diff -ruN squid-2.6.STABLE15/ChangeLog squid-2.6.STABLE16/ChangeLog
--- squid-2.6.STABLE15/ChangeLog Fri Aug 31 08:48:33 2007
+++ squid-2.6.STABLE16/ChangeLog Wed Sep 5 16:06:14 2007
@@ -1,3 +1,19 @@
+Changes to squid-2.6.STABLE16 (5 Sep 2007)
+
+ - Test for sys/capability.h linux include file to avoid failing on
+ linux systems missing libcap
+ - Release private objects on cache rebuild
+ - Segfault in clientBuildReplyHeader when http->entry == NULL
+ - Bug #2072: digest_pw_auth fails when using plaintext passwords
+ - Bug #2073: assertion failed: client_side.c:4175: "buf != NULL ||
+ !conn->body.request on POST
+ - Adjust default pconn timeouts to avoid shutting down connection while
+ child sends request
+ - Bug #1980: cache_peer monitortimeout not working
+ - Bug #1882: Parent responses are not cached if sibling returns 504
+ - More squid.conf reordering to get the dependencies between options
+ sorted proper
+
Changes to squid-2.6.STABLE15 (31 Aug 2007)
- The select() I/O loop got broken by the /dev/poll addition
diff -ruN squid-2.6.STABLE15/RELEASENOTES.html squid-2.6.STABLE16/RELEASENOTES.html
--- squid-2.6.STABLE15/RELEASENOTES.html Fri Aug 31 08:55:49 2007
+++ squid-2.6.STABLE16/RELEASENOTES.html Wed Sep 5 16:26:15 2007
@@ -2,12 +2,12 @@
- Squid 2.6.STABLE15 release notes
+ Squid 2.6.STABLE16 release notes
-Squid 2.6.STABLE15 release notes
+Squid 2.6.STABLE16 release notes
-Squid Developers
$Id: release-2.6.html,v 1.44.2.11 2007/08/31 14:53:26 hno Exp $
+Squid Developers
$Id: release-2.6.html,v 1.44.2.13 2007/09/05 22:25:23 hno Exp $
This document contains the release notes for version 2.6 of Squid.
Squid is a WWW Cache application developed by the Web Caching community.
@@ -72,6 +72,9 @@
+
+
+
@@ -720,6 +723,22 @@
Bug #2066: chdir after chroot
See also the list of
squid-2.6.STABLE15 changes and the
+ChangeLog file for details.
+
+
+
+
+
+
+
+- Bug #2073: assertion failed: client_side.c:4175: "buf != NULL ||
+!conn->body.request on POST
+- Test for sys/capability.h linux include file to avoid failing on
+linux systems missing libcap
+- More squid.conf reordering to get the dependencies between options
+sorted proper
+- See also the list of
+squid-2.6.STABLE16 changes and the
ChangeLog file for details.
diff -ruN squid-2.6.STABLE15/configure squid-2.6.STABLE16/configure
--- squid-2.6.STABLE15/configure Fri Aug 31 08:55:13 2007
+++ squid-2.6.STABLE16/configure Wed Sep 5 16:25:42 2007
@@ -1,7 +1,7 @@
#! /bin/sh
-# From configure.in Revision: 1.416.2.18 .
+# From configure.in Revision: 1.416.2.20 .
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.61 for Squid Web Proxy 2.6.STABLE15.
+# Generated by GNU Autoconf 2.61 for Squid Web Proxy 2.6.STABLE16.
#
# Report bugs to .
#
@@ -575,8 +575,8 @@
# Identity of this package.
PACKAGE_NAME='Squid Web Proxy'
PACKAGE_TARNAME='squid'
-PACKAGE_VERSION='2.6.STABLE15'
-PACKAGE_STRING='Squid Web Proxy 2.6.STABLE15'
+PACKAGE_VERSION='2.6.STABLE16'
+PACKAGE_STRING='Squid Web Proxy 2.6.STABLE16'
PACKAGE_BUGREPORT='http://www.squid-cache.org/bugs/'
ac_default_prefix=/usr/local/squid
@@ -1314,7 +1314,7 @@
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures Squid Web Proxy 2.6.STABLE15 to adapt to many kinds of systems.
+\`configure' configures Squid Web Proxy 2.6.STABLE16 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1384,7 +1384,7 @@
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of Squid Web Proxy 2.6.STABLE15:";;
+ short | recursive ) echo "Configuration of Squid Web Proxy 2.6.STABLE16:";;
esac
cat <<\_ACEOF
@@ -1662,7 +1662,7 @@
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-Squid Web Proxy configure 2.6.STABLE15
+Squid Web Proxy configure 2.6.STABLE16
generated by GNU Autoconf 2.61
Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
@@ -1676,7 +1676,7 @@
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by Squid Web Proxy $as_me 2.6.STABLE15, which was
+It was created by Squid Web Proxy $as_me 2.6.STABLE16, which was
generated by GNU Autoconf 2.61. Invocation command line was
$ $0 $@
@@ -2349,7 +2349,7 @@
# Define the identity of the package.
PACKAGE='squid'
- VERSION='2.6.STABLE15'
+ VERSION='2.6.STABLE16'
cat >>confdefs.h <<_ACEOF
@@ -8014,6 +8014,7 @@
+
for ac_header in sys/types.h \
stddef.h \
limits.h \
@@ -8095,6 +8096,7 @@
db.h \
db_185.h \
aio.h \
+ sys/capability.h \
do
as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
@@ -27274,7 +27276,7 @@
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by Squid Web Proxy $as_me 2.6.STABLE15, which was
+This file was extended by Squid Web Proxy $as_me 2.6.STABLE16, which was
generated by GNU Autoconf 2.61. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -27327,7 +27329,7 @@
_ACEOF
cat >>$CONFIG_STATUS <<_ACEOF
ac_cs_version="\\
-Squid Web Proxy config.status 2.6.STABLE15
+Squid Web Proxy config.status 2.6.STABLE16
configured by $0, generated by GNU Autoconf 2.61,
with options \\"`echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\"
diff -ruN squid-2.6.STABLE15/configure.in squid-2.6.STABLE16/configure.in
--- squid-2.6.STABLE15/configure.in Fri Aug 31 08:55:13 2007
+++ squid-2.6.STABLE16/configure.in Wed Sep 5 16:25:42 2007
@@ -1,16 +1,16 @@
dnl
dnl Configuration input file for Squid
dnl
-dnl $Id: configure.in,v 1.416.2.18 2007/08/31 14:48:33 hno Exp $
+dnl $Id: configure.in,v 1.416.2.20 2007/09/05 22:06:14 hno Exp $
dnl
dnl
dnl
-AC_INIT(Squid Web Proxy, 2.6.STABLE15, http://www.squid-cache.org/bugs/, squid)
+AC_INIT(Squid Web Proxy, 2.6.STABLE16, http://www.squid-cache.org/bugs/, squid)
AC_PREREQ(2.52)
AM_CONFIG_HEADER(include/autoconf.h)
AC_CONFIG_AUX_DIR(cfgaux)
AM_INIT_AUTOMAKE
-AC_REVISION($Revision: 1.416.2.18 $)dnl
+AC_REVISION($Revision: 1.416.2.20 $)dnl
AC_PREFIX_DEFAULT(/usr/local/squid)
AM_MAINTAINER_MODE
@@ -1665,6 +1665,7 @@
db.h \
db_185.h \
aio.h \
+ sys/capability.h \
,,,[
#if HAVE_SYS_TYPES_H
#include
diff -ruN squid-2.6.STABLE15/helpers/digest_auth/password/text_backend.c squid-2.6.STABLE16/helpers/digest_auth/password/text_backend.c
--- squid-2.6.STABLE15/helpers/digest_auth/password/text_backend.c Mon May 15 19:21:29 2006
+++ squid-2.6.STABLE16/helpers/digest_auth/password/text_backend.c Sun Sep 2 20:45:38 2007
@@ -99,7 +99,7 @@
fprintf(stderr, "digest_pw_auth: ignoring invalid password for %s\n", user);
continue;
}
- u = xmalloc(sizeof(*u));
+ u = xcalloc(1, sizeof(*u));
if (realm) {
int len = strlen(user) + strlen(realm) + 2;
u->hash.key = malloc(len);
diff -ruN squid-2.6.STABLE15/include/autoconf.h.in squid-2.6.STABLE16/include/autoconf.h.in
--- squid-2.6.STABLE15/include/autoconf.h.in Sun Aug 12 06:41:06 2007
+++ squid-2.6.STABLE16/include/autoconf.h.in Sat Sep 1 18:14:59 2007
@@ -493,6 +493,9 @@
/* Define to 1 if you have the header file. */
#undef HAVE_SYS_BITYPES_H
+/* Define to 1 if you have the header file. */
+#undef HAVE_SYS_CAPABILITY_H
+
/* Define to 1 if you have the header file, and it defines `DIR'.
*/
#undef HAVE_SYS_DIR_H
diff -ruN squid-2.6.STABLE15/include/version.h squid-2.6.STABLE16/include/version.h
--- squid-2.6.STABLE15/include/version.h Fri Aug 31 08:55:13 2007
+++ squid-2.6.STABLE16/include/version.h Wed Sep 5 16:25:42 2007
@@ -9,5 +9,5 @@
*/
#ifndef SQUID_RELEASE_TIME
-#define SQUID_RELEASE_TIME 1188572108
+#define SQUID_RELEASE_TIME 1189031137
#endif
diff -ruN squid-2.6.STABLE15/src/Makefile.am squid-2.6.STABLE16/src/Makefile.am
--- squid-2.6.STABLE15/src/Makefile.am Fri Jun 22 06:07:35 2007
+++ squid-2.6.STABLE16/src/Makefile.am Wed Sep 5 15:50:15 2007
@@ -1,7 +1,7 @@
#
# Makefile for the Squid Object Cache server
#
-# $Id: Makefile.am,v 1.56.2.2 2007/06/22 12:07:35 adrian Exp $
+# $Id: Makefile.am,v 1.56.2.3 2007/09/05 21:50:15 hno Exp $
#
# Uncomment and customize the following to suit your needs:
#
@@ -310,6 +310,7 @@
EXTRA_DIST = \
cf_gen_defines \
cf.data.pre \
+ cf.data.depend \
mk-globals-c.pl \
mk-string-arrays.pl \
auth_modules.sh \
@@ -359,11 +360,12 @@
## If autodependency works well this is not needed anymore
cache_cf.o: cf_parser.h
+# squid.conf.default is built by cf_gen when making cf_parser.h
squid.conf.default: cf_parser.h
- $(SHELL) -c "test -f squid.conf.default || ./cf_gen cf.data"
+ true
cf_parser.h: cf.data cf_gen$(EXEEXT)
- ./cf_gen cf.data
+ ./cf_gen cf.data $(srcdir)/cf.data.depend
cf_gen_defines.h: $(srcdir)/cf_gen_defines $(srcdir)/cf.data.pre
awk -f $(srcdir)/cf_gen_defines <$(srcdir)/cf.data.pre >cf_gen_defines.h
diff -ruN squid-2.6.STABLE15/src/Makefile.in squid-2.6.STABLE16/src/Makefile.in
--- squid-2.6.STABLE15/src/Makefile.in Sun Aug 12 06:41:07 2007
+++ squid-2.6.STABLE16/src/Makefile.in Wed Sep 5 15:57:25 2007
@@ -17,7 +17,7 @@
#
# Makefile for the Squid Object Cache server
#
-# $Id: Makefile.in,v 1.281.2.3 2007/08/12 12:41:07 hno Exp $
+# $Id: Makefile.in,v 1.281.2.5 2007/09/05 21:57:25 hno Exp $
#
# Uncomment and customize the following to suit your needs:
#
@@ -610,6 +610,7 @@
EXTRA_DIST = \
cf_gen_defines \
cf.data.pre \
+ cf.data.depend \
mk-globals-c.pl \
mk-string-arrays.pl \
auth_modules.sh \
@@ -1221,11 +1222,12 @@
cache_cf.o: cf_parser.h
+# squid.conf.default is built by cf_gen when making cf_parser.h
squid.conf.default: cf_parser.h
- $(SHELL) -c "test -f squid.conf.default || ./cf_gen cf.data"
+ true
cf_parser.h: cf.data cf_gen$(EXEEXT)
- ./cf_gen cf.data
+ ./cf_gen cf.data $(srcdir)/cf.data.depend
cf_gen_defines.h: $(srcdir)/cf_gen_defines $(srcdir)/cf.data.pre
awk -f $(srcdir)/cf_gen_defines <$(srcdir)/cf.data.pre >cf_gen_defines.h
diff -ruN squid-2.6.STABLE15/src/cf.data.depend squid-2.6.STABLE16/src/cf.data.depend
--- squid-2.6.STABLE15/src/cf.data.depend Wed Dec 31 17:00:00 1969
+++ squid-2.6.STABLE16/src/cf.data.depend Wed Sep 5 15:50:15 2007
@@ -0,0 +1,54 @@
+# type dependencies
+access_log acl logformat
+acl external_acl_type auth_param
+acl_access acl
+acl_address acl
+acl_b_size_t acl
+acl_tos acl
+address
+authparam
+b_int64_t
+b_size_t
+cachedir cache_replacement_policy
+cachemgrpasswd
+debug
+delay_pool_access acl delay_class
+delay_pool_class delay_pools
+delay_pool_count
+delay_pool_rates delay_class
+denyinfo acl
+eol
+externalAclHelper auth_param
+hostdomain cache_peer
+hostdomaintype cache_peer
+http_header_access
+http_header_replace
+http_port_list
+https_port_list
+icap_access_type icap_class acl
+icap_class_type icap_service
+icap_service_type
+int
+kb_int64_t
+kb_size_t
+logformat
+onoff
+peer
+peer_access cache_peer acl
+refreshpattern
+removalpolicy
+size_t
+sockaddr_in_list
+string
+string
+time_t
+tristate
+uri_whitespace
+ushort
+wccp2_service
+wccp2_service_info
+wordlist
+body_size_t acl
+programline
+extension_method
+errormap
diff -ruN squid-2.6.STABLE15/src/cf.data.pre squid-2.6.STABLE16/src/cf.data.pre
--- squid-2.6.STABLE15/src/cf.data.pre Tue Aug 21 18:14:30 2007
+++ squid-2.6.STABLE16/src/cf.data.pre Wed Sep 5 15:50:15 2007
@@ -1,6 +1,6 @@
#
-# $Id: cf.data.pre,v 1.382.2.12 2007/08/22 00:14:30 hno Exp $
+# $Id: cf.data.pre,v 1.382.2.14 2007/09/05 21:50:15 hno Exp $
#
# SQUID Web Proxy Cache http://www.squid-cache.org/
# ----------------------------------------------------------
@@ -48,3269 +48,3291 @@
COMMENT_END
COMMENT_START
- NETWORK OPTIONS
+ OPTIONS FOR AUTHENTICATION
-----------------------------------------------------------------------------
COMMENT_END
-NAME: http_port ascii_port
-TYPE: http_port_list
+NAME: auth_param
+TYPE: authparam
+LOC: Config.authConfig
DEFAULT: none
-LOC: Config.Sockaddr.http
DOC_START
- Usage: port [options]
- hostname:port [options]
- 1.2.3.4:port [options]
-
- The socket addresses where Squid will listen for HTTP client
- requests. You may specify multiple socket addresses.
- There are three forms: port alone, hostname with port, and
- IP address with port. If you specify a hostname or IP
- address, Squid binds the socket to that specific
- address. This replaces the old 'tcp_incoming_address'
- option. Most likely, you do not need to bind to a specific
- address, so you can use the port number alone.
+ This is used to define parameters for the various authentication
+ schemes supported by Squid.
- If you are running Squid in accelerator mode, you
- probably want to listen on port 80 also, or instead.
+ format: auth_param scheme parameter [setting]
- You may specify multiple socket addresses on multiple lines.
+ The order in which authentication schemes are presented to the client is
+ dependent on the order the scheme first appears in config file. IE
+ has a bug (it's not RFC 2617 compliant) in that it will use the basic
+ scheme if basic is the first entry presented, even if more secure
+ schemes are presented. For now use the order in the recommended
+ settings section below. If other browsers have difficulties (don't
+ recognize the schemes offered even if you are using basic) either
+ put basic first, or disable the other schemes (by commenting out their
+ program entry).
- Options:
+ Once an authentication scheme is fully configured, it can only be
+ shutdown by shutting squid down and restarting. Changes can be made on
+ the fly and activated with a reconfigure. I.E. You can change to a
+ different helper, but not unconfigure the helper completely.
- transparent Support for transparent interception of
- outgoing requests without browser settings.
+ Please note that while this directive defines how Squid processes
+ authentication it does not automatically activate authentication.
+ To use authentication you must in addition make use of ACLs based
+ on login name in http_access (proxy_auth, proxy_auth_regex or
+ external with %LOGIN used in the format tag). The browser will be
+ challenged for authentication on the first such acl encountered
+ in http_access processing and will also be re-challenged for new
+ login credentials if the request is being denied by a proxy_auth
+ type acl.
- tproxy Support Linux TPROXY for spoofing outgoing
- connections using the client IP address.
+ WARNING: authentication can't be used in a transparently intercepting
+ proxy as the client then thinks it is talking to an origin server and
+ not the proxy. This is a limitation of bending the TCP/IP protocol to
+ transparently intercepting port 80, not a limitation in Squid.
- accel Accelerator mode. Also needs at least one
- of vhost/vport/defaultsite.
+ === Parameters for the basic scheme follow. ===
- defaultsite=domainname
- What to use for the Host: header if it is not present
- in a request. Determines what site (not origin server)
- accelerators should consider the default.
- Implies accel.
+ "program" cmdline
+ Specify the command for the external authenticator. Such a program
+ reads a line containing "username password" and replies "OK" or
+ "ERR" in an endless loop. "ERR" responses may optionally be followed
+ by a error description available as %m in the returned error page.
- vhost Accelerator mode using Host header for virtual
- domain support. Implies accel.
+ By default, the basic authentication scheme is not used unless a
+ program is specified.
- vport Accelerator with IP based virtual host support.
- Implies accel.
+ If you want to use the traditional proxy authentication, jump over to
+ the helpers/basic_auth/NCSA directory and type:
+ % make
+ % make install
- vport=NN As above, but uses specified port number rather
- than the http_port number. Implies accel.
+ Then, set this line to something like
- urlgroup= Default urlgroup to mark requests with (see
- also acl urlgroup and url_rewrite_program)
+ auth_param basic program @DEFAULT_PREFIX@/libexec/ncsa_auth @DEFAULT_PREFIX@/etc/passwd
- protocol= Protocol to reconstruct accelerated requests with.
- Defaults to http.
+ "children" numberofchildren
+ The number of authenticator processes to spawn. If you start too few
+ squid will have to wait for them to process a backlog of credential
+ verifications, slowing it down. When credential verifications are
+ done via a (slow) network you are likely to need lots of
+ authenticator processes.
+ auth_param basic children 5
- no-connection-auth
- Prevent forwarding of Microsoft connection oriented
- authentication (NTLM, Negotiate and Kerberos)
+ "concurrency" numberofconcurrentrequests
+ The number of concurrent requests/channels the helper supports.
+ Changes the protocol used to include a channel number first on
+ the request/response line, allowing multiple requests to be sent
+ to the same helper in parallell without wating for the response.
+ Must not be set unless it's known the helper supports this.
- If you run Squid on a dual-homed machine with an internal
- and an external interface we recommend you to specify the
- internal address:port in http_port. This way Squid will only be
- visible on the internal address.
+ "realm" realmstring
+ Specifies the realm name which is to be reported to the client for
+ the basic proxy authentication scheme (part of the text the user
+ will see when prompted their username and password).
+ auth_param basic realm Squid proxy-caching web server
-NOCOMMENT_START
-# Squid normally listens to port 3128
-http_port @DEFAULT_HTTP_PORT@
-NOCOMMENT_END
-DOC_END
+ "credentialsttl" timetolive
+ Specifies how long squid assumes an externally validated
+ username:password pair is valid for - in other words how often the
+ helper program is called for that user. Set this low to force
+ revalidation with short lived passwords. Note that setting this high
+ does not impact your susceptibility to replay attacks unless you are
+ using an one-time password system (such as SecureID). If you are using
+ such a system, you will be vulnerable to replay attacks unless you
+ also use the max_user_ip ACL in an http_access rule.
+ auth_param basic credentialsttl 2 hours
-NAME: https_port
-IFDEF: USE_SSL
-TYPE: https_port_list
-DEFAULT: none
-LOC: Config.Sockaddr.https
-DOC_START
- Usage: [ip:]port cert=certificate.pem [key=key.pem] [options...]
+ "casesensitive" on|off
+ Specifies if usernames are case sensitive. Most user databases are
+ case insensitive allowing the same username to be spelled using both
+ lower and upper case letters, but some are case sensitive. This
+ makes a big difference for user_max_ip ACL processing and similar.
+ auth_param basic casesensitive off
- The socket address where Squid will listen for HTTPS client
- requests.
+ "blankpassword" on|off
+ Specifies if blank passwords should be supported. Defaults to off
+ as there is multiple authentication backends which handles blank
+ passwords as "guest" access.
- This is really only useful for situations where you are running
- squid in accelerator mode and you want to do the SSL work at the
- accelerator level.
+ === Parameters for the digest scheme follow ===
- You may specify multiple socket addresses on multiple lines,
- each with their own SSL certificate and/or options.
+ "program" cmdline
+ Specify the command for the external authenticator. Such a program
+ reads a line containing "username":"realm" and replies with the
+ appropriate H(A1) value hex encoded or ERR if the user (or his H(A1)
+ hash) does not exists. See RFC 2616 for the definition of H(A1).
+ "ERR" responses may optionally be followed by a error description
+ available as %m in the returned error page.
- Options:
+ By default, the digest authentication scheme is not used unless a
+ program is specified.
- accel Accelerator mode. Also needs at least one of
- defaultsite or vhost.
+ If you want to use a digest authenticator, jump over to the
+ helpers/digest_auth/ directory and choose the authenticator to use.
+ It it's directory type
+ % make
+ % make install
- defaultsite= The name of the https site presented on
- this port. Implies accel.
+ Then, set this line to something like
- vhost Accelerator mode using Host header for virtual
- domain support. Requires a wildcard certificate
- or other certificate valid for more than one domain.
- Implies accel.
+ auth_param digest program @DEFAULT_PREFIX@/libexec/digest_auth_pw @DEFAULT_PREFIX@/etc/digpass
- urlgroup= Default urlgroup to mark requests with (see
- also acl urlgroup and url_rewrite_program).
+ "children" numberofchildren
+ The number of authenticator processes to spawn. If you start too few
+ squid will have to wait for them to process a backlog of credential
+ verifications, slowing it down. When credential verifications are
+ done via a (slow) network you are likely to need lots of
+ authenticator processes.
+ auth_param digest children 5
- protocol= Protocol to reconstruct accelerated requests with.
- Defaults to https.
+ "concurrency" numberofconcurrentrequests
+ The number of concurrent requests/channels the helper supports.
+ Changes the protocol used to include a channel number first on
+ the request/response line, allowing multiple requests to be sent
+ to the same helper in parallell without wating for the response.
+ Must not be set unless it's known the helper supports this.
- cert= Path to SSL certificate (PEM format).
+ "realm" realmstring
+ Specifies the realm name which is to be reported to the client for the
+ digest proxy authentication scheme (part of the text the user will see
+ when prompted their username and password).
+ auth_param digest realm Squid proxy-caching web server
- key= Path to SSL private key file (PEM format)
- if not specified, the certificate file is
- assumed to be a combined certificate and
- key file.
+ "nonce_garbage_interval" timeinterval
+ Specifies the interval that nonces that have been issued to clients are
+ checked for validity.
+ auth_param digest nonce_garbage_interval 5 minutes
- version= The version of SSL/TLS supported
- 1 automatic (default)
- 2 SSLv2 only
- 3 SSLv3 only
- 4 TLSv1 only
+ "nonce_max_duration" timeinterval
+ Specifies the maximum length of time a given nonce will be valid for.
+ auth_param digest nonce_max_duration 30 minutes
- cipher= Colon separated list of supported ciphers.
+ "nonce_max_count" number
+ Specifies the maximum number of times a given nonce can be used.
+ auth_param digest nonce_max_count 50
- options= Various SSL engine options. The most important
- being:
- NO_SSLv2 Disallow the use of SSLv2
- NO_SSLv3 Disallow the use of SSLv3
- NO_TLSv1 Disallow the use of TLSv1
- SINGLE_DH_USE Always create a new key when using
- temporary/ephemeral DH key exchanges
- See src/ssl_support.c or OpenSSL SSL_CTX_set_options
- documentation for a complete list of options.
+ "nonce_strictness" on|off
+ Determines if squid requires strict increment-by-1 behavior for nonce
+ counts, or just incrementing (off - for use when useragents generate
+ nonce counts that occasionally miss 1 (ie, 1,2,4,6)).
+ auth_param digest nonce_strictness off
- clientca= File containing the list of CAs to use when
- requesting a client certificate.
+ "check_nonce_count" on|off
+ This directive if set to off can disable the nonce count check
+ completely to work around buggy digest qop implementations in certain
+ mainstream browser versions. Default on to check the nonce count to
+ protect from authentication replay attacks.
+ auth_param digest check_nonce_count on
- cafile= File containing additional CA certificates to
- use when verifying client certificates. If unset
- clientca will be used.
+ "post_workaround" on|off
+ This is a workaround to certain buggy browsers who sends an incorrect
+ request digest in POST requests when reusing the same nonce as acquired
+ earlier in response to a GET request.
+ auth_param digest post_workaround off
- capath= Directory containing additional CA certificates
- and CRL lists to use when verifying client certificates.
+ === NTLM scheme options follow ===
- crlfile= File of additional CRL lists to use when verifying
- the client certificate, in addition to CRLs stored in
- the capath. Implies VERIFY_CRL flag below.
-
- dhparams= File containing DH parameters for temporary/ephemeral
- DH key exchanges.
-
- sslflags= Various flags modifying the use of SSL:
- DELAYED_AUTH
- Don't request client certificates
- immediately, but wait until acl processing
- requires a certificate (not yet implemented).
- NO_DEFAULT_CA
- Don't use the default CA lists built in
- to OpenSSL.
- NO_SESSION_REUSE
- Don't allow for session reuse. Each connection
- will result in a new SSL session.
- VERIFY_CRL
- Verify CRL lists when accepting client
- certificates.
- VERIFY_CRL_ALL
- Verify CRL lists for all certificates in the
- client certificate chain.
+ "program" cmdline
+ Specify the command for the external NTLM authenticator. Such a
+ program participates in the NTLMSSP exchanges between Squid and the
+ client and reads commands according to the Squid NTLMSSP helper
+ protocol. See helpers/ntlm_auth/ for details. Recommended ntlm
+ authenticator is ntlm_auth from Samba-3.X, but a number of other
+ ntlm authenticators is available.
- sslcontext= SSL session ID context identifier.
+ By default, the ntlm authentication scheme is not used unless a
+ program is specified.
- vport Accelerator with IP based virtual host support.
+ auth_param ntlm program /path/to/samba/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
- vport=NN As above, but uses specified port number rather
- than the https_port number. Implies accel.
+ "children" numberofchildren
+ The number of authenticator processes to spawn. If you start too few
+ squid will have to wait for them to process a backlog of credential
+ verifications, slowing it down. When credential verifications are
+ done via a (slow) network you are likely to need lots of
+ authenticator processes.
+ auth_param ntlm children 5
-DOC_END
+ "keep_alive" on|off
+ This option enables the use of keep-alive on the initial
+ authentication request. It has been reported some versions of MSIE
+ have problems if this is enabled, but performance will be increased
+ if enabled.
-COMMENT_START
- SSL OPTIONS
- -----------------------------------------------------------------------------
-COMMENT_END
+ auth_param ntlm keep_alive on
-NAME: ssl_unclean_shutdown
-IFDEF: USE_SSL
-TYPE: onoff
-DEFAULT: off
-LOC: Config.SSL.unclean_shutdown
-DOC_START
- Some browsers (especially MSIE) bugs out on SSL shutdown
- messages.
-DOC_END
+ === Negotiate scheme options follow ===
-NAME: ssl_engine
-IFDEF: USE_SSL
-TYPE: string
-LOC: Config.SSL.ssl_engine
-DEFAULT: none
-DOC_START
- The OpenSSL engine to use. You will need to set this if you
- would like to use hardware SSL acceleration for example.
-DOC_END
+ "program" cmdline
+ Specify the command for the external Negotiate authenticator. Such a
+ program participates in the SPNEGO exchanges between Squid and the
+ client and reads commands according to the Squid ntlmssp helper
+ protocol. See helpers/ntlm_auth/ for details. Recommended SPNEGO
+ authenticator is ntlm_auth from Samba-4.X.
-NAME: sslproxy_client_certificate
-IFDEF: USE_SSL
-DEFAULT: none
-LOC: Config.ssl_client.cert
-TYPE: string
-DOC_START
- Client SSL Certificate to use when proxying https:// URLs
-DOC_END
+ By default, the Negotiate authentication scheme is not used unless a
+ program is specified.
-NAME: sslproxy_client_key
-IFDEF: USE_SSL
-DEFAULT: none
-LOC: Config.ssl_client.key
-TYPE: string
-DOC_START
- Client SSL Key to use when proxying https:// URLs
-DOC_END
+ auth_param negotiate program /path/to/samba/bin/ntlm_auth --helper-protocol=gss-spnego
-NAME: sslproxy_version
-IFDEF: USE_SSL
-DEFAULT: 1
-LOC: Config.ssl_client.version
-TYPE: int
-DOC_START
- SSL version level to use when proxying https:// URLs
-DOC_END
+ "children" numberofchildren
+ The number of authenticator processes to spawn. If you start too few
+ squid will have to wait for them to process a backlog of credential
+ verifications, slowing it down. When credential verifications are
+ done via a (slow) network you are likely to need lots of
+ authenticator processes.
+ auth_param negotiate children 5
-NAME: sslproxy_options
-IFDEF: USE_SSL
-DEFAULT: none
-LOC: Config.ssl_client.options
-TYPE: string
-DOC_START
- SSL engine options to use when proxying https:// URLs
-DOC_END
+ "keep_alive" on|off
+ If you experience problems with PUT/POST requests when using the
+ Negotiate authentication scheme then you can try setting this to
+ off. This will cause Squid to forcibly close the connection on
+ the initial requests where the browser asks which schemes are
+ supported by the proxy.
-NAME: sslproxy_cipher
-IFDEF: USE_SSL
-DEFAULT: none
-LOC: Config.ssl_client.cipher
-TYPE: string
-DOC_START
- SSL cipher list to use when proxying https:// URLs
-DOC_END
+ auth_param negotiate keep_alive on
-NAME: sslproxy_cafile
-IFDEF: USE_SSL
-DEFAULT: none
-LOC: Config.ssl_client.cafile
-TYPE: string
-DOC_START
- file containing CA certificates to use when verifying server
- certificates while proxying https:// URLs
+NOCOMMENT_START
+#Recommended minimum configuration per scheme:
+#auth_param negotiate program
+#auth_param negotiate children 5
+#auth_param negotiate keep_alive on
+#auth_param ntlm program
+#auth_param ntlm children 5
+#auth_param ntlm keep_alive on
+#auth_param digest program
+#auth_param digest children 5
+#auth_param digest realm Squid proxy-caching web server
+#auth_param digest nonce_garbage_interval 5 minutes
+#auth_param digest nonce_max_duration 30 minutes
+#auth_param digest nonce_max_count 50
+#auth_param basic program
+#auth_param basic children 5
+#auth_param basic realm Squid proxy-caching web server
+#auth_param basic credentialsttl 2 hours
+#auth_param basic casesensitive off
+NOCOMMENT_END
DOC_END
-NAME: sslproxy_capath
-IFDEF: USE_SSL
-DEFAULT: none
-LOC: Config.ssl_client.capath
-TYPE: string
+NAME: authenticate_cache_garbage_interval
+TYPE: time_t
+DEFAULT: 1 hour
+LOC: Config.authenticateGCInterval
DOC_START
- directory containing CA certificates to use when verifying
- server certificates while proxying https:// URLs
+ The time period between garbage collection across the username cache.
+ This is a tradeoff between memory utilization (long intervals - say
+ 2 days) and CPU (short intervals - say 1 minute). Only change if you
+ have good reason to.
DOC_END
-NAME: sslproxy_flags
-IFDEF: USE_SSL
-DEFAULT: none
-LOC: Config.ssl_client.flags
-TYPE: string
+NAME: authenticate_ttl
+TYPE: time_t
+DEFAULT: 1 hour
+LOC: Config.authenticateTTL
DOC_START
- Various flags modifying the use of SSL while proxying https:// URLs:
- DONT_VERIFY_PEER Accept certificates even if they fail to
- verify.
- NO_DEFAULT_CA Don't use the default CA list built in
- to OpenSSL.
+ The time a user & their credentials stay in the logged in user cache
+ since their last request. When the garbage interval passes, all user
+ credentials that have passed their TTL are removed from memory.
DOC_END
-NAME: sslpassword_program
-IFDEF: USE_SSL
-DEFAULT: none
-LOC: Config.Program.ssl_password
-TYPE: string
+NAME: authenticate_ip_ttl
+TYPE: time_t
+LOC: Config.authenticateIpTTL
+DEFAULT: 0 seconds
DOC_START
- Specify a program used for entering SSL key passphrases
- when using encrypted SSL certificate keys. If not specified
- keys must either be unencrypted, or Squid started with the -N
- option to allow it to query interactively for the passphrase.
+ If you use proxy authentication and the 'max_user_ip' ACL, this
+ directive controls how long Squid remembers the IP addresses
+ associated with each user. Use a small value (e.g., 60 seconds) if
+ your users might change addresses quickly, as is the case with
+ dialups. You might be safe using a larger value (e.g., 2 hours) in a
+ corporate LAN environment with relatively static address assignments.
DOC_END
COMMENT_START
- OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
+ ACCESS CONTROLS
-----------------------------------------------------------------------------
COMMENT_END
-NAME: cache_peer
-TYPE: peer
+NAME: external_acl_type
+TYPE: externalAclHelper
+LOC: Config.externalAclHelperList
DEFAULT: none
-LOC: Config.peers
DOC_START
- To specify other caches in a hierarchy, use the format:
-
- cache_peer hostname type http-port icp-port [options]
+ This option defines external acl classes using a helper program to
+ look up the status
- For example,
+ external_acl_type name [options] FORMAT.. /path/to/helper [helper arguments..]
- # proxy icp
- # hostname type port port options
- # -------------------- -------- ----- ----- -----------
- cache_peer parent.foo.net parent 3128 3130 proxy-only default
- cache_peer sib1.foo.net sibling 3128 3130 proxy-only
- cache_peer sib2.foo.net sibling 3128 3130 proxy-only
+ Options:
- type: either 'parent', 'sibling', or 'multicast'.
+ ttl=n TTL in seconds for cached results (defaults to 3600
+ for 1 hour)
+ negative_ttl=n
+ TTL for cached negative lookups (default same
+ as ttl)
+ children=n number of processes spawn to service external acl
+ lookups of this type. (default 5).
+ concurrency=n concurrency level per process. Only used with helpers
+ capable of processing more than one query at a time.
+ Note: see compatibility note below
+ cache=n result cache size, 0 is unbounded (default)
+ grace= Percentage remaining of TTL where a refresh of a
+ cached entry should be initiated without needing to
+ wait for a new reply. (default 0 for no grace period)
+ protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers
- proxy-port: The port number where the cache listens for proxy
- requests.
+ FORMAT specifications
- icp-port: Used for querying neighbor caches about
- objects. To have a non-ICP neighbor
- specify '7' for the ICP port and make sure the
- neighbor machine has the UDP echo port
- enabled in its /etc/inetd.conf file.
- NOTE: Also requires icp_port option enabled to send/receive
- requests via this method.
+ %LOGIN Authenticated user login name
+ %EXT_USER Username from external acl
+ %IDENT Ident user name
+ %SRC Client IP
+ %SRCPORT Client source port
+ %DST Requested host
+ %PROTO Requested protocol
+ %PORT Requested port
+ %METHOD Request method
+ %MYADDR Squid interface address
+ %MYPORT Squid http_port number
+ %PATH Requested URL-path (including query-string if any)
+ %USER_CERT SSL User certificate in PEM format
+ %USER_CERTCHAIN SSL User certificate chain in PEM format
+ %USER_CERT_xx SSL User certificate subject attribute xx
+ %USER_CA_xx SSL User certificate issuer attribute xx
+ %{Header} HTTP request header
+ %{Hdr:member} HTTP request header list member
+ %{Hdr:;member}
+ HTTP request header list member using ; as
+ list separator. ; can be any non-alphanumeric
+ character.
+ %ACL The ACL name
+ %DATA The ACL arguments. If not used then any arguments
+ is automatically added at the end
- options: proxy-only
- weight=n
- ttl=n
- no-query
- default
- round-robin
- carp
- multicast-responder
- closest-only
- no-digest
- no-netdb-exchange
- no-delay
- login=user:password | PASS | *:password
- connect-timeout=nn
- digest-url=url
- allow-miss
- max-conn=n
- htcp
- htcp-oldsquid
- originserver
- userhash
- sourcehash
- name=xxx
- monitorurl=url
- monitorsize=sizespec
- monitorinterval=seconds
- monitortimeout=seconds
- forceddomain=name
- ssl
- sslcert=/path/to/ssl/certificate
- sslkey=/path/to/ssl/key
- sslversion=1|2|3|4
- sslcipher=...
- ssloptions=...
- front-end-https[=on|auto]
- connection-auth[=on|off|auto]
+ In addition to the above, any string specified in the referencing
+ acl will also be included in the helper request line, after the
+ specified formats (see the "acl external" directive)
- use 'proxy-only' to specify objects fetched
- from this cache should not be saved locally.
+ The helper receives lines per the above format specification,
+ and returns lines starting with OK or ERR indicating the validity
+ of the request and optionally followed by additional keywords with
+ more details.
- use 'weight=n' to affect the selection of a peer
- during any weighted peer-selection mechanisms.
- The weight must be an integer; default is 1,
- larger weights are favored more.
- This option does not affect parent selection if a peering
- protocol is not in use.
+ General result syntax:
- use 'ttl=n' to specify a IP multicast TTL to use
- when sending an ICP queries to this address.
- Only useful when sending to a multicast group.
- Because we don't accept ICP replies from random
- hosts, you must configure other group members as
- peers with the 'multicast-responder' option below.
+ OK/ERR keyword=value ...
- use 'no-query' to NOT send ICP queries to this
- neighbor.
+ Defined keywords:
- use 'default' if this is a parent cache which can
- be used as a "last-resort" if a peer cannot be located
- by any of the peer-selection mechanisms.
- If specified more than once, only the first is used.
+ user= The users name (login also understood)
+ password= The users password (for PROXYPASS login= cache_peer)
+ message= Error message or similar used as %o in error messages
+ (error also understood)
+ log= String to be logged in access.log. Available as
+ %ea in logformat specifications
- use 'round-robin' to define a set of parents which
- should be used in a round-robin fashion in the
- absence of any ICP queries.
+ If protocol=3.0 (the default) then URL escaping is used to protect
+ each value in both requests and responses.
- use 'carp' to define a set of parents which should
- be used as a CARP array. The requests will be
- distributed among the parents based on the CARP load
- balancing hash function based on their weight.
+ If using protocol=2.5 then all values need to be enclosed in quotes
+ if they may contain whitespace, or the whitespace escaped using \.
+ And quotes or \ characters within the keyword value must be \ escaped.
- 'multicast-responder' indicates the named peer
- is a member of a multicast group. ICP queries will
- not be sent directly to the peer, but ICP replies
- will be accepted from it.
+ When using the concurrency= option the protocol is changed by
+ introducing a query channel tag infront of the request/response.
+ The query channel tag is a number between 0 and concurrency-1.
- 'closest-only' indicates that, for ICP_OP_MISS
- replies, we'll only forward CLOSEST_PARENT_MISSes
- and never FIRST_PARENT_MISSes.
+ Compatibility Note: The children= option was named concurrency= in
+ Squid-2.5.STABLE3 and earlier, and was accepted as an alias for the
+ duration of the Squid-2.5 releases to keep compatibility. However,
+ the meaning of concurrency= option has changed in Squid-2.6 to match
+ that of Squid-3 and the old syntax no longer works.
+DOC_END
- use 'no-digest' to NOT request cache digests from
- this neighbor.
+NAME: acl
+TYPE: acl
+LOC: Config.aclList
+DEFAULT: none
+DOC_START
+ Defining an Access List
- 'no-netdb-exchange' disables requesting ICMP
- RTT database (NetDB) from the neighbor.
+ acl aclname acltype string1 ...
+ acl aclname acltype "file" ...
- use 'no-delay' to prevent access to this neighbor
- from influencing the delay pools.
+ when using "file", the file should contain one item per line
- use 'login=user:password' if this is a personal/workgroup
- proxy and your parent requires proxy authentication.
- Note: The string can include URL escapes (i.e. %20 for
- spaces). This also means % must be written as %%.
+ acltype is one of the types described below
- use 'login=PASS' if users must authenticate against
- the upstream proxy or in the case of a reverse proxy
- configuration, the origin web server. This will pass
- the users credentials as they are to the peer.
- Note: To combine this with local authentication the Basic
- authentication scheme must be used, and both servers must
- share the same user database as HTTP only allows for
- a single login (one for proxy, one for origin server).
- Also be warned this will expose your users proxy
- password to the peer. USE WITH CAUTION
+ By default, regular expressions are CASE-SENSITIVE. To make
+ them case-insensitive, use the -i option.
- use 'login=*:password' to pass the username to the
- upstream cache, but with a fixed password. This is meant
- to be used when the peer is in another administrative
- domain, but it is still needed to identify each user.
- The star can optionally be followed by some extra
- information which is added to the username. This can
- be used to identify this proxy to the peer, similar to
- the login=username:password option above.
+ acl aclname src ip-address/netmask ... (clients IP address)
+ acl aclname src addr1-addr2/netmask ... (range of addresses)
+ acl aclname dst ip-address/netmask ... (URL host's IP address)
+ acl aclname myip ip-address/netmask ... (local socket IP address)
- use 'connect-timeout=nn' to specify a peer
- specific connect timeout (also see the
- peer_connect_timeout directive)
+ acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation)
+ # The arp ACL requires the special configure option --enable-arp-acl.
+ # Furthermore, the arp ACL code is not portable to all operating systems.
+ # It works on Linux, Solaris, FreeBSD and some other *BSD variants.
+ #
+ # NOTE: Squid can only determine the MAC address for clients that are on
+ # the same subnet. If the client is on a different subnet, then Squid cannot
+ # find out its MAC address.
- use 'digest-url=url' to tell Squid to fetch the cache
- digest (if digests are enabled) for this host from
- the specified URL rather than the Squid default
- location.
+ acl aclname srcdomain .foo.com ... # reverse lookup, client IP
+ acl aclname dstdomain .foo.com ... # Destination server from URL
+ acl aclname srcdom_regex [-i] xxx ... # regex matching client name
+ acl aclname dstdom_regex [-i] xxx ... # regex matching server
+ # For dstdomain and dstdom_regex a reverse lookup is tried if a IP
+ # based URL is used and no match is found. The name "none" is used
+ # if the reverse lookup fails.
- use 'allow-miss' to disable Squid's use of only-if-cached
- when forwarding requests to siblings. This is primarily
- useful when icp_hit_stale is used by the sibling. To
- extensive use of this option may result in forwarding
- loops, and you should avoid having two-way peerings
- with this option. (for example to deny peer usage on
- requests from peer by denying cache_peer_access if the
- source is a peer)
+ acl aclname time [day-abbrevs] [h1:m1-h2:m2]
+ day-abbrevs:
+ S - Sunday
+ M - Monday
+ T - Tuesday
+ W - Wednesday
+ H - Thursday
+ F - Friday
+ A - Saturday
+ h1:m1 must be less than h2:m2
+ acl aclname url_regex [-i] ^http:// ... # regex matching on whole URL
+ acl aclname urlpath_regex [-i] \.gif$ ... # regex matching on URL path
+ acl aclname urllogin [-i] [^a-zA-Z0-9] ... # regex matching on URL login field
+ acl aclname port 80 70 21 ...
+ acl aclname port 0-1024 ... # ranges allowed
+ acl aclname myport 3128 ... # (local socket TCP port)
+ acl aclname proto HTTP FTP ...
+ acl aclname method GET POST ...
+ acl aclname browser [-i] regexp ...
+ # pattern match on User-Agent header (see also req_header below)
+ acl aclname referer_regex [-i] regexp ...
+ # pattern match on Referer header
+ # Referer is highly unreliable, so use with care
+ acl aclname ident username ...
+ acl aclname ident_regex [-i] pattern ...
+ # string match on ident output.
+ # use REQUIRED to accept any non-null ident.
+ acl aclname src_as number ...
+ acl aclname dst_as number ...
+ # Except for access control, AS numbers can be used for
+ # routing of requests to specific caches. Here's an
+ # example for routing all requests for AS#1241 and only
+ # those to mycache.mydomain.net:
+ # acl asexample dst_as 1241
+ # cache_peer_access mycache.mydomain.net allow asexample
+ # cache_peer_access mycache_mydomain.net deny all
- use 'max-conn=n' to limit the amount of connections Squid
- may open to this peer.
+ acl aclname proxy_auth [-i] username ...
+ acl aclname proxy_auth_regex [-i] pattern ...
+ # list of valid usernames
+ # use REQUIRED to accept any valid username.
+ #
+ # NOTE: when a Proxy-Authentication header is sent but it is not
+ # needed during ACL checking the username is NOT logged
+ # in access.log.
+ #
+ # NOTE: proxy_auth requires a EXTERNAL authentication program
+ # to check username/password combinations (see
+ # auth_param directive).
+ #
+ # NOTE: proxy_auth can't be used in a transparent proxy as
+ # the browser needs to be configured for using a proxy in order
+ # to respond to proxy authentication.
+
+ acl aclname snmp_community string ...
+ # A community string to limit access to your SNMP Agent
+ # Example:
+ #
+ # acl snmppublic snmp_community public
+
+ acl aclname maxconn number
+ # This will be matched when the client's IP address has
+ # more than HTTP connections established.
+
+ acl aclname max_user_ip [-s] number
+ # This will be matched when the user attempts to log in from more
+ # than different ip addresses. The authenticate_ip_ttl
+ # parameter controls the timeout on the ip entries.
+ # If -s is specified the limit is strict, denying browsing
+ # from any further IP addresses until the ttl has expired. Without
+ # -s Squid will just annoy the user by "randomly" denying requests.
+ # (the counter is reset each time the limit is reached and a
+ # request is denied)
+ # NOTE: in acceleration mode or where there is mesh of child proxies,
+ # clients may appear to come from multiple addresses if they are
+ # going through proxy farms, so a limit of 1 may cause user problems.
+
+ acl aclname req_mime_type mime-type1 ...
+ # regex match against the mime type of the request generated
+ # by the client. Can be used to detect file upload or some
+ # types HTTP tunneling requests.
+ # NOTE: This does NOT match the reply. You cannot use this
+ # to match the returned file type.
+
+ acl aclname req_header header-name [-i] any\.regex\.here
+ # regex match against any of the known request headers. May be
+ # thought of as a superset of "browser", "referer" and "mime-type"
+ # ACLs.
+
+ acl aclname rep_mime_type mime-type1 ...
+ # regex match against the mime type of the reply received by
+ # squid. Can be used to detect file download or some
+ # types HTTP tunneling requests.
+ # NOTE: This has no effect in http_access rules. It only has
+ # effect in rules that affect the reply data stream such as
+ # http_reply_access.
+
+ acl aclname rep_header header-name [-i] any\.regex\.here
+ # regex match against any of the known reply headers. May be
+ # thought of as a superset of "browser", "referer" and "mime-type"
+ # ACLs.
+ #
+ # Example:
+ #
+ # acl many_spaces rep_header Content-Disposition -i [[:space:]]{3,}
+
+ acl acl_name external class_name [arguments...]
+ # external ACL lookup via a helper class defined by the
+ # external_acl_type directive.
+
+ acl urlgroup group1 ...
+ # match against the urlgroup as indicated by redirectors
+
+ acl aclname user_cert attribute values...
+ # match against attributes in a user SSL certificate
+ # attribute is one of DN/C/O/CN/L/ST
+
+ acl aclname ca_cert attribute values...
+ # match against attributes a users issuing CA SSL certificate
+ # attribute is one of DN/C/O/CN/L/ST
+
+ acl aclname ext_user username ...
+ acl aclname ext_user_regex [-i] pattern ...
+ # string match on username returned by external acl helper
+ # use REQUIRED to accept any non-null user name.
+
+Examples:
+acl macaddress arp 09:00:2b:23:45:67
+acl myexample dst_as 1241
+acl password proxy_auth REQUIRED
+acl fileupload req_mime_type -i ^multipart/form-data$
+acl javascript rep_mime_type -i ^application/x-javascript$
+
+NOCOMMENT_START
+#Recommended minimum configuration:
+acl all src 0.0.0.0/0.0.0.0
+acl manager proto cache_object
+acl localhost src 127.0.0.1/255.255.255.255
+acl to_localhost dst 127.0.0.0/8
+acl SSL_ports port 443
+acl Safe_ports port 80 # http
+acl Safe_ports port 21 # ftp
+acl Safe_ports port 443 # https
+acl Safe_ports port 70 # gopher
+acl Safe_ports port 210 # wais
+acl Safe_ports port 1025-65535 # unregistered ports
+acl Safe_ports port 280 # http-mgmt
+acl Safe_ports port 488 # gss-http
+acl Safe_ports port 591 # filemaker
+acl Safe_ports port 777 # multiling http
+acl CONNECT method CONNECT
+NOCOMMENT_END
+DOC_END
+
+NAME: http_access
+TYPE: acl_access
+LOC: Config.accessList.http
+DEFAULT: none
+DEFAULT_IF_NONE: deny all
+DOC_START
+ Allowing or Denying access based on defined access lists
+
+ Access to the HTTP port:
+ http_access allow|deny [!]aclname ...
+
+ NOTE on default values:
+
+ If there are no "access" lines present, the default is to deny
+ the request.
+
+ If none of the "access" lines cause a match, the default is the
+ opposite of the last line in the list. If the last line was
+ deny, the default is allow. Conversely, if the last line
+ is allow, the default will be deny. For these reasons, it is a
+ good idea to have an "deny all" or "allow all" entry at the end
+ of your access lists to avoid potential confusion.
+
+NOCOMMENT_START
+#Recommended minimum configuration:
+#
+# Only allow cachemgr access from localhost
+http_access allow manager localhost
+http_access deny manager
+# Deny requests to unknown ports
+http_access deny !Safe_ports
+# Deny CONNECT to other than SSL ports
+http_access deny CONNECT !SSL_ports
+#
+# We strongly recommend the following be uncommented to protect innocent
+# web applications running on the proxy server who think the only
+# one who can access services on "localhost" is a local user
+#http_access deny to_localhost
+#
+# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
+
+# Example rule allowing access from your local networks. Adapt
+# to list your (internal) IP networks from where browsing should
+# be allowed
+#acl our_networks src 192.168.1.0/24 192.168.2.0/24
+#http_access allow our_networks
- use 'htcp' to send HTCP, instead of ICP, queries
- to the neighbor. You probably also want to
- set the "icp port" to 4827 instead of 3130.
+# And finally deny all other access to this proxy
+http_access deny all
+NOCOMMENT_END
+DOC_END
- use 'htcp-oldsquid' to send HTCP to old Squid versions
+NAME: http_access2
+TYPE: acl_access
+LOC: Config.accessList.http2
+DEFAULT: none
+DOC_START
+ Allowing or Denying access based on defined access lists
- 'originserver' causes this parent peer to be contacted as
- a origin server. Meant to be used in accelerator setups.
+ Identical to http_access, but runs after redirectors. If not set
+ then only http_access is used.
+DOC_END
- use 'userhash' to load-balance amongst a set of parents
- based on the client proxy_auth or ident username.
+NAME: http_reply_access
+TYPE: acl_access
+LOC: Config.accessList.reply
+DEFAULT: none
+DEFAULT_IF_NONE: allow all
+DOC_START
+ Allow replies to client requests. This is complementary to http_access.
- use 'sourcehash' to load-balance amongst a set of parents
- based on the client source ip.
+ http_reply_access allow|deny [!] aclname ...
- use 'name=xxx' if you have multiple peers on the same
- host but different ports. This name can be used to
- differentiate the peers in cache_peer_access and similar
- directives.
+ NOTE: if there are no access lines present, the default is to allow
+ all replies
- use 'monitorurl=url' to have periodically request a given
- URL from the peer, and only consider the peer as alive
- if this monitoring is successful (default none)
+ If none of the access lines cause a match the opposite of the
+ last line will apply. Thus it is good practice to end the rules
+ with an "allow all" or "deny all" entry.
+DOC_END
- use 'monitorsize=min[-max]' to limit the size range of
- 'monitorurl' replies considered valid. Defaults to 0 to
- accept any size replies as valid.
+NAME: icp_access
+TYPE: acl_access
+LOC: Config.accessList.icp
+DEFAULT: none
+DEFAULT_IF_NONE: deny all
+DOC_START
+ Allowing or Denying access to the ICP port based on defined
+ access lists
- use 'monitorinterval=seconds' to change frequency of
- how often the peer is monitored with 'monitorurl'
- (default 300 for a 5 minute interval). If set to 0
- then monitoring is disabled even if a URL is defined.
+ icp_access allow|deny [!]aclname ...
- use 'monitortimeout=seconds' to change the timeout of
- 'monitorurl'. Defaults to 'monitorinterval'.
+ See http_access for details
- use 'forceddomain=name' to forcibly set the Host header
- of requests forwarded to this peer. Useful in accelerator
- setups where the server (peer) expects a certain domain
- name and using redirectors to feed this domain name
- is not feasible.
+NOCOMMENT_START
+#Allow ICP queries from everyone
+icp_access allow all
+NOCOMMENT_END
+DOC_END
- use 'ssl' to indicate connections to this peer should
- be SSL/TLS encrypted.
+NAME: htcp_access
+IFDEF: USE_HTCP
+TYPE: acl_access
+LOC: Config.accessList.htcp
+DEFAULT: none
+DEFAULT_IF_NONE: deny all
+DOC_START
+ Allowing or Denying access to the HTCP port based on defined
+ access lists
- use 'sslcert=/path/to/ssl/certificate' to specify a client
- SSL certificate to use when connecting to this peer.
+ htcp_access allow|deny [!]aclname ...
- use 'sslkey=/path/to/ssl/key' to specify the private SSL
- key corresponding to sslcert above. If 'sslkey' is not
- specified 'sslcert' is assumed to reference a
- combined file containing both the certificate and the key.
+ See http_access for details
- use sslversion=1|2|3|4 to specify the SSL version to use
- when connecting to this peer
- 1 = automatic (default)
- 2 = SSL v2 only
- 3 = SSL v3 only
- 4 = TLS v1 only
+#Allow HTCP queries from everyone
+htcp_access allow all
+DOC_END
- use sslcipher=... to specify the list of valid SSL ciphers
- to use when connecting to this peer.
+NAME: htcp_clr_access
+IFDEF: USE_HTCP
+TYPE: acl_access
+LOC: Config.accessList.htcp_clr
+DEFAULT: none
+DEFAULT_IF_NONE: deny all
+DOC_START
+ Allowing or Denying access to purge content using HTCP based
+ on defined access lists
- use ssloptions=... to specify various SSL engine options:
- NO_SSLv2 Disallow the use of SSLv2
- NO_SSLv3 Disallow the use of SSLv3
- NO_TLSv1 Disallow the use of TLSv1
- See src/ssl_support.c or the OpenSSL documentation for
- a more complete list.
+ htcp_clr_access allow|deny [!]aclname ...
- use sslcafile=... to specify a file containing
- additional CA certificates to use when verifying the
- peer certificate.
+ See http_access for details
- use sslcapath=... to specify a directory containing
- additional CA certificates to use when verifying the
- peer certificate.
+#Allow HTCP CLR requests from trusted peers
+acl htcp_clr_peer src 172.16.1.2
+htcp_clr_access allow htcp_clr_peer
+DOC_END
- use sslcrlfile=... to specify a certificate revocation
- list file to use when verifying the peer certificate.
+NAME: miss_access
+TYPE: acl_access
+LOC: Config.accessList.miss
+DEFAULT: none
+DOC_START
+ Use to force your neighbors to use you as a sibling instead of
+ a parent. For example:
- use sslflags=... to specify various flags modifying the
- SSL implementation:
- DONT_VERIFY_PEER
- Accept certificates even if they fail to
- verify.
- NO_DEFAULT_CA
- Don't use the default CA list built in
- to OpenSSL.
+ acl localclients src 172.16.0.0/16
+ miss_access allow localclients
+ miss_access deny !localclients
- use ssldomain= to specify the peer name as advertised
- in it's certificate. Used for verifying the correctness
- of the received peer certificate. If not specified the
- peer hostname will be used.
+ This means only your local clients are allowed to fetch
+ MISSES and all other clients can only fetch HITS.
- use front-end-https to enable the "Front-End-Https: On"
- header needed when using Squid as a SSL frontend in front
- of Microsoft OWA. See MS KB document Q307347 for details
- on this header. If set to auto the header will
- only be added if the request is forwarded as a https://
- URL.
+ By default, allow all clients who passed the http_access rules
+ to fetch MISSES from us.
- use connection-auth=off to tell Squid that this peer does
- not support Microsoft connection oriented authentication,
- and any such challenges received from there should be
- ignored. Default is auto to automatically determine the
- status of the peer.
+NOCOMMENT_START
+#Default setting:
+# miss_access allow all
+NOCOMMENT_END
DOC_END
-NAME: cache_peer_domain cache_host_domain
-TYPE: hostdomain
+NAME: ident_lookup_access
+TYPE: acl_access
+IFDEF: USE_IDENT
DEFAULT: none
-LOC: none
+DEFAULT_IF_NONE: deny all
+LOC: Config.accessList.identLookup
DOC_START
- Use to limit the domains for which a neighbor cache will be
- queried. Usage:
+ A list of ACL elements which, if matched, cause an ident
+ (RFC931) lookup to be performed for this request. For
+ example, you might choose to always perform ident lookups
+ for your main multi-user Unix boxes, but not for your Macs
+ and PCs. By default, ident lookups are not performed for
+ any requests.
- cache_peer_domain cache-host domain [domain ...]
- cache_peer_domain cache-host !domain
+ To enable ident lookups for specific client addresses, you
+ can follow this example:
- For example, specifying
+ acl ident_aware_hosts src 198.168.1.0/255.255.255.0
+ ident_lookup_access allow ident_aware_hosts
+ ident_lookup_access deny all
- cache_peer_domain parent.foo.net .edu
+ Only src type ACL checks are fully supported. A src_domain
+ ACL might work at times, but it will not always provide
+ the correct result.
+DOC_END
- has the effect such that UDP query packets are sent to
- 'bigserver' only when the requested object exists on a
- server in the .edu domain. Prefixing the domain name
- with '!' means the cache will be queried for objects
- NOT in that domain.
+NAME: reply_header_max_size
+COMMENT: (KB)
+TYPE: b_size_t
+DEFAULT: 20 KB
+LOC: Config.maxReplyHeaderSize
+DOC_START
+ This specifies the maximum size for HTTP headers in a reply.
+ Reply headers are usually relatively small (about 512 bytes).
+ Placing a limit on the reply header size will catch certain
+ bugs (for example with persistent connections) and possibly
+ buffer-overflow or denial-of-service attacks.
+DOC_END
- NOTE: * Any number of domains may be given for a cache-host,
- either on the same or separate lines.
- * When multiple domains are given for a particular
- cache-host, the first matched domain is applied.
- * Cache hosts with no domain restrictions are queried
- for all requests.
- * There are no defaults.
- * There is also a 'cache_peer_access' tag in the ACL
- section.
+NAME: reply_body_max_size
+COMMENT: bytes allow|deny acl acl...
+TYPE: body_size_t
+DEFAULT: none
+DEFAULT_IF_NONE: 0 allow all
+LOC: Config.ReplyBodySize
+DOC_START
+ This option specifies the maximum size of a reply body in bytes.
+ It can be used to prevent users from downloading very large files,
+ such as MP3's and movies. When the reply headers are received,
+ the reply_body_max_size lines are processed, and the first line with
+ a result of "allow" is used as the maximum body size for this reply.
+ This size is checked twice. First when we get the reply headers,
+ we check the content-length value. If the content length value exists
+ and is larger than the allowed size, the request is denied and the
+ user receives an error message that says "the request or reply
+ is too large." If there is no content-length, and the reply
+ size exceeds this limit, the client's connection is just closed
+ and they will receive a partial reply.
+
+ WARNING: downstream caches probably can not detect a partial reply
+ if there is no content-length header, so they will cache
+ partial responses and give them out as hits. You should NOT
+ use this option if you have downstream caches.
+
+ If you set this parameter to zero (the default), there will be
+ no limit imposed.
DOC_END
-NAME: neighbor_type_domain
-TYPE: hostdomaintype
+COMMENT_START
+ OPTIONS FOR X-Forwarded-For
+ -----------------------------------------------------------------------------
+COMMENT_END
+
+NAME: follow_x_forwarded_for
+TYPE: acl_access
+IFDEF: FOLLOW_X_FORWARDED_FOR
+LOC: Config.accessList.followXFF
DEFAULT: none
-LOC: none
+DEFAULT_IF_NONE: deny all
DOC_START
- usage: neighbor_type_domain neighbor parent|sibling domain domain ...
+ Allowing or Denying the X-Forwarded-For header to be followed to
+ find the original source of a request.
- Modifying the neighbor type for specific domains is now
- possible. You can treat some domains differently than the the
- default neighbor type specified on the 'cache_peer' line.
- Normally it should only be necessary to list domains which
- should be treated differently because the default neighbor type
- applies for hostnames which do not match domains listed here.
+ Requests may pass through a chain of several other proxies
+ before reaching us. The X-Forwarded-For header will contain a
+ comma-separated list of the IP addresses in the chain, with the
+ rightmost address being the most recent.
-EXAMPLE:
- cache_peer parent cache.foo.org 3128 3130
- neighbor_type_domain cache.foo.org sibling .com .net
- neighbor_type_domain cache.foo.org sibling .au .de
-DOC_END
+ If a request reaches us from a source that is allowed by this
+ configuration item, then we consult the X-Forwarded-For header
+ to see where that host received the request from. If the
+ X-Forwarded-For header contains multiple addresses, and if
+ acl_uses_indirect_client is on, then we continue backtracking
+ until we reach an address for which we are not allowed to
+ follow the X-Forwarded-For header, or until we reach the first
+ address in the list. (If acl_uses_indirect_client is off, then
+ it's impossible to backtrack through more than one level of
+ X-Forwarded-For addresses.)
-NAME: dead_peer_timeout
-COMMENT: (seconds)
-DEFAULT: 10 seconds
-TYPE: time_t
-LOC: Config.Timeout.deadPeer
-DOC_START
- This controls how long Squid waits to declare a peer cache
- as "dead." If there are no ICP replies received in this
- amount of time, Squid will declare the peer dead and not
- expect to receive any further ICP replies. However, it
- continues to send ICP queries, and will mark the peer as
- alive upon receipt of the first subsequent ICP reply.
+ The end result of this process is an IP address that we will
+ refer to as the indirect client address. This address may
+ be treated as the client address for access control, delay
+ pools and logging, depending on the acl_uses_indirect_client,
+ delay_pool_uses_indirect_client and log_uses_indirect_client
+ options.
- This timeout also affects when Squid expects to receive ICP
- replies from peers. If more than 'dead_peer' seconds have
- passed since the last ICP reply was received, Squid will not
- expect to receive an ICP reply on the next query. Thus, if
- your time between requests is greater than this timeout, you
- will see a lot of requests sent DIRECT to origin servers
- instead of to your parents.
+ SECURITY CONSIDERATIONS:
+
+ Any host for which we follow the X-Forwarded-For header
+ can place incorrect information in the header, and Squid
+ will use the incorrect information as if it were the
+ source address of the request. This may enable remote
+ hosts to bypass any access control restrictions that are
+ based on the client's source addresses.
+
+ For example:
+
+ acl localhost src 127.0.0.1
+ acl my_other_proxy srcdomain .proxy.example.com
+ follow_x_forwarded_for allow localhost
+ follow_x_forwarded_for allow my_other_proxy
DOC_END
-NAME: hierarchy_stoplist
-TYPE: wordlist
-DEFAULT: none
-LOC: Config.hierarchy_stoplist
+NAME: acl_uses_indirect_client
+COMMENT: on|off
+TYPE: onoff
+IFDEF: FOLLOW_X_FORWARDED_FOR
+DEFAULT: on
+LOC: Config.onoff.acl_uses_indirect_client
DOC_START
- A list of words which, if found in a URL, cause the object to
- be handled directly by this cache. In other words, use this
- to not query neighbor caches for certain objects. You may
- list this option multiple times. Note: never_direct overrides
- this option.
-NOCOMMENT_START
-#We recommend you to use at least the following line.
-hierarchy_stoplist cgi-bin ?
-NOCOMMENT_END
+ Controls whether the indirect client address
+ (see follow_x_forwarded_for) is used instead of the
+ direct client address in acl matching.
DOC_END
-NAME: cache no_cache
-TYPE: acl_access
-DEFAULT: none
-LOC: Config.accessList.noCache
+NAME: delay_pool_uses_indirect_client
+COMMENT: on|off
+TYPE: onoff
+IFDEF: FOLLOW_X_FORWARDED_FOR && DELAY_POOLS
+DEFAULT: on
+LOC: Config.onoff.delay_pool_uses_indirect_client
DOC_START
- A list of ACL elements which, if matched, cause the request to
- not be satisfied from the cache and the reply to not be cached.
- In other words, use this to force certain objects to never be cached.
-
- You must use the word 'DENY' to indicate the ACL names which should
- NOT be cached.
-
- Default is to allow all to be cached
-NOCOMMENT_START
-#We recommend you to use the following two lines.
-acl QUERY urlpath_regex cgi-bin \?
-cache deny QUERY
-NOCOMMENT_END
+ Controls whether the indirect client address
+ (see follow_x_forwarded_for) is used instead of the
+ direct client address in delay pools.
DOC_END
-NAME: wais_relay_host
-TYPE: string
-DEFAULT: none
-LOC: Config.Wais.relayHost
-DOC_NONE
-
-NAME: wais_relay_port
-TYPE: ushort
-DEFAULT: 0
-LOC: Config.Wais.relayPort
+NAME: log_uses_indirect_client
+COMMENT: on|off
+TYPE: onoff
+IFDEF: FOLLOW_X_FORWARDED_FOR
+DEFAULT: on
+LOC: Config.onoff.log_uses_indirect_client
DOC_START
- Relay WAIS request to host (1st arg) at port (2 arg).
+ Controls whether the indirect client address
+ (see follow_x_forwarded_for) is used instead of the
+ direct client address in the access log.
DOC_END
COMMENT_START
- MEMORY CACHE OPTIONS
+ NETWORK OPTIONS
-----------------------------------------------------------------------------
COMMENT_END
-NAME: cache_mem
-COMMENT: (bytes)
-TYPE: b_size_t
-DEFAULT: 8 MB
-LOC: Config.memMaxSize
+NAME: http_port ascii_port
+TYPE: http_port_list
+DEFAULT: none
+LOC: Config.Sockaddr.http
DOC_START
- NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS SIZE.
- IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL
- USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER
- THINGS AS WELL. SEE THE SQUID FAQ SECTION 8 FOR DETAILS.
+ Usage: port [options]
+ hostname:port [options]
+ 1.2.3.4:port [options]
- 'cache_mem' specifies the ideal amount of memory to be used
- for:
- * In-Transit objects
- * Hot Objects
- * Negative-Cached objects
+ The socket addresses where Squid will listen for HTTP client
+ requests. You may specify multiple socket addresses.
+ There are three forms: port alone, hostname with port, and
+ IP address with port. If you specify a hostname or IP
+ address, Squid binds the socket to that specific
+ address. This replaces the old 'tcp_incoming_address'
+ option. Most likely, you do not need to bind to a specific
+ address, so you can use the port number alone.
- Data for these objects are stored in 4 KB blocks. This
- parameter specifies the ideal upper limit on the total size of
- 4 KB blocks allocated. In-Transit objects take the highest
- priority.
+ If you are running Squid in accelerator mode, you
+ probably want to listen on port 80 also, or instead.
- In-transit objects have priority over the others. When
- additional space is needed for incoming data, negative-cached
- and hot objects will be released. In other words, the
- negative-cached and hot objects will fill up any unused space
- not needed for in-transit objects.
+ You may specify multiple socket addresses on multiple lines.
- If circumstances require, this limit will be exceeded.
- Specifically, if your incoming request rate requires more than
- 'cache_mem' of memory to hold in-transit objects, Squid will
- exceed this limit to satisfy the new requests. When the load
- decreases, blocks will be freed until the high-water mark is
- reached. Thereafter, blocks will be used to store hot
- objects.
-DOC_END
+ Options:
-NAME: maximum_object_size_in_memory
-COMMENT: (bytes)
-TYPE: b_size_t
-DEFAULT: 8 KB
-LOC: Config.Store.maxInMemObjSize
-DOC_START
- Objects greater than this size will not be attempted to kept in
- the memory cache. This should be set high enough to keep objects
- accessed frequently in memory to improve performance whilst low
- enough to keep larger objects from hoarding cache_mem.
-DOC_END
+ transparent Support for transparent interception of
+ outgoing requests without browser settings.
-NAME: memory_replacement_policy
-TYPE: removalpolicy
-LOC: Config.memPolicy
-DEFAULT: lru
-DOC_START
- The memory replacement policy parameter determines which
- objects are purged from memory when memory space is needed.
+ tproxy Support Linux TPROXY for spoofing outgoing
+ connections using the client IP address.
- See cache_replacement_policy for details.
+ accel Accelerator mode. Also needs at least one
+ of vhost/vport/defaultsite.
+
+ defaultsite=domainname
+ What to use for the Host: header if it is not present
+ in a request. Determines what site (not origin server)
+ accelerators should consider the default.
+ Implies accel.
+
+ vhost Accelerator mode using Host header for virtual
+ domain support. Implies accel.
+
+ vport Accelerator with IP based virtual host support.
+ Implies accel.
+
+ vport=NN As above, but uses specified port number rather
+ than the http_port number. Implies accel.
+
+ urlgroup= Default urlgroup to mark requests with (see
+ also acl urlgroup and url_rewrite_program)
+
+ protocol= Protocol to reconstruct accelerated requests with.
+ Defaults to http.
+
+ no-connection-auth
+ Prevent forwarding of Microsoft connection oriented
+ authentication (NTLM, Negotiate and Kerberos)
+
+ If you run Squid on a dual-homed machine with an internal
+ and an external interface we recommend you to specify the
+ internal address:port in http_port. This way Squid will only be
+ visible on the internal address.
+
+NOCOMMENT_START
+# Squid normally listens to port 3128
+http_port @DEFAULT_HTTP_PORT@
+NOCOMMENT_END
DOC_END
-COMMENT_START
- DISK CACHE OPTIONS
- -----------------------------------------------------------------------------
-COMMENT_END
-
-NAME: cache_dir
-TYPE: cachedir
+NAME: https_port
+IFDEF: USE_SSL
+TYPE: https_port_list
DEFAULT: none
-DEFAULT_IF_NONE: ufs @DEFAULT_SWAP_DIR@ 100 16 256
-LOC: Config.cacheSwap
+LOC: Config.Sockaddr.https
DOC_START
- Usage:
+ Usage: [ip:]port cert=certificate.pem [key=key.pem] [options...]
- cache_dir Type Directory-Name Fs-specific-data [options]
+ The socket address where Squid will listen for HTTPS client
+ requests.
- You can specify multiple cache_dir lines to spread the
- cache among different disk partitions.
+ This is really only useful for situations where you are running
+ squid in accelerator mode and you want to do the SSL work at the
+ accelerator level.
- Type specifies the kind of storage system to use. Only "ufs"
- is built by default. To enable any of the other storage systems
- see the --enable-storeio configure option.
+ You may specify multiple socket addresses on multiple lines,
+ each with their own SSL certificate and/or options.
- 'Directory' is a top-level directory where cache swap
- files will be stored. If you want to use an entire disk
- for caching, this can be the mount-point directory.
- The directory must exist and be writable by the Squid
- process. Squid will NOT create this directory for you.
- Only using COSS, a raw disk device or a stripe file can
- be specified, but the configuration of the "cache_swap_log"
- tag is mandatory.
+ Options:
- The ufs store type:
+ accel Accelerator mode. Also needs at least one of
+ defaultsite or vhost.
- "ufs" is the old well-known Squid storage format that has always
- been there.
+ defaultsite= The name of the https site presented on
+ this port. Implies accel.
- cache_dir ufs Directory-Name Mbytes L1 L2 [options]
+ vhost Accelerator mode using Host header for virtual
+ domain support. Requires a wildcard certificate
+ or other certificate valid for more than one domain.
+ Implies accel.
- 'Mbytes' is the amount of disk space (MB) to use under this
- directory. The default is 100 MB. Change this to suit your
- configuration. Do NOT put the size of your disk drive here.
- Instead, if you want Squid to use the entire disk drive,
- subtract 20% and use that value.
+ urlgroup= Default urlgroup to mark requests with (see
+ also acl urlgroup and url_rewrite_program).
- 'Level-1' is the number of first-level subdirectories which
- will be created under the 'Directory'. The default is 16.
+ protocol= Protocol to reconstruct accelerated requests with.
+ Defaults to https.
- 'Level-2' is the number of second-level subdirectories which
- will be created under each first-level directory. The default
- is 256.
+ cert= Path to SSL certificate (PEM format).
- The aufs store type:
+ key= Path to SSL private key file (PEM format)
+ if not specified, the certificate file is
+ assumed to be a combined certificate and
+ key file.
- "aufs" uses the same storage format as "ufs", utilizing
- POSIX-threads to avoid blocking the main Squid process on
- disk-I/O. This was formerly known in Squid as async-io.
+ version= The version of SSL/TLS supported
+ 1 automatic (default)
+ 2 SSLv2 only
+ 3 SSLv3 only
+ 4 TLSv1 only
- cache_dir aufs Directory-Name Mbytes L1 L2 [options]
+ cipher= Colon separated list of supported ciphers.
- see argument descriptions under ufs above
+ options= Various SSL engine options. The most important
+ being:
+ NO_SSLv2 Disallow the use of SSLv2
+ NO_SSLv3 Disallow the use of SSLv3
+ NO_TLSv1 Disallow the use of TLSv1
+ SINGLE_DH_USE Always create a new key when using
+ temporary/ephemeral DH key exchanges
+ See src/ssl_support.c or OpenSSL SSL_CTX_set_options
+ documentation for a complete list of options.
- The diskd store type:
+ clientca= File containing the list of CAs to use when
+ requesting a client certificate.
- "diskd" uses the same storage format as "ufs", utilizing a
- separate process to avoid blocking the main Squid process on
- disk-I/O.
+ cafile= File containing additional CA certificates to
+ use when verifying client certificates. If unset
+ clientca will be used.
- cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n]
+ capath= Directory containing additional CA certificates
+ and CRL lists to use when verifying client certificates.
- see argument descriptions under ufs above
+ crlfile= File of additional CRL lists to use when verifying
+ the client certificate, in addition to CRLs stored in
+ the capath. Implies VERIFY_CRL flag below.
- Q1 specifies the number of unacknowledged I/O requests when Squid
- stops opening new files. If this many messages are in the queues,
- Squid won't open new files. Default is 64
+ dhparams= File containing DH parameters for temporary/ephemeral
+ DH key exchanges.
- Q2 specifies the number of unacknowledged messages when Squid
- starts blocking. If this many messages are in the queues,
- Squid blocks until it receives some replies. Default is 72
+ sslflags= Various flags modifying the use of SSL:
+ DELAYED_AUTH
+ Don't request client certificates
+ immediately, but wait until acl processing
+ requires a certificate (not yet implemented).
+ NO_DEFAULT_CA
+ Don't use the default CA lists built in
+ to OpenSSL.
+ NO_SESSION_REUSE
+ Don't allow for session reuse. Each connection
+ will result in a new SSL session.
+ VERIFY_CRL
+ Verify CRL lists when accepting client
+ certificates.
+ VERIFY_CRL_ALL
+ Verify CRL lists for all certificates in the
+ client certificate chain.
- When Q1 < Q2 (the default), the cache directory is optimized
- for lower response time at the expense of a decrease in hit
- ratio. If Q1 > Q2, the cache directory is optimized for
- higher hit ratio at the expense of an increase in response
- time.
+ sslcontext= SSL session ID context identifier.
- The coss store type:
+ vport Accelerator with IP based virtual host support.
- block-size=n defines the "block size" for COSS cache_dir's.
- Squid uses file numbers as block numbers. Since file numbers
- are limited to 24 bits, the block size determines the maximum
- size of the COSS partition. The default is 512 bytes, which
- leads to a maximum cache_dir size of 512<<24, or 8 GB. Note
- you should not change the COSS block size after Squid
- has written some objects to the cache_dir.
+ vport=NN As above, but uses specified port number rather
+ than the https_port number. Implies accel.
- overwrite-percent=n defines the percentage of disk that COSS
- must write to before a given object will be moved to the
- current stripe. A value of "n" closer to 100 will cause COSS
- to waste less disk space by having multiple copies of an object
- on disk, but will increase the chances of overwriting a popular
- object as COSS overwrites stripes. A value of "n" close to 0
- will cause COSS to keep all current objects in the current COSS
- stripe at the expense of the hit rate. The default value of 50
- will allow any given object to be stored on disk a maximum of
- 2 times.
+DOC_END
- max-stripe-waste=n defines the maximum amount of space that COSS
- will waste in a given stripe (in bytes). When COSS writes data
- to disk, it will potentially waste up to "max-size" worth of disk
- space for each 1MB of data written. If "max-size" is set to a
- large value (ie >256k), this could potentially result in large
- amounts of wasted disk space. Setting this value to a lower value
- (ie 64k or 32k) will result in a COSS disk refusing to cache
- larger objects until the COSS stripe has been filled to within
- "max-stripe-waste" of the maximum size (1MB).
+NAME: tcp_outgoing_tos tcp_outgoing_ds tcp_outgoing_dscp
+TYPE: acl_tos
+DEFAULT: none
+LOC: Config.accessList.outgoing_tos
+DOC_START
+ Allows you to select a TOS/Diffserv value to mark outgoing
+ connections with, based on the username or source address
+ making the request.
- membufs=n defines the number of "memory-only" stripes that COSS
- will use. When an cache hit is performed on a COSS stripe before
- COSS has reached the overwrite-percent value for that object,
- COSS will use a series of memory buffers to hold the object in
- while the data is sent to the client. This will define the maximum
- number of memory-only buffers that COSS will use. The default value
- is 10, which will use a maximum of 10MB of memory for buffers.
+ tcp_outgoing_tos ds-field [!]aclname ...
- maxfullbufs=n defines the maximum number of stripes a COSS partition
- will have in memory waiting to be freed (either because the disk is
- under load and the stripe is unwritten, or because clients are still
- transferring data from objects using the memory). In order to try
- and maintain a good hit rate under load, COSS will reserve the last
- 2 full stripes for object hits. (ie a COSS cache_dir will reject
- new objects when the number of full stripes is 2 less than maxfullbufs)
+ Example where normal_service_net uses the TOS value 0x00
+ and normal_service_net uses 0x20
- The null store type:
+ acl normal_service_net src 10.0.0.0/255.255.255.0
+ acl good_service_net src 10.0.1.0/255.255.255.0
+ tcp_outgoing_tos 0x00 normal_service_net 0x00
+ tcp_outgoing_tos 0x20 good_service_net
- no options are allowed or required
+ TOS/DSCP values really only have local significance - so you should
+ know what you're specifying. For more information, see RFC2474 and
+ RFC3260.
- Common options:
+ The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or
+ "default" to use whatever default your host has. Note that in
+ practice often only values 0 - 63 is usable as the two highest bits
+ have been redefined for use by ECN (RFC3168).
- read-only, no new objects should be stored to this cache_dir
+ Processing proceeds in the order specified, and stops at first fully
+ matching line.
- min-size=n, refers to the min object size this storedir will accept.
- It's used to restrict a storedir to only store large objects
- (e.g. aufs) while other storedirs are optimized for smaller objects
- (e.g. COSS). Defaults to 0.
+ Note: The use of this directive using client dependent ACLs is
+ incompatible with the use of server side persistent connections. To
+ ensure correct results it is best to set server_persisten_connections
+ to off when using this directive in such configurations.
+DOC_END
- max-size=n, refers to the max object size this storedir supports.
- It is used to initially choose the storedir to dump the object.
- Note: To make optimal use of the max-size limits you should order
- the cache_dir lines with the smallest max-size value first and the
- ones with no max-size specification last.
+NAME: tcp_outgoing_address
+TYPE: acl_address
+DEFAULT: none
+LOC: Config.accessList.outgoing_address
+DOC_START
+ Allows you to map requests to different outgoing IP addresses
+ based on the username or source address of the user making
+ the request.
+
+ tcp_outgoing_address ipaddr [[!]aclname] ...
+
+ Example where requests from 10.0.0.0/24 will be forwarded
+ with source address 10.1.0.1, 10.0.2.0/24 forwarded with
+ source address 10.1.0.2 and the rest will be forwarded with
+ source address 10.1.0.3.
+
+ acl normal_service_net src 10.0.0.0/255.255.255.0
+ acl good_service_net src 10.0.1.0/255.255.255.0
+ tcp_outgoing_address 10.0.0.1 normal_service_net
+ tcp_outgoing_address 10.0.0.2 good_service_net
+ tcp_outgoing_address 10.0.0.3
+
+ Processing proceeds in the order specified, and stops at first fully
+ matching line.
+
+ Note: The use of this directive using client dependent ACLs is
+ incompatible with the use of server side persistent connections. To
+ ensure correct results it is best to set server_persistent_connections
+ to off when using this directive in such configurations.
+DOC_END
+
+COMMENT_START
+ SSL OPTIONS
+ -----------------------------------------------------------------------------
+COMMENT_END
- Note that for coss, max-size must be less than COSS_MEMBUF_SZ
- (hard coded at 1 MB).
+NAME: ssl_unclean_shutdown
+IFDEF: USE_SSL
+TYPE: onoff
+DEFAULT: off
+LOC: Config.SSL.unclean_shutdown
+DOC_START
+ Some browsers (especially MSIE) bugs out on SSL shutdown
+ messages.
DOC_END
-NAME: store_dir_select_algorithm
+NAME: ssl_engine
+IFDEF: USE_SSL
TYPE: string
-LOC: Config.store_dir_select_algorithm
-DEFAULT: least-load
+LOC: Config.SSL.ssl_engine
+DEFAULT: none
DOC_START
- Set this to 'round-robin' as an alternative.
+ The OpenSSL engine to use. You will need to set this if you
+ would like to use hardware SSL acceleration for example.
DOC_END
-NAME: max_open_disk_fds
-TYPE: int
-LOC: Config.max_open_disk_fds
-DEFAULT: 0
+NAME: sslproxy_client_certificate
+IFDEF: USE_SSL
+DEFAULT: none
+LOC: Config.ssl_client.cert
+TYPE: string
DOC_START
- To avoid having disk as the I/O bottleneck Squid can optionally
- bypass the on-disk cache if more than this amount of disk file
- descriptors are open.
-
- A value of 0 indicates no limit.
+ Client SSL Certificate to use when proxying https:// URLs
DOC_END
-NAME: cache_replacement_policy
-TYPE: removalpolicy
-LOC: Config.replPolicy
-DEFAULT: lru
+NAME: sslproxy_client_key
+IFDEF: USE_SSL
+DEFAULT: none
+LOC: Config.ssl_client.key
+TYPE: string
DOC_START
- The cache replacement policy parameter determines which
- objects are evicted (replaced) when disk space is needed.
-
- lru : Squid's original list based LRU policy
- heap GDSF : Greedy-Dual Size Frequency
- heap LFUDA: Least Frequently Used with Dynamic Aging
- heap LRU : LRU policy implemented using a heap
-
- Applies to any cache_dir lines listed below this.
-
- The LRU policies keeps recently referenced objects.
-
- The heap GDSF policy optimizes object hit rate by keeping smaller
- popular objects in cache so it has a better chance of getting a
- hit. It achieves a lower byte hit rate than LFUDA though since
- it evicts larger (possibly popular) objects.
-
- The heap LFUDA policy keeps popular objects in cache regardless of
- their size and thus optimizes byte hit rate at the expense of
- hit rate since one large, popular object will prevent many
- smaller, slightly less popular objects from being cached.
-
- Both policies utilize a dynamic aging mechanism that prevents
- cache pollution that can otherwise occur with frequency-based
- replacement policies.
-
- NOTE: if using the LFUDA replacement policy you should increase
- the value of maximum_object_size above its default of 4096 KB to
- to maximize the potential byte hit rate improvement of LFUDA.
-
- For more information about the GDSF and LFUDA cache replacement
- policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html
- and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html.
+ Client SSL Key to use when proxying https:// URLs
DOC_END
-NAME: minimum_object_size
-COMMENT: (bytes)
-TYPE: b_size_t
-DEFAULT: 0 KB
-LOC: Config.Store.minObjectSize
+NAME: sslproxy_version
+IFDEF: USE_SSL
+DEFAULT: 1
+LOC: Config.ssl_client.version
+TYPE: int
DOC_START
- Objects smaller than this size will NOT be saved on disk. The
- value is specified in kilobytes, and the default is 0 KB, which
- means there is no minimum.
+ SSL version level to use when proxying https:// URLs
DOC_END
-NAME: maximum_object_size
-COMMENT: (bytes)
-TYPE: b_size_t
-DEFAULT: 4096 KB
-LOC: Config.Store.maxObjectSize
+NAME: sslproxy_options
+IFDEF: USE_SSL
+DEFAULT: none
+LOC: Config.ssl_client.options
+TYPE: string
DOC_START
- Objects larger than this size will NOT be saved on disk. The
- value is specified in kilobytes, and the default is 4MB. If
- you wish to get a high BYTES hit ratio, you should probably
- increase this (one 32 MB object hit counts for 3200 10KB
- hits). If you wish to increase speed more than your want to
- save bandwidth you should leave this low.
+ SSL engine options to use when proxying https:// URLs
+DOC_END
- NOTE: if using the LFUDA replacement policy you should increase
- this value to maximize the byte hit rate improvement of LFUDA!
- See replacement_policy below for a discussion of this policy.
+NAME: sslproxy_cipher
+IFDEF: USE_SSL
+DEFAULT: none
+LOC: Config.ssl_client.cipher
+TYPE: string
+DOC_START
+ SSL cipher list to use when proxying https:// URLs
DOC_END
-NAME: cache_swap_low
-COMMENT: (percent, 0-100)
-TYPE: int
-DEFAULT: 90
-LOC: Config.Swap.lowWaterMark
-DOC_NONE
+NAME: sslproxy_cafile
+IFDEF: USE_SSL
+DEFAULT: none
+LOC: Config.ssl_client.cafile
+TYPE: string
+DOC_START
+ file containing CA certificates to use when verifying server
+ certificates while proxying https:// URLs
+DOC_END
-NAME: cache_swap_high
-COMMENT: (percent, 0-100)
-TYPE: int
-DEFAULT: 95
-LOC: Config.Swap.highWaterMark
+NAME: sslproxy_capath
+IFDEF: USE_SSL
+DEFAULT: none
+LOC: Config.ssl_client.capath
+TYPE: string
DOC_START
+ directory containing CA certificates to use when verifying
+ server certificates while proxying https:// URLs
+DOC_END
- The low- and high-water marks for cache object replacement.
- Replacement begins when the swap (disk) usage is above the
- low-water mark and attempts to maintain utilization near the
- low-water mark. As swap utilization gets close to high-water
- mark object eviction becomes more aggressive. If utilization is
- close to the low-water mark less replacement is done each time.
+NAME: sslproxy_flags
+IFDEF: USE_SSL
+DEFAULT: none
+LOC: Config.ssl_client.flags
+TYPE: string
+DOC_START
+ Various flags modifying the use of SSL while proxying https:// URLs:
+ DONT_VERIFY_PEER Accept certificates even if they fail to
+ verify.
+ NO_DEFAULT_CA Don't use the default CA list built in
+ to OpenSSL.
+DOC_END
- Defaults are 90% and 95%. If you have a large cache, 5% could be
- hundreds of MB. If this is the case you may wish to set these
- numbers closer together.
+NAME: sslpassword_program
+IFDEF: USE_SSL
+DEFAULT: none
+LOC: Config.Program.ssl_password
+TYPE: string
+DOC_START
+ Specify a program used for entering SSL key passphrases
+ when using encrypted SSL certificate keys. If not specified
+ keys must either be unencrypted, or Squid started with the -N
+ option to allow it to query interactively for the passphrase.
DOC_END
COMMENT_START
- LOGFILE OPTIONS
+ OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
-----------------------------------------------------------------------------
COMMENT_END
-NAME: logformat
-TYPE: logformat
-LOC: Config.Log.logformats
+NAME: cache_peer
+TYPE: peer
DEFAULT: none
+LOC: Config.peers
DOC_START
- Usage:
-
- logformat
+ To specify other caches in a hierarchy, use the format:
- Defines an access log format.
+ cache_peer hostname type http-port icp-port [options]
- The is a string with embedded % format codes
+ For example,
- % format codes all follow the same basic structure where all but
- the formatcode is optional. Output strings are automatically escaped
- as required according to their context and the output format
- modifiers are usually not needed, but can be specified if an explicit
- output format is desired.
+ # proxy icp
+ # hostname type port port options
+ # -------------------- -------- ----- ----- -----------
+ cache_peer parent.foo.net parent 3128 3130 proxy-only default
+ cache_peer sib1.foo.net sibling 3128 3130 proxy-only
+ cache_peer sib2.foo.net sibling 3128 3130 proxy-only
- % ["|[|'|#] [-] [[0]width] [{argument}] formatcode
+ type: either 'parent', 'sibling', or 'multicast'.
- " output in quoted string format
- [ output in squid text log format as used by log_mime_hdrs
- # output in URL quoted format
- ' output as-is
+ proxy-port: The port number where the cache listens for proxy
+ requests.
- - left aligned
- width field width. If starting with 0 the
- output is zero padded
- {arg} argument such as header name etc
+ icp-port: Used for querying neighbor caches about
+ objects. To have a non-ICP neighbor
+ specify '7' for the ICP port and make sure the
+ neighbor machine has the UDP echo port
+ enabled in its /etc/inetd.conf file.
+ NOTE: Also requires icp_port option enabled to send/receive
+ requests via this method.
- Format codes:
+ options: proxy-only
+ weight=n
+ ttl=n
+ no-query
+ default
+ round-robin
+ carp
+ multicast-responder
+ closest-only
+ no-digest
+ no-netdb-exchange
+ no-delay
+ login=user:password | PASS | *:password
+ connect-timeout=nn
+ digest-url=url
+ allow-miss
+ max-conn=n
+ htcp
+ htcp-oldsquid
+ originserver
+ userhash
+ sourcehash
+ name=xxx
+ monitorurl=url
+ monitorsize=sizespec
+ monitorinterval=seconds
+ monitortimeout=seconds
+ forceddomain=name
+ ssl
+ sslcert=/path/to/ssl/certificate
+ sslkey=/path/to/ssl/key
+ sslversion=1|2|3|4
+ sslcipher=...
+ ssloptions=...
+ front-end-https[=on|auto]
+ connection-auth[=on|off|auto]
- >a Client source IP address
- >A Client FQDN
- >p Client source port
- h Request header. Optional header name argument
- on the format header[:[separator]element]
- h
- un User name
- ul User name from authentication
- ui User name from ident
- us User name from SSL
- ue User name from external acl helper
- Hs HTTP status code
- Ss Squid request status (TCP_MISS etc)
- Sh Squid hierarchy status (DEFAULT_PARENT etc)
- mt MIME content type
- rm Request method (GET/POST etc)
- ru Request URL
- rv Request protocol version
- ea Log string returned by external acl
- st Request size including HTTP headers
- st Request+Reply size including HTTP headers
- % a literal % character
+ use 'proxy-only' to specify objects fetched
+ from this cache should not be saved locally.
-logformat squid %ts.%03tu %6tr %>a %Ss/%03Hs %a %Ss/%03Hs %h] [%a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %h" "%{User-Agent}>h" %Ss:%Sh
-DOC_END
+ use 'weight=n' to affect the selection of a peer
+ during any weighted peer-selection mechanisms.
+ The weight must be an integer; default is 1,
+ larger weights are favored more.
+ This option does not affect parent selection if a peering
+ protocol is not in use.
-NAME: access_log cache_access_log
-TYPE: access_log
-LOC: Config.Log.accesslogs
-DEFAULT: none
-DOC_START
- These files log client request activities. Has a line every HTTP or
- ICP request. The format is:
- access_log [ [acl acl ...]]
- access_log none [acl acl ...]]
+ use 'ttl=n' to specify a IP multicast TTL to use
+ when sending an ICP queries to this address.
+ Only useful when sending to a multicast group.
+ Because we don't accept ICP replies from random
+ hosts, you must configure other group members as
+ peers with the 'multicast-responder' option below.
- Will log to the specified file using the specified format (which
- must be defined in a logformat directive) those entries which match
- ALL the acl's specified (which must be defined in acl clauses).
- If no acl is specified, all requests will be logged to this file.
+ use 'no-query' to NOT send ICP queries to this
+ neighbor.
- To disable logging of a request use the filepath "none", in which case
- a logformat name should not be specified.
+ use 'default' if this is a parent cache which can
+ be used as a "last-resort" if a peer cannot be located
+ by any of the peer-selection mechanisms.
+ If specified more than once, only the first is used.
- To log the request via syslog specify a filepath of "syslog":
+ use 'round-robin' to define a set of parents which
+ should be used in a round-robin fashion in the
+ absence of any ICP queries.
- access_log syslog[:facility.priority] [format [acl1 [acl2 ....]]]
- where facility could be any of:
- authpriv, daemon, local0 .. local7 or user.
+ use 'carp' to define a set of parents which should
+ be used as a CARP array. The requests will be
+ distributed among the parents based on the CARP load
+ balancing hash function based on their weight.
- And priority could be any of:
- err, warning, notice, info, debug.
+ 'multicast-responder' indicates the named peer
+ is a member of a multicast group. ICP queries will
+ not be sent directly to the peer, but ICP replies
+ will be accepted from it.
- Note: 2.6.STABLE14 and earlier only supports a slightly different
- and undocumented format with all uppercase LOG_FACILITY|LOG_PRIORITY
-NOCOMMENT_START
-access_log @DEFAULT_ACCESS_LOG@ squid
-NOCOMMENT_END
-DOC_END
+ 'closest-only' indicates that, for ICP_OP_MISS
+ replies, we'll only forward CLOSEST_PARENT_MISSes
+ and never FIRST_PARENT_MISSes.
-NAME: cache_log
-TYPE: string
-DEFAULT: @DEFAULT_CACHE_LOG@
-LOC: Config.Log.log
-DOC_START
- Cache logging file. This is where general information about
- your cache's behavior goes. You can increase the amount of data
- logged to this file with the "debug_options" tag below.
-DOC_END
+ use 'no-digest' to NOT request cache digests from
+ this neighbor.
-NAME: cache_store_log
-TYPE: string
-DEFAULT: @DEFAULT_STORE_LOG@
-LOC: Config.Log.store
-DOC_START
- Logs the activities of the storage manager. Shows which
- objects are ejected from the cache, and which objects are
- saved and for how long. To disable, enter "none". There are
- not really utilities to analyze this data, so you can safely
- disable it.
-DOC_END
+ 'no-netdb-exchange' disables requesting ICMP
+ RTT database (NetDB) from the neighbor.
-NAME: cache_swap_state cache_swap_log
-TYPE: string
-LOC: Config.Log.swap
-DEFAULT: none
-DOC_START
- Location for the cache "swap.state" file. This index file holds
- the metadata of objects saved on disk. It is used to rebuild
- the cache during startup. Normally this file resides in each
- 'cache_dir' directory, but you may specify an alternate
- pathname here. Note you must give a full filename, not just
- a directory. Since this is the index for the whole object
- list you CANNOT periodically rotate it!
+ use 'no-delay' to prevent access to this neighbor
+ from influencing the delay pools.
- If %s can be used in the file name it will be replaced with a
- a representation of the cache_dir name where each / is replaced
- with '.'. This is needed to allow adding/removing cache_dir
- lines when cache_swap_log is being used.
+ use 'login=user:password' if this is a personal/workgroup
+ proxy and your parent requires proxy authentication.
+ Note: The string can include URL escapes (i.e. %20 for
+ spaces). This also means % must be written as %%.
- If have more than one 'cache_dir', and %s is not used in the name
- these swap logs will have names such as:
+ use 'login=PASS' if users must authenticate against
+ the upstream proxy or in the case of a reverse proxy
+ configuration, the origin web server. This will pass
+ the users credentials as they are to the peer.
+ Note: To combine this with local authentication the Basic
+ authentication scheme must be used, and both servers must
+ share the same user database as HTTP only allows for
+ a single login (one for proxy, one for origin server).
+ Also be warned this will expose your users proxy
+ password to the peer. USE WITH CAUTION
- cache_swap_log.00
- cache_swap_log.01
- cache_swap_log.02
+ use 'login=*:password' to pass the username to the
+ upstream cache, but with a fixed password. This is meant
+ to be used when the peer is in another administrative
+ domain, but it is still needed to identify each user.
+ The star can optionally be followed by some extra
+ information which is added to the username. This can
+ be used to identify this proxy to the peer, similar to
+ the login=username:password option above.
- The numbered extension (which is added automatically)
- corresponds to the order of the 'cache_dir' lines in this
- configuration file. If you change the order of the 'cache_dir'
- lines in this file, these index files will NOT correspond to
- the correct 'cache_dir' entry (unless you manually rename
- them). We recommend you do NOT use this option. It is
- better to keep these index files in each 'cache_dir' directory.
-DOC_END
+ use 'connect-timeout=nn' to specify a peer
+ specific connect timeout (also see the
+ peer_connect_timeout directive)
-NAME: logfile_rotate
-TYPE: int
-DEFAULT: 10
-LOC: Config.Log.rotateNumber
-DOC_START
- Specifies the number of logfile rotations to make when you
- type 'squid -k rotate'. The default is 10, which will rotate
- with extensions 0 through 9. Setting logfile_rotate to 0 will
- disable the file name rotation, but the logfiles are still closed
- and re-opened. This will enable you to rename the logfiles
- yourself just before sending the rotate signal.
+ use 'digest-url=url' to tell Squid to fetch the cache
+ digest (if digests are enabled) for this host from
+ the specified URL rather than the Squid default
+ location.
- Note, the 'squid -k rotate' command normally sends a USR1
- signal to the running squid process. In certain situations
- (e.g. on Linux with Async I/O), USR1 is used for other
- purposes, so -k rotate uses another signal. It is best to get
- in the habit of using 'squid -k rotate' instead of 'kill -USR1
- '.
-DOC_END
+ use 'allow-miss' to disable Squid's use of only-if-cached
+ when forwarding requests to siblings. This is primarily
+ useful when icp_hit_stale is used by the sibling. To
+ extensive use of this option may result in forwarding
+ loops, and you should avoid having two-way peerings
+ with this option. (for example to deny peer usage on
+ requests from peer by denying cache_peer_access if the
+ source is a peer)
-NAME: emulate_httpd_log
-COMMENT: on|off
-TYPE: onoff
-DEFAULT: off
-LOC: Config.onoff.common_log
-DOC_START
- The Cache can emulate the log file format which many 'httpd'
- programs use. To disable/enable this emulation, set
- emulate_httpd_log to 'off' or 'on'. The default
- is to use the native log format since it includes useful
- information Squid-specific log analyzers use.
-DOC_END
+ use 'max-conn=n' to limit the amount of connections Squid
+ may open to this peer.
-NAME: log_ip_on_direct
-COMMENT: on|off
-TYPE: onoff
-DEFAULT: on
-LOC: Config.onoff.log_ip_on_direct
-DOC_START
- Log the destination IP address in the hierarchy log tag when going
- direct. Earlier Squid versions logged the hostname here. If you
- prefer the old way set this to off.
-DOC_END
+ use 'htcp' to send HTCP, instead of ICP, queries
+ to the neighbor. You probably also want to
+ set the "icp port" to 4827 instead of 3130.
-NAME: mime_table
-TYPE: string
-DEFAULT: @DEFAULT_MIME_TABLE@
-LOC: Config.mimeTablePathname
-DOC_START
- Pathname to Squid's MIME table. You shouldn't need to change
- this, but the default file contains examples and formatting
- information if you do.
-DOC_END
+ use 'htcp-oldsquid' to send HTCP to old Squid versions
-NAME: log_mime_hdrs
-COMMENT: on|off
-TYPE: onoff
-LOC: Config.onoff.log_mime_hdrs
-DEFAULT: off
-DOC_START
- The Cache can record both the request and the response MIME
- headers for each HTTP transaction. The headers are encoded
- safely and will appear as two bracketed fields at the end of
- the access log (for either the native or httpd-emulated log
- formats). To enable this logging set log_mime_hdrs to 'on'.
-DOC_END
+ 'originserver' causes this parent peer to be contacted as
+ a origin server. Meant to be used in accelerator setups.
-NAME: useragent_log
-TYPE: string
-LOC: Config.Log.useragent
-DEFAULT: none
-IFDEF: USE_USERAGENT_LOG
-DOC_START
- Squid will write the User-Agent field from HTTP requests
- to the filename specified here. By default useragent_log
- is disabled.
-DOC_END
+ use 'userhash' to load-balance amongst a set of parents
+ based on the client proxy_auth or ident username.
-NAME: referer_log referrer_log
-TYPE: string
-LOC: Config.Log.referer
-DEFAULT: none
-IFDEF: USE_REFERER_LOG
-DOC_START
- Squid will write the Referer field from HTTP requests to the
- filename specified here. By default referer_log is disabled.
- Note that "referer" is actually a misspelling of "referrer"
- however the misspelt version has been accepted into the HTTP RFCs
- and we accept both.
-DOC_END
+ use 'sourcehash' to load-balance amongst a set of parents
+ based on the client source ip.
-NAME: pid_filename
-TYPE: string
-DEFAULT: @DEFAULT_PID_FILE@
-LOC: Config.pidFilename
-DOC_START
- A filename to write the process-id to. To disable, enter "none".
-DOC_END
+ use 'name=xxx' if you have multiple peers on the same
+ host but different ports. This name can be used to
+ differentiate the peers in cache_peer_access and similar
+ directives.
-NAME: debug_options
-TYPE: eol
-DEFAULT: ALL,1
-LOC: Config.debugOptions
-DOC_START
- Logging options are set as section,level where each source file
- is assigned a unique section. Lower levels result in less
- output, Full debugging (level 9) can result in a very large
- log file, so be careful. The magic word "ALL" sets debugging
- levels for all sections. We recommend normally running with
- "ALL,1".
-DOC_END
+ use 'monitorurl=url' to have periodically request a given
+ URL from the peer, and only consider the peer as alive
+ if this monitoring is successful (default none)
-NAME: log_fqdn
-COMMENT: on|off
-TYPE: onoff
-DEFAULT: off
-LOC: Config.onoff.log_fqdn
-DOC_START
- Turn this on if you wish to log fully qualified domain names
- in the access.log. To do this Squid does a DNS lookup of all
- IP's connecting to it. This can (in some situations) increase
- latency, which makes your cache seem slower for interactive
- browsing.
-DOC_END
+ use 'monitorsize=min[-max]' to limit the size range of
+ 'monitorurl' replies considered valid. Defaults to 0 to
+ accept any size replies as valid.
-NAME: client_netmask
-TYPE: address
-LOC: Config.Addrs.client_netmask
-DEFAULT: 255.255.255.255
-DOC_START
- A netmask for client addresses in logfiles and cachemgr output.
- Change this to protect the privacy of your cache clients.
- A netmask of 255.255.255.0 will log all IP's in that range with
- the last digit set to '0'.
-DOC_END
+ use 'monitorinterval=seconds' to change frequency of
+ how often the peer is monitored with 'monitorurl'
+ (default 300 for a 5 minute interval). If set to 0
+ then monitoring is disabled even if a URL is defined.
-NAME: forward_log
-IFDEF: WIP_FWD_LOG
-TYPE: string
-DEFAULT: none
-LOC: Config.Log.forward
-DOC_START
- Logs the server-side requests.
+ use 'monitortimeout=seconds' to change the timeout of
+ 'monitorurl'. Defaults to 'monitorinterval'.
- This is currently work in progress.
-DOC_END
+ use 'forceddomain=name' to forcibly set the Host header
+ of requests forwarded to this peer. Useful in accelerator
+ setups where the server (peer) expects a certain domain
+ name and using redirectors to feed this domain name
+ is not feasible.
-NAME: strip_query_terms
-TYPE: onoff
-LOC: Config.onoff.strip_query_terms
-DEFAULT: on
-DOC_START
- By default, Squid strips query terms from requested URLs before
- logging. This protects your user's privacy.
-DOC_END
+ use 'ssl' to indicate connections to this peer should
+ be SSL/TLS encrypted.
-NAME: buffered_logs
-COMMENT: on|off
-TYPE: onoff
-DEFAULT: off
-LOC: Config.onoff.buffered_logs
-DOC_START
- cache.log log file is written with stdio functions, and as such
- it can be buffered or unbuffered. By default it will be unbuffered.
- Buffering it can speed up the writing slightly (though you are
- unlikely to need to worry unless you run with tons of debugging
- enabled in which case performance will suffer badly anyway..).
-DOC_END
+ use 'sslcert=/path/to/ssl/certificate' to specify a client
+ SSL certificate to use when connecting to this peer.
-COMMENT_START
- OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
- -----------------------------------------------------------------------------
-COMMENT_END
+ use 'sslkey=/path/to/ssl/key' to specify the private SSL
+ key corresponding to sslcert above. If 'sslkey' is not
+ specified 'sslcert' is assumed to reference a
+ combined file containing both the certificate and the key.
-NAME: ftp_user
-TYPE: string
-DEFAULT: Squid@
-LOC: Config.Ftp.anon_user
-DOC_START
- If you want the anonymous login password to be more informative
- (and enable the use of picky ftp servers), set this to something
- reasonable for your domain, like wwwuser@somewhere.net
+ use sslversion=1|2|3|4 to specify the SSL version to use
+ when connecting to this peer
+ 1 = automatic (default)
+ 2 = SSL v2 only
+ 3 = SSL v3 only
+ 4 = TLS v1 only
- The reason why this is domainless by default is the
- request can be made on the behalf of a user in any domain,
- depending on how the cache is used.
- Some ftp server also validate the email address is valid
- (for example perl.com).
-DOC_END
+ use sslcipher=... to specify the list of valid SSL ciphers
+ to use when connecting to this peer.
-NAME: ftp_list_width
-TYPE: int
-DEFAULT: 32
-LOC: Config.Ftp.list_width
-DOC_START
- Sets the width of ftp listings. This should be set to fit in
- the width of a standard browser. Setting this too small
- can cut off long filenames when browsing ftp sites.
-DOC_END
+ use ssloptions=... to specify various SSL engine options:
+ NO_SSLv2 Disallow the use of SSLv2
+ NO_SSLv3 Disallow the use of SSLv3
+ NO_TLSv1 Disallow the use of TLSv1
+ See src/ssl_support.c or the OpenSSL documentation for
+ a more complete list.
-NAME: ftp_passive
-TYPE: onoff
-DEFAULT: on
-LOC: Config.Ftp.passive
-DOC_START
- If your firewall does not allow Squid to use passive
- connections, turn off this option.
-DOC_END
+ use sslcafile=... to specify a file containing
+ additional CA certificates to use when verifying the
+ peer certificate.
-NAME: ftp_sanitycheck
-TYPE: onoff
-DEFAULT: on
-LOC: Config.Ftp.sanitycheck
-DOC_START
- For security and data integrity reasons Squid by default performs
- sanity checks of the addresses of FTP data connections ensure the
- data connection is to the requested server. If you need to allow
- FTP connections to servers using another IP address for the data
- connection turn this off.
-DOC_END
+ use sslcapath=... to specify a directory containing
+ additional CA certificates to use when verifying the
+ peer certificate.
-NAME: ftp_telnet_protocol
-TYPE: onoff
-DEFAULT: on
-LOC: Config.Ftp.telnet
-DOC_START
- The FTP protocol is officially defined to use the telnet protocol
- as transport channel for the control connection. However, many
- implementations are broken and does not respect this aspect of
- the FTP protocol.
+ use sslcrlfile=... to specify a certificate revocation
+ list file to use when verifying the peer certificate.
- If you have trouble accessing files with ASCII code 255 in the
- path or similar problems involving this ASCII code you can
- try setting this directive to off. If that helps, report to the
- operator of the FTP server in question that their FTP server
- is broken and does not follow the FTP standard.
-DOC_END
+ use sslflags=... to specify various flags modifying the
+ SSL implementation:
+ DONT_VERIFY_PEER
+ Accept certificates even if they fail to
+ verify.
+ NO_DEFAULT_CA
+ Don't use the default CA list built in
+ to OpenSSL.
-NAME: diskd_program
-TYPE: string
-DEFAULT: @DEFAULT_DISKD@
-LOC: Config.Program.diskd
-DOC_START
- Specify the location of the diskd executable.
- Note this is only useful if you have compiled in
- diskd as one of the store io modules.
-DOC_END
+ use ssldomain= to specify the peer name as advertised
+ in it's certificate. Used for verifying the correctness
+ of the received peer certificate. If not specified the
+ peer hostname will be used.
-NAME: unlinkd_program
-IFDEF: USE_UNLINKD
-TYPE: string
-DEFAULT: @DEFAULT_UNLINKD@
-LOC: Config.Program.unlinkd
-DOC_START
- Specify the location of the executable for file deletion process.
-DOC_END
+ use front-end-https to enable the "Front-End-Https: On"
+ header needed when using Squid as a SSL frontend in front
+ of Microsoft OWA. See MS KB document Q307347 for details
+ on this header. If set to auto the header will
+ only be added if the request is forwarded as a https://
+ URL.
-NAME: pinger_program
-TYPE: string
-DEFAULT: @DEFAULT_PINGER@
-LOC: Config.Program.pinger
-IFDEF: USE_ICMP
-DOC_START
- Specify the location of the executable for the pinger process.
+ use connection-auth=off to tell Squid that this peer does
+ not support Microsoft connection oriented authentication,
+ and any such challenges received from there should be
+ ignored. Default is auto to automatically determine the
+ status of the peer.
DOC_END
-NAME: url_rewrite_program redirect_program
-TYPE: programline
-LOC: Config.Program.url_rewrite.command
+NAME: cache_peer_domain cache_host_domain
+TYPE: hostdomain
DEFAULT: none
+LOC: none
DOC_START
- Specify the location of the executable for the URL rewriter.
- Since they can perform almost any function there isn't one included.
-
- For each requested URL rewriter will receive on line with the format
-
- URL client_ip "/" fqdn user method urlgroup
-
- And the rewriter may return a rewritten URL. The other components of
- the request line does not need to be returned (ignored if they are).
+ Use to limit the domains for which a neighbor cache will be
+ queried. Usage:
- The rewriter can also indicate that a client-side redirect should
- be performed to the new URL. This is done by prefixing the returned
- URL with "301:" (moved permanently) or 302: (moved temporarily).
+ cache_peer_domain cache-host domain [domain ...]
+ cache_peer_domain cache-host !domain
- It can also return a "urlgroup" that can subsequently be matched
- in cache_peer_access and similar ACL driven rules. An urlgroup is
- returned by prefixing the returned url with "!urlgroup!"
+ For example, specifying
- By default, a URL rewriter is not used.
-DOC_END
+ cache_peer_domain parent.foo.net .edu
-NAME: url_rewrite_children redirect_children
-TYPE: int
-DEFAULT: 5
-LOC: Config.Program.url_rewrite.children
-DOC_START
- The number of redirector processes to spawn. If you start
- too few Squid will have to wait for them to process a backlog of
- URLs, slowing it down. If you start too many they will use RAM
- and other system resources.
-DOC_END
+ has the effect such that UDP query packets are sent to
+ 'bigserver' only when the requested object exists on a
+ server in the .edu domain. Prefixing the domain name
+ with '!' means the cache will be queried for objects
+ NOT in that domain.
-NAME: url_rewrite_concurrency redirect_concurrency
-TYPE: int
-DEFAULT: 0
-LOC: Config.Program.url_rewrite.concurrency
-DOC_START
- The number of requests each redirector helper can handle in
- parallel. Defaults to 0 which indicates the redirector
- is a old-style single threaded redirector.
+ NOTE: * Any number of domains may be given for a cache-host,
+ either on the same or separate lines.
+ * When multiple domains are given for a particular
+ cache-host, the first matched domain is applied.
+ * Cache hosts with no domain restrictions are queried
+ for all requests.
+ * There are no defaults.
+ * There is also a 'cache_peer_access' tag in the ACL
+ section.
DOC_END
-NAME: url_rewrite_host_header redirect_rewrites_host_header
-TYPE: onoff
-DEFAULT: on
-LOC: Config.onoff.redir_rewrites_host
+NAME: cache_peer_access
+TYPE: peer_access
+DEFAULT: none
+LOC: none
DOC_START
- By default Squid rewrites any Host: header in redirected
- requests. If you are running an accelerator this may
- not be a wanted effect of a redirector.
+ Similar to 'cache_peer_domain' but provides more flexibility by
+ using ACL elements.
- WARNING: Entries are cached on the result of the URL rewriting
- process, so be careful if you have domain-virtual hosts.
-DOC_END
+ cache_peer_access cache-host allow|deny [!]aclname ...
-NAME: url_rewrite_access redirector_access
-TYPE: acl_access
-DEFAULT: none
-LOC: Config.accessList.url_rewrite
-DOC_START
- If defined, this access list specifies which requests are
- sent to the redirector processes. By default all requests
- are sent.
+ The syntax is identical to 'http_access' and the other lists of
+ ACL elements. See the comments for 'http_access' below, or
+ the Squid FAQ (http://www.squid-cache.org/FAQ/FAQ-10.html).
DOC_END
-NAME: location_rewrite_program
-TYPE: programline
-LOC: Config.Program.location_rewrite.command
+NAME: neighbor_type_domain
+TYPE: hostdomaintype
DEFAULT: none
+LOC: none
DOC_START
- Specify the location of the executable for the Location rewriter,
- used to rewrite server generated redirects. Usually used in
- conjunction with a url_rewrite_program
-
- For each Location header received the location rewriter will receive
- one line with the format:
-
- location URL requested URL urlgroup
+ usage: neighbor_type_domain neighbor parent|sibling domain domain ...
- And the rewriter may return a rewritten Location URL or a blank line.
- The other components of the request line does not need to be returned
- (ignored if they are).
+ Modifying the neighbor type for specific domains is now
+ possible. You can treat some domains differently than the the
+ default neighbor type specified on the 'cache_peer' line.
+ Normally it should only be necessary to list domains which
+ should be treated differently because the default neighbor type
+ applies for hostnames which do not match domains listed here.
- By default, a Location rewriter is not used.
+EXAMPLE:
+ cache_peer parent cache.foo.org 3128 3130
+ neighbor_type_domain cache.foo.org sibling .com .net
+ neighbor_type_domain cache.foo.org sibling .au .de
DOC_END
-NAME: location_rewrite_children
-TYPE: int
-DEFAULT: 5
-LOC: Config.Program.location_rewrite.children
+NAME: dead_peer_timeout
+COMMENT: (seconds)
+DEFAULT: 10 seconds
+TYPE: time_t
+LOC: Config.Timeout.deadPeer
DOC_START
- The number of location rewriting processes to spawn. If you start
- too few Squid will have to wait for them to process a backlog of
- URLs, slowing it down. If you start too many they will use RAM
- and other system resources.
-DOC_END
+ This controls how long Squid waits to declare a peer cache
+ as "dead." If there are no ICP replies received in this
+ amount of time, Squid will declare the peer dead and not
+ expect to receive any further ICP replies. However, it
+ continues to send ICP queries, and will mark the peer as
+ alive upon receipt of the first subsequent ICP reply.
-NAME: location_rewrite_concurrency
-TYPE: int
-DEFAULT: 0
-LOC: Config.Program.location_rewrite.concurrency
-DOC_START
- The number of requests each Location rewriter helper can handle in
- parallel. Defaults to 0 which indicates that the helper
- is a old-style singlethreaded helper.
+ This timeout also affects when Squid expects to receive ICP
+ replies from peers. If more than 'dead_peer' seconds have
+ passed since the last ICP reply was received, Squid will not
+ expect to receive an ICP reply on the next query. Thus, if
+ your time between requests is greater than this timeout, you
+ will see a lot of requests sent DIRECT to origin servers
+ instead of to your parents.
DOC_END
-NAME: location_rewrite_access
-TYPE: acl_access
+NAME: hierarchy_stoplist
+TYPE: wordlist
DEFAULT: none
-LOC: Config.accessList.location_rewrite
+LOC: Config.hierarchy_stoplist
DOC_START
- If defined, this access list specifies which requests are
- sent to the location rewriting processes. By default all Location
- headers are sent.
+ A list of words which, if found in a URL, cause the object to
+ be handled directly by this cache. In other words, use this
+ to not query neighbor caches for certain objects. You may
+ list this option multiple times. Note: never_direct overrides
+ this option.
+NOCOMMENT_START
+#We recommend you to use at least the following line.
+hierarchy_stoplist cgi-bin ?
+NOCOMMENT_END
DOC_END
-NAME: auth_param
-TYPE: authparam
-LOC: Config.authConfig
+NAME: cache no_cache
+TYPE: acl_access
DEFAULT: none
+LOC: Config.accessList.noCache
DOC_START
- This is used to define parameters for the various authentication
- schemes supported by Squid.
-
- format: auth_param scheme parameter [setting]
-
- The order in which authentication schemes are presented to the client is
- dependent on the order the scheme first appears in config file. IE
- has a bug (it's not RFC 2617 compliant) in that it will use the basic
- scheme if basic is the first entry presented, even if more secure
- schemes are presented. For now use the order in the recommended
- settings section below. If other browsers have difficulties (don't
- recognize the schemes offered even if you are using basic) either
- put basic first, or disable the other schemes (by commenting out their
- program entry).
-
- Once an authentication scheme is fully configured, it can only be
- shutdown by shutting squid down and restarting. Changes can be made on
- the fly and activated with a reconfigure. I.E. You can change to a
- different helper, but not unconfigure the helper completely.
-
- Please note that while this directive defines how Squid processes
- authentication it does not automatically activate authentication.
- To use authentication you must in addition make use of ACLs based
- on login name in http_access (proxy_auth, proxy_auth_regex or
- external with %LOGIN used in the format tag). The browser will be
- challenged for authentication on the first such acl encountered
- in http_access processing and will also be re-challenged for new
- login credentials if the request is being denied by a proxy_auth
- type acl.
-
- WARNING: authentication can't be used in a transparently intercepting
- proxy as the client then thinks it is talking to an origin server and
- not the proxy. This is a limitation of bending the TCP/IP protocol to
- transparently intercepting port 80, not a limitation in Squid.
-
- === Parameters for the basic scheme follow. ===
-
- "program" cmdline
- Specify the command for the external authenticator. Such a program
- reads a line containing "username password" and replies "OK" or
- "ERR" in an endless loop. "ERR" responses may optionally be followed
- by a error description available as %m in the returned error page.
-
- By default, the basic authentication scheme is not used unless a
- program is specified.
-
- If you want to use the traditional proxy authentication, jump over to
- the helpers/basic_auth/NCSA directory and type:
- % make
- % make install
-
- Then, set this line to something like
-
- auth_param basic program @DEFAULT_PREFIX@/libexec/ncsa_auth @DEFAULT_PREFIX@/etc/passwd
-
- "children" numberofchildren
- The number of authenticator processes to spawn. If you start too few
- squid will have to wait for them to process a backlog of credential
- verifications, slowing it down. When credential verifications are
- done via a (slow) network you are likely to need lots of
- authenticator processes.
- auth_param basic children 5
+ A list of ACL elements which, if matched, cause the request to
+ not be satisfied from the cache and the reply to not be cached.
+ In other words, use this to force certain objects to never be cached.
- "concurrency" numberofconcurrentrequests
- The number of concurrent requests/channels the helper supports.
- Changes the protocol used to include a channel number first on
- the request/response line, allowing multiple requests to be sent
- to the same helper in parallell without wating for the response.
- Must not be set unless it's known the helper supports this.
+ You must use the word 'DENY' to indicate the ACL names which should
+ NOT be cached.
- "realm" realmstring
- Specifies the realm name which is to be reported to the client for
- the basic proxy authentication scheme (part of the text the user
- will see when prompted their username and password).
- auth_param basic realm Squid proxy-caching web server
+ Default is to allow all to be cached
+NOCOMMENT_START
+#We recommend you to use the following two lines.
+acl QUERY urlpath_regex cgi-bin \?
+cache deny QUERY
+NOCOMMENT_END
+DOC_END
- "credentialsttl" timetolive
- Specifies how long squid assumes an externally validated
- username:password pair is valid for - in other words how often the
- helper program is called for that user. Set this low to force
- revalidation with short lived passwords. Note that setting this high
- does not impact your susceptibility to replay attacks unless you are
- using an one-time password system (such as SecureID). If you are using
- such a system, you will be vulnerable to replay attacks unless you
- also use the max_user_ip ACL in an http_access rule.
- auth_param basic credentialsttl 2 hours
+COMMENT_START
+ MEMORY CACHE OPTIONS
+ -----------------------------------------------------------------------------
+COMMENT_END
- "casesensitive" on|off
- Specifies if usernames are case sensitive. Most user databases are
- case insensitive allowing the same username to be spelled using both
- lower and upper case letters, but some are case sensitive. This
- makes a big difference for user_max_ip ACL processing and similar.
- auth_param basic casesensitive off
+NAME: cache_mem
+COMMENT: (bytes)
+TYPE: b_size_t
+DEFAULT: 8 MB
+LOC: Config.memMaxSize
+DOC_START
+ NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS SIZE.
+ IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL
+ USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER
+ THINGS AS WELL. SEE THE SQUID FAQ SECTION 8 FOR DETAILS.
- "blankpassword" on|off
- Specifies if blank passwords should be supported. Defaults to off
- as there is multiple authentication backends which handles blank
- passwords as "guest" access.
+ 'cache_mem' specifies the ideal amount of memory to be used
+ for:
+ * In-Transit objects
+ * Hot Objects
+ * Negative-Cached objects
- === Parameters for the digest scheme follow ===
+ Data for these objects are stored in 4 KB blocks. This
+ parameter specifies the ideal upper limit on the total size of
+ 4 KB blocks allocated. In-Transit objects take the highest
+ priority.
- "program" cmdline
- Specify the command for the external authenticator. Such a program
- reads a line containing "username":"realm" and replies with the
- appropriate H(A1) value hex encoded or ERR if the user (or his H(A1)
- hash) does not exists. See RFC 2616 for the definition of H(A1).
- "ERR" responses may optionally be followed by a error description
- available as %m in the returned error page.
+ In-transit objects have priority over the others. When
+ additional space is needed for incoming data, negative-cached
+ and hot objects will be released. In other words, the
+ negative-cached and hot objects will fill up any unused space
+ not needed for in-transit objects.
- By default, the digest authentication scheme is not used unless a
- program is specified.
+ If circumstances require, this limit will be exceeded.
+ Specifically, if your incoming request rate requires more than
+ 'cache_mem' of memory to hold in-transit objects, Squid will
+ exceed this limit to satisfy the new requests. When the load
+ decreases, blocks will be freed until the high-water mark is
+ reached. Thereafter, blocks will be used to store hot
+ objects.
+DOC_END
- If you want to use a digest authenticator, jump over to the
- helpers/digest_auth/ directory and choose the authenticator to use.
- It it's directory type
- % make
- % make install
+NAME: maximum_object_size_in_memory
+COMMENT: (bytes)
+TYPE: b_size_t
+DEFAULT: 8 KB
+LOC: Config.Store.maxInMemObjSize
+DOC_START
+ Objects greater than this size will not be attempted to kept in
+ the memory cache. This should be set high enough to keep objects
+ accessed frequently in memory to improve performance whilst low
+ enough to keep larger objects from hoarding cache_mem.
+DOC_END
- Then, set this line to something like
+NAME: memory_replacement_policy
+TYPE: removalpolicy
+LOC: Config.memPolicy
+DEFAULT: lru
+DOC_START
+ The memory replacement policy parameter determines which
+ objects are purged from memory when memory space is needed.
- auth_param digest program @DEFAULT_PREFIX@/libexec/digest_auth_pw @DEFAULT_PREFIX@/etc/digpass
+ See cache_replacement_policy for details.
+DOC_END
- "children" numberofchildren
- The number of authenticator processes to spawn. If you start too few
- squid will have to wait for them to process a backlog of credential
- verifications, slowing it down. When credential verifications are
- done via a (slow) network you are likely to need lots of
- authenticator processes.
- auth_param digest children 5
+COMMENT_START
+ DISK CACHE OPTIONS
+ -----------------------------------------------------------------------------
+COMMENT_END
- "concurrency" numberofconcurrentrequests
- The number of concurrent requests/channels the helper supports.
- Changes the protocol used to include a channel number first on
- the request/response line, allowing multiple requests to be sent
- to the same helper in parallell without wating for the response.
- Must not be set unless it's known the helper supports this.
+NAME: cache_replacement_policy
+TYPE: removalpolicy
+LOC: Config.replPolicy
+DEFAULT: lru
+DOC_START
+ The cache replacement policy parameter determines which
+ objects are evicted (replaced) when disk space is needed.
- "realm" realmstring
- Specifies the realm name which is to be reported to the client for the
- digest proxy authentication scheme (part of the text the user will see
- when prompted their username and password).
- auth_param digest realm Squid proxy-caching web server
+ lru : Squid's original list based LRU policy
+ heap GDSF : Greedy-Dual Size Frequency
+ heap LFUDA: Least Frequently Used with Dynamic Aging
+ heap LRU : LRU policy implemented using a heap
- "nonce_garbage_interval" timeinterval
- Specifies the interval that nonces that have been issued to clients are
- checked for validity.
- auth_param digest nonce_garbage_interval 5 minutes
+ Applies to any cache_dir lines listed below this.
- "nonce_max_duration" timeinterval
- Specifies the maximum length of time a given nonce will be valid for.
- auth_param digest nonce_max_duration 30 minutes
+ The LRU policies keeps recently referenced objects.
- "nonce_max_count" number
- Specifies the maximum number of times a given nonce can be used.
- auth_param digest nonce_max_count 50
+ The heap GDSF policy optimizes object hit rate by keeping smaller
+ popular objects in cache so it has a better chance of getting a
+ hit. It achieves a lower byte hit rate than LFUDA though since
+ it evicts larger (possibly popular) objects.
- "nonce_strictness" on|off
- Determines if squid requires strict increment-by-1 behavior for nonce
- counts, or just incrementing (off - for use when useragents generate
- nonce counts that occasionally miss 1 (ie, 1,2,4,6)).
- auth_param digest nonce_strictness off
+ The heap LFUDA policy keeps popular objects in cache regardless of
+ their size and thus optimizes byte hit rate at the expense of
+ hit rate since one large, popular object will prevent many
+ smaller, slightly less popular objects from being cached.
- "check_nonce_count" on|off
- This directive if set to off can disable the nonce count check
- completely to work around buggy digest qop implementations in certain
- mainstream browser versions. Default on to check the nonce count to
- protect from authentication replay attacks.
- auth_param digest check_nonce_count on
+ Both policies utilize a dynamic aging mechanism that prevents
+ cache pollution that can otherwise occur with frequency-based
+ replacement policies.
- "post_workaround" on|off
- This is a workaround to certain buggy browsers who sends an incorrect
- request digest in POST requests when reusing the same nonce as acquired
- earlier in response to a GET request.
- auth_param digest post_workaround off
+ NOTE: if using the LFUDA replacement policy you should increase
+ the value of maximum_object_size above its default of 4096 KB to
+ to maximize the potential byte hit rate improvement of LFUDA.
- === NTLM scheme options follow ===
+ For more information about the GDSF and LFUDA cache replacement
+ policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html
+ and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html.
+DOC_END
- "program" cmdline
- Specify the command for the external NTLM authenticator. Such a
- program participates in the NTLMSSP exchanges between Squid and the
- client and reads commands according to the Squid NTLMSSP helper
- protocol. See helpers/ntlm_auth/ for details. Recommended ntlm
- authenticator is ntlm_auth from Samba-3.X, but a number of other
- ntlm authenticators is available.
+NAME: cache_dir
+TYPE: cachedir
+DEFAULT: none
+DEFAULT_IF_NONE: ufs @DEFAULT_SWAP_DIR@ 100 16 256
+LOC: Config.cacheSwap
+DOC_START
+ Usage:
- By default, the ntlm authentication scheme is not used unless a
- program is specified.
+ cache_dir Type Directory-Name Fs-specific-data [options]
- auth_param ntlm program /path/to/samba/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
+ You can specify multiple cache_dir lines to spread the
+ cache among different disk partitions.
- "children" numberofchildren
- The number of authenticator processes to spawn. If you start too few
- squid will have to wait for them to process a backlog of credential
- verifications, slowing it down. When credential verifications are
- done via a (slow) network you are likely to need lots of
- authenticator processes.
- auth_param ntlm children 5
+ Type specifies the kind of storage system to use. Only "ufs"
+ is built by default. To enable any of the other storage systems
+ see the --enable-storeio configure option.
- "keep_alive" on|off
- This option enables the use of keep-alive on the initial
- authentication request. It has been reported some versions of MSIE
- have problems if this is enabled, but performance will be increased
- if enabled.
+ 'Directory' is a top-level directory where cache swap
+ files will be stored. If you want to use an entire disk
+ for caching, this can be the mount-point directory.
+ The directory must exist and be writable by the Squid
+ process. Squid will NOT create this directory for you.
+ Only using COSS, a raw disk device or a stripe file can
+ be specified, but the configuration of the "cache_swap_log"
+ tag is mandatory.
- auth_param ntlm keep_alive on
+ The ufs store type:
- === Negotiate scheme options follow ===
+ "ufs" is the old well-known Squid storage format that has always
+ been there.
- "program" cmdline
- Specify the command for the external Negotiate authenticator. Such a
- program participates in the SPNEGO exchanges between Squid and the
- client and reads commands according to the Squid ntlmssp helper
- protocol. See helpers/ntlm_auth/ for details. Recommended SPNEGO
- authenticator is ntlm_auth from Samba-4.X.
+ cache_dir ufs Directory-Name Mbytes L1 L2 [options]
+
+ 'Mbytes' is the amount of disk space (MB) to use under this
+ directory. The default is 100 MB. Change this to suit your
+ configuration. Do NOT put the size of your disk drive here.
+ Instead, if you want Squid to use the entire disk drive,
+ subtract 20% and use that value.
+
+ 'Level-1' is the number of first-level subdirectories which
+ will be created under the 'Directory'. The default is 16.
- By default, the Negotiate authentication scheme is not used unless a
- program is specified.
+ 'Level-2' is the number of second-level subdirectories which
+ will be created under each first-level directory. The default
+ is 256.
- auth_param negotiate program /path/to/samba/bin/ntlm_auth --helper-protocol=gss-spnego
+ The aufs store type:
- "children" numberofchildren
- The number of authenticator processes to spawn. If you start too few
- squid will have to wait for them to process a backlog of credential
- verifications, slowing it down. When credential verifications are
- done via a (slow) network you are likely to need lots of
- authenticator processes.
- auth_param negotiate children 5
+ "aufs" uses the same storage format as "ufs", utilizing
+ POSIX-threads to avoid blocking the main Squid process on
+ disk-I/O. This was formerly known in Squid as async-io.
- "keep_alive" on|off
- If you experience problems with PUT/POST requests when using the
- Negotiate authentication scheme then you can try setting this to
- off. This will cause Squid to forcibly close the connection on
- the initial requests where the browser asks which schemes are
- supported by the proxy.
+ cache_dir aufs Directory-Name Mbytes L1 L2 [options]
- auth_param negotiate keep_alive on
+ see argument descriptions under ufs above
-NOCOMMENT_START
-#Recommended minimum configuration per scheme:
-#auth_param negotiate program
-#auth_param negotiate children 5
-#auth_param negotiate keep_alive on
-#auth_param ntlm program
-#auth_param ntlm children 5
-#auth_param ntlm keep_alive on
-#auth_param digest program
-#auth_param digest children 5
-#auth_param digest realm Squid proxy-caching web server
-#auth_param digest nonce_garbage_interval 5 minutes
-#auth_param digest nonce_max_duration 30 minutes
-#auth_param digest nonce_max_count 50
-#auth_param basic program
-#auth_param basic children 5
-#auth_param basic realm Squid proxy-caching web server
-#auth_param basic credentialsttl 2 hours
-#auth_param basic casesensitive off
-NOCOMMENT_END
-DOC_END
+ The diskd store type:
-NAME: authenticate_cache_garbage_interval
-TYPE: time_t
-DEFAULT: 1 hour
-LOC: Config.authenticateGCInterval
-DOC_START
- The time period between garbage collection across the username cache.
- This is a tradeoff between memory utilization (long intervals - say
- 2 days) and CPU (short intervals - say 1 minute). Only change if you
- have good reason to.
-DOC_END
+ "diskd" uses the same storage format as "ufs", utilizing a
+ separate process to avoid blocking the main Squid process on
+ disk-I/O.
-NAME: authenticate_ttl
-TYPE: time_t
-DEFAULT: 1 hour
-LOC: Config.authenticateTTL
-DOC_START
- The time a user & their credentials stay in the logged in user cache
- since their last request. When the garbage interval passes, all user
- credentials that have passed their TTL are removed from memory.
-DOC_END
+ cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n]
-NAME: authenticate_ip_ttl
-TYPE: time_t
-LOC: Config.authenticateIpTTL
-DEFAULT: 0 seconds
-DOC_START
- If you use proxy authentication and the 'max_user_ip' ACL, this
- directive controls how long Squid remembers the IP addresses
- associated with each user. Use a small value (e.g., 60 seconds) if
- your users might change addresses quickly, as is the case with
- dialups. You might be safe using a larger value (e.g., 2 hours) in a
- corporate LAN environment with relatively static address assignments.
-DOC_END
+ see argument descriptions under ufs above
-NAME: external_acl_type
-TYPE: externalAclHelper
-LOC: Config.externalAclHelperList
-DEFAULT: none
-DOC_START
- This option defines external acl classes using a helper program to
- look up the status
+ Q1 specifies the number of unacknowledged I/O requests when Squid
+ stops opening new files. If this many messages are in the queues,
+ Squid won't open new files. Default is 64
- external_acl_type name [options] FORMAT.. /path/to/helper [helper arguments..]
+ Q2 specifies the number of unacknowledged messages when Squid
+ starts blocking. If this many messages are in the queues,
+ Squid blocks until it receives some replies. Default is 72
- Options:
+ When Q1 < Q2 (the default), the cache directory is optimized
+ for lower response time at the expense of a decrease in hit
+ ratio. If Q1 > Q2, the cache directory is optimized for
+ higher hit ratio at the expense of an increase in response
+ time.
- ttl=n TTL in seconds for cached results (defaults to 3600
- for 1 hour)
- negative_ttl=n
- TTL for cached negative lookups (default same
- as ttl)
- children=n number of processes spawn to service external acl
- lookups of this type. (default 5).
- concurrency=n concurrency level per process. Only used with helpers
- capable of processing more than one query at a time.
- Note: see compatibility note below
- cache=n result cache size, 0 is unbounded (default)
- grace= Percentage remaining of TTL where a refresh of a
- cached entry should be initiated without needing to
- wait for a new reply. (default 0 for no grace period)
- protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers
+ The coss store type:
- FORMAT specifications
+ block-size=n defines the "block size" for COSS cache_dir's.
+ Squid uses file numbers as block numbers. Since file numbers
+ are limited to 24 bits, the block size determines the maximum
+ size of the COSS partition. The default is 512 bytes, which
+ leads to a maximum cache_dir size of 512<<24, or 8 GB. Note
+ you should not change the COSS block size after Squid
+ has written some objects to the cache_dir.
- %LOGIN Authenticated user login name
- %EXT_USER Username from external acl
- %IDENT Ident user name
- %SRC Client IP
- %SRCPORT Client source port
- %DST Requested host
- %PROTO Requested protocol
- %PORT Requested port
- %METHOD Request method
- %MYADDR Squid interface address
- %MYPORT Squid http_port number
- %PATH Requested URL-path (including query-string if any)
- %USER_CERT SSL User certificate in PEM format
- %USER_CERTCHAIN SSL User certificate chain in PEM format
- %USER_CERT_xx SSL User certificate subject attribute xx
- %USER_CA_xx SSL User certificate issuer attribute xx
- %{Header} HTTP request header
- %{Hdr:member} HTTP request header list member
- %{Hdr:;member}
- HTTP request header list member using ; as
- list separator. ; can be any non-alphanumeric
- character.
- %ACL The ACL name
- %DATA The ACL arguments. If not used then any arguments
- is automatically added at the end
+ overwrite-percent=n defines the percentage of disk that COSS
+ must write to before a given object will be moved to the
+ current stripe. A value of "n" closer to 100 will cause COSS
+ to waste less disk space by having multiple copies of an object
+ on disk, but will increase the chances of overwriting a popular
+ object as COSS overwrites stripes. A value of "n" close to 0
+ will cause COSS to keep all current objects in the current COSS
+ stripe at the expense of the hit rate. The default value of 50
+ will allow any given object to be stored on disk a maximum of
+ 2 times.
- In addition to the above, any string specified in the referencing
- acl will also be included in the helper request line, after the
- specified formats (see the "acl external" directive)
+ max-stripe-waste=n defines the maximum amount of space that COSS
+ will waste in a given stripe (in bytes). When COSS writes data
+ to disk, it will potentially waste up to "max-size" worth of disk
+ space for each 1MB of data written. If "max-size" is set to a
+ large value (ie >256k), this could potentially result in large
+ amounts of wasted disk space. Setting this value to a lower value
+ (ie 64k or 32k) will result in a COSS disk refusing to cache
+ larger objects until the COSS stripe has been filled to within
+ "max-stripe-waste" of the maximum size (1MB).
- The helper receives lines per the above format specification,
- and returns lines starting with OK or ERR indicating the validity
- of the request and optionally followed by additional keywords with
- more details.
+ membufs=n defines the number of "memory-only" stripes that COSS
+ will use. When an cache hit is performed on a COSS stripe before
+ COSS has reached the overwrite-percent value for that object,
+ COSS will use a series of memory buffers to hold the object in
+ while the data is sent to the client. This will define the maximum
+ number of memory-only buffers that COSS will use. The default value
+ is 10, which will use a maximum of 10MB of memory for buffers.
- General result syntax:
+ maxfullbufs=n defines the maximum number of stripes a COSS partition
+ will have in memory waiting to be freed (either because the disk is
+ under load and the stripe is unwritten, or because clients are still
+ transferring data from objects using the memory). In order to try
+ and maintain a good hit rate under load, COSS will reserve the last
+ 2 full stripes for object hits. (ie a COSS cache_dir will reject
+ new objects when the number of full stripes is 2 less than maxfullbufs)
- OK/ERR keyword=value ...
+ The null store type:
- Defined keywords:
+ no options are allowed or required
- user= The users name (login also understood)
- password= The users password (for PROXYPASS login= cache_peer)
- message= Error message or similar used as %o in error messages
- (error also understood)
- log= String to be logged in access.log. Available as
- %ea in logformat specifications
+ Common options:
- If protocol=3.0 (the default) then URL escaping is used to protect
- each value in both requests and responses.
+ read-only, no new objects should be stored to this cache_dir
- If using protocol=2.5 then all values need to be enclosed in quotes
- if they may contain whitespace, or the whitespace escaped using \.
- And quotes or \ characters within the keyword value must be \ escaped.
+ min-size=n, refers to the min object size this storedir will accept.
+ It's used to restrict a storedir to only store large objects
+ (e.g. aufs) while other storedirs are optimized for smaller objects
+ (e.g. COSS). Defaults to 0.
- When using the concurrency= option the protocol is changed by
- introducing a query channel tag infront of the request/response.
- The query channel tag is a number between 0 and concurrency-1.
+ max-size=n, refers to the max object size this storedir supports.
+ It is used to initially choose the storedir to dump the object.
+ Note: To make optimal use of the max-size limits you should order
+ the cache_dir lines with the smallest max-size value first and the
+ ones with no max-size specification last.
- Compatibility Note: The children= option was named concurrency= in
- Squid-2.5.STABLE3 and earlier, and was accepted as an alias for the
- duration of the Squid-2.5 releases to keep compatibility. However,
- the meaning of concurrency= option has changed in Squid-2.6 to match
- that of Squid-3 and the old syntax no longer works.
+ Note that for coss, max-size must be less than COSS_MEMBUF_SZ
+ (hard coded at 1 MB).
DOC_END
-COMMENT_START
- OPTIONS FOR TUNING THE CACHE
- -----------------------------------------------------------------------------
-COMMENT_END
+NAME: store_dir_select_algorithm
+TYPE: string
+LOC: Config.store_dir_select_algorithm
+DEFAULT: least-load
+DOC_START
+ Set this to 'round-robin' as an alternative.
+DOC_END
-NAME: request_header_max_size
-COMMENT: (KB)
-TYPE: b_size_t
-DEFAULT: 20 KB
-LOC: Config.maxRequestHeaderSize
+NAME: max_open_disk_fds
+TYPE: int
+LOC: Config.max_open_disk_fds
+DEFAULT: 0
DOC_START
- This specifies the maximum size for HTTP headers in a request.
- Request headers are usually relatively small (about 512 bytes).
- Placing a limit on the request header size will catch certain
- bugs (for example with persistent connections) and possibly
- buffer-overflow or denial-of-service attacks.
+ To avoid having disk as the I/O bottleneck Squid can optionally
+ bypass the on-disk cache if more than this amount of disk file
+ descriptors are open.
+
+ A value of 0 indicates no limit.
DOC_END
-NAME: request_body_max_size
-COMMENT: (KB)
+NAME: minimum_object_size
+COMMENT: (bytes)
TYPE: b_size_t
DEFAULT: 0 KB
-LOC: Config.maxRequestBodySize
+LOC: Config.Store.minObjectSize
DOC_START
- This specifies the maximum size for an HTTP request body.
- In other words, the maximum size of a PUT/POST request.
- A user who attempts to send a request with a body larger
- than this limit receives an "Invalid Request" error message.
- If you set this parameter to a zero (the default), there will
- be no limit imposed.
+ Objects smaller than this size will NOT be saved on disk. The
+ value is specified in kilobytes, and the default is 0 KB, which
+ means there is no minimum.
DOC_END
-NAME: refresh_pattern
-TYPE: refreshpattern
-LOC: Config.Refresh
-DEFAULT: none
+NAME: maximum_object_size
+COMMENT: (bytes)
+TYPE: b_size_t
+DEFAULT: 4096 KB
+LOC: Config.Store.maxObjectSize
DOC_START
- usage: refresh_pattern [-i] regex min percent max [options]
+ Objects larger than this size will NOT be saved on disk. The
+ value is specified in kilobytes, and the default is 4MB. If
+ you wish to get a high BYTES hit ratio, you should probably
+ increase this (one 32 MB object hit counts for 3200 10KB
+ hits). If you wish to increase speed more than your want to
+ save bandwidth you should leave this low.
- By default, regular expressions are CASE-SENSITIVE. To make
- them case-insensitive, use the -i option.
+ NOTE: if using the LFUDA replacement policy you should increase
+ this value to maximize the byte hit rate improvement of LFUDA!
+ See replacement_policy below for a discussion of this policy.
+DOC_END
- 'Min' is the time (in minutes) an object without an explicit
- expiry time should be considered fresh. The recommended
- value is 0, any higher values may cause dynamic applications
- to be erroneously cached unless the application designer
- has taken the appropriate actions.
+NAME: cache_swap_low
+COMMENT: (percent, 0-100)
+TYPE: int
+DEFAULT: 90
+LOC: Config.Swap.lowWaterMark
+DOC_NONE
- 'Percent' is a percentage of the objects age (time since last
- modification age) an object without explicit expiry time
- will be considered fresh.
+NAME: cache_swap_high
+COMMENT: (percent, 0-100)
+TYPE: int
+DEFAULT: 95
+LOC: Config.Swap.highWaterMark
+DOC_START
- 'Max' is an upper limit on how long objects without an explicit
- expiry time will be considered fresh.
+ The low- and high-water marks for cache object replacement.
+ Replacement begins when the swap (disk) usage is above the
+ low-water mark and attempts to maintain utilization near the
+ low-water mark. As swap utilization gets close to high-water
+ mark object eviction becomes more aggressive. If utilization is
+ close to the low-water mark less replacement is done each time.
- options: override-expire
- override-lastmod
- reload-into-ims
- ignore-reload
- ignore-no-cache
- ignore-private
- ignore-auth
+ Defaults are 90% and 95%. If you have a large cache, 5% could be
+ hundreds of MB. If this is the case you may wish to set these
+ numbers closer together.
+DOC_END
- override-expire enforces min age even if the server
- sent a Expires: header. Doing this VIOLATES the HTTP
- standard. Enabling this feature could make you liable
- for problems which it causes.
+COMMENT_START
+ LOGFILE OPTIONS
+ -----------------------------------------------------------------------------
+COMMENT_END
- override-lastmod enforces min age even on objects
- that were modified recently.
+NAME: logformat
+TYPE: logformat
+LOC: Config.Log.logformats
+DEFAULT: none
+DOC_START
+ Usage:
- reload-into-ims changes client no-cache or ``reload''
- to If-Modified-Since requests. Doing this VIOLATES the
- HTTP standard. Enabling this feature could make you
- liable for problems which it causes.
+ logformat
- ignore-reload ignores a client no-cache or ``reload''
- header. Doing this VIOLATES the HTTP standard. Enabling
- this feature could make you liable for problems which
- it causes.
+ Defines an access log format.
- ignore-no-cache ignores any ``Pragma: no-cache'' and
- ``Cache-control: no-cache'' headers received from a server.
- The HTTP RFC never allows the use of this (Pragma) header
- from a server, only a client, though plenty of servers
- send it anyway.
+ The is a string with embedded % format codes
- ignore-private ignores any ``Cache-control: private''
- headers received from a server. Doing this VIOLATES
- the HTTP standard. Enabling this feature could make you
- liable for problems which it causes.
+ % format codes all follow the same basic structure where all but
+ the formatcode is optional. Output strings are automatically escaped
+ as required according to their context and the output format
+ modifiers are usually not needed, but can be specified if an explicit
+ output format is desired.
- ignore-auth caches responses to requests with authorization,
- as if the originserver had sent ``Cache-control: public''
- in the response header. Doing this VIOLATES the HTTP standard.
- Enabling this feature could make you liable for problems which
- it causes.
+ % ["|[|'|#] [-] [[0]width] [{argument}] formatcode
- Basically a cached object is:
+ " output in quoted string format
+ [ output in squid text log format as used by log_mime_hdrs
+ # output in URL quoted format
+ ' output as-is
- FRESH if expires < now, else STALE
- STALE if age > max
- FRESH if lm-factor < percent, else STALE
- FRESH if age < min
- else STALE
+ - left aligned
+ width field width. If starting with 0 the
+ output is zero padded
+ {arg} argument such as header name etc
- The refresh_pattern lines are checked in the order listed here.
- The first entry which matches is used. If none of the entries
- match the default will be used.
+ Format codes:
- Note, you must uncomment all the default lines if you want
- to change one. The default setting is only active if none is
- used.
+ >a Client source IP address
+ >A Client FQDN
+ >p Client source port
+ h Request header. Optional header name argument
+ on the format header[:[separator]element]
+ h
+ un User name
+ ul User name from authentication
+ ui User name from ident
+ us User name from SSL
+ ue User name from external acl helper
+ Hs HTTP status code
+ Ss Squid request status (TCP_MISS etc)
+ Sh Squid hierarchy status (DEFAULT_PARENT etc)
+ mt MIME content type
+ rm Request method (GET/POST etc)
+ ru Request URL
+ rv Request protocol version
+ ea Log string returned by external acl
+ st Request size including HTTP headers
+ st Request+Reply size including HTTP headers
+ % a literal % character
-Suggested default:
-NOCOMMENT_START
-refresh_pattern ^ftp: 1440 20% 10080
-refresh_pattern ^gopher: 1440 0% 1440
-refresh_pattern . 0 20% 4320
-NOCOMMENT_END
+logformat squid %ts.%03tu %6tr %>a %Ss/%03Hs %a %Ss/%03Hs %h] [%a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %h" "%{User-Agent}>h" %Ss:%Sh
DOC_END
-NAME: quick_abort_min
-COMMENT: (KB)
-TYPE: kb_size_t
-DEFAULT: 16 KB
-LOC: Config.quickAbort.min
-DOC_NONE
-
-NAME: quick_abort_max
-COMMENT: (KB)
-TYPE: kb_size_t
-DEFAULT: 16 KB
-LOC: Config.quickAbort.max
-DOC_NONE
-
-NAME: quick_abort_pct
-COMMENT: (percent)
-TYPE: int
-DEFAULT: 95
-LOC: Config.quickAbort.pct
+NAME: access_log cache_access_log
+TYPE: access_log
+LOC: Config.Log.accesslogs
+DEFAULT: none
DOC_START
- The cache by default continues downloading aborted requests
- which are almost completed (less than 16 KB remaining). This
- may be undesirable on slow (e.g. SLIP) links and/or very busy
- caches. Impatient users may tie up file descriptors and
- bandwidth by repeatedly requesting and immediately aborting
- downloads.
+ These files log client request activities. Has a line every HTTP or
+ ICP request. The format is:
+ access_log [ [acl acl ...]]
+ access_log none [acl acl ...]]
- When the user aborts a request, Squid will check the
- quick_abort values to the amount of data transfered until
- then.
+ Will log to the specified file using the specified format (which
+ must be defined in a logformat directive) those entries which match
+ ALL the acl's specified (which must be defined in acl clauses).
+ If no acl is specified, all requests will be logged to this file.
- If the transfer has less than 'quick_abort_min' KB remaining,
- it will finish the retrieval.
+ To disable logging of a request use the filepath "none", in which case
+ a logformat name should not be specified.
- If the transfer has more than 'quick_abort_max' KB remaining,
- it will abort the retrieval.
+ To log the request via syslog specify a filepath of "syslog":
- If more than 'quick_abort_pct' of the transfer has completed,
- it will finish the retrieval.
+ access_log syslog[:facility.priority] [format [acl1 [acl2 ....]]]
+ where facility could be any of:
+ authpriv, daemon, local0 .. local7 or user.
- If you do not want any retrieval to continue after the client
- has aborted, set both 'quick_abort_min' and 'quick_abort_max'
- to '0 KB'.
+ And priority could be any of:
+ err, warning, notice, info, debug.
- If you want retrievals to always continue if they are being
- cached set 'quick_abort_min' to '-1 KB'.
+ Note: 2.6.STABLE14 and earlier only supports a slightly different
+ and undocumented format with all uppercase LOG_FACILITY|LOG_PRIORITY
+NOCOMMENT_START
+access_log @DEFAULT_ACCESS_LOG@ squid
+NOCOMMENT_END
DOC_END
-NAME: read_ahead_gap
-COMMENT: buffer-size
-TYPE: b_size_t
-LOC: Config.readAheadGap
-DEFAULT: 16 KB
+NAME: log_access
+TYPE: acl_access
+LOC: Config.accessList.log
+DEFAULT: none
+COMMENT: allow|deny acl acl...
DOC_START
- The amount of data the cache will buffer ahead of what has been
- sent to the client when retrieving an object from another server.
+ This options allows you to control which requests gets logged
+ to access.log (see access_log directive). Requests denied for
+ logging will also not be accounted for in performance counters.
DOC_END
-NAME: negative_ttl
-COMMENT: time-units
-TYPE: time_t
-LOC: Config.negativeTtl
-DEFAULT: 5 minutes
+NAME: cache_log
+TYPE: string
+DEFAULT: @DEFAULT_CACHE_LOG@
+LOC: Config.Log.log
DOC_START
- Time-to-Live (TTL) for failed requests. Certain types of
- failures (such as "connection refused" and "404 Not Found") are
- negatively-cached for a configurable amount of time. The
- default is 5 minutes. Note that this is different from
- negative caching of DNS lookups.
+ Cache logging file. This is where general information about
+ your cache's behavior goes. You can increase the amount of data
+ logged to this file with the "debug_options" tag below.
DOC_END
-NAME: positive_dns_ttl
-COMMENT: time-units
-TYPE: time_t
-LOC: Config.positiveDnsTtl
-DEFAULT: 6 hours
+NAME: cache_store_log
+TYPE: string
+DEFAULT: @DEFAULT_STORE_LOG@
+LOC: Config.Log.store
DOC_START
- Upper limit on how long Squid will cache positive DNS responses.
- Default is 6 hours (360 minutes). This directive must be set
- larger than negative_dns_ttl.
+ Logs the activities of the storage manager. Shows which
+ objects are ejected from the cache, and which objects are
+ saved and for how long. To disable, enter "none". There are
+ not really utilities to analyze this data, so you can safely
+ disable it.
DOC_END
-NAME: negative_dns_ttl
-COMMENT: time-units
-TYPE: time_t
-LOC: Config.negativeDnsTtl
-DEFAULT: 1 minute
+NAME: cache_swap_state cache_swap_log
+TYPE: string
+LOC: Config.Log.swap
+DEFAULT: none
DOC_START
- Time-to-Live (TTL) for negative caching of failed DNS lookups.
- This also sets the lower cache limit on positive lookups.
- Minimum value is 1 second, and it is not recommendable to go
- much below 10 seconds.
-DOC_END
+ Location for the cache "swap.state" file. This index file holds
+ the metadata of objects saved on disk. It is used to rebuild
+ the cache during startup. Normally this file resides in each
+ 'cache_dir' directory, but you may specify an alternate
+ pathname here. Note you must give a full filename, not just
+ a directory. Since this is the index for the whole object
+ list you CANNOT periodically rotate it!
-NAME: range_offset_limit
-COMMENT: (bytes)
-TYPE: b_size_t
-LOC: Config.rangeOffsetLimit
-DEFAULT: 0 KB
-DOC_START
- Sets a upper limit on how far into the the file a Range request
- may be to cause Squid to prefetch the whole file. If beyond this
- limit Squid forwards the Range request as it is and the result
- is NOT cached.
+ If %s can be used in the file name it will be replaced with a
+ a representation of the cache_dir name where each / is replaced
+ with '.'. This is needed to allow adding/removing cache_dir
+ lines when cache_swap_log is being used.
- This is to stop a far ahead range request (lets say start at 17MB)
- from making Squid fetch the whole object up to that point before
- sending anything to the client.
+ If have more than one 'cache_dir', and %s is not used in the name
+ these swap logs will have names such as:
- A value of -1 causes Squid to always fetch the object from the
- beginning so it may cache the result. (2.0 style)
+ cache_swap_log.00
+ cache_swap_log.01
+ cache_swap_log.02
- A value of 0 causes Squid to never fetch more than the
- client requested. (default)
+ The numbered extension (which is added automatically)
+ corresponds to the order of the 'cache_dir' lines in this
+ configuration file. If you change the order of the 'cache_dir'
+ lines in this file, these index files will NOT correspond to
+ the correct 'cache_dir' entry (unless you manually rename
+ them). We recommend you do NOT use this option. It is
+ better to keep these index files in each 'cache_dir' directory.
DOC_END
-NAME: minimum_expiry_time
-COMMENT: (seconds)
-TYPE: time_t
-LOC: Config.minimum_expiry_time
-DEFAULT: 60 seconds
+NAME: logfile_rotate
+TYPE: int
+DEFAULT: 10
+LOC: Config.Log.rotateNumber
DOC_START
- The minimum caching time according to (Expires - Date)
- Headers Squid honors if the object can't be revalidated
- defaults to 60 seconds. In reverse proxy enorinments it
- might be desirable to honor shorter object lifetimes. It
- is most likely better to make your server return a
- meaningful Last-Modified header however.
+ Specifies the number of logfile rotations to make when you
+ type 'squid -k rotate'. The default is 10, which will rotate
+ with extensions 0 through 9. Setting logfile_rotate to 0 will
+ disable the file name rotation, but the logfiles are still closed
+ and re-opened. This will enable you to rename the logfiles
+ yourself just before sending the rotate signal.
+
+ Note, the 'squid -k rotate' command normally sends a USR1
+ signal to the running squid process. In certain situations
+ (e.g. on Linux with Async I/O), USR1 is used for other
+ purposes, so -k rotate uses another signal. It is best to get
+ in the habit of using 'squid -k rotate' instead of 'kill -USR1
+ '.
DOC_END
-NAME: store_avg_object_size
-COMMENT: (kbytes)
-TYPE: kb_size_t
-DEFAULT: 13 KB
-LOC: Config.Store.avgObjectSize
+NAME: emulate_httpd_log
+COMMENT: on|off
+TYPE: onoff
+DEFAULT: off
+LOC: Config.onoff.common_log
DOC_START
- Average object size, used to estimate number of objects your
- cache can hold. The default is 13 KB.
+ The Cache can emulate the log file format which many 'httpd'
+ programs use. To disable/enable this emulation, set
+ emulate_httpd_log to 'off' or 'on'. The default
+ is to use the native log format since it includes useful
+ information Squid-specific log analyzers use.
DOC_END
-NAME: store_objects_per_bucket
-TYPE: int
-DEFAULT: 20
-LOC: Config.Store.objectsPerBucket
+NAME: log_ip_on_direct
+COMMENT: on|off
+TYPE: onoff
+DEFAULT: on
+LOC: Config.onoff.log_ip_on_direct
DOC_START
- Target number of objects per bucket in the store hash table.
- Lowering this value increases the total number of buckets and
- also the storage maintenance rate. The default is 20.
+ Log the destination IP address in the hierarchy log tag when going
+ direct. Earlier Squid versions logged the hostname here. If you
+ prefer the old way set this to off.
DOC_END
-COMMENT_START
- HTTP OPTIONS
- -----------------------------------------------------------------------------
-COMMENT_END
-
-NAME: broken_posts
-TYPE: acl_access
-DEFAULT: none
-LOC: Config.accessList.brokenPosts
+NAME: mime_table
+TYPE: string
+DEFAULT: @DEFAULT_MIME_TABLE@
+LOC: Config.mimeTablePathname
DOC_START
- A list of ACL elements which, if matched, causes Squid to send
- an extra CRLF pair after the body of a PUT/POST request.
-
- Some HTTP servers has broken implementations of PUT/POST,
- and rely on an extra CRLF pair sent by some WWW clients.
-
- Quote from RFC2616 section 4.1 on this matter:
-
- Note: certain buggy HTTP/1.0 client implementations generate an
- extra CRLF's after a POST request. To restate what is explicitly
- forbidden by the BNF, an HTTP/1.1 client must not preface or follow
- a request with an extra CRLF.
-
-Example:
- acl buggy_server url_regex ^http://....
- broken_posts allow buggy_server
+ Pathname to Squid's MIME table. You shouldn't need to change
+ this, but the default file contains examples and formatting
+ information if you do.
DOC_END
-NAME: via
-IFDEF: HTTP_VIOLATIONS
+NAME: log_mime_hdrs
COMMENT: on|off
TYPE: onoff
-DEFAULT: on
-LOC: Config.onoff.via
+LOC: Config.onoff.log_mime_hdrs
+DEFAULT: off
DOC_START
- If set (default), Squid will include a Via header in requests and
- replies as required by RFC2616.
+ The Cache can record both the request and the response MIME
+ headers for each HTTP transaction. The headers are encoded
+ safely and will appear as two bracketed fields at the end of
+ the access log (for either the native or httpd-emulated log
+ formats). To enable this logging set log_mime_hdrs to 'on'.
DOC_END
-NAME: cache_vary
-TYPE: onoff
-DEFAULT: on
-LOC: Config.onoff.cache_vary
+NAME: useragent_log
+TYPE: string
+LOC: Config.Log.useragent
+DEFAULT: none
+IFDEF: USE_USERAGENT_LOG
DOC_START
- Set to off to disable caching of Vary:in objects.
+ Squid will write the User-Agent field from HTTP requests
+ to the filename specified here. By default useragent_log
+ is disabled.
DOC_END
-NAME: broken_vary_encoding
-TYPE: acl_access
+NAME: referer_log referrer_log
+TYPE: string
+LOC: Config.Log.referer
DEFAULT: none
-LOC: Config.accessList.vary_encoding
+IFDEF: USE_REFERER_LOG
DOC_START
- Many servers have broken support for on-the-fly Content-Encoding,
- returning the same ETag on both plain and gzip:ed variants.
- Vary replies matching this access list will have the cache split
- on the Accept-Encoding header of the request and not trusting the
- ETag to be unique.
-
-NOCOMMENT_START
-# Apache mod_gzip and mod_deflate known to be broken so don't trust
-# Apache to signal ETag correctly on such responses
-acl apache rep_header Server ^Apache
-broken_vary_encoding allow apache
-NOCOMMENT_END
+ Squid will write the Referer field from HTTP requests to the
+ filename specified here. By default referer_log is disabled.
+ Note that "referer" is actually a misspelling of "referrer"
+ however the misspelt version has been accepted into the HTTP RFCs
+ and we accept both.
DOC_END
-NAME: collapsed_forwarding
-COMMENT: (on|off)
-TYPE: onoff
-LOC: Config.onoff.collapsed_forwarding
-DEFAULT: off
+NAME: pid_filename
+TYPE: string
+DEFAULT: @DEFAULT_PID_FILE@
+LOC: Config.pidFilename
DOC_START
- This option enables multiple requests for the same URI to be
- processed as one request. Normally disabled to avoid increased
- latency on dynamic content, but there can be benefit from enabling
- this in accelerator setups where the web servers are the bottleneck
- and reliable and returns mostly cacheable information.
+ A filename to write the process-id to. To disable, enter "none".
DOC_END
-NAME: refresh_stale_hit
-COMMENT: (time)
-TYPE: time_t
-DEFAULT: 0 seconds
-LOC: Config.refresh_stale_window
+NAME: debug_options
+TYPE: eol
+DEFAULT: ALL,1
+LOC: Config.debugOptions
DOC_START
- This option changes the refresh algorithm to allow concurrent
- requests while an object is being refreshed to be processed as
- cache hits if the object expired less than X seconds ago. Default
- is 0 to disable this feature. This option is mostly interesting
- in accelerator setups where a few objects is accessed very
- frequently.
+ Logging options are set as section,level where each source file
+ is assigned a unique section. Lower levels result in less
+ output, Full debugging (level 9) can result in a very large
+ log file, so be careful. The magic word "ALL" sets debugging
+ levels for all sections. We recommend normally running with
+ "ALL,1".
DOC_END
-NAME: ie_refresh
+NAME: log_fqdn
COMMENT: on|off
TYPE: onoff
-LOC: Config.onoff.ie_refresh
DEFAULT: off
+LOC: Config.onoff.log_fqdn
DOC_START
- Microsoft Internet Explorer up until version 5.5 Service
- Pack 1 has an issue with transparent proxies, wherein it
- is impossible to force a refresh. Turning this on provides
- a partial fix to the problem, by causing all IMS-REFRESH
- requests from older IE versions to check the origin server
- for fresh content. This reduces hit ratio by some amount
- (~10% in my experience), but allows users to actually get
- fresh content when they want it. Note because Squid
- cannot tell if the user is using 5.5 or 5.5SP1, the behavior
- of 5.5 is unchanged from old versions of Squid (i.e. a
- forced refresh is impossible). Newer versions of IE will,
- hopefully, continue to have the new behavior and will be
- handled based on that assumption. This option defaults to
- the old Squid behavior, which is better for hit ratios but
- worse for clients using IE, if they need to be able to
- force fresh content.
+ Turn this on if you wish to log fully qualified domain names
+ in the access.log. To do this Squid does a DNS lookup of all
+ IP's connecting to it. This can (in some situations) increase
+ latency, which makes your cache seem slower for interactive
+ browsing.
DOC_END
-NAME: vary_ignore_expire
-COMMENT: on|off
-TYPE: onoff
-LOC: Config.onoff.vary_ignore_expire
-DEFAULT: off
+NAME: client_netmask
+TYPE: address
+LOC: Config.Addrs.client_netmask
+DEFAULT: 255.255.255.255
DOC_START
- Many HTTP servers supporting Vary gives such objects
- immediate expiry time with no cache-control header
- when requested by a HTTP/1.0 client. This option
- enables Squid to ignore such expiry times until
- HTTP/1.1 is fully implemented.
- WARNING: This may eventually cause some varying
- objects not intended for caching to get cached.
+ A netmask for client addresses in logfiles and cachemgr output.
+ Change this to protect the privacy of your cache clients.
+ A netmask of 255.255.255.0 will log all IP's in that range with
+ the last digit set to '0'.
DOC_END
-NAME: extension_methods
-TYPE: extension_method
-LOC: RequestMethodStr
+NAME: forward_log
+IFDEF: WIP_FWD_LOG
+TYPE: string
DEFAULT: none
+LOC: Config.Log.forward
DOC_START
- Squid only knows about standardized HTTP request methods.
- You can add up to 20 additional "extension" methods here.
+ Logs the server-side requests.
+
+ This is currently work in progress.
DOC_END
-NAME: request_entities
+NAME: strip_query_terms
TYPE: onoff
-LOC: Config.onoff.request_entities
-DEFAULT: off
+LOC: Config.onoff.strip_query_terms
+DEFAULT: on
DOC_START
- Squid defaults to deny GET and HEAD requests with request entities,
- as the meaning of such requests are undefined in the HTTP standard
- even if not explicitly forbidden.
-
- Set this directive to on if you have clients which insists
- on sending request entities in GET or HEAD requests. But be warned
- that there is server software (both proxies and web servers) which
- can fail to properly process this kind of request which may make you
- vulnerable to cache pollution attacks if enabled.
+ By default, Squid strips query terms from requested URLs before
+ logging. This protects your user's privacy.
DOC_END
-NAME: header_access
-IFDEF: HTTP_VIOLATIONS
-TYPE: http_header_access[]
-LOC: Config.header_access
-DEFAULT: none
+NAME: buffered_logs
+COMMENT: on|off
+TYPE: onoff
+DEFAULT: off
+LOC: Config.onoff.buffered_logs
DOC_START
- Usage: header_access header_name allow|deny [!]aclname ...
+ cache.log log file is written with stdio functions, and as such
+ it can be buffered or unbuffered. By default it will be unbuffered.
+ Buffering it can speed up the writing slightly (though you are
+ unlikely to need to worry unless you run with tons of debugging
+ enabled in which case performance will suffer badly anyway..).
+DOC_END
- WARNING: Doing this VIOLATES the HTTP standard. Enabling
- this feature could make you liable for problems which it
- causes.
+COMMENT_START
+ OPTIONS FOR FTP GATEWAYING
+ -----------------------------------------------------------------------------
+COMMENT_END
- This option replaces the old 'anonymize_headers' and the
- older 'http_anonymizer' option with something that is much
- more configurable. This new method creates a list of ACLs
- for each header, allowing you very fine-tuned header
- mangling.
+NAME: ftp_user
+TYPE: string
+DEFAULT: Squid@
+LOC: Config.Ftp.anon_user
+DOC_START
+ If you want the anonymous login password to be more informative
+ (and enable the use of picky ftp servers), set this to something
+ reasonable for your domain, like wwwuser@somewhere.net
- You can only specify known headers for the header name.
- Other headers are reclassified as 'Other'. You can also
- refer to all the headers with 'All'.
+ The reason why this is domainless by default is the
+ request can be made on the behalf of a user in any domain,
+ depending on how the cache is used.
+ Some ftp server also validate the email address is valid
+ (for example perl.com).
+DOC_END
- For example, to achieve the same behavior as the old
- 'http_anonymizer standard' option, you should use:
+NAME: ftp_list_width
+TYPE: int
+DEFAULT: 32
+LOC: Config.Ftp.list_width
+DOC_START
+ Sets the width of ftp listings. This should be set to fit in
+ the width of a standard browser. Setting this too small
+ can cut off long filenames when browsing ftp sites.
+DOC_END
- header_access From deny all
- header_access Referer deny all
- header_access Server deny all
- header_access User-Agent deny all
- header_access WWW-Authenticate deny all
- header_access Link deny all
+NAME: ftp_passive
+TYPE: onoff
+DEFAULT: on
+LOC: Config.Ftp.passive
+DOC_START
+ If your firewall does not allow Squid to use passive
+ connections, turn off this option.
+DOC_END
- Or, to reproduce the old 'http_anonymizer paranoid' feature
- you should use:
+NAME: ftp_sanitycheck
+TYPE: onoff
+DEFAULT: on
+LOC: Config.Ftp.sanitycheck
+DOC_START
+ For security and data integrity reasons Squid by default performs
+ sanity checks of the addresses of FTP data connections ensure the
+ data connection is to the requested server. If you need to allow
+ FTP connections to servers using another IP address for the data
+ connection turn this off.
+DOC_END
- header_access Allow allow all
- header_access Authorization allow all
- header_access WWW-Authenticate allow all
- header_access Proxy-Authorization allow all
- header_access Proxy-Authenticate allow all
- header_access Cache-Control allow all
- header_access Content-Encoding allow all
- header_access Content-Length allow all
- header_access Content-Type allow all
- header_access Date allow all
- header_access Expires allow all
- header_access Host allow all
- header_access If-Modified-Since allow all
- header_access Last-Modified allow all
- header_access Location allow all
- header_access Pragma allow all
- header_access Accept allow all
- header_access Accept-Charset allow all
- header_access Accept-Encoding allow all
- header_access Accept-Language allow all
- header_access Content-Language allow all
- header_access Mime-Version allow all
- header_access Retry-After allow all
- header_access Title allow all
- header_access Connection allow all
- header_access Proxy-Connection allow all
- header_access All deny all
+NAME: ftp_telnet_protocol
+TYPE: onoff
+DEFAULT: on
+LOC: Config.Ftp.telnet
+DOC_START
+ The FTP protocol is officially defined to use the telnet protocol
+ as transport channel for the control connection. However, many
+ implementations are broken and does not respect this aspect of
+ the FTP protocol.
- By default, all headers are allowed (no anonymizing is
- performed).
+ If you have trouble accessing files with ASCII code 255 in the
+ path or similar problems involving this ASCII code you can
+ try setting this directive to off. If that helps, report to the
+ operator of the FTP server in question that their FTP server
+ is broken and does not follow the FTP standard.
DOC_END
-NAME: header_replace
-IFDEF: HTTP_VIOLATIONS
-TYPE: http_header_replace[]
-LOC: Config.header_access
-DEFAULT: none
-DOC_START
- Usage: header_replace header_name message
- Example: header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit)
+COMMENT_START
+ OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
+ -----------------------------------------------------------------------------
+COMMENT_END
- This option allows you to change the contents of headers
- denied with header_access above, by replacing them with
- some fixed string. This replaces the old fake_user_agent
- option.
+NAME: diskd_program
+TYPE: string
+DEFAULT: @DEFAULT_DISKD@
+LOC: Config.Program.diskd
+DOC_START
+ Specify the location of the diskd executable.
+ Note this is only useful if you have compiled in
+ diskd as one of the store io modules.
+DOC_END
- By default, headers are removed if denied.
+NAME: unlinkd_program
+IFDEF: USE_UNLINKD
+TYPE: string
+DEFAULT: @DEFAULT_UNLINKD@
+LOC: Config.Program.unlinkd
+DOC_START
+ Specify the location of the executable for file deletion process.
DOC_END
-NAME: relaxed_header_parser
-COMMENT: on|off|warn
-TYPE: tristate
-LOC: Config.onoff.relaxed_header_parser
-DEFAULT: on
+NAME: pinger_program
+TYPE: string
+DEFAULT: @DEFAULT_PINGER@
+LOC: Config.Program.pinger
+IFDEF: USE_ICMP
DOC_START
- In the default "on" setting Squid accepts certain forms
- of non-compliant HTTP messages where it is unambiguous
- what the sending application intended even if the message
- is not correctly formatted. The messages is then normalized
- to the correct form when forwarded by Squid.
-
- If set to "warn" then a warning will be emitted in cache.log
- each time such HTTP error is encountered.
-
- If set to "off" then such HTTP errors will cause the request
- or response to be rejected.
+ Specify the location of the executable for the pinger process.
DOC_END
COMMENT_START
- TIMEOUTS
+ OPTIONS FOR URL REWRITING
-----------------------------------------------------------------------------
COMMENT_END
-NAME: forward_timeout
-COMMENT: time-units
-TYPE: time_t
-LOC: Config.Timeout.forward
-DEFAULT: 4 minutes
+NAME: url_rewrite_program redirect_program
+TYPE: programline
+LOC: Config.Program.url_rewrite.command
+DEFAULT: none
DOC_START
- This parameter specifies how long Squid should at most attempt in
- finding a forwarding path for the request before giving up.
+ Specify the location of the executable for the URL rewriter.
+ Since they can perform almost any function there isn't one included.
+
+ For each requested URL rewriter will receive on line with the format
+
+ URL client_ip "/" fqdn user method urlgroup
+
+ And the rewriter may return a rewritten URL. The other components of
+ the request line does not need to be returned (ignored if they are).
+
+ The rewriter can also indicate that a client-side redirect should
+ be performed to the new URL. This is done by prefixing the returned
+ URL with "301:" (moved permanently) or 302: (moved temporarily).
+
+ It can also return a "urlgroup" that can subsequently be matched
+ in cache_peer_access and similar ACL driven rules. An urlgroup is
+ returned by prefixing the returned url with "!urlgroup!"
+
+ By default, a URL rewriter is not used.
DOC_END
-NAME: connect_timeout
-COMMENT: time-units
-TYPE: time_t
-LOC: Config.Timeout.connect
-DEFAULT: 1 minute
+NAME: url_rewrite_children redirect_children
+TYPE: int
+DEFAULT: 5
+LOC: Config.Program.url_rewrite.children
DOC_START
- This parameter specifies how long to wait for the TCP connect to
- the requested server or peer to complete before Squid should
- attempt to find another path where to forward the request.
+ The number of redirector processes to spawn. If you start
+ too few Squid will have to wait for them to process a backlog of
+ URLs, slowing it down. If you start too many they will use RAM
+ and other system resources.
DOC_END
-NAME: peer_connect_timeout
-COMMENT: time-units
-TYPE: time_t
-LOC: Config.Timeout.peer_connect
-DEFAULT: 30 seconds
+NAME: url_rewrite_concurrency redirect_concurrency
+TYPE: int
+DEFAULT: 0
+LOC: Config.Program.url_rewrite.concurrency
DOC_START
- This parameter specifies how long to wait for a pending TCP
- connection to a peer cache. The default is 30 seconds. You
- may also set different timeout values for individual neighbors
- with the 'connect-timeout' option on a 'cache_peer' line.
+ The number of requests each redirector helper can handle in
+ parallel. Defaults to 0 which indicates the redirector
+ is a old-style single threaded redirector.
DOC_END
-NAME: read_timeout
-COMMENT: time-units
-TYPE: time_t
-LOC: Config.Timeout.read
-DEFAULT: 15 minutes
+NAME: url_rewrite_host_header redirect_rewrites_host_header
+TYPE: onoff
+DEFAULT: on
+LOC: Config.onoff.redir_rewrites_host
DOC_START
- The read_timeout is applied on server-side connections. After
- each successful read(), the timeout will be extended by this
- amount. If no data is read again after this amount of time,
- the request is aborted and logged with ERR_READ_TIMEOUT. The
- default is 15 minutes.
+ By default Squid rewrites any Host: header in redirected
+ requests. If you are running an accelerator this may
+ not be a wanted effect of a redirector.
+
+ WARNING: Entries are cached on the result of the URL rewriting
+ process, so be careful if you have domain-virtual hosts.
DOC_END
-NAME: request_timeout
-TYPE: time_t
-LOC: Config.Timeout.request
-DEFAULT: 5 minutes
+NAME: url_rewrite_access redirector_access
+TYPE: acl_access
+DEFAULT: none
+LOC: Config.accessList.url_rewrite
DOC_START
- How long to wait for an HTTP request after initial
- connection establishment.
+ If defined, this access list specifies which requests are
+ sent to the redirector processes. By default all requests
+ are sent.
DOC_END
-NAME: persistent_request_timeout
-TYPE: time_t
-LOC: Config.Timeout.persistent_request
-DEFAULT: 1 minute
+NAME: redirector_bypass
+TYPE: onoff
+LOC: Config.onoff.redirector_bypass
+DEFAULT: off
DOC_START
- How long to wait for the next HTTP request on a persistent
- connection after the previous request completes.
+ When this is 'on', a request will not go through the
+ redirector if all redirectors are busy. If this is 'off'
+ and the redirector queue grows too large, Squid will exit
+ with a FATAL error and ask you to increase the number of
+ redirectors. You should only enable this if the redirectors
+ are not critical to your caching system. If you use
+ redirectors for access control, and you enable this option,
+ users may have access to pages they should not
+ be allowed to request.
DOC_END
-NAME: client_lifetime
-COMMENT: time-units
-TYPE: time_t
-LOC: Config.Timeout.lifetime
-DEFAULT: 1 day
+NAME: location_rewrite_program
+TYPE: programline
+LOC: Config.Program.location_rewrite.command
+DEFAULT: none
DOC_START
- The maximum amount of time a client (browser) is allowed to
- remain connected to the cache process. This protects the Cache
- from having a lot of sockets (and hence file descriptors) tied up
- in a CLOSE_WAIT state from remote clients that go away without
- properly shutting down (either because of a network failure or
- because of a poor client implementation). The default is one
- day, 1440 minutes.
+ Specify the location of the executable for the Location rewriter,
+ used to rewrite server generated redirects. Usually used in
+ conjunction with a url_rewrite_program
- NOTE: The default value is intended to be much larger than any
- client would ever need to be connected to your cache. You
- should probably change client_lifetime only as a last resort.
- If you seem to have many client connections tying up
- filedescriptors, we recommend first tuning the read_timeout,
- request_timeout, persistent_request_timeout and quick_abort values.
+ For each Location header received the location rewriter will receive
+ one line with the format:
+
+ location URL requested URL urlgroup
+
+ And the rewriter may return a rewritten Location URL or a blank line.
+ The other components of the request line does not need to be returned
+ (ignored if they are).
+
+ By default, a Location rewriter is not used.
DOC_END
-NAME: half_closed_clients
-TYPE: onoff
-LOC: Config.onoff.half_closed_clients
-DEFAULT: on
+NAME: location_rewrite_children
+TYPE: int
+DEFAULT: 5
+LOC: Config.Program.location_rewrite.children
DOC_START
- Some clients may shutdown the sending side of their TCP
- connections, while leaving their receiving sides open. Sometimes,
- Squid can not tell the difference between a half-closed and a
- fully-closed TCP connection. By default, half-closed client
- connections are kept open until a read(2) or write(2) on the
- socket returns an error. Change this option to 'off' and Squid
- will immediately close client connections when read(2) returns
- "no more data to read."
+ The number of location rewriting processes to spawn. If you start
+ too few Squid will have to wait for them to process a backlog of
+ URLs, slowing it down. If you start too many they will use RAM
+ and other system resources.
DOC_END
-NAME: pconn_timeout
-TYPE: time_t
-LOC: Config.Timeout.pconn
-DEFAULT: 120 seconds
+NAME: location_rewrite_concurrency
+TYPE: int
+DEFAULT: 0
+LOC: Config.Program.location_rewrite.concurrency
DOC_START
- Timeout for idle persistent connections to servers and other
- proxies.
+ The number of requests each Location rewriter helper can handle in
+ parallel. Defaults to 0 which indicates that the helper
+ is a old-style singlethreaded helper.
DOC_END
-NAME: ident_timeout
-TYPE: time_t
-IFDEF: USE_IDENT
-LOC: Config.Timeout.ident
-DEFAULT: 10 seconds
+NAME: location_rewrite_access
+TYPE: acl_access
+DEFAULT: none
+LOC: Config.accessList.location_rewrite
DOC_START
- Maximum time to wait for IDENT lookups to complete.
-
- If this is too high, and you enabled IDENT lookups from untrusted
- users, you might be susceptible to denial-of-service by having
- many ident requests going at once.
+ If defined, this access list specifies which requests are
+ sent to the location rewriting processes. By default all Location
+ headers are sent.
DOC_END
-NAME: shutdown_lifetime
-COMMENT: time-units
-TYPE: time_t
-LOC: Config.shutdownLifetime
-DEFAULT: 30 seconds
+COMMENT_START
+ OPTIONS FOR TUNING THE CACHE
+ -----------------------------------------------------------------------------
+COMMENT_END
+
+NAME: request_header_max_size
+COMMENT: (KB)
+TYPE: b_size_t
+DEFAULT: 20 KB
+LOC: Config.maxRequestHeaderSize
DOC_START
- When SIGTERM or SIGHUP is received, the cache is put into
- "shutdown pending" mode until all active sockets are closed.
- This value is the lifetime to set for all open descriptors
- during shutdown mode. Any active clients after this many
- seconds will receive a 'timeout' message.
+ This specifies the maximum size for HTTP headers in a request.
+ Request headers are usually relatively small (about 512 bytes).
+ Placing a limit on the request header size will catch certain
+ bugs (for example with persistent connections) and possibly
+ buffer-overflow or denial-of-service attacks.
+DOC_END
+
+NAME: request_body_max_size
+COMMENT: (KB)
+TYPE: b_size_t
+DEFAULT: 0 KB
+LOC: Config.maxRequestBodySize
+DOC_START
+ This specifies the maximum size for an HTTP request body.
+ In other words, the maximum size of a PUT/POST request.
+ A user who attempts to send a request with a body larger
+ than this limit receives an "Invalid Request" error message.
+ If you set this parameter to a zero (the default), there will
+ be no limit imposed.
DOC_END
-COMMENT_START
- ACCESS CONTROLS
- -----------------------------------------------------------------------------
-COMMENT_END
-
-NAME: acl
-TYPE: acl
-LOC: Config.aclList
+NAME: refresh_pattern
+TYPE: refreshpattern
+LOC: Config.Refresh
DEFAULT: none
DOC_START
- Defining an Access List
-
- acl aclname acltype string1 ...
- acl aclname acltype "file" ...
-
- when using "file", the file should contain one item per line
-
- acltype is one of the types described below
+ usage: refresh_pattern [-i] regex min percent max [options]
By default, regular expressions are CASE-SENSITIVE. To make
them case-insensitive, use the -i option.
- acl aclname src ip-address/netmask ... (clients IP address)
- acl aclname src addr1-addr2/netmask ... (range of addresses)
- acl aclname dst ip-address/netmask ... (URL host's IP address)
- acl aclname myip ip-address/netmask ... (local socket IP address)
-
- acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation)
- # The arp ACL requires the special configure option --enable-arp-acl.
- # Furthermore, the arp ACL code is not portable to all operating systems.
- # It works on Linux, Solaris, FreeBSD and some other *BSD variants.
- #
- # NOTE: Squid can only determine the MAC address for clients that are on
- # the same subnet. If the client is on a different subnet, then Squid cannot
- # find out its MAC address.
-
- acl aclname srcdomain .foo.com ... # reverse lookup, client IP
- acl aclname dstdomain .foo.com ... # Destination server from URL
- acl aclname srcdom_regex [-i] xxx ... # regex matching client name
- acl aclname dstdom_regex [-i] xxx ... # regex matching server
- # For dstdomain and dstdom_regex a reverse lookup is tried if a IP
- # based URL is used and no match is found. The name "none" is used
- # if the reverse lookup fails.
-
- acl aclname time [day-abbrevs] [h1:m1-h2:m2]
- day-abbrevs:
- S - Sunday
- M - Monday
- T - Tuesday
- W - Wednesday
- H - Thursday
- F - Friday
- A - Saturday
- h1:m1 must be less than h2:m2
- acl aclname url_regex [-i] ^http:// ... # regex matching on whole URL
- acl aclname urlpath_regex [-i] \.gif$ ... # regex matching on URL path
- acl aclname urllogin [-i] [^a-zA-Z0-9] ... # regex matching on URL login field
- acl aclname port 80 70 21 ...
- acl aclname port 0-1024 ... # ranges allowed
- acl aclname myport 3128 ... # (local socket TCP port)
- acl aclname proto HTTP FTP ...
- acl aclname method GET POST ...
- acl aclname browser [-i] regexp ...
- # pattern match on User-Agent header (see also req_header below)
- acl aclname referer_regex [-i] regexp ...
- # pattern match on Referer header
- # Referer is highly unreliable, so use with care
- acl aclname ident username ...
- acl aclname ident_regex [-i] pattern ...
- # string match on ident output.
- # use REQUIRED to accept any non-null ident.
- acl aclname src_as number ...
- acl aclname dst_as number ...
- # Except for access control, AS numbers can be used for
- # routing of requests to specific caches. Here's an
- # example for routing all requests for AS#1241 and only
- # those to mycache.mydomain.net:
- # acl asexample dst_as 1241
- # cache_peer_access mycache.mydomain.net allow asexample
- # cache_peer_access mycache_mydomain.net deny all
+ 'Min' is the time (in minutes) an object without an explicit
+ expiry time should be considered fresh. The recommended
+ value is 0, any higher values may cause dynamic applications
+ to be erroneously cached unless the application designer
+ has taken the appropriate actions.
- acl aclname proxy_auth [-i] username ...
- acl aclname proxy_auth_regex [-i] pattern ...
- # list of valid usernames
- # use REQUIRED to accept any valid username.
- #
- # NOTE: when a Proxy-Authentication header is sent but it is not
- # needed during ACL checking the username is NOT logged
- # in access.log.
- #
- # NOTE: proxy_auth requires a EXTERNAL authentication program
- # to check username/password combinations (see
- # auth_param directive).
- #
- # NOTE: proxy_auth can't be used in a transparent proxy as
- # the browser needs to be configured for using a proxy in order
- # to respond to proxy authentication.
+ 'Percent' is a percentage of the objects age (time since last
+ modification age) an object without explicit expiry time
+ will be considered fresh.
- acl aclname snmp_community string ...
- # A community string to limit access to your SNMP Agent
- # Example:
- #
- # acl snmppublic snmp_community public
+ 'Max' is an upper limit on how long objects without an explicit
+ expiry time will be considered fresh.
- acl aclname maxconn number
- # This will be matched when the client's IP address has
- # more than HTTP connections established.
+ options: override-expire
+ override-lastmod
+ reload-into-ims
+ ignore-reload
+ ignore-no-cache
+ ignore-private
+ ignore-auth
- acl aclname max_user_ip [-s] number
- # This will be matched when the user attempts to log in from more
- # than different ip addresses. The authenticate_ip_ttl
- # parameter controls the timeout on the ip entries.
- # If -s is specified the limit is strict, denying browsing
- # from any further IP addresses until the ttl has expired. Without
- # -s Squid will just annoy the user by "randomly" denying requests.
- # (the counter is reset each time the limit is reached and a
- # request is denied)
- # NOTE: in acceleration mode or where there is mesh of child proxies,
- # clients may appear to come from multiple addresses if they are
- # going through proxy farms, so a limit of 1 may cause user problems.
+ override-expire enforces min age even if the server
+ sent a Expires: header. Doing this VIOLATES the HTTP
+ standard. Enabling this feature could make you liable
+ for problems which it causes.
- acl aclname req_mime_type mime-type1 ...
- # regex match against the mime type of the request generated
- # by the client. Can be used to detect file upload or some
- # types HTTP tunneling requests.
- # NOTE: This does NOT match the reply. You cannot use this
- # to match the returned file type.
+ override-lastmod enforces min age even on objects
+ that were modified recently.
- acl aclname req_header header-name [-i] any\.regex\.here
- # regex match against any of the known request headers. May be
- # thought of as a superset of "browser", "referer" and "mime-type"
- # ACLs.
+ reload-into-ims changes client no-cache or ``reload''
+ to If-Modified-Since requests. Doing this VIOLATES the
+ HTTP standard. Enabling this feature could make you
+ liable for problems which it causes.
- acl aclname rep_mime_type mime-type1 ...
- # regex match against the mime type of the reply received by
- # squid. Can be used to detect file download or some
- # types HTTP tunneling requests.
- # NOTE: This has no effect in http_access rules. It only has
- # effect in rules that affect the reply data stream such as
- # http_reply_access.
+ ignore-reload ignores a client no-cache or ``reload''
+ header. Doing this VIOLATES the HTTP standard. Enabling
+ this feature could make you liable for problems which
+ it causes.
- acl aclname rep_header header-name [-i] any\.regex\.here
- # regex match against any of the known reply headers. May be
- # thought of as a superset of "browser", "referer" and "mime-type"
- # ACLs.
- #
- # Example:
- #
- # acl many_spaces rep_header Content-Disposition -i [[:space:]]{3,}
+ ignore-no-cache ignores any ``Pragma: no-cache'' and
+ ``Cache-control: no-cache'' headers received from a server.
+ The HTTP RFC never allows the use of this (Pragma) header
+ from a server, only a client, though plenty of servers
+ send it anyway.
- acl acl_name external class_name [arguments...]
- # external ACL lookup via a helper class defined by the
- # external_acl_type directive.
+ ignore-private ignores any ``Cache-control: private''
+ headers received from a server. Doing this VIOLATES
+ the HTTP standard. Enabling this feature could make you
+ liable for problems which it causes.
- acl urlgroup group1 ...
- # match against the urlgroup as indicated by redirectors
+ ignore-auth caches responses to requests with authorization,
+ as if the originserver had sent ``Cache-control: public''
+ in the response header. Doing this VIOLATES the HTTP standard.
+ Enabling this feature could make you liable for problems which
+ it causes.
- acl aclname user_cert attribute values...
- # match against attributes in a user SSL certificate
- # attribute is one of DN/C/O/CN/L/ST
+ Basically a cached object is:
- acl aclname ca_cert attribute values...
- # match against attributes a users issuing CA SSL certificate
- # attribute is one of DN/C/O/CN/L/ST
+ FRESH if expires < now, else STALE
+ STALE if age > max
+ FRESH if lm-factor < percent, else STALE
+ FRESH if age < min
+ else STALE
- acl aclname ext_user username ...
- acl aclname ext_user_regex [-i] pattern ...
- # string match on username returned by external acl helper
- # use REQUIRED to accept any non-null user name.
+ The refresh_pattern lines are checked in the order listed here.
+ The first entry which matches is used. If none of the entries
+ match the default will be used.
-Examples:
-acl macaddress arp 09:00:2b:23:45:67
-acl myexample dst_as 1241
-acl password proxy_auth REQUIRED
-acl fileupload req_mime_type -i ^multipart/form-data$
-acl javascript rep_mime_type -i ^application/x-javascript$
+ Note, you must uncomment all the default lines if you want
+ to change one. The default setting is only active if none is
+ used.
+Suggested default:
NOCOMMENT_START
-#Recommended minimum configuration:
-acl all src 0.0.0.0/0.0.0.0
-acl manager proto cache_object
-acl localhost src 127.0.0.1/255.255.255.255
-acl to_localhost dst 127.0.0.0/8
-acl SSL_ports port 443
-acl Safe_ports port 80 # http
-acl Safe_ports port 21 # ftp
-acl Safe_ports port 443 # https
-acl Safe_ports port 70 # gopher
-acl Safe_ports port 210 # wais
-acl Safe_ports port 1025-65535 # unregistered ports
-acl Safe_ports port 280 # http-mgmt
-acl Safe_ports port 488 # gss-http
-acl Safe_ports port 591 # filemaker
-acl Safe_ports port 777 # multiling http
-acl CONNECT method CONNECT
+refresh_pattern ^ftp: 1440 20% 10080
+refresh_pattern ^gopher: 1440 0% 1440
+refresh_pattern . 0 20% 4320
NOCOMMENT_END
DOC_END
-NAME: follow_x_forwarded_for
-TYPE: acl_access
-IFDEF: FOLLOW_X_FORWARDED_FOR
-LOC: Config.accessList.followXFF
-DEFAULT: none
-DEFAULT_IF_NONE: deny all
+NAME: quick_abort_min
+COMMENT: (KB)
+TYPE: kb_size_t
+DEFAULT: 16 KB
+LOC: Config.quickAbort.min
+DOC_NONE
+
+NAME: quick_abort_max
+COMMENT: (KB)
+TYPE: kb_size_t
+DEFAULT: 16 KB
+LOC: Config.quickAbort.max
+DOC_NONE
+
+NAME: quick_abort_pct
+COMMENT: (percent)
+TYPE: int
+DEFAULT: 95
+LOC: Config.quickAbort.pct
DOC_START
- Allowing or Denying the X-Forwarded-For header to be followed to
- find the original source of a request.
-
- Requests may pass through a chain of several other proxies
- before reaching us. The X-Forwarded-For header will contain a
- comma-separated list of the IP addresses in the chain, with the
- rightmost address being the most recent.
+ The cache by default continues downloading aborted requests
+ which are almost completed (less than 16 KB remaining). This
+ may be undesirable on slow (e.g. SLIP) links and/or very busy
+ caches. Impatient users may tie up file descriptors and
+ bandwidth by repeatedly requesting and immediately aborting
+ downloads.
- If a request reaches us from a source that is allowed by this
- configuration item, then we consult the X-Forwarded-For header
- to see where that host received the request from. If the
- X-Forwarded-For header contains multiple addresses, and if
- acl_uses_indirect_client is on, then we continue backtracking
- until we reach an address for which we are not allowed to
- follow the X-Forwarded-For header, or until we reach the first
- address in the list. (If acl_uses_indirect_client is off, then
- it's impossible to backtrack through more than one level of
- X-Forwarded-For addresses.)
+ When the user aborts a request, Squid will check the
+ quick_abort values to the amount of data transfered until
+ then.
- The end result of this process is an IP address that we will
- refer to as the indirect client address. This address may
- be treated as the client address for access control, delay
- pools and logging, depending on the acl_uses_indirect_client,
- delay_pool_uses_indirect_client and log_uses_indirect_client
- options.
+ If the transfer has less than 'quick_abort_min' KB remaining,
+ it will finish the retrieval.
- SECURITY CONSIDERATIONS:
+ If the transfer has more than 'quick_abort_max' KB remaining,
+ it will abort the retrieval.
- Any host for which we follow the X-Forwarded-For header
- can place incorrect information in the header, and Squid
- will use the incorrect information as if it were the
- source address of the request. This may enable remote
- hosts to bypass any access control restrictions that are
- based on the client's source addresses.
+ If more than 'quick_abort_pct' of the transfer has completed,
+ it will finish the retrieval.
- For example:
+ If you do not want any retrieval to continue after the client
+ has aborted, set both 'quick_abort_min' and 'quick_abort_max'
+ to '0 KB'.
- acl localhost src 127.0.0.1
- acl my_other_proxy srcdomain .proxy.example.com
- follow_x_forwarded_for allow localhost
- follow_x_forwarded_for allow my_other_proxy
+ If you want retrievals to always continue if they are being
+ cached set 'quick_abort_min' to '-1 KB'.
DOC_END
-NAME: acl_uses_indirect_client
-COMMENT: on|off
-TYPE: onoff
-IFDEF: FOLLOW_X_FORWARDED_FOR
-DEFAULT: on
-LOC: Config.onoff.acl_uses_indirect_client
+NAME: read_ahead_gap
+COMMENT: buffer-size
+TYPE: b_size_t
+LOC: Config.readAheadGap
+DEFAULT: 16 KB
DOC_START
- Controls whether the indirect client address
- (see follow_x_forwarded_for) is used instead of the
- direct client address in acl matching.
+ The amount of data the cache will buffer ahead of what has been
+ sent to the client when retrieving an object from another server.
DOC_END
-NAME: delay_pool_uses_indirect_client
-COMMENT: on|off
-TYPE: onoff
-IFDEF: FOLLOW_X_FORWARDED_FOR && DELAY_POOLS
-DEFAULT: on
-LOC: Config.onoff.delay_pool_uses_indirect_client
+NAME: negative_ttl
+COMMENT: time-units
+TYPE: time_t
+LOC: Config.negativeTtl
+DEFAULT: 5 minutes
DOC_START
- Controls whether the indirect client address
- (see follow_x_forwarded_for) is used instead of the
- direct client address in delay pools.
+ Time-to-Live (TTL) for failed requests. Certain types of
+ failures (such as "connection refused" and "404 Not Found") are
+ negatively-cached for a configurable amount of time. The
+ default is 5 minutes. Note that this is different from
+ negative caching of DNS lookups.
DOC_END
-NAME: log_uses_indirect_client
-COMMENT: on|off
-TYPE: onoff
-IFDEF: FOLLOW_X_FORWARDED_FOR
-DEFAULT: on
-LOC: Config.onoff.log_uses_indirect_client
+NAME: positive_dns_ttl
+COMMENT: time-units
+TYPE: time_t
+LOC: Config.positiveDnsTtl
+DEFAULT: 6 hours
DOC_START
- Controls whether the indirect client address
- (see follow_x_forwarded_for) is used instead of the
- direct client address in the access log.
+ Upper limit on how long Squid will cache positive DNS responses.
+ Default is 6 hours (360 minutes). This directive must be set
+ larger than negative_dns_ttl.
DOC_END
-NAME: http_access
-TYPE: acl_access
-LOC: Config.accessList.http
-DEFAULT: none
-DEFAULT_IF_NONE: deny all
+NAME: negative_dns_ttl
+COMMENT: time-units
+TYPE: time_t
+LOC: Config.negativeDnsTtl
+DEFAULT: 1 minute
DOC_START
- Allowing or Denying access based on defined access lists
+ Time-to-Live (TTL) for negative caching of failed DNS lookups.
+ This also sets the lower cache limit on positive lookups.
+ Minimum value is 1 second, and it is not recommendable to go
+ much below 10 seconds.
+DOC_END
- Access to the HTTP port:
- http_access allow|deny [!]aclname ...
+NAME: range_offset_limit
+COMMENT: (bytes)
+TYPE: b_size_t
+LOC: Config.rangeOffsetLimit
+DEFAULT: 0 KB
+DOC_START
+ Sets a upper limit on how far into the the file a Range request
+ may be to cause Squid to prefetch the whole file. If beyond this
+ limit Squid forwards the Range request as it is and the result
+ is NOT cached.
- NOTE on default values:
+ This is to stop a far ahead range request (lets say start at 17MB)
+ from making Squid fetch the whole object up to that point before
+ sending anything to the client.
- If there are no "access" lines present, the default is to deny
- the request.
+ A value of -1 causes Squid to always fetch the object from the
+ beginning so it may cache the result. (2.0 style)
- If none of the "access" lines cause a match, the default is the
- opposite of the last line in the list. If the last line was
- deny, the default is allow. Conversely, if the last line
- is allow, the default will be deny. For these reasons, it is a
- good idea to have an "deny all" or "allow all" entry at the end
- of your access lists to avoid potential confusion.
+ A value of 0 causes Squid to never fetch more than the
+ client requested. (default)
+DOC_END
-NOCOMMENT_START
-#Recommended minimum configuration:
-#
-# Only allow cachemgr access from localhost
-http_access allow manager localhost
-http_access deny manager
-# Deny requests to unknown ports
-http_access deny !Safe_ports
-# Deny CONNECT to other than SSL ports
-http_access deny CONNECT !SSL_ports
-#
-# We strongly recommend the following be uncommented to protect innocent
-# web applications running on the proxy server who think the only
-# one who can access services on "localhost" is a local user
-#http_access deny to_localhost
-#
-# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
+NAME: minimum_expiry_time
+COMMENT: (seconds)
+TYPE: time_t
+LOC: Config.minimum_expiry_time
+DEFAULT: 60 seconds
+DOC_START
+ The minimum caching time according to (Expires - Date)
+ Headers Squid honors if the object can't be revalidated
+ defaults to 60 seconds. In reverse proxy enorinments it
+ might be desirable to honor shorter object lifetimes. It
+ is most likely better to make your server return a
+ meaningful Last-Modified header however.
+DOC_END
-# Example rule allowing access from your local networks. Adapt
-# to list your (internal) IP networks from where browsing should
-# be allowed
-#acl our_networks src 192.168.1.0/24 192.168.2.0/24
-#http_access allow our_networks
+NAME: store_avg_object_size
+COMMENT: (kbytes)
+TYPE: kb_size_t
+DEFAULT: 13 KB
+LOC: Config.Store.avgObjectSize
+DOC_START
+ Average object size, used to estimate number of objects your
+ cache can hold. The default is 13 KB.
+DOC_END
-# And finally deny all other access to this proxy
-http_access deny all
-NOCOMMENT_END
+NAME: store_objects_per_bucket
+TYPE: int
+DEFAULT: 20
+LOC: Config.Store.objectsPerBucket
+DOC_START
+ Target number of objects per bucket in the store hash table.
+ Lowering this value increases the total number of buckets and
+ also the storage maintenance rate. The default is 20.
DOC_END
-NAME: http_access2
+COMMENT_START
+ HTTP OPTIONS
+ -----------------------------------------------------------------------------
+COMMENT_END
+
+NAME: broken_posts
TYPE: acl_access
-LOC: Config.accessList.http2
DEFAULT: none
+LOC: Config.accessList.brokenPosts
DOC_START
- Allowing or Denying access based on defined access lists
+ A list of ACL elements which, if matched, causes Squid to send
+ an extra CRLF pair after the body of a PUT/POST request.
- Identical to http_access, but runs after redirectors. If not set
- then only http_access is used.
+ Some HTTP servers has broken implementations of PUT/POST,
+ and rely on an extra CRLF pair sent by some WWW clients.
+
+ Quote from RFC2616 section 4.1 on this matter:
+
+ Note: certain buggy HTTP/1.0 client implementations generate an
+ extra CRLF's after a POST request. To restate what is explicitly
+ forbidden by the BNF, an HTTP/1.1 client must not preface or follow
+ a request with an extra CRLF.
+
+Example:
+ acl buggy_server url_regex ^http://....
+ broken_posts allow buggy_server
+DOC_END
+
+NAME: via
+IFDEF: HTTP_VIOLATIONS
+COMMENT: on|off
+TYPE: onoff
+DEFAULT: on
+LOC: Config.onoff.via
+DOC_START
+ If set (default), Squid will include a Via header in requests and
+ replies as required by RFC2616.
DOC_END
-NAME: http_reply_access
-TYPE: acl_access
-LOC: Config.accessList.reply
-DEFAULT: none
-DEFAULT_IF_NONE: allow all
+NAME: cache_vary
+TYPE: onoff
+DEFAULT: on
+LOC: Config.onoff.cache_vary
DOC_START
- Allow replies to client requests. This is complementary to http_access.
-
- http_reply_access allow|deny [!] aclname ...
-
- NOTE: if there are no access lines present, the default is to allow
- all replies
-
- If none of the access lines cause a match the opposite of the
- last line will apply. Thus it is good practice to end the rules
- with an "allow all" or "deny all" entry.
+ Set to off to disable caching of Vary:in objects.
DOC_END
-NAME: icp_access
+NAME: broken_vary_encoding
TYPE: acl_access
-LOC: Config.accessList.icp
DEFAULT: none
-DEFAULT_IF_NONE: deny all
+LOC: Config.accessList.vary_encoding
DOC_START
- Allowing or Denying access to the ICP port based on defined
- access lists
-
- icp_access allow|deny [!]aclname ...
-
- See http_access for details
+ Many servers have broken support for on-the-fly Content-Encoding,
+ returning the same ETag on both plain and gzip:ed variants.
+ Vary replies matching this access list will have the cache split
+ on the Accept-Encoding header of the request and not trusting the
+ ETag to be unique.
NOCOMMENT_START
-#Allow ICP queries from everyone
-icp_access allow all
+# Apache mod_gzip and mod_deflate known to be broken so don't trust
+# Apache to signal ETag correctly on such responses
+acl apache rep_header Server ^Apache
+broken_vary_encoding allow apache
NOCOMMENT_END
DOC_END
-NAME: htcp_access
-IFDEF: USE_HTCP
-TYPE: acl_access
-LOC: Config.accessList.htcp
-DEFAULT: none
-DEFAULT_IF_NONE: deny all
+NAME: collapsed_forwarding
+COMMENT: (on|off)
+TYPE: onoff
+LOC: Config.onoff.collapsed_forwarding
+DEFAULT: off
DOC_START
- Allowing or Denying access to the HTCP port based on defined
- access lists
-
- htcp_access allow|deny [!]aclname ...
-
- See http_access for details
-
-#Allow HTCP queries from everyone
-htcp_access allow all
+ This option enables multiple requests for the same URI to be
+ processed as one request. Normally disabled to avoid increased
+ latency on dynamic content, but there can be benefit from enabling
+ this in accelerator setups where the web servers are the bottleneck
+ and reliable and returns mostly cacheable information.
DOC_END
-NAME: htcp_clr_access
-IFDEF: USE_HTCP
-TYPE: acl_access
-LOC: Config.accessList.htcp_clr
-DEFAULT: none
-DEFAULT_IF_NONE: deny all
+NAME: refresh_stale_hit
+COMMENT: (time)
+TYPE: time_t
+DEFAULT: 0 seconds
+LOC: Config.refresh_stale_window
DOC_START
- Allowing or Denying access to purge content using HTCP based
- on defined access lists
-
- htcp_clr_access allow|deny [!]aclname ...
+ This option changes the refresh algorithm to allow concurrent
+ requests while an object is being refreshed to be processed as
+ cache hits if the object expired less than X seconds ago. Default
+ is 0 to disable this feature. This option is mostly interesting
+ in accelerator setups where a few objects is accessed very
+ frequently.
+DOC_END
- See http_access for details
+NAME: ie_refresh
+COMMENT: on|off
+TYPE: onoff
+LOC: Config.onoff.ie_refresh
+DEFAULT: off
+DOC_START
+ Microsoft Internet Explorer up until version 5.5 Service
+ Pack 1 has an issue with transparent proxies, wherein it
+ is impossible to force a refresh. Turning this on provides
+ a partial fix to the problem, by causing all IMS-REFRESH
+ requests from older IE versions to check the origin server
+ for fresh content. This reduces hit ratio by some amount
+ (~10% in my experience), but allows users to actually get
+ fresh content when they want it. Note because Squid
+ cannot tell if the user is using 5.5 or 5.5SP1, the behavior
+ of 5.5 is unchanged from old versions of Squid (i.e. a
+ forced refresh is impossible). Newer versions of IE will,
+ hopefully, continue to have the new behavior and will be
+ handled based on that assumption. This option defaults to
+ the old Squid behavior, which is better for hit ratios but
+ worse for clients using IE, if they need to be able to
+ force fresh content.
+DOC_END
-#Allow HTCP CLR requests from trusted peers
-acl htcp_clr_peer src 172.16.1.2
-htcp_clr_access allow htcp_clr_peer
+NAME: vary_ignore_expire
+COMMENT: on|off
+TYPE: onoff
+LOC: Config.onoff.vary_ignore_expire
+DEFAULT: off
+DOC_START
+ Many HTTP servers supporting Vary gives such objects
+ immediate expiry time with no cache-control header
+ when requested by a HTTP/1.0 client. This option
+ enables Squid to ignore such expiry times until
+ HTTP/1.1 is fully implemented.
+ WARNING: This may eventually cause some varying
+ objects not intended for caching to get cached.
DOC_END
-NAME: miss_access
-TYPE: acl_access
-LOC: Config.accessList.miss
+NAME: extension_methods
+TYPE: extension_method
+LOC: RequestMethodStr
DEFAULT: none
DOC_START
- Use to force your neighbors to use you as a sibling instead of
- a parent. For example:
-
- acl localclients src 172.16.0.0/16
- miss_access allow localclients
- miss_access deny !localclients
-
- This means only your local clients are allowed to fetch
- MISSES and all other clients can only fetch HITS.
+ Squid only knows about standardized HTTP request methods.
+ You can add up to 20 additional "extension" methods here.
+DOC_END
- By default, allow all clients who passed the http_access rules
- to fetch MISSES from us.
+NAME: request_entities
+TYPE: onoff
+LOC: Config.onoff.request_entities
+DEFAULT: off
+DOC_START
+ Squid defaults to deny GET and HEAD requests with request entities,
+ as the meaning of such requests are undefined in the HTTP standard
+ even if not explicitly forbidden.
-NOCOMMENT_START
-#Default setting:
-# miss_access allow all
-NOCOMMENT_END
+ Set this directive to on if you have clients which insists
+ on sending request entities in GET or HEAD requests. But be warned
+ that there is server software (both proxies and web servers) which
+ can fail to properly process this kind of request which may make you
+ vulnerable to cache pollution attacks if enabled.
DOC_END
-NAME: cache_peer_access
-TYPE: peer_access
+NAME: header_access
+IFDEF: HTTP_VIOLATIONS
+TYPE: http_header_access[]
+LOC: Config.header_access
DEFAULT: none
-LOC: none
DOC_START
- Similar to 'cache_peer_domain' but provides more flexibility by
- using ACL elements.
+ Usage: header_access header_name allow|deny [!]aclname ...
- cache_peer_access cache-host allow|deny [!]aclname ...
+ WARNING: Doing this VIOLATES the HTTP standard. Enabling
+ this feature could make you liable for problems which it
+ causes.
- The syntax is identical to 'http_access' and the other lists of
- ACL elements. See the comments for 'http_access' below, or
- the Squid FAQ (http://www.squid-cache.org/FAQ/FAQ-10.html).
-DOC_END
+ This option replaces the old 'anonymize_headers' and the
+ older 'http_anonymizer' option with something that is much
+ more configurable. This new method creates a list of ACLs
+ for each header, allowing you very fine-tuned header
+ mangling.
-NAME: ident_lookup_access
-TYPE: acl_access
-IFDEF: USE_IDENT
-DEFAULT: none
-DEFAULT_IF_NONE: deny all
-LOC: Config.accessList.identLookup
-DOC_START
- A list of ACL elements which, if matched, cause an ident
- (RFC931) lookup to be performed for this request. For
- example, you might choose to always perform ident lookups
- for your main multi-user Unix boxes, but not for your Macs
- and PCs. By default, ident lookups are not performed for
- any requests.
+ You can only specify known headers for the header name.
+ Other headers are reclassified as 'Other'. You can also
+ refer to all the headers with 'All'.
- To enable ident lookups for specific client addresses, you
- can follow this example:
+ For example, to achieve the same behavior as the old
+ 'http_anonymizer standard' option, you should use:
- acl ident_aware_hosts src 198.168.1.0/255.255.255.0
- ident_lookup_access allow ident_aware_hosts
- ident_lookup_access deny all
+ header_access From deny all
+ header_access Referer deny all
+ header_access Server deny all
+ header_access User-Agent deny all
+ header_access WWW-Authenticate deny all
+ header_access Link deny all
- Only src type ACL checks are fully supported. A src_domain
- ACL might work at times, but it will not always provide
- the correct result.
+ Or, to reproduce the old 'http_anonymizer paranoid' feature
+ you should use:
+
+ header_access Allow allow all
+ header_access Authorization allow all
+ header_access WWW-Authenticate allow all
+ header_access Proxy-Authorization allow all
+ header_access Proxy-Authenticate allow all
+ header_access Cache-Control allow all
+ header_access Content-Encoding allow all
+ header_access Content-Length allow all
+ header_access Content-Type allow all
+ header_access Date allow all
+ header_access Expires allow all
+ header_access Host allow all
+ header_access If-Modified-Since allow all
+ header_access Last-Modified allow all
+ header_access Location allow all
+ header_access Pragma allow all
+ header_access Accept allow all
+ header_access Accept-Charset allow all
+ header_access Accept-Encoding allow all
+ header_access Accept-Language allow all
+ header_access Content-Language allow all
+ header_access Mime-Version allow all
+ header_access Retry-After allow all
+ header_access Title allow all
+ header_access Connection allow all
+ header_access Proxy-Connection allow all
+ header_access All deny all
+
+ By default, all headers are allowed (no anonymizing is
+ performed).
DOC_END
-NAME: tcp_outgoing_tos tcp_outgoing_ds tcp_outgoing_dscp
-TYPE: acl_tos
+NAME: header_replace
+IFDEF: HTTP_VIOLATIONS
+TYPE: http_header_replace[]
+LOC: Config.header_access
DEFAULT: none
-LOC: Config.accessList.outgoing_tos
DOC_START
- Allows you to select a TOS/Diffserv value to mark outgoing
- connections with, based on the username or source address
- making the request.
+ Usage: header_replace header_name message
+ Example: header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit)
- tcp_outgoing_tos ds-field [!]aclname ...
+ This option allows you to change the contents of headers
+ denied with header_access above, by replacing them with
+ some fixed string. This replaces the old fake_user_agent
+ option.
- Example where normal_service_net uses the TOS value 0x00
- and normal_service_net uses 0x20
+ By default, headers are removed if denied.
+DOC_END
- acl normal_service_net src 10.0.0.0/255.255.255.0
- acl good_service_net src 10.0.1.0/255.255.255.0
- tcp_outgoing_tos 0x00 normal_service_net 0x00
- tcp_outgoing_tos 0x20 good_service_net
+NAME: relaxed_header_parser
+COMMENT: on|off|warn
+TYPE: tristate
+LOC: Config.onoff.relaxed_header_parser
+DEFAULT: on
+DOC_START
+ In the default "on" setting Squid accepts certain forms
+ of non-compliant HTTP messages where it is unambiguous
+ what the sending application intended even if the message
+ is not correctly formatted. The messages is then normalized
+ to the correct form when forwarded by Squid.
- TOS/DSCP values really only have local significance - so you should
- know what you're specifying. For more information, see RFC2474 and
- RFC3260.
+ If set to "warn" then a warning will be emitted in cache.log
+ each time such HTTP error is encountered.
- The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or
- "default" to use whatever default your host has. Note that in
- practice often only values 0 - 63 is usable as the two highest bits
- have been redefined for use by ECN (RFC3168).
+ If set to "off" then such HTTP errors will cause the request
+ or response to be rejected.
+DOC_END
- Processing proceeds in the order specified, and stops at first fully
- matching line.
+COMMENT_START
+ TIMEOUTS
+ -----------------------------------------------------------------------------
+COMMENT_END
- Note: The use of this directive using client dependent ACLs is
- incompatible with the use of server side persistent connections. To
- ensure correct results it is best to set server_persisten_connections
- to off when using this directive in such configurations.
+NAME: forward_timeout
+COMMENT: time-units
+TYPE: time_t
+LOC: Config.Timeout.forward
+DEFAULT: 4 minutes
+DOC_START
+ This parameter specifies how long Squid should at most attempt in
+ finding a forwarding path for the request before giving up.
DOC_END
-NAME: tcp_outgoing_address
-TYPE: acl_address
-DEFAULT: none
-LOC: Config.accessList.outgoing_address
+NAME: connect_timeout
+COMMENT: time-units
+TYPE: time_t
+LOC: Config.Timeout.connect
+DEFAULT: 1 minute
DOC_START
- Allows you to map requests to different outgoing IP addresses
- based on the username or source address of the user making
- the request.
+ This parameter specifies how long to wait for the TCP connect to
+ the requested server or peer to complete before Squid should
+ attempt to find another path where to forward the request.
+DOC_END
- tcp_outgoing_address ipaddr [[!]aclname] ...
+NAME: peer_connect_timeout
+COMMENT: time-units
+TYPE: time_t
+LOC: Config.Timeout.peer_connect
+DEFAULT: 30 seconds
+DOC_START
+ This parameter specifies how long to wait for a pending TCP
+ connection to a peer cache. The default is 30 seconds. You
+ may also set different timeout values for individual neighbors
+ with the 'connect-timeout' option on a 'cache_peer' line.
+DOC_END
- Example where requests from 10.0.0.0/24 will be forwarded
- with source address 10.1.0.1, 10.0.2.0/24 forwarded with
- source address 10.1.0.2 and the rest will be forwarded with
- source address 10.1.0.3.
+NAME: read_timeout
+COMMENT: time-units
+TYPE: time_t
+LOC: Config.Timeout.read
+DEFAULT: 15 minutes
+DOC_START
+ The read_timeout is applied on server-side connections. After
+ each successful read(), the timeout will be extended by this
+ amount. If no data is read again after this amount of time,
+ the request is aborted and logged with ERR_READ_TIMEOUT. The
+ default is 15 minutes.
+DOC_END
- acl normal_service_net src 10.0.0.0/255.255.255.0
- acl good_service_net src 10.0.1.0/255.255.255.0
- tcp_outgoing_address 10.0.0.1 normal_service_net
- tcp_outgoing_address 10.0.0.2 good_service_net
- tcp_outgoing_address 10.0.0.3
+NAME: request_timeout
+TYPE: time_t
+LOC: Config.Timeout.request
+DEFAULT: 5 minutes
+DOC_START
+ How long to wait for an HTTP request after initial
+ connection establishment.
+DOC_END
- Processing proceeds in the order specified, and stops at first fully
- matching line.
+NAME: persistent_request_timeout
+TYPE: time_t
+LOC: Config.Timeout.persistent_request
+DEFAULT: 2 minutes
+DOC_START
+ How long to wait for the next HTTP request on a persistent
+ connection after the previous request completes.
+DOC_END
- Note: The use of this directive using client dependent ACLs is
- incompatible with the use of server side persistent connections. To
- ensure correct results it is best to set server_persistent_connections
- to off when using this directive in such configurations.
+NAME: client_lifetime
+COMMENT: time-units
+TYPE: time_t
+LOC: Config.Timeout.lifetime
+DEFAULT: 1 day
+DOC_START
+ The maximum amount of time a client (browser) is allowed to
+ remain connected to the cache process. This protects the Cache
+ from having a lot of sockets (and hence file descriptors) tied up
+ in a CLOSE_WAIT state from remote clients that go away without
+ properly shutting down (either because of a network failure or
+ because of a poor client implementation). The default is one
+ day, 1440 minutes.
+
+ NOTE: The default value is intended to be much larger than any
+ client would ever need to be connected to your cache. You
+ should probably change client_lifetime only as a last resort.
+ If you seem to have many client connections tying up
+ filedescriptors, we recommend first tuning the read_timeout,
+ request_timeout, persistent_request_timeout and quick_abort values.
DOC_END
-NAME: reply_header_max_size
-COMMENT: (KB)
-TYPE: b_size_t
-DEFAULT: 20 KB
-LOC: Config.maxReplyHeaderSize
+NAME: half_closed_clients
+TYPE: onoff
+LOC: Config.onoff.half_closed_clients
+DEFAULT: on
DOC_START
- This specifies the maximum size for HTTP headers in a reply.
- Reply headers are usually relatively small (about 512 bytes).
- Placing a limit on the reply header size will catch certain
- bugs (for example with persistent connections) and possibly
- buffer-overflow or denial-of-service attacks.
+ Some clients may shutdown the sending side of their TCP
+ connections, while leaving their receiving sides open. Sometimes,
+ Squid can not tell the difference between a half-closed and a
+ fully-closed TCP connection. By default, half-closed client
+ connections are kept open until a read(2) or write(2) on the
+ socket returns an error. Change this option to 'off' and Squid
+ will immediately close client connections when read(2) returns
+ "no more data to read."
DOC_END
-NAME: reply_body_max_size
-COMMENT: bytes allow|deny acl acl...
-TYPE: body_size_t
-DEFAULT: none
-DEFAULT_IF_NONE: 0 allow all
-LOC: Config.ReplyBodySize
+NAME: pconn_timeout
+TYPE: time_t
+LOC: Config.Timeout.pconn
+DEFAULT: 1 minute
DOC_START
- This option specifies the maximum size of a reply body in bytes.
- It can be used to prevent users from downloading very large files,
- such as MP3's and movies. When the reply headers are received,
- the reply_body_max_size lines are processed, and the first line with
- a result of "allow" is used as the maximum body size for this reply.
- This size is checked twice. First when we get the reply headers,
- we check the content-length value. If the content length value exists
- and is larger than the allowed size, the request is denied and the
- user receives an error message that says "the request or reply
- is too large." If there is no content-length, and the reply
- size exceeds this limit, the client's connection is just closed
- and they will receive a partial reply.
+ Timeout for idle persistent connections to servers and other
+ proxies.
+DOC_END
- WARNING: downstream caches probably can not detect a partial reply
- if there is no content-length header, so they will cache
- partial responses and give them out as hits. You should NOT
- use this option if you have downstream caches.
+NAME: ident_timeout
+TYPE: time_t
+IFDEF: USE_IDENT
+LOC: Config.Timeout.ident
+DEFAULT: 10 seconds
+DOC_START
+ Maximum time to wait for IDENT lookups to complete.
- If you set this parameter to zero (the default), there will be
- no limit imposed.
+ If this is too high, and you enabled IDENT lookups from untrusted
+ users, you might be susceptible to denial-of-service by having
+ many ident requests going at once.
DOC_END
-NAME: log_access
-TYPE: acl_access
-LOC: Config.accessList.log
-DEFAULT: none
-COMMENT: allow|deny acl acl...
+NAME: shutdown_lifetime
+COMMENT: time-units
+TYPE: time_t
+LOC: Config.shutdownLifetime
+DEFAULT: 30 seconds
DOC_START
- This options allows you to control which requests gets logged
- to access.log (see access_log directive). Requests denied for
- logging will also not be accounted for in performance counters.
+ When SIGTERM or SIGHUP is received, the cache is put into
+ "shutdown pending" mode until all active sockets are closed.
+ This value is the lifetime to set for all open descriptors
+ during shutdown mode. Any active clients after this many
+ seconds will receive a 'timeout' message.
DOC_END
COMMENT_START
@@ -5092,22 +5114,6 @@
# Leave coredumps in the first cache dir
coredump_dir @DEFAULT_SWAP_DIR@
NOCOMMENT_END
-DOC_END
-
-NAME: redirector_bypass
-TYPE: onoff
-LOC: Config.onoff.redirector_bypass
-DEFAULT: off
-DOC_START
- When this is 'on', a request will not go through the
- redirector if all redirectors are busy. If this is 'off'
- and the redirector queue grows too large, Squid will exit
- with a FATAL error and ask you to increase the number of
- redirectors. You should only enable this if the redirectors
- are not critical to your caching system. If you use
- redirectors for access control, and you enable this option,
- users may have access to pages they should not
- be allowed to request.
DOC_END
NAME: chroot
diff -ruN squid-2.6.STABLE15/src/cf_gen.c squid-2.6.STABLE16/src/cf_gen.c
--- squid-2.6.STABLE15/src/cf_gen.c Mon May 22 12:55:23 2006
+++ squid-2.6.STABLE16/src/cf_gen.c Wed Sep 5 15:50:15 2007
@@ -1,6 +1,6 @@
/*
- * $Id: cf_gen.c,v 1.50 2006/05/22 18:55:23 serassio Exp $
+ * $Id: cf_gen.c,v 1.50.2.1 2007/09/05 21:50:15 hno Exp $
*
* DEBUG: none Generate squid.conf.default and cf_parser.h
* AUTHOR: Max Okumoto
@@ -54,6 +54,7 @@
#define MAX_LINE 1024 /* longest configuration line */
#define _PATH_PARSER "cf_parser.h"
#define _PATH_SQUID_CONF "squid.conf.default"
+#define _PATH_CF_DEPEND "cf.data.depend"
enum State {
sSTART,
@@ -88,8 +89,20 @@
struct Entry *next;
} Entry;
+typedef struct TypeDep {
+ char *name;
+
+ struct TypeDep *next;
+} TypeDep;
+
+typedef struct Type {
+ char *name;
+ TypeDep *depend;
+
+ struct Type *next;
+} Type;
-static const char WS[] = " \t";
+static const char WS[] = " \t\n";
static int gen_default(Entry *, FILE *);
static void gen_parse(Entry *, FILE *);
static void gen_dump(Entry *, FILE *);
@@ -106,6 +119,31 @@
(*L)->data = xstrdup(str);
}
+static void
+checkDepend(const char *directive, const char *name, const Type * types, const Entry * entries)
+{
+ const Type *type;
+ for (type = types; type; type = type->next) {
+ const TypeDep *dep;
+ if (strcmp(type->name, name) != 0)
+ continue;
+ for (dep = type->depend; dep; dep = dep->next) {
+ const Entry *entry;
+ for (entry = entries; entry; entry = entry->next) {
+ if (strcmp(entry->name, dep->name) == 0)
+ break;
+ }
+ if (!entry) {
+ fprintf(stderr, "ERROR: '%s' (%s) depends on '%s'\n", directive, name, dep->name);
+ exit(1);
+ }
+ }
+ return;
+ }
+ fprintf(stderr, "ERROR: Dependencies for cf.data type '%s' used in '%s' not defined\n", name, directive);
+ exit(1);
+}
+
int
main(int argc, char *argv[])
{
@@ -113,9 +151,11 @@
char *input_filename = argv[1];
const char *output_filename = _PATH_PARSER;
const char *conf_filename = _PATH_SQUID_CONF;
+ const char *type_depend = argv[2];
int linenum = 0;
Entry *entries = NULL;
Entry *curr = NULL;
+ Type *types = NULL;
enum State state;
int rc = 0;
char *ptr = NULL;
@@ -124,6 +164,33 @@
#else
const char *rmode = "r";
#endif
+ char buff[MAX_LINE];
+
+
+ /*-------------------------------------------------------------------*
+ * Parse type dependencies
+ *-------------------------------------------------------------------*/
+ if ((fp = fopen(type_depend, rmode)) == NULL) {
+ perror(input_filename);
+ exit(1);
+ }
+ while ((NULL != fgets(buff, MAX_LINE, fp))) {
+ const char *type = strtok(buff, WS);
+ const char *dep;
+ if (!type || type[0] == '#')
+ continue;
+ Type *t = (Type *) xcalloc(1, sizeof(*t));
+ t->name = xstrdup(type);
+ while ((dep = strtok(NULL, WS)) != NULL) {
+ TypeDep *d = (TypeDep *) xcalloc(1, sizeof(*dep));
+ d->name = xstrdup(dep);
+ d->next = t->depend;
+ t->depend = d;
+ }
+ t->next = types;
+ types = t;
+ }
+ fclose(fp);
/*-------------------------------------------------------------------*
* Parse input file
@@ -139,7 +206,6 @@
#endif
state = sSTART;
while (feof(fp) == 0 && state != sEXIT) {
- char buff[MAX_LINE];
char *t;
if (NULL == fgets(buff, MAX_LINE, fp))
break;
@@ -215,6 +281,7 @@
curr->array_flag = 1;
*(ptr + strlen(ptr) - 2) = '\0';
}
+ checkDepend(curr->name, ptr, types, entries);
curr->type = xstrdup(ptr);
} else if (!strncmp(buff, "IFDEF:", 6)) {
if ((ptr = strtok(buff + 6, WS)) == NULL) {
diff -ruN squid-2.6.STABLE15/src/client_side.c squid-2.6.STABLE16/src/client_side.c
--- squid-2.6.STABLE15/src/client_side.c Fri Aug 31 07:48:23 2007
+++ squid-2.6.STABLE16/src/client_side.c Mon Sep 3 07:13:36 2007
@@ -1,6 +1,6 @@
/*
- * $Id: client_side.c,v 1.693.2.18 2007/08/31 13:48:23 hno Exp $
+ * $Id: client_side.c,v 1.693.2.20 2007/09/03 13:13:36 hno Exp $
*
* DEBUG: section 33 Client-side Routines
* AUTHOR: Duane Wessels
@@ -1911,19 +1911,19 @@
* the objects age, so a Age: 0 header does not add any useful
* information to the reply in any case.
*/
- if (NULL == http->entry)
- (void) 0;
- else if (http->entry->timestamp < 0)
- (void) 0;
- if (EBIT_TEST(http->entry->flags, ENTRY_SPECIAL)) {
- httpHeaderDelById(hdr, HDR_DATE);
- httpHeaderInsertTime(hdr, 0, HDR_DATE, squid_curtime);
- } else if (http->entry->timestamp < squid_curtime)
- httpHeaderPutInt(hdr, HDR_AGE,
- squid_curtime - http->entry->timestamp);
- if (!httpHeaderHas(hdr, HDR_CONTENT_LENGTH) && http->entry->mem_obj && http->entry->store_status == STORE_OK) {
- rep->content_length = contentLen(http->entry);
- httpHeaderPutSize(hdr, HDR_CONTENT_LENGTH, rep->content_length);
+ if (http->entry) {
+ if (EBIT_TEST(http->entry->flags, ENTRY_SPECIAL)) {
+ httpHeaderDelById(hdr, HDR_DATE);
+ httpHeaderInsertTime(hdr, 0, HDR_DATE, squid_curtime);
+ } else if (http->entry->timestamp < 0) {
+ (void) 0;
+ } else if (http->entry->timestamp < squid_curtime)
+ httpHeaderPutInt(hdr, HDR_AGE,
+ squid_curtime - http->entry->timestamp);
+ if (!httpHeaderHas(hdr, HDR_CONTENT_LENGTH) && http->entry->mem_obj && http->entry->store_status == STORE_OK) {
+ rep->content_length = contentLen(http->entry);
+ httpHeaderPutSize(hdr, HDR_CONTENT_LENGTH, rep->content_length);
+ }
}
}
/* Filter unproxyable authentication types */
@@ -4172,7 +4172,6 @@
assert(conn->body.size_left > 0);
assert(conn->in.offset > 0);
assert(callback != NULL);
- assert(buf != NULL || !conn->body.request);
/* How much do we have to process? */
size = conn->in.offset;
if (size > conn->body.size_left) /* only process the body part */
@@ -4210,10 +4209,8 @@
/* Invoke callback function */
if (valid)
callback(buf, size, cbdata);
- if (request != NULL) {
+ if (request != NULL)
requestUnlink(request); /* Linked in clientReadBody */
- conn->body.request = NULL;
- }
debug(33, 2) ("clientProcessBody: end fd=%d size=%d body_size=%lu in.offset=%ld cb=%p req=%p\n", conn->fd, size, (unsigned long int) conn->body.size_left, (long int) conn->in.offset, callback, request);
}
}
diff -ruN squid-2.6.STABLE15/src/forward.c squid-2.6.STABLE16/src/forward.c
--- squid-2.6.STABLE15/src/forward.c Tue Apr 17 03:35:17 2007
+++ squid-2.6.STABLE16/src/forward.c Wed Sep 5 15:28:34 2007
@@ -1,6 +1,6 @@
/*
- * $Id: forward.c,v 1.120.2.3 2007/04/17 09:35:17 hno Exp $
+ * $Id: forward.c,v 1.120.2.4 2007/09/05 21:28:34 hno Exp $
*
* DEBUG: section 17 Request Forwarding
* AUTHOR: Duane Wessels
@@ -793,6 +793,7 @@
fwdState->server_fd = -1;
fwdState->request = requestLink(r);
fwdState->start = squid_curtime;
+ fwdState->orig_entry_flags = e->flags;
storeLockObject(e);
if (!fwdState->request->flags.pinned)
EBIT_SET(e->flags, ENTRY_FWD_HDR_WAIT);
@@ -867,6 +868,7 @@
fwdState->server_fd = -1;
fwdState->request = requestLink(r);
fwdState->start = squid_curtime;
+ fwdState->orig_entry_flags = e->flags;
#if LINUX_TPROXY
/* If we need to transparently proxy the request
@@ -1015,6 +1017,24 @@
if (fwdState->server_fd > -1)
fwdUnregister(fwdState->server_fd, fwdState);
storeEntryReset(e);
+ /* HACK WARNING: This fiddling with the flags really
+ * should be done in the store layer, but current
+ * design does not allow it to be done proper in a
+ * sane manner.
+ * A sign that we have pushed the design of everything
+ * going via a single StoreEntry per request a bit too far.
+ */
+ if (EBIT_TEST(e->flags, ENTRY_NEGCACHED)) {
+ storeSetPrivateKey(e);
+ EBIT_CLR(e->flags, ENTRY_NEGCACHED);
+ EBIT_CLR(e->flags, KEY_EARLY_PUBLIC);
+ }
+ if (EBIT_TEST(e->flags, RELEASE_REQUEST)) {
+ EBIT_CLR(e->flags, RELEASE_REQUEST);
+ EBIT_CLR(e->flags, KEY_EARLY_PUBLIC);
+ }
+ if (EBIT_TEST(fwdState->orig_entry_flags, ENTRY_CACHABLE))
+ EBIT_SET(e->flags, ENTRY_CACHABLE);
fwdStartComplete(fwdState->servers, fwdState);
} else {
debug(17, 3) ("fwdComplete: not re-forwarding status %d\n",
diff -ruN squid-2.6.STABLE15/src/peer_monitor.c squid-2.6.STABLE16/src/peer_monitor.c
--- squid-2.6.STABLE15/src/peer_monitor.c Tue Jan 9 03:24:41 2007
+++ squid-2.6.STABLE16/src/peer_monitor.c Wed Sep 5 15:27:59 2007
@@ -1,6 +1,6 @@
/*
- * $Id: peer_monitor.c,v 1.3 2007/01/09 10:24:41 hno Exp $
+ * $Id: peer_monitor.c,v 1.3.2.1 2007/09/05 21:27:59 hno Exp $
*
* DEBUG: section ?? Peer monitoring
* AUTHOR: Henrik Nordstrom
@@ -50,6 +50,7 @@
int hdr_size;
int offset;
char *buf;
+ int timeout_set;
} running;
char name[40];
};
@@ -123,6 +124,18 @@
}
static void
+peerMonitorTimeout(void *data)
+{
+ PeerMonitor *pm = data;
+ store_client *sc = pm->running.sc;
+ pm->running.status = HTTP_REQUEST_TIMEOUT;
+ pm->running.sc = NULL;
+ pm->running.timeout_set = 0;
+ /* This will invoke peerMonitorFetchReplyHeaders which finishes things up */
+ storeClientUnregister(sc, pm->running.e, pm);
+}
+
+static void
peerMonitorRequest(void *data)
{
PeerMonitor *pm = data;
@@ -145,6 +158,8 @@
return;
}
pm->last_probe = squid_curtime;
+ pm->running.timeout_set = 1;
+ eventAdd(pm->name, peerMonitorTimeout, pm, (double) (pm->peer->monitor.timeout ? pm->peer->monitor.timeout : pm->peer->monitor.interval), 0);
httpHeaderPutStr(&req->header, HDR_ACCEPT, "*/*");
httpHeaderPutStr(&req->header, HDR_USER_AGENT, full_appname_string);
@@ -168,6 +183,10 @@
storeUnlockObject(pm->running.e);
requestUnlink(pm->running.req);
memFree(pm->running.buf, MEM_4K_BUF);
+ if (pm->running.timeout_set) {
+ eventDelete(peerMonitorTimeout, pm);
+ pm->running.timeout_set = 0;
+ }
if (!cbdataValid(pm->peer)) {
cbdataFree(pm);
return;
diff -ruN squid-2.6.STABLE15/src/store_rebuild.c squid-2.6.STABLE16/src/store_rebuild.c
--- squid-2.6.STABLE15/src/store_rebuild.c Tue Jul 4 15:45:24 2006
+++ squid-2.6.STABLE16/src/store_rebuild.c Sat Sep 1 17:21:06 2007
@@ -1,6 +1,6 @@
/*
- * $Id: store_rebuild.c,v 1.79 2006/07/04 21:45:24 hno Exp $
+ * $Id: store_rebuild.c,v 1.79.2.1 2007/09/01 23:21:06 hno Exp $
*
* DEBUG: section 20 Store Rebuild Routines
* AUTHOR: Duane Wessels
@@ -102,6 +102,9 @@
* otherwise, set it in the validation procedure
*/
storeDirUpdateSwapSize(&Config.cacheSwap.swapDirs[e->swap_dirn], e->swap_file_sz, 1);
+ /* Get rid of private objects. Not useful */
+ if (EBIT_TEST(e->flags, KEY_PRIVATE))
+ storeRelease(e);
if ((++validnum & 0x3FFFF) == 0)
debug(20, 1) (" %7d Entries Validated so far.\n", validnum);
}
diff -ruN squid-2.6.STABLE15/src/structs.h squid-2.6.STABLE16/src/structs.h
--- squid-2.6.STABLE15/src/structs.h Sun Jul 15 03:52:18 2007
+++ squid-2.6.STABLE16/src/structs.h Wed Sep 5 15:28:34 2007
@@ -1,6 +1,6 @@
/*
- * $Id: structs.h,v 1.507.2.7 2007/07/15 09:52:18 hno Exp $
+ * $Id: structs.h,v 1.507.2.8 2007/09/05 21:28:34 hno Exp $
*
*
* SQUID Web Proxy Cache http://www.squid-cache.org/
@@ -2252,6 +2252,7 @@
#if LINUX_NETFILTER
struct sockaddr_in src;
#endif
+ u_short orig_entry_flags; /* Hack to be able to reset the entry proper */
};
#if USE_HTCP
diff -ruN squid-2.6.STABLE15/src/tools.c squid-2.6.STABLE16/src/tools.c
--- squid-2.6.STABLE15/src/tools.c Fri Aug 31 07:44:00 2007
+++ squid-2.6.STABLE16/src/tools.c Sat Sep 1 14:09:50 2007
@@ -1,6 +1,6 @@
/*
- * $Id: tools.c,v 1.250.2.2 2007/08/31 13:44:00 hno Exp $
+ * $Id: tools.c,v 1.250.2.3 2007/09/01 20:09:50 hno Exp $
*
* DEBUG: section 21 Misc Functions
* AUTHOR: Harvest Derived
@@ -41,6 +41,7 @@
#include "squid.h"
#ifdef _SQUID_LINUX_
+#if HAVE_SYS_CAPABILITY_H
#undef _POSIX_SOURCE
/* Ugly glue to get around linux header madness colliding with glibc */
#define _LINUX_TYPES_H
@@ -48,6 +49,7 @@
typedef uint32_t __u32;
#include
#endif
+#endif
#if HAVE_SYS_PRCTL_H
#include
@@ -1319,7 +1321,7 @@
void
keepCapabilities(void)
{
-#if HAVE_PRCTL && defined(PR_SET_KEEPCAPS)
+#if HAVE_PRCTL && defined(PR_SET_KEEPCAPS) && HAVE_SYS_CAPABILITY_H
if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0)) {
/* Silent failure unless TPROXY is required. Maybe not started as root */
#if LINUX_TPROXY
@@ -1334,7 +1336,7 @@
static void
restoreCapabilities(int keep)
{
-#ifdef _SQUID_LINUX_
+#if defined(_SQUID_LINUX_) && HAVE_SYS_CAPABILITY_H
cap_user_header_t head = (cap_user_header_t) xcalloc(1, sizeof(cap_user_header_t));
cap_user_data_t cap = (cap_user_data_t) xcalloc(1, sizeof(cap_user_data_t));
@@ -1368,5 +1370,11 @@
nocap:
xfree(head);
xfree(cap);
+#else
+#if LINUX_TPROXY
+ if (need_linux_tproxy)
+ debug(50, 1) ("Missing needed capability support. Will continue without tproxy support\n");
+ need_linux_tproxy = 0;
+#endif
#endif
}