From c9c7692638f920da77321df9a54b644909001299 Mon Sep 17 00:00:00 2001
From: dsomero <xgizzmo@slackbuilds.org>
Date: Fri, 8 Apr 2011 19:05:32 -0400
Subject: network/squid: Updated for version 3.1.12.

Signed-off-by: dsomero <xgizzmo@slackbuilds.org>
---
 network/squid/squid.conf | 191 +++++++++++++++++++++++++++++++++++++----------
 1 file changed, 150 insertions(+), 41 deletions(-)

(limited to 'network/squid/squid.conf')

diff --git a/network/squid/squid.conf b/network/squid/squid.conf
index a53e9e67a23df..ecf4319bd7273 100644
--- a/network/squid/squid.conf
+++ b/network/squid/squid.conf
@@ -1,4 +1,4 @@
-#	WELCOME TO SQUID 3.1.10
+#	WELCOME TO SQUID 3.1.12
 #	----------------------------
 #
 #	This is the default Squid configuration file. You may wish
@@ -27,6 +27,43 @@
 #  from causing Squid entering an infinite loop whilst trying to load
 #  configuration files.
 
+#  TAG: dns_testnames
+#	Remove this line. DNS is no longer tested on startup.
+#Default:
+# none
+
+#  TAG: extension_methods
+#	Remove this line. All valid methods for HTTP are accepted by default.
+#Default:
+# none
+
+#  TAG: incoming_rate
+#  TAG: server_http11
+#	Remove this line. HTTP/1.1 is supported by default.
+#Default:
+# none
+
+#  TAG: upgrade_http0.9
+#	Remove this line. ICY/1.0 streaming protocol is supported by default.
+#Default:
+# none
+
+#  TAG: zph_local
+#	Alter these entries. Use the qos_flows directive instead.
+#Default:
+# none
+
+#  TAG: header_access
+#	Since squid-3.0 replace with request_header_access or reply_header_access
+#	depending on whether you wish to match client requests or server replies.
+#Default:
+# none
+
+#  TAG: httpd_accel_no_pmtu_disc
+#	Since squid-3.0 use the 'disable-pmtu-discovery' flag on http_port instead.
+#Default:
+# none
+
 # OPTIONS FOR AUTHENTICATION
 # -----------------------------------------------------------------------------
 
@@ -227,12 +264,12 @@
 #	auth_param ntlm children 5
 #
 #	"keep_alive" on|off
-#	If you experience problems with PUT/POST requests when using the
-#	Negotiate authentication scheme then you can try setting this to
-#	off. This will cause Squid to forcibly close the connection on
-#	the initial requests where the browser asks which schemes are
-#	supported by the proxy.
-#
+#	Whether to keep the connection open after the initial response where
+#	Squid tells the browser which schemes are supported by the proxy.
+#	Some browsers are known to present many login popups or to corrupt
+#	POST/PUT requests transfer if the connection is not closed.
+#	The default is currently OFF to avoid this, but may change.
+#	
 #	auth_param ntlm keep_alive on
 #
 #	=== Options for configuring the NEGOTIATE auth-scheme follow ===
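Review bot: The example left directly under the new paragraph, `auth_param ntlm keep_alive on`, selects the setting that the added lines say can cause repeated login popups or corrupted POST/PUT transfers, and nothing marks it as a non-default choice. Because the text also says the default "may change", I would tell admins to set the value explicitly, for example by adding `#	Set this explicitly if you depend on either behaviour.` and showing `#	auth_param ntlm keep_alive off` as the example. The same applies to the Negotiate copy of this paragraph in the next hunk. The auth_param documentation block starts and ends outside this hunk.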
@@ -261,15 +298,15 @@
 #	auth_param negotiate children 5
 #
 #	"keep_alive" on|off
-#	If you experience problems with PUT/POST requests when using the
-#	Negotiate authentication scheme then you can try setting this to
-#	off. This will cause Squid to forcibly close the connection on
-#	the initial requests where the browser asks which schemes are
-#	supported by the proxy.
-#
+#	Whether to keep the connection open after the initial response where
+#	Squid tells the browser which schemes are supported by the proxy.
+#	Some browsers are known to present many login popups or to corrupt
+#	POST/PUT requests transfer if the connection is not closed.
+#	The default is currently OFF to avoid this, but may change.
+#	
 #	auth_param negotiate keep_alive on
 #
-#	
+#
 #	Examples:
 #
 ##Recommended minimum configuration per scheme:
@@ -566,7 +603,9 @@
 #
 #	acl aclname maxconn number
 #	  # This will be matched when the client's IP address has
-#	  # more than <number> HTTP connections established. [fast]
+#	  # more than <number> TCP connections established. [fast]
+#	  # NOTE: This only measures direct TCP links so X-Forwarded-For
+#	  # indirect clients are not counted.
 #
 #	acl aclname max_user_ip [-s] number
 #	  # This will be matched when the user attempts to log in from more
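Review bot: The added NOTE on `maxconn` says indirect clients are not counted, but it leaves out the consequence an operator relying on it as a per-client limit needs. As I read it, every connection relayed by a front-end proxy is counted against that proxy's own address, so a limit sized for one client is shared by everyone behind it. I would add a line such as `#	  # Connections arriving through a forwarding proxy all count against that proxy's address.`. The companion NOTE added under acl_uses_indirect_client in the following hunk ends with the fragment "So no match."; writing it as `#	      maxconn therefore never matches an indirect client address.` would be clearer. Both suggestions are comment-only.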
@@ -716,6 +755,9 @@ acl CONNECT method CONNECT
 #	Controls whether the indirect client address
 #	(see follow_x_forwarded_for) is used instead of the
 #	direct client address in acl matching.
+#
+#	NOTE: maxconn ACL considers direct TCP links and indirect
+#	      clients will always have zero. So no match.
 #Default:
 # acl_uses_indirect_client on
 
@@ -828,6 +870,12 @@ http_access deny all
 #
 #	See http_access for details
 #
+#	This clause only supports fast acl types.
+#	See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+## Allow ICP queries from local networks only
+##icp_access allow localnet
+##icp_access deny all
 #Default:
 # icp_access deny all
 #
@@ -847,6 +895,12 @@ icp_access deny all
 #	deny all traffic. This default may cause problems with peers
 #	using the htcp or htcp-oldsquid options.
 #
+#	This clause only supports fast acl types.
+#	See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+## Allow HTCP queries from local networks only
+##htcp_access allow localnet
+##htcp_access deny all
 #Default:
 # htcp_access deny all
 #
@@ -1038,7 +1092,7 @@ htcp_access deny all
 #			sporadically hang or never complete requests set
 #			disable-pmtu-discovery option to 'transparent'.
 #
-#	   sslBump 	Intercept each CONNECT request matching ssl_bump ACL,
+#	   ssl-bump 	Intercept each CONNECT request matching ssl_bump ACL,
 #			establish secure connection with the client and with
 #			the server, decrypt HTTP messages as they pass through
 #			Squid, and treat them as unencrypted HTTP messages,
@@ -1188,8 +1242,8 @@ http_port 3128
 #	Example where normal_service_net uses the TOS value 0x00
 #	and good_service_net uses 0x20
 #
-#	acl normal_service_net src 10.0.0.0/255.255.255.0
-#	acl good_service_net src 10.0.1.0/255.255.255.0
+#	acl normal_service_net src 10.0.0.0/24
+#	acl good_service_net src 10.0.1.0/24
 #	tcp_outgoing_tos 0x00 normal_service_net
 #	tcp_outgoing_tos 0x20 good_service_net
 #
@@ -1199,8 +1253,8 @@ http_port 3128
 #
 #	The TOS/DSCP byte must be exactly that - a octet value  0 - 255, or
 #	"default" to use whatever default your host has. Note that in
-#	practice often only values 0 - 63 is usable as the two highest bits
-#	have been redefined for use by ECN (RFC3168).
+#	practice often only multiples of 4 is usable as the two rightmost bits
+#	have been redefined for use by ECN (RFC 3168 section 23.1).
 #
 #	Processing proceeds in the order specified, and stops at first fully
 #	matching line.
@@ -1303,14 +1357,18 @@ http_port 3128
 #	an additional ACL needs to be used which ensures the IPv6-bound traffic
 #	is never forced or permitted out the IPv4 interface.
 #
+#	# IPv6 destination test along with a dummy access control to perofrm the required DNS
+#	# This MUST be place before any ALLOW rules.
 #	acl to_ipv6 dst ipv6
-#	tcp_outgoing_address 2002::c001 good_service_net to_ipv6
+#	http_access deny ipv6 !all
+#
+#	tcp_outgoing_address 2001:db8::c001 good_service_net to_ipv6
 #	tcp_outgoing_address 10.1.0.2 good_service_net !to_ipv6
 #
-#	tcp_outgoing_address 2002::beef normal_service_net to_ipv6
+#	tcp_outgoing_address 2001:db8::beef normal_service_net to_ipv6
 #	tcp_outgoing_address 10.1.0.1 normal_service_net !to_ipv6
 #
-#	tcp_outgoing_address 2002::1 to_ipv6
+#	tcp_outgoing_address 2001:db8::1 to_ipv6
 #	tcp_outgoing_address 10.1.0.3 !to_ipv6
 #
 #	WARNING:
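Review bot: The added example line `http_access deny ipv6 !all` references an ACL named `ipv6`, but the only ACL defined in this example is `to_ipv6` (`acl to_ipv6 dst ipv6`). Copied as written, the rule would presumably be rejected or would not trigger the destination lookup it is meant to force, and the later `tcp_outgoing_address ... to_ipv6` selections depend on that lookup. The line should read `http_access deny to_ipv6 !all`. The two comment lines above it also carry typos; I would write `# IPv6 destination test along with a dummy access control to perform the required DNS lookup.` and `# This MUST be placed before any ALLOW rules.`. The tcp_outgoing_address documentation block continues outside this hunk.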
@@ -1499,6 +1557,10 @@ http_port 3128
 #	when using encrypted SSL certificate keys. If not specified
 #	keys must either be unencrypted, or Squid started with the -N
 #	option to allow it to query interactively for the passphrase.
+#
+#	The key file name is given as argument to the program allowing
+#	selection of the right password if you have multiple encrypted
+#	keys.
 #Default:
 # none
 
@@ -1635,8 +1697,8 @@ http_port 3128
 #			which parent to fectch from. If the rtt is less than the
 #			base time the rtt is set to a minimal value.
 #	
-#	ttl=N		Specify a IP multicast TTL to use when sending an ICP
-#			queries to this address.
+#	ttl=N		Specify a TTL to use when sending multicast ICP queries
+#			to this address.
 #			Only useful when sending to a multicast group.
 #			Because we don't accept ICP replies from random
 #			hosts, you must configure other group members as
@@ -2034,10 +2096,10 @@ hierarchy_stoplist cgi-bin ?
 #	Instead, if you want Squid to use the entire disk drive,
 #	subtract 20% and use that value.
 #
-#	'Level-1' is the number of first-level subdirectories which
+#	'L1' is the number of first-level subdirectories which
 #	will be created under the 'Directory'.  The default is 16.
 #
-#	'Level-2' is the number of second-level subdirectories which
+#	'L2' is the number of second-level subdirectories which
 #	will be created under each first-level directory.  The default
 #	is 256.
 #
@@ -2097,8 +2159,8 @@ hierarchy_stoplist cgi-bin ?
 #
 #	no-store, no new objects should be stored to this cache_dir
 #
-#	max-size=n, refers to the max object size this storedir supports.
-#	It is used to initially choose the storedir to dump the object.
+#	max-size=n, refers to the max object size in bytes this cache_dir
+#	supports.  It is used to select the cache_dir to store the object.
 #	Note: To make optimal use of the max-size limits you should order
 #	the cache_dir lines with the smallest max-size value first and the
 #	ones with no max-size specification last.
@@ -2323,7 +2385,7 @@ cache_dir ufs /var/cache/squid/ 256 16 256
 #	err, warning, notice, info, debug.
 #
 #	Default:
-#		access_log /var/log/squid/logs/access.log squid
+#		access_log /var/log/squid/access.log squid
 #Default:
 access_log /var/log/squid/access.log squid
 
@@ -2435,7 +2497,7 @@ cache_log /var/log/squid/cache.log
 #	disable it.
 #
 #	Example:
-#		cache_store_log /var/log/squid/logs/store.log
+#		cache_store_log /var/log/squid/store.log
 #Default:
 cache_store_log /var/log/squid/store.log
 
@@ -2609,7 +2671,7 @@ pid_filename /var/run/squid/squid.pid
 #	A filename where Squid stores it's netdb state between restarts.
 #	To disable, enter "none".
 #Default:
-# netdb_filename /var/log/squid/logs/netdb.state
+# netdb_filename /var/log/squid/netdb.state
 
 # OPTIONS FOR TROUBLESHOOTING
 # -----------------------------------------------------------------------------
@@ -2647,6 +2709,8 @@ cache_log /var/log/squid/cache.log
 # coredump_dir none
 #
 
+# Leave coredumps in the first cache dir
+coredump_dir /var/log/squid/cache
 
 # OPTIONS FOR FTP GATEWAYING
 # -----------------------------------------------------------------------------
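Review bot: The new comment says core dumps go to "the first cache dir", but the active setting is `coredump_dir /var/log/squid/cache`, while the cache directory visible elsewhere in this diff is `cache_dir ufs /var/cache/squid/ 256 16 256`. Either the path or the comment is wrong; if the log location is intended, the comment should say so, e.g. `# Leave coredumps under the log directory`, and otherwise the path should be `coredump_dir /var/cache/squid`. A core file from a proxy can contain request contents and authentication data held in memory, so whichever directory is chosen should exist, be writable only by the Squid effective user and not be world-readable. Whether the package creates `/var/log/squid/cache` with such permissions is not visible in this diff.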
@@ -2714,6 +2778,26 @@ cache_log /var/log/squid/cache.log
 #Default:
 # ftp_epsv on
 
+#  TAG: ftp_eprt
+#	FTP Protocol extensions permit the use of a special "EPRT" command.
+#
+#	This extension provides a protocol neutral alternative to the
+#	IPv4-only PORT command. When supported it enables active FTP data
+#	channels over IPv6 and efficient NAT handling.
+#
+#	Turning this OFF will prevent EPRT being attempted and will skip
+#	straight to using PORT for IPv4 servers.
+#
+#	Some devices are known to not handle this extension correctly and
+#	may result in crashes. Devices which suport EPRT enough to fail
+#	cleanly will result in Squid attempting PORT anyway. This directive
+#	should only be disabled when EPRT results in device failures.
+#
+#	WARNING: Doing so will convert Squid back to the old behavior with all
+#	the related problems with external NAT devices/layers and IPv4-only FTP.
+#Default:
+# ftp_eprt on
+
 #  TAG: ftp_sanitycheck
 #	For security and data integrity reasons Squid by default performs
 #	sanity checks of the addresses of FTP data connections ensure the
@@ -3129,6 +3213,13 @@ refresh_pattern .		0	20%	4320
 #Default:
 # request_body_max_size 0 KB
 
+#  TAG: client_request_buffer_max_size	(bytes)
+#	This specifies the maximum buffer size of a client request.
+#	It prevents squid eating too much memory when somebody uploads
+#	a large file.
+#Default:
+# client_request_buffer_max_size 512 KB
+
 #  TAG: chunked_request_body_max_size	(bytes)
 #	A broken or confused HTTP/1.1 client may send a chunked HTTP
 #	request to Squid. Squid does not have full support for that
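Review bot: The new `client_request_buffer_max_size` entry is labelled `(bytes)` in its TAG line while its default is written as `512 KB`, and the description does not say what Squid does with a request that exceeds the buffer. With `request_body_max_size 0 KB` shown as the default just above (which I understand to mean no body size limit), this is the only memory bound the text describes for uploads, so the behaviour on overflow deserves one sentence. I would add a line like `#	This bounds the data buffered per client request; see also request_body_max_size.` once the exact behaviour is confirmed against the Squid release notes.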
@@ -3295,7 +3386,6 @@ refresh_pattern .		0	20%	4320
 #		request_header_access Retry-After allow all
 #		request_header_access Title allow all
 #		request_header_access Connection allow all
-#		request_header_access Proxy-Connection allow all
 #		request_header_access All deny all
 #
 #	although many of those are HTTP reply headers, and so should be
@@ -3367,7 +3457,6 @@ refresh_pattern .		0	20%	4320
 #		reply_header_access Retry-After allow all
 #		reply_header_access Title allow all
 #		reply_header_access Connection allow all
-#		reply_header_access Proxy-Connection allow all
 #		reply_header_access All deny all
 #
 #	although the HTTP request headers won't be usefully controlled
@@ -3378,13 +3467,13 @@ refresh_pattern .		0	20%	4320
 #Default:
 # none
 
-#  TAG: header_replace
-#	Usage:   header_replace header_name message
-#	Example: header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit)
+#  TAG: request_header_replace
+#	Usage:   request_header_replace header_name message
+#	Example: request_header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit)
 #
 #	This option allows you to change the contents of headers
-#	denied with header_access above, by replacing them with
-#	some fixed string. This replaces the old fake_user_agent
+#	denied with request_header_access above, by replacing them
+#	with some fixed string. This replaces the old fake_user_agent
 #	option.
 #
 #	This only applies to request headers, not reply headers.
@@ -3393,6 +3482,20 @@ refresh_pattern .		0	20%	4320
 #Default:
 # none
 
+#  TAG: reply_header_replace
+#        Usage:   reply_header_replace header_name message
+#        Example: reply_header_replace Server Foo/1.0
+#
+#        This option allows you to change the contents of headers
+#        denied with reply_header_access above, by replacing them
+#        with some fixed string.
+#
+#        This only applies to reply headers, not request headers.
+#
+#        By default, headers are removed if denied.
+#Default:
+# none
+
 #  TAG: relaxed_header_parser	on|off|warn
 #	In the default "on" setting Squid accepts certain forms
 #	of non-compliant HTTP messages where it is unambiguous
@@ -4545,7 +4648,7 @@ cache_effective_group nobody
 #	    Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys
 #
 #	Alternatively you can specify an error URL. The browsers will
-#	get redirected (302) to the specified URL. %s in the redirection
+#	get redirected (302 or 307) to the specified URL. %s in the redirection
 #	URL will be replaced by the requested URL.
 #
 #	Alternatively you can tell Squid to reset the TCP connection
@@ -4938,6 +5041,11 @@ cache_effective_group nobody
 #		Routing is not allowed by default: the ICAP X-Next-Services
 #		response header is ignored.
 #
+#	ipv6=on|off
+#		Only has effect on split-stack systems. The default on those systems
+#		is to use IPv4-only connections. When set to 'on' this option will
+#		make Squid use IPv6-only connections to contact this ICAP service.
+#
 #	Older icap_service format without optional named parameters is
 #	deprecated but supported for backward compatibility.
 #
@@ -5543,7 +5651,6 @@ cache_effective_group nobody
 #	queried only when Squid starts up, not for every request.
 #Default:
 # as_whois_server whois.ra.net
-# as_whois_server whois.ra.net
 
 #  TAG: offline_mode
 #	Enable this option and Squid will never try to validate cached
@@ -5602,6 +5709,8 @@ cache_effective_group nobody
 #
 #	Defaults to off for bandwidth management and access logging
 #	reasons.
+#
+#	WARNING: pipelining breaks NTLM and Negotiate/Kerberos authentication.
 #Default:
 # pipeline_prefetch off
 
-- 
cgit v1.2.3