From ebd1d1551aae67862e9453784a3dff37f427d208 Mon Sep 17 00:00:00 2001 From: David Somero Date: Tue, 10 Aug 2010 01:34:37 +0100 Subject: [PATCH] network/squid: Updated for version 3.1.6. Signed-off-by: Michiel van Wessem --- network/squid/README | 2 +- network/squid/rc.squid | 4 +- network/squid/squid.SlackBuild | 11 +- network/squid/squid.conf | 2551 ++++++++++++++++++++++---------- network/squid/squid.info | 8 +- 5 files changed, 1746 insertions(+), 830 deletions(-) diff --git a/network/squid/README b/network/squid/README index 87cfca48af..b42a553a3f 100644 --- a/network/squid/README +++ b/network/squid/README @@ -7,6 +7,6 @@ Squid supports SSL, extensive access controls, and full request logging. By using the lightweight Internet Cache Protocol, squid caches can be arranged in a hierarchy or mesh for additional bandwidth savings. -See /usr/doc/squid-3.0.STABLE21/README.SBo for configuration help. +See /usr/doc/squid-3.1.6/README.SBo for configuration help. Note that the default squid.conf and /etc/logrotate.d/squid files have changed in this release, so be sure to merge the changes into place. diff --git a/network/squid/rc.squid b/network/squid/rc.squid index 4810dae64f..c3a680046e 100644 --- a/network/squid/rc.squid +++ b/network/squid/rc.squid @@ -32,8 +32,8 @@ squid_start() { fi done - echo "Starting Squid: $SQUIDCMD -DF" - $SQUIDCMD -DF + echo "Starting Squid: $SQUIDCMD -F" + $SQUIDCMD -F } squid_stop() { diff --git a/network/squid/squid.SlackBuild b/network/squid/squid.SlackBuild index 83b4597579..5c69c1e71c 100644 --- a/network/squid/squid.SlackBuild +++ b/network/squid/squid.SlackBuild @@ -24,7 +24,7 @@ # ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. PRGNAM=squid -VERSION=3.0.STABLE24 +VERSION=3.1.6 BUILD=${BUILD:-1} TAG=${TAG:-_SBo} 
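Review bot: `$SQUIDCMD -F` is launched without any check that the configuration parses, so a broken /etc/squid/squid.conf prints "Starting Squid" at boot and the daemon then never comes up; a guard such as `$SQUIDCMD -k parse || return 1` just before the launch (as far as I know `-k parse` exits non-zero on a fatal config error in the 3.x series) would surface that. The reason for dropping `-D` also deserves a line in the script, since 3.1 presumably no longer performs the start-up DNS tests that flag disabled: `# -D (skip start-up DNS tests) is gone in Squid 3.1`. $SQUIDCMD is expanded unquoted on both lines, which is only safe while it holds a bare path. squid_start() begins before this hunk.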
@@ -83,7 +83,9 @@ CXXFLAGS="$SLKCFLAGS" \ --sysconfdir=/etc/squid \ --localstatedir=/var/log/squid \ --datadir=/usr/share/squid \ + --with-pidfile=/var/run/squid \ --mandir=/usr/man \ + --with-logdir=/var/log/squid \ --enable-snmp \ --enable-auth="basic" \ --enable-basic-auth-helpers="NCSA" \ @@ -97,10 +99,8 @@ make install DESTDIR=$PKG find $PKG | xargs file | grep -e "executable" -e "shared object" | grep ELF \ | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null || true -( cd $PKG/usr/man - find . -type f -exec gzip -9 {} \; - for i in $( find . -type l ) ; do ln -s $( readlink $i ).gz $i.gz ; rm $i ; done -) +find $PKG/usr/man -type f -exec gzip -9 {} \; +for i in $(find $PKG/usr/man -type l); do ln -s $(readlink $i).gz $i.gz; rm $i; done mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION cp -a \ @@ -124,7 +124,6 @@ rm $PKG/etc/squid/squid.conf cat $CWD/squid.conf > $PKG/etc/squid/squid.conf.new mkdir -p $PKG/var/{cache,run}/squid -rmdir $PKG/var/log/squid/logs chown $SQUIDUSER:$SQUIDGROUP $PKG/var/{cache,log,run}/squid ## Edit the config file to set the user and group to run as diff --git a/network/squid/squid.conf b/network/squid/squid.conf index 28b2fc0c75..a7b65c8292 100644 --- a/network/squid/squid.conf +++ b/network/squid/squid.conf @@ -1,5 +1,4 @@ - -# WELCOME TO SQUID 3.0.STABLE1 +# WELCOME TO SQUID 3.1.6 # ---------------------------- # # This is the default Squid configuration file. You may wish 
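Review bot: `--with-pidfile=/var/run/squid` sets the path of the pid file itself, but the hunk further down in this file still runs `mkdir -p $PKG/var/{cache,run}/squid` and chowns `$PKG/var/run/squid` to $SQUIDUSER, so the package ships a directory at the very path the binary is built to write its pid file to; unless the shipped squid.conf overrides this with pid_filename, the start-up pid write lands on a directory. If a file inside that directory is intended this should read `--with-pidfile=/var/run/squid/squid.pid`; if the flat file is intended, the run-directory creation and its chown should go. Keeping the pid file in a directory owned by the service user also lets the unprivileged cache process rewrite it, which turns the root-run stop path into a signal to an arbitrary pid if rc.squid's stop (not in this diff) signals whatever pid it reads there; a root-owned directory, or a root-owned /var/run/squid.pid, avoids that.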
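Review bot: The rewritten man-page loop word-splits and globs its expansions: `for i in $(find $PKG/usr/man -type l)` and `ln -s $(readlink $i).gz $i.gz` break on any $PKG or link name containing whitespace or glob characters, and `rm $i` would then remove the wrong path. A NUL-delimited form keeps the behaviour and survives that: `find "$PKG/usr/man" -type l -print0 | while IFS= read -r -d '' i; do ln -s "$(readlink "$i").gz" "$i.gz"; rm -- "$i"; done`. Dropping the `cd $PKG/usr/man` subshell is otherwise harmless, because readlink returns the stored (relative) target either way, so the recreated .gz links still resolve inside the package.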
@@ -15,6 +14,18 @@ # case. # +# Configuration options can be included using the "include" directive. +# Include takes a list of files to include. Quoting and wildcards is +# supported. +# +# For example, +# +# include /path/to/included/file/squid.acl.config +# +# Includes can be nested up to a hard-coded depth of 16 levels. +# This arbitrary restriction is to prevent recursive include references +# from causing Squid entering an infinite loop whilst trying to load +# configuration files. # OPTIONS FOR AUTHENTICATION # ----------------------------------------------------------------------------- @@ -54,6 +65,8 @@ # proxy as the client then thinks it is talking to an origin server and # not the proxy. This is a limitation of bending the TCP/IP protocol to # transparently intercepting port 80, not a limitation in Squid. +# Ports flagged 'transparent', 'intercept', or 'tproxy' have +# authentication disabled. # # === Parameters for the basic scheme follow. === # @@ -62,7 +75,8 @@ # reads a line containing "username password" and replies "OK" or # "ERR" in an endless loop. "ERR" responses may optionally be followed # by a error description available as %m in the returned error page. -# If you use an authenticator, make sure you have 1 acl of type proxy_auth. +# If you use an authenticator, make sure you have 1 acl of type +# proxy_auth. # # By default, the basic authentication scheme is not used unless a # program is specified. @@ -72,6 +86,12 @@ # # auth_param basic program /usr/libexec/ncsa_auth /usr/etc/passwd # +# "utf8" on|off +# HTTP uses iso-latin-1 as characterset, while some authentication +# backends such as LDAP expects UTF-8. If this is set to on Squid will +# translate the HTTP iso-latin-1 charset to UTF-8 before sending the +# username & password to the helper. +# # "children" numberofchildren # The number of authenticator processes to spawn. If you start too few # Squid will have to wait for them to process a backlog of credential 
@@ -132,7 +152,13 @@ # If you want to use a digest authenticator, set this line to # something like # -# auth_param digest program /usr/bin/digest_auth_pw /usr/etc/digpass +# auth_param digest program /usr/bin/digest_pw_auth /usr/etc/digpass +# +# "utf8" on|off +# HTTP uses iso-latin-1 as characterset, while some authentication +# backends such as LDAP expects UTF-8. If this is set to on Squid will +# translate the HTTP iso-latin-1 charset to UTF-8 before sending the +# username & password to the helper. # # "children" numberofchildren # The number of authenticator processes to spawn (no default). @@ -217,9 +243,9 @@ # the Microsoft Internet Explorer or Mozilla Firefox browsers. # Its main purpose is to exchange credentials with the Squid proxy # using the Kerberos mechanisms. -# If you use a Negotiate authenticator, make sure you have at least one acl -# of type proxy_auth active. By default, the negotiate authenticator_program -# is not used. +# If you use a Negotiate authenticator, make sure you have at least +# one acl of type proxy_auth active. By default, the negotiate +# authenticator_program is not used. # The only supported program for this role is the ntlm_auth # program distributed as part of Samba, version 4 or later. # 
@@ -243,30 +269,37 @@ # # auth_param negotiate keep_alive on # -#Recommended minimum configuration per scheme: -#auth_param negotiate program -#auth_param negotiate children 5 -#auth_param negotiate keep_alive on -#auth_param ntlm program -#auth_param ntlm children 5 -#auth_param ntlm keep_alive on -#auth_param digest program -#auth_param digest children 5 -#auth_param digest realm Squid proxy-caching web server -#auth_param digest nonce_garbage_interval 5 minutes -#auth_param digest nonce_max_duration 30 minutes -#auth_param digest nonce_max_count 50 -#auth_param basic program -#auth_param basic children 5 -#auth_param basic realm Squid proxy-caching web server -#auth_param basic credentialsttl 2 hours +# +# Examples: +# +##Recommended minimum configuration per scheme: +##auth_param negotiate program +##auth_param negotiate children 5 +##auth_param negotiate keep_alive on +## +##auth_param ntlm program +##auth_param ntlm children 5 +##auth_param ntlm keep_alive on +## +##auth_param digest program +##auth_param digest children 5 +##auth_param digest realm Squid proxy-caching web server +##auth_param digest nonce_garbage_interval 5 minutes +##auth_param digest nonce_max_duration 30 minutes +##auth_param digest nonce_max_count 50 +## +##auth_param basic program +##auth_param basic children 5 +##auth_param basic realm Squid proxy-caching web server +##auth_param basic credentialsttl 2 hours +#Default: +# none # TAG: authenticate_cache_garbage_interval # The time period between garbage collection across the username cache. # This is a tradeoff between memory utilization (long intervals - say # 2 days) and CPU (short intervals - say 1 minute). Only change if you # have good reason to. -# #Default: # authenticate_cache_garbage_interval 1 hour @@ -275,7 +308,6 @@ # user cache since their last request. When the garbage # interval passes, all user credentials that have passed their # TTL are removed from memory. -# #Default: # authenticate_ttl 1 hour 
@@ -287,11 +319,9 @@ # quickly, as is the case with dialups. You might be safe # using a larger value (e.g., 2 hours) in a corporate LAN # environment with relatively static address assignments. -# #Default: # authenticate_ip_ttl 0 seconds - # ACCESS CONTROLS # ----------------------------------------------------------------------------- @@ -317,6 +347,9 @@ # cached entry should be initiated without needing to # wait for a new reply. (default 0 for no grace period) # protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers +# ipv4 / ipv6 IP-mode used to communicate to this helper. +# For compatability with older configurations and helpers +# the default is currently 'ipv4'. # # FORMAT specifications # @@ -338,13 +371,23 @@ # %USER_CERTCHAIN SSL User certificate chain in PEM format # %USER_CERT_xx SSL User certificate subject attribute xx # %USER_CA_xx SSL User certificate issuer attribute xx -# %{Header} HTTP request header -# %{Hdr:member} HTTP request header list member -# %{Hdr:;member} +# +# %>{Header} HTTP request header "Header" +# %>{Hdr:member} +# HTTP request header "Hdr" list member "member" +# %>{Hdr:;member} # HTTP request header list member using ; as # list separator. ; can be any non-alphanumeric # character. # +# %<{Header} HTTP reply header "Header" +# %<{Hdr:member} +# HTTP reply header "Hdr" list member "member" +# %<{Hdr:;member} +# HTTP reply header list member using ; as +# list separator. ; can be any non-alphanumeric +# character. +# # In addition to the above, any string specified in the referencing # acl will also be included in the helper request line, after the # specified formats (see the "acl external" directive) 
@@ -379,75 +422,65 @@ # When using the concurrency= option the protocol is changed by # introducing a query channel tag infront of the request/response. # The query channel tag is a number between 0 and concurrency-1. -# #Default: # none # TAG: acl # Defining an Access List # -# acl aclname acltype string1 ... -# acl aclname acltype "file" ... +# Every access list definition must begin with an aclname and acltype, +# followed by either type-specific arguments or a quoted filename that +# they are read from. # -# when using "file", the file should contain one item per line +# acl aclname acltype argument ... +# acl aclname acltype "file" ... # -# acltype is one of the types described below +# When using "file", the file should contain one item per line. # # By default, regular expressions are CASE-SENSITIVE. To make # them case-insensitive, use the -i option. # -# acl aclname src ip-address/netmask ... (clients IP address) -# acl aclname src addr1-addr2/netmask ... (range of addresses) -# acl aclname dst ip-address/netmask ... (URL host's IP address) -# acl aclname myip ip-address/netmask ... (local socket IP address) +# Some acl types require suspending the current request in order +# to access some external data source. +# Those which do are marked with the tag [slow], those which +# don't are marked as [fast]. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl +# for further information +# +# ***** ACL TYPES AVAILABLE ***** +# +# acl aclname src ip-address/netmask ... # clients IP address [fast] +# acl aclname src addr1-addr2/netmask ... # range of addresses [fast] +# acl aclname dst ip-address/netmask ... # URL host's IP address [slow] +# acl aclname myip ip-address/netmask ... # local socket IP address [fast] # # acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation) # # The arp ACL requires the special configure option --enable-arp-acl. # # Furthermore, the ARP ACL code is not portable to all operating systems. 
-# # It works on Linux, Solaris, Windows, FreeBSD, and some other *BSD variants. +# # It works on Linux, Solaris, Windows, FreeBSD, and some +# # other *BSD variants. +# # [fast] # # # # NOTE: Squid can only determine the MAC address for clients that are on -# # the same subnet. If the client is on a different subnet, then Squid cannot -# # find out its MAC address. +# # the same subnet. If the client is on a different subnet, +# # then Squid cannot find out its MAC address. # -# acl aclname srcdomain .foo.com ... # reverse lookup, client IP -# acl aclname dstdomain .foo.com ... # Destination server from URL -# acl aclname srcdom_regex [-i] xxx ... # regex matching client name -# acl aclname dstdom_regex [-i] xxx ... # regex matching server +# acl aclname srcdomain .foo.com ... +# # reverse lookup, from client IP [slow] +# acl aclname dstdomain .foo.com ... +# # Destination server from URL [fast] +# acl aclname srcdom_regex [-i] \.foo\.com ... +# # regex matching client name [slow] +# acl aclname dstdom_regex [-i] \.foo\.com ... +# # regex matching server [fast] +# # # # For dstdomain and dstdom_regex a reverse lookup is tried if a IP # # based URL is used and no match is found. The name "none" is used # # if the reverse lookup fails. # -# acl aclname http_status 200 301 500- 400-403 ... # status code in reply -# -# acl aclname time [day-abbrevs] [h1:m1-h2:m2] -# day-abbrevs: -# S - Sunday -# M - Monday -# T - Tuesday -# W - Wednesday -# H - Thursday -# F - Friday -# A - Saturday -# h1:m1 must be less than h2:m2 -# acl aclname url_regex [-i] ^http:// ... # regex matching on whole URL -# acl aclname urlpath_regex [-i] \.gif$ ... # regex matching on URL path -# acl aclname port 80 70 21 ... -# acl aclname port 0-1024 ... # ranges allowed -# acl aclname myport 3128 ... # (local socket TCP port) -# acl aclname proto HTTP FTP ... -# acl aclname method GET POST ... -# acl aclname browser [-i] regexp ... 
-# # pattern match on User-Agent header (see also req_header below) -# acl aclname referer_regex [-i] regexp ... -# # pattern match on Referer header -# # Referer is highly unreliable, so use with care -# acl aclname ident username ... -# acl aclname ident_regex [-i] pattern ... -# # string match on ident output. -# # use REQUIRED to accept any non-null ident. -# acl aclname src_as number ... -# acl aclname dst_as number ... +# acl aclname src_as number ... +# acl aclname dst_as number ... +# # [fast] # # Except for access control, AS numbers can be used for # # routing of requests to specific caches. Here's an # # example for routing all requests for AS#1241 and only 
@@ -456,11 +489,63 @@ # # cache_peer_access mycache.mydomain.net allow asexample # # cache_peer_access mycache_mydomain.net deny all # +# acl aclname peername myPeer ... +# # [fast] +# # match against a named cache_peer entry +# # set unique name= on cache_peer lines for reliable use. +# +# acl aclname time [day-abbrevs] [h1:m1-h2:m2] +# # [fast] +# # day-abbrevs: +# # S - Sunday +# # M - Monday +# # T - Tuesday +# # W - Wednesday +# # H - Thursday +# # F - Friday +# # A - Saturday +# # h1:m1 must be less than h2:m2 +# +# acl aclname url_regex [-i] ^http:// ... +# # regex matching on whole URL [fast] +# acl aclname urlpath_regex [-i] \.gif$ ... +# # regex matching on URL path [fast] +# +# acl aclname port 80 70 21 0-1024... # destination TCP port [fast] +# # ranges are alloed +# acl aclname myport 3128 ... # local socket TCP port [fast] +# acl aclname myportname 3128 ... # http(s)_port name [fast] +# +# acl aclname proto HTTP FTP ... # request protocol [fast] +# +# acl aclname method GET POST ... # HTTP request method [fast] +# +# acl aclname http_status 200 301 500- 400-403 ... +# # status code in reply [fast] +# +# acl aclname browser [-i] regexp ... +# # pattern match on User-Agent header (see also req_header below) [fast] +# +# acl aclname referer_regex [-i] regexp ... +# # pattern match on Referer header [fast] +# # Referer is highly unreliable, so use with care +# +# acl aclname ident username ... +# acl aclname ident_regex [-i] pattern ... +# # string match on ident output [slow] +# # use REQUIRED to accept any non-null ident. +# # acl aclname proxy_auth [-i] username ... # acl aclname proxy_auth_regex [-i] pattern ... -# # list of valid usernames +# # perform http authentication challenge to the client and match against +# # supplied credentials [slow] +# # +# # takes a list of allowed usernames. # # use REQUIRED to accept any valid username. 
# # +# # Will use proxy authentication in forward-proxy scenarios, and plain +# # http authenticaiton in reverse-proxy scenarios +# # # # NOTE: when a Proxy-Authentication header is sent but it is not # # needed during ACL checking the username is NOT logged # # in access.log. @@ -469,24 +554,24 @@ # # to check username/password combinations (see # # auth_param directive). # # -# # NOTE: proxy_auth can't be used in a transparent proxy as -# # the browser needs to be configured for using a proxy in order +# # NOTE: proxy_auth can't be used in a transparent/intercepting proxy +# # as the browser needs to be configured for using a proxy in order # # to respond to proxy authentication. # # acl aclname snmp_community string ... -# # A community string to limit access to your SNMP Agent +# # A community string to limit access to your SNMP Agent [fast] # # Example: # # # # acl snmppublic snmp_community public # # acl aclname maxconn number # # This will be matched when the client's IP address has -# # more than HTTP connections established. +# # more than HTTP connections established. [fast] # # acl aclname max_user_ip [-s] number # # This will be matched when the user attempts to log in from more # # than different ip addresses. The authenticate_ip_ttl -# # parameter controls the timeout on the ip entries. +# # parameter controls the timeout on the ip entries. [fast] # # If -s is specified the limit is strict, denying browsing # # from any further IP addresses until the ttl has expired. Without # # -s Squid will just annoy the user by "randomly" denying requests. 
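Review bot: Two added comment lines carry typos that every admin editing this file will read: `# # ranges are alloed` (under `acl aclname port`) should be `# # ranges are allowed`, and `# # http authenticaiton in reverse-proxy scenarios` should read `authentication`. Both are inherited from the upstream default squid.conf, so fixing them here means re-applying on the next sync; alternatively a one-line note in README.SBo that this file tracks upstream verbatim would tell admins where to report such errors.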
@@ -496,22 +581,22 @@ # # clients may appear to come from multiple addresses if they are # # going through proxy farms, so a limit of 1 may cause user problems. # -# acl aclname req_mime_type mime-type1 ... +# acl aclname req_mime_type [-i] mime-type ... # # regex match against the mime type of the request generated # # by the client. Can be used to detect file upload or some -# # types HTTP tunneling requests. +# # types HTTP tunneling requests [fast] # # NOTE: This does NOT match the reply. You cannot use this # # to match the returned file type. # # acl aclname req_header header-name [-i] any\.regex\.here # # regex match against any of the known request headers. May be # # thought of as a superset of "browser", "referer" and "mime-type" -# # ACLs. +# # ACL [fast] # -# acl aclname rep_mime_type mime-type1 ... +# acl aclname rep_mime_type [-i] mime-type ... # # regex match against the mime type of the reply received by # # squid. Can be used to detect file download or some -# # types HTTP tunneling requests. +# # types HTTP tunneling requests. [fast] # # NOTE: This has no effect in http_access rules. It only has # # effect in rules that affect the reply data stream such as # # http_reply_access. 
@@ -519,47 +604,54 @@ # acl aclname rep_header header-name [-i] any\.regex\.here # # regex match against any of the known reply headers. May be # # thought of as a superset of "browser", "referer" and "mime-type" -# # ACLs. +# # ACLs [fast] # -# acl acl_name external class_name [arguments...] +# acl aclname external class_name [arguments...] # # external ACL lookup via a helper class defined by the -# # external_acl_type directive. +# # external_acl_type directive [slow] # # acl aclname user_cert attribute values... # # match against attributes in a user SSL certificate -# # attribute is one of DN/C/O/CN/L/ST +# # attribute is one of DN/C/O/CN/L/ST [fast] # # acl aclname ca_cert attribute values... # # match against attributes a users issuing CA SSL certificate -# # attribute is one of DN/C/O/CN/L/ST +# # attribute is one of DN/C/O/CN/L/ST [fast] # # acl aclname ext_user username ... # acl aclname ext_user_regex [-i] pattern ... -# # string match on username returned by external acl helper +# # string match on username returned by external acl helper [slow] # # use REQUIRED to accept any non-null user name. # -#Examples: -#acl macaddress arp 09:00:2b:23:45:67 -#acl myexample dst_as 1241 -#acl password proxy_auth REQUIRED -#acl fileupload req_mime_type -i ^multipart/form-data$ -#acl javascript rep_mime_type -i ^application/x-javascript$ +# acl aclname tag tagvalue ... 
+# # string match on tag returned by external acl helper [slow] +# +# Examples: +# acl macaddress arp 09:00:2b:23:45:67 +# acl myexample dst_as 1241 +# acl password proxy_auth REQUIRED +# acl fileupload req_mime_type -i ^multipart/form-data$ +# acl javascript rep_mime_type -i ^application/x-javascript$ # #Default: # acl all src all # -#Recommended minimum configuration: -acl manager proto cache_object -acl localhost src 127.0.0.1/32 -acl to_localhost dst 127.0.0.0/8 # +# Recommended minimum configuration: +# +acl manager proto cache_object +acl localhost src 127.0.0.1/32 ::1 +acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1 + # Example rule allowing access from your local networks. # Adapt to list your (internal) IP networks from where browsing # should be allowed acl localnet src 10.0.0.0/8 # RFC1918 possible internal network acl localnet src 172.16.0.0/12 # RFC1918 possible internal network acl localnet src 192.168.0.0/16 # RFC1918 possible internal network -# +acl localnet src fc00::/7 # RFC 4193 local private network range +acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines + acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp 
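Review bot: `acl localnet src fe80::/10` admits every IPv6 link-local neighbour as an internal client, and on a host with an Internet-facing or shared-segment interface that is not a network under your control; unlike the RFC1918 lines above it, fe80::/10 is per-link, not per-site. Unless link-local clients are a real requirement for this package's users it is safer to ship the line commented out, e.g. `#acl localnet src fe80::/10 # RFC 4291 link-local - enable only on a trusted segment`, and let the admin opt in. The `fc00::/7` line is the IPv6 analogue of the private ranges and is fine as it stands.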
@@ -573,6 +665,77 @@ acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT +# TAG: follow_x_forwarded_for +# Allowing or Denying the X-Forwarded-For header to be followed to +# find the original source of a request. +# +# Requests may pass through a chain of several other proxies +# before reaching us. The X-Forwarded-For header will contain a +# comma-separated list of the IP addresses in the chain, with the +# rightmost address being the most recent. +# +# If a request reaches us from a source that is allowed by this +# configuration item, then we consult the X-Forwarded-For header +# to see where that host received the request from. If the +# X-Forwarded-For header contains multiple addresses, we continue +# backtracking until we reach an address for which we are not allowed +# to follow the X-Forwarded-For header, or until we reach the first +# address in the list. For the purpose of ACL used in the +# follow_x_forwarded_for directive the src ACL type always matches +# the address we are testing and srcdomain matches its rDNS. +# +# The end result of this process is an IP address that we will +# refer to as the indirect client address. This address may +# be treated as the client address for access control, ICAP, delay +# pools and logging, depending on the acl_uses_indirect_client, +# icap_uses_indirect_client, delay_pool_uses_indirect_client and +# log_uses_indirect_client options. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# SECURITY CONSIDERATIONS: +# +# Any host for which we follow the X-Forwarded-For header +# can place incorrect information in the header, and Squid +# will use the incorrect information as if it were the +# source address of the request. This may enable remote +# hosts to bypass any access control restrictions that are +# based on the client's source addresses. 
+# +# For example: +# +# acl localhost src 127.0.0.1 +# acl my_other_proxy srcdomain .proxy.example.com +# follow_x_forwarded_for allow localhost +# follow_x_forwarded_for allow my_other_proxy +#Default: +# follow_x_forwarded_for deny all + +# TAG: acl_uses_indirect_client on|off +# Controls whether the indirect client address +# (see follow_x_forwarded_for) is used instead of the +# direct client address in acl matching. +#Default: +# acl_uses_indirect_client on + +# TAG: delay_pool_uses_indirect_client on|off +# Note: This option is only available if Squid is rebuilt with the +# --enable-follow-x-forwarded-for and --enable-delay-pools option +# +# Controls whether the indirect client address +# (see follow_x_forwarded_for) is used instead of the +# direct client address in delay pools. +#Default: +# delay_pool_uses_indirect_client on + +# TAG: log_uses_indirect_client on|off +# Controls whether the indirect client address +# (see follow_x_forwarded_for) is used instead of the +# direct client address in the access log. +#Default: +# log_uses_indirect_client on + # TAG: http_access # Allowing or Denying access based on defined access lists # 
@@ -588,37 +751,58 @@ acl CONNECT method CONNECT # opposite of the last line in the list. If the last line was # deny, the default is allow. Conversely, if the last line # is allow, the default will be deny. For these reasons, it is a -# good idea to have an "deny all" or "allow all" entry at the end -# of your access lists to avoid potential confusion. +# good idea to have an "deny all" entry at the end of your access +# lists to avoid potential confusion. +# +# This clause supports both fast and slow acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # #Default: # http_access deny all # -#Recommended minimum configuration: + +# +# Recommended minimum Access Permission configuration: # # Only allow cachemgr access from localhost http_access allow manager localhost http_access deny manager -# Deny requests to unknown ports + +# Deny requests to certain unsafe ports http_access deny !Safe_ports -# Deny CONNECT to other than SSL ports + +# Deny CONNECT to other than secure SSL ports http_access deny CONNECT !SSL_ports -# + # We strongly recommend the following be uncommented to protect innocent # web applications running on the proxy server who think the only # one who can access services on "localhost" is a local user #http_access deny to_localhost + # # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS +# # Example rule allowing access from your local networks. # Adapt localnet in the ACL section to list your (internal) IP networks # from where browsing should be allowed http_access allow localnet +http_access allow localhost # And finally deny all other access to this proxy http_access deny all +# TAG: adapted_http_access +# Allowing or Denying access based on defined access lists +# +# Essentially identical to http_access, but runs after redirectors +# and ICAP/eCAP adaptation. Allowing access control based on their +# output. +# +# If not set then only http_access is used. 
+#Default: +# none + # TAG: http_reply_access # Allow replies to client requests. This is complementary to http_access. # @@ -631,6 +815,8 @@ http_access deny all # last line will apply. Thus it is good practice to end the rules # with an "allow all" or "deny all" entry. # +# This clause supports both fast and slow acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: # none @@ -676,10 +862,12 @@ htcp_access deny all # # See http_access for details # -##Allow HTCP CLR requests from trusted peers +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +## Allow HTCP CLR requests from trusted peers #acl htcp_clr_peer src 172.16.1.2 #htcp_clr_access allow htcp_clr_peer -# #Default: # htcp_clr_access deny all @@ -697,7 +885,9 @@ htcp_access deny all # By default, allow all clients who passed the http_access rules # to fetch MISSES from us. # -#Default setting: +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: # miss_access allow all # TAG: ident_lookup_access @@ -711,14 +901,16 @@ htcp_access deny all # To enable ident lookups for specific client addresses, you # can follow this example: # -# acl ident_aware_hosts src 198.168.1.0/255.255.255.0 +# acl ident_aware_hosts src 198.168.1.0/24 # ident_lookup_access allow ident_aware_hosts # ident_lookup_access deny all # -# Only src type ACL checks are fully supported. A src_domain +# Only src type ACL checks are fully supported. A srcdomain # ACL might work at times, but it will not always provide # the correct result. # +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: # ident_lookup_access deny all 
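Review bot: `#http_access deny to_localhost` is still shipped commented out while the rule list now ends `http_access allow localnet`, `http_access allow localhost`, `http_access deny all`, so any client on localnet can use the proxy to reach services bound to 127.0.0.1 (and, with the reworked to_localhost acl, 0.0.0.0 and ::1) on the proxy host itself; the file's own text two lines above says it "strongly recommend[s]" enabling this. A distribution default should turn it on: `http_access deny to_localhost`, kept before the allow lines as it already is. Adding `http_access allow localhost` is fine, but it does not change this: the to_localhost deny is the only rule that stops a permitted client from reaching the proxy host's own loopback services.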
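Review bot: The example `acl ident_aware_hosts src 198.168.1.0/24` looks like a typo for `192.168.1.0/24`: 198.168.0.0 is publicly routable space, so an admin copying the example verbatim would enable ident lookups for an unrelated external network rather than their LAN. The line was touched anyway (netmask rewritten to CIDR), so `acl ident_aware_hosts src 192.168.1.0/24` is a one-token fix. It mirrors upstream's default squid.conf, so it may be worth reporting there as well.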
@@ -751,10 +943,14 @@ htcp_access deny all # If you set this parameter none (the default), there will be # no limit imposed. # +# Configuration Format is: +# reply_body_max_size SIZE UNITS [acl ...] +# ie. +# reply_body_max_size 10 MB +# #Default: # none - # NETWORK OPTIONS # ----------------------------------------------------------------------------- @@ -783,15 +979,21 @@ htcp_access deny all # # Options: # -# transparent Support for transparent interception of +# intercept Support for IP-Layer interception of # outgoing requests without browser settings. +# NP: disables authentication and IPv6 on the port. # # tproxy Support Linux TPROXY for spoofing outgoing # connections using the client IP address. +# NP: disables authentication and maybe IPv6 on the port. # # accel Accelerator mode. Also needs at least one of # vhost / vport / defaultsite. # +# allow-direct Allow direct forwarding in accelerator mode. Normally +# accelerated requests are denied direct forwarding as if +# never_direct was used. +# # defaultsite=domainname # What to use for the Host: header if it is not present # in a request. Determines what site (not origin server) @@ -810,6 +1012,16 @@ htcp_access deny all # protocol= Protocol to reconstruct accelerated requests with. # Defaults to http. # +# ignore-cc Ignore request Cache-Control headers. +# +# Warning: This option violates HTTP specifications if +# used in non-accelerator setups. +# +# connection-auth[=on|off] +# use connection-auth=off to tell Squid to prevent +# forwarding Microsoft connection oriented authentication +# (NTLM, Negotiate and Kerberos) +# # disable-pmtu-discovery= # Control Path-MTU discovery usage: # off lets OS decide on what to do (default). 
@@ -826,11 +1038,38 @@ htcp_access deny all # sporadically hang or never complete requests set # disable-pmtu-discovery option to 'transparent'. # +# sslBump Intercept each CONNECT request matching ssl_bump ACL, +# establish secure connection with the client and with +# the server, decrypt HTTP messages as they pass through +# Squid, and treat them as unencrypted HTTP messages, +# becoming the man-in-the-middle. +# +# When this option is enabled, additional options become +# available to specify SSL-related properties of the +# client-side connection: cert, key, version, cipher, +# options, clientca, cafile, capath, crlfile, dhparams, +# sslflags, and sslcontext. See the https_port directive +# for more information on these options. +# +# The ssl_bump option is required to fully enable +# the SslBump feature. +# +# name= Specifies a internal name for the port. Defaults to +# the port specification (port or addr:port) +# +# tcpkeepalive[=idle,interval,timeout] +# Enable TCP keepalive probes of idle connections. +# In seconds; idle is the initial time before TCP starts +# probing the connection, interval how often to probe, and +# timeout the time before giving up. +# # If you run Squid on a dual-homed machine with an internal # and an external interface we recommend you to specify the # internal address:port in http_port. This way Squid will only be # visible on the internal address. # +# + # Squid normally listens to port 3128 http_port 3128 @@ -933,6 +1172,8 @@ http_port 3128 # vport=NN As above, but uses specified port number rather # than the https_port number. Implies accel. # +# name= Specifies a internal name for the port. Defaults to +# the port specification (port or addr:port) # #Default: # none 
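Review bot: `http_port 3128` is kept with no bind address even though the text added in this same hunk recommends `internal address:port` on dual-homed hosts, and the new notes that `intercept` and `tproxy` disable IPv6 on a port imply the plain port now listens on IPv6 too, so the proxy presumably accepts connections on every v4 and v6 address with http_access as the only guard. A comment directly above the directive, `# Bind to your internal address, e.g. http_port 192.168.1.1:3128, unless every interface is trusted`, would make that exposure explicit without changing the default. The `sslBump` option is documented here, but whether this build supports it depends on `--enable-ssl`, which is not among the configure flags visible in the SlackBuild hunk; a line in README.SBo stating which port options this package actually supports would save admins a failed reload.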
@@ -945,7 +1186,7 @@ http_port 3128 # tcp_outgoing_tos ds-field [!]aclname ... # # Example where normal_service_net uses the TOS value 0x00 -# and normal_service_net uses 0x20 +# and good_service_net uses 0x20 # # acl normal_service_net src 10.0.0.0/255.255.255.0 # acl good_service_net src 10.0.1.0/255.255.255.0 @@ -953,8 +1194,8 @@ http_port 3128 # tcp_outgoing_tos 0x20 good_service_net # # TOS/DSCP values really only have local significance - so you should -# know what you're specifying. For more information, see RFC2474 and -# RFC3260. +# know what you're specifying. For more information, see RFC2474, +# RFC2475, and RFC3260. # # The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or # "default" to use whatever default your host has. Note that in @@ -968,7 +1209,6 @@ http_port 3128 # incompatible with the use of server side persistent connections. To # ensure correct results it is best to set server_persisten_connections # to off when using this directive in such configurations. -# #Default: # none 
@@ -976,6 +1216,50 @@ http_port 3128 # Allows you to select a TOS/Diffserv value to mark client-side # connections with, based on the username or source address # making the request. +#Default: +# none + +# TAG: qos_flows +# Note: This option is only available if Squid is rebuilt with the +# --enable-zph-qos option +# +# Allows you to select a TOS/DSCP value to mark outgoing +# connections with, based on where the reply was sourced. +# +# TOS values really only have local significance - so you should +# know what you're specifying. For more information, see RFC2474, +# RFC2475, and RFC3260. +# +# The TOS/DSCP byte must be exactly that - octet value 0x00-0xFF. +# Note that in practice often only values up to 0x3F are usable +# as the two highest bits have been redefined for use by ECN +# (RFC3168). +# +# This setting is configured by setting the source TOS values: +# +# local-hit=0xFF Value to mark local cache hits. +# +# sibling-hit=0xFF Value to mark hits from sibling peers. +# +# parent-hit=0xFF Value to mark hits from parent peers. +# +# +# NOTE: 'miss' preserve feature is only possible on Linux at this time. +# +# For the following to work correctly, you will need to patch your +# linux kernel with the TOS preserving ZPH patch. +# The kernel patch can be downloaded from http://zph.bratcheda.org +# +# disable-preserve-miss +# By default, the existing TOS value of the response coming +# from the remote server will be retained and masked with +# miss-mark. This option disables that feature. +# +# miss-mask=0xFF +# Allows you to mask certain bits in the TOS received from the +# remote server, before copying the value to the TOS sent +# towards clients. +# Default: 0xFF (TOS from server is not changed). # #Default: # none 
@@ -992,11 +1276,11 @@ http_port 3128 # source address 10.1.0.2 and the rest will be forwarded with # source address 10.1.0.3. # -# acl normal_service_net src 10.0.0.0/255.255.255.0 -# acl good_service_net src 10.0.1.0/255.255.255.0 -# tcp_outgoing_address 10.0.0.1 normal_service_net -# tcp_outgoing_address 10.0.0.2 good_service_net -# tcp_outgoing_address 10.0.0.3 +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.2.0/24 +# tcp_outgoing_address 10.1.0.1 normal_service_net +# tcp_outgoing_address 10.1.0.2 good_service_net +# tcp_outgoing_address 10.1.0.3 # # Processing proceeds in the order specified, and stops at first fully # matching line. 
@@ -1006,10 +1290,43 @@ http_port 3128 # ensure correct results it is best to set server_persistent_connections # to off when using this directive in such configurations. # +# +# IPv6 Magic: +# +# Squid is built with a capability of bridging the IPv4 and IPv6 +# internets. +# tcp_outgoing_address as exampled above breaks this bridging by forcing +# all outbound traffic through a certain IPv4 which may be on the wrong +# side of the IPv4/IPv6 boundary. +# +# To operate with tcp_outgoing_address and keep the bridging benefits +# an additional ACL needs to be used which ensures the IPv6-bound traffic +# is never forced or permitted out the IPv4 interface. +# +# acl to_ipv6 dst ipv6 +# tcp_outgoing_address 2002::c001 good_service_net to_ipv6 +# tcp_outgoing_address 10.1.0.2 good_service_net !to_ipv6 +# +# tcp_outgoing_address 2002::beef normal_service_net to_ipv6 +# tcp_outgoing_address 10.1.0.1 normal_service_net !to_ipv6 +# +# tcp_outgoing_address 2002::1 to_ipv6 +# tcp_outgoing_address 10.1.0.3 !to_ipv6 +# +# WARNING: +# 'dst ipv6' bases its selection assuming DIRECT access. +# If peers are used the peername ACL are needed to select outgoing +# address which can link to the peer. +# +# 'dst ipv6' is a slow ACL. It will only work here if 'dst' is used +# previously in the http_access rules to locate the destination IP. +# Some more magic may be needed for that: +# http_access allow to_ipv6 !all +# (meaning, allow if to IPv6 but not from anywhere ;) +# #Default: # none - # SSL OPTIONS # ----------------------------------------------------------------------------- @@ -1019,7 +1336,6 @@ http_port 3128 # # Some browsers (especially MSIE) bugs out on SSL shutdown # messages. -# #Default: # ssl_unclean_shutdown off @@ -1029,7 +1345,6 @@ http_port 3128 # # The OpenSSL engine to use. You will need to set this if you # would like to use hardware SSL acceleration for example. -# #Default: # none 
@@ -1038,7 +1353,6 @@ http_port 3128 # --enable-ssl option # # Client SSL Certificate to use when proxying https:// URLs -# #Default: # none @@ -1047,7 +1361,6 @@ http_port 3128 # --enable-ssl option # # Client SSL Key to use when proxying https:// URLs -# #Default: # none @@ -1056,7 +1369,6 @@ http_port 3128 # --enable-ssl option # # SSL version level to use when proxying https:// URLs -# #Default: # sslproxy_version 1 @@ -1065,7 +1377,19 @@ http_port 3128 # --enable-ssl option # # SSL engine options to use when proxying https:// URLs +# +# The most important being: # +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1 +# SINGLE_DH_USE +# Always create a new key when using +# temporary/ephemeral DH key exchanges +# +# These options vary depending on your SSL engine. +# See the OpenSSL SSL_CTX_set_options documentation for a +# complete list of possible options. #Default: # none @@ -1075,6 +1399,7 @@ http_port 3128 # # SSL cipher list to use when proxying https:// URLs # +# Colon separated list of supported ciphers. #Default: # none @@ -1084,7 +1409,6 @@ http_port 3128 # # file containing CA certificates to use when verifying server # certificates while proxying https:// URLs -# #Default: # none 
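Review bot: The sslproxy_options hunk now names `NO_SSLv2`/`NO_SSLv3` as the most important options, yet the shipped default stays empty, and with the documented `sslproxy_version 1` (automatic) the outgoing side presumably still negotiates SSLv2 with any server that offers it. Since the knob is now documented, I would ship a commented recommendation directly under it: `# Recommended baseline: sslproxy_options NO_SSLv2`. The same gap exists for the per-peer `ssloptions=` in the cache_peer section, which lists `sslversion=2` (SSL v2 only) as a plain choice without any caution.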
@@ -1094,7 +1418,35 @@ http_port 3128 # # directory containing CA certificates to use when verifying # server certificates while proxying https:// URLs +#Default: +# none + +# TAG: ssl_bump +# Note: This option is only available if Squid is rebuilt with the +# --enable-ssl option # +# This ACL controls which CONNECT requests to an http_port +# marked with an sslBump flag are actually "bumped". Please +# see the sslBump flag of an http_port option for more details +# about decoding proxied SSL connections. +# +# By default, no requests are bumped. +# +# See also: http_port sslBump +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# +# # Example: Bump all requests except those originating from localhost and +# # those going to webax.com or example.com sites. +# +# acl localhost src 127.0.0.1/32 +# acl broken_sites dstdomain .webax.com +# acl broken_sites dstdomain .example.com +# ssl_bump deny localhost +# ssl_bump deny broken_sites +# ssl_bump allow all #Default: # none 
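Review bot: The ssl_bump example ends in `ssl_bump allow all`, so it decrypts every client TLS session except the two listed domains and fails open for any site nobody thought to add to `broken_sites`; the text should say that rather than present it as the pattern to copy. I would add above the example: `# Bumping decrypts the client's session; prefer an allow-list of sites that must be inspected, or keep the deny list current, since anything not listed is decrypted.` The `acl localhost src 127.0.0.1/32` line also covers only IPv4 loopback, and with the IPv6 bridging described under tcp_outgoing_address on this page, connections from `::1` would presumably still be bumped, so the acl should likely also list `::1`.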
@@ -1103,11 +1455,39 @@ http_port 3128 # --enable-ssl option # # Various flags modifying the use of SSL while proxying https:// URLs: -# DONT_VERIFY_PEER Accept certificates even if they fail to -# verify. +# DONT_VERIFY_PEER Accept certificates that fail verification. +# For refined control, see sslproxy_cert_error. # NO_DEFAULT_CA Don't use the default CA list built in # to OpenSSL. +#Default: +# none + +# TAG: sslproxy_cert_error +# Note: This option is only available if Squid is rebuilt with the +# --enable-ssl option # +# Use this ACL to bypass server certificate validation errors. +# +# For example, the following lines will bypass all validation errors +# when talking to servers located at 172.16.0.0/16. All other +# validation errors will result in ERR_SECURE_CONNECT_FAIL error. +# +# acl BrokenServersAtTrustedIP dst 172.16.0.0/16 +# sslproxy_cert_error allow BrokenServersAtTrustedIP +# sslproxy_cert_error deny all +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# Using slow acl types may result in server crashes +# +# Without this option, all server certificate validation errors +# terminate the transaction. Bypassing validation errors is dangerous +# because an error usually implies that the server cannot be trusted and +# the connection may be insecure. +# +# See also: sslproxy_flags and DONT_VERIFY_PEER. +# +# Default setting: sslproxy_cert_error deny all #Default: # none 
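Review bot: The sslproxy_cert_error text states that only fast ACL types are supported and that slow ones "may result in server crashes", yet its own example keys the bypass on `dst 172.16.0.0/16`, and the tcp_outgoing_address section earlier on this page describes `dst` as a slow ACL that only works once `dst` has already been evaluated in http_access. Either the example needs a different selector or at least the caveat `# NOTE: dst is only fast here if an earlier http_access rule using dst already resolved the destination.` The two default statements also disagree in wording: the prose says `Default setting: sslproxy_cert_error deny all` while the `#Default:` block says `none`; both describe the fail-closed behaviour the paragraph above explains, but one phrasing should be chosen so readers do not think they differ.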
@@ -1119,254 +1499,265 @@ http_port 3128 # when using encrypted SSL certificate keys. If not specified # keys must either be unencrypted, or Squid started with the -N # option to allow it to query interactively for the passphrase. -# #Default: # none - # OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM # ----------------------------------------------------------------------------- # TAG: cache_peer # To specify other caches in a hierarchy, use the format: -# +# # cache_peer hostname type http-port icp-port [options] -# +# # For example, -# +# # # proxy icp # # hostname type port port options # # -------------------- -------- ----- ----- ----------- -# cache_peer parent.foo.net parent 3128 3130 proxy-only default +# cache_peer parent.foo.net parent 3128 3130 default # cache_peer sib1.foo.net sibling 3128 3130 proxy-only # cache_peer sib2.foo.net sibling 3128 3130 proxy-only +# cache_peer example.com parent 80 0 no-query default +# cache_peer cdn.example.com sibling 3128 0 +# +# type: either 'parent', 'sibling', or 'multicast'. +# +# proxy-port: The port number where the peer accept HTTP requests. +# For other Squid proxies this is usually 3128 +# For web servers this is usually 80 +# +# icp-port: Used for querying neighbor caches about objects. +# Set to 0 if the peer does not support ICP or HTCP. +# See ICP and HTCP options below for additional details. +# +# +# ==== ICP OPTIONS ==== +# +# You MUST also set icp_port and icp_access explicitly when using these options. +# The defaults will prevent peer traffic using ICP. +# +# +# no-query Disable ICP queries to this neighbor. +# +# multicast-responder +# Indicates the named peer is a member of a multicast group. +# ICP queries will not be sent directly to the peer, but ICP +# replies will be accepted from it. +# +# closest-only Indicates that, for ICP_OP_MISS replies, we'll only forward +# CLOSEST_PARENT_MISSes and never FIRST_PARENT_MISSes. 
+# +# background-ping +# To only send ICP queries to this neighbor infrequently. +# This is used to keep the neighbor round trip time updated +# and is usually used in conjunction with weighted-round-robin. +# +# +# ==== HTCP OPTIONS ==== +# +# You MUST also set htcp_port and htcp_access explicitly when using these options. +# The defaults will prevent peer traffic using HTCP. +# +# +# htcp Send HTCP, instead of ICP, queries to the neighbor. +# You probably also want to set the "icp-port" to 4827 +# instead of 3130. +# +# htcp-oldsquid Send HTCP to old Squid versions. +# +# htcp-no-clr Send HTCP to the neighbor but without +# sending any CLR requests. This cannot be used with +# htcp-only-clr. +# +# htcp-only-clr Send HTCP to the neighbor but ONLY CLR requests. +# This cannot be used with htcp-no-clr. +# +# htcp-no-purge-clr +# Send HTCP to the neighbor including CLRs but only when +# they do not result from PURGE requests. +# +# htcp-forward-clr +# Forward any HTCP CLR requests this proxy receives to the peer. +# +# +# ==== PEER SELECTION METHODS ==== +# +# The default peer selection method is ICP, with the first responding peer +# being used as source. These options can be used for better load balancing. +# +# +# default This is a parent cache which can be used as a "last-resort" +# if a peer cannot be located by any of the peer-selection methods. +# If specified more than once, only the first is used. +# +# round-robin Load-Balance parents which should be used in a round-robin +# fashion in the absence of any ICP queries. +# weight=N can be used to add bias. +# +# weighted-round-robin +# Load-Balance parents which should be used in a round-robin +# fashion with the frequency of each parent being based on the +# round trip time. Closer parents are used more often. +# Usually used for background-ping parents. +# weight=N can be used to add bias. +# +# carp Load-Balance parents which should be used as a CARP array. 
+# The requests will be distributed among the parents based on the +# CARP load balancing hash function based on their weight. +# +# userhash Load-balance parents based on the client proxy_auth or ident username. +# +# sourcehash Load-balance parents based on the client source IP. # -# type: either 'parent', 'sibling', or 'multicast'. -# -# proxy-port: The port number where the cache listens for proxy -# requests. -# -# icp-port: Used for querying neighbor caches about -# objects. To have a non-ICP neighbor -# specify '7' for the ICP port and make sure the -# neighbor machine has the UDP echo port -# enabled in its /etc/inetd.conf file. -# NOTE: Also requires icp_port option enabled to send/receive -# requests via this method. -# -# options: proxy-only -# weight=n -# basetime=n -# ttl=n -# no-query -# background-ping -# default -# round-robin -# weighted-round-robin -# carp -# multicast-responder -# closest-only -# no-digest -# no-netdb-exchange -# no-delay -# login=user:password | PASS | *:password -# connect-timeout=nn -# digest-url=url -# allow-miss -# max-conn=n -# htcp -# htcp-oldsquid -# originserver -# name=xxx -# forceddomain=name -# ssl -# sslcert=/path/to/ssl/certificate -# sslkey=/path/to/ssl/key -# sslversion=1|2|3|4 -# sslcipher=... -# ssloptions=... -# front-end-https[=on|auto] -# -# use 'proxy-only' to specify objects fetched -# from this cache should not be saved locally. -# -# use 'weight=n' to affect the selection of a peer -# during any weighted peer-selection mechanisms. -# The weight must be an integer; default is 1, -# larger weights are favored more. -# This option does not affect parent selection if a peering -# protocol is not in use. -# -# use 'basetime=n' to specify a base amount to -# be subtracted from round trip times of parents. -# It is subtracted before division by weight in calculating -# which parent to fectch from. If the rtt is less than the -# base time the rtt is set to a minimal value. 
-# -# use 'ttl=n' to specify a IP multicast TTL to use -# when sending an ICP queries to this address. -# Only useful when sending to a multicast group. -# Because we don't accept ICP replies from random -# hosts, you must configure other group members as -# peers with the 'multicast-responder' option below. -# -# use 'no-query' to NOT send ICP queries to this -# neighbor. -# -# use 'background-ping' to only send ICP queries to this -# neighbor infrequently. This is used to keep the neighbor -# round trip time updated and is usually used in -# conjunction with weighted-round-robin. -# -# use 'default' if this is a parent cache which can -# be used as a "last-resort" if a peer cannot be located -# by any of the peer-selection mechanisms. -# If specified more than once, only the first is used. -# -# use 'round-robin' to define a set of parents which -# should be used in a round-robin fashion in the -# absence of any ICP queries. -# -# use 'weighted-round-robin' to define a set of parents -# which should be used in a round-robin fashion with the -# frequency of each parent being based on the round trip -# time. Closer parents are used more often. -# Usually used for background-ping parents. -# -# use 'carp' to define a set of parents which should -# be used as a CARP array. The requests will be -# distributed among the parents based on the CARP load -# balancing hash function based on their weight. -# -# 'multicast-responder' indicates the named peer -# is a member of a multicast group. ICP queries will -# not be sent directly to the peer, but ICP replies -# will be accepted from it. -# -# 'closest-only' indicates that, for ICP_OP_MISS -# replies, we'll only forward CLOSEST_PARENT_MISSes -# and never FIRST_PARENT_MISSes. -# -# use 'no-digest' to NOT request cache digests from -# this neighbor. -# -# 'no-netdb-exchange' disables requesting ICMP -# RTT database (NetDB) from the neighbor. 
-# -# use 'no-delay' to prevent access to this neighbor -# from influencing the delay pools. -# -# use 'login=user:password' if this is a personal/workgroup -# proxy and your parent requires proxy authentication. -# Note: The string can include URL escapes (i.e. %20 for -# spaces). This also means % must be written as %%. -# -# use 'login=PASS' if users must authenticate against -# the upstream proxy or in the case of a reverse proxy -# configuration, the origin web server. This will pass -# the users credentials as they are to the peer. -# This only works for the Basic HTTP authentication scheme. -# Note: To combine this with proxy_auth both proxies must -# share the same user database as HTTP only allows for -# a single login (one for proxy, one for origin server). -# Also be warned this will expose your users proxy -# password to the peer. USE WITH CAUTION -# -# use 'login=*:password' to pass the username to the -# upstream cache, but with a fixed password. This is meant -# to be used when the peer is in another administrative -# domain, but it is still needed to identify each user. -# The star can optionally be followed by some extra -# information which is added to the username. This can -# be used to identify this proxy to the peer, similar to -# the login=username:password option above. -# -# use 'connect-timeout=nn' to specify a peer -# specific connect timeout (also see the -# peer_connect_timeout directive) -# -# use 'digest-url=url' to tell Squid to fetch the cache -# digest (if digests are enabled) for this host from -# the specified URL rather than the Squid default -# location. -# -# use 'allow-miss' to disable Squid's use of only-if-cached -# when forwarding requests to siblings. This is primarily -# useful when icp_hit_stale is used by the sibling. To -# extensive use of this option may result in forwarding -# loops, and you should avoid having two-way peerings -# with this option. 
(for example to deny peer usage on -# requests from peer by denying cache_peer_access if the -# source is a peer) -# -# use 'max-conn=n' to limit the amount of connections Squid -# may open to this peer. -# -# use 'htcp' to send HTCP, instead of ICP, queries -# to the neighbor. You probably also want to -# set the "icp port" to 4827 instead of 3130. -# You MUST also set htcp_access expicitly. The default of -# deny all will prevent peer traffic. -# -# use 'htcp-oldsquid' to send HTCP to old Squid versions -# You MUST also set htcp_access expicitly. The default of -# deny all will prevent peer traffic. -# -# 'originserver' causes this parent peer to be contacted as -# a origin server. Meant to be used in accelerator setups. -# -# use 'name=xxx' if you have multiple peers on the same -# host but different ports. This name can be used to -# differentiate the peers in cache_peer_access and similar -# directives. -# -# use 'forceddomain=name' to forcibly set the Host header -# of requests forwarded to this peer. Useful in accelerator -# setups where the server (peer) expects a certain domain -# name and using redirectors to feed this domain name -# is not feasible. -# -# use 'ssl' to indicate connections to this peer should -# be SSL/TLS encrypted. -# -# use 'sslcert=/path/to/ssl/certificate' to specify a client -# SSL certificate to use when connecting to this peer. -# -# use 'sslkey=/path/to/ssl/key' to specify the private SSL -# key corresponding to sslcert above. If 'sslkey' is not -# specified 'sslcert' is assumed to reference a -# combined file containing both the certificate and the key. -# -# use sslversion=1|2|3|4 to specify the SSL version to use -# when connecting to this peer -# 1 = automatic (default) -# 2 = SSL v2 only -# 3 = SSL v3 only -# 4 = TLS v1 only -# -# use sslcipher=... to specify the list of valid SSL ciphers -# to use when connecting to this peer. -# -# use ssloptions=... 
to specify various SSL engine options: -# NO_SSLv2 Disallow the use of SSLv2 -# NO_SSLv3 Disallow the use of SSLv3 -# NO_TLSv1 Disallow the use of TLSv1 -# See src/ssl_support.c or the OpenSSL documentation for -# a more complete list. -# -# use sslcafile=... to specify a file containing -# additional CA certificates to use when verifying the -# peer certificate. -# -# use sslcapath=... to specify a directory containing -# additional CA certificates to use when verifying the -# peer certificate. -# -# use sslcrlfile=... to specify a certificate revocation -# list file to use when verifying the peer certificate. -# -# use sslflags=... to specify various flags modifying the -# SSL implementation: +# multicast-siblings +# To be used only for cache peers of type "multicast". +# ALL members of this multicast group have "sibling" +# relationship with it, not "parent". This is to a mulicast +# group when the requested object would be fetched only from +# a "parent" cache, anyway. It's useful, e.g., when +# configuring a pool of redundant Squid proxies, being +# members of the same multicast group. +# +# +# ==== PEER SELECTION OPTIONS ==== +# +# weight=N use to affect the selection of a peer during any weighted +# peer-selection mechanisms. +# The weight must be an integer; default is 1, +# larger weights are favored more. +# This option does not affect parent selection if a peering +# protocol is not in use. +# +# basetime=N Specify a base amount to be subtracted from round trip +# times of parents. +# It is subtracted before division by weight in calculating +# which parent to fectch from. If the rtt is less than the +# base time the rtt is set to a minimal value. +# +# ttl=N Specify a IP multicast TTL to use when sending an ICP +# queries to this address. +# Only useful when sending to a multicast group. +# Because we don't accept ICP replies from random +# hosts, you must configure other group members as +# peers with the 'multicast-responder' option. 
+# +# no-delay To prevent access to this neighbor from influencing the +# delay pools. +# +# digest-url=URL Tell Squid to fetch the cache digest (if digests are +# enabled) for this host from the specified URL rather +# than the Squid default location. +# +# +# ==== ACCELERATOR / REVERSE-PROXY OPTIONS ==== +# +# originserver Causes this parent to be contacted as an origin server. +# Meant to be used in accelerator setups when the peer +# is a web server. +# +# forceddomain=name +# Set the Host header of requests forwarded to this peer. +# Useful in accelerator setups where the server (peer) +# expects a certain domain name but clients may request +# others. ie example.com or www.example.com +# +# no-digest Disable request of cache digests. +# +# no-netdb-exchange +# Disables requesting ICMP RTT database (NetDB). +# +# +# ==== AUTHENTICATION OPTIONS ==== +# +# login=user:password +# If this is a personal/workgroup proxy and your parent +# requires proxy authentication. +# +# Note: The string can include URL escapes (i.e. %20 for +# spaces). This also means % must be written as %%. +# +# login=PROXYPASS +# Send login details received from client to this peer. +# Authentication is not required, nor changed. +# +# Note: This will pass any form of authentication but +# only Basic auth will work through a proxy unless the +# connection-auth options are also used. +# +# login=PASS Send login details received from client to this peer. +# Authentication is not required by this option. +# If there are no client-provided authentication headers +# to pass on, but username and password are available +# from either proxy login or an external ACL user= and +# password= result tags they may be sent instead. +# +# Note: To combine this with proxy_auth both proxies must +# share the same user database as HTTP only allows for +# a single login (one for proxy, one for origin server). +# Also be warned this will expose your users proxy +# password to the peer. 
USE WITH CAUTION +# +# login=*:password +# Send the username to the upstream cache, but with a +# fixed password. This is meant to be used when the peer +# is in another administrative domain, but it is still +# needed to identify each user. +# The star can optionally be followed by some extra +# information which is added to the username. This can +# be used to identify this proxy to the peer, similar to +# the login=username:password option above. +# +# connection-auth=on|off +# Tell Squid that this peer does or not support Microsoft +# connection oriented authentication, and any such +# challenges received from there should be ignored. +# Default is auto to automatically determine the status +# of the peer. +# +# +# ==== SSL / HTTPS / TLS OPTIONS ==== +# +# ssl Encrypt connections to this peer with SSL/TLS. +# +# sslcert=/path/to/ssl/certificate +# A client SSL certificate to use when connecting to +# this peer. +# +# sslkey=/path/to/ssl/key +# The private SSL key corresponding to sslcert above. +# If 'sslkey' is not specified 'sslcert' is assumed to +# reference a combined file containing both the +# certificate and the key. +# +# sslversion=1|2|3|4 +# The SSL version to use when connecting to this peer +# 1 = automatic (default) +# 2 = SSL v2 only +# 3 = SSL v3 only +# 4 = TLS v1 only +# +# sslcipher=... The list of valid SSL ciphers to use when connecting +# to this peer. +# +# ssloptions=... Specify various SSL engine options: +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1 +# See src/ssl_support.c or the OpenSSL documentation for +# a more complete list. +# +# sslcafile=... A file containing additional CA certificates to use +# when verifying the peer certificate. +# +# sslcapath=... A directory containing additional CA certificates to +# use when verifying the peer certificate. +# +# sslcrlfile=... A certificate revocation list file to use when +# verifying the peer certificate. 
+# +# sslflags=... Specify various flags modifying the SSL implementation: +# # DONT_VERIFY_PEER # Accept certificates even if they fail to # verify. 
@@ -1376,19 +1767,54 @@ http_port 3128 # DONT_VERIFY_DOMAIN # Don't verify the peer certificate # matches the server name -# -# use ssldomain= to specify the peer name as advertised -# in it's certificate. Used for verifying the correctness -# of the received peer certificate. If not specified the -# peer hostname will be used. -# -# use front-end-https to enable the "Front-End-Https: On" -# header needed when using Squid as a SSL frontend in front -# of Microsoft OWA. See MS KB document Q307347 for details -# on this header. If set to auto the header will -# only be added if the request is forwarded as a https:// -# URL. -# +# +# ssldomain= The peer name as advertised in it's certificate. +# Used for verifying the correctness of the received peer +# certificate. If not specified the peer hostname will be +# used. +# +# front-end-https +# Enable the "Front-End-Https: On" header needed when +# using Squid as a SSL frontend in front of Microsoft OWA. +# See MS KB document Q307347 for details on this header. +# If set to auto the header will only be added if the +# request is forwarded as a https:// URL. +# +# +# ==== GENERAL OPTIONS ==== +# +# connect-timeout=N +# A peer-specific connect timeout. +# Also see the peer_connect_timeout directive. +# +# connect-fail-limit=N +# How many times connecting to a peer must fail before +# it is marked as down. Default is 10. +# +# allow-miss Disable Squid's use of only-if-cached when forwarding +# requests to siblings. This is primarily useful when +# icp_hit_stale is used by the sibling. To extensive use +# of this option may result in forwarding loops, and you +# should avoid having two-way peerings with this option. +# For example to deny peer usage on requests from peer +# by denying cache_peer_access if the source is a peer. +# +# max-conn=N Limit the amount of connections Squid may open to this +# peer. see also +# +# name=xxx Unique name for the peer. 
+# Required if you have multiple peers on the same host +# but different ports. +# This name can be used in cache_peer_access and similar +# directives to dentify the peer. +# Can be used by outgoing access controls through the +# peername ACL type. +# +# no-tproxy Do not use the client-spoof TPROXY support when forwarding +# requests to this peer. Use normal address selection instead. +# +# proxy-only objects fetched from the peer will not be stored locally. +# #Default: # none @@ -1418,7 +1844,6 @@ http_port 3128 # * There are no defaults. # * There is also a 'cache_peer_access' tag in the ACL # section. -# #Default: # none @@ -1430,8 +1855,7 @@ http_port 3128 # # The syntax is identical to 'http_access' and the other lists of # ACL elements. See the comments for 'http_access' below, or -# the Squid FAQ (http://www.squid-cache.org/FAQ/FAQ-10.html). -# +# the Squid FAQ (http://wiki.squid-cache.org/SquidFaq/SquidAcl). #Default: # none @@ -1449,7 +1873,6 @@ http_port 3128 # cache_peer cache.foo.org parent 3128 3130 # neighbor_type_domain cache.foo.org sibling .com .net # neighbor_type_domain cache.foo.org sibling .au .de -# #Default: # none 
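Review bot: In the reorganised `==== AUTHENTICATION OPTIONS ====` group the "expose your users proxy password to the peer" warning is attached only to `login=PASS`, while the new `login=PROXYPASS` forwards the same client credentials and `login=user:password` embeds a static secret, and none of the three says the credential travels in the clear unless the peer line also carries `ssl`. I would open the group with `# Credentials sent with any login= form travel in the clear unless this cache_peer line also uses the ssl option; login=user:password also stores a secret in squid.conf, so restrict the file's permissions.` The `sslflags=` entries `DONT_VERIFY_PEER` and `DONT_VERIFY_DOMAIN` later in the same hunk likewise lack the "dangerous" caution that sslproxy_cert_error carries; a one-line `# Disabling verification lets any host able to intercept the connection pose as the peer.` would align them. The hunk's other new options (connection-auth=on|off, no-tproxy, connect-fail-limit) look fine as documented.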
@@ -1468,19 +1891,25 @@ http_port 3128 # your time between requests is greater than this timeout, you # will see a lot of requests sent DIRECT to origin servers # instead of to your parents. -# #Default: # dead_peer_timeout 10 seconds +# TAG: forward_max_tries +# Controls how many different forward paths Squid will try +# before giving up. See also forward_timeout. +#Default: +# forward_max_tries 10 + # TAG: hierarchy_stoplist # A list of words which, if found in a URL, cause the object to # be handled directly by this cache. In other words, use this # to not query neighbor caches for certain objects. You may # list this option multiple times. # Note: never_direct overrides this option. -#We recommend you to use at least the following line. -hierarchy_stoplist cgi-bin ? +# +# We recommend you to use at least the following line. +hierarchy_stoplist cgi-bin ? # MEMORY CACHE OPTIONS # ----------------------------------------------------------------------------- @@ -1515,29 +1944,25 @@ hierarchy_stoplist cgi-bin ? # decreases, blocks will be freed until the high-water mark is # reached. Thereafter, blocks will be used to store hot # objects. -# #Default: -# cache_mem 8 MB +# cache_mem 256 MB # TAG: maximum_object_size_in_memory (bytes) # Objects greater than this size will not be attempted to kept in # the memory cache. This should be set high enough to keep objects # accessed frequently in memory to improve performance whilst low # enough to keep larger objects from hoarding cache_mem. -# #Default: -# maximum_object_size_in_memory 8 KB +# maximum_object_size_in_memory 512 KB # TAG: memory_replacement_policy # The memory replacement policy parameter determines which # objects are purged from memory when memory space is needed. # # See cache_replacement_policy for details. -# #Default: # memory_replacement_policy lru - # DISK CACHE OPTIONS # ----------------------------------------------------------------------------- 
@@ -1575,7 +2000,6 @@ hierarchy_stoplist cgi-bin ? # For more information about the GDSF and LFUDA cache replacement # policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html # and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html. -# #Default: # cache_replacement_policy lru @@ -1653,6 +2077,10 @@ hierarchy_stoplist cgi-bin ? # # The coss store type: # +# NP: COSS filesystem in Squid-3 has been deemed too unstable for +# production use and has thus been removed from this release. +# We hope that it can be made usable again soon. +# # block-size=n defines the "block size" for COSS cache_dir's. # Squid uses file numbers as block numbers. Since file numbers # are limited to 24 bits, the block size determines the maximum @@ -1665,10 +2093,6 @@ hierarchy_stoplist cgi-bin ? # called 'stripe' in the directory names in the config - and # this will be created by squid -z. # -# The null store type: -# -# no options are allowed or required -# # Common options: # # no-store, no new objects should be stored to this cache_dir @@ -1684,11 +2108,10 @@ hierarchy_stoplist cgi-bin ? # option. # #Default: -cache_dir ufs /var/cache/squid/ 100 16 256 +cache_dir ufs /var/cache/squid/ 256 16 256 # TAG: store_dir_select_algorithm # Set this to 'round-robin' as an alternative. -# #Default: # store_dir_select_algorithm least-load @@ -1698,7 +2121,6 @@ cache_dir ufs /var/cache/squid/ 100 16 256 # descriptors are open. # # A value of 0 indicates no limit. -# #Default: # max_open_disk_fds 0 @@ -1706,7 +2128,6 @@ cache_dir ufs /var/cache/squid/ 100 16 256 # Objects smaller than this size will NOT be saved on disk. The # value is specified in kilobytes, and the default is 0 KB, which # means there is no minimum. -# #Default: # minimum_object_size 0 KB 
@@ -1721,7 +2142,6 @@ cache_dir ufs /var/cache/squid/ 100 16 256 # NOTE: if using the LFUDA replacement policy you should increase # this value to maximize the byte hit rate improvement of LFUDA! # See replacement_policy below for a discussion of this policy. -# #Default: # maximum_object_size 4096 KB @@ -1738,12 +2158,10 @@ cache_dir ufs /var/cache/squid/ 100 16 256 # Defaults are 90% and 95%. If you have a large cache, 5% could be # hundreds of MB. If this is the case you may wish to set these # numbers closer together. -# #Default: # cache_swap_low 90 # cache_swap_high 95 - # LOGFILE OPTIONS # ----------------------------------------------------------------------------- @@ -1776,6 +2194,7 @@ cache_dir ufs /var/cache/squid/ 100 16 256 # # Format codes: # +# % a literal % character # >a Client source IP address # >A Client FQDN # >p Client source port 
@@ -1785,39 +2204,98 @@ cache_dir ufs /var/cache/squid/ 100 16 256 # ts Seconds since epoch # tu subsecond time (milliseconds) # tl Local time. Optional strftime format argument -# default %d/%b/%Y:%H:%M:%S %z +# default %d/%b/%Y:%H:%M:%S %z # tg GMT time. Optional strftime format argument -# default %d/%b/%Y:%H:%M:%S %z +# default %d/%b/%Y:%H:%M:%S %z # tr Response time (milliseconds) -# >h Request header. Optional header name argument -# on the format header[:[separator]element] -# h -# un User name -# ul User name from authentication -# ui User name from ident -# us User name from SSL -# ue User name from external acl helper -# Hs HTTP status code -# Ss Squid request status (TCP_MISS etc) -# Sh Squid hierarchy status (DEFAULT_PARENT etc) -# mt MIME content type -# rm Request method (GET/POST etc) -# ru Request URL -# rp Request URL-Path excluding hostname -# rv Request protocol version -# et Tag returned by external acl -# ea Log string returned by external acl -# a %Ss/%03Hs %a %Ss/%03Hs %h] [%a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %h" "%{User-Agent}>h" %Ss:%Sh +# HTTP cache related format codes: # +# [http::]>h Original request header. Optional header name argument +# on the format header[:[separator]element] +# [http::]>ha The HTTP request headers after adaptation and redirection. +# Optional header name argument as for >h +# [http::]h +# [http::]un User name +# [http::]ul User name from authentication +# [http::]ui User name from ident +# [http::]us User name from SSL +# [http::]ue User name from external acl helper +# [http::]>Hs HTTP status code sent to the client +# [http::]st Received request size including HTTP headers. 
In the +# case of chunked requests the chunked encoding metadata +# are not included +# [http::]>sh Received HTTP request headers size +# [http::]a %Ss/%03>Hs %a %Ss/%03>Hs %h] [%a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh #Default: # none 
@@ -1843,31 +2321,121 @@ cache_dir ufs /var/cache/squid/ 100 16 256 # # And priority could be any of: # err, warning, notice, info, debug. +# +# Default: +# access_log /var/log/squid/logs/access.log squid +#Default: access_log /var/log/squid/access.log squid +# TAG: icap_log +# Note: This option is only available if Squid is rebuilt with the +# --enable-icap-client option +# +# ICAP log files record ICAP transaction summaries, one line per +# transaction. +# +# The icap_log option format is: +# icap_log [ [acl acl ...]] +# icap_log none [acl acl ...]] +# +# Please see access_log option documentation for details. The two +# kinds of logs share the overall configuration approach and many +# features. +# +# ICAP processing of a single HTTP message or transaction may +# require multiple ICAP transactions. In such cases, multiple +# ICAP transaction log lines will correspond to a single access +# log line. +# +# ICAP log uses logformat codes that make sense for an ICAP +# transaction. Header-related codes are applied to the HTTP header +# embedded in an ICAP server response, with the following caveats: +# For REQMOD, there is no HTTP response header unless the ICAP +# server performed request satisfaction. For RESPMOD, the HTTP +# request header is the header sent to the ICAP server. For +# OPTIONS, there are no HTTP headers. +# +# The following format codes are also available for ICAP logs: +# +# icap::st Bytes sent to the ICAP server (TCP payload +# only; i.e., what Squid writes to the socket). +# +# icap::h ICAP request header(s). Similar to >h. +# +# icap::a %icap::to/%03icap::Hs %icap::'. # +# Note, from Squid-3.1 this option has no effect on the cache.log, +# that log can be rotated separately by using debug_options #Default: logfile_rotate 0 
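Review bot: The active `access_log /var/log/squid/access.log squid` line now sits directly under a `# Default:` example that still names `/var/log/squid/logs/access.log`, so this hunk documents two different default paths for the same log and the `logs/` subdirectory no longer matches the path actually in use. A one-line packager comment above the active line, `# logs live directly in /var/log/squid; there is no logs/ subdirectory`, would keep someone who uncomments the example from writing into a directory that does not exist. The retained `logfile_rotate 0` is also affected by the new text saying cache.log is no longer rotated by this directive; a comment next to it noting that cache.log must be bounded externally or via a `rotate=N` option on debug_options would make the operational consequence explicit.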
@@ -1927,7 +2496,6 @@ logfile_rotate 0 # emulate_httpd_log to 'off' or 'on'. The default # is to use the native log format since it includes useful # information Squid-specific log analyzers use. -# #Default: # emulate_httpd_log off @@ -1935,7 +2503,6 @@ logfile_rotate 0 # Log the destination IP address in the hierarchy log tag when going # direct. Earlier Squid versions logged the hostname here. If you # prefer the old way set this to off. -# #Default: # log_ip_on_direct on @@ -1943,7 +2510,6 @@ logfile_rotate 0 # Pathname to Squid's MIME table. You shouldn't need to change # this, but the default file contains examples and formatting # information if you do. -# #Default: # mime_table /etc/squid/mime.conf @@ -1953,7 +2519,6 @@ logfile_rotate 0 # safely and will appear as two bracketed fields at the end of # the access log (for either the native or httpd-emulated log # formats). To enable this logging set log_mime_hdrs to 'on'. -# #Default: # log_mime_hdrs off @@ -1964,7 +2529,6 @@ logfile_rotate 0 # Squid will write the User-Agent field from HTTP requests # to the filename specified here. By default useragent_log # is disabled. -# #Default: # none @@ -1977,13 +2541,11 @@ logfile_rotate 0 # Note that "referer" is actually a misspelling of "referrer" # however the misspelt version has been accepted into the HTTP RFCs # and we accept both. -# #Default: # none # TAG: pid_filename # A filename to write the process-id to. To disable, enter "none". -# #Default: pid_filename /var/run/squid/squid.pid @@ -2004,7 +2566,6 @@ pid_filename /var/run/squid/squid.pid # IP's connecting to it. This can (in some situations) increase # latency, which makes your cache seem slower for interactive # browsing. -# #Default: # log_fqdn off 
@@ -2013,9 +2574,8 @@ pid_filename /var/run/squid/squid.pid # Change this to protect the privacy of your cache clients. # A netmask of 255.255.255.0 will log all IP's in that range with # the last digit set to '0'. -# #Default: -# client_netmask 255.255.255.255 +# client_netmask no_addr # TAG: forward_log # Note: This option is only available if Squid is rebuilt with the @@ -2024,14 +2584,12 @@ pid_filename /var/run/squid/squid.pid # Logs the server-side requests. # # This is currently work in progress. -# #Default: # none # TAG: strip_query_terms # By default, Squid strips query terms from requested URLs before # logging. This protects your user's privacy. -# #Default: # strip_query_terms on 
@@ -2041,10 +2599,54 @@ pid_filename /var/run/squid/squid.pid # Buffering it can speed up the writing slightly (though you are # unlikely to need to worry unless you run with tons of debugging # enabled in which case performance will suffer badly anyway..). -# #Default: # buffered_logs off +# TAG: netdb_filename +# Note: This option is only available if Squid is rebuilt with the +# --enable-icmp option +# +# A filename where Squid stores it's netdb state between restarts. +# To disable, enter "none". +#Default: +# netdb_filename /var/log/squid/logs/netdb.state + +# OPTIONS FOR TROUBLESHOOTING +# ----------------------------------------------------------------------------- + +# TAG: cache_log +# Cache logging file. This is where general information about +# your cache's behavior goes. You can increase the amount of data +# logged to this file and how often its rotated with "debug_options" +#Default: +cache_log /var/log/squid/cache.log + +# TAG: debug_options +# Logging options are set as section,level where each source file +# is assigned a unique section. Lower levels result in less +# output, Full debugging (level 9) can result in a very large +# log file, so be careful. +# +# The magic word "ALL" sets debugging levels for all sections. +# We recommend normally running with "ALL,1". +# +# The rotate=N option can be used to keep more or less of these logs +# than would otherwise be kept by logfile_rotate. +# For most uses a single log should be enough to monitor current +# events affecting Squid. +#Default: +# debug_options ALL,1 + +# TAG: coredump_dir +# By default Squid leaves core files in the directory from where +# it was started. If you set 'coredump_dir' to a directory +# that exists, Squid will chdir() to that directory at startup +# and coredump files will be left there. +# +#Default: +# coredump_dir none +# + # OPTIONS FOR FTP GATEWAYING # ----------------------------------------------------------------------------- 
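Review bot: The new `coredump_dir` entry is shipped at its `none` default, which the accompanying text says leaves core files in whatever directory Squid was started from; a core image of a running proxy can contain in-flight request bodies and client credentials, so where it lands matters. Since the shipped config already uses `/var/cache/squid/` as its `cache_dir`, an active `coredump_dir /var/cache/squid` would keep any dump inside a directory owned by the cache user and make it easy to find when debugging. Separately, the commented `netdb_filename` default still points at `/var/log/squid/logs/netdb.state` while the active `cache_log /var/log/squid/cache.log` in the same hunk uses no `logs/` subdirectory, so that default looks stale and should be set explicitly if ICMP netdb is compiled in.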
@@ -2059,7 +2661,6 @@ pid_filename /var/run/squid/squid.pid # depending on how the cache is used. # Some ftp server also validate the email address is valid # (for example perl.com). -# #Default: # ftp_user Squid@ @@ -2067,7 +2668,6 @@ pid_filename /var/run/squid/squid.pid # Sets the width of ftp listings. This should be set to fit in # the width of a standard browser. Setting this too small # can cut off long filenames when browsing ftp sites. -# #Default: # ftp_list_width 32 
@@ -2075,16 +2675,51 @@ pid_filename /var/run/squid/squid.pid # If your firewall does not allow Squid to use passive # connections, turn off this option. # +# Use of ftp_epsv_all option requires this to be ON. #Default: # ftp_passive on +# TAG: ftp_epsv_all +# FTP Protocol extensions permit the use of a special "EPSV ALL" command. +# +# NATs may be able to put the connection on a "fast path" through the +# translator, as the EPRT command will never be used and therefore, +# translation of the data portion of the segments will never be needed. +# +# When a client only expects to do two-way FTP transfers this may be +# useful. +# If squid finds that it must do a three-way FTP transfer after issuing +# an EPSV ALL command, the FTP session will fail. +# +# If you have any doubts about this option do not use it. +# Squid will nicely attempt all other connection methods. +# +# Requires ftp_passive to be ON (default) for any effect. +#Default: +# ftp_epsv_all off + +# TAG: ftp_epsv +# FTP Protocol extensions permit the use of a special "EPSV" command. +# +# NATs may be able to put the connection on a "fast path" through the +# translator using EPSV, as the EPRT command will never be used +# and therefore, translation of the data portion of the segments +# will never be needed. +# +# Turning this OFF will prevent EPSV being attempted. +# WARNING: Doing so will convert Squid back to the old behavior with all +# the related problems with external NAT devices/layers. +# +# Requires ftp_passive to be ON (default) for any effect. +#Default: +# ftp_epsv on + # TAG: ftp_sanitycheck # For security and data integrity reasons Squid by default performs # sanity checks of the addresses of FTP data connections ensure the # data connection is to the requested server. If you need to allow # FTP connections to servers using another IP address for the data # connection turn this off. -# #Default: # ftp_sanitycheck on 
@@ -2099,11 +2734,9 @@ pid_filename /var/run/squid/squid.pid # try setting this directive to off. If that helps, report to the # operator of the FTP server in question that their FTP server # is broken and does not follow the FTP standard. -# #Default: # ftp_telnet_protocol on - # OPTIONS FOR EXTERNAL SUPPORT PROGRAMS # ----------------------------------------------------------------------------- @@ -2111,13 +2744,11 @@ pid_filename /var/run/squid/squid.pid # Specify the location of the diskd executable. # Note this is only useful if you have compiled in # diskd as one of the store io modules. -# #Default: # diskd_program /usr/libexec/diskd # TAG: unlinkd_program # Specify the location of the executable for file deletion process. -# #Default: # unlinkd_program /usr/libexec/unlinkd @@ -2126,10 +2757,18 @@ pid_filename /var/run/squid/squid.pid # --enable-icmp option # # Specify the location of the executable for the pinger process. -# #Default: # pinger_program /usr/libexec/pinger +# TAG: pinger_enable +# Note: This option is only available if Squid is rebuilt with the +# --enable-icmp option +# +# Control whether the pinger is active at run-time. +# Enables turning ICMP pinger on and off with a simple +# squid -k reconfigure. +#Default: +# pinger_enable off # OPTIONS FOR URL REWRITING # ----------------------------------------------------------------------------- @@ -2155,7 +2794,6 @@ pid_filename /var/run/squid/squid.pid # URL with "301:" (moved permanently) or 302: (moved temporarily). # # By default, a URL rewriter is not used. -# #Default: # none @@ -2164,7 +2802,6 @@ pid_filename /var/run/squid/squid.pid # too few Squid will have to wait for them to process a backlog of # URLs, slowing it down. If you start too many they will use RAM # and other system resources. -# #Default: # url_rewrite_children 5 
@@ -2173,6 +2810,11 @@ pid_filename /var/run/squid/squid.pid # parallel. Defaults to 0 which indicates the redirector # is a old-style single threaded redirector. # +# When this directive is set to a value >= 1 then the protocol +# used to communicate with the helper is modified to include +# a request ID in front of the request/response. The request +# ID from the request must be echoed back with the response +# to that request. #Default: # url_rewrite_concurrency 0 @@ -2183,7 +2825,6 @@ pid_filename /var/run/squid/squid.pid # # WARNING: Entries are cached on the result of the URL rewriting # process, so be careful if you have domain-virtual hosts. -# #Default: # url_rewrite_host_header on @@ -2192,6 +2833,8 @@ pid_filename /var/run/squid/squid.pid # sent to the redirector processes. By default all requests # are sent. # +# This clause supports both fast and slow acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: # none 
@@ -2205,26 +2848,26 @@ pid_filename /var/run/squid/squid.pid # redirectors for access control, and you enable this option, # users may have access to pages they should not # be allowed to request. -# #Default: # url_rewrite_bypass off - # OPTIONS FOR TUNING THE CACHE # ----------------------------------------------------------------------------- # TAG: cache -# A list of ACL elements which, if matched, cause the request to +# A list of ACL elements which, if matched and denied, cause the request to # not be satisfied from the cache and the reply to not be cached. # In other words, use this to force certain objects to never be cached. # -# You must use the word 'DENY' to indicate the ACL names which should -# NOT be cached. +# You must use the words 'allow' or 'deny' to indicate whether items +# matching the ACL should be allowed or denied into the cache. # -# Default is to allow all to be cached -#We recommend you to use the following two lines. -acl QUERY urlpath_regex cgi-bin \? -cache deny QUERY +# Default is to allow all to be cached. +# +# This clause supports both fast and slow acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# none # TAG: refresh_pattern # usage: refresh_pattern [-i] regex min percent max [options] 
@@ -2251,14 +2894,21 @@ cache deny QUERY # ignore-reload # ignore-no-cache # ignore-no-store +# ignore-must-revalidate # ignore-private # ignore-auth # refresh-ims # # override-expire enforces min age even if the server -# sent a Expires: header. Doing this VIOLATES the HTTP -# standard. Enabling this feature could make you liable -# for problems which it causes. +# sent an explicit expiry time (e.g., with the +# Expires: header or Cache-Control: max-age). Doing this +# VIOLATES the HTTP standard. Enabling this feature +# could make you liable for problems which it causes. +# +# Note: override-expire does not enforce staleness - it only extends +# freshness / min. If the server returns a Expires time which +# is longer than your max time, Squid will still consider +# the object fresh for that period of time. # # override-lastmod enforces min age even on objects # that were modified recently. @@ -2284,6 +2934,11 @@ cache deny QUERY # the HTTP standard. Enabling this feature could make you # liable for problems which it causes. # +# ignore-must-revalidate ignores any ``Cache-Control: must-revalidate`` +# headers received from a server. Doing this VIOLATES +# the HTTP standard. Enabling this feature could make you +# liable for problems which it causes. +# # ignore-private ignores any ``Cache-control: private'' # headers received from a server. Doing this VIOLATES # the HTTP standard. Enabling this feature could make you @@ -2316,9 +2971,12 @@ cache deny QUERY # to change one. The default setting is only active if none is # used. # -#Suggested default: +# + +# Add any of your own refresh_pattern entries above these. refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 +refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 0 20% 4320 # TAG: quick_abort_min (KB) 
@@ -2350,7 +3008,6 @@ refresh_pattern . 0 20% 4320 # # If you want retrievals to always continue if they are being # cached set 'quick_abort_min' to '-1 KB'. -# #Default: # quick_abort_min 16 KB # quick_abort_max 16 KB @@ -2359,25 +3016,29 @@ refresh_pattern . 0 20% 4320 # TAG: read_ahead_gap buffer-size # The amount of data the cache will buffer ahead of what has been # sent to the client when retrieving an object from another server. -# #Default: # read_ahead_gap 16 KB # TAG: negative_ttl time-units -# Time-to-Live (TTL) for failed requests. Certain types of -# failures (such as "connection refused" and "404 Not Found") are -# negatively-cached for a configurable amount of time. The -# default is 5 minutes. Note that this is different from -# negative caching of DNS lookups. +# Set the Default Time-to-Live (TTL) for failed requests. +# Certain types of failures (such as "connection refused" and +# "404 Not Found") are able to be negatively-cached for a short time. +# Modern web servers should provide Expires: header, however if they +# do not this can provide a minimum TTL. +# The default is not to cache errors with unknown expiry details. # +# Note that this is different from negative caching of DNS lookups. +# +# WARNING: Doing this VIOLATES the HTTP standard. Enabling +# this feature could make you liable for problems which it +# causes. #Default: -# negative_ttl 5 minutes +# negative_ttl 0 seconds # TAG: positive_dns_ttl time-units # Upper limit on how long Squid will cache positive DNS responses. # Default is 6 hours (360 minutes). This directive must be set # larger than negative_dns_ttl. -# #Default: # positive_dns_ttl 6 hours @@ -2386,7 +3047,6 @@ refresh_pattern . 0 20% 4320 # This also sets the lower cache limit on positive lookups. # Minimum value is 1 second, and it is not recommendable to go # much below 10 seconds. -# #Default: # negative_dns_ttl 1 minutes 
@@ -2400,32 +3060,34 @@ refresh_pattern . 0 20% 4320 # from making Squid fetch the whole object up to that point before # sending anything to the client. # -# A value of -1 causes Squid to always fetch the object from the -# beginning so it may cache the result. (2.0 style) -# # A value of 0 causes Squid to never fetch more than the # client requested. (default) # +# A value of -1 causes Squid to always fetch the object from the +# beginning so it may cache the result. (2.0 style) +# +# NP: Using -1 here will override any quick_abort settings that may +# otherwise apply to the range request. The range request will +# be fully fetched from start to finish regardless of the client +# actions. This affects bandwidth usage. #Default: # range_offset_limit 0 KB # TAG: minimum_expiry_time (seconds) # The minimum caching time according to (Expires - Date) # Headers Squid honors if the object can't be revalidated -# defaults to 60 seconds. In reverse proxy enorinments it +# defaults to 60 seconds. In reverse proxy environments it # might be desirable to honor shorter object lifetimes. It # is most likely better to make your server return a # meaningful Last-Modified header however. In ESI environments # where page fragments often have short lifetimes, this will # often be best set to 0. -# #Default: # minimum_expiry_time 60 seconds # TAG: store_avg_object_size (kbytes) # Average object size, used to estimate number of objects your # cache can hold. The default is 13 KB. -# #Default: # store_avg_object_size 13 KB @@ -2433,11 +3095,9 @@ refresh_pattern . 0 20% 4320 # Target number of objects per bucket in the store hash table. # Lowering this value increases the total number of buckets and # also the storage maintenance rate. The default is 20. -# #Default: # store_objects_per_bucket 20 - # HTTP OPTIONS # ----------------------------------------------------------------------------- 
@@ -2447,9 +3107,8 @@ refresh_pattern . 0 20% 4320 # Placing a limit on the request header size will catch certain # bugs (for example with persistent connections) and possibly # buffer-overflow or denial-of-service attacks. -# #Default: -# request_header_max_size 20 KB +# request_header_max_size 64 KB # TAG: reply_header_max_size (KB) # This specifies the maximum size for HTTP headers in a reply. @@ -2457,9 +3116,8 @@ refresh_pattern . 0 20% 4320 # Placing a limit on the reply header size will catch certain # bugs (for example with persistent connections) and possibly # buffer-overflow or denial-of-service attacks. -# #Default: -# reply_header_max_size 20 KB +# reply_header_max_size 64 KB # TAG: request_body_max_size (bytes) # This specifies the maximum size for an HTTP request body. 
@@ -2468,10 +3126,32 @@ refresh_pattern . 0 20% 4320 # than this limit receives an "Invalid Request" error message. # If you set this parameter to a zero (the default), there will # be no limit imposed. -# #Default: # request_body_max_size 0 KB +# TAG: chunked_request_body_max_size (bytes) +# A broken or confused HTTP/1.1 client may send a chunked HTTP +# request to Squid. Squid does not have full support for that +# feature yet. To cope with such requests, Squid buffers the +# entire request and then dechunks request body to create a +# plain HTTP/1.0 request with a known content length. The plain +# request is then used by the rest of Squid code as usual. +# +# The option value specifies the maximum size of the buffer used +# to hold the request before the conversion. If the chunked +# request size exceeds the specified limit, the conversion +# fails, and the client receives an "unsupported request" error, +# as if dechunking was disabled. +# +# Dechunking is enabled by default. To disable conversion of +# chunked requests, set the maximum to zero. +# +# Request dechunking feature and this option in particular are a +# temporary hack. When chunking requests and responses are fully +# supported, there will be no need to buffer a chunked request. +#Default: +# chunked_request_body_max_size 64 KB + # TAG: broken_posts # A list of ACL elements which, if matched, causes Squid to send # an extra CRLF pair after the body of a PUT/POST request. 
@@ -2486,17 +3166,29 @@ refresh_pattern . 0 20% 4320 # forbidden by the BNF, an HTTP/1.1 client must not preface or follow # a request with an extra CRLF. # +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# #Example: # acl buggy_server url_regex ^http://.... # broken_posts allow buggy_server -# #Default: # none +# TAG: icap_uses_indirect_client on|off +# Note: This option is only available if Squid is rebuilt with the +# --enable-follow-x-forwarded-for and --enable-icap-client option +# +# Controls whether the indirect client address +# (see follow_x_forwarded_for) instead of the +# direct client address is passed to an ICAP +# server as "X-Client-IP". +#Default: +# icap_uses_indirect_client on + # TAG: via on|off # If set (default), Squid will include a Via header in requests and # replies as required by RFC2616. -# #Default: # via on @@ -2517,7 +3209,6 @@ refresh_pattern . 0 20% 4320 # the old Squid behavior, which is better for hit ratios but # worse for clients using IE, if they need to be able to # force fresh content. -# #Default: # ie_refresh off @@ -2527,19 +3218,12 @@ refresh_pattern . 0 20% 4320 # when requested by a HTTP/1.0 client. This option # enables Squid to ignore such expiry times until # HTTP/1.1 is fully implemented. -# WARNING: This may eventually cause some varying -# objects not intended for caching to get cached. # +# WARNING: If turned on this may eventually cause some +# varying objects not intended for caching to get cached. #Default: # vary_ignore_expire off -# TAG: extension_methods -# Squid only knows about standardized HTTP request methods. -# You can add up to 20 additional "extension" methods here. -# -#Default: -# none - # TAG: request_entities # Squid defaults to deny GET and HEAD requests with request entities, # as the meaning of such requests are undefined in the HTTP standard 
@@ -2550,7 +3234,6 @@ refresh_pattern . 0 20% 4320 # that there is server software (both proxies and web servers) which # can fail to properly process this kind of request which may make you # vulnerable to cache pollution attacks if enabled. -# #Default: # request_entities off @@ -2620,7 +3303,6 @@ refresh_pattern . 0 20% 4320 # # By default, all headers are allowed (no anonymizing is # performed). -# #Default: # none @@ -2693,7 +3375,6 @@ refresh_pattern . 0 20% 4320 # # By default, all headers are allowed (no anonymizing is # performed). -# #Default: # none @@ -2709,7 +3390,6 @@ refresh_pattern . 0 20% 4320 # This only applies to request headers, not reply headers. # # By default, headers are removed if denied. -# #Default: # none @@ -2725,10 +3405,18 @@ refresh_pattern . 0 20% 4320 # # If set to "off" then such HTTP errors will cause the request # or response to be rejected. -# #Default: # relaxed_header_parser on +# TAG: ignore_expect_100 on|off +# This option makes Squid ignore any Expect: 100-continue header present +# in the request. RFC 2616 requires that Squid being unable to satisfy +# the response expectation MUST return a 417 error. +# +# Note: Enabling this is a HTTP protocol violation, but some clients may +# not handle it well.. +#Default: +# ignore_expect_100 off # TIMEOUTS # ----------------------------------------------------------------------------- @@ -2736,7 +3424,6 @@ refresh_pattern . 0 20% 4320 # TAG: forward_timeout time-units # This parameter specifies how long Squid should at most attempt in # finding a forwarding path for the request before giving up. -# #Default: # forward_timeout 4 minutes @@ -2744,7 +3431,6 @@ refresh_pattern . 0 20% 4320 # This parameter specifies how long to wait for the TCP connect to # the requested server or peer to complete before Squid should # attempt to find another path where to forward the request. -# #Default: # connect_timeout 1 minute 
@@ -2753,7 +3439,6 @@ refresh_pattern . 0 20% 4320 # connection to a peer cache. The default is 30 seconds. You # may also set different timeout values for individual neighbors # with the 'connect-timeout' option on a 'cache_peer' line. -# #Default: # peer_connect_timeout 30 seconds @@ -2763,21 +3448,18 @@ refresh_pattern . 0 20% 4320 # amount. If no data is read again after this amount of time, # the request is aborted and logged with ERR_READ_TIMEOUT. The # default is 15 minutes. -# #Default: # read_timeout 15 minutes # TAG: request_timeout # How long to wait for an HTTP request after initial # connection establishment. -# #Default: # request_timeout 5 minutes # TAG: persistent_request_timeout # How long to wait for the next HTTP request on a persistent # connection after the previous request completes. -# #Default: # persistent_request_timeout 2 minutes @@ -2796,7 +3478,6 @@ refresh_pattern . 0 20% 4320 # If you seem to have many client connections tying up # filedescriptors, we recommend first tuning the read_timeout, # request_timeout, persistent_request_timeout and quick_abort values. -# #Default: # client_lifetime 1 day 
@@ -2804,19 +3485,21 @@ refresh_pattern . 0 20% 4320 # Some clients may shutdown the sending side of their TCP # connections, while leaving their receiving sides open. Sometimes, # Squid can not tell the difference between a half-closed and a -# fully-closed TCP connection. By default, half-closed client -# connections are kept open until a read(2) or write(2) on the -# socket returns an error. Change this option to 'off' and Squid -# will immediately close client connections when read(2) returns -# "no more data to read." +# fully-closed TCP connection. # +# By default, Squid will immediately close client connections when +# read(2) returns "no more data to read." +# +# Change this option to 'on' and Squid will keep open connections +# until a read(2) or write(2) on the socket returns an error. +# This may show some benefits for reverse proxies. But if not +# it is recommended to leave OFF. #Default: -# half_closed_clients on +# half_closed_clients off # TAG: pconn_timeout # Timeout for idle persistent connections to servers and other # proxies. -# #Default: # pconn_timeout 1 minute @@ -2826,7 +3509,6 @@ refresh_pattern . 0 20% 4320 # If this is too high, and you enabled IDENT lookups from untrusted # users, you might be susceptible to denial-of-service by having # many ident requests going at once. -# #Default: # ident_timeout 10 seconds @@ -2836,18 +3518,15 @@ refresh_pattern . 0 20% 4320 # This value is the lifetime to set for all open descriptors # during shutdown mode. Any active clients after this many # seconds will receive a 'timeout' message. -# #Default: # shutdown_lifetime 30 seconds - # ADMINISTRATIVE PARAMETERS # ----------------------------------------------------------------------------- # TAG: cache_mgr # Email-address of local cache manager who will receive # mail if the cache dies. The default is "webmaster." -# #Default: # cache_mgr webmaster 
@@ -2856,7 +3535,6 @@ refresh_pattern . 0 20% 4320 # The default is to use 'appname@unique_hostname'. # Default appname value is "squid", can be changed into # src/globals.h before building squid. -# #Default: # none @@ -2867,7 +3545,6 @@ refresh_pattern . 0 20% 4320 # mail-program recipient < mailfile # # Optional command line options can be specified. -# #Default: # mail_program mail @@ -2876,7 +3553,6 @@ refresh_pattern . 0 20% 4320 # UID/GID to the user specified below. The default is to change # to UID of nobody. # see also; cache_effective_group -# #Default: cache_effective_user nobody @@ -2896,13 +3572,11 @@ cache_effective_user nobody # This option is not recommended by the Squid Team. # Our preference is for administrators to configure a secure # user account for squid with UID/GID matching system policies. -# #Default: cache_effective_group nobody # TAG: httpd_suppress_version_string on|off # Suppress Squid version string info in HTTP headers and HTML error pages. -# #Default: # httpd_suppress_version_string off @@ -2912,7 +3586,6 @@ cache_effective_group nobody # will be used. If you have multiple caches in a cluster and # get errors about IP-forwarding you must set them to have individual # names with this setting. -# #Default: # none @@ -2920,16 +3593,22 @@ cache_effective_group nobody # If you want to have multiple machines with the same # 'visible_hostname' you must give each machine a different # 'unique_hostname' so forwarding loops can be detected. -# #Default: # none # TAG: hostname_aliases # A list of other DNS names your cache has. -# #Default: # none +# TAG: umask +# Minimum umask which should be enforced while the proxy +# is running, in addition to the umask set at startup. +# +# For a traditional octal representation of umasks, start +# your value with 0. +#Default: +# umask 027 # OPTIONS FOR THE CACHE REGISTRATION SERVICE # ----------------------------------------------------------------------------- 
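Review bot: `cache_effective_user nobody` and `cache_effective_group nobody` remain the active identity in these hunks, while the retained text under cache_effective_group says the Squid team prefers a dedicated account with UID/GID matching system policy; `nobody` is shared with other unprivileged daemons, so a compromise of any of them can read and write the cache, logs and pid file of the proxy. If the package build rewrites these two lines at install time that covers the installed file, but a comment here, `# use a dedicated squid account that owns /var/cache/squid and /var/log/squid, not nobody`, would stop an admin merging this into an existing config from keeping the shared account. The new `umask 027` default added at the end of the same line group is a sensible complement and needs no change.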
@@ -2958,14 +3637,12 @@ cache_effective_group nobody
 # default is `0' which disables sending the announcement
 # messages.
 #
-# To enable announcing your cache, just uncomment the line
-# below.
+# To enable announcing your cache, just set an announce period.
 #
+# Example:
+# announce_period 1 day
 #Default:
 # announce_period 0
-#
-#To enable announcing your cache, just uncomment the line below.
-#announce_period 1 day
 
 # TAG: announce_host
 # TAG: announce_file
@@ -2977,49 +3654,43 @@ cache_effective_group nobody # default default to 3131. If the 'filename' argument is given, # the contents of that file will be included in the announce # message. -# #Default: # announce_host tracker.ircache.net # announce_port 3131 - # HTTPD-ACCELERATOR OPTIONS # ----------------------------------------------------------------------------- # TAG: httpd_accel_surrogate_id # Note: This option is only available if Squid is rebuilt with the -# -DUSE_SQUID_ESI define +# --enable-esi option # # Surrogates (http://www.esi.org/architecture_spec_1.0.html) # need an identification token to allow control targeting. Because # a farm of surrogates may all perform the same tasks, they may share # an identification token. -# #Default: # httpd_accel_surrogate_id unset-id # TAG: http_accel_surrogate_remote on|off # Note: This option is only available if Squid is rebuilt with the -# -DUSE_SQUID_ESI define +# --enable-esi option # # Remote surrogates (such as those in a CDN) honour Surrogate-Control: no-store-remote. # Set this to on to have squid behave as a remote surrogate. -# #Default: # http_accel_surrogate_remote off # TAG: esi_parser libxml2|expat|custom # Note: This option is only available if Squid is rebuilt with the -# -DUSE_SQUID_ESI define +# --enable-esi option # # ESI markup is not strictly XML compatible. The custom ESI parser # will give higher performance, but cannot handle non ASCII character # encodings. -# #Default: # esi_parser custom - # DELAY POOL PARAMETERS # ----------------------------------------------------------------------------- @@ -3030,7 +3701,6 @@ cache_effective_group nobody # This represents the number of delay pools to be used. For example, # if you have one class 2 delay pool and one class 3 delays pool, you # have a total of 2 delay pools. -# #Default: # delay_pools 0 
@@ -3043,12 +3713,12 @@ cache_effective_group nobody # delay pools, one of class 2 and one of class 3, the settings above # and here would be: # -#Example: -# delay_pools 4 # 4 delay pools -# delay_class 1 2 # pool 1 is a class 2 pool -# delay_class 2 3 # pool 2 is a class 3 pool -# delay_class 3 4 # pool 3 is a class 4 pool -# delay_class 4 5 # pool 4 is a class 5 pool +# Example: +# delay_pools 4 # 4 delay pools +# delay_class 1 2 # pool 1 is a class 2 pool +# delay_class 2 3 # pool 2 is a class 3 pool +# delay_class 3 4 # pool 3 is a class 4 pool +# delay_class 4 5 # pool 4 is a class 5 pool # # The delay pool classes are: # @@ -3057,13 +3727,13 @@ cache_effective_group nobody # # class 2 Everything is limited by a single aggregate # bucket as well as an "individual" bucket chosen -# from bits 25 through 32 of the IP address. +# from bits 25 through 32 of the IPv4 address. # # class 3 Everything is limited by a single aggregate # bucket as well as a "network" bucket chosen # from bits 17 through 24 of the IP address and a # "individual" bucket chosen from bits 17 through -# 32 of the IP address. +# 32 of the IPv4 address. # # class 4 Everything in a class 3 delay pool, with an # additional limit on a per user basis. This @@ -3079,6 +3749,8 @@ cache_effective_group nobody # -> bits 17 through 24 are "c" # -> bits 17 through 32 are "c * 256 + d" # +# NOTE-2: Due to the use of bitmasks in class 2,3,4 pools they only apply to +# IPv4 traffic. Class 1 and 5 pools may be used with IPv6 traffic. #Default: # none @@ -3102,7 +3774,6 @@ cache_effective_group nobody # delay_access 2 allow lotsa_little_clients # delay_access 2 deny all # delay_access 3 allow authenticated_clients -# #Default: # none @@ -3182,7 +3853,6 @@ cache_effective_group nobody # be limited to 128Kb no matter how many workstations they are logged into.: # #delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000 -# #Default: # none 
@@ -3195,15 +3865,25 @@ cache_effective_group nobody # a host accessing it (in class 2 and class 3, individual hosts and # networks only have buckets associated with them once they have been # "seen" by squid). -# #Default: # delay_initial_bucket_level 50 - # WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS # ----------------------------------------------------------------------------- # TAG: wccp_router +# Use this option to define your WCCP ``home'' router for +# Squid. +# +# wccp_router supports a single WCCP(v1) router +# +# wccp2_router supports multiple WCCPv2 routers +# +# only one of the two may be used at the same time and defines +# which version of WCCP to use. +#Default: +# wccp_router any_addr + # TAG: wccp2_router # Use this option to define your WCCP ``home'' router for # Squid. @@ -3214,9 +3894,8 @@ cache_effective_group nobody # # only one of the two may be used at the same time and defines # which version of WCCP to use. -# #Default: -# wccp_router 0.0.0.0 +# none # TAG: wccp_version # This directive is only relevant if you need to set up WCCP(v1) @@ -3229,14 +3908,12 @@ cache_effective_group nobody # support WCCP version 3. If you're using that or an earlier # version of IOS, you may need to change this value to 3, otherwise # do not specify this parameter. -# #Default: # wccp_version 4 # TAG: wccp2_rebuild_wait # If this is enabled Squid will wait for the cache dir rebuild to finish # before sending the first wccp2 HereIAm packet -# #Default: # wccp2_rebuild_wait on 
@@ -3244,22 +3921,21 @@ cache_effective_group nobody # WCCP2 allows the setting of forwarding methods between the # router/switch and the cache. Valid values are as follows: # -# 1 - GRE encapsulation (forward the packet in a GRE/WCCP tunnel) -# 2 - L2 redirect (forward the packet using Layer 2/MAC rewriting) +# gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel) +# l2 - L2 redirect (forward the packet using Layer 2/MAC rewriting) # # Currently (as of IOS 12.4) cisco routers only support GRE. # Cisco switches only support the L2 redirect assignment method. -# #Default: -# wccp2_forwarding_method 1 +# wccp2_forwarding_method gre # TAG: wccp2_return_method # WCCP2 allows the setting of return methods between the # router/switch and the cache for packets that the cache # decides not to handle. Valid values are as follows: # -# 1 - GRE encapsulation (forward the packet in a GRE/WCCP tunnel) -# 2 - L2 redirect (forward the packet using Layer 2/MAC rewriting) +# gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel) +# l2 - L2 redirect (forward the packet using Layer 2/MAC rewriting) # # Currently (as of IOS 12.4) cisco routers only support GRE. # Cisco switches only support the L2 redirect assignment. 
@@ -3268,22 +3944,20 @@ cache_effective_group nobody # enabled on the cache interface, then it is still safe for # the proxy server to use a l2 redirect method even if this # option is set to GRE. -# #Default: -# wccp2_return_method 1 +# wccp2_return_method gre # TAG: wccp2_assignment_method # WCCP2 allows the setting of methods to assign the WCCP hash # Valid values are as follows: # -# 1 - Hash assignment -# 2 - Mask assignment +# hash - Hash assignment +# mask - Mask assignment # # As a general rule, cisco routers support the hash assignment method # and cisco switches support the mask assignment method. -# #Default: -# wccp2_assignment_method 1 +# wccp2_assignment_method hash # TAG: wccp2_service # WCCP2 allows for multiple traffic services. There are two @@ -3305,8 +3979,6 @@ cache_effective_group nobody # wccp2_service dynamic 80 # a dynamic service type which will be # # fleshed out with subsequent options. # wccp2_service standard 0 password=foo -# -# #Default: # wccp2_service standard 0 @@ -3321,7 +3993,7 @@ cache_effective_group nobody # # The relevant WCCPv2 flags: # + src_ip_hash, dst_ip_hash -# + source_port_hash, dest_port_hash +# + source_port_hash, dst_port_hash # + src_ip_alt_hash, dst_ip_alt_hash # + src_port_alt_hash, dst_port_alt_hash # + ports_source @@ -3335,14 +4007,12 @@ cache_effective_group nobody # # Note: the service id must have been defined by a previous # 'wccp2_service dynamic ' entry. -# #Default: # none # TAG: wccp2_weight # Each cache server gets assigned a set of the destination # hash proportional to their weight. -# #Default: # wccp2_weight 10000 @@ -3352,12 +4022,10 @@ cache_effective_group nobody # interface address. # # The default behavior is to not bind to any specific address. -# #Default: # wccp_address 0.0.0.0 # wccp2_address 0.0.0.0 - # PERSISTENT CONNECTION HANDLING # ----------------------------------------------------------------------------- # 
@@ -3369,7 +4037,6 @@ cache_effective_group nobody # default, Squid uses persistent connections (when allowed) # with its clients and servers. You can use these options to # disable persistent connections with clients and/or servers. -# #Default: # client_persistent_connections on # server_persistent_connections on @@ -3378,9 +4045,8 @@ cache_effective_group nobody # With this directive the use of persistent connections after # HTTP errors can be disabled. Useful if you have clients # who fail to handle errors on persistent connections proper. -# #Default: -# persistent_connection_after_error off +# persistent_connection_after_error on # TAG: detect_broken_pconn # Some servers have been found to incorrectly signal the use @@ -3391,11 +4057,9 @@ cache_effective_group nobody # By enabling this directive Squid attempts to detect such # broken replies and automatically assume the reply is finished # after 10 seconds timeout. -# #Default: # detect_broken_pconn off - # CACHE DIGEST OPTIONS # ----------------------------------------------------------------------------- @@ -3406,7 +4070,6 @@ cache_effective_group nobody # This controls whether the server will generate a Cache Digest # of its contents. By default, Cache Digest generation is # enabled if Squid is compiled with --enable-cache-digests defined. -# #Default: # digest_generation on @@ -3417,7 +4080,6 @@ cache_effective_group nobody # This is the number of bits of the server's Cache Digest which # will be associated with the Digest entry for a given HTTP # Method and URL (public key) combination. The default is 5. -# #Default: # digest_bits_per_entry 5 @@ -3426,7 +4088,6 @@ cache_effective_group nobody # --enable-cache-digests option # # This is the wait time between Cache Digest rebuilds. -# #Default: # digest_rebuild_period 1 hour @@ -3436,7 +4097,6 @@ cache_effective_group nobody # # This is the wait time between Cache Digest writes to # disk. -# #Default: # digest_rewrite_period 1 hour 
@@ -3447,7 +4107,6 @@ cache_effective_group nobody # This is the number of bytes of the Cache Digest to write to # disk at a time. It defaults to 4096 bytes (4KB), the Squid # default swap page. -# #Default: # digest_swapout_chunk_size 4096 bytes @@ -3457,11 +4116,9 @@ cache_effective_group nobody # # This is the percentage of the Cache Digest to be scanned at a # time. By default it is set to 10% of the Cache Digest. -# #Default: # digest_rebuild_chunk_percentage 10 - # SNMP OPTIONS # ----------------------------------------------------------------------------- @@ -3470,10 +4127,11 @@ cache_effective_group nobody # SNMP support set this to a suitable port number. Port number # 3401 is often used for the Squid SNMP agent. By default it's # set to "0" (disabled) +# +# Example: +# snmp_port 3401 #Default: # snmp_port 0 -# -#snmp_port 3401 # TAG: snmp_access # Allowing or denying access to the SNMP port. 
@@ -3483,37 +4141,36 @@ cache_effective_group nobody # # snmp_access allow|deny [!]aclname ... # +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Example: # snmp_access allow snmppublic localhost # snmp_access deny all -# #Default: # snmp_access deny all # TAG: snmp_incoming_address # TAG: snmp_outgoing_address -# Just like 'udp_incoming_address' above, but for the SNMP port. +# Just like 'udp_incoming_address', but for the SNMP port. # # snmp_incoming_address is used for the SNMP socket receiving # messages from SNMP agents. # snmp_outgoing_address is used for SNMP packets returned to SNMP # agents. # -# The default snmp_incoming_address (0.0.0.0) is to listen on all +# The default snmp_incoming_address is to listen on all # available network interfaces. # -# If snmp_outgoing_address is set to 255.255.255.255 (the default) -# it will use the same socket as snmp_incoming_address. Only -# change this if you want to have SNMP replies sent using another -# address than where this Squid listens for SNMP queries. +# If snmp_outgoing_address is not set it will use the same socket +# as snmp_incoming_address. Only change this if you want to have +# SNMP replies sent using another address than where this Squid +# listens for SNMP queries. # # NOTE, snmp_incoming_address and snmp_outgoing_address can not have # the same value since they both use port 3401. -# #Default: -# snmp_incoming_address 0.0.0.0 -# snmp_outgoing_address 255.255.255.255 - +# snmp_incoming_address any_addr +# snmp_outgoing_address no_addr # ICP OPTIONS # ----------------------------------------------------------------------------- 
@@ -3522,25 +4179,26 @@ cache_effective_group nobody
 # The port number where Squid sends and receives ICP queries to
 # and from neighbor caches. The standard UDP port for ICP is 3130.
 # Default is disabled (0).
+#
+# Example:
+# icp_port 3130
 #Default:
 # icp_port 0
-#
-icp_port 3130
 
 # TAG: htcp_port
 # The port number where Squid sends and receives HTCP queries to
 # and from neighbor caches. To turn it on you want to set it to
 # 4827. By default it is set to "0" (disabled).
+#
+# Example:
+# htcp_port 4827
 #Default:
 # htcp_port 0
-#
-#htcp_port 4827
 
 # TAG: log_icp_queries on|off
 # If set, ICP queries are logged to access.log. You may wish
 # do disable this if your ICP load is VERY high to speed things
 # up or to simplify log analysis.
-#
 #Default:
 # log_icp_queries on
 
@@ -3560,9 +4218,8 @@ icp_port 3130
 #
 # NOTE, udp_incoming_address and udp_outgoing_address can not
 # have the same value since they both use the same port.
-#
 #Default:
-# udp_incoming_address 0.0.0.0
+# udp_incoming_address any_addr
 
 # TAG: udp_outgoing_address
 # udp_outgoing_address is used for UDP packets sent out to other
@@ -3582,9 +4239,8 @@ icp_port 3130
 #
 # NOTE, udp_incoming_address and udp_outgoing_address can not
 # have the same value since they both use the same port.
-#
 #Default:
-# udp_outgoing_address 255.255.255.255
+# udp_outgoing_address no_addr
 
 # TAG: icp_hit_stale on|off
 # If you want to return ICP_HIT for stale cache objects, set this
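Review bot: Dropping the active `icp_port 3130` line leaves ICP at the commented upstream default `# icp_port 0`, so a deployment that relied on the previously shipped file for sibling-cache ICP stops answering UDP 3130 after this upgrade, and nothing in the hunk marks the change as deliberate. It is a sensible hardening, since the ICP listener is only needed with cache peers and otherwise just widens the exposed surface, but an admin merging the `.new` file into an existing configuration will not see why their peers went quiet. A short note next to the new Example, such as `# NOTE: this package no longer enables icp_port; set it to 3130 only if you run ICP cache peers.`, would make the intent visible.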
@@ -3594,21 +4250,18 @@ icp_port 3130 # it is probably okay to set this to 'on'. # If set to 'on', your siblings should use the option "allow-miss" # on their cache_peer lines for connecting to you. -# #Default: # icp_hit_stale off # TAG: minimum_direct_hops # If using the ICMP pinging stuff, do direct fetches for sites # which are no more than this many hops away. -# #Default: # minimum_direct_hops 4 # TAG: minimum_direct_rtt # If using the ICMP pinging stuff, do direct fetches for sites # which are no more than this many rtt milliseconds away. -# #Default: # minimum_direct_rtt 400 @@ -3618,7 +4271,6 @@ icp_port 3130 # database. These are counts, not percents. The defaults are # 900 and 1000. When the high water mark is reached, database # entries will be deleted until the low mark is reached. -# #Default: # netdb_low 900 # netdb_high 1000 @@ -3627,7 +4279,6 @@ icp_port 3130 # The minimum period for measuring a site. There will be at # least this much delay between successive pings to the same # network. The default is five minutes. -# #Default: # netdb_ping_period 5 minutes @@ -3643,7 +4294,6 @@ icp_port 3130 # the minimal RTT to the origin server. When this happens, the # hierarchy field of the access.log will be # "CLOSEST_PARENT_MISS". This option is off by default. -# #Default: # query_icmp off @@ -3651,7 +4301,6 @@ icp_port 3130 # When this is 'on', ICP MISS replies will be ICP_MISS_NOFETCH # instead of ICP_MISS if the target host is NOT in the ICMP # database, or has a zero RTT. -# #Default: # test_reachability off @@ -3664,7 +4313,6 @@ icp_port 3130 # timeout (the old default), you would write: # # icp_query_timeout 2000 -# #Default: # icp_query_timeout 0 @@ -3675,7 +4323,6 @@ icp_port 3130 # value. Do NOT use this option to always use a fixed (instead # of a dynamic) timeout value. To set a fixed timeout see the # 'icp_query_timeout' directive. -# #Default: # maximum_icp_query_timeout 2000 
@@ -3687,18 +4334,15 @@ icp_port 3130 # value. Do NOT use this option to always use a fixed (instead # of a dynamic) timeout value. To set a fixed timeout see the # 'icp_query_timeout' directive. -# #Default: # minimum_icp_query_timeout 5 # TAG: background_ping_rate time-units # Controls how often the ICP pings are sent to siblings that # have background-ping set. -# #Default: # background_ping_rate 10 seconds - # MULTICAST ICP OPTIONS # ----------------------------------------------------------------------------- @@ -3723,7 +4367,6 @@ icp_port 3130 # Usage: mcast_groups 239.128.16.128 224.0.1.20 # # By default, Squid doesn't listen on any multicast groups. -# #Default: # none @@ -3736,9 +4379,8 @@ icp_port 3130 # # Do not enable this option unless you are are absolutely # certain you understand what you are doing. -# #Default: -# mcast_miss_addr 255.255.255.255 +# mcast_miss_addr no_addr # TAG: mcast_miss_ttl # Note: This option is only available if Squid is rebuilt with the @@ -3747,7 +4389,6 @@ icp_port 3130 # This is the time-to-live value for packets multicasted # when multicasting off cache miss URLs is enabled. By # default this is set to 'site scope', i.e. 16. -# #Default: # mcast_miss_ttl 16 @@ -3757,7 +4398,6 @@ icp_port 3130 # # This is the port number to be used in conjunction with # 'mcast_miss_addr'. -# #Default: # mcast_miss_port 3135 @@ -3767,7 +4407,6 @@ icp_port 3130 # # The URLs that are sent in the multicast miss stream are # encrypted. This is the encryption key. -# #Default: # mcast_miss_encode_key XXXXXXXXXXXXXXXX 
@@ -3777,18 +4416,15 @@ icp_port 3130 # address. This value specifies how long Squid should wait to # count all the replies. The default is 2000 msec, or 2 # seconds. -# #Default: # mcast_icp_query_timeout 2000 - # INTERNAL ICON OPTIONS # ----------------------------------------------------------------------------- # TAG: icon_directory # Where the icons are stored. These are normally kept in # /usr/share/squid/icons -# #Default: # icon_directory /usr/share/squid/icons @@ -3800,7 +4436,6 @@ icp_port 3130 # icons etc work better in complex cache hierarchies where it may # not always be possible for all corners in the cache mesh to reach # the server generating a directory listing. -# #Default: # global_internal_static on 
@@ -3811,27 +4446,62 @@ icp_port 3130 # # If you run a complex cache hierarchy with a mix of Squid and # other proxies you may need to disable this directive. -# #Default: # short_icon_urls on - # ERROR PAGE OPTIONS # ----------------------------------------------------------------------------- # TAG: error_directory # If you wish to create your own versions of the default -# (English) error files, either to customize them to suit your -# language or company copy the template English files to another -# directory and point this tag at them. +# error files to customize them to suit your company copy +# the error/template files to another directory and point +# this tag at them. +# +# WARNING: This option will disable multi-language support +# on error pages if used. # # The squid developers are interested in making squid available in # a wide variety of languages. If you are making translations for a -# langauge that Squid does not currently provide please consider +# language that Squid does not currently provide please consider # contributing your translation back to the project. +# http://wiki.squid-cache.org/Translations # +# The squid developers working on translations are happy to supply drop-in +# translated error files in exchange for any new language contributions. #Default: -# error_directory /usr/share/squid/errors/English +# none + +# TAG: error_default_language +# Set the default language which squid will send error pages in +# if no existing translation matches the clients language +# preferences. +# +# If unset (default) generic English will be used. +# +# The squid developers are interested in making squid available in +# a wide variety of languages. If you are interested in making +# translations for any language see the squid wiki for details. +# http://wiki.squid-cache.org/Translations +#Default: +# none + +# TAG: error_log_languages +# Log to cache.log what languages users are attempting to +# auto-negotiate for translations. 
+# +# Successful negotiations are not logged. Only failures +# have meaning to indicate that Squid may need an upgrade +# of its error page translations. +#Default: +# error_log_languages on + +# TAG: err_page_stylesheet +# CSS Stylesheet to pattern the display of Squid default error pages. +# +# For information on CSS see http://www.w3.org/Style/CSS/ +#Default: +# err_page_stylesheet /etc/squid/errorpage.css # TAG: err_html_text # HTML text to include in error messages. Make this a "mailto" @@ -3842,7 +4512,6 @@ icp_port 3130 # the error template files (found in the "errors" directory). # Wherever you want the 'err_html_text' line to appear, # insert a %L tag in the error template file. -# #Default: # none @@ -3851,14 +4520,13 @@ icp_port 3130 # included in the mailto links of the ERR pages (if %W is set) # so that the email body contains the data. # Syntax is %w -# #Default: # email_err_data on # TAG: deny_info # Usage: deny_info err_page_name acl # or deny_info http://... acl -# Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys +# or deny_info TCP_RESET acl # # This can be used to return a ERR_ page for requests which # do not pass the 'http_access' rules. Squid remembers the last @@ -3872,8 +4540,9 @@ icp_port 3130 # - When none of the http_access lines matches. It's then the last # acl processed on the last http_access line. # -# You may use ERR_ pages that come with Squid or create your own pages -# and put them into the configured errors/ directory. +# NP: If providing your own custom error pages with error_directory +# you may also specify them by your custom file name: +# Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys # # Alternatively you can specify an error URL. The browsers will # get redirected (302) to the specified URL. %s in the redirection 
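Review bot: The new default `err_page_stylesheet /etc/squid/errorpage.css` points at a file under the packaged sysconfdir, and no hunk visible here shows that file being installed or given config-file (`.new`) treatment; if it is absent every error page is served without its stylesheet, and if it is overwritten on upgrade a site's customised stylesheet is silently replaced. The packaging step that prepares /etc/squid should confirm that errorpage.css actually lands there with the same preservation semantics as squid.conf — I cannot tell from this patch whether the upstream install target already does that. Likewise, `error_directory` now defaults to none rather than the old `/usr/share/squid/errors/English` path, so the error templates are located by squid itself; worth a quick check that the installed tree matches the `--datadir` the package builds with.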
@@ -3881,11 +4550,9 @@ icp_port 3130 # # Alternatively you can tell Squid to reset the TCP connection # by specifying TCP_RESET. -# #Default: # none - # OPTIONS INFLUENCING REQUEST FORWARDING # ----------------------------------------------------------------------------- @@ -3903,7 +4570,6 @@ icp_port 3130 # # If you are inside an firewall see never_direct instead of # this directive. -# #Default: # nonhierarchical_direct on @@ -3919,7 +4585,6 @@ icp_port 3130 # Note: If you want Squid to use parents for all requests see # the never_direct directive. prefer_direct only modifies how Squid # acts on cacheable requests. -# #Default: # prefer_direct off @@ -3958,11 +4623,10 @@ icp_port 3130 # # NOTE: This directive is not related to caching. The replies # is cached as usual even if you use always_direct. To not cache -# the replies see no_cache. -# -# This option replaces some v1.1 options such as local_domain -# and local_ip. +# the replies see the 'cache' directive. # +# This clause supports both fast and slow acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: # none @@ -3978,7 +4642,6 @@ icp_port 3130 # requests, except those in your local domain use something like: # # acl local-servers dstdomain .foo.net -# acl all src 0.0.0.0/0.0.0.0 # never_direct deny local-servers # never_direct allow all # @@ -3991,13 +4654,11 @@ icp_port 3130 # always_direct allow local-intranet # never_direct allow all # -# This option replaces some v1.1 options such as inside_firewall -# and firewall_ip. -# +# This clause supports both fast and slow acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: # none - # ADVANCED NETWORKING OPTIONS # ----------------------------------------------------------------------------- 
@@ -4010,7 +4671,6 @@ icp_port 3130 # Heavy voodoo here. I can't even believe you are reading this. # Are you crazy? Don't even think about adjusting these unless # you understand the algorithms in comm_select.c first! -# #Default: # incoming_icp_average 6 # incoming_http_average 4 @@ -4046,34 +4706,45 @@ icp_port 3130 #accept_filter httpready ## Linux #accept_filter data -# #Default: # none +# TAG: client_ip_max_connections +# Set an absolute limit on the number of connections a single +# client IP can use. Any more than this and Squid will begin to drop +# new connections from the client until it closes some links. +# +# Note that this is a global limit. It affects all HTTP, HTCP, Gopher and FTP +# connections from the client. For finer control use the ACL access controls. +# +# Requires client_db to be enabled (the default). +# +# WARNING: This may noticably slow down traffic received via external proxies +# or NAT devices and cause them to rebound error messages back to their clients. +#Default: +# client_ip_max_connections -1 + # TAG: tcp_recv_bufsize (bytes) # Size of receive buffer to set for TCP sockets. Probably just # as easy to change your kernel's default. Set to zero to use # the default buffer size. -# #Default: # tcp_recv_bufsize 0 bytes - # ICAP OPTIONS # ----------------------------------------------------------------------------- # TAG: icap_enable on|off # Note: This option is only available if Squid is rebuilt with the -# -DICAP_CLIENT define +# --enable-icap-client option # # If you want to enable the ICAP module support, set this to on. -# #Default: # icap_enable off # TAG: icap_connect_timeout # Note: This option is only available if Squid is rebuilt with the -# -DICAP_CLIENT define +# --enable-icap-client option # # This parameter specifies how long to wait for the TCP connect to # the requested ICAP server to complete before giving up and either 
@@ -4082,13 +4753,12 @@ icp_port 3130 # The default for optional services is peer_connect_timeout. # The default for essential services is connect_timeout. # If this option is explicitly set, its value applies to all services. -# #Default: # none # TAG: icap_io_timeout time-units # Note: This option is only available if Squid is rebuilt with the -# -DICAP_CLIENT define +# --enable-icap-client option # # This parameter specifies how long to wait for an I/O activity on # an established, active ICAP connection before giving up and @@ -4096,13 +4766,12 @@ icp_port 3130 # failure. # # The default is read_timeout. -# #Default: # none # TAG: icap_service_failure_limit # Note: This option is only available if Squid is rebuilt with the -# -DICAP_CLIENT define +# --enable-icap-client option # # The limit specifies the number of failures that Squid tolerates # when establishing a new TCP connection with an ICAP service. If @@ -4114,13 +4783,12 @@ icp_port 3130 # A negative value disables the limit. Without the limit, an ICAP # service will not be considered down due to connectivity failures # between ICAP OPTIONS requests. -# #Default: # icap_service_failure_limit 10 # TAG: icap_service_revival_delay # Note: This option is only available if Squid is rebuilt with the -# -DICAP_CLIENT define +# --enable-icap-client option # # The delay specifies the number of seconds to wait after an ICAP # OPTIONS request failure before requesting the options again. The @@ -4129,13 +4797,12 @@ icp_port 3130 # # The actual delay cannot be smaller than the hardcoded minimum # delay of 30 seconds. -# #Default: # icap_service_revival_delay 180 # TAG: icap_preview_enable on|off # Note: This option is only available if Squid is rebuilt with the -# -DICAP_CLIENT define +# --enable-icap-client option # # The ICAP Preview feature allows the ICAP server to handle the # HTTP message by looking only at the beginning of the message body 
@@ -4150,150 +4817,404 @@ icp_port 3130 # individual ICAP server OPTIONS responses, set this option to "off". #Example: #icap_preview_enable off -# #Default: # icap_preview_enable on # TAG: icap_preview_size # Note: This option is only available if Squid is rebuilt with the -# -DICAP_CLIENT define +# --enable-icap-client option # # The default size of preview data to be sent to the ICAP server. # -1 means no preview. This value might be overwritten on a per server # basis by OPTIONS requests. -# #Default: # icap_preview_size -1 # TAG: icap_default_options_ttl # Note: This option is only available if Squid is rebuilt with the -# -DICAP_CLIENT define +# --enable-icap-client option # # The default TTL value for ICAP OPTIONS responses that don't have # an Options-TTL header. -# #Default: # icap_default_options_ttl 60 # TAG: icap_persistent_connections on|off # Note: This option is only available if Squid is rebuilt with the -# -DICAP_CLIENT define +# --enable-icap-client option # # Whether or not Squid should use persistent connections to # an ICAP server. -# #Default: # icap_persistent_connections on # TAG: icap_send_client_ip on|off # Note: This option is only available if Squid is rebuilt with the -# -DICAP_CLIENT define +# --enable-icap-client option # # This adds the header "X-Client-IP" to ICAP requests. -# #Default: # icap_send_client_ip off # TAG: icap_send_client_username on|off # Note: This option is only available if Squid is rebuilt with the -# -DICAP_CLIENT define +# --enable-icap-client option # # This sends authenticated HTTP client username (if available) to # the ICAP service. The username value is encoded based on the # icap_client_username_encode option and is sent using the header # specified by the icap_client_username_header option. 
-# #Default: # icap_send_client_username off # TAG: icap_client_username_header # Note: This option is only available if Squid is rebuilt with the -# -DICAP_CLIENT define +# --enable-icap-client option # # ICAP request header name to use for send_client_username. -# #Default: # icap_client_username_header X-Client-Username # TAG: icap_client_username_encode on|off # Note: This option is only available if Squid is rebuilt with the -# -DICAP_CLIENT define +# --enable-icap-client option # # Whether to base64 encode the authenticated client username. -# #Default: # icap_client_username_encode off # TAG: icap_service # Note: This option is only available if Squid is rebuilt with the -# -DICAP_CLIENT define +# --enable-icap-client option # -# Defines a single ICAP service +# Defines a single ICAP service using the following format: # -# icap_service servicename vectoring_point bypass service_url +# icap_service service_name vectoring_point [options] service_url # -# vectoring_point = reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache +# service_name: ID +# an opaque identifier which must be unique in squid.conf +# +# vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache # This specifies at which point of transaction processing the # ICAP service should be activated. *_postcache vectoring points # are not yet supported. -# bypass = 1|0 -# If set to 1, the ICAP service is treated as optional. If the -# service cannot be reached or malfunctions, Squid will try to -# ignore any errors and process the message as if the service -# was not enabled. No all ICAP errors can be bypassed. -# If set to 0, the ICAP service is treated as essential and all -# ICAP errors will result in an error page returned to the -# HTTP client. -# service_url = icap://servername:port/service +# +# service_url: icap://servername:port/servicepath +# ICAP server and service location. 
+# +# ICAP does not allow a single service to handle both REQMOD and RESPMOD +# transactions. Squid does not enforce that requirement. You can specify +# services with the same service_url and different vectoring_points. You +# can even specify multiple identical services as long as their +# service_names differ. +# +# +# Service options are separated by white space. ICAP services support +# the following name=value options: +# +# bypass=on|off|1|0 +# If set to 'on' or '1', the ICAP service is treated as +# optional. If the service cannot be reached or malfunctions, +# Squid will try to ignore any errors and process the message as +# if the service was not enabled. No all ICAP errors can be +# bypassed. If set to 0, the ICAP service is treated as +# essential and all ICAP errors will result in an error page +# returned to the HTTP client. +# +# Bypass is off by default: services are treated as essential. +# +# routing=on|off|1|0 +# If set to 'on' or '1', the ICAP service is allowed to +# dynamically change the current message adaptation plan by +# returning a chain of services to be used next. The services +# are specified using the X-Next-Services ICAP response header +# value, formatted as a comma-separated list of service names. +# Each named service should be configured in squid.conf and +# should have the same method and vectoring point as the current +# ICAP transaction. Services violating these rules are ignored. +# An empty X-Next-Services value results in an empty plan which +# ends the current adaptation. +# +# Routing is not allowed by default: the ICAP X-Next-Services +# response header is ignored. +# +# Older icap_service format without optional named parameters is +# deprecated but supported for backward compatibility. 
# #Example: -#icap_service service_1 reqmod_precache 0 icap://icap1.mydomain.net:1344/reqmod -#icap_service service_2 respmod_precache 0 icap://icap2.mydomain.net:1344/respmod -# +#icap_service svcBlocker reqmod_precache bypass=0 icap://icap1.mydomain.net:1344/reqmod +#icap_service svcLogger reqmod_precache routing=on icap://icap2.mydomain.net:1344/respmod #Default: # none # TAG: icap_class # Note: This option is only available if Squid is rebuilt with the -# -DICAP_CLIENT define +# --enable-icap-client option # -# Defines an ICAP service chain. Eventually, multiple services per -# vectoring point will be supported. For now, please specify a single -# service per class: -# -# icap_class classname servicename -# -#Example: -#icap_class class_1 service_1 -#icap class class_2 service_1 -#icap class class_3 service_3 +# This deprecated option was documented to define an ICAP service +# chain, even though it actually defined a set of similar, redundant +# services, and the chains were not supported. # +# To define a set of redundant services, please use the +# adaptation_service_set directive. For service chains, use +# adaptation_service_chain. #Default: # none # TAG: icap_access # Note: This option is only available if Squid is rebuilt with the -# -DICAP_CLIENT define -# -# Redirects a request through an ICAP service class, depending -# on given acls -# -# icap_access classname allow|deny [!]aclname... -# -# The icap_access statements are processed in the order they appear in -# this configuration file. If an access list matches, the processing stops. -# For an "allow" rule, the specified class is used for the request. A "deny" -# rule simply stops processing without using the class. You can also use the -# special classname "None". -# -# For backward compatibility, it is also possible to use services -# directly here. -#Example: -#icap_access class_1 allow all +# --enable-icap-client option # +# This option is deprecated. 
Please use adaptation_access, which +# has the same ICAP functionality, but comes with better +# documentation, and eCAP support. #Default: # none +# eCAP OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: ecap_enable on|off +# Note: This option is only available if Squid is rebuilt with the +# --enable-ecap option +# +# Controls whether eCAP support is enabled. +#Default: +# ecap_enable off + +# TAG: ecap_service +# Note: This option is only available if Squid is rebuilt with the +# --enable-ecap option +# +# Defines a single eCAP service +# +# ecap_service servicename vectoring_point bypass service_url +# +# vectoring_point = reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache +# This specifies at which point of transaction processing the +# eCAP service should be activated. *_postcache vectoring points +# are not yet supported. +# bypass = 1|0 +# If set to 1, the eCAP service is treated as optional. If the +# service cannot be reached or malfunctions, Squid will try to +# ignore any errors and process the message as if the service +# was not enabled. No all eCAP errors can be bypassed. +# If set to 0, the eCAP service is treated as essential and all +# eCAP errors will result in an error page returned to the +# HTTP client. +# service_url = ecap://vendor/service_name?custom&cgi=style¶meters=optional +# +#Example: +#ecap_service service_1 reqmod_precache 0 ecap://filters-R-us/leakDetector?on_error=block +#ecap_service service_2 respmod_precache 1 icap://filters-R-us/virusFilter?config=/etc/vf.cfg +#Default: +# none + +# TAG: loadable_modules +# Instructs Squid to load the specified dynamic module(s) or activate +# preloaded module(s). 
+#Example: +#loadable_modules /usr/lib/MinimalAdapter.so +#Default: +# none + +# MESSAGE ADAPTATION OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: adaptation_service_set +# Note: This option is only available if Squid is rebuilt with the +# --enable-ecap or --enable-icap-client option +# +# +# Configures an ordered set of similar, redundant services. This is +# useful when hot standby or backup adaptation servers are available. +# +# adaptation_service_set set_name service_name1 service_name2 ... +# +# The named services are used in the set declaration order. The first +# applicable adaptation service from the set is used first. The next +# applicable service is tried if and only if the transaction with the +# previous service fails and the message waiting to be adapted is still +# intact. +# +# When adaptation starts, broken services are ignored as if they were +# not a part of the set. A broken service is a down optional service. +# +# The services in a set must be attached to the same vectoring point +# (e.g., pre-cache) and use the same adaptation method (e.g., REQMOD). +# +# If all services in a set are optional then adaptation failures are +# bypassable. If all services in the set are essential, then a +# transaction failure with one service may still be retried using +# another service from the set, but when all services fail, the master +# transaction fails as well. +# +# A set may contain a mix of optional and essential services, but that +# is likely to lead to surprising results because broken services become +# ignored (see above), making previously bypassable failures fatal. +# Technically, it is the bypassability of the last failed service that +# matters. 
+# +# See also: adaptation_access adaptation_service_chain +# +#Example: +#adaptation_service_set svcBlocker urlFilterPrimary urlFilterBackup +#adaptation service_set svcLogger loggerLocal loggerRemote +#Default: +# none + +# TAG: adaptation_service_chain +# Note: This option is only available if Squid is rebuilt with the +# --enable-ecap or --enable-icap-client option +# +# +# Configures a list of complementary services that will be applied +# one-by-one, forming an adaptation chain or pipeline. This is useful +# when Squid must perform different adaptations on the same message. +# +# adaptation_service_chain chain_name service_name1 svc_name2 ... +# +# The named services are used in the chain declaration order. The first +# applicable adaptation service from the chain is used first. The next +# applicable service is applied to the successful adaptation results of +# the previous service in the chain. +# +# When adaptation starts, broken services are ignored as if they were +# not a part of the chain. A broken service is a down optional service. +# +# Request satisfaction terminates the adaptation chain because Squid +# does not currently allow declaration of RESPMOD services at the +# "reqmod_precache" vectoring point (see icap_service or ecap_service). +# +# The services in a chain must be attached to the same vectoring point +# (e.g., pre-cache) and use the same adaptation method (e.g., REQMOD). +# +# A chain may contain a mix of optional and essential services. If an +# essential adaptation fails (or the failure cannot be bypassed for +# other reasons), the master transaction fails. Otherwise, the failure +# is bypassed as if the failed adaptation service was not in the chain. 
+# +# See also: adaptation_access adaptation_service_set +# +#Example: +#adaptation_service_chain svcRequest requestLogger urlFilter leakDetector +#Default: +# none + +# TAG: adaptation_access +# Note: This option is only available if Squid is rebuilt with the +# --enable-ecap or --enable-icap-client option +# +# Sends an HTTP transaction to an ICAP or eCAP adaptation service. +# +# adaptation_access service_name allow|deny [!]aclname... +# adaptation_access set_name allow|deny [!]aclname... +# +# At each supported vectoring point, the adaptation_access +# statements are processed in the order they appear in this +# configuration file. Statements pointing to the following services +# are ignored (i.e., skipped without checking their ACL): +# +# - services serving different vectoring points +# - "broken-but-bypassable" services +# - "up" services configured to ignore such transactions +# (e.g., based on the ICAP Transfer-Ignore header). +# +# When a set_name is used, all services in the set are checked +# using the same rules, to find the first applicable one. See +# adaptation_service_set for details. +# +# If an access list is checked and there is a match, the +# processing stops: For an "allow" rule, the corresponding +# adaptation service is used for the transaction. For a "deny" +# rule, no adaptation service is activated. +# +# It is currently not possible to apply more than one adaptation +# service at the same vectoring point to the same HTTP transaction. +# +# See also: icap_service and ecap_service +# +#Example: +#adaptation_access service_1 allow all +#Default: +# none + +# TAG: adaptation_service_iteration_limit +# Note: This option is only available if Squid is rebuilt with the +# --enable-ecap or --enable-icap-client option +# +# Limits the number of iterations allowed when applying adaptation +# services to a message. If your longest adaptation set or chain +# may have more than 16 services, increase the limit beyond its +# default value of 16. 
If detecting infinite iteration loops sooner +# is critical, make the iteration limit match the actual number +# of services in your longest adaptation set or chain. +# +# Infinite adaptation loops are most likely with routing services. +# +# See also: icap_service routing=1 +#Default: +# adaptation_service_iteration_limit 16 + +# TAG: adaptation_masterx_shared_names +# Note: This option is only available if Squid is rebuilt with the +# --enable-ecap or --enable-icap-client option +# +# For each master transaction (i.e., the HTTP request and response +# sequence, including all related ICAP and eCAP exchanges), Squid +# maintains a table of metadata. The table entries are (name, value) +# pairs shared among eCAP and ICAP exchanges. The table is destroyed +# with the master transaction. +# +# This option specifies the table entry names that Squid must accept +# from and forward to the adaptation transactions. +# +# An ICAP REQMOD or RESPMOD transaction may set an entry in the +# shared table by returning an ICAP header field with a name +# specified in adaptation_masterx_shared_names. Squid will store +# and forward that ICAP header field to subsequent ICAP +# transactions within the same master transaction scope. +# +# Only one shared entry name is supported at this time. +# +#Example: +## share authentication information among ICAP services +#adaptation_masterx_shared_names X-Subscriber-ID +#Default: +# none + +# TAG: icap_retry +# Note: This option is only available if Squid is rebuilt with the +# --enable-icap-client option +# +# This ACL determines which retriable ICAP transactions are +# retried. Transactions that received a complete ICAP response +# and did not have to consume or produce HTTP bodies to receive +# that response are usually retriable. +# +# icap_retry allow|deny [!]aclname ... +# +# Squid automatically retries some ICAP I/O timeouts and errors +# due to persistent connection race conditions. 
+# +# See also: icap_retry_limit +#Default: +# icap_retry deny all + +# TAG: icap_retry_limit +# Note: This option is only available if Squid is rebuilt with the +# --enable-icap-client option +# +# Limits the number of retries allowed. When set to zero (default), +# no retries are allowed. +# +# Communication errors due to persistent connection race +# conditions are unavoidable, automatically retried, and do not +# count against this limit. +# +# See also: icap_retry +#Default: +# icap_retry_limit 0 # DNS OPTIONS # ----------------------------------------------------------------------------- @@ -4302,7 +5223,6 @@ icp_port 3130 # For security and stability reasons Squid can check # hostnames for Internet standard RFC compliance. If you want # Squid to perform these checks turn this directive on. -# #Default: # check_hostnames off @@ -4311,7 +5231,6 @@ icp_port 3130 # but nevertheless used by many sites. Set this to off if you want # Squid to be strict about the standard. # This check is performed only when check_hostnames is set to on. -# #Default: # allow_underscore on @@ -4320,7 +5239,6 @@ icp_port 3130 # --disable-internal-dns option # # Specify the location of the executable for dnslookup process. -# #Default: # cache_dns_program /usr/libexec/dnsserver @@ -4334,7 +5252,6 @@ icp_port 3130 # is 32. The default is 5. # # You must have at least one dnsserver process. -# #Default: # dns_children 5 @@ -4342,7 +5259,6 @@ icp_port 3130 # Initial retransmit interval for DNS queries. The interval is # doubled each time all configured DNS servers have been tried. # -# #Default: # dns_retransmit_interval 5 seconds @@ -4350,7 +5266,6 @@ icp_port 3130 # DNS Query timeout. If no response is received to a DNS query # within this time all DNS servers for the queried domain # are assumed to be unavailable. -# #Default: # dns_timeout 2 minutes 
@@ -4359,7 +5274,6 @@ icp_port 3130 # (see res_init(3)). This prevents caches in a hierarchy # from interpreting single-component hostnames locally. To allow # Squid to handle single-component names, enable this option. -# #Default: # dns_defnames off @@ -4373,7 +5287,6 @@ icp_port 3130 # configurations are supported. # # Example: dns_nameservers 10.0.0.1 192.172.0.4 -# #Default: # none @@ -4400,18 +5313,9 @@ icp_port 3130 # If append_domain is used, that domain will be added to # domain-local (i.e. not containing any dot character) host # definitions. -# #Default: # hosts_file /etc/hosts -# TAG: dns_testnames -# The DNS tests exit as soon as the first site is successfully looked up -# -# This test can be disabled with the -D command line option. -# -#Default: -# dns_testnames netscape.com internic.net nlanr.net microsoft.com - # TAG: append_domain # Appends local domain name to hostnames without any dots in # them. append_domain must begin with a period. @@ -4422,7 +5326,6 @@ icp_port 3130 # #Example: # append_domain .yourdomain.com -# #Default: # none 
@@ -4432,15 +5335,30 @@ icp_port 3130 # don't match, Squid ignores the response and writes a warning # message to cache.log. You can allow responses from unknown # nameservers by setting this option to 'off'. -# #Default: # ignore_unknown_nameservers on +# TAG: dns_v4_fallback +# Standard practice with DNS is to lookup either A or AAAA records +# and use the results if it succeeds. Only looking up the other if +# the first attempt fails or otherwise produces no results. +# +# That policy however will cause squid to produce error pages for some +# servers that advertise AAAA but are unreachable over IPv6. +# +# If this is ON squid will always lookup both AAAA and A, using both. +# If this is OFF squid will lookup AAAA and only try A if none found. +# +# WARNING: There are some possibly unwanted side-effects with this on: +# *) Doubles the load placed by squid on the DNS network. +# *) May negatively impact connection delay times. +#Default: +# dns_v4_fallback on + # TAG: ipcache_size (number of entries) # TAG: ipcache_low (percent) # TAG: ipcache_high (percent) # The size, low-, and high-water marks for the IP cache. -# #Default: # ipcache_size 1024 # ipcache_low 90 @@ -4448,11 +5366,9 @@ icp_port 3130 # TAG: fqdncache_size (number of entries) # Maximum number of FQDN cache entries. -# #Default: # fqdncache_size 1024 - # MISCELLANEOUS # ----------------------------------------------------------------------------- @@ -4461,7 +5377,6 @@ icp_port 3130 # available for future use. If memory is a premium on your # system and you believe your malloc library outperforms Squid # routines, disable this. -# #Default: # memory_pools on 
@@ -4477,31 +5392,37 @@ icp_port 3130 # memory_pools_limit to a reasonably high value even if your # configuration will use less memory. # -# If set to zero, Squid will keep all memory it can. That is, there +# If set to none, Squid will keep all memory it can. That is, there # will be no limit on the total amount of memory used for safe-keeping. # # To disable memory allocation optimization, do not set -# memory_pools_limit to 0. Set memory_pools to "off" instead. +# memory_pools_limit to 0 or none. Set memory_pools to "off" instead. # # An overhead for maintaining memory pools is not taken into account # when the limit is checked. This overhead is close to four bytes per # object kept. However, pools may actually _save_ memory because of # reduced memory thrashing in your malloc library. -# #Default: # memory_pools_limit 5 MB -# TAG: forwarded_for on|off -# If set, Squid will include your system's IP address or name -# in the HTTP requests it forwards. By default it looks like -# this: +# TAG: forwarded_for on|off|transparent|truncate|delete +# If set to "on", Squid will append your client's IP address +# in the HTTP requests it forwards. By default it looks like: # # X-Forwarded-For: 192.1.2.3 # -# If you disable this, it will appear as +# If set to "off", it will appear as # # X-Forwarded-For: unknown # +# If set to "transparent", Squid will not alter the +# X-Forwarded-For header in any way. +# +# If set to "delete", Squid will delete the entire +# X-Forwarded-For header. +# +# If set to "truncate", Squid will remove all existing +# X-Forwarded-For entries, and place itself as the sole entry. #Default: # forwarded_for on @@ -4539,6 +5460,7 @@ icp_port 3130 # offline_toggle * # pconn # peer_select +# reconfigure * # redirector # refresh # server_list 
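Review bot: The rewritten `forwarded_for` block documents the new `transparent`, `truncate` and `delete` modes, yet the value this config ships with remains the commented default `forwarded_for on`, which appends every client's internal address to `X-Forwarded-For` on requests leaving the proxy. For a package whose users mostly run a forward proxy that is an information-exposure default worth choosing deliberately rather than inheriting from upstream. I would add a short operator note next to the default, e.g. `# NOTE: "on" reveals internal client IPs to origin servers; on a forward proxy consider "forwarded_for delete"`, and leave `on` only where downstream logging of real client addresses is actually wanted. The hunk carries upstream's generated text, so this would belong in the SlackBuild-maintained part of the config rather than in the copied comment block.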
@@ -4562,14 +5484,12 @@ icp_port 3130 # cachemgr_passwd secret shutdown # cachemgr_passwd lesssssssecret info stats/objects # cachemgr_passwd disable all -# #Default: # none # TAG: client_db on|off # If you want to disable collecting per-client statistics, # turn off client_db here. -# #Default: # client_db on @@ -4582,7 +5502,6 @@ icp_port 3130 # # By default (off), squid may return a Not Modified response # based on the age of the cached version. -# #Default: # refresh_all_ims off @@ -4594,7 +5513,6 @@ icp_port 3130 # causes. # # see also refresh_pattern for a more selective approach. -# #Default: # reload_into_ims off @@ -4609,7 +5527,6 @@ icp_port 3130 # # Note: This is in addition to the request re-forwarding which # takes place if Squid fails to get a satisfying response. -# #Default: # maximum_single_addr_tries 1 @@ -4618,14 +5535,12 @@ icp_port 3130 # receiving an error response. This is mainly useful if you # are in a complex cache hierarchy to work around access # control errors. -# #Default: # retry_on_error off # TAG: as_whois_server # WHOIS server to query for AS numbers. NOTE: AS numbers are # queried only when Squid starts up, not for every request. -# #Default: # as_whois_server whois.ra.net # as_whois_server whois.ra.net @@ -4633,7 +5548,6 @@ icp_port 3130 # TAG: offline_mode # Enable this option and Squid will never try to validate cached # objects. -# #Default: # offline_mode off 
@@ -4656,42 +5570,30 @@ icp_port 3130 # chop: The request is allowed and the URI is chopped at the # first whitespace. This might also be considered a # violation. -# #Default: # uri_whitespace strip -# TAG: coredump_dir -# By default Squid leaves core files in the directory from where -# it was started. If you set 'coredump_dir' to a directory -# that exists, Squid will chdir() to that directory at startup -# and coredump files will be left there. -# -#Default: -# coredump_dir none -# -# Leave coredumps in the first cache dir -coredump_dir /var/log/squid - # TAG: chroot -# Use this to have Squid do a chroot() while initializing. This -# also causes Squid to fully drop root privileges after -# initializing. This means, for example, if you use a HTTP -# port less than 1024 and try to reconfigure, you will may get an -# error saying that Squid can not open the port. -# +# Specifies a directory where Squid should do a chroot() while +# initializing. This also causes Squid to fully drop root +# privileges after initializing. This means, for example, if you +# use a HTTP port less than 1024 and try to reconfigure, you may +# get an error saying that Squid can not open the port. #Default: # none # TAG: balance_on_multiple_ip +# Modern IP resolvers in squid sort lookup results by preferred access. +# By default squid will use these IP in order and only rotates to +# the next listed when the most preffered fails. +# # Some load balancing servers based on round robin DNS have been # found not to preserve user session state across requests # to different IP addresses. # -# By default Squid rotates IP's per request. By disabling -# this directive only connection failure triggers rotation. -# +# Enabling this directive Squid rotates IP's per request. #Default: -# balance_on_multiple_ip on +# balance_on_multiple_ip off # TAG: pipeline_prefetch # To boost the performance of pipelined requests to closer 
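Review bot: The only active directive in this hunk, `coredump_dir /var/log/squid`, is deleted together with its TAG block and nothing in the hunk sets a replacement, so unless the directive now appears earlier in the regenerated file Squid will write cores into whatever directory it was started from. A core of a proxy process can contain client credentials, request bodies and cached content, so it should land only in a directory owned by and readable solely by the squid user. Please confirm `coredump_dir` survives elsewhere in the new squid.conf; if it does not, re-add `coredump_dir /var/log/squid` (or point it at the cache directory with the same ownership) in the maintained section. Unrelated but easy to miss in the same hunk: `balance_on_multiple_ip` flips from `on` to `off` by default, which changes failover behaviour for sites behind round-robin DNS and may deserve a line in README.SBo.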
@@ -4700,7 +5602,6 @@ coredump_dir /var/log/squid # # Defaults to off for bandwidth management and access logging # reasons. -# #Default: # pipeline_prefetch off @@ -4708,7 +5609,6 @@ coredump_dir /var/log/squid # If the one-minute median response time exceeds this value, # Squid prints a WARNING with debug level 0 to get the # administrators attention. The value is in milliseconds. -# #Default: # high_response_time_warning 0 @@ -4717,7 +5617,6 @@ coredump_dir /var/log/squid # value, Squid prints a WARNING with debug level 0 to get # the administrators attention. The value is in page faults # per second. -# #Default: # high_page_fault_warning 0 @@ -4725,7 +5624,6 @@ coredump_dir /var/log/squid # If the memory usage (as determined by mallinfo) exceeds # this amount, Squid prints a WARNING with debug level 0 to get # the administrators attention. -# #Default: # high_memory_warning 0 KB @@ -4740,7 +5638,26 @@ coredump_dir /var/log/squid # until all the child processes have been started. # On Windows value less then 1000 (1 milliseconds) are # rounded to 1000. -# #Default: # sleep_after_fork 0 +# TAG: windows_ipaddrchangemonitor on|off +# On Windows Squid by default will monitor IP address changes and will +# reconfigure itself after any detected event. This is very useful for +# proxies connected to internet with dial-up interfaces. +# In some cases (a Proxy server acting as VPN gateway is one) it could be +# desiderable to disable this behaviour setting this to 'off'. +# Note: after changing this, Squid service must be restarted. +#Default: +# windows_ipaddrchangemonitor on + +# TAG: max_filedescriptors +# The maximum number of filedescriptors supported. +# +# The default "0" means Squid inherits the current ulimit setting. +# +# Note: Changing this requires a restart of Squid. Also +# not all comm loops supports large values. +#Default: +# max_filedescriptors 0 + diff --git a/network/squid/squid.info b/network/squid/squid.info index 3060b47a90..556255bd1f 100644 
--- a/network/squid/squid.info +++ b/network/squid/squid.info @@ -1,10 +1,10 @@ PRGNAM="squid" -VERSION="3.0.STABLE24" +VERSION="3.1.6" HOMEPAGE="http://www.squid-cache.org/" -DOWNLOAD="http://www.squid-cache.org/Versions/v3/3.0/squid-3.0.STABLE24.tar.bz2" -MD5SUM="325c8977b64397666bf538d54bb6f128" +DOWNLOAD="http://www.squid-cache.org/Versions/v3/3.1/squid-3.1.6.tar.bz2" +MD5SUM="e9e2e9a9b5a305ba717be93ebb85f245" DOWNLOAD_x86_64="" MD5SUM_x86_64="" MAINTAINER="David Somero" EMAIL="dsomero@hotmail.com" -APPROVED="Erik Hanson" +APPROVED="Michiel"