host
+#Default:
+# announce_host tracker.ircache.net
+
 # TAG: announce_file
+#Default:
+# none
+
 # TAG: announce_port
 # announce_host and announce_port set the hostname and port
 # number where the registration message will be sent.
@@ -3740,7 +3827,6 @@ refresh_pattern . 0 20% 4320
 # the contents of that file will be included in the announce
 # message.
 #Default:
-# announce_host tracker.ircache.net
 # announce_port 3131
 
 # HTTPD-ACCELERATOR OPTIONS
@@ -3829,6 +3915,11 @@ refresh_pattern . 0 20% 4320
 # class 5 Requests are grouped according their tag (see
 # external_acl's tag= reply).
 #
+#
+# Each pool also requires a delay_parameters directive to configure the pool size
+# and speed limits used whenever the pool is applied to a request. Along with
+# a set of delay_access directives to determine when it is used.
+#
 # NOTE: If an IP address is a.b.c.d
 # -> bits 25 through 32 are "d"
 # -> bits 17 through 24 are "c"
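Review bot: The new cross-reference `+# See also: follow_x_forwarded_for adaptation_send_client_ip` names a directive that appears nowhere in this diff, while the TAG being documented is still `icap_uses_indirect_client` and the companion option documented later in this same diff is `icap_send_client_ip`. Unless 3.1.20 also accepts the adaptation_* spelling (the names look carried over from newer documentation), the reference dangles and should read `# See also: follow_x_forwarded_for icap_send_client_ip`. The dropped wording that spelled out `X-Client-IP` was useful to ICAP server authors; keeping the header name in the new sentence, as the icap_send_client_ip hunk does, would avoid the two descriptions drifting apart. Since the "indirect" address here comes from the follow_x_forwarded_for handling of a client-supplied header, the see-also is also the natural place to remind readers that the value is only as trustworthy as that directive's allow list.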
@@ -3868,45 +3959,47 @@ refresh_pattern . 0 20% 4320
 #
 # This defines the parameters for a delay pool. Each delay pool has
 # a number of "buckets" associated with it, as explained in the
-# description of delay_class. For a class 1 delay pool, the syntax is:
+# description of delay_class.
 #
-#delay_parameters pool aggregate
+# For a class 1 delay pool, the syntax is:
+# delay_pools pool 1
+# delay_parameters pool aggregate
 #
 # For a class 2 delay pool:
-
-#delay_parameters pool aggregate individual
+# delay_pools pool 2
+# delay_parameters pool aggregate individual
 #
 # For a class 3 delay pool:
-
-#delay_parameters pool aggregate network individual
+# delay_pools pool 3
+# delay_parameters pool aggregate network individual
 #
 # For a class 4 delay pool:
-
-#delay_parameters pool aggregate network individual user
+# delay_pools pool 4
+# delay_parameters pool aggregate network individual user
 #
 # For a class 5 delay pool:
+# delay_pools pool 5
+# delay_parameters pool tagrate
 #
-#delay_parameters pool tag
-#
-# The variables here are:
+# The option variables are:
 #
 # pool a pool number - ie, a number between 1 and the
 # number specified in delay_pools as used in
 # delay_class lines.
 #
-# aggregate the "delay parameters" for the aggregate bucket
+# aggregate the speed limit parameters for the aggregate bucket
 # (class 1, 2, 3).
 #
-# individual the "delay parameters" for the individual
+# individual the speed limit parameters for the individual
 # buckets (class 2, 3).
 #
-# network the "delay parameters" for the network buckets
+# network the speed limit parameters for the network buckets
 # (class 3).
 #
-# user the delay parameters for the user buckets
+# user the speed limit parameters for the user buckets
 # (class 4).
 #
-# tag the delay parameters for the tag buckets
+# tagrate the speed limit parameters for the tag buckets
 # (class 5).
 #
 # A pair of delay parameters is written restore/maximum, where restore is
@@ -3914,30 +4007,39 @@ refresh_pattern . 0 20% 4320
 # quoted in bits) per second placed into the bucket, and maximum is the
 # maximum number of bytes which can be in the bucket at any time.
 #
+# There must be one delay_parameters line for each delay pool.
+#
+#
 # For example, if delay pool number 1 is a class 2 delay pool as in the
-# above example, and is being used to strictly limit each host to 64kbps
+# above example, and is being used to strictly limit each host to 64Kbit/sec
 # (plus overheads), with no overall limit, the line is:
 #
-#delay_parameters 1 -1/-1 8000/8000
+# delay_parameters 1 -1/-1 8000/8000
+#
+# Note that 8 x 8000 KByte/sec -> 64Kbit/sec.
 #
 # Note that the figure -1 is used to represent "unlimited".
 #
+#
 # And, if delay pool number 2 is a class 3 delay pool as in the above
-# example, and you want to limit it to a total of 256kbps (strict limit)
-# with each 8-bit network permitted 64kbps (strict limit) and each
-# individual host permitted 4800bps with a bucket maximum size of 64kb
+# example, and you want to limit it to a total of 256Kbit/sec (strict limit)
+# with each 8-bit network permitted 64Kbit/sec (strict limit) and each
+# individual host permitted 4800bit/sec with a bucket maximum size of 64Kbits
 # to permit a decent web page to be downloaded at a decent speed
 # (if the network is not being limited due to overuse) but slow down
 # large downloads more significantly:
 #
-#delay_parameters 2 32000/32000 8000/8000 600/8000
+# delay_parameters 2 32000/32000 8000/8000 600/8000
+#
+# Note that 8 x 32000 KByte/sec -> 256Kbit/sec.
+# 8 x 8000 KByte/sec -> 64Kbit/sec.
+# 8 x 600 Byte/sec -> 4800bit/sec.
 #
-# There must be one delay_parameters line for each delay pool.
 #
 # Finally, for a class 4 delay pool as in the example - each user will
-# be limited to 128Kb no matter how many workstations they are logged into.:
+# be limited to 128Kbits/sec no matter how many workstations they are logged into.:
 #
-#delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000
+# delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000
 #Default:
 # none
@@ -4102,13 +4204,15 @@ refresh_pattern . 0 20% 4320
 # wccp2_weight 10000
 
 # TAG: wccp_address
+#Default:
+# wccp_address 0.0.0.0
+
 # TAG: wccp2_address
 # Use this option if you require WCCP to use a specific
 # interface address.
 #
 # The default behavior is to not bind to any specific address.
 #Default:
-# wccp_address 0.0.0.0
 # wccp2_address 0.0.0.0
 
 # PERSISTENT CONNECTION HANDLING
@@ -4117,13 +4221,15 @@ refresh_pattern . 0 20% 4320
 # Also see "pconn_timeout" in the TIMEOUTS section
 
 # TAG: client_persistent_connections
+#Default:
+# client_persistent_connections on
+
 # TAG: server_persistent_connections
 # Persistent connection support for clients and servers. By
 # default, Squid uses persistent connections (when allowed)
 # with its clients and servers. You can use these options to
 # disable persistent connections with clients and/or servers.
 #Default:
-# client_persistent_connections on
 # server_persistent_connections on
 
 # TAG: persistent_connection_after_error
@@ -4235,6 +4341,9 @@ refresh_pattern . 0 20% 4320
 # snmp_access deny all
 
 # TAG: snmp_incoming_address
+#Default:
+# snmp_incoming_address any_addr
+
 # TAG: snmp_outgoing_address
 # Just like 'udp_incoming_address', but for the SNMP port.
 #
@@ -4254,7 +4363,6 @@ refresh_pattern . 0 20% 4320
 # NOTE, snmp_incoming_address and snmp_outgoing_address can not have
 # the same value since they both use port 3401.
 #Default:
-# snmp_incoming_address any_addr
 # snmp_outgoing_address no_addr
 
 # ICP OPTIONS
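Review bot: The new unit notes contradict the values they explain: `+# Note that 8 x 8000 KByte/sec -> 64Kbit/sec.`, `+# Note that 8 x 32000 KByte/sec -> 256Kbit/sec.` and `+# 8 x 8000 KByte/sec -> 64Kbit/sec.` label the restore figures as KByte/sec, yet the paragraph above says delay parameters are bytes per second, and the third note correctly writes `8 x 600 Byte/sec -> 4800bit/sec`; 8 x 8000 KByte/sec would be 64 Mbit/sec, not 64 Kbit/sec. Change `KByte/sec` to `Byte/sec` in all three lines so the arithmetic matches the examples. The class 4 sentence still ends with the stray `into.:` punctuation it had before.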
@@ -4351,13 +4459,15 @@ refresh_pattern . 0 20% 4320
 # minimum_direct_rtt 400
 
 # TAG: netdb_low
+#Default:
+# netdb_low 900
+
 # TAG: netdb_high
 # The low and high water marks for the ICMP measurement
 # database. These are counts, not percents. The defaults are
 # 900 and 1000. When the high water mark is reached, database
 # entries will be deleted until the low mark is reached.
 #Default:
-# netdb_low 900
 # netdb_high 1000
 
 # TAG: netdb_ping_period
@@ -4748,20 +4858,30 @@ refresh_pattern . 0 20% 4320
 # -----------------------------------------------------------------------------
 
 # TAG: incoming_icp_average
+#Default:
+# incoming_icp_average 6
+
 # TAG: incoming_http_average
+#Default:
+# incoming_http_average 4
+
 # TAG: incoming_dns_average
+#Default:
+# incoming_dns_average 4
+
 # TAG: min_icp_poll_cnt
+#Default:
+# min_icp_poll_cnt 8
+
 # TAG: min_dns_poll_cnt
+#Default:
+# min_dns_poll_cnt 8
+
 # TAG: min_http_poll_cnt
 # Heavy voodoo here. I can't even believe you are reading this.
 # Are you crazy? Don't even think about adjusting these unless
 # you understand the algorithms in comm_select.c first!
 #Default:
-# incoming_icp_average 6
-# incoming_http_average 4
-# incoming_dns_average 4
-# min_icp_poll_cnt 8
-# min_dns_poll_cnt 8
 # min_http_poll_cnt 8
 
 # TAG: accept_filter
@@ -4937,7 +5057,11 @@ refresh_pattern . 0 20% 4320
 # Note: This option is only available if Squid is rebuilt with the
 # --enable-icap-client option
 #
-# This adds the header "X-Client-IP" to ICAP requests.
+# If enabled, Squid shares HTTP client IP information with adaptation
+# services. For ICAP, Squid adds the X-Client-IP header to ICAP requests.
+# For eCAP, Squid sets the libecap::metaClientIp transaction option.
+#
+# See also: adaptation_uses_indirect_client
 #Default:
 # icap_send_client_ip off
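Review bot: In the icap_send_client_ip hunk, `+# See also: adaptation_uses_indirect_client` refers to a directive name not present in this diff; the companion TAG documented earlier in the same diff is still `icap_uses_indirect_client`, so unless 3.1.20 also accepts the adaptation_* spelling the line should read `# See also: icap_uses_indirect_client`. The new eCAP sentence also sits under a Note that makes the option conditional only on `--enable-icap-client`; if the libecap behaviour needs a separate build flag, say so, otherwise readers of an ICAP-only build will look for a setting that does nothing. The netdb and comm_select hunks are default-relocation only.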
@@ -5445,13 +5569,32 @@ refresh_pattern . 0 20% 4320
 #Default:
 # dns_v4_fallback on
 
+# TAG: dns_v4_first
+# With the IPv6 Internet being as fast or faster than IPv4 Internet
+# for most networks Squid prefers to contact websites over IPv6.
+#
+# This option reverses the order of preference to make Squid contact
+# dual-stack websites over IPv4 first. Squid will still perform both
+# IPv6 and IPv4 DNS lookups before connecting.
+#
+# WARNING:
+# This option will restrict the situations under which IPv6
+# connectivity is used (and tested). Hiding network problems
+# which would otherwise be detected and warned about.
+#Default:
+# dns_v4_first off
+
 # TAG: ipcache_size (number of entries)
+#Default:
+# ipcache_size 1024
+
 # TAG: ipcache_low (percent)
+#Default:
+# ipcache_low 90
+
 # TAG: ipcache_high (percent)
 # The size, low-, and high-water marks for the IP cache.
 #Default:
-# ipcache_size 1024
-# ipcache_low 90
 # ipcache_high 95
 
 # TAG: fqdncache_size (number of entries)
@@ -5621,10 +5764,16 @@ refresh_pattern . 0 20% 4320
 # maximum_single_addr_tries 1
 
 # TAG: retry_on_error
-# If set to on Squid will automatically retry requests when
-# receiving an error response. This is mainly useful if you
-# are in a complex cache hierarchy to work around access
-# control errors.
+# If set to ON Squid will automatically retry requests when
+# receiving an error response with status 403 (Forbidden),
+# 500 (Internal Error), 501 or 503 (Service not available).
+# Status 502 and 504 (Gateway errors) are always retried.
+#
+# This is mainly useful if you are in a complex cache hierarchy to
+# work around access control errors.
+#
+# NOTE: This retry will attempt to find another working destination.
+# Which is different from the server which just failed.
 #Default:
 # retry_on_error off
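Review bot: The retry_on_error hunk ends in a sentence fragment, `+# NOTE: This retry will attempt to find another working destination.` / `+# Which is different from the server which just failed.`, which should be a single sentence such as `# NOTE: the retry is sent to a different destination than the one that just failed.` Since the new text lists 403 among the statuses retried and describes the purpose as working around access control errors, it is worth stating explicitly that enabling this makes Squid re-send a request a peer has already refused to another destination, so an operator turns it on knowingly rather than as a generic robustness knob. `If set to ON` should match the lowercase `on` used on the Default line and in the dns_v4_first text above. The dns_v4_first and ipcache hunks read fine.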