Diffstat (limited to 'network/squid/squid.conf')
-rw-r--r--network/squid/squid.conf191
1 files changed, 150 insertions, 41 deletions
diff --git a/network/squid/squid.conf b/network/squid/squid.conf
index a53e9e67a23df..ecf4319bd7273 100644
--- a/network/squid/squid.conf
+++ b/network/squid/squid.conf
@@ -1,4 +1,4 @@
-# WELCOME TO SQUID 3.1.10
+# WELCOME TO SQUID 3.1.12
# ----------------------------
#
# This is the default Squid configuration file. You may wish
@@ -27,6 +27,43 @@
# from causing Squid entering an infinite loop whilst trying to load
# configuration files.
+# TAG: dns_testnames
+# Remove this line. DNS is no longer tested on startup.
+#Default:
+# none
+
+# TAG: extension_methods
+# Remove this line. All valid methods for HTTP are accepted by default.
+#Default:
+# none
+
+# TAG: incoming_rate
+# TAG: server_http11
+# Remove this line. HTTP/1.1 is supported by default.
+#Default:
+# none
+
+# TAG: upgrade_http0.9
+# Remove this line. ICY/1.0 streaming protocol is supported by default.
+#Default:
+# none
+
+# TAG: zph_local
+# Alter these entries. Use the qos_flows directive instead.
+#Default:
+# none
+
+# TAG: header_access
+# Since squid-3.0 replace with request_header_access or reply_header_access
+# depending on whether you wish to match client requests or server replies.
+#Default:
+# none
+
+# TAG: httpd_accel_no_pmtu_disc
+# Since squid-3.0 use the 'disable-pmtu-discovery' flag on http_port instead.
+#Default:
+# none
+
# OPTIONS FOR AUTHENTICATION
# -----------------------------------------------------------------------------
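Review bot: The `# TAG: incoming_rate` entry is the only item in the new obsolete-directive block with no migration line — it runs straight into `# TAG: server_http11` — so an admin grepping for what to do with that directive gets nothing. Every neighbouring entry carries a one-line instruction and a `#Default:` stanza; give it the same, e.g. `# Remove this line. This directive is no longer supported.`, hedged because the upstream reason is not visible in this diff. The `header_access` entry says what to replace it with but not whether 3.1.12 refuses to start on the old name; that is worth one sentence, since a silently ignored `header_access` line means the header filtering the admin configured is no longer applied.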
@@ -227,12 +264,12 @@
# auth_param ntlm children 5
#
# "keep_alive" on|off
-# If you experience problems with PUT/POST requests when using the
-# Negotiate authentication scheme then you can try setting this to
-# off. This will cause Squid to forcibly close the connection on
-# the initial requests where the browser asks which schemes are
-# supported by the proxy.
-#
+# Whether to keep the connection open after the initial response where
+# Squid tells the browser which schemes are supported by the proxy.
+# Some browsers are known to present many login popups or to corrupt
+# POST/PUT requests transfer if the connection is not closed.
+# The default is currently OFF to avoid this, but may change.
+#
# auth_param ntlm keep_alive on
#
# === Options for configuring the NEGOTIATE auth-scheme follow ===
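Review bot: The rewritten keep_alive text says the default is currently OFF, but the example line that follows, `auth_param ntlm keep_alive on`, shows the opposite value with no remark that it is an override. Either change the example to `# auth_param ntlm keep_alive off` or annotate it, e.g. `# (example below forces it ON; see the caveat above)`. The new wording also names the failure modes of ON (repeated login popups, corrupted POST/PUT) but not what ON buys, which an admin needs before overriding the default — presumably fewer re-authentications of the connection-oriented NTLM handshake; confirm before stating it.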
@@ -261,15 +298,15 @@
# auth_param negotiate children 5
#
# "keep_alive" on|off
-# If you experience problems with PUT/POST requests when using the
-# Negotiate authentication scheme then you can try setting this to
-# off. This will cause Squid to forcibly close the connection on
-# the initial requests where the browser asks which schemes are
-# supported by the proxy.
-#
+# Whether to keep the connection open after the initial response where
+# Squid tells the browser which schemes are supported by the proxy.
+# Some browsers are known to present many login popups or to corrupt
+# POST/PUT requests transfer if the connection is not closed.
+# The default is currently OFF to avoid this, but may change.
+#
# auth_param negotiate keep_alive on
#
-#
+#
# Examples:
#
##Recommended minimum configuration per scheme:
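Review bot: Same inconsistency as the NTLM section above: the rewritten text says the default is OFF, while the example `auth_param negotiate keep_alive on` shows it ON with no note that it is a deliberate override. Either make the example `# auth_param negotiate keep_alive off` or mark it as an override in a trailing comment. The `-#`/`+#` pair at the end of this hunk looks like a whitespace-only change, which is fine but makes the hunk look larger than it is.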
@@ -566,7 +603,9 @@
#
# acl aclname maxconn number
# # This will be matched when the client's IP address has
-# # more than <number> HTTP connections established. [fast]
+# # more than <number> TCP connections established. [fast]
+# # NOTE: This only measures direct TCP links so X-Forwarded-For
+# # indirect clients are not counted.
#
# acl aclname max_user_ip [-s] number
# # This will be matched when the user attempts to log in from more
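Review bot: The new NOTE says X-Forwarded-For indirect clients are not counted, but not what that means for a deployment: with acl_uses_indirect_client on — which the default block later in this file shows as the default — the maxconn comparison is made against the indirect address, which always has zero direct connections, so a maxconn limit never matches traffic that arrives through a trusted front proxy. That silently disables any per-client connection cap placed in front of a load balancer or reverse proxy. Suggest appending `# # With acl_uses_indirect_client on, maxconn therefore never matches clients seen via X-Forwarded-For; enforce per-client limits on the device that holds the direct connection.`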
@@ -716,6 +755,9 @@ acl CONNECT method CONNECT
# Controls whether the indirect client address
# (see follow_x_forwarded_for) is used instead of the
# direct client address in acl matching.
+#
+# NOTE: maxconn ACL considers direct TCP links and indirect
+# clients will always have zero. So no match.
#Default:
# acl_uses_indirect_client on
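Review bot: The added NOTE is too terse to parse on first read (`indirect clients will always have zero. So no match.`) and does not say zero of what. Suggest `# NOTE: maxconn counts direct TCP connections only, so an indirect (X-Forwarded-For) client always has a count of zero and a maxconn ACL never matches it while this directive is on.` This is the directive where an admin decides to trust X-Forwarded-For, so it is the right place to spell out that maxconn stops protecting them.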
@@ -828,6 +870,12 @@ http_access deny all
#
# See http_access for details
#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+## Allow ICP queries from local networks only
+##icp_access allow localnet
+##icp_access deny all
#Default:
# icp_access deny all
#
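Review bot: The new example `icp_access allow localnet` restricts by source address, but ICP is carried over UDP, so the src match is against a spoofable address and is a weak control on its own; the example should carry that caveat. Suggest `## ICP is UDP: a src ACL alone does not stop spoofed queries; also filter icp_port at the host firewall.` The example also relies on an ACL named `localnet` being defined earlier in the file, which this hunk does not show — presumably the stock `acl localnet src ...` block; confirm the name matches what the default config defines.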
@@ -847,6 +895,12 @@ icp_access deny all
# deny all traffic. This default may cause problems with peers
# using the htcp or htcp-oldsquid options.
#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+## Allow HTCP queries from local networks only
+##htcp_access allow localnet
+##htcp_access deny all
#Default:
# htcp_access deny all
#
@@ -1038,7 +1092,7 @@ htcp_access deny all
# sporadically hang or never complete requests set
# disable-pmtu-discovery option to 'transparent'.
#
-# sslBump Intercept each CONNECT request matching ssl_bump ACL,
+# ssl-bump Intercept each CONNECT request matching ssl_bump ACL,
# establish secure connection with the client and with
# the server, decrypt HTTP messages as they pass through
# Squid, and treat them as unencrypted HTTP messages,
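Review bot: The http_port flag is renamed from `sslBump` to `ssl-bump` in the documentation, but nothing tells an upgrader whether an existing `http_port ... sslBump` line is still parsed. If the old spelling were silently ignored, CONNECT traffic the admin believes is being decrypted and inspected would pass through untouched, so the compatibility behaviour matters more here than for a cosmetic rename. Suggest a line such as `# (previously spelled sslBump; check the startup log after upgrading)`, adjusted to whatever 3.1.12 actually does with the old spelling.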
@@ -1188,8 +1242,8 @@ http_port 3128
# Example where normal_service_net uses the TOS value 0x00
# and good_service_net uses 0x20
#
-# acl normal_service_net src 10.0.0.0/255.255.255.0
-# acl good_service_net src 10.0.1.0/255.255.255.0
+# acl normal_service_net src 10.0.0.0/24
+# acl good_service_net src 10.0.1.0/24
# tcp_outgoing_tos 0x00 normal_service_net
# tcp_outgoing_tos 0x20 good_service_net
#
@@ -1199,8 +1253,8 @@ http_port 3128
#
# The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or
# "default" to use whatever default your host has. Note that in
-# practice often only values 0 - 63 is usable as the two highest bits
-# have been redefined for use by ECN (RFC3168).
+# practice often only multiples of 4 is usable as the two rightmost bits
+# have been redefined for use by ECN (RFC 3168 section 23.1).
#
# Processing proceeds in the order specified, and stops at first fully
# matching line.
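Review bot: Grammar in the rewritten sentence: `practice often only multiples of 4 is usable as the two rightmost bits` should read `practice often only multiples of 4 are usable, as the two rightmost bits`. The substance is an improvement over the old `0 - 63` claim, since the ECN bits are the low two bits and the usable values are those with them clear. I could not confirm the `section 23.1` reference from here; the ECN field layout is in section 5 of RFC 3168 if a safer pointer is wanted.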
@@ -1303,14 +1357,18 @@ http_port 3128
# an additional ACL needs to be used which ensures the IPv6-bound traffic
# is never forced or permitted out the IPv4 interface.
#
+# # IPv6 destination test along with a dummy access control to perofrm the required DNS
+# # This MUST be place before any ALLOW rules.
# acl to_ipv6 dst ipv6
-# tcp_outgoing_address 2002::c001 good_service_net to_ipv6
+# http_access deny ipv6 !all
+#
+# tcp_outgoing_address 2001:db8::c001 good_service_net to_ipv6
# tcp_outgoing_address 10.1.0.2 good_service_net !to_ipv6
#
-# tcp_outgoing_address 2002::beef normal_service_net to_ipv6
+# tcp_outgoing_address 2001:db8::beef normal_service_net to_ipv6
# tcp_outgoing_address 10.1.0.1 normal_service_net !to_ipv6
#
-# tcp_outgoing_address 2002::1 to_ipv6
+# tcp_outgoing_address 2001:db8::1 to_ipv6
# tcp_outgoing_address 10.1.0.3 !to_ipv6
#
# WARNING:
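Review bot: The new dummy access rule references an ACL that does not exist in the example: the acl is declared as `to_ipv6`, but the added line is `http_access deny ipv6 !all`. Copied as-is, that line names an undefined ACL, which squid rejects at config parse time, so the example cannot be used verbatim; it should read `# http_access deny to_ipv6 !all`. The two new comment lines also have typos: `perofrm` → `perform` and `MUST be place` → `MUST be placed`. Moving the example addresses from 2002::/16 (6to4) to the 2001:db8::/32 documentation prefix is a good change, since the old ones could have been routable.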
@@ -1499,6 +1557,10 @@ http_port 3128
# when using encrypted SSL certificate keys. If not specified
# keys must either be unencrypted, or Squid started with the -N
# option to allow it to query interactively for the passphrase.
+#
+# The key file name is given as argument to the program allowing
+# selection of the right password if you have multiple encrypted
+# keys.
#Default:
# none
@@ -1635,8 +1697,8 @@ http_port 3128
# which parent to fectch from. If the rtt is less than the
# base time the rtt is set to a minimal value.
#
-# ttl=N Specify a IP multicast TTL to use when sending an ICP
-# queries to this address.
+# ttl=N Specify a TTL to use when sending multicast ICP queries
+# to this address.
# Only useful when sending to a multicast group.
# Because we don't accept ICP replies from random
# hosts, you must configure other group members as
@@ -2034,10 +2096,10 @@ hierarchy_stoplist cgi-bin ?
# Instead, if you want Squid to use the entire disk drive,
# subtract 20% and use that value.
#
-# 'Level-1' is the number of first-level subdirectories which
+# 'L1' is the number of first-level subdirectories which
# will be created under the 'Directory'. The default is 16.
#
-# 'Level-2' is the number of second-level subdirectories which
+# 'L2' is the number of second-level subdirectories which
# will be created under each first-level directory. The default
# is 256.
#
@@ -2097,8 +2159,8 @@ hierarchy_stoplist cgi-bin ?
#
# no-store, no new objects should be stored to this cache_dir
#
-# max-size=n, refers to the max object size this storedir supports.
-# It is used to initially choose the storedir to dump the object.
+# max-size=n, refers to the max object size in bytes this cache_dir
+# supports. It is used to select the cache_dir to store the object.
# Note: To make optimal use of the max-size limits you should order
# the cache_dir lines with the smallest max-size value first and the
# ones with no max-size specification last.
@@ -2323,7 +2385,7 @@ cache_dir ufs /var/cache/squid/ 256 16 256
# err, warning, notice, info, debug.
#
# Default:
-# access_log /var/log/squid/logs/access.log squid
+# access_log /var/log/squid/access.log squid
#Default:
access_log /var/log/squid/access.log squid
@@ -2435,7 +2497,7 @@ cache_log /var/log/squid/cache.log
# disable it.
#
# Example:
-# cache_store_log /var/log/squid/logs/store.log
+# cache_store_log /var/log/squid/store.log
#Default:
cache_store_log /var/log/squid/store.log
@@ -2609,7 +2671,7 @@ pid_filename /var/run/squid/squid.pid
# A filename where Squid stores it's netdb state between restarts.
# To disable, enter "none".
#Default:
-# netdb_filename /var/log/squid/logs/netdb.state
+# netdb_filename /var/log/squid/netdb.state
# OPTIONS FOR TROUBLESHOOTING
# -----------------------------------------------------------------------------
@@ -2647,6 +2709,8 @@ cache_log /var/log/squid/cache.log
# coredump_dir none
#
+# Leave coredumps in the first cache dir
+coredump_dir /var/log/squid/cache
# OPTIONS FOR FTP GATEWAYING
# -----------------------------------------------------------------------------
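Review bot: The new comment says `Leave coredumps in the first cache dir`, but the directive points at `/var/log/squid/cache`, which is neither the cache_dir configured in this file (`/var/cache/squid/` in the earlier hunk's context) nor a log location; one of the two is wrong. This is a live directive rather than a commented example, so it takes effect on every install. A squid core holds whatever was in memory at the time — Proxy-Authorization credentials, decrypted ssl-bump payloads, passphrases returned by sslpassword_program — so whichever directory is chosen must exist, be writable by the effective user, and not be readable by other local users. A comment such as `# cores may contain client credentials and decrypted traffic; keep this directory private` would make that expectation visible to whoever packages this.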
@@ -2714,6 +2778,26 @@ cache_log /var/log/squid/cache.log
#Default:
# ftp_epsv on
+# TAG: ftp_eprt
+# FTP Protocol extensions permit the use of a special "EPRT" command.
+#
+# This extension provides a protocol neutral alternative to the
+# IPv4-only PORT command. When supported it enables active FTP data
+# channels over IPv6 and efficient NAT handling.
+#
+# Turning this OFF will prevent EPRT being attempted and will skip
+# straight to using PORT for IPv4 servers.
+#
+# Some devices are known to not handle this extension correctly and
+# may result in crashes. Devices which suport EPRT enough to fail
+# cleanly will result in Squid attempting PORT anyway. This directive
+# should only be disabled when EPRT results in device failures.
+#
+# WARNING: Doing so will convert Squid back to the old behavior with all
+# the related problems with external NAT devices/layers and IPv4-only FTP.
+#Default:
+# ftp_eprt on
+
# TAG: ftp_sanitycheck
# For security and data integrity reasons Squid by default performs
# sanity checks of the addresses of FTP data connections ensure the
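Review bot: Typo in the new ftp_eprt text: `Devices which suport EPRT` → `support`. The paragraph also says some devices `may result in crashes` but not what the admin would observe from squid's side, which is what they need before turning this off; if the usual symptom is a hung or aborted FTP data transfer, say so. The WARNING about reverting to PORT is useful and should stay as written.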
@@ -3129,6 +3213,13 @@ refresh_pattern . 0 20% 4320
#Default:
# request_body_max_size 0 KB
+# TAG: client_request_buffer_max_size (bytes)
+# This specifies the maximum buffer size of a client request.
+# It prevents squid eating too much memory when somebody uploads
+# a large file.
+#Default:
+# client_request_buffer_max_size 512 KB
+
# TAG: chunked_request_body_max_size (bytes)
# A broken or confused HTTP/1.1 client may send a chunked HTTP
# request to Squid. Squid does not have full support for that
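Review bot: The new client_request_buffer_max_size description does not say what happens when a request exceeds the 512 KB buffer, so an admin tuning for upload-DoS resistance cannot tell whether this caps the upload size or only how much of it squid holds in memory at once. The neighbouring request_body_max_size (default 0 KB, unlimited) is the size limit, so this is presumably a buffering cap that lets larger bodies stream through — worth stating explicitly, e.g. `# This limits memory buffered per request, not the request size; use request_body_max_size to reject large uploads.`, after confirming the behaviour.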
@@ -3295,7 +3386,6 @@ refresh_pattern . 0 20% 4320
# request_header_access Retry-After allow all
# request_header_access Title allow all
# request_header_access Connection allow all
-# request_header_access Proxy-Connection allow all
# request_header_access All deny all
#
# although many of those are HTTP reply headers, and so should be
@@ -3367,7 +3457,6 @@ refresh_pattern . 0 20% 4320
# reply_header_access Retry-After allow all
# reply_header_access Title allow all
# reply_header_access Connection allow all
-# reply_header_access Proxy-Connection allow all
# reply_header_access All deny all
#
# although the HTTP request headers won't be usefully controlled
@@ -3378,13 +3467,13 @@ refresh_pattern . 0 20% 4320
#Default:
# none
-# TAG: header_replace
-# Usage: header_replace header_name message
-# Example: header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit)
+# TAG: request_header_replace
+# Usage: request_header_replace header_name message
+# Example: request_header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit)
#
# This option allows you to change the contents of headers
-# denied with header_access above, by replacing them with
-# some fixed string. This replaces the old fake_user_agent
+# denied with request_header_access above, by replacing them
+# with some fixed string. This replaces the old fake_user_agent
# option.
#
# This only applies to request headers, not reply headers.
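Review bot: Renaming the directive to `request_header_replace` leaves the old `header_replace` undocumented: the obsolete-directive block added earlier in this diff lists header_access but not header_replace, so an upgrader with `header_replace User-Agent ...` in their config has no note saying whether it is still accepted as an alias or must be rewritten. Either add it to that block or add a line here such as `# The older spelling header_replace is ...`, filled in with whatever 3.1.12 does. The text correctly ties replacement to headers already denied with request_header_access; a replace line on its own does nothing, which is easy to miss.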
@@ -3393,6 +3482,20 @@ refresh_pattern . 0 20% 4320
#Default:
# none
+# TAG: reply_header_replace
+# Usage: reply_header_replace header_name message
+# Example: reply_header_replace Server Foo/1.0
+#
+# This option allows you to change the contents of headers
+# denied with reply_header_access above, by replacing them
+# with some fixed string.
+#
+# This only applies to reply headers, not request headers.
+#
+# By default, headers are removed if denied.
+#Default:
+# none
+
# TAG: relaxed_header_parser on|off|warn
# In the default "on" setting Squid accepts certain forms
# of non-compliant HTTP messages where it is unambiguous
@@ -4545,7 +4648,7 @@ cache_effective_group nobody
# Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys
#
# Alternatively you can specify an error URL. The browsers will
-# get redirected (302) to the specified URL. %s in the redirection
+# get redirected (302 or 307) to the specified URL. %s in the redirection
# URL will be replaced by the requested URL.
#
# Alternatively you can tell Squid to reset the TCP connection
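Review bot: The change to `302 or 307` does not say which status is sent when, and the distinction is behavioural: a 307 makes the browser replay the original method and body to the error URL, whereas a 302 turns it into a GET. Presumably 307 is used for non-GET/HEAD requests to preserve the method — confirm and state it. Separately, the `%s` substitution places the full requested URL, query string included, into a redirect to the error-URL host; if that host is not under the admin's control, denied requests leak their URLs to it, which deserves a one-line caveat here.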
@@ -4938,6 +5041,11 @@ cache_effective_group nobody
# Routing is not allowed by default: the ICAP X-Next-Services
# response header is ignored.
#
+# ipv6=on|off
+# Only has effect on split-stack systems. The default on those systems
+# is to use IPv4-only connections. When set to 'on' this option will
+# make Squid use IPv6-only connections to contact this ICAP service.
+#
# Older icap_service format without optional named parameters is
# deprecated but supported for backward compatibility.
#
@@ -5543,7 +5651,6 @@ cache_effective_group nobody
# queried only when Squid starts up, not for every request.
#Default:
# as_whois_server whois.ra.net
-# as_whois_server whois.ra.net
# TAG: offline_mode
# Enable this option and Squid will never try to validate cached
@@ -5602,6 +5709,8 @@ cache_effective_group nobody
#
# Defaults to off for bandwidth management and access logging
# reasons.
+#
+# WARNING: pipelining breaks NTLM and Negotiate/Kerberos authentication.
#Default:
# pipeline_prefetch off
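Review bot: The new WARNING states the conflict but not the reason, so a reader cannot tell whether it also applies to Basic or Digest. NTLM and Negotiate authenticate the TCP connection rather than each request, so a request read ahead on a connection whose handshake has not completed is mishandled; that is the usual explanation, confirm before adding it. Suggest `# WARNING: pipelining breaks NTLM and Negotiate/Kerberos authentication, which authenticate the connection rather than each request. Leave this off when either scheme is configured.`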