From b89d3342a25500fcc57d8b6f3c80539983125c17 Mon Sep 17 00:00:00 2001 From: Mattia Rizzolo Date: Fri, 11 Aug 2017 17:43:08 +0200 Subject: hosts/(pb*|cs*)/squid.conf: update to the version from squid 2.5.34 note that they are slightly differnt than the file in pb7 --- profitbricks-build7-amd64/etc/squid/squid.conf 2017-08-11 16:55:24.241686336 +0200 +++ profitbricks-build2-i386/etc/squid/squid.conf 2017-08-11 17:27:46.597522357 +0200 @@ -3444,7 +3444,7 @@ # Uncomment and adjust the following to add a disk cache directory. #cache_dir ufs /var/spool/squid 100 16 256 -cache_dir ufs /var/spool/squid 16384 16 1024 +cache_dir ufs /var/spool/squid 4096 16 1024 # TAG: store_dir_select_algorithm # How Squid selects which cache_dir to use when the response Signed-off-by: Mattia Rizzolo --- hosts/codethink-sled10-arm64/etc/squid/squid.conf | 4693 +++++++++++++------ hosts/codethink-sled11-arm64/etc/squid/squid.conf | 4693 +++++++++++++------ hosts/codethink-sled12-arm64/etc/squid/squid.conf | 4693 +++++++++++++------ hosts/codethink-sled13-arm64/etc/squid/squid.conf | 4693 +++++++++++++------ hosts/codethink-sled14-arm64/etc/squid/squid.conf | 4693 +++++++++++++------ hosts/codethink-sled15-arm64/etc/squid/squid.conf | 4693 +++++++++++++------ hosts/codethink-sled16-arm64/etc/squid/squid.conf | 4693 +++++++++++++------ hosts/codethink-sled9-arm64/etc/squid/squid.conf | 4693 +++++++++++++------ .../profitbricks-build1-amd64/etc/squid/squid.conf | 4693 +++++++++++++------ .../etc/squid/squid.conf | 4693 +++++++++++++------ .../etc/squid/squid.conf | 4693 +++++++++++++------ .../profitbricks-build12-i386/etc/squid/squid.conf | 4693 +++++++++++++------ .../etc/squid/squid.conf | 4693 +++++++++++++------ .../profitbricks-build16-i386/etc/squid/squid.conf | 4693 +++++++++++++------ .../profitbricks-build2-i386/etc/squid/squid.conf | 4693 +++++++++++++------ .../profitbricks-build3-amd64/etc/squid/squid.conf | 4693 +++++++++++++------ .../profitbricks-build4-amd64/etc/squid/squid.conf | 4693 +++++++++++++------ .../profitbricks-build5-amd64/etc/squid/squid.conf | 4693 +++++++++++++------ .../profitbricks-build6-i386/etc/squid/squid.conf | 4693 +++++++++++++------ .../profitbricks-build9-amd64/etc/squid/squid.conf | 4697 ++++++++++++++------ 20 files changed, 68722 insertions(+), 25142 deletions(-) (limited to 'hosts') diff --git a/hosts/codethink-sled10-arm64/etc/squid/squid.conf b/hosts/codethink-sled10-arm64/etc/squid/squid.conf index 34be0ec5..ad1cdc47 100644 --- a/hosts/codethink-sled10-arm64/etc/squid/squid.conf +++ b/hosts/codethink-sled10-arm64/etc/squid/squid.conf @@ -1,4 +1,4 @@ -# WELCOME TO SQUID 3.1.20 +# WELCOME TO SQUID 3.5.23 # ---------------------------- # # This is the documentation for the Squid configuration file. @@ -32,6 +32,188 @@ # This arbitrary restriction is to prevent recursive include references # from causing Squid entering an infinite loop whilst trying to load # configuration files. +# +# Values with byte units +# +# Squid accepts size units on some size related directives. All +# such directives are documented with a default value displaying +# a unit. +# +# Units accepted by Squid are: +# bytes - byte +# KB - Kilobyte (1024 bytes) +# MB - Megabyte +# GB - Gigabyte +# +# Values with spaces, quotes, and other special characters +# +# Squid supports directive parameters with spaces, quotes, and other +# special characters. Surround such parameters with "double quotes". Use +# the configuration_includes_quoted_values directive to enable or +# disable that support. +# +# Squid supports reading configuration option parameters from external +# files using the syntax: +# parameters("/path/filename") +# For example: +# acl whitelist dstdomain parameters("/etc/squid/whitelist.txt") +# +# Conditional configuration +# +# If-statements can be used to make configuration directives +# depend on conditions: +# +# if +# ... regular configuration directives ... +# [else +# ... regular configuration directives ...] +# endif +# +# The else part is optional. The keywords "if", "else", and "endif" +# must be typed on their own lines, as if they were regular +# configuration directives. +# +# NOTE: An else-if condition is not supported. +# +# These individual conditions types are supported: +# +# true +# Always evaluates to true. +# false +# Always evaluates to false. +# = +# Equality comparison of two integer numbers. +# +# +# SMP-Related Macros +# +# The following SMP-related preprocessor macros can be used. +# +# ${process_name} expands to the current Squid process "name" +# (e.g., squid1, squid2, or cache1). +# +# ${process_number} expands to the current Squid process +# identifier, which is an integer number (e.g., 1, 2, 3) unique +# across all Squid processes of the current service instance. +# +# ${service_name} expands into the current Squid service instance +# name identifier which is provided by -n on the command line. +# + +# TAG: broken_vary_encoding +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: cache_vary +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: error_map +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: external_refresh_check +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: location_rewrite_program +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: refresh_stale_hit +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: hierarchy_stoplist +# Remove this line. Use always_direct or cache_peer_access ACLs instead if you need to prevent cache_peer use. +#Default: +# none + +# TAG: log_access +# Remove this line. Use acls with access_log directives to control access logging +#Default: +# none + +# TAG: log_icap +# Remove this line. Use acls with icap_log directives to control icap logging +#Default: +# none + +# TAG: ignore_ims_on_miss +# Remove this line. The HTTP/1.1 feature is now configured by 'cache_miss_revalidate'. +#Default: +# none + +# TAG: chunked_request_body_max_size +# Remove this line. Squid is now HTTP/1.1 compliant. +#Default: +# none + +# TAG: dns_v4_fallback +# Remove this line. Squid performs a 'Happy Eyeballs' algorithm, the 'fallback' algorithm is no longer relevant. +#Default: +# none + +# TAG: emulate_httpd_log +# Replace this with an access_log directive using the format 'common' or 'combined'. +#Default: +# none + +# TAG: forward_log +# Use a regular access.log with ACL limiting it to MISS events. +#Default: +# none + +# TAG: ftp_list_width +# Remove this line. Configure FTP page display using the CSS controls in errorpages.css instead. +#Default: +# none + +# TAG: ignore_expect_100 +# Remove this line. The HTTP/1.1 feature is now fully supported by default. +#Default: +# none + +# TAG: log_fqdn +# Remove this option from your config. To log FQDN use %>A in the log format. +#Default: +# none + +# TAG: log_ip_on_direct +# Remove this option from your config. To log server or peer names use % -##auth_param negotiate children 5 +##auth_param negotiate children 20 startup=0 idle=1 ##auth_param negotiate keep_alive on ## -##auth_param ntlm program -##auth_param ntlm children 5 -##auth_param ntlm keep_alive on -## -##auth_param digest program -##auth_param digest children 5 +##auth_param digest program +##auth_param digest children 20 startup=0 idle=1 ##auth_param digest realm Squid proxy-caching web server ##auth_param digest nonce_garbage_interval 5 minutes ##auth_param digest nonce_max_duration 30 minutes ##auth_param digest nonce_max_count 50 ## +##auth_param ntlm program +##auth_param ntlm children 20 startup=0 idle=1 +##auth_param ntlm keep_alive on +## ##auth_param basic program -##auth_param basic children 5 +##auth_param basic children 5 startup=5 idle=1 ##auth_param basic realm Squid proxy-caching web server ##auth_param basic credentialsttl 2 hours #Default: @@ -343,7 +448,7 @@ # TAG: authenticate_cache_garbage_interval # The time period between garbage collection across the username cache. -# This is a tradeoff between memory utilization (long intervals - say +# This is a trade-off between memory utilization (long intervals - say # 2 days) and CPU (short intervals - say 1 minute). Only change if you # have good reason to. #Default: @@ -362,11 +467,11 @@ # this directive controls how long Squid remembers the IP # addresses associated with each user. Use a small value # (e.g., 60 seconds) if your users might change addresses -# quickly, as is the case with dialups. You might be safe +# quickly, as is the case with dialup. You might be safe # using a larger value (e.g., 2 hours) in a corporate LAN # environment with relatively static address assignments. #Default: -# authenticate_ip_ttl 0 seconds +# authenticate_ip_ttl 1 second # ACCESS CONTROLS # ----------------------------------------------------------------------------- @@ -381,31 +486,66 @@ # # ttl=n TTL in seconds for cached results (defaults to 3600 # for 1 hour) +# # negative_ttl=n # TTL for cached negative lookups (default same # as ttl) -# children=n Number of acl helper processes spawn to service +# +# grace=n Percentage remaining of TTL where a refresh of a +# cached entry should be initiated without needing to +# wait for a new reply. (default is for no grace period) +# +# cache=n The maximum number of entries in the result cache. The +# default limit is 262144 entries. Each cache entry usually +# consumes at least 256 bytes. Squid currently does not remove +# expired cache entries until the limit is reached, so a proxy +# will sooner or later reach the limit. The expanded FORMAT +# value is used as the cache key, so if the details in FORMAT +# are highly variable, a larger cache may be needed to produce +# reduction in helper load. +# +# children-max=n +# Maximum number of acl helper processes spawned to service # external acl lookups of this type. (default 5) +# +# children-startup=n +# Minimum number of acl helper processes to spawn during +# startup and reconfigure to service external acl lookups +# of this type. (default 0) +# +# children-idle=n +# Number of acl helper processes to keep ahead of traffic +# loads. Squid will spawn this many at once whenever load +# rises above the capabilities of existing processes. +# Up to the value of children-max. (default 1) +# # concurrency=n concurrency level per process. Only used with helpers # capable of processing more than one query at a time. -# cache=n result cache size, 0 is unbounded (default) -# grace=n Percentage remaining of TTL where a refresh of a -# cached entry should be initiated without needing to -# wait for a new reply. (default 0 for no grace period) -# protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers +# +# protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers. +# # ipv4 / ipv6 IP protocol used to communicate with this helper. # The default is to auto-detect IPv6 and use it when available. # +# # FORMAT specifications # # %LOGIN Authenticated user login name -# %EXT_USER Username from external acl +# %un A user name. Expands to the first available name +# from the following list of information sources: +# - authenticated user name, like %ul or %LOGIN +# - user name sent by an external ACL, like %EXT_USER +# - SSL client name, like %us in logformat +# - ident user name, like %ui in logformat +# %EXT_USER Username from previous external acl +# %EXT_LOG Log details from previous external acl +# %EXT_TAG Tag from previous external acl # %IDENT Ident user name # %SRC Client IP # %SRCPORT Client source port # %URI Requested URI # %DST Requested host -# %PROTO Requested protocol +# %PROTO Requested URL scheme # %PORT Requested port # %PATH Requested URL path # %METHOD Request method @@ -415,7 +555,10 @@ # %USER_CERT SSL User certificate in PEM format # %USER_CERTCHAIN SSL User certificate chain in PEM format # %USER_CERT_xx SSL User certificate subject attribute xx -# %USER_CA_xx SSL User certificate issuer attribute xx +# %USER_CA_CERT_xx SSL User certificate issuer attribute xx +# %ssl::>sni SSL client SNI sent to Squid +# %ssl::{Header} HTTP request header "Header" # %>{Hdr:member} @@ -433,43 +576,101 @@ # list separator. ; can be any non-alphanumeric # character. # +# %ACL The name of the ACL being tested. +# %DATA The ACL arguments. If not used then any arguments +# is automatically added at the end of the line +# sent to the helper. +# NOTE: this will encode the arguments as one token, +# whereas the default will pass each separately. +# # %% The percent sign. Useful for helpers which need # an unchanging input format. # -# In addition to the above, any string specified in the referencing -# acl will also be included in the helper request line, after the -# specified formats (see the "acl external" directive) # -# The helper receives lines per the above format specification, -# and returns lines starting with OK or ERR indicating the validity -# of the request and optionally followed by additional keywords with -# more details. +# General request syntax: +# +# [channel-ID] FORMAT-values [acl-values ...] +# +# +# FORMAT-values consists of transaction details expanded with +# whitespace separation per the config file FORMAT specification +# using the FORMAT macros listed above. +# +# acl-values consists of any string specified in the referencing +# config 'acl ... external' line. see the "acl external" directive. +# +# Request values sent to the helper are URL escaped to protect +# each value in requests against whitespaces. +# +# If using protocol=2.5 then the request sent to the helper is not +# URL escaped to protect against whitespace. +# +# NOTE: protocol=3.0 is deprecated as no longer necessary. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# +# The helper receives lines expanded per the above format specification +# and for each input line returns 1 line starting with OK/ERR/BH result +# code and optionally followed by additional keywords with more details. +# # # General result syntax: # -# OK/ERR keyword=value ... +# [channel-ID] result keyword=value ... +# +# Result consists of one of the codes: +# +# OK +# the ACL test produced a match. +# +# ERR +# the ACL test does not produce a match. +# +# BH +# An internal error occurred in the helper, preventing +# a result being identified. +# +# The meaning of 'a match' is determined by your squid.conf +# access control configuration. See the Squid wiki for details. # # Defined keywords: # # user= The users name (login) +# # password= The users password (for login= cache_peer option) -# message= Message describing the reason. Available as %o -# in error pages -# tag= Apply a tag to a request (for both ERR and OK results) -# Only sets a tag, does not alter existing tags. +# +# message= Message describing the reason for this response. +# Available as %o in error pages. +# Useful on (ERR and BH results). +# +# tag= Apply a tag to a request. Only sets a tag once, +# does not alter existing tags. +# # log= String to be logged in access.log. Available as -# %ea in logformat specifications +# %ea in logformat specifications. # -# If protocol=3.0 (the default) then URL escaping is used to protect -# each value in both requests and responses. +# clt_conn_tag= Associates a TAG with the client TCP connection. +# Please see url_rewrite_program related documentation +# for this kv-pair. # -# If using protocol=2.5 then all values need to be enclosed in quotes -# if they may contain whitespace, or the whitespace escaped using \. -# And quotes or \ characters within the keyword value must be \ escaped. +# Any keywords may be sent on any response whether OK, ERR or BH. # -# When using the concurrency= option the protocol is changed by -# introducing a query channel tag infront of the request/response. -# The query channel tag is a number between 0 and concurrency-1. +# All response keyword values need to be a single token with URL +# escaping, or enclosed in double quotes (") and escaped using \ on +# any double quotes or \ characters within the value. The wrapping +# double quotes are removed before the value is interpreted by Squid. +# \r and \n are also replace by CR and LF. +# +# Some example key values: +# +# user=John%20Smith +# user="John Smith" +# user="J. \"Bob\" Smith" #Default: # none @@ -485,9 +686,23 @@ # # When using "file", the file should contain one item per line. # -# By default, regular expressions are CASE-SENSITIVE. -# To make them case-insensitive, use the -i option. To return case-sensitive -# use the +i option between patterns, or make a new ACL line without -i. +# Some acl types supports options which changes their default behaviour. +# The available options are: +# +# -i,+i By default, regular expressions are CASE-SENSITIVE. To make them +# case-insensitive, use the -i option. To return case-sensitive +# use the +i option between patterns, or make a new ACL line +# without -i. +# +# -n Disable lookups and address type conversions. If lookup or +# conversion is required because the parameter type (IP or +# domain name) does not match the message address type (domain +# name or IP), then the ACL would immediately declare a mismatch +# without any warnings or lookups. +# +# -- Used to stop processing all options, in the case the first acl +# value has '-' character as first character (for example the '-' +# is a valid domain name) # # Some acl types require suspending the current request in order # to access some external data source. @@ -498,29 +713,31 @@ # # ***** ACL TYPES AVAILABLE ***** # -# acl aclname src ip-address/netmask ... # clients IP address [fast] -# acl aclname src addr1-addr2/netmask ... # range of addresses [fast] -# acl aclname dst ip-address/netmask ... # URL host's IP address [slow] -# acl aclname myip ip-address/netmask ... # local socket IP address [fast] +# acl aclname src ip-address/mask ... # clients IP address [fast] +# acl aclname src addr1-addr2/mask ... # range of addresses [fast] +# acl aclname dst [-n] ip-address/mask ... # URL host's IP address [slow] +# acl aclname localip ip-address/mask ... # IP address the client connected to [fast] # # acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation) -# # The arp ACL requires the special configure option --enable-arp-acl. -# # Furthermore, the ARP ACL code is not portable to all operating systems. -# # It works on Linux, Solaris, Windows, FreeBSD, and some -# # other *BSD variants. # # [fast] +# # The 'arp' ACL code is not portable to all operating systems. +# # It works on Linux, Solaris, Windows, FreeBSD, and some other +# # BSD variants. +# # +# # NOTE: Squid can only determine the MAC/EUI address for IPv4 +# # clients that are on the same subnet. If the client is on a +# # different subnet, then Squid cannot find out its address. # # -# # NOTE: Squid can only determine the MAC address for clients that are on -# # the same subnet. If the client is on a different subnet, -# # then Squid cannot find out its MAC address. +# # NOTE 2: IPv6 protocol does not contain ARP. MAC/EUI is either +# # encoded directly in the IPv6 address or not available. # # acl aclname srcdomain .foo.com ... # # reverse lookup, from client IP [slow] -# acl aclname dstdomain .foo.com ... +# acl aclname dstdomain [-n] .foo.com ... # # Destination server from URL [fast] # acl aclname srcdom_regex [-i] \.foo\.com ... # # regex matching client name [slow] -# acl aclname dstdom_regex [-i] \.foo\.com ... +# acl aclname dstdom_regex [-n] [-i] \.foo\.com ... # # regex matching server [fast] # # # # For dstdomain and dstdom_regex a reverse lookup is tried if a IP @@ -557,13 +774,17 @@ # # acl aclname url_regex [-i] ^http:// ... # # regex matching on whole URL [fast] +# acl aclname urllogin [-i] [^a-zA-Z0-9] ... +# # regex matching on URL login field # acl aclname urlpath_regex [-i] \.gif$ ... # # regex matching on URL path [fast] # # acl aclname port 80 70 21 0-1024... # destination TCP port [fast] # # ranges are alloed -# acl aclname myport 3128 ... # local socket TCP port [fast] -# acl aclname myportname 3128 ... # http(s)_port name [fast] +# acl aclname localport 3128 ... # TCP port the client connected to [fast] +# # NP: for interception mode this is usually '80' +# +# acl aclname myportname 3128 ... # *_port name [fast] # # acl aclname proto HTTP FTP ... # request protocol [fast] # @@ -632,6 +853,11 @@ # # clients may appear to come from multiple addresses if they are # # going through proxy farms, so a limit of 1 may cause user problems. # +# acl aclname random probability +# # Pseudo-randomly match requests. Based on the probability given. +# # Probability may be written as a decimal (0.333), fraction (1/3) +# # or ratio of matches:non-matches (3:5). +# # acl aclname req_mime_type [-i] mime-type ... # # regex match against the mime type of the request generated # # by the client. Can be used to detect file upload or some @@ -663,11 +889,11 @@ # # acl aclname user_cert attribute values... # # match against attributes in a user SSL certificate -# # attribute is one of DN/C/O/CN/L/ST [fast] +# # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast] # # acl aclname ca_cert attribute values... # # match against attributes a users issuing CA SSL certificate -# # attribute is one of DN/C/O/CN/L/ST [fast] +# # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast] # # acl aclname ext_user username ... # acl aclname ext_user_regex [-i] pattern ... @@ -675,7 +901,59 @@ # # use REQUIRED to accept any non-null user name. # # acl aclname tag tagvalue ... -# # string match on tag returned by external acl helper [slow] +# # string match on tag returned by external acl helper [fast] +# # DEPRECATED. Only the first tag will match with this ACL. +# # Use the 'note' ACL instead for handling multiple tag values. +# +# acl aclname hier_code codename ... +# # string match against squid hierarchy code(s); [fast] +# # e.g., DIRECT, PARENT_HIT, NONE, etc. +# # +# # NOTE: This has no effect in http_access rules. It only has +# # effect in rules that affect the reply data stream such as +# # http_reply_access. +# +# acl aclname note name [value ...] +# # match transaction annotation [fast] +# # Without values, matches any annotation with a given name. +# # With value(s), matches any annotation with a given name that +# # also has one of the given values. +# # Names and values are compared using a string equality test. +# # Annotation sources include note and adaptation_meta directives +# # as well as helper and eCAP responses. +# +# acl aclname adaptation_service service ... +# # Matches the name of any icap_service, ecap_service, +# # adaptation_service_set, or adaptation_service_chain that Squid +# # has used (or attempted to use) for the master transaction. +# # This ACL must be defined after the corresponding adaptation +# # service is named in squid.conf. This ACL is usable with +# # adaptation_meta because it starts matching immediately after +# # the service has been selected for adaptation. +# +# acl aclname any-of acl1 acl2 ... +# # match any one of the acls [fast or slow] +# # The first matching ACL stops further ACL evaluation. +# # +# # ACLs from multiple any-of lines with the same name are ORed. +# # For example, A = (a1 or a2) or (a3 or a4) can be written as +# # acl A any-of a1 a2 +# # acl A any-of a3 a4 +# # +# # This group ACL is fast if all evaluated ACLs in the group are fast +# # and slow otherwise. +# +# acl aclname all-of acl1 acl2 ... +# # match all of the acls [fast or slow] +# # The first mismatching ACL stops further ACL evaluation. +# # +# # ACLs from multiple all-of lines with the same name are ORed. +# # For example, B = (b1 and b2) or (b3 and b4) can be written as +# # acl B all-of b1 b2 +# # acl B all-of b3 b4 +# # +# # This group ACL is fast if all evaluated ACLs in the group are fast +# # and slow otherwise. # # Examples: # acl macaddress arp 09:00:2b:23:45:67 @@ -685,14 +963,11 @@ # acl javascript rep_mime_type -i ^application/x-javascript$ # #Default: -# acl all src all +# ACLs all, manager, localhost, and to_localhost are predefined. # # # Recommended minimum configuration: -# (now built-in) -#acl manager proto cache_object -#acl localhost src 127.0.0.1/32 ::1 -#acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1 +# # Example rule allowing access from your local networks. # Adapt to list your (internal) IP networks from where browsing @@ -716,39 +991,83 @@ acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT +# TAG: proxy_protocol_access +# Determine which client proxies can be trusted to provide correct +# information regarding real client IP address using PROXY protocol. +# +# Requests may pass through a chain of several other proxies +# before reaching us. The original source details may by sent in: +# * HTTP message Forwarded header, or +# * HTTP message X-Forwarded-For header, or +# * PROXY protocol connection header. +# +# This directive is solely for validating new PROXY protocol +# connections received from a port flagged with require-proxy-header. +# It is checked only once after TCP connection setup. +# +# A deny match results in TCP connection closure. +# +# An allow match is required for Squid to permit the corresponding +# TCP connection, before Squid even looks for HTTP request headers. +# If there is an allow match, Squid starts using PROXY header information +# to determine the source address of the connection for all future ACL +# checks, logging, etc. +# +# SECURITY CONSIDERATIONS: +# +# Any host from which we accept client IP details can place +# incorrect information in the relevant header, and Squid +# will use the incorrect information as if it were the +# source address of the request. This may enable remote +# hosts to bypass any access control restrictions that are +# based on the client's source addresses. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# all TCP connections to ports with require-proxy-header will be denied + # TAG: follow_x_forwarded_for -# Allowing or Denying the X-Forwarded-For header to be followed to -# find the original source of a request. +# Determine which client proxies can be trusted to provide correct +# information regarding real client IP address. # # Requests may pass through a chain of several other proxies -# before reaching us. The X-Forwarded-For header will contain a -# comma-separated list of the IP addresses in the chain, with the -# rightmost address being the most recent. +# before reaching us. The original source details may by sent in: +# * HTTP message Forwarded header, or +# * HTTP message X-Forwarded-For header, or +# * PROXY protocol connection header. +# +# PROXY protocol connections are controlled by the proxy_protocol_access +# directive which is checked before this. # # If a request reaches us from a source that is allowed by this -# configuration item, then we consult the X-Forwarded-For header -# to see where that host received the request from. If the -# X-Forwarded-For header contains multiple addresses, we continue -# backtracking until we reach an address for which we are not allowed -# to follow the X-Forwarded-For header, or until we reach the first -# address in the list. For the purpose of ACL used in the -# follow_x_forwarded_for directive the src ACL type always matches -# the address we are testing and srcdomain matches its rDNS. +# directive, then we trust the information it provides regarding +# the IP of the client it received from (if any). +# +# For the purpose of ACLs used in this directive the src ACL type always +# matches the address we are testing and srcdomain matches its rDNS. +# +# On each HTTP request Squid checks for X-Forwarded-For header fields. +# If found the header values are iterated in reverse order and an allow +# match is required for Squid to continue on to the next value. +# The verification ends when a value receives a deny match, cannot be +# tested, or there are no more values to test. +# NOTE: Squid does not yet follow the Forwarded HTTP header. # # The end result of this process is an IP address that we will # refer to as the indirect client address. This address may # be treated as the client address for access control, ICAP, delay # pools and logging, depending on the acl_uses_indirect_client, -# icap_uses_indirect_client, delay_pool_uses_indirect_client and -# log_uses_indirect_client options. +# icap_uses_indirect_client, delay_pool_uses_indirect_client, +# log_uses_indirect_client and tproxy_uses_indirect_client options. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # # SECURITY CONSIDERATIONS: # -# Any host for which we follow the X-Forwarded-For header -# can place incorrect information in the header, and Squid +# Any host from which we accept client IP details can place +# incorrect information in the relevant header, and Squid # will use the incorrect information as if it were the # source address of the request. This may enable remote # hosts to bypass any access control restrictions that are @@ -761,7 +1080,7 @@ acl CONNECT method CONNECT # follow_x_forwarded_for allow localhost # follow_x_forwarded_for allow my_other_proxy #Default: -# follow_x_forwarded_for deny all +# X-Forwarded-For header will be ignored. # TAG: acl_uses_indirect_client on|off # Controls whether the indirect client address @@ -787,10 +1106,41 @@ acl CONNECT method CONNECT #Default: # log_uses_indirect_client on +# TAG: tproxy_uses_indirect_client on|off +# Controls whether the indirect client address +# (see follow_x_forwarded_for) is used instead of the +# direct client address when spoofing the outgoing client. +# +# This has no effect on requests arriving in non-tproxy +# mode ports. +# +# SECURITY WARNING: Usage of this option is dangerous +# and should not be used trivially. Correct configuration +# of follow_x_forwarded_for with a limited set of trusted +# sources is required to prevent abuse of your proxy. +#Default: +# tproxy_uses_indirect_client off + +# TAG: spoof_client_ip +# Control client IP address spoofing of TPROXY traffic based on +# defined access lists. +# +# spoof_client_ip allow|deny [!]aclname ... +# +# If there are no "spoof_client_ip" lines present, the default +# is to "allow" spoofing of any suitable request. +# +# Note that the cache_peer "no-tproxy" option overrides this ACL. +# +# This clause supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Allow spoofing on all TPROXY traffic. + # TAG: http_access # Allowing or Denying access based on defined access lists # -# Access to the HTTP port: +# To allow or deny a message received on an HTTP, HTTPS, or FTP port: # http_access allow|deny [!]aclname ... # # NOTE on default values: @@ -809,22 +1159,22 @@ acl CONNECT method CONNECT # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # #Default: -# http_access deny all +# Deny, unless rules exist in squid.conf. # # # Recommended minimum Access Permission configuration: # -# Only allow cachemgr access from localhost -http_access allow manager localhost -http_access deny manager - # Deny requests to certain unsafe ports http_access deny !Safe_ports # Deny CONNECT to other than secure SSL ports http_access deny CONNECT !SSL_ports +# Only allow cachemgr access from localhost +http_access allow localhost manager +http_access deny manager + # We strongly recommend the following be uncommented to protect innocent # web applications running on the proxy server who think the only # one who can access services on "localhost" is a local user @@ -852,7 +1202,7 @@ http_access deny all # # If not set then only http_access is used. #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: http_reply_access # Allow replies to client requests. This is complementary to http_access. @@ -860,7 +1210,7 @@ http_access deny all # http_reply_access allow|deny [!] aclname ... # # NOTE: if there are no access lines present, the default is to allow -# all replies +# all replies. # # If none of the access lines cause a match the opposite of the # last line will apply. Thus it is good practice to end the rules @@ -869,7 +1219,7 @@ http_access deny all # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: icp_access # Allowing or Denying access to the ICP port based on defined @@ -877,7 +1227,9 @@ http_access deny all # # icp_access allow|deny [!]aclname ... # -# See http_access for details +# NOTE: The default if no icp_access lines are present is to +# deny all traffic. This default may cause problems with peers +# using ICP. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. @@ -886,7 +1238,7 @@ http_access deny all ##icp_access allow localnet ##icp_access deny all #Default: -# icp_access deny all +# Deny, unless rules exist in squid.conf. # TAG: htcp_access # Allowing or Denying access to the HTCP port based on defined @@ -894,11 +1246,12 @@ http_access deny all # # htcp_access allow|deny [!]aclname ... # -# See http_access for details +# See also htcp_clr_access for details on access control for +# cache purge (CLR) HTCP messages. # # NOTE: The default if no htcp_access lines are present is to # deny all traffic. This default may cause problems with peers -# using the htcp or htcp-oldsquid options. +# using the htcp option. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. @@ -907,48 +1260,47 @@ http_access deny all ##htcp_access allow localnet ##htcp_access deny all #Default: -# htcp_access deny all +# Deny, unless rules exist in squid.conf. # TAG: htcp_clr_access # Allowing or Denying access to purge content using HTCP based -# on defined access lists +# on defined access lists. +# See htcp_access for details on general HTCP access control. # # htcp_clr_access allow|deny [!]aclname ... # -# See http_access for details -# # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # ## Allow HTCP CLR requests from trusted peers -#acl htcp_clr_peer src 172.16.1.2 +#acl htcp_clr_peer src 192.0.2.2 2001:DB8::2 #htcp_clr_access allow htcp_clr_peer +#htcp_clr_access deny all #Default: -# htcp_clr_access deny all +# Deny, unless rules exist in squid.conf. # TAG: miss_access -# Determins whether network access is permitted when satisfying a request. +# Determines whether network access is permitted when satisfying a request. # # For example; # to force your neighbors to use you as a sibling instead of # a parent. # -# acl localclients src 172.16.0.0/16 -# miss_access allow localclients +# acl localclients src 192.0.2.0/24 2001:DB8::a:0/64 # miss_access deny !localclients +# miss_access allow all # # This means only your local clients are allowed to fetch relayed/MISS # replies from the network and all other clients can only fetch cached # objects (HITs). # -# # The default for this setting allows all clients who passed the # http_access rules to relay via this proxy. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# miss_access allow all +# Allow, unless rules exist in squid.conf. # TAG: ident_lookup_access # A list of ACL elements which, if matched, cause an ident @@ -972,7 +1324,7 @@ http_access deny all # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# ident_lookup_access deny all +# Unless rules exist in squid.conf, IDENT is not fetched. # TAG: reply_body_max_size size [acl acl...] # This option specifies the maximum size of a reply body. It can be @@ -1009,23 +1361,22 @@ http_access deny all # reply_body_max_size 10 MB # #Default: -# none +# No limit is applied. # NETWORK OPTIONS # ----------------------------------------------------------------------------- # TAG: http_port -# Usage: port [options] -# hostname:port [options] -# 1.2.3.4:port [options] +# Usage: port [mode] [options] +# hostname:port [mode] [options] +# 1.2.3.4:port [mode] [options] # # The socket addresses where Squid will listen for HTTP client # requests. You may specify multiple socket addresses. # There are three forms: port alone, hostname with port, and # IP address with port. If you specify a hostname or IP # address, Squid binds the socket to that specific -# address. This replaces the old 'tcp_incoming_address' -# option. Most likely, you do not need to bind to a specific +# address. Most likely, you do not need to bind to a specific # address, so you can use the port number alone. # # If you are running Squid in accelerator mode, you @@ -1037,48 +1388,184 @@ http_access deny all # # You may specify multiple socket addresses on multiple lines. # -# Options: +# Modes: # -# intercept Support for IP-Layer interception of -# outgoing requests without browser settings. -# NP: disables authentication and IPv6 on the port. +# intercept Support for IP-Layer NAT interception delivering +# traffic to this Squid port. +# NP: disables authentication on the port. # -# tproxy Support Linux TPROXY for spoofing outgoing -# connections using the client IP address. -# NP: disables authentication and maybe IPv6 on the port. +# tproxy Support Linux TPROXY (or BSD divert-to) with spoofing +# of outgoing connections using the client IP address. +# NP: disables authentication on the port. # -# accel Accelerator mode. Also needs at least one of -# vhost / vport / defaultsite. +# accel Accelerator / reverse proxy mode # -# allow-direct Allow direct forwarding in accelerator mode. Normally -# accelerated requests are denied direct forwarding as if -# never_direct was used. +# ssl-bump For each CONNECT request allowed by ssl_bump ACLs, +# establish secure connection with the client and with +# the server, decrypt HTTPS messages as they pass through +# Squid, and treat them as unencrypted HTTP messages, +# becoming the man-in-the-middle. # -# defaultsite=domainname -# What to use for the Host: header if it is not present -# in a request. Determines what site (not origin server) -# accelerators should consider the default. -# Implies accel. +# The ssl_bump option is required to fully enable +# bumping of CONNECT requests. +# +# Omitting the mode flag causes default forward proxy mode to be used. +# +# +# Accelerator Mode Options: +# +# defaultsite=domainname +# What to use for the Host: header if it is not present +# in a request. Determines what site (not origin server) +# accelerators should consider the default. # -# vhost Accelerator mode using Host header for virtual domain support. -# Also uses the port as specified in Host: header unless -# overridden by the vport option. Implies accel. +# no-vhost Disable using HTTP/1.1 Host header for virtual domain support. +# +# protocol= Protocol to reconstruct accelerated and intercepted +# requests with. Defaults to HTTP/1.1 for http_port and +# HTTPS/1.1 for https_port. +# When an unsupported value is configured Squid will +# produce a FATAL error. +# Values: HTTP or HTTP/1.1, HTTPS or HTTPS/1.1 # # vport Virtual host port support. Using the http_port number -# instead of the port passed on Host: headers. Implies accel. +# instead of the port passed on Host: headers. # # vport=NN Virtual host port support. Using the specified port # number instead of the port passed on Host: headers. -# Implies accel. # -# protocol= Protocol to reconstruct accelerated requests with. -# Defaults to http. +# act-as-origin +# Act as if this Squid is the origin server. +# This currently means generate new Date: and Expires: +# headers on HIT instead of adding Age:. # # ignore-cc Ignore request Cache-Control headers. # -# Warning: This option violates HTTP specifications if +# WARNING: This option violates HTTP specifications if # used in non-accelerator setups. # +# allow-direct Allow direct forwarding in accelerator mode. Normally +# accelerated requests are denied direct forwarding as if +# never_direct was used. +# +# WARNING: this option opens accelerator mode to security +# vulnerabilities usually only affecting in interception +# mode. Make sure to protect forwarding with suitable +# http_access rules when using this. +# +# +# SSL Bump Mode Options: +# In addition to these options ssl-bump requires TLS/SSL options. +# +# generate-host-certificates[=] +# Dynamically create SSL server certificates for the +# destination hosts of bumped CONNECT requests.When +# enabled, the cert and key options are used to sign +# generated certificates. Otherwise generated +# certificate will be selfsigned. +# If there is a CA certificate lifetime of the generated +# certificate equals lifetime of the CA certificate. If +# generated certificate is selfsigned lifetime is three +# years. +# This option is disabled by default. See the ssl-bump +# option above for more information. +# +# dynamic_cert_mem_cache_size=SIZE +# Approximate total RAM size spent on cached generated +# certificates. If set to zero, caching is disabled. +# +# TLS / SSL Options: +# +# cert= Path to SSL certificate (PEM format). +# +# key= Path to SSL private key file (PEM format) +# if not specified, the certificate file is +# assumed to be a combined certificate and +# key file. +# +# version= The version of SSL/TLS supported +# 1 automatic (default) +# 2 SSLv2 only +# 3 SSLv3 only +# 4 TLSv1.0 only +# 5 TLSv1.1 only +# 6 TLSv1.2 only +# +# cipher= Colon separated list of supported ciphers. +# NOTE: some ciphers such as EDH ciphers depend on +# additional settings. If those settings are +# omitted the ciphers may be silently ignored +# by the OpenSSL library. +# +# options= Various SSL implementation options. The most important +# being: +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# SINGLE_DH_USE Always create a new key when using +# temporary/ephemeral DH key exchanges +# NO_TICKET Disables TLS tickets extension +# +# SINGLE_ECDH_USE +# Enable ephemeral ECDH key exchange. +# The adopted curve should be specified +# using the tls-dh option. +# +# ALL Enable various bug workarounds +# suggested as "harmless" by OpenSSL +# Be warned that this reduces SSL/TLS +# strength to some attacks. +# See OpenSSL SSL_CTX_set_options documentation for a +# complete list of options. +# +# clientca= File containing the list of CAs to use when +# requesting a client certificate. +# +# cafile= File containing additional CA certificates to +# use when verifying client certificates. If unset +# clientca will be used. +# +# capath= Directory containing additional CA certificates +# and CRL lists to use when verifying client certificates. +# +# crlfile= File of additional CRL lists to use when verifying +# the client certificate, in addition to CRLs stored in +# the capath. Implies VERIFY_CRL flag below. +# +# tls-dh=[curve:]file +# File containing DH parameters for temporary/ephemeral DH key +# exchanges, optionally prefixed by a curve for ephemeral ECDH +# key exchanges. +# See OpenSSL documentation for details on how to create the +# DH parameter file. Supported curves for ECDH can be listed +# using the "openssl ecparam -list_curves" command. +# WARNING: EDH and EECDH ciphers will be silently disabled if +# this option is not set. +# +# sslflags= Various flags modifying the use of SSL: +# DELAYED_AUTH +# Don't request client certificates +# immediately, but wait until acl processing +# requires a certificate (not yet implemented). +# NO_DEFAULT_CA +# Don't use the default CA lists built in +# to OpenSSL. +# NO_SESSION_REUSE +# Don't allow for session reuse. Each connection +# will result in a new SSL session. +# VERIFY_CRL +# Verify CRL lists when accepting client +# certificates. +# VERIFY_CRL_ALL +# Verify CRL lists for all certificates in the +# client certificate chain. +# +# sslcontext= SSL session ID context identifier. +# +# Other Options: +# # connection-auth[=on|off] # use connection-auth=off to tell Squid to prevent # forwarding Microsoft connection oriented authentication @@ -1100,22 +1587,6 @@ http_access deny all # sporadically hang or never complete requests set # disable-pmtu-discovery option to 'transparent'. # -# ssl-bump Intercept each CONNECT request matching ssl_bump ACL, -# establish secure connection with the client and with -# the server, decrypt HTTP messages as they pass through -# Squid, and treat them as unencrypted HTTP messages, -# becoming the man-in-the-middle. -# -# When this option is enabled, additional options become -# available to specify SSL-related properties of the -# client-side connection: cert, key, version, cipher, -# options, clientca, cafile, capath, crlfile, dhparams, -# sslflags, and sslcontext. See the https_port directive -# for more information on these options. -# -# The ssl_bump option is required to fully enable -# the SslBump feature. -# # name= Specifies a internal name for the port. Defaults to # the port specification (port or addr:port) # @@ -1125,6 +1596,11 @@ http_access deny all # probing the connection, interval how often to probe, and # timeout the time before giving up. # +# require-proxy-header +# Require PROXY protocol version 1 or 2 connections. +# The proxy_protocol_access is required to whitelist +# downstream proxies which can be trusted. +# # If you run Squid on a dual-homed machine with an internal # and an external interface we recommend you to specify the # internal address:port in http_port. This way Squid will only be @@ -1137,35 +1613,49 @@ http_port 3128 # TAG: https_port # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # -# Usage: [ip:]port cert=certificate.pem [key=key.pem] [options...] +# Usage: [ip:]port cert=certificate.pem [key=key.pem] [mode] [options...] # -# The socket address where Squid will listen for HTTPS client -# requests. +# The socket address where Squid will listen for client requests made +# over TLS or SSL connections. Commonly referred to as HTTPS. # -# This is really only useful for situations where you are running -# squid in accelerator mode and you want to do the SSL work at the -# accelerator level. +# This is most useful for situations where you are running squid in +# accelerator mode and you want to do the SSL work at the accelerator level. # # You may specify multiple socket addresses on multiple lines, # each with their own SSL certificate and/or options. # -# Options: +# Modes: +# +# accel Accelerator / reverse proxy mode +# +# intercept Support for IP-Layer interception of +# outgoing requests without browser settings. +# NP: disables authentication and IPv6 on the port. +# +# tproxy Support Linux TPROXY for spoofing outgoing +# connections using the client IP address. +# NP: disables authentication and maybe IPv6 on the port. +# +# ssl-bump For each intercepted connection allowed by ssl_bump +# ACLs, establish a secure connection with the client and with +# the server, decrypt HTTPS messages as they pass through +# Squid, and treat them as unencrypted HTTP messages, +# becoming the man-in-the-middle. +# +# An "ssl_bump server-first" match is required to +# fully enable bumping of intercepted SSL connections. +# +# Requires tproxy or intercept. # -# accel Accelerator mode. Also needs at least one of -# defaultsite or vhost. +# Omitting the mode flag causes default forward proxy mode to be used. # -# defaultsite= The name of the https site presented on -# this port. Implies accel. # -# vhost Accelerator mode using Host header for virtual -# domain support. Requires a wildcard certificate -# or other certificate valid for more than one domain. -# Implies accel. +# See http_port for a list of generic options # -# protocol= Protocol to reconstruct accelerated requests with. -# Defaults to https. +# +# SSL Options: # # cert= Path to SSL certificate (PEM format). # @@ -1181,20 +1671,23 @@ http_port 3128 # 4 TLSv1 only # # cipher= Colon separated list of supported ciphers. -# NOTE: some ciphers such as EDH ciphers depend on -# additional settings. If those settings are -# omitted the ciphers may be silently ignored -# by the OpenSSL library. # # options= Various SSL engine options. The most important # being: # NO_SSLv2 Disallow the use of SSLv2 # NO_SSLv3 Disallow the use of SSLv3 # NO_TLSv1 Disallow the use of TLSv1 +# # SINGLE_DH_USE Always create a new key when using # temporary/ephemeral DH key exchanges -# See OpenSSL SSL_CTX_set_options documentation for a -# complete list of options. +# +# SINGLE_ECDH_USE +# Enable ephemeral ECDH key exchange. +# The adopted curve should be specified +# using the tls-dh option. +# +# See src/ssl_support.c or OpenSSL SSL_CTX_set_options +# documentation for a complete list of options. # # clientca= File containing the list of CAs to use when # requesting a client certificate. @@ -1210,11 +1703,10 @@ http_port 3128 # the client certificate, in addition to CRLs stored in # the capath. Implies VERIFY_CRL flag below. # -# dhparams= File containing DH parameters for temporary/ephemeral -# DH key exchanges. See OpenSSL documentation for details -# on how to create this file. -# WARNING: EDH ciphers will be silently disabled if this -# option is not set. +# tls-dh=[curve:]file +# File containing DH parameters for temporary/ephemeral DH key +# exchanges, optionally prefixed by a curve for ephemeral ECDH +# key exchanges. # # sslflags= Various flags modifying the use of SSL: # DELAYED_AUTH @@ -1238,38 +1730,89 @@ http_port 3128 # # generate-host-certificates[=] # Dynamically create SSL server certificates for the -# destination hosts of bumped CONNECT requests.When +# destination hosts of bumped SSL requests.When # enabled, the cert and key options are used to sign # generated certificates. Otherwise generated # certificate will be selfsigned. -# If there is CA certificate life time of generated +# If there is CA certificate life time of generated # certificate equals lifetime of CA certificate. If -# generated certificate is selfsigned lifetime is three +# generated certificate is selfsigned lifetime is three # years. -# This option is enabled by default when SslBump is used. -# See the sslBump option above for more information. -# +# This option is disabled by default. See the ssl-bump +# option above for more information. +# # dynamic_cert_mem_cache_size=SIZE # Approximate total RAM size spent on cached generated -# certificates. If set to zero, caching is disabled. The -# default value is 4MB. An average XXX-bit certificate -# consumes about XXX bytes of RAM. +# certificates. If set to zero, caching is disabled. # -# vport Accelerator with IP based virtual host support. +# See http_port for a list of available options. +#Default: +# none + +# TAG: ftp_port +# Enables Native FTP proxy by specifying the socket address where Squid +# listens for FTP client requests. See http_port directive for various +# ways to specify the listening address and mode. # -# vport=NN As above, but uses specified port number rather -# than the https_port number. Implies accel. +# Usage: ftp_port address [mode] [options] # -# name= Specifies a internal name for the port. Defaults to -# the port specification (port or addr:port) +# WARNING: This is a new, experimental, complex feature that has seen +# limited production exposure. Some Squid modules (e.g., caching) do not +# currently work with native FTP proxying, and many features have not +# even been tested for compatibility. Test well before deploying! +# +# Native FTP proxying differs substantially from proxying HTTP requests +# with ftp:// URIs because Squid works as an FTP server and receives +# actual FTP commands (rather than HTTP requests with FTP URLs). # +# Native FTP commands accepted at ftp_port are internally converted or +# wrapped into HTTP-like messages. The same happens to Native FTP +# responses received from FTP origin servers. Those HTTP-like messages +# are shoveled through regular access control and adaptation layers +# between the FTP client and the FTP origin server. This allows Squid to +# examine, adapt, block, and log FTP exchanges. Squid reuses most HTTP +# mechanisms when shoveling wrapped FTP messages. For example, +# http_access and adaptation_access directives are used. +# +# Modes: +# +# intercept Same as http_port intercept. The FTP origin address is +# determined based on the intended destination of the +# intercepted connection. +# +# tproxy Support Linux TPROXY for spoofing outgoing +# connections using the client IP address. +# NP: disables authentication and maybe IPv6 on the port. +# +# By default (i.e., without an explicit mode option), Squid extracts the +# FTP origin address from the login@origin parameter of the FTP USER +# command. Many popular FTP clients support such native FTP proxying. +# +# Options: +# +# name=token Specifies an internal name for the port. Defaults to +# the port address. Usable with myportname ACL. +# +# ftp-track-dirs +# Enables tracking of FTP directories by injecting extra +# PWD commands and adjusting Request-URI (in wrapping +# HTTP requests) to reflect the current FTP server +# directory. Tracking is disabled by default. +# +# protocol=FTP Protocol to reconstruct accelerated and intercepted +# requests with. Defaults to FTP. No other accepted +# values have been tested with. An unsupported value +# results in a FATAL error. Accepted values are FTP, +# HTTP (or HTTP/1.1), and HTTPS (or HTTPS/1.1). +# +# Other http_port modes and options that are not specific to HTTP and +# HTTPS may also work. #Default: # none # TAG: tcp_outgoing_tos -# Allows you to select a TOS/Diffserv value to mark outgoing -# connections with, based on the username or source address -# making the request. +# Allows you to select a TOS/Diffserv value for packets outgoing +# on the server side, based on an ACL. # # tcp_outgoing_tos ds-field [!]aclname ... # @@ -1286,41 +1829,116 @@ http_port 3128 # RFC2475, and RFC3260. # # The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or -# "default" to use whatever default your host has. Note that in -# practice often only multiples of 4 is usable as the two rightmost bits -# have been redefined for use by ECN (RFC 3168 section 23.1). +# "default" to use whatever default your host has. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. # # Processing proceeds in the order specified, and stops at first fully # matching line. # -# Note: The use of this directive using client dependent ACLs is -# incompatible with the use of server side persistent connections. To -# ensure correct results it is best to set server_persistent_connections -# to off when using this directive in such configurations. +# Only fast ACLs are supported. #Default: # none # TAG: clientside_tos -# Allows you to select a TOS/Diffserv value to mark client-side -# connections with, based on the username or source address -# making the request. +# Allows you to select a TOS/DSCP value for packets being transmitted +# on the client-side, based on an ACL. +# +# clientside_tos ds-field [!]aclname ... +# +# Example where normal_service_net uses the TOS value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# clientside_tos 0x00 normal_service_net +# clientside_tos 0x20 good_service_net +# +# Note: This feature is incompatible with qos_flows. Any TOS values set here +# will be overwritten by TOS values in qos_flows. +# +# The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or +# "default" to use whatever default your host has. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. +# +#Default: +# none + +# TAG: tcp_outgoing_mark +# Note: This option is only available if Squid is rebuilt with the +# Packet MARK (Linux) +# +# Allows you to apply a Netfilter mark value to outgoing packets +# on the server side, based on an ACL. +# +# tcp_outgoing_mark mark-value [!]aclname ... +# +# Example where normal_service_net uses the mark value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# tcp_outgoing_mark 0x00 normal_service_net +# tcp_outgoing_mark 0x20 good_service_net +# +# Only fast ACLs are supported. +#Default: +# none + +# TAG: clientside_mark +# Note: This option is only available if Squid is rebuilt with the +# Packet MARK (Linux) +# +# Allows you to apply a Netfilter mark value to packets being transmitted +# on the client-side, based on an ACL. +# +# clientside_mark mark-value [!]aclname ... +# +# Example where normal_service_net uses the mark value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# clientside_mark 0x00 normal_service_net +# clientside_mark 0x20 good_service_net +# +# Note: This feature is incompatible with qos_flows. Any mark values set here +# will be overwritten by mark values in qos_flows. #Default: # none # TAG: qos_flows # Allows you to select a TOS/DSCP value to mark outgoing -# connections with, based on where the reply was sourced. +# connections to the client, based on where the reply was sourced. +# For platforms using netfilter, allows you to set a netfilter mark +# value instead of, or in addition to, a TOS value. +# +# By default this functionality is disabled. To enable it with the default +# settings simply use "qos_flows mark" or "qos_flows tos". Default +# settings will result in the netfilter mark or TOS value being copied +# from the upstream connection to the client. Note that it is the connection +# CONNMARK value not the packet MARK value that is copied. +# +# It is not currently possible to copy the mark or TOS value from the +# client to the upstream connection request. # # TOS values really only have local significance - so you should # know what you're specifying. For more information, see RFC2474, # RFC2475, and RFC3260. # -# The TOS/DSCP byte must be exactly that - octet value 0x00-0xFF. -# Note that in practice often only values up to 0x3F are usable -# as the two highest bits have been redefined for use by ECN -# (RFC3168). +# The TOS/DSCP byte must be exactly that - a octet value 0 - 255. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. +# +# Mark values can be any unsigned 32-bit integer value. # -# This setting is configured by setting the source TOS values: +# This setting is configured by setting the following values: +# +# tos|mark Whether to set TOS or netfilter mark values # # local-hit=0xFF Value to mark local cache hits. # @@ -1328,23 +1946,37 @@ http_port 3128 # # parent-hit=0xFF Value to mark hits from parent peers. # +# miss=0xFF[/mask] Value to mark cache misses. Takes precedence +# over the preserve-miss feature (see below), unless +# mask is specified, in which case only the bits +# specified in the mask are written. # -# NOTE: 'miss' preserve feature is only possible on Linux at this time. -# -# For the following to work correctly, you will need to patch your -# linux kernel with the TOS preserving ZPH patch. -# The kernel patch can be downloaded from http://zph.bratcheda.org +# The TOS variant of the following features are only possible on Linux +# and require your kernel to be patched with the TOS preserving ZPH +# patch, available from http://zph.bratcheda.org +# No patch is needed to preserve the netfilter mark, which will work +# with all variants of netfilter. # # disable-preserve-miss -# By default, the existing TOS value of the response coming -# from the remote server will be retained and masked with -# miss-mark. This option disables that feature. +# This option disables the preservation of the TOS or netfilter +# mark. By default, the existing TOS or netfilter mark value of +# the response coming from the remote server will be retained +# and masked with miss-mark. +# NOTE: in the case of a netfilter mark, the mark must be set on +# the connection (using the CONNMARK target) not on the packet +# (MARK target). # # miss-mask=0xFF -# Allows you to mask certain bits in the TOS received from the -# remote server, before copying the value to the TOS sent -# towards clients. -# Default: 0xFF (TOS from server is not changed). +# Allows you to mask certain bits in the TOS or mark value +# received from the remote server, before copying the value to +# the TOS sent towards clients. +# Default for tos: 0xFF (TOS from server is not changed). +# Default for mark: 0xFFFFFFFF (mark from server is not changed). +# +# All of these features require the --enable-zph-qos compilation flag +# (enabled by default). Netfilter marking also requires the +# libnetfilter_conntrack libraries (--with-netfilter-conntrack) and +# libcap 2.09+ (--with-libcap). # #Default: # none @@ -1356,72 +1988,133 @@ http_port 3128 # # tcp_outgoing_address ipaddr [[!]aclname] ... # -# Example where requests from 10.0.0.0/24 will be forwarded -# with source address 10.1.0.1, 10.0.2.0/24 forwarded with -# source address 10.1.0.2 and the rest will be forwarded with -# source address 10.1.0.3. -# -# acl normal_service_net src 10.0.0.0/24 -# acl good_service_net src 10.0.2.0/24 -# tcp_outgoing_address 10.1.0.1 normal_service_net -# tcp_outgoing_address 10.1.0.2 good_service_net -# tcp_outgoing_address 10.1.0.3 -# -# Processing proceeds in the order specified, and stops at first fully -# matching line. -# -# Note: The use of this directive using client dependent ACLs is -# incompatible with the use of server side persistent connections. To -# ensure correct results it is best to set server_persistent_connections -# to off when using this directive in such configurations. -# +# For example; +# Forwarding clients with dedicated IPs for certain subnets. # -# IPv6 Magic: +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.2.0/24 # -# Squid is built with a capability of bridging the IPv4 and IPv6 -# internets. -# tcp_outgoing_address as exampled above breaks this bridging by forcing -# all outbound traffic through a certain IPv4 which may be on the wrong -# side of the IPv4/IPv6 boundary. +# tcp_outgoing_address 2001:db8::c001 good_service_net +# tcp_outgoing_address 10.1.0.2 good_service_net # -# To operate with tcp_outgoing_address and keep the bridging benefits -# an additional ACL needs to be used which ensures the IPv6-bound traffic -# is never forced or permitted out the IPv4 interface. +# tcp_outgoing_address 2001:db8::beef normal_service_net +# tcp_outgoing_address 10.1.0.1 normal_service_net # -# # IPv6 destination test along with a dummy access control to perform the required DNS -# # This MUST be place before any ALLOW rules. -# acl to_ipv6 dst ipv6 -# http_access deny ipv6 !all +# tcp_outgoing_address 2001:db8::1 +# tcp_outgoing_address 10.1.0.3 # -# tcp_outgoing_address 2001:db8::c001 good_service_net to_ipv6 -# tcp_outgoing_address 10.1.0.2 good_service_net !to_ipv6 +# Processing proceeds in the order specified, and stops at first fully +# matching line. # -# tcp_outgoing_address 2001:db8::beef normal_service_net to_ipv6 -# tcp_outgoing_address 10.1.0.1 normal_service_net !to_ipv6 +# Squid will add an implicit IP version test to each line. +# Requests going to IPv4 websites will use the outgoing 10.1.0.* addresses. +# Requests going to IPv6 websites will use the outgoing 2001:db8:* addresses. # -# tcp_outgoing_address 2001:db8::1 to_ipv6 -# tcp_outgoing_address 10.1.0.3 !to_ipv6 # -# WARNING: -# 'dst ipv6' bases its selection assuming DIRECT access. -# If peers are used the peername ACL are needed to select outgoing -# address which can link to the peer. +# NOTE: The use of this directive using client dependent ACLs is +# incompatible with the use of server side persistent connections. To +# ensure correct results it is best to set server_persistent_connections +# to off when using this directive in such configurations. # -# 'dst ipv6' is a slow ACL. It will only work here if 'dst' is used -# previously in the http_access rules to locate the destination IP. -# Some more magic may be needed for that: -# http_access allow to_ipv6 !all -# (meaning, allow if to IPv6 but not from anywhere ;) +# NOTE: The use of this directive to set a local IP on outgoing TCP links +# is incompatible with using TPROXY to set client IP out outbound TCP links. +# When needing to contact peers use the no-tproxy cache_peer option and the +# client_dst_passthru directive re-enable normal forwarding such as this. # #Default: -# none +# Address selection is performed by the operating system. + +# TAG: host_verify_strict +# Regardless of this option setting, when dealing with intercepted +# traffic, Squid always verifies that the destination IP address matches +# the Host header domain or IP (called 'authority form URL'). +# +# This enforcement is performed to satisfy a MUST-level requirement in +# RFC 2616 section 14.23: "The Host field value MUST represent the naming +# authority of the origin server or gateway given by the original URL". +# +# When set to ON: +# Squid always responds with an HTTP 409 (Conflict) error +# page and logs a security warning if there is no match. +# +# Squid verifies that the destination IP address matches +# the Host header for forward-proxy and reverse-proxy traffic +# as well. For those traffic types, Squid also enables the +# following checks, comparing the corresponding Host header +# and Request-URI components: +# +# * The host names (domain or IP) must be identical, +# but valueless or missing Host header disables all checks. +# For the two host names to match, both must be either IP +# or FQDN. +# +# * Port numbers must be identical, but if a port is missing +# the scheme-default port is assumed. +# +# +# When set to OFF (the default): +# Squid allows suspicious requests to continue but logs a +# security warning and blocks caching of the response. +# +# * Forward-proxy traffic is not checked at all. +# +# * Reverse-proxy traffic is not checked at all. +# +# * Intercepted traffic which passes verification is handled +# according to client_dst_passthru. +# +# * Intercepted requests which fail verification are sent +# to the client original destination instead of DIRECT. +# This overrides 'client_dst_passthru off'. +# +# For now suspicious intercepted CONNECT requests are always +# responded to with an HTTP 409 (Conflict) error page. +# +# +# SECURITY NOTE: +# +# As described in CVE-2009-0801 when the Host: header alone is used +# to determine the destination of a request it becomes trivial for +# malicious scripts on remote websites to bypass browser same-origin +# security policy and sandboxing protections. +# +# The cause of this is that such applets are allowed to perform their +# own HTTP stack, in which case the same-origin policy of the browser +# sandbox only verifies that the applet tries to contact the same IP +# as from where it was loaded at the IP level. The Host: header may +# be different from the connected IP and approved origin. +# +#Default: +# host_verify_strict off + +# TAG: client_dst_passthru +# With NAT or TPROXY intercepted traffic Squid may pass the request +# directly to the original client destination IP or seek a faster +# source using the HTTP Host header. +# +# Using Host to locate alternative servers can provide faster +# connectivity with a range of failure recovery options. +# But can also lead to connectivity trouble when the client and +# server are attempting stateful interactions unaware of the proxy. +# +# This option (on by default) prevents alternative DNS entries being +# located to send intercepted traffic DIRECT to an origin server. +# The clients original destination IP and port will be used instead. +# +# Regardless of this option setting, when dealing with intercepted +# traffic Squid will verify the Host: header and any traffic which +# fails Host verification will be treated as if this option were ON. +# +# see host_verify_strict for details on the verification process. +#Default: +# client_dst_passthru on # SSL OPTIONS # ----------------------------------------------------------------------------- # TAG: ssl_unclean_shutdown # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Some browsers (especially MSIE) bugs out on SSL shutdown # messages. @@ -1430,7 +2123,7 @@ http_port 3128 # TAG: ssl_engine # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # The OpenSSL engine to use. You will need to set this if you # would like to use hardware SSL acceleration for example. @@ -1439,7 +2132,7 @@ http_port 3128 # TAG: sslproxy_client_certificate # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Client SSL Certificate to use when proxying https:// URLs #Default: @@ -1447,7 +2140,7 @@ http_port 3128 # TAG: sslproxy_client_key # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Client SSL Key to use when proxying https:// URLs #Default: @@ -1455,36 +2148,60 @@ http_port 3128 # TAG: sslproxy_version # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # SSL version level to use when proxying https:// URLs +# +# The versions of SSL/TLS supported: +# +# 1 automatic (default) +# 2 SSLv2 only +# 3 SSLv3 only +# 4 TLSv1.0 only +# 5 TLSv1.1 only +# 6 TLSv1.2 only #Default: -# sslproxy_version 1 +# automatic SSL/TLS version negotiation # TAG: sslproxy_options # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # -# SSL engine options to use when proxying https:// URLs +# Colon (:) or comma (,) separated list of SSL implementation options +# to use when proxying https:// URLs # # The most important being: # -# NO_SSLv2 Disallow the use of SSLv2 -# NO_SSLv3 Disallow the use of SSLv3 -# NO_TLSv1 Disallow the use of TLSv1 -# SINGLE_DH_USE -# Always create a new key when using -# temporary/ephemeral DH key exchanges +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# +# SINGLE_DH_USE +# Always create a new key when using temporary/ephemeral +# DH key exchanges +# +# NO_TICKET +# Disable use of RFC5077 session tickets. Some servers +# may have problems understanding the TLS extension due +# to ambiguous specification in RFC4507. +# +# ALL Enable various bug workarounds suggested as "harmless" +# by OpenSSL. Be warned that this may reduce SSL/TLS +# strength to some attacks. # -# These options vary depending on your SSL engine. # See the OpenSSL SSL_CTX_set_options documentation for a # complete list of possible options. +# +# WARNING: This directive takes a single token. If a space is used +# the value(s) after that space are SILENTLY IGNORED. #Default: # none # TAG: sslproxy_cipher # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # SSL cipher list to use when proxying https:// URLs # @@ -1494,7 +2211,7 @@ http_port 3128 # TAG: sslproxy_cafile # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # file containing CA certificates to use when verifying server # certificates while proxying https:// URLs @@ -1503,45 +2220,151 @@ http_port 3128 # TAG: sslproxy_capath # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # directory containing CA certificates to use when verifying # server certificates while proxying https:// URLs #Default: # none -# TAG: ssl_bump +# TAG: sslproxy_session_ttl +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the timeout value for SSL sessions +#Default: +# sslproxy_session_ttl 300 + +# TAG: sslproxy_session_cache_size +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the cache size to use for ssl session +#Default: +# sslproxy_session_cache_size 2 MB + +# TAG: sslproxy_foreign_intermediate_certs # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # -# This ACL controls which CONNECT requests to an http_port -# marked with an sslBump flag are actually "bumped". Please -# see the sslBump flag of an http_port option for more details -# about decoding proxied SSL connections. +# Many origin servers fail to send their full server certificate +# chain for verification, assuming the client already has or can +# easily locate any missing intermediate certificates. # -# By default, no requests are bumped. +# Squid uses the certificates from the specified file to fill in +# these missing chains when trying to validate origin server +# certificate chains. +# +# The file is expected to contain zero or more PEM-encoded +# intermediate certificates. These certificates are not treated +# as trusted root certificates, and any self-signed certificate in +# this file will be ignored. +#Default: +# none + +# TAG: sslproxy_cert_sign_hash +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the hashing algorithm to use when signing generated certificates. +# Valid algorithm names depend on the OpenSSL library used. The following +# names are usually available: sha1, sha256, sha512, and md5. Please see +# your OpenSSL library manual for the available hashes. By default, Squids +# that support this option use sha256 hashes. +# +# Squid does not forcefully purge cached certificates that were generated +# with an algorithm other than the currently configured one. They remain +# in the cache, subject to the regular cache eviction policy, and become +# useful if the algorithm changes again. +#Default: +# none + +# TAG: ssl_bump +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# This option is consulted when a CONNECT request is received on +# an http_port (or a new connection is intercepted at an +# https_port), provided that port was configured with an ssl-bump +# flag. The subsequent data on the connection is either treated as +# HTTPS and decrypted OR tunneled at TCP level without decryption, +# depending on the first matching bumping "action". +# +# ssl_bump [!]acl ... +# +# The following bumping actions are currently supported: +# +# splice +# Become a TCP tunnel without decrypting proxied traffic. +# This is the default action. +# +# bump +# Establish a secure connection with the server and, using a +# mimicked server certificate, with the client. +# +# peek +# Receive client (step SslBump1) or server (step SslBump2) +# certificate while preserving the possibility of splicing the +# connection. Peeking at the server certificate (during step 2) +# usually precludes bumping of the connection at step 3. +# +# stare +# Receive client (step SslBump1) or server (step SslBump2) +# certificate while preserving the possibility of bumping the +# connection. Staring at the server certificate (during step 2) +# usually precludes splicing of the connection at step 3. +# +# terminate +# Close client and server connections. +# +# Backward compatibility actions available at step SslBump1: +# +# client-first +# Bump the connection. Establish a secure connection with the +# client first, then connect to the server. This old mode does +# not allow Squid to mimic server SSL certificate and does not +# work with intercepted SSL connections. +# +# server-first +# Bump the connection. Establish a secure connection with the +# server first, then establish a secure connection with the +# client, using a mimicked server certificate. Works with both +# CONNECT requests and intercepted SSL connections, but does +# not allow to make decisions based on SSL handshake info. +# +# peek-and-splice +# Decide whether to bump or splice the connection based on +# client-to-squid and server-to-squid SSL hello messages. +# XXX: Remove. +# +# none +# Same as the "splice" action. +# +# All ssl_bump rules are evaluated at each of the supported bumping +# steps. Rules with actions that are impossible at the current step are +# ignored. The first matching ssl_bump action wins and is applied at the +# end of the current step. If no rules match, the splice action is used. +# See the at_step ACL for a list of the supported SslBump steps. # -# See also: http_port ssl-bump -# # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # +# See also: http_port ssl-bump, https_port ssl-bump, and acl at_step. +# # -# # Example: Bump all requests except those originating from localhost and -# # those going to webax.com or example.com sites. +# # Example: Bump all TLS connections except those originating from +# # localhost or those going to example.com. # -# acl localhost src 127.0.0.1/32 -# acl broken_sites dstdomain .webax.com -# acl broken_sites dstdomain .example.com -# ssl_bump deny localhost -# ssl_bump deny broken_sites -# ssl_bump allow all +# acl broken_sites ssl::server_name .example.com +# ssl_bump splice localhost +# ssl_bump splice broken_sites +# ssl_bump bump all #Default: -# none +# Become a TCP tunnel without decrypting proxied traffic. # TAG: sslproxy_flags # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Various flags modifying the use of SSL while proxying https:// URLs: # DONT_VERIFY_PEER Accept certificates that fail verification. @@ -1553,16 +2376,16 @@ http_port 3128 # TAG: sslproxy_cert_error # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Use this ACL to bypass server certificate validation errors. # # For example, the following lines will bypass all validation errors -# when talking to servers located at 172.16.0.0/16. All other +# when talking to servers for example.com. All other # validation errors will result in ERR_SECURE_CONNECT_FAIL error. # -# acl BrokenServersAtTrustedIP dst 172.16.0.0/16 -# sslproxy_cert_error allow BrokenServersAtTrustedIP +# acl BrokenButTrustedServers dstdomain example.com +# sslproxy_cert_error allow BrokenButTrustedServers # sslproxy_cert_error deny all # # This clause only supports fast acl types. @@ -1570,19 +2393,107 @@ http_port 3128 # Using slow acl types may result in server crashes # # Without this option, all server certificate validation errors -# terminate the transaction. Bypassing validation errors is dangerous -# because an error usually implies that the server cannot be trusted and -# the connection may be insecure. +# terminate the transaction to protect Squid and the client. +# +# SQUID_X509_V_ERR_INFINITE_VALIDATION error cannot be bypassed +# but should not happen unless your OpenSSL library is buggy. +# +# SECURITY WARNING: +# Bypassing validation errors is dangerous because an +# error usually implies that the server cannot be trusted +# and the connection may be insecure. # # See also: sslproxy_flags and DONT_VERIFY_PEER. +#Default: +# Server certificate errors terminate the transaction. + +# TAG: sslproxy_cert_sign +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# # -# Default setting: sslproxy_cert_error deny all +# sslproxy_cert_sign acl ... +# +# The following certificate signing algorithms are supported: +# +# signTrusted +# Sign using the configured CA certificate which is usually +# placed in and trusted by end-user browsers. This is the +# default for trusted origin server certificates. +# +# signUntrusted +# Sign to guarantee an X509_V_ERR_CERT_UNTRUSTED browser error. +# This is the default for untrusted origin server certificates +# that are not self-signed (see ssl::certUntrusted). +# +# signSelf +# Sign using a self-signed certificate with the right CN to +# generate a X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT error in the +# browser. This is the default for self-signed origin server +# certificates (see ssl::certSelfSigned). +# +# This clause only supports fast acl types. +# +# When sslproxy_cert_sign acl(s) match, Squid uses the corresponding +# signing algorithm to generate the certificate and ignores all +# subsequent sslproxy_cert_sign options (the first match wins). If no +# acl(s) match, the default signing algorithm is determined by errors +# detected when obtaining and validating the origin server certificate. +# +# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can +# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a +# CONNECT request that carries a domain name. In all other cases (CONNECT +# to an IP address or an intercepted SSL connection), Squid cannot detect +# the domain mismatch at certificate generation time when +# bump-server-first is used. +#Default: +# none + +# TAG: sslproxy_cert_adapt +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# +# sslproxy_cert_adapt acl ... +# +# The following certificate adaptation algorithms are supported: +# +# setValidAfter +# Sets the "Not After" property to the "Not After" property of +# the CA certificate used to sign generated certificates. +# +# setValidBefore +# Sets the "Not Before" property to the "Not Before" property of +# the CA certificate used to sign generated certificates. +# +# setCommonName or setCommonName{CN} +# Sets Subject.CN property to the host name specified as a +# CN parameter or, if no explicit CN parameter was specified, +# extracted from the CONNECT request. It is a misconfiguration +# to use setCommonName without an explicit parameter for +# intercepted or tproxied SSL connections. +# +# This clause only supports fast acl types. +# +# Squid first groups sslproxy_cert_adapt options by adaptation algorithm. +# Within a group, when sslproxy_cert_adapt acl(s) match, Squid uses the +# corresponding adaptation algorithm to generate the certificate and +# ignores all subsequent sslproxy_cert_adapt options in that algorithm's +# group (i.e., the first match wins within each algorithm group). If no +# acl(s) match, the default mimicking action takes place. +# +# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can +# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a +# CONNECT request that carries a domain name. In all other cases (CONNECT +# to an IP address or an intercepted SSL connection), Squid cannot detect +# the domain mismatch at certificate generation time when +# bump-server-first is used. #Default: # none # TAG: sslpassword_program # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Specify a program used for entering SSL key passphrases # when using encrypted SSL certificate keys. If not specified @@ -1595,12 +2506,12 @@ http_port 3128 #Default: # none -#OPTIONS RELATING TO EXTERNAL SSL_CRTD -#----------------------------------------------------------------------------- +# OPTIONS RELATING TO EXTERNAL SSL_CRTD +# ----------------------------------------------------------------------------- # TAG: sslcrtd_program # Note: This option is only available if Squid is rebuilt with the -# -DUSE_SSL_CRTD define +# --enable-ssl-crtd # # Specify the location and options of the executable for ssl_crtd process. # /usr/lib/squid/ssl_crtd program requires -s and -M parameters @@ -1611,14 +2522,90 @@ http_port 3128 # TAG: sslcrtd_children # Note: This option is only available if Squid is rebuilt with the -# -DUSE_SSL_CRTD define +# --enable-ssl-crtd # # The maximum number of processes spawn to service ssl server. # The maximum this may be safely set to is 32. # +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup=N +# +# Sets the minimum number of processes to spawn when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few children temporary slows Squid under load while it +# tries to spawn enough additional processes to cope with traffic. +# +# idle=N +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# # You must have at least one ssl_crtd process. #Default: -# sslcrtd_children 5 +# sslcrtd_children 32 startup=5 idle=1 + +# TAG: sslcrtvalidator_program +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Specify the location and options of the executable for ssl_crt_validator +# process. +# +# Usage: sslcrtvalidator_program [ttl=n] [cache=n] path ... +# +# Options: +# ttl=n TTL in seconds for cached results. The default is 60 secs +# cache=n limit the result cache size. The default value is 2048 +#Default: +# none + +# TAG: sslcrtvalidator_children +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# The maximum number of processes spawn to service SSL server. +# The maximum this may be safely set to is 32. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup=N +# +# Sets the minimum number of processes to spawn when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few children temporary slows Squid under load while it +# tries to spawn enough additional processes to cope with traffic. +# +# idle=N +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# +# The number of requests each certificate validator helper can handle in +# parallel. A value of 0 indicates the certficate validator does not +# support concurrency. Defaults to 1. +# +# When this directive is set to a value >= 1 then the protocol +# used to communicate with the helper is modified to include +# a request ID in front of the request/response. The request +# ID from the request must be echoed back with the response +# to that request. +# +# You must have at least one ssl_crt_validator process. +#Default: +# sslcrtvalidator_children 32 startup=5 idle=1 concurrency=1 # OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM # ----------------------------------------------------------------------------- @@ -1680,22 +2667,23 @@ http_port 3128 # # htcp Send HTCP, instead of ICP, queries to the neighbor. # You probably also want to set the "icp-port" to 4827 -# instead of 3130. +# instead of 3130. This directive accepts a comma separated +# list of options described below. # -# htcp-oldsquid Send HTCP to old Squid versions. +# htcp=oldsquid Send HTCP to old Squid versions (2.5 or earlier). # -# htcp-no-clr Send HTCP to the neighbor but without +# htcp=no-clr Send HTCP to the neighbor but without # sending any CLR requests. This cannot be used with -# htcp-only-clr. +# only-clr. # -# htcp-only-clr Send HTCP to the neighbor but ONLY CLR requests. -# This cannot be used with htcp-no-clr. +# htcp=only-clr Send HTCP to the neighbor but ONLY CLR requests. +# This cannot be used with no-clr. # -# htcp-no-purge-clr +# htcp=no-purge-clr # Send HTCP to the neighbor including CLRs but only when # they do not result from PURGE requests. # -# htcp-forward-clr +# htcp=forward-clr # Forward any HTCP CLR requests this proxy receives to the peer. # # @@ -1768,6 +2756,14 @@ http_port 3128 # than the Squid default location. # # +# ==== CARP OPTIONS ==== +# +# carp-key=key-specification +# use a different key than the full URL to hash against the peer. +# the key-specification is a comma-separated list of the keywords +# scheme, host, port, path, params +# Order is not important. +# # ==== ACCELERATOR / REVERSE-PROXY OPTIONS ==== # # originserver Causes this parent to be contacted as an origin server. @@ -1795,20 +2791,23 @@ http_port 3128 # Note: The string can include URL escapes (i.e. %20 for # spaces). This also means % must be written as %%. # -# login=PROXYPASS +# login=PASSTHRU # Send login details received from client to this peer. -# Authentication is not required, nor changed. +# Both Proxy- and WWW-Authorization headers are passed +# without alteration to the peer. +# Authentication is not required by Squid for this to work. # # Note: This will pass any form of authentication but # only Basic auth will work through a proxy unless the # connection-auth options are also used. -# +# # login=PASS Send login details received from client to this peer. # Authentication is not required by this option. +# # If there are no client-provided authentication headers # to pass on, but username and password are available -# from either proxy login or an external ACL user= and -# password= result tags they may be sent instead. +# from an external ACL user= and password= result tags +# they may be sent instead. # # Note: To combine this with proxy_auth both proxies must # share the same user database as HTTP only allows for @@ -1826,6 +2825,27 @@ http_port 3128 # be used to identify this proxy to the peer, similar to # the login=username:password option above. # +# login=NEGOTIATE +# If this is a personal/workgroup proxy and your parent +# requires a secure proxy authentication. +# The first principal from the default keytab or defined by +# the environment variable KRB5_KTNAME will be used. +# +# WARNING: The connection may transmit requests from multiple +# clients. Negotiate often assumes end-to-end authentication +# and a single-client. Which is not strictly true here. +# +# login=NEGOTIATE:principal_name +# If this is a personal/workgroup proxy and your parent +# requires a secure proxy authentication. +# The principal principal_name from the default keytab or +# defined by the environment variable KRB5_KTNAME will be +# used. +# +# WARNING: The connection may transmit requests from multiple +# clients. Negotiate often assumes end-to-end authentication +# and a single-client. Which is not strictly true here. +# # connection-auth=on|off # Tell Squid that this peer does or not support Microsoft # connection oriented authentication, and any such @@ -1848,22 +2868,42 @@ http_port 3128 # reference a combined file containing both the # certificate and the key. # -# sslversion=1|2|3|4 +# sslversion=1|2|3|4|5|6 # The SSL version to use when connecting to this peer # 1 = automatic (default) # 2 = SSL v2 only # 3 = SSL v3 only -# 4 = TLS v1 only +# 4 = TLS v1.0 only +# 5 = TLS v1.1 only +# 6 = TLS v1.2 only # # sslcipher=... The list of valid SSL ciphers to use when connecting # to this peer. # -# ssloptions=... Specify various SSL engine options: -# NO_SSLv2 Disallow the use of SSLv2 -# NO_SSLv3 Disallow the use of SSLv3 -# NO_TLSv1 Disallow the use of TLSv1 -# See src/ssl_support.c or the OpenSSL documentation for -# a more complete list. +# ssloptions=... Specify various SSL implementation options: +# +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# +# SINGLE_DH_USE +# Always create a new key when using +# temporary/ephemeral DH key exchanges +# +# NO_TICKET +# Disable use of RFC5077 session tickets. Some servers +# may have problems understanding the TLS extension due +# to ambiguous specification in RFC4507. +# +# ALL Enable various bug workarounds +# suggested as "harmless" by OpenSSL +# Be warned that this reduces SSL/TLS +# strength to some attacks. +# +# See the OpenSSL SSL_CTX_set_options documentation for a +# more complete list. # # sslcafile=... A file containing additional CA certificates to use # when verifying the peer certificate. @@ -1907,29 +2947,74 @@ http_port 3128 # # connect-fail-limit=N # How many times connecting to a peer must fail before -# it is marked as down. Default is 10. +# it is marked as down. Standby connection failures +# count towards this limit. Default is 10. # # allow-miss Disable Squid's use of only-if-cached when forwarding # requests to siblings. This is primarily useful when -# icp_hit_stale is used by the sibling. To extensive use -# of this option may result in forwarding loops, and you -# should avoid having two-way peerings with this option. -# For example to deny peer usage on requests from peer -# by denying cache_peer_access if the source is a peer. +# icp_hit_stale is used by the sibling. Excessive use +# of this option may result in forwarding loops. One way +# to prevent peering loops when using this option, is to +# deny cache peer usage on requests from a peer: +# acl fromPeer ... +# cache_peer_access peerName deny fromPeer +# +# max-conn=N Limit the number of concurrent connections the Squid +# may open to this peer, including already opened idle +# and standby connections. There is no peer-specific +# connection limit by default. # -# max-conn=N Limit the amount of connections Squid may open to this -# peer. see also +# A peer exceeding the limit is not used for new +# requests unless a standby connection is available. +# +# max-conn currently works poorly with idle persistent +# connections: When a peer reaches its max-conn limit, +# and there are idle persistent connections to the peer, +# the peer may not be selected because the limiting code +# does not know whether Squid can reuse those idle +# connections. +# +# standby=N Maintain a pool of N "hot standby" connections to an +# UP peer, available for requests when no idle +# persistent connection is available (or safe) to use. +# By default and with zero N, no such pool is maintained. +# N must not exceed the max-conn limit (if any). +# +# At start or after reconfiguration, Squid opens new TCP +# standby connections until there are N connections +# available and then replenishes the standby pool as +# opened connections are used up for requests. A used +# connection never goes back to the standby pool, but +# may go to the regular idle persistent connection pool +# shared by all peers and origin servers. +# +# Squid never opens multiple new standby connections +# concurrently. This one-at-a-time approach minimizes +# flooding-like effect on peers. Furthermore, just a few +# standby connections should be sufficient in most cases +# to supply most new requests with a ready-to-use +# connection. +# +# Standby connections obey server_idle_pconn_timeout. +# For the feature to work as intended, the peer must be +# configured to accept and keep them open longer than +# the idle timeout at the connecting Squid, to minimize +# race conditions typical to idle used persistent +# connections. Default request_timeout and +# server_idle_pconn_timeout values ensure such a +# configuration. # # name=xxx Unique name for the peer. # Required if you have multiple peers on the same host # but different ports. # This name can be used in cache_peer_access and similar -# directives to dentify the peer. +# directives to identify the peer. # Can be used by outgoing access controls through the # peername ACL type. # # no-tproxy Do not use the client-spoof TPROXY support when forwarding # requests to this peer. Use normal address selection instead. +# This overrides the spoof_client_ip ACL. # # proxy-only objects fetched from the peer will not be stored locally. # @@ -1938,10 +3023,11 @@ http_port 3128 # TAG: cache_peer_domain # Use to limit the domains for which a neighbor cache will be -# queried. Usage: +# queried. # -# cache_peer_domain cache-host domain [domain ...] -# cache_peer_domain cache-host !domain +# Usage: +# cache_peer_domain cache-host domain [domain ...] +# cache_peer_domain cache-host !domain # # For example, specifying # @@ -1966,33 +3052,57 @@ http_port 3128 # none # TAG: cache_peer_access -# Similar to 'cache_peer_domain' but provides more flexibility by -# using ACL elements. +# Restricts usage of cache_peer proxies. # -# cache_peer_access cache-host allow|deny [!]aclname ... +# Usage: +# cache_peer_access peer-name allow|deny [!]aclname ... +# +# For the required peer-name parameter, use either the value of the +# cache_peer name=value parameter or, if name=value is missing, the +# cache_peer hostname parameter. +# +# This directive narrows down the selection of peering candidates, but +# does not determine the order in which the selected candidates are +# contacted. That order is determined by the peer selection algorithms +# (see PEER SELECTION sections in the cache_peer documentation). +# +# If a deny rule matches, the corresponding peer will not be contacted +# for the current transaction -- Squid will not send ICP queries and +# will not forward HTTP requests to that peer. An allow match leaves +# the corresponding peer in the selection. The first match for a given +# peer wins for that peer. +# +# The relative order of cache_peer_access directives for the same peer +# matters. The relative order of any two cache_peer_access directives +# for different peers does not matter. To ease interpretation, it is a +# good idea to group cache_peer_access directives for the same peer +# together. +# +# A single cache_peer_access directive may be evaluated multiple times +# for a given transaction because individual peer selection algorithms +# may check it independently from each other. These redundant checks +# may be optimized away in future Squid versions. # -# The syntax is identical to 'http_access' and the other lists of -# ACL elements. See the comments for 'http_access' below, or -# the Squid FAQ (http://wiki.squid-cache.org/SquidFaq/SquidAcl). +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# No peer usage restrictions. # TAG: neighbor_type_domain -# usage: neighbor_type_domain neighbor parent|sibling domain domain ... +# Modify the cache_peer neighbor type when passing requests +# about specific domains to the peer. # -# Modifying the neighbor type for specific domains is now -# possible. You can treat some domains differently than the the -# default neighbor type specified on the 'cache_peer' line. -# Normally it should only be necessary to list domains which -# should be treated differently because the default neighbor type -# applies for hostnames which do not match domains listed here. +# Usage: +# neighbor_type_domain neighbor parent|sibling domain domain ... # -#EXAMPLE: -# cache_peer cache.foo.org parent 3128 3130 -# neighbor_type_domain cache.foo.org sibling .com .net -# neighbor_type_domain cache.foo.org sibling .au .de +# For example: +# cache_peer foo.example.com parent 3128 3130 +# neighbor_type_domain foo.example.com sibling .au .de +# +# The above configuration treats all requests to foo.example.com as a +# parent proxy unless the request is for a .au or .de ccTLD domain name. #Default: -# none +# The peer type from cache_peer directive is used for all requests to that peer. # TAG: dead_peer_timeout (seconds) # This controls how long Squid waits to declare a peer cache @@ -2015,21 +3125,11 @@ http_port 3128 # TAG: forward_max_tries # Controls how many different forward paths Squid will try # before giving up. See also forward_timeout. +# +# NOTE: connect_retries (default: none) can make each of these +# possible forwarding paths be tried multiple times. #Default: -# forward_max_tries 10 - -# TAG: hierarchy_stoplist -# A list of words which, if found in a URL, cause the object to -# be handled directly by this cache. In other words, use this -# to not query neighbor caches for certain objects. You may -# list this option multiple times. -# -# Example: -# hierarchy_stoplist cgi-bin ? -# -# Note: never_direct overrides this option. -#Default: -# none +# forward_max_tries 25 # MEMORY CACHE OPTIONS # ----------------------------------------------------------------------------- @@ -2064,6 +3164,11 @@ http_port 3128 # decreases, blocks will be freed until the high-water mark is # reached. Thereafter, blocks will be used to store hot # objects. +# +# If shared memory caching is enabled, Squid does not use the shared +# cache space for in-transit objects, but they still consume as much +# local memory as they need. For more details about the shared memory +# cache, see memory_cache_shared. #Default: # cache_mem 256 MB @@ -2075,11 +3180,45 @@ http_port 3128 #Default: # maximum_object_size_in_memory 512 KB +# TAG: memory_cache_shared on|off +# Controls whether the memory cache is shared among SMP workers. +# +# The shared memory cache is meant to occupy cache_mem bytes and replace +# the non-shared memory cache, although some entities may still be +# cached locally by workers for now (e.g., internal and in-transit +# objects may be served from a local memory cache even if shared memory +# caching is enabled). +# +# By default, the memory cache is shared if and only if all of the +# following conditions are satisfied: Squid runs in SMP mode with +# multiple workers, cache_mem is positive, and Squid environment +# supports required IPC primitives (e.g., POSIX shared memory segments +# and GCC-style atomic operations). +# +# To avoid blocking locks, shared memory uses opportunistic algorithms +# that do not guarantee that every cachable entity that could have been +# shared among SMP workers will actually be shared. +#Default: +# "on" where supported if doing memory caching with multiple SMP workers. + +# TAG: memory_cache_mode +# Controls which objects to keep in the memory cache (cache_mem) +# +# always Keep most recently fetched objects in memory (default) +# +# disk Only disk cache hits are kept in memory, which means +# an object must first be cached on disk and then hit +# a second time before cached in memory. +# +# network Only objects fetched from network is kept in memory +#Default: +# Keep the most recently fetched objects in memory + # TAG: memory_replacement_policy # The memory replacement policy parameter determines which # objects are purged from memory when memory space is needed. # -# See cache_replacement_policy for details. +# See cache_replacement_policy for details on algorithms. #Default: # memory_replacement_policy lru @@ -2095,7 +3234,7 @@ http_port 3128 # heap LFUDA: Least Frequently Used with Dynamic Aging # heap LRU : LRU policy implemented using a heap # -# Applies to any cache_dir lines listed below this. +# Applies to any cache_dir lines listed below this directive. # # The LRU policies keeps recently referenced objects. # @@ -2114,7 +3253,7 @@ http_port 3128 # replacement policies. # # NOTE: if using the LFUDA replacement policy you should increase -# the value of maximum_object_size above its default of 4096 KB to +# the value of maximum_object_size above its default of 4 MB to # to maximize the potential byte hit rate improvement of LFUDA. # # For more information about the GDSF and LFUDA cache replacement @@ -2123,10 +3262,34 @@ http_port 3128 #Default: # cache_replacement_policy lru +# TAG: minimum_object_size (bytes) +# Objects smaller than this size will NOT be saved on disk. The +# value is specified in bytes, and the default is 0 KB, which +# means all responses can be stored. +#Default: +# no limit + +# TAG: maximum_object_size (bytes) +# Set the default value for max-size parameter on any cache_dir. +# The value is specified in bytes, and the default is 4 MB. +# +# If you wish to get a high BYTES hit ratio, you should probably +# increase this (one 32 MB object hit counts for 3200 10KB +# hits). +# +# If you wish to increase hit ratio more than you want to +# save bandwidth you should leave this low. +# +# NOTE: if using the LFUDA replacement policy you should increase +# this value to maximize the byte hit rate improvement of LFUDA! +# See cache_replacement_policy for a discussion of this policy. +#Default: +# maximum_object_size 4 MB +maximum_object_size 153600 KB + # TAG: cache_dir -# Usage: -# -# cache_dir Type Directory-Name Fs-specific-data [options] +# Format: +# cache_dir Type Directory-Name Fs-specific-data [options] # # You can specify multiple cache_dir lines to spread the # cache among different disk partitions. @@ -2141,12 +3304,18 @@ http_port 3128 # The directory must exist and be writable by the Squid # process. Squid will NOT create this directory for you. # -# The ufs store type: +# In SMP configurations, cache_dir must not precede the workers option +# and should use configuration macros or conditionals to give each +# worker interested in disk caching a dedicated cache directory. +# +# +# ==== The ufs store type ==== # # "ufs" is the old well-known Squid storage format that has always # been there. # -# cache_dir ufs Directory-Name Mbytes L1 L2 [options] +# Usage: +# cache_dir ufs Directory-Name Mbytes L1 L2 [options] # # 'Mbytes' is the amount of disk space (MB) to use under this # directory. The default is 100 MB. Change this to suit your @@ -2161,23 +3330,27 @@ http_port 3128 # will be created under each first-level directory. The default # is 256. # -# The aufs store type: +# +# ==== The aufs store type ==== # # "aufs" uses the same storage format as "ufs", utilizing # POSIX-threads to avoid blocking the main Squid process on # disk-I/O. This was formerly known in Squid as async-io. # -# cache_dir aufs Directory-Name Mbytes L1 L2 [options] +# Usage: +# cache_dir aufs Directory-Name Mbytes L1 L2 [options] # # see argument descriptions under ufs above # -# The diskd store type: +# +# ==== The diskd store type ==== # # "diskd" uses the same storage format as "ufs", utilizing a # separate process to avoid blocking the main Squid process on # disk-I/O. # -# cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n] +# Usage: +# cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n] # # see argument descriptions under ufs above # @@ -2185,55 +3358,149 @@ http_port 3128 # stops opening new files. If this many messages are in the queues, # Squid won't open new files. Default is 64 # -# Q2 specifies the number of unacknowledged messages when Squid -# starts blocking. If this many messages are in the queues, -# Squid blocks until it receives some replies. Default is 72 +# Q2 specifies the number of unacknowledged messages when Squid +# starts blocking. If this many messages are in the queues, +# Squid blocks until it receives some replies. Default is 72 +# +# When Q1 < Q2 (the default), the cache directory is optimized +# for lower response time at the expense of a decrease in hit +# ratio. If Q1 > Q2, the cache directory is optimized for +# higher hit ratio at the expense of an increase in response +# time. +# +# +# ==== The rock store type ==== +# +# Usage: +# cache_dir rock Directory-Name Mbytes [options] +# +# The Rock Store type is a database-style storage. All cached +# entries are stored in a "database" file, using fixed-size slots. +# A single entry occupies one or more slots. +# +# If possible, Squid using Rock Store creates a dedicated kid +# process called "disker" to avoid blocking Squid worker(s) on disk +# I/O. One disker kid is created for each rock cache_dir. Diskers +# are created only when Squid, running in daemon mode, has support +# for the IpcIo disk I/O module. +# +# swap-timeout=msec: Squid will not start writing a miss to or +# reading a hit from disk if it estimates that the swap operation +# will take more than the specified number of milliseconds. By +# default and when set to zero, disables the disk I/O time limit +# enforcement. Ignored when using blocking I/O module because +# blocking synchronous I/O does not allow Squid to estimate the +# expected swap wait time. +# +# max-swap-rate=swaps/sec: Artificially limits disk access using +# the specified I/O rate limit. Swap out requests that +# would cause the average I/O rate to exceed the limit are +# delayed. Individual swap in requests (i.e., hits or reads) are +# not delayed, but they do contribute to measured swap rate and +# since they are placed in the same FIFO queue as swap out +# requests, they may wait longer if max-swap-rate is smaller. +# This is necessary on file systems that buffer "too +# many" writes and then start blocking Squid and other processes +# while committing those writes to disk. Usually used together +# with swap-timeout to avoid excessive delays and queue overflows +# when disk demand exceeds available disk "bandwidth". By default +# and when set to zero, disables the disk I/O rate limit +# enforcement. Currently supported by IpcIo module only. +# +# slot-size=bytes: The size of a database "record" used for +# storing cached responses. A cached response occupies at least +# one slot and all database I/O is done using individual slots so +# increasing this parameter leads to more disk space waste while +# decreasing it leads to more disk I/O overheads. Should be a +# multiple of your operating system I/O page size. Defaults to +# 16KBytes. A housekeeping header is stored with each slot and +# smaller slot-sizes will be rejected. The header is smaller than +# 100 bytes. +# +# +# ==== COMMON OPTIONS ==== +# +# no-store no new objects should be stored to this cache_dir. +# +# min-size=n the minimum object size in bytes this cache_dir +# will accept. It's used to restrict a cache_dir +# to only store large objects (e.g. AUFS) while +# other stores are optimized for smaller objects +# (e.g. Rock). +# Defaults to 0. +# +# max-size=n the maximum object size in bytes this cache_dir +# supports. +# The value in maximum_object_size directive sets +# the default unless more specific details are +# available (ie a small store capacity). +# +# Note: To make optimal use of the max-size limits you should order +# the cache_dir lines with the smallest max-size value first. +# +#Default: +# No disk cache. Store cache ojects only in memory. +# + +# Uncomment and adjust the following to add a disk cache directory. +#cache_dir ufs /var/spool/squid 100 16 256 +cache_dir ufs /var/spool/squid 4096 16 1024 + +# TAG: store_dir_select_algorithm +# How Squid selects which cache_dir to use when the response +# object will fit into more than one. +# +# Regardless of which algorithm is used the cache_dir min-size +# and max-size parameters are obeyed. As such they can affect +# the selection algorithm by limiting the set of considered +# cache_dir. +# +# Algorithms: +# +# least-load +# +# This algorithm is suited to caches with similar cache_dir +# sizes and disk speeds. # -# When Q1 < Q2 (the default), the cache directory is optimized -# for lower response time at the expense of a decrease in hit -# ratio. If Q1 > Q2, the cache directory is optimized for -# higher hit ratio at the expense of an increase in response -# time. +# The disk with the least I/O pending is selected. +# When there are multiple disks with the same I/O load ranking +# the cache_dir with most available capacity is selected. # -# The coss store type: +# When a mix of cache_dir sizes are configured the faster disks +# have a naturally lower I/O loading and larger disks have more +# capacity. So space used to store objects and data throughput +# may be very unbalanced towards larger disks. # -# NP: COSS filesystem in Squid-3 has been deemed too unstable for -# production use and has thus been removed from this release. -# We hope that it can be made usable again soon. # -# block-size=n defines the "block size" for COSS cache_dir's. -# Squid uses file numbers as block numbers. Since file numbers -# are limited to 24 bits, the block size determines the maximum -# size of the COSS partition. The default is 512 bytes, which -# leads to a maximum cache_dir size of 512<<24, or 8 GB. Note -# you should not change the coss block size after Squid -# has written some objects to the cache_dir. +# round-robin # -# The coss file store has changed from 2.5. Now it uses a file -# called 'stripe' in the directory names in the config - and -# this will be created by squid -z. +# This algorithm is suited to caches with unequal cache_dir +# disk sizes. # -# Common options: +# Each cache_dir is selected in a rotation. The next suitable +# cache_dir is used. # -# no-store, no new objects should be stored to this cache_dir +# Available cache_dir capacity is only considered in relation +# to whether the object will fit and meets the min-size and +# max-size parameters. # -# max-size=n, refers to the max object size in bytes this cache_dir -# supports. It is used to select the cache_dir to store the object. -# Note: To make optimal use of the max-size limits you should order -# the cache_dir lines with the smallest max-size value first and the -# ones with no max-size specification last. +# Disk I/O loading is only considered to prevent overload on slow +# disks. This algorithm does not spread objects by size, so any +# I/O loading per-disk may appear very unbalanced and volatile. # -# Note for coss, max-size must be less than COSS_MEMBUF_SZ, -# which can be changed with the --with-coss-membuf-size=N configure -# option. +# If several cache_dirs use similar min-size, max-size, or other +# limits to to reject certain responses, then do not group such +# cache_dir lines together, to avoid round-robin selection bias +# towards the first cache_dir after the group. Instead, interleave +# cache_dir lines from different groups. For example: # - -# Uncomment and adjust the following to add a disk cache directory. -#cache_dir ufs /var/spool/squid 100 16 256 -cache_dir ufs /var/spool/squid 4096 16 1024 - -# TAG: store_dir_select_algorithm -# Set this to 'round-robin' as an alternative. +# store_dir_select_algorithm round-robin +# cache_dir rock /hdd1 ... min-size=100000 +# cache_dir rock /ssd1 ... max-size=99999 +# cache_dir rock /hdd2 ... min-size=100000 +# cache_dir rock /ssd2 ... max-size=99999 +# cache_dir rock /hdd3 ... min-size=100000 +# cache_dir rock /ssd3 ... max-size=99999 #Default: # store_dir_select_algorithm least-load @@ -2244,46 +3511,53 @@ cache_dir ufs /var/spool/squid 4096 16 1024 # # A value of 0 indicates no limit. #Default: -# max_open_disk_fds 0 - -# TAG: minimum_object_size (bytes) -# Objects smaller than this size will NOT be saved on disk. The -# value is specified in kilobytes, and the default is 0 KB, which -# means there is no minimum. -#Default: -# minimum_object_size 0 KB - -# TAG: maximum_object_size (bytes) -# Objects larger than this size will NOT be saved on disk. The -# value is specified in kilobytes, and the default is 4MB. If -# you wish to get a high BYTES hit ratio, you should probably -# increase this (one 32 MB object hit counts for 3200 10KB -# hits). If you wish to increase speed more than your want to -# save bandwidth you should leave this low. -# -# NOTE: if using the LFUDA replacement policy you should increase -# this value to maximize the byte hit rate improvement of LFUDA! -# See replacement_policy below for a discussion of this policy. -#Default: -# maximum_object_size 4096 KB -maximum_object_size 153600 KB +# no limit # TAG: cache_swap_low (percent, 0-100) +# The low-water mark for AUFS/UFS/diskd cache object eviction by +# the cache_replacement_policy algorithm. +# +# Removal begins when the swap (disk) usage of a cache_dir is +# above this low-water mark and attempts to maintain utilization +# near the low-water mark. +# +# As swap utilization increases towards the high-water mark set +# by cache_swap_high object eviction becomes more agressive. +# +# The value difference in percentages between low- and high-water +# marks represent an eviction rate of 300 objects per second and +# the rate continues to scale in agressiveness by multiples of +# this above the high-water mark. +# +# Defaults are 90% and 95%. If you have a large cache, 5% could be +# hundreds of MB. If this is the case you may wish to set these +# numbers closer together. +# +# See also cache_swap_high and cache_replacement_policy #Default: # cache_swap_low 90 # TAG: cache_swap_high (percent, 0-100) +# The high-water mark for AUFS/UFS/diskd cache object eviction by +# the cache_replacement_policy algorithm. # -# The low- and high-water marks for cache object replacement. -# Replacement begins when the swap (disk) usage is above the -# low-water mark and attempts to maintain utilization near the -# low-water mark. As swap utilization gets close to high-water -# mark object eviction becomes more aggressive. If utilization is -# close to the low-water mark less replacement is done each time. +# Removal begins when the swap (disk) usage of a cache_dir is +# above the low-water mark set by cache_swap_low and attempts to +# maintain utilization near the low-water mark. +# +# As swap utilization increases towards this high-water mark object +# eviction becomes more agressive. +# +# The value difference in percentages between low- and high-water +# marks represent an eviction rate of 300 objects per second and +# the rate continues to scale in agressiveness by multiples of +# this above the high-water mark. # # Defaults are 90% and 95%. If you have a large cache, 5% could be # hundreds of MB. If this is the case you may wish to set these # numbers closer together. +# +# See also cache_swap_low and cache_replacement_policy #Default: # cache_swap_high 95 @@ -2313,21 +3587,62 @@ maximum_object_size 153600 KB # ' output as-is # # - left aligned -# width field width. If starting with 0 the -# output is zero padded +# +# width minimum and/or maximum field width: +# [width_min][.width_max] +# When minimum starts with 0, the field is zero-padded. +# String values exceeding maximum width are truncated. +# # {arg} argument such as header name etc # # Format codes: # # % a literal % character +# sn Unique sequence number per log line entry +# err_code The ID of an error response served by Squid or +# a similar internal error identifier. +# err_detail Additional err_code-dependent error information. +# note The annotation specified by the argument. Also +# logs the adaptation meta headers set by the +# adaptation_meta configuration parameter. +# If no argument given all annotations logged. +# The argument may include a separator to use with +# annotation values: +# name[:separator] +# By default, multiple note values are separated with "," +# and multiple notes are separated with "\r\n". +# When logging named notes with %{name}note, the +# explicitly configured separator is used between note +# values. When logging all notes with %note, the +# explicitly configured separator is used between +# individual notes. There is currently no way to +# specify both value and notes separators when logging +# all notes with %note. +# +# Connection related format codes: +# # >a Client source IP address # >A Client FQDN # >p Client source port -# eui Client source EUI (MAC address, EUI-48 or EUI-64 identifier) +# >la Local IP address the client connected to +# >lp Local port number the client connected to +# >qos Client connection TOS/DSCP value set by Squid +# >nfmark Client connection netfilter mark set by Squid +# +# la Local listening IP address the client connection was connected to. +# lp Local listening port number the client connection was connected to. +# +# . format. +# Currently, Squid considers the master transaction +# started when a complete HTTP request header initiating +# the transaction is received from the client. This is +# the same value that Squid uses to calculate transaction +# response time when logging %tr to access.log. Currently, +# Squid uses millisecond resolution for %tS values, +# similar to the default access.log "current time" field +# (%ts.%03tu). +# +# Access Control related format codes: +# +# et Tag returned by external acl +# ea Log string returned by external acl +# un User name (any available) +# ul User name from authentication +# ue User name from external acl helper +# ui User name from ident +# un A user name. Expands to the first available name +# from the following list of information sources: +# - authenticated user name, like %ul +# - user name supplied by an external ACL, like %ue +# - SSL client name, like %us +# - ident user name, like %ui +# credentials Client credentials. The exact meaning depends on +# the authentication scheme: For Basic authentication, +# it is the password; for Digest, the realm sent by the +# client; for NTLM and Negotiate, the client challenge +# or client credentials prefixed with "YR " or "KK ". +# +# HTTP related format codes: +# +# REQUEST # -# HTTP cache related format codes: -# -# [http::]>h Original request header. Optional header name argument -# on the format header[:[separator]element] -# [http::]>ha The HTTP request headers after adaptation and redirection. +# [http::]rm Request method (GET/POST etc) +# [http::]>rm Request method from client +# [http::]ru Request URL from client +# [http::]rs Request URL scheme from client +# [http::]rd Request URL domain from client +# [http::]rP Request URL port from client +# [http::]rp Request URL path excluding hostname from client +# [http::]rv Request protocol version from client +# [http::]h Original received request header. +# Usually differs from the request header sent by +# Squid, although most fields are often preserved. +# Accepts optional header field name/value filter +# argument using name[:[separator]element] format. +# [http::]>ha Received request header after adaptation and +# redirection (pre-cache REQMOD vectoring point). +# Usually differs from the request header sent by +# Squid, although most fields are often preserved. # Optional header name argument as for >h +# +# +# RESPONSE +# +# [http::]Hs HTTP status code sent to the client +# # [http::]h -# [http::]un User name -# [http::]ul User name from authentication -# [http::]ui User name from ident -# [http::]us User name from SSL -# [http::]ue User name from external acl helper -# [http::]>Hs HTTP status code sent to the client -# [http::]st Received request size including HTTP headers. In the -# case of chunked requests the chunked encoding metadata -# are not included -# [http::]>sh Received HTTP request headers size -# [http::]st Total size of request received from client. +# Excluding chunked encoding bytes. +# [http::]sh Size of request headers received from client +# [http::]sni SSL client SNI sent to Squid. Available only +# after the peek, stare, or splice SSL bumping +# actions. +# +# If ICAP is enabled, the following code becomes available (as # well as ICAP log codes documented with the icap_log option): # # icap::tt Total ICAP processing time for the HTTP @@ -2386,14 +3793,13 @@ maximum_object_size 153600 KB # ACLs are checked and when ICAP # transaction is in progress. # -# icap::cert_subject The Subject field of the received client +# SSL certificate or a dash ('-') if Squid has +# received an invalid/malformed certificate or +# no certificate at all. Consider encoding the +# logged value because Subject often has spaces. +# +# %ssl::>cert_issuer The Issuer field of the received client +# SSL certificate or a dash ('-') if Squid has +# received an invalid/malformed certificate or +# no certificate at all. Consider encoding the +# logged value because Issuer often has spaces. +# # The default formats available (which do not need re-defining) are: # -#logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %a %Ss/%03>Hs %h] [%a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh +#logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh +#logformat referrer %ts.%03tu %>a %{Referer}>h %ru +#logformat useragent %>a [%tl] "%{User-Agent}>h" +# +# NOTE: When the log_mime_hdrs directive is set to ON. +# The squid, common and combined formats have a safely encoded copy +# of the mime headers appended to each line within a pair of brackets. +# +# NOTE: The common and combined formats are not quite true to the Apache definition. +# The logs from Squid contain an extra status and hierarchy code appended. +# #Default: -# none +# The format definitions squid, common, combined, referrer, useragent are built in. # TAG: access_log -# These files log client request activities. Has a line every HTTP or -# ICP request. The format is: -# access_log [ [acl acl ...]] -# access_log none [acl acl ...]] +# Configures whether and how Squid logs HTTP and ICP transactions. +# If access logging is enabled, a single line is logged for every +# matching HTTP or ICP request. The recommended directive formats are: # -# Will log to the specified file using the specified format (which -# must be defined in a logformat directive) those entries which match -# ALL the acl's specified (which must be defined in acl clauses). +# access_log : [option ...] [acl acl ...] +# access_log none [acl acl ...] # -# If no acl is specified, all requests will be logged to this file. +# The following directive format is accepted but may be deprecated: +# access_log : [ [acl acl ...]] # -# To disable logging of a request use the filepath "none", in which case -# a logformat name should not be specified. +# In most cases, the first ACL name must not contain the '=' character +# and should not be equal to an existing logformat name. You can always +# start with an 'all' ACL to work around those restrictions. +# +# Will log to the specified module:place using the specified format (which +# must be defined in a logformat directive) those entries which match +# ALL the acl's specified (which must be defined in acl clauses). +# If no acl is specified, all requests will be logged to this destination. +# +# ===== Available options for the recommended directive format ===== +# +# logformat=name Names log line format (either built-in or +# defined by a logformat directive). Defaults +# to 'squid'. +# +# buffer-size=64KB Defines approximate buffering limit for log +# records (see buffered_logs). Squid should not +# keep more than the specified size and, hence, +# should flush records before the buffer becomes +# full to avoid overflows under normal +# conditions (the exact flushing algorithm is +# module-dependent though). The on-error option +# controls overflow handling. +# +# on-error=die|drop Defines action on unrecoverable errors. The +# 'drop' action ignores (i.e., does not log) +# affected log records. The default 'die' action +# kills the affected worker. The drop action +# support has not been tested for modules other +# than tcp. +# +# ===== Modules Currently available ===== +# +# none Do not log any requests matching these ACL. +# Do not specify Place or logformat name. +# +# stdio Write each log line to disk immediately at the completion of +# each request. +# Place: the filename and path to be written. +# +# daemon Very similar to stdio. But instead of writing to disk the log +# line is passed to a daemon helper for asychronous handling instead. +# Place: varies depending on the daemon. +# +# log_file_daemon Place: the file name and path to be written. +# +# syslog To log each request via syslog facility. +# Place: The syslog facility and priority level for these entries. +# Place Format: facility.priority # -# To log the request via syslog specify a filepath of "syslog": +# where facility could be any of: +# authpriv, daemon, local0 ... local7 or user. # -# access_log syslog[:facility.priority] [format [acl1 [acl2 ....]]] -# where facility could be any of: -# authpriv, daemon, local0 .. local7 or user. +# And priority could be any of: +# err, warning, notice, info, debug. +# +# udp To send each log line as text data to a UDP receiver. +# Place: The destination host name or IP and port. +# Place Format: //host:port # -# And priority could be any of: -# err, warning, notice, info, debug. +# tcp To send each log line as text data to a TCP receiver. +# Lines may be accumulated before sending (see buffered_logs). +# Place: The destination host name or IP and port. +# Place Format: //host:port # # Default: -# access_log /var/log/squid/access.log squid +# access_log daemon:/var/log/squid/access.log squid #Default: -# access_log /var/log/squid/access.log squid +# access_log daemon:/var/log/squid/access.log squid # TAG: icap_log # ICAP log files record ICAP transaction summaries, one line per @@ -2472,13 +3953,35 @@ maximum_object_size 153600 KB # ICAP transaction log lines will correspond to a single access # log line. # -# ICAP log uses logformat codes that make sense for an ICAP -# transaction. Header-related codes are applied to the HTTP header -# embedded in an ICAP server response, with the following caveats: -# For REQMOD, there is no HTTP response header unless the ICAP -# server performed request satisfaction. For RESPMOD, the HTTP -# request header is the header sent to the ICAP server. For -# OPTIONS, there are no HTTP headers. +# ICAP log supports many access.log logformat %codes. In ICAP context, +# HTTP message-related %codes are applied to the HTTP message embedded +# in an ICAP message. Logformat "%http::>..." codes are used for HTTP +# messages embedded in ICAP requests while "%http::<..." codes are used +# for HTTP messages embedded in ICAP responses. For example: +# +# http::>h To-be-adapted HTTP message headers sent by Squid to +# the ICAP service. For REQMOD transactions, these are +# HTTP request headers. For RESPMOD, these are HTTP +# response headers, but Squid currently cannot log them +# (i.e., %http::>h will expand to "-" for RESPMOD). +# +# http::st Bytes sent to the ICAP server (TCP payload -# only; i.e., what Squid writes to the socket). +# icap::>st The total size of the ICAP request sent to the ICAP +# server (ICAP headers + ICAP body), including chunking +# metadata (if any). # -# icap::a %icap::to/%03icap::Hs %icap::A %icap::to/%03icap::Hs %icap::\n - logfile data +# R\n - rotate file +# T\n - truncate file +# O\n - reopen file +# F\n - flush file +# r\n - set rotate count to +# b\n - 1 = buffer output, 0 = don't buffer output +# +# No responses is expected. #Default: -# none +# logfile_daemon /usr/lib/squid/log_file_daemon -# TAG: log_icap -# This options allows you to control which requests get logged -# to icap.log. See the icap_log directive for ICAP log details. +# TAG: stats_collection allow|deny acl acl... +# This options allows you to control which requests gets accounted +# in performance counters. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow logging for all transactions. # TAG: cache_store_log # Logs the activities of the storage manager. Shows which # objects are ejected from the cache, and which objects are -# saved and for how long. To disable, enter "none" or remove the line. +# saved and for how long. # There are not really utilities to analyze this data, so you can safely -# disable it. -# +# disable it (the default). +# +# Store log uses modular logging outputs. See access_log for the list +# of modules supported. +# # Example: -# cache_store_log /var/log/squid/store.log +# cache_store_log stdio:/var/log/squid/store.log +# cache_store_log daemon:/var/log/squid/store.log #Default: # none @@ -2590,7 +4111,7 @@ maximum_object_size 153600 KB # them). We recommend you do NOT use this option. It is # better to keep these index files in each 'cache_dir' directory. #Default: -# none +# Store the journal inside its cache_dir # TAG: logfile_rotate # Specifies the number of logfile rotations to make when you @@ -2607,34 +4128,19 @@ maximum_object_size 153600 KB # in the habit of using 'squid -k rotate' instead of 'kill -USR1 # '. # -# Note, from Squid-3.1 this option has no effect on the cache.log, -# that log can be rotated separately by using debug_options +# Note, from Squid-3.1 this option is only a default for cache.log, +# that log can be rotated separately by using debug_options. # -# Note2, for Debian/Linux the default of logfile_rotate is -# zero, since it includes external logfile-rotation methods. +# Note2, for Debian/Linux the default of logfile_rotate is +# zero, since it includes external logfile-rotation methods. #Default: # logfile_rotate 0 -# TAG: emulate_httpd_log on|off -# The Cache can emulate the log file format which many 'httpd' -# programs use. To disable/enable this emulation, set -# emulate_httpd_log to 'off' or 'on'. The default -# is to use the native log format since it includes useful -# information Squid-specific log analyzers use. -#Default: -# emulate_httpd_log off - -# TAG: log_ip_on_direct on|off -# Log the destination IP address in the hierarchy log tag when going -# direct. Earlier Squid versions logged the hostname here. If you -# prefer the old way set this to off. -#Default: -# log_ip_on_direct on - # TAG: mime_table -# Pathname to Squid's MIME table. You shouldn't need to change -# this, but the default file contains examples and formatting -# information if you do. +# Path to Squid's icon configuration file. +# +# You shouldn't need to change this, but the default file contains +# examples and formatting information if you do. #Default: # mime_table /usr/share/squid/mime.conf @@ -2647,91 +4153,61 @@ maximum_object_size 153600 KB #Default: # log_mime_hdrs off -# TAG: useragent_log -# Note: This option is only available if Squid is rebuilt with the -# --enable-useragent-log option -# -# Squid will write the User-Agent field from HTTP requests -# to the filename specified here. By default useragent_log -# is disabled. -#Default: -# none - -# TAG: referer_log -# Note: This option is only available if Squid is rebuilt with the -# --enable-referer-log option -# -# Squid will write the Referer field from HTTP requests to the -# filename specified here. By default referer_log is disabled. -# Note that "referer" is actually a misspelling of "referrer" -# however the misspelt version has been accepted into the HTTP RFCs -# and we accept both. -#Default: -# none - # TAG: pid_filename # A filename to write the process-id to. To disable, enter "none". #Default: # pid_filename /var/run/squid.pid -# TAG: log_fqdn on|off -# Turn this on if you wish to log fully qualified domain names -# in the access.log. To do this Squid does a DNS lookup of all -# IP's connecting to it. This can (in some situations) increase -# latency, which makes your cache seem slower for interactive -# browsing. -#Default: -# log_fqdn off - # TAG: client_netmask # A netmask for client addresses in logfiles and cachemgr output. # Change this to protect the privacy of your cache clients. # A netmask of 255.255.255.0 will log all IP's in that range with # the last digit set to '0'. #Default: -# client_netmask no_addr - -# TAG: forward_log -# Note: This option is only available if Squid is rebuilt with the -# -DWIP_FWD_LOG define -# -# Logs the server-side requests. -# -# This is currently work in progress. -#Default: -# none +# Log full client IP address # TAG: strip_query_terms # By default, Squid strips query terms from requested URLs before -# logging. This protects your user's privacy. +# logging. This protects your user's privacy and reduces log size. +# +# When investigating HIT/MISS or other caching behaviour you +# will need to disable this to see the full URL used by Squid. #Default: # strip_query_terms on # TAG: buffered_logs on|off -# cache.log log file is written with stdio functions, and as such -# it can be buffered or unbuffered. By default it will be unbuffered. -# Buffering it can speed up the writing slightly (though you are -# unlikely to need to worry unless you run with tons of debugging -# enabled in which case performance will suffer badly anyway..). +# Whether to write/send access_log records ASAP or accumulate them and +# then write/send them in larger chunks. Buffering may improve +# performance because it decreases the number of I/Os. However, +# buffering increases the delay before log records become available to +# the final recipient (e.g., a disk file or logging daemon) and, +# hence, increases the risk of log records loss. +# +# Note that even when buffered_logs are off, Squid may have to buffer +# records if it cannot write/send them immediately due to pending I/Os +# (e.g., the I/O writing the previous log record) or connectivity loss. +# +# Currently honored by 'daemon' and 'tcp' access_log modules only. #Default: # buffered_logs off # TAG: netdb_filename -# Note: This option is only available if Squid is rebuilt with the -# --enable-icmp option +# Where Squid stores it's netdb journal. +# When enabled this journal preserves netdb state between restarts. # -# A filename where Squid stores it's netdb state between restarts. # To disable, enter "none". #Default: -# netdb_filename /var/log/squid/netdb.state +# netdb_filename stdio:/var/log/squid/netdb.state # OPTIONS FOR TROUBLESHOOTING # ----------------------------------------------------------------------------- # TAG: cache_log -# Cache logging file. This is where general information about -# your cache's behavior goes. You can increase the amount of data -# logged to this file and how often its rotated with "debug_options" +# Squid administrative logging file. +# +# This is where general information about Squid behavior goes. You can +# increase the amount of data logged to this file and how often it is +# rotated with "debug_options" #Default: # cache_log /var/log/squid/cache.log @@ -2742,14 +4218,14 @@ maximum_object_size 153600 KB # log file, so be careful. # # The magic word "ALL" sets debugging levels for all sections. -# We recommend normally running with "ALL,1". +# The default is to run with "ALL,1" to record important warnings. # # The rotate=N option can be used to keep more or less of these logs # than would otherwise be kept by logfile_rotate. # For most uses a single log should be enough to monitor current # events affecting Squid. #Default: -# debug_options ALL,1 +# Log all critical and important messages. # TAG: coredump_dir # By default Squid leaves core files in the directory from where @@ -2758,7 +4234,7 @@ maximum_object_size 153600 KB # and coredump files will be left there. # #Default: -# coredump_dir none +# Use the directory from where Squid was started. # # Leave coredumps in the first cache dir @@ -2769,24 +4245,17 @@ coredump_dir /var/spool/squid # TAG: ftp_user # If you want the anonymous login password to be more informative -# (and enable the use of picky ftp servers), set this to something +# (and enable the use of picky FTP servers), set this to something # reasonable for your domain, like wwwuser@somewhere.net # # The reason why this is domainless by default is the # request can be made on the behalf of a user in any domain, # depending on how the cache is used. -# Some ftp server also validate the email address is valid +# Some FTP server also validate the email address is valid # (for example perl.com). #Default: # ftp_user Squid@ -# TAG: ftp_list_width -# Sets the width of ftp listings. This should be set to fit in -# the width of a standard browser. Setting this too small -# can cut off long filenames when browsing ftp sites. -#Default: -# ftp_list_width 32 - # TAG: ftp_passive # If your firewall does not allow Squid to use passive # connections, turn off this option. @@ -2822,13 +4291,21 @@ coredump_dir /var/spool/squid # and therefore, translation of the data portion of the segments # will never be needed. # -# Turning this OFF will prevent EPSV being attempted. -# WARNING: Doing so will convert Squid back to the old behavior with all -# the related problems with external NAT devices/layers. +# EPSV is often required to interoperate with FTP servers on IPv6 +# networks. On the other hand, it may break some IPv4 servers. +# +# By default, EPSV may try EPSV with any FTP server. To fine tune +# that decision, you may restrict EPSV to certain clients or servers +# using ACLs: # +# ftp_epsv allow|deny al1 acl2 ... +# +# WARNING: Disabling EPSV may cause problems with external NAT and IPv6. +# +# Only fast ACLs are supported. # Requires ftp_passive to be ON (default) for any effect. #Default: -# ftp_epsv on +# none # TAG: ftp_eprt # FTP Protocol extensions permit the use of a special "EPRT" command. @@ -2889,22 +4366,16 @@ coredump_dir /var/spool/squid # unlinkd_program /usr/lib/squid/unlinkd # TAG: pinger_program -# Note: This option is only available if Squid is rebuilt with the -# --enable-icmp option -# # Specify the location of the executable for the pinger process. #Default: # pinger_program /usr/lib/squid/pinger # TAG: pinger_enable -# Note: This option is only available if Squid is rebuilt with the -# --enable-icmp option -# # Control whether the pinger is active at run-time. # Enables turning ICMP pinger on and off with a simple # squid -k reconfigure. #Default: -# pinger_enable off +# pinger_enable on # OPTIONS FOR URL REWRITING # ----------------------------------------------------------------------------- @@ -2915,68 +4386,137 @@ coredump_dir /var/spool/squid # # For each requested URL, the rewriter will receive on line with the format # -# URL client_ip "/" fqdn user method [ kvpairs] +# [channel-ID ] URL [ extras] +# +# See url_rewrite_extras on how to send "extras" with optional values to +# the helper. +# After processing the request the helper must reply using the following format: +# +# [channel-ID ] result [ kv-pairs] +# +# The result code can be: +# +# OK status=30N url="..." +# Redirect the URL to the one supplied in 'url='. +# 'status=' is optional and contains the status code to send +# the client in Squids HTTP response. It must be one of the +# HTTP redirect status codes: 301, 302, 303, 307, 308. +# When no status is given Squid will use 302. +# +# OK rewrite-url="..." +# Rewrite the URL to the one supplied in 'rewrite-url='. +# The new URL is fetched directly by Squid and returned to +# the client as the response to its request. # -# In the future, the rewriter interface will be extended with -# key=value pairs ("kvpairs" shown above). Rewriter programs -# should be prepared to receive and possibly ignore additional -# whitespace-separated tokens on each input line. +# OK +# When neither of url= and rewrite-url= are sent Squid does +# not change the URL. # -# And the rewriter may return a rewritten URL. The other components of -# the request line does not need to be returned (ignored if they are). +# ERR +# Do not change the URL. # -# The rewriter can also indicate that a client-side redirect should -# be performed to the new URL. This is done by prefixing the returned -# URL with "301:" (moved permanently) or 302: (moved temporarily), etc. +# BH +# An internal error occurred in the helper, preventing +# a result being identified. The 'message=' key name is +# reserved for delivering a log message. +# +# +# In addition to the above kv-pairs Squid also understands the following +# optional kv-pairs received from URL rewriters: +# clt_conn_tag=TAG +# Associates a TAG with the client TCP connection. +# The TAG is treated as a regular annotation but persists across +# future requests on the client connection rather than just the +# current request. A helper may update the TAG during subsequent +# requests be returning a new kv-pair. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# WARNING: URL re-writing ability should be avoided whenever possible. +# Use the URL redirect form of response instead. +# +# Re-write creates a difference in the state held by the client +# and server. Possibly causing confusion when the server response +# contains snippets of its view state. Embeded URLs, response +# and content Location headers, etc. are not re-written by this +# interface. # # By default, a URL rewriter is not used. #Default: # none # TAG: url_rewrite_children -# The number of redirector processes to spawn. If you start -# too few Squid will have to wait for them to process a backlog of -# URLs, slowing it down. If you start too many they will use RAM -# and other system resources. -#Default: -# url_rewrite_children 5 - -# TAG: url_rewrite_concurrency +# The maximum number of redirector processes to spawn. If you limit +# it too few Squid will have to wait for them to process a backlog of +# URLs, slowing it down. If you allow too many they will use RAM +# and other system resources noticably. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup= +# +# Sets a minimum of how many processes are to be spawned when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few will cause an initial slowdown in traffic as Squid +# attempts to simultaneously spawn enough processes to cope. +# +# idle= +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# # The number of requests each redirector helper can handle in # parallel. Defaults to 0 which indicates the redirector # is a old-style single threaded redirector. # # When this directive is set to a value >= 1 then the protocol # used to communicate with the helper is modified to include -# a request ID in front of the request/response. The request -# ID from the request must be echoed back with the response -# to that request. +# an ID in front of the request/response. The ID from the request +# must be echoed back with the response to that request. #Default: -# url_rewrite_concurrency 0 +# url_rewrite_children 20 startup=0 idle=1 concurrency=0 # TAG: url_rewrite_host_header -# By default Squid rewrites any Host: header in redirected -# requests. If you are running an accelerator this may -# not be a wanted effect of a redirector. -# +# To preserve same-origin security policies in browsers and +# prevent Host: header forgery by redirectors Squid rewrites +# any Host: header in redirected requests. +# +# If you are running an accelerator this may not be a wanted +# effect of a redirector. This directive enables you disable +# Host: alteration in reverse-proxy traffic. +# # WARNING: Entries are cached on the result of the URL rewriting # process, so be careful if you have domain-virtual hosts. +# +# WARNING: Squid and other software verifies the URL and Host +# are matching, so be careful not to relay through other proxies +# or inspecting firewalls with this disabled. #Default: # url_rewrite_host_header on # TAG: url_rewrite_access # If defined, this access list specifies which requests are -# sent to the redirector processes. By default all requests -# are sent. +# sent to the redirector processes. # # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: url_rewrite_bypass # When this is 'on', a request will not go through the -# redirector if all redirectors are busy. If this is 'off' +# redirector if all the helpers are busy. If this is 'off' # and the redirector queue grows too large, Squid will exit # with a FATAL error and ask you to increase the number of # redirectors. You should only enable this if the redirectors @@ -2987,23 +4527,231 @@ coredump_dir /var/spool/squid #Default: # url_rewrite_bypass off -# OPTIONS FOR TUNING THE CACHE +# TAG: url_rewrite_extras +# Specifies a string to be append to request line format for the +# rewriter helper. "Quoted" format values may contain spaces and +# logformat %macros. In theory, any logformat %macro can be used. +# In practice, a %macro expands as a dash (-) if the helper request is +# sent before the required macro information is available to Squid. +#Default: +# url_rewrite_extras "%>a/%>A %un %>rm myip=%la myport=%lp" + +# OPTIONS FOR STORE ID # ----------------------------------------------------------------------------- -# TAG: cache -# A list of ACL elements which, if matched and denied, cause the request to -# not be satisfied from the cache and the reply to not be cached. -# In other words, use this to force certain objects to never be cached. +# TAG: store_id_program +# Specify the location of the executable StoreID helper to use. +# Since they can perform almost any function there isn't one included. # -# You must use the words 'allow' or 'deny' to indicate whether items -# matching the ACL should be allowed or denied into the cache. +# For each requested URL, the helper will receive one line with the format # -# Default is to allow all to be cached. +# [channel-ID ] URL [ extras] +# +# +# After processing the request the helper must reply using the following format: +# +# [channel-ID ] result [ kv-pairs] +# +# The result code can be: +# +# OK store-id="..." +# Use the StoreID supplied in 'store-id='. +# +# ERR +# The default is to use HTTP request URL as the store ID. +# +# BH +# An internal error occured in the helper, preventing +# a result being identified. +# +# In addition to the above kv-pairs Squid also understands the following +# optional kv-pairs received from URL rewriters: +# clt_conn_tag=TAG +# Associates a TAG with the client TCP connection. +# Please see url_rewrite_program related documentation for this +# kv-pair +# +# Helper programs should be prepared to receive and possibly ignore +# additional whitespace-separated tokens on each input line. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# NOTE: when using StoreID refresh_pattern will apply to the StoreID +# returned from the helper and not the URL. +# +# WARNING: Wrong StoreID value returned by a careless helper may result +# in the wrong cached response returned to the user. +# +# By default, a StoreID helper is not used. +#Default: +# none + +# TAG: store_id_extras +# Specifies a string to be append to request line format for the +# StoreId helper. "Quoted" format values may contain spaces and +# logformat %macros. In theory, any logformat %macro can be used. +# In practice, a %macro expands as a dash (-) if the helper request is +# sent before the required macro information is available to Squid. +#Default: +# store_id_extras "%>a/%>A %un %>rm myip=%la myport=%lp" + +# TAG: store_id_children +# The maximum number of StoreID helper processes to spawn. If you limit +# it too few Squid will have to wait for them to process a backlog of +# requests, slowing it down. If you allow too many they will use RAM +# and other system resources noticably. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup= +# +# Sets a minimum of how many processes are to be spawned when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few will cause an initial slowdown in traffic as Squid +# attempts to simultaneously spawn enough processes to cope. +# +# idle= +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# +# The number of requests each storeID helper can handle in +# parallel. Defaults to 0 which indicates the helper +# is a old-style single threaded program. +# +# When this directive is set to a value >= 1 then the protocol +# used to communicate with the helper is modified to include +# an ID in front of the request/response. The ID from the request +# must be echoed back with the response to that request. +#Default: +# store_id_children 20 startup=0 idle=1 concurrency=0 + +# TAG: store_id_access +# If defined, this access list specifies which requests are +# sent to the StoreID processes. By default all requests +# are sent. # # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow, unless rules exist in squid.conf. + +# TAG: store_id_bypass +# When this is 'on', a request will not go through the +# helper if all helpers are busy. If this is 'off' +# and the helper queue grows too large, Squid will exit +# with a FATAL error and ask you to increase the number of +# helpers. You should only enable this if the helperss +# are not critical to your caching system. If you use +# helpers for critical caching components, and you enable this +# option, users may not get objects from cache. +#Default: +# store_id_bypass on + +# OPTIONS FOR TUNING THE CACHE +# ----------------------------------------------------------------------------- + +# TAG: cache +# Requests denied by this directive will not be served from the cache +# and their responses will not be stored in the cache. This directive +# has no effect on other transactions and on already cached responses. +# +# This clause supports both fast and slow acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# This and the two other similar caching directives listed below are +# checked at different transaction processing stages, have different +# access to response information, affect different cache operations, +# and differ in slow ACLs support: +# +# * cache: Checked before Squid makes a hit/miss determination. +# No access to reply information! +# Denies both serving a hit and storing a miss. +# Supports both fast and slow ACLs. +# * send_hit: Checked after a hit was detected. +# Has access to reply (hit) information. +# Denies serving a hit only. +# Supports fast ACLs only. +# * store_miss: Checked before storing a cachable miss. +# Has access to reply (miss) information. +# Denies storing a miss only. +# Supports fast ACLs only. +# +# If you are not sure which of the three directives to use, apply the +# following decision logic: +# +# * If your ACL(s) are of slow type _and_ need response info, redesign. +# Squid does not support that particular combination at this time. +# Otherwise: +# * If your directive ACL(s) are of slow type, use "cache"; and/or +# * if your directive ACL(s) need no response info, use "cache". +# Otherwise: +# * If you do not want the response cached, use store_miss; and/or +# * if you do not want a hit on a cached response, use send_hit. +#Default: +# By default, this directive is unused and has no effect. + +# TAG: send_hit +# Responses denied by this directive will not be served from the cache +# (but may still be cached, see store_miss). This directive has no +# effect on the responses it allows and on the cached objects. +# +# Please see the "cache" directive for a summary of differences among +# store_miss, send_hit, and cache directives. +# +# Unlike the "cache" directive, send_hit only supports fast acl +# types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# For example: +# +# # apply custom Store ID mapping to some URLs +# acl MapMe dstdomain .c.example.com +# store_id_program ... +# store_id_access allow MapMe +# +# # but prevent caching of special responses +# # such as 302 redirects that cause StoreID loops +# acl Ordinary http_status 200-299 +# store_miss deny MapMe !Ordinary +# +# # and do not serve any previously stored special responses +# # from the cache (in case they were already cached before +# # the above store_miss rule was in effect). +# send_hit deny MapMe !Ordinary +#Default: +# By default, this directive is unused and has no effect. + +# TAG: store_miss +# Responses denied by this directive will not be cached (but may still +# be served from the cache, see send_hit). This directive has no +# effect on the responses it allows and on the already cached responses. +# +# Please see the "cache" directive for a summary of differences among +# store_miss, send_hit, and cache directives. See the +# send_hit directive for a usage example. +# +# Unlike the "cache" directive, store_miss only supports fast acl +# types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# By default, this directive is unused and has no effect. + +# TAG: max_stale time-units +# This option puts an upper limit on how stale content Squid +# will serve from the cache if cache validation fails. +# Can be overriden by the refresh_pattern max-stale option. +#Default: +# max_stale 1 week # TAG: refresh_pattern # usage: refresh_pattern [-i] regex min percent max [options] @@ -3028,12 +4776,13 @@ coredump_dir /var/spool/squid # override-lastmod # reload-into-ims # ignore-reload -# ignore-no-cache # ignore-no-store # ignore-must-revalidate # ignore-private # ignore-auth +# max-stale=NN # refresh-ims +# store-stale # # override-expire enforces min age even if the server # sent an explicit expiry time (e.g., with the @@ -3049,22 +4798,18 @@ coredump_dir /var/spool/squid # override-lastmod enforces min age even on objects # that were modified recently. # -# reload-into-ims changes client no-cache or ``reload'' -# to If-Modified-Since requests. Doing this VIOLATES the -# HTTP standard. Enabling this feature could make you -# liable for problems which it causes. +# reload-into-ims changes a client no-cache or ``reload'' +# request for a cached entry into a conditional request using +# If-Modified-Since and/or If-None-Match headers, provided the +# cached entry has a Last-Modified and/or a strong ETag header. +# Doing this VIOLATES the HTTP standard. Enabling this feature +# could make you liable for problems which it causes. # # ignore-reload ignores a client no-cache or ``reload'' # header. Doing this VIOLATES the HTTP standard. Enabling # this feature could make you liable for problems which # it causes. # -# ignore-no-cache ignores any ``Pragma: no-cache'' and -# ``Cache-control: no-cache'' headers received from a server. -# The HTTP RFC never allows the use of this (Pragma) header -# from a server, only a client, though plenty of servers -# send it anyway. -# # ignore-no-store ignores any ``Cache-control: no-store'' # headers received from a server. Doing this VIOLATES # the HTTP standard. Enabling this feature could make you @@ -3091,9 +4836,19 @@ coredump_dir /var/spool/squid # ensures that the client will receive an updated version # if one is available. # +# store-stale stores responses even if they don't have explicit +# freshness or a validator (i.e., Last-Modified or an ETag) +# present, or if they're already stale. By default, Squid will +# not cache such responses because they usually can't be +# reused. Note that such responses will be stale by default. +# +# max-stale=NN provide a maximum staleness factor. Squid won't +# serve objects more stale than this even if it failed to +# validate the object. Default: use the max_stale global limit. +# # Basically a cached object is: # -# FRESH if expires < now, else STALE +# FRESH if expire > now, else STALE # STALE if age > max # FRESH if lm-factor < percent, else STALE # FRESH if age < min @@ -3109,7 +4864,9 @@ coredump_dir /var/spool/squid # # +# # Add any of your own refresh_pattern entries above these. +# refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 @@ -3137,7 +4894,7 @@ refresh_pattern . 0 20% 4320 # downloads. # # When the user aborts a request, Squid will check the -# quick_abort values to the amount of data transfered until +# quick_abort values to the amount of data transferred until # then. # # If the transfer has less than 'quick_abort_min' KB remaining, @@ -3195,44 +4952,68 @@ refresh_pattern . 0 20% 4320 #Default: # negative_dns_ttl 1 minutes -# TAG: range_offset_limit (bytes) -# Sets a upper limit on how far into the the file a Range request -# may be to cause Squid to prefetch the whole file. If beyond this -# limit Squid forwards the Range request as it is and the result -# is NOT cached. -# +# TAG: range_offset_limit size [acl acl...] +# usage: (size) [units] [[!]aclname] +# +# Sets an upper limit on how far (number of bytes) into the file +# a Range request may be to cause Squid to prefetch the whole file. +# If beyond this limit, Squid forwards the Range request as it is and +# the result is NOT cached. +# # This is to stop a far ahead range request (lets say start at 17MB) # from making Squid fetch the whole object up to that point before # sending anything to the client. -# -# A value of 0 causes Squid to never fetch more than the +# +# Multiple range_offset_limit lines may be specified, and they will +# be searched from top to bottom on each request until a match is found. +# The first match found will be used. If no line matches a request, the +# default limit of 0 bytes will be used. +# +# 'size' is the limit specified as a number of units. +# +# 'units' specifies whether to use bytes, KB, MB, etc. +# If no units are specified bytes are assumed. +# +# A size of 0 causes Squid to never fetch more than the # client requested. (default) -# -# A value of -1 causes Squid to always fetch the object from the +# +# A size of 'none' causes Squid to always fetch the object from the # beginning so it may cache the result. (2.0 style) -# -# NP: Using -1 here will override any quick_abort settings that may -# otherwise apply to the range request. The range request will +# +# 'aclname' is the name of a defined ACL. +# +# NP: Using 'none' as the byte value here will override any quick_abort settings +# that may otherwise apply to the range request. The range request will # be fully fetched from start to finish regardless of the client # actions. This affects bandwidth usage. #Default: -# range_offset_limit 0 KB +# none # TAG: minimum_expiry_time (seconds) # The minimum caching time according to (Expires - Date) -# Headers Squid honors if the object can't be revalidated -# defaults to 60 seconds. In reverse proxy environments it -# might be desirable to honor shorter object lifetimes. It -# is most likely better to make your server return a -# meaningful Last-Modified header however. In ESI environments -# where page fragments often have short lifetimes, this will -# often be best set to 0. +# headers Squid honors if the object can't be revalidated. +# The default is 60 seconds. +# +# In reverse proxy environments it might be desirable to honor +# shorter object lifetimes. It is most likely better to make +# your server return a meaningful Last-Modified header however. +# +# In ESI environments where page fragments often have short +# lifetimes, this will often be best set to 0. #Default: # minimum_expiry_time 60 seconds -# TAG: store_avg_object_size (kbytes) +# TAG: store_avg_object_size (bytes) # Average object size, used to estimate number of objects your # cache can hold. The default is 13 KB. +# +# This is used to pre-seed the cache index memory allocation to +# reduce expensive reallocate operations while handling clients +# traffic. Too-large values may result in memory allocation during +# peak traffic, too-small values will result in wasted memory. +# +# Check the cache manager 'info' report metrics for the real +# object sizes seen by your Squid before tuning this. #Default: # store_avg_object_size 13 KB @@ -3271,8 +5052,11 @@ refresh_pattern . 0 20% 4320 # than this limit receives an "Invalid Request" error message. # If you set this parameter to a zero (the default), there will # be no limit imposed. +# +# See also client_request_buffer_max_size for an alternative +# limitation on client uploads which can be configured. #Default: -# request_body_max_size 0 KB +# No limit. # TAG: client_request_buffer_max_size (bytes) # This specifies the maximum buffer size of a client request. @@ -3281,29 +5065,6 @@ refresh_pattern . 0 20% 4320 #Default: # client_request_buffer_max_size 512 KB -# TAG: chunked_request_body_max_size (bytes) -# A broken or confused HTTP/1.1 client may send a chunked HTTP -# request to Squid. Squid does not have full support for that -# feature yet. To cope with such requests, Squid buffers the -# entire request and then dechunks request body to create a -# plain HTTP/1.0 request with a known content length. The plain -# request is then used by the rest of Squid code as usual. -# -# The option value specifies the maximum size of the buffer used -# to hold the request before the conversion. If the chunked -# request size exceeds the specified limit, the conversion -# fails, and the client receives an "unsupported request" error, -# as if dechunking was disabled. -# -# Dechunking is enabled by default. To disable conversion of -# chunked requests, set the maximum to zero. -# -# Request dechunking feature and this option in particular are a -# temporary hack. When chunking requests and responses are fully -# supported, there will be no need to buffer a chunked request. -#Default: -# chunked_request_body_max_size 64 KB - # TAG: broken_posts # A list of ACL elements which, if matched, causes Squid to send # an extra CRLF pair after the body of a PUT/POST request. @@ -3325,15 +5086,15 @@ refresh_pattern . 0 20% 4320 # acl buggy_server url_regex ^http://.... # broken_posts allow buggy_server #Default: -# none +# Obey RFC 2616. -# TAG: icap_uses_indirect_client on|off +# TAG: adaptation_uses_indirect_client on|off # Controls whether the indirect client IP address (instead of the direct # client IP address) is passed to adaptation services. # # See also: follow_x_forwarded_for adaptation_send_client_ip #Default: -# icap_uses_indirect_client on +# adaptation_uses_indirect_client on # TAG: via on|off # If set (default), Squid will include a Via header in requests and @@ -3395,64 +5156,62 @@ refresh_pattern . 0 20% 4320 # # This option replaces the old 'anonymize_headers' and the # older 'http_anonymizer' option with something that is much -# more configurable. This new method creates a list of ACLs -# for each header, allowing you very fine-tuned header -# mangling. -# -# This option only applies to request headers, i.e., from the -# client to the server. -# -# You can only specify known headers for the header name. -# Other headers are reclassified as 'Other'. You can also -# refer to all the headers with 'All'. +# more configurable. A list of ACLs for each header name allows +# removal of specific header fields under specific conditions. +# +# This option only applies to outgoing HTTP request headers (i.e., +# headers sent by Squid to the next HTTP hop such as a cache peer +# or an origin server). The option has no effect during cache hit +# detection. The equivalent adaptation vectoring point in ICAP +# terminology is post-cache REQMOD. +# +# The option is applied to individual outgoing request header +# fields. For each request header field F, Squid uses the first +# qualifying sets of request_header_access rules: +# +# 1. Rules with header_name equal to F's name. +# 2. Rules with header_name 'Other', provided F's name is not +# on the hard-coded list of commonly used HTTP header names. +# 3. Rules with header_name 'All'. +# +# Within that qualifying rule set, rule ACLs are checked as usual. +# If ACLs of an "allow" rule match, the header field is allowed to +# go through as is. If ACLs of a "deny" rule match, the header is +# removed and request_header_replace is then checked to identify +# if the removed header has a replacement. If no rules within the +# set have matching ACLs, the header field is left as is. # # For example, to achieve the same behavior as the old # 'http_anonymizer standard' option, you should use: # # request_header_access From deny all # request_header_access Referer deny all -# request_header_access Server deny all # request_header_access User-Agent deny all -# request_header_access WWW-Authenticate deny all -# request_header_access Link deny all # # Or, to reproduce the old 'http_anonymizer paranoid' feature # you should use: # -# request_header_access Allow allow all # request_header_access Authorization allow all -# request_header_access WWW-Authenticate allow all # request_header_access Proxy-Authorization allow all -# request_header_access Proxy-Authenticate allow all # request_header_access Cache-Control allow all -# request_header_access Content-Encoding allow all # request_header_access Content-Length allow all # request_header_access Content-Type allow all # request_header_access Date allow all -# request_header_access Expires allow all # request_header_access Host allow all # request_header_access If-Modified-Since allow all -# request_header_access Last-Modified allow all -# request_header_access Location allow all # request_header_access Pragma allow all # request_header_access Accept allow all # request_header_access Accept-Charset allow all # request_header_access Accept-Encoding allow all # request_header_access Accept-Language allow all -# request_header_access Content-Language allow all -# request_header_access Mime-Version allow all -# request_header_access Retry-After allow all -# request_header_access Title allow all # request_header_access Connection allow all # request_header_access All deny all # -# although many of those are HTTP reply headers, and so should be -# controlled with the reply_header_access directive. +# HTTP reply headers are controlled with the reply_header_access directive. # -# By default, all headers are allowed (no anonymizing is -# performed). +# By default, all headers are allowed (no anonymizing is performed). #Default: -# none +# No limits. # TAG: reply_header_access # Usage: reply_header_access header_name allow|deny [!]aclname ... @@ -3465,25 +5224,13 @@ refresh_pattern . 0 20% 4320 # server to the client. # # This is the same as request_header_access, but in the other -# direction. -# -# This option replaces the old 'anonymize_headers' and the -# older 'http_anonymizer' option with something that is much -# more configurable. This new method creates a list of ACLs -# for each header, allowing you very fine-tuned header -# mangling. -# -# You can only specify known headers for the header name. -# Other headers are reclassified as 'Other'. You can also -# refer to all the headers with 'All'. +# direction. Please see request_header_access for detailed +# documentation. # # For example, to achieve the same behavior as the old # 'http_anonymizer standard' option, you should use: # -# reply_header_access From deny all -# reply_header_access Referer deny all # reply_header_access Server deny all -# reply_header_access User-Agent deny all # reply_header_access WWW-Authenticate deny all # reply_header_access Link deny all # @@ -3491,9 +5238,7 @@ refresh_pattern . 0 20% 4320 # you should use: # # reply_header_access Allow allow all -# reply_header_access Authorization allow all # reply_header_access WWW-Authenticate allow all -# reply_header_access Proxy-Authorization allow all # reply_header_access Proxy-Authenticate allow all # reply_header_access Cache-Control allow all # reply_header_access Content-Encoding allow all @@ -3501,29 +5246,22 @@ refresh_pattern . 0 20% 4320 # reply_header_access Content-Type allow all # reply_header_access Date allow all # reply_header_access Expires allow all -# reply_header_access Host allow all -# reply_header_access If-Modified-Since allow all # reply_header_access Last-Modified allow all # reply_header_access Location allow all # reply_header_access Pragma allow all -# reply_header_access Accept allow all -# reply_header_access Accept-Charset allow all -# reply_header_access Accept-Encoding allow all -# reply_header_access Accept-Language allow all # reply_header_access Content-Language allow all -# reply_header_access Mime-Version allow all # reply_header_access Retry-After allow all # reply_header_access Title allow all +# reply_header_access Content-Disposition allow all # reply_header_access Connection allow all # reply_header_access All deny all # -# although the HTTP request headers won't be usefully controlled -# by this directive -- see request_header_access for details. +# HTTP request headers are controlled with the request_header_access directive. # # By default, all headers are allowed (no anonymizing is # performed). #Default: -# none +# No limits. # TAG: request_header_replace # Usage: request_header_replace header_name message @@ -3531,8 +5269,7 @@ refresh_pattern . 0 20% 4320 # # This option allows you to change the contents of headers # denied with request_header_access above, by replacing them -# with some fixed string. This replaces the old fake_user_agent -# option. +# with some fixed string. # # This only applies to request headers, not reply headers. # @@ -3554,6 +5291,57 @@ refresh_pattern . 0 20% 4320 #Default: # none +# TAG: request_header_add +# Usage: request_header_add field-name field-value acl1 [acl2] ... +# Example: request_header_add X-Client-CA "CA=%ssl::>cert_issuer" all +# +# This option adds header fields to outgoing HTTP requests (i.e., +# request headers sent by Squid to the next HTTP hop such as a +# cache peer or an origin server). The option has no effect during +# cache hit detection. The equivalent adaptation vectoring point +# in ICAP terminology is post-cache REQMOD. +# +# Field-name is a token specifying an HTTP header name. If a +# standard HTTP header name is used, Squid does not check whether +# the new header conflicts with any existing headers or violates +# HTTP rules. If the request to be modified already contains a +# field with the same name, the old field is preserved but the +# header field values are not merged. +# +# Field-value is either a token or a quoted string. If quoted +# string format is used, then the surrounding quotes are removed +# while escape sequences and %macros are processed. +# +# In theory, all of the logformat codes can be used as %macros. +# However, unlike logging (which happens at the very end of +# transaction lifetime), the transaction may not yet have enough +# information to expand a macro when the new header value is needed. +# And some information may already be available to Squid but not yet +# committed where the macro expansion code can access it (report +# such instances!). The macro will be expanded into a single dash +# ('-') in such cases. Not all macros have been tested. +# +# One or more Squid ACLs may be specified to restrict header +# injection to matching requests. As always in squid.conf, all +# ACLs in an option ACL list must be satisfied for the insertion +# to happen. The request_header_add option supports fast ACLs +# only. +#Default: +# none + +# TAG: note +# This option used to log custom information about the master +# transaction. For example, an admin may configure Squid to log +# which "user group" the transaction belongs to, where "user group" +# will be determined based on a set of ACLs and not [just] +# authentication information. +# Values of key/value pairs can be logged using %{key}note macros: +# +# note key value acl ... +# logformat myFormat ... %{key}note ... +#Default: +# none + # TAG: relaxed_header_parser on|off|warn # In the default "on" setting Squid accepts certain forms # of non-compliant HTTP messages where it is unambiguous @@ -3569,15 +5357,32 @@ refresh_pattern . 0 20% 4320 #Default: # relaxed_header_parser on -# TAG: ignore_expect_100 on|off -# This option makes Squid ignore any Expect: 100-continue header present -# in the request. RFC 2616 requires that Squid being unable to satisfy -# the response expectation MUST return a 417 error. -# -# Note: Enabling this is a HTTP protocol violation, but some clients may -# not handle it well.. -#Default: -# ignore_expect_100 off +# TAG: collapsed_forwarding (on|off) +# When enabled, instead of forwarding each concurrent request for +# the same URL, Squid just sends the first of them. The other, so +# called "collapsed" requests, wait for the response to the first +# request and, if it happens to be cachable, use that response. +# Here, "concurrent requests" means "received after the first +# request headers were parsed and before the corresponding response +# headers were parsed". +# +# This feature is disabled by default: enabling collapsed +# forwarding needlessly delays forwarding requests that look +# cachable (when they are collapsed) but then need to be forwarded +# individually anyway because they end up being for uncachable +# content. However, in some cases, such as acceleration of highly +# cachable content with periodic or grouped expiration times, the +# gains from collapsing [large volumes of simultaneous refresh +# requests] outweigh losses from such delays. +# +# Squid collapses two kinds of requests: regular client requests +# received on one of the listening ports and internal "cache +# revalidation" requests which are triggered by those regular +# requests hitting a stale cached object. Revalidation collapsing +# is currently disabled for Squid instances containing SMP-aware +# disk or memory caches and for Vary-controlled cached objects. +#Default: +# collapsed_forwarding off # TIMEOUTS # ----------------------------------------------------------------------------- @@ -3604,25 +5409,46 @@ refresh_pattern . 0 20% 4320 # peer_connect_timeout 30 seconds # TAG: read_timeout time-units -# The read_timeout is applied on server-side connections. After -# each successful read(), the timeout will be extended by this +# Applied on peer server connections. +# +# After each successful read(), the timeout will be extended by this # amount. If no data is read again after this amount of time, -# the request is aborted and logged with ERR_READ_TIMEOUT. The -# default is 15 minutes. +# the request is aborted and logged with ERR_READ_TIMEOUT. +# +# The default is 15 minutes. #Default: # read_timeout 15 minutes +# TAG: write_timeout time-units +# This timeout is tracked for all connections that have data +# available for writing and are waiting for the socket to become +# ready. After each successful write, the timeout is extended by +# the configured amount. If Squid has data to write but the +# connection is not ready for the configured duration, the +# transaction associated with the connection is terminated. The +# default is 15 minutes. +#Default: +# write_timeout 15 minutes + # TAG: request_timeout # How long to wait for complete HTTP request headers after initial # connection establishment. #Default: # request_timeout 5 minutes -# TAG: persistent_request_timeout +# TAG: client_idle_pconn_timeout # How long to wait for the next HTTP request on a persistent -# connection after the previous request completes. +# client connection after the previous request completes. +#Default: +# client_idle_pconn_timeout 2 minutes + +# TAG: ftp_client_idle_timeout +# How long to wait for an FTP request on a connection to Squid ftp_port. +# Many FTP clients do not deal with idle connection closures well, +# necessitating a longer default timeout than client_idle_pconn_timeout +# used for incoming HTTP requests. #Default: -# persistent_request_timeout 2 minutes +# ftp_client_idle_timeout 30 minutes # TAG: client_lifetime time-units # The maximum amount of time a client (browser) is allowed to @@ -3658,11 +5484,11 @@ refresh_pattern . 0 20% 4320 #Default: # half_closed_clients off -# TAG: pconn_timeout +# TAG: server_idle_pconn_timeout # Timeout for idle persistent connections to servers and other # proxies. #Default: -# pconn_timeout 1 minute +# server_idle_pconn_timeout 1 minute # TAG: ident_timeout # Maximum time to wait for IDENT lookups to complete. @@ -3687,15 +5513,15 @@ refresh_pattern . 0 20% 4320 # TAG: cache_mgr # Email-address of local cache manager who will receive -# mail if the cache dies. The default is "webmaster." +# mail if the cache dies. The default is "webmaster". #Default: # cache_mgr webmaster # TAG: mail_from # From: email-address for mail sent when the cache dies. -# The default is to use 'appname@unique_hostname'. -# Default appname value is "squid", can be changed into -# src/globals.h before building squid. +# The default is to use 'squid@unique_hostname'. +# +# See also: unique_hostname directive. #Default: # none @@ -3734,7 +5560,7 @@ refresh_pattern . 0 20% 4320 # Our preference is for administrators to configure a secure # user account for squid with UID/GID matching system policies. #Default: -# none +# Use system group memberships of the cache_effective_user account # TAG: httpd_suppress_version_string on|off # Suppress Squid version string info in HTTP headers and HTML error pages. @@ -3748,14 +5574,14 @@ refresh_pattern . 0 20% 4320 # get errors about IP-forwarding you must set them to have individual # names with this setting. #Default: -# visible_hostname localhost +# Automatically detect the system host name # TAG: unique_hostname # If you want to have multiple machines with the same # 'visible_hostname' you must give each machine a different # 'unique_hostname' so forwarding loops can be detected. #Default: -# none +# Copy the value from visible_hostname # TAG: hostname_aliases # A list of other DNS names your cache has. @@ -3794,33 +5620,32 @@ refresh_pattern . 0 20% 4320 # available on the Web at http://www.ircache.net/Cache/Tracker/. # TAG: announce_period -# This is how frequently to send cache announcements. The -# default is `0' which disables sending the announcement -# messages. +# This is how frequently to send cache announcements. # # To enable announcing your cache, just set an announce period. # # Example: # announce_period 1 day #Default: -# announce_period 0 +# Announcement messages disabled. # TAG: announce_host +# Set the hostname where announce registration messages will be sent. +# +# See also announce_port and announce_file #Default: # announce_host tracker.ircache.net # TAG: announce_file +# The contents of this file will be included in the announce +# registration messages. #Default: # none # TAG: announce_port -# announce_host and announce_port set the hostname and port -# number where the registration message will be sent. +# Set the port where announce registration messages will be sent. # -# Hostname will default to 'tracker.ircache.net' and port will -# default default to 3131. If the 'filename' argument is given, -# the contents of that file will be included in the announce -# message. +# See also announce_host and announce_file #Default: # announce_port 3131 @@ -3833,10 +5658,12 @@ refresh_pattern . 0 20% 4320 # a farm of surrogates may all perform the same tasks, they may share # an identification token. #Default: -# httpd_accel_surrogate_id unset-id +# visible_hostname is used if no specific ID is set. # TAG: http_accel_surrogate_remote on|off -# Remote surrogates (such as those in a CDN) honour Surrogate-Control: no-store-remote. +# Remote surrogates (such as those in a CDN) honour the header +# "Surrogate-Control: no-store-remote". +# # Set this to on to have squid behave as a remote surrogate. #Default: # http_accel_surrogate_remote off @@ -3855,6 +5682,9 @@ refresh_pattern . 0 20% 4320 # This represents the number of delay pools to be used. For example, # if you have one class 2 delay pool and one class 3 delays pool, you # have a total of 2 delay pools. +# +# See also delay_parameters, delay_class, delay_access for pool +# configuration details. #Default: # delay_pools 0 @@ -3907,6 +5737,11 @@ refresh_pattern . 0 20% 4320 # # NOTE-2: Due to the use of bitmasks in class 2,3,4 pools they only apply to # IPv4 traffic. Class 1 and 5 pools may be used with IPv6 traffic. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# See also delay_parameters and delay_access. #Default: # none @@ -3921,14 +5756,16 @@ refresh_pattern . 0 20% 4320 # For example, if you want some_big_clients in delay # pool 1 and lotsa_little_clients in delay pool 2: # -#Example: -# delay_access 1 allow some_big_clients -# delay_access 1 deny all -# delay_access 2 allow lotsa_little_clients -# delay_access 2 deny all -# delay_access 3 allow authenticated_clients +# delay_access 1 allow some_big_clients +# delay_access 1 deny all +# delay_access 2 allow lotsa_little_clients +# delay_access 2 deny all +# delay_access 3 allow authenticated_clients +# +# See also delay_parameters and delay_class. +# #Default: -# none +# Deny using the pool, unless allow rules exist in squid.conf for the pool. # TAG: delay_parameters # This defines the parameters for a delay pool. Each delay pool has @@ -3936,23 +5773,23 @@ refresh_pattern . 0 20% 4320 # description of delay_class. # # For a class 1 delay pool, the syntax is: -# delay_pools pool 1 +# delay_class pool 1 # delay_parameters pool aggregate # # For a class 2 delay pool: -# delay_pools pool 2 +# delay_class pool 2 # delay_parameters pool aggregate individual # # For a class 3 delay pool: -# delay_pools pool 3 +# delay_class pool 3 # delay_parameters pool aggregate network individual # # For a class 4 delay pool: -# delay_pools pool 4 +# delay_class pool 4 # delay_parameters pool aggregate network individual user # # For a class 5 delay pool: -# delay_pools pool 5 +# delay_class pool 5 # delay_parameters pool tagrate # # The option variables are: @@ -3988,11 +5825,11 @@ refresh_pattern . 0 20% 4320 # above example, and is being used to strictly limit each host to 64Kbit/sec # (plus overheads), with no overall limit, the line is: # -# delay_parameters 1 -1/-1 8000/8000 +# delay_parameters 1 none 8000/8000 # -# Note that 8 x 8000 KByte/sec -> 64Kbit/sec. +# Note that 8 x 8K Byte/sec -> 64K bit/sec. # -# Note that the figure -1 is used to represent "unlimited". +# Note that the word 'none' is used to represent no limit. # # # And, if delay pool number 2 is a class 3 delay pool as in the above @@ -4005,15 +5842,19 @@ refresh_pattern . 0 20% 4320 # # delay_parameters 2 32000/32000 8000/8000 600/8000 # -# Note that 8 x 32000 KByte/sec -> 256Kbit/sec. -# 8 x 8000 KByte/sec -> 64Kbit/sec. -# 8 x 600 Byte/sec -> 4800bit/sec. +# Note that 8 x 32K Byte/sec -> 256K bit/sec. +# 8 x 8K Byte/sec -> 64K bit/sec. +# 8 x 600 Byte/sec -> 4800 bit/sec. # # # Finally, for a class 4 delay pool as in the example - each user will # be limited to 128Kbits/sec no matter how many workstations they are logged into.: # # delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000 +# +# +# See also delay_class and delay_access. +# #Default: # none @@ -4026,6 +5867,94 @@ refresh_pattern . 0 20% 4320 #Default: # delay_initial_bucket_level 50 +# CLIENT DELAY POOL PARAMETERS +# ----------------------------------------------------------------------------- + +# TAG: client_delay_pools +# This option specifies the number of client delay pools used. It must +# preceed other client_delay_* options. +# +# Example: +# client_delay_pools 2 +# +# See also client_delay_parameters and client_delay_access. +#Default: +# client_delay_pools 0 + +# TAG: client_delay_initial_bucket_level (percent, 0-no_limit) +# This option determines the initial bucket size as a percentage of +# max_bucket_size from client_delay_parameters. Buckets are created +# at the time of the "first" connection from the matching IP. Idle +# buckets are periodically deleted up. +# +# You can specify more than 100 percent but note that such "oversized" +# buckets are not refilled until their size goes down to max_bucket_size +# from client_delay_parameters. +# +# Example: +# client_delay_initial_bucket_level 50 +#Default: +# client_delay_initial_bucket_level 50 + +# TAG: client_delay_parameters +# +# This option configures client-side bandwidth limits using the +# following format: +# +# client_delay_parameters pool speed_limit max_bucket_size +# +# pool is an integer ID used for client_delay_access matching. +# +# speed_limit is bytes added to the bucket per second. +# +# max_bucket_size is the maximum size of a bucket, enforced after any +# speed_limit additions. +# +# Please see the delay_parameters option for more information and +# examples. +# +# Example: +# client_delay_parameters 1 1024 2048 +# client_delay_parameters 2 51200 16384 +# +# See also client_delay_access. +# +#Default: +# none + +# TAG: client_delay_access +# This option determines the client-side delay pool for the +# request: +# +# client_delay_access pool_ID allow|deny acl_name +# +# All client_delay_access options are checked in their pool ID +# order, starting with pool 1. The first checked pool with allowed +# request is selected for the request. If no ACL matches or there +# are no client_delay_access options, the request bandwidth is not +# limited. +# +# The ACL-selected pool is then used to find the +# client_delay_parameters for the request. Client-side pools are +# not used to aggregate clients. Clients are always aggregated +# based on their source IP addresses (one bucket per source IP). +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# Additionally, only the client TCP connection details are available. +# ACLs testing HTTP properties will not work. +# +# Please see delay_access for more examples. +# +# Example: +# client_delay_access 1 allow low_rate_network +# client_delay_access 2 allow vips_network +# +# +# See also client_delay_parameters and client_delay_pools. +#Default: +# Deny use of the pool, unless allow rules exist in squid.conf for the pool. + # WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS # ----------------------------------------------------------------------------- @@ -4040,7 +5969,7 @@ refresh_pattern . 0 20% 4320 # only one of the two may be used at the same time and defines # which version of WCCP to use. #Default: -# wccp_router any_addr +# WCCP disabled. # TAG: wccp2_router # Use this option to define your WCCP ``home'' router for @@ -4053,7 +5982,7 @@ refresh_pattern . 0 20% 4320 # only one of the two may be used at the same time and defines # which version of WCCP to use. #Default: -# none +# WCCPv2 disabled. # TAG: wccp_version # This directive is only relevant if you need to set up WCCP(v1) @@ -4110,7 +6039,7 @@ refresh_pattern . 0 20% 4320 # Valid values are as follows: # # hash - Hash assignment -# mask - Mask assignment +# mask - Mask assignment # # As a general rule, cisco routers support the hash assignment method # and cisco switches support the mask assignment method. @@ -4138,7 +6067,7 @@ refresh_pattern . 0 20% 4320 # # fleshed out with subsequent options. # wccp2_service standard 0 password=foo #Default: -# wccp2_service standard 0 +# Use the 'web-cache' standard service. # TAG: wccp2_service_info # Dynamic WCCPv2 services require further information to define the @@ -4175,8 +6104,12 @@ refresh_pattern . 0 20% 4320 # wccp2_weight 10000 # TAG: wccp_address +# Use this option if you require WCCPv2 to use a specific +# interface address. +# +# The default behavior is to not bind to any specific address. #Default: -# wccp_address 0.0.0.0 +# Address selected by the operating system. # TAG: wccp2_address # Use this option if you require WCCP to use a specific @@ -4184,7 +6117,7 @@ refresh_pattern . 0 20% 4320 # # The default behavior is to not bind to any specific address. #Default: -# wccp2_address 0.0.0.0 +# Address selected by the operating system. # PERSISTENT CONNECTION HANDLING # ----------------------------------------------------------------------------- @@ -4192,14 +6125,16 @@ refresh_pattern . 0 20% 4320 # Also see "pconn_timeout" in the TIMEOUTS section # TAG: client_persistent_connections +# Persistent connection support for clients. +# Squid uses persistent connections (when allowed). You can use +# this option to disable persistent connections with clients. #Default: # client_persistent_connections on # TAG: server_persistent_connections -# Persistent connection support for clients and servers. By -# default, Squid uses persistent connections (when allowed) -# with its clients and servers. You can use these options to -# disable persistent connections with clients and/or servers. +# Persistent connection support for servers. +# Squid uses persistent connections (when allowed). You can use +# this option to disable persistent connections with servers. #Default: # server_persistent_connections on @@ -4275,7 +6210,7 @@ refresh_pattern . 0 20% 4320 # Example: # snmp_port 3401 #Default: -# snmp_port 0 +# SNMP disabled. # TAG: snmp_access # Allowing or denying access to the SNMP port. @@ -4287,26 +6222,29 @@ refresh_pattern . 0 20% 4320 # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# #Example: # snmp_access allow snmppublic localhost # snmp_access deny all #Default: -# snmp_access deny all +# Deny, unless rules exist in squid.conf. # TAG: snmp_incoming_address -#Default: -# snmp_incoming_address any_addr - -# TAG: snmp_outgoing_address # Just like 'udp_incoming_address', but for the SNMP port. # # snmp_incoming_address is used for the SNMP socket receiving # messages from SNMP agents. -# snmp_outgoing_address is used for SNMP packets returned to SNMP -# agents. # # The default snmp_incoming_address is to listen on all # available network interfaces. +#Default: +# Accept SNMP packets from all machine interfaces. + +# TAG: snmp_outgoing_address +# Just like 'udp_outgoing_address', but for the SNMP port. +# +# snmp_outgoing_address is used for SNMP packets returned to SNMP +# agents. # # If snmp_outgoing_address is not set it will use the same socket # as snmp_incoming_address. Only change this if you want to have @@ -4314,9 +6252,9 @@ refresh_pattern . 0 20% 4320 # listens for SNMP queries. # # NOTE, snmp_incoming_address and snmp_outgoing_address can not have -# the same value since they both use port 3401. +# the same value since they both use the same port. #Default: -# snmp_outgoing_address no_addr +# Use snmp_incoming_address or an address selected by the operating system. # ICP OPTIONS # ----------------------------------------------------------------------------- @@ -4324,22 +6262,21 @@ refresh_pattern . 0 20% 4320 # TAG: icp_port # The port number where Squid sends and receives ICP queries to # and from neighbor caches. The standard UDP port for ICP is 3130. -# Default is disabled (0). # # Example: # icp_port 3130 #Default: -# icp_port 0 +# ICP disabled. # TAG: htcp_port # The port number where Squid sends and receives HTCP queries to # and from neighbor caches. To turn it on you want to set it to -# 4827. By default it is set to "0" (disabled). +# 4827. # # Example: # htcp_port 4827 #Default: -# htcp_port 0 +# HTCP disabled. # TAG: log_icp_queries on|off # If set, ICP queries are logged to access.log. You may wish @@ -4365,7 +6302,7 @@ refresh_pattern . 0 20% 4320 # NOTE, udp_incoming_address and udp_outgoing_address can not # have the same value since they both use the same port. #Default: -# udp_incoming_address any_addr +# Accept packets from all machine interfaces. # TAG: udp_outgoing_address # udp_outgoing_address is used for UDP packets sent out to other @@ -4386,7 +6323,7 @@ refresh_pattern . 0 20% 4320 # NOTE, udp_incoming_address and udp_outgoing_address can not # have the same value since they both use the same port. #Default: -# udp_outgoing_address no_addr +# Use udp_incoming_address or an address selected by the operating system. # TAG: icp_hit_stale on|off # If you want to return ICP_HIT for stale cache objects, set this @@ -4405,21 +6342,33 @@ refresh_pattern . 0 20% 4320 #Default: # minimum_direct_hops 4 -# TAG: minimum_direct_rtt +# TAG: minimum_direct_rtt (msec) # If using the ICMP pinging stuff, do direct fetches for sites # which are no more than this many rtt milliseconds away. #Default: # minimum_direct_rtt 400 # TAG: netdb_low +# The low water mark for the ICMP measurement database. +# +# Note: high watermark controlled by netdb_high directive. +# +# These watermarks are counts, not percents. The defaults are +# (low) 900 and (high) 1000. When the high water mark is +# reached, database entries will be deleted until the low +# mark is reached. #Default: # netdb_low 900 # TAG: netdb_high -# The low and high water marks for the ICMP measurement -# database. These are counts, not percents. The defaults are -# 900 and 1000. When the high water mark is reached, database -# entries will be deleted until the low mark is reached. +# The high water mark for the ICMP measurement database. +# +# Note: low watermark controlled by netdb_low directive. +# +# These watermarks are counts, not percents. The defaults are +# (low) 900 and (high) 1000. When the high water mark is +# reached, database entries will be deleted until the low +# mark is reached. #Default: # netdb_high 1000 @@ -4462,7 +6411,7 @@ refresh_pattern . 0 20% 4320 # # icp_query_timeout 2000 #Default: -# icp_query_timeout 0 +# Dynamic detection. # TAG: maximum_icp_query_timeout (msec) # Normally the ICP query timeout is determined dynamically. But @@ -4528,7 +6477,7 @@ refresh_pattern . 0 20% 4320 # Do not enable this option unless you are are absolutely # certain you understand what you are doing. #Default: -# mcast_miss_addr no_addr +# disabled. # TAG: mcast_miss_ttl # Note: This option is only available if Squid is rebuilt with the @@ -4618,7 +6567,7 @@ refresh_pattern . 0 20% 4320 # The squid developers working on translations are happy to supply drop-in # translated error files in exchange for any new language contributions. #Default: -# none +# Send error pages in the clients preferred language # TAG: error_default_language # Set the default language which squid will send error pages in @@ -4632,7 +6581,7 @@ refresh_pattern . 0 20% 4320 # translations for any language see the squid wiki for details. # http://wiki.squid-cache.org/Translations #Default: -# none +# Generate English language pages. # TAG: error_log_languages # Log to cache.log what languages users are attempting to @@ -4687,17 +6636,47 @@ refresh_pattern . 0 20% 4320 # the first authentication related acl encountered # - When none of the http_access lines matches. It's then the last # acl processed on the last http_access line. +# - When the decision to deny access was made by an adaptation service, +# the acl name is the corresponding eCAP or ICAP service_name. # # NP: If providing your own custom error pages with error_directory # you may also specify them by your custom file name: # Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys # -# Alternatively you can specify an error URL. The browsers will -# get redirected (302 or 307) to the specified URL. %s in the redirection -# URL will be replaced by the requested URL. +# By defaut Squid will send "403 Forbidden". A different 4xx or 5xx +# may be specified by prefixing the file name with the code and a colon. +# e.g. 404:ERR_CUSTOM_ACCESS_DENIED # # Alternatively you can tell Squid to reset the TCP connection # by specifying TCP_RESET. +# +# Or you can specify an error URL or URL pattern. The browsers will +# get redirected to the specified URL after formatting tags have +# been replaced. Redirect will be done with 302 or 307 according to +# HTTP/1.1 specs. A different 3xx code may be specified by prefixing +# the URL. e.g. 303:http://example.com/ +# +# URL FORMAT TAGS: +# %a - username (if available. Password NOT included) +# %B - FTP path URL +# %e - Error number +# %E - Error description +# %h - Squid hostname +# %H - Request domain name +# %i - Client IP Address +# %M - Request Method +# %o - Message result from external ACL helper +# %p - Request Port number +# %P - Request Protocol name +# %R - Request URL path +# %T - Timestamp in RFC 1123 format +# %U - Full canonical URL from client +# (HTTPS URLs terminate with *) +# %u - Full canonical URL from client +# %w - Admin email from squid.conf +# %x - Error name +# %% - Literal percent (%) code +# #Default: # none @@ -4706,18 +6685,18 @@ refresh_pattern . 0 20% 4320 # TAG: nonhierarchical_direct # By default, Squid will send any non-hierarchical requests -# (matching hierarchy_stoplist or not cacheable request type) direct -# to origin servers. +# (not cacheable request type) direct to origin servers. # -# If you set this to off, Squid will prefer to send these +# When this is set to "off", Squid will prefer to send these # requests to parents. # # Note that in most configurations, by turning this off you will only # add latency to these request without any improvement in global hit # ratio. # -# If you are inside an firewall see never_direct instead of -# this directive. +# This option only sets a preference. If the parent is unavailable a +# direct connection to the origin server may still be attempted. To +# completely prevent direct connections use never_direct. #Default: # nonhierarchical_direct on @@ -4736,6 +6715,29 @@ refresh_pattern . 0 20% 4320 #Default: # prefer_direct off +# TAG: cache_miss_revalidate on|off +# RFC 7232 defines a conditional request mechanism to prevent +# response objects being unnecessarily transferred over the network. +# If that mechanism is used by the client and a cache MISS occurs +# it can prevent new cache entries being created. +# +# This option determines whether Squid on cache MISS will pass the +# client revalidation request to the server or tries to fetch new +# content for caching. It can be useful while the cache is mostly +# empty to more quickly have the cache populated by generating +# non-conditional GETs. +# +# When set to 'on' (default), Squid will pass all client If-* headers +# to the server. This permits server responses without a cacheable +# payload to be delivered and on MISS no new cache entry is created. +# +# When set to 'off' and if the request is cacheable, Squid will +# remove the clients If-Modified-Since and If-None-Match headers from +# the request sent to the server. This requests a 200 status response +# from the server to create a new cache entry with. +#Default: +# cache_miss_revalidate on + # TAG: always_direct # Usage: always_direct allow|deny [!]aclname ... # @@ -4776,7 +6778,7 @@ refresh_pattern . 0 20% 4320 # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Prevent any cache_peer being used for this request. # TAG: never_direct # Usage: never_direct allow|deny [!]aclname ... @@ -4805,37 +6807,52 @@ refresh_pattern . 0 20% 4320 # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow DNS results to be used for this request. # ADVANCED NETWORKING OPTIONS # ----------------------------------------------------------------------------- -# TAG: incoming_icp_average +# TAG: incoming_udp_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: -# incoming_icp_average 6 +# incoming_udp_average 6 -# TAG: incoming_http_average +# TAG: incoming_tcp_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: -# incoming_http_average 4 +# incoming_tcp_average 4 # TAG: incoming_dns_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: # incoming_dns_average 4 -# TAG: min_icp_poll_cnt +# TAG: min_udp_poll_cnt +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: -# min_icp_poll_cnt 8 +# min_udp_poll_cnt 8 # TAG: min_dns_poll_cnt +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: # min_dns_poll_cnt 8 -# TAG: min_http_poll_cnt +# TAG: min_tcp_poll_cnt # Heavy voodoo here. I can't even believe you are reading this. # Are you crazy? Don't even think about adjusting these unless # you understand the algorithms in comm_select.c first! #Default: -# min_http_poll_cnt 8 +# min_tcp_poll_cnt 8 # TAG: accept_filter # FreeBSD: @@ -4880,14 +6897,14 @@ refresh_pattern . 0 20% 4320 # WARNING: This may noticably slow down traffic received via external proxies # or NAT devices and cause them to rebound error messages back to their clients. #Default: -# client_ip_max_connections -1 +# No limit. # TAG: tcp_recv_bufsize (bytes) # Size of receive buffer to set for TCP sockets. Probably just -# as easy to change your kernel's default. Set to zero to use -# the default buffer size. +# as easy to change your kernel's default. +# Omit from squid.conf to use the default buffer size. #Default: -# tcp_recv_bufsize 0 bytes +# Use operating system TCP defaults. # ICAP OPTIONS # ----------------------------------------------------------------------------- @@ -4913,22 +6930,36 @@ refresh_pattern . 0 20% 4320 # an established, active ICAP connection before giving up and # either terminating the HTTP transaction or bypassing the # failure. -# -# The default is read_timeout. #Default: -# none +# Use read_timeout. -# TAG: icap_service_failure_limit +# TAG: icap_service_failure_limit limit [in memory-depth time-units] # The limit specifies the number of failures that Squid tolerates # when establishing a new TCP connection with an ICAP service. If # the number of failures exceeds the limit, the ICAP service is # not used for new ICAP requests until it is time to refresh its -# OPTIONS. The per-service failure counter is reset to zero each -# time Squid fetches new service OPTIONS. +# OPTIONS. # # A negative value disables the limit. Without the limit, an ICAP # service will not be considered down due to connectivity failures # between ICAP OPTIONS requests. +# +# Squid forgets ICAP service failures older than the specified +# value of memory-depth. The memory fading algorithm +# is approximate because Squid does not remember individual +# errors but groups them instead, splitting the option +# value into ten time slots of equal length. +# +# When memory-depth is 0 and by default this option has no +# effect on service failure expiration. +# +# Squid always forgets failures when updating service settings +# using an ICAP OPTIONS transaction, regardless of this option +# setting. +# +# For example, +# # suspend service usage after 10 failures in 5 seconds: +# icap_service_failure_limit 10 in 5 seconds #Default: # icap_service_failure_limit 10 @@ -4962,10 +6993,26 @@ refresh_pattern . 0 20% 4320 # TAG: icap_preview_size # The default size of preview data to be sent to the ICAP server. -# -1 means no preview. This value might be overwritten on a per server -# basis by OPTIONS requests. +# This value might be overwritten on a per server basis by OPTIONS requests. +#Default: +# No preview sent. + +# TAG: icap_206_enable on|off +# 206 (Partial Content) responses is an ICAP extension that allows the +# ICAP agents to optionally combine adapted and original HTTP message +# content. The decision to combine is postponed until the end of the +# ICAP response. Squid supports Partial Content extension by default. +# +# Activation of the Partial Content extension is negotiated with each +# ICAP service during OPTIONS exchange. Most ICAP servers should handle +# negotation correctly even if they do not support the extension, but +# some might fail. To disable Partial Content support for all ICAP +# services and to avoid any negotiation, set this option to "off". +# +# Example: +# icap_206_enable off #Default: -# icap_preview_size -1 +# icap_206_enable on # TAG: icap_default_options_ttl # The default TTL value for ICAP OPTIONS responses that don't have @@ -4979,25 +7026,27 @@ refresh_pattern . 0 20% 4320 #Default: # icap_persistent_connections on -# TAG: icap_send_client_ip on|off +# TAG: adaptation_send_client_ip on|off # If enabled, Squid shares HTTP client IP information with adaptation # services. For ICAP, Squid adds the X-Client-IP header to ICAP requests. # For eCAP, Squid sets the libecap::metaClientIp transaction option. # # See also: adaptation_uses_indirect_client #Default: -# icap_send_client_ip off +# adaptation_send_client_ip off -# TAG: icap_send_client_username on|off +# TAG: adaptation_send_username on|off # This sends authenticated HTTP client username (if available) to -# the ICAP service. The username value is encoded based on the +# the adaptation service. +# +# For ICAP, the username value is encoded based on the # icap_client_username_encode option and is sent using the header # specified by the icap_client_username_header option. #Default: -# icap_send_client_username off +# adaptation_send_username off # TAG: icap_client_username_header -# ICAP request header name to use for send_client_username. +# ICAP request header name to use for adaptation_send_username. #Default: # icap_client_username_header X-Client-Username @@ -5009,17 +7058,19 @@ refresh_pattern . 0 20% 4320 # TAG: icap_service # Defines a single ICAP service using the following format: # -# icap_service service_name vectoring_point [options] service_url +# icap_service id vectoring_point uri [option ...] # -# service_name: ID -# an opaque identifier which must be unique in squid.conf +# id: ID +# an opaque identifier or name which is used to direct traffic to +# this specific service. Must be unique among all adaptation +# services in squid.conf. # # vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache # This specifies at which point of transaction processing the # ICAP service should be activated. *_postcache vectoring points # are not yet supported. # -# service_url: icap://servername:port/servicepath +# uri: icap://servername:port/servicepath # ICAP server and service location. # # ICAP does not allow a single service to handle both REQMOD and RESPMOD @@ -5028,6 +7079,8 @@ refresh_pattern . 0 20% 4320 # can even specify multiple identical services as long as their # service_names differ. # +# To activate a service, use the adaptation_access directive. To group +# services, use adaptation_service_chain and adaptation_service_set. # # Service options are separated by white space. ICAP services support # the following name=value options: @@ -5049,11 +7102,12 @@ refresh_pattern . 0 20% 4320 # returning a chain of services to be used next. The services # are specified using the X-Next-Services ICAP response header # value, formatted as a comma-separated list of service names. -# Each named service should be configured in squid.conf and -# should have the same method and vectoring point as the current -# ICAP transaction. Services violating these rules are ignored. -# An empty X-Next-Services value results in an empty plan which -# ends the current adaptation. +# Each named service should be configured in squid.conf. Other +# services are ignored. An empty X-Next-Services value results +# in an empty plan which ends the current adaptation. +# +# Dynamic adaptation plan may cross or cover multiple supported +# vectoring points in their natural processing order. # # Routing is not allowed by default: the ICAP X-Next-Services # response header is ignored. @@ -5063,12 +7117,32 @@ refresh_pattern . 0 20% 4320 # is to use IPv4-only connections. When set to 'on' this option will # make Squid use IPv6-only connections to contact this ICAP service. # +# on-overload=block|bypass|wait|force +# If the service Max-Connections limit has been reached, do +# one of the following for each new ICAP transaction: +# * block: send an HTTP error response to the client +# * bypass: ignore the "over-connected" ICAP service +# * wait: wait (in a FIFO queue) for an ICAP connection slot +# * force: proceed, ignoring the Max-Connections limit +# +# In SMP mode with N workers, each worker assumes the service +# connection limit is Max-Connections/N, even though not all +# workers may use a given service. +# +# The default value is "bypass" if service is bypassable, +# otherwise it is set to "wait". +# +# +# max-conn=number +# Use the given number as the Max-Connections limit, regardless +# of the Max-Connections value given by the service, if any. +# # Older icap_service format without optional named parameters is # deprecated but supported for backward compatibility. # #Example: -#icap_service svcBlocker reqmod_precache bypass=0 icap://icap1.mydomain.net:1344/reqmod -#icap_service svcLogger reqmod_precache routing=on icap://icap2.mydomain.net:1344/respmod +#icap_service svcBlocker reqmod_precache icap://icap1.mydomain.net:1344/reqmod bypass=0 +#icap_service svcLogger reqmod_precache icap://icap2.mydomain.net:1344/respmod routing=on #Default: # none @@ -5094,38 +7168,65 @@ refresh_pattern . 0 20% 4320 # ----------------------------------------------------------------------------- # TAG: ecap_enable on|off -# Note: This option is only available if Squid is rebuilt with the -# --enable-ecap option -# # Controls whether eCAP support is enabled. #Default: # ecap_enable off # TAG: ecap_service -# Note: This option is only available if Squid is rebuilt with the -# --enable-ecap option -# # Defines a single eCAP service # -# ecap_service servicename vectoring_point bypass service_url +# ecap_service id vectoring_point uri [option ...] # -# vectoring_point = reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache +# id: ID +# an opaque identifier or name which is used to direct traffic to +# this specific service. Must be unique among all adaptation +# services in squid.conf. +# +# vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache # This specifies at which point of transaction processing the # eCAP service should be activated. *_postcache vectoring points # are not yet supported. -# bypass = 1|0 -# If set to 1, the eCAP service is treated as optional. If the -# service cannot be reached or malfunctions, Squid will try to -# ignore any errors and process the message as if the service +# +# uri: ecap://vendor/service_name?custom&cgi=style¶meters=optional +# Squid uses the eCAP service URI to match this configuration +# line with one of the dynamically loaded services. Each loaded +# eCAP service must have a unique URI. Obtain the right URI from +# the service provider. +# +# To activate a service, use the adaptation_access directive. To group +# services, use adaptation_service_chain and adaptation_service_set. +# +# Service options are separated by white space. eCAP services support +# the following name=value options: +# +# bypass=on|off|1|0 +# If set to 'on' or '1', the eCAP service is treated as optional. +# If the service cannot be reached or malfunctions, Squid will try +# to ignore any errors and process the message as if the service # was not enabled. No all eCAP errors can be bypassed. -# If set to 0, the eCAP service is treated as essential and all -# eCAP errors will result in an error page returned to the +# If set to 'off' or '0', the eCAP service is treated as essential +# and all eCAP errors will result in an error page returned to the # HTTP client. -# service_url = ecap://vendor/service_name?custom&cgi=style¶meters=optional +# +# Bypass is off by default: services are treated as essential. +# +# routing=on|off|1|0 +# If set to 'on' or '1', the eCAP service is allowed to +# dynamically change the current message adaptation plan by +# returning a chain of services to be used next. +# +# Dynamic adaptation plan may cross or cover multiple supported +# vectoring points in their natural processing order. +# +# Routing is not allowed by default. +# +# Older ecap_service format without optional named parameters is +# deprecated but supported for backward compatibility. +# # #Example: -#ecap_service service_1 reqmod_precache 0 ecap://filters-R-us/leakDetector?on_error=block -#ecap_service service_2 respmod_precache 1 icap://filters-R-us/virusFilter?config=/etc/vf.cfg +#ecap_service s1 reqmod_precache ecap://filters.R.us/leakDetector?on_error=block bypass=off +#ecap_service s2 respmod_precache ecap://filters.R.us/virusFilter config=/etc/vf.cfg bypass=on #Default: # none @@ -5247,7 +7348,7 @@ refresh_pattern . 0 20% 4320 #Example: #adaptation_access service_1 allow all #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: adaptation_service_iteration_limit # Limits the number of iterations allowed when applying adaptation @@ -5275,8 +7376,14 @@ refresh_pattern . 0 20% 4320 # # An ICAP REQMOD or RESPMOD transaction may set an entry in the # shared table by returning an ICAP header field with a name -# specified in adaptation_masterx_shared_names. Squid will store -# and forward that ICAP header field to subsequent ICAP +# specified in adaptation_masterx_shared_names. +# +# An eCAP REQMOD or RESPMOD transaction may set an entry in the +# shared table by implementing the libecap::visitEachOption() API +# to provide an option with a name specified in +# adaptation_masterx_shared_names. +# +# Squid will store and forward the set entry to subsequent adaptation # transactions within the same master transaction scope. # # Only one shared entry name is supported at this time. @@ -5287,6 +7394,43 @@ refresh_pattern . 0 20% 4320 #Default: # none +# TAG: adaptation_meta +# This option allows Squid administrator to add custom ICAP request +# headers or eCAP options to Squid ICAP requests or eCAP transactions. +# Use it to pass custom authentication tokens and other +# transaction-state related meta information to an ICAP/eCAP service. +# +# The addition of a meta header is ACL-driven: +# adaptation_meta name value [!]aclname ... +# +# Processing for a given header name stops after the first ACL list match. +# Thus, it is impossible to add two headers with the same name. If no ACL +# lists match for a given header name, no such header is added. For +# example: +# +# # do not debug transactions except for those that need debugging +# adaptation_meta X-Debug 1 needs_debugging +# +# # log all transactions except for those that must remain secret +# adaptation_meta X-Log 1 !keep_secret +# +# # mark transactions from users in the "G 1" group +# adaptation_meta X-Authenticated-Groups "G 1" authed_as_G1 +# +# The "value" parameter may be a regular squid.conf token or a "double +# quoted string". Within the quoted string, use backslash (\) to escape +# any character, which is currently only useful for escaping backslashes +# and double quotes. For example, +# "this string has one backslash (\\) and two \"quotes\"" +# +# Used adaptation_meta header values may be logged via %note +# logformat code. If multiple adaptation_meta headers with the same name +# are used during master transaction lifetime, the header values are +# logged in the order they were used and duplicate values are ignored +# (only the first repeated value will be logged). +#Default: +# none + # TAG: icap_retry # This ACL determines which retriable ICAP transactions are # retried. Transactions that received a complete ICAP response @@ -5303,8 +7447,7 @@ refresh_pattern . 0 20% 4320 # icap_retry deny all # TAG: icap_retry_limit -# Limits the number of retries allowed. When set to zero (default), -# no retries are allowed. +# Limits the number of retries allowed. # # Communication errors due to persistent connection race # conditions are unavoidable, automatically retried, and do not @@ -5312,7 +7455,7 @@ refresh_pattern . 0 20% 4320 # # See also: icap_retry #Default: -# icap_retry_limit 0 +# No retries are allowed. # DNS OPTIONS # ----------------------------------------------------------------------------- @@ -5332,31 +7475,9 @@ refresh_pattern . 0 20% 4320 #Default: # allow_underscore on -# TAG: cache_dns_program -# Note: This option is only available if Squid is rebuilt with the -# --disable-internal-dns option -# -# Specify the location of the executable for dnslookup process. -#Default: -# cache_dns_program /usr/lib/squid/dnsserver - -# TAG: dns_children -# Note: This option is only available if Squid is rebuilt with the -# --disable-internal-dns option -# -# The number of processes spawn to service DNS name lookups. -# For heavily loaded caches on large servers, you should -# probably increase this value to at least 10. The maximum -# is 32. The default is 5. -# -# You must have at least one dnsserver process. -#Default: -# dns_children 5 - # TAG: dns_retransmit_interval # Initial retransmit interval for DNS queries. The interval is # doubled each time all configured DNS servers have been tried. -# #Default: # dns_retransmit_interval 5 seconds @@ -5365,7 +7486,31 @@ refresh_pattern . 0 20% 4320 # within this time all DNS servers for the queried domain # are assumed to be unavailable. #Default: -# dns_timeout 2 minutes +# dns_timeout 30 seconds + +# TAG: dns_packet_max +# Maximum number of bytes packet size to advertise via EDNS. +# Set to "none" to disable EDNS large packet support. +# +# For legacy reasons DNS UDP replies will default to 512 bytes which +# is too small for many responses. EDNS provides a means for Squid to +# negotiate receiving larger responses back immediately without having +# to failover with repeat requests. Responses larger than this limit +# will retain the old behaviour of failover to TCP DNS. +# +# Squid has no real fixed limit internally, but allowing packet sizes +# over 1500 bytes requires network jumbogram support and is usually not +# necessary. +# +# WARNING: The RFC also indicates that some older resolvers will reply +# with failure of the whole request if the extension is added. Some +# resolvers have already been identified which will reply with mangled +# EDNS response on occasion. Usually in response to many-KB jumbogram +# sizes being advertised by Squid. +# Squid will currently treat these both as an unable-to-resolve domain +# even if it would be resolvable without EDNS. +#Default: +# EDNS disabled # TAG: dns_defnames on|off # Normally the RES_DEFNAMES resolver option is disabled @@ -5373,12 +7518,21 @@ refresh_pattern . 0 20% 4320 # from interpreting single-component hostnames locally. To allow # Squid to handle single-component names, enable this option. #Default: -# dns_defnames off +# Search for single-label domain names is disabled. + +# TAG: dns_multicast_local on|off +# When set to on, Squid sends multicast DNS lookups on the local +# network for domains ending in .local and .arpa. +# This enables local servers and devices to be contacted in an +# ad-hoc or zero-configuration network environment. +#Default: +# Search for .local and .arpa names is disabled. # TAG: dns_nameservers # Use this if you want to specify a list of DNS name servers # (IP addresses) to use instead of those given in your # /etc/resolv.conf file. +# # On Windows platforms, if no value is specified here or in # the /etc/resolv.conf file, the list of DNS name servers are # taken from the Windows registry, both static and dynamic DHCP @@ -5386,7 +7540,7 @@ refresh_pattern . 0 20% 4320 # # Example: dns_nameservers 10.0.0.1 192.172.0.4 #Default: -# none +# Use operating system definitions # TAG: hosts_file # Location of the host-local IP name-address associations @@ -5425,7 +7579,7 @@ refresh_pattern . 0 20% 4320 #Example: # append_domain .yourdomain.com #Default: -# none +# Use operating system definitions # TAG: ignore_unknown_nameservers # By default Squid checks that DNS responses are received @@ -5436,23 +7590,6 @@ refresh_pattern . 0 20% 4320 #Default: # ignore_unknown_nameservers on -# TAG: dns_v4_fallback -# Standard practice with DNS is to lookup either A or AAAA records -# and use the results if it succeeds. Only looking up the other if -# the first attempt fails or otherwise produces no results. -# -# That policy however will cause squid to produce error pages for some -# servers that advertise AAAA but are unreachable over IPv6. -# -# If this is ON squid will always lookup both AAAA and A, using both. -# If this is OFF squid will lookup AAAA and only try A if none found. -# -# WARNING: There are some possibly unwanted side-effects with this on: -# *) Doubles the load placed by squid on the DNS network. -# *) May negatively impact connection delay times. -#Default: -# dns_v4_fallback on - # TAG: dns_v4_first # With the IPv6 Internet being as fast or faster than IPv4 Internet # for most networks Squid prefers to contact websites over IPv6. @@ -5464,11 +7601,12 @@ refresh_pattern . 0 20% 4320 # WARNING: # This option will restrict the situations under which IPv6 # connectivity is used (and tested), potentially hiding network -# problem swhich would otherwise be detected and warned about. +# problems which would otherwise be detected and warned about. #Default: # dns_v4_first off # TAG: ipcache_size (number of entries) +# Maximum number of DNS IP cache entries. #Default: # ipcache_size 1024 @@ -5489,6 +7627,15 @@ refresh_pattern . 0 20% 4320 # MISCELLANEOUS # ----------------------------------------------------------------------------- +# TAG: configuration_includes_quoted_values on|off +# If set, Squid will recognize each "quoted string" after a configuration +# directive as a single parameter. The quotes are stripped before the +# parameter value is interpreted or used. +# See "Values with spaces, quotes, and other special characters" +# section for more details. +#Default: +# configuration_includes_quoted_values off + # TAG: memory_pools on|off # If set, Squid will keep pools of allocated (but unused) memory # available for future use. If memory is a premium on your @@ -5539,7 +7686,7 @@ refresh_pattern . 0 20% 4320 # X-Forwarded-For header. # # If set to "truncate", Squid will remove all existing -# X-Forwarded-For entries, and place itself as the sole entry. +# X-Forwarded-For entries, and place the client IP as the sole entry. #Default: # forwarded_for on @@ -5602,7 +7749,7 @@ refresh_pattern . 0 20% 4320 # cachemgr_passwd lesssssssecret info stats/objects # cachemgr_passwd disable all #Default: -# none +# No password. Actions which require password are denied. # TAG: client_db on|off # If you want to disable collecting per-client statistics, @@ -5633,19 +7780,22 @@ refresh_pattern . 0 20% 4320 #Default: # reload_into_ims off -# TAG: maximum_single_addr_tries -# This sets the maximum number of connection attempts for a -# host that only has one address (for multiple-address hosts, -# each address is tried once). +# TAG: connect_retries +# This sets the maximum number of connection attempts made for each +# TCP connection. The connect_retries attempts must all still +# complete within the connection timeout period. +# +# The default is not to re-try if the first connection attempt fails. +# The (not recommended) maximum is 10 tries. # -# The default value is one attempt, the (not recommended) -# maximum is 255 tries. A warning message will be generated -# if it is set to a value greater than ten. +# A warning message will be generated if it is set to a too-high +# value and the configured value will be over-ridden. # -# Note: This is in addition to the request re-forwarding which -# takes place if Squid fails to get a satisfying response. +# Note: These re-tries are in addition to forward_max_tries +# which limit how many different addresses may be tried to find +# a useful server. #Default: -# maximum_single_addr_tries 1 +# Do not retry failed connections. # TAG: retry_on_error # If set to ON Squid will automatically retry requests when @@ -5678,20 +7828,32 @@ refresh_pattern . 0 20% 4320 # URI. Options: # # strip: The whitespace characters are stripped out of the URL. -# This is the behavior recommended by RFC2396. +# This is the behavior recommended by RFC2396 and RFC3986 +# for tolerant handling of generic URI. +# NOTE: This is one difference between generic URI and HTTP URLs. +# # deny: The request is denied. The user receives an "Invalid # Request" message. +# This is the behaviour recommended by RFC2616 for safe +# handling of HTTP request URL. +# # allow: The request is allowed and the URI is not changed. The # whitespace characters remain in the URI. Note the # whitespace is passed to redirector processes if they # are in use. +# Note this may be considered a violation of RFC2616 +# request parsing where whitespace is prohibited in the +# URL field. +# # encode: The request is allowed and the whitespace characters are -# encoded according to RFC1738. This could be considered -# a violation of the HTTP/1.1 -# RFC because proxies are not allowed to rewrite URI's. +# encoded according to RFC1738. +# # chop: The request is allowed and the URI is chopped at the -# first whitespace. This might also be considered a -# violation. +# first whitespace. +# +# +# NOTE the current Squid implementation of encode and chop violates +# RFC2616 by not using a 301 redirect after altering the URL. #Default: # uri_whitespace strip @@ -5718,23 +7880,28 @@ refresh_pattern . 0 20% 4320 # balance_on_multiple_ip off # TAG: pipeline_prefetch -# To boost the performance of pipelined requests to closer -# match that of a non-proxied environment Squid can try to fetch -# up to two requests in parallel from a pipeline. -# -# Defaults to off for bandwidth management and access logging +# HTTP clients may send a pipeline of 1+N requests to Squid using a +# single connection, without waiting for Squid to respond to the first +# of those requests. This option limits the number of concurrent +# requests Squid will try to handle in parallel. If set to N, Squid +# will try to receive and process up to 1+N requests on the same +# connection concurrently. +# +# Defaults to 0 (off) for bandwidth management and access logging # reasons. # +# NOTE: pipelining requires persistent connections to clients. +# # WARNING: pipelining breaks NTLM and Negotiate/Kerberos authentication. #Default: -# pipeline_prefetch off +# Do not pre-parse pipelined requests. # TAG: high_response_time_warning (msec) # If the one-minute median response time exceeds this value, # Squid prints a WARNING with debug level 0 to get the # administrators attention. The value is in milliseconds. #Default: -# high_response_time_warning 0 +# disabled. # TAG: high_page_fault_warning # If the one-minute average page fault rate exceeds this @@ -5742,14 +7909,17 @@ refresh_pattern . 0 20% 4320 # the administrators attention. The value is in page faults # per second. #Default: -# high_page_fault_warning 0 +# disabled. # TAG: high_memory_warning -# If the memory usage (as determined by mallinfo) exceeds -# this amount, Squid prints a WARNING with debug level 0 to get +# Note: This option is only available if Squid is rebuilt with the +# GNU Malloc with mstats() +# +# If the memory usage (as determined by gnumalloc, if available and used) +# exceeds this amount, Squid prints a WARNING with debug level 0 to get # the administrators attention. #Default: -# high_memory_warning 0 KB +# disabled. # TAG: sleep_after_fork (microseconds) # When this is set to a non-zero value, the main Squid process @@ -5766,6 +7936,9 @@ refresh_pattern . 0 20% 4320 # sleep_after_fork 0 # TAG: windows_ipaddrchangemonitor on|off +# Note: This option is only available if Squid is rebuilt with the +# MS Windows +# # On Windows Squid by default will monitor IP address changes and will # reconfigure itself after any detected event. This is very useful for # proxies connected to internet with dial-up interfaces. @@ -5775,13 +7948,19 @@ refresh_pattern . 0 20% 4320 #Default: # windows_ipaddrchangemonitor on +# TAG: eui_lookup +# Whether to lookup the EUI or MAC address of a connected client. +#Default: +# eui_lookup on + # TAG: max_filedescriptors -# The maximum number of filedescriptors supported. +# Reduce the maximum number of filedescriptors supported below +# the usual operating system defaults. # -# The default "0" means Squid inherits the current ulimit setting. +# Remove from squid.conf to inherit the current ulimit setting. # # Note: Changing this requires a restart of Squid. Also -# not all comm loops supports large values. +# not all I/O types supports large values (eg on Windows). #Default: -# max_filedescriptors 0 +# Use operating system limits set by ulimit. diff --git a/hosts/codethink-sled11-arm64/etc/squid/squid.conf b/hosts/codethink-sled11-arm64/etc/squid/squid.conf index 34be0ec5..ad1cdc47 100644 --- a/hosts/codethink-sled11-arm64/etc/squid/squid.conf +++ b/hosts/codethink-sled11-arm64/etc/squid/squid.conf @@ -1,4 +1,4 @@ -# WELCOME TO SQUID 3.1.20 +# WELCOME TO SQUID 3.5.23 # ---------------------------- # # This is the documentation for the Squid configuration file. @@ -32,6 +32,188 @@ # This arbitrary restriction is to prevent recursive include references # from causing Squid entering an infinite loop whilst trying to load # configuration files. +# +# Values with byte units +# +# Squid accepts size units on some size related directives. All +# such directives are documented with a default value displaying +# a unit. +# +# Units accepted by Squid are: +# bytes - byte +# KB - Kilobyte (1024 bytes) +# MB - Megabyte +# GB - Gigabyte +# +# Values with spaces, quotes, and other special characters +# +# Squid supports directive parameters with spaces, quotes, and other +# special characters. Surround such parameters with "double quotes". Use +# the configuration_includes_quoted_values directive to enable or +# disable that support. +# +# Squid supports reading configuration option parameters from external +# files using the syntax: +# parameters("/path/filename") +# For example: +# acl whitelist dstdomain parameters("/etc/squid/whitelist.txt") +# +# Conditional configuration +# +# If-statements can be used to make configuration directives +# depend on conditions: +# +# if +# ... regular configuration directives ... +# [else +# ... regular configuration directives ...] +# endif +# +# The else part is optional. The keywords "if", "else", and "endif" +# must be typed on their own lines, as if they were regular +# configuration directives. +# +# NOTE: An else-if condition is not supported. +# +# These individual conditions types are supported: +# +# true +# Always evaluates to true. +# false +# Always evaluates to false. +# = +# Equality comparison of two integer numbers. +# +# +# SMP-Related Macros +# +# The following SMP-related preprocessor macros can be used. +# +# ${process_name} expands to the current Squid process "name" +# (e.g., squid1, squid2, or cache1). +# +# ${process_number} expands to the current Squid process +# identifier, which is an integer number (e.g., 1, 2, 3) unique +# across all Squid processes of the current service instance. +# +# ${service_name} expands into the current Squid service instance +# name identifier which is provided by -n on the command line. +# + +# TAG: broken_vary_encoding +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: cache_vary +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: error_map +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: external_refresh_check +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: location_rewrite_program +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: refresh_stale_hit +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: hierarchy_stoplist +# Remove this line. Use always_direct or cache_peer_access ACLs instead if you need to prevent cache_peer use. +#Default: +# none + +# TAG: log_access +# Remove this line. Use acls with access_log directives to control access logging +#Default: +# none + +# TAG: log_icap +# Remove this line. Use acls with icap_log directives to control icap logging +#Default: +# none + +# TAG: ignore_ims_on_miss +# Remove this line. The HTTP/1.1 feature is now configured by 'cache_miss_revalidate'. +#Default: +# none + +# TAG: chunked_request_body_max_size +# Remove this line. Squid is now HTTP/1.1 compliant. +#Default: +# none + +# TAG: dns_v4_fallback +# Remove this line. Squid performs a 'Happy Eyeballs' algorithm, the 'fallback' algorithm is no longer relevant. +#Default: +# none + +# TAG: emulate_httpd_log +# Replace this with an access_log directive using the format 'common' or 'combined'. +#Default: +# none + +# TAG: forward_log +# Use a regular access.log with ACL limiting it to MISS events. +#Default: +# none + +# TAG: ftp_list_width +# Remove this line. Configure FTP page display using the CSS controls in errorpages.css instead. +#Default: +# none + +# TAG: ignore_expect_100 +# Remove this line. The HTTP/1.1 feature is now fully supported by default. +#Default: +# none + +# TAG: log_fqdn +# Remove this option from your config. To log FQDN use %>A in the log format. +#Default: +# none + +# TAG: log_ip_on_direct +# Remove this option from your config. To log server or peer names use % -##auth_param negotiate children 5 +##auth_param negotiate children 20 startup=0 idle=1 ##auth_param negotiate keep_alive on ## -##auth_param ntlm program -##auth_param ntlm children 5 -##auth_param ntlm keep_alive on -## -##auth_param digest program -##auth_param digest children 5 +##auth_param digest program +##auth_param digest children 20 startup=0 idle=1 ##auth_param digest realm Squid proxy-caching web server ##auth_param digest nonce_garbage_interval 5 minutes ##auth_param digest nonce_max_duration 30 minutes ##auth_param digest nonce_max_count 50 ## +##auth_param ntlm program +##auth_param ntlm children 20 startup=0 idle=1 +##auth_param ntlm keep_alive on +## ##auth_param basic program -##auth_param basic children 5 +##auth_param basic children 5 startup=5 idle=1 ##auth_param basic realm Squid proxy-caching web server ##auth_param basic credentialsttl 2 hours #Default: @@ -343,7 +448,7 @@ # TAG: authenticate_cache_garbage_interval # The time period between garbage collection across the username cache. -# This is a tradeoff between memory utilization (long intervals - say +# This is a trade-off between memory utilization (long intervals - say # 2 days) and CPU (short intervals - say 1 minute). Only change if you # have good reason to. #Default: @@ -362,11 +467,11 @@ # this directive controls how long Squid remembers the IP # addresses associated with each user. Use a small value # (e.g., 60 seconds) if your users might change addresses -# quickly, as is the case with dialups. You might be safe +# quickly, as is the case with dialup. You might be safe # using a larger value (e.g., 2 hours) in a corporate LAN # environment with relatively static address assignments. #Default: -# authenticate_ip_ttl 0 seconds +# authenticate_ip_ttl 1 second # ACCESS CONTROLS # ----------------------------------------------------------------------------- @@ -381,31 +486,66 @@ # # ttl=n TTL in seconds for cached results (defaults to 3600 # for 1 hour) +# # negative_ttl=n # TTL for cached negative lookups (default same # as ttl) -# children=n Number of acl helper processes spawn to service +# +# grace=n Percentage remaining of TTL where a refresh of a +# cached entry should be initiated without needing to +# wait for a new reply. (default is for no grace period) +# +# cache=n The maximum number of entries in the result cache. The +# default limit is 262144 entries. Each cache entry usually +# consumes at least 256 bytes. Squid currently does not remove +# expired cache entries until the limit is reached, so a proxy +# will sooner or later reach the limit. The expanded FORMAT +# value is used as the cache key, so if the details in FORMAT +# are highly variable, a larger cache may be needed to produce +# reduction in helper load. +# +# children-max=n +# Maximum number of acl helper processes spawned to service # external acl lookups of this type. (default 5) +# +# children-startup=n +# Minimum number of acl helper processes to spawn during +# startup and reconfigure to service external acl lookups +# of this type. (default 0) +# +# children-idle=n +# Number of acl helper processes to keep ahead of traffic +# loads. Squid will spawn this many at once whenever load +# rises above the capabilities of existing processes. +# Up to the value of children-max. (default 1) +# # concurrency=n concurrency level per process. Only used with helpers # capable of processing more than one query at a time. -# cache=n result cache size, 0 is unbounded (default) -# grace=n Percentage remaining of TTL where a refresh of a -# cached entry should be initiated without needing to -# wait for a new reply. (default 0 for no grace period) -# protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers +# +# protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers. +# # ipv4 / ipv6 IP protocol used to communicate with this helper. # The default is to auto-detect IPv6 and use it when available. # +# # FORMAT specifications # # %LOGIN Authenticated user login name -# %EXT_USER Username from external acl +# %un A user name. Expands to the first available name +# from the following list of information sources: +# - authenticated user name, like %ul or %LOGIN +# - user name sent by an external ACL, like %EXT_USER +# - SSL client name, like %us in logformat +# - ident user name, like %ui in logformat +# %EXT_USER Username from previous external acl +# %EXT_LOG Log details from previous external acl +# %EXT_TAG Tag from previous external acl # %IDENT Ident user name # %SRC Client IP # %SRCPORT Client source port # %URI Requested URI # %DST Requested host -# %PROTO Requested protocol +# %PROTO Requested URL scheme # %PORT Requested port # %PATH Requested URL path # %METHOD Request method @@ -415,7 +555,10 @@ # %USER_CERT SSL User certificate in PEM format # %USER_CERTCHAIN SSL User certificate chain in PEM format # %USER_CERT_xx SSL User certificate subject attribute xx -# %USER_CA_xx SSL User certificate issuer attribute xx +# %USER_CA_CERT_xx SSL User certificate issuer attribute xx +# %ssl::>sni SSL client SNI sent to Squid +# %ssl::{Header} HTTP request header "Header" # %>{Hdr:member} @@ -433,43 +576,101 @@ # list separator. ; can be any non-alphanumeric # character. # +# %ACL The name of the ACL being tested. +# %DATA The ACL arguments. If not used then any arguments +# is automatically added at the end of the line +# sent to the helper. +# NOTE: this will encode the arguments as one token, +# whereas the default will pass each separately. +# # %% The percent sign. Useful for helpers which need # an unchanging input format. # -# In addition to the above, any string specified in the referencing -# acl will also be included in the helper request line, after the -# specified formats (see the "acl external" directive) # -# The helper receives lines per the above format specification, -# and returns lines starting with OK or ERR indicating the validity -# of the request and optionally followed by additional keywords with -# more details. +# General request syntax: +# +# [channel-ID] FORMAT-values [acl-values ...] +# +# +# FORMAT-values consists of transaction details expanded with +# whitespace separation per the config file FORMAT specification +# using the FORMAT macros listed above. +# +# acl-values consists of any string specified in the referencing +# config 'acl ... external' line. see the "acl external" directive. +# +# Request values sent to the helper are URL escaped to protect +# each value in requests against whitespaces. +# +# If using protocol=2.5 then the request sent to the helper is not +# URL escaped to protect against whitespace. +# +# NOTE: protocol=3.0 is deprecated as no longer necessary. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# +# The helper receives lines expanded per the above format specification +# and for each input line returns 1 line starting with OK/ERR/BH result +# code and optionally followed by additional keywords with more details. +# # # General result syntax: # -# OK/ERR keyword=value ... +# [channel-ID] result keyword=value ... +# +# Result consists of one of the codes: +# +# OK +# the ACL test produced a match. +# +# ERR +# the ACL test does not produce a match. +# +# BH +# An internal error occurred in the helper, preventing +# a result being identified. +# +# The meaning of 'a match' is determined by your squid.conf +# access control configuration. See the Squid wiki for details. # # Defined keywords: # # user= The users name (login) +# # password= The users password (for login= cache_peer option) -# message= Message describing the reason. Available as %o -# in error pages -# tag= Apply a tag to a request (for both ERR and OK results) -# Only sets a tag, does not alter existing tags. +# +# message= Message describing the reason for this response. +# Available as %o in error pages. +# Useful on (ERR and BH results). +# +# tag= Apply a tag to a request. Only sets a tag once, +# does not alter existing tags. +# # log= String to be logged in access.log. Available as -# %ea in logformat specifications +# %ea in logformat specifications. # -# If protocol=3.0 (the default) then URL escaping is used to protect -# each value in both requests and responses. +# clt_conn_tag= Associates a TAG with the client TCP connection. +# Please see url_rewrite_program related documentation +# for this kv-pair. # -# If using protocol=2.5 then all values need to be enclosed in quotes -# if they may contain whitespace, or the whitespace escaped using \. -# And quotes or \ characters within the keyword value must be \ escaped. +# Any keywords may be sent on any response whether OK, ERR or BH. # -# When using the concurrency= option the protocol is changed by -# introducing a query channel tag infront of the request/response. -# The query channel tag is a number between 0 and concurrency-1. +# All response keyword values need to be a single token with URL +# escaping, or enclosed in double quotes (") and escaped using \ on +# any double quotes or \ characters within the value. The wrapping +# double quotes are removed before the value is interpreted by Squid. +# \r and \n are also replace by CR and LF. +# +# Some example key values: +# +# user=John%20Smith +# user="John Smith" +# user="J. \"Bob\" Smith" #Default: # none @@ -485,9 +686,23 @@ # # When using "file", the file should contain one item per line. # -# By default, regular expressions are CASE-SENSITIVE. -# To make them case-insensitive, use the -i option. To return case-sensitive -# use the +i option between patterns, or make a new ACL line without -i. +# Some acl types supports options which changes their default behaviour. +# The available options are: +# +# -i,+i By default, regular expressions are CASE-SENSITIVE. To make them +# case-insensitive, use the -i option. To return case-sensitive +# use the +i option between patterns, or make a new ACL line +# without -i. +# +# -n Disable lookups and address type conversions. If lookup or +# conversion is required because the parameter type (IP or +# domain name) does not match the message address type (domain +# name or IP), then the ACL would immediately declare a mismatch +# without any warnings or lookups. +# +# -- Used to stop processing all options, in the case the first acl +# value has '-' character as first character (for example the '-' +# is a valid domain name) # # Some acl types require suspending the current request in order # to access some external data source. @@ -498,29 +713,31 @@ # # ***** ACL TYPES AVAILABLE ***** # -# acl aclname src ip-address/netmask ... # clients IP address [fast] -# acl aclname src addr1-addr2/netmask ... # range of addresses [fast] -# acl aclname dst ip-address/netmask ... # URL host's IP address [slow] -# acl aclname myip ip-address/netmask ... # local socket IP address [fast] +# acl aclname src ip-address/mask ... # clients IP address [fast] +# acl aclname src addr1-addr2/mask ... # range of addresses [fast] +# acl aclname dst [-n] ip-address/mask ... # URL host's IP address [slow] +# acl aclname localip ip-address/mask ... # IP address the client connected to [fast] # # acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation) -# # The arp ACL requires the special configure option --enable-arp-acl. -# # Furthermore, the ARP ACL code is not portable to all operating systems. -# # It works on Linux, Solaris, Windows, FreeBSD, and some -# # other *BSD variants. # # [fast] +# # The 'arp' ACL code is not portable to all operating systems. +# # It works on Linux, Solaris, Windows, FreeBSD, and some other +# # BSD variants. +# # +# # NOTE: Squid can only determine the MAC/EUI address for IPv4 +# # clients that are on the same subnet. If the client is on a +# # different subnet, then Squid cannot find out its address. # # -# # NOTE: Squid can only determine the MAC address for clients that are on -# # the same subnet. If the client is on a different subnet, -# # then Squid cannot find out its MAC address. +# # NOTE 2: IPv6 protocol does not contain ARP. MAC/EUI is either +# # encoded directly in the IPv6 address or not available. # # acl aclname srcdomain .foo.com ... # # reverse lookup, from client IP [slow] -# acl aclname dstdomain .foo.com ... +# acl aclname dstdomain [-n] .foo.com ... # # Destination server from URL [fast] # acl aclname srcdom_regex [-i] \.foo\.com ... # # regex matching client name [slow] -# acl aclname dstdom_regex [-i] \.foo\.com ... +# acl aclname dstdom_regex [-n] [-i] \.foo\.com ... # # regex matching server [fast] # # # # For dstdomain and dstdom_regex a reverse lookup is tried if a IP @@ -557,13 +774,17 @@ # # acl aclname url_regex [-i] ^http:// ... # # regex matching on whole URL [fast] +# acl aclname urllogin [-i] [^a-zA-Z0-9] ... +# # regex matching on URL login field # acl aclname urlpath_regex [-i] \.gif$ ... # # regex matching on URL path [fast] # # acl aclname port 80 70 21 0-1024... # destination TCP port [fast] # # ranges are alloed -# acl aclname myport 3128 ... # local socket TCP port [fast] -# acl aclname myportname 3128 ... # http(s)_port name [fast] +# acl aclname localport 3128 ... # TCP port the client connected to [fast] +# # NP: for interception mode this is usually '80' +# +# acl aclname myportname 3128 ... # *_port name [fast] # # acl aclname proto HTTP FTP ... # request protocol [fast] # @@ -632,6 +853,11 @@ # # clients may appear to come from multiple addresses if they are # # going through proxy farms, so a limit of 1 may cause user problems. # +# acl aclname random probability +# # Pseudo-randomly match requests. Based on the probability given. +# # Probability may be written as a decimal (0.333), fraction (1/3) +# # or ratio of matches:non-matches (3:5). +# # acl aclname req_mime_type [-i] mime-type ... # # regex match against the mime type of the request generated # # by the client. Can be used to detect file upload or some @@ -663,11 +889,11 @@ # # acl aclname user_cert attribute values... # # match against attributes in a user SSL certificate -# # attribute is one of DN/C/O/CN/L/ST [fast] +# # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast] # # acl aclname ca_cert attribute values... # # match against attributes a users issuing CA SSL certificate -# # attribute is one of DN/C/O/CN/L/ST [fast] +# # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast] # # acl aclname ext_user username ... # acl aclname ext_user_regex [-i] pattern ... @@ -675,7 +901,59 @@ # # use REQUIRED to accept any non-null user name. # # acl aclname tag tagvalue ... -# # string match on tag returned by external acl helper [slow] +# # string match on tag returned by external acl helper [fast] +# # DEPRECATED. Only the first tag will match with this ACL. +# # Use the 'note' ACL instead for handling multiple tag values. +# +# acl aclname hier_code codename ... +# # string match against squid hierarchy code(s); [fast] +# # e.g., DIRECT, PARENT_HIT, NONE, etc. +# # +# # NOTE: This has no effect in http_access rules. It only has +# # effect in rules that affect the reply data stream such as +# # http_reply_access. +# +# acl aclname note name [value ...] +# # match transaction annotation [fast] +# # Without values, matches any annotation with a given name. +# # With value(s), matches any annotation with a given name that +# # also has one of the given values. +# # Names and values are compared using a string equality test. +# # Annotation sources include note and adaptation_meta directives +# # as well as helper and eCAP responses. +# +# acl aclname adaptation_service service ... +# # Matches the name of any icap_service, ecap_service, +# # adaptation_service_set, or adaptation_service_chain that Squid +# # has used (or attempted to use) for the master transaction. +# # This ACL must be defined after the corresponding adaptation +# # service is named in squid.conf. This ACL is usable with +# # adaptation_meta because it starts matching immediately after +# # the service has been selected for adaptation. +# +# acl aclname any-of acl1 acl2 ... +# # match any one of the acls [fast or slow] +# # The first matching ACL stops further ACL evaluation. +# # +# # ACLs from multiple any-of lines with the same name are ORed. +# # For example, A = (a1 or a2) or (a3 or a4) can be written as +# # acl A any-of a1 a2 +# # acl A any-of a3 a4 +# # +# # This group ACL is fast if all evaluated ACLs in the group are fast +# # and slow otherwise. +# +# acl aclname all-of acl1 acl2 ... +# # match all of the acls [fast or slow] +# # The first mismatching ACL stops further ACL evaluation. +# # +# # ACLs from multiple all-of lines with the same name are ORed. +# # For example, B = (b1 and b2) or (b3 and b4) can be written as +# # acl B all-of b1 b2 +# # acl B all-of b3 b4 +# # +# # This group ACL is fast if all evaluated ACLs in the group are fast +# # and slow otherwise. # # Examples: # acl macaddress arp 09:00:2b:23:45:67 @@ -685,14 +963,11 @@ # acl javascript rep_mime_type -i ^application/x-javascript$ # #Default: -# acl all src all +# ACLs all, manager, localhost, and to_localhost are predefined. # # # Recommended minimum configuration: -# (now built-in) -#acl manager proto cache_object -#acl localhost src 127.0.0.1/32 ::1 -#acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1 +# # Example rule allowing access from your local networks. # Adapt to list your (internal) IP networks from where browsing @@ -716,39 +991,83 @@ acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT +# TAG: proxy_protocol_access +# Determine which client proxies can be trusted to provide correct +# information regarding real client IP address using PROXY protocol. +# +# Requests may pass through a chain of several other proxies +# before reaching us. The original source details may by sent in: +# * HTTP message Forwarded header, or +# * HTTP message X-Forwarded-For header, or +# * PROXY protocol connection header. +# +# This directive is solely for validating new PROXY protocol +# connections received from a port flagged with require-proxy-header. +# It is checked only once after TCP connection setup. +# +# A deny match results in TCP connection closure. +# +# An allow match is required for Squid to permit the corresponding +# TCP connection, before Squid even looks for HTTP request headers. +# If there is an allow match, Squid starts using PROXY header information +# to determine the source address of the connection for all future ACL +# checks, logging, etc. +# +# SECURITY CONSIDERATIONS: +# +# Any host from which we accept client IP details can place +# incorrect information in the relevant header, and Squid +# will use the incorrect information as if it were the +# source address of the request. This may enable remote +# hosts to bypass any access control restrictions that are +# based on the client's source addresses. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# all TCP connections to ports with require-proxy-header will be denied + # TAG: follow_x_forwarded_for -# Allowing or Denying the X-Forwarded-For header to be followed to -# find the original source of a request. +# Determine which client proxies can be trusted to provide correct +# information regarding real client IP address. # # Requests may pass through a chain of several other proxies -# before reaching us. The X-Forwarded-For header will contain a -# comma-separated list of the IP addresses in the chain, with the -# rightmost address being the most recent. +# before reaching us. The original source details may by sent in: +# * HTTP message Forwarded header, or +# * HTTP message X-Forwarded-For header, or +# * PROXY protocol connection header. +# +# PROXY protocol connections are controlled by the proxy_protocol_access +# directive which is checked before this. # # If a request reaches us from a source that is allowed by this -# configuration item, then we consult the X-Forwarded-For header -# to see where that host received the request from. If the -# X-Forwarded-For header contains multiple addresses, we continue -# backtracking until we reach an address for which we are not allowed -# to follow the X-Forwarded-For header, or until we reach the first -# address in the list. For the purpose of ACL used in the -# follow_x_forwarded_for directive the src ACL type always matches -# the address we are testing and srcdomain matches its rDNS. +# directive, then we trust the information it provides regarding +# the IP of the client it received from (if any). +# +# For the purpose of ACLs used in this directive the src ACL type always +# matches the address we are testing and srcdomain matches its rDNS. +# +# On each HTTP request Squid checks for X-Forwarded-For header fields. +# If found the header values are iterated in reverse order and an allow +# match is required for Squid to continue on to the next value. +# The verification ends when a value receives a deny match, cannot be +# tested, or there are no more values to test. +# NOTE: Squid does not yet follow the Forwarded HTTP header. # # The end result of this process is an IP address that we will # refer to as the indirect client address. This address may # be treated as the client address for access control, ICAP, delay # pools and logging, depending on the acl_uses_indirect_client, -# icap_uses_indirect_client, delay_pool_uses_indirect_client and -# log_uses_indirect_client options. +# icap_uses_indirect_client, delay_pool_uses_indirect_client, +# log_uses_indirect_client and tproxy_uses_indirect_client options. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # # SECURITY CONSIDERATIONS: # -# Any host for which we follow the X-Forwarded-For header -# can place incorrect information in the header, and Squid +# Any host from which we accept client IP details can place +# incorrect information in the relevant header, and Squid # will use the incorrect information as if it were the # source address of the request. This may enable remote # hosts to bypass any access control restrictions that are @@ -761,7 +1080,7 @@ acl CONNECT method CONNECT # follow_x_forwarded_for allow localhost # follow_x_forwarded_for allow my_other_proxy #Default: -# follow_x_forwarded_for deny all +# X-Forwarded-For header will be ignored. # TAG: acl_uses_indirect_client on|off # Controls whether the indirect client address @@ -787,10 +1106,41 @@ acl CONNECT method CONNECT #Default: # log_uses_indirect_client on +# TAG: tproxy_uses_indirect_client on|off +# Controls whether the indirect client address +# (see follow_x_forwarded_for) is used instead of the +# direct client address when spoofing the outgoing client. +# +# This has no effect on requests arriving in non-tproxy +# mode ports. +# +# SECURITY WARNING: Usage of this option is dangerous +# and should not be used trivially. Correct configuration +# of follow_x_forwarded_for with a limited set of trusted +# sources is required to prevent abuse of your proxy. +#Default: +# tproxy_uses_indirect_client off + +# TAG: spoof_client_ip +# Control client IP address spoofing of TPROXY traffic based on +# defined access lists. +# +# spoof_client_ip allow|deny [!]aclname ... +# +# If there are no "spoof_client_ip" lines present, the default +# is to "allow" spoofing of any suitable request. +# +# Note that the cache_peer "no-tproxy" option overrides this ACL. +# +# This clause supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Allow spoofing on all TPROXY traffic. + # TAG: http_access # Allowing or Denying access based on defined access lists # -# Access to the HTTP port: +# To allow or deny a message received on an HTTP, HTTPS, or FTP port: # http_access allow|deny [!]aclname ... # # NOTE on default values: @@ -809,22 +1159,22 @@ acl CONNECT method CONNECT # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # #Default: -# http_access deny all +# Deny, unless rules exist in squid.conf. # # # Recommended minimum Access Permission configuration: # -# Only allow cachemgr access from localhost -http_access allow manager localhost -http_access deny manager - # Deny requests to certain unsafe ports http_access deny !Safe_ports # Deny CONNECT to other than secure SSL ports http_access deny CONNECT !SSL_ports +# Only allow cachemgr access from localhost +http_access allow localhost manager +http_access deny manager + # We strongly recommend the following be uncommented to protect innocent # web applications running on the proxy server who think the only # one who can access services on "localhost" is a local user @@ -852,7 +1202,7 @@ http_access deny all # # If not set then only http_access is used. #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: http_reply_access # Allow replies to client requests. This is complementary to http_access. @@ -860,7 +1210,7 @@ http_access deny all # http_reply_access allow|deny [!] aclname ... # # NOTE: if there are no access lines present, the default is to allow -# all replies +# all replies. # # If none of the access lines cause a match the opposite of the # last line will apply. Thus it is good practice to end the rules @@ -869,7 +1219,7 @@ http_access deny all # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: icp_access # Allowing or Denying access to the ICP port based on defined @@ -877,7 +1227,9 @@ http_access deny all # # icp_access allow|deny [!]aclname ... # -# See http_access for details +# NOTE: The default if no icp_access lines are present is to +# deny all traffic. This default may cause problems with peers +# using ICP. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. @@ -886,7 +1238,7 @@ http_access deny all ##icp_access allow localnet ##icp_access deny all #Default: -# icp_access deny all +# Deny, unless rules exist in squid.conf. # TAG: htcp_access # Allowing or Denying access to the HTCP port based on defined @@ -894,11 +1246,12 @@ http_access deny all # # htcp_access allow|deny [!]aclname ... # -# See http_access for details +# See also htcp_clr_access for details on access control for +# cache purge (CLR) HTCP messages. # # NOTE: The default if no htcp_access lines are present is to # deny all traffic. This default may cause problems with peers -# using the htcp or htcp-oldsquid options. +# using the htcp option. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. @@ -907,48 +1260,47 @@ http_access deny all ##htcp_access allow localnet ##htcp_access deny all #Default: -# htcp_access deny all +# Deny, unless rules exist in squid.conf. # TAG: htcp_clr_access # Allowing or Denying access to purge content using HTCP based -# on defined access lists +# on defined access lists. +# See htcp_access for details on general HTCP access control. # # htcp_clr_access allow|deny [!]aclname ... # -# See http_access for details -# # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # ## Allow HTCP CLR requests from trusted peers -#acl htcp_clr_peer src 172.16.1.2 +#acl htcp_clr_peer src 192.0.2.2 2001:DB8::2 #htcp_clr_access allow htcp_clr_peer +#htcp_clr_access deny all #Default: -# htcp_clr_access deny all +# Deny, unless rules exist in squid.conf. # TAG: miss_access -# Determins whether network access is permitted when satisfying a request. +# Determines whether network access is permitted when satisfying a request. # # For example; # to force your neighbors to use you as a sibling instead of # a parent. # -# acl localclients src 172.16.0.0/16 -# miss_access allow localclients +# acl localclients src 192.0.2.0/24 2001:DB8::a:0/64 # miss_access deny !localclients +# miss_access allow all # # This means only your local clients are allowed to fetch relayed/MISS # replies from the network and all other clients can only fetch cached # objects (HITs). # -# # The default for this setting allows all clients who passed the # http_access rules to relay via this proxy. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# miss_access allow all +# Allow, unless rules exist in squid.conf. # TAG: ident_lookup_access # A list of ACL elements which, if matched, cause an ident @@ -972,7 +1324,7 @@ http_access deny all # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# ident_lookup_access deny all +# Unless rules exist in squid.conf, IDENT is not fetched. # TAG: reply_body_max_size size [acl acl...] # This option specifies the maximum size of a reply body. It can be @@ -1009,23 +1361,22 @@ http_access deny all # reply_body_max_size 10 MB # #Default: -# none +# No limit is applied. # NETWORK OPTIONS # ----------------------------------------------------------------------------- # TAG: http_port -# Usage: port [options] -# hostname:port [options] -# 1.2.3.4:port [options] +# Usage: port [mode] [options] +# hostname:port [mode] [options] +# 1.2.3.4:port [mode] [options] # # The socket addresses where Squid will listen for HTTP client # requests. You may specify multiple socket addresses. # There are three forms: port alone, hostname with port, and # IP address with port. If you specify a hostname or IP # address, Squid binds the socket to that specific -# address. This replaces the old 'tcp_incoming_address' -# option. Most likely, you do not need to bind to a specific +# address. Most likely, you do not need to bind to a specific # address, so you can use the port number alone. # # If you are running Squid in accelerator mode, you @@ -1037,48 +1388,184 @@ http_access deny all # # You may specify multiple socket addresses on multiple lines. # -# Options: +# Modes: # -# intercept Support for IP-Layer interception of -# outgoing requests without browser settings. -# NP: disables authentication and IPv6 on the port. +# intercept Support for IP-Layer NAT interception delivering +# traffic to this Squid port. +# NP: disables authentication on the port. # -# tproxy Support Linux TPROXY for spoofing outgoing -# connections using the client IP address. -# NP: disables authentication and maybe IPv6 on the port. +# tproxy Support Linux TPROXY (or BSD divert-to) with spoofing +# of outgoing connections using the client IP address. +# NP: disables authentication on the port. # -# accel Accelerator mode. Also needs at least one of -# vhost / vport / defaultsite. +# accel Accelerator / reverse proxy mode # -# allow-direct Allow direct forwarding in accelerator mode. Normally -# accelerated requests are denied direct forwarding as if -# never_direct was used. +# ssl-bump For each CONNECT request allowed by ssl_bump ACLs, +# establish secure connection with the client and with +# the server, decrypt HTTPS messages as they pass through +# Squid, and treat them as unencrypted HTTP messages, +# becoming the man-in-the-middle. # -# defaultsite=domainname -# What to use for the Host: header if it is not present -# in a request. Determines what site (not origin server) -# accelerators should consider the default. -# Implies accel. +# The ssl_bump option is required to fully enable +# bumping of CONNECT requests. +# +# Omitting the mode flag causes default forward proxy mode to be used. +# +# +# Accelerator Mode Options: +# +# defaultsite=domainname +# What to use for the Host: header if it is not present +# in a request. Determines what site (not origin server) +# accelerators should consider the default. # -# vhost Accelerator mode using Host header for virtual domain support. -# Also uses the port as specified in Host: header unless -# overridden by the vport option. Implies accel. +# no-vhost Disable using HTTP/1.1 Host header for virtual domain support. +# +# protocol= Protocol to reconstruct accelerated and intercepted +# requests with. Defaults to HTTP/1.1 for http_port and +# HTTPS/1.1 for https_port. +# When an unsupported value is configured Squid will +# produce a FATAL error. +# Values: HTTP or HTTP/1.1, HTTPS or HTTPS/1.1 # # vport Virtual host port support. Using the http_port number -# instead of the port passed on Host: headers. Implies accel. +# instead of the port passed on Host: headers. # # vport=NN Virtual host port support. Using the specified port # number instead of the port passed on Host: headers. -# Implies accel. # -# protocol= Protocol to reconstruct accelerated requests with. -# Defaults to http. +# act-as-origin +# Act as if this Squid is the origin server. +# This currently means generate new Date: and Expires: +# headers on HIT instead of adding Age:. # # ignore-cc Ignore request Cache-Control headers. # -# Warning: This option violates HTTP specifications if +# WARNING: This option violates HTTP specifications if # used in non-accelerator setups. # +# allow-direct Allow direct forwarding in accelerator mode. Normally +# accelerated requests are denied direct forwarding as if +# never_direct was used. +# +# WARNING: this option opens accelerator mode to security +# vulnerabilities usually only affecting in interception +# mode. Make sure to protect forwarding with suitable +# http_access rules when using this. +# +# +# SSL Bump Mode Options: +# In addition to these options ssl-bump requires TLS/SSL options. +# +# generate-host-certificates[=] +# Dynamically create SSL server certificates for the +# destination hosts of bumped CONNECT requests.When +# enabled, the cert and key options are used to sign +# generated certificates. Otherwise generated +# certificate will be selfsigned. +# If there is a CA certificate lifetime of the generated +# certificate equals lifetime of the CA certificate. If +# generated certificate is selfsigned lifetime is three +# years. +# This option is disabled by default. See the ssl-bump +# option above for more information. +# +# dynamic_cert_mem_cache_size=SIZE +# Approximate total RAM size spent on cached generated +# certificates. If set to zero, caching is disabled. +# +# TLS / SSL Options: +# +# cert= Path to SSL certificate (PEM format). +# +# key= Path to SSL private key file (PEM format) +# if not specified, the certificate file is +# assumed to be a combined certificate and +# key file. +# +# version= The version of SSL/TLS supported +# 1 automatic (default) +# 2 SSLv2 only +# 3 SSLv3 only +# 4 TLSv1.0 only +# 5 TLSv1.1 only +# 6 TLSv1.2 only +# +# cipher= Colon separated list of supported ciphers. +# NOTE: some ciphers such as EDH ciphers depend on +# additional settings. If those settings are +# omitted the ciphers may be silently ignored +# by the OpenSSL library. +# +# options= Various SSL implementation options. The most important +# being: +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# SINGLE_DH_USE Always create a new key when using +# temporary/ephemeral DH key exchanges +# NO_TICKET Disables TLS tickets extension +# +# SINGLE_ECDH_USE +# Enable ephemeral ECDH key exchange. +# The adopted curve should be specified +# using the tls-dh option. +# +# ALL Enable various bug workarounds +# suggested as "harmless" by OpenSSL +# Be warned that this reduces SSL/TLS +# strength to some attacks. +# See OpenSSL SSL_CTX_set_options documentation for a +# complete list of options. +# +# clientca= File containing the list of CAs to use when +# requesting a client certificate. +# +# cafile= File containing additional CA certificates to +# use when verifying client certificates. If unset +# clientca will be used. +# +# capath= Directory containing additional CA certificates +# and CRL lists to use when verifying client certificates. +# +# crlfile= File of additional CRL lists to use when verifying +# the client certificate, in addition to CRLs stored in +# the capath. Implies VERIFY_CRL flag below. +# +# tls-dh=[curve:]file +# File containing DH parameters for temporary/ephemeral DH key +# exchanges, optionally prefixed by a curve for ephemeral ECDH +# key exchanges. +# See OpenSSL documentation for details on how to create the +# DH parameter file. Supported curves for ECDH can be listed +# using the "openssl ecparam -list_curves" command. +# WARNING: EDH and EECDH ciphers will be silently disabled if +# this option is not set. +# +# sslflags= Various flags modifying the use of SSL: +# DELAYED_AUTH +# Don't request client certificates +# immediately, but wait until acl processing +# requires a certificate (not yet implemented). +# NO_DEFAULT_CA +# Don't use the default CA lists built in +# to OpenSSL. +# NO_SESSION_REUSE +# Don't allow for session reuse. Each connection +# will result in a new SSL session. +# VERIFY_CRL +# Verify CRL lists when accepting client +# certificates. +# VERIFY_CRL_ALL +# Verify CRL lists for all certificates in the +# client certificate chain. +# +# sslcontext= SSL session ID context identifier. +# +# Other Options: +# # connection-auth[=on|off] # use connection-auth=off to tell Squid to prevent # forwarding Microsoft connection oriented authentication @@ -1100,22 +1587,6 @@ http_access deny all # sporadically hang or never complete requests set # disable-pmtu-discovery option to 'transparent'. # -# ssl-bump Intercept each CONNECT request matching ssl_bump ACL, -# establish secure connection with the client and with -# the server, decrypt HTTP messages as they pass through -# Squid, and treat them as unencrypted HTTP messages, -# becoming the man-in-the-middle. -# -# When this option is enabled, additional options become -# available to specify SSL-related properties of the -# client-side connection: cert, key, version, cipher, -# options, clientca, cafile, capath, crlfile, dhparams, -# sslflags, and sslcontext. See the https_port directive -# for more information on these options. -# -# The ssl_bump option is required to fully enable -# the SslBump feature. -# # name= Specifies a internal name for the port. Defaults to # the port specification (port or addr:port) # @@ -1125,6 +1596,11 @@ http_access deny all # probing the connection, interval how often to probe, and # timeout the time before giving up. # +# require-proxy-header +# Require PROXY protocol version 1 or 2 connections. +# The proxy_protocol_access is required to whitelist +# downstream proxies which can be trusted. +# # If you run Squid on a dual-homed machine with an internal # and an external interface we recommend you to specify the # internal address:port in http_port. This way Squid will only be @@ -1137,35 +1613,49 @@ http_port 3128 # TAG: https_port # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # -# Usage: [ip:]port cert=certificate.pem [key=key.pem] [options...] +# Usage: [ip:]port cert=certificate.pem [key=key.pem] [mode] [options...] # -# The socket address where Squid will listen for HTTPS client -# requests. +# The socket address where Squid will listen for client requests made +# over TLS or SSL connections. Commonly referred to as HTTPS. # -# This is really only useful for situations where you are running -# squid in accelerator mode and you want to do the SSL work at the -# accelerator level. +# This is most useful for situations where you are running squid in +# accelerator mode and you want to do the SSL work at the accelerator level. # # You may specify multiple socket addresses on multiple lines, # each with their own SSL certificate and/or options. # -# Options: +# Modes: +# +# accel Accelerator / reverse proxy mode +# +# intercept Support for IP-Layer interception of +# outgoing requests without browser settings. +# NP: disables authentication and IPv6 on the port. +# +# tproxy Support Linux TPROXY for spoofing outgoing +# connections using the client IP address. +# NP: disables authentication and maybe IPv6 on the port. +# +# ssl-bump For each intercepted connection allowed by ssl_bump +# ACLs, establish a secure connection with the client and with +# the server, decrypt HTTPS messages as they pass through +# Squid, and treat them as unencrypted HTTP messages, +# becoming the man-in-the-middle. +# +# An "ssl_bump server-first" match is required to +# fully enable bumping of intercepted SSL connections. +# +# Requires tproxy or intercept. # -# accel Accelerator mode. Also needs at least one of -# defaultsite or vhost. +# Omitting the mode flag causes default forward proxy mode to be used. # -# defaultsite= The name of the https site presented on -# this port. Implies accel. # -# vhost Accelerator mode using Host header for virtual -# domain support. Requires a wildcard certificate -# or other certificate valid for more than one domain. -# Implies accel. +# See http_port for a list of generic options # -# protocol= Protocol to reconstruct accelerated requests with. -# Defaults to https. +# +# SSL Options: # # cert= Path to SSL certificate (PEM format). # @@ -1181,20 +1671,23 @@ http_port 3128 # 4 TLSv1 only # # cipher= Colon separated list of supported ciphers. -# NOTE: some ciphers such as EDH ciphers depend on -# additional settings. If those settings are -# omitted the ciphers may be silently ignored -# by the OpenSSL library. # # options= Various SSL engine options. The most important # being: # NO_SSLv2 Disallow the use of SSLv2 # NO_SSLv3 Disallow the use of SSLv3 # NO_TLSv1 Disallow the use of TLSv1 +# # SINGLE_DH_USE Always create a new key when using # temporary/ephemeral DH key exchanges -# See OpenSSL SSL_CTX_set_options documentation for a -# complete list of options. +# +# SINGLE_ECDH_USE +# Enable ephemeral ECDH key exchange. +# The adopted curve should be specified +# using the tls-dh option. +# +# See src/ssl_support.c or OpenSSL SSL_CTX_set_options +# documentation for a complete list of options. # # clientca= File containing the list of CAs to use when # requesting a client certificate. @@ -1210,11 +1703,10 @@ http_port 3128 # the client certificate, in addition to CRLs stored in # the capath. Implies VERIFY_CRL flag below. # -# dhparams= File containing DH parameters for temporary/ephemeral -# DH key exchanges. See OpenSSL documentation for details -# on how to create this file. -# WARNING: EDH ciphers will be silently disabled if this -# option is not set. +# tls-dh=[curve:]file +# File containing DH parameters for temporary/ephemeral DH key +# exchanges, optionally prefixed by a curve for ephemeral ECDH +# key exchanges. # # sslflags= Various flags modifying the use of SSL: # DELAYED_AUTH @@ -1238,38 +1730,89 @@ http_port 3128 # # generate-host-certificates[=] # Dynamically create SSL server certificates for the -# destination hosts of bumped CONNECT requests.When +# destination hosts of bumped SSL requests.When # enabled, the cert and key options are used to sign # generated certificates. Otherwise generated # certificate will be selfsigned. -# If there is CA certificate life time of generated +# If there is CA certificate life time of generated # certificate equals lifetime of CA certificate. If -# generated certificate is selfsigned lifetime is three +# generated certificate is selfsigned lifetime is three # years. -# This option is enabled by default when SslBump is used. -# See the sslBump option above for more information. -# +# This option is disabled by default. See the ssl-bump +# option above for more information. +# # dynamic_cert_mem_cache_size=SIZE # Approximate total RAM size spent on cached generated -# certificates. If set to zero, caching is disabled. The -# default value is 4MB. An average XXX-bit certificate -# consumes about XXX bytes of RAM. +# certificates. If set to zero, caching is disabled. # -# vport Accelerator with IP based virtual host support. +# See http_port for a list of available options. +#Default: +# none + +# TAG: ftp_port +# Enables Native FTP proxy by specifying the socket address where Squid +# listens for FTP client requests. See http_port directive for various +# ways to specify the listening address and mode. # -# vport=NN As above, but uses specified port number rather -# than the https_port number. Implies accel. +# Usage: ftp_port address [mode] [options] # -# name= Specifies a internal name for the port. Defaults to -# the port specification (port or addr:port) +# WARNING: This is a new, experimental, complex feature that has seen +# limited production exposure. Some Squid modules (e.g., caching) do not +# currently work with native FTP proxying, and many features have not +# even been tested for compatibility. Test well before deploying! +# +# Native FTP proxying differs substantially from proxying HTTP requests +# with ftp:// URIs because Squid works as an FTP server and receives +# actual FTP commands (rather than HTTP requests with FTP URLs). # +# Native FTP commands accepted at ftp_port are internally converted or +# wrapped into HTTP-like messages. The same happens to Native FTP +# responses received from FTP origin servers. Those HTTP-like messages +# are shoveled through regular access control and adaptation layers +# between the FTP client and the FTP origin server. This allows Squid to +# examine, adapt, block, and log FTP exchanges. Squid reuses most HTTP +# mechanisms when shoveling wrapped FTP messages. For example, +# http_access and adaptation_access directives are used. +# +# Modes: +# +# intercept Same as http_port intercept. The FTP origin address is +# determined based on the intended destination of the +# intercepted connection. +# +# tproxy Support Linux TPROXY for spoofing outgoing +# connections using the client IP address. +# NP: disables authentication and maybe IPv6 on the port. +# +# By default (i.e., without an explicit mode option), Squid extracts the +# FTP origin address from the login@origin parameter of the FTP USER +# command. Many popular FTP clients support such native FTP proxying. +# +# Options: +# +# name=token Specifies an internal name for the port. Defaults to +# the port address. Usable with myportname ACL. +# +# ftp-track-dirs +# Enables tracking of FTP directories by injecting extra +# PWD commands and adjusting Request-URI (in wrapping +# HTTP requests) to reflect the current FTP server +# directory. Tracking is disabled by default. +# +# protocol=FTP Protocol to reconstruct accelerated and intercepted +# requests with. Defaults to FTP. No other accepted +# values have been tested with. An unsupported value +# results in a FATAL error. Accepted values are FTP, +# HTTP (or HTTP/1.1), and HTTPS (or HTTPS/1.1). +# +# Other http_port modes and options that are not specific to HTTP and +# HTTPS may also work. #Default: # none # TAG: tcp_outgoing_tos -# Allows you to select a TOS/Diffserv value to mark outgoing -# connections with, based on the username or source address -# making the request. +# Allows you to select a TOS/Diffserv value for packets outgoing +# on the server side, based on an ACL. # # tcp_outgoing_tos ds-field [!]aclname ... # @@ -1286,41 +1829,116 @@ http_port 3128 # RFC2475, and RFC3260. # # The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or -# "default" to use whatever default your host has. Note that in -# practice often only multiples of 4 is usable as the two rightmost bits -# have been redefined for use by ECN (RFC 3168 section 23.1). +# "default" to use whatever default your host has. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. # # Processing proceeds in the order specified, and stops at first fully # matching line. # -# Note: The use of this directive using client dependent ACLs is -# incompatible with the use of server side persistent connections. To -# ensure correct results it is best to set server_persistent_connections -# to off when using this directive in such configurations. +# Only fast ACLs are supported. #Default: # none # TAG: clientside_tos -# Allows you to select a TOS/Diffserv value to mark client-side -# connections with, based on the username or source address -# making the request. +# Allows you to select a TOS/DSCP value for packets being transmitted +# on the client-side, based on an ACL. +# +# clientside_tos ds-field [!]aclname ... +# +# Example where normal_service_net uses the TOS value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# clientside_tos 0x00 normal_service_net +# clientside_tos 0x20 good_service_net +# +# Note: This feature is incompatible with qos_flows. Any TOS values set here +# will be overwritten by TOS values in qos_flows. +# +# The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or +# "default" to use whatever default your host has. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. +# +#Default: +# none + +# TAG: tcp_outgoing_mark +# Note: This option is only available if Squid is rebuilt with the +# Packet MARK (Linux) +# +# Allows you to apply a Netfilter mark value to outgoing packets +# on the server side, based on an ACL. +# +# tcp_outgoing_mark mark-value [!]aclname ... +# +# Example where normal_service_net uses the mark value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# tcp_outgoing_mark 0x00 normal_service_net +# tcp_outgoing_mark 0x20 good_service_net +# +# Only fast ACLs are supported. +#Default: +# none + +# TAG: clientside_mark +# Note: This option is only available if Squid is rebuilt with the +# Packet MARK (Linux) +# +# Allows you to apply a Netfilter mark value to packets being transmitted +# on the client-side, based on an ACL. +# +# clientside_mark mark-value [!]aclname ... +# +# Example where normal_service_net uses the mark value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# clientside_mark 0x00 normal_service_net +# clientside_mark 0x20 good_service_net +# +# Note: This feature is incompatible with qos_flows. Any mark values set here +# will be overwritten by mark values in qos_flows. #Default: # none # TAG: qos_flows # Allows you to select a TOS/DSCP value to mark outgoing -# connections with, based on where the reply was sourced. +# connections to the client, based on where the reply was sourced. +# For platforms using netfilter, allows you to set a netfilter mark +# value instead of, or in addition to, a TOS value. +# +# By default this functionality is disabled. To enable it with the default +# settings simply use "qos_flows mark" or "qos_flows tos". Default +# settings will result in the netfilter mark or TOS value being copied +# from the upstream connection to the client. Note that it is the connection +# CONNMARK value not the packet MARK value that is copied. +# +# It is not currently possible to copy the mark or TOS value from the +# client to the upstream connection request. # # TOS values really only have local significance - so you should # know what you're specifying. For more information, see RFC2474, # RFC2475, and RFC3260. # -# The TOS/DSCP byte must be exactly that - octet value 0x00-0xFF. -# Note that in practice often only values up to 0x3F are usable -# as the two highest bits have been redefined for use by ECN -# (RFC3168). +# The TOS/DSCP byte must be exactly that - a octet value 0 - 255. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. +# +# Mark values can be any unsigned 32-bit integer value. # -# This setting is configured by setting the source TOS values: +# This setting is configured by setting the following values: +# +# tos|mark Whether to set TOS or netfilter mark values # # local-hit=0xFF Value to mark local cache hits. # @@ -1328,23 +1946,37 @@ http_port 3128 # # parent-hit=0xFF Value to mark hits from parent peers. # +# miss=0xFF[/mask] Value to mark cache misses. Takes precedence +# over the preserve-miss feature (see below), unless +# mask is specified, in which case only the bits +# specified in the mask are written. # -# NOTE: 'miss' preserve feature is only possible on Linux at this time. -# -# For the following to work correctly, you will need to patch your -# linux kernel with the TOS preserving ZPH patch. -# The kernel patch can be downloaded from http://zph.bratcheda.org +# The TOS variant of the following features are only possible on Linux +# and require your kernel to be patched with the TOS preserving ZPH +# patch, available from http://zph.bratcheda.org +# No patch is needed to preserve the netfilter mark, which will work +# with all variants of netfilter. # # disable-preserve-miss -# By default, the existing TOS value of the response coming -# from the remote server will be retained and masked with -# miss-mark. This option disables that feature. +# This option disables the preservation of the TOS or netfilter +# mark. By default, the existing TOS or netfilter mark value of +# the response coming from the remote server will be retained +# and masked with miss-mark. +# NOTE: in the case of a netfilter mark, the mark must be set on +# the connection (using the CONNMARK target) not on the packet +# (MARK target). # # miss-mask=0xFF -# Allows you to mask certain bits in the TOS received from the -# remote server, before copying the value to the TOS sent -# towards clients. -# Default: 0xFF (TOS from server is not changed). +# Allows you to mask certain bits in the TOS or mark value +# received from the remote server, before copying the value to +# the TOS sent towards clients. +# Default for tos: 0xFF (TOS from server is not changed). +# Default for mark: 0xFFFFFFFF (mark from server is not changed). +# +# All of these features require the --enable-zph-qos compilation flag +# (enabled by default). Netfilter marking also requires the +# libnetfilter_conntrack libraries (--with-netfilter-conntrack) and +# libcap 2.09+ (--with-libcap). # #Default: # none @@ -1356,72 +1988,133 @@ http_port 3128 # # tcp_outgoing_address ipaddr [[!]aclname] ... # -# Example where requests from 10.0.0.0/24 will be forwarded -# with source address 10.1.0.1, 10.0.2.0/24 forwarded with -# source address 10.1.0.2 and the rest will be forwarded with -# source address 10.1.0.3. -# -# acl normal_service_net src 10.0.0.0/24 -# acl good_service_net src 10.0.2.0/24 -# tcp_outgoing_address 10.1.0.1 normal_service_net -# tcp_outgoing_address 10.1.0.2 good_service_net -# tcp_outgoing_address 10.1.0.3 -# -# Processing proceeds in the order specified, and stops at first fully -# matching line. -# -# Note: The use of this directive using client dependent ACLs is -# incompatible with the use of server side persistent connections. To -# ensure correct results it is best to set server_persistent_connections -# to off when using this directive in such configurations. -# +# For example; +# Forwarding clients with dedicated IPs for certain subnets. # -# IPv6 Magic: +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.2.0/24 # -# Squid is built with a capability of bridging the IPv4 and IPv6 -# internets. -# tcp_outgoing_address as exampled above breaks this bridging by forcing -# all outbound traffic through a certain IPv4 which may be on the wrong -# side of the IPv4/IPv6 boundary. +# tcp_outgoing_address 2001:db8::c001 good_service_net +# tcp_outgoing_address 10.1.0.2 good_service_net # -# To operate with tcp_outgoing_address and keep the bridging benefits -# an additional ACL needs to be used which ensures the IPv6-bound traffic -# is never forced or permitted out the IPv4 interface. +# tcp_outgoing_address 2001:db8::beef normal_service_net +# tcp_outgoing_address 10.1.0.1 normal_service_net # -# # IPv6 destination test along with a dummy access control to perform the required DNS -# # This MUST be place before any ALLOW rules. -# acl to_ipv6 dst ipv6 -# http_access deny ipv6 !all +# tcp_outgoing_address 2001:db8::1 +# tcp_outgoing_address 10.1.0.3 # -# tcp_outgoing_address 2001:db8::c001 good_service_net to_ipv6 -# tcp_outgoing_address 10.1.0.2 good_service_net !to_ipv6 +# Processing proceeds in the order specified, and stops at first fully +# matching line. # -# tcp_outgoing_address 2001:db8::beef normal_service_net to_ipv6 -# tcp_outgoing_address 10.1.0.1 normal_service_net !to_ipv6 +# Squid will add an implicit IP version test to each line. +# Requests going to IPv4 websites will use the outgoing 10.1.0.* addresses. +# Requests going to IPv6 websites will use the outgoing 2001:db8:* addresses. # -# tcp_outgoing_address 2001:db8::1 to_ipv6 -# tcp_outgoing_address 10.1.0.3 !to_ipv6 # -# WARNING: -# 'dst ipv6' bases its selection assuming DIRECT access. -# If peers are used the peername ACL are needed to select outgoing -# address which can link to the peer. +# NOTE: The use of this directive using client dependent ACLs is +# incompatible with the use of server side persistent connections. To +# ensure correct results it is best to set server_persistent_connections +# to off when using this directive in such configurations. # -# 'dst ipv6' is a slow ACL. It will only work here if 'dst' is used -# previously in the http_access rules to locate the destination IP. -# Some more magic may be needed for that: -# http_access allow to_ipv6 !all -# (meaning, allow if to IPv6 but not from anywhere ;) +# NOTE: The use of this directive to set a local IP on outgoing TCP links +# is incompatible with using TPROXY to set client IP out outbound TCP links. +# When needing to contact peers use the no-tproxy cache_peer option and the +# client_dst_passthru directive re-enable normal forwarding such as this. # #Default: -# none +# Address selection is performed by the operating system. + +# TAG: host_verify_strict +# Regardless of this option setting, when dealing with intercepted +# traffic, Squid always verifies that the destination IP address matches +# the Host header domain or IP (called 'authority form URL'). +# +# This enforcement is performed to satisfy a MUST-level requirement in +# RFC 2616 section 14.23: "The Host field value MUST represent the naming +# authority of the origin server or gateway given by the original URL". +# +# When set to ON: +# Squid always responds with an HTTP 409 (Conflict) error +# page and logs a security warning if there is no match. +# +# Squid verifies that the destination IP address matches +# the Host header for forward-proxy and reverse-proxy traffic +# as well. For those traffic types, Squid also enables the +# following checks, comparing the corresponding Host header +# and Request-URI components: +# +# * The host names (domain or IP) must be identical, +# but valueless or missing Host header disables all checks. +# For the two host names to match, both must be either IP +# or FQDN. +# +# * Port numbers must be identical, but if a port is missing +# the scheme-default port is assumed. +# +# +# When set to OFF (the default): +# Squid allows suspicious requests to continue but logs a +# security warning and blocks caching of the response. +# +# * Forward-proxy traffic is not checked at all. +# +# * Reverse-proxy traffic is not checked at all. +# +# * Intercepted traffic which passes verification is handled +# according to client_dst_passthru. +# +# * Intercepted requests which fail verification are sent +# to the client original destination instead of DIRECT. +# This overrides 'client_dst_passthru off'. +# +# For now suspicious intercepted CONNECT requests are always +# responded to with an HTTP 409 (Conflict) error page. +# +# +# SECURITY NOTE: +# +# As described in CVE-2009-0801 when the Host: header alone is used +# to determine the destination of a request it becomes trivial for +# malicious scripts on remote websites to bypass browser same-origin +# security policy and sandboxing protections. +# +# The cause of this is that such applets are allowed to perform their +# own HTTP stack, in which case the same-origin policy of the browser +# sandbox only verifies that the applet tries to contact the same IP +# as from where it was loaded at the IP level. The Host: header may +# be different from the connected IP and approved origin. +# +#Default: +# host_verify_strict off + +# TAG: client_dst_passthru +# With NAT or TPROXY intercepted traffic Squid may pass the request +# directly to the original client destination IP or seek a faster +# source using the HTTP Host header. +# +# Using Host to locate alternative servers can provide faster +# connectivity with a range of failure recovery options. +# But can also lead to connectivity trouble when the client and +# server are attempting stateful interactions unaware of the proxy. +# +# This option (on by default) prevents alternative DNS entries being +# located to send intercepted traffic DIRECT to an origin server. +# The clients original destination IP and port will be used instead. +# +# Regardless of this option setting, when dealing with intercepted +# traffic Squid will verify the Host: header and any traffic which +# fails Host verification will be treated as if this option were ON. +# +# see host_verify_strict for details on the verification process. +#Default: +# client_dst_passthru on # SSL OPTIONS # ----------------------------------------------------------------------------- # TAG: ssl_unclean_shutdown # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Some browsers (especially MSIE) bugs out on SSL shutdown # messages. @@ -1430,7 +2123,7 @@ http_port 3128 # TAG: ssl_engine # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # The OpenSSL engine to use. You will need to set this if you # would like to use hardware SSL acceleration for example. @@ -1439,7 +2132,7 @@ http_port 3128 # TAG: sslproxy_client_certificate # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Client SSL Certificate to use when proxying https:// URLs #Default: @@ -1447,7 +2140,7 @@ http_port 3128 # TAG: sslproxy_client_key # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Client SSL Key to use when proxying https:// URLs #Default: @@ -1455,36 +2148,60 @@ http_port 3128 # TAG: sslproxy_version # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # SSL version level to use when proxying https:// URLs +# +# The versions of SSL/TLS supported: +# +# 1 automatic (default) +# 2 SSLv2 only +# 3 SSLv3 only +# 4 TLSv1.0 only +# 5 TLSv1.1 only +# 6 TLSv1.2 only #Default: -# sslproxy_version 1 +# automatic SSL/TLS version negotiation # TAG: sslproxy_options # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # -# SSL engine options to use when proxying https:// URLs +# Colon (:) or comma (,) separated list of SSL implementation options +# to use when proxying https:// URLs # # The most important being: # -# NO_SSLv2 Disallow the use of SSLv2 -# NO_SSLv3 Disallow the use of SSLv3 -# NO_TLSv1 Disallow the use of TLSv1 -# SINGLE_DH_USE -# Always create a new key when using -# temporary/ephemeral DH key exchanges +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# +# SINGLE_DH_USE +# Always create a new key when using temporary/ephemeral +# DH key exchanges +# +# NO_TICKET +# Disable use of RFC5077 session tickets. Some servers +# may have problems understanding the TLS extension due +# to ambiguous specification in RFC4507. +# +# ALL Enable various bug workarounds suggested as "harmless" +# by OpenSSL. Be warned that this may reduce SSL/TLS +# strength to some attacks. # -# These options vary depending on your SSL engine. # See the OpenSSL SSL_CTX_set_options documentation for a # complete list of possible options. +# +# WARNING: This directive takes a single token. If a space is used +# the value(s) after that space are SILENTLY IGNORED. #Default: # none # TAG: sslproxy_cipher # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # SSL cipher list to use when proxying https:// URLs # @@ -1494,7 +2211,7 @@ http_port 3128 # TAG: sslproxy_cafile # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # file containing CA certificates to use when verifying server # certificates while proxying https:// URLs @@ -1503,45 +2220,151 @@ http_port 3128 # TAG: sslproxy_capath # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # directory containing CA certificates to use when verifying # server certificates while proxying https:// URLs #Default: # none -# TAG: ssl_bump +# TAG: sslproxy_session_ttl +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the timeout value for SSL sessions +#Default: +# sslproxy_session_ttl 300 + +# TAG: sslproxy_session_cache_size +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the cache size to use for ssl session +#Default: +# sslproxy_session_cache_size 2 MB + +# TAG: sslproxy_foreign_intermediate_certs # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # -# This ACL controls which CONNECT requests to an http_port -# marked with an sslBump flag are actually "bumped". Please -# see the sslBump flag of an http_port option for more details -# about decoding proxied SSL connections. +# Many origin servers fail to send their full server certificate +# chain for verification, assuming the client already has or can +# easily locate any missing intermediate certificates. # -# By default, no requests are bumped. +# Squid uses the certificates from the specified file to fill in +# these missing chains when trying to validate origin server +# certificate chains. +# +# The file is expected to contain zero or more PEM-encoded +# intermediate certificates. These certificates are not treated +# as trusted root certificates, and any self-signed certificate in +# this file will be ignored. +#Default: +# none + +# TAG: sslproxy_cert_sign_hash +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the hashing algorithm to use when signing generated certificates. +# Valid algorithm names depend on the OpenSSL library used. The following +# names are usually available: sha1, sha256, sha512, and md5. Please see +# your OpenSSL library manual for the available hashes. By default, Squids +# that support this option use sha256 hashes. +# +# Squid does not forcefully purge cached certificates that were generated +# with an algorithm other than the currently configured one. They remain +# in the cache, subject to the regular cache eviction policy, and become +# useful if the algorithm changes again. +#Default: +# none + +# TAG: ssl_bump +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# This option is consulted when a CONNECT request is received on +# an http_port (or a new connection is intercepted at an +# https_port), provided that port was configured with an ssl-bump +# flag. The subsequent data on the connection is either treated as +# HTTPS and decrypted OR tunneled at TCP level without decryption, +# depending on the first matching bumping "action". +# +# ssl_bump [!]acl ... +# +# The following bumping actions are currently supported: +# +# splice +# Become a TCP tunnel without decrypting proxied traffic. +# This is the default action. +# +# bump +# Establish a secure connection with the server and, using a +# mimicked server certificate, with the client. +# +# peek +# Receive client (step SslBump1) or server (step SslBump2) +# certificate while preserving the possibility of splicing the +# connection. Peeking at the server certificate (during step 2) +# usually precludes bumping of the connection at step 3. +# +# stare +# Receive client (step SslBump1) or server (step SslBump2) +# certificate while preserving the possibility of bumping the +# connection. Staring at the server certificate (during step 2) +# usually precludes splicing of the connection at step 3. +# +# terminate +# Close client and server connections. +# +# Backward compatibility actions available at step SslBump1: +# +# client-first +# Bump the connection. Establish a secure connection with the +# client first, then connect to the server. This old mode does +# not allow Squid to mimic server SSL certificate and does not +# work with intercepted SSL connections. +# +# server-first +# Bump the connection. Establish a secure connection with the +# server first, then establish a secure connection with the +# client, using a mimicked server certificate. Works with both +# CONNECT requests and intercepted SSL connections, but does +# not allow to make decisions based on SSL handshake info. +# +# peek-and-splice +# Decide whether to bump or splice the connection based on +# client-to-squid and server-to-squid SSL hello messages. +# XXX: Remove. +# +# none +# Same as the "splice" action. +# +# All ssl_bump rules are evaluated at each of the supported bumping +# steps. Rules with actions that are impossible at the current step are +# ignored. The first matching ssl_bump action wins and is applied at the +# end of the current step. If no rules match, the splice action is used. +# See the at_step ACL for a list of the supported SslBump steps. # -# See also: http_port ssl-bump -# # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # +# See also: http_port ssl-bump, https_port ssl-bump, and acl at_step. +# # -# # Example: Bump all requests except those originating from localhost and -# # those going to webax.com or example.com sites. +# # Example: Bump all TLS connections except those originating from +# # localhost or those going to example.com. # -# acl localhost src 127.0.0.1/32 -# acl broken_sites dstdomain .webax.com -# acl broken_sites dstdomain .example.com -# ssl_bump deny localhost -# ssl_bump deny broken_sites -# ssl_bump allow all +# acl broken_sites ssl::server_name .example.com +# ssl_bump splice localhost +# ssl_bump splice broken_sites +# ssl_bump bump all #Default: -# none +# Become a TCP tunnel without decrypting proxied traffic. # TAG: sslproxy_flags # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Various flags modifying the use of SSL while proxying https:// URLs: # DONT_VERIFY_PEER Accept certificates that fail verification. @@ -1553,16 +2376,16 @@ http_port 3128 # TAG: sslproxy_cert_error # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Use this ACL to bypass server certificate validation errors. # # For example, the following lines will bypass all validation errors -# when talking to servers located at 172.16.0.0/16. All other +# when talking to servers for example.com. All other # validation errors will result in ERR_SECURE_CONNECT_FAIL error. # -# acl BrokenServersAtTrustedIP dst 172.16.0.0/16 -# sslproxy_cert_error allow BrokenServersAtTrustedIP +# acl BrokenButTrustedServers dstdomain example.com +# sslproxy_cert_error allow BrokenButTrustedServers # sslproxy_cert_error deny all # # This clause only supports fast acl types. @@ -1570,19 +2393,107 @@ http_port 3128 # Using slow acl types may result in server crashes # # Without this option, all server certificate validation errors -# terminate the transaction. Bypassing validation errors is dangerous -# because an error usually implies that the server cannot be trusted and -# the connection may be insecure. +# terminate the transaction to protect Squid and the client. +# +# SQUID_X509_V_ERR_INFINITE_VALIDATION error cannot be bypassed +# but should not happen unless your OpenSSL library is buggy. +# +# SECURITY WARNING: +# Bypassing validation errors is dangerous because an +# error usually implies that the server cannot be trusted +# and the connection may be insecure. # # See also: sslproxy_flags and DONT_VERIFY_PEER. +#Default: +# Server certificate errors terminate the transaction. + +# TAG: sslproxy_cert_sign +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# # -# Default setting: sslproxy_cert_error deny all +# sslproxy_cert_sign acl ... +# +# The following certificate signing algorithms are supported: +# +# signTrusted +# Sign using the configured CA certificate which is usually +# placed in and trusted by end-user browsers. This is the +# default for trusted origin server certificates. +# +# signUntrusted +# Sign to guarantee an X509_V_ERR_CERT_UNTRUSTED browser error. +# This is the default for untrusted origin server certificates +# that are not self-signed (see ssl::certUntrusted). +# +# signSelf +# Sign using a self-signed certificate with the right CN to +# generate a X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT error in the +# browser. This is the default for self-signed origin server +# certificates (see ssl::certSelfSigned). +# +# This clause only supports fast acl types. +# +# When sslproxy_cert_sign acl(s) match, Squid uses the corresponding +# signing algorithm to generate the certificate and ignores all +# subsequent sslproxy_cert_sign options (the first match wins). If no +# acl(s) match, the default signing algorithm is determined by errors +# detected when obtaining and validating the origin server certificate. +# +# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can +# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a +# CONNECT request that carries a domain name. In all other cases (CONNECT +# to an IP address or an intercepted SSL connection), Squid cannot detect +# the domain mismatch at certificate generation time when +# bump-server-first is used. +#Default: +# none + +# TAG: sslproxy_cert_adapt +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# +# sslproxy_cert_adapt acl ... +# +# The following certificate adaptation algorithms are supported: +# +# setValidAfter +# Sets the "Not After" property to the "Not After" property of +# the CA certificate used to sign generated certificates. +# +# setValidBefore +# Sets the "Not Before" property to the "Not Before" property of +# the CA certificate used to sign generated certificates. +# +# setCommonName or setCommonName{CN} +# Sets Subject.CN property to the host name specified as a +# CN parameter or, if no explicit CN parameter was specified, +# extracted from the CONNECT request. It is a misconfiguration +# to use setCommonName without an explicit parameter for +# intercepted or tproxied SSL connections. +# +# This clause only supports fast acl types. +# +# Squid first groups sslproxy_cert_adapt options by adaptation algorithm. +# Within a group, when sslproxy_cert_adapt acl(s) match, Squid uses the +# corresponding adaptation algorithm to generate the certificate and +# ignores all subsequent sslproxy_cert_adapt options in that algorithm's +# group (i.e., the first match wins within each algorithm group). If no +# acl(s) match, the default mimicking action takes place. +# +# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can +# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a +# CONNECT request that carries a domain name. In all other cases (CONNECT +# to an IP address or an intercepted SSL connection), Squid cannot detect +# the domain mismatch at certificate generation time when +# bump-server-first is used. #Default: # none # TAG: sslpassword_program # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Specify a program used for entering SSL key passphrases # when using encrypted SSL certificate keys. If not specified @@ -1595,12 +2506,12 @@ http_port 3128 #Default: # none -#OPTIONS RELATING TO EXTERNAL SSL_CRTD -#----------------------------------------------------------------------------- +# OPTIONS RELATING TO EXTERNAL SSL_CRTD +# ----------------------------------------------------------------------------- # TAG: sslcrtd_program # Note: This option is only available if Squid is rebuilt with the -# -DUSE_SSL_CRTD define +# --enable-ssl-crtd # # Specify the location and options of the executable for ssl_crtd process. # /usr/lib/squid/ssl_crtd program requires -s and -M parameters @@ -1611,14 +2522,90 @@ http_port 3128 # TAG: sslcrtd_children # Note: This option is only available if Squid is rebuilt with the -# -DUSE_SSL_CRTD define +# --enable-ssl-crtd # # The maximum number of processes spawn to service ssl server. # The maximum this may be safely set to is 32. # +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup=N +# +# Sets the minimum number of processes to spawn when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few children temporary slows Squid under load while it +# tries to spawn enough additional processes to cope with traffic. +# +# idle=N +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# # You must have at least one ssl_crtd process. #Default: -# sslcrtd_children 5 +# sslcrtd_children 32 startup=5 idle=1 + +# TAG: sslcrtvalidator_program +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Specify the location and options of the executable for ssl_crt_validator +# process. +# +# Usage: sslcrtvalidator_program [ttl=n] [cache=n] path ... +# +# Options: +# ttl=n TTL in seconds for cached results. The default is 60 secs +# cache=n limit the result cache size. The default value is 2048 +#Default: +# none + +# TAG: sslcrtvalidator_children +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# The maximum number of processes spawn to service SSL server. +# The maximum this may be safely set to is 32. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup=N +# +# Sets the minimum number of processes to spawn when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few children temporary slows Squid under load while it +# tries to spawn enough additional processes to cope with traffic. +# +# idle=N +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# +# The number of requests each certificate validator helper can handle in +# parallel. A value of 0 indicates the certficate validator does not +# support concurrency. Defaults to 1. +# +# When this directive is set to a value >= 1 then the protocol +# used to communicate with the helper is modified to include +# a request ID in front of the request/response. The request +# ID from the request must be echoed back with the response +# to that request. +# +# You must have at least one ssl_crt_validator process. +#Default: +# sslcrtvalidator_children 32 startup=5 idle=1 concurrency=1 # OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM # ----------------------------------------------------------------------------- @@ -1680,22 +2667,23 @@ http_port 3128 # # htcp Send HTCP, instead of ICP, queries to the neighbor. # You probably also want to set the "icp-port" to 4827 -# instead of 3130. +# instead of 3130. This directive accepts a comma separated +# list of options described below. # -# htcp-oldsquid Send HTCP to old Squid versions. +# htcp=oldsquid Send HTCP to old Squid versions (2.5 or earlier). # -# htcp-no-clr Send HTCP to the neighbor but without +# htcp=no-clr Send HTCP to the neighbor but without # sending any CLR requests. This cannot be used with -# htcp-only-clr. +# only-clr. # -# htcp-only-clr Send HTCP to the neighbor but ONLY CLR requests. -# This cannot be used with htcp-no-clr. +# htcp=only-clr Send HTCP to the neighbor but ONLY CLR requests. +# This cannot be used with no-clr. # -# htcp-no-purge-clr +# htcp=no-purge-clr # Send HTCP to the neighbor including CLRs but only when # they do not result from PURGE requests. # -# htcp-forward-clr +# htcp=forward-clr # Forward any HTCP CLR requests this proxy receives to the peer. # # @@ -1768,6 +2756,14 @@ http_port 3128 # than the Squid default location. # # +# ==== CARP OPTIONS ==== +# +# carp-key=key-specification +# use a different key than the full URL to hash against the peer. +# the key-specification is a comma-separated list of the keywords +# scheme, host, port, path, params +# Order is not important. +# # ==== ACCELERATOR / REVERSE-PROXY OPTIONS ==== # # originserver Causes this parent to be contacted as an origin server. @@ -1795,20 +2791,23 @@ http_port 3128 # Note: The string can include URL escapes (i.e. %20 for # spaces). This also means % must be written as %%. # -# login=PROXYPASS +# login=PASSTHRU # Send login details received from client to this peer. -# Authentication is not required, nor changed. +# Both Proxy- and WWW-Authorization headers are passed +# without alteration to the peer. +# Authentication is not required by Squid for this to work. # # Note: This will pass any form of authentication but # only Basic auth will work through a proxy unless the # connection-auth options are also used. -# +# # login=PASS Send login details received from client to this peer. # Authentication is not required by this option. +# # If there are no client-provided authentication headers # to pass on, but username and password are available -# from either proxy login or an external ACL user= and -# password= result tags they may be sent instead. +# from an external ACL user= and password= result tags +# they may be sent instead. # # Note: To combine this with proxy_auth both proxies must # share the same user database as HTTP only allows for @@ -1826,6 +2825,27 @@ http_port 3128 # be used to identify this proxy to the peer, similar to # the login=username:password option above. # +# login=NEGOTIATE +# If this is a personal/workgroup proxy and your parent +# requires a secure proxy authentication. +# The first principal from the default keytab or defined by +# the environment variable KRB5_KTNAME will be used. +# +# WARNING: The connection may transmit requests from multiple +# clients. Negotiate often assumes end-to-end authentication +# and a single-client. Which is not strictly true here. +# +# login=NEGOTIATE:principal_name +# If this is a personal/workgroup proxy and your parent +# requires a secure proxy authentication. +# The principal principal_name from the default keytab or +# defined by the environment variable KRB5_KTNAME will be +# used. +# +# WARNING: The connection may transmit requests from multiple +# clients. Negotiate often assumes end-to-end authentication +# and a single-client. Which is not strictly true here. +# # connection-auth=on|off # Tell Squid that this peer does or not support Microsoft # connection oriented authentication, and any such @@ -1848,22 +2868,42 @@ http_port 3128 # reference a combined file containing both the # certificate and the key. # -# sslversion=1|2|3|4 +# sslversion=1|2|3|4|5|6 # The SSL version to use when connecting to this peer # 1 = automatic (default) # 2 = SSL v2 only # 3 = SSL v3 only -# 4 = TLS v1 only +# 4 = TLS v1.0 only +# 5 = TLS v1.1 only +# 6 = TLS v1.2 only # # sslcipher=... The list of valid SSL ciphers to use when connecting # to this peer. # -# ssloptions=... Specify various SSL engine options: -# NO_SSLv2 Disallow the use of SSLv2 -# NO_SSLv3 Disallow the use of SSLv3 -# NO_TLSv1 Disallow the use of TLSv1 -# See src/ssl_support.c or the OpenSSL documentation for -# a more complete list. +# ssloptions=... Specify various SSL implementation options: +# +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# +# SINGLE_DH_USE +# Always create a new key when using +# temporary/ephemeral DH key exchanges +# +# NO_TICKET +# Disable use of RFC5077 session tickets. Some servers +# may have problems understanding the TLS extension due +# to ambiguous specification in RFC4507. +# +# ALL Enable various bug workarounds +# suggested as "harmless" by OpenSSL +# Be warned that this reduces SSL/TLS +# strength to some attacks. +# +# See the OpenSSL SSL_CTX_set_options documentation for a +# more complete list. # # sslcafile=... A file containing additional CA certificates to use # when verifying the peer certificate. @@ -1907,29 +2947,74 @@ http_port 3128 # # connect-fail-limit=N # How many times connecting to a peer must fail before -# it is marked as down. Default is 10. +# it is marked as down. Standby connection failures +# count towards this limit. Default is 10. # # allow-miss Disable Squid's use of only-if-cached when forwarding # requests to siblings. This is primarily useful when -# icp_hit_stale is used by the sibling. To extensive use -# of this option may result in forwarding loops, and you -# should avoid having two-way peerings with this option. -# For example to deny peer usage on requests from peer -# by denying cache_peer_access if the source is a peer. +# icp_hit_stale is used by the sibling. Excessive use +# of this option may result in forwarding loops. One way +# to prevent peering loops when using this option, is to +# deny cache peer usage on requests from a peer: +# acl fromPeer ... +# cache_peer_access peerName deny fromPeer +# +# max-conn=N Limit the number of concurrent connections the Squid +# may open to this peer, including already opened idle +# and standby connections. There is no peer-specific +# connection limit by default. # -# max-conn=N Limit the amount of connections Squid may open to this -# peer. see also +# A peer exceeding the limit is not used for new +# requests unless a standby connection is available. +# +# max-conn currently works poorly with idle persistent +# connections: When a peer reaches its max-conn limit, +# and there are idle persistent connections to the peer, +# the peer may not be selected because the limiting code +# does not know whether Squid can reuse those idle +# connections. +# +# standby=N Maintain a pool of N "hot standby" connections to an +# UP peer, available for requests when no idle +# persistent connection is available (or safe) to use. +# By default and with zero N, no such pool is maintained. +# N must not exceed the max-conn limit (if any). +# +# At start or after reconfiguration, Squid opens new TCP +# standby connections until there are N connections +# available and then replenishes the standby pool as +# opened connections are used up for requests. A used +# connection never goes back to the standby pool, but +# may go to the regular idle persistent connection pool +# shared by all peers and origin servers. +# +# Squid never opens multiple new standby connections +# concurrently. This one-at-a-time approach minimizes +# flooding-like effect on peers. Furthermore, just a few +# standby connections should be sufficient in most cases +# to supply most new requests with a ready-to-use +# connection. +# +# Standby connections obey server_idle_pconn_timeout. +# For the feature to work as intended, the peer must be +# configured to accept and keep them open longer than +# the idle timeout at the connecting Squid, to minimize +# race conditions typical to idle used persistent +# connections. Default request_timeout and +# server_idle_pconn_timeout values ensure such a +# configuration. # # name=xxx Unique name for the peer. # Required if you have multiple peers on the same host # but different ports. # This name can be used in cache_peer_access and similar -# directives to dentify the peer. +# directives to identify the peer. # Can be used by outgoing access controls through the # peername ACL type. # # no-tproxy Do not use the client-spoof TPROXY support when forwarding # requests to this peer. Use normal address selection instead. +# This overrides the spoof_client_ip ACL. # # proxy-only objects fetched from the peer will not be stored locally. # @@ -1938,10 +3023,11 @@ http_port 3128 # TAG: cache_peer_domain # Use to limit the domains for which a neighbor cache will be -# queried. Usage: +# queried. # -# cache_peer_domain cache-host domain [domain ...] -# cache_peer_domain cache-host !domain +# Usage: +# cache_peer_domain cache-host domain [domain ...] +# cache_peer_domain cache-host !domain # # For example, specifying # @@ -1966,33 +3052,57 @@ http_port 3128 # none # TAG: cache_peer_access -# Similar to 'cache_peer_domain' but provides more flexibility by -# using ACL elements. +# Restricts usage of cache_peer proxies. # -# cache_peer_access cache-host allow|deny [!]aclname ... +# Usage: +# cache_peer_access peer-name allow|deny [!]aclname ... +# +# For the required peer-name parameter, use either the value of the +# cache_peer name=value parameter or, if name=value is missing, the +# cache_peer hostname parameter. +# +# This directive narrows down the selection of peering candidates, but +# does not determine the order in which the selected candidates are +# contacted. That order is determined by the peer selection algorithms +# (see PEER SELECTION sections in the cache_peer documentation). +# +# If a deny rule matches, the corresponding peer will not be contacted +# for the current transaction -- Squid will not send ICP queries and +# will not forward HTTP requests to that peer. An allow match leaves +# the corresponding peer in the selection. The first match for a given +# peer wins for that peer. +# +# The relative order of cache_peer_access directives for the same peer +# matters. The relative order of any two cache_peer_access directives +# for different peers does not matter. To ease interpretation, it is a +# good idea to group cache_peer_access directives for the same peer +# together. +# +# A single cache_peer_access directive may be evaluated multiple times +# for a given transaction because individual peer selection algorithms +# may check it independently from each other. These redundant checks +# may be optimized away in future Squid versions. # -# The syntax is identical to 'http_access' and the other lists of -# ACL elements. See the comments for 'http_access' below, or -# the Squid FAQ (http://wiki.squid-cache.org/SquidFaq/SquidAcl). +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# No peer usage restrictions. # TAG: neighbor_type_domain -# usage: neighbor_type_domain neighbor parent|sibling domain domain ... +# Modify the cache_peer neighbor type when passing requests +# about specific domains to the peer. # -# Modifying the neighbor type for specific domains is now -# possible. You can treat some domains differently than the the -# default neighbor type specified on the 'cache_peer' line. -# Normally it should only be necessary to list domains which -# should be treated differently because the default neighbor type -# applies for hostnames which do not match domains listed here. +# Usage: +# neighbor_type_domain neighbor parent|sibling domain domain ... # -#EXAMPLE: -# cache_peer cache.foo.org parent 3128 3130 -# neighbor_type_domain cache.foo.org sibling .com .net -# neighbor_type_domain cache.foo.org sibling .au .de +# For example: +# cache_peer foo.example.com parent 3128 3130 +# neighbor_type_domain foo.example.com sibling .au .de +# +# The above configuration treats all requests to foo.example.com as a +# parent proxy unless the request is for a .au or .de ccTLD domain name. #Default: -# none +# The peer type from cache_peer directive is used for all requests to that peer. # TAG: dead_peer_timeout (seconds) # This controls how long Squid waits to declare a peer cache @@ -2015,21 +3125,11 @@ http_port 3128 # TAG: forward_max_tries # Controls how many different forward paths Squid will try # before giving up. See also forward_timeout. +# +# NOTE: connect_retries (default: none) can make each of these +# possible forwarding paths be tried multiple times. #Default: -# forward_max_tries 10 - -# TAG: hierarchy_stoplist -# A list of words which, if found in a URL, cause the object to -# be handled directly by this cache. In other words, use this -# to not query neighbor caches for certain objects. You may -# list this option multiple times. -# -# Example: -# hierarchy_stoplist cgi-bin ? -# -# Note: never_direct overrides this option. -#Default: -# none +# forward_max_tries 25 # MEMORY CACHE OPTIONS # ----------------------------------------------------------------------------- @@ -2064,6 +3164,11 @@ http_port 3128 # decreases, blocks will be freed until the high-water mark is # reached. Thereafter, blocks will be used to store hot # objects. +# +# If shared memory caching is enabled, Squid does not use the shared +# cache space for in-transit objects, but they still consume as much +# local memory as they need. For more details about the shared memory +# cache, see memory_cache_shared. #Default: # cache_mem 256 MB @@ -2075,11 +3180,45 @@ http_port 3128 #Default: # maximum_object_size_in_memory 512 KB +# TAG: memory_cache_shared on|off +# Controls whether the memory cache is shared among SMP workers. +# +# The shared memory cache is meant to occupy cache_mem bytes and replace +# the non-shared memory cache, although some entities may still be +# cached locally by workers for now (e.g., internal and in-transit +# objects may be served from a local memory cache even if shared memory +# caching is enabled). +# +# By default, the memory cache is shared if and only if all of the +# following conditions are satisfied: Squid runs in SMP mode with +# multiple workers, cache_mem is positive, and Squid environment +# supports required IPC primitives (e.g., POSIX shared memory segments +# and GCC-style atomic operations). +# +# To avoid blocking locks, shared memory uses opportunistic algorithms +# that do not guarantee that every cachable entity that could have been +# shared among SMP workers will actually be shared. +#Default: +# "on" where supported if doing memory caching with multiple SMP workers. + +# TAG: memory_cache_mode +# Controls which objects to keep in the memory cache (cache_mem) +# +# always Keep most recently fetched objects in memory (default) +# +# disk Only disk cache hits are kept in memory, which means +# an object must first be cached on disk and then hit +# a second time before cached in memory. +# +# network Only objects fetched from network is kept in memory +#Default: +# Keep the most recently fetched objects in memory + # TAG: memory_replacement_policy # The memory replacement policy parameter determines which # objects are purged from memory when memory space is needed. # -# See cache_replacement_policy for details. +# See cache_replacement_policy for details on algorithms. #Default: # memory_replacement_policy lru @@ -2095,7 +3234,7 @@ http_port 3128 # heap LFUDA: Least Frequently Used with Dynamic Aging # heap LRU : LRU policy implemented using a heap # -# Applies to any cache_dir lines listed below this. +# Applies to any cache_dir lines listed below this directive. # # The LRU policies keeps recently referenced objects. # @@ -2114,7 +3253,7 @@ http_port 3128 # replacement policies. # # NOTE: if using the LFUDA replacement policy you should increase -# the value of maximum_object_size above its default of 4096 KB to +# the value of maximum_object_size above its default of 4 MB to # to maximize the potential byte hit rate improvement of LFUDA. # # For more information about the GDSF and LFUDA cache replacement @@ -2123,10 +3262,34 @@ http_port 3128 #Default: # cache_replacement_policy lru +# TAG: minimum_object_size (bytes) +# Objects smaller than this size will NOT be saved on disk. The +# value is specified in bytes, and the default is 0 KB, which +# means all responses can be stored. +#Default: +# no limit + +# TAG: maximum_object_size (bytes) +# Set the default value for max-size parameter on any cache_dir. +# The value is specified in bytes, and the default is 4 MB. +# +# If you wish to get a high BYTES hit ratio, you should probably +# increase this (one 32 MB object hit counts for 3200 10KB +# hits). +# +# If you wish to increase hit ratio more than you want to +# save bandwidth you should leave this low. +# +# NOTE: if using the LFUDA replacement policy you should increase +# this value to maximize the byte hit rate improvement of LFUDA! +# See cache_replacement_policy for a discussion of this policy. +#Default: +# maximum_object_size 4 MB +maximum_object_size 153600 KB + # TAG: cache_dir -# Usage: -# -# cache_dir Type Directory-Name Fs-specific-data [options] +# Format: +# cache_dir Type Directory-Name Fs-specific-data [options] # # You can specify multiple cache_dir lines to spread the # cache among different disk partitions. @@ -2141,12 +3304,18 @@ http_port 3128 # The directory must exist and be writable by the Squid # process. Squid will NOT create this directory for you. # -# The ufs store type: +# In SMP configurations, cache_dir must not precede the workers option +# and should use configuration macros or conditionals to give each +# worker interested in disk caching a dedicated cache directory. +# +# +# ==== The ufs store type ==== # # "ufs" is the old well-known Squid storage format that has always # been there. # -# cache_dir ufs Directory-Name Mbytes L1 L2 [options] +# Usage: +# cache_dir ufs Directory-Name Mbytes L1 L2 [options] # # 'Mbytes' is the amount of disk space (MB) to use under this # directory. The default is 100 MB. Change this to suit your @@ -2161,23 +3330,27 @@ http_port 3128 # will be created under each first-level directory. The default # is 256. # -# The aufs store type: +# +# ==== The aufs store type ==== # # "aufs" uses the same storage format as "ufs", utilizing # POSIX-threads to avoid blocking the main Squid process on # disk-I/O. This was formerly known in Squid as async-io. # -# cache_dir aufs Directory-Name Mbytes L1 L2 [options] +# Usage: +# cache_dir aufs Directory-Name Mbytes L1 L2 [options] # # see argument descriptions under ufs above # -# The diskd store type: +# +# ==== The diskd store type ==== # # "diskd" uses the same storage format as "ufs", utilizing a # separate process to avoid blocking the main Squid process on # disk-I/O. # -# cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n] +# Usage: +# cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n] # # see argument descriptions under ufs above # @@ -2185,55 +3358,149 @@ http_port 3128 # stops opening new files. If this many messages are in the queues, # Squid won't open new files. Default is 64 # -# Q2 specifies the number of unacknowledged messages when Squid -# starts blocking. If this many messages are in the queues, -# Squid blocks until it receives some replies. Default is 72 +# Q2 specifies the number of unacknowledged messages when Squid +# starts blocking. If this many messages are in the queues, +# Squid blocks until it receives some replies. Default is 72 +# +# When Q1 < Q2 (the default), the cache directory is optimized +# for lower response time at the expense of a decrease in hit +# ratio. If Q1 > Q2, the cache directory is optimized for +# higher hit ratio at the expense of an increase in response +# time. +# +# +# ==== The rock store type ==== +# +# Usage: +# cache_dir rock Directory-Name Mbytes [options] +# +# The Rock Store type is a database-style storage. All cached +# entries are stored in a "database" file, using fixed-size slots. +# A single entry occupies one or more slots. +# +# If possible, Squid using Rock Store creates a dedicated kid +# process called "disker" to avoid blocking Squid worker(s) on disk +# I/O. One disker kid is created for each rock cache_dir. Diskers +# are created only when Squid, running in daemon mode, has support +# for the IpcIo disk I/O module. +# +# swap-timeout=msec: Squid will not start writing a miss to or +# reading a hit from disk if it estimates that the swap operation +# will take more than the specified number of milliseconds. By +# default and when set to zero, disables the disk I/O time limit +# enforcement. Ignored when using blocking I/O module because +# blocking synchronous I/O does not allow Squid to estimate the +# expected swap wait time. +# +# max-swap-rate=swaps/sec: Artificially limits disk access using +# the specified I/O rate limit. Swap out requests that +# would cause the average I/O rate to exceed the limit are +# delayed. Individual swap in requests (i.e., hits or reads) are +# not delayed, but they do contribute to measured swap rate and +# since they are placed in the same FIFO queue as swap out +# requests, they may wait longer if max-swap-rate is smaller. +# This is necessary on file systems that buffer "too +# many" writes and then start blocking Squid and other processes +# while committing those writes to disk. Usually used together +# with swap-timeout to avoid excessive delays and queue overflows +# when disk demand exceeds available disk "bandwidth". By default +# and when set to zero, disables the disk I/O rate limit +# enforcement. Currently supported by IpcIo module only. +# +# slot-size=bytes: The size of a database "record" used for +# storing cached responses. A cached response occupies at least +# one slot and all database I/O is done using individual slots so +# increasing this parameter leads to more disk space waste while +# decreasing it leads to more disk I/O overheads. Should be a +# multiple of your operating system I/O page size. Defaults to +# 16KBytes. A housekeeping header is stored with each slot and +# smaller slot-sizes will be rejected. The header is smaller than +# 100 bytes. +# +# +# ==== COMMON OPTIONS ==== +# +# no-store no new objects should be stored to this cache_dir. +# +# min-size=n the minimum object size in bytes this cache_dir +# will accept. It's used to restrict a cache_dir +# to only store large objects (e.g. AUFS) while +# other stores are optimized for smaller objects +# (e.g. Rock). +# Defaults to 0. +# +# max-size=n the maximum object size in bytes this cache_dir +# supports. +# The value in maximum_object_size directive sets +# the default unless more specific details are +# available (ie a small store capacity). +# +# Note: To make optimal use of the max-size limits you should order +# the cache_dir lines with the smallest max-size value first. +# +#Default: +# No disk cache. Store cache ojects only in memory. +# + +# Uncomment and adjust the following to add a disk cache directory. +#cache_dir ufs /var/spool/squid 100 16 256 +cache_dir ufs /var/spool/squid 4096 16 1024 + +# TAG: store_dir_select_algorithm +# How Squid selects which cache_dir to use when the response +# object will fit into more than one. +# +# Regardless of which algorithm is used the cache_dir min-size +# and max-size parameters are obeyed. As such they can affect +# the selection algorithm by limiting the set of considered +# cache_dir. +# +# Algorithms: +# +# least-load +# +# This algorithm is suited to caches with similar cache_dir +# sizes and disk speeds. # -# When Q1 < Q2 (the default), the cache directory is optimized -# for lower response time at the expense of a decrease in hit -# ratio. If Q1 > Q2, the cache directory is optimized for -# higher hit ratio at the expense of an increase in response -# time. +# The disk with the least I/O pending is selected. +# When there are multiple disks with the same I/O load ranking +# the cache_dir with most available capacity is selected. # -# The coss store type: +# When a mix of cache_dir sizes are configured the faster disks +# have a naturally lower I/O loading and larger disks have more +# capacity. So space used to store objects and data throughput +# may be very unbalanced towards larger disks. # -# NP: COSS filesystem in Squid-3 has been deemed too unstable for -# production use and has thus been removed from this release. -# We hope that it can be made usable again soon. # -# block-size=n defines the "block size" for COSS cache_dir's. -# Squid uses file numbers as block numbers. Since file numbers -# are limited to 24 bits, the block size determines the maximum -# size of the COSS partition. The default is 512 bytes, which -# leads to a maximum cache_dir size of 512<<24, or 8 GB. Note -# you should not change the coss block size after Squid -# has written some objects to the cache_dir. +# round-robin # -# The coss file store has changed from 2.5. Now it uses a file -# called 'stripe' in the directory names in the config - and -# this will be created by squid -z. +# This algorithm is suited to caches with unequal cache_dir +# disk sizes. # -# Common options: +# Each cache_dir is selected in a rotation. The next suitable +# cache_dir is used. # -# no-store, no new objects should be stored to this cache_dir +# Available cache_dir capacity is only considered in relation +# to whether the object will fit and meets the min-size and +# max-size parameters. # -# max-size=n, refers to the max object size in bytes this cache_dir -# supports. It is used to select the cache_dir to store the object. -# Note: To make optimal use of the max-size limits you should order -# the cache_dir lines with the smallest max-size value first and the -# ones with no max-size specification last. +# Disk I/O loading is only considered to prevent overload on slow +# disks. This algorithm does not spread objects by size, so any +# I/O loading per-disk may appear very unbalanced and volatile. # -# Note for coss, max-size must be less than COSS_MEMBUF_SZ, -# which can be changed with the --with-coss-membuf-size=N configure -# option. +# If several cache_dirs use similar min-size, max-size, or other +# limits to to reject certain responses, then do not group such +# cache_dir lines together, to avoid round-robin selection bias +# towards the first cache_dir after the group. Instead, interleave +# cache_dir lines from different groups. For example: # - -# Uncomment and adjust the following to add a disk cache directory. -#cache_dir ufs /var/spool/squid 100 16 256 -cache_dir ufs /var/spool/squid 4096 16 1024 - -# TAG: store_dir_select_algorithm -# Set this to 'round-robin' as an alternative. +# store_dir_select_algorithm round-robin +# cache_dir rock /hdd1 ... min-size=100000 +# cache_dir rock /ssd1 ... max-size=99999 +# cache_dir rock /hdd2 ... min-size=100000 +# cache_dir rock /ssd2 ... max-size=99999 +# cache_dir rock /hdd3 ... min-size=100000 +# cache_dir rock /ssd3 ... max-size=99999 #Default: # store_dir_select_algorithm least-load @@ -2244,46 +3511,53 @@ cache_dir ufs /var/spool/squid 4096 16 1024 # # A value of 0 indicates no limit. #Default: -# max_open_disk_fds 0 - -# TAG: minimum_object_size (bytes) -# Objects smaller than this size will NOT be saved on disk. The -# value is specified in kilobytes, and the default is 0 KB, which -# means there is no minimum. -#Default: -# minimum_object_size 0 KB - -# TAG: maximum_object_size (bytes) -# Objects larger than this size will NOT be saved on disk. The -# value is specified in kilobytes, and the default is 4MB. If -# you wish to get a high BYTES hit ratio, you should probably -# increase this (one 32 MB object hit counts for 3200 10KB -# hits). If you wish to increase speed more than your want to -# save bandwidth you should leave this low. -# -# NOTE: if using the LFUDA replacement policy you should increase -# this value to maximize the byte hit rate improvement of LFUDA! -# See replacement_policy below for a discussion of this policy. -#Default: -# maximum_object_size 4096 KB -maximum_object_size 153600 KB +# no limit # TAG: cache_swap_low (percent, 0-100) +# The low-water mark for AUFS/UFS/diskd cache object eviction by +# the cache_replacement_policy algorithm. +# +# Removal begins when the swap (disk) usage of a cache_dir is +# above this low-water mark and attempts to maintain utilization +# near the low-water mark. +# +# As swap utilization increases towards the high-water mark set +# by cache_swap_high object eviction becomes more agressive. +# +# The value difference in percentages between low- and high-water +# marks represent an eviction rate of 300 objects per second and +# the rate continues to scale in agressiveness by multiples of +# this above the high-water mark. +# +# Defaults are 90% and 95%. If you have a large cache, 5% could be +# hundreds of MB. If this is the case you may wish to set these +# numbers closer together. +# +# See also cache_swap_high and cache_replacement_policy #Default: # cache_swap_low 90 # TAG: cache_swap_high (percent, 0-100) +# The high-water mark for AUFS/UFS/diskd cache object eviction by +# the cache_replacement_policy algorithm. # -# The low- and high-water marks for cache object replacement. -# Replacement begins when the swap (disk) usage is above the -# low-water mark and attempts to maintain utilization near the -# low-water mark. As swap utilization gets close to high-water -# mark object eviction becomes more aggressive. If utilization is -# close to the low-water mark less replacement is done each time. +# Removal begins when the swap (disk) usage of a cache_dir is +# above the low-water mark set by cache_swap_low and attempts to +# maintain utilization near the low-water mark. +# +# As swap utilization increases towards this high-water mark object +# eviction becomes more agressive. +# +# The value difference in percentages between low- and high-water +# marks represent an eviction rate of 300 objects per second and +# the rate continues to scale in agressiveness by multiples of +# this above the high-water mark. # # Defaults are 90% and 95%. If you have a large cache, 5% could be # hundreds of MB. If this is the case you may wish to set these # numbers closer together. +# +# See also cache_swap_low and cache_replacement_policy #Default: # cache_swap_high 95 @@ -2313,21 +3587,62 @@ maximum_object_size 153600 KB # ' output as-is # # - left aligned -# width field width. If starting with 0 the -# output is zero padded +# +# width minimum and/or maximum field width: +# [width_min][.width_max] +# When minimum starts with 0, the field is zero-padded. +# String values exceeding maximum width are truncated. +# # {arg} argument such as header name etc # # Format codes: # # % a literal % character +# sn Unique sequence number per log line entry +# err_code The ID of an error response served by Squid or +# a similar internal error identifier. +# err_detail Additional err_code-dependent error information. +# note The annotation specified by the argument. Also +# logs the adaptation meta headers set by the +# adaptation_meta configuration parameter. +# If no argument given all annotations logged. +# The argument may include a separator to use with +# annotation values: +# name[:separator] +# By default, multiple note values are separated with "," +# and multiple notes are separated with "\r\n". +# When logging named notes with %{name}note, the +# explicitly configured separator is used between note +# values. When logging all notes with %note, the +# explicitly configured separator is used between +# individual notes. There is currently no way to +# specify both value and notes separators when logging +# all notes with %note. +# +# Connection related format codes: +# # >a Client source IP address # >A Client FQDN # >p Client source port -# eui Client source EUI (MAC address, EUI-48 or EUI-64 identifier) +# >la Local IP address the client connected to +# >lp Local port number the client connected to +# >qos Client connection TOS/DSCP value set by Squid +# >nfmark Client connection netfilter mark set by Squid +# +# la Local listening IP address the client connection was connected to. +# lp Local listening port number the client connection was connected to. +# +# . format. +# Currently, Squid considers the master transaction +# started when a complete HTTP request header initiating +# the transaction is received from the client. This is +# the same value that Squid uses to calculate transaction +# response time when logging %tr to access.log. Currently, +# Squid uses millisecond resolution for %tS values, +# similar to the default access.log "current time" field +# (%ts.%03tu). +# +# Access Control related format codes: +# +# et Tag returned by external acl +# ea Log string returned by external acl +# un User name (any available) +# ul User name from authentication +# ue User name from external acl helper +# ui User name from ident +# un A user name. Expands to the first available name +# from the following list of information sources: +# - authenticated user name, like %ul +# - user name supplied by an external ACL, like %ue +# - SSL client name, like %us +# - ident user name, like %ui +# credentials Client credentials. The exact meaning depends on +# the authentication scheme: For Basic authentication, +# it is the password; for Digest, the realm sent by the +# client; for NTLM and Negotiate, the client challenge +# or client credentials prefixed with "YR " or "KK ". +# +# HTTP related format codes: +# +# REQUEST # -# HTTP cache related format codes: -# -# [http::]>h Original request header. Optional header name argument -# on the format header[:[separator]element] -# [http::]>ha The HTTP request headers after adaptation and redirection. +# [http::]rm Request method (GET/POST etc) +# [http::]>rm Request method from client +# [http::]ru Request URL from client +# [http::]rs Request URL scheme from client +# [http::]rd Request URL domain from client +# [http::]rP Request URL port from client +# [http::]rp Request URL path excluding hostname from client +# [http::]rv Request protocol version from client +# [http::]h Original received request header. +# Usually differs from the request header sent by +# Squid, although most fields are often preserved. +# Accepts optional header field name/value filter +# argument using name[:[separator]element] format. +# [http::]>ha Received request header after adaptation and +# redirection (pre-cache REQMOD vectoring point). +# Usually differs from the request header sent by +# Squid, although most fields are often preserved. # Optional header name argument as for >h +# +# +# RESPONSE +# +# [http::]Hs HTTP status code sent to the client +# # [http::]h -# [http::]un User name -# [http::]ul User name from authentication -# [http::]ui User name from ident -# [http::]us User name from SSL -# [http::]ue User name from external acl helper -# [http::]>Hs HTTP status code sent to the client -# [http::]st Received request size including HTTP headers. In the -# case of chunked requests the chunked encoding metadata -# are not included -# [http::]>sh Received HTTP request headers size -# [http::]st Total size of request received from client. +# Excluding chunked encoding bytes. +# [http::]sh Size of request headers received from client +# [http::]sni SSL client SNI sent to Squid. Available only +# after the peek, stare, or splice SSL bumping +# actions. +# +# If ICAP is enabled, the following code becomes available (as # well as ICAP log codes documented with the icap_log option): # # icap::tt Total ICAP processing time for the HTTP @@ -2386,14 +3793,13 @@ maximum_object_size 153600 KB # ACLs are checked and when ICAP # transaction is in progress. # -# icap::cert_subject The Subject field of the received client +# SSL certificate or a dash ('-') if Squid has +# received an invalid/malformed certificate or +# no certificate at all. Consider encoding the +# logged value because Subject often has spaces. +# +# %ssl::>cert_issuer The Issuer field of the received client +# SSL certificate or a dash ('-') if Squid has +# received an invalid/malformed certificate or +# no certificate at all. Consider encoding the +# logged value because Issuer often has spaces. +# # The default formats available (which do not need re-defining) are: # -#logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %a %Ss/%03>Hs %h] [%a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh +#logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh +#logformat referrer %ts.%03tu %>a %{Referer}>h %ru +#logformat useragent %>a [%tl] "%{User-Agent}>h" +# +# NOTE: When the log_mime_hdrs directive is set to ON. +# The squid, common and combined formats have a safely encoded copy +# of the mime headers appended to each line within a pair of brackets. +# +# NOTE: The common and combined formats are not quite true to the Apache definition. +# The logs from Squid contain an extra status and hierarchy code appended. +# #Default: -# none +# The format definitions squid, common, combined, referrer, useragent are built in. # TAG: access_log -# These files log client request activities. Has a line every HTTP or -# ICP request. The format is: -# access_log [ [acl acl ...]] -# access_log none [acl acl ...]] +# Configures whether and how Squid logs HTTP and ICP transactions. +# If access logging is enabled, a single line is logged for every +# matching HTTP or ICP request. The recommended directive formats are: # -# Will log to the specified file using the specified format (which -# must be defined in a logformat directive) those entries which match -# ALL the acl's specified (which must be defined in acl clauses). +# access_log : [option ...] [acl acl ...] +# access_log none [acl acl ...] # -# If no acl is specified, all requests will be logged to this file. +# The following directive format is accepted but may be deprecated: +# access_log : [ [acl acl ...]] # -# To disable logging of a request use the filepath "none", in which case -# a logformat name should not be specified. +# In most cases, the first ACL name must not contain the '=' character +# and should not be equal to an existing logformat name. You can always +# start with an 'all' ACL to work around those restrictions. +# +# Will log to the specified module:place using the specified format (which +# must be defined in a logformat directive) those entries which match +# ALL the acl's specified (which must be defined in acl clauses). +# If no acl is specified, all requests will be logged to this destination. +# +# ===== Available options for the recommended directive format ===== +# +# logformat=name Names log line format (either built-in or +# defined by a logformat directive). Defaults +# to 'squid'. +# +# buffer-size=64KB Defines approximate buffering limit for log +# records (see buffered_logs). Squid should not +# keep more than the specified size and, hence, +# should flush records before the buffer becomes +# full to avoid overflows under normal +# conditions (the exact flushing algorithm is +# module-dependent though). The on-error option +# controls overflow handling. +# +# on-error=die|drop Defines action on unrecoverable errors. The +# 'drop' action ignores (i.e., does not log) +# affected log records. The default 'die' action +# kills the affected worker. The drop action +# support has not been tested for modules other +# than tcp. +# +# ===== Modules Currently available ===== +# +# none Do not log any requests matching these ACL. +# Do not specify Place or logformat name. +# +# stdio Write each log line to disk immediately at the completion of +# each request. +# Place: the filename and path to be written. +# +# daemon Very similar to stdio. But instead of writing to disk the log +# line is passed to a daemon helper for asychronous handling instead. +# Place: varies depending on the daemon. +# +# log_file_daemon Place: the file name and path to be written. +# +# syslog To log each request via syslog facility. +# Place: The syslog facility and priority level for these entries. +# Place Format: facility.priority # -# To log the request via syslog specify a filepath of "syslog": +# where facility could be any of: +# authpriv, daemon, local0 ... local7 or user. # -# access_log syslog[:facility.priority] [format [acl1 [acl2 ....]]] -# where facility could be any of: -# authpriv, daemon, local0 .. local7 or user. +# And priority could be any of: +# err, warning, notice, info, debug. +# +# udp To send each log line as text data to a UDP receiver. +# Place: The destination host name or IP and port. +# Place Format: //host:port # -# And priority could be any of: -# err, warning, notice, info, debug. +# tcp To send each log line as text data to a TCP receiver. +# Lines may be accumulated before sending (see buffered_logs). +# Place: The destination host name or IP and port. +# Place Format: //host:port # # Default: -# access_log /var/log/squid/access.log squid +# access_log daemon:/var/log/squid/access.log squid #Default: -# access_log /var/log/squid/access.log squid +# access_log daemon:/var/log/squid/access.log squid # TAG: icap_log # ICAP log files record ICAP transaction summaries, one line per @@ -2472,13 +3953,35 @@ maximum_object_size 153600 KB # ICAP transaction log lines will correspond to a single access # log line. # -# ICAP log uses logformat codes that make sense for an ICAP -# transaction. Header-related codes are applied to the HTTP header -# embedded in an ICAP server response, with the following caveats: -# For REQMOD, there is no HTTP response header unless the ICAP -# server performed request satisfaction. For RESPMOD, the HTTP -# request header is the header sent to the ICAP server. For -# OPTIONS, there are no HTTP headers. +# ICAP log supports many access.log logformat %codes. In ICAP context, +# HTTP message-related %codes are applied to the HTTP message embedded +# in an ICAP message. Logformat "%http::>..." codes are used for HTTP +# messages embedded in ICAP requests while "%http::<..." codes are used +# for HTTP messages embedded in ICAP responses. For example: +# +# http::>h To-be-adapted HTTP message headers sent by Squid to +# the ICAP service. For REQMOD transactions, these are +# HTTP request headers. For RESPMOD, these are HTTP +# response headers, but Squid currently cannot log them +# (i.e., %http::>h will expand to "-" for RESPMOD). +# +# http::st Bytes sent to the ICAP server (TCP payload -# only; i.e., what Squid writes to the socket). +# icap::>st The total size of the ICAP request sent to the ICAP +# server (ICAP headers + ICAP body), including chunking +# metadata (if any). # -# icap::a %icap::to/%03icap::Hs %icap::A %icap::to/%03icap::Hs %icap::\n - logfile data +# R\n - rotate file +# T\n - truncate file +# O\n - reopen file +# F\n - flush file +# r\n - set rotate count to +# b\n - 1 = buffer output, 0 = don't buffer output +# +# No responses is expected. #Default: -# none +# logfile_daemon /usr/lib/squid/log_file_daemon -# TAG: log_icap -# This options allows you to control which requests get logged -# to icap.log. See the icap_log directive for ICAP log details. +# TAG: stats_collection allow|deny acl acl... +# This options allows you to control which requests gets accounted +# in performance counters. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow logging for all transactions. # TAG: cache_store_log # Logs the activities of the storage manager. Shows which # objects are ejected from the cache, and which objects are -# saved and for how long. To disable, enter "none" or remove the line. +# saved and for how long. # There are not really utilities to analyze this data, so you can safely -# disable it. -# +# disable it (the default). +# +# Store log uses modular logging outputs. See access_log for the list +# of modules supported. +# # Example: -# cache_store_log /var/log/squid/store.log +# cache_store_log stdio:/var/log/squid/store.log +# cache_store_log daemon:/var/log/squid/store.log #Default: # none @@ -2590,7 +4111,7 @@ maximum_object_size 153600 KB # them). We recommend you do NOT use this option. It is # better to keep these index files in each 'cache_dir' directory. #Default: -# none +# Store the journal inside its cache_dir # TAG: logfile_rotate # Specifies the number of logfile rotations to make when you @@ -2607,34 +4128,19 @@ maximum_object_size 153600 KB # in the habit of using 'squid -k rotate' instead of 'kill -USR1 # '. # -# Note, from Squid-3.1 this option has no effect on the cache.log, -# that log can be rotated separately by using debug_options +# Note, from Squid-3.1 this option is only a default for cache.log, +# that log can be rotated separately by using debug_options. # -# Note2, for Debian/Linux the default of logfile_rotate is -# zero, since it includes external logfile-rotation methods. +# Note2, for Debian/Linux the default of logfile_rotate is +# zero, since it includes external logfile-rotation methods. #Default: # logfile_rotate 0 -# TAG: emulate_httpd_log on|off -# The Cache can emulate the log file format which many 'httpd' -# programs use. To disable/enable this emulation, set -# emulate_httpd_log to 'off' or 'on'. The default -# is to use the native log format since it includes useful -# information Squid-specific log analyzers use. -#Default: -# emulate_httpd_log off - -# TAG: log_ip_on_direct on|off -# Log the destination IP address in the hierarchy log tag when going -# direct. Earlier Squid versions logged the hostname here. If you -# prefer the old way set this to off. -#Default: -# log_ip_on_direct on - # TAG: mime_table -# Pathname to Squid's MIME table. You shouldn't need to change -# this, but the default file contains examples and formatting -# information if you do. +# Path to Squid's icon configuration file. +# +# You shouldn't need to change this, but the default file contains +# examples and formatting information if you do. #Default: # mime_table /usr/share/squid/mime.conf @@ -2647,91 +4153,61 @@ maximum_object_size 153600 KB #Default: # log_mime_hdrs off -# TAG: useragent_log -# Note: This option is only available if Squid is rebuilt with the -# --enable-useragent-log option -# -# Squid will write the User-Agent field from HTTP requests -# to the filename specified here. By default useragent_log -# is disabled. -#Default: -# none - -# TAG: referer_log -# Note: This option is only available if Squid is rebuilt with the -# --enable-referer-log option -# -# Squid will write the Referer field from HTTP requests to the -# filename specified here. By default referer_log is disabled. -# Note that "referer" is actually a misspelling of "referrer" -# however the misspelt version has been accepted into the HTTP RFCs -# and we accept both. -#Default: -# none - # TAG: pid_filename # A filename to write the process-id to. To disable, enter "none". #Default: # pid_filename /var/run/squid.pid -# TAG: log_fqdn on|off -# Turn this on if you wish to log fully qualified domain names -# in the access.log. To do this Squid does a DNS lookup of all -# IP's connecting to it. This can (in some situations) increase -# latency, which makes your cache seem slower for interactive -# browsing. -#Default: -# log_fqdn off - # TAG: client_netmask # A netmask for client addresses in logfiles and cachemgr output. # Change this to protect the privacy of your cache clients. # A netmask of 255.255.255.0 will log all IP's in that range with # the last digit set to '0'. #Default: -# client_netmask no_addr - -# TAG: forward_log -# Note: This option is only available if Squid is rebuilt with the -# -DWIP_FWD_LOG define -# -# Logs the server-side requests. -# -# This is currently work in progress. -#Default: -# none +# Log full client IP address # TAG: strip_query_terms # By default, Squid strips query terms from requested URLs before -# logging. This protects your user's privacy. +# logging. This protects your user's privacy and reduces log size. +# +# When investigating HIT/MISS or other caching behaviour you +# will need to disable this to see the full URL used by Squid. #Default: # strip_query_terms on # TAG: buffered_logs on|off -# cache.log log file is written with stdio functions, and as such -# it can be buffered or unbuffered. By default it will be unbuffered. -# Buffering it can speed up the writing slightly (though you are -# unlikely to need to worry unless you run with tons of debugging -# enabled in which case performance will suffer badly anyway..). +# Whether to write/send access_log records ASAP or accumulate them and +# then write/send them in larger chunks. Buffering may improve +# performance because it decreases the number of I/Os. However, +# buffering increases the delay before log records become available to +# the final recipient (e.g., a disk file or logging daemon) and, +# hence, increases the risk of log records loss. +# +# Note that even when buffered_logs are off, Squid may have to buffer +# records if it cannot write/send them immediately due to pending I/Os +# (e.g., the I/O writing the previous log record) or connectivity loss. +# +# Currently honored by 'daemon' and 'tcp' access_log modules only. #Default: # buffered_logs off # TAG: netdb_filename -# Note: This option is only available if Squid is rebuilt with the -# --enable-icmp option +# Where Squid stores it's netdb journal. +# When enabled this journal preserves netdb state between restarts. # -# A filename where Squid stores it's netdb state between restarts. # To disable, enter "none". #Default: -# netdb_filename /var/log/squid/netdb.state +# netdb_filename stdio:/var/log/squid/netdb.state # OPTIONS FOR TROUBLESHOOTING # ----------------------------------------------------------------------------- # TAG: cache_log -# Cache logging file. This is where general information about -# your cache's behavior goes. You can increase the amount of data -# logged to this file and how often its rotated with "debug_options" +# Squid administrative logging file. +# +# This is where general information about Squid behavior goes. You can +# increase the amount of data logged to this file and how often it is +# rotated with "debug_options" #Default: # cache_log /var/log/squid/cache.log @@ -2742,14 +4218,14 @@ maximum_object_size 153600 KB # log file, so be careful. # # The magic word "ALL" sets debugging levels for all sections. -# We recommend normally running with "ALL,1". +# The default is to run with "ALL,1" to record important warnings. # # The rotate=N option can be used to keep more or less of these logs # than would otherwise be kept by logfile_rotate. # For most uses a single log should be enough to monitor current # events affecting Squid. #Default: -# debug_options ALL,1 +# Log all critical and important messages. # TAG: coredump_dir # By default Squid leaves core files in the directory from where @@ -2758,7 +4234,7 @@ maximum_object_size 153600 KB # and coredump files will be left there. # #Default: -# coredump_dir none +# Use the directory from where Squid was started. # # Leave coredumps in the first cache dir @@ -2769,24 +4245,17 @@ coredump_dir /var/spool/squid # TAG: ftp_user # If you want the anonymous login password to be more informative -# (and enable the use of picky ftp servers), set this to something +# (and enable the use of picky FTP servers), set this to something # reasonable for your domain, like wwwuser@somewhere.net # # The reason why this is domainless by default is the # request can be made on the behalf of a user in any domain, # depending on how the cache is used. -# Some ftp server also validate the email address is valid +# Some FTP server also validate the email address is valid # (for example perl.com). #Default: # ftp_user Squid@ -# TAG: ftp_list_width -# Sets the width of ftp listings. This should be set to fit in -# the width of a standard browser. Setting this too small -# can cut off long filenames when browsing ftp sites. -#Default: -# ftp_list_width 32 - # TAG: ftp_passive # If your firewall does not allow Squid to use passive # connections, turn off this option. @@ -2822,13 +4291,21 @@ coredump_dir /var/spool/squid # and therefore, translation of the data portion of the segments # will never be needed. # -# Turning this OFF will prevent EPSV being attempted. -# WARNING: Doing so will convert Squid back to the old behavior with all -# the related problems with external NAT devices/layers. +# EPSV is often required to interoperate with FTP servers on IPv6 +# networks. On the other hand, it may break some IPv4 servers. +# +# By default, EPSV may try EPSV with any FTP server. To fine tune +# that decision, you may restrict EPSV to certain clients or servers +# using ACLs: # +# ftp_epsv allow|deny al1 acl2 ... +# +# WARNING: Disabling EPSV may cause problems with external NAT and IPv6. +# +# Only fast ACLs are supported. # Requires ftp_passive to be ON (default) for any effect. #Default: -# ftp_epsv on +# none # TAG: ftp_eprt # FTP Protocol extensions permit the use of a special "EPRT" command. @@ -2889,22 +4366,16 @@ coredump_dir /var/spool/squid # unlinkd_program /usr/lib/squid/unlinkd # TAG: pinger_program -# Note: This option is only available if Squid is rebuilt with the -# --enable-icmp option -# # Specify the location of the executable for the pinger process. #Default: # pinger_program /usr/lib/squid/pinger # TAG: pinger_enable -# Note: This option is only available if Squid is rebuilt with the -# --enable-icmp option -# # Control whether the pinger is active at run-time. # Enables turning ICMP pinger on and off with a simple # squid -k reconfigure. #Default: -# pinger_enable off +# pinger_enable on # OPTIONS FOR URL REWRITING # ----------------------------------------------------------------------------- @@ -2915,68 +4386,137 @@ coredump_dir /var/spool/squid # # For each requested URL, the rewriter will receive on line with the format # -# URL client_ip "/" fqdn user method [ kvpairs] +# [channel-ID ] URL [ extras] +# +# See url_rewrite_extras on how to send "extras" with optional values to +# the helper. +# After processing the request the helper must reply using the following format: +# +# [channel-ID ] result [ kv-pairs] +# +# The result code can be: +# +# OK status=30N url="..." +# Redirect the URL to the one supplied in 'url='. +# 'status=' is optional and contains the status code to send +# the client in Squids HTTP response. It must be one of the +# HTTP redirect status codes: 301, 302, 303, 307, 308. +# When no status is given Squid will use 302. +# +# OK rewrite-url="..." +# Rewrite the URL to the one supplied in 'rewrite-url='. +# The new URL is fetched directly by Squid and returned to +# the client as the response to its request. # -# In the future, the rewriter interface will be extended with -# key=value pairs ("kvpairs" shown above). Rewriter programs -# should be prepared to receive and possibly ignore additional -# whitespace-separated tokens on each input line. +# OK +# When neither of url= and rewrite-url= are sent Squid does +# not change the URL. # -# And the rewriter may return a rewritten URL. The other components of -# the request line does not need to be returned (ignored if they are). +# ERR +# Do not change the URL. # -# The rewriter can also indicate that a client-side redirect should -# be performed to the new URL. This is done by prefixing the returned -# URL with "301:" (moved permanently) or 302: (moved temporarily), etc. +# BH +# An internal error occurred in the helper, preventing +# a result being identified. The 'message=' key name is +# reserved for delivering a log message. +# +# +# In addition to the above kv-pairs Squid also understands the following +# optional kv-pairs received from URL rewriters: +# clt_conn_tag=TAG +# Associates a TAG with the client TCP connection. +# The TAG is treated as a regular annotation but persists across +# future requests on the client connection rather than just the +# current request. A helper may update the TAG during subsequent +# requests be returning a new kv-pair. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# WARNING: URL re-writing ability should be avoided whenever possible. +# Use the URL redirect form of response instead. +# +# Re-write creates a difference in the state held by the client +# and server. Possibly causing confusion when the server response +# contains snippets of its view state. Embeded URLs, response +# and content Location headers, etc. are not re-written by this +# interface. # # By default, a URL rewriter is not used. #Default: # none # TAG: url_rewrite_children -# The number of redirector processes to spawn. If you start -# too few Squid will have to wait for them to process a backlog of -# URLs, slowing it down. If you start too many they will use RAM -# and other system resources. -#Default: -# url_rewrite_children 5 - -# TAG: url_rewrite_concurrency +# The maximum number of redirector processes to spawn. If you limit +# it too few Squid will have to wait for them to process a backlog of +# URLs, slowing it down. If you allow too many they will use RAM +# and other system resources noticably. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup= +# +# Sets a minimum of how many processes are to be spawned when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few will cause an initial slowdown in traffic as Squid +# attempts to simultaneously spawn enough processes to cope. +# +# idle= +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# # The number of requests each redirector helper can handle in # parallel. Defaults to 0 which indicates the redirector # is a old-style single threaded redirector. # # When this directive is set to a value >= 1 then the protocol # used to communicate with the helper is modified to include -# a request ID in front of the request/response. The request -# ID from the request must be echoed back with the response -# to that request. +# an ID in front of the request/response. The ID from the request +# must be echoed back with the response to that request. #Default: -# url_rewrite_concurrency 0 +# url_rewrite_children 20 startup=0 idle=1 concurrency=0 # TAG: url_rewrite_host_header -# By default Squid rewrites any Host: header in redirected -# requests. If you are running an accelerator this may -# not be a wanted effect of a redirector. -# +# To preserve same-origin security policies in browsers and +# prevent Host: header forgery by redirectors Squid rewrites +# any Host: header in redirected requests. +# +# If you are running an accelerator this may not be a wanted +# effect of a redirector. This directive enables you disable +# Host: alteration in reverse-proxy traffic. +# # WARNING: Entries are cached on the result of the URL rewriting # process, so be careful if you have domain-virtual hosts. +# +# WARNING: Squid and other software verifies the URL and Host +# are matching, so be careful not to relay through other proxies +# or inspecting firewalls with this disabled. #Default: # url_rewrite_host_header on # TAG: url_rewrite_access # If defined, this access list specifies which requests are -# sent to the redirector processes. By default all requests -# are sent. +# sent to the redirector processes. # # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: url_rewrite_bypass # When this is 'on', a request will not go through the -# redirector if all redirectors are busy. If this is 'off' +# redirector if all the helpers are busy. If this is 'off' # and the redirector queue grows too large, Squid will exit # with a FATAL error and ask you to increase the number of # redirectors. You should only enable this if the redirectors @@ -2987,23 +4527,231 @@ coredump_dir /var/spool/squid #Default: # url_rewrite_bypass off -# OPTIONS FOR TUNING THE CACHE +# TAG: url_rewrite_extras +# Specifies a string to be append to request line format for the +# rewriter helper. "Quoted" format values may contain spaces and +# logformat %macros. In theory, any logformat %macro can be used. +# In practice, a %macro expands as a dash (-) if the helper request is +# sent before the required macro information is available to Squid. +#Default: +# url_rewrite_extras "%>a/%>A %un %>rm myip=%la myport=%lp" + +# OPTIONS FOR STORE ID # ----------------------------------------------------------------------------- -# TAG: cache -# A list of ACL elements which, if matched and denied, cause the request to -# not be satisfied from the cache and the reply to not be cached. -# In other words, use this to force certain objects to never be cached. +# TAG: store_id_program +# Specify the location of the executable StoreID helper to use. +# Since they can perform almost any function there isn't one included. # -# You must use the words 'allow' or 'deny' to indicate whether items -# matching the ACL should be allowed or denied into the cache. +# For each requested URL, the helper will receive one line with the format # -# Default is to allow all to be cached. +# [channel-ID ] URL [ extras] +# +# +# After processing the request the helper must reply using the following format: +# +# [channel-ID ] result [ kv-pairs] +# +# The result code can be: +# +# OK store-id="..." +# Use the StoreID supplied in 'store-id='. +# +# ERR +# The default is to use HTTP request URL as the store ID. +# +# BH +# An internal error occured in the helper, preventing +# a result being identified. +# +# In addition to the above kv-pairs Squid also understands the following +# optional kv-pairs received from URL rewriters: +# clt_conn_tag=TAG +# Associates a TAG with the client TCP connection. +# Please see url_rewrite_program related documentation for this +# kv-pair +# +# Helper programs should be prepared to receive and possibly ignore +# additional whitespace-separated tokens on each input line. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# NOTE: when using StoreID refresh_pattern will apply to the StoreID +# returned from the helper and not the URL. +# +# WARNING: Wrong StoreID value returned by a careless helper may result +# in the wrong cached response returned to the user. +# +# By default, a StoreID helper is not used. +#Default: +# none + +# TAG: store_id_extras +# Specifies a string to be append to request line format for the +# StoreId helper. "Quoted" format values may contain spaces and +# logformat %macros. In theory, any logformat %macro can be used. +# In practice, a %macro expands as a dash (-) if the helper request is +# sent before the required macro information is available to Squid. +#Default: +# store_id_extras "%>a/%>A %un %>rm myip=%la myport=%lp" + +# TAG: store_id_children +# The maximum number of StoreID helper processes to spawn. If you limit +# it too few Squid will have to wait for them to process a backlog of +# requests, slowing it down. If you allow too many they will use RAM +# and other system resources noticably. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup= +# +# Sets a minimum of how many processes are to be spawned when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few will cause an initial slowdown in traffic as Squid +# attempts to simultaneously spawn enough processes to cope. +# +# idle= +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# +# The number of requests each storeID helper can handle in +# parallel. Defaults to 0 which indicates the helper +# is a old-style single threaded program. +# +# When this directive is set to a value >= 1 then the protocol +# used to communicate with the helper is modified to include +# an ID in front of the request/response. The ID from the request +# must be echoed back with the response to that request. +#Default: +# store_id_children 20 startup=0 idle=1 concurrency=0 + +# TAG: store_id_access +# If defined, this access list specifies which requests are +# sent to the StoreID processes. By default all requests +# are sent. # # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow, unless rules exist in squid.conf. + +# TAG: store_id_bypass +# When this is 'on', a request will not go through the +# helper if all helpers are busy. If this is 'off' +# and the helper queue grows too large, Squid will exit +# with a FATAL error and ask you to increase the number of +# helpers. You should only enable this if the helperss +# are not critical to your caching system. If you use +# helpers for critical caching components, and you enable this +# option, users may not get objects from cache. +#Default: +# store_id_bypass on + +# OPTIONS FOR TUNING THE CACHE +# ----------------------------------------------------------------------------- + +# TAG: cache +# Requests denied by this directive will not be served from the cache +# and their responses will not be stored in the cache. This directive +# has no effect on other transactions and on already cached responses. +# +# This clause supports both fast and slow acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# This and the two other similar caching directives listed below are +# checked at different transaction processing stages, have different +# access to response information, affect different cache operations, +# and differ in slow ACLs support: +# +# * cache: Checked before Squid makes a hit/miss determination. +# No access to reply information! +# Denies both serving a hit and storing a miss. +# Supports both fast and slow ACLs. +# * send_hit: Checked after a hit was detected. +# Has access to reply (hit) information. +# Denies serving a hit only. +# Supports fast ACLs only. +# * store_miss: Checked before storing a cachable miss. +# Has access to reply (miss) information. +# Denies storing a miss only. +# Supports fast ACLs only. +# +# If you are not sure which of the three directives to use, apply the +# following decision logic: +# +# * If your ACL(s) are of slow type _and_ need response info, redesign. +# Squid does not support that particular combination at this time. +# Otherwise: +# * If your directive ACL(s) are of slow type, use "cache"; and/or +# * if your directive ACL(s) need no response info, use "cache". +# Otherwise: +# * If you do not want the response cached, use store_miss; and/or +# * if you do not want a hit on a cached response, use send_hit. +#Default: +# By default, this directive is unused and has no effect. + +# TAG: send_hit +# Responses denied by this directive will not be served from the cache +# (but may still be cached, see store_miss). This directive has no +# effect on the responses it allows and on the cached objects. +# +# Please see the "cache" directive for a summary of differences among +# store_miss, send_hit, and cache directives. +# +# Unlike the "cache" directive, send_hit only supports fast acl +# types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# For example: +# +# # apply custom Store ID mapping to some URLs +# acl MapMe dstdomain .c.example.com +# store_id_program ... +# store_id_access allow MapMe +# +# # but prevent caching of special responses +# # such as 302 redirects that cause StoreID loops +# acl Ordinary http_status 200-299 +# store_miss deny MapMe !Ordinary +# +# # and do not serve any previously stored special responses +# # from the cache (in case they were already cached before +# # the above store_miss rule was in effect). +# send_hit deny MapMe !Ordinary +#Default: +# By default, this directive is unused and has no effect. + +# TAG: store_miss +# Responses denied by this directive will not be cached (but may still +# be served from the cache, see send_hit). This directive has no +# effect on the responses it allows and on the already cached responses. +# +# Please see the "cache" directive for a summary of differences among +# store_miss, send_hit, and cache directives. See the +# send_hit directive for a usage example. +# +# Unlike the "cache" directive, store_miss only supports fast acl +# types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# By default, this directive is unused and has no effect. + +# TAG: max_stale time-units +# This option puts an upper limit on how stale content Squid +# will serve from the cache if cache validation fails. +# Can be overriden by the refresh_pattern max-stale option. +#Default: +# max_stale 1 week # TAG: refresh_pattern # usage: refresh_pattern [-i] regex min percent max [options] @@ -3028,12 +4776,13 @@ coredump_dir /var/spool/squid # override-lastmod # reload-into-ims # ignore-reload -# ignore-no-cache # ignore-no-store # ignore-must-revalidate # ignore-private # ignore-auth +# max-stale=NN # refresh-ims +# store-stale # # override-expire enforces min age even if the server # sent an explicit expiry time (e.g., with the @@ -3049,22 +4798,18 @@ coredump_dir /var/spool/squid # override-lastmod enforces min age even on objects # that were modified recently. # -# reload-into-ims changes client no-cache or ``reload'' -# to If-Modified-Since requests. Doing this VIOLATES the -# HTTP standard. Enabling this feature could make you -# liable for problems which it causes. +# reload-into-ims changes a client no-cache or ``reload'' +# request for a cached entry into a conditional request using +# If-Modified-Since and/or If-None-Match headers, provided the +# cached entry has a Last-Modified and/or a strong ETag header. +# Doing this VIOLATES the HTTP standard. Enabling this feature +# could make you liable for problems which it causes. # # ignore-reload ignores a client no-cache or ``reload'' # header. Doing this VIOLATES the HTTP standard. Enabling # this feature could make you liable for problems which # it causes. # -# ignore-no-cache ignores any ``Pragma: no-cache'' and -# ``Cache-control: no-cache'' headers received from a server. -# The HTTP RFC never allows the use of this (Pragma) header -# from a server, only a client, though plenty of servers -# send it anyway. -# # ignore-no-store ignores any ``Cache-control: no-store'' # headers received from a server. Doing this VIOLATES # the HTTP standard. Enabling this feature could make you @@ -3091,9 +4836,19 @@ coredump_dir /var/spool/squid # ensures that the client will receive an updated version # if one is available. # +# store-stale stores responses even if they don't have explicit +# freshness or a validator (i.e., Last-Modified or an ETag) +# present, or if they're already stale. By default, Squid will +# not cache such responses because they usually can't be +# reused. Note that such responses will be stale by default. +# +# max-stale=NN provide a maximum staleness factor. Squid won't +# serve objects more stale than this even if it failed to +# validate the object. Default: use the max_stale global limit. +# # Basically a cached object is: # -# FRESH if expires < now, else STALE +# FRESH if expire > now, else STALE # STALE if age > max # FRESH if lm-factor < percent, else STALE # FRESH if age < min @@ -3109,7 +4864,9 @@ coredump_dir /var/spool/squid # # +# # Add any of your own refresh_pattern entries above these. +# refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 @@ -3137,7 +4894,7 @@ refresh_pattern . 0 20% 4320 # downloads. # # When the user aborts a request, Squid will check the -# quick_abort values to the amount of data transfered until +# quick_abort values to the amount of data transferred until # then. # # If the transfer has less than 'quick_abort_min' KB remaining, @@ -3195,44 +4952,68 @@ refresh_pattern . 0 20% 4320 #Default: # negative_dns_ttl 1 minutes -# TAG: range_offset_limit (bytes) -# Sets a upper limit on how far into the the file a Range request -# may be to cause Squid to prefetch the whole file. If beyond this -# limit Squid forwards the Range request as it is and the result -# is NOT cached. -# +# TAG: range_offset_limit size [acl acl...] +# usage: (size) [units] [[!]aclname] +# +# Sets an upper limit on how far (number of bytes) into the file +# a Range request may be to cause Squid to prefetch the whole file. +# If beyond this limit, Squid forwards the Range request as it is and +# the result is NOT cached. +# # This is to stop a far ahead range request (lets say start at 17MB) # from making Squid fetch the whole object up to that point before # sending anything to the client. -# -# A value of 0 causes Squid to never fetch more than the +# +# Multiple range_offset_limit lines may be specified, and they will +# be searched from top to bottom on each request until a match is found. +# The first match found will be used. If no line matches a request, the +# default limit of 0 bytes will be used. +# +# 'size' is the limit specified as a number of units. +# +# 'units' specifies whether to use bytes, KB, MB, etc. +# If no units are specified bytes are assumed. +# +# A size of 0 causes Squid to never fetch more than the # client requested. (default) -# -# A value of -1 causes Squid to always fetch the object from the +# +# A size of 'none' causes Squid to always fetch the object from the # beginning so it may cache the result. (2.0 style) -# -# NP: Using -1 here will override any quick_abort settings that may -# otherwise apply to the range request. The range request will +# +# 'aclname' is the name of a defined ACL. +# +# NP: Using 'none' as the byte value here will override any quick_abort settings +# that may otherwise apply to the range request. The range request will # be fully fetched from start to finish regardless of the client # actions. This affects bandwidth usage. #Default: -# range_offset_limit 0 KB +# none # TAG: minimum_expiry_time (seconds) # The minimum caching time according to (Expires - Date) -# Headers Squid honors if the object can't be revalidated -# defaults to 60 seconds. In reverse proxy environments it -# might be desirable to honor shorter object lifetimes. It -# is most likely better to make your server return a -# meaningful Last-Modified header however. In ESI environments -# where page fragments often have short lifetimes, this will -# often be best set to 0. +# headers Squid honors if the object can't be revalidated. +# The default is 60 seconds. +# +# In reverse proxy environments it might be desirable to honor +# shorter object lifetimes. It is most likely better to make +# your server return a meaningful Last-Modified header however. +# +# In ESI environments where page fragments often have short +# lifetimes, this will often be best set to 0. #Default: # minimum_expiry_time 60 seconds -# TAG: store_avg_object_size (kbytes) +# TAG: store_avg_object_size (bytes) # Average object size, used to estimate number of objects your # cache can hold. The default is 13 KB. +# +# This is used to pre-seed the cache index memory allocation to +# reduce expensive reallocate operations while handling clients +# traffic. Too-large values may result in memory allocation during +# peak traffic, too-small values will result in wasted memory. +# +# Check the cache manager 'info' report metrics for the real +# object sizes seen by your Squid before tuning this. #Default: # store_avg_object_size 13 KB @@ -3271,8 +5052,11 @@ refresh_pattern . 0 20% 4320 # than this limit receives an "Invalid Request" error message. # If you set this parameter to a zero (the default), there will # be no limit imposed. +# +# See also client_request_buffer_max_size for an alternative +# limitation on client uploads which can be configured. #Default: -# request_body_max_size 0 KB +# No limit. # TAG: client_request_buffer_max_size (bytes) # This specifies the maximum buffer size of a client request. @@ -3281,29 +5065,6 @@ refresh_pattern . 0 20% 4320 #Default: # client_request_buffer_max_size 512 KB -# TAG: chunked_request_body_max_size (bytes) -# A broken or confused HTTP/1.1 client may send a chunked HTTP -# request to Squid. Squid does not have full support for that -# feature yet. To cope with such requests, Squid buffers the -# entire request and then dechunks request body to create a -# plain HTTP/1.0 request with a known content length. The plain -# request is then used by the rest of Squid code as usual. -# -# The option value specifies the maximum size of the buffer used -# to hold the request before the conversion. If the chunked -# request size exceeds the specified limit, the conversion -# fails, and the client receives an "unsupported request" error, -# as if dechunking was disabled. -# -# Dechunking is enabled by default. To disable conversion of -# chunked requests, set the maximum to zero. -# -# Request dechunking feature and this option in particular are a -# temporary hack. When chunking requests and responses are fully -# supported, there will be no need to buffer a chunked request. -#Default: -# chunked_request_body_max_size 64 KB - # TAG: broken_posts # A list of ACL elements which, if matched, causes Squid to send # an extra CRLF pair after the body of a PUT/POST request. @@ -3325,15 +5086,15 @@ refresh_pattern . 0 20% 4320 # acl buggy_server url_regex ^http://.... # broken_posts allow buggy_server #Default: -# none +# Obey RFC 2616. -# TAG: icap_uses_indirect_client on|off +# TAG: adaptation_uses_indirect_client on|off # Controls whether the indirect client IP address (instead of the direct # client IP address) is passed to adaptation services. # # See also: follow_x_forwarded_for adaptation_send_client_ip #Default: -# icap_uses_indirect_client on +# adaptation_uses_indirect_client on # TAG: via on|off # If set (default), Squid will include a Via header in requests and @@ -3395,64 +5156,62 @@ refresh_pattern . 0 20% 4320 # # This option replaces the old 'anonymize_headers' and the # older 'http_anonymizer' option with something that is much -# more configurable. This new method creates a list of ACLs -# for each header, allowing you very fine-tuned header -# mangling. -# -# This option only applies to request headers, i.e., from the -# client to the server. -# -# You can only specify known headers for the header name. -# Other headers are reclassified as 'Other'. You can also -# refer to all the headers with 'All'. +# more configurable. A list of ACLs for each header name allows +# removal of specific header fields under specific conditions. +# +# This option only applies to outgoing HTTP request headers (i.e., +# headers sent by Squid to the next HTTP hop such as a cache peer +# or an origin server). The option has no effect during cache hit +# detection. The equivalent adaptation vectoring point in ICAP +# terminology is post-cache REQMOD. +# +# The option is applied to individual outgoing request header +# fields. For each request header field F, Squid uses the first +# qualifying sets of request_header_access rules: +# +# 1. Rules with header_name equal to F's name. +# 2. Rules with header_name 'Other', provided F's name is not +# on the hard-coded list of commonly used HTTP header names. +# 3. Rules with header_name 'All'. +# +# Within that qualifying rule set, rule ACLs are checked as usual. +# If ACLs of an "allow" rule match, the header field is allowed to +# go through as is. If ACLs of a "deny" rule match, the header is +# removed and request_header_replace is then checked to identify +# if the removed header has a replacement. If no rules within the +# set have matching ACLs, the header field is left as is. # # For example, to achieve the same behavior as the old # 'http_anonymizer standard' option, you should use: # # request_header_access From deny all # request_header_access Referer deny all -# request_header_access Server deny all # request_header_access User-Agent deny all -# request_header_access WWW-Authenticate deny all -# request_header_access Link deny all # # Or, to reproduce the old 'http_anonymizer paranoid' feature # you should use: # -# request_header_access Allow allow all # request_header_access Authorization allow all -# request_header_access WWW-Authenticate allow all # request_header_access Proxy-Authorization allow all -# request_header_access Proxy-Authenticate allow all # request_header_access Cache-Control allow all -# request_header_access Content-Encoding allow all # request_header_access Content-Length allow all # request_header_access Content-Type allow all # request_header_access Date allow all -# request_header_access Expires allow all # request_header_access Host allow all # request_header_access If-Modified-Since allow all -# request_header_access Last-Modified allow all -# request_header_access Location allow all # request_header_access Pragma allow all # request_header_access Accept allow all # request_header_access Accept-Charset allow all # request_header_access Accept-Encoding allow all # request_header_access Accept-Language allow all -# request_header_access Content-Language allow all -# request_header_access Mime-Version allow all -# request_header_access Retry-After allow all -# request_header_access Title allow all # request_header_access Connection allow all # request_header_access All deny all # -# although many of those are HTTP reply headers, and so should be -# controlled with the reply_header_access directive. +# HTTP reply headers are controlled with the reply_header_access directive. # -# By default, all headers are allowed (no anonymizing is -# performed). +# By default, all headers are allowed (no anonymizing is performed). #Default: -# none +# No limits. # TAG: reply_header_access # Usage: reply_header_access header_name allow|deny [!]aclname ... @@ -3465,25 +5224,13 @@ refresh_pattern . 0 20% 4320 # server to the client. # # This is the same as request_header_access, but in the other -# direction. -# -# This option replaces the old 'anonymize_headers' and the -# older 'http_anonymizer' option with something that is much -# more configurable. This new method creates a list of ACLs -# for each header, allowing you very fine-tuned header -# mangling. -# -# You can only specify known headers for the header name. -# Other headers are reclassified as 'Other'. You can also -# refer to all the headers with 'All'. +# direction. Please see request_header_access for detailed +# documentation. # # For example, to achieve the same behavior as the old # 'http_anonymizer standard' option, you should use: # -# reply_header_access From deny all -# reply_header_access Referer deny all # reply_header_access Server deny all -# reply_header_access User-Agent deny all # reply_header_access WWW-Authenticate deny all # reply_header_access Link deny all # @@ -3491,9 +5238,7 @@ refresh_pattern . 0 20% 4320 # you should use: # # reply_header_access Allow allow all -# reply_header_access Authorization allow all # reply_header_access WWW-Authenticate allow all -# reply_header_access Proxy-Authorization allow all # reply_header_access Proxy-Authenticate allow all # reply_header_access Cache-Control allow all # reply_header_access Content-Encoding allow all @@ -3501,29 +5246,22 @@ refresh_pattern . 0 20% 4320 # reply_header_access Content-Type allow all # reply_header_access Date allow all # reply_header_access Expires allow all -# reply_header_access Host allow all -# reply_header_access If-Modified-Since allow all # reply_header_access Last-Modified allow all # reply_header_access Location allow all # reply_header_access Pragma allow all -# reply_header_access Accept allow all -# reply_header_access Accept-Charset allow all -# reply_header_access Accept-Encoding allow all -# reply_header_access Accept-Language allow all # reply_header_access Content-Language allow all -# reply_header_access Mime-Version allow all # reply_header_access Retry-After allow all # reply_header_access Title allow all +# reply_header_access Content-Disposition allow all # reply_header_access Connection allow all # reply_header_access All deny all # -# although the HTTP request headers won't be usefully controlled -# by this directive -- see request_header_access for details. +# HTTP request headers are controlled with the request_header_access directive. # # By default, all headers are allowed (no anonymizing is # performed). #Default: -# none +# No limits. # TAG: request_header_replace # Usage: request_header_replace header_name message @@ -3531,8 +5269,7 @@ refresh_pattern . 0 20% 4320 # # This option allows you to change the contents of headers # denied with request_header_access above, by replacing them -# with some fixed string. This replaces the old fake_user_agent -# option. +# with some fixed string. # # This only applies to request headers, not reply headers. # @@ -3554,6 +5291,57 @@ refresh_pattern . 0 20% 4320 #Default: # none +# TAG: request_header_add +# Usage: request_header_add field-name field-value acl1 [acl2] ... +# Example: request_header_add X-Client-CA "CA=%ssl::>cert_issuer" all +# +# This option adds header fields to outgoing HTTP requests (i.e., +# request headers sent by Squid to the next HTTP hop such as a +# cache peer or an origin server). The option has no effect during +# cache hit detection. The equivalent adaptation vectoring point +# in ICAP terminology is post-cache REQMOD. +# +# Field-name is a token specifying an HTTP header name. If a +# standard HTTP header name is used, Squid does not check whether +# the new header conflicts with any existing headers or violates +# HTTP rules. If the request to be modified already contains a +# field with the same name, the old field is preserved but the +# header field values are not merged. +# +# Field-value is either a token or a quoted string. If quoted +# string format is used, then the surrounding quotes are removed +# while escape sequences and %macros are processed. +# +# In theory, all of the logformat codes can be used as %macros. +# However, unlike logging (which happens at the very end of +# transaction lifetime), the transaction may not yet have enough +# information to expand a macro when the new header value is needed. +# And some information may already be available to Squid but not yet +# committed where the macro expansion code can access it (report +# such instances!). The macro will be expanded into a single dash +# ('-') in such cases. Not all macros have been tested. +# +# One or more Squid ACLs may be specified to restrict header +# injection to matching requests. As always in squid.conf, all +# ACLs in an option ACL list must be satisfied for the insertion +# to happen. The request_header_add option supports fast ACLs +# only. +#Default: +# none + +# TAG: note +# This option used to log custom information about the master +# transaction. For example, an admin may configure Squid to log +# which "user group" the transaction belongs to, where "user group" +# will be determined based on a set of ACLs and not [just] +# authentication information. +# Values of key/value pairs can be logged using %{key}note macros: +# +# note key value acl ... +# logformat myFormat ... %{key}note ... +#Default: +# none + # TAG: relaxed_header_parser on|off|warn # In the default "on" setting Squid accepts certain forms # of non-compliant HTTP messages where it is unambiguous @@ -3569,15 +5357,32 @@ refresh_pattern . 0 20% 4320 #Default: # relaxed_header_parser on -# TAG: ignore_expect_100 on|off -# This option makes Squid ignore any Expect: 100-continue header present -# in the request. RFC 2616 requires that Squid being unable to satisfy -# the response expectation MUST return a 417 error. -# -# Note: Enabling this is a HTTP protocol violation, but some clients may -# not handle it well.. -#Default: -# ignore_expect_100 off +# TAG: collapsed_forwarding (on|off) +# When enabled, instead of forwarding each concurrent request for +# the same URL, Squid just sends the first of them. The other, so +# called "collapsed" requests, wait for the response to the first +# request and, if it happens to be cachable, use that response. +# Here, "concurrent requests" means "received after the first +# request headers were parsed and before the corresponding response +# headers were parsed". +# +# This feature is disabled by default: enabling collapsed +# forwarding needlessly delays forwarding requests that look +# cachable (when they are collapsed) but then need to be forwarded +# individually anyway because they end up being for uncachable +# content. However, in some cases, such as acceleration of highly +# cachable content with periodic or grouped expiration times, the +# gains from collapsing [large volumes of simultaneous refresh +# requests] outweigh losses from such delays. +# +# Squid collapses two kinds of requests: regular client requests +# received on one of the listening ports and internal "cache +# revalidation" requests which are triggered by those regular +# requests hitting a stale cached object. Revalidation collapsing +# is currently disabled for Squid instances containing SMP-aware +# disk or memory caches and for Vary-controlled cached objects. +#Default: +# collapsed_forwarding off # TIMEOUTS # ----------------------------------------------------------------------------- @@ -3604,25 +5409,46 @@ refresh_pattern . 0 20% 4320 # peer_connect_timeout 30 seconds # TAG: read_timeout time-units -# The read_timeout is applied on server-side connections. After -# each successful read(), the timeout will be extended by this +# Applied on peer server connections. +# +# After each successful read(), the timeout will be extended by this # amount. If no data is read again after this amount of time, -# the request is aborted and logged with ERR_READ_TIMEOUT. The -# default is 15 minutes. +# the request is aborted and logged with ERR_READ_TIMEOUT. +# +# The default is 15 minutes. #Default: # read_timeout 15 minutes +# TAG: write_timeout time-units +# This timeout is tracked for all connections that have data +# available for writing and are waiting for the socket to become +# ready. After each successful write, the timeout is extended by +# the configured amount. If Squid has data to write but the +# connection is not ready for the configured duration, the +# transaction associated with the connection is terminated. The +# default is 15 minutes. +#Default: +# write_timeout 15 minutes + # TAG: request_timeout # How long to wait for complete HTTP request headers after initial # connection establishment. #Default: # request_timeout 5 minutes -# TAG: persistent_request_timeout +# TAG: client_idle_pconn_timeout # How long to wait for the next HTTP request on a persistent -# connection after the previous request completes. +# client connection after the previous request completes. +#Default: +# client_idle_pconn_timeout 2 minutes + +# TAG: ftp_client_idle_timeout +# How long to wait for an FTP request on a connection to Squid ftp_port. +# Many FTP clients do not deal with idle connection closures well, +# necessitating a longer default timeout than client_idle_pconn_timeout +# used for incoming HTTP requests. #Default: -# persistent_request_timeout 2 minutes +# ftp_client_idle_timeout 30 minutes # TAG: client_lifetime time-units # The maximum amount of time a client (browser) is allowed to @@ -3658,11 +5484,11 @@ refresh_pattern . 0 20% 4320 #Default: # half_closed_clients off -# TAG: pconn_timeout +# TAG: server_idle_pconn_timeout # Timeout for idle persistent connections to servers and other # proxies. #Default: -# pconn_timeout 1 minute +# server_idle_pconn_timeout 1 minute # TAG: ident_timeout # Maximum time to wait for IDENT lookups to complete. @@ -3687,15 +5513,15 @@ refresh_pattern . 0 20% 4320 # TAG: cache_mgr # Email-address of local cache manager who will receive -# mail if the cache dies. The default is "webmaster." +# mail if the cache dies. The default is "webmaster". #Default: # cache_mgr webmaster # TAG: mail_from # From: email-address for mail sent when the cache dies. -# The default is to use 'appname@unique_hostname'. -# Default appname value is "squid", can be changed into -# src/globals.h before building squid. +# The default is to use 'squid@unique_hostname'. +# +# See also: unique_hostname directive. #Default: # none @@ -3734,7 +5560,7 @@ refresh_pattern . 0 20% 4320 # Our preference is for administrators to configure a secure # user account for squid with UID/GID matching system policies. #Default: -# none +# Use system group memberships of the cache_effective_user account # TAG: httpd_suppress_version_string on|off # Suppress Squid version string info in HTTP headers and HTML error pages. @@ -3748,14 +5574,14 @@ refresh_pattern . 0 20% 4320 # get errors about IP-forwarding you must set them to have individual # names with this setting. #Default: -# visible_hostname localhost +# Automatically detect the system host name # TAG: unique_hostname # If you want to have multiple machines with the same # 'visible_hostname' you must give each machine a different # 'unique_hostname' so forwarding loops can be detected. #Default: -# none +# Copy the value from visible_hostname # TAG: hostname_aliases # A list of other DNS names your cache has. @@ -3794,33 +5620,32 @@ refresh_pattern . 0 20% 4320 # available on the Web at http://www.ircache.net/Cache/Tracker/. # TAG: announce_period -# This is how frequently to send cache announcements. The -# default is `0' which disables sending the announcement -# messages. +# This is how frequently to send cache announcements. # # To enable announcing your cache, just set an announce period. # # Example: # announce_period 1 day #Default: -# announce_period 0 +# Announcement messages disabled. # TAG: announce_host +# Set the hostname where announce registration messages will be sent. +# +# See also announce_port and announce_file #Default: # announce_host tracker.ircache.net # TAG: announce_file +# The contents of this file will be included in the announce +# registration messages. #Default: # none # TAG: announce_port -# announce_host and announce_port set the hostname and port -# number where the registration message will be sent. +# Set the port where announce registration messages will be sent. # -# Hostname will default to 'tracker.ircache.net' and port will -# default default to 3131. If the 'filename' argument is given, -# the contents of that file will be included in the announce -# message. +# See also announce_host and announce_file #Default: # announce_port 3131 @@ -3833,10 +5658,12 @@ refresh_pattern . 0 20% 4320 # a farm of surrogates may all perform the same tasks, they may share # an identification token. #Default: -# httpd_accel_surrogate_id unset-id +# visible_hostname is used if no specific ID is set. # TAG: http_accel_surrogate_remote on|off -# Remote surrogates (such as those in a CDN) honour Surrogate-Control: no-store-remote. +# Remote surrogates (such as those in a CDN) honour the header +# "Surrogate-Control: no-store-remote". +# # Set this to on to have squid behave as a remote surrogate. #Default: # http_accel_surrogate_remote off @@ -3855,6 +5682,9 @@ refresh_pattern . 0 20% 4320 # This represents the number of delay pools to be used. For example, # if you have one class 2 delay pool and one class 3 delays pool, you # have a total of 2 delay pools. +# +# See also delay_parameters, delay_class, delay_access for pool +# configuration details. #Default: # delay_pools 0 @@ -3907,6 +5737,11 @@ refresh_pattern . 0 20% 4320 # # NOTE-2: Due to the use of bitmasks in class 2,3,4 pools they only apply to # IPv4 traffic. Class 1 and 5 pools may be used with IPv6 traffic. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# See also delay_parameters and delay_access. #Default: # none @@ -3921,14 +5756,16 @@ refresh_pattern . 0 20% 4320 # For example, if you want some_big_clients in delay # pool 1 and lotsa_little_clients in delay pool 2: # -#Example: -# delay_access 1 allow some_big_clients -# delay_access 1 deny all -# delay_access 2 allow lotsa_little_clients -# delay_access 2 deny all -# delay_access 3 allow authenticated_clients +# delay_access 1 allow some_big_clients +# delay_access 1 deny all +# delay_access 2 allow lotsa_little_clients +# delay_access 2 deny all +# delay_access 3 allow authenticated_clients +# +# See also delay_parameters and delay_class. +# #Default: -# none +# Deny using the pool, unless allow rules exist in squid.conf for the pool. # TAG: delay_parameters # This defines the parameters for a delay pool. Each delay pool has @@ -3936,23 +5773,23 @@ refresh_pattern . 0 20% 4320 # description of delay_class. # # For a class 1 delay pool, the syntax is: -# delay_pools pool 1 +# delay_class pool 1 # delay_parameters pool aggregate # # For a class 2 delay pool: -# delay_pools pool 2 +# delay_class pool 2 # delay_parameters pool aggregate individual # # For a class 3 delay pool: -# delay_pools pool 3 +# delay_class pool 3 # delay_parameters pool aggregate network individual # # For a class 4 delay pool: -# delay_pools pool 4 +# delay_class pool 4 # delay_parameters pool aggregate network individual user # # For a class 5 delay pool: -# delay_pools pool 5 +# delay_class pool 5 # delay_parameters pool tagrate # # The option variables are: @@ -3988,11 +5825,11 @@ refresh_pattern . 0 20% 4320 # above example, and is being used to strictly limit each host to 64Kbit/sec # (plus overheads), with no overall limit, the line is: # -# delay_parameters 1 -1/-1 8000/8000 +# delay_parameters 1 none 8000/8000 # -# Note that 8 x 8000 KByte/sec -> 64Kbit/sec. +# Note that 8 x 8K Byte/sec -> 64K bit/sec. # -# Note that the figure -1 is used to represent "unlimited". +# Note that the word 'none' is used to represent no limit. # # # And, if delay pool number 2 is a class 3 delay pool as in the above @@ -4005,15 +5842,19 @@ refresh_pattern . 0 20% 4320 # # delay_parameters 2 32000/32000 8000/8000 600/8000 # -# Note that 8 x 32000 KByte/sec -> 256Kbit/sec. -# 8 x 8000 KByte/sec -> 64Kbit/sec. -# 8 x 600 Byte/sec -> 4800bit/sec. +# Note that 8 x 32K Byte/sec -> 256K bit/sec. +# 8 x 8K Byte/sec -> 64K bit/sec. +# 8 x 600 Byte/sec -> 4800 bit/sec. # # # Finally, for a class 4 delay pool as in the example - each user will # be limited to 128Kbits/sec no matter how many workstations they are logged into.: # # delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000 +# +# +# See also delay_class and delay_access. +# #Default: # none @@ -4026,6 +5867,94 @@ refresh_pattern . 0 20% 4320 #Default: # delay_initial_bucket_level 50 +# CLIENT DELAY POOL PARAMETERS +# ----------------------------------------------------------------------------- + +# TAG: client_delay_pools +# This option specifies the number of client delay pools used. It must +# preceed other client_delay_* options. +# +# Example: +# client_delay_pools 2 +# +# See also client_delay_parameters and client_delay_access. +#Default: +# client_delay_pools 0 + +# TAG: client_delay_initial_bucket_level (percent, 0-no_limit) +# This option determines the initial bucket size as a percentage of +# max_bucket_size from client_delay_parameters. Buckets are created +# at the time of the "first" connection from the matching IP. Idle +# buckets are periodically deleted up. +# +# You can specify more than 100 percent but note that such "oversized" +# buckets are not refilled until their size goes down to max_bucket_size +# from client_delay_parameters. +# +# Example: +# client_delay_initial_bucket_level 50 +#Default: +# client_delay_initial_bucket_level 50 + +# TAG: client_delay_parameters +# +# This option configures client-side bandwidth limits using the +# following format: +# +# client_delay_parameters pool speed_limit max_bucket_size +# +# pool is an integer ID used for client_delay_access matching. +# +# speed_limit is bytes added to the bucket per second. +# +# max_bucket_size is the maximum size of a bucket, enforced after any +# speed_limit additions. +# +# Please see the delay_parameters option for more information and +# examples. +# +# Example: +# client_delay_parameters 1 1024 2048 +# client_delay_parameters 2 51200 16384 +# +# See also client_delay_access. +# +#Default: +# none + +# TAG: client_delay_access +# This option determines the client-side delay pool for the +# request: +# +# client_delay_access pool_ID allow|deny acl_name +# +# All client_delay_access options are checked in their pool ID +# order, starting with pool 1. The first checked pool with allowed +# request is selected for the request. If no ACL matches or there +# are no client_delay_access options, the request bandwidth is not +# limited. +# +# The ACL-selected pool is then used to find the +# client_delay_parameters for the request. Client-side pools are +# not used to aggregate clients. Clients are always aggregated +# based on their source IP addresses (one bucket per source IP). +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# Additionally, only the client TCP connection details are available. +# ACLs testing HTTP properties will not work. +# +# Please see delay_access for more examples. +# +# Example: +# client_delay_access 1 allow low_rate_network +# client_delay_access 2 allow vips_network +# +# +# See also client_delay_parameters and client_delay_pools. +#Default: +# Deny use of the pool, unless allow rules exist in squid.conf for the pool. + # WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS # ----------------------------------------------------------------------------- @@ -4040,7 +5969,7 @@ refresh_pattern . 0 20% 4320 # only one of the two may be used at the same time and defines # which version of WCCP to use. #Default: -# wccp_router any_addr +# WCCP disabled. # TAG: wccp2_router # Use this option to define your WCCP ``home'' router for @@ -4053,7 +5982,7 @@ refresh_pattern . 0 20% 4320 # only one of the two may be used at the same time and defines # which version of WCCP to use. #Default: -# none +# WCCPv2 disabled. # TAG: wccp_version # This directive is only relevant if you need to set up WCCP(v1) @@ -4110,7 +6039,7 @@ refresh_pattern . 0 20% 4320 # Valid values are as follows: # # hash - Hash assignment -# mask - Mask assignment +# mask - Mask assignment # # As a general rule, cisco routers support the hash assignment method # and cisco switches support the mask assignment method. @@ -4138,7 +6067,7 @@ refresh_pattern . 0 20% 4320 # # fleshed out with subsequent options. # wccp2_service standard 0 password=foo #Default: -# wccp2_service standard 0 +# Use the 'web-cache' standard service. # TAG: wccp2_service_info # Dynamic WCCPv2 services require further information to define the @@ -4175,8 +6104,12 @@ refresh_pattern . 0 20% 4320 # wccp2_weight 10000 # TAG: wccp_address +# Use this option if you require WCCPv2 to use a specific +# interface address. +# +# The default behavior is to not bind to any specific address. #Default: -# wccp_address 0.0.0.0 +# Address selected by the operating system. # TAG: wccp2_address # Use this option if you require WCCP to use a specific @@ -4184,7 +6117,7 @@ refresh_pattern . 0 20% 4320 # # The default behavior is to not bind to any specific address. #Default: -# wccp2_address 0.0.0.0 +# Address selected by the operating system. # PERSISTENT CONNECTION HANDLING # ----------------------------------------------------------------------------- @@ -4192,14 +6125,16 @@ refresh_pattern . 0 20% 4320 # Also see "pconn_timeout" in the TIMEOUTS section # TAG: client_persistent_connections +# Persistent connection support for clients. +# Squid uses persistent connections (when allowed). You can use +# this option to disable persistent connections with clients. #Default: # client_persistent_connections on # TAG: server_persistent_connections -# Persistent connection support for clients and servers. By -# default, Squid uses persistent connections (when allowed) -# with its clients and servers. You can use these options to -# disable persistent connections with clients and/or servers. +# Persistent connection support for servers. +# Squid uses persistent connections (when allowed). You can use +# this option to disable persistent connections with servers. #Default: # server_persistent_connections on @@ -4275,7 +6210,7 @@ refresh_pattern . 0 20% 4320 # Example: # snmp_port 3401 #Default: -# snmp_port 0 +# SNMP disabled. # TAG: snmp_access # Allowing or denying access to the SNMP port. @@ -4287,26 +6222,29 @@ refresh_pattern . 0 20% 4320 # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# #Example: # snmp_access allow snmppublic localhost # snmp_access deny all #Default: -# snmp_access deny all +# Deny, unless rules exist in squid.conf. # TAG: snmp_incoming_address -#Default: -# snmp_incoming_address any_addr - -# TAG: snmp_outgoing_address # Just like 'udp_incoming_address', but for the SNMP port. # # snmp_incoming_address is used for the SNMP socket receiving # messages from SNMP agents. -# snmp_outgoing_address is used for SNMP packets returned to SNMP -# agents. # # The default snmp_incoming_address is to listen on all # available network interfaces. +#Default: +# Accept SNMP packets from all machine interfaces. + +# TAG: snmp_outgoing_address +# Just like 'udp_outgoing_address', but for the SNMP port. +# +# snmp_outgoing_address is used for SNMP packets returned to SNMP +# agents. # # If snmp_outgoing_address is not set it will use the same socket # as snmp_incoming_address. Only change this if you want to have @@ -4314,9 +6252,9 @@ refresh_pattern . 0 20% 4320 # listens for SNMP queries. # # NOTE, snmp_incoming_address and snmp_outgoing_address can not have -# the same value since they both use port 3401. +# the same value since they both use the same port. #Default: -# snmp_outgoing_address no_addr +# Use snmp_incoming_address or an address selected by the operating system. # ICP OPTIONS # ----------------------------------------------------------------------------- @@ -4324,22 +6262,21 @@ refresh_pattern . 0 20% 4320 # TAG: icp_port # The port number where Squid sends and receives ICP queries to # and from neighbor caches. The standard UDP port for ICP is 3130. -# Default is disabled (0). # # Example: # icp_port 3130 #Default: -# icp_port 0 +# ICP disabled. # TAG: htcp_port # The port number where Squid sends and receives HTCP queries to # and from neighbor caches. To turn it on you want to set it to -# 4827. By default it is set to "0" (disabled). +# 4827. # # Example: # htcp_port 4827 #Default: -# htcp_port 0 +# HTCP disabled. # TAG: log_icp_queries on|off # If set, ICP queries are logged to access.log. You may wish @@ -4365,7 +6302,7 @@ refresh_pattern . 0 20% 4320 # NOTE, udp_incoming_address and udp_outgoing_address can not # have the same value since they both use the same port. #Default: -# udp_incoming_address any_addr +# Accept packets from all machine interfaces. # TAG: udp_outgoing_address # udp_outgoing_address is used for UDP packets sent out to other @@ -4386,7 +6323,7 @@ refresh_pattern . 0 20% 4320 # NOTE, udp_incoming_address and udp_outgoing_address can not # have the same value since they both use the same port. #Default: -# udp_outgoing_address no_addr +# Use udp_incoming_address or an address selected by the operating system. # TAG: icp_hit_stale on|off # If you want to return ICP_HIT for stale cache objects, set this @@ -4405,21 +6342,33 @@ refresh_pattern . 0 20% 4320 #Default: # minimum_direct_hops 4 -# TAG: minimum_direct_rtt +# TAG: minimum_direct_rtt (msec) # If using the ICMP pinging stuff, do direct fetches for sites # which are no more than this many rtt milliseconds away. #Default: # minimum_direct_rtt 400 # TAG: netdb_low +# The low water mark for the ICMP measurement database. +# +# Note: high watermark controlled by netdb_high directive. +# +# These watermarks are counts, not percents. The defaults are +# (low) 900 and (high) 1000. When the high water mark is +# reached, database entries will be deleted until the low +# mark is reached. #Default: # netdb_low 900 # TAG: netdb_high -# The low and high water marks for the ICMP measurement -# database. These are counts, not percents. The defaults are -# 900 and 1000. When the high water mark is reached, database -# entries will be deleted until the low mark is reached. +# The high water mark for the ICMP measurement database. +# +# Note: low watermark controlled by netdb_low directive. +# +# These watermarks are counts, not percents. The defaults are +# (low) 900 and (high) 1000. When the high water mark is +# reached, database entries will be deleted until the low +# mark is reached. #Default: # netdb_high 1000 @@ -4462,7 +6411,7 @@ refresh_pattern . 0 20% 4320 # # icp_query_timeout 2000 #Default: -# icp_query_timeout 0 +# Dynamic detection. # TAG: maximum_icp_query_timeout (msec) # Normally the ICP query timeout is determined dynamically. But @@ -4528,7 +6477,7 @@ refresh_pattern . 0 20% 4320 # Do not enable this option unless you are are absolutely # certain you understand what you are doing. #Default: -# mcast_miss_addr no_addr +# disabled. # TAG: mcast_miss_ttl # Note: This option is only available if Squid is rebuilt with the @@ -4618,7 +6567,7 @@ refresh_pattern . 0 20% 4320 # The squid developers working on translations are happy to supply drop-in # translated error files in exchange for any new language contributions. #Default: -# none +# Send error pages in the clients preferred language # TAG: error_default_language # Set the default language which squid will send error pages in @@ -4632,7 +6581,7 @@ refresh_pattern . 0 20% 4320 # translations for any language see the squid wiki for details. # http://wiki.squid-cache.org/Translations #Default: -# none +# Generate English language pages. # TAG: error_log_languages # Log to cache.log what languages users are attempting to @@ -4687,17 +6636,47 @@ refresh_pattern . 0 20% 4320 # the first authentication related acl encountered # - When none of the http_access lines matches. It's then the last # acl processed on the last http_access line. +# - When the decision to deny access was made by an adaptation service, +# the acl name is the corresponding eCAP or ICAP service_name. # # NP: If providing your own custom error pages with error_directory # you may also specify them by your custom file name: # Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys # -# Alternatively you can specify an error URL. The browsers will -# get redirected (302 or 307) to the specified URL. %s in the redirection -# URL will be replaced by the requested URL. +# By defaut Squid will send "403 Forbidden". A different 4xx or 5xx +# may be specified by prefixing the file name with the code and a colon. +# e.g. 404:ERR_CUSTOM_ACCESS_DENIED # # Alternatively you can tell Squid to reset the TCP connection # by specifying TCP_RESET. +# +# Or you can specify an error URL or URL pattern. The browsers will +# get redirected to the specified URL after formatting tags have +# been replaced. Redirect will be done with 302 or 307 according to +# HTTP/1.1 specs. A different 3xx code may be specified by prefixing +# the URL. e.g. 303:http://example.com/ +# +# URL FORMAT TAGS: +# %a - username (if available. Password NOT included) +# %B - FTP path URL +# %e - Error number +# %E - Error description +# %h - Squid hostname +# %H - Request domain name +# %i - Client IP Address +# %M - Request Method +# %o - Message result from external ACL helper +# %p - Request Port number +# %P - Request Protocol name +# %R - Request URL path +# %T - Timestamp in RFC 1123 format +# %U - Full canonical URL from client +# (HTTPS URLs terminate with *) +# %u - Full canonical URL from client +# %w - Admin email from squid.conf +# %x - Error name +# %% - Literal percent (%) code +# #Default: # none @@ -4706,18 +6685,18 @@ refresh_pattern . 0 20% 4320 # TAG: nonhierarchical_direct # By default, Squid will send any non-hierarchical requests -# (matching hierarchy_stoplist or not cacheable request type) direct -# to origin servers. +# (not cacheable request type) direct to origin servers. # -# If you set this to off, Squid will prefer to send these +# When this is set to "off", Squid will prefer to send these # requests to parents. # # Note that in most configurations, by turning this off you will only # add latency to these request without any improvement in global hit # ratio. # -# If you are inside an firewall see never_direct instead of -# this directive. +# This option only sets a preference. If the parent is unavailable a +# direct connection to the origin server may still be attempted. To +# completely prevent direct connections use never_direct. #Default: # nonhierarchical_direct on @@ -4736,6 +6715,29 @@ refresh_pattern . 0 20% 4320 #Default: # prefer_direct off +# TAG: cache_miss_revalidate on|off +# RFC 7232 defines a conditional request mechanism to prevent +# response objects being unnecessarily transferred over the network. +# If that mechanism is used by the client and a cache MISS occurs +# it can prevent new cache entries being created. +# +# This option determines whether Squid on cache MISS will pass the +# client revalidation request to the server or tries to fetch new +# content for caching. It can be useful while the cache is mostly +# empty to more quickly have the cache populated by generating +# non-conditional GETs. +# +# When set to 'on' (default), Squid will pass all client If-* headers +# to the server. This permits server responses without a cacheable +# payload to be delivered and on MISS no new cache entry is created. +# +# When set to 'off' and if the request is cacheable, Squid will +# remove the clients If-Modified-Since and If-None-Match headers from +# the request sent to the server. This requests a 200 status response +# from the server to create a new cache entry with. +#Default: +# cache_miss_revalidate on + # TAG: always_direct # Usage: always_direct allow|deny [!]aclname ... # @@ -4776,7 +6778,7 @@ refresh_pattern . 0 20% 4320 # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Prevent any cache_peer being used for this request. # TAG: never_direct # Usage: never_direct allow|deny [!]aclname ... @@ -4805,37 +6807,52 @@ refresh_pattern . 0 20% 4320 # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow DNS results to be used for this request. # ADVANCED NETWORKING OPTIONS # ----------------------------------------------------------------------------- -# TAG: incoming_icp_average +# TAG: incoming_udp_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: -# incoming_icp_average 6 +# incoming_udp_average 6 -# TAG: incoming_http_average +# TAG: incoming_tcp_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: -# incoming_http_average 4 +# incoming_tcp_average 4 # TAG: incoming_dns_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: # incoming_dns_average 4 -# TAG: min_icp_poll_cnt +# TAG: min_udp_poll_cnt +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: -# min_icp_poll_cnt 8 +# min_udp_poll_cnt 8 # TAG: min_dns_poll_cnt +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: # min_dns_poll_cnt 8 -# TAG: min_http_poll_cnt +# TAG: min_tcp_poll_cnt # Heavy voodoo here. I can't even believe you are reading this. # Are you crazy? Don't even think about adjusting these unless # you understand the algorithms in comm_select.c first! #Default: -# min_http_poll_cnt 8 +# min_tcp_poll_cnt 8 # TAG: accept_filter # FreeBSD: @@ -4880,14 +6897,14 @@ refresh_pattern . 0 20% 4320 # WARNING: This may noticably slow down traffic received via external proxies # or NAT devices and cause them to rebound error messages back to their clients. #Default: -# client_ip_max_connections -1 +# No limit. # TAG: tcp_recv_bufsize (bytes) # Size of receive buffer to set for TCP sockets. Probably just -# as easy to change your kernel's default. Set to zero to use -# the default buffer size. +# as easy to change your kernel's default. +# Omit from squid.conf to use the default buffer size. #Default: -# tcp_recv_bufsize 0 bytes +# Use operating system TCP defaults. # ICAP OPTIONS # ----------------------------------------------------------------------------- @@ -4913,22 +6930,36 @@ refresh_pattern . 0 20% 4320 # an established, active ICAP connection before giving up and # either terminating the HTTP transaction or bypassing the # failure. -# -# The default is read_timeout. #Default: -# none +# Use read_timeout. -# TAG: icap_service_failure_limit +# TAG: icap_service_failure_limit limit [in memory-depth time-units] # The limit specifies the number of failures that Squid tolerates # when establishing a new TCP connection with an ICAP service. If # the number of failures exceeds the limit, the ICAP service is # not used for new ICAP requests until it is time to refresh its -# OPTIONS. The per-service failure counter is reset to zero each -# time Squid fetches new service OPTIONS. +# OPTIONS. # # A negative value disables the limit. Without the limit, an ICAP # service will not be considered down due to connectivity failures # between ICAP OPTIONS requests. +# +# Squid forgets ICAP service failures older than the specified +# value of memory-depth. The memory fading algorithm +# is approximate because Squid does not remember individual +# errors but groups them instead, splitting the option +# value into ten time slots of equal length. +# +# When memory-depth is 0 and by default this option has no +# effect on service failure expiration. +# +# Squid always forgets failures when updating service settings +# using an ICAP OPTIONS transaction, regardless of this option +# setting. +# +# For example, +# # suspend service usage after 10 failures in 5 seconds: +# icap_service_failure_limit 10 in 5 seconds #Default: # icap_service_failure_limit 10 @@ -4962,10 +6993,26 @@ refresh_pattern . 0 20% 4320 # TAG: icap_preview_size # The default size of preview data to be sent to the ICAP server. -# -1 means no preview. This value might be overwritten on a per server -# basis by OPTIONS requests. +# This value might be overwritten on a per server basis by OPTIONS requests. +#Default: +# No preview sent. + +# TAG: icap_206_enable on|off +# 206 (Partial Content) responses is an ICAP extension that allows the +# ICAP agents to optionally combine adapted and original HTTP message +# content. The decision to combine is postponed until the end of the +# ICAP response. Squid supports Partial Content extension by default. +# +# Activation of the Partial Content extension is negotiated with each +# ICAP service during OPTIONS exchange. Most ICAP servers should handle +# negotation correctly even if they do not support the extension, but +# some might fail. To disable Partial Content support for all ICAP +# services and to avoid any negotiation, set this option to "off". +# +# Example: +# icap_206_enable off #Default: -# icap_preview_size -1 +# icap_206_enable on # TAG: icap_default_options_ttl # The default TTL value for ICAP OPTIONS responses that don't have @@ -4979,25 +7026,27 @@ refresh_pattern . 0 20% 4320 #Default: # icap_persistent_connections on -# TAG: icap_send_client_ip on|off +# TAG: adaptation_send_client_ip on|off # If enabled, Squid shares HTTP client IP information with adaptation # services. For ICAP, Squid adds the X-Client-IP header to ICAP requests. # For eCAP, Squid sets the libecap::metaClientIp transaction option. # # See also: adaptation_uses_indirect_client #Default: -# icap_send_client_ip off +# adaptation_send_client_ip off -# TAG: icap_send_client_username on|off +# TAG: adaptation_send_username on|off # This sends authenticated HTTP client username (if available) to -# the ICAP service. The username value is encoded based on the +# the adaptation service. +# +# For ICAP, the username value is encoded based on the # icap_client_username_encode option and is sent using the header # specified by the icap_client_username_header option. #Default: -# icap_send_client_username off +# adaptation_send_username off # TAG: icap_client_username_header -# ICAP request header name to use for send_client_username. +# ICAP request header name to use for adaptation_send_username. #Default: # icap_client_username_header X-Client-Username @@ -5009,17 +7058,19 @@ refresh_pattern . 0 20% 4320 # TAG: icap_service # Defines a single ICAP service using the following format: # -# icap_service service_name vectoring_point [options] service_url +# icap_service id vectoring_point uri [option ...] # -# service_name: ID -# an opaque identifier which must be unique in squid.conf +# id: ID +# an opaque identifier or name which is used to direct traffic to +# this specific service. Must be unique among all adaptation +# services in squid.conf. # # vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache # This specifies at which point of transaction processing the # ICAP service should be activated. *_postcache vectoring points # are not yet supported. # -# service_url: icap://servername:port/servicepath +# uri: icap://servername:port/servicepath # ICAP server and service location. # # ICAP does not allow a single service to handle both REQMOD and RESPMOD @@ -5028,6 +7079,8 @@ refresh_pattern . 0 20% 4320 # can even specify multiple identical services as long as their # service_names differ. # +# To activate a service, use the adaptation_access directive. To group +# services, use adaptation_service_chain and adaptation_service_set. # # Service options are separated by white space. ICAP services support # the following name=value options: @@ -5049,11 +7102,12 @@ refresh_pattern . 0 20% 4320 # returning a chain of services to be used next. The services # are specified using the X-Next-Services ICAP response header # value, formatted as a comma-separated list of service names. -# Each named service should be configured in squid.conf and -# should have the same method and vectoring point as the current -# ICAP transaction. Services violating these rules are ignored. -# An empty X-Next-Services value results in an empty plan which -# ends the current adaptation. +# Each named service should be configured in squid.conf. Other +# services are ignored. An empty X-Next-Services value results +# in an empty plan which ends the current adaptation. +# +# Dynamic adaptation plan may cross or cover multiple supported +# vectoring points in their natural processing order. # # Routing is not allowed by default: the ICAP X-Next-Services # response header is ignored. @@ -5063,12 +7117,32 @@ refresh_pattern . 0 20% 4320 # is to use IPv4-only connections. When set to 'on' this option will # make Squid use IPv6-only connections to contact this ICAP service. # +# on-overload=block|bypass|wait|force +# If the service Max-Connections limit has been reached, do +# one of the following for each new ICAP transaction: +# * block: send an HTTP error response to the client +# * bypass: ignore the "over-connected" ICAP service +# * wait: wait (in a FIFO queue) for an ICAP connection slot +# * force: proceed, ignoring the Max-Connections limit +# +# In SMP mode with N workers, each worker assumes the service +# connection limit is Max-Connections/N, even though not all +# workers may use a given service. +# +# The default value is "bypass" if service is bypassable, +# otherwise it is set to "wait". +# +# +# max-conn=number +# Use the given number as the Max-Connections limit, regardless +# of the Max-Connections value given by the service, if any. +# # Older icap_service format without optional named parameters is # deprecated but supported for backward compatibility. # #Example: -#icap_service svcBlocker reqmod_precache bypass=0 icap://icap1.mydomain.net:1344/reqmod -#icap_service svcLogger reqmod_precache routing=on icap://icap2.mydomain.net:1344/respmod +#icap_service svcBlocker reqmod_precache icap://icap1.mydomain.net:1344/reqmod bypass=0 +#icap_service svcLogger reqmod_precache icap://icap2.mydomain.net:1344/respmod routing=on #Default: # none @@ -5094,38 +7168,65 @@ refresh_pattern . 0 20% 4320 # ----------------------------------------------------------------------------- # TAG: ecap_enable on|off -# Note: This option is only available if Squid is rebuilt with the -# --enable-ecap option -# # Controls whether eCAP support is enabled. #Default: # ecap_enable off # TAG: ecap_service -# Note: This option is only available if Squid is rebuilt with the -# --enable-ecap option -# # Defines a single eCAP service # -# ecap_service servicename vectoring_point bypass service_url +# ecap_service id vectoring_point uri [option ...] # -# vectoring_point = reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache +# id: ID +# an opaque identifier or name which is used to direct traffic to +# this specific service. Must be unique among all adaptation +# services in squid.conf. +# +# vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache # This specifies at which point of transaction processing the # eCAP service should be activated. *_postcache vectoring points # are not yet supported. -# bypass = 1|0 -# If set to 1, the eCAP service is treated as optional. If the -# service cannot be reached or malfunctions, Squid will try to -# ignore any errors and process the message as if the service +# +# uri: ecap://vendor/service_name?custom&cgi=style¶meters=optional +# Squid uses the eCAP service URI to match this configuration +# line with one of the dynamically loaded services. Each loaded +# eCAP service must have a unique URI. Obtain the right URI from +# the service provider. +# +# To activate a service, use the adaptation_access directive. To group +# services, use adaptation_service_chain and adaptation_service_set. +# +# Service options are separated by white space. eCAP services support +# the following name=value options: +# +# bypass=on|off|1|0 +# If set to 'on' or '1', the eCAP service is treated as optional. +# If the service cannot be reached or malfunctions, Squid will try +# to ignore any errors and process the message as if the service # was not enabled. No all eCAP errors can be bypassed. -# If set to 0, the eCAP service is treated as essential and all -# eCAP errors will result in an error page returned to the +# If set to 'off' or '0', the eCAP service is treated as essential +# and all eCAP errors will result in an error page returned to the # HTTP client. -# service_url = ecap://vendor/service_name?custom&cgi=style¶meters=optional +# +# Bypass is off by default: services are treated as essential. +# +# routing=on|off|1|0 +# If set to 'on' or '1', the eCAP service is allowed to +# dynamically change the current message adaptation plan by +# returning a chain of services to be used next. +# +# Dynamic adaptation plan may cross or cover multiple supported +# vectoring points in their natural processing order. +# +# Routing is not allowed by default. +# +# Older ecap_service format without optional named parameters is +# deprecated but supported for backward compatibility. +# # #Example: -#ecap_service service_1 reqmod_precache 0 ecap://filters-R-us/leakDetector?on_error=block -#ecap_service service_2 respmod_precache 1 icap://filters-R-us/virusFilter?config=/etc/vf.cfg +#ecap_service s1 reqmod_precache ecap://filters.R.us/leakDetector?on_error=block bypass=off +#ecap_service s2 respmod_precache ecap://filters.R.us/virusFilter config=/etc/vf.cfg bypass=on #Default: # none @@ -5247,7 +7348,7 @@ refresh_pattern . 0 20% 4320 #Example: #adaptation_access service_1 allow all #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: adaptation_service_iteration_limit # Limits the number of iterations allowed when applying adaptation @@ -5275,8 +7376,14 @@ refresh_pattern . 0 20% 4320 # # An ICAP REQMOD or RESPMOD transaction may set an entry in the # shared table by returning an ICAP header field with a name -# specified in adaptation_masterx_shared_names. Squid will store -# and forward that ICAP header field to subsequent ICAP +# specified in adaptation_masterx_shared_names. +# +# An eCAP REQMOD or RESPMOD transaction may set an entry in the +# shared table by implementing the libecap::visitEachOption() API +# to provide an option with a name specified in +# adaptation_masterx_shared_names. +# +# Squid will store and forward the set entry to subsequent adaptation # transactions within the same master transaction scope. # # Only one shared entry name is supported at this time. @@ -5287,6 +7394,43 @@ refresh_pattern . 0 20% 4320 #Default: # none +# TAG: adaptation_meta +# This option allows Squid administrator to add custom ICAP request +# headers or eCAP options to Squid ICAP requests or eCAP transactions. +# Use it to pass custom authentication tokens and other +# transaction-state related meta information to an ICAP/eCAP service. +# +# The addition of a meta header is ACL-driven: +# adaptation_meta name value [!]aclname ... +# +# Processing for a given header name stops after the first ACL list match. +# Thus, it is impossible to add two headers with the same name. If no ACL +# lists match for a given header name, no such header is added. For +# example: +# +# # do not debug transactions except for those that need debugging +# adaptation_meta X-Debug 1 needs_debugging +# +# # log all transactions except for those that must remain secret +# adaptation_meta X-Log 1 !keep_secret +# +# # mark transactions from users in the "G 1" group +# adaptation_meta X-Authenticated-Groups "G 1" authed_as_G1 +# +# The "value" parameter may be a regular squid.conf token or a "double +# quoted string". Within the quoted string, use backslash (\) to escape +# any character, which is currently only useful for escaping backslashes +# and double quotes. For example, +# "this string has one backslash (\\) and two \"quotes\"" +# +# Used adaptation_meta header values may be logged via %note +# logformat code. If multiple adaptation_meta headers with the same name +# are used during master transaction lifetime, the header values are +# logged in the order they were used and duplicate values are ignored +# (only the first repeated value will be logged). +#Default: +# none + # TAG: icap_retry # This ACL determines which retriable ICAP transactions are # retried. Transactions that received a complete ICAP response @@ -5303,8 +7447,7 @@ refresh_pattern . 0 20% 4320 # icap_retry deny all # TAG: icap_retry_limit -# Limits the number of retries allowed. When set to zero (default), -# no retries are allowed. +# Limits the number of retries allowed. # # Communication errors due to persistent connection race # conditions are unavoidable, automatically retried, and do not @@ -5312,7 +7455,7 @@ refresh_pattern . 0 20% 4320 # # See also: icap_retry #Default: -# icap_retry_limit 0 +# No retries are allowed. # DNS OPTIONS # ----------------------------------------------------------------------------- @@ -5332,31 +7475,9 @@ refresh_pattern . 0 20% 4320 #Default: # allow_underscore on -# TAG: cache_dns_program -# Note: This option is only available if Squid is rebuilt with the -# --disable-internal-dns option -# -# Specify the location of the executable for dnslookup process. -#Default: -# cache_dns_program /usr/lib/squid/dnsserver - -# TAG: dns_children -# Note: This option is only available if Squid is rebuilt with the -# --disable-internal-dns option -# -# The number of processes spawn to service DNS name lookups. -# For heavily loaded caches on large servers, you should -# probably increase this value to at least 10. The maximum -# is 32. The default is 5. -# -# You must have at least one dnsserver process. -#Default: -# dns_children 5 - # TAG: dns_retransmit_interval # Initial retransmit interval for DNS queries. The interval is # doubled each time all configured DNS servers have been tried. -# #Default: # dns_retransmit_interval 5 seconds @@ -5365,7 +7486,31 @@ refresh_pattern . 0 20% 4320 # within this time all DNS servers for the queried domain # are assumed to be unavailable. #Default: -# dns_timeout 2 minutes +# dns_timeout 30 seconds + +# TAG: dns_packet_max +# Maximum number of bytes packet size to advertise via EDNS. +# Set to "none" to disable EDNS large packet support. +# +# For legacy reasons DNS UDP replies will default to 512 bytes which +# is too small for many responses. EDNS provides a means for Squid to +# negotiate receiving larger responses back immediately without having +# to failover with repeat requests. Responses larger than this limit +# will retain the old behaviour of failover to TCP DNS. +# +# Squid has no real fixed limit internally, but allowing packet sizes +# over 1500 bytes requires network jumbogram support and is usually not +# necessary. +# +# WARNING: The RFC also indicates that some older resolvers will reply +# with failure of the whole request if the extension is added. Some +# resolvers have already been identified which will reply with mangled +# EDNS response on occasion. Usually in response to many-KB jumbogram +# sizes being advertised by Squid. +# Squid will currently treat these both as an unable-to-resolve domain +# even if it would be resolvable without EDNS. +#Default: +# EDNS disabled # TAG: dns_defnames on|off # Normally the RES_DEFNAMES resolver option is disabled @@ -5373,12 +7518,21 @@ refresh_pattern . 0 20% 4320 # from interpreting single-component hostnames locally. To allow # Squid to handle single-component names, enable this option. #Default: -# dns_defnames off +# Search for single-label domain names is disabled. + +# TAG: dns_multicast_local on|off +# When set to on, Squid sends multicast DNS lookups on the local +# network for domains ending in .local and .arpa. +# This enables local servers and devices to be contacted in an +# ad-hoc or zero-configuration network environment. +#Default: +# Search for .local and .arpa names is disabled. # TAG: dns_nameservers # Use this if you want to specify a list of DNS name servers # (IP addresses) to use instead of those given in your # /etc/resolv.conf file. +# # On Windows platforms, if no value is specified here or in # the /etc/resolv.conf file, the list of DNS name servers are # taken from the Windows registry, both static and dynamic DHCP @@ -5386,7 +7540,7 @@ refresh_pattern . 0 20% 4320 # # Example: dns_nameservers 10.0.0.1 192.172.0.4 #Default: -# none +# Use operating system definitions # TAG: hosts_file # Location of the host-local IP name-address associations @@ -5425,7 +7579,7 @@ refresh_pattern . 0 20% 4320 #Example: # append_domain .yourdomain.com #Default: -# none +# Use operating system definitions # TAG: ignore_unknown_nameservers # By default Squid checks that DNS responses are received @@ -5436,23 +7590,6 @@ refresh_pattern . 0 20% 4320 #Default: # ignore_unknown_nameservers on -# TAG: dns_v4_fallback -# Standard practice with DNS is to lookup either A or AAAA records -# and use the results if it succeeds. Only looking up the other if -# the first attempt fails or otherwise produces no results. -# -# That policy however will cause squid to produce error pages for some -# servers that advertise AAAA but are unreachable over IPv6. -# -# If this is ON squid will always lookup both AAAA and A, using both. -# If this is OFF squid will lookup AAAA and only try A if none found. -# -# WARNING: There are some possibly unwanted side-effects with this on: -# *) Doubles the load placed by squid on the DNS network. -# *) May negatively impact connection delay times. -#Default: -# dns_v4_fallback on - # TAG: dns_v4_first # With the IPv6 Internet being as fast or faster than IPv4 Internet # for most networks Squid prefers to contact websites over IPv6. @@ -5464,11 +7601,12 @@ refresh_pattern . 0 20% 4320 # WARNING: # This option will restrict the situations under which IPv6 # connectivity is used (and tested), potentially hiding network -# problem swhich would otherwise be detected and warned about. +# problems which would otherwise be detected and warned about. #Default: # dns_v4_first off # TAG: ipcache_size (number of entries) +# Maximum number of DNS IP cache entries. #Default: # ipcache_size 1024 @@ -5489,6 +7627,15 @@ refresh_pattern . 0 20% 4320 # MISCELLANEOUS # ----------------------------------------------------------------------------- +# TAG: configuration_includes_quoted_values on|off +# If set, Squid will recognize each "quoted string" after a configuration +# directive as a single parameter. The quotes are stripped before the +# parameter value is interpreted or used. +# See "Values with spaces, quotes, and other special characters" +# section for more details. +#Default: +# configuration_includes_quoted_values off + # TAG: memory_pools on|off # If set, Squid will keep pools of allocated (but unused) memory # available for future use. If memory is a premium on your @@ -5539,7 +7686,7 @@ refresh_pattern . 0 20% 4320 # X-Forwarded-For header. # # If set to "truncate", Squid will remove all existing -# X-Forwarded-For entries, and place itself as the sole entry. +# X-Forwarded-For entries, and place the client IP as the sole entry. #Default: # forwarded_for on @@ -5602,7 +7749,7 @@ refresh_pattern . 0 20% 4320 # cachemgr_passwd lesssssssecret info stats/objects # cachemgr_passwd disable all #Default: -# none +# No password. Actions which require password are denied. # TAG: client_db on|off # If you want to disable collecting per-client statistics, @@ -5633,19 +7780,22 @@ refresh_pattern . 0 20% 4320 #Default: # reload_into_ims off -# TAG: maximum_single_addr_tries -# This sets the maximum number of connection attempts for a -# host that only has one address (for multiple-address hosts, -# each address is tried once). +# TAG: connect_retries +# This sets the maximum number of connection attempts made for each +# TCP connection. The connect_retries attempts must all still +# complete within the connection timeout period. +# +# The default is not to re-try if the first connection attempt fails. +# The (not recommended) maximum is 10 tries. # -# The default value is one attempt, the (not recommended) -# maximum is 255 tries. A warning message will be generated -# if it is set to a value greater than ten. +# A warning message will be generated if it is set to a too-high +# value and the configured value will be over-ridden. # -# Note: This is in addition to the request re-forwarding which -# takes place if Squid fails to get a satisfying response. +# Note: These re-tries are in addition to forward_max_tries +# which limit how many different addresses may be tried to find +# a useful server. #Default: -# maximum_single_addr_tries 1 +# Do not retry failed connections. # TAG: retry_on_error # If set to ON Squid will automatically retry requests when @@ -5678,20 +7828,32 @@ refresh_pattern . 0 20% 4320 # URI. Options: # # strip: The whitespace characters are stripped out of the URL. -# This is the behavior recommended by RFC2396. +# This is the behavior recommended by RFC2396 and RFC3986 +# for tolerant handling of generic URI. +# NOTE: This is one difference between generic URI and HTTP URLs. +# # deny: The request is denied. The user receives an "Invalid # Request" message. +# This is the behaviour recommended by RFC2616 for safe +# handling of HTTP request URL. +# # allow: The request is allowed and the URI is not changed. The # whitespace characters remain in the URI. Note the # whitespace is passed to redirector processes if they # are in use. +# Note this may be considered a violation of RFC2616 +# request parsing where whitespace is prohibited in the +# URL field. +# # encode: The request is allowed and the whitespace characters are -# encoded according to RFC1738. This could be considered -# a violation of the HTTP/1.1 -# RFC because proxies are not allowed to rewrite URI's. +# encoded according to RFC1738. +# # chop: The request is allowed and the URI is chopped at the -# first whitespace. This might also be considered a -# violation. +# first whitespace. +# +# +# NOTE the current Squid implementation of encode and chop violates +# RFC2616 by not using a 301 redirect after altering the URL. #Default: # uri_whitespace strip @@ -5718,23 +7880,28 @@ refresh_pattern . 0 20% 4320 # balance_on_multiple_ip off # TAG: pipeline_prefetch -# To boost the performance of pipelined requests to closer -# match that of a non-proxied environment Squid can try to fetch -# up to two requests in parallel from a pipeline. -# -# Defaults to off for bandwidth management and access logging +# HTTP clients may send a pipeline of 1+N requests to Squid using a +# single connection, without waiting for Squid to respond to the first +# of those requests. This option limits the number of concurrent +# requests Squid will try to handle in parallel. If set to N, Squid +# will try to receive and process up to 1+N requests on the same +# connection concurrently. +# +# Defaults to 0 (off) for bandwidth management and access logging # reasons. # +# NOTE: pipelining requires persistent connections to clients. +# # WARNING: pipelining breaks NTLM and Negotiate/Kerberos authentication. #Default: -# pipeline_prefetch off +# Do not pre-parse pipelined requests. # TAG: high_response_time_warning (msec) # If the one-minute median response time exceeds this value, # Squid prints a WARNING with debug level 0 to get the # administrators attention. The value is in milliseconds. #Default: -# high_response_time_warning 0 +# disabled. # TAG: high_page_fault_warning # If the one-minute average page fault rate exceeds this @@ -5742,14 +7909,17 @@ refresh_pattern . 0 20% 4320 # the administrators attention. The value is in page faults # per second. #Default: -# high_page_fault_warning 0 +# disabled. # TAG: high_memory_warning -# If the memory usage (as determined by mallinfo) exceeds -# this amount, Squid prints a WARNING with debug level 0 to get +# Note: This option is only available if Squid is rebuilt with the +# GNU Malloc with mstats() +# +# If the memory usage (as determined by gnumalloc, if available and used) +# exceeds this amount, Squid prints a WARNING with debug level 0 to get # the administrators attention. #Default: -# high_memory_warning 0 KB +# disabled. # TAG: sleep_after_fork (microseconds) # When this is set to a non-zero value, the main Squid process @@ -5766,6 +7936,9 @@ refresh_pattern . 0 20% 4320 # sleep_after_fork 0 # TAG: windows_ipaddrchangemonitor on|off +# Note: This option is only available if Squid is rebuilt with the +# MS Windows +# # On Windows Squid by default will monitor IP address changes and will # reconfigure itself after any detected event. This is very useful for # proxies connected to internet with dial-up interfaces. @@ -5775,13 +7948,19 @@ refresh_pattern . 0 20% 4320 #Default: # windows_ipaddrchangemonitor on +# TAG: eui_lookup +# Whether to lookup the EUI or MAC address of a connected client. +#Default: +# eui_lookup on + # TAG: max_filedescriptors -# The maximum number of filedescriptors supported. +# Reduce the maximum number of filedescriptors supported below +# the usual operating system defaults. # -# The default "0" means Squid inherits the current ulimit setting. +# Remove from squid.conf to inherit the current ulimit setting. # # Note: Changing this requires a restart of Squid. Also -# not all comm loops supports large values. +# not all I/O types supports large values (eg on Windows). #Default: -# max_filedescriptors 0 +# Use operating system limits set by ulimit. diff --git a/hosts/codethink-sled12-arm64/etc/squid/squid.conf b/hosts/codethink-sled12-arm64/etc/squid/squid.conf index 34be0ec5..ad1cdc47 100644 --- a/hosts/codethink-sled12-arm64/etc/squid/squid.conf +++ b/hosts/codethink-sled12-arm64/etc/squid/squid.conf @@ -1,4 +1,4 @@ -# WELCOME TO SQUID 3.1.20 +# WELCOME TO SQUID 3.5.23 # ---------------------------- # # This is the documentation for the Squid configuration file. @@ -32,6 +32,188 @@ # This arbitrary restriction is to prevent recursive include references # from causing Squid entering an infinite loop whilst trying to load # configuration files. +# +# Values with byte units +# +# Squid accepts size units on some size related directives. All +# such directives are documented with a default value displaying +# a unit. +# +# Units accepted by Squid are: +# bytes - byte +# KB - Kilobyte (1024 bytes) +# MB - Megabyte +# GB - Gigabyte +# +# Values with spaces, quotes, and other special characters +# +# Squid supports directive parameters with spaces, quotes, and other +# special characters. Surround such parameters with "double quotes". Use +# the configuration_includes_quoted_values directive to enable or +# disable that support. +# +# Squid supports reading configuration option parameters from external +# files using the syntax: +# parameters("/path/filename") +# For example: +# acl whitelist dstdomain parameters("/etc/squid/whitelist.txt") +# +# Conditional configuration +# +# If-statements can be used to make configuration directives +# depend on conditions: +# +# if +# ... regular configuration directives ... +# [else +# ... regular configuration directives ...] +# endif +# +# The else part is optional. The keywords "if", "else", and "endif" +# must be typed on their own lines, as if they were regular +# configuration directives. +# +# NOTE: An else-if condition is not supported. +# +# These individual conditions types are supported: +# +# true +# Always evaluates to true. +# false +# Always evaluates to false. +# = +# Equality comparison of two integer numbers. +# +# +# SMP-Related Macros +# +# The following SMP-related preprocessor macros can be used. +# +# ${process_name} expands to the current Squid process "name" +# (e.g., squid1, squid2, or cache1). +# +# ${process_number} expands to the current Squid process +# identifier, which is an integer number (e.g., 1, 2, 3) unique +# across all Squid processes of the current service instance. +# +# ${service_name} expands into the current Squid service instance +# name identifier which is provided by -n on the command line. +# + +# TAG: broken_vary_encoding +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: cache_vary +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: error_map +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: external_refresh_check +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: location_rewrite_program +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: refresh_stale_hit +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: hierarchy_stoplist +# Remove this line. Use always_direct or cache_peer_access ACLs instead if you need to prevent cache_peer use. +#Default: +# none + +# TAG: log_access +# Remove this line. Use acls with access_log directives to control access logging +#Default: +# none + +# TAG: log_icap +# Remove this line. Use acls with icap_log directives to control icap logging +#Default: +# none + +# TAG: ignore_ims_on_miss +# Remove this line. The HTTP/1.1 feature is now configured by 'cache_miss_revalidate'. +#Default: +# none + +# TAG: chunked_request_body_max_size +# Remove this line. Squid is now HTTP/1.1 compliant. +#Default: +# none + +# TAG: dns_v4_fallback +# Remove this line. Squid performs a 'Happy Eyeballs' algorithm, the 'fallback' algorithm is no longer relevant. +#Default: +# none + +# TAG: emulate_httpd_log +# Replace this with an access_log directive using the format 'common' or 'combined'. +#Default: +# none + +# TAG: forward_log +# Use a regular access.log with ACL limiting it to MISS events. +#Default: +# none + +# TAG: ftp_list_width +# Remove this line. Configure FTP page display using the CSS controls in errorpages.css instead. +#Default: +# none + +# TAG: ignore_expect_100 +# Remove this line. The HTTP/1.1 feature is now fully supported by default. +#Default: +# none + +# TAG: log_fqdn +# Remove this option from your config. To log FQDN use %>A in the log format. +#Default: +# none + +# TAG: log_ip_on_direct +# Remove this option from your config. To log server or peer names use % -##auth_param negotiate children 5 +##auth_param negotiate children 20 startup=0 idle=1 ##auth_param negotiate keep_alive on ## -##auth_param ntlm program -##auth_param ntlm children 5 -##auth_param ntlm keep_alive on -## -##auth_param digest program -##auth_param digest children 5 +##auth_param digest program +##auth_param digest children 20 startup=0 idle=1 ##auth_param digest realm Squid proxy-caching web server ##auth_param digest nonce_garbage_interval 5 minutes ##auth_param digest nonce_max_duration 30 minutes ##auth_param digest nonce_max_count 50 ## +##auth_param ntlm program +##auth_param ntlm children 20 startup=0 idle=1 +##auth_param ntlm keep_alive on +## ##auth_param basic program -##auth_param basic children 5 +##auth_param basic children 5 startup=5 idle=1 ##auth_param basic realm Squid proxy-caching web server ##auth_param basic credentialsttl 2 hours #Default: @@ -343,7 +448,7 @@ # TAG: authenticate_cache_garbage_interval # The time period between garbage collection across the username cache. -# This is a tradeoff between memory utilization (long intervals - say +# This is a trade-off between memory utilization (long intervals - say # 2 days) and CPU (short intervals - say 1 minute). Only change if you # have good reason to. #Default: @@ -362,11 +467,11 @@ # this directive controls how long Squid remembers the IP # addresses associated with each user. Use a small value # (e.g., 60 seconds) if your users might change addresses -# quickly, as is the case with dialups. You might be safe +# quickly, as is the case with dialup. You might be safe # using a larger value (e.g., 2 hours) in a corporate LAN # environment with relatively static address assignments. #Default: -# authenticate_ip_ttl 0 seconds +# authenticate_ip_ttl 1 second # ACCESS CONTROLS # ----------------------------------------------------------------------------- @@ -381,31 +486,66 @@ # # ttl=n TTL in seconds for cached results (defaults to 3600 # for 1 hour) +# # negative_ttl=n # TTL for cached negative lookups (default same # as ttl) -# children=n Number of acl helper processes spawn to service +# +# grace=n Percentage remaining of TTL where a refresh of a +# cached entry should be initiated without needing to +# wait for a new reply. (default is for no grace period) +# +# cache=n The maximum number of entries in the result cache. The +# default limit is 262144 entries. Each cache entry usually +# consumes at least 256 bytes. Squid currently does not remove +# expired cache entries until the limit is reached, so a proxy +# will sooner or later reach the limit. The expanded FORMAT +# value is used as the cache key, so if the details in FORMAT +# are highly variable, a larger cache may be needed to produce +# reduction in helper load. +# +# children-max=n +# Maximum number of acl helper processes spawned to service # external acl lookups of this type. (default 5) +# +# children-startup=n +# Minimum number of acl helper processes to spawn during +# startup and reconfigure to service external acl lookups +# of this type. (default 0) +# +# children-idle=n +# Number of acl helper processes to keep ahead of traffic +# loads. Squid will spawn this many at once whenever load +# rises above the capabilities of existing processes. +# Up to the value of children-max. (default 1) +# # concurrency=n concurrency level per process. Only used with helpers # capable of processing more than one query at a time. -# cache=n result cache size, 0 is unbounded (default) -# grace=n Percentage remaining of TTL where a refresh of a -# cached entry should be initiated without needing to -# wait for a new reply. (default 0 for no grace period) -# protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers +# +# protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers. +# # ipv4 / ipv6 IP protocol used to communicate with this helper. # The default is to auto-detect IPv6 and use it when available. # +# # FORMAT specifications # # %LOGIN Authenticated user login name -# %EXT_USER Username from external acl +# %un A user name. Expands to the first available name +# from the following list of information sources: +# - authenticated user name, like %ul or %LOGIN +# - user name sent by an external ACL, like %EXT_USER +# - SSL client name, like %us in logformat +# - ident user name, like %ui in logformat +# %EXT_USER Username from previous external acl +# %EXT_LOG Log details from previous external acl +# %EXT_TAG Tag from previous external acl # %IDENT Ident user name # %SRC Client IP # %SRCPORT Client source port # %URI Requested URI # %DST Requested host -# %PROTO Requested protocol +# %PROTO Requested URL scheme # %PORT Requested port # %PATH Requested URL path # %METHOD Request method @@ -415,7 +555,10 @@ # %USER_CERT SSL User certificate in PEM format # %USER_CERTCHAIN SSL User certificate chain in PEM format # %USER_CERT_xx SSL User certificate subject attribute xx -# %USER_CA_xx SSL User certificate issuer attribute xx +# %USER_CA_CERT_xx SSL User certificate issuer attribute xx +# %ssl::>sni SSL client SNI sent to Squid +# %ssl::{Header} HTTP request header "Header" # %>{Hdr:member} @@ -433,43 +576,101 @@ # list separator. ; can be any non-alphanumeric # character. # +# %ACL The name of the ACL being tested. +# %DATA The ACL arguments. If not used then any arguments +# is automatically added at the end of the line +# sent to the helper. +# NOTE: this will encode the arguments as one token, +# whereas the default will pass each separately. +# # %% The percent sign. Useful for helpers which need # an unchanging input format. # -# In addition to the above, any string specified in the referencing -# acl will also be included in the helper request line, after the -# specified formats (see the "acl external" directive) # -# The helper receives lines per the above format specification, -# and returns lines starting with OK or ERR indicating the validity -# of the request and optionally followed by additional keywords with -# more details. +# General request syntax: +# +# [channel-ID] FORMAT-values [acl-values ...] +# +# +# FORMAT-values consists of transaction details expanded with +# whitespace separation per the config file FORMAT specification +# using the FORMAT macros listed above. +# +# acl-values consists of any string specified in the referencing +# config 'acl ... external' line. see the "acl external" directive. +# +# Request values sent to the helper are URL escaped to protect +# each value in requests against whitespaces. +# +# If using protocol=2.5 then the request sent to the helper is not +# URL escaped to protect against whitespace. +# +# NOTE: protocol=3.0 is deprecated as no longer necessary. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# +# The helper receives lines expanded per the above format specification +# and for each input line returns 1 line starting with OK/ERR/BH result +# code and optionally followed by additional keywords with more details. +# # # General result syntax: # -# OK/ERR keyword=value ... +# [channel-ID] result keyword=value ... +# +# Result consists of one of the codes: +# +# OK +# the ACL test produced a match. +# +# ERR +# the ACL test does not produce a match. +# +# BH +# An internal error occurred in the helper, preventing +# a result being identified. +# +# The meaning of 'a match' is determined by your squid.conf +# access control configuration. See the Squid wiki for details. # # Defined keywords: # # user= The users name (login) +# # password= The users password (for login= cache_peer option) -# message= Message describing the reason. Available as %o -# in error pages -# tag= Apply a tag to a request (for both ERR and OK results) -# Only sets a tag, does not alter existing tags. +# +# message= Message describing the reason for this response. +# Available as %o in error pages. +# Useful on (ERR and BH results). +# +# tag= Apply a tag to a request. Only sets a tag once, +# does not alter existing tags. +# # log= String to be logged in access.log. Available as -# %ea in logformat specifications +# %ea in logformat specifications. # -# If protocol=3.0 (the default) then URL escaping is used to protect -# each value in both requests and responses. +# clt_conn_tag= Associates a TAG with the client TCP connection. +# Please see url_rewrite_program related documentation +# for this kv-pair. # -# If using protocol=2.5 then all values need to be enclosed in quotes -# if they may contain whitespace, or the whitespace escaped using \. -# And quotes or \ characters within the keyword value must be \ escaped. +# Any keywords may be sent on any response whether OK, ERR or BH. # -# When using the concurrency= option the protocol is changed by -# introducing a query channel tag infront of the request/response. -# The query channel tag is a number between 0 and concurrency-1. +# All response keyword values need to be a single token with URL +# escaping, or enclosed in double quotes (") and escaped using \ on +# any double quotes or \ characters within the value. The wrapping +# double quotes are removed before the value is interpreted by Squid. +# \r and \n are also replace by CR and LF. +# +# Some example key values: +# +# user=John%20Smith +# user="John Smith" +# user="J. \"Bob\" Smith" #Default: # none @@ -485,9 +686,23 @@ # # When using "file", the file should contain one item per line. # -# By default, regular expressions are CASE-SENSITIVE. -# To make them case-insensitive, use the -i option. To return case-sensitive -# use the +i option between patterns, or make a new ACL line without -i. +# Some acl types supports options which changes their default behaviour. +# The available options are: +# +# -i,+i By default, regular expressions are CASE-SENSITIVE. To make them +# case-insensitive, use the -i option. To return case-sensitive +# use the +i option between patterns, or make a new ACL line +# without -i. +# +# -n Disable lookups and address type conversions. If lookup or +# conversion is required because the parameter type (IP or +# domain name) does not match the message address type (domain +# name or IP), then the ACL would immediately declare a mismatch +# without any warnings or lookups. +# +# -- Used to stop processing all options, in the case the first acl +# value has '-' character as first character (for example the '-' +# is a valid domain name) # # Some acl types require suspending the current request in order # to access some external data source. @@ -498,29 +713,31 @@ # # ***** ACL TYPES AVAILABLE ***** # -# acl aclname src ip-address/netmask ... # clients IP address [fast] -# acl aclname src addr1-addr2/netmask ... # range of addresses [fast] -# acl aclname dst ip-address/netmask ... # URL host's IP address [slow] -# acl aclname myip ip-address/netmask ... # local socket IP address [fast] +# acl aclname src ip-address/mask ... # clients IP address [fast] +# acl aclname src addr1-addr2/mask ... # range of addresses [fast] +# acl aclname dst [-n] ip-address/mask ... # URL host's IP address [slow] +# acl aclname localip ip-address/mask ... # IP address the client connected to [fast] # # acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation) -# # The arp ACL requires the special configure option --enable-arp-acl. -# # Furthermore, the ARP ACL code is not portable to all operating systems. -# # It works on Linux, Solaris, Windows, FreeBSD, and some -# # other *BSD variants. # # [fast] +# # The 'arp' ACL code is not portable to all operating systems. +# # It works on Linux, Solaris, Windows, FreeBSD, and some other +# # BSD variants. +# # +# # NOTE: Squid can only determine the MAC/EUI address for IPv4 +# # clients that are on the same subnet. If the client is on a +# # different subnet, then Squid cannot find out its address. # # -# # NOTE: Squid can only determine the MAC address for clients that are on -# # the same subnet. If the client is on a different subnet, -# # then Squid cannot find out its MAC address. +# # NOTE 2: IPv6 protocol does not contain ARP. MAC/EUI is either +# # encoded directly in the IPv6 address or not available. # # acl aclname srcdomain .foo.com ... # # reverse lookup, from client IP [slow] -# acl aclname dstdomain .foo.com ... +# acl aclname dstdomain [-n] .foo.com ... # # Destination server from URL [fast] # acl aclname srcdom_regex [-i] \.foo\.com ... # # regex matching client name [slow] -# acl aclname dstdom_regex [-i] \.foo\.com ... +# acl aclname dstdom_regex [-n] [-i] \.foo\.com ... # # regex matching server [fast] # # # # For dstdomain and dstdom_regex a reverse lookup is tried if a IP @@ -557,13 +774,17 @@ # # acl aclname url_regex [-i] ^http:// ... # # regex matching on whole URL [fast] +# acl aclname urllogin [-i] [^a-zA-Z0-9] ... +# # regex matching on URL login field # acl aclname urlpath_regex [-i] \.gif$ ... # # regex matching on URL path [fast] # # acl aclname port 80 70 21 0-1024... # destination TCP port [fast] # # ranges are alloed -# acl aclname myport 3128 ... # local socket TCP port [fast] -# acl aclname myportname 3128 ... # http(s)_port name [fast] +# acl aclname localport 3128 ... # TCP port the client connected to [fast] +# # NP: for interception mode this is usually '80' +# +# acl aclname myportname 3128 ... # *_port name [fast] # # acl aclname proto HTTP FTP ... # request protocol [fast] # @@ -632,6 +853,11 @@ # # clients may appear to come from multiple addresses if they are # # going through proxy farms, so a limit of 1 may cause user problems. # +# acl aclname random probability +# # Pseudo-randomly match requests. Based on the probability given. +# # Probability may be written as a decimal (0.333), fraction (1/3) +# # or ratio of matches:non-matches (3:5). +# # acl aclname req_mime_type [-i] mime-type ... # # regex match against the mime type of the request generated # # by the client. Can be used to detect file upload or some @@ -663,11 +889,11 @@ # # acl aclname user_cert attribute values... # # match against attributes in a user SSL certificate -# # attribute is one of DN/C/O/CN/L/ST [fast] +# # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast] # # acl aclname ca_cert attribute values... # # match against attributes a users issuing CA SSL certificate -# # attribute is one of DN/C/O/CN/L/ST [fast] +# # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast] # # acl aclname ext_user username ... # acl aclname ext_user_regex [-i] pattern ... @@ -675,7 +901,59 @@ # # use REQUIRED to accept any non-null user name. # # acl aclname tag tagvalue ... -# # string match on tag returned by external acl helper [slow] +# # string match on tag returned by external acl helper [fast] +# # DEPRECATED. Only the first tag will match with this ACL. +# # Use the 'note' ACL instead for handling multiple tag values. +# +# acl aclname hier_code codename ... +# # string match against squid hierarchy code(s); [fast] +# # e.g., DIRECT, PARENT_HIT, NONE, etc. +# # +# # NOTE: This has no effect in http_access rules. It only has +# # effect in rules that affect the reply data stream such as +# # http_reply_access. +# +# acl aclname note name [value ...] +# # match transaction annotation [fast] +# # Without values, matches any annotation with a given name. +# # With value(s), matches any annotation with a given name that +# # also has one of the given values. +# # Names and values are compared using a string equality test. +# # Annotation sources include note and adaptation_meta directives +# # as well as helper and eCAP responses. +# +# acl aclname adaptation_service service ... +# # Matches the name of any icap_service, ecap_service, +# # adaptation_service_set, or adaptation_service_chain that Squid +# # has used (or attempted to use) for the master transaction. +# # This ACL must be defined after the corresponding adaptation +# # service is named in squid.conf. This ACL is usable with +# # adaptation_meta because it starts matching immediately after +# # the service has been selected for adaptation. +# +# acl aclname any-of acl1 acl2 ... +# # match any one of the acls [fast or slow] +# # The first matching ACL stops further ACL evaluation. +# # +# # ACLs from multiple any-of lines with the same name are ORed. +# # For example, A = (a1 or a2) or (a3 or a4) can be written as +# # acl A any-of a1 a2 +# # acl A any-of a3 a4 +# # +# # This group ACL is fast if all evaluated ACLs in the group are fast +# # and slow otherwise. +# +# acl aclname all-of acl1 acl2 ... +# # match all of the acls [fast or slow] +# # The first mismatching ACL stops further ACL evaluation. +# # +# # ACLs from multiple all-of lines with the same name are ORed. +# # For example, B = (b1 and b2) or (b3 and b4) can be written as +# # acl B all-of b1 b2 +# # acl B all-of b3 b4 +# # +# # This group ACL is fast if all evaluated ACLs in the group are fast +# # and slow otherwise. # # Examples: # acl macaddress arp 09:00:2b:23:45:67 @@ -685,14 +963,11 @@ # acl javascript rep_mime_type -i ^application/x-javascript$ # #Default: -# acl all src all +# ACLs all, manager, localhost, and to_localhost are predefined. # # # Recommended minimum configuration: -# (now built-in) -#acl manager proto cache_object -#acl localhost src 127.0.0.1/32 ::1 -#acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1 +# # Example rule allowing access from your local networks. # Adapt to list your (internal) IP networks from where browsing @@ -716,39 +991,83 @@ acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT +# TAG: proxy_protocol_access +# Determine which client proxies can be trusted to provide correct +# information regarding real client IP address using PROXY protocol. +# +# Requests may pass through a chain of several other proxies +# before reaching us. The original source details may by sent in: +# * HTTP message Forwarded header, or +# * HTTP message X-Forwarded-For header, or +# * PROXY protocol connection header. +# +# This directive is solely for validating new PROXY protocol +# connections received from a port flagged with require-proxy-header. +# It is checked only once after TCP connection setup. +# +# A deny match results in TCP connection closure. +# +# An allow match is required for Squid to permit the corresponding +# TCP connection, before Squid even looks for HTTP request headers. +# If there is an allow match, Squid starts using PROXY header information +# to determine the source address of the connection for all future ACL +# checks, logging, etc. +# +# SECURITY CONSIDERATIONS: +# +# Any host from which we accept client IP details can place +# incorrect information in the relevant header, and Squid +# will use the incorrect information as if it were the +# source address of the request. This may enable remote +# hosts to bypass any access control restrictions that are +# based on the client's source addresses. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# all TCP connections to ports with require-proxy-header will be denied + # TAG: follow_x_forwarded_for -# Allowing or Denying the X-Forwarded-For header to be followed to -# find the original source of a request. +# Determine which client proxies can be trusted to provide correct +# information regarding real client IP address. # # Requests may pass through a chain of several other proxies -# before reaching us. The X-Forwarded-For header will contain a -# comma-separated list of the IP addresses in the chain, with the -# rightmost address being the most recent. +# before reaching us. The original source details may by sent in: +# * HTTP message Forwarded header, or +# * HTTP message X-Forwarded-For header, or +# * PROXY protocol connection header. +# +# PROXY protocol connections are controlled by the proxy_protocol_access +# directive which is checked before this. # # If a request reaches us from a source that is allowed by this -# configuration item, then we consult the X-Forwarded-For header -# to see where that host received the request from. If the -# X-Forwarded-For header contains multiple addresses, we continue -# backtracking until we reach an address for which we are not allowed -# to follow the X-Forwarded-For header, or until we reach the first -# address in the list. For the purpose of ACL used in the -# follow_x_forwarded_for directive the src ACL type always matches -# the address we are testing and srcdomain matches its rDNS. +# directive, then we trust the information it provides regarding +# the IP of the client it received from (if any). +# +# For the purpose of ACLs used in this directive the src ACL type always +# matches the address we are testing and srcdomain matches its rDNS. +# +# On each HTTP request Squid checks for X-Forwarded-For header fields. +# If found the header values are iterated in reverse order and an allow +# match is required for Squid to continue on to the next value. +# The verification ends when a value receives a deny match, cannot be +# tested, or there are no more values to test. +# NOTE: Squid does not yet follow the Forwarded HTTP header. # # The end result of this process is an IP address that we will # refer to as the indirect client address. This address may # be treated as the client address for access control, ICAP, delay # pools and logging, depending on the acl_uses_indirect_client, -# icap_uses_indirect_client, delay_pool_uses_indirect_client and -# log_uses_indirect_client options. +# icap_uses_indirect_client, delay_pool_uses_indirect_client, +# log_uses_indirect_client and tproxy_uses_indirect_client options. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # # SECURITY CONSIDERATIONS: # -# Any host for which we follow the X-Forwarded-For header -# can place incorrect information in the header, and Squid +# Any host from which we accept client IP details can place +# incorrect information in the relevant header, and Squid # will use the incorrect information as if it were the # source address of the request. This may enable remote # hosts to bypass any access control restrictions that are @@ -761,7 +1080,7 @@ acl CONNECT method CONNECT # follow_x_forwarded_for allow localhost # follow_x_forwarded_for allow my_other_proxy #Default: -# follow_x_forwarded_for deny all +# X-Forwarded-For header will be ignored. # TAG: acl_uses_indirect_client on|off # Controls whether the indirect client address @@ -787,10 +1106,41 @@ acl CONNECT method CONNECT #Default: # log_uses_indirect_client on +# TAG: tproxy_uses_indirect_client on|off +# Controls whether the indirect client address +# (see follow_x_forwarded_for) is used instead of the +# direct client address when spoofing the outgoing client. +# +# This has no effect on requests arriving in non-tproxy +# mode ports. +# +# SECURITY WARNING: Usage of this option is dangerous +# and should not be used trivially. Correct configuration +# of follow_x_forwarded_for with a limited set of trusted +# sources is required to prevent abuse of your proxy. +#Default: +# tproxy_uses_indirect_client off + +# TAG: spoof_client_ip +# Control client IP address spoofing of TPROXY traffic based on +# defined access lists. +# +# spoof_client_ip allow|deny [!]aclname ... +# +# If there are no "spoof_client_ip" lines present, the default +# is to "allow" spoofing of any suitable request. +# +# Note that the cache_peer "no-tproxy" option overrides this ACL. +# +# This clause supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Allow spoofing on all TPROXY traffic. + # TAG: http_access # Allowing or Denying access based on defined access lists # -# Access to the HTTP port: +# To allow or deny a message received on an HTTP, HTTPS, or FTP port: # http_access allow|deny [!]aclname ... # # NOTE on default values: @@ -809,22 +1159,22 @@ acl CONNECT method CONNECT # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # #Default: -# http_access deny all +# Deny, unless rules exist in squid.conf. # # # Recommended minimum Access Permission configuration: # -# Only allow cachemgr access from localhost -http_access allow manager localhost -http_access deny manager - # Deny requests to certain unsafe ports http_access deny !Safe_ports # Deny CONNECT to other than secure SSL ports http_access deny CONNECT !SSL_ports +# Only allow cachemgr access from localhost +http_access allow localhost manager +http_access deny manager + # We strongly recommend the following be uncommented to protect innocent # web applications running on the proxy server who think the only # one who can access services on "localhost" is a local user @@ -852,7 +1202,7 @@ http_access deny all # # If not set then only http_access is used. #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: http_reply_access # Allow replies to client requests. This is complementary to http_access. @@ -860,7 +1210,7 @@ http_access deny all # http_reply_access allow|deny [!] aclname ... # # NOTE: if there are no access lines present, the default is to allow -# all replies +# all replies. # # If none of the access lines cause a match the opposite of the # last line will apply. Thus it is good practice to end the rules @@ -869,7 +1219,7 @@ http_access deny all # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: icp_access # Allowing or Denying access to the ICP port based on defined @@ -877,7 +1227,9 @@ http_access deny all # # icp_access allow|deny [!]aclname ... # -# See http_access for details +# NOTE: The default if no icp_access lines are present is to +# deny all traffic. This default may cause problems with peers +# using ICP. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. @@ -886,7 +1238,7 @@ http_access deny all ##icp_access allow localnet ##icp_access deny all #Default: -# icp_access deny all +# Deny, unless rules exist in squid.conf. # TAG: htcp_access # Allowing or Denying access to the HTCP port based on defined @@ -894,11 +1246,12 @@ http_access deny all # # htcp_access allow|deny [!]aclname ... # -# See http_access for details +# See also htcp_clr_access for details on access control for +# cache purge (CLR) HTCP messages. # # NOTE: The default if no htcp_access lines are present is to # deny all traffic. This default may cause problems with peers -# using the htcp or htcp-oldsquid options. +# using the htcp option. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. @@ -907,48 +1260,47 @@ http_access deny all ##htcp_access allow localnet ##htcp_access deny all #Default: -# htcp_access deny all +# Deny, unless rules exist in squid.conf. # TAG: htcp_clr_access # Allowing or Denying access to purge content using HTCP based -# on defined access lists +# on defined access lists. +# See htcp_access for details on general HTCP access control. # # htcp_clr_access allow|deny [!]aclname ... # -# See http_access for details -# # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # ## Allow HTCP CLR requests from trusted peers -#acl htcp_clr_peer src 172.16.1.2 +#acl htcp_clr_peer src 192.0.2.2 2001:DB8::2 #htcp_clr_access allow htcp_clr_peer +#htcp_clr_access deny all #Default: -# htcp_clr_access deny all +# Deny, unless rules exist in squid.conf. # TAG: miss_access -# Determins whether network access is permitted when satisfying a request. +# Determines whether network access is permitted when satisfying a request. # # For example; # to force your neighbors to use you as a sibling instead of # a parent. # -# acl localclients src 172.16.0.0/16 -# miss_access allow localclients +# acl localclients src 192.0.2.0/24 2001:DB8::a:0/64 # miss_access deny !localclients +# miss_access allow all # # This means only your local clients are allowed to fetch relayed/MISS # replies from the network and all other clients can only fetch cached # objects (HITs). # -# # The default for this setting allows all clients who passed the # http_access rules to relay via this proxy. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# miss_access allow all +# Allow, unless rules exist in squid.conf. # TAG: ident_lookup_access # A list of ACL elements which, if matched, cause an ident @@ -972,7 +1324,7 @@ http_access deny all # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# ident_lookup_access deny all +# Unless rules exist in squid.conf, IDENT is not fetched. # TAG: reply_body_max_size size [acl acl...] # This option specifies the maximum size of a reply body. It can be @@ -1009,23 +1361,22 @@ http_access deny all # reply_body_max_size 10 MB # #Default: -# none +# No limit is applied. # NETWORK OPTIONS # ----------------------------------------------------------------------------- # TAG: http_port -# Usage: port [options] -# hostname:port [options] -# 1.2.3.4:port [options] +# Usage: port [mode] [options] +# hostname:port [mode] [options] +# 1.2.3.4:port [mode] [options] # # The socket addresses where Squid will listen for HTTP client # requests. You may specify multiple socket addresses. # There are three forms: port alone, hostname with port, and # IP address with port. If you specify a hostname or IP # address, Squid binds the socket to that specific -# address. This replaces the old 'tcp_incoming_address' -# option. Most likely, you do not need to bind to a specific +# address. Most likely, you do not need to bind to a specific # address, so you can use the port number alone. # # If you are running Squid in accelerator mode, you @@ -1037,48 +1388,184 @@ http_access deny all # # You may specify multiple socket addresses on multiple lines. # -# Options: +# Modes: # -# intercept Support for IP-Layer interception of -# outgoing requests without browser settings. -# NP: disables authentication and IPv6 on the port. +# intercept Support for IP-Layer NAT interception delivering +# traffic to this Squid port. +# NP: disables authentication on the port. # -# tproxy Support Linux TPROXY for spoofing outgoing -# connections using the client IP address. -# NP: disables authentication and maybe IPv6 on the port. +# tproxy Support Linux TPROXY (or BSD divert-to) with spoofing +# of outgoing connections using the client IP address. +# NP: disables authentication on the port. # -# accel Accelerator mode. Also needs at least one of -# vhost / vport / defaultsite. +# accel Accelerator / reverse proxy mode # -# allow-direct Allow direct forwarding in accelerator mode. Normally -# accelerated requests are denied direct forwarding as if -# never_direct was used. +# ssl-bump For each CONNECT request allowed by ssl_bump ACLs, +# establish secure connection with the client and with +# the server, decrypt HTTPS messages as they pass through +# Squid, and treat them as unencrypted HTTP messages, +# becoming the man-in-the-middle. # -# defaultsite=domainname -# What to use for the Host: header if it is not present -# in a request. Determines what site (not origin server) -# accelerators should consider the default. -# Implies accel. +# The ssl_bump option is required to fully enable +# bumping of CONNECT requests. +# +# Omitting the mode flag causes default forward proxy mode to be used. +# +# +# Accelerator Mode Options: +# +# defaultsite=domainname +# What to use for the Host: header if it is not present +# in a request. Determines what site (not origin server) +# accelerators should consider the default. # -# vhost Accelerator mode using Host header for virtual domain support. -# Also uses the port as specified in Host: header unless -# overridden by the vport option. Implies accel. +# no-vhost Disable using HTTP/1.1 Host header for virtual domain support. +# +# protocol= Protocol to reconstruct accelerated and intercepted +# requests with. Defaults to HTTP/1.1 for http_port and +# HTTPS/1.1 for https_port. +# When an unsupported value is configured Squid will +# produce a FATAL error. +# Values: HTTP or HTTP/1.1, HTTPS or HTTPS/1.1 # # vport Virtual host port support. Using the http_port number -# instead of the port passed on Host: headers. Implies accel. +# instead of the port passed on Host: headers. # # vport=NN Virtual host port support. Using the specified port # number instead of the port passed on Host: headers. -# Implies accel. # -# protocol= Protocol to reconstruct accelerated requests with. -# Defaults to http. +# act-as-origin +# Act as if this Squid is the origin server. +# This currently means generate new Date: and Expires: +# headers on HIT instead of adding Age:. # # ignore-cc Ignore request Cache-Control headers. # -# Warning: This option violates HTTP specifications if +# WARNING: This option violates HTTP specifications if # used in non-accelerator setups. # +# allow-direct Allow direct forwarding in accelerator mode. Normally +# accelerated requests are denied direct forwarding as if +# never_direct was used. +# +# WARNING: this option opens accelerator mode to security +# vulnerabilities usually only affecting in interception +# mode. Make sure to protect forwarding with suitable +# http_access rules when using this. +# +# +# SSL Bump Mode Options: +# In addition to these options ssl-bump requires TLS/SSL options. +# +# generate-host-certificates[=] +# Dynamically create SSL server certificates for the +# destination hosts of bumped CONNECT requests.When +# enabled, the cert and key options are used to sign +# generated certificates. Otherwise generated +# certificate will be selfsigned. +# If there is a CA certificate lifetime of the generated +# certificate equals lifetime of the CA certificate. If +# generated certificate is selfsigned lifetime is three +# years. +# This option is disabled by default. See the ssl-bump +# option above for more information. +# +# dynamic_cert_mem_cache_size=SIZE +# Approximate total RAM size spent on cached generated +# certificates. If set to zero, caching is disabled. +# +# TLS / SSL Options: +# +# cert= Path to SSL certificate (PEM format). +# +# key= Path to SSL private key file (PEM format) +# if not specified, the certificate file is +# assumed to be a combined certificate and +# key file. +# +# version= The version of SSL/TLS supported +# 1 automatic (default) +# 2 SSLv2 only +# 3 SSLv3 only +# 4 TLSv1.0 only +# 5 TLSv1.1 only +# 6 TLSv1.2 only +# +# cipher= Colon separated list of supported ciphers. +# NOTE: some ciphers such as EDH ciphers depend on +# additional settings. If those settings are +# omitted the ciphers may be silently ignored +# by the OpenSSL library. +# +# options= Various SSL implementation options. The most important +# being: +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# SINGLE_DH_USE Always create a new key when using +# temporary/ephemeral DH key exchanges +# NO_TICKET Disables TLS tickets extension +# +# SINGLE_ECDH_USE +# Enable ephemeral ECDH key exchange. +# The adopted curve should be specified +# using the tls-dh option. +# +# ALL Enable various bug workarounds +# suggested as "harmless" by OpenSSL +# Be warned that this reduces SSL/TLS +# strength to some attacks. +# See OpenSSL SSL_CTX_set_options documentation for a +# complete list of options. +# +# clientca= File containing the list of CAs to use when +# requesting a client certificate. +# +# cafile= File containing additional CA certificates to +# use when verifying client certificates. If unset +# clientca will be used. +# +# capath= Directory containing additional CA certificates +# and CRL lists to use when verifying client certificates. +# +# crlfile= File of additional CRL lists to use when verifying +# the client certificate, in addition to CRLs stored in +# the capath. Implies VERIFY_CRL flag below. +# +# tls-dh=[curve:]file +# File containing DH parameters for temporary/ephemeral DH key +# exchanges, optionally prefixed by a curve for ephemeral ECDH +# key exchanges. +# See OpenSSL documentation for details on how to create the +# DH parameter file. Supported curves for ECDH can be listed +# using the "openssl ecparam -list_curves" command. +# WARNING: EDH and EECDH ciphers will be silently disabled if +# this option is not set. +# +# sslflags= Various flags modifying the use of SSL: +# DELAYED_AUTH +# Don't request client certificates +# immediately, but wait until acl processing +# requires a certificate (not yet implemented). +# NO_DEFAULT_CA +# Don't use the default CA lists built in +# to OpenSSL. +# NO_SESSION_REUSE +# Don't allow for session reuse. Each connection +# will result in a new SSL session. +# VERIFY_CRL +# Verify CRL lists when accepting client +# certificates. +# VERIFY_CRL_ALL +# Verify CRL lists for all certificates in the +# client certificate chain. +# +# sslcontext= SSL session ID context identifier. +# +# Other Options: +# # connection-auth[=on|off] # use connection-auth=off to tell Squid to prevent # forwarding Microsoft connection oriented authentication @@ -1100,22 +1587,6 @@ http_access deny all # sporadically hang or never complete requests set # disable-pmtu-discovery option to 'transparent'. # -# ssl-bump Intercept each CONNECT request matching ssl_bump ACL, -# establish secure connection with the client and with -# the server, decrypt HTTP messages as they pass through -# Squid, and treat them as unencrypted HTTP messages, -# becoming the man-in-the-middle. -# -# When this option is enabled, additional options become -# available to specify SSL-related properties of the -# client-side connection: cert, key, version, cipher, -# options, clientca, cafile, capath, crlfile, dhparams, -# sslflags, and sslcontext. See the https_port directive -# for more information on these options. -# -# The ssl_bump option is required to fully enable -# the SslBump feature. -# # name= Specifies a internal name for the port. Defaults to # the port specification (port or addr:port) # @@ -1125,6 +1596,11 @@ http_access deny all # probing the connection, interval how often to probe, and # timeout the time before giving up. # +# require-proxy-header +# Require PROXY protocol version 1 or 2 connections. +# The proxy_protocol_access is required to whitelist +# downstream proxies which can be trusted. +# # If you run Squid on a dual-homed machine with an internal # and an external interface we recommend you to specify the # internal address:port in http_port. This way Squid will only be @@ -1137,35 +1613,49 @@ http_port 3128 # TAG: https_port # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # -# Usage: [ip:]port cert=certificate.pem [key=key.pem] [options...] +# Usage: [ip:]port cert=certificate.pem [key=key.pem] [mode] [options...] # -# The socket address where Squid will listen for HTTPS client -# requests. +# The socket address where Squid will listen for client requests made +# over TLS or SSL connections. Commonly referred to as HTTPS. # -# This is really only useful for situations where you are running -# squid in accelerator mode and you want to do the SSL work at the -# accelerator level. +# This is most useful for situations where you are running squid in +# accelerator mode and you want to do the SSL work at the accelerator level. # # You may specify multiple socket addresses on multiple lines, # each with their own SSL certificate and/or options. # -# Options: +# Modes: +# +# accel Accelerator / reverse proxy mode +# +# intercept Support for IP-Layer interception of +# outgoing requests without browser settings. +# NP: disables authentication and IPv6 on the port. +# +# tproxy Support Linux TPROXY for spoofing outgoing +# connections using the client IP address. +# NP: disables authentication and maybe IPv6 on the port. +# +# ssl-bump For each intercepted connection allowed by ssl_bump +# ACLs, establish a secure connection with the client and with +# the server, decrypt HTTPS messages as they pass through +# Squid, and treat them as unencrypted HTTP messages, +# becoming the man-in-the-middle. +# +# An "ssl_bump server-first" match is required to +# fully enable bumping of intercepted SSL connections. +# +# Requires tproxy or intercept. # -# accel Accelerator mode. Also needs at least one of -# defaultsite or vhost. +# Omitting the mode flag causes default forward proxy mode to be used. # -# defaultsite= The name of the https site presented on -# this port. Implies accel. # -# vhost Accelerator mode using Host header for virtual -# domain support. Requires a wildcard certificate -# or other certificate valid for more than one domain. -# Implies accel. +# See http_port for a list of generic options # -# protocol= Protocol to reconstruct accelerated requests with. -# Defaults to https. +# +# SSL Options: # # cert= Path to SSL certificate (PEM format). # @@ -1181,20 +1671,23 @@ http_port 3128 # 4 TLSv1 only # # cipher= Colon separated list of supported ciphers. -# NOTE: some ciphers such as EDH ciphers depend on -# additional settings. If those settings are -# omitted the ciphers may be silently ignored -# by the OpenSSL library. # # options= Various SSL engine options. The most important # being: # NO_SSLv2 Disallow the use of SSLv2 # NO_SSLv3 Disallow the use of SSLv3 # NO_TLSv1 Disallow the use of TLSv1 +# # SINGLE_DH_USE Always create a new key when using # temporary/ephemeral DH key exchanges -# See OpenSSL SSL_CTX_set_options documentation for a -# complete list of options. +# +# SINGLE_ECDH_USE +# Enable ephemeral ECDH key exchange. +# The adopted curve should be specified +# using the tls-dh option. +# +# See src/ssl_support.c or OpenSSL SSL_CTX_set_options +# documentation for a complete list of options. # # clientca= File containing the list of CAs to use when # requesting a client certificate. @@ -1210,11 +1703,10 @@ http_port 3128 # the client certificate, in addition to CRLs stored in # the capath. Implies VERIFY_CRL flag below. # -# dhparams= File containing DH parameters for temporary/ephemeral -# DH key exchanges. See OpenSSL documentation for details -# on how to create this file. -# WARNING: EDH ciphers will be silently disabled if this -# option is not set. +# tls-dh=[curve:]file +# File containing DH parameters for temporary/ephemeral DH key +# exchanges, optionally prefixed by a curve for ephemeral ECDH +# key exchanges. # # sslflags= Various flags modifying the use of SSL: # DELAYED_AUTH @@ -1238,38 +1730,89 @@ http_port 3128 # # generate-host-certificates[=] # Dynamically create SSL server certificates for the -# destination hosts of bumped CONNECT requests.When +# destination hosts of bumped SSL requests.When # enabled, the cert and key options are used to sign # generated certificates. Otherwise generated # certificate will be selfsigned. -# If there is CA certificate life time of generated +# If there is CA certificate life time of generated # certificate equals lifetime of CA certificate. If -# generated certificate is selfsigned lifetime is three +# generated certificate is selfsigned lifetime is three # years. -# This option is enabled by default when SslBump is used. -# See the sslBump option above for more information. -# +# This option is disabled by default. See the ssl-bump +# option above for more information. +# # dynamic_cert_mem_cache_size=SIZE # Approximate total RAM size spent on cached generated -# certificates. If set to zero, caching is disabled. The -# default value is 4MB. An average XXX-bit certificate -# consumes about XXX bytes of RAM. +# certificates. If set to zero, caching is disabled. # -# vport Accelerator with IP based virtual host support. +# See http_port for a list of available options. +#Default: +# none + +# TAG: ftp_port +# Enables Native FTP proxy by specifying the socket address where Squid +# listens for FTP client requests. See http_port directive for various +# ways to specify the listening address and mode. # -# vport=NN As above, but uses specified port number rather -# than the https_port number. Implies accel. +# Usage: ftp_port address [mode] [options] # -# name= Specifies a internal name for the port. Defaults to -# the port specification (port or addr:port) +# WARNING: This is a new, experimental, complex feature that has seen +# limited production exposure. Some Squid modules (e.g., caching) do not +# currently work with native FTP proxying, and many features have not +# even been tested for compatibility. Test well before deploying! +# +# Native FTP proxying differs substantially from proxying HTTP requests +# with ftp:// URIs because Squid works as an FTP server and receives +# actual FTP commands (rather than HTTP requests with FTP URLs). # +# Native FTP commands accepted at ftp_port are internally converted or +# wrapped into HTTP-like messages. The same happens to Native FTP +# responses received from FTP origin servers. Those HTTP-like messages +# are shoveled through regular access control and adaptation layers +# between the FTP client and the FTP origin server. This allows Squid to +# examine, adapt, block, and log FTP exchanges. Squid reuses most HTTP +# mechanisms when shoveling wrapped FTP messages. For example, +# http_access and adaptation_access directives are used. +# +# Modes: +# +# intercept Same as http_port intercept. The FTP origin address is +# determined based on the intended destination of the +# intercepted connection. +# +# tproxy Support Linux TPROXY for spoofing outgoing +# connections using the client IP address. +# NP: disables authentication and maybe IPv6 on the port. +# +# By default (i.e., without an explicit mode option), Squid extracts the +# FTP origin address from the login@origin parameter of the FTP USER +# command. Many popular FTP clients support such native FTP proxying. +# +# Options: +# +# name=token Specifies an internal name for the port. Defaults to +# the port address. Usable with myportname ACL. +# +# ftp-track-dirs +# Enables tracking of FTP directories by injecting extra +# PWD commands and adjusting Request-URI (in wrapping +# HTTP requests) to reflect the current FTP server +# directory. Tracking is disabled by default. +# +# protocol=FTP Protocol to reconstruct accelerated and intercepted +# requests with. Defaults to FTP. No other accepted +# values have been tested with. An unsupported value +# results in a FATAL error. Accepted values are FTP, +# HTTP (or HTTP/1.1), and HTTPS (or HTTPS/1.1). +# +# Other http_port modes and options that are not specific to HTTP and +# HTTPS may also work. #Default: # none # TAG: tcp_outgoing_tos -# Allows you to select a TOS/Diffserv value to mark outgoing -# connections with, based on the username or source address -# making the request. +# Allows you to select a TOS/Diffserv value for packets outgoing +# on the server side, based on an ACL. # # tcp_outgoing_tos ds-field [!]aclname ... # @@ -1286,41 +1829,116 @@ http_port 3128 # RFC2475, and RFC3260. # # The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or -# "default" to use whatever default your host has. Note that in -# practice often only multiples of 4 is usable as the two rightmost bits -# have been redefined for use by ECN (RFC 3168 section 23.1). +# "default" to use whatever default your host has. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. # # Processing proceeds in the order specified, and stops at first fully # matching line. # -# Note: The use of this directive using client dependent ACLs is -# incompatible with the use of server side persistent connections. To -# ensure correct results it is best to set server_persistent_connections -# to off when using this directive in such configurations. +# Only fast ACLs are supported. #Default: # none # TAG: clientside_tos -# Allows you to select a TOS/Diffserv value to mark client-side -# connections with, based on the username or source address -# making the request. +# Allows you to select a TOS/DSCP value for packets being transmitted +# on the client-side, based on an ACL. +# +# clientside_tos ds-field [!]aclname ... +# +# Example where normal_service_net uses the TOS value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# clientside_tos 0x00 normal_service_net +# clientside_tos 0x20 good_service_net +# +# Note: This feature is incompatible with qos_flows. Any TOS values set here +# will be overwritten by TOS values in qos_flows. +# +# The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or +# "default" to use whatever default your host has. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. +# +#Default: +# none + +# TAG: tcp_outgoing_mark +# Note: This option is only available if Squid is rebuilt with the +# Packet MARK (Linux) +# +# Allows you to apply a Netfilter mark value to outgoing packets +# on the server side, based on an ACL. +# +# tcp_outgoing_mark mark-value [!]aclname ... +# +# Example where normal_service_net uses the mark value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# tcp_outgoing_mark 0x00 normal_service_net +# tcp_outgoing_mark 0x20 good_service_net +# +# Only fast ACLs are supported. +#Default: +# none + +# TAG: clientside_mark +# Note: This option is only available if Squid is rebuilt with the +# Packet MARK (Linux) +# +# Allows you to apply a Netfilter mark value to packets being transmitted +# on the client-side, based on an ACL. +# +# clientside_mark mark-value [!]aclname ... +# +# Example where normal_service_net uses the mark value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# clientside_mark 0x00 normal_service_net +# clientside_mark 0x20 good_service_net +# +# Note: This feature is incompatible with qos_flows. Any mark values set here +# will be overwritten by mark values in qos_flows. #Default: # none # TAG: qos_flows # Allows you to select a TOS/DSCP value to mark outgoing -# connections with, based on where the reply was sourced. +# connections to the client, based on where the reply was sourced. +# For platforms using netfilter, allows you to set a netfilter mark +# value instead of, or in addition to, a TOS value. +# +# By default this functionality is disabled. To enable it with the default +# settings simply use "qos_flows mark" or "qos_flows tos". Default +# settings will result in the netfilter mark or TOS value being copied +# from the upstream connection to the client. Note that it is the connection +# CONNMARK value not the packet MARK value that is copied. +# +# It is not currently possible to copy the mark or TOS value from the +# client to the upstream connection request. # # TOS values really only have local significance - so you should # know what you're specifying. For more information, see RFC2474, # RFC2475, and RFC3260. # -# The TOS/DSCP byte must be exactly that - octet value 0x00-0xFF. -# Note that in practice often only values up to 0x3F are usable -# as the two highest bits have been redefined for use by ECN -# (RFC3168). +# The TOS/DSCP byte must be exactly that - a octet value 0 - 255. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. +# +# Mark values can be any unsigned 32-bit integer value. # -# This setting is configured by setting the source TOS values: +# This setting is configured by setting the following values: +# +# tos|mark Whether to set TOS or netfilter mark values # # local-hit=0xFF Value to mark local cache hits. # @@ -1328,23 +1946,37 @@ http_port 3128 # # parent-hit=0xFF Value to mark hits from parent peers. # +# miss=0xFF[/mask] Value to mark cache misses. Takes precedence +# over the preserve-miss feature (see below), unless +# mask is specified, in which case only the bits +# specified in the mask are written. # -# NOTE: 'miss' preserve feature is only possible on Linux at this time. -# -# For the following to work correctly, you will need to patch your -# linux kernel with the TOS preserving ZPH patch. -# The kernel patch can be downloaded from http://zph.bratcheda.org +# The TOS variant of the following features are only possible on Linux +# and require your kernel to be patched with the TOS preserving ZPH +# patch, available from http://zph.bratcheda.org +# No patch is needed to preserve the netfilter mark, which will work +# with all variants of netfilter. # # disable-preserve-miss -# By default, the existing TOS value of the response coming -# from the remote server will be retained and masked with -# miss-mark. This option disables that feature. +# This option disables the preservation of the TOS or netfilter +# mark. By default, the existing TOS or netfilter mark value of +# the response coming from the remote server will be retained +# and masked with miss-mark. +# NOTE: in the case of a netfilter mark, the mark must be set on +# the connection (using the CONNMARK target) not on the packet +# (MARK target). # # miss-mask=0xFF -# Allows you to mask certain bits in the TOS received from the -# remote server, before copying the value to the TOS sent -# towards clients. -# Default: 0xFF (TOS from server is not changed). +# Allows you to mask certain bits in the TOS or mark value +# received from the remote server, before copying the value to +# the TOS sent towards clients. +# Default for tos: 0xFF (TOS from server is not changed). +# Default for mark: 0xFFFFFFFF (mark from server is not changed). +# +# All of these features require the --enable-zph-qos compilation flag +# (enabled by default). Netfilter marking also requires the +# libnetfilter_conntrack libraries (--with-netfilter-conntrack) and +# libcap 2.09+ (--with-libcap). # #Default: # none @@ -1356,72 +1988,133 @@ http_port 3128 # # tcp_outgoing_address ipaddr [[!]aclname] ... # -# Example where requests from 10.0.0.0/24 will be forwarded -# with source address 10.1.0.1, 10.0.2.0/24 forwarded with -# source address 10.1.0.2 and the rest will be forwarded with -# source address 10.1.0.3. -# -# acl normal_service_net src 10.0.0.0/24 -# acl good_service_net src 10.0.2.0/24 -# tcp_outgoing_address 10.1.0.1 normal_service_net -# tcp_outgoing_address 10.1.0.2 good_service_net -# tcp_outgoing_address 10.1.0.3 -# -# Processing proceeds in the order specified, and stops at first fully -# matching line. -# -# Note: The use of this directive using client dependent ACLs is -# incompatible with the use of server side persistent connections. To -# ensure correct results it is best to set server_persistent_connections -# to off when using this directive in such configurations. -# +# For example; +# Forwarding clients with dedicated IPs for certain subnets. # -# IPv6 Magic: +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.2.0/24 # -# Squid is built with a capability of bridging the IPv4 and IPv6 -# internets. -# tcp_outgoing_address as exampled above breaks this bridging by forcing -# all outbound traffic through a certain IPv4 which may be on the wrong -# side of the IPv4/IPv6 boundary. +# tcp_outgoing_address 2001:db8::c001 good_service_net +# tcp_outgoing_address 10.1.0.2 good_service_net # -# To operate with tcp_outgoing_address and keep the bridging benefits -# an additional ACL needs to be used which ensures the IPv6-bound traffic -# is never forced or permitted out the IPv4 interface. +# tcp_outgoing_address 2001:db8::beef normal_service_net +# tcp_outgoing_address 10.1.0.1 normal_service_net # -# # IPv6 destination test along with a dummy access control to perform the required DNS -# # This MUST be place before any ALLOW rules. -# acl to_ipv6 dst ipv6 -# http_access deny ipv6 !all +# tcp_outgoing_address 2001:db8::1 +# tcp_outgoing_address 10.1.0.3 # -# tcp_outgoing_address 2001:db8::c001 good_service_net to_ipv6 -# tcp_outgoing_address 10.1.0.2 good_service_net !to_ipv6 +# Processing proceeds in the order specified, and stops at first fully +# matching line. # -# tcp_outgoing_address 2001:db8::beef normal_service_net to_ipv6 -# tcp_outgoing_address 10.1.0.1 normal_service_net !to_ipv6 +# Squid will add an implicit IP version test to each line. +# Requests going to IPv4 websites will use the outgoing 10.1.0.* addresses. +# Requests going to IPv6 websites will use the outgoing 2001:db8:* addresses. # -# tcp_outgoing_address 2001:db8::1 to_ipv6 -# tcp_outgoing_address 10.1.0.3 !to_ipv6 # -# WARNING: -# 'dst ipv6' bases its selection assuming DIRECT access. -# If peers are used the peername ACL are needed to select outgoing -# address which can link to the peer. +# NOTE: The use of this directive using client dependent ACLs is +# incompatible with the use of server side persistent connections. To +# ensure correct results it is best to set server_persistent_connections +# to off when using this directive in such configurations. # -# 'dst ipv6' is a slow ACL. It will only work here if 'dst' is used -# previously in the http_access rules to locate the destination IP. -# Some more magic may be needed for that: -# http_access allow to_ipv6 !all -# (meaning, allow if to IPv6 but not from anywhere ;) +# NOTE: The use of this directive to set a local IP on outgoing TCP links +# is incompatible with using TPROXY to set client IP out outbound TCP links. +# When needing to contact peers use the no-tproxy cache_peer option and the +# client_dst_passthru directive re-enable normal forwarding such as this. # #Default: -# none +# Address selection is performed by the operating system. + +# TAG: host_verify_strict +# Regardless of this option setting, when dealing with intercepted +# traffic, Squid always verifies that the destination IP address matches +# the Host header domain or IP (called 'authority form URL'). +# +# This enforcement is performed to satisfy a MUST-level requirement in +# RFC 2616 section 14.23: "The Host field value MUST represent the naming +# authority of the origin server or gateway given by the original URL". +# +# When set to ON: +# Squid always responds with an HTTP 409 (Conflict) error +# page and logs a security warning if there is no match. +# +# Squid verifies that the destination IP address matches +# the Host header for forward-proxy and reverse-proxy traffic +# as well. For those traffic types, Squid also enables the +# following checks, comparing the corresponding Host header +# and Request-URI components: +# +# * The host names (domain or IP) must be identical, +# but valueless or missing Host header disables all checks. +# For the two host names to match, both must be either IP +# or FQDN. +# +# * Port numbers must be identical, but if a port is missing +# the scheme-default port is assumed. +# +# +# When set to OFF (the default): +# Squid allows suspicious requests to continue but logs a +# security warning and blocks caching of the response. +# +# * Forward-proxy traffic is not checked at all. +# +# * Reverse-proxy traffic is not checked at all. +# +# * Intercepted traffic which passes verification is handled +# according to client_dst_passthru. +# +# * Intercepted requests which fail verification are sent +# to the client original destination instead of DIRECT. +# This overrides 'client_dst_passthru off'. +# +# For now suspicious intercepted CONNECT requests are always +# responded to with an HTTP 409 (Conflict) error page. +# +# +# SECURITY NOTE: +# +# As described in CVE-2009-0801 when the Host: header alone is used +# to determine the destination of a request it becomes trivial for +# malicious scripts on remote websites to bypass browser same-origin +# security policy and sandboxing protections. +# +# The cause of this is that such applets are allowed to perform their +# own HTTP stack, in which case the same-origin policy of the browser +# sandbox only verifies that the applet tries to contact the same IP +# as from where it was loaded at the IP level. The Host: header may +# be different from the connected IP and approved origin. +# +#Default: +# host_verify_strict off + +# TAG: client_dst_passthru +# With NAT or TPROXY intercepted traffic Squid may pass the request +# directly to the original client destination IP or seek a faster +# source using the HTTP Host header. +# +# Using Host to locate alternative servers can provide faster +# connectivity with a range of failure recovery options. +# But can also lead to connectivity trouble when the client and +# server are attempting stateful interactions unaware of the proxy. +# +# This option (on by default) prevents alternative DNS entries being +# located to send intercepted traffic DIRECT to an origin server. +# The clients original destination IP and port will be used instead. +# +# Regardless of this option setting, when dealing with intercepted +# traffic Squid will verify the Host: header and any traffic which +# fails Host verification will be treated as if this option were ON. +# +# see host_verify_strict for details on the verification process. +#Default: +# client_dst_passthru on # SSL OPTIONS # ----------------------------------------------------------------------------- # TAG: ssl_unclean_shutdown # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Some browsers (especially MSIE) bugs out on SSL shutdown # messages. @@ -1430,7 +2123,7 @@ http_port 3128 # TAG: ssl_engine # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # The OpenSSL engine to use. You will need to set this if you # would like to use hardware SSL acceleration for example. @@ -1439,7 +2132,7 @@ http_port 3128 # TAG: sslproxy_client_certificate # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Client SSL Certificate to use when proxying https:// URLs #Default: @@ -1447,7 +2140,7 @@ http_port 3128 # TAG: sslproxy_client_key # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Client SSL Key to use when proxying https:// URLs #Default: @@ -1455,36 +2148,60 @@ http_port 3128 # TAG: sslproxy_version # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # SSL version level to use when proxying https:// URLs +# +# The versions of SSL/TLS supported: +# +# 1 automatic (default) +# 2 SSLv2 only +# 3 SSLv3 only +# 4 TLSv1.0 only +# 5 TLSv1.1 only +# 6 TLSv1.2 only #Default: -# sslproxy_version 1 +# automatic SSL/TLS version negotiation # TAG: sslproxy_options # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # -# SSL engine options to use when proxying https:// URLs +# Colon (:) or comma (,) separated list of SSL implementation options +# to use when proxying https:// URLs # # The most important being: # -# NO_SSLv2 Disallow the use of SSLv2 -# NO_SSLv3 Disallow the use of SSLv3 -# NO_TLSv1 Disallow the use of TLSv1 -# SINGLE_DH_USE -# Always create a new key when using -# temporary/ephemeral DH key exchanges +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# +# SINGLE_DH_USE +# Always create a new key when using temporary/ephemeral +# DH key exchanges +# +# NO_TICKET +# Disable use of RFC5077 session tickets. Some servers +# may have problems understanding the TLS extension due +# to ambiguous specification in RFC4507. +# +# ALL Enable various bug workarounds suggested as "harmless" +# by OpenSSL. Be warned that this may reduce SSL/TLS +# strength to some attacks. # -# These options vary depending on your SSL engine. # See the OpenSSL SSL_CTX_set_options documentation for a # complete list of possible options. +# +# WARNING: This directive takes a single token. If a space is used +# the value(s) after that space are SILENTLY IGNORED. #Default: # none # TAG: sslproxy_cipher # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # SSL cipher list to use when proxying https:// URLs # @@ -1494,7 +2211,7 @@ http_port 3128 # TAG: sslproxy_cafile # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # file containing CA certificates to use when verifying server # certificates while proxying https:// URLs @@ -1503,45 +2220,151 @@ http_port 3128 # TAG: sslproxy_capath # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # directory containing CA certificates to use when verifying # server certificates while proxying https:// URLs #Default: # none -# TAG: ssl_bump +# TAG: sslproxy_session_ttl +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the timeout value for SSL sessions +#Default: +# sslproxy_session_ttl 300 + +# TAG: sslproxy_session_cache_size +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the cache size to use for ssl session +#Default: +# sslproxy_session_cache_size 2 MB + +# TAG: sslproxy_foreign_intermediate_certs # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # -# This ACL controls which CONNECT requests to an http_port -# marked with an sslBump flag are actually "bumped". Please -# see the sslBump flag of an http_port option for more details -# about decoding proxied SSL connections. +# Many origin servers fail to send their full server certificate +# chain for verification, assuming the client already has or can +# easily locate any missing intermediate certificates. # -# By default, no requests are bumped. +# Squid uses the certificates from the specified file to fill in +# these missing chains when trying to validate origin server +# certificate chains. +# +# The file is expected to contain zero or more PEM-encoded +# intermediate certificates. These certificates are not treated +# as trusted root certificates, and any self-signed certificate in +# this file will be ignored. +#Default: +# none + +# TAG: sslproxy_cert_sign_hash +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the hashing algorithm to use when signing generated certificates. +# Valid algorithm names depend on the OpenSSL library used. The following +# names are usually available: sha1, sha256, sha512, and md5. Please see +# your OpenSSL library manual for the available hashes. By default, Squids +# that support this option use sha256 hashes. +# +# Squid does not forcefully purge cached certificates that were generated +# with an algorithm other than the currently configured one. They remain +# in the cache, subject to the regular cache eviction policy, and become +# useful if the algorithm changes again. +#Default: +# none + +# TAG: ssl_bump +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# This option is consulted when a CONNECT request is received on +# an http_port (or a new connection is intercepted at an +# https_port), provided that port was configured with an ssl-bump +# flag. The subsequent data on the connection is either treated as +# HTTPS and decrypted OR tunneled at TCP level without decryption, +# depending on the first matching bumping "action". +# +# ssl_bump [!]acl ... +# +# The following bumping actions are currently supported: +# +# splice +# Become a TCP tunnel without decrypting proxied traffic. +# This is the default action. +# +# bump +# Establish a secure connection with the server and, using a +# mimicked server certificate, with the client. +# +# peek +# Receive client (step SslBump1) or server (step SslBump2) +# certificate while preserving the possibility of splicing the +# connection. Peeking at the server certificate (during step 2) +# usually precludes bumping of the connection at step 3. +# +# stare +# Receive client (step SslBump1) or server (step SslBump2) +# certificate while preserving the possibility of bumping the +# connection. Staring at the server certificate (during step 2) +# usually precludes splicing of the connection at step 3. +# +# terminate +# Close client and server connections. +# +# Backward compatibility actions available at step SslBump1: +# +# client-first +# Bump the connection. Establish a secure connection with the +# client first, then connect to the server. This old mode does +# not allow Squid to mimic server SSL certificate and does not +# work with intercepted SSL connections. +# +# server-first +# Bump the connection. Establish a secure connection with the +# server first, then establish a secure connection with the +# client, using a mimicked server certificate. Works with both +# CONNECT requests and intercepted SSL connections, but does +# not allow to make decisions based on SSL handshake info. +# +# peek-and-splice +# Decide whether to bump or splice the connection based on +# client-to-squid and server-to-squid SSL hello messages. +# XXX: Remove. +# +# none +# Same as the "splice" action. +# +# All ssl_bump rules are evaluated at each of the supported bumping +# steps. Rules with actions that are impossible at the current step are +# ignored. The first matching ssl_bump action wins and is applied at the +# end of the current step. If no rules match, the splice action is used. +# See the at_step ACL for a list of the supported SslBump steps. # -# See also: http_port ssl-bump -# # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # +# See also: http_port ssl-bump, https_port ssl-bump, and acl at_step. +# # -# # Example: Bump all requests except those originating from localhost and -# # those going to webax.com or example.com sites. +# # Example: Bump all TLS connections except those originating from +# # localhost or those going to example.com. # -# acl localhost src 127.0.0.1/32 -# acl broken_sites dstdomain .webax.com -# acl broken_sites dstdomain .example.com -# ssl_bump deny localhost -# ssl_bump deny broken_sites -# ssl_bump allow all +# acl broken_sites ssl::server_name .example.com +# ssl_bump splice localhost +# ssl_bump splice broken_sites +# ssl_bump bump all #Default: -# none +# Become a TCP tunnel without decrypting proxied traffic. # TAG: sslproxy_flags # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Various flags modifying the use of SSL while proxying https:// URLs: # DONT_VERIFY_PEER Accept certificates that fail verification. @@ -1553,16 +2376,16 @@ http_port 3128 # TAG: sslproxy_cert_error # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Use this ACL to bypass server certificate validation errors. # # For example, the following lines will bypass all validation errors -# when talking to servers located at 172.16.0.0/16. All other +# when talking to servers for example.com. All other # validation errors will result in ERR_SECURE_CONNECT_FAIL error. # -# acl BrokenServersAtTrustedIP dst 172.16.0.0/16 -# sslproxy_cert_error allow BrokenServersAtTrustedIP +# acl BrokenButTrustedServers dstdomain example.com +# sslproxy_cert_error allow BrokenButTrustedServers # sslproxy_cert_error deny all # # This clause only supports fast acl types. @@ -1570,19 +2393,107 @@ http_port 3128 # Using slow acl types may result in server crashes # # Without this option, all server certificate validation errors -# terminate the transaction. Bypassing validation errors is dangerous -# because an error usually implies that the server cannot be trusted and -# the connection may be insecure. +# terminate the transaction to protect Squid and the client. +# +# SQUID_X509_V_ERR_INFINITE_VALIDATION error cannot be bypassed +# but should not happen unless your OpenSSL library is buggy. +# +# SECURITY WARNING: +# Bypassing validation errors is dangerous because an +# error usually implies that the server cannot be trusted +# and the connection may be insecure. # # See also: sslproxy_flags and DONT_VERIFY_PEER. +#Default: +# Server certificate errors terminate the transaction. + +# TAG: sslproxy_cert_sign +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# # -# Default setting: sslproxy_cert_error deny all +# sslproxy_cert_sign acl ... +# +# The following certificate signing algorithms are supported: +# +# signTrusted +# Sign using the configured CA certificate which is usually +# placed in and trusted by end-user browsers. This is the +# default for trusted origin server certificates. +# +# signUntrusted +# Sign to guarantee an X509_V_ERR_CERT_UNTRUSTED browser error. +# This is the default for untrusted origin server certificates +# that are not self-signed (see ssl::certUntrusted). +# +# signSelf +# Sign using a self-signed certificate with the right CN to +# generate a X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT error in the +# browser. This is the default for self-signed origin server +# certificates (see ssl::certSelfSigned). +# +# This clause only supports fast acl types. +# +# When sslproxy_cert_sign acl(s) match, Squid uses the corresponding +# signing algorithm to generate the certificate and ignores all +# subsequent sslproxy_cert_sign options (the first match wins). If no +# acl(s) match, the default signing algorithm is determined by errors +# detected when obtaining and validating the origin server certificate. +# +# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can +# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a +# CONNECT request that carries a domain name. In all other cases (CONNECT +# to an IP address or an intercepted SSL connection), Squid cannot detect +# the domain mismatch at certificate generation time when +# bump-server-first is used. +#Default: +# none + +# TAG: sslproxy_cert_adapt +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# +# sslproxy_cert_adapt acl ... +# +# The following certificate adaptation algorithms are supported: +# +# setValidAfter +# Sets the "Not After" property to the "Not After" property of +# the CA certificate used to sign generated certificates. +# +# setValidBefore +# Sets the "Not Before" property to the "Not Before" property of +# the CA certificate used to sign generated certificates. +# +# setCommonName or setCommonName{CN} +# Sets Subject.CN property to the host name specified as a +# CN parameter or, if no explicit CN parameter was specified, +# extracted from the CONNECT request. It is a misconfiguration +# to use setCommonName without an explicit parameter for +# intercepted or tproxied SSL connections. +# +# This clause only supports fast acl types. +# +# Squid first groups sslproxy_cert_adapt options by adaptation algorithm. +# Within a group, when sslproxy_cert_adapt acl(s) match, Squid uses the +# corresponding adaptation algorithm to generate the certificate and +# ignores all subsequent sslproxy_cert_adapt options in that algorithm's +# group (i.e., the first match wins within each algorithm group). If no +# acl(s) match, the default mimicking action takes place. +# +# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can +# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a +# CONNECT request that carries a domain name. In all other cases (CONNECT +# to an IP address or an intercepted SSL connection), Squid cannot detect +# the domain mismatch at certificate generation time when +# bump-server-first is used. #Default: # none # TAG: sslpassword_program # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Specify a program used for entering SSL key passphrases # when using encrypted SSL certificate keys. If not specified @@ -1595,12 +2506,12 @@ http_port 3128 #Default: # none -#OPTIONS RELATING TO EXTERNAL SSL_CRTD -#----------------------------------------------------------------------------- +# OPTIONS RELATING TO EXTERNAL SSL_CRTD +# ----------------------------------------------------------------------------- # TAG: sslcrtd_program # Note: This option is only available if Squid is rebuilt with the -# -DUSE_SSL_CRTD define +# --enable-ssl-crtd # # Specify the location and options of the executable for ssl_crtd process. # /usr/lib/squid/ssl_crtd program requires -s and -M parameters @@ -1611,14 +2522,90 @@ http_port 3128 # TAG: sslcrtd_children # Note: This option is only available if Squid is rebuilt with the -# -DUSE_SSL_CRTD define +# --enable-ssl-crtd # # The maximum number of processes spawn to service ssl server. # The maximum this may be safely set to is 32. # +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup=N +# +# Sets the minimum number of processes to spawn when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few children temporary slows Squid under load while it +# tries to spawn enough additional processes to cope with traffic. +# +# idle=N +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# # You must have at least one ssl_crtd process. #Default: -# sslcrtd_children 5 +# sslcrtd_children 32 startup=5 idle=1 + +# TAG: sslcrtvalidator_program +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Specify the location and options of the executable for ssl_crt_validator +# process. +# +# Usage: sslcrtvalidator_program [ttl=n] [cache=n] path ... +# +# Options: +# ttl=n TTL in seconds for cached results. The default is 60 secs +# cache=n limit the result cache size. The default value is 2048 +#Default: +# none + +# TAG: sslcrtvalidator_children +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# The maximum number of processes spawn to service SSL server. +# The maximum this may be safely set to is 32. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup=N +# +# Sets the minimum number of processes to spawn when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few children temporary slows Squid under load while it +# tries to spawn enough additional processes to cope with traffic. +# +# idle=N +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# +# The number of requests each certificate validator helper can handle in +# parallel. A value of 0 indicates the certficate validator does not +# support concurrency. Defaults to 1. +# +# When this directive is set to a value >= 1 then the protocol +# used to communicate with the helper is modified to include +# a request ID in front of the request/response. The request +# ID from the request must be echoed back with the response +# to that request. +# +# You must have at least one ssl_crt_validator process. +#Default: +# sslcrtvalidator_children 32 startup=5 idle=1 concurrency=1 # OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM # ----------------------------------------------------------------------------- @@ -1680,22 +2667,23 @@ http_port 3128 # # htcp Send HTCP, instead of ICP, queries to the neighbor. # You probably also want to set the "icp-port" to 4827 -# instead of 3130. +# instead of 3130. This directive accepts a comma separated +# list of options described below. # -# htcp-oldsquid Send HTCP to old Squid versions. +# htcp=oldsquid Send HTCP to old Squid versions (2.5 or earlier). # -# htcp-no-clr Send HTCP to the neighbor but without +# htcp=no-clr Send HTCP to the neighbor but without # sending any CLR requests. This cannot be used with -# htcp-only-clr. +# only-clr. # -# htcp-only-clr Send HTCP to the neighbor but ONLY CLR requests. -# This cannot be used with htcp-no-clr. +# htcp=only-clr Send HTCP to the neighbor but ONLY CLR requests. +# This cannot be used with no-clr. # -# htcp-no-purge-clr +# htcp=no-purge-clr # Send HTCP to the neighbor including CLRs but only when # they do not result from PURGE requests. # -# htcp-forward-clr +# htcp=forward-clr # Forward any HTCP CLR requests this proxy receives to the peer. # # @@ -1768,6 +2756,14 @@ http_port 3128 # than the Squid default location. # # +# ==== CARP OPTIONS ==== +# +# carp-key=key-specification +# use a different key than the full URL to hash against the peer. +# the key-specification is a comma-separated list of the keywords +# scheme, host, port, path, params +# Order is not important. +# # ==== ACCELERATOR / REVERSE-PROXY OPTIONS ==== # # originserver Causes this parent to be contacted as an origin server. @@ -1795,20 +2791,23 @@ http_port 3128 # Note: The string can include URL escapes (i.e. %20 for # spaces). This also means % must be written as %%. # -# login=PROXYPASS +# login=PASSTHRU # Send login details received from client to this peer. -# Authentication is not required, nor changed. +# Both Proxy- and WWW-Authorization headers are passed +# without alteration to the peer. +# Authentication is not required by Squid for this to work. # # Note: This will pass any form of authentication but # only Basic auth will work through a proxy unless the # connection-auth options are also used. -# +# # login=PASS Send login details received from client to this peer. # Authentication is not required by this option. +# # If there are no client-provided authentication headers # to pass on, but username and password are available -# from either proxy login or an external ACL user= and -# password= result tags they may be sent instead. +# from an external ACL user= and password= result tags +# they may be sent instead. # # Note: To combine this with proxy_auth both proxies must # share the same user database as HTTP only allows for @@ -1826,6 +2825,27 @@ http_port 3128 # be used to identify this proxy to the peer, similar to # the login=username:password option above. # +# login=NEGOTIATE +# If this is a personal/workgroup proxy and your parent +# requires a secure proxy authentication. +# The first principal from the default keytab or defined by +# the environment variable KRB5_KTNAME will be used. +# +# WARNING: The connection may transmit requests from multiple +# clients. Negotiate often assumes end-to-end authentication +# and a single-client. Which is not strictly true here. +# +# login=NEGOTIATE:principal_name +# If this is a personal/workgroup proxy and your parent +# requires a secure proxy authentication. +# The principal principal_name from the default keytab or +# defined by the environment variable KRB5_KTNAME will be +# used. +# +# WARNING: The connection may transmit requests from multiple +# clients. Negotiate often assumes end-to-end authentication +# and a single-client. Which is not strictly true here. +# # connection-auth=on|off # Tell Squid that this peer does or not support Microsoft # connection oriented authentication, and any such @@ -1848,22 +2868,42 @@ http_port 3128 # reference a combined file containing both the # certificate and the key. # -# sslversion=1|2|3|4 +# sslversion=1|2|3|4|5|6 # The SSL version to use when connecting to this peer # 1 = automatic (default) # 2 = SSL v2 only # 3 = SSL v3 only -# 4 = TLS v1 only +# 4 = TLS v1.0 only +# 5 = TLS v1.1 only +# 6 = TLS v1.2 only # # sslcipher=... The list of valid SSL ciphers to use when connecting # to this peer. # -# ssloptions=... Specify various SSL engine options: -# NO_SSLv2 Disallow the use of SSLv2 -# NO_SSLv3 Disallow the use of SSLv3 -# NO_TLSv1 Disallow the use of TLSv1 -# See src/ssl_support.c or the OpenSSL documentation for -# a more complete list. +# ssloptions=... Specify various SSL implementation options: +# +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# +# SINGLE_DH_USE +# Always create a new key when using +# temporary/ephemeral DH key exchanges +# +# NO_TICKET +# Disable use of RFC5077 session tickets. Some servers +# may have problems understanding the TLS extension due +# to ambiguous specification in RFC4507. +# +# ALL Enable various bug workarounds +# suggested as "harmless" by OpenSSL +# Be warned that this reduces SSL/TLS +# strength to some attacks. +# +# See the OpenSSL SSL_CTX_set_options documentation for a +# more complete list. # # sslcafile=... A file containing additional CA certificates to use # when verifying the peer certificate. @@ -1907,29 +2947,74 @@ http_port 3128 # # connect-fail-limit=N # How many times connecting to a peer must fail before -# it is marked as down. Default is 10. +# it is marked as down. Standby connection failures +# count towards this limit. Default is 10. # # allow-miss Disable Squid's use of only-if-cached when forwarding # requests to siblings. This is primarily useful when -# icp_hit_stale is used by the sibling. To extensive use -# of this option may result in forwarding loops, and you -# should avoid having two-way peerings with this option. -# For example to deny peer usage on requests from peer -# by denying cache_peer_access if the source is a peer. +# icp_hit_stale is used by the sibling. Excessive use +# of this option may result in forwarding loops. One way +# to prevent peering loops when using this option, is to +# deny cache peer usage on requests from a peer: +# acl fromPeer ... +# cache_peer_access peerName deny fromPeer +# +# max-conn=N Limit the number of concurrent connections the Squid +# may open to this peer, including already opened idle +# and standby connections. There is no peer-specific +# connection limit by default. # -# max-conn=N Limit the amount of connections Squid may open to this -# peer. see also +# A peer exceeding the limit is not used for new +# requests unless a standby connection is available. +# +# max-conn currently works poorly with idle persistent +# connections: When a peer reaches its max-conn limit, +# and there are idle persistent connections to the peer, +# the peer may not be selected because the limiting code +# does not know whether Squid can reuse those idle +# connections. +# +# standby=N Maintain a pool of N "hot standby" connections to an +# UP peer, available for requests when no idle +# persistent connection is available (or safe) to use. +# By default and with zero N, no such pool is maintained. +# N must not exceed the max-conn limit (if any). +# +# At start or after reconfiguration, Squid opens new TCP +# standby connections until there are N connections +# available and then replenishes the standby pool as +# opened connections are used up for requests. A used +# connection never goes back to the standby pool, but +# may go to the regular idle persistent connection pool +# shared by all peers and origin servers. +# +# Squid never opens multiple new standby connections +# concurrently. This one-at-a-time approach minimizes +# flooding-like effect on peers. Furthermore, just a few +# standby connections should be sufficient in most cases +# to supply most new requests with a ready-to-use +# connection. +# +# Standby connections obey server_idle_pconn_timeout. +# For the feature to work as intended, the peer must be +# configured to accept and keep them open longer than +# the idle timeout at the connecting Squid, to minimize +# race conditions typical to idle used persistent +# connections. Default request_timeout and +# server_idle_pconn_timeout values ensure such a +# configuration. # # name=xxx Unique name for the peer. # Required if you have multiple peers on the same host # but different ports. # This name can be used in cache_peer_access and similar -# directives to dentify the peer. +# directives to identify the peer. # Can be used by outgoing access controls through the # peername ACL type. # # no-tproxy Do not use the client-spoof TPROXY support when forwarding # requests to this peer. Use normal address selection instead. +# This overrides the spoof_client_ip ACL. # # proxy-only objects fetched from the peer will not be stored locally. # @@ -1938,10 +3023,11 @@ http_port 3128 # TAG: cache_peer_domain # Use to limit the domains for which a neighbor cache will be -# queried. Usage: +# queried. # -# cache_peer_domain cache-host domain [domain ...] -# cache_peer_domain cache-host !domain +# Usage: +# cache_peer_domain cache-host domain [domain ...] +# cache_peer_domain cache-host !domain # # For example, specifying # @@ -1966,33 +3052,57 @@ http_port 3128 # none # TAG: cache_peer_access -# Similar to 'cache_peer_domain' but provides more flexibility by -# using ACL elements. +# Restricts usage of cache_peer proxies. # -# cache_peer_access cache-host allow|deny [!]aclname ... +# Usage: +# cache_peer_access peer-name allow|deny [!]aclname ... +# +# For the required peer-name parameter, use either the value of the +# cache_peer name=value parameter or, if name=value is missing, the +# cache_peer hostname parameter. +# +# This directive narrows down the selection of peering candidates, but +# does not determine the order in which the selected candidates are +# contacted. That order is determined by the peer selection algorithms +# (see PEER SELECTION sections in the cache_peer documentation). +# +# If a deny rule matches, the corresponding peer will not be contacted +# for the current transaction -- Squid will not send ICP queries and +# will not forward HTTP requests to that peer. An allow match leaves +# the corresponding peer in the selection. The first match for a given +# peer wins for that peer. +# +# The relative order of cache_peer_access directives for the same peer +# matters. The relative order of any two cache_peer_access directives +# for different peers does not matter. To ease interpretation, it is a +# good idea to group cache_peer_access directives for the same peer +# together. +# +# A single cache_peer_access directive may be evaluated multiple times +# for a given transaction because individual peer selection algorithms +# may check it independently from each other. These redundant checks +# may be optimized away in future Squid versions. # -# The syntax is identical to 'http_access' and the other lists of -# ACL elements. See the comments for 'http_access' below, or -# the Squid FAQ (http://wiki.squid-cache.org/SquidFaq/SquidAcl). +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# No peer usage restrictions. # TAG: neighbor_type_domain -# usage: neighbor_type_domain neighbor parent|sibling domain domain ... +# Modify the cache_peer neighbor type when passing requests +# about specific domains to the peer. # -# Modifying the neighbor type for specific domains is now -# possible. You can treat some domains differently than the the -# default neighbor type specified on the 'cache_peer' line. -# Normally it should only be necessary to list domains which -# should be treated differently because the default neighbor type -# applies for hostnames which do not match domains listed here. +# Usage: +# neighbor_type_domain neighbor parent|sibling domain domain ... # -#EXAMPLE: -# cache_peer cache.foo.org parent 3128 3130 -# neighbor_type_domain cache.foo.org sibling .com .net -# neighbor_type_domain cache.foo.org sibling .au .de +# For example: +# cache_peer foo.example.com parent 3128 3130 +# neighbor_type_domain foo.example.com sibling .au .de +# +# The above configuration treats all requests to foo.example.com as a +# parent proxy unless the request is for a .au or .de ccTLD domain name. #Default: -# none +# The peer type from cache_peer directive is used for all requests to that peer. # TAG: dead_peer_timeout (seconds) # This controls how long Squid waits to declare a peer cache @@ -2015,21 +3125,11 @@ http_port 3128 # TAG: forward_max_tries # Controls how many different forward paths Squid will try # before giving up. See also forward_timeout. +# +# NOTE: connect_retries (default: none) can make each of these +# possible forwarding paths be tried multiple times. #Default: -# forward_max_tries 10 - -# TAG: hierarchy_stoplist -# A list of words which, if found in a URL, cause the object to -# be handled directly by this cache. In other words, use this -# to not query neighbor caches for certain objects. You may -# list this option multiple times. -# -# Example: -# hierarchy_stoplist cgi-bin ? -# -# Note: never_direct overrides this option. -#Default: -# none +# forward_max_tries 25 # MEMORY CACHE OPTIONS # ----------------------------------------------------------------------------- @@ -2064,6 +3164,11 @@ http_port 3128 # decreases, blocks will be freed until the high-water mark is # reached. Thereafter, blocks will be used to store hot # objects. +# +# If shared memory caching is enabled, Squid does not use the shared +# cache space for in-transit objects, but they still consume as much +# local memory as they need. For more details about the shared memory +# cache, see memory_cache_shared. #Default: # cache_mem 256 MB @@ -2075,11 +3180,45 @@ http_port 3128 #Default: # maximum_object_size_in_memory 512 KB +# TAG: memory_cache_shared on|off +# Controls whether the memory cache is shared among SMP workers. +# +# The shared memory cache is meant to occupy cache_mem bytes and replace +# the non-shared memory cache, although some entities may still be +# cached locally by workers for now (e.g., internal and in-transit +# objects may be served from a local memory cache even if shared memory +# caching is enabled). +# +# By default, the memory cache is shared if and only if all of the +# following conditions are satisfied: Squid runs in SMP mode with +# multiple workers, cache_mem is positive, and Squid environment +# supports required IPC primitives (e.g., POSIX shared memory segments +# and GCC-style atomic operations). +# +# To avoid blocking locks, shared memory uses opportunistic algorithms +# that do not guarantee that every cachable entity that could have been +# shared among SMP workers will actually be shared. +#Default: +# "on" where supported if doing memory caching with multiple SMP workers. + +# TAG: memory_cache_mode +# Controls which objects to keep in the memory cache (cache_mem) +# +# always Keep most recently fetched objects in memory (default) +# +# disk Only disk cache hits are kept in memory, which means +# an object must first be cached on disk and then hit +# a second time before cached in memory. +# +# network Only objects fetched from network is kept in memory +#Default: +# Keep the most recently fetched objects in memory + # TAG: memory_replacement_policy # The memory replacement policy parameter determines which # objects are purged from memory when memory space is needed. # -# See cache_replacement_policy for details. +# See cache_replacement_policy for details on algorithms. #Default: # memory_replacement_policy lru @@ -2095,7 +3234,7 @@ http_port 3128 # heap LFUDA: Least Frequently Used with Dynamic Aging # heap LRU : LRU policy implemented using a heap # -# Applies to any cache_dir lines listed below this. +# Applies to any cache_dir lines listed below this directive. # # The LRU policies keeps recently referenced objects. # @@ -2114,7 +3253,7 @@ http_port 3128 # replacement policies. # # NOTE: if using the LFUDA replacement policy you should increase -# the value of maximum_object_size above its default of 4096 KB to +# the value of maximum_object_size above its default of 4 MB to # to maximize the potential byte hit rate improvement of LFUDA. # # For more information about the GDSF and LFUDA cache replacement @@ -2123,10 +3262,34 @@ http_port 3128 #Default: # cache_replacement_policy lru +# TAG: minimum_object_size (bytes) +# Objects smaller than this size will NOT be saved on disk. The +# value is specified in bytes, and the default is 0 KB, which +# means all responses can be stored. +#Default: +# no limit + +# TAG: maximum_object_size (bytes) +# Set the default value for max-size parameter on any cache_dir. +# The value is specified in bytes, and the default is 4 MB. +# +# If you wish to get a high BYTES hit ratio, you should probably +# increase this (one 32 MB object hit counts for 3200 10KB +# hits). +# +# If you wish to increase hit ratio more than you want to +# save bandwidth you should leave this low. +# +# NOTE: if using the LFUDA replacement policy you should increase +# this value to maximize the byte hit rate improvement of LFUDA! +# See cache_replacement_policy for a discussion of this policy. +#Default: +# maximum_object_size 4 MB +maximum_object_size 153600 KB + # TAG: cache_dir -# Usage: -# -# cache_dir Type Directory-Name Fs-specific-data [options] +# Format: +# cache_dir Type Directory-Name Fs-specific-data [options] # # You can specify multiple cache_dir lines to spread the # cache among different disk partitions. @@ -2141,12 +3304,18 @@ http_port 3128 # The directory must exist and be writable by the Squid # process. Squid will NOT create this directory for you. # -# The ufs store type: +# In SMP configurations, cache_dir must not precede the workers option +# and should use configuration macros or conditionals to give each +# worker interested in disk caching a dedicated cache directory. +# +# +# ==== The ufs store type ==== # # "ufs" is the old well-known Squid storage format that has always # been there. # -# cache_dir ufs Directory-Name Mbytes L1 L2 [options] +# Usage: +# cache_dir ufs Directory-Name Mbytes L1 L2 [options] # # 'Mbytes' is the amount of disk space (MB) to use under this # directory. The default is 100 MB. Change this to suit your @@ -2161,23 +3330,27 @@ http_port 3128 # will be created under each first-level directory. The default # is 256. # -# The aufs store type: +# +# ==== The aufs store type ==== # # "aufs" uses the same storage format as "ufs", utilizing # POSIX-threads to avoid blocking the main Squid process on # disk-I/O. This was formerly known in Squid as async-io. # -# cache_dir aufs Directory-Name Mbytes L1 L2 [options] +# Usage: +# cache_dir aufs Directory-Name Mbytes L1 L2 [options] # # see argument descriptions under ufs above # -# The diskd store type: +# +# ==== The diskd store type ==== # # "diskd" uses the same storage format as "ufs", utilizing a # separate process to avoid blocking the main Squid process on # disk-I/O. # -# cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n] +# Usage: +# cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n] # # see argument descriptions under ufs above # @@ -2185,55 +3358,149 @@ http_port 3128 # stops opening new files. If this many messages are in the queues, # Squid won't open new files. Default is 64 # -# Q2 specifies the number of unacknowledged messages when Squid -# starts blocking. If this many messages are in the queues, -# Squid blocks until it receives some replies. Default is 72 +# Q2 specifies the number of unacknowledged messages when Squid +# starts blocking. If this many messages are in the queues, +# Squid blocks until it receives some replies. Default is 72 +# +# When Q1 < Q2 (the default), the cache directory is optimized +# for lower response time at the expense of a decrease in hit +# ratio. If Q1 > Q2, the cache directory is optimized for +# higher hit ratio at the expense of an increase in response +# time. +# +# +# ==== The rock store type ==== +# +# Usage: +# cache_dir rock Directory-Name Mbytes [options] +# +# The Rock Store type is a database-style storage. All cached +# entries are stored in a "database" file, using fixed-size slots. +# A single entry occupies one or more slots. +# +# If possible, Squid using Rock Store creates a dedicated kid +# process called "disker" to avoid blocking Squid worker(s) on disk +# I/O. One disker kid is created for each rock cache_dir. Diskers +# are created only when Squid, running in daemon mode, has support +# for the IpcIo disk I/O module. +# +# swap-timeout=msec: Squid will not start writing a miss to or +# reading a hit from disk if it estimates that the swap operation +# will take more than the specified number of milliseconds. By +# default and when set to zero, disables the disk I/O time limit +# enforcement. Ignored when using blocking I/O module because +# blocking synchronous I/O does not allow Squid to estimate the +# expected swap wait time. +# +# max-swap-rate=swaps/sec: Artificially limits disk access using +# the specified I/O rate limit. Swap out requests that +# would cause the average I/O rate to exceed the limit are +# delayed. Individual swap in requests (i.e., hits or reads) are +# not delayed, but they do contribute to measured swap rate and +# since they are placed in the same FIFO queue as swap out +# requests, they may wait longer if max-swap-rate is smaller. +# This is necessary on file systems that buffer "too +# many" writes and then start blocking Squid and other processes +# while committing those writes to disk. Usually used together +# with swap-timeout to avoid excessive delays and queue overflows +# when disk demand exceeds available disk "bandwidth". By default +# and when set to zero, disables the disk I/O rate limit +# enforcement. Currently supported by IpcIo module only. +# +# slot-size=bytes: The size of a database "record" used for +# storing cached responses. A cached response occupies at least +# one slot and all database I/O is done using individual slots so +# increasing this parameter leads to more disk space waste while +# decreasing it leads to more disk I/O overheads. Should be a +# multiple of your operating system I/O page size. Defaults to +# 16KBytes. A housekeeping header is stored with each slot and +# smaller slot-sizes will be rejected. The header is smaller than +# 100 bytes. +# +# +# ==== COMMON OPTIONS ==== +# +# no-store no new objects should be stored to this cache_dir. +# +# min-size=n the minimum object size in bytes this cache_dir +# will accept. It's used to restrict a cache_dir +# to only store large objects (e.g. AUFS) while +# other stores are optimized for smaller objects +# (e.g. Rock). +# Defaults to 0. +# +# max-size=n the maximum object size in bytes this cache_dir +# supports. +# The value in maximum_object_size directive sets +# the default unless more specific details are +# available (ie a small store capacity). +# +# Note: To make optimal use of the max-size limits you should order +# the cache_dir lines with the smallest max-size value first. +# +#Default: +# No disk cache. Store cache ojects only in memory. +# + +# Uncomment and adjust the following to add a disk cache directory. +#cache_dir ufs /var/spool/squid 100 16 256 +cache_dir ufs /var/spool/squid 4096 16 1024 + +# TAG: store_dir_select_algorithm +# How Squid selects which cache_dir to use when the response +# object will fit into more than one. +# +# Regardless of which algorithm is used the cache_dir min-size +# and max-size parameters are obeyed. As such they can affect +# the selection algorithm by limiting the set of considered +# cache_dir. +# +# Algorithms: +# +# least-load +# +# This algorithm is suited to caches with similar cache_dir +# sizes and disk speeds. # -# When Q1 < Q2 (the default), the cache directory is optimized -# for lower response time at the expense of a decrease in hit -# ratio. If Q1 > Q2, the cache directory is optimized for -# higher hit ratio at the expense of an increase in response -# time. +# The disk with the least I/O pending is selected. +# When there are multiple disks with the same I/O load ranking +# the cache_dir with most available capacity is selected. # -# The coss store type: +# When a mix of cache_dir sizes are configured the faster disks +# have a naturally lower I/O loading and larger disks have more +# capacity. So space used to store objects and data throughput +# may be very unbalanced towards larger disks. # -# NP: COSS filesystem in Squid-3 has been deemed too unstable for -# production use and has thus been removed from this release. -# We hope that it can be made usable again soon. # -# block-size=n defines the "block size" for COSS cache_dir's. -# Squid uses file numbers as block numbers. Since file numbers -# are limited to 24 bits, the block size determines the maximum -# size of the COSS partition. The default is 512 bytes, which -# leads to a maximum cache_dir size of 512<<24, or 8 GB. Note -# you should not change the coss block size after Squid -# has written some objects to the cache_dir. +# round-robin # -# The coss file store has changed from 2.5. Now it uses a file -# called 'stripe' in the directory names in the config - and -# this will be created by squid -z. +# This algorithm is suited to caches with unequal cache_dir +# disk sizes. # -# Common options: +# Each cache_dir is selected in a rotation. The next suitable +# cache_dir is used. # -# no-store, no new objects should be stored to this cache_dir +# Available cache_dir capacity is only considered in relation +# to whether the object will fit and meets the min-size and +# max-size parameters. # -# max-size=n, refers to the max object size in bytes this cache_dir -# supports. It is used to select the cache_dir to store the object. -# Note: To make optimal use of the max-size limits you should order -# the cache_dir lines with the smallest max-size value first and the -# ones with no max-size specification last. +# Disk I/O loading is only considered to prevent overload on slow +# disks. This algorithm does not spread objects by size, so any +# I/O loading per-disk may appear very unbalanced and volatile. # -# Note for coss, max-size must be less than COSS_MEMBUF_SZ, -# which can be changed with the --with-coss-membuf-size=N configure -# option. +# If several cache_dirs use similar min-size, max-size, or other +# limits to to reject certain responses, then do not group such +# cache_dir lines together, to avoid round-robin selection bias +# towards the first cache_dir after the group. Instead, interleave +# cache_dir lines from different groups. For example: # - -# Uncomment and adjust the following to add a disk cache directory. -#cache_dir ufs /var/spool/squid 100 16 256 -cache_dir ufs /var/spool/squid 4096 16 1024 - -# TAG: store_dir_select_algorithm -# Set this to 'round-robin' as an alternative. +# store_dir_select_algorithm round-robin +# cache_dir rock /hdd1 ... min-size=100000 +# cache_dir rock /ssd1 ... max-size=99999 +# cache_dir rock /hdd2 ... min-size=100000 +# cache_dir rock /ssd2 ... max-size=99999 +# cache_dir rock /hdd3 ... min-size=100000 +# cache_dir rock /ssd3 ... max-size=99999 #Default: # store_dir_select_algorithm least-load @@ -2244,46 +3511,53 @@ cache_dir ufs /var/spool/squid 4096 16 1024 # # A value of 0 indicates no limit. #Default: -# max_open_disk_fds 0 - -# TAG: minimum_object_size (bytes) -# Objects smaller than this size will NOT be saved on disk. The -# value is specified in kilobytes, and the default is 0 KB, which -# means there is no minimum. -#Default: -# minimum_object_size 0 KB - -# TAG: maximum_object_size (bytes) -# Objects larger than this size will NOT be saved on disk. The -# value is specified in kilobytes, and the default is 4MB. If -# you wish to get a high BYTES hit ratio, you should probably -# increase this (one 32 MB object hit counts for 3200 10KB -# hits). If you wish to increase speed more than your want to -# save bandwidth you should leave this low. -# -# NOTE: if using the LFUDA replacement policy you should increase -# this value to maximize the byte hit rate improvement of LFUDA! -# See replacement_policy below for a discussion of this policy. -#Default: -# maximum_object_size 4096 KB -maximum_object_size 153600 KB +# no limit # TAG: cache_swap_low (percent, 0-100) +# The low-water mark for AUFS/UFS/diskd cache object eviction by +# the cache_replacement_policy algorithm. +# +# Removal begins when the swap (disk) usage of a cache_dir is +# above this low-water mark and attempts to maintain utilization +# near the low-water mark. +# +# As swap utilization increases towards the high-water mark set +# by cache_swap_high object eviction becomes more agressive. +# +# The value difference in percentages between low- and high-water +# marks represent an eviction rate of 300 objects per second and +# the rate continues to scale in agressiveness by multiples of +# this above the high-water mark. +# +# Defaults are 90% and 95%. If you have a large cache, 5% could be +# hundreds of MB. If this is the case you may wish to set these +# numbers closer together. +# +# See also cache_swap_high and cache_replacement_policy #Default: # cache_swap_low 90 # TAG: cache_swap_high (percent, 0-100) +# The high-water mark for AUFS/UFS/diskd cache object eviction by +# the cache_replacement_policy algorithm. # -# The low- and high-water marks for cache object replacement. -# Replacement begins when the swap (disk) usage is above the -# low-water mark and attempts to maintain utilization near the -# low-water mark. As swap utilization gets close to high-water -# mark object eviction becomes more aggressive. If utilization is -# close to the low-water mark less replacement is done each time. +# Removal begins when the swap (disk) usage of a cache_dir is +# above the low-water mark set by cache_swap_low and attempts to +# maintain utilization near the low-water mark. +# +# As swap utilization increases towards this high-water mark object +# eviction becomes more agressive. +# +# The value difference in percentages between low- and high-water +# marks represent an eviction rate of 300 objects per second and +# the rate continues to scale in agressiveness by multiples of +# this above the high-water mark. # # Defaults are 90% and 95%. If you have a large cache, 5% could be # hundreds of MB. If this is the case you may wish to set these # numbers closer together. +# +# See also cache_swap_low and cache_replacement_policy #Default: # cache_swap_high 95 @@ -2313,21 +3587,62 @@ maximum_object_size 153600 KB # ' output as-is # # - left aligned -# width field width. If starting with 0 the -# output is zero padded +# +# width minimum and/or maximum field width: +# [width_min][.width_max] +# When minimum starts with 0, the field is zero-padded. +# String values exceeding maximum width are truncated. +# # {arg} argument such as header name etc # # Format codes: # # % a literal % character +# sn Unique sequence number per log line entry +# err_code The ID of an error response served by Squid or +# a similar internal error identifier. +# err_detail Additional err_code-dependent error information. +# note The annotation specified by the argument. Also +# logs the adaptation meta headers set by the +# adaptation_meta configuration parameter. +# If no argument given all annotations logged. +# The argument may include a separator to use with +# annotation values: +# name[:separator] +# By default, multiple note values are separated with "," +# and multiple notes are separated with "\r\n". +# When logging named notes with %{name}note, the +# explicitly configured separator is used between note +# values. When logging all notes with %note, the +# explicitly configured separator is used between +# individual notes. There is currently no way to +# specify both value and notes separators when logging +# all notes with %note. +# +# Connection related format codes: +# # >a Client source IP address # >A Client FQDN # >p Client source port -# eui Client source EUI (MAC address, EUI-48 or EUI-64 identifier) +# >la Local IP address the client connected to +# >lp Local port number the client connected to +# >qos Client connection TOS/DSCP value set by Squid +# >nfmark Client connection netfilter mark set by Squid +# +# la Local listening IP address the client connection was connected to. +# lp Local listening port number the client connection was connected to. +# +# . format. +# Currently, Squid considers the master transaction +# started when a complete HTTP request header initiating +# the transaction is received from the client. This is +# the same value that Squid uses to calculate transaction +# response time when logging %tr to access.log. Currently, +# Squid uses millisecond resolution for %tS values, +# similar to the default access.log "current time" field +# (%ts.%03tu). +# +# Access Control related format codes: +# +# et Tag returned by external acl +# ea Log string returned by external acl +# un User name (any available) +# ul User name from authentication +# ue User name from external acl helper +# ui User name from ident +# un A user name. Expands to the first available name +# from the following list of information sources: +# - authenticated user name, like %ul +# - user name supplied by an external ACL, like %ue +# - SSL client name, like %us +# - ident user name, like %ui +# credentials Client credentials. The exact meaning depends on +# the authentication scheme: For Basic authentication, +# it is the password; for Digest, the realm sent by the +# client; for NTLM and Negotiate, the client challenge +# or client credentials prefixed with "YR " or "KK ". +# +# HTTP related format codes: +# +# REQUEST # -# HTTP cache related format codes: -# -# [http::]>h Original request header. Optional header name argument -# on the format header[:[separator]element] -# [http::]>ha The HTTP request headers after adaptation and redirection. +# [http::]rm Request method (GET/POST etc) +# [http::]>rm Request method from client +# [http::]ru Request URL from client +# [http::]rs Request URL scheme from client +# [http::]rd Request URL domain from client +# [http::]rP Request URL port from client +# [http::]rp Request URL path excluding hostname from client +# [http::]rv Request protocol version from client +# [http::]h Original received request header. +# Usually differs from the request header sent by +# Squid, although most fields are often preserved. +# Accepts optional header field name/value filter +# argument using name[:[separator]element] format. +# [http::]>ha Received request header after adaptation and +# redirection (pre-cache REQMOD vectoring point). +# Usually differs from the request header sent by +# Squid, although most fields are often preserved. # Optional header name argument as for >h +# +# +# RESPONSE +# +# [http::]Hs HTTP status code sent to the client +# # [http::]h -# [http::]un User name -# [http::]ul User name from authentication -# [http::]ui User name from ident -# [http::]us User name from SSL -# [http::]ue User name from external acl helper -# [http::]>Hs HTTP status code sent to the client -# [http::]st Received request size including HTTP headers. In the -# case of chunked requests the chunked encoding metadata -# are not included -# [http::]>sh Received HTTP request headers size -# [http::]st Total size of request received from client. +# Excluding chunked encoding bytes. +# [http::]sh Size of request headers received from client +# [http::]sni SSL client SNI sent to Squid. Available only +# after the peek, stare, or splice SSL bumping +# actions. +# +# If ICAP is enabled, the following code becomes available (as # well as ICAP log codes documented with the icap_log option): # # icap::tt Total ICAP processing time for the HTTP @@ -2386,14 +3793,13 @@ maximum_object_size 153600 KB # ACLs are checked and when ICAP # transaction is in progress. # -# icap::cert_subject The Subject field of the received client +# SSL certificate or a dash ('-') if Squid has +# received an invalid/malformed certificate or +# no certificate at all. Consider encoding the +# logged value because Subject often has spaces. +# +# %ssl::>cert_issuer The Issuer field of the received client +# SSL certificate or a dash ('-') if Squid has +# received an invalid/malformed certificate or +# no certificate at all. Consider encoding the +# logged value because Issuer often has spaces. +# # The default formats available (which do not need re-defining) are: # -#logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %a %Ss/%03>Hs %h] [%a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh +#logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh +#logformat referrer %ts.%03tu %>a %{Referer}>h %ru +#logformat useragent %>a [%tl] "%{User-Agent}>h" +# +# NOTE: When the log_mime_hdrs directive is set to ON. +# The squid, common and combined formats have a safely encoded copy +# of the mime headers appended to each line within a pair of brackets. +# +# NOTE: The common and combined formats are not quite true to the Apache definition. +# The logs from Squid contain an extra status and hierarchy code appended. +# #Default: -# none +# The format definitions squid, common, combined, referrer, useragent are built in. # TAG: access_log -# These files log client request activities. Has a line every HTTP or -# ICP request. The format is: -# access_log [ [acl acl ...]] -# access_log none [acl acl ...]] +# Configures whether and how Squid logs HTTP and ICP transactions. +# If access logging is enabled, a single line is logged for every +# matching HTTP or ICP request. The recommended directive formats are: # -# Will log to the specified file using the specified format (which -# must be defined in a logformat directive) those entries which match -# ALL the acl's specified (which must be defined in acl clauses). +# access_log : [option ...] [acl acl ...] +# access_log none [acl acl ...] # -# If no acl is specified, all requests will be logged to this file. +# The following directive format is accepted but may be deprecated: +# access_log : [ [acl acl ...]] # -# To disable logging of a request use the filepath "none", in which case -# a logformat name should not be specified. +# In most cases, the first ACL name must not contain the '=' character +# and should not be equal to an existing logformat name. You can always +# start with an 'all' ACL to work around those restrictions. +# +# Will log to the specified module:place using the specified format (which +# must be defined in a logformat directive) those entries which match +# ALL the acl's specified (which must be defined in acl clauses). +# If no acl is specified, all requests will be logged to this destination. +# +# ===== Available options for the recommended directive format ===== +# +# logformat=name Names log line format (either built-in or +# defined by a logformat directive). Defaults +# to 'squid'. +# +# buffer-size=64KB Defines approximate buffering limit for log +# records (see buffered_logs). Squid should not +# keep more than the specified size and, hence, +# should flush records before the buffer becomes +# full to avoid overflows under normal +# conditions (the exact flushing algorithm is +# module-dependent though). The on-error option +# controls overflow handling. +# +# on-error=die|drop Defines action on unrecoverable errors. The +# 'drop' action ignores (i.e., does not log) +# affected log records. The default 'die' action +# kills the affected worker. The drop action +# support has not been tested for modules other +# than tcp. +# +# ===== Modules Currently available ===== +# +# none Do not log any requests matching these ACL. +# Do not specify Place or logformat name. +# +# stdio Write each log line to disk immediately at the completion of +# each request. +# Place: the filename and path to be written. +# +# daemon Very similar to stdio. But instead of writing to disk the log +# line is passed to a daemon helper for asychronous handling instead. +# Place: varies depending on the daemon. +# +# log_file_daemon Place: the file name and path to be written. +# +# syslog To log each request via syslog facility. +# Place: The syslog facility and priority level for these entries. +# Place Format: facility.priority # -# To log the request via syslog specify a filepath of "syslog": +# where facility could be any of: +# authpriv, daemon, local0 ... local7 or user. # -# access_log syslog[:facility.priority] [format [acl1 [acl2 ....]]] -# where facility could be any of: -# authpriv, daemon, local0 .. local7 or user. +# And priority could be any of: +# err, warning, notice, info, debug. +# +# udp To send each log line as text data to a UDP receiver. +# Place: The destination host name or IP and port. +# Place Format: //host:port # -# And priority could be any of: -# err, warning, notice, info, debug. +# tcp To send each log line as text data to a TCP receiver. +# Lines may be accumulated before sending (see buffered_logs). +# Place: The destination host name or IP and port. +# Place Format: //host:port # # Default: -# access_log /var/log/squid/access.log squid +# access_log daemon:/var/log/squid/access.log squid #Default: -# access_log /var/log/squid/access.log squid +# access_log daemon:/var/log/squid/access.log squid # TAG: icap_log # ICAP log files record ICAP transaction summaries, one line per @@ -2472,13 +3953,35 @@ maximum_object_size 153600 KB # ICAP transaction log lines will correspond to a single access # log line. # -# ICAP log uses logformat codes that make sense for an ICAP -# transaction. Header-related codes are applied to the HTTP header -# embedded in an ICAP server response, with the following caveats: -# For REQMOD, there is no HTTP response header unless the ICAP -# server performed request satisfaction. For RESPMOD, the HTTP -# request header is the header sent to the ICAP server. For -# OPTIONS, there are no HTTP headers. +# ICAP log supports many access.log logformat %codes. In ICAP context, +# HTTP message-related %codes are applied to the HTTP message embedded +# in an ICAP message. Logformat "%http::>..." codes are used for HTTP +# messages embedded in ICAP requests while "%http::<..." codes are used +# for HTTP messages embedded in ICAP responses. For example: +# +# http::>h To-be-adapted HTTP message headers sent by Squid to +# the ICAP service. For REQMOD transactions, these are +# HTTP request headers. For RESPMOD, these are HTTP +# response headers, but Squid currently cannot log them +# (i.e., %http::>h will expand to "-" for RESPMOD). +# +# http::st Bytes sent to the ICAP server (TCP payload -# only; i.e., what Squid writes to the socket). +# icap::>st The total size of the ICAP request sent to the ICAP +# server (ICAP headers + ICAP body), including chunking +# metadata (if any). # -# icap::a %icap::to/%03icap::Hs %icap::A %icap::to/%03icap::Hs %icap::\n - logfile data +# R\n - rotate file +# T\n - truncate file +# O\n - reopen file +# F\n - flush file +# r\n - set rotate count to +# b\n - 1 = buffer output, 0 = don't buffer output +# +# No responses is expected. #Default: -# none +# logfile_daemon /usr/lib/squid/log_file_daemon -# TAG: log_icap -# This options allows you to control which requests get logged -# to icap.log. See the icap_log directive for ICAP log details. +# TAG: stats_collection allow|deny acl acl... +# This options allows you to control which requests gets accounted +# in performance counters. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow logging for all transactions. # TAG: cache_store_log # Logs the activities of the storage manager. Shows which # objects are ejected from the cache, and which objects are -# saved and for how long. To disable, enter "none" or remove the line. +# saved and for how long. # There are not really utilities to analyze this data, so you can safely -# disable it. -# +# disable it (the default). +# +# Store log uses modular logging outputs. See access_log for the list +# of modules supported. +# # Example: -# cache_store_log /var/log/squid/store.log +# cache_store_log stdio:/var/log/squid/store.log +# cache_store_log daemon:/var/log/squid/store.log #Default: # none @@ -2590,7 +4111,7 @@ maximum_object_size 153600 KB # them). We recommend you do NOT use this option. It is # better to keep these index files in each 'cache_dir' directory. #Default: -# none +# Store the journal inside its cache_dir # TAG: logfile_rotate # Specifies the number of logfile rotations to make when you @@ -2607,34 +4128,19 @@ maximum_object_size 153600 KB # in the habit of using 'squid -k rotate' instead of 'kill -USR1 # '. # -# Note, from Squid-3.1 this option has no effect on the cache.log, -# that log can be rotated separately by using debug_options +# Note, from Squid-3.1 this option is only a default for cache.log, +# that log can be rotated separately by using debug_options. # -# Note2, for Debian/Linux the default of logfile_rotate is -# zero, since it includes external logfile-rotation methods. +# Note2, for Debian/Linux the default of logfile_rotate is +# zero, since it includes external logfile-rotation methods. #Default: # logfile_rotate 0 -# TAG: emulate_httpd_log on|off -# The Cache can emulate the log file format which many 'httpd' -# programs use. To disable/enable this emulation, set -# emulate_httpd_log to 'off' or 'on'. The default -# is to use the native log format since it includes useful -# information Squid-specific log analyzers use. -#Default: -# emulate_httpd_log off - -# TAG: log_ip_on_direct on|off -# Log the destination IP address in the hierarchy log tag when going -# direct. Earlier Squid versions logged the hostname here. If you -# prefer the old way set this to off. -#Default: -# log_ip_on_direct on - # TAG: mime_table -# Pathname to Squid's MIME table. You shouldn't need to change -# this, but the default file contains examples and formatting -# information if you do. +# Path to Squid's icon configuration file. +# +# You shouldn't need to change this, but the default file contains +# examples and formatting information if you do. #Default: # mime_table /usr/share/squid/mime.conf @@ -2647,91 +4153,61 @@ maximum_object_size 153600 KB #Default: # log_mime_hdrs off -# TAG: useragent_log -# Note: This option is only available if Squid is rebuilt with the -# --enable-useragent-log option -# -# Squid will write the User-Agent field from HTTP requests -# to the filename specified here. By default useragent_log -# is disabled. -#Default: -# none - -# TAG: referer_log -# Note: This option is only available if Squid is rebuilt with the -# --enable-referer-log option -# -# Squid will write the Referer field from HTTP requests to the -# filename specified here. By default referer_log is disabled. -# Note that "referer" is actually a misspelling of "referrer" -# however the misspelt version has been accepted into the HTTP RFCs -# and we accept both. -#Default: -# none - # TAG: pid_filename # A filename to write the process-id to. To disable, enter "none". #Default: # pid_filename /var/run/squid.pid -# TAG: log_fqdn on|off -# Turn this on if you wish to log fully qualified domain names -# in the access.log. To do this Squid does a DNS lookup of all -# IP's connecting to it. This can (in some situations) increase -# latency, which makes your cache seem slower for interactive -# browsing. -#Default: -# log_fqdn off - # TAG: client_netmask # A netmask for client addresses in logfiles and cachemgr output. # Change this to protect the privacy of your cache clients. # A netmask of 255.255.255.0 will log all IP's in that range with # the last digit set to '0'. #Default: -# client_netmask no_addr - -# TAG: forward_log -# Note: This option is only available if Squid is rebuilt with the -# -DWIP_FWD_LOG define -# -# Logs the server-side requests. -# -# This is currently work in progress. -#Default: -# none +# Log full client IP address # TAG: strip_query_terms # By default, Squid strips query terms from requested URLs before -# logging. This protects your user's privacy. +# logging. This protects your user's privacy and reduces log size. +# +# When investigating HIT/MISS or other caching behaviour you +# will need to disable this to see the full URL used by Squid. #Default: # strip_query_terms on # TAG: buffered_logs on|off -# cache.log log file is written with stdio functions, and as such -# it can be buffered or unbuffered. By default it will be unbuffered. -# Buffering it can speed up the writing slightly (though you are -# unlikely to need to worry unless you run with tons of debugging -# enabled in which case performance will suffer badly anyway..). +# Whether to write/send access_log records ASAP or accumulate them and +# then write/send them in larger chunks. Buffering may improve +# performance because it decreases the number of I/Os. However, +# buffering increases the delay before log records become available to +# the final recipient (e.g., a disk file or logging daemon) and, +# hence, increases the risk of log records loss. +# +# Note that even when buffered_logs are off, Squid may have to buffer +# records if it cannot write/send them immediately due to pending I/Os +# (e.g., the I/O writing the previous log record) or connectivity loss. +# +# Currently honored by 'daemon' and 'tcp' access_log modules only. #Default: # buffered_logs off # TAG: netdb_filename -# Note: This option is only available if Squid is rebuilt with the -# --enable-icmp option +# Where Squid stores it's netdb journal. +# When enabled this journal preserves netdb state between restarts. # -# A filename where Squid stores it's netdb state between restarts. # To disable, enter "none". #Default: -# netdb_filename /var/log/squid/netdb.state +# netdb_filename stdio:/var/log/squid/netdb.state # OPTIONS FOR TROUBLESHOOTING # ----------------------------------------------------------------------------- # TAG: cache_log -# Cache logging file. This is where general information about -# your cache's behavior goes. You can increase the amount of data -# logged to this file and how often its rotated with "debug_options" +# Squid administrative logging file. +# +# This is where general information about Squid behavior goes. You can +# increase the amount of data logged to this file and how often it is +# rotated with "debug_options" #Default: # cache_log /var/log/squid/cache.log @@ -2742,14 +4218,14 @@ maximum_object_size 153600 KB # log file, so be careful. # # The magic word "ALL" sets debugging levels for all sections. -# We recommend normally running with "ALL,1". +# The default is to run with "ALL,1" to record important warnings. # # The rotate=N option can be used to keep more or less of these logs # than would otherwise be kept by logfile_rotate. # For most uses a single log should be enough to monitor current # events affecting Squid. #Default: -# debug_options ALL,1 +# Log all critical and important messages. # TAG: coredump_dir # By default Squid leaves core files in the directory from where @@ -2758,7 +4234,7 @@ maximum_object_size 153600 KB # and coredump files will be left there. # #Default: -# coredump_dir none +# Use the directory from where Squid was started. # # Leave coredumps in the first cache dir @@ -2769,24 +4245,17 @@ coredump_dir /var/spool/squid # TAG: ftp_user # If you want the anonymous login password to be more informative -# (and enable the use of picky ftp servers), set this to something +# (and enable the use of picky FTP servers), set this to something # reasonable for your domain, like wwwuser@somewhere.net # # The reason why this is domainless by default is the # request can be made on the behalf of a user in any domain, # depending on how the cache is used. -# Some ftp server also validate the email address is valid +# Some FTP server also validate the email address is valid # (for example perl.com). #Default: # ftp_user Squid@ -# TAG: ftp_list_width -# Sets the width of ftp listings. This should be set to fit in -# the width of a standard browser. Setting this too small -# can cut off long filenames when browsing ftp sites. -#Default: -# ftp_list_width 32 - # TAG: ftp_passive # If your firewall does not allow Squid to use passive # connections, turn off this option. @@ -2822,13 +4291,21 @@ coredump_dir /var/spool/squid # and therefore, translation of the data portion of the segments # will never be needed. # -# Turning this OFF will prevent EPSV being attempted. -# WARNING: Doing so will convert Squid back to the old behavior with all -# the related problems with external NAT devices/layers. +# EPSV is often required to interoperate with FTP servers on IPv6 +# networks. On the other hand, it may break some IPv4 servers. +# +# By default, EPSV may try EPSV with any FTP server. To fine tune +# that decision, you may restrict EPSV to certain clients or servers +# using ACLs: # +# ftp_epsv allow|deny al1 acl2 ... +# +# WARNING: Disabling EPSV may cause problems with external NAT and IPv6. +# +# Only fast ACLs are supported. # Requires ftp_passive to be ON (default) for any effect. #Default: -# ftp_epsv on +# none # TAG: ftp_eprt # FTP Protocol extensions permit the use of a special "EPRT" command. @@ -2889,22 +4366,16 @@ coredump_dir /var/spool/squid # unlinkd_program /usr/lib/squid/unlinkd # TAG: pinger_program -# Note: This option is only available if Squid is rebuilt with the -# --enable-icmp option -# # Specify the location of the executable for the pinger process. #Default: # pinger_program /usr/lib/squid/pinger # TAG: pinger_enable -# Note: This option is only available if Squid is rebuilt with the -# --enable-icmp option -# # Control whether the pinger is active at run-time. # Enables turning ICMP pinger on and off with a simple # squid -k reconfigure. #Default: -# pinger_enable off +# pinger_enable on # OPTIONS FOR URL REWRITING # ----------------------------------------------------------------------------- @@ -2915,68 +4386,137 @@ coredump_dir /var/spool/squid # # For each requested URL, the rewriter will receive on line with the format # -# URL client_ip "/" fqdn user method [ kvpairs] +# [channel-ID ] URL [ extras] +# +# See url_rewrite_extras on how to send "extras" with optional values to +# the helper. +# After processing the request the helper must reply using the following format: +# +# [channel-ID ] result [ kv-pairs] +# +# The result code can be: +# +# OK status=30N url="..." +# Redirect the URL to the one supplied in 'url='. +# 'status=' is optional and contains the status code to send +# the client in Squids HTTP response. It must be one of the +# HTTP redirect status codes: 301, 302, 303, 307, 308. +# When no status is given Squid will use 302. +# +# OK rewrite-url="..." +# Rewrite the URL to the one supplied in 'rewrite-url='. +# The new URL is fetched directly by Squid and returned to +# the client as the response to its request. # -# In the future, the rewriter interface will be extended with -# key=value pairs ("kvpairs" shown above). Rewriter programs -# should be prepared to receive and possibly ignore additional -# whitespace-separated tokens on each input line. +# OK +# When neither of url= and rewrite-url= are sent Squid does +# not change the URL. # -# And the rewriter may return a rewritten URL. The other components of -# the request line does not need to be returned (ignored if they are). +# ERR +# Do not change the URL. # -# The rewriter can also indicate that a client-side redirect should -# be performed to the new URL. This is done by prefixing the returned -# URL with "301:" (moved permanently) or 302: (moved temporarily), etc. +# BH +# An internal error occurred in the helper, preventing +# a result being identified. The 'message=' key name is +# reserved for delivering a log message. +# +# +# In addition to the above kv-pairs Squid also understands the following +# optional kv-pairs received from URL rewriters: +# clt_conn_tag=TAG +# Associates a TAG with the client TCP connection. +# The TAG is treated as a regular annotation but persists across +# future requests on the client connection rather than just the +# current request. A helper may update the TAG during subsequent +# requests be returning a new kv-pair. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# WARNING: URL re-writing ability should be avoided whenever possible. +# Use the URL redirect form of response instead. +# +# Re-write creates a difference in the state held by the client +# and server. Possibly causing confusion when the server response +# contains snippets of its view state. Embeded URLs, response +# and content Location headers, etc. are not re-written by this +# interface. # # By default, a URL rewriter is not used. #Default: # none # TAG: url_rewrite_children -# The number of redirector processes to spawn. If you start -# too few Squid will have to wait for them to process a backlog of -# URLs, slowing it down. If you start too many they will use RAM -# and other system resources. -#Default: -# url_rewrite_children 5 - -# TAG: url_rewrite_concurrency +# The maximum number of redirector processes to spawn. If you limit +# it too few Squid will have to wait for them to process a backlog of +# URLs, slowing it down. If you allow too many they will use RAM +# and other system resources noticably. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup= +# +# Sets a minimum of how many processes are to be spawned when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few will cause an initial slowdown in traffic as Squid +# attempts to simultaneously spawn enough processes to cope. +# +# idle= +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# # The number of requests each redirector helper can handle in # parallel. Defaults to 0 which indicates the redirector # is a old-style single threaded redirector. # # When this directive is set to a value >= 1 then the protocol # used to communicate with the helper is modified to include -# a request ID in front of the request/response. The request -# ID from the request must be echoed back with the response -# to that request. +# an ID in front of the request/response. The ID from the request +# must be echoed back with the response to that request. #Default: -# url_rewrite_concurrency 0 +# url_rewrite_children 20 startup=0 idle=1 concurrency=0 # TAG: url_rewrite_host_header -# By default Squid rewrites any Host: header in redirected -# requests. If you are running an accelerator this may -# not be a wanted effect of a redirector. -# +# To preserve same-origin security policies in browsers and +# prevent Host: header forgery by redirectors Squid rewrites +# any Host: header in redirected requests. +# +# If you are running an accelerator this may not be a wanted +# effect of a redirector. This directive enables you disable +# Host: alteration in reverse-proxy traffic. +# # WARNING: Entries are cached on the result of the URL rewriting # process, so be careful if you have domain-virtual hosts. +# +# WARNING: Squid and other software verifies the URL and Host +# are matching, so be careful not to relay through other proxies +# or inspecting firewalls with this disabled. #Default: # url_rewrite_host_header on # TAG: url_rewrite_access # If defined, this access list specifies which requests are -# sent to the redirector processes. By default all requests -# are sent. +# sent to the redirector processes. # # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: url_rewrite_bypass # When this is 'on', a request will not go through the -# redirector if all redirectors are busy. If this is 'off' +# redirector if all the helpers are busy. If this is 'off' # and the redirector queue grows too large, Squid will exit # with a FATAL error and ask you to increase the number of # redirectors. You should only enable this if the redirectors @@ -2987,23 +4527,231 @@ coredump_dir /var/spool/squid #Default: # url_rewrite_bypass off -# OPTIONS FOR TUNING THE CACHE +# TAG: url_rewrite_extras +# Specifies a string to be append to request line format for the +# rewriter helper. "Quoted" format values may contain spaces and +# logformat %macros. In theory, any logformat %macro can be used. +# In practice, a %macro expands as a dash (-) if the helper request is +# sent before the required macro information is available to Squid. +#Default: +# url_rewrite_extras "%>a/%>A %un %>rm myip=%la myport=%lp" + +# OPTIONS FOR STORE ID # ----------------------------------------------------------------------------- -# TAG: cache -# A list of ACL elements which, if matched and denied, cause the request to -# not be satisfied from the cache and the reply to not be cached. -# In other words, use this to force certain objects to never be cached. +# TAG: store_id_program +# Specify the location of the executable StoreID helper to use. +# Since they can perform almost any function there isn't one included. # -# You must use the words 'allow' or 'deny' to indicate whether items -# matching the ACL should be allowed or denied into the cache. +# For each requested URL, the helper will receive one line with the format # -# Default is to allow all to be cached. +# [channel-ID ] URL [ extras] +# +# +# After processing the request the helper must reply using the following format: +# +# [channel-ID ] result [ kv-pairs] +# +# The result code can be: +# +# OK store-id="..." +# Use the StoreID supplied in 'store-id='. +# +# ERR +# The default is to use HTTP request URL as the store ID. +# +# BH +# An internal error occured in the helper, preventing +# a result being identified. +# +# In addition to the above kv-pairs Squid also understands the following +# optional kv-pairs received from URL rewriters: +# clt_conn_tag=TAG +# Associates a TAG with the client TCP connection. +# Please see url_rewrite_program related documentation for this +# kv-pair +# +# Helper programs should be prepared to receive and possibly ignore +# additional whitespace-separated tokens on each input line. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# NOTE: when using StoreID refresh_pattern will apply to the StoreID +# returned from the helper and not the URL. +# +# WARNING: Wrong StoreID value returned by a careless helper may result +# in the wrong cached response returned to the user. +# +# By default, a StoreID helper is not used. +#Default: +# none + +# TAG: store_id_extras +# Specifies a string to be append to request line format for the +# StoreId helper. "Quoted" format values may contain spaces and +# logformat %macros. In theory, any logformat %macro can be used. +# In practice, a %macro expands as a dash (-) if the helper request is +# sent before the required macro information is available to Squid. +#Default: +# store_id_extras "%>a/%>A %un %>rm myip=%la myport=%lp" + +# TAG: store_id_children +# The maximum number of StoreID helper processes to spawn. If you limit +# it too few Squid will have to wait for them to process a backlog of +# requests, slowing it down. If you allow too many they will use RAM +# and other system resources noticably. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup= +# +# Sets a minimum of how many processes are to be spawned when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few will cause an initial slowdown in traffic as Squid +# attempts to simultaneously spawn enough processes to cope. +# +# idle= +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# +# The number of requests each storeID helper can handle in +# parallel. Defaults to 0 which indicates the helper +# is a old-style single threaded program. +# +# When this directive is set to a value >= 1 then the protocol +# used to communicate with the helper is modified to include +# an ID in front of the request/response. The ID from the request +# must be echoed back with the response to that request. +#Default: +# store_id_children 20 startup=0 idle=1 concurrency=0 + +# TAG: store_id_access +# If defined, this access list specifies which requests are +# sent to the StoreID processes. By default all requests +# are sent. # # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow, unless rules exist in squid.conf. + +# TAG: store_id_bypass +# When this is 'on', a request will not go through the +# helper if all helpers are busy. If this is 'off' +# and the helper queue grows too large, Squid will exit +# with a FATAL error and ask you to increase the number of +# helpers. You should only enable this if the helperss +# are not critical to your caching system. If you use +# helpers for critical caching components, and you enable this +# option, users may not get objects from cache. +#Default: +# store_id_bypass on + +# OPTIONS FOR TUNING THE CACHE +# ----------------------------------------------------------------------------- + +# TAG: cache +# Requests denied by this directive will not be served from the cache +# and their responses will not be stored in the cache. This directive +# has no effect on other transactions and on already cached responses. +# +# This clause supports both fast and slow acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# This and the two other similar caching directives listed below are +# checked at different transaction processing stages, have different +# access to response information, affect different cache operations, +# and differ in slow ACLs support: +# +# * cache: Checked before Squid makes a hit/miss determination. +# No access to reply information! +# Denies both serving a hit and storing a miss. +# Supports both fast and slow ACLs. +# * send_hit: Checked after a hit was detected. +# Has access to reply (hit) information. +# Denies serving a hit only. +# Supports fast ACLs only. +# * store_miss: Checked before storing a cachable miss. +# Has access to reply (miss) information. +# Denies storing a miss only. +# Supports fast ACLs only. +# +# If you are not sure which of the three directives to use, apply the +# following decision logic: +# +# * If your ACL(s) are of slow type _and_ need response info, redesign. +# Squid does not support that particular combination at this time. +# Otherwise: +# * If your directive ACL(s) are of slow type, use "cache"; and/or +# * if your directive ACL(s) need no response info, use "cache". +# Otherwise: +# * If you do not want the response cached, use store_miss; and/or +# * if you do not want a hit on a cached response, use send_hit. +#Default: +# By default, this directive is unused and has no effect. + +# TAG: send_hit +# Responses denied by this directive will not be served from the cache +# (but may still be cached, see store_miss). This directive has no +# effect on the responses it allows and on the cached objects. +# +# Please see the "cache" directive for a summary of differences among +# store_miss, send_hit, and cache directives. +# +# Unlike the "cache" directive, send_hit only supports fast acl +# types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# For example: +# +# # apply custom Store ID mapping to some URLs +# acl MapMe dstdomain .c.example.com +# store_id_program ... +# store_id_access allow MapMe +# +# # but prevent caching of special responses +# # such as 302 redirects that cause StoreID loops +# acl Ordinary http_status 200-299 +# store_miss deny MapMe !Ordinary +# +# # and do not serve any previously stored special responses +# # from the cache (in case they were already cached before +# # the above store_miss rule was in effect). +# send_hit deny MapMe !Ordinary +#Default: +# By default, this directive is unused and has no effect. + +# TAG: store_miss +# Responses denied by this directive will not be cached (but may still +# be served from the cache, see send_hit). This directive has no +# effect on the responses it allows and on the already cached responses. +# +# Please see the "cache" directive for a summary of differences among +# store_miss, send_hit, and cache directives. See the +# send_hit directive for a usage example. +# +# Unlike the "cache" directive, store_miss only supports fast acl +# types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# By default, this directive is unused and has no effect. + +# TAG: max_stale time-units +# This option puts an upper limit on how stale content Squid +# will serve from the cache if cache validation fails. +# Can be overriden by the refresh_pattern max-stale option. +#Default: +# max_stale 1 week # TAG: refresh_pattern # usage: refresh_pattern [-i] regex min percent max [options] @@ -3028,12 +4776,13 @@ coredump_dir /var/spool/squid # override-lastmod # reload-into-ims # ignore-reload -# ignore-no-cache # ignore-no-store # ignore-must-revalidate # ignore-private # ignore-auth +# max-stale=NN # refresh-ims +# store-stale # # override-expire enforces min age even if the server # sent an explicit expiry time (e.g., with the @@ -3049,22 +4798,18 @@ coredump_dir /var/spool/squid # override-lastmod enforces min age even on objects # that were modified recently. # -# reload-into-ims changes client no-cache or ``reload'' -# to If-Modified-Since requests. Doing this VIOLATES the -# HTTP standard. Enabling this feature could make you -# liable for problems which it causes. +# reload-into-ims changes a client no-cache or ``reload'' +# request for a cached entry into a conditional request using +# If-Modified-Since and/or If-None-Match headers, provided the +# cached entry has a Last-Modified and/or a strong ETag header. +# Doing this VIOLATES the HTTP standard. Enabling this feature +# could make you liable for problems which it causes. # # ignore-reload ignores a client no-cache or ``reload'' # header. Doing this VIOLATES the HTTP standard. Enabling # this feature could make you liable for problems which # it causes. # -# ignore-no-cache ignores any ``Pragma: no-cache'' and -# ``Cache-control: no-cache'' headers received from a server. -# The HTTP RFC never allows the use of this (Pragma) header -# from a server, only a client, though plenty of servers -# send it anyway. -# # ignore-no-store ignores any ``Cache-control: no-store'' # headers received from a server. Doing this VIOLATES # the HTTP standard. Enabling this feature could make you @@ -3091,9 +4836,19 @@ coredump_dir /var/spool/squid # ensures that the client will receive an updated version # if one is available. # +# store-stale stores responses even if they don't have explicit +# freshness or a validator (i.e., Last-Modified or an ETag) +# present, or if they're already stale. By default, Squid will +# not cache such responses because they usually can't be +# reused. Note that such responses will be stale by default. +# +# max-stale=NN provide a maximum staleness factor. Squid won't +# serve objects more stale than this even if it failed to +# validate the object. Default: use the max_stale global limit. +# # Basically a cached object is: # -# FRESH if expires < now, else STALE +# FRESH if expire > now, else STALE # STALE if age > max # FRESH if lm-factor < percent, else STALE # FRESH if age < min @@ -3109,7 +4864,9 @@ coredump_dir /var/spool/squid # # +# # Add any of your own refresh_pattern entries above these. +# refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 @@ -3137,7 +4894,7 @@ refresh_pattern . 0 20% 4320 # downloads. # # When the user aborts a request, Squid will check the -# quick_abort values to the amount of data transfered until +# quick_abort values to the amount of data transferred until # then. # # If the transfer has less than 'quick_abort_min' KB remaining, @@ -3195,44 +4952,68 @@ refresh_pattern . 0 20% 4320 #Default: # negative_dns_ttl 1 minutes -# TAG: range_offset_limit (bytes) -# Sets a upper limit on how far into the the file a Range request -# may be to cause Squid to prefetch the whole file. If beyond this -# limit Squid forwards the Range request as it is and the result -# is NOT cached. -# +# TAG: range_offset_limit size [acl acl...] +# usage: (size) [units] [[!]aclname] +# +# Sets an upper limit on how far (number of bytes) into the file +# a Range request may be to cause Squid to prefetch the whole file. +# If beyond this limit, Squid forwards the Range request as it is and +# the result is NOT cached. +# # This is to stop a far ahead range request (lets say start at 17MB) # from making Squid fetch the whole object up to that point before # sending anything to the client. -# -# A value of 0 causes Squid to never fetch more than the +# +# Multiple range_offset_limit lines may be specified, and they will +# be searched from top to bottom on each request until a match is found. +# The first match found will be used. If no line matches a request, the +# default limit of 0 bytes will be used. +# +# 'size' is the limit specified as a number of units. +# +# 'units' specifies whether to use bytes, KB, MB, etc. +# If no units are specified bytes are assumed. +# +# A size of 0 causes Squid to never fetch more than the # client requested. (default) -# -# A value of -1 causes Squid to always fetch the object from the +# +# A size of 'none' causes Squid to always fetch the object from the # beginning so it may cache the result. (2.0 style) -# -# NP: Using -1 here will override any quick_abort settings that may -# otherwise apply to the range request. The range request will +# +# 'aclname' is the name of a defined ACL. +# +# NP: Using 'none' as the byte value here will override any quick_abort settings +# that may otherwise apply to the range request. The range request will # be fully fetched from start to finish regardless of the client # actions. This affects bandwidth usage. #Default: -# range_offset_limit 0 KB +# none # TAG: minimum_expiry_time (seconds) # The minimum caching time according to (Expires - Date) -# Headers Squid honors if the object can't be revalidated -# defaults to 60 seconds. In reverse proxy environments it -# might be desirable to honor shorter object lifetimes. It -# is most likely better to make your server return a -# meaningful Last-Modified header however. In ESI environments -# where page fragments often have short lifetimes, this will -# often be best set to 0. +# headers Squid honors if the object can't be revalidated. +# The default is 60 seconds. +# +# In reverse proxy environments it might be desirable to honor +# shorter object lifetimes. It is most likely better to make +# your server return a meaningful Last-Modified header however. +# +# In ESI environments where page fragments often have short +# lifetimes, this will often be best set to 0. #Default: # minimum_expiry_time 60 seconds -# TAG: store_avg_object_size (kbytes) +# TAG: store_avg_object_size (bytes) # Average object size, used to estimate number of objects your # cache can hold. The default is 13 KB. +# +# This is used to pre-seed the cache index memory allocation to +# reduce expensive reallocate operations while handling clients +# traffic. Too-large values may result in memory allocation during +# peak traffic, too-small values will result in wasted memory. +# +# Check the cache manager 'info' report metrics for the real +# object sizes seen by your Squid before tuning this. #Default: # store_avg_object_size 13 KB @@ -3271,8 +5052,11 @@ refresh_pattern . 0 20% 4320 # than this limit receives an "Invalid Request" error message. # If you set this parameter to a zero (the default), there will # be no limit imposed. +# +# See also client_request_buffer_max_size for an alternative +# limitation on client uploads which can be configured. #Default: -# request_body_max_size 0 KB +# No limit. # TAG: client_request_buffer_max_size (bytes) # This specifies the maximum buffer size of a client request. @@ -3281,29 +5065,6 @@ refresh_pattern . 0 20% 4320 #Default: # client_request_buffer_max_size 512 KB -# TAG: chunked_request_body_max_size (bytes) -# A broken or confused HTTP/1.1 client may send a chunked HTTP -# request to Squid. Squid does not have full support for that -# feature yet. To cope with such requests, Squid buffers the -# entire request and then dechunks request body to create a -# plain HTTP/1.0 request with a known content length. The plain -# request is then used by the rest of Squid code as usual. -# -# The option value specifies the maximum size of the buffer used -# to hold the request before the conversion. If the chunked -# request size exceeds the specified limit, the conversion -# fails, and the client receives an "unsupported request" error, -# as if dechunking was disabled. -# -# Dechunking is enabled by default. To disable conversion of -# chunked requests, set the maximum to zero. -# -# Request dechunking feature and this option in particular are a -# temporary hack. When chunking requests and responses are fully -# supported, there will be no need to buffer a chunked request. -#Default: -# chunked_request_body_max_size 64 KB - # TAG: broken_posts # A list of ACL elements which, if matched, causes Squid to send # an extra CRLF pair after the body of a PUT/POST request. @@ -3325,15 +5086,15 @@ refresh_pattern . 0 20% 4320 # acl buggy_server url_regex ^http://.... # broken_posts allow buggy_server #Default: -# none +# Obey RFC 2616. -# TAG: icap_uses_indirect_client on|off +# TAG: adaptation_uses_indirect_client on|off # Controls whether the indirect client IP address (instead of the direct # client IP address) is passed to adaptation services. # # See also: follow_x_forwarded_for adaptation_send_client_ip #Default: -# icap_uses_indirect_client on +# adaptation_uses_indirect_client on # TAG: via on|off # If set (default), Squid will include a Via header in requests and @@ -3395,64 +5156,62 @@ refresh_pattern . 0 20% 4320 # # This option replaces the old 'anonymize_headers' and the # older 'http_anonymizer' option with something that is much -# more configurable. This new method creates a list of ACLs -# for each header, allowing you very fine-tuned header -# mangling. -# -# This option only applies to request headers, i.e., from the -# client to the server. -# -# You can only specify known headers for the header name. -# Other headers are reclassified as 'Other'. You can also -# refer to all the headers with 'All'. +# more configurable. A list of ACLs for each header name allows +# removal of specific header fields under specific conditions. +# +# This option only applies to outgoing HTTP request headers (i.e., +# headers sent by Squid to the next HTTP hop such as a cache peer +# or an origin server). The option has no effect during cache hit +# detection. The equivalent adaptation vectoring point in ICAP +# terminology is post-cache REQMOD. +# +# The option is applied to individual outgoing request header +# fields. For each request header field F, Squid uses the first +# qualifying sets of request_header_access rules: +# +# 1. Rules with header_name equal to F's name. +# 2. Rules with header_name 'Other', provided F's name is not +# on the hard-coded list of commonly used HTTP header names. +# 3. Rules with header_name 'All'. +# +# Within that qualifying rule set, rule ACLs are checked as usual. +# If ACLs of an "allow" rule match, the header field is allowed to +# go through as is. If ACLs of a "deny" rule match, the header is +# removed and request_header_replace is then checked to identify +# if the removed header has a replacement. If no rules within the +# set have matching ACLs, the header field is left as is. # # For example, to achieve the same behavior as the old # 'http_anonymizer standard' option, you should use: # # request_header_access From deny all # request_header_access Referer deny all -# request_header_access Server deny all # request_header_access User-Agent deny all -# request_header_access WWW-Authenticate deny all -# request_header_access Link deny all # # Or, to reproduce the old 'http_anonymizer paranoid' feature # you should use: # -# request_header_access Allow allow all # request_header_access Authorization allow all -# request_header_access WWW-Authenticate allow all # request_header_access Proxy-Authorization allow all -# request_header_access Proxy-Authenticate allow all # request_header_access Cache-Control allow all -# request_header_access Content-Encoding allow all # request_header_access Content-Length allow all # request_header_access Content-Type allow all # request_header_access Date allow all -# request_header_access Expires allow all # request_header_access Host allow all # request_header_access If-Modified-Since allow all -# request_header_access Last-Modified allow all -# request_header_access Location allow all # request_header_access Pragma allow all # request_header_access Accept allow all # request_header_access Accept-Charset allow all # request_header_access Accept-Encoding allow all # request_header_access Accept-Language allow all -# request_header_access Content-Language allow all -# request_header_access Mime-Version allow all -# request_header_access Retry-After allow all -# request_header_access Title allow all # request_header_access Connection allow all # request_header_access All deny all # -# although many of those are HTTP reply headers, and so should be -# controlled with the reply_header_access directive. +# HTTP reply headers are controlled with the reply_header_access directive. # -# By default, all headers are allowed (no anonymizing is -# performed). +# By default, all headers are allowed (no anonymizing is performed). #Default: -# none +# No limits. # TAG: reply_header_access # Usage: reply_header_access header_name allow|deny [!]aclname ... @@ -3465,25 +5224,13 @@ refresh_pattern . 0 20% 4320 # server to the client. # # This is the same as request_header_access, but in the other -# direction. -# -# This option replaces the old 'anonymize_headers' and the -# older 'http_anonymizer' option with something that is much -# more configurable. This new method creates a list of ACLs -# for each header, allowing you very fine-tuned header -# mangling. -# -# You can only specify known headers for the header name. -# Other headers are reclassified as 'Other'. You can also -# refer to all the headers with 'All'. +# direction. Please see request_header_access for detailed +# documentation. # # For example, to achieve the same behavior as the old # 'http_anonymizer standard' option, you should use: # -# reply_header_access From deny all -# reply_header_access Referer deny all # reply_header_access Server deny all -# reply_header_access User-Agent deny all # reply_header_access WWW-Authenticate deny all # reply_header_access Link deny all # @@ -3491,9 +5238,7 @@ refresh_pattern . 0 20% 4320 # you should use: # # reply_header_access Allow allow all -# reply_header_access Authorization allow all # reply_header_access WWW-Authenticate allow all -# reply_header_access Proxy-Authorization allow all # reply_header_access Proxy-Authenticate allow all # reply_header_access Cache-Control allow all # reply_header_access Content-Encoding allow all @@ -3501,29 +5246,22 @@ refresh_pattern . 0 20% 4320 # reply_header_access Content-Type allow all # reply_header_access Date allow all # reply_header_access Expires allow all -# reply_header_access Host allow all -# reply_header_access If-Modified-Since allow all # reply_header_access Last-Modified allow all # reply_header_access Location allow all # reply_header_access Pragma allow all -# reply_header_access Accept allow all -# reply_header_access Accept-Charset allow all -# reply_header_access Accept-Encoding allow all -# reply_header_access Accept-Language allow all # reply_header_access Content-Language allow all -# reply_header_access Mime-Version allow all # reply_header_access Retry-After allow all # reply_header_access Title allow all +# reply_header_access Content-Disposition allow all # reply_header_access Connection allow all # reply_header_access All deny all # -# although the HTTP request headers won't be usefully controlled -# by this directive -- see request_header_access for details. +# HTTP request headers are controlled with the request_header_access directive. # # By default, all headers are allowed (no anonymizing is # performed). #Default: -# none +# No limits. # TAG: request_header_replace # Usage: request_header_replace header_name message @@ -3531,8 +5269,7 @@ refresh_pattern . 0 20% 4320 # # This option allows you to change the contents of headers # denied with request_header_access above, by replacing them -# with some fixed string. This replaces the old fake_user_agent -# option. +# with some fixed string. # # This only applies to request headers, not reply headers. # @@ -3554,6 +5291,57 @@ refresh_pattern . 0 20% 4320 #Default: # none +# TAG: request_header_add +# Usage: request_header_add field-name field-value acl1 [acl2] ... +# Example: request_header_add X-Client-CA "CA=%ssl::>cert_issuer" all +# +# This option adds header fields to outgoing HTTP requests (i.e., +# request headers sent by Squid to the next HTTP hop such as a +# cache peer or an origin server). The option has no effect during +# cache hit detection. The equivalent adaptation vectoring point +# in ICAP terminology is post-cache REQMOD. +# +# Field-name is a token specifying an HTTP header name. If a +# standard HTTP header name is used, Squid does not check whether +# the new header conflicts with any existing headers or violates +# HTTP rules. If the request to be modified already contains a +# field with the same name, the old field is preserved but the +# header field values are not merged. +# +# Field-value is either a token or a quoted string. If quoted +# string format is used, then the surrounding quotes are removed +# while escape sequences and %macros are processed. +# +# In theory, all of the logformat codes can be used as %macros. +# However, unlike logging (which happens at the very end of +# transaction lifetime), the transaction may not yet have enough +# information to expand a macro when the new header value is needed. +# And some information may already be available to Squid but not yet +# committed where the macro expansion code can access it (report +# such instances!). The macro will be expanded into a single dash +# ('-') in such cases. Not all macros have been tested. +# +# One or more Squid ACLs may be specified to restrict header +# injection to matching requests. As always in squid.conf, all +# ACLs in an option ACL list must be satisfied for the insertion +# to happen. The request_header_add option supports fast ACLs +# only. +#Default: +# none + +# TAG: note +# This option used to log custom information about the master +# transaction. For example, an admin may configure Squid to log +# which "user group" the transaction belongs to, where "user group" +# will be determined based on a set of ACLs and not [just] +# authentication information. +# Values of key/value pairs can be logged using %{key}note macros: +# +# note key value acl ... +# logformat myFormat ... %{key}note ... +#Default: +# none + # TAG: relaxed_header_parser on|off|warn # In the default "on" setting Squid accepts certain forms # of non-compliant HTTP messages where it is unambiguous @@ -3569,15 +5357,32 @@ refresh_pattern . 0 20% 4320 #Default: # relaxed_header_parser on -# TAG: ignore_expect_100 on|off -# This option makes Squid ignore any Expect: 100-continue header present -# in the request. RFC 2616 requires that Squid being unable to satisfy -# the response expectation MUST return a 417 error. -# -# Note: Enabling this is a HTTP protocol violation, but some clients may -# not handle it well.. -#Default: -# ignore_expect_100 off +# TAG: collapsed_forwarding (on|off) +# When enabled, instead of forwarding each concurrent request for +# the same URL, Squid just sends the first of them. The other, so +# called "collapsed" requests, wait for the response to the first +# request and, if it happens to be cachable, use that response. +# Here, "concurrent requests" means "received after the first +# request headers were parsed and before the corresponding response +# headers were parsed". +# +# This feature is disabled by default: enabling collapsed +# forwarding needlessly delays forwarding requests that look +# cachable (when they are collapsed) but then need to be forwarded +# individually anyway because they end up being for uncachable +# content. However, in some cases, such as acceleration of highly +# cachable content with periodic or grouped expiration times, the +# gains from collapsing [large volumes of simultaneous refresh +# requests] outweigh losses from such delays. +# +# Squid collapses two kinds of requests: regular client requests +# received on one of the listening ports and internal "cache +# revalidation" requests which are triggered by those regular +# requests hitting a stale cached object. Revalidation collapsing +# is currently disabled for Squid instances containing SMP-aware +# disk or memory caches and for Vary-controlled cached objects. +#Default: +# collapsed_forwarding off # TIMEOUTS # ----------------------------------------------------------------------------- @@ -3604,25 +5409,46 @@ refresh_pattern . 0 20% 4320 # peer_connect_timeout 30 seconds # TAG: read_timeout time-units -# The read_timeout is applied on server-side connections. After -# each successful read(), the timeout will be extended by this +# Applied on peer server connections. +# +# After each successful read(), the timeout will be extended by this # amount. If no data is read again after this amount of time, -# the request is aborted and logged with ERR_READ_TIMEOUT. The -# default is 15 minutes. +# the request is aborted and logged with ERR_READ_TIMEOUT. +# +# The default is 15 minutes. #Default: # read_timeout 15 minutes +# TAG: write_timeout time-units +# This timeout is tracked for all connections that have data +# available for writing and are waiting for the socket to become +# ready. After each successful write, the timeout is extended by +# the configured amount. If Squid has data to write but the +# connection is not ready for the configured duration, the +# transaction associated with the connection is terminated. The +# default is 15 minutes. +#Default: +# write_timeout 15 minutes + # TAG: request_timeout # How long to wait for complete HTTP request headers after initial # connection establishment. #Default: # request_timeout 5 minutes -# TAG: persistent_request_timeout +# TAG: client_idle_pconn_timeout # How long to wait for the next HTTP request on a persistent -# connection after the previous request completes. +# client connection after the previous request completes. +#Default: +# client_idle_pconn_timeout 2 minutes + +# TAG: ftp_client_idle_timeout +# How long to wait for an FTP request on a connection to Squid ftp_port. +# Many FTP clients do not deal with idle connection closures well, +# necessitating a longer default timeout than client_idle_pconn_timeout +# used for incoming HTTP requests. #Default: -# persistent_request_timeout 2 minutes +# ftp_client_idle_timeout 30 minutes # TAG: client_lifetime time-units # The maximum amount of time a client (browser) is allowed to @@ -3658,11 +5484,11 @@ refresh_pattern . 0 20% 4320 #Default: # half_closed_clients off -# TAG: pconn_timeout +# TAG: server_idle_pconn_timeout # Timeout for idle persistent connections to servers and other # proxies. #Default: -# pconn_timeout 1 minute +# server_idle_pconn_timeout 1 minute # TAG: ident_timeout # Maximum time to wait for IDENT lookups to complete. @@ -3687,15 +5513,15 @@ refresh_pattern . 0 20% 4320 # TAG: cache_mgr # Email-address of local cache manager who will receive -# mail if the cache dies. The default is "webmaster." +# mail if the cache dies. The default is "webmaster". #Default: # cache_mgr webmaster # TAG: mail_from # From: email-address for mail sent when the cache dies. -# The default is to use 'appname@unique_hostname'. -# Default appname value is "squid", can be changed into -# src/globals.h before building squid. +# The default is to use 'squid@unique_hostname'. +# +# See also: unique_hostname directive. #Default: # none @@ -3734,7 +5560,7 @@ refresh_pattern . 0 20% 4320 # Our preference is for administrators to configure a secure # user account for squid with UID/GID matching system policies. #Default: -# none +# Use system group memberships of the cache_effective_user account # TAG: httpd_suppress_version_string on|off # Suppress Squid version string info in HTTP headers and HTML error pages. @@ -3748,14 +5574,14 @@ refresh_pattern . 0 20% 4320 # get errors about IP-forwarding you must set them to have individual # names with this setting. #Default: -# visible_hostname localhost +# Automatically detect the system host name # TAG: unique_hostname # If you want to have multiple machines with the same # 'visible_hostname' you must give each machine a different # 'unique_hostname' so forwarding loops can be detected. #Default: -# none +# Copy the value from visible_hostname # TAG: hostname_aliases # A list of other DNS names your cache has. @@ -3794,33 +5620,32 @@ refresh_pattern . 0 20% 4320 # available on the Web at http://www.ircache.net/Cache/Tracker/. # TAG: announce_period -# This is how frequently to send cache announcements. The -# default is `0' which disables sending the announcement -# messages. +# This is how frequently to send cache announcements. # # To enable announcing your cache, just set an announce period. # # Example: # announce_period 1 day #Default: -# announce_period 0 +# Announcement messages disabled. # TAG: announce_host +# Set the hostname where announce registration messages will be sent. +# +# See also announce_port and announce_file #Default: # announce_host tracker.ircache.net # TAG: announce_file +# The contents of this file will be included in the announce +# registration messages. #Default: # none # TAG: announce_port -# announce_host and announce_port set the hostname and port -# number where the registration message will be sent. +# Set the port where announce registration messages will be sent. # -# Hostname will default to 'tracker.ircache.net' and port will -# default default to 3131. If the 'filename' argument is given, -# the contents of that file will be included in the announce -# message. +# See also announce_host and announce_file #Default: # announce_port 3131 @@ -3833,10 +5658,12 @@ refresh_pattern . 0 20% 4320 # a farm of surrogates may all perform the same tasks, they may share # an identification token. #Default: -# httpd_accel_surrogate_id unset-id +# visible_hostname is used if no specific ID is set. # TAG: http_accel_surrogate_remote on|off -# Remote surrogates (such as those in a CDN) honour Surrogate-Control: no-store-remote. +# Remote surrogates (such as those in a CDN) honour the header +# "Surrogate-Control: no-store-remote". +# # Set this to on to have squid behave as a remote surrogate. #Default: # http_accel_surrogate_remote off @@ -3855,6 +5682,9 @@ refresh_pattern . 0 20% 4320 # This represents the number of delay pools to be used. For example, # if you have one class 2 delay pool and one class 3 delays pool, you # have a total of 2 delay pools. +# +# See also delay_parameters, delay_class, delay_access for pool +# configuration details. #Default: # delay_pools 0 @@ -3907,6 +5737,11 @@ refresh_pattern . 0 20% 4320 # # NOTE-2: Due to the use of bitmasks in class 2,3,4 pools they only apply to # IPv4 traffic. Class 1 and 5 pools may be used with IPv6 traffic. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# See also delay_parameters and delay_access. #Default: # none @@ -3921,14 +5756,16 @@ refresh_pattern . 0 20% 4320 # For example, if you want some_big_clients in delay # pool 1 and lotsa_little_clients in delay pool 2: # -#Example: -# delay_access 1 allow some_big_clients -# delay_access 1 deny all -# delay_access 2 allow lotsa_little_clients -# delay_access 2 deny all -# delay_access 3 allow authenticated_clients +# delay_access 1 allow some_big_clients +# delay_access 1 deny all +# delay_access 2 allow lotsa_little_clients +# delay_access 2 deny all +# delay_access 3 allow authenticated_clients +# +# See also delay_parameters and delay_class. +# #Default: -# none +# Deny using the pool, unless allow rules exist in squid.conf for the pool. # TAG: delay_parameters # This defines the parameters for a delay pool. Each delay pool has @@ -3936,23 +5773,23 @@ refresh_pattern . 0 20% 4320 # description of delay_class. # # For a class 1 delay pool, the syntax is: -# delay_pools pool 1 +# delay_class pool 1 # delay_parameters pool aggregate # # For a class 2 delay pool: -# delay_pools pool 2 +# delay_class pool 2 # delay_parameters pool aggregate individual # # For a class 3 delay pool: -# delay_pools pool 3 +# delay_class pool 3 # delay_parameters pool aggregate network individual # # For a class 4 delay pool: -# delay_pools pool 4 +# delay_class pool 4 # delay_parameters pool aggregate network individual user # # For a class 5 delay pool: -# delay_pools pool 5 +# delay_class pool 5 # delay_parameters pool tagrate # # The option variables are: @@ -3988,11 +5825,11 @@ refresh_pattern . 0 20% 4320 # above example, and is being used to strictly limit each host to 64Kbit/sec # (plus overheads), with no overall limit, the line is: # -# delay_parameters 1 -1/-1 8000/8000 +# delay_parameters 1 none 8000/8000 # -# Note that 8 x 8000 KByte/sec -> 64Kbit/sec. +# Note that 8 x 8K Byte/sec -> 64K bit/sec. # -# Note that the figure -1 is used to represent "unlimited". +# Note that the word 'none' is used to represent no limit. # # # And, if delay pool number 2 is a class 3 delay pool as in the above @@ -4005,15 +5842,19 @@ refresh_pattern . 0 20% 4320 # # delay_parameters 2 32000/32000 8000/8000 600/8000 # -# Note that 8 x 32000 KByte/sec -> 256Kbit/sec. -# 8 x 8000 KByte/sec -> 64Kbit/sec. -# 8 x 600 Byte/sec -> 4800bit/sec. +# Note that 8 x 32K Byte/sec -> 256K bit/sec. +# 8 x 8K Byte/sec -> 64K bit/sec. +# 8 x 600 Byte/sec -> 4800 bit/sec. # # # Finally, for a class 4 delay pool as in the example - each user will # be limited to 128Kbits/sec no matter how many workstations they are logged into.: # # delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000 +# +# +# See also delay_class and delay_access. +# #Default: # none @@ -4026,6 +5867,94 @@ refresh_pattern . 0 20% 4320 #Default: # delay_initial_bucket_level 50 +# CLIENT DELAY POOL PARAMETERS +# ----------------------------------------------------------------------------- + +# TAG: client_delay_pools +# This option specifies the number of client delay pools used. It must +# preceed other client_delay_* options. +# +# Example: +# client_delay_pools 2 +# +# See also client_delay_parameters and client_delay_access. +#Default: +# client_delay_pools 0 + +# TAG: client_delay_initial_bucket_level (percent, 0-no_limit) +# This option determines the initial bucket size as a percentage of +# max_bucket_size from client_delay_parameters. Buckets are created +# at the time of the "first" connection from the matching IP. Idle +# buckets are periodically deleted up. +# +# You can specify more than 100 percent but note that such "oversized" +# buckets are not refilled until their size goes down to max_bucket_size +# from client_delay_parameters. +# +# Example: +# client_delay_initial_bucket_level 50 +#Default: +# client_delay_initial_bucket_level 50 + +# TAG: client_delay_parameters +# +# This option configures client-side bandwidth limits using the +# following format: +# +# client_delay_parameters pool speed_limit max_bucket_size +# +# pool is an integer ID used for client_delay_access matching. +# +# speed_limit is bytes added to the bucket per second. +# +# max_bucket_size is the maximum size of a bucket, enforced after any +# speed_limit additions. +# +# Please see the delay_parameters option for more information and +# examples. +# +# Example: +# client_delay_parameters 1 1024 2048 +# client_delay_parameters 2 51200 16384 +# +# See also client_delay_access. +# +#Default: +# none + +# TAG: client_delay_access +# This option determines the client-side delay pool for the +# request: +# +# client_delay_access pool_ID allow|deny acl_name +# +# All client_delay_access options are checked in their pool ID +# order, starting with pool 1. The first checked pool with allowed +# request is selected for the request. If no ACL matches or there +# are no client_delay_access options, the request bandwidth is not +# limited. +# +# The ACL-selected pool is then used to find the +# client_delay_parameters for the request. Client-side pools are +# not used to aggregate clients. Clients are always aggregated +# based on their source IP addresses (one bucket per source IP). +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# Additionally, only the client TCP connection details are available. +# ACLs testing HTTP properties will not work. +# +# Please see delay_access for more examples. +# +# Example: +# client_delay_access 1 allow low_rate_network +# client_delay_access 2 allow vips_network +# +# +# See also client_delay_parameters and client_delay_pools. +#Default: +# Deny use of the pool, unless allow rules exist in squid.conf for the pool. + # WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS # ----------------------------------------------------------------------------- @@ -4040,7 +5969,7 @@ refresh_pattern . 0 20% 4320 # only one of the two may be used at the same time and defines # which version of WCCP to use. #Default: -# wccp_router any_addr +# WCCP disabled. # TAG: wccp2_router # Use this option to define your WCCP ``home'' router for @@ -4053,7 +5982,7 @@ refresh_pattern . 0 20% 4320 # only one of the two may be used at the same time and defines # which version of WCCP to use. #Default: -# none +# WCCPv2 disabled. # TAG: wccp_version # This directive is only relevant if you need to set up WCCP(v1) @@ -4110,7 +6039,7 @@ refresh_pattern . 0 20% 4320 # Valid values are as follows: # # hash - Hash assignment -# mask - Mask assignment +# mask - Mask assignment # # As a general rule, cisco routers support the hash assignment method # and cisco switches support the mask assignment method. @@ -4138,7 +6067,7 @@ refresh_pattern . 0 20% 4320 # # fleshed out with subsequent options. # wccp2_service standard 0 password=foo #Default: -# wccp2_service standard 0 +# Use the 'web-cache' standard service. # TAG: wccp2_service_info # Dynamic WCCPv2 services require further information to define the @@ -4175,8 +6104,12 @@ refresh_pattern . 0 20% 4320 # wccp2_weight 10000 # TAG: wccp_address +# Use this option if you require WCCPv2 to use a specific +# interface address. +# +# The default behavior is to not bind to any specific address. #Default: -# wccp_address 0.0.0.0 +# Address selected by the operating system. # TAG: wccp2_address # Use this option if you require WCCP to use a specific @@ -4184,7 +6117,7 @@ refresh_pattern . 0 20% 4320 # # The default behavior is to not bind to any specific address. #Default: -# wccp2_address 0.0.0.0 +# Address selected by the operating system. # PERSISTENT CONNECTION HANDLING # ----------------------------------------------------------------------------- @@ -4192,14 +6125,16 @@ refresh_pattern . 0 20% 4320 # Also see "pconn_timeout" in the TIMEOUTS section # TAG: client_persistent_connections +# Persistent connection support for clients. +# Squid uses persistent connections (when allowed). You can use +# this option to disable persistent connections with clients. #Default: # client_persistent_connections on # TAG: server_persistent_connections -# Persistent connection support for clients and servers. By -# default, Squid uses persistent connections (when allowed) -# with its clients and servers. You can use these options to -# disable persistent connections with clients and/or servers. +# Persistent connection support for servers. +# Squid uses persistent connections (when allowed). You can use +# this option to disable persistent connections with servers. #Default: # server_persistent_connections on @@ -4275,7 +6210,7 @@ refresh_pattern . 0 20% 4320 # Example: # snmp_port 3401 #Default: -# snmp_port 0 +# SNMP disabled. # TAG: snmp_access # Allowing or denying access to the SNMP port. @@ -4287,26 +6222,29 @@ refresh_pattern . 0 20% 4320 # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# #Example: # snmp_access allow snmppublic localhost # snmp_access deny all #Default: -# snmp_access deny all +# Deny, unless rules exist in squid.conf. # TAG: snmp_incoming_address -#Default: -# snmp_incoming_address any_addr - -# TAG: snmp_outgoing_address # Just like 'udp_incoming_address', but for the SNMP port. # # snmp_incoming_address is used for the SNMP socket receiving # messages from SNMP agents. -# snmp_outgoing_address is used for SNMP packets returned to SNMP -# agents. # # The default snmp_incoming_address is to listen on all # available network interfaces. +#Default: +# Accept SNMP packets from all machine interfaces. + +# TAG: snmp_outgoing_address +# Just like 'udp_outgoing_address', but for the SNMP port. +# +# snmp_outgoing_address is used for SNMP packets returned to SNMP +# agents. # # If snmp_outgoing_address is not set it will use the same socket # as snmp_incoming_address. Only change this if you want to have @@ -4314,9 +6252,9 @@ refresh_pattern . 0 20% 4320 # listens for SNMP queries. # # NOTE, snmp_incoming_address and snmp_outgoing_address can not have -# the same value since they both use port 3401. +# the same value since they both use the same port. #Default: -# snmp_outgoing_address no_addr +# Use snmp_incoming_address or an address selected by the operating system. # ICP OPTIONS # ----------------------------------------------------------------------------- @@ -4324,22 +6262,21 @@ refresh_pattern . 0 20% 4320 # TAG: icp_port # The port number where Squid sends and receives ICP queries to # and from neighbor caches. The standard UDP port for ICP is 3130. -# Default is disabled (0). # # Example: # icp_port 3130 #Default: -# icp_port 0 +# ICP disabled. # TAG: htcp_port # The port number where Squid sends and receives HTCP queries to # and from neighbor caches. To turn it on you want to set it to -# 4827. By default it is set to "0" (disabled). +# 4827. # # Example: # htcp_port 4827 #Default: -# htcp_port 0 +# HTCP disabled. # TAG: log_icp_queries on|off # If set, ICP queries are logged to access.log. You may wish @@ -4365,7 +6302,7 @@ refresh_pattern . 0 20% 4320 # NOTE, udp_incoming_address and udp_outgoing_address can not # have the same value since they both use the same port. #Default: -# udp_incoming_address any_addr +# Accept packets from all machine interfaces. # TAG: udp_outgoing_address # udp_outgoing_address is used for UDP packets sent out to other @@ -4386,7 +6323,7 @@ refresh_pattern . 0 20% 4320 # NOTE, udp_incoming_address and udp_outgoing_address can not # have the same value since they both use the same port. #Default: -# udp_outgoing_address no_addr +# Use udp_incoming_address or an address selected by the operating system. # TAG: icp_hit_stale on|off # If you want to return ICP_HIT for stale cache objects, set this @@ -4405,21 +6342,33 @@ refresh_pattern . 0 20% 4320 #Default: # minimum_direct_hops 4 -# TAG: minimum_direct_rtt +# TAG: minimum_direct_rtt (msec) # If using the ICMP pinging stuff, do direct fetches for sites # which are no more than this many rtt milliseconds away. #Default: # minimum_direct_rtt 400 # TAG: netdb_low +# The low water mark for the ICMP measurement database. +# +# Note: high watermark controlled by netdb_high directive. +# +# These watermarks are counts, not percents. The defaults are +# (low) 900 and (high) 1000. When the high water mark is +# reached, database entries will be deleted until the low +# mark is reached. #Default: # netdb_low 900 # TAG: netdb_high -# The low and high water marks for the ICMP measurement -# database. These are counts, not percents. The defaults are -# 900 and 1000. When the high water mark is reached, database -# entries will be deleted until the low mark is reached. +# The high water mark for the ICMP measurement database. +# +# Note: low watermark controlled by netdb_low directive. +# +# These watermarks are counts, not percents. The defaults are +# (low) 900 and (high) 1000. When the high water mark is +# reached, database entries will be deleted until the low +# mark is reached. #Default: # netdb_high 1000 @@ -4462,7 +6411,7 @@ refresh_pattern . 0 20% 4320 # # icp_query_timeout 2000 #Default: -# icp_query_timeout 0 +# Dynamic detection. # TAG: maximum_icp_query_timeout (msec) # Normally the ICP query timeout is determined dynamically. But @@ -4528,7 +6477,7 @@ refresh_pattern . 0 20% 4320 # Do not enable this option unless you are are absolutely # certain you understand what you are doing. #Default: -# mcast_miss_addr no_addr +# disabled. # TAG: mcast_miss_ttl # Note: This option is only available if Squid is rebuilt with the @@ -4618,7 +6567,7 @@ refresh_pattern . 0 20% 4320 # The squid developers working on translations are happy to supply drop-in # translated error files in exchange for any new language contributions. #Default: -# none +# Send error pages in the clients preferred language # TAG: error_default_language # Set the default language which squid will send error pages in @@ -4632,7 +6581,7 @@ refresh_pattern . 0 20% 4320 # translations for any language see the squid wiki for details. # http://wiki.squid-cache.org/Translations #Default: -# none +# Generate English language pages. # TAG: error_log_languages # Log to cache.log what languages users are attempting to @@ -4687,17 +6636,47 @@ refresh_pattern . 0 20% 4320 # the first authentication related acl encountered # - When none of the http_access lines matches. It's then the last # acl processed on the last http_access line. +# - When the decision to deny access was made by an adaptation service, +# the acl name is the corresponding eCAP or ICAP service_name. # # NP: If providing your own custom error pages with error_directory # you may also specify them by your custom file name: # Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys # -# Alternatively you can specify an error URL. The browsers will -# get redirected (302 or 307) to the specified URL. %s in the redirection -# URL will be replaced by the requested URL. +# By defaut Squid will send "403 Forbidden". A different 4xx or 5xx +# may be specified by prefixing the file name with the code and a colon. +# e.g. 404:ERR_CUSTOM_ACCESS_DENIED # # Alternatively you can tell Squid to reset the TCP connection # by specifying TCP_RESET. +# +# Or you can specify an error URL or URL pattern. The browsers will +# get redirected to the specified URL after formatting tags have +# been replaced. Redirect will be done with 302 or 307 according to +# HTTP/1.1 specs. A different 3xx code may be specified by prefixing +# the URL. e.g. 303:http://example.com/ +# +# URL FORMAT TAGS: +# %a - username (if available. Password NOT included) +# %B - FTP path URL +# %e - Error number +# %E - Error description +# %h - Squid hostname +# %H - Request domain name +# %i - Client IP Address +# %M - Request Method +# %o - Message result from external ACL helper +# %p - Request Port number +# %P - Request Protocol name +# %R - Request URL path +# %T - Timestamp in RFC 1123 format +# %U - Full canonical URL from client +# (HTTPS URLs terminate with *) +# %u - Full canonical URL from client +# %w - Admin email from squid.conf +# %x - Error name +# %% - Literal percent (%) code +# #Default: # none @@ -4706,18 +6685,18 @@ refresh_pattern . 0 20% 4320 # TAG: nonhierarchical_direct # By default, Squid will send any non-hierarchical requests -# (matching hierarchy_stoplist or not cacheable request type) direct -# to origin servers. +# (not cacheable request type) direct to origin servers. # -# If you set this to off, Squid will prefer to send these +# When this is set to "off", Squid will prefer to send these # requests to parents. # # Note that in most configurations, by turning this off you will only # add latency to these request without any improvement in global hit # ratio. # -# If you are inside an firewall see never_direct instead of -# this directive. +# This option only sets a preference. If the parent is unavailable a +# direct connection to the origin server may still be attempted. To +# completely prevent direct connections use never_direct. #Default: # nonhierarchical_direct on @@ -4736,6 +6715,29 @@ refresh_pattern . 0 20% 4320 #Default: # prefer_direct off +# TAG: cache_miss_revalidate on|off +# RFC 7232 defines a conditional request mechanism to prevent +# response objects being unnecessarily transferred over the network. +# If that mechanism is used by the client and a cache MISS occurs +# it can prevent new cache entries being created. +# +# This option determines whether Squid on cache MISS will pass the +# client revalidation request to the server or tries to fetch new +# content for caching. It can be useful while the cache is mostly +# empty to more quickly have the cache populated by generating +# non-conditional GETs. +# +# When set to 'on' (default), Squid will pass all client If-* headers +# to the server. This permits server responses without a cacheable +# payload to be delivered and on MISS no new cache entry is created. +# +# When set to 'off' and if the request is cacheable, Squid will +# remove the clients If-Modified-Since and If-None-Match headers from +# the request sent to the server. This requests a 200 status response +# from the server to create a new cache entry with. +#Default: +# cache_miss_revalidate on + # TAG: always_direct # Usage: always_direct allow|deny [!]aclname ... # @@ -4776,7 +6778,7 @@ refresh_pattern . 0 20% 4320 # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Prevent any cache_peer being used for this request. # TAG: never_direct # Usage: never_direct allow|deny [!]aclname ... @@ -4805,37 +6807,52 @@ refresh_pattern . 0 20% 4320 # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow DNS results to be used for this request. # ADVANCED NETWORKING OPTIONS # ----------------------------------------------------------------------------- -# TAG: incoming_icp_average +# TAG: incoming_udp_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: -# incoming_icp_average 6 +# incoming_udp_average 6 -# TAG: incoming_http_average +# TAG: incoming_tcp_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: -# incoming_http_average 4 +# incoming_tcp_average 4 # TAG: incoming_dns_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: # incoming_dns_average 4 -# TAG: min_icp_poll_cnt +# TAG: min_udp_poll_cnt +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: -# min_icp_poll_cnt 8 +# min_udp_poll_cnt 8 # TAG: min_dns_poll_cnt +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: # min_dns_poll_cnt 8 -# TAG: min_http_poll_cnt +# TAG: min_tcp_poll_cnt # Heavy voodoo here. I can't even believe you are reading this. # Are you crazy? Don't even think about adjusting these unless # you understand the algorithms in comm_select.c first! #Default: -# min_http_poll_cnt 8 +# min_tcp_poll_cnt 8 # TAG: accept_filter # FreeBSD: @@ -4880,14 +6897,14 @@ refresh_pattern . 0 20% 4320 # WARNING: This may noticably slow down traffic received via external proxies # or NAT devices and cause them to rebound error messages back to their clients. #Default: -# client_ip_max_connections -1 +# No limit. # TAG: tcp_recv_bufsize (bytes) # Size of receive buffer to set for TCP sockets. Probably just -# as easy to change your kernel's default. Set to zero to use -# the default buffer size. +# as easy to change your kernel's default. +# Omit from squid.conf to use the default buffer size. #Default: -# tcp_recv_bufsize 0 bytes +# Use operating system TCP defaults. # ICAP OPTIONS # ----------------------------------------------------------------------------- @@ -4913,22 +6930,36 @@ refresh_pattern . 0 20% 4320 # an established, active ICAP connection before giving up and # either terminating the HTTP transaction or bypassing the # failure. -# -# The default is read_timeout. #Default: -# none +# Use read_timeout. -# TAG: icap_service_failure_limit +# TAG: icap_service_failure_limit limit [in memory-depth time-units] # The limit specifies the number of failures that Squid tolerates # when establishing a new TCP connection with an ICAP service. If # the number of failures exceeds the limit, the ICAP service is # not used for new ICAP requests until it is time to refresh its -# OPTIONS. The per-service failure counter is reset to zero each -# time Squid fetches new service OPTIONS. +# OPTIONS. # # A negative value disables the limit. Without the limit, an ICAP # service will not be considered down due to connectivity failures # between ICAP OPTIONS requests. +# +# Squid forgets ICAP service failures older than the specified +# value of memory-depth. The memory fading algorithm +# is approximate because Squid does not remember individual +# errors but groups them instead, splitting the option +# value into ten time slots of equal length. +# +# When memory-depth is 0 and by default this option has no +# effect on service failure expiration. +# +# Squid always forgets failures when updating service settings +# using an ICAP OPTIONS transaction, regardless of this option +# setting. +# +# For example, +# # suspend service usage after 10 failures in 5 seconds: +# icap_service_failure_limit 10 in 5 seconds #Default: # icap_service_failure_limit 10 @@ -4962,10 +6993,26 @@ refresh_pattern . 0 20% 4320 # TAG: icap_preview_size # The default size of preview data to be sent to the ICAP server. -# -1 means no preview. This value might be overwritten on a per server -# basis by OPTIONS requests. +# This value might be overwritten on a per server basis by OPTIONS requests. +#Default: +# No preview sent. + +# TAG: icap_206_enable on|off +# 206 (Partial Content) responses is an ICAP extension that allows the +# ICAP agents to optionally combine adapted and original HTTP message +# content. The decision to combine is postponed until the end of the +# ICAP response. Squid supports Partial Content extension by default. +# +# Activation of the Partial Content extension is negotiated with each +# ICAP service during OPTIONS exchange. Most ICAP servers should handle +# negotation correctly even if they do not support the extension, but +# some might fail. To disable Partial Content support for all ICAP +# services and to avoid any negotiation, set this option to "off". +# +# Example: +# icap_206_enable off #Default: -# icap_preview_size -1 +# icap_206_enable on # TAG: icap_default_options_ttl # The default TTL value for ICAP OPTIONS responses that don't have @@ -4979,25 +7026,27 @@ refresh_pattern . 0 20% 4320 #Default: # icap_persistent_connections on -# TAG: icap_send_client_ip on|off +# TAG: adaptation_send_client_ip on|off # If enabled, Squid shares HTTP client IP information with adaptation # services. For ICAP, Squid adds the X-Client-IP header to ICAP requests. # For eCAP, Squid sets the libecap::metaClientIp transaction option. # # See also: adaptation_uses_indirect_client #Default: -# icap_send_client_ip off +# adaptation_send_client_ip off -# TAG: icap_send_client_username on|off +# TAG: adaptation_send_username on|off # This sends authenticated HTTP client username (if available) to -# the ICAP service. The username value is encoded based on the +# the adaptation service. +# +# For ICAP, the username value is encoded based on the # icap_client_username_encode option and is sent using the header # specified by the icap_client_username_header option. #Default: -# icap_send_client_username off +# adaptation_send_username off # TAG: icap_client_username_header -# ICAP request header name to use for send_client_username. +# ICAP request header name to use for adaptation_send_username. #Default: # icap_client_username_header X-Client-Username @@ -5009,17 +7058,19 @@ refresh_pattern . 0 20% 4320 # TAG: icap_service # Defines a single ICAP service using the following format: # -# icap_service service_name vectoring_point [options] service_url +# icap_service id vectoring_point uri [option ...] # -# service_name: ID -# an opaque identifier which must be unique in squid.conf +# id: ID +# an opaque identifier or name which is used to direct traffic to +# this specific service. Must be unique among all adaptation +# services in squid.conf. # # vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache # This specifies at which point of transaction processing the # ICAP service should be activated. *_postcache vectoring points # are not yet supported. # -# service_url: icap://servername:port/servicepath +# uri: icap://servername:port/servicepath # ICAP server and service location. # # ICAP does not allow a single service to handle both REQMOD and RESPMOD @@ -5028,6 +7079,8 @@ refresh_pattern . 0 20% 4320 # can even specify multiple identical services as long as their # service_names differ. # +# To activate a service, use the adaptation_access directive. To group +# services, use adaptation_service_chain and adaptation_service_set. # # Service options are separated by white space. ICAP services support # the following name=value options: @@ -5049,11 +7102,12 @@ refresh_pattern . 0 20% 4320 # returning a chain of services to be used next. The services # are specified using the X-Next-Services ICAP response header # value, formatted as a comma-separated list of service names. -# Each named service should be configured in squid.conf and -# should have the same method and vectoring point as the current -# ICAP transaction. Services violating these rules are ignored. -# An empty X-Next-Services value results in an empty plan which -# ends the current adaptation. +# Each named service should be configured in squid.conf. Other +# services are ignored. An empty X-Next-Services value results +# in an empty plan which ends the current adaptation. +# +# Dynamic adaptation plan may cross or cover multiple supported +# vectoring points in their natural processing order. # # Routing is not allowed by default: the ICAP X-Next-Services # response header is ignored. @@ -5063,12 +7117,32 @@ refresh_pattern . 0 20% 4320 # is to use IPv4-only connections. When set to 'on' this option will # make Squid use IPv6-only connections to contact this ICAP service. # +# on-overload=block|bypass|wait|force +# If the service Max-Connections limit has been reached, do +# one of the following for each new ICAP transaction: +# * block: send an HTTP error response to the client +# * bypass: ignore the "over-connected" ICAP service +# * wait: wait (in a FIFO queue) for an ICAP connection slot +# * force: proceed, ignoring the Max-Connections limit +# +# In SMP mode with N workers, each worker assumes the service +# connection limit is Max-Connections/N, even though not all +# workers may use a given service. +# +# The default value is "bypass" if service is bypassable, +# otherwise it is set to "wait". +# +# +# max-conn=number +# Use the given number as the Max-Connections limit, regardless +# of the Max-Connections value given by the service, if any. +# # Older icap_service format without optional named parameters is # deprecated but supported for backward compatibility. # #Example: -#icap_service svcBlocker reqmod_precache bypass=0 icap://icap1.mydomain.net:1344/reqmod -#icap_service svcLogger reqmod_precache routing=on icap://icap2.mydomain.net:1344/respmod +#icap_service svcBlocker reqmod_precache icap://icap1.mydomain.net:1344/reqmod bypass=0 +#icap_service svcLogger reqmod_precache icap://icap2.mydomain.net:1344/respmod routing=on #Default: # none @@ -5094,38 +7168,65 @@ refresh_pattern . 0 20% 4320 # ----------------------------------------------------------------------------- # TAG: ecap_enable on|off -# Note: This option is only available if Squid is rebuilt with the -# --enable-ecap option -# # Controls whether eCAP support is enabled. #Default: # ecap_enable off # TAG: ecap_service -# Note: This option is only available if Squid is rebuilt with the -# --enable-ecap option -# # Defines a single eCAP service # -# ecap_service servicename vectoring_point bypass service_url +# ecap_service id vectoring_point uri [option ...] # -# vectoring_point = reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache +# id: ID +# an opaque identifier or name which is used to direct traffic to +# this specific service. Must be unique among all adaptation +# services in squid.conf. +# +# vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache # This specifies at which point of transaction processing the # eCAP service should be activated. *_postcache vectoring points # are not yet supported. -# bypass = 1|0 -# If set to 1, the eCAP service is treated as optional. If the -# service cannot be reached or malfunctions, Squid will try to -# ignore any errors and process the message as if the service +# +# uri: ecap://vendor/service_name?custom&cgi=style¶meters=optional +# Squid uses the eCAP service URI to match this configuration +# line with one of the dynamically loaded services. Each loaded +# eCAP service must have a unique URI. Obtain the right URI from +# the service provider. +# +# To activate a service, use the adaptation_access directive. To group +# services, use adaptation_service_chain and adaptation_service_set. +# +# Service options are separated by white space. eCAP services support +# the following name=value options: +# +# bypass=on|off|1|0 +# If set to 'on' or '1', the eCAP service is treated as optional. +# If the service cannot be reached or malfunctions, Squid will try +# to ignore any errors and process the message as if the service # was not enabled. No all eCAP errors can be bypassed. -# If set to 0, the eCAP service is treated as essential and all -# eCAP errors will result in an error page returned to the +# If set to 'off' or '0', the eCAP service is treated as essential +# and all eCAP errors will result in an error page returned to the # HTTP client. -# service_url = ecap://vendor/service_name?custom&cgi=style¶meters=optional +# +# Bypass is off by default: services are treated as essential. +# +# routing=on|off|1|0 +# If set to 'on' or '1', the eCAP service is allowed to +# dynamically change the current message adaptation plan by +# returning a chain of services to be used next. +# +# Dynamic adaptation plan may cross or cover multiple supported +# vectoring points in their natural processing order. +# +# Routing is not allowed by default. +# +# Older ecap_service format without optional named parameters is +# deprecated but supported for backward compatibility. +# # #Example: -#ecap_service service_1 reqmod_precache 0 ecap://filters-R-us/leakDetector?on_error=block -#ecap_service service_2 respmod_precache 1 icap://filters-R-us/virusFilter?config=/etc/vf.cfg +#ecap_service s1 reqmod_precache ecap://filters.R.us/leakDetector?on_error=block bypass=off +#ecap_service s2 respmod_precache ecap://filters.R.us/virusFilter config=/etc/vf.cfg bypass=on #Default: # none @@ -5247,7 +7348,7 @@ refresh_pattern . 0 20% 4320 #Example: #adaptation_access service_1 allow all #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: adaptation_service_iteration_limit # Limits the number of iterations allowed when applying adaptation @@ -5275,8 +7376,14 @@ refresh_pattern . 0 20% 4320 # # An ICAP REQMOD or RESPMOD transaction may set an entry in the # shared table by returning an ICAP header field with a name -# specified in adaptation_masterx_shared_names. Squid will store -# and forward that ICAP header field to subsequent ICAP +# specified in adaptation_masterx_shared_names. +# +# An eCAP REQMOD or RESPMOD transaction may set an entry in the +# shared table by implementing the libecap::visitEachOption() API +# to provide an option with a name specified in +# adaptation_masterx_shared_names. +# +# Squid will store and forward the set entry to subsequent adaptation # transactions within the same master transaction scope. # # Only one shared entry name is supported at this time. @@ -5287,6 +7394,43 @@ refresh_pattern . 0 20% 4320 #Default: # none +# TAG: adaptation_meta +# This option allows Squid administrator to add custom ICAP request +# headers or eCAP options to Squid ICAP requests or eCAP transactions. +# Use it to pass custom authentication tokens and other +# transaction-state related meta information to an ICAP/eCAP service. +# +# The addition of a meta header is ACL-driven: +# adaptation_meta name value [!]aclname ... +# +# Processing for a given header name stops after the first ACL list match. +# Thus, it is impossible to add two headers with the same name. If no ACL +# lists match for a given header name, no such header is added. For +# example: +# +# # do not debug transactions except for those that need debugging +# adaptation_meta X-Debug 1 needs_debugging +# +# # log all transactions except for those that must remain secret +# adaptation_meta X-Log 1 !keep_secret +# +# # mark transactions from users in the "G 1" group +# adaptation_meta X-Authenticated-Groups "G 1" authed_as_G1 +# +# The "value" parameter may be a regular squid.conf token or a "double +# quoted string". Within the quoted string, use backslash (\) to escape +# any character, which is currently only useful for escaping backslashes +# and double quotes. For example, +# "this string has one backslash (\\) and two \"quotes\"" +# +# Used adaptation_meta header values may be logged via %note +# logformat code. If multiple adaptation_meta headers with the same name +# are used during master transaction lifetime, the header values are +# logged in the order they were used and duplicate values are ignored +# (only the first repeated value will be logged). +#Default: +# none + # TAG: icap_retry # This ACL determines which retriable ICAP transactions are # retried. Transactions that received a complete ICAP response @@ -5303,8 +7447,7 @@ refresh_pattern . 0 20% 4320 # icap_retry deny all # TAG: icap_retry_limit -# Limits the number of retries allowed. When set to zero (default), -# no retries are allowed. +# Limits the number of retries allowed. # # Communication errors due to persistent connection race # conditions are unavoidable, automatically retried, and do not @@ -5312,7 +7455,7 @@ refresh_pattern . 0 20% 4320 # # See also: icap_retry #Default: -# icap_retry_limit 0 +# No retries are allowed. # DNS OPTIONS # ----------------------------------------------------------------------------- @@ -5332,31 +7475,9 @@ refresh_pattern . 0 20% 4320 #Default: # allow_underscore on -# TAG: cache_dns_program -# Note: This option is only available if Squid is rebuilt with the -# --disable-internal-dns option -# -# Specify the location of the executable for dnslookup process. -#Default: -# cache_dns_program /usr/lib/squid/dnsserver - -# TAG: dns_children -# Note: This option is only available if Squid is rebuilt with the -# --disable-internal-dns option -# -# The number of processes spawn to service DNS name lookups. -# For heavily loaded caches on large servers, you should -# probably increase this value to at least 10. The maximum -# is 32. The default is 5. -# -# You must have at least one dnsserver process. -#Default: -# dns_children 5 - # TAG: dns_retransmit_interval # Initial retransmit interval for DNS queries. The interval is # doubled each time all configured DNS servers have been tried. -# #Default: # dns_retransmit_interval 5 seconds @@ -5365,7 +7486,31 @@ refresh_pattern . 0 20% 4320 # within this time all DNS servers for the queried domain # are assumed to be unavailable. #Default: -# dns_timeout 2 minutes +# dns_timeout 30 seconds + +# TAG: dns_packet_max +# Maximum number of bytes packet size to advertise via EDNS. +# Set to "none" to disable EDNS large packet support. +# +# For legacy reasons DNS UDP replies will default to 512 bytes which +# is too small for many responses. EDNS provides a means for Squid to +# negotiate receiving larger responses back immediately without having +# to failover with repeat requests. Responses larger than this limit +# will retain the old behaviour of failover to TCP DNS. +# +# Squid has no real fixed limit internally, but allowing packet sizes +# over 1500 bytes requires network jumbogram support and is usually not +# necessary. +# +# WARNING: The RFC also indicates that some older resolvers will reply +# with failure of the whole request if the extension is added. Some +# resolvers have already been identified which will reply with mangled +# EDNS response on occasion. Usually in response to many-KB jumbogram +# sizes being advertised by Squid. +# Squid will currently treat these both as an unable-to-resolve domain +# even if it would be resolvable without EDNS. +#Default: +# EDNS disabled # TAG: dns_defnames on|off # Normally the RES_DEFNAMES resolver option is disabled @@ -5373,12 +7518,21 @@ refresh_pattern . 0 20% 4320 # from interpreting single-component hostnames locally. To allow # Squid to handle single-component names, enable this option. #Default: -# dns_defnames off +# Search for single-label domain names is disabled. + +# TAG: dns_multicast_local on|off +# When set to on, Squid sends multicast DNS lookups on the local +# network for domains ending in .local and .arpa. +# This enables local servers and devices to be contacted in an +# ad-hoc or zero-configuration network environment. +#Default: +# Search for .local and .arpa names is disabled. # TAG: dns_nameservers # Use this if you want to specify a list of DNS name servers # (IP addresses) to use instead of those given in your # /etc/resolv.conf file. +# # On Windows platforms, if no value is specified here or in # the /etc/resolv.conf file, the list of DNS name servers are # taken from the Windows registry, both static and dynamic DHCP @@ -5386,7 +7540,7 @@ refresh_pattern . 0 20% 4320 # # Example: dns_nameservers 10.0.0.1 192.172.0.4 #Default: -# none +# Use operating system definitions # TAG: hosts_file # Location of the host-local IP name-address associations @@ -5425,7 +7579,7 @@ refresh_pattern . 0 20% 4320 #Example: # append_domain .yourdomain.com #Default: -# none +# Use operating system definitions # TAG: ignore_unknown_nameservers # By default Squid checks that DNS responses are received @@ -5436,23 +7590,6 @@ refresh_pattern . 0 20% 4320 #Default: # ignore_unknown_nameservers on -# TAG: dns_v4_fallback -# Standard practice with DNS is to lookup either A or AAAA records -# and use the results if it succeeds. Only looking up the other if -# the first attempt fails or otherwise produces no results. -# -# That policy however will cause squid to produce error pages for some -# servers that advertise AAAA but are unreachable over IPv6. -# -# If this is ON squid will always lookup both AAAA and A, using both. -# If this is OFF squid will lookup AAAA and only try A if none found. -# -# WARNING: There are some possibly unwanted side-effects with this on: -# *) Doubles the load placed by squid on the DNS network. -# *) May negatively impact connection delay times. -#Default: -# dns_v4_fallback on - # TAG: dns_v4_first # With the IPv6 Internet being as fast or faster than IPv4 Internet # for most networks Squid prefers to contact websites over IPv6. @@ -5464,11 +7601,12 @@ refresh_pattern . 0 20% 4320 # WARNING: # This option will restrict the situations under which IPv6 # connectivity is used (and tested), potentially hiding network -# problem swhich would otherwise be detected and warned about. +# problems which would otherwise be detected and warned about. #Default: # dns_v4_first off # TAG: ipcache_size (number of entries) +# Maximum number of DNS IP cache entries. #Default: # ipcache_size 1024 @@ -5489,6 +7627,15 @@ refresh_pattern . 0 20% 4320 # MISCELLANEOUS # ----------------------------------------------------------------------------- +# TAG: configuration_includes_quoted_values on|off +# If set, Squid will recognize each "quoted string" after a configuration +# directive as a single parameter. The quotes are stripped before the +# parameter value is interpreted or used. +# See "Values with spaces, quotes, and other special characters" +# section for more details. +#Default: +# configuration_includes_quoted_values off + # TAG: memory_pools on|off # If set, Squid will keep pools of allocated (but unused) memory # available for future use. If memory is a premium on your @@ -5539,7 +7686,7 @@ refresh_pattern . 0 20% 4320 # X-Forwarded-For header. # # If set to "truncate", Squid will remove all existing -# X-Forwarded-For entries, and place itself as the sole entry. +# X-Forwarded-For entries, and place the client IP as the sole entry. #Default: # forwarded_for on @@ -5602,7 +7749,7 @@ refresh_pattern . 0 20% 4320 # cachemgr_passwd lesssssssecret info stats/objects # cachemgr_passwd disable all #Default: -# none +# No password. Actions which require password are denied. # TAG: client_db on|off # If you want to disable collecting per-client statistics, @@ -5633,19 +7780,22 @@ refresh_pattern . 0 20% 4320 #Default: # reload_into_ims off -# TAG: maximum_single_addr_tries -# This sets the maximum number of connection attempts for a -# host that only has one address (for multiple-address hosts, -# each address is tried once). +# TAG: connect_retries +# This sets the maximum number of connection attempts made for each +# TCP connection. The connect_retries attempts must all still +# complete within the connection timeout period. +# +# The default is not to re-try if the first connection attempt fails. +# The (not recommended) maximum is 10 tries. # -# The default value is one attempt, the (not recommended) -# maximum is 255 tries. A warning message will be generated -# if it is set to a value greater than ten. +# A warning message will be generated if it is set to a too-high +# value and the configured value will be over-ridden. # -# Note: This is in addition to the request re-forwarding which -# takes place if Squid fails to get a satisfying response. +# Note: These re-tries are in addition to forward_max_tries +# which limit how many different addresses may be tried to find +# a useful server. #Default: -# maximum_single_addr_tries 1 +# Do not retry failed connections. # TAG: retry_on_error # If set to ON Squid will automatically retry requests when @@ -5678,20 +7828,32 @@ refresh_pattern . 0 20% 4320 # URI. Options: # # strip: The whitespace characters are stripped out of the URL. -# This is the behavior recommended by RFC2396. +# This is the behavior recommended by RFC2396 and RFC3986 +# for tolerant handling of generic URI. +# NOTE: This is one difference between generic URI and HTTP URLs. +# # deny: The request is denied. The user receives an "Invalid # Request" message. +# This is the behaviour recommended by RFC2616 for safe +# handling of HTTP request URL. +# # allow: The request is allowed and the URI is not changed. The # whitespace characters remain in the URI. Note the # whitespace is passed to redirector processes if they # are in use. +# Note this may be considered a violation of RFC2616 +# request parsing where whitespace is prohibited in the +# URL field. +# # encode: The request is allowed and the whitespace characters are -# encoded according to RFC1738. This could be considered -# a violation of the HTTP/1.1 -# RFC because proxies are not allowed to rewrite URI's. +# encoded according to RFC1738. +# # chop: The request is allowed and the URI is chopped at the -# first whitespace. This might also be considered a -# violation. +# first whitespace. +# +# +# NOTE the current Squid implementation of encode and chop violates +# RFC2616 by not using a 301 redirect after altering the URL. #Default: # uri_whitespace strip @@ -5718,23 +7880,28 @@ refresh_pattern . 0 20% 4320 # balance_on_multiple_ip off # TAG: pipeline_prefetch -# To boost the performance of pipelined requests to closer -# match that of a non-proxied environment Squid can try to fetch -# up to two requests in parallel from a pipeline. -# -# Defaults to off for bandwidth management and access logging +# HTTP clients may send a pipeline of 1+N requests to Squid using a +# single connection, without waiting for Squid to respond to the first +# of those requests. This option limits the number of concurrent +# requests Squid will try to handle in parallel. If set to N, Squid +# will try to receive and process up to 1+N requests on the same +# connection concurrently. +# +# Defaults to 0 (off) for bandwidth management and access logging # reasons. # +# NOTE: pipelining requires persistent connections to clients. +# # WARNING: pipelining breaks NTLM and Negotiate/Kerberos authentication. #Default: -# pipeline_prefetch off +# Do not pre-parse pipelined requests. # TAG: high_response_time_warning (msec) # If the one-minute median response time exceeds this value, # Squid prints a WARNING with debug level 0 to get the # administrators attention. The value is in milliseconds. #Default: -# high_response_time_warning 0 +# disabled. # TAG: high_page_fault_warning # If the one-minute average page fault rate exceeds this @@ -5742,14 +7909,17 @@ refresh_pattern . 0 20% 4320 # the administrators attention. The value is in page faults # per second. #Default: -# high_page_fault_warning 0 +# disabled. # TAG: high_memory_warning -# If the memory usage (as determined by mallinfo) exceeds -# this amount, Squid prints a WARNING with debug level 0 to get +# Note: This option is only available if Squid is rebuilt with the +# GNU Malloc with mstats() +# +# If the memory usage (as determined by gnumalloc, if available and used) +# exceeds this amount, Squid prints a WARNING with debug level 0 to get # the administrators attention. #Default: -# high_memory_warning 0 KB +# disabled. # TAG: sleep_after_fork (microseconds) # When this is set to a non-zero value, the main Squid process @@ -5766,6 +7936,9 @@ refresh_pattern . 0 20% 4320 # sleep_after_fork 0 # TAG: windows_ipaddrchangemonitor on|off +# Note: This option is only available if Squid is rebuilt with the +# MS Windows +# # On Windows Squid by default will monitor IP address changes and will # reconfigure itself after any detected event. This is very useful for # proxies connected to internet with dial-up interfaces. @@ -5775,13 +7948,19 @@ refresh_pattern . 0 20% 4320 #Default: # windows_ipaddrchangemonitor on +# TAG: eui_lookup +# Whether to lookup the EUI or MAC address of a connected client. +#Default: +# eui_lookup on + # TAG: max_filedescriptors -# The maximum number of filedescriptors supported. +# Reduce the maximum number of filedescriptors supported below +# the usual operating system defaults. # -# The default "0" means Squid inherits the current ulimit setting. +# Remove from squid.conf to inherit the current ulimit setting. # # Note: Changing this requires a restart of Squid. Also -# not all comm loops supports large values. +# not all I/O types supports large values (eg on Windows). #Default: -# max_filedescriptors 0 +# Use operating system limits set by ulimit. diff --git a/hosts/codethink-sled13-arm64/etc/squid/squid.conf b/hosts/codethink-sled13-arm64/etc/squid/squid.conf index 34be0ec5..ad1cdc47 100644 --- a/hosts/codethink-sled13-arm64/etc/squid/squid.conf +++ b/hosts/codethink-sled13-arm64/etc/squid/squid.conf @@ -1,4 +1,4 @@ -# WELCOME TO SQUID 3.1.20 +# WELCOME TO SQUID 3.5.23 # ---------------------------- # # This is the documentation for the Squid configuration file. @@ -32,6 +32,188 @@ # This arbitrary restriction is to prevent recursive include references # from causing Squid entering an infinite loop whilst trying to load # configuration files. +# +# Values with byte units +# +# Squid accepts size units on some size related directives. All +# such directives are documented with a default value displaying +# a unit. +# +# Units accepted by Squid are: +# bytes - byte +# KB - Kilobyte (1024 bytes) +# MB - Megabyte +# GB - Gigabyte +# +# Values with spaces, quotes, and other special characters +# +# Squid supports directive parameters with spaces, quotes, and other +# special characters. Surround such parameters with "double quotes". Use +# the configuration_includes_quoted_values directive to enable or +# disable that support. +# +# Squid supports reading configuration option parameters from external +# files using the syntax: +# parameters("/path/filename") +# For example: +# acl whitelist dstdomain parameters("/etc/squid/whitelist.txt") +# +# Conditional configuration +# +# If-statements can be used to make configuration directives +# depend on conditions: +# +# if +# ... regular configuration directives ... +# [else +# ... regular configuration directives ...] +# endif +# +# The else part is optional. The keywords "if", "else", and "endif" +# must be typed on their own lines, as if they were regular +# configuration directives. +# +# NOTE: An else-if condition is not supported. +# +# These individual conditions types are supported: +# +# true +# Always evaluates to true. +# false +# Always evaluates to false. +# = +# Equality comparison of two integer numbers. +# +# +# SMP-Related Macros +# +# The following SMP-related preprocessor macros can be used. +# +# ${process_name} expands to the current Squid process "name" +# (e.g., squid1, squid2, or cache1). +# +# ${process_number} expands to the current Squid process +# identifier, which is an integer number (e.g., 1, 2, 3) unique +# across all Squid processes of the current service instance. +# +# ${service_name} expands into the current Squid service instance +# name identifier which is provided by -n on the command line. +# + +# TAG: broken_vary_encoding +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: cache_vary +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: error_map +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: external_refresh_check +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: location_rewrite_program +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: refresh_stale_hit +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: hierarchy_stoplist +# Remove this line. Use always_direct or cache_peer_access ACLs instead if you need to prevent cache_peer use. +#Default: +# none + +# TAG: log_access +# Remove this line. Use acls with access_log directives to control access logging +#Default: +# none + +# TAG: log_icap +# Remove this line. Use acls with icap_log directives to control icap logging +#Default: +# none + +# TAG: ignore_ims_on_miss +# Remove this line. The HTTP/1.1 feature is now configured by 'cache_miss_revalidate'. +#Default: +# none + +# TAG: chunked_request_body_max_size +# Remove this line. Squid is now HTTP/1.1 compliant. +#Default: +# none + +# TAG: dns_v4_fallback +# Remove this line. Squid performs a 'Happy Eyeballs' algorithm, the 'fallback' algorithm is no longer relevant. +#Default: +# none + +# TAG: emulate_httpd_log +# Replace this with an access_log directive using the format 'common' or 'combined'. +#Default: +# none + +# TAG: forward_log +# Use a regular access.log with ACL limiting it to MISS events. +#Default: +# none + +# TAG: ftp_list_width +# Remove this line. Configure FTP page display using the CSS controls in errorpages.css instead. +#Default: +# none + +# TAG: ignore_expect_100 +# Remove this line. The HTTP/1.1 feature is now fully supported by default. +#Default: +# none + +# TAG: log_fqdn +# Remove this option from your config. To log FQDN use %>A in the log format. +#Default: +# none + +# TAG: log_ip_on_direct +# Remove this option from your config. To log server or peer names use % -##auth_param negotiate children 5 +##auth_param negotiate children 20 startup=0 idle=1 ##auth_param negotiate keep_alive on ## -##auth_param ntlm program -##auth_param ntlm children 5 -##auth_param ntlm keep_alive on -## -##auth_param digest program -##auth_param digest children 5 +##auth_param digest program +##auth_param digest children 20 startup=0 idle=1 ##auth_param digest realm Squid proxy-caching web server ##auth_param digest nonce_garbage_interval 5 minutes ##auth_param digest nonce_max_duration 30 minutes ##auth_param digest nonce_max_count 50 ## +##auth_param ntlm program +##auth_param ntlm children 20 startup=0 idle=1 +##auth_param ntlm keep_alive on +## ##auth_param basic program -##auth_param basic children 5 +##auth_param basic children 5 startup=5 idle=1 ##auth_param basic realm Squid proxy-caching web server ##auth_param basic credentialsttl 2 hours #Default: @@ -343,7 +448,7 @@ # TAG: authenticate_cache_garbage_interval # The time period between garbage collection across the username cache. -# This is a tradeoff between memory utilization (long intervals - say +# This is a trade-off between memory utilization (long intervals - say # 2 days) and CPU (short intervals - say 1 minute). Only change if you # have good reason to. #Default: @@ -362,11 +467,11 @@ # this directive controls how long Squid remembers the IP # addresses associated with each user. Use a small value # (e.g., 60 seconds) if your users might change addresses -# quickly, as is the case with dialups. You might be safe +# quickly, as is the case with dialup. You might be safe # using a larger value (e.g., 2 hours) in a corporate LAN # environment with relatively static address assignments. #Default: -# authenticate_ip_ttl 0 seconds +# authenticate_ip_ttl 1 second # ACCESS CONTROLS # ----------------------------------------------------------------------------- @@ -381,31 +486,66 @@ # # ttl=n TTL in seconds for cached results (defaults to 3600 # for 1 hour) +# # negative_ttl=n # TTL for cached negative lookups (default same # as ttl) -# children=n Number of acl helper processes spawn to service +# +# grace=n Percentage remaining of TTL where a refresh of a +# cached entry should be initiated without needing to +# wait for a new reply. (default is for no grace period) +# +# cache=n The maximum number of entries in the result cache. The +# default limit is 262144 entries. Each cache entry usually +# consumes at least 256 bytes. Squid currently does not remove +# expired cache entries until the limit is reached, so a proxy +# will sooner or later reach the limit. The expanded FORMAT +# value is used as the cache key, so if the details in FORMAT +# are highly variable, a larger cache may be needed to produce +# reduction in helper load. +# +# children-max=n +# Maximum number of acl helper processes spawned to service # external acl lookups of this type. (default 5) +# +# children-startup=n +# Minimum number of acl helper processes to spawn during +# startup and reconfigure to service external acl lookups +# of this type. (default 0) +# +# children-idle=n +# Number of acl helper processes to keep ahead of traffic +# loads. Squid will spawn this many at once whenever load +# rises above the capabilities of existing processes. +# Up to the value of children-max. (default 1) +# # concurrency=n concurrency level per process. Only used with helpers # capable of processing more than one query at a time. -# cache=n result cache size, 0 is unbounded (default) -# grace=n Percentage remaining of TTL where a refresh of a -# cached entry should be initiated without needing to -# wait for a new reply. (default 0 for no grace period) -# protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers +# +# protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers. +# # ipv4 / ipv6 IP protocol used to communicate with this helper. # The default is to auto-detect IPv6 and use it when available. # +# # FORMAT specifications # # %LOGIN Authenticated user login name -# %EXT_USER Username from external acl +# %un A user name. Expands to the first available name +# from the following list of information sources: +# - authenticated user name, like %ul or %LOGIN +# - user name sent by an external ACL, like %EXT_USER +# - SSL client name, like %us in logformat +# - ident user name, like %ui in logformat +# %EXT_USER Username from previous external acl +# %EXT_LOG Log details from previous external acl +# %EXT_TAG Tag from previous external acl # %IDENT Ident user name # %SRC Client IP # %SRCPORT Client source port # %URI Requested URI # %DST Requested host -# %PROTO Requested protocol +# %PROTO Requested URL scheme # %PORT Requested port # %PATH Requested URL path # %METHOD Request method @@ -415,7 +555,10 @@ # %USER_CERT SSL User certificate in PEM format # %USER_CERTCHAIN SSL User certificate chain in PEM format # %USER_CERT_xx SSL User certificate subject attribute xx -# %USER_CA_xx SSL User certificate issuer attribute xx +# %USER_CA_CERT_xx SSL User certificate issuer attribute xx +# %ssl::>sni SSL client SNI sent to Squid +# %ssl::{Header} HTTP request header "Header" # %>{Hdr:member} @@ -433,43 +576,101 @@ # list separator. ; can be any non-alphanumeric # character. # +# %ACL The name of the ACL being tested. +# %DATA The ACL arguments. If not used then any arguments +# is automatically added at the end of the line +# sent to the helper. +# NOTE: this will encode the arguments as one token, +# whereas the default will pass each separately. +# # %% The percent sign. Useful for helpers which need # an unchanging input format. # -# In addition to the above, any string specified in the referencing -# acl will also be included in the helper request line, after the -# specified formats (see the "acl external" directive) # -# The helper receives lines per the above format specification, -# and returns lines starting with OK or ERR indicating the validity -# of the request and optionally followed by additional keywords with -# more details. +# General request syntax: +# +# [channel-ID] FORMAT-values [acl-values ...] +# +# +# FORMAT-values consists of transaction details expanded with +# whitespace separation per the config file FORMAT specification +# using the FORMAT macros listed above. +# +# acl-values consists of any string specified in the referencing +# config 'acl ... external' line. see the "acl external" directive. +# +# Request values sent to the helper are URL escaped to protect +# each value in requests against whitespaces. +# +# If using protocol=2.5 then the request sent to the helper is not +# URL escaped to protect against whitespace. +# +# NOTE: protocol=3.0 is deprecated as no longer necessary. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# +# The helper receives lines expanded per the above format specification +# and for each input line returns 1 line starting with OK/ERR/BH result +# code and optionally followed by additional keywords with more details. +# # # General result syntax: # -# OK/ERR keyword=value ... +# [channel-ID] result keyword=value ... +# +# Result consists of one of the codes: +# +# OK +# the ACL test produced a match. +# +# ERR +# the ACL test does not produce a match. +# +# BH +# An internal error occurred in the helper, preventing +# a result being identified. +# +# The meaning of 'a match' is determined by your squid.conf +# access control configuration. See the Squid wiki for details. # # Defined keywords: # # user= The users name (login) +# # password= The users password (for login= cache_peer option) -# message= Message describing the reason. Available as %o -# in error pages -# tag= Apply a tag to a request (for both ERR and OK results) -# Only sets a tag, does not alter existing tags. +# +# message= Message describing the reason for this response. +# Available as %o in error pages. +# Useful on (ERR and BH results). +# +# tag= Apply a tag to a request. Only sets a tag once, +# does not alter existing tags. +# # log= String to be logged in access.log. Available as -# %ea in logformat specifications +# %ea in logformat specifications. # -# If protocol=3.0 (the default) then URL escaping is used to protect -# each value in both requests and responses. +# clt_conn_tag= Associates a TAG with the client TCP connection. +# Please see url_rewrite_program related documentation +# for this kv-pair. # -# If using protocol=2.5 then all values need to be enclosed in quotes -# if they may contain whitespace, or the whitespace escaped using \. -# And quotes or \ characters within the keyword value must be \ escaped. +# Any keywords may be sent on any response whether OK, ERR or BH. # -# When using the concurrency= option the protocol is changed by -# introducing a query channel tag infront of the request/response. -# The query channel tag is a number between 0 and concurrency-1. +# All response keyword values need to be a single token with URL +# escaping, or enclosed in double quotes (") and escaped using \ on +# any double quotes or \ characters within the value. The wrapping +# double quotes are removed before the value is interpreted by Squid. +# \r and \n are also replace by CR and LF. +# +# Some example key values: +# +# user=John%20Smith +# user="John Smith" +# user="J. \"Bob\" Smith" #Default: # none @@ -485,9 +686,23 @@ # # When using "file", the file should contain one item per line. # -# By default, regular expressions are CASE-SENSITIVE. -# To make them case-insensitive, use the -i option. To return case-sensitive -# use the +i option between patterns, or make a new ACL line without -i. +# Some acl types supports options which changes their default behaviour. +# The available options are: +# +# -i,+i By default, regular expressions are CASE-SENSITIVE. To make them +# case-insensitive, use the -i option. To return case-sensitive +# use the +i option between patterns, or make a new ACL line +# without -i. +# +# -n Disable lookups and address type conversions. If lookup or +# conversion is required because the parameter type (IP or +# domain name) does not match the message address type (domain +# name or IP), then the ACL would immediately declare a mismatch +# without any warnings or lookups. +# +# -- Used to stop processing all options, in the case the first acl +# value has '-' character as first character (for example the '-' +# is a valid domain name) # # Some acl types require suspending the current request in order # to access some external data source. @@ -498,29 +713,31 @@ # # ***** ACL TYPES AVAILABLE ***** # -# acl aclname src ip-address/netmask ... # clients IP address [fast] -# acl aclname src addr1-addr2/netmask ... # range of addresses [fast] -# acl aclname dst ip-address/netmask ... # URL host's IP address [slow] -# acl aclname myip ip-address/netmask ... # local socket IP address [fast] +# acl aclname src ip-address/mask ... # clients IP address [fast] +# acl aclname src addr1-addr2/mask ... # range of addresses [fast] +# acl aclname dst [-n] ip-address/mask ... # URL host's IP address [slow] +# acl aclname localip ip-address/mask ... # IP address the client connected to [fast] # # acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation) -# # The arp ACL requires the special configure option --enable-arp-acl. -# # Furthermore, the ARP ACL code is not portable to all operating systems. -# # It works on Linux, Solaris, Windows, FreeBSD, and some -# # other *BSD variants. # # [fast] +# # The 'arp' ACL code is not portable to all operating systems. +# # It works on Linux, Solaris, Windows, FreeBSD, and some other +# # BSD variants. +# # +# # NOTE: Squid can only determine the MAC/EUI address for IPv4 +# # clients that are on the same subnet. If the client is on a +# # different subnet, then Squid cannot find out its address. # # -# # NOTE: Squid can only determine the MAC address for clients that are on -# # the same subnet. If the client is on a different subnet, -# # then Squid cannot find out its MAC address. +# # NOTE 2: IPv6 protocol does not contain ARP. MAC/EUI is either +# # encoded directly in the IPv6 address or not available. # # acl aclname srcdomain .foo.com ... # # reverse lookup, from client IP [slow] -# acl aclname dstdomain .foo.com ... +# acl aclname dstdomain [-n] .foo.com ... # # Destination server from URL [fast] # acl aclname srcdom_regex [-i] \.foo\.com ... # # regex matching client name [slow] -# acl aclname dstdom_regex [-i] \.foo\.com ... +# acl aclname dstdom_regex [-n] [-i] \.foo\.com ... # # regex matching server [fast] # # # # For dstdomain and dstdom_regex a reverse lookup is tried if a IP @@ -557,13 +774,17 @@ # # acl aclname url_regex [-i] ^http:// ... # # regex matching on whole URL [fast] +# acl aclname urllogin [-i] [^a-zA-Z0-9] ... +# # regex matching on URL login field # acl aclname urlpath_regex [-i] \.gif$ ... # # regex matching on URL path [fast] # # acl aclname port 80 70 21 0-1024... # destination TCP port [fast] # # ranges are alloed -# acl aclname myport 3128 ... # local socket TCP port [fast] -# acl aclname myportname 3128 ... # http(s)_port name [fast] +# acl aclname localport 3128 ... # TCP port the client connected to [fast] +# # NP: for interception mode this is usually '80' +# +# acl aclname myportname 3128 ... # *_port name [fast] # # acl aclname proto HTTP FTP ... # request protocol [fast] # @@ -632,6 +853,11 @@ # # clients may appear to come from multiple addresses if they are # # going through proxy farms, so a limit of 1 may cause user problems. # +# acl aclname random probability +# # Pseudo-randomly match requests. Based on the probability given. +# # Probability may be written as a decimal (0.333), fraction (1/3) +# # or ratio of matches:non-matches (3:5). +# # acl aclname req_mime_type [-i] mime-type ... # # regex match against the mime type of the request generated # # by the client. Can be used to detect file upload or some @@ -663,11 +889,11 @@ # # acl aclname user_cert attribute values... # # match against attributes in a user SSL certificate -# # attribute is one of DN/C/O/CN/L/ST [fast] +# # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast] # # acl aclname ca_cert attribute values... # # match against attributes a users issuing CA SSL certificate -# # attribute is one of DN/C/O/CN/L/ST [fast] +# # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast] # # acl aclname ext_user username ... # acl aclname ext_user_regex [-i] pattern ... @@ -675,7 +901,59 @@ # # use REQUIRED to accept any non-null user name. # # acl aclname tag tagvalue ... -# # string match on tag returned by external acl helper [slow] +# # string match on tag returned by external acl helper [fast] +# # DEPRECATED. Only the first tag will match with this ACL. +# # Use the 'note' ACL instead for handling multiple tag values. +# +# acl aclname hier_code codename ... +# # string match against squid hierarchy code(s); [fast] +# # e.g., DIRECT, PARENT_HIT, NONE, etc. +# # +# # NOTE: This has no effect in http_access rules. It only has +# # effect in rules that affect the reply data stream such as +# # http_reply_access. +# +# acl aclname note name [value ...] +# # match transaction annotation [fast] +# # Without values, matches any annotation with a given name. +# # With value(s), matches any annotation with a given name that +# # also has one of the given values. +# # Names and values are compared using a string equality test. +# # Annotation sources include note and adaptation_meta directives +# # as well as helper and eCAP responses. +# +# acl aclname adaptation_service service ... +# # Matches the name of any icap_service, ecap_service, +# # adaptation_service_set, or adaptation_service_chain that Squid +# # has used (or attempted to use) for the master transaction. +# # This ACL must be defined after the corresponding adaptation +# # service is named in squid.conf. This ACL is usable with +# # adaptation_meta because it starts matching immediately after +# # the service has been selected for adaptation. +# +# acl aclname any-of acl1 acl2 ... +# # match any one of the acls [fast or slow] +# # The first matching ACL stops further ACL evaluation. +# # +# # ACLs from multiple any-of lines with the same name are ORed. +# # For example, A = (a1 or a2) or (a3 or a4) can be written as +# # acl A any-of a1 a2 +# # acl A any-of a3 a4 +# # +# # This group ACL is fast if all evaluated ACLs in the group are fast +# # and slow otherwise. +# +# acl aclname all-of acl1 acl2 ... +# # match all of the acls [fast or slow] +# # The first mismatching ACL stops further ACL evaluation. +# # +# # ACLs from multiple all-of lines with the same name are ORed. +# # For example, B = (b1 and b2) or (b3 and b4) can be written as +# # acl B all-of b1 b2 +# # acl B all-of b3 b4 +# # +# # This group ACL is fast if all evaluated ACLs in the group are fast +# # and slow otherwise. # # Examples: # acl macaddress arp 09:00:2b:23:45:67 @@ -685,14 +963,11 @@ # acl javascript rep_mime_type -i ^application/x-javascript$ # #Default: -# acl all src all +# ACLs all, manager, localhost, and to_localhost are predefined. # # # Recommended minimum configuration: -# (now built-in) -#acl manager proto cache_object -#acl localhost src 127.0.0.1/32 ::1 -#acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1 +# # Example rule allowing access from your local networks. # Adapt to list your (internal) IP networks from where browsing @@ -716,39 +991,83 @@ acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT +# TAG: proxy_protocol_access +# Determine which client proxies can be trusted to provide correct +# information regarding real client IP address using PROXY protocol. +# +# Requests may pass through a chain of several other proxies +# before reaching us. The original source details may by sent in: +# * HTTP message Forwarded header, or +# * HTTP message X-Forwarded-For header, or +# * PROXY protocol connection header. +# +# This directive is solely for validating new PROXY protocol +# connections received from a port flagged with require-proxy-header. +# It is checked only once after TCP connection setup. +# +# A deny match results in TCP connection closure. +# +# An allow match is required for Squid to permit the corresponding +# TCP connection, before Squid even looks for HTTP request headers. +# If there is an allow match, Squid starts using PROXY header information +# to determine the source address of the connection for all future ACL +# checks, logging, etc. +# +# SECURITY CONSIDERATIONS: +# +# Any host from which we accept client IP details can place +# incorrect information in the relevant header, and Squid +# will use the incorrect information as if it were the +# source address of the request. This may enable remote +# hosts to bypass any access control restrictions that are +# based on the client's source addresses. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# all TCP connections to ports with require-proxy-header will be denied + # TAG: follow_x_forwarded_for -# Allowing or Denying the X-Forwarded-For header to be followed to -# find the original source of a request. +# Determine which client proxies can be trusted to provide correct +# information regarding real client IP address. # # Requests may pass through a chain of several other proxies -# before reaching us. The X-Forwarded-For header will contain a -# comma-separated list of the IP addresses in the chain, with the -# rightmost address being the most recent. +# before reaching us. The original source details may by sent in: +# * HTTP message Forwarded header, or +# * HTTP message X-Forwarded-For header, or +# * PROXY protocol connection header. +# +# PROXY protocol connections are controlled by the proxy_protocol_access +# directive which is checked before this. # # If a request reaches us from a source that is allowed by this -# configuration item, then we consult the X-Forwarded-For header -# to see where that host received the request from. If the -# X-Forwarded-For header contains multiple addresses, we continue -# backtracking until we reach an address for which we are not allowed -# to follow the X-Forwarded-For header, or until we reach the first -# address in the list. For the purpose of ACL used in the -# follow_x_forwarded_for directive the src ACL type always matches -# the address we are testing and srcdomain matches its rDNS. +# directive, then we trust the information it provides regarding +# the IP of the client it received from (if any). +# +# For the purpose of ACLs used in this directive the src ACL type always +# matches the address we are testing and srcdomain matches its rDNS. +# +# On each HTTP request Squid checks for X-Forwarded-For header fields. +# If found the header values are iterated in reverse order and an allow +# match is required for Squid to continue on to the next value. +# The verification ends when a value receives a deny match, cannot be +# tested, or there are no more values to test. +# NOTE: Squid does not yet follow the Forwarded HTTP header. # # The end result of this process is an IP address that we will # refer to as the indirect client address. This address may # be treated as the client address for access control, ICAP, delay # pools and logging, depending on the acl_uses_indirect_client, -# icap_uses_indirect_client, delay_pool_uses_indirect_client and -# log_uses_indirect_client options. +# icap_uses_indirect_client, delay_pool_uses_indirect_client, +# log_uses_indirect_client and tproxy_uses_indirect_client options. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # # SECURITY CONSIDERATIONS: # -# Any host for which we follow the X-Forwarded-For header -# can place incorrect information in the header, and Squid +# Any host from which we accept client IP details can place +# incorrect information in the relevant header, and Squid # will use the incorrect information as if it were the # source address of the request. This may enable remote # hosts to bypass any access control restrictions that are @@ -761,7 +1080,7 @@ acl CONNECT method CONNECT # follow_x_forwarded_for allow localhost # follow_x_forwarded_for allow my_other_proxy #Default: -# follow_x_forwarded_for deny all +# X-Forwarded-For header will be ignored. # TAG: acl_uses_indirect_client on|off # Controls whether the indirect client address @@ -787,10 +1106,41 @@ acl CONNECT method CONNECT #Default: # log_uses_indirect_client on +# TAG: tproxy_uses_indirect_client on|off +# Controls whether the indirect client address +# (see follow_x_forwarded_for) is used instead of the +# direct client address when spoofing the outgoing client. +# +# This has no effect on requests arriving in non-tproxy +# mode ports. +# +# SECURITY WARNING: Usage of this option is dangerous +# and should not be used trivially. Correct configuration +# of follow_x_forwarded_for with a limited set of trusted +# sources is required to prevent abuse of your proxy. +#Default: +# tproxy_uses_indirect_client off + +# TAG: spoof_client_ip +# Control client IP address spoofing of TPROXY traffic based on +# defined access lists. +# +# spoof_client_ip allow|deny [!]aclname ... +# +# If there are no "spoof_client_ip" lines present, the default +# is to "allow" spoofing of any suitable request. +# +# Note that the cache_peer "no-tproxy" option overrides this ACL. +# +# This clause supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Allow spoofing on all TPROXY traffic. + # TAG: http_access # Allowing or Denying access based on defined access lists # -# Access to the HTTP port: +# To allow or deny a message received on an HTTP, HTTPS, or FTP port: # http_access allow|deny [!]aclname ... # # NOTE on default values: @@ -809,22 +1159,22 @@ acl CONNECT method CONNECT # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # #Default: -# http_access deny all +# Deny, unless rules exist in squid.conf. # # # Recommended minimum Access Permission configuration: # -# Only allow cachemgr access from localhost -http_access allow manager localhost -http_access deny manager - # Deny requests to certain unsafe ports http_access deny !Safe_ports # Deny CONNECT to other than secure SSL ports http_access deny CONNECT !SSL_ports +# Only allow cachemgr access from localhost +http_access allow localhost manager +http_access deny manager + # We strongly recommend the following be uncommented to protect innocent # web applications running on the proxy server who think the only # one who can access services on "localhost" is a local user @@ -852,7 +1202,7 @@ http_access deny all # # If not set then only http_access is used. #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: http_reply_access # Allow replies to client requests. This is complementary to http_access. @@ -860,7 +1210,7 @@ http_access deny all # http_reply_access allow|deny [!] aclname ... # # NOTE: if there are no access lines present, the default is to allow -# all replies +# all replies. # # If none of the access lines cause a match the opposite of the # last line will apply. Thus it is good practice to end the rules @@ -869,7 +1219,7 @@ http_access deny all # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: icp_access # Allowing or Denying access to the ICP port based on defined @@ -877,7 +1227,9 @@ http_access deny all # # icp_access allow|deny [!]aclname ... # -# See http_access for details +# NOTE: The default if no icp_access lines are present is to +# deny all traffic. This default may cause problems with peers +# using ICP. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. @@ -886,7 +1238,7 @@ http_access deny all ##icp_access allow localnet ##icp_access deny all #Default: -# icp_access deny all +# Deny, unless rules exist in squid.conf. # TAG: htcp_access # Allowing or Denying access to the HTCP port based on defined @@ -894,11 +1246,12 @@ http_access deny all # # htcp_access allow|deny [!]aclname ... # -# See http_access for details +# See also htcp_clr_access for details on access control for +# cache purge (CLR) HTCP messages. # # NOTE: The default if no htcp_access lines are present is to # deny all traffic. This default may cause problems with peers -# using the htcp or htcp-oldsquid options. +# using the htcp option. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. @@ -907,48 +1260,47 @@ http_access deny all ##htcp_access allow localnet ##htcp_access deny all #Default: -# htcp_access deny all +# Deny, unless rules exist in squid.conf. # TAG: htcp_clr_access # Allowing or Denying access to purge content using HTCP based -# on defined access lists +# on defined access lists. +# See htcp_access for details on general HTCP access control. # # htcp_clr_access allow|deny [!]aclname ... # -# See http_access for details -# # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # ## Allow HTCP CLR requests from trusted peers -#acl htcp_clr_peer src 172.16.1.2 +#acl htcp_clr_peer src 192.0.2.2 2001:DB8::2 #htcp_clr_access allow htcp_clr_peer +#htcp_clr_access deny all #Default: -# htcp_clr_access deny all +# Deny, unless rules exist in squid.conf. # TAG: miss_access -# Determins whether network access is permitted when satisfying a request. +# Determines whether network access is permitted when satisfying a request. # # For example; # to force your neighbors to use you as a sibling instead of # a parent. # -# acl localclients src 172.16.0.0/16 -# miss_access allow localclients +# acl localclients src 192.0.2.0/24 2001:DB8::a:0/64 # miss_access deny !localclients +# miss_access allow all # # This means only your local clients are allowed to fetch relayed/MISS # replies from the network and all other clients can only fetch cached # objects (HITs). # -# # The default for this setting allows all clients who passed the # http_access rules to relay via this proxy. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# miss_access allow all +# Allow, unless rules exist in squid.conf. # TAG: ident_lookup_access # A list of ACL elements which, if matched, cause an ident @@ -972,7 +1324,7 @@ http_access deny all # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# ident_lookup_access deny all +# Unless rules exist in squid.conf, IDENT is not fetched. # TAG: reply_body_max_size size [acl acl...] # This option specifies the maximum size of a reply body. It can be @@ -1009,23 +1361,22 @@ http_access deny all # reply_body_max_size 10 MB # #Default: -# none +# No limit is applied. # NETWORK OPTIONS # ----------------------------------------------------------------------------- # TAG: http_port -# Usage: port [options] -# hostname:port [options] -# 1.2.3.4:port [options] +# Usage: port [mode] [options] +# hostname:port [mode] [options] +# 1.2.3.4:port [mode] [options] # # The socket addresses where Squid will listen for HTTP client # requests. You may specify multiple socket addresses. # There are three forms: port alone, hostname with port, and # IP address with port. If you specify a hostname or IP # address, Squid binds the socket to that specific -# address. This replaces the old 'tcp_incoming_address' -# option. Most likely, you do not need to bind to a specific +# address. Most likely, you do not need to bind to a specific # address, so you can use the port number alone. # # If you are running Squid in accelerator mode, you @@ -1037,48 +1388,184 @@ http_access deny all # # You may specify multiple socket addresses on multiple lines. # -# Options: +# Modes: # -# intercept Support for IP-Layer interception of -# outgoing requests without browser settings. -# NP: disables authentication and IPv6 on the port. +# intercept Support for IP-Layer NAT interception delivering +# traffic to this Squid port. +# NP: disables authentication on the port. # -# tproxy Support Linux TPROXY for spoofing outgoing -# connections using the client IP address. -# NP: disables authentication and maybe IPv6 on the port. +# tproxy Support Linux TPROXY (or BSD divert-to) with spoofing +# of outgoing connections using the client IP address. +# NP: disables authentication on the port. # -# accel Accelerator mode. Also needs at least one of -# vhost / vport / defaultsite. +# accel Accelerator / reverse proxy mode # -# allow-direct Allow direct forwarding in accelerator mode. Normally -# accelerated requests are denied direct forwarding as if -# never_direct was used. +# ssl-bump For each CONNECT request allowed by ssl_bump ACLs, +# establish secure connection with the client and with +# the server, decrypt HTTPS messages as they pass through +# Squid, and treat them as unencrypted HTTP messages, +# becoming the man-in-the-middle. # -# defaultsite=domainname -# What to use for the Host: header if it is not present -# in a request. Determines what site (not origin server) -# accelerators should consider the default. -# Implies accel. +# The ssl_bump option is required to fully enable +# bumping of CONNECT requests. +# +# Omitting the mode flag causes default forward proxy mode to be used. +# +# +# Accelerator Mode Options: +# +# defaultsite=domainname +# What to use for the Host: header if it is not present +# in a request. Determines what site (not origin server) +# accelerators should consider the default. # -# vhost Accelerator mode using Host header for virtual domain support. -# Also uses the port as specified in Host: header unless -# overridden by the vport option. Implies accel. +# no-vhost Disable using HTTP/1.1 Host header for virtual domain support. +# +# protocol= Protocol to reconstruct accelerated and intercepted +# requests with. Defaults to HTTP/1.1 for http_port and +# HTTPS/1.1 for https_port. +# When an unsupported value is configured Squid will +# produce a FATAL error. +# Values: HTTP or HTTP/1.1, HTTPS or HTTPS/1.1 # # vport Virtual host port support. Using the http_port number -# instead of the port passed on Host: headers. Implies accel. +# instead of the port passed on Host: headers. # # vport=NN Virtual host port support. Using the specified port # number instead of the port passed on Host: headers. -# Implies accel. # -# protocol= Protocol to reconstruct accelerated requests with. -# Defaults to http. +# act-as-origin +# Act as if this Squid is the origin server. +# This currently means generate new Date: and Expires: +# headers on HIT instead of adding Age:. # # ignore-cc Ignore request Cache-Control headers. # -# Warning: This option violates HTTP specifications if +# WARNING: This option violates HTTP specifications if # used in non-accelerator setups. # +# allow-direct Allow direct forwarding in accelerator mode. Normally +# accelerated requests are denied direct forwarding as if +# never_direct was used. +# +# WARNING: this option opens accelerator mode to security +# vulnerabilities usually only affecting in interception +# mode. Make sure to protect forwarding with suitable +# http_access rules when using this. +# +# +# SSL Bump Mode Options: +# In addition to these options ssl-bump requires TLS/SSL options. +# +# generate-host-certificates[=] +# Dynamically create SSL server certificates for the +# destination hosts of bumped CONNECT requests.When +# enabled, the cert and key options are used to sign +# generated certificates. Otherwise generated +# certificate will be selfsigned. +# If there is a CA certificate lifetime of the generated +# certificate equals lifetime of the CA certificate. If +# generated certificate is selfsigned lifetime is three +# years. +# This option is disabled by default. See the ssl-bump +# option above for more information. +# +# dynamic_cert_mem_cache_size=SIZE +# Approximate total RAM size spent on cached generated +# certificates. If set to zero, caching is disabled. +# +# TLS / SSL Options: +# +# cert= Path to SSL certificate (PEM format). +# +# key= Path to SSL private key file (PEM format) +# if not specified, the certificate file is +# assumed to be a combined certificate and +# key file. +# +# version= The version of SSL/TLS supported +# 1 automatic (default) +# 2 SSLv2 only +# 3 SSLv3 only +# 4 TLSv1.0 only +# 5 TLSv1.1 only +# 6 TLSv1.2 only +# +# cipher= Colon separated list of supported ciphers. +# NOTE: some ciphers such as EDH ciphers depend on +# additional settings. If those settings are +# omitted the ciphers may be silently ignored +# by the OpenSSL library. +# +# options= Various SSL implementation options. The most important +# being: +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# SINGLE_DH_USE Always create a new key when using +# temporary/ephemeral DH key exchanges +# NO_TICKET Disables TLS tickets extension +# +# SINGLE_ECDH_USE +# Enable ephemeral ECDH key exchange. +# The adopted curve should be specified +# using the tls-dh option. +# +# ALL Enable various bug workarounds +# suggested as "harmless" by OpenSSL +# Be warned that this reduces SSL/TLS +# strength to some attacks. +# See OpenSSL SSL_CTX_set_options documentation for a +# complete list of options. +# +# clientca= File containing the list of CAs to use when +# requesting a client certificate. +# +# cafile= File containing additional CA certificates to +# use when verifying client certificates. If unset +# clientca will be used. +# +# capath= Directory containing additional CA certificates +# and CRL lists to use when verifying client certificates. +# +# crlfile= File of additional CRL lists to use when verifying +# the client certificate, in addition to CRLs stored in +# the capath. Implies VERIFY_CRL flag below. +# +# tls-dh=[curve:]file +# File containing DH parameters for temporary/ephemeral DH key +# exchanges, optionally prefixed by a curve for ephemeral ECDH +# key exchanges. +# See OpenSSL documentation for details on how to create the +# DH parameter file. Supported curves for ECDH can be listed +# using the "openssl ecparam -list_curves" command. +# WARNING: EDH and EECDH ciphers will be silently disabled if +# this option is not set. +# +# sslflags= Various flags modifying the use of SSL: +# DELAYED_AUTH +# Don't request client certificates +# immediately, but wait until acl processing +# requires a certificate (not yet implemented). +# NO_DEFAULT_CA +# Don't use the default CA lists built in +# to OpenSSL. +# NO_SESSION_REUSE +# Don't allow for session reuse. Each connection +# will result in a new SSL session. +# VERIFY_CRL +# Verify CRL lists when accepting client +# certificates. +# VERIFY_CRL_ALL +# Verify CRL lists for all certificates in the +# client certificate chain. +# +# sslcontext= SSL session ID context identifier. +# +# Other Options: +# # connection-auth[=on|off] # use connection-auth=off to tell Squid to prevent # forwarding Microsoft connection oriented authentication @@ -1100,22 +1587,6 @@ http_access deny all # sporadically hang or never complete requests set # disable-pmtu-discovery option to 'transparent'. # -# ssl-bump Intercept each CONNECT request matching ssl_bump ACL, -# establish secure connection with the client and with -# the server, decrypt HTTP messages as they pass through -# Squid, and treat them as unencrypted HTTP messages, -# becoming the man-in-the-middle. -# -# When this option is enabled, additional options become -# available to specify SSL-related properties of the -# client-side connection: cert, key, version, cipher, -# options, clientca, cafile, capath, crlfile, dhparams, -# sslflags, and sslcontext. See the https_port directive -# for more information on these options. -# -# The ssl_bump option is required to fully enable -# the SslBump feature. -# # name= Specifies a internal name for the port. Defaults to # the port specification (port or addr:port) # @@ -1125,6 +1596,11 @@ http_access deny all # probing the connection, interval how often to probe, and # timeout the time before giving up. # +# require-proxy-header +# Require PROXY protocol version 1 or 2 connections. +# The proxy_protocol_access is required to whitelist +# downstream proxies which can be trusted. +# # If you run Squid on a dual-homed machine with an internal # and an external interface we recommend you to specify the # internal address:port in http_port. This way Squid will only be @@ -1137,35 +1613,49 @@ http_port 3128 # TAG: https_port # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # -# Usage: [ip:]port cert=certificate.pem [key=key.pem] [options...] +# Usage: [ip:]port cert=certificate.pem [key=key.pem] [mode] [options...] # -# The socket address where Squid will listen for HTTPS client -# requests. +# The socket address where Squid will listen for client requests made +# over TLS or SSL connections. Commonly referred to as HTTPS. # -# This is really only useful for situations where you are running -# squid in accelerator mode and you want to do the SSL work at the -# accelerator level. +# This is most useful for situations where you are running squid in +# accelerator mode and you want to do the SSL work at the accelerator level. # # You may specify multiple socket addresses on multiple lines, # each with their own SSL certificate and/or options. # -# Options: +# Modes: +# +# accel Accelerator / reverse proxy mode +# +# intercept Support for IP-Layer interception of +# outgoing requests without browser settings. +# NP: disables authentication and IPv6 on the port. +# +# tproxy Support Linux TPROXY for spoofing outgoing +# connections using the client IP address. +# NP: disables authentication and maybe IPv6 on the port. +# +# ssl-bump For each intercepted connection allowed by ssl_bump +# ACLs, establish a secure connection with the client and with +# the server, decrypt HTTPS messages as they pass through +# Squid, and treat them as unencrypted HTTP messages, +# becoming the man-in-the-middle. +# +# An "ssl_bump server-first" match is required to +# fully enable bumping of intercepted SSL connections. +# +# Requires tproxy or intercept. # -# accel Accelerator mode. Also needs at least one of -# defaultsite or vhost. +# Omitting the mode flag causes default forward proxy mode to be used. # -# defaultsite= The name of the https site presented on -# this port. Implies accel. # -# vhost Accelerator mode using Host header for virtual -# domain support. Requires a wildcard certificate -# or other certificate valid for more than one domain. -# Implies accel. +# See http_port for a list of generic options # -# protocol= Protocol to reconstruct accelerated requests with. -# Defaults to https. +# +# SSL Options: # # cert= Path to SSL certificate (PEM format). # @@ -1181,20 +1671,23 @@ http_port 3128 # 4 TLSv1 only # # cipher= Colon separated list of supported ciphers. -# NOTE: some ciphers such as EDH ciphers depend on -# additional settings. If those settings are -# omitted the ciphers may be silently ignored -# by the OpenSSL library. # # options= Various SSL engine options. The most important # being: # NO_SSLv2 Disallow the use of SSLv2 # NO_SSLv3 Disallow the use of SSLv3 # NO_TLSv1 Disallow the use of TLSv1 +# # SINGLE_DH_USE Always create a new key when using # temporary/ephemeral DH key exchanges -# See OpenSSL SSL_CTX_set_options documentation for a -# complete list of options. +# +# SINGLE_ECDH_USE +# Enable ephemeral ECDH key exchange. +# The adopted curve should be specified +# using the tls-dh option. +# +# See src/ssl_support.c or OpenSSL SSL_CTX_set_options +# documentation for a complete list of options. # # clientca= File containing the list of CAs to use when # requesting a client certificate. @@ -1210,11 +1703,10 @@ http_port 3128 # the client certificate, in addition to CRLs stored in # the capath. Implies VERIFY_CRL flag below. # -# dhparams= File containing DH parameters for temporary/ephemeral -# DH key exchanges. See OpenSSL documentation for details -# on how to create this file. -# WARNING: EDH ciphers will be silently disabled if this -# option is not set. +# tls-dh=[curve:]file +# File containing DH parameters for temporary/ephemeral DH key +# exchanges, optionally prefixed by a curve for ephemeral ECDH +# key exchanges. # # sslflags= Various flags modifying the use of SSL: # DELAYED_AUTH @@ -1238,38 +1730,89 @@ http_port 3128 # # generate-host-certificates[=] # Dynamically create SSL server certificates for the -# destination hosts of bumped CONNECT requests.When +# destination hosts of bumped SSL requests.When # enabled, the cert and key options are used to sign # generated certificates. Otherwise generated # certificate will be selfsigned. -# If there is CA certificate life time of generated +# If there is CA certificate life time of generated # certificate equals lifetime of CA certificate. If -# generated certificate is selfsigned lifetime is three +# generated certificate is selfsigned lifetime is three # years. -# This option is enabled by default when SslBump is used. -# See the sslBump option above for more information. -# +# This option is disabled by default. See the ssl-bump +# option above for more information. +# # dynamic_cert_mem_cache_size=SIZE # Approximate total RAM size spent on cached generated -# certificates. If set to zero, caching is disabled. The -# default value is 4MB. An average XXX-bit certificate -# consumes about XXX bytes of RAM. +# certificates. If set to zero, caching is disabled. # -# vport Accelerator with IP based virtual host support. +# See http_port for a list of available options. +#Default: +# none + +# TAG: ftp_port +# Enables Native FTP proxy by specifying the socket address where Squid +# listens for FTP client requests. See http_port directive for various +# ways to specify the listening address and mode. # -# vport=NN As above, but uses specified port number rather -# than the https_port number. Implies accel. +# Usage: ftp_port address [mode] [options] # -# name= Specifies a internal name for the port. Defaults to -# the port specification (port or addr:port) +# WARNING: This is a new, experimental, complex feature that has seen +# limited production exposure. Some Squid modules (e.g., caching) do not +# currently work with native FTP proxying, and many features have not +# even been tested for compatibility. Test well before deploying! +# +# Native FTP proxying differs substantially from proxying HTTP requests +# with ftp:// URIs because Squid works as an FTP server and receives +# actual FTP commands (rather than HTTP requests with FTP URLs). # +# Native FTP commands accepted at ftp_port are internally converted or +# wrapped into HTTP-like messages. The same happens to Native FTP +# responses received from FTP origin servers. Those HTTP-like messages +# are shoveled through regular access control and adaptation layers +# between the FTP client and the FTP origin server. This allows Squid to +# examine, adapt, block, and log FTP exchanges. Squid reuses most HTTP +# mechanisms when shoveling wrapped FTP messages. For example, +# http_access and adaptation_access directives are used. +# +# Modes: +# +# intercept Same as http_port intercept. The FTP origin address is +# determined based on the intended destination of the +# intercepted connection. +# +# tproxy Support Linux TPROXY for spoofing outgoing +# connections using the client IP address. +# NP: disables authentication and maybe IPv6 on the port. +# +# By default (i.e., without an explicit mode option), Squid extracts the +# FTP origin address from the login@origin parameter of the FTP USER +# command. Many popular FTP clients support such native FTP proxying. +# +# Options: +# +# name=token Specifies an internal name for the port. Defaults to +# the port address. Usable with myportname ACL. +# +# ftp-track-dirs +# Enables tracking of FTP directories by injecting extra +# PWD commands and adjusting Request-URI (in wrapping +# HTTP requests) to reflect the current FTP server +# directory. Tracking is disabled by default. +# +# protocol=FTP Protocol to reconstruct accelerated and intercepted +# requests with. Defaults to FTP. No other accepted +# values have been tested with. An unsupported value +# results in a FATAL error. Accepted values are FTP, +# HTTP (or HTTP/1.1), and HTTPS (or HTTPS/1.1). +# +# Other http_port modes and options that are not specific to HTTP and +# HTTPS may also work. #Default: # none # TAG: tcp_outgoing_tos -# Allows you to select a TOS/Diffserv value to mark outgoing -# connections with, based on the username or source address -# making the request. +# Allows you to select a TOS/Diffserv value for packets outgoing +# on the server side, based on an ACL. # # tcp_outgoing_tos ds-field [!]aclname ... # @@ -1286,41 +1829,116 @@ http_port 3128 # RFC2475, and RFC3260. # # The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or -# "default" to use whatever default your host has. Note that in -# practice often only multiples of 4 is usable as the two rightmost bits -# have been redefined for use by ECN (RFC 3168 section 23.1). +# "default" to use whatever default your host has. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. # # Processing proceeds in the order specified, and stops at first fully # matching line. # -# Note: The use of this directive using client dependent ACLs is -# incompatible with the use of server side persistent connections. To -# ensure correct results it is best to set server_persistent_connections -# to off when using this directive in such configurations. +# Only fast ACLs are supported. #Default: # none # TAG: clientside_tos -# Allows you to select a TOS/Diffserv value to mark client-side -# connections with, based on the username or source address -# making the request. +# Allows you to select a TOS/DSCP value for packets being transmitted +# on the client-side, based on an ACL. +# +# clientside_tos ds-field [!]aclname ... +# +# Example where normal_service_net uses the TOS value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# clientside_tos 0x00 normal_service_net +# clientside_tos 0x20 good_service_net +# +# Note: This feature is incompatible with qos_flows. Any TOS values set here +# will be overwritten by TOS values in qos_flows. +# +# The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or +# "default" to use whatever default your host has. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. +# +#Default: +# none + +# TAG: tcp_outgoing_mark +# Note: This option is only available if Squid is rebuilt with the +# Packet MARK (Linux) +# +# Allows you to apply a Netfilter mark value to outgoing packets +# on the server side, based on an ACL. +# +# tcp_outgoing_mark mark-value [!]aclname ... +# +# Example where normal_service_net uses the mark value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# tcp_outgoing_mark 0x00 normal_service_net +# tcp_outgoing_mark 0x20 good_service_net +# +# Only fast ACLs are supported. +#Default: +# none + +# TAG: clientside_mark +# Note: This option is only available if Squid is rebuilt with the +# Packet MARK (Linux) +# +# Allows you to apply a Netfilter mark value to packets being transmitted +# on the client-side, based on an ACL. +# +# clientside_mark mark-value [!]aclname ... +# +# Example where normal_service_net uses the mark value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# clientside_mark 0x00 normal_service_net +# clientside_mark 0x20 good_service_net +# +# Note: This feature is incompatible with qos_flows. Any mark values set here +# will be overwritten by mark values in qos_flows. #Default: # none # TAG: qos_flows # Allows you to select a TOS/DSCP value to mark outgoing -# connections with, based on where the reply was sourced. +# connections to the client, based on where the reply was sourced. +# For platforms using netfilter, allows you to set a netfilter mark +# value instead of, or in addition to, a TOS value. +# +# By default this functionality is disabled. To enable it with the default +# settings simply use "qos_flows mark" or "qos_flows tos". Default +# settings will result in the netfilter mark or TOS value being copied +# from the upstream connection to the client. Note that it is the connection +# CONNMARK value not the packet MARK value that is copied. +# +# It is not currently possible to copy the mark or TOS value from the +# client to the upstream connection request. # # TOS values really only have local significance - so you should # know what you're specifying. For more information, see RFC2474, # RFC2475, and RFC3260. # -# The TOS/DSCP byte must be exactly that - octet value 0x00-0xFF. -# Note that in practice often only values up to 0x3F are usable -# as the two highest bits have been redefined for use by ECN -# (RFC3168). +# The TOS/DSCP byte must be exactly that - a octet value 0 - 255. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. +# +# Mark values can be any unsigned 32-bit integer value. # -# This setting is configured by setting the source TOS values: +# This setting is configured by setting the following values: +# +# tos|mark Whether to set TOS or netfilter mark values # # local-hit=0xFF Value to mark local cache hits. # @@ -1328,23 +1946,37 @@ http_port 3128 # # parent-hit=0xFF Value to mark hits from parent peers. # +# miss=0xFF[/mask] Value to mark cache misses. Takes precedence +# over the preserve-miss feature (see below), unless +# mask is specified, in which case only the bits +# specified in the mask are written. # -# NOTE: 'miss' preserve feature is only possible on Linux at this time. -# -# For the following to work correctly, you will need to patch your -# linux kernel with the TOS preserving ZPH patch. -# The kernel patch can be downloaded from http://zph.bratcheda.org +# The TOS variant of the following features are only possible on Linux +# and require your kernel to be patched with the TOS preserving ZPH +# patch, available from http://zph.bratcheda.org +# No patch is needed to preserve the netfilter mark, which will work +# with all variants of netfilter. # # disable-preserve-miss -# By default, the existing TOS value of the response coming -# from the remote server will be retained and masked with -# miss-mark. This option disables that feature. +# This option disables the preservation of the TOS or netfilter +# mark. By default, the existing TOS or netfilter mark value of +# the response coming from the remote server will be retained +# and masked with miss-mark. +# NOTE: in the case of a netfilter mark, the mark must be set on +# the connection (using the CONNMARK target) not on the packet +# (MARK target). # # miss-mask=0xFF -# Allows you to mask certain bits in the TOS received from the -# remote server, before copying the value to the TOS sent -# towards clients. -# Default: 0xFF (TOS from server is not changed). +# Allows you to mask certain bits in the TOS or mark value +# received from the remote server, before copying the value to +# the TOS sent towards clients. +# Default for tos: 0xFF (TOS from server is not changed). +# Default for mark: 0xFFFFFFFF (mark from server is not changed). +# +# All of these features require the --enable-zph-qos compilation flag +# (enabled by default). Netfilter marking also requires the +# libnetfilter_conntrack libraries (--with-netfilter-conntrack) and +# libcap 2.09+ (--with-libcap). # #Default: # none @@ -1356,72 +1988,133 @@ http_port 3128 # # tcp_outgoing_address ipaddr [[!]aclname] ... # -# Example where requests from 10.0.0.0/24 will be forwarded -# with source address 10.1.0.1, 10.0.2.0/24 forwarded with -# source address 10.1.0.2 and the rest will be forwarded with -# source address 10.1.0.3. -# -# acl normal_service_net src 10.0.0.0/24 -# acl good_service_net src 10.0.2.0/24 -# tcp_outgoing_address 10.1.0.1 normal_service_net -# tcp_outgoing_address 10.1.0.2 good_service_net -# tcp_outgoing_address 10.1.0.3 -# -# Processing proceeds in the order specified, and stops at first fully -# matching line. -# -# Note: The use of this directive using client dependent ACLs is -# incompatible with the use of server side persistent connections. To -# ensure correct results it is best to set server_persistent_connections -# to off when using this directive in such configurations. -# +# For example; +# Forwarding clients with dedicated IPs for certain subnets. # -# IPv6 Magic: +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.2.0/24 # -# Squid is built with a capability of bridging the IPv4 and IPv6 -# internets. -# tcp_outgoing_address as exampled above breaks this bridging by forcing -# all outbound traffic through a certain IPv4 which may be on the wrong -# side of the IPv4/IPv6 boundary. +# tcp_outgoing_address 2001:db8::c001 good_service_net +# tcp_outgoing_address 10.1.0.2 good_service_net # -# To operate with tcp_outgoing_address and keep the bridging benefits -# an additional ACL needs to be used which ensures the IPv6-bound traffic -# is never forced or permitted out the IPv4 interface. +# tcp_outgoing_address 2001:db8::beef normal_service_net +# tcp_outgoing_address 10.1.0.1 normal_service_net # -# # IPv6 destination test along with a dummy access control to perform the required DNS -# # This MUST be place before any ALLOW rules. -# acl to_ipv6 dst ipv6 -# http_access deny ipv6 !all +# tcp_outgoing_address 2001:db8::1 +# tcp_outgoing_address 10.1.0.3 # -# tcp_outgoing_address 2001:db8::c001 good_service_net to_ipv6 -# tcp_outgoing_address 10.1.0.2 good_service_net !to_ipv6 +# Processing proceeds in the order specified, and stops at first fully +# matching line. # -# tcp_outgoing_address 2001:db8::beef normal_service_net to_ipv6 -# tcp_outgoing_address 10.1.0.1 normal_service_net !to_ipv6 +# Squid will add an implicit IP version test to each line. +# Requests going to IPv4 websites will use the outgoing 10.1.0.* addresses. +# Requests going to IPv6 websites will use the outgoing 2001:db8:* addresses. # -# tcp_outgoing_address 2001:db8::1 to_ipv6 -# tcp_outgoing_address 10.1.0.3 !to_ipv6 # -# WARNING: -# 'dst ipv6' bases its selection assuming DIRECT access. -# If peers are used the peername ACL are needed to select outgoing -# address which can link to the peer. +# NOTE: The use of this directive using client dependent ACLs is +# incompatible with the use of server side persistent connections. To +# ensure correct results it is best to set server_persistent_connections +# to off when using this directive in such configurations. # -# 'dst ipv6' is a slow ACL. It will only work here if 'dst' is used -# previously in the http_access rules to locate the destination IP. -# Some more magic may be needed for that: -# http_access allow to_ipv6 !all -# (meaning, allow if to IPv6 but not from anywhere ;) +# NOTE: The use of this directive to set a local IP on outgoing TCP links +# is incompatible with using TPROXY to set client IP out outbound TCP links. +# When needing to contact peers use the no-tproxy cache_peer option and the +# client_dst_passthru directive re-enable normal forwarding such as this. # #Default: -# none +# Address selection is performed by the operating system. + +# TAG: host_verify_strict +# Regardless of this option setting, when dealing with intercepted +# traffic, Squid always verifies that the destination IP address matches +# the Host header domain or IP (called 'authority form URL'). +# +# This enforcement is performed to satisfy a MUST-level requirement in +# RFC 2616 section 14.23: "The Host field value MUST represent the naming +# authority of the origin server or gateway given by the original URL". +# +# When set to ON: +# Squid always responds with an HTTP 409 (Conflict) error +# page and logs a security warning if there is no match. +# +# Squid verifies that the destination IP address matches +# the Host header for forward-proxy and reverse-proxy traffic +# as well. For those traffic types, Squid also enables the +# following checks, comparing the corresponding Host header +# and Request-URI components: +# +# * The host names (domain or IP) must be identical, +# but valueless or missing Host header disables all checks. +# For the two host names to match, both must be either IP +# or FQDN. +# +# * Port numbers must be identical, but if a port is missing +# the scheme-default port is assumed. +# +# +# When set to OFF (the default): +# Squid allows suspicious requests to continue but logs a +# security warning and blocks caching of the response. +# +# * Forward-proxy traffic is not checked at all. +# +# * Reverse-proxy traffic is not checked at all. +# +# * Intercepted traffic which passes verification is handled +# according to client_dst_passthru. +# +# * Intercepted requests which fail verification are sent +# to the client original destination instead of DIRECT. +# This overrides 'client_dst_passthru off'. +# +# For now suspicious intercepted CONNECT requests are always +# responded to with an HTTP 409 (Conflict) error page. +# +# +# SECURITY NOTE: +# +# As described in CVE-2009-0801 when the Host: header alone is used +# to determine the destination of a request it becomes trivial for +# malicious scripts on remote websites to bypass browser same-origin +# security policy and sandboxing protections. +# +# The cause of this is that such applets are allowed to perform their +# own HTTP stack, in which case the same-origin policy of the browser +# sandbox only verifies that the applet tries to contact the same IP +# as from where it was loaded at the IP level. The Host: header may +# be different from the connected IP and approved origin. +# +#Default: +# host_verify_strict off + +# TAG: client_dst_passthru +# With NAT or TPROXY intercepted traffic Squid may pass the request +# directly to the original client destination IP or seek a faster +# source using the HTTP Host header. +# +# Using Host to locate alternative servers can provide faster +# connectivity with a range of failure recovery options. +# But can also lead to connectivity trouble when the client and +# server are attempting stateful interactions unaware of the proxy. +# +# This option (on by default) prevents alternative DNS entries being +# located to send intercepted traffic DIRECT to an origin server. +# The clients original destination IP and port will be used instead. +# +# Regardless of this option setting, when dealing with intercepted +# traffic Squid will verify the Host: header and any traffic which +# fails Host verification will be treated as if this option were ON. +# +# see host_verify_strict for details on the verification process. +#Default: +# client_dst_passthru on # SSL OPTIONS # ----------------------------------------------------------------------------- # TAG: ssl_unclean_shutdown # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Some browsers (especially MSIE) bugs out on SSL shutdown # messages. @@ -1430,7 +2123,7 @@ http_port 3128 # TAG: ssl_engine # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # The OpenSSL engine to use. You will need to set this if you # would like to use hardware SSL acceleration for example. @@ -1439,7 +2132,7 @@ http_port 3128 # TAG: sslproxy_client_certificate # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Client SSL Certificate to use when proxying https:// URLs #Default: @@ -1447,7 +2140,7 @@ http_port 3128 # TAG: sslproxy_client_key # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Client SSL Key to use when proxying https:// URLs #Default: @@ -1455,36 +2148,60 @@ http_port 3128 # TAG: sslproxy_version # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # SSL version level to use when proxying https:// URLs +# +# The versions of SSL/TLS supported: +# +# 1 automatic (default) +# 2 SSLv2 only +# 3 SSLv3 only +# 4 TLSv1.0 only +# 5 TLSv1.1 only +# 6 TLSv1.2 only #Default: -# sslproxy_version 1 +# automatic SSL/TLS version negotiation # TAG: sslproxy_options # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # -# SSL engine options to use when proxying https:// URLs +# Colon (:) or comma (,) separated list of SSL implementation options +# to use when proxying https:// URLs # # The most important being: # -# NO_SSLv2 Disallow the use of SSLv2 -# NO_SSLv3 Disallow the use of SSLv3 -# NO_TLSv1 Disallow the use of TLSv1 -# SINGLE_DH_USE -# Always create a new key when using -# temporary/ephemeral DH key exchanges +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# +# SINGLE_DH_USE +# Always create a new key when using temporary/ephemeral +# DH key exchanges +# +# NO_TICKET +# Disable use of RFC5077 session tickets. Some servers +# may have problems understanding the TLS extension due +# to ambiguous specification in RFC4507. +# +# ALL Enable various bug workarounds suggested as "harmless" +# by OpenSSL. Be warned that this may reduce SSL/TLS +# strength to some attacks. # -# These options vary depending on your SSL engine. # See the OpenSSL SSL_CTX_set_options documentation for a # complete list of possible options. +# +# WARNING: This directive takes a single token. If a space is used +# the value(s) after that space are SILENTLY IGNORED. #Default: # none # TAG: sslproxy_cipher # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # SSL cipher list to use when proxying https:// URLs # @@ -1494,7 +2211,7 @@ http_port 3128 # TAG: sslproxy_cafile # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # file containing CA certificates to use when verifying server # certificates while proxying https:// URLs @@ -1503,45 +2220,151 @@ http_port 3128 # TAG: sslproxy_capath # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # directory containing CA certificates to use when verifying # server certificates while proxying https:// URLs #Default: # none -# TAG: ssl_bump +# TAG: sslproxy_session_ttl +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the timeout value for SSL sessions +#Default: +# sslproxy_session_ttl 300 + +# TAG: sslproxy_session_cache_size +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the cache size to use for ssl session +#Default: +# sslproxy_session_cache_size 2 MB + +# TAG: sslproxy_foreign_intermediate_certs # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # -# This ACL controls which CONNECT requests to an http_port -# marked with an sslBump flag are actually "bumped". Please -# see the sslBump flag of an http_port option for more details -# about decoding proxied SSL connections. +# Many origin servers fail to send their full server certificate +# chain for verification, assuming the client already has or can +# easily locate any missing intermediate certificates. # -# By default, no requests are bumped. +# Squid uses the certificates from the specified file to fill in +# these missing chains when trying to validate origin server +# certificate chains. +# +# The file is expected to contain zero or more PEM-encoded +# intermediate certificates. These certificates are not treated +# as trusted root certificates, and any self-signed certificate in +# this file will be ignored. +#Default: +# none + +# TAG: sslproxy_cert_sign_hash +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the hashing algorithm to use when signing generated certificates. +# Valid algorithm names depend on the OpenSSL library used. The following +# names are usually available: sha1, sha256, sha512, and md5. Please see +# your OpenSSL library manual for the available hashes. By default, Squids +# that support this option use sha256 hashes. +# +# Squid does not forcefully purge cached certificates that were generated +# with an algorithm other than the currently configured one. They remain +# in the cache, subject to the regular cache eviction policy, and become +# useful if the algorithm changes again. +#Default: +# none + +# TAG: ssl_bump +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# This option is consulted when a CONNECT request is received on +# an http_port (or a new connection is intercepted at an +# https_port), provided that port was configured with an ssl-bump +# flag. The subsequent data on the connection is either treated as +# HTTPS and decrypted OR tunneled at TCP level without decryption, +# depending on the first matching bumping "action". +# +# ssl_bump [!]acl ... +# +# The following bumping actions are currently supported: +# +# splice +# Become a TCP tunnel without decrypting proxied traffic. +# This is the default action. +# +# bump +# Establish a secure connection with the server and, using a +# mimicked server certificate, with the client. +# +# peek +# Receive client (step SslBump1) or server (step SslBump2) +# certificate while preserving the possibility of splicing the +# connection. Peeking at the server certificate (during step 2) +# usually precludes bumping of the connection at step 3. +# +# stare +# Receive client (step SslBump1) or server (step SslBump2) +# certificate while preserving the possibility of bumping the +# connection. Staring at the server certificate (during step 2) +# usually precludes splicing of the connection at step 3. +# +# terminate +# Close client and server connections. +# +# Backward compatibility actions available at step SslBump1: +# +# client-first +# Bump the connection. Establish a secure connection with the +# client first, then connect to the server. This old mode does +# not allow Squid to mimic server SSL certificate and does not +# work with intercepted SSL connections. +# +# server-first +# Bump the connection. Establish a secure connection with the +# server first, then establish a secure connection with the +# client, using a mimicked server certificate. Works with both +# CONNECT requests and intercepted SSL connections, but does +# not allow to make decisions based on SSL handshake info. +# +# peek-and-splice +# Decide whether to bump or splice the connection based on +# client-to-squid and server-to-squid SSL hello messages. +# XXX: Remove. +# +# none +# Same as the "splice" action. +# +# All ssl_bump rules are evaluated at each of the supported bumping +# steps. Rules with actions that are impossible at the current step are +# ignored. The first matching ssl_bump action wins and is applied at the +# end of the current step. If no rules match, the splice action is used. +# See the at_step ACL for a list of the supported SslBump steps. # -# See also: http_port ssl-bump -# # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # +# See also: http_port ssl-bump, https_port ssl-bump, and acl at_step. +# # -# # Example: Bump all requests except those originating from localhost and -# # those going to webax.com or example.com sites. +# # Example: Bump all TLS connections except those originating from +# # localhost or those going to example.com. # -# acl localhost src 127.0.0.1/32 -# acl broken_sites dstdomain .webax.com -# acl broken_sites dstdomain .example.com -# ssl_bump deny localhost -# ssl_bump deny broken_sites -# ssl_bump allow all +# acl broken_sites ssl::server_name .example.com +# ssl_bump splice localhost +# ssl_bump splice broken_sites +# ssl_bump bump all #Default: -# none +# Become a TCP tunnel without decrypting proxied traffic. # TAG: sslproxy_flags # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Various flags modifying the use of SSL while proxying https:// URLs: # DONT_VERIFY_PEER Accept certificates that fail verification. @@ -1553,16 +2376,16 @@ http_port 3128 # TAG: sslproxy_cert_error # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Use this ACL to bypass server certificate validation errors. # # For example, the following lines will bypass all validation errors -# when talking to servers located at 172.16.0.0/16. All other +# when talking to servers for example.com. All other # validation errors will result in ERR_SECURE_CONNECT_FAIL error. # -# acl BrokenServersAtTrustedIP dst 172.16.0.0/16 -# sslproxy_cert_error allow BrokenServersAtTrustedIP +# acl BrokenButTrustedServers dstdomain example.com +# sslproxy_cert_error allow BrokenButTrustedServers # sslproxy_cert_error deny all # # This clause only supports fast acl types. @@ -1570,19 +2393,107 @@ http_port 3128 # Using slow acl types may result in server crashes # # Without this option, all server certificate validation errors -# terminate the transaction. Bypassing validation errors is dangerous -# because an error usually implies that the server cannot be trusted and -# the connection may be insecure. +# terminate the transaction to protect Squid and the client. +# +# SQUID_X509_V_ERR_INFINITE_VALIDATION error cannot be bypassed +# but should not happen unless your OpenSSL library is buggy. +# +# SECURITY WARNING: +# Bypassing validation errors is dangerous because an +# error usually implies that the server cannot be trusted +# and the connection may be insecure. # # See also: sslproxy_flags and DONT_VERIFY_PEER. +#Default: +# Server certificate errors terminate the transaction. + +# TAG: sslproxy_cert_sign +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# # -# Default setting: sslproxy_cert_error deny all +# sslproxy_cert_sign acl ... +# +# The following certificate signing algorithms are supported: +# +# signTrusted +# Sign using the configured CA certificate which is usually +# placed in and trusted by end-user browsers. This is the +# default for trusted origin server certificates. +# +# signUntrusted +# Sign to guarantee an X509_V_ERR_CERT_UNTRUSTED browser error. +# This is the default for untrusted origin server certificates +# that are not self-signed (see ssl::certUntrusted). +# +# signSelf +# Sign using a self-signed certificate with the right CN to +# generate a X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT error in the +# browser. This is the default for self-signed origin server +# certificates (see ssl::certSelfSigned). +# +# This clause only supports fast acl types. +# +# When sslproxy_cert_sign acl(s) match, Squid uses the corresponding +# signing algorithm to generate the certificate and ignores all +# subsequent sslproxy_cert_sign options (the first match wins). If no +# acl(s) match, the default signing algorithm is determined by errors +# detected when obtaining and validating the origin server certificate. +# +# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can +# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a +# CONNECT request that carries a domain name. In all other cases (CONNECT +# to an IP address or an intercepted SSL connection), Squid cannot detect +# the domain mismatch at certificate generation time when +# bump-server-first is used. +#Default: +# none + +# TAG: sslproxy_cert_adapt +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# +# sslproxy_cert_adapt acl ... +# +# The following certificate adaptation algorithms are supported: +# +# setValidAfter +# Sets the "Not After" property to the "Not After" property of +# the CA certificate used to sign generated certificates. +# +# setValidBefore +# Sets the "Not Before" property to the "Not Before" property of +# the CA certificate used to sign generated certificates. +# +# setCommonName or setCommonName{CN} +# Sets Subject.CN property to the host name specified as a +# CN parameter or, if no explicit CN parameter was specified, +# extracted from the CONNECT request. It is a misconfiguration +# to use setCommonName without an explicit parameter for +# intercepted or tproxied SSL connections. +# +# This clause only supports fast acl types. +# +# Squid first groups sslproxy_cert_adapt options by adaptation algorithm. +# Within a group, when sslproxy_cert_adapt acl(s) match, Squid uses the +# corresponding adaptation algorithm to generate the certificate and +# ignores all subsequent sslproxy_cert_adapt options in that algorithm's +# group (i.e., the first match wins within each algorithm group). If no +# acl(s) match, the default mimicking action takes place. +# +# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can +# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a +# CONNECT request that carries a domain name. In all other cases (CONNECT +# to an IP address or an intercepted SSL connection), Squid cannot detect +# the domain mismatch at certificate generation time when +# bump-server-first is used. #Default: # none # TAG: sslpassword_program # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Specify a program used for entering SSL key passphrases # when using encrypted SSL certificate keys. If not specified @@ -1595,12 +2506,12 @@ http_port 3128 #Default: # none -#OPTIONS RELATING TO EXTERNAL SSL_CRTD -#----------------------------------------------------------------------------- +# OPTIONS RELATING TO EXTERNAL SSL_CRTD +# ----------------------------------------------------------------------------- # TAG: sslcrtd_program # Note: This option is only available if Squid is rebuilt with the -# -DUSE_SSL_CRTD define +# --enable-ssl-crtd # # Specify the location and options of the executable for ssl_crtd process. # /usr/lib/squid/ssl_crtd program requires -s and -M parameters @@ -1611,14 +2522,90 @@ http_port 3128 # TAG: sslcrtd_children # Note: This option is only available if Squid is rebuilt with the -# -DUSE_SSL_CRTD define +# --enable-ssl-crtd # # The maximum number of processes spawn to service ssl server. # The maximum this may be safely set to is 32. # +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup=N +# +# Sets the minimum number of processes to spawn when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few children temporary slows Squid under load while it +# tries to spawn enough additional processes to cope with traffic. +# +# idle=N +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# # You must have at least one ssl_crtd process. #Default: -# sslcrtd_children 5 +# sslcrtd_children 32 startup=5 idle=1 + +# TAG: sslcrtvalidator_program +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Specify the location and options of the executable for ssl_crt_validator +# process. +# +# Usage: sslcrtvalidator_program [ttl=n] [cache=n] path ... +# +# Options: +# ttl=n TTL in seconds for cached results. The default is 60 secs +# cache=n limit the result cache size. The default value is 2048 +#Default: +# none + +# TAG: sslcrtvalidator_children +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# The maximum number of processes spawn to service SSL server. +# The maximum this may be safely set to is 32. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup=N +# +# Sets the minimum number of processes to spawn when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few children temporary slows Squid under load while it +# tries to spawn enough additional processes to cope with traffic. +# +# idle=N +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# +# The number of requests each certificate validator helper can handle in +# parallel. A value of 0 indicates the certficate validator does not +# support concurrency. Defaults to 1. +# +# When this directive is set to a value >= 1 then the protocol +# used to communicate with the helper is modified to include +# a request ID in front of the request/response. The request +# ID from the request must be echoed back with the response +# to that request. +# +# You must have at least one ssl_crt_validator process. +#Default: +# sslcrtvalidator_children 32 startup=5 idle=1 concurrency=1 # OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM # ----------------------------------------------------------------------------- @@ -1680,22 +2667,23 @@ http_port 3128 # # htcp Send HTCP, instead of ICP, queries to the neighbor. # You probably also want to set the "icp-port" to 4827 -# instead of 3130. +# instead of 3130. This directive accepts a comma separated +# list of options described below. # -# htcp-oldsquid Send HTCP to old Squid versions. +# htcp=oldsquid Send HTCP to old Squid versions (2.5 or earlier). # -# htcp-no-clr Send HTCP to the neighbor but without +# htcp=no-clr Send HTCP to the neighbor but without # sending any CLR requests. This cannot be used with -# htcp-only-clr. +# only-clr. # -# htcp-only-clr Send HTCP to the neighbor but ONLY CLR requests. -# This cannot be used with htcp-no-clr. +# htcp=only-clr Send HTCP to the neighbor but ONLY CLR requests. +# This cannot be used with no-clr. # -# htcp-no-purge-clr +# htcp=no-purge-clr # Send HTCP to the neighbor including CLRs but only when # they do not result from PURGE requests. # -# htcp-forward-clr +# htcp=forward-clr # Forward any HTCP CLR requests this proxy receives to the peer. # # @@ -1768,6 +2756,14 @@ http_port 3128 # than the Squid default location. # # +# ==== CARP OPTIONS ==== +# +# carp-key=key-specification +# use a different key than the full URL to hash against the peer. +# the key-specification is a comma-separated list of the keywords +# scheme, host, port, path, params +# Order is not important. +# # ==== ACCELERATOR / REVERSE-PROXY OPTIONS ==== # # originserver Causes this parent to be contacted as an origin server. @@ -1795,20 +2791,23 @@ http_port 3128 # Note: The string can include URL escapes (i.e. %20 for # spaces). This also means % must be written as %%. # -# login=PROXYPASS +# login=PASSTHRU # Send login details received from client to this peer. -# Authentication is not required, nor changed. +# Both Proxy- and WWW-Authorization headers are passed +# without alteration to the peer. +# Authentication is not required by Squid for this to work. # # Note: This will pass any form of authentication but # only Basic auth will work through a proxy unless the # connection-auth options are also used. -# +# # login=PASS Send login details received from client to this peer. # Authentication is not required by this option. +# # If there are no client-provided authentication headers # to pass on, but username and password are available -# from either proxy login or an external ACL user= and -# password= result tags they may be sent instead. +# from an external ACL user= and password= result tags +# they may be sent instead. # # Note: To combine this with proxy_auth both proxies must # share the same user database as HTTP only allows for @@ -1826,6 +2825,27 @@ http_port 3128 # be used to identify this proxy to the peer, similar to # the login=username:password option above. # +# login=NEGOTIATE +# If this is a personal/workgroup proxy and your parent +# requires a secure proxy authentication. +# The first principal from the default keytab or defined by +# the environment variable KRB5_KTNAME will be used. +# +# WARNING: The connection may transmit requests from multiple +# clients. Negotiate often assumes end-to-end authentication +# and a single-client. Which is not strictly true here. +# +# login=NEGOTIATE:principal_name +# If this is a personal/workgroup proxy and your parent +# requires a secure proxy authentication. +# The principal principal_name from the default keytab or +# defined by the environment variable KRB5_KTNAME will be +# used. +# +# WARNING: The connection may transmit requests from multiple +# clients. Negotiate often assumes end-to-end authentication +# and a single-client. Which is not strictly true here. +# # connection-auth=on|off # Tell Squid that this peer does or not support Microsoft # connection oriented authentication, and any such @@ -1848,22 +2868,42 @@ http_port 3128 # reference a combined file containing both the # certificate and the key. # -# sslversion=1|2|3|4 +# sslversion=1|2|3|4|5|6 # The SSL version to use when connecting to this peer # 1 = automatic (default) # 2 = SSL v2 only # 3 = SSL v3 only -# 4 = TLS v1 only +# 4 = TLS v1.0 only +# 5 = TLS v1.1 only +# 6 = TLS v1.2 only # # sslcipher=... The list of valid SSL ciphers to use when connecting # to this peer. # -# ssloptions=... Specify various SSL engine options: -# NO_SSLv2 Disallow the use of SSLv2 -# NO_SSLv3 Disallow the use of SSLv3 -# NO_TLSv1 Disallow the use of TLSv1 -# See src/ssl_support.c or the OpenSSL documentation for -# a more complete list. +# ssloptions=... Specify various SSL implementation options: +# +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# +# SINGLE_DH_USE +# Always create a new key when using +# temporary/ephemeral DH key exchanges +# +# NO_TICKET +# Disable use of RFC5077 session tickets. Some servers +# may have problems understanding the TLS extension due +# to ambiguous specification in RFC4507. +# +# ALL Enable various bug workarounds +# suggested as "harmless" by OpenSSL +# Be warned that this reduces SSL/TLS +# strength to some attacks. +# +# See the OpenSSL SSL_CTX_set_options documentation for a +# more complete list. # # sslcafile=... A file containing additional CA certificates to use # when verifying the peer certificate. @@ -1907,29 +2947,74 @@ http_port 3128 # # connect-fail-limit=N # How many times connecting to a peer must fail before -# it is marked as down. Default is 10. +# it is marked as down. Standby connection failures +# count towards this limit. Default is 10. # # allow-miss Disable Squid's use of only-if-cached when forwarding # requests to siblings. This is primarily useful when -# icp_hit_stale is used by the sibling. To extensive use -# of this option may result in forwarding loops, and you -# should avoid having two-way peerings with this option. -# For example to deny peer usage on requests from peer -# by denying cache_peer_access if the source is a peer. +# icp_hit_stale is used by the sibling. Excessive use +# of this option may result in forwarding loops. One way +# to prevent peering loops when using this option, is to +# deny cache peer usage on requests from a peer: +# acl fromPeer ... +# cache_peer_access peerName deny fromPeer +# +# max-conn=N Limit the number of concurrent connections the Squid +# may open to this peer, including already opened idle +# and standby connections. There is no peer-specific +# connection limit by default. # -# max-conn=N Limit the amount of connections Squid may open to this -# peer. see also +# A peer exceeding the limit is not used for new +# requests unless a standby connection is available. +# +# max-conn currently works poorly with idle persistent +# connections: When a peer reaches its max-conn limit, +# and there are idle persistent connections to the peer, +# the peer may not be selected because the limiting code +# does not know whether Squid can reuse those idle +# connections. +# +# standby=N Maintain a pool of N "hot standby" connections to an +# UP peer, available for requests when no idle +# persistent connection is available (or safe) to use. +# By default and with zero N, no such pool is maintained. +# N must not exceed the max-conn limit (if any). +# +# At start or after reconfiguration, Squid opens new TCP +# standby connections until there are N connections +# available and then replenishes the standby pool as +# opened connections are used up for requests. A used +# connection never goes back to the standby pool, but +# may go to the regular idle persistent connection pool +# shared by all peers and origin servers. +# +# Squid never opens multiple new standby connections +# concurrently. This one-at-a-time approach minimizes +# flooding-like effect on peers. Furthermore, just a few +# standby connections should be sufficient in most cases +# to supply most new requests with a ready-to-use +# connection. +# +# Standby connections obey server_idle_pconn_timeout. +# For the feature to work as intended, the peer must be +# configured to accept and keep them open longer than +# the idle timeout at the connecting Squid, to minimize +# race conditions typical to idle used persistent +# connections. Default request_timeout and +# server_idle_pconn_timeout values ensure such a +# configuration. # # name=xxx Unique name for the peer. # Required if you have multiple peers on the same host # but different ports. # This name can be used in cache_peer_access and similar -# directives to dentify the peer. +# directives to identify the peer. # Can be used by outgoing access controls through the # peername ACL type. # # no-tproxy Do not use the client-spoof TPROXY support when forwarding # requests to this peer. Use normal address selection instead. +# This overrides the spoof_client_ip ACL. # # proxy-only objects fetched from the peer will not be stored locally. # @@ -1938,10 +3023,11 @@ http_port 3128 # TAG: cache_peer_domain # Use to limit the domains for which a neighbor cache will be -# queried. Usage: +# queried. # -# cache_peer_domain cache-host domain [domain ...] -# cache_peer_domain cache-host !domain +# Usage: +# cache_peer_domain cache-host domain [domain ...] +# cache_peer_domain cache-host !domain # # For example, specifying # @@ -1966,33 +3052,57 @@ http_port 3128 # none # TAG: cache_peer_access -# Similar to 'cache_peer_domain' but provides more flexibility by -# using ACL elements. +# Restricts usage of cache_peer proxies. # -# cache_peer_access cache-host allow|deny [!]aclname ... +# Usage: +# cache_peer_access peer-name allow|deny [!]aclname ... +# +# For the required peer-name parameter, use either the value of the +# cache_peer name=value parameter or, if name=value is missing, the +# cache_peer hostname parameter. +# +# This directive narrows down the selection of peering candidates, but +# does not determine the order in which the selected candidates are +# contacted. That order is determined by the peer selection algorithms +# (see PEER SELECTION sections in the cache_peer documentation). +# +# If a deny rule matches, the corresponding peer will not be contacted +# for the current transaction -- Squid will not send ICP queries and +# will not forward HTTP requests to that peer. An allow match leaves +# the corresponding peer in the selection. The first match for a given +# peer wins for that peer. +# +# The relative order of cache_peer_access directives for the same peer +# matters. The relative order of any two cache_peer_access directives +# for different peers does not matter. To ease interpretation, it is a +# good idea to group cache_peer_access directives for the same peer +# together. +# +# A single cache_peer_access directive may be evaluated multiple times +# for a given transaction because individual peer selection algorithms +# may check it independently from each other. These redundant checks +# may be optimized away in future Squid versions. # -# The syntax is identical to 'http_access' and the other lists of -# ACL elements. See the comments for 'http_access' below, or -# the Squid FAQ (http://wiki.squid-cache.org/SquidFaq/SquidAcl). +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# No peer usage restrictions. # TAG: neighbor_type_domain -# usage: neighbor_type_domain neighbor parent|sibling domain domain ... +# Modify the cache_peer neighbor type when passing requests +# about specific domains to the peer. # -# Modifying the neighbor type for specific domains is now -# possible. You can treat some domains differently than the the -# default neighbor type specified on the 'cache_peer' line. -# Normally it should only be necessary to list domains which -# should be treated differently because the default neighbor type -# applies for hostnames which do not match domains listed here. +# Usage: +# neighbor_type_domain neighbor parent|sibling domain domain ... # -#EXAMPLE: -# cache_peer cache.foo.org parent 3128 3130 -# neighbor_type_domain cache.foo.org sibling .com .net -# neighbor_type_domain cache.foo.org sibling .au .de +# For example: +# cache_peer foo.example.com parent 3128 3130 +# neighbor_type_domain foo.example.com sibling .au .de +# +# The above configuration treats all requests to foo.example.com as a +# parent proxy unless the request is for a .au or .de ccTLD domain name. #Default: -# none +# The peer type from cache_peer directive is used for all requests to that peer. # TAG: dead_peer_timeout (seconds) # This controls how long Squid waits to declare a peer cache @@ -2015,21 +3125,11 @@ http_port 3128 # TAG: forward_max_tries # Controls how many different forward paths Squid will try # before giving up. See also forward_timeout. +# +# NOTE: connect_retries (default: none) can make each of these +# possible forwarding paths be tried multiple times. #Default: -# forward_max_tries 10 - -# TAG: hierarchy_stoplist -# A list of words which, if found in a URL, cause the object to -# be handled directly by this cache. In other words, use this -# to not query neighbor caches for certain objects. You may -# list this option multiple times. -# -# Example: -# hierarchy_stoplist cgi-bin ? -# -# Note: never_direct overrides this option. -#Default: -# none +# forward_max_tries 25 # MEMORY CACHE OPTIONS # ----------------------------------------------------------------------------- @@ -2064,6 +3164,11 @@ http_port 3128 # decreases, blocks will be freed until the high-water mark is # reached. Thereafter, blocks will be used to store hot # objects. +# +# If shared memory caching is enabled, Squid does not use the shared +# cache space for in-transit objects, but they still consume as much +# local memory as they need. For more details about the shared memory +# cache, see memory_cache_shared. #Default: # cache_mem 256 MB @@ -2075,11 +3180,45 @@ http_port 3128 #Default: # maximum_object_size_in_memory 512 KB +# TAG: memory_cache_shared on|off +# Controls whether the memory cache is shared among SMP workers. +# +# The shared memory cache is meant to occupy cache_mem bytes and replace +# the non-shared memory cache, although some entities may still be +# cached locally by workers for now (e.g., internal and in-transit +# objects may be served from a local memory cache even if shared memory +# caching is enabled). +# +# By default, the memory cache is shared if and only if all of the +# following conditions are satisfied: Squid runs in SMP mode with +# multiple workers, cache_mem is positive, and Squid environment +# supports required IPC primitives (e.g., POSIX shared memory segments +# and GCC-style atomic operations). +# +# To avoid blocking locks, shared memory uses opportunistic algorithms +# that do not guarantee that every cachable entity that could have been +# shared among SMP workers will actually be shared. +#Default: +# "on" where supported if doing memory caching with multiple SMP workers. + +# TAG: memory_cache_mode +# Controls which objects to keep in the memory cache (cache_mem) +# +# always Keep most recently fetched objects in memory (default) +# +# disk Only disk cache hits are kept in memory, which means +# an object must first be cached on disk and then hit +# a second time before cached in memory. +# +# network Only objects fetched from network is kept in memory +#Default: +# Keep the most recently fetched objects in memory + # TAG: memory_replacement_policy # The memory replacement policy parameter determines which # objects are purged from memory when memory space is needed. # -# See cache_replacement_policy for details. +# See cache_replacement_policy for details on algorithms. #Default: # memory_replacement_policy lru @@ -2095,7 +3234,7 @@ http_port 3128 # heap LFUDA: Least Frequently Used with Dynamic Aging # heap LRU : LRU policy implemented using a heap # -# Applies to any cache_dir lines listed below this. +# Applies to any cache_dir lines listed below this directive. # # The LRU policies keeps recently referenced objects. # @@ -2114,7 +3253,7 @@ http_port 3128 # replacement policies. # # NOTE: if using the LFUDA replacement policy you should increase -# the value of maximum_object_size above its default of 4096 KB to +# the value of maximum_object_size above its default of 4 MB to # to maximize the potential byte hit rate improvement of LFUDA. # # For more information about the GDSF and LFUDA cache replacement @@ -2123,10 +3262,34 @@ http_port 3128 #Default: # cache_replacement_policy lru +# TAG: minimum_object_size (bytes) +# Objects smaller than this size will NOT be saved on disk. The +# value is specified in bytes, and the default is 0 KB, which +# means all responses can be stored. +#Default: +# no limit + +# TAG: maximum_object_size (bytes) +# Set the default value for max-size parameter on any cache_dir. +# The value is specified in bytes, and the default is 4 MB. +# +# If you wish to get a high BYTES hit ratio, you should probably +# increase this (one 32 MB object hit counts for 3200 10KB +# hits). +# +# If you wish to increase hit ratio more than you want to +# save bandwidth you should leave this low. +# +# NOTE: if using the LFUDA replacement policy you should increase +# this value to maximize the byte hit rate improvement of LFUDA! +# See cache_replacement_policy for a discussion of this policy. +#Default: +# maximum_object_size 4 MB +maximum_object_size 153600 KB + # TAG: cache_dir -# Usage: -# -# cache_dir Type Directory-Name Fs-specific-data [options] +# Format: +# cache_dir Type Directory-Name Fs-specific-data [options] # # You can specify multiple cache_dir lines to spread the # cache among different disk partitions. @@ -2141,12 +3304,18 @@ http_port 3128 # The directory must exist and be writable by the Squid # process. Squid will NOT create this directory for you. # -# The ufs store type: +# In SMP configurations, cache_dir must not precede the workers option +# and should use configuration macros or conditionals to give each +# worker interested in disk caching a dedicated cache directory. +# +# +# ==== The ufs store type ==== # # "ufs" is the old well-known Squid storage format that has always # been there. # -# cache_dir ufs Directory-Name Mbytes L1 L2 [options] +# Usage: +# cache_dir ufs Directory-Name Mbytes L1 L2 [options] # # 'Mbytes' is the amount of disk space (MB) to use under this # directory. The default is 100 MB. Change this to suit your @@ -2161,23 +3330,27 @@ http_port 3128 # will be created under each first-level directory. The default # is 256. # -# The aufs store type: +# +# ==== The aufs store type ==== # # "aufs" uses the same storage format as "ufs", utilizing # POSIX-threads to avoid blocking the main Squid process on # disk-I/O. This was formerly known in Squid as async-io. # -# cache_dir aufs Directory-Name Mbytes L1 L2 [options] +# Usage: +# cache_dir aufs Directory-Name Mbytes L1 L2 [options] # # see argument descriptions under ufs above # -# The diskd store type: +# +# ==== The diskd store type ==== # # "diskd" uses the same storage format as "ufs", utilizing a # separate process to avoid blocking the main Squid process on # disk-I/O. # -# cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n] +# Usage: +# cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n] # # see argument descriptions under ufs above # @@ -2185,55 +3358,149 @@ http_port 3128 # stops opening new files. If this many messages are in the queues, # Squid won't open new files. Default is 64 # -# Q2 specifies the number of unacknowledged messages when Squid -# starts blocking. If this many messages are in the queues, -# Squid blocks until it receives some replies. Default is 72 +# Q2 specifies the number of unacknowledged messages when Squid +# starts blocking. If this many messages are in the queues, +# Squid blocks until it receives some replies. Default is 72 +# +# When Q1 < Q2 (the default), the cache directory is optimized +# for lower response time at the expense of a decrease in hit +# ratio. If Q1 > Q2, the cache directory is optimized for +# higher hit ratio at the expense of an increase in response +# time. +# +# +# ==== The rock store type ==== +# +# Usage: +# cache_dir rock Directory-Name Mbytes [options] +# +# The Rock Store type is a database-style storage. All cached +# entries are stored in a "database" file, using fixed-size slots. +# A single entry occupies one or more slots. +# +# If possible, Squid using Rock Store creates a dedicated kid +# process called "disker" to avoid blocking Squid worker(s) on disk +# I/O. One disker kid is created for each rock cache_dir. Diskers +# are created only when Squid, running in daemon mode, has support +# for the IpcIo disk I/O module. +# +# swap-timeout=msec: Squid will not start writing a miss to or +# reading a hit from disk if it estimates that the swap operation +# will take more than the specified number of milliseconds. By +# default and when set to zero, disables the disk I/O time limit +# enforcement. Ignored when using blocking I/O module because +# blocking synchronous I/O does not allow Squid to estimate the +# expected swap wait time. +# +# max-swap-rate=swaps/sec: Artificially limits disk access using +# the specified I/O rate limit. Swap out requests that +# would cause the average I/O rate to exceed the limit are +# delayed. Individual swap in requests (i.e., hits or reads) are +# not delayed, but they do contribute to measured swap rate and +# since they are placed in the same FIFO queue as swap out +# requests, they may wait longer if max-swap-rate is smaller. +# This is necessary on file systems that buffer "too +# many" writes and then start blocking Squid and other processes +# while committing those writes to disk. Usually used together +# with swap-timeout to avoid excessive delays and queue overflows +# when disk demand exceeds available disk "bandwidth". By default +# and when set to zero, disables the disk I/O rate limit +# enforcement. Currently supported by IpcIo module only. +# +# slot-size=bytes: The size of a database "record" used for +# storing cached responses. A cached response occupies at least +# one slot and all database I/O is done using individual slots so +# increasing this parameter leads to more disk space waste while +# decreasing it leads to more disk I/O overheads. Should be a +# multiple of your operating system I/O page size. Defaults to +# 16KBytes. A housekeeping header is stored with each slot and +# smaller slot-sizes will be rejected. The header is smaller than +# 100 bytes. +# +# +# ==== COMMON OPTIONS ==== +# +# no-store no new objects should be stored to this cache_dir. +# +# min-size=n the minimum object size in bytes this cache_dir +# will accept. It's used to restrict a cache_dir +# to only store large objects (e.g. AUFS) while +# other stores are optimized for smaller objects +# (e.g. Rock). +# Defaults to 0. +# +# max-size=n the maximum object size in bytes this cache_dir +# supports. +# The value in maximum_object_size directive sets +# the default unless more specific details are +# available (ie a small store capacity). +# +# Note: To make optimal use of the max-size limits you should order +# the cache_dir lines with the smallest max-size value first. +# +#Default: +# No disk cache. Store cache ojects only in memory. +# + +# Uncomment and adjust the following to add a disk cache directory. +#cache_dir ufs /var/spool/squid 100 16 256 +cache_dir ufs /var/spool/squid 4096 16 1024 + +# TAG: store_dir_select_algorithm +# How Squid selects which cache_dir to use when the response +# object will fit into more than one. +# +# Regardless of which algorithm is used the cache_dir min-size +# and max-size parameters are obeyed. As such they can affect +# the selection algorithm by limiting the set of considered +# cache_dir. +# +# Algorithms: +# +# least-load +# +# This algorithm is suited to caches with similar cache_dir +# sizes and disk speeds. # -# When Q1 < Q2 (the default), the cache directory is optimized -# for lower response time at the expense of a decrease in hit -# ratio. If Q1 > Q2, the cache directory is optimized for -# higher hit ratio at the expense of an increase in response -# time. +# The disk with the least I/O pending is selected. +# When there are multiple disks with the same I/O load ranking +# the cache_dir with most available capacity is selected. # -# The coss store type: +# When a mix of cache_dir sizes are configured the faster disks +# have a naturally lower I/O loading and larger disks have more +# capacity. So space used to store objects and data throughput +# may be very unbalanced towards larger disks. # -# NP: COSS filesystem in Squid-3 has been deemed too unstable for -# production use and has thus been removed from this release. -# We hope that it can be made usable again soon. # -# block-size=n defines the "block size" for COSS cache_dir's. -# Squid uses file numbers as block numbers. Since file numbers -# are limited to 24 bits, the block size determines the maximum -# size of the COSS partition. The default is 512 bytes, which -# leads to a maximum cache_dir size of 512<<24, or 8 GB. Note -# you should not change the coss block size after Squid -# has written some objects to the cache_dir. +# round-robin # -# The coss file store has changed from 2.5. Now it uses a file -# called 'stripe' in the directory names in the config - and -# this will be created by squid -z. +# This algorithm is suited to caches with unequal cache_dir +# disk sizes. # -# Common options: +# Each cache_dir is selected in a rotation. The next suitable +# cache_dir is used. # -# no-store, no new objects should be stored to this cache_dir +# Available cache_dir capacity is only considered in relation +# to whether the object will fit and meets the min-size and +# max-size parameters. # -# max-size=n, refers to the max object size in bytes this cache_dir -# supports. It is used to select the cache_dir to store the object. -# Note: To make optimal use of the max-size limits you should order -# the cache_dir lines with the smallest max-size value first and the -# ones with no max-size specification last. +# Disk I/O loading is only considered to prevent overload on slow +# disks. This algorithm does not spread objects by size, so any +# I/O loading per-disk may appear very unbalanced and volatile. # -# Note for coss, max-size must be less than COSS_MEMBUF_SZ, -# which can be changed with the --with-coss-membuf-size=N configure -# option. +# If several cache_dirs use similar min-size, max-size, or other +# limits to to reject certain responses, then do not group such +# cache_dir lines together, to avoid round-robin selection bias +# towards the first cache_dir after the group. Instead, interleave +# cache_dir lines from different groups. For example: # - -# Uncomment and adjust the following to add a disk cache directory. -#cache_dir ufs /var/spool/squid 100 16 256 -cache_dir ufs /var/spool/squid 4096 16 1024 - -# TAG: store_dir_select_algorithm -# Set this to 'round-robin' as an alternative. +# store_dir_select_algorithm round-robin +# cache_dir rock /hdd1 ... min-size=100000 +# cache_dir rock /ssd1 ... max-size=99999 +# cache_dir rock /hdd2 ... min-size=100000 +# cache_dir rock /ssd2 ... max-size=99999 +# cache_dir rock /hdd3 ... min-size=100000 +# cache_dir rock /ssd3 ... max-size=99999 #Default: # store_dir_select_algorithm least-load @@ -2244,46 +3511,53 @@ cache_dir ufs /var/spool/squid 4096 16 1024 # # A value of 0 indicates no limit. #Default: -# max_open_disk_fds 0 - -# TAG: minimum_object_size (bytes) -# Objects smaller than this size will NOT be saved on disk. The -# value is specified in kilobytes, and the default is 0 KB, which -# means there is no minimum. -#Default: -# minimum_object_size 0 KB - -# TAG: maximum_object_size (bytes) -# Objects larger than this size will NOT be saved on disk. The -# value is specified in kilobytes, and the default is 4MB. If -# you wish to get a high BYTES hit ratio, you should probably -# increase this (one 32 MB object hit counts for 3200 10KB -# hits). If you wish to increase speed more than your want to -# save bandwidth you should leave this low. -# -# NOTE: if using the LFUDA replacement policy you should increase -# this value to maximize the byte hit rate improvement of LFUDA! -# See replacement_policy below for a discussion of this policy. -#Default: -# maximum_object_size 4096 KB -maximum_object_size 153600 KB +# no limit # TAG: cache_swap_low (percent, 0-100) +# The low-water mark for AUFS/UFS/diskd cache object eviction by +# the cache_replacement_policy algorithm. +# +# Removal begins when the swap (disk) usage of a cache_dir is +# above this low-water mark and attempts to maintain utilization +# near the low-water mark. +# +# As swap utilization increases towards the high-water mark set +# by cache_swap_high object eviction becomes more agressive. +# +# The value difference in percentages between low- and high-water +# marks represent an eviction rate of 300 objects per second and +# the rate continues to scale in agressiveness by multiples of +# this above the high-water mark. +# +# Defaults are 90% and 95%. If you have a large cache, 5% could be +# hundreds of MB. If this is the case you may wish to set these +# numbers closer together. +# +# See also cache_swap_high and cache_replacement_policy #Default: # cache_swap_low 90 # TAG: cache_swap_high (percent, 0-100) +# The high-water mark for AUFS/UFS/diskd cache object eviction by +# the cache_replacement_policy algorithm. # -# The low- and high-water marks for cache object replacement. -# Replacement begins when the swap (disk) usage is above the -# low-water mark and attempts to maintain utilization near the -# low-water mark. As swap utilization gets close to high-water -# mark object eviction becomes more aggressive. If utilization is -# close to the low-water mark less replacement is done each time. +# Removal begins when the swap (disk) usage of a cache_dir is +# above the low-water mark set by cache_swap_low and attempts to +# maintain utilization near the low-water mark. +# +# As swap utilization increases towards this high-water mark object +# eviction becomes more agressive. +# +# The value difference in percentages between low- and high-water +# marks represent an eviction rate of 300 objects per second and +# the rate continues to scale in agressiveness by multiples of +# this above the high-water mark. # # Defaults are 90% and 95%. If you have a large cache, 5% could be # hundreds of MB. If this is the case you may wish to set these # numbers closer together. +# +# See also cache_swap_low and cache_replacement_policy #Default: # cache_swap_high 95 @@ -2313,21 +3587,62 @@ maximum_object_size 153600 KB # ' output as-is # # - left aligned -# width field width. If starting with 0 the -# output is zero padded +# +# width minimum and/or maximum field width: +# [width_min][.width_max] +# When minimum starts with 0, the field is zero-padded. +# String values exceeding maximum width are truncated. +# # {arg} argument such as header name etc # # Format codes: # # % a literal % character +# sn Unique sequence number per log line entry +# err_code The ID of an error response served by Squid or +# a similar internal error identifier. +# err_detail Additional err_code-dependent error information. +# note The annotation specified by the argument. Also +# logs the adaptation meta headers set by the +# adaptation_meta configuration parameter. +# If no argument given all annotations logged. +# The argument may include a separator to use with +# annotation values: +# name[:separator] +# By default, multiple note values are separated with "," +# and multiple notes are separated with "\r\n". +# When logging named notes with %{name}note, the +# explicitly configured separator is used between note +# values. When logging all notes with %note, the +# explicitly configured separator is used between +# individual notes. There is currently no way to +# specify both value and notes separators when logging +# all notes with %note. +# +# Connection related format codes: +# # >a Client source IP address # >A Client FQDN # >p Client source port -# eui Client source EUI (MAC address, EUI-48 or EUI-64 identifier) +# >la Local IP address the client connected to +# >lp Local port number the client connected to +# >qos Client connection TOS/DSCP value set by Squid +# >nfmark Client connection netfilter mark set by Squid +# +# la Local listening IP address the client connection was connected to. +# lp Local listening port number the client connection was connected to. +# +# . format. +# Currently, Squid considers the master transaction +# started when a complete HTTP request header initiating +# the transaction is received from the client. This is +# the same value that Squid uses to calculate transaction +# response time when logging %tr to access.log. Currently, +# Squid uses millisecond resolution for %tS values, +# similar to the default access.log "current time" field +# (%ts.%03tu). +# +# Access Control related format codes: +# +# et Tag returned by external acl +# ea Log string returned by external acl +# un User name (any available) +# ul User name from authentication +# ue User name from external acl helper +# ui User name from ident +# un A user name. Expands to the first available name +# from the following list of information sources: +# - authenticated user name, like %ul +# - user name supplied by an external ACL, like %ue +# - SSL client name, like %us +# - ident user name, like %ui +# credentials Client credentials. The exact meaning depends on +# the authentication scheme: For Basic authentication, +# it is the password; for Digest, the realm sent by the +# client; for NTLM and Negotiate, the client challenge +# or client credentials prefixed with "YR " or "KK ". +# +# HTTP related format codes: +# +# REQUEST # -# HTTP cache related format codes: -# -# [http::]>h Original request header. Optional header name argument -# on the format header[:[separator]element] -# [http::]>ha The HTTP request headers after adaptation and redirection. +# [http::]rm Request method (GET/POST etc) +# [http::]>rm Request method from client +# [http::]ru Request URL from client +# [http::]rs Request URL scheme from client +# [http::]rd Request URL domain from client +# [http::]rP Request URL port from client +# [http::]rp Request URL path excluding hostname from client +# [http::]rv Request protocol version from client +# [http::]h Original received request header. +# Usually differs from the request header sent by +# Squid, although most fields are often preserved. +# Accepts optional header field name/value filter +# argument using name[:[separator]element] format. +# [http::]>ha Received request header after adaptation and +# redirection (pre-cache REQMOD vectoring point). +# Usually differs from the request header sent by +# Squid, although most fields are often preserved. # Optional header name argument as for >h +# +# +# RESPONSE +# +# [http::]Hs HTTP status code sent to the client +# # [http::]h -# [http::]un User name -# [http::]ul User name from authentication -# [http::]ui User name from ident -# [http::]us User name from SSL -# [http::]ue User name from external acl helper -# [http::]>Hs HTTP status code sent to the client -# [http::]st Received request size including HTTP headers. In the -# case of chunked requests the chunked encoding metadata -# are not included -# [http::]>sh Received HTTP request headers size -# [http::]st Total size of request received from client. +# Excluding chunked encoding bytes. +# [http::]sh Size of request headers received from client +# [http::]sni SSL client SNI sent to Squid. Available only +# after the peek, stare, or splice SSL bumping +# actions. +# +# If ICAP is enabled, the following code becomes available (as # well as ICAP log codes documented with the icap_log option): # # icap::tt Total ICAP processing time for the HTTP @@ -2386,14 +3793,13 @@ maximum_object_size 153600 KB # ACLs are checked and when ICAP # transaction is in progress. # -# icap::cert_subject The Subject field of the received client +# SSL certificate or a dash ('-') if Squid has +# received an invalid/malformed certificate or +# no certificate at all. Consider encoding the +# logged value because Subject often has spaces. +# +# %ssl::>cert_issuer The Issuer field of the received client +# SSL certificate or a dash ('-') if Squid has +# received an invalid/malformed certificate or +# no certificate at all. Consider encoding the +# logged value because Issuer often has spaces. +# # The default formats available (which do not need re-defining) are: # -#logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %a %Ss/%03>Hs %h] [%a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh +#logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh +#logformat referrer %ts.%03tu %>a %{Referer}>h %ru +#logformat useragent %>a [%tl] "%{User-Agent}>h" +# +# NOTE: When the log_mime_hdrs directive is set to ON. +# The squid, common and combined formats have a safely encoded copy +# of the mime headers appended to each line within a pair of brackets. +# +# NOTE: The common and combined formats are not quite true to the Apache definition. +# The logs from Squid contain an extra status and hierarchy code appended. +# #Default: -# none +# The format definitions squid, common, combined, referrer, useragent are built in. # TAG: access_log -# These files log client request activities. Has a line every HTTP or -# ICP request. The format is: -# access_log [ [acl acl ...]] -# access_log none [acl acl ...]] +# Configures whether and how Squid logs HTTP and ICP transactions. +# If access logging is enabled, a single line is logged for every +# matching HTTP or ICP request. The recommended directive formats are: # -# Will log to the specified file using the specified format (which -# must be defined in a logformat directive) those entries which match -# ALL the acl's specified (which must be defined in acl clauses). +# access_log : [option ...] [acl acl ...] +# access_log none [acl acl ...] # -# If no acl is specified, all requests will be logged to this file. +# The following directive format is accepted but may be deprecated: +# access_log : [ [acl acl ...]] # -# To disable logging of a request use the filepath "none", in which case -# a logformat name should not be specified. +# In most cases, the first ACL name must not contain the '=' character +# and should not be equal to an existing logformat name. You can always +# start with an 'all' ACL to work around those restrictions. +# +# Will log to the specified module:place using the specified format (which +# must be defined in a logformat directive) those entries which match +# ALL the acl's specified (which must be defined in acl clauses). +# If no acl is specified, all requests will be logged to this destination. +# +# ===== Available options for the recommended directive format ===== +# +# logformat=name Names log line format (either built-in or +# defined by a logformat directive). Defaults +# to 'squid'. +# +# buffer-size=64KB Defines approximate buffering limit for log +# records (see buffered_logs). Squid should not +# keep more than the specified size and, hence, +# should flush records before the buffer becomes +# full to avoid overflows under normal +# conditions (the exact flushing algorithm is +# module-dependent though). The on-error option +# controls overflow handling. +# +# on-error=die|drop Defines action on unrecoverable errors. The +# 'drop' action ignores (i.e., does not log) +# affected log records. The default 'die' action +# kills the affected worker. The drop action +# support has not been tested for modules other +# than tcp. +# +# ===== Modules Currently available ===== +# +# none Do not log any requests matching these ACL. +# Do not specify Place or logformat name. +# +# stdio Write each log line to disk immediately at the completion of +# each request. +# Place: the filename and path to be written. +# +# daemon Very similar to stdio. But instead of writing to disk the log +# line is passed to a daemon helper for asychronous handling instead. +# Place: varies depending on the daemon. +# +# log_file_daemon Place: the file name and path to be written. +# +# syslog To log each request via syslog facility. +# Place: The syslog facility and priority level for these entries. +# Place Format: facility.priority # -# To log the request via syslog specify a filepath of "syslog": +# where facility could be any of: +# authpriv, daemon, local0 ... local7 or user. # -# access_log syslog[:facility.priority] [format [acl1 [acl2 ....]]] -# where facility could be any of: -# authpriv, daemon, local0 .. local7 or user. +# And priority could be any of: +# err, warning, notice, info, debug. +# +# udp To send each log line as text data to a UDP receiver. +# Place: The destination host name or IP and port. +# Place Format: //host:port # -# And priority could be any of: -# err, warning, notice, info, debug. +# tcp To send each log line as text data to a TCP receiver. +# Lines may be accumulated before sending (see buffered_logs). +# Place: The destination host name or IP and port. +# Place Format: //host:port # # Default: -# access_log /var/log/squid/access.log squid +# access_log daemon:/var/log/squid/access.log squid #Default: -# access_log /var/log/squid/access.log squid +# access_log daemon:/var/log/squid/access.log squid # TAG: icap_log # ICAP log files record ICAP transaction summaries, one line per @@ -2472,13 +3953,35 @@ maximum_object_size 153600 KB # ICAP transaction log lines will correspond to a single access # log line. # -# ICAP log uses logformat codes that make sense for an ICAP -# transaction. Header-related codes are applied to the HTTP header -# embedded in an ICAP server response, with the following caveats: -# For REQMOD, there is no HTTP response header unless the ICAP -# server performed request satisfaction. For RESPMOD, the HTTP -# request header is the header sent to the ICAP server. For -# OPTIONS, there are no HTTP headers. +# ICAP log supports many access.log logformat %codes. In ICAP context, +# HTTP message-related %codes are applied to the HTTP message embedded +# in an ICAP message. Logformat "%http::>..." codes are used for HTTP +# messages embedded in ICAP requests while "%http::<..." codes are used +# for HTTP messages embedded in ICAP responses. For example: +# +# http::>h To-be-adapted HTTP message headers sent by Squid to +# the ICAP service. For REQMOD transactions, these are +# HTTP request headers. For RESPMOD, these are HTTP +# response headers, but Squid currently cannot log them +# (i.e., %http::>h will expand to "-" for RESPMOD). +# +# http::st Bytes sent to the ICAP server (TCP payload -# only; i.e., what Squid writes to the socket). +# icap::>st The total size of the ICAP request sent to the ICAP +# server (ICAP headers + ICAP body), including chunking +# metadata (if any). # -# icap::a %icap::to/%03icap::Hs %icap::A %icap::to/%03icap::Hs %icap::\n - logfile data +# R\n - rotate file +# T\n - truncate file +# O\n - reopen file +# F\n - flush file +# r\n - set rotate count to +# b\n - 1 = buffer output, 0 = don't buffer output +# +# No responses is expected. #Default: -# none +# logfile_daemon /usr/lib/squid/log_file_daemon -# TAG: log_icap -# This options allows you to control which requests get logged -# to icap.log. See the icap_log directive for ICAP log details. +# TAG: stats_collection allow|deny acl acl... +# This options allows you to control which requests gets accounted +# in performance counters. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow logging for all transactions. # TAG: cache_store_log # Logs the activities of the storage manager. Shows which # objects are ejected from the cache, and which objects are -# saved and for how long. To disable, enter "none" or remove the line. +# saved and for how long. # There are not really utilities to analyze this data, so you can safely -# disable it. -# +# disable it (the default). +# +# Store log uses modular logging outputs. See access_log for the list +# of modules supported. +# # Example: -# cache_store_log /var/log/squid/store.log +# cache_store_log stdio:/var/log/squid/store.log +# cache_store_log daemon:/var/log/squid/store.log #Default: # none @@ -2590,7 +4111,7 @@ maximum_object_size 153600 KB # them). We recommend you do NOT use this option. It is # better to keep these index files in each 'cache_dir' directory. #Default: -# none +# Store the journal inside its cache_dir # TAG: logfile_rotate # Specifies the number of logfile rotations to make when you @@ -2607,34 +4128,19 @@ maximum_object_size 153600 KB # in the habit of using 'squid -k rotate' instead of 'kill -USR1 # '. # -# Note, from Squid-3.1 this option has no effect on the cache.log, -# that log can be rotated separately by using debug_options +# Note, from Squid-3.1 this option is only a default for cache.log, +# that log can be rotated separately by using debug_options. # -# Note2, for Debian/Linux the default of logfile_rotate is -# zero, since it includes external logfile-rotation methods. +# Note2, for Debian/Linux the default of logfile_rotate is +# zero, since it includes external logfile-rotation methods. #Default: # logfile_rotate 0 -# TAG: emulate_httpd_log on|off -# The Cache can emulate the log file format which many 'httpd' -# programs use. To disable/enable this emulation, set -# emulate_httpd_log to 'off' or 'on'. The default -# is to use the native log format since it includes useful -# information Squid-specific log analyzers use. -#Default: -# emulate_httpd_log off - -# TAG: log_ip_on_direct on|off -# Log the destination IP address in the hierarchy log tag when going -# direct. Earlier Squid versions logged the hostname here. If you -# prefer the old way set this to off. -#Default: -# log_ip_on_direct on - # TAG: mime_table -# Pathname to Squid's MIME table. You shouldn't need to change -# this, but the default file contains examples and formatting -# information if you do. +# Path to Squid's icon configuration file. +# +# You shouldn't need to change this, but the default file contains +# examples and formatting information if you do. #Default: # mime_table /usr/share/squid/mime.conf @@ -2647,91 +4153,61 @@ maximum_object_size 153600 KB #Default: # log_mime_hdrs off -# TAG: useragent_log -# Note: This option is only available if Squid is rebuilt with the -# --enable-useragent-log option -# -# Squid will write the User-Agent field from HTTP requests -# to the filename specified here. By default useragent_log -# is disabled. -#Default: -# none - -# TAG: referer_log -# Note: This option is only available if Squid is rebuilt with the -# --enable-referer-log option -# -# Squid will write the Referer field from HTTP requests to the -# filename specified here. By default referer_log is disabled. -# Note that "referer" is actually a misspelling of "referrer" -# however the misspelt version has been accepted into the HTTP RFCs -# and we accept both. -#Default: -# none - # TAG: pid_filename # A filename to write the process-id to. To disable, enter "none". #Default: # pid_filename /var/run/squid.pid -# TAG: log_fqdn on|off -# Turn this on if you wish to log fully qualified domain names -# in the access.log. To do this Squid does a DNS lookup of all -# IP's connecting to it. This can (in some situations) increase -# latency, which makes your cache seem slower for interactive -# browsing. -#Default: -# log_fqdn off - # TAG: client_netmask # A netmask for client addresses in logfiles and cachemgr output. # Change this to protect the privacy of your cache clients. # A netmask of 255.255.255.0 will log all IP's in that range with # the last digit set to '0'. #Default: -# client_netmask no_addr - -# TAG: forward_log -# Note: This option is only available if Squid is rebuilt with the -# -DWIP_FWD_LOG define -# -# Logs the server-side requests. -# -# This is currently work in progress. -#Default: -# none +# Log full client IP address # TAG: strip_query_terms # By default, Squid strips query terms from requested URLs before -# logging. This protects your user's privacy. +# logging. This protects your user's privacy and reduces log size. +# +# When investigating HIT/MISS or other caching behaviour you +# will need to disable this to see the full URL used by Squid. #Default: # strip_query_terms on # TAG: buffered_logs on|off -# cache.log log file is written with stdio functions, and as such -# it can be buffered or unbuffered. By default it will be unbuffered. -# Buffering it can speed up the writing slightly (though you are -# unlikely to need to worry unless you run with tons of debugging -# enabled in which case performance will suffer badly anyway..). +# Whether to write/send access_log records ASAP or accumulate them and +# then write/send them in larger chunks. Buffering may improve +# performance because it decreases the number of I/Os. However, +# buffering increases the delay before log records become available to +# the final recipient (e.g., a disk file or logging daemon) and, +# hence, increases the risk of log records loss. +# +# Note that even when buffered_logs are off, Squid may have to buffer +# records if it cannot write/send them immediately due to pending I/Os +# (e.g., the I/O writing the previous log record) or connectivity loss. +# +# Currently honored by 'daemon' and 'tcp' access_log modules only. #Default: # buffered_logs off # TAG: netdb_filename -# Note: This option is only available if Squid is rebuilt with the -# --enable-icmp option +# Where Squid stores it's netdb journal. +# When enabled this journal preserves netdb state between restarts. # -# A filename where Squid stores it's netdb state between restarts. # To disable, enter "none". #Default: -# netdb_filename /var/log/squid/netdb.state +# netdb_filename stdio:/var/log/squid/netdb.state # OPTIONS FOR TROUBLESHOOTING # ----------------------------------------------------------------------------- # TAG: cache_log -# Cache logging file. This is where general information about -# your cache's behavior goes. You can increase the amount of data -# logged to this file and how often its rotated with "debug_options" +# Squid administrative logging file. +# +# This is where general information about Squid behavior goes. You can +# increase the amount of data logged to this file and how often it is +# rotated with "debug_options" #Default: # cache_log /var/log/squid/cache.log @@ -2742,14 +4218,14 @@ maximum_object_size 153600 KB # log file, so be careful. # # The magic word "ALL" sets debugging levels for all sections. -# We recommend normally running with "ALL,1". +# The default is to run with "ALL,1" to record important warnings. # # The rotate=N option can be used to keep more or less of these logs # than would otherwise be kept by logfile_rotate. # For most uses a single log should be enough to monitor current # events affecting Squid. #Default: -# debug_options ALL,1 +# Log all critical and important messages. # TAG: coredump_dir # By default Squid leaves core files in the directory from where @@ -2758,7 +4234,7 @@ maximum_object_size 153600 KB # and coredump files will be left there. # #Default: -# coredump_dir none +# Use the directory from where Squid was started. # # Leave coredumps in the first cache dir @@ -2769,24 +4245,17 @@ coredump_dir /var/spool/squid # TAG: ftp_user # If you want the anonymous login password to be more informative -# (and enable the use of picky ftp servers), set this to something +# (and enable the use of picky FTP servers), set this to something # reasonable for your domain, like wwwuser@somewhere.net # # The reason why this is domainless by default is the # request can be made on the behalf of a user in any domain, # depending on how the cache is used. -# Some ftp server also validate the email address is valid +# Some FTP server also validate the email address is valid # (for example perl.com). #Default: # ftp_user Squid@ -# TAG: ftp_list_width -# Sets the width of ftp listings. This should be set to fit in -# the width of a standard browser. Setting this too small -# can cut off long filenames when browsing ftp sites. -#Default: -# ftp_list_width 32 - # TAG: ftp_passive # If your firewall does not allow Squid to use passive # connections, turn off this option. @@ -2822,13 +4291,21 @@ coredump_dir /var/spool/squid # and therefore, translation of the data portion of the segments # will never be needed. # -# Turning this OFF will prevent EPSV being attempted. -# WARNING: Doing so will convert Squid back to the old behavior with all -# the related problems with external NAT devices/layers. +# EPSV is often required to interoperate with FTP servers on IPv6 +# networks. On the other hand, it may break some IPv4 servers. +# +# By default, EPSV may try EPSV with any FTP server. To fine tune +# that decision, you may restrict EPSV to certain clients or servers +# using ACLs: # +# ftp_epsv allow|deny al1 acl2 ... +# +# WARNING: Disabling EPSV may cause problems with external NAT and IPv6. +# +# Only fast ACLs are supported. # Requires ftp_passive to be ON (default) for any effect. #Default: -# ftp_epsv on +# none # TAG: ftp_eprt # FTP Protocol extensions permit the use of a special "EPRT" command. @@ -2889,22 +4366,16 @@ coredump_dir /var/spool/squid # unlinkd_program /usr/lib/squid/unlinkd # TAG: pinger_program -# Note: This option is only available if Squid is rebuilt with the -# --enable-icmp option -# # Specify the location of the executable for the pinger process. #Default: # pinger_program /usr/lib/squid/pinger # TAG: pinger_enable -# Note: This option is only available if Squid is rebuilt with the -# --enable-icmp option -# # Control whether the pinger is active at run-time. # Enables turning ICMP pinger on and off with a simple # squid -k reconfigure. #Default: -# pinger_enable off +# pinger_enable on # OPTIONS FOR URL REWRITING # ----------------------------------------------------------------------------- @@ -2915,68 +4386,137 @@ coredump_dir /var/spool/squid # # For each requested URL, the rewriter will receive on line with the format # -# URL client_ip "/" fqdn user method [ kvpairs] +# [channel-ID ] URL [ extras] +# +# See url_rewrite_extras on how to send "extras" with optional values to +# the helper. +# After processing the request the helper must reply using the following format: +# +# [channel-ID ] result [ kv-pairs] +# +# The result code can be: +# +# OK status=30N url="..." +# Redirect the URL to the one supplied in 'url='. +# 'status=' is optional and contains the status code to send +# the client in Squids HTTP response. It must be one of the +# HTTP redirect status codes: 301, 302, 303, 307, 308. +# When no status is given Squid will use 302. +# +# OK rewrite-url="..." +# Rewrite the URL to the one supplied in 'rewrite-url='. +# The new URL is fetched directly by Squid and returned to +# the client as the response to its request. # -# In the future, the rewriter interface will be extended with -# key=value pairs ("kvpairs" shown above). Rewriter programs -# should be prepared to receive and possibly ignore additional -# whitespace-separated tokens on each input line. +# OK +# When neither of url= and rewrite-url= are sent Squid does +# not change the URL. # -# And the rewriter may return a rewritten URL. The other components of -# the request line does not need to be returned (ignored if they are). +# ERR +# Do not change the URL. # -# The rewriter can also indicate that a client-side redirect should -# be performed to the new URL. This is done by prefixing the returned -# URL with "301:" (moved permanently) or 302: (moved temporarily), etc. +# BH +# An internal error occurred in the helper, preventing +# a result being identified. The 'message=' key name is +# reserved for delivering a log message. +# +# +# In addition to the above kv-pairs Squid also understands the following +# optional kv-pairs received from URL rewriters: +# clt_conn_tag=TAG +# Associates a TAG with the client TCP connection. +# The TAG is treated as a regular annotation but persists across +# future requests on the client connection rather than just the +# current request. A helper may update the TAG during subsequent +# requests be returning a new kv-pair. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# WARNING: URL re-writing ability should be avoided whenever possible. +# Use the URL redirect form of response instead. +# +# Re-write creates a difference in the state held by the client +# and server. Possibly causing confusion when the server response +# contains snippets of its view state. Embeded URLs, response +# and content Location headers, etc. are not re-written by this +# interface. # # By default, a URL rewriter is not used. #Default: # none # TAG: url_rewrite_children -# The number of redirector processes to spawn. If you start -# too few Squid will have to wait for them to process a backlog of -# URLs, slowing it down. If you start too many they will use RAM -# and other system resources. -#Default: -# url_rewrite_children 5 - -# TAG: url_rewrite_concurrency +# The maximum number of redirector processes to spawn. If you limit +# it too few Squid will have to wait for them to process a backlog of +# URLs, slowing it down. If you allow too many they will use RAM +# and other system resources noticably. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup= +# +# Sets a minimum of how many processes are to be spawned when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few will cause an initial slowdown in traffic as Squid +# attempts to simultaneously spawn enough processes to cope. +# +# idle= +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# # The number of requests each redirector helper can handle in # parallel. Defaults to 0 which indicates the redirector # is a old-style single threaded redirector. # # When this directive is set to a value >= 1 then the protocol # used to communicate with the helper is modified to include -# a request ID in front of the request/response. The request -# ID from the request must be echoed back with the response -# to that request. +# an ID in front of the request/response. The ID from the request +# must be echoed back with the response to that request. #Default: -# url_rewrite_concurrency 0 +# url_rewrite_children 20 startup=0 idle=1 concurrency=0 # TAG: url_rewrite_host_header -# By default Squid rewrites any Host: header in redirected -# requests. If you are running an accelerator this may -# not be a wanted effect of a redirector. -# +# To preserve same-origin security policies in browsers and +# prevent Host: header forgery by redirectors Squid rewrites +# any Host: header in redirected requests. +# +# If you are running an accelerator this may not be a wanted +# effect of a redirector. This directive enables you disable +# Host: alteration in reverse-proxy traffic. +# # WARNING: Entries are cached on the result of the URL rewriting # process, so be careful if you have domain-virtual hosts. +# +# WARNING: Squid and other software verifies the URL and Host +# are matching, so be careful not to relay through other proxies +# or inspecting firewalls with this disabled. #Default: # url_rewrite_host_header on # TAG: url_rewrite_access # If defined, this access list specifies which requests are -# sent to the redirector processes. By default all requests -# are sent. +# sent to the redirector processes. # # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: url_rewrite_bypass # When this is 'on', a request will not go through the -# redirector if all redirectors are busy. If this is 'off' +# redirector if all the helpers are busy. If this is 'off' # and the redirector queue grows too large, Squid will exit # with a FATAL error and ask you to increase the number of # redirectors. You should only enable this if the redirectors @@ -2987,23 +4527,231 @@ coredump_dir /var/spool/squid #Default: # url_rewrite_bypass off -# OPTIONS FOR TUNING THE CACHE +# TAG: url_rewrite_extras +# Specifies a string to be append to request line format for the +# rewriter helper. "Quoted" format values may contain spaces and +# logformat %macros. In theory, any logformat %macro can be used. +# In practice, a %macro expands as a dash (-) if the helper request is +# sent before the required macro information is available to Squid. +#Default: +# url_rewrite_extras "%>a/%>A %un %>rm myip=%la myport=%lp" + +# OPTIONS FOR STORE ID # ----------------------------------------------------------------------------- -# TAG: cache -# A list of ACL elements which, if matched and denied, cause the request to -# not be satisfied from the cache and the reply to not be cached. -# In other words, use this to force certain objects to never be cached. +# TAG: store_id_program +# Specify the location of the executable StoreID helper to use. +# Since they can perform almost any function there isn't one included. # -# You must use the words 'allow' or 'deny' to indicate whether items -# matching the ACL should be allowed or denied into the cache. +# For each requested URL, the helper will receive one line with the format # -# Default is to allow all to be cached. +# [channel-ID ] URL [ extras] +# +# +# After processing the request the helper must reply using the following format: +# +# [channel-ID ] result [ kv-pairs] +# +# The result code can be: +# +# OK store-id="..." +# Use the StoreID supplied in 'store-id='. +# +# ERR +# The default is to use HTTP request URL as the store ID. +# +# BH +# An internal error occured in the helper, preventing +# a result being identified. +# +# In addition to the above kv-pairs Squid also understands the following +# optional kv-pairs received from URL rewriters: +# clt_conn_tag=TAG +# Associates a TAG with the client TCP connection. +# Please see url_rewrite_program related documentation for this +# kv-pair +# +# Helper programs should be prepared to receive and possibly ignore +# additional whitespace-separated tokens on each input line. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# NOTE: when using StoreID refresh_pattern will apply to the StoreID +# returned from the helper and not the URL. +# +# WARNING: Wrong StoreID value returned by a careless helper may result +# in the wrong cached response returned to the user. +# +# By default, a StoreID helper is not used. +#Default: +# none + +# TAG: store_id_extras +# Specifies a string to be append to request line format for the +# StoreId helper. "Quoted" format values may contain spaces and +# logformat %macros. In theory, any logformat %macro can be used. +# In practice, a %macro expands as a dash (-) if the helper request is +# sent before the required macro information is available to Squid. +#Default: +# store_id_extras "%>a/%>A %un %>rm myip=%la myport=%lp" + +# TAG: store_id_children +# The maximum number of StoreID helper processes to spawn. If you limit +# it too few Squid will have to wait for them to process a backlog of +# requests, slowing it down. If you allow too many they will use RAM +# and other system resources noticably. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup= +# +# Sets a minimum of how many processes are to be spawned when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few will cause an initial slowdown in traffic as Squid +# attempts to simultaneously spawn enough processes to cope. +# +# idle= +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# +# The number of requests each storeID helper can handle in +# parallel. Defaults to 0 which indicates the helper +# is a old-style single threaded program. +# +# When this directive is set to a value >= 1 then the protocol +# used to communicate with the helper is modified to include +# an ID in front of the request/response. The ID from the request +# must be echoed back with the response to that request. +#Default: +# store_id_children 20 startup=0 idle=1 concurrency=0 + +# TAG: store_id_access +# If defined, this access list specifies which requests are +# sent to the StoreID processes. By default all requests +# are sent. # # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow, unless rules exist in squid.conf. + +# TAG: store_id_bypass +# When this is 'on', a request will not go through the +# helper if all helpers are busy. If this is 'off' +# and the helper queue grows too large, Squid will exit +# with a FATAL error and ask you to increase the number of +# helpers. You should only enable this if the helperss +# are not critical to your caching system. If you use +# helpers for critical caching components, and you enable this +# option, users may not get objects from cache. +#Default: +# store_id_bypass on + +# OPTIONS FOR TUNING THE CACHE +# ----------------------------------------------------------------------------- + +# TAG: cache +# Requests denied by this directive will not be served from the cache +# and their responses will not be stored in the cache. This directive +# has no effect on other transactions and on already cached responses. +# +# This clause supports both fast and slow acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# This and the two other similar caching directives listed below are +# checked at different transaction processing stages, have different +# access to response information, affect different cache operations, +# and differ in slow ACLs support: +# +# * cache: Checked before Squid makes a hit/miss determination. +# No access to reply information! +# Denies both serving a hit and storing a miss. +# Supports both fast and slow ACLs. +# * send_hit: Checked after a hit was detected. +# Has access to reply (hit) information. +# Denies serving a hit only. +# Supports fast ACLs only. +# * store_miss: Checked before storing a cachable miss. +# Has access to reply (miss) information. +# Denies storing a miss only. +# Supports fast ACLs only. +# +# If you are not sure which of the three directives to use, apply the +# following decision logic: +# +# * If your ACL(s) are of slow type _and_ need response info, redesign. +# Squid does not support that particular combination at this time. +# Otherwise: +# * If your directive ACL(s) are of slow type, use "cache"; and/or +# * if your directive ACL(s) need no response info, use "cache". +# Otherwise: +# * If you do not want the response cached, use store_miss; and/or +# * if you do not want a hit on a cached response, use send_hit. +#Default: +# By default, this directive is unused and has no effect. + +# TAG: send_hit +# Responses denied by this directive will not be served from the cache +# (but may still be cached, see store_miss). This directive has no +# effect on the responses it allows and on the cached objects. +# +# Please see the "cache" directive for a summary of differences among +# store_miss, send_hit, and cache directives. +# +# Unlike the "cache" directive, send_hit only supports fast acl +# types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# For example: +# +# # apply custom Store ID mapping to some URLs +# acl MapMe dstdomain .c.example.com +# store_id_program ... +# store_id_access allow MapMe +# +# # but prevent caching of special responses +# # such as 302 redirects that cause StoreID loops +# acl Ordinary http_status 200-299 +# store_miss deny MapMe !Ordinary +# +# # and do not serve any previously stored special responses +# # from the cache (in case they were already cached before +# # the above store_miss rule was in effect). +# send_hit deny MapMe !Ordinary +#Default: +# By default, this directive is unused and has no effect. + +# TAG: store_miss +# Responses denied by this directive will not be cached (but may still +# be served from the cache, see send_hit). This directive has no +# effect on the responses it allows and on the already cached responses. +# +# Please see the "cache" directive for a summary of differences among +# store_miss, send_hit, and cache directives. See the +# send_hit directive for a usage example. +# +# Unlike the "cache" directive, store_miss only supports fast acl +# types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# By default, this directive is unused and has no effect. + +# TAG: max_stale time-units +# This option puts an upper limit on how stale content Squid +# will serve from the cache if cache validation fails. +# Can be overriden by the refresh_pattern max-stale option. +#Default: +# max_stale 1 week # TAG: refresh_pattern # usage: refresh_pattern [-i] regex min percent max [options] @@ -3028,12 +4776,13 @@ coredump_dir /var/spool/squid # override-lastmod # reload-into-ims # ignore-reload -# ignore-no-cache # ignore-no-store # ignore-must-revalidate # ignore-private # ignore-auth +# max-stale=NN # refresh-ims +# store-stale # # override-expire enforces min age even if the server # sent an explicit expiry time (e.g., with the @@ -3049,22 +4798,18 @@ coredump_dir /var/spool/squid # override-lastmod enforces min age even on objects # that were modified recently. # -# reload-into-ims changes client no-cache or ``reload'' -# to If-Modified-Since requests. Doing this VIOLATES the -# HTTP standard. Enabling this feature could make you -# liable for problems which it causes. +# reload-into-ims changes a client no-cache or ``reload'' +# request for a cached entry into a conditional request using +# If-Modified-Since and/or If-None-Match headers, provided the +# cached entry has a Last-Modified and/or a strong ETag header. +# Doing this VIOLATES the HTTP standard. Enabling this feature +# could make you liable for problems which it causes. # # ignore-reload ignores a client no-cache or ``reload'' # header. Doing this VIOLATES the HTTP standard. Enabling # this feature could make you liable for problems which # it causes. # -# ignore-no-cache ignores any ``Pragma: no-cache'' and -# ``Cache-control: no-cache'' headers received from a server. -# The HTTP RFC never allows the use of this (Pragma) header -# from a server, only a client, though plenty of servers -# send it anyway. -# # ignore-no-store ignores any ``Cache-control: no-store'' # headers received from a server. Doing this VIOLATES # the HTTP standard. Enabling this feature could make you @@ -3091,9 +4836,19 @@ coredump_dir /var/spool/squid # ensures that the client will receive an updated version # if one is available. # +# store-stale stores responses even if they don't have explicit +# freshness or a validator (i.e., Last-Modified or an ETag) +# present, or if they're already stale. By default, Squid will +# not cache such responses because they usually can't be +# reused. Note that such responses will be stale by default. +# +# max-stale=NN provide a maximum staleness factor. Squid won't +# serve objects more stale than this even if it failed to +# validate the object. Default: use the max_stale global limit. +# # Basically a cached object is: # -# FRESH if expires < now, else STALE +# FRESH if expire > now, else STALE # STALE if age > max # FRESH if lm-factor < percent, else STALE # FRESH if age < min @@ -3109,7 +4864,9 @@ coredump_dir /var/spool/squid # # +# # Add any of your own refresh_pattern entries above these. +# refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 @@ -3137,7 +4894,7 @@ refresh_pattern . 0 20% 4320 # downloads. # # When the user aborts a request, Squid will check the -# quick_abort values to the amount of data transfered until +# quick_abort values to the amount of data transferred until # then. # # If the transfer has less than 'quick_abort_min' KB remaining, @@ -3195,44 +4952,68 @@ refresh_pattern . 0 20% 4320 #Default: # negative_dns_ttl 1 minutes -# TAG: range_offset_limit (bytes) -# Sets a upper limit on how far into the the file a Range request -# may be to cause Squid to prefetch the whole file. If beyond this -# limit Squid forwards the Range request as it is and the result -# is NOT cached. -# +# TAG: range_offset_limit size [acl acl...] +# usage: (size) [units] [[!]aclname] +# +# Sets an upper limit on how far (number of bytes) into the file +# a Range request may be to cause Squid to prefetch the whole file. +# If beyond this limit, Squid forwards the Range request as it is and +# the result is NOT cached. +# # This is to stop a far ahead range request (lets say start at 17MB) # from making Squid fetch the whole object up to that point before # sending anything to the client. -# -# A value of 0 causes Squid to never fetch more than the +# +# Multiple range_offset_limit lines may be specified, and they will +# be searched from top to bottom on each request until a match is found. +# The first match found will be used. If no line matches a request, the +# default limit of 0 bytes will be used. +# +# 'size' is the limit specified as a number of units. +# +# 'units' specifies whether to use bytes, KB, MB, etc. +# If no units are specified bytes are assumed. +# +# A size of 0 causes Squid to never fetch more than the # client requested. (default) -# -# A value of -1 causes Squid to always fetch the object from the +# +# A size of 'none' causes Squid to always fetch the object from the # beginning so it may cache the result. (2.0 style) -# -# NP: Using -1 here will override any quick_abort settings that may -# otherwise apply to the range request. The range request will +# +# 'aclname' is the name of a defined ACL. +# +# NP: Using 'none' as the byte value here will override any quick_abort settings +# that may otherwise apply to the range request. The range request will # be fully fetched from start to finish regardless of the client # actions. This affects bandwidth usage. #Default: -# range_offset_limit 0 KB +# none # TAG: minimum_expiry_time (seconds) # The minimum caching time according to (Expires - Date) -# Headers Squid honors if the object can't be revalidated -# defaults to 60 seconds. In reverse proxy environments it -# might be desirable to honor shorter object lifetimes. It -# is most likely better to make your server return a -# meaningful Last-Modified header however. In ESI environments -# where page fragments often have short lifetimes, this will -# often be best set to 0. +# headers Squid honors if the object can't be revalidated. +# The default is 60 seconds. +# +# In reverse proxy environments it might be desirable to honor +# shorter object lifetimes. It is most likely better to make +# your server return a meaningful Last-Modified header however. +# +# In ESI environments where page fragments often have short +# lifetimes, this will often be best set to 0. #Default: # minimum_expiry_time 60 seconds -# TAG: store_avg_object_size (kbytes) +# TAG: store_avg_object_size (bytes) # Average object size, used to estimate number of objects your # cache can hold. The default is 13 KB. +# +# This is used to pre-seed the cache index memory allocation to +# reduce expensive reallocate operations while handling clients +# traffic. Too-large values may result in memory allocation during +# peak traffic, too-small values will result in wasted memory. +# +# Check the cache manager 'info' report metrics for the real +# object sizes seen by your Squid before tuning this. #Default: # store_avg_object_size 13 KB @@ -3271,8 +5052,11 @@ refresh_pattern . 0 20% 4320 # than this limit receives an "Invalid Request" error message. # If you set this parameter to a zero (the default), there will # be no limit imposed. +# +# See also client_request_buffer_max_size for an alternative +# limitation on client uploads which can be configured. #Default: -# request_body_max_size 0 KB +# No limit. # TAG: client_request_buffer_max_size (bytes) # This specifies the maximum buffer size of a client request. @@ -3281,29 +5065,6 @@ refresh_pattern . 0 20% 4320 #Default: # client_request_buffer_max_size 512 KB -# TAG: chunked_request_body_max_size (bytes) -# A broken or confused HTTP/1.1 client may send a chunked HTTP -# request to Squid. Squid does not have full support for that -# feature yet. To cope with such requests, Squid buffers the -# entire request and then dechunks request body to create a -# plain HTTP/1.0 request with a known content length. The plain -# request is then used by the rest of Squid code as usual. -# -# The option value specifies the maximum size of the buffer used -# to hold the request before the conversion. If the chunked -# request size exceeds the specified limit, the conversion -# fails, and the client receives an "unsupported request" error, -# as if dechunking was disabled. -# -# Dechunking is enabled by default. To disable conversion of -# chunked requests, set the maximum to zero. -# -# Request dechunking feature and this option in particular are a -# temporary hack. When chunking requests and responses are fully -# supported, there will be no need to buffer a chunked request. -#Default: -# chunked_request_body_max_size 64 KB - # TAG: broken_posts # A list of ACL elements which, if matched, causes Squid to send # an extra CRLF pair after the body of a PUT/POST request. @@ -3325,15 +5086,15 @@ refresh_pattern . 0 20% 4320 # acl buggy_server url_regex ^http://.... # broken_posts allow buggy_server #Default: -# none +# Obey RFC 2616. -# TAG: icap_uses_indirect_client on|off +# TAG: adaptation_uses_indirect_client on|off # Controls whether the indirect client IP address (instead of the direct # client IP address) is passed to adaptation services. # # See also: follow_x_forwarded_for adaptation_send_client_ip #Default: -# icap_uses_indirect_client on +# adaptation_uses_indirect_client on # TAG: via on|off # If set (default), Squid will include a Via header in requests and @@ -3395,64 +5156,62 @@ refresh_pattern . 0 20% 4320 # # This option replaces the old 'anonymize_headers' and the # older 'http_anonymizer' option with something that is much -# more configurable. This new method creates a list of ACLs -# for each header, allowing you very fine-tuned header -# mangling. -# -# This option only applies to request headers, i.e., from the -# client to the server. -# -# You can only specify known headers for the header name. -# Other headers are reclassified as 'Other'. You can also -# refer to all the headers with 'All'. +# more configurable. A list of ACLs for each header name allows +# removal of specific header fields under specific conditions. +# +# This option only applies to outgoing HTTP request headers (i.e., +# headers sent by Squid to the next HTTP hop such as a cache peer +# or an origin server). The option has no effect during cache hit +# detection. The equivalent adaptation vectoring point in ICAP +# terminology is post-cache REQMOD. +# +# The option is applied to individual outgoing request header +# fields. For each request header field F, Squid uses the first +# qualifying sets of request_header_access rules: +# +# 1. Rules with header_name equal to F's name. +# 2. Rules with header_name 'Other', provided F's name is not +# on the hard-coded list of commonly used HTTP header names. +# 3. Rules with header_name 'All'. +# +# Within that qualifying rule set, rule ACLs are checked as usual. +# If ACLs of an "allow" rule match, the header field is allowed to +# go through as is. If ACLs of a "deny" rule match, the header is +# removed and request_header_replace is then checked to identify +# if the removed header has a replacement. If no rules within the +# set have matching ACLs, the header field is left as is. # # For example, to achieve the same behavior as the old # 'http_anonymizer standard' option, you should use: # # request_header_access From deny all # request_header_access Referer deny all -# request_header_access Server deny all # request_header_access User-Agent deny all -# request_header_access WWW-Authenticate deny all -# request_header_access Link deny all # # Or, to reproduce the old 'http_anonymizer paranoid' feature # you should use: # -# request_header_access Allow allow all # request_header_access Authorization allow all -# request_header_access WWW-Authenticate allow all # request_header_access Proxy-Authorization allow all -# request_header_access Proxy-Authenticate allow all # request_header_access Cache-Control allow all -# request_header_access Content-Encoding allow all # request_header_access Content-Length allow all # request_header_access Content-Type allow all # request_header_access Date allow all -# request_header_access Expires allow all # request_header_access Host allow all # request_header_access If-Modified-Since allow all -# request_header_access Last-Modified allow all -# request_header_access Location allow all # request_header_access Pragma allow all # request_header_access Accept allow all # request_header_access Accept-Charset allow all # request_header_access Accept-Encoding allow all # request_header_access Accept-Language allow all -# request_header_access Content-Language allow all -# request_header_access Mime-Version allow all -# request_header_access Retry-After allow all -# request_header_access Title allow all # request_header_access Connection allow all # request_header_access All deny all # -# although many of those are HTTP reply headers, and so should be -# controlled with the reply_header_access directive. +# HTTP reply headers are controlled with the reply_header_access directive. # -# By default, all headers are allowed (no anonymizing is -# performed). +# By default, all headers are allowed (no anonymizing is performed). #Default: -# none +# No limits. # TAG: reply_header_access # Usage: reply_header_access header_name allow|deny [!]aclname ... @@ -3465,25 +5224,13 @@ refresh_pattern . 0 20% 4320 # server to the client. # # This is the same as request_header_access, but in the other -# direction. -# -# This option replaces the old 'anonymize_headers' and the -# older 'http_anonymizer' option with something that is much -# more configurable. This new method creates a list of ACLs -# for each header, allowing you very fine-tuned header -# mangling. -# -# You can only specify known headers for the header name. -# Other headers are reclassified as 'Other'. You can also -# refer to all the headers with 'All'. +# direction. Please see request_header_access for detailed +# documentation. # # For example, to achieve the same behavior as the old # 'http_anonymizer standard' option, you should use: # -# reply_header_access From deny all -# reply_header_access Referer deny all # reply_header_access Server deny all -# reply_header_access User-Agent deny all # reply_header_access WWW-Authenticate deny all # reply_header_access Link deny all # @@ -3491,9 +5238,7 @@ refresh_pattern . 0 20% 4320 # you should use: # # reply_header_access Allow allow all -# reply_header_access Authorization allow all # reply_header_access WWW-Authenticate allow all -# reply_header_access Proxy-Authorization allow all # reply_header_access Proxy-Authenticate allow all # reply_header_access Cache-Control allow all # reply_header_access Content-Encoding allow all @@ -3501,29 +5246,22 @@ refresh_pattern . 0 20% 4320 # reply_header_access Content-Type allow all # reply_header_access Date allow all # reply_header_access Expires allow all -# reply_header_access Host allow all -# reply_header_access If-Modified-Since allow all # reply_header_access Last-Modified allow all # reply_header_access Location allow all # reply_header_access Pragma allow all -# reply_header_access Accept allow all -# reply_header_access Accept-Charset allow all -# reply_header_access Accept-Encoding allow all -# reply_header_access Accept-Language allow all # reply_header_access Content-Language allow all -# reply_header_access Mime-Version allow all # reply_header_access Retry-After allow all # reply_header_access Title allow all +# reply_header_access Content-Disposition allow all # reply_header_access Connection allow all # reply_header_access All deny all # -# although the HTTP request headers won't be usefully controlled -# by this directive -- see request_header_access for details. +# HTTP request headers are controlled with the request_header_access directive. # # By default, all headers are allowed (no anonymizing is # performed). #Default: -# none +# No limits. # TAG: request_header_replace # Usage: request_header_replace header_name message @@ -3531,8 +5269,7 @@ refresh_pattern . 0 20% 4320 # # This option allows you to change the contents of headers # denied with request_header_access above, by replacing them -# with some fixed string. This replaces the old fake_user_agent -# option. +# with some fixed string. # # This only applies to request headers, not reply headers. # @@ -3554,6 +5291,57 @@ refresh_pattern . 0 20% 4320 #Default: # none +# TAG: request_header_add +# Usage: request_header_add field-name field-value acl1 [acl2] ... +# Example: request_header_add X-Client-CA "CA=%ssl::>cert_issuer" all +# +# This option adds header fields to outgoing HTTP requests (i.e., +# request headers sent by Squid to the next HTTP hop such as a +# cache peer or an origin server). The option has no effect during +# cache hit detection. The equivalent adaptation vectoring point +# in ICAP terminology is post-cache REQMOD. +# +# Field-name is a token specifying an HTTP header name. If a +# standard HTTP header name is used, Squid does not check whether +# the new header conflicts with any existing headers or violates +# HTTP rules. If the request to be modified already contains a +# field with the same name, the old field is preserved but the +# header field values are not merged. +# +# Field-value is either a token or a quoted string. If quoted +# string format is used, then the surrounding quotes are removed +# while escape sequences and %macros are processed. +# +# In theory, all of the logformat codes can be used as %macros. +# However, unlike logging (which happens at the very end of +# transaction lifetime), the transaction may not yet have enough +# information to expand a macro when the new header value is needed. +# And some information may already be available to Squid but not yet +# committed where the macro expansion code can access it (report +# such instances!). The macro will be expanded into a single dash +# ('-') in such cases. Not all macros have been tested. +# +# One or more Squid ACLs may be specified to restrict header +# injection to matching requests. As always in squid.conf, all +# ACLs in an option ACL list must be satisfied for the insertion +# to happen. The request_header_add option supports fast ACLs +# only. +#Default: +# none + +# TAG: note +# This option used to log custom information about the master +# transaction. For example, an admin may configure Squid to log +# which "user group" the transaction belongs to, where "user group" +# will be determined based on a set of ACLs and not [just] +# authentication information. +# Values of key/value pairs can be logged using %{key}note macros: +# +# note key value acl ... +# logformat myFormat ... %{key}note ... +#Default: +# none + # TAG: relaxed_header_parser on|off|warn # In the default "on" setting Squid accepts certain forms # of non-compliant HTTP messages where it is unambiguous @@ -3569,15 +5357,32 @@ refresh_pattern . 0 20% 4320 #Default: # relaxed_header_parser on -# TAG: ignore_expect_100 on|off -# This option makes Squid ignore any Expect: 100-continue header present -# in the request. RFC 2616 requires that Squid being unable to satisfy -# the response expectation MUST return a 417 error. -# -# Note: Enabling this is a HTTP protocol violation, but some clients may -# not handle it well.. -#Default: -# ignore_expect_100 off +# TAG: collapsed_forwarding (on|off) +# When enabled, instead of forwarding each concurrent request for +# the same URL, Squid just sends the first of them. The other, so +# called "collapsed" requests, wait for the response to the first +# request and, if it happens to be cachable, use that response. +# Here, "concurrent requests" means "received after the first +# request headers were parsed and before the corresponding response +# headers were parsed". +# +# This feature is disabled by default: enabling collapsed +# forwarding needlessly delays forwarding requests that look +# cachable (when they are collapsed) but then need to be forwarded +# individually anyway because they end up being for uncachable +# content. However, in some cases, such as acceleration of highly +# cachable content with periodic or grouped expiration times, the +# gains from collapsing [large volumes of simultaneous refresh +# requests] outweigh losses from such delays. +# +# Squid collapses two kinds of requests: regular client requests +# received on one of the listening ports and internal "cache +# revalidation" requests which are triggered by those regular +# requests hitting a stale cached object. Revalidation collapsing +# is currently disabled for Squid instances containing SMP-aware +# disk or memory caches and for Vary-controlled cached objects. +#Default: +# collapsed_forwarding off # TIMEOUTS # ----------------------------------------------------------------------------- @@ -3604,25 +5409,46 @@ refresh_pattern . 0 20% 4320 # peer_connect_timeout 30 seconds # TAG: read_timeout time-units -# The read_timeout is applied on server-side connections. After -# each successful read(), the timeout will be extended by this +# Applied on peer server connections. +# +# After each successful read(), the timeout will be extended by this # amount. If no data is read again after this amount of time, -# the request is aborted and logged with ERR_READ_TIMEOUT. The -# default is 15 minutes. +# the request is aborted and logged with ERR_READ_TIMEOUT. +# +# The default is 15 minutes. #Default: # read_timeout 15 minutes +# TAG: write_timeout time-units +# This timeout is tracked for all connections that have data +# available for writing and are waiting for the socket to become +# ready. After each successful write, the timeout is extended by +# the configured amount. If Squid has data to write but the +# connection is not ready for the configured duration, the +# transaction associated with the connection is terminated. The +# default is 15 minutes. +#Default: +# write_timeout 15 minutes + # TAG: request_timeout # How long to wait for complete HTTP request headers after initial # connection establishment. #Default: # request_timeout 5 minutes -# TAG: persistent_request_timeout +# TAG: client_idle_pconn_timeout # How long to wait for the next HTTP request on a persistent -# connection after the previous request completes. +# client connection after the previous request completes. +#Default: +# client_idle_pconn_timeout 2 minutes + +# TAG: ftp_client_idle_timeout +# How long to wait for an FTP request on a connection to Squid ftp_port. +# Many FTP clients do not deal with idle connection closures well, +# necessitating a longer default timeout than client_idle_pconn_timeout +# used for incoming HTTP requests. #Default: -# persistent_request_timeout 2 minutes +# ftp_client_idle_timeout 30 minutes # TAG: client_lifetime time-units # The maximum amount of time a client (browser) is allowed to @@ -3658,11 +5484,11 @@ refresh_pattern . 0 20% 4320 #Default: # half_closed_clients off -# TAG: pconn_timeout +# TAG: server_idle_pconn_timeout # Timeout for idle persistent connections to servers and other # proxies. #Default: -# pconn_timeout 1 minute +# server_idle_pconn_timeout 1 minute # TAG: ident_timeout # Maximum time to wait for IDENT lookups to complete. @@ -3687,15 +5513,15 @@ refresh_pattern . 0 20% 4320 # TAG: cache_mgr # Email-address of local cache manager who will receive -# mail if the cache dies. The default is "webmaster." +# mail if the cache dies. The default is "webmaster". #Default: # cache_mgr webmaster # TAG: mail_from # From: email-address for mail sent when the cache dies. -# The default is to use 'appname@unique_hostname'. -# Default appname value is "squid", can be changed into -# src/globals.h before building squid. +# The default is to use 'squid@unique_hostname'. +# +# See also: unique_hostname directive. #Default: # none @@ -3734,7 +5560,7 @@ refresh_pattern . 0 20% 4320 # Our preference is for administrators to configure a secure # user account for squid with UID/GID matching system policies. #Default: -# none +# Use system group memberships of the cache_effective_user account # TAG: httpd_suppress_version_string on|off # Suppress Squid version string info in HTTP headers and HTML error pages. @@ -3748,14 +5574,14 @@ refresh_pattern . 0 20% 4320 # get errors about IP-forwarding you must set them to have individual # names with this setting. #Default: -# visible_hostname localhost +# Automatically detect the system host name # TAG: unique_hostname # If you want to have multiple machines with the same # 'visible_hostname' you must give each machine a different # 'unique_hostname' so forwarding loops can be detected. #Default: -# none +# Copy the value from visible_hostname # TAG: hostname_aliases # A list of other DNS names your cache has. @@ -3794,33 +5620,32 @@ refresh_pattern . 0 20% 4320 # available on the Web at http://www.ircache.net/Cache/Tracker/. # TAG: announce_period -# This is how frequently to send cache announcements. The -# default is `0' which disables sending the announcement -# messages. +# This is how frequently to send cache announcements. # # To enable announcing your cache, just set an announce period. # # Example: # announce_period 1 day #Default: -# announce_period 0 +# Announcement messages disabled. # TAG: announce_host +# Set the hostname where announce registration messages will be sent. +# +# See also announce_port and announce_file #Default: # announce_host tracker.ircache.net # TAG: announce_file +# The contents of this file will be included in the announce +# registration messages. #Default: # none # TAG: announce_port -# announce_host and announce_port set the hostname and port -# number where the registration message will be sent. +# Set the port where announce registration messages will be sent. # -# Hostname will default to 'tracker.ircache.net' and port will -# default default to 3131. If the 'filename' argument is given, -# the contents of that file will be included in the announce -# message. +# See also announce_host and announce_file #Default: # announce_port 3131 @@ -3833,10 +5658,12 @@ refresh_pattern . 0 20% 4320 # a farm of surrogates may all perform the same tasks, they may share # an identification token. #Default: -# httpd_accel_surrogate_id unset-id +# visible_hostname is used if no specific ID is set. # TAG: http_accel_surrogate_remote on|off -# Remote surrogates (such as those in a CDN) honour Surrogate-Control: no-store-remote. +# Remote surrogates (such as those in a CDN) honour the header +# "Surrogate-Control: no-store-remote". +# # Set this to on to have squid behave as a remote surrogate. #Default: # http_accel_surrogate_remote off @@ -3855,6 +5682,9 @@ refresh_pattern . 0 20% 4320 # This represents the number of delay pools to be used. For example, # if you have one class 2 delay pool and one class 3 delays pool, you # have a total of 2 delay pools. +# +# See also delay_parameters, delay_class, delay_access for pool +# configuration details. #Default: # delay_pools 0 @@ -3907,6 +5737,11 @@ refresh_pattern . 0 20% 4320 # # NOTE-2: Due to the use of bitmasks in class 2,3,4 pools they only apply to # IPv4 traffic. Class 1 and 5 pools may be used with IPv6 traffic. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# See also delay_parameters and delay_access. #Default: # none @@ -3921,14 +5756,16 @@ refresh_pattern . 0 20% 4320 # For example, if you want some_big_clients in delay # pool 1 and lotsa_little_clients in delay pool 2: # -#Example: -# delay_access 1 allow some_big_clients -# delay_access 1 deny all -# delay_access 2 allow lotsa_little_clients -# delay_access 2 deny all -# delay_access 3 allow authenticated_clients +# delay_access 1 allow some_big_clients +# delay_access 1 deny all +# delay_access 2 allow lotsa_little_clients +# delay_access 2 deny all +# delay_access 3 allow authenticated_clients +# +# See also delay_parameters and delay_class. +# #Default: -# none +# Deny using the pool, unless allow rules exist in squid.conf for the pool. # TAG: delay_parameters # This defines the parameters for a delay pool. Each delay pool has @@ -3936,23 +5773,23 @@ refresh_pattern . 0 20% 4320 # description of delay_class. # # For a class 1 delay pool, the syntax is: -# delay_pools pool 1 +# delay_class pool 1 # delay_parameters pool aggregate # # For a class 2 delay pool: -# delay_pools pool 2 +# delay_class pool 2 # delay_parameters pool aggregate individual # # For a class 3 delay pool: -# delay_pools pool 3 +# delay_class pool 3 # delay_parameters pool aggregate network individual # # For a class 4 delay pool: -# delay_pools pool 4 +# delay_class pool 4 # delay_parameters pool aggregate network individual user # # For a class 5 delay pool: -# delay_pools pool 5 +# delay_class pool 5 # delay_parameters pool tagrate # # The option variables are: @@ -3988,11 +5825,11 @@ refresh_pattern . 0 20% 4320 # above example, and is being used to strictly limit each host to 64Kbit/sec # (plus overheads), with no overall limit, the line is: # -# delay_parameters 1 -1/-1 8000/8000 +# delay_parameters 1 none 8000/8000 # -# Note that 8 x 8000 KByte/sec -> 64Kbit/sec. +# Note that 8 x 8K Byte/sec -> 64K bit/sec. # -# Note that the figure -1 is used to represent "unlimited". +# Note that the word 'none' is used to represent no limit. # # # And, if delay pool number 2 is a class 3 delay pool as in the above @@ -4005,15 +5842,19 @@ refresh_pattern . 0 20% 4320 # # delay_parameters 2 32000/32000 8000/8000 600/8000 # -# Note that 8 x 32000 KByte/sec -> 256Kbit/sec. -# 8 x 8000 KByte/sec -> 64Kbit/sec. -# 8 x 600 Byte/sec -> 4800bit/sec. +# Note that 8 x 32K Byte/sec -> 256K bit/sec. +# 8 x 8K Byte/sec -> 64K bit/sec. +# 8 x 600 Byte/sec -> 4800 bit/sec. # # # Finally, for a class 4 delay pool as in the example - each user will # be limited to 128Kbits/sec no matter how many workstations they are logged into.: # # delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000 +# +# +# See also delay_class and delay_access. +# #Default: # none @@ -4026,6 +5867,94 @@ refresh_pattern . 0 20% 4320 #Default: # delay_initial_bucket_level 50 +# CLIENT DELAY POOL PARAMETERS +# ----------------------------------------------------------------------------- + +# TAG: client_delay_pools +# This option specifies the number of client delay pools used. It must +# preceed other client_delay_* options. +# +# Example: +# client_delay_pools 2 +# +# See also client_delay_parameters and client_delay_access. +#Default: +# client_delay_pools 0 + +# TAG: client_delay_initial_bucket_level (percent, 0-no_limit) +# This option determines the initial bucket size as a percentage of +# max_bucket_size from client_delay_parameters. Buckets are created +# at the time of the "first" connection from the matching IP. Idle +# buckets are periodically deleted up. +# +# You can specify more than 100 percent but note that such "oversized" +# buckets are not refilled until their size goes down to max_bucket_size +# from client_delay_parameters. +# +# Example: +# client_delay_initial_bucket_level 50 +#Default: +# client_delay_initial_bucket_level 50 + +# TAG: client_delay_parameters +# +# This option configures client-side bandwidth limits using the +# following format: +# +# client_delay_parameters pool speed_limit max_bucket_size +# +# pool is an integer ID used for client_delay_access matching. +# +# speed_limit is bytes added to the bucket per second. +# +# max_bucket_size is the maximum size of a bucket, enforced after any +# speed_limit additions. +# +# Please see the delay_parameters option for more information and +# examples. +# +# Example: +# client_delay_parameters 1 1024 2048 +# client_delay_parameters 2 51200 16384 +# +# See also client_delay_access. +# +#Default: +# none + +# TAG: client_delay_access +# This option determines the client-side delay pool for the +# request: +# +# client_delay_access pool_ID allow|deny acl_name +# +# All client_delay_access options are checked in their pool ID +# order, starting with pool 1. The first checked pool with allowed +# request is selected for the request. If no ACL matches or there +# are no client_delay_access options, the request bandwidth is not +# limited. +# +# The ACL-selected pool is then used to find the +# client_delay_parameters for the request. Client-side pools are +# not used to aggregate clients. Clients are always aggregated +# based on their source IP addresses (one bucket per source IP). +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# Additionally, only the client TCP connection details are available. +# ACLs testing HTTP properties will not work. +# +# Please see delay_access for more examples. +# +# Example: +# client_delay_access 1 allow low_rate_network +# client_delay_access 2 allow vips_network +# +# +# See also client_delay_parameters and client_delay_pools. +#Default: +# Deny use of the pool, unless allow rules exist in squid.conf for the pool. + # WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS # ----------------------------------------------------------------------------- @@ -4040,7 +5969,7 @@ refresh_pattern . 0 20% 4320 # only one of the two may be used at the same time and defines # which version of WCCP to use. #Default: -# wccp_router any_addr +# WCCP disabled. # TAG: wccp2_router # Use this option to define your WCCP ``home'' router for @@ -4053,7 +5982,7 @@ refresh_pattern . 0 20% 4320 # only one of the two may be used at the same time and defines # which version of WCCP to use. #Default: -# none +# WCCPv2 disabled. # TAG: wccp_version # This directive is only relevant if you need to set up WCCP(v1) @@ -4110,7 +6039,7 @@ refresh_pattern . 0 20% 4320 # Valid values are as follows: # # hash - Hash assignment -# mask - Mask assignment +# mask - Mask assignment # # As a general rule, cisco routers support the hash assignment method # and cisco switches support the mask assignment method. @@ -4138,7 +6067,7 @@ refresh_pattern . 0 20% 4320 # # fleshed out with subsequent options. # wccp2_service standard 0 password=foo #Default: -# wccp2_service standard 0 +# Use the 'web-cache' standard service. # TAG: wccp2_service_info # Dynamic WCCPv2 services require further information to define the @@ -4175,8 +6104,12 @@ refresh_pattern . 0 20% 4320 # wccp2_weight 10000 # TAG: wccp_address +# Use this option if you require WCCPv2 to use a specific +# interface address. +# +# The default behavior is to not bind to any specific address. #Default: -# wccp_address 0.0.0.0 +# Address selected by the operating system. # TAG: wccp2_address # Use this option if you require WCCP to use a specific @@ -4184,7 +6117,7 @@ refresh_pattern . 0 20% 4320 # # The default behavior is to not bind to any specific address. #Default: -# wccp2_address 0.0.0.0 +# Address selected by the operating system. # PERSISTENT CONNECTION HANDLING # ----------------------------------------------------------------------------- @@ -4192,14 +6125,16 @@ refresh_pattern . 0 20% 4320 # Also see "pconn_timeout" in the TIMEOUTS section # TAG: client_persistent_connections +# Persistent connection support for clients. +# Squid uses persistent connections (when allowed). You can use +# this option to disable persistent connections with clients. #Default: # client_persistent_connections on # TAG: server_persistent_connections -# Persistent connection support for clients and servers. By -# default, Squid uses persistent connections (when allowed) -# with its clients and servers. You can use these options to -# disable persistent connections with clients and/or servers. +# Persistent connection support for servers. +# Squid uses persistent connections (when allowed). You can use +# this option to disable persistent connections with servers. #Default: # server_persistent_connections on @@ -4275,7 +6210,7 @@ refresh_pattern . 0 20% 4320 # Example: # snmp_port 3401 #Default: -# snmp_port 0 +# SNMP disabled. # TAG: snmp_access # Allowing or denying access to the SNMP port. @@ -4287,26 +6222,29 @@ refresh_pattern . 0 20% 4320 # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# #Example: # snmp_access allow snmppublic localhost # snmp_access deny all #Default: -# snmp_access deny all +# Deny, unless rules exist in squid.conf. # TAG: snmp_incoming_address -#Default: -# snmp_incoming_address any_addr - -# TAG: snmp_outgoing_address # Just like 'udp_incoming_address', but for the SNMP port. # # snmp_incoming_address is used for the SNMP socket receiving # messages from SNMP agents. -# snmp_outgoing_address is used for SNMP packets returned to SNMP -# agents. # # The default snmp_incoming_address is to listen on all # available network interfaces. +#Default: +# Accept SNMP packets from all machine interfaces. + +# TAG: snmp_outgoing_address +# Just like 'udp_outgoing_address', but for the SNMP port. +# +# snmp_outgoing_address is used for SNMP packets returned to SNMP +# agents. # # If snmp_outgoing_address is not set it will use the same socket # as snmp_incoming_address. Only change this if you want to have @@ -4314,9 +6252,9 @@ refresh_pattern . 0 20% 4320 # listens for SNMP queries. # # NOTE, snmp_incoming_address and snmp_outgoing_address can not have -# the same value since they both use port 3401. +# the same value since they both use the same port. #Default: -# snmp_outgoing_address no_addr +# Use snmp_incoming_address or an address selected by the operating system. # ICP OPTIONS # ----------------------------------------------------------------------------- @@ -4324,22 +6262,21 @@ refresh_pattern . 0 20% 4320 # TAG: icp_port # The port number where Squid sends and receives ICP queries to # and from neighbor caches. The standard UDP port for ICP is 3130. -# Default is disabled (0). # # Example: # icp_port 3130 #Default: -# icp_port 0 +# ICP disabled. # TAG: htcp_port # The port number where Squid sends and receives HTCP queries to # and from neighbor caches. To turn it on you want to set it to -# 4827. By default it is set to "0" (disabled). +# 4827. # # Example: # htcp_port 4827 #Default: -# htcp_port 0 +# HTCP disabled. # TAG: log_icp_queries on|off # If set, ICP queries are logged to access.log. You may wish @@ -4365,7 +6302,7 @@ refresh_pattern . 0 20% 4320 # NOTE, udp_incoming_address and udp_outgoing_address can not # have the same value since they both use the same port. #Default: -# udp_incoming_address any_addr +# Accept packets from all machine interfaces. # TAG: udp_outgoing_address # udp_outgoing_address is used for UDP packets sent out to other @@ -4386,7 +6323,7 @@ refresh_pattern . 0 20% 4320 # NOTE, udp_incoming_address and udp_outgoing_address can not # have the same value since they both use the same port. #Default: -# udp_outgoing_address no_addr +# Use udp_incoming_address or an address selected by the operating system. # TAG: icp_hit_stale on|off # If you want to return ICP_HIT for stale cache objects, set this @@ -4405,21 +6342,33 @@ refresh_pattern . 0 20% 4320 #Default: # minimum_direct_hops 4 -# TAG: minimum_direct_rtt +# TAG: minimum_direct_rtt (msec) # If using the ICMP pinging stuff, do direct fetches for sites # which are no more than this many rtt milliseconds away. #Default: # minimum_direct_rtt 400 # TAG: netdb_low +# The low water mark for the ICMP measurement database. +# +# Note: high watermark controlled by netdb_high directive. +# +# These watermarks are counts, not percents. The defaults are +# (low) 900 and (high) 1000. When the high water mark is +# reached, database entries will be deleted until the low +# mark is reached. #Default: # netdb_low 900 # TAG: netdb_high -# The low and high water marks for the ICMP measurement -# database. These are counts, not percents. The defaults are -# 900 and 1000. When the high water mark is reached, database -# entries will be deleted until the low mark is reached. +# The high water mark for the ICMP measurement database. +# +# Note: low watermark controlled by netdb_low directive. +# +# These watermarks are counts, not percents. The defaults are +# (low) 900 and (high) 1000. When the high water mark is +# reached, database entries will be deleted until the low +# mark is reached. #Default: # netdb_high 1000 @@ -4462,7 +6411,7 @@ refresh_pattern . 0 20% 4320 # # icp_query_timeout 2000 #Default: -# icp_query_timeout 0 +# Dynamic detection. # TAG: maximum_icp_query_timeout (msec) # Normally the ICP query timeout is determined dynamically. But @@ -4528,7 +6477,7 @@ refresh_pattern . 0 20% 4320 # Do not enable this option unless you are are absolutely # certain you understand what you are doing. #Default: -# mcast_miss_addr no_addr +# disabled. # TAG: mcast_miss_ttl # Note: This option is only available if Squid is rebuilt with the @@ -4618,7 +6567,7 @@ refresh_pattern . 0 20% 4320 # The squid developers working on translations are happy to supply drop-in # translated error files in exchange for any new language contributions. #Default: -# none +# Send error pages in the clients preferred language # TAG: error_default_language # Set the default language which squid will send error pages in @@ -4632,7 +6581,7 @@ refresh_pattern . 0 20% 4320 # translations for any language see the squid wiki for details. # http://wiki.squid-cache.org/Translations #Default: -# none +# Generate English language pages. # TAG: error_log_languages # Log to cache.log what languages users are attempting to @@ -4687,17 +6636,47 @@ refresh_pattern . 0 20% 4320 # the first authentication related acl encountered # - When none of the http_access lines matches. It's then the last # acl processed on the last http_access line. +# - When the decision to deny access was made by an adaptation service, +# the acl name is the corresponding eCAP or ICAP service_name. # # NP: If providing your own custom error pages with error_directory # you may also specify them by your custom file name: # Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys # -# Alternatively you can specify an error URL. The browsers will -# get redirected (302 or 307) to the specified URL. %s in the redirection -# URL will be replaced by the requested URL. +# By defaut Squid will send "403 Forbidden". A different 4xx or 5xx +# may be specified by prefixing the file name with the code and a colon. +# e.g. 404:ERR_CUSTOM_ACCESS_DENIED # # Alternatively you can tell Squid to reset the TCP connection # by specifying TCP_RESET. +# +# Or you can specify an error URL or URL pattern. The browsers will +# get redirected to the specified URL after formatting tags have +# been replaced. Redirect will be done with 302 or 307 according to +# HTTP/1.1 specs. A different 3xx code may be specified by prefixing +# the URL. e.g. 303:http://example.com/ +# +# URL FORMAT TAGS: +# %a - username (if available. Password NOT included) +# %B - FTP path URL +# %e - Error number +# %E - Error description +# %h - Squid hostname +# %H - Request domain name +# %i - Client IP Address +# %M - Request Method +# %o - Message result from external ACL helper +# %p - Request Port number +# %P - Request Protocol name +# %R - Request URL path +# %T - Timestamp in RFC 1123 format +# %U - Full canonical URL from client +# (HTTPS URLs terminate with *) +# %u - Full canonical URL from client +# %w - Admin email from squid.conf +# %x - Error name +# %% - Literal percent (%) code +# #Default: # none @@ -4706,18 +6685,18 @@ refresh_pattern . 0 20% 4320 # TAG: nonhierarchical_direct # By default, Squid will send any non-hierarchical requests -# (matching hierarchy_stoplist or not cacheable request type) direct -# to origin servers. +# (not cacheable request type) direct to origin servers. # -# If you set this to off, Squid will prefer to send these +# When this is set to "off", Squid will prefer to send these # requests to parents. # # Note that in most configurations, by turning this off you will only # add latency to these request without any improvement in global hit # ratio. # -# If you are inside an firewall see never_direct instead of -# this directive. +# This option only sets a preference. If the parent is unavailable a +# direct connection to the origin server may still be attempted. To +# completely prevent direct connections use never_direct. #Default: # nonhierarchical_direct on @@ -4736,6 +6715,29 @@ refresh_pattern . 0 20% 4320 #Default: # prefer_direct off +# TAG: cache_miss_revalidate on|off +# RFC 7232 defines a conditional request mechanism to prevent +# response objects being unnecessarily transferred over the network. +# If that mechanism is used by the client and a cache MISS occurs +# it can prevent new cache entries being created. +# +# This option determines whether Squid on cache MISS will pass the +# client revalidation request to the server or tries to fetch new +# content for caching. It can be useful while the cache is mostly +# empty to more quickly have the cache populated by generating +# non-conditional GETs. +# +# When set to 'on' (default), Squid will pass all client If-* headers +# to the server. This permits server responses without a cacheable +# payload to be delivered and on MISS no new cache entry is created. +# +# When set to 'off' and if the request is cacheable, Squid will +# remove the clients If-Modified-Since and If-None-Match headers from +# the request sent to the server. This requests a 200 status response +# from the server to create a new cache entry with. +#Default: +# cache_miss_revalidate on + # TAG: always_direct # Usage: always_direct allow|deny [!]aclname ... # @@ -4776,7 +6778,7 @@ refresh_pattern . 0 20% 4320 # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Prevent any cache_peer being used for this request. # TAG: never_direct # Usage: never_direct allow|deny [!]aclname ... @@ -4805,37 +6807,52 @@ refresh_pattern . 0 20% 4320 # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow DNS results to be used for this request. # ADVANCED NETWORKING OPTIONS # ----------------------------------------------------------------------------- -# TAG: incoming_icp_average +# TAG: incoming_udp_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: -# incoming_icp_average 6 +# incoming_udp_average 6 -# TAG: incoming_http_average +# TAG: incoming_tcp_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: -# incoming_http_average 4 +# incoming_tcp_average 4 # TAG: incoming_dns_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: # incoming_dns_average 4 -# TAG: min_icp_poll_cnt +# TAG: min_udp_poll_cnt +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: -# min_icp_poll_cnt 8 +# min_udp_poll_cnt 8 # TAG: min_dns_poll_cnt +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: # min_dns_poll_cnt 8 -# TAG: min_http_poll_cnt +# TAG: min_tcp_poll_cnt # Heavy voodoo here. I can't even believe you are reading this. # Are you crazy? Don't even think about adjusting these unless # you understand the algorithms in comm_select.c first! #Default: -# min_http_poll_cnt 8 +# min_tcp_poll_cnt 8 # TAG: accept_filter # FreeBSD: @@ -4880,14 +6897,14 @@ refresh_pattern . 0 20% 4320 # WARNING: This may noticably slow down traffic received via external proxies # or NAT devices and cause them to rebound error messages back to their clients. #Default: -# client_ip_max_connections -1 +# No limit. # TAG: tcp_recv_bufsize (bytes) # Size of receive buffer to set for TCP sockets. Probably just -# as easy to change your kernel's default. Set to zero to use -# the default buffer size. +# as easy to change your kernel's default. +# Omit from squid.conf to use the default buffer size. #Default: -# tcp_recv_bufsize 0 bytes +# Use operating system TCP defaults. # ICAP OPTIONS # ----------------------------------------------------------------------------- @@ -4913,22 +6930,36 @@ refresh_pattern . 0 20% 4320 # an established, active ICAP connection before giving up and # either terminating the HTTP transaction or bypassing the # failure. -# -# The default is read_timeout. #Default: -# none +# Use read_timeout. -# TAG: icap_service_failure_limit +# TAG: icap_service_failure_limit limit [in memory-depth time-units] # The limit specifies the number of failures that Squid tolerates # when establishing a new TCP connection with an ICAP service. If # the number of failures exceeds the limit, the ICAP service is # not used for new ICAP requests until it is time to refresh its -# OPTIONS. The per-service failure counter is reset to zero each -# time Squid fetches new service OPTIONS. +# OPTIONS. # # A negative value disables the limit. Without the limit, an ICAP # service will not be considered down due to connectivity failures # between ICAP OPTIONS requests. +# +# Squid forgets ICAP service failures older than the specified +# value of memory-depth. The memory fading algorithm +# is approximate because Squid does not remember individual +# errors but groups them instead, splitting the option +# value into ten time slots of equal length. +# +# When memory-depth is 0 and by default this option has no +# effect on service failure expiration. +# +# Squid always forgets failures when updating service settings +# using an ICAP OPTIONS transaction, regardless of this option +# setting. +# +# For example, +# # suspend service usage after 10 failures in 5 seconds: +# icap_service_failure_limit 10 in 5 seconds #Default: # icap_service_failure_limit 10 @@ -4962,10 +6993,26 @@ refresh_pattern . 0 20% 4320 # TAG: icap_preview_size # The default size of preview data to be sent to the ICAP server. -# -1 means no preview. This value might be overwritten on a per server -# basis by OPTIONS requests. +# This value might be overwritten on a per server basis by OPTIONS requests. +#Default: +# No preview sent. + +# TAG: icap_206_enable on|off +# 206 (Partial Content) responses is an ICAP extension that allows the +# ICAP agents to optionally combine adapted and original HTTP message +# content. The decision to combine is postponed until the end of the +# ICAP response. Squid supports Partial Content extension by default. +# +# Activation of the Partial Content extension is negotiated with each +# ICAP service during OPTIONS exchange. Most ICAP servers should handle +# negotation correctly even if they do not support the extension, but +# some might fail. To disable Partial Content support for all ICAP +# services and to avoid any negotiation, set this option to "off". +# +# Example: +# icap_206_enable off #Default: -# icap_preview_size -1 +# icap_206_enable on # TAG: icap_default_options_ttl # The default TTL value for ICAP OPTIONS responses that don't have @@ -4979,25 +7026,27 @@ refresh_pattern . 0 20% 4320 #Default: # icap_persistent_connections on -# TAG: icap_send_client_ip on|off +# TAG: adaptation_send_client_ip on|off # If enabled, Squid shares HTTP client IP information with adaptation # services. For ICAP, Squid adds the X-Client-IP header to ICAP requests. # For eCAP, Squid sets the libecap::metaClientIp transaction option. # # See also: adaptation_uses_indirect_client #Default: -# icap_send_client_ip off +# adaptation_send_client_ip off -# TAG: icap_send_client_username on|off +# TAG: adaptation_send_username on|off # This sends authenticated HTTP client username (if available) to -# the ICAP service. The username value is encoded based on the +# the adaptation service. +# +# For ICAP, the username value is encoded based on the # icap_client_username_encode option and is sent using the header # specified by the icap_client_username_header option. #Default: -# icap_send_client_username off +# adaptation_send_username off # TAG: icap_client_username_header -# ICAP request header name to use for send_client_username. +# ICAP request header name to use for adaptation_send_username. #Default: # icap_client_username_header X-Client-Username @@ -5009,17 +7058,19 @@ refresh_pattern . 0 20% 4320 # TAG: icap_service # Defines a single ICAP service using the following format: # -# icap_service service_name vectoring_point [options] service_url +# icap_service id vectoring_point uri [option ...] # -# service_name: ID -# an opaque identifier which must be unique in squid.conf +# id: ID +# an opaque identifier or name which is used to direct traffic to +# this specific service. Must be unique among all adaptation +# services in squid.conf. # # vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache # This specifies at which point of transaction processing the # ICAP service should be activated. *_postcache vectoring points # are not yet supported. # -# service_url: icap://servername:port/servicepath +# uri: icap://servername:port/servicepath # ICAP server and service location. # # ICAP does not allow a single service to handle both REQMOD and RESPMOD @@ -5028,6 +7079,8 @@ refresh_pattern . 0 20% 4320 # can even specify multiple identical services as long as their # service_names differ. # +# To activate a service, use the adaptation_access directive. To group +# services, use adaptation_service_chain and adaptation_service_set. # # Service options are separated by white space. ICAP services support # the following name=value options: @@ -5049,11 +7102,12 @@ refresh_pattern . 0 20% 4320 # returning a chain of services to be used next. The services # are specified using the X-Next-Services ICAP response header # value, formatted as a comma-separated list of service names. -# Each named service should be configured in squid.conf and -# should have the same method and vectoring point as the current -# ICAP transaction. Services violating these rules are ignored. -# An empty X-Next-Services value results in an empty plan which -# ends the current adaptation. +# Each named service should be configured in squid.conf. Other +# services are ignored. An empty X-Next-Services value results +# in an empty plan which ends the current adaptation. +# +# Dynamic adaptation plan may cross or cover multiple supported +# vectoring points in their natural processing order. # # Routing is not allowed by default: the ICAP X-Next-Services # response header is ignored. @@ -5063,12 +7117,32 @@ refresh_pattern . 0 20% 4320 # is to use IPv4-only connections. When set to 'on' this option will # make Squid use IPv6-only connections to contact this ICAP service. # +# on-overload=block|bypass|wait|force +# If the service Max-Connections limit has been reached, do +# one of the following for each new ICAP transaction: +# * block: send an HTTP error response to the client +# * bypass: ignore the "over-connected" ICAP service +# * wait: wait (in a FIFO queue) for an ICAP connection slot +# * force: proceed, ignoring the Max-Connections limit +# +# In SMP mode with N workers, each worker assumes the service +# connection limit is Max-Connections/N, even though not all +# workers may use a given service. +# +# The default value is "bypass" if service is bypassable, +# otherwise it is set to "wait". +# +# +# max-conn=number +# Use the given number as the Max-Connections limit, regardless +# of the Max-Connections value given by the service, if any. +# # Older icap_service format without optional named parameters is # deprecated but supported for backward compatibility. # #Example: -#icap_service svcBlocker reqmod_precache bypass=0 icap://icap1.mydomain.net:1344/reqmod -#icap_service svcLogger reqmod_precache routing=on icap://icap2.mydomain.net:1344/respmod +#icap_service svcBlocker reqmod_precache icap://icap1.mydomain.net:1344/reqmod bypass=0 +#icap_service svcLogger reqmod_precache icap://icap2.mydomain.net:1344/respmod routing=on #Default: # none @@ -5094,38 +7168,65 @@ refresh_pattern . 0 20% 4320 # ----------------------------------------------------------------------------- # TAG: ecap_enable on|off -# Note: This option is only available if Squid is rebuilt with the -# --enable-ecap option -# # Controls whether eCAP support is enabled. #Default: # ecap_enable off # TAG: ecap_service -# Note: This option is only available if Squid is rebuilt with the -# --enable-ecap option -# # Defines a single eCAP service # -# ecap_service servicename vectoring_point bypass service_url +# ecap_service id vectoring_point uri [option ...] # -# vectoring_point = reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache +# id: ID +# an opaque identifier or name which is used to direct traffic to +# this specific service. Must be unique among all adaptation +# services in squid.conf. +# +# vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache # This specifies at which point of transaction processing the # eCAP service should be activated. *_postcache vectoring points # are not yet supported. -# bypass = 1|0 -# If set to 1, the eCAP service is treated as optional. If the -# service cannot be reached or malfunctions, Squid will try to -# ignore any errors and process the message as if the service +# +# uri: ecap://vendor/service_name?custom&cgi=style¶meters=optional +# Squid uses the eCAP service URI to match this configuration +# line with one of the dynamically loaded services. Each loaded +# eCAP service must have a unique URI. Obtain the right URI from +# the service provider. +# +# To activate a service, use the adaptation_access directive. To group +# services, use adaptation_service_chain and adaptation_service_set. +# +# Service options are separated by white space. eCAP services support +# the following name=value options: +# +# bypass=on|off|1|0 +# If set to 'on' or '1', the eCAP service is treated as optional. +# If the service cannot be reached or malfunctions, Squid will try +# to ignore any errors and process the message as if the service # was not enabled. No all eCAP errors can be bypassed. -# If set to 0, the eCAP service is treated as essential and all -# eCAP errors will result in an error page returned to the +# If set to 'off' or '0', the eCAP service is treated as essential +# and all eCAP errors will result in an error page returned to the # HTTP client. -# service_url = ecap://vendor/service_name?custom&cgi=style¶meters=optional +# +# Bypass is off by default: services are treated as essential. +# +# routing=on|off|1|0 +# If set to 'on' or '1', the eCAP service is allowed to +# dynamically change the current message adaptation plan by +# returning a chain of services to be used next. +# +# Dynamic adaptation plan may cross or cover multiple supported +# vectoring points in their natural processing order. +# +# Routing is not allowed by default. +# +# Older ecap_service format without optional named parameters is +# deprecated but supported for backward compatibility. +# # #Example: -#ecap_service service_1 reqmod_precache 0 ecap://filters-R-us/leakDetector?on_error=block -#ecap_service service_2 respmod_precache 1 icap://filters-R-us/virusFilter?config=/etc/vf.cfg +#ecap_service s1 reqmod_precache ecap://filters.R.us/leakDetector?on_error=block bypass=off +#ecap_service s2 respmod_precache ecap://filters.R.us/virusFilter config=/etc/vf.cfg bypass=on #Default: # none @@ -5247,7 +7348,7 @@ refresh_pattern . 0 20% 4320 #Example: #adaptation_access service_1 allow all #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: adaptation_service_iteration_limit # Limits the number of iterations allowed when applying adaptation @@ -5275,8 +7376,14 @@ refresh_pattern . 0 20% 4320 # # An ICAP REQMOD or RESPMOD transaction may set an entry in the # shared table by returning an ICAP header field with a name -# specified in adaptation_masterx_shared_names. Squid will store -# and forward that ICAP header field to subsequent ICAP +# specified in adaptation_masterx_shared_names. +# +# An eCAP REQMOD or RESPMOD transaction may set an entry in the +# shared table by implementing the libecap::visitEachOption() API +# to provide an option with a name specified in +# adaptation_masterx_shared_names. +# +# Squid will store and forward the set entry to subsequent adaptation # transactions within the same master transaction scope. # # Only one shared entry name is supported at this time. @@ -5287,6 +7394,43 @@ refresh_pattern . 0 20% 4320 #Default: # none +# TAG: adaptation_meta +# This option allows Squid administrator to add custom ICAP request +# headers or eCAP options to Squid ICAP requests or eCAP transactions. +# Use it to pass custom authentication tokens and other +# transaction-state related meta information to an ICAP/eCAP service. +# +# The addition of a meta header is ACL-driven: +# adaptation_meta name value [!]aclname ... +# +# Processing for a given header name stops after the first ACL list match. +# Thus, it is impossible to add two headers with the same name. If no ACL +# lists match for a given header name, no such header is added. For +# example: +# +# # do not debug transactions except for those that need debugging +# adaptation_meta X-Debug 1 needs_debugging +# +# # log all transactions except for those that must remain secret +# adaptation_meta X-Log 1 !keep_secret +# +# # mark transactions from users in the "G 1" group +# adaptation_meta X-Authenticated-Groups "G 1" authed_as_G1 +# +# The "value" parameter may be a regular squid.conf token or a "double +# quoted string". Within the quoted string, use backslash (\) to escape +# any character, which is currently only useful for escaping backslashes +# and double quotes. For example, +# "this string has one backslash (\\) and two \"quotes\"" +# +# Used adaptation_meta header values may be logged via %note +# logformat code. If multiple adaptation_meta headers with the same name +# are used during master transaction lifetime, the header values are +# logged in the order they were used and duplicate values are ignored +# (only the first repeated value will be logged). +#Default: +# none + # TAG: icap_retry # This ACL determines which retriable ICAP transactions are # retried. Transactions that received a complete ICAP response @@ -5303,8 +7447,7 @@ refresh_pattern . 0 20% 4320 # icap_retry deny all # TAG: icap_retry_limit -# Limits the number of retries allowed. When set to zero (default), -# no retries are allowed. +# Limits the number of retries allowed. # # Communication errors due to persistent connection race # conditions are unavoidable, automatically retried, and do not @@ -5312,7 +7455,7 @@ refresh_pattern . 0 20% 4320 # # See also: icap_retry #Default: -# icap_retry_limit 0 +# No retries are allowed. # DNS OPTIONS # ----------------------------------------------------------------------------- @@ -5332,31 +7475,9 @@ refresh_pattern . 0 20% 4320 #Default: # allow_underscore on -# TAG: cache_dns_program -# Note: This option is only available if Squid is rebuilt with the -# --disable-internal-dns option -# -# Specify the location of the executable for dnslookup process. -#Default: -# cache_dns_program /usr/lib/squid/dnsserver - -# TAG: dns_children -# Note: This option is only available if Squid is rebuilt with the -# --disable-internal-dns option -# -# The number of processes spawn to service DNS name lookups. -# For heavily loaded caches on large servers, you should -# probably increase this value to at least 10. The maximum -# is 32. The default is 5. -# -# You must have at least one dnsserver process. -#Default: -# dns_children 5 - # TAG: dns_retransmit_interval # Initial retransmit interval for DNS queries. The interval is # doubled each time all configured DNS servers have been tried. -# #Default: # dns_retransmit_interval 5 seconds @@ -5365,7 +7486,31 @@ refresh_pattern . 0 20% 4320 # within this time all DNS servers for the queried domain # are assumed to be unavailable. #Default: -# dns_timeout 2 minutes +# dns_timeout 30 seconds + +# TAG: dns_packet_max +# Maximum number of bytes packet size to advertise via EDNS. +# Set to "none" to disable EDNS large packet support. +# +# For legacy reasons DNS UDP replies will default to 512 bytes which +# is too small for many responses. EDNS provides a means for Squid to +# negotiate receiving larger responses back immediately without having +# to failover with repeat requests. Responses larger than this limit +# will retain the old behaviour of failover to TCP DNS. +# +# Squid has no real fixed limit internally, but allowing packet sizes +# over 1500 bytes requires network jumbogram support and is usually not +# necessary. +# +# WARNING: The RFC also indicates that some older resolvers will reply +# with failure of the whole request if the extension is added. Some +# resolvers have already been identified which will reply with mangled +# EDNS response on occasion. Usually in response to many-KB jumbogram +# sizes being advertised by Squid. +# Squid will currently treat these both as an unable-to-resolve domain +# even if it would be resolvable without EDNS. +#Default: +# EDNS disabled # TAG: dns_defnames on|off # Normally the RES_DEFNAMES resolver option is disabled @@ -5373,12 +7518,21 @@ refresh_pattern . 0 20% 4320 # from interpreting single-component hostnames locally. To allow # Squid to handle single-component names, enable this option. #Default: -# dns_defnames off +# Search for single-label domain names is disabled. + +# TAG: dns_multicast_local on|off +# When set to on, Squid sends multicast DNS lookups on the local +# network for domains ending in .local and .arpa. +# This enables local servers and devices to be contacted in an +# ad-hoc or zero-configuration network environment. +#Default: +# Search for .local and .arpa names is disabled. # TAG: dns_nameservers # Use this if you want to specify a list of DNS name servers # (IP addresses) to use instead of those given in your # /etc/resolv.conf file. +# # On Windows platforms, if no value is specified here or in # the /etc/resolv.conf file, the list of DNS name servers are # taken from the Windows registry, both static and dynamic DHCP @@ -5386,7 +7540,7 @@ refresh_pattern . 0 20% 4320 # # Example: dns_nameservers 10.0.0.1 192.172.0.4 #Default: -# none +# Use operating system definitions # TAG: hosts_file # Location of the host-local IP name-address associations @@ -5425,7 +7579,7 @@ refresh_pattern . 0 20% 4320 #Example: # append_domain .yourdomain.com #Default: -# none +# Use operating system definitions # TAG: ignore_unknown_nameservers # By default Squid checks that DNS responses are received @@ -5436,23 +7590,6 @@ refresh_pattern . 0 20% 4320 #Default: # ignore_unknown_nameservers on -# TAG: dns_v4_fallback -# Standard practice with DNS is to lookup either A or AAAA records -# and use the results if it succeeds. Only looking up the other if -# the first attempt fails or otherwise produces no results. -# -# That policy however will cause squid to produce error pages for some -# servers that advertise AAAA but are unreachable over IPv6. -# -# If this is ON squid will always lookup both AAAA and A, using both. -# If this is OFF squid will lookup AAAA and only try A if none found. -# -# WARNING: There are some possibly unwanted side-effects with this on: -# *) Doubles the load placed by squid on the DNS network. -# *) May negatively impact connection delay times. -#Default: -# dns_v4_fallback on - # TAG: dns_v4_first # With the IPv6 Internet being as fast or faster than IPv4 Internet # for most networks Squid prefers to contact websites over IPv6. @@ -5464,11 +7601,12 @@ refresh_pattern . 0 20% 4320 # WARNING: # This option will restrict the situations under which IPv6 # connectivity is used (and tested), potentially hiding network -# problem swhich would otherwise be detected and warned about. +# problems which would otherwise be detected and warned about. #Default: # dns_v4_first off # TAG: ipcache_size (number of entries) +# Maximum number of DNS IP cache entries. #Default: # ipcache_size 1024 @@ -5489,6 +7627,15 @@ refresh_pattern . 0 20% 4320 # MISCELLANEOUS # ----------------------------------------------------------------------------- +# TAG: configuration_includes_quoted_values on|off +# If set, Squid will recognize each "quoted string" after a configuration +# directive as a single parameter. The quotes are stripped before the +# parameter value is interpreted or used. +# See "Values with spaces, quotes, and other special characters" +# section for more details. +#Default: +# configuration_includes_quoted_values off + # TAG: memory_pools on|off # If set, Squid will keep pools of allocated (but unused) memory # available for future use. If memory is a premium on your @@ -5539,7 +7686,7 @@ refresh_pattern . 0 20% 4320 # X-Forwarded-For header. # # If set to "truncate", Squid will remove all existing -# X-Forwarded-For entries, and place itself as the sole entry. +# X-Forwarded-For entries, and place the client IP as the sole entry. #Default: # forwarded_for on @@ -5602,7 +7749,7 @@ refresh_pattern . 0 20% 4320 # cachemgr_passwd lesssssssecret info stats/objects # cachemgr_passwd disable all #Default: -# none +# No password. Actions which require password are denied. # TAG: client_db on|off # If you want to disable collecting per-client statistics, @@ -5633,19 +7780,22 @@ refresh_pattern . 0 20% 4320 #Default: # reload_into_ims off -# TAG: maximum_single_addr_tries -# This sets the maximum number of connection attempts for a -# host that only has one address (for multiple-address hosts, -# each address is tried once). +# TAG: connect_retries +# This sets the maximum number of connection attempts made for each +# TCP connection. The connect_retries attempts must all still +# complete within the connection timeout period. +# +# The default is not to re-try if the first connection attempt fails. +# The (not recommended) maximum is 10 tries. # -# The default value is one attempt, the (not recommended) -# maximum is 255 tries. A warning message will be generated -# if it is set to a value greater than ten. +# A warning message will be generated if it is set to a too-high +# value and the configured value will be over-ridden. # -# Note: This is in addition to the request re-forwarding which -# takes place if Squid fails to get a satisfying response. +# Note: These re-tries are in addition to forward_max_tries +# which limit how many different addresses may be tried to find +# a useful server. #Default: -# maximum_single_addr_tries 1 +# Do not retry failed connections. # TAG: retry_on_error # If set to ON Squid will automatically retry requests when @@ -5678,20 +7828,32 @@ refresh_pattern . 0 20% 4320 # URI. Options: # # strip: The whitespace characters are stripped out of the URL. -# This is the behavior recommended by RFC2396. +# This is the behavior recommended by RFC2396 and RFC3986 +# for tolerant handling of generic URI. +# NOTE: This is one difference between generic URI and HTTP URLs. +# # deny: The request is denied. The user receives an "Invalid # Request" message. +# This is the behaviour recommended by RFC2616 for safe +# handling of HTTP request URL. +# # allow: The request is allowed and the URI is not changed. The # whitespace characters remain in the URI. Note the # whitespace is passed to redirector processes if they # are in use. +# Note this may be considered a violation of RFC2616 +# request parsing where whitespace is prohibited in the +# URL field. +# # encode: The request is allowed and the whitespace characters are -# encoded according to RFC1738. This could be considered -# a violation of the HTTP/1.1 -# RFC because proxies are not allowed to rewrite URI's. +# encoded according to RFC1738. +# # chop: The request is allowed and the URI is chopped at the -# first whitespace. This might also be considered a -# violation. +# first whitespace. +# +# +# NOTE the current Squid implementation of encode and chop violates +# RFC2616 by not using a 301 redirect after altering the URL. #Default: # uri_whitespace strip @@ -5718,23 +7880,28 @@ refresh_pattern . 0 20% 4320 # balance_on_multiple_ip off # TAG: pipeline_prefetch -# To boost the performance of pipelined requests to closer -# match that of a non-proxied environment Squid can try to fetch -# up to two requests in parallel from a pipeline. -# -# Defaults to off for bandwidth management and access logging +# HTTP clients may send a pipeline of 1+N requests to Squid using a +# single connection, without waiting for Squid to respond to the first +# of those requests. This option limits the number of concurrent +# requests Squid will try to handle in parallel. If set to N, Squid +# will try to receive and process up to 1+N requests on the same +# connection concurrently. +# +# Defaults to 0 (off) for bandwidth management and access logging # reasons. # +# NOTE: pipelining requires persistent connections to clients. +# # WARNING: pipelining breaks NTLM and Negotiate/Kerberos authentication. #Default: -# pipeline_prefetch off +# Do not pre-parse pipelined requests. # TAG: high_response_time_warning (msec) # If the one-minute median response time exceeds this value, # Squid prints a WARNING with debug level 0 to get the # administrators attention. The value is in milliseconds. #Default: -# high_response_time_warning 0 +# disabled. # TAG: high_page_fault_warning # If the one-minute average page fault rate exceeds this @@ -5742,14 +7909,17 @@ refresh_pattern . 0 20% 4320 # the administrators attention. The value is in page faults # per second. #Default: -# high_page_fault_warning 0 +# disabled. # TAG: high_memory_warning -# If the memory usage (as determined by mallinfo) exceeds -# this amount, Squid prints a WARNING with debug level 0 to get +# Note: This option is only available if Squid is rebuilt with the +# GNU Malloc with mstats() +# +# If the memory usage (as determined by gnumalloc, if available and used) +# exceeds this amount, Squid prints a WARNING with debug level 0 to get # the administrators attention. #Default: -# high_memory_warning 0 KB +# disabled. # TAG: sleep_after_fork (microseconds) # When this is set to a non-zero value, the main Squid process @@ -5766,6 +7936,9 @@ refresh_pattern . 0 20% 4320 # sleep_after_fork 0 # TAG: windows_ipaddrchangemonitor on|off +# Note: This option is only available if Squid is rebuilt with the +# MS Windows +# # On Windows Squid by default will monitor IP address changes and will # reconfigure itself after any detected event. This is very useful for # proxies connected to internet with dial-up interfaces. @@ -5775,13 +7948,19 @@ refresh_pattern . 0 20% 4320 #Default: # windows_ipaddrchangemonitor on +# TAG: eui_lookup +# Whether to lookup the EUI or MAC address of a connected client. +#Default: +# eui_lookup on + # TAG: max_filedescriptors -# The maximum number of filedescriptors supported. +# Reduce the maximum number of filedescriptors supported below +# the usual operating system defaults. # -# The default "0" means Squid inherits the current ulimit setting. +# Remove from squid.conf to inherit the current ulimit setting. # # Note: Changing this requires a restart of Squid. Also -# not all comm loops supports large values. +# not all I/O types supports large values (eg on Windows). #Default: -# max_filedescriptors 0 +# Use operating system limits set by ulimit. diff --git a/hosts/codethink-sled14-arm64/etc/squid/squid.conf b/hosts/codethink-sled14-arm64/etc/squid/squid.conf index 34be0ec5..ad1cdc47 100644 --- a/hosts/codethink-sled14-arm64/etc/squid/squid.conf +++ b/hosts/codethink-sled14-arm64/etc/squid/squid.conf @@ -1,4 +1,4 @@ -# WELCOME TO SQUID 3.1.20 +# WELCOME TO SQUID 3.5.23 # ---------------------------- # # This is the documentation for the Squid configuration file. @@ -32,6 +32,188 @@ # This arbitrary restriction is to prevent recursive include references # from causing Squid entering an infinite loop whilst trying to load # configuration files. +# +# Values with byte units +# +# Squid accepts size units on some size related directives. All +# such directives are documented with a default value displaying +# a unit. +# +# Units accepted by Squid are: +# bytes - byte +# KB - Kilobyte (1024 bytes) +# MB - Megabyte +# GB - Gigabyte +# +# Values with spaces, quotes, and other special characters +# +# Squid supports directive parameters with spaces, quotes, and other +# special characters. Surround such parameters with "double quotes". Use +# the configuration_includes_quoted_values directive to enable or +# disable that support. +# +# Squid supports reading configuration option parameters from external +# files using the syntax: +# parameters("/path/filename") +# For example: +# acl whitelist dstdomain parameters("/etc/squid/whitelist.txt") +# +# Conditional configuration +# +# If-statements can be used to make configuration directives +# depend on conditions: +# +# if +# ... regular configuration directives ... +# [else +# ... regular configuration directives ...] +# endif +# +# The else part is optional. The keywords "if", "else", and "endif" +# must be typed on their own lines, as if they were regular +# configuration directives. +# +# NOTE: An else-if condition is not supported. +# +# These individual conditions types are supported: +# +# true +# Always evaluates to true. +# false +# Always evaluates to false. +# = +# Equality comparison of two integer numbers. +# +# +# SMP-Related Macros +# +# The following SMP-related preprocessor macros can be used. +# +# ${process_name} expands to the current Squid process "name" +# (e.g., squid1, squid2, or cache1). +# +# ${process_number} expands to the current Squid process +# identifier, which is an integer number (e.g., 1, 2, 3) unique +# across all Squid processes of the current service instance. +# +# ${service_name} expands into the current Squid service instance +# name identifier which is provided by -n on the command line. +# + +# TAG: broken_vary_encoding +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: cache_vary +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: error_map +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: external_refresh_check +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: location_rewrite_program +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: refresh_stale_hit +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: hierarchy_stoplist +# Remove this line. Use always_direct or cache_peer_access ACLs instead if you need to prevent cache_peer use. +#Default: +# none + +# TAG: log_access +# Remove this line. Use acls with access_log directives to control access logging +#Default: +# none + +# TAG: log_icap +# Remove this line. Use acls with icap_log directives to control icap logging +#Default: +# none + +# TAG: ignore_ims_on_miss +# Remove this line. The HTTP/1.1 feature is now configured by 'cache_miss_revalidate'. +#Default: +# none + +# TAG: chunked_request_body_max_size +# Remove this line. Squid is now HTTP/1.1 compliant. +#Default: +# none + +# TAG: dns_v4_fallback +# Remove this line. Squid performs a 'Happy Eyeballs' algorithm, the 'fallback' algorithm is no longer relevant. +#Default: +# none + +# TAG: emulate_httpd_log +# Replace this with an access_log directive using the format 'common' or 'combined'. +#Default: +# none + +# TAG: forward_log +# Use a regular access.log with ACL limiting it to MISS events. +#Default: +# none + +# TAG: ftp_list_width +# Remove this line. Configure FTP page display using the CSS controls in errorpages.css instead. +#Default: +# none + +# TAG: ignore_expect_100 +# Remove this line. The HTTP/1.1 feature is now fully supported by default. +#Default: +# none + +# TAG: log_fqdn +# Remove this option from your config. To log FQDN use %>A in the log format. +#Default: +# none + +# TAG: log_ip_on_direct +# Remove this option from your config. To log server or peer names use % -##auth_param negotiate children 5 +##auth_param negotiate children 20 startup=0 idle=1 ##auth_param negotiate keep_alive on ## -##auth_param ntlm program -##auth_param ntlm children 5 -##auth_param ntlm keep_alive on -## -##auth_param digest program -##auth_param digest children 5 +##auth_param digest program +##auth_param digest children 20 startup=0 idle=1 ##auth_param digest realm Squid proxy-caching web server ##auth_param digest nonce_garbage_interval 5 minutes ##auth_param digest nonce_max_duration 30 minutes ##auth_param digest nonce_max_count 50 ## +##auth_param ntlm program +##auth_param ntlm children 20 startup=0 idle=1 +##auth_param ntlm keep_alive on +## ##auth_param basic program -##auth_param basic children 5 +##auth_param basic children 5 startup=5 idle=1 ##auth_param basic realm Squid proxy-caching web server ##auth_param basic credentialsttl 2 hours #Default: @@ -343,7 +448,7 @@ # TAG: authenticate_cache_garbage_interval # The time period between garbage collection across the username cache. -# This is a tradeoff between memory utilization (long intervals - say +# This is a trade-off between memory utilization (long intervals - say # 2 days) and CPU (short intervals - say 1 minute). Only change if you # have good reason to. #Default: @@ -362,11 +467,11 @@ # this directive controls how long Squid remembers the IP # addresses associated with each user. Use a small value # (e.g., 60 seconds) if your users might change addresses -# quickly, as is the case with dialups. You might be safe +# quickly, as is the case with dialup. You might be safe # using a larger value (e.g., 2 hours) in a corporate LAN # environment with relatively static address assignments. #Default: -# authenticate_ip_ttl 0 seconds +# authenticate_ip_ttl 1 second # ACCESS CONTROLS # ----------------------------------------------------------------------------- @@ -381,31 +486,66 @@ # # ttl=n TTL in seconds for cached results (defaults to 3600 # for 1 hour) +# # negative_ttl=n # TTL for cached negative lookups (default same # as ttl) -# children=n Number of acl helper processes spawn to service +# +# grace=n Percentage remaining of TTL where a refresh of a +# cached entry should be initiated without needing to +# wait for a new reply. (default is for no grace period) +# +# cache=n The maximum number of entries in the result cache. The +# default limit is 262144 entries. Each cache entry usually +# consumes at least 256 bytes. Squid currently does not remove +# expired cache entries until the limit is reached, so a proxy +# will sooner or later reach the limit. The expanded FORMAT +# value is used as the cache key, so if the details in FORMAT +# are highly variable, a larger cache may be needed to produce +# reduction in helper load. +# +# children-max=n +# Maximum number of acl helper processes spawned to service # external acl lookups of this type. (default 5) +# +# children-startup=n +# Minimum number of acl helper processes to spawn during +# startup and reconfigure to service external acl lookups +# of this type. (default 0) +# +# children-idle=n +# Number of acl helper processes to keep ahead of traffic +# loads. Squid will spawn this many at once whenever load +# rises above the capabilities of existing processes. +# Up to the value of children-max. (default 1) +# # concurrency=n concurrency level per process. Only used with helpers # capable of processing more than one query at a time. -# cache=n result cache size, 0 is unbounded (default) -# grace=n Percentage remaining of TTL where a refresh of a -# cached entry should be initiated without needing to -# wait for a new reply. (default 0 for no grace period) -# protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers +# +# protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers. +# # ipv4 / ipv6 IP protocol used to communicate with this helper. # The default is to auto-detect IPv6 and use it when available. # +# # FORMAT specifications # # %LOGIN Authenticated user login name -# %EXT_USER Username from external acl +# %un A user name. Expands to the first available name +# from the following list of information sources: +# - authenticated user name, like %ul or %LOGIN +# - user name sent by an external ACL, like %EXT_USER +# - SSL client name, like %us in logformat +# - ident user name, like %ui in logformat +# %EXT_USER Username from previous external acl +# %EXT_LOG Log details from previous external acl +# %EXT_TAG Tag from previous external acl # %IDENT Ident user name # %SRC Client IP # %SRCPORT Client source port # %URI Requested URI # %DST Requested host -# %PROTO Requested protocol +# %PROTO Requested URL scheme # %PORT Requested port # %PATH Requested URL path # %METHOD Request method @@ -415,7 +555,10 @@ # %USER_CERT SSL User certificate in PEM format # %USER_CERTCHAIN SSL User certificate chain in PEM format # %USER_CERT_xx SSL User certificate subject attribute xx -# %USER_CA_xx SSL User certificate issuer attribute xx +# %USER_CA_CERT_xx SSL User certificate issuer attribute xx +# %ssl::>sni SSL client SNI sent to Squid +# %ssl::{Header} HTTP request header "Header" # %>{Hdr:member} @@ -433,43 +576,101 @@ # list separator. ; can be any non-alphanumeric # character. # +# %ACL The name of the ACL being tested. +# %DATA The ACL arguments. If not used then any arguments +# is automatically added at the end of the line +# sent to the helper. +# NOTE: this will encode the arguments as one token, +# whereas the default will pass each separately. +# # %% The percent sign. Useful for helpers which need # an unchanging input format. # -# In addition to the above, any string specified in the referencing -# acl will also be included in the helper request line, after the -# specified formats (see the "acl external" directive) # -# The helper receives lines per the above format specification, -# and returns lines starting with OK or ERR indicating the validity -# of the request and optionally followed by additional keywords with -# more details. +# General request syntax: +# +# [channel-ID] FORMAT-values [acl-values ...] +# +# +# FORMAT-values consists of transaction details expanded with +# whitespace separation per the config file FORMAT specification +# using the FORMAT macros listed above. +# +# acl-values consists of any string specified in the referencing +# config 'acl ... external' line. see the "acl external" directive. +# +# Request values sent to the helper are URL escaped to protect +# each value in requests against whitespaces. +# +# If using protocol=2.5 then the request sent to the helper is not +# URL escaped to protect against whitespace. +# +# NOTE: protocol=3.0 is deprecated as no longer necessary. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# +# The helper receives lines expanded per the above format specification +# and for each input line returns 1 line starting with OK/ERR/BH result +# code and optionally followed by additional keywords with more details. +# # # General result syntax: # -# OK/ERR keyword=value ... +# [channel-ID] result keyword=value ... +# +# Result consists of one of the codes: +# +# OK +# the ACL test produced a match. +# +# ERR +# the ACL test does not produce a match. +# +# BH +# An internal error occurred in the helper, preventing +# a result being identified. +# +# The meaning of 'a match' is determined by your squid.conf +# access control configuration. See the Squid wiki for details. # # Defined keywords: # # user= The users name (login) +# # password= The users password (for login= cache_peer option) -# message= Message describing the reason. Available as %o -# in error pages -# tag= Apply a tag to a request (for both ERR and OK results) -# Only sets a tag, does not alter existing tags. +# +# message= Message describing the reason for this response. +# Available as %o in error pages. +# Useful on (ERR and BH results). +# +# tag= Apply a tag to a request. Only sets a tag once, +# does not alter existing tags. +# # log= String to be logged in access.log. Available as -# %ea in logformat specifications +# %ea in logformat specifications. # -# If protocol=3.0 (the default) then URL escaping is used to protect -# each value in both requests and responses. +# clt_conn_tag= Associates a TAG with the client TCP connection. +# Please see url_rewrite_program related documentation +# for this kv-pair. # -# If using protocol=2.5 then all values need to be enclosed in quotes -# if they may contain whitespace, or the whitespace escaped using \. -# And quotes or \ characters within the keyword value must be \ escaped. +# Any keywords may be sent on any response whether OK, ERR or BH. # -# When using the concurrency= option the protocol is changed by -# introducing a query channel tag infront of the request/response. -# The query channel tag is a number between 0 and concurrency-1. +# All response keyword values need to be a single token with URL +# escaping, or enclosed in double quotes (") and escaped using \ on +# any double quotes or \ characters within the value. The wrapping +# double quotes are removed before the value is interpreted by Squid. +# \r and \n are also replace by CR and LF. +# +# Some example key values: +# +# user=John%20Smith +# user="John Smith" +# user="J. \"Bob\" Smith" #Default: # none @@ -485,9 +686,23 @@ # # When using "file", the file should contain one item per line. # -# By default, regular expressions are CASE-SENSITIVE. -# To make them case-insensitive, use the -i option. To return case-sensitive -# use the +i option between patterns, or make a new ACL line without -i. +# Some acl types supports options which changes their default behaviour. +# The available options are: +# +# -i,+i By default, regular expressions are CASE-SENSITIVE. To make them +# case-insensitive, use the -i option. To return case-sensitive +# use the +i option between patterns, or make a new ACL line +# without -i. +# +# -n Disable lookups and address type conversions. If lookup or +# conversion is required because the parameter type (IP or +# domain name) does not match the message address type (domain +# name or IP), then the ACL would immediately declare a mismatch +# without any warnings or lookups. +# +# -- Used to stop processing all options, in the case the first acl +# value has '-' character as first character (for example the '-' +# is a valid domain name) # # Some acl types require suspending the current request in order # to access some external data source. @@ -498,29 +713,31 @@ # # ***** ACL TYPES AVAILABLE ***** # -# acl aclname src ip-address/netmask ... # clients IP address [fast] -# acl aclname src addr1-addr2/netmask ... # range of addresses [fast] -# acl aclname dst ip-address/netmask ... # URL host's IP address [slow] -# acl aclname myip ip-address/netmask ... # local socket IP address [fast] +# acl aclname src ip-address/mask ... # clients IP address [fast] +# acl aclname src addr1-addr2/mask ... # range of addresses [fast] +# acl aclname dst [-n] ip-address/mask ... # URL host's IP address [slow] +# acl aclname localip ip-address/mask ... # IP address the client connected to [fast] # # acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation) -# # The arp ACL requires the special configure option --enable-arp-acl. -# # Furthermore, the ARP ACL code is not portable to all operating systems. -# # It works on Linux, Solaris, Windows, FreeBSD, and some -# # other *BSD variants. # # [fast] +# # The 'arp' ACL code is not portable to all operating systems. +# # It works on Linux, Solaris, Windows, FreeBSD, and some other +# # BSD variants. +# # +# # NOTE: Squid can only determine the MAC/EUI address for IPv4 +# # clients that are on the same subnet. If the client is on a +# # different subnet, then Squid cannot find out its address. # # -# # NOTE: Squid can only determine the MAC address for clients that are on -# # the same subnet. If the client is on a different subnet, -# # then Squid cannot find out its MAC address. +# # NOTE 2: IPv6 protocol does not contain ARP. MAC/EUI is either +# # encoded directly in the IPv6 address or not available. # # acl aclname srcdomain .foo.com ... # # reverse lookup, from client IP [slow] -# acl aclname dstdomain .foo.com ... +# acl aclname dstdomain [-n] .foo.com ... # # Destination server from URL [fast] # acl aclname srcdom_regex [-i] \.foo\.com ... # # regex matching client name [slow] -# acl aclname dstdom_regex [-i] \.foo\.com ... +# acl aclname dstdom_regex [-n] [-i] \.foo\.com ... # # regex matching server [fast] # # # # For dstdomain and dstdom_regex a reverse lookup is tried if a IP @@ -557,13 +774,17 @@ # # acl aclname url_regex [-i] ^http:// ... # # regex matching on whole URL [fast] +# acl aclname urllogin [-i] [^a-zA-Z0-9] ... +# # regex matching on URL login field # acl aclname urlpath_regex [-i] \.gif$ ... # # regex matching on URL path [fast] # # acl aclname port 80 70 21 0-1024... # destination TCP port [fast] # # ranges are alloed -# acl aclname myport 3128 ... # local socket TCP port [fast] -# acl aclname myportname 3128 ... # http(s)_port name [fast] +# acl aclname localport 3128 ... # TCP port the client connected to [fast] +# # NP: for interception mode this is usually '80' +# +# acl aclname myportname 3128 ... # *_port name [fast] # # acl aclname proto HTTP FTP ... # request protocol [fast] # @@ -632,6 +853,11 @@ # # clients may appear to come from multiple addresses if they are # # going through proxy farms, so a limit of 1 may cause user problems. # +# acl aclname random probability +# # Pseudo-randomly match requests. Based on the probability given. +# # Probability may be written as a decimal (0.333), fraction (1/3) +# # or ratio of matches:non-matches (3:5). +# # acl aclname req_mime_type [-i] mime-type ... # # regex match against the mime type of the request generated # # by the client. Can be used to detect file upload or some @@ -663,11 +889,11 @@ # # acl aclname user_cert attribute values... # # match against attributes in a user SSL certificate -# # attribute is one of DN/C/O/CN/L/ST [fast] +# # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast] # # acl aclname ca_cert attribute values... # # match against attributes a users issuing CA SSL certificate -# # attribute is one of DN/C/O/CN/L/ST [fast] +# # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast] # # acl aclname ext_user username ... # acl aclname ext_user_regex [-i] pattern ... @@ -675,7 +901,59 @@ # # use REQUIRED to accept any non-null user name. # # acl aclname tag tagvalue ... -# # string match on tag returned by external acl helper [slow] +# # string match on tag returned by external acl helper [fast] +# # DEPRECATED. Only the first tag will match with this ACL. +# # Use the 'note' ACL instead for handling multiple tag values. +# +# acl aclname hier_code codename ... +# # string match against squid hierarchy code(s); [fast] +# # e.g., DIRECT, PARENT_HIT, NONE, etc. +# # +# # NOTE: This has no effect in http_access rules. It only has +# # effect in rules that affect the reply data stream such as +# # http_reply_access. +# +# acl aclname note name [value ...] +# # match transaction annotation [fast] +# # Without values, matches any annotation with a given name. +# # With value(s), matches any annotation with a given name that +# # also has one of the given values. +# # Names and values are compared using a string equality test. +# # Annotation sources include note and adaptation_meta directives +# # as well as helper and eCAP responses. +# +# acl aclname adaptation_service service ... +# # Matches the name of any icap_service, ecap_service, +# # adaptation_service_set, or adaptation_service_chain that Squid +# # has used (or attempted to use) for the master transaction. +# # This ACL must be defined after the corresponding adaptation +# # service is named in squid.conf. This ACL is usable with +# # adaptation_meta because it starts matching immediately after +# # the service has been selected for adaptation. +# +# acl aclname any-of acl1 acl2 ... +# # match any one of the acls [fast or slow] +# # The first matching ACL stops further ACL evaluation. +# # +# # ACLs from multiple any-of lines with the same name are ORed. +# # For example, A = (a1 or a2) or (a3 or a4) can be written as +# # acl A any-of a1 a2 +# # acl A any-of a3 a4 +# # +# # This group ACL is fast if all evaluated ACLs in the group are fast +# # and slow otherwise. +# +# acl aclname all-of acl1 acl2 ... +# # match all of the acls [fast or slow] +# # The first mismatching ACL stops further ACL evaluation. +# # +# # ACLs from multiple all-of lines with the same name are ORed. +# # For example, B = (b1 and b2) or (b3 and b4) can be written as +# # acl B all-of b1 b2 +# # acl B all-of b3 b4 +# # +# # This group ACL is fast if all evaluated ACLs in the group are fast +# # and slow otherwise. # # Examples: # acl macaddress arp 09:00:2b:23:45:67 @@ -685,14 +963,11 @@ # acl javascript rep_mime_type -i ^application/x-javascript$ # #Default: -# acl all src all +# ACLs all, manager, localhost, and to_localhost are predefined. # # # Recommended minimum configuration: -# (now built-in) -#acl manager proto cache_object -#acl localhost src 127.0.0.1/32 ::1 -#acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1 +# # Example rule allowing access from your local networks. # Adapt to list your (internal) IP networks from where browsing @@ -716,39 +991,83 @@ acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT +# TAG: proxy_protocol_access +# Determine which client proxies can be trusted to provide correct +# information regarding real client IP address using PROXY protocol. +# +# Requests may pass through a chain of several other proxies +# before reaching us. The original source details may by sent in: +# * HTTP message Forwarded header, or +# * HTTP message X-Forwarded-For header, or +# * PROXY protocol connection header. +# +# This directive is solely for validating new PROXY protocol +# connections received from a port flagged with require-proxy-header. +# It is checked only once after TCP connection setup. +# +# A deny match results in TCP connection closure. +# +# An allow match is required for Squid to permit the corresponding +# TCP connection, before Squid even looks for HTTP request headers. +# If there is an allow match, Squid starts using PROXY header information +# to determine the source address of the connection for all future ACL +# checks, logging, etc. +# +# SECURITY CONSIDERATIONS: +# +# Any host from which we accept client IP details can place +# incorrect information in the relevant header, and Squid +# will use the incorrect information as if it were the +# source address of the request. This may enable remote +# hosts to bypass any access control restrictions that are +# based on the client's source addresses. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# all TCP connections to ports with require-proxy-header will be denied + # TAG: follow_x_forwarded_for -# Allowing or Denying the X-Forwarded-For header to be followed to -# find the original source of a request. +# Determine which client proxies can be trusted to provide correct +# information regarding real client IP address. # # Requests may pass through a chain of several other proxies -# before reaching us. The X-Forwarded-For header will contain a -# comma-separated list of the IP addresses in the chain, with the -# rightmost address being the most recent. +# before reaching us. The original source details may by sent in: +# * HTTP message Forwarded header, or +# * HTTP message X-Forwarded-For header, or +# * PROXY protocol connection header. +# +# PROXY protocol connections are controlled by the proxy_protocol_access +# directive which is checked before this. # # If a request reaches us from a source that is allowed by this -# configuration item, then we consult the X-Forwarded-For header -# to see where that host received the request from. If the -# X-Forwarded-For header contains multiple addresses, we continue -# backtracking until we reach an address for which we are not allowed -# to follow the X-Forwarded-For header, or until we reach the first -# address in the list. For the purpose of ACL used in the -# follow_x_forwarded_for directive the src ACL type always matches -# the address we are testing and srcdomain matches its rDNS. +# directive, then we trust the information it provides regarding +# the IP of the client it received from (if any). +# +# For the purpose of ACLs used in this directive the src ACL type always +# matches the address we are testing and srcdomain matches its rDNS. +# +# On each HTTP request Squid checks for X-Forwarded-For header fields. +# If found the header values are iterated in reverse order and an allow +# match is required for Squid to continue on to the next value. +# The verification ends when a value receives a deny match, cannot be +# tested, or there are no more values to test. +# NOTE: Squid does not yet follow the Forwarded HTTP header. # # The end result of this process is an IP address that we will # refer to as the indirect client address. This address may # be treated as the client address for access control, ICAP, delay # pools and logging, depending on the acl_uses_indirect_client, -# icap_uses_indirect_client, delay_pool_uses_indirect_client and -# log_uses_indirect_client options. +# icap_uses_indirect_client, delay_pool_uses_indirect_client, +# log_uses_indirect_client and tproxy_uses_indirect_client options. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # # SECURITY CONSIDERATIONS: # -# Any host for which we follow the X-Forwarded-For header -# can place incorrect information in the header, and Squid +# Any host from which we accept client IP details can place +# incorrect information in the relevant header, and Squid # will use the incorrect information as if it were the # source address of the request. This may enable remote # hosts to bypass any access control restrictions that are @@ -761,7 +1080,7 @@ acl CONNECT method CONNECT # follow_x_forwarded_for allow localhost # follow_x_forwarded_for allow my_other_proxy #Default: -# follow_x_forwarded_for deny all +# X-Forwarded-For header will be ignored. # TAG: acl_uses_indirect_client on|off # Controls whether the indirect client address @@ -787,10 +1106,41 @@ acl CONNECT method CONNECT #Default: # log_uses_indirect_client on +# TAG: tproxy_uses_indirect_client on|off +# Controls whether the indirect client address +# (see follow_x_forwarded_for) is used instead of the +# direct client address when spoofing the outgoing client. +# +# This has no effect on requests arriving in non-tproxy +# mode ports. +# +# SECURITY WARNING: Usage of this option is dangerous +# and should not be used trivially. Correct configuration +# of follow_x_forwarded_for with a limited set of trusted +# sources is required to prevent abuse of your proxy. +#Default: +# tproxy_uses_indirect_client off + +# TAG: spoof_client_ip +# Control client IP address spoofing of TPROXY traffic based on +# defined access lists. +# +# spoof_client_ip allow|deny [!]aclname ... +# +# If there are no "spoof_client_ip" lines present, the default +# is to "allow" spoofing of any suitable request. +# +# Note that the cache_peer "no-tproxy" option overrides this ACL. +# +# This clause supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Allow spoofing on all TPROXY traffic. + # TAG: http_access # Allowing or Denying access based on defined access lists # -# Access to the HTTP port: +# To allow or deny a message received on an HTTP, HTTPS, or FTP port: # http_access allow|deny [!]aclname ... # # NOTE on default values: @@ -809,22 +1159,22 @@ acl CONNECT method CONNECT # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # #Default: -# http_access deny all +# Deny, unless rules exist in squid.conf. # # # Recommended minimum Access Permission configuration: # -# Only allow cachemgr access from localhost -http_access allow manager localhost -http_access deny manager - # Deny requests to certain unsafe ports http_access deny !Safe_ports # Deny CONNECT to other than secure SSL ports http_access deny CONNECT !SSL_ports +# Only allow cachemgr access from localhost +http_access allow localhost manager +http_access deny manager + # We strongly recommend the following be uncommented to protect innocent # web applications running on the proxy server who think the only # one who can access services on "localhost" is a local user @@ -852,7 +1202,7 @@ http_access deny all # # If not set then only http_access is used. #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: http_reply_access # Allow replies to client requests. This is complementary to http_access. @@ -860,7 +1210,7 @@ http_access deny all # http_reply_access allow|deny [!] aclname ... # # NOTE: if there are no access lines present, the default is to allow -# all replies +# all replies. # # If none of the access lines cause a match the opposite of the # last line will apply. Thus it is good practice to end the rules @@ -869,7 +1219,7 @@ http_access deny all # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: icp_access # Allowing or Denying access to the ICP port based on defined @@ -877,7 +1227,9 @@ http_access deny all # # icp_access allow|deny [!]aclname ... # -# See http_access for details +# NOTE: The default if no icp_access lines are present is to +# deny all traffic. This default may cause problems with peers +# using ICP. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. @@ -886,7 +1238,7 @@ http_access deny all ##icp_access allow localnet ##icp_access deny all #Default: -# icp_access deny all +# Deny, unless rules exist in squid.conf. # TAG: htcp_access # Allowing or Denying access to the HTCP port based on defined @@ -894,11 +1246,12 @@ http_access deny all # # htcp_access allow|deny [!]aclname ... # -# See http_access for details +# See also htcp_clr_access for details on access control for +# cache purge (CLR) HTCP messages. # # NOTE: The default if no htcp_access lines are present is to # deny all traffic. This default may cause problems with peers -# using the htcp or htcp-oldsquid options. +# using the htcp option. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. @@ -907,48 +1260,47 @@ http_access deny all ##htcp_access allow localnet ##htcp_access deny all #Default: -# htcp_access deny all +# Deny, unless rules exist in squid.conf. # TAG: htcp_clr_access # Allowing or Denying access to purge content using HTCP based -# on defined access lists +# on defined access lists. +# See htcp_access for details on general HTCP access control. # # htcp_clr_access allow|deny [!]aclname ... # -# See http_access for details -# # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # ## Allow HTCP CLR requests from trusted peers -#acl htcp_clr_peer src 172.16.1.2 +#acl htcp_clr_peer src 192.0.2.2 2001:DB8::2 #htcp_clr_access allow htcp_clr_peer +#htcp_clr_access deny all #Default: -# htcp_clr_access deny all +# Deny, unless rules exist in squid.conf. # TAG: miss_access -# Determins whether network access is permitted when satisfying a request. +# Determines whether network access is permitted when satisfying a request. # # For example; # to force your neighbors to use you as a sibling instead of # a parent. # -# acl localclients src 172.16.0.0/16 -# miss_access allow localclients +# acl localclients src 192.0.2.0/24 2001:DB8::a:0/64 # miss_access deny !localclients +# miss_access allow all # # This means only your local clients are allowed to fetch relayed/MISS # replies from the network and all other clients can only fetch cached # objects (HITs). # -# # The default for this setting allows all clients who passed the # http_access rules to relay via this proxy. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# miss_access allow all +# Allow, unless rules exist in squid.conf. # TAG: ident_lookup_access # A list of ACL elements which, if matched, cause an ident @@ -972,7 +1324,7 @@ http_access deny all # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# ident_lookup_access deny all +# Unless rules exist in squid.conf, IDENT is not fetched. # TAG: reply_body_max_size size [acl acl...] # This option specifies the maximum size of a reply body. It can be @@ -1009,23 +1361,22 @@ http_access deny all # reply_body_max_size 10 MB # #Default: -# none +# No limit is applied. # NETWORK OPTIONS # ----------------------------------------------------------------------------- # TAG: http_port -# Usage: port [options] -# hostname:port [options] -# 1.2.3.4:port [options] +# Usage: port [mode] [options] +# hostname:port [mode] [options] +# 1.2.3.4:port [mode] [options] # # The socket addresses where Squid will listen for HTTP client # requests. You may specify multiple socket addresses. # There are three forms: port alone, hostname with port, and # IP address with port. If you specify a hostname or IP # address, Squid binds the socket to that specific -# address. This replaces the old 'tcp_incoming_address' -# option. Most likely, you do not need to bind to a specific +# address. Most likely, you do not need to bind to a specific # address, so you can use the port number alone. # # If you are running Squid in accelerator mode, you @@ -1037,48 +1388,184 @@ http_access deny all # # You may specify multiple socket addresses on multiple lines. # -# Options: +# Modes: # -# intercept Support for IP-Layer interception of -# outgoing requests without browser settings. -# NP: disables authentication and IPv6 on the port. +# intercept Support for IP-Layer NAT interception delivering +# traffic to this Squid port. +# NP: disables authentication on the port. # -# tproxy Support Linux TPROXY for spoofing outgoing -# connections using the client IP address. -# NP: disables authentication and maybe IPv6 on the port. +# tproxy Support Linux TPROXY (or BSD divert-to) with spoofing +# of outgoing connections using the client IP address. +# NP: disables authentication on the port. # -# accel Accelerator mode. Also needs at least one of -# vhost / vport / defaultsite. +# accel Accelerator / reverse proxy mode # -# allow-direct Allow direct forwarding in accelerator mode. Normally -# accelerated requests are denied direct forwarding as if -# never_direct was used. +# ssl-bump For each CONNECT request allowed by ssl_bump ACLs, +# establish secure connection with the client and with +# the server, decrypt HTTPS messages as they pass through +# Squid, and treat them as unencrypted HTTP messages, +# becoming the man-in-the-middle. # -# defaultsite=domainname -# What to use for the Host: header if it is not present -# in a request. Determines what site (not origin server) -# accelerators should consider the default. -# Implies accel. +# The ssl_bump option is required to fully enable +# bumping of CONNECT requests. +# +# Omitting the mode flag causes default forward proxy mode to be used. +# +# +# Accelerator Mode Options: +# +# defaultsite=domainname +# What to use for the Host: header if it is not present +# in a request. Determines what site (not origin server) +# accelerators should consider the default. # -# vhost Accelerator mode using Host header for virtual domain support. -# Also uses the port as specified in Host: header unless -# overridden by the vport option. Implies accel. +# no-vhost Disable using HTTP/1.1 Host header for virtual domain support. +# +# protocol= Protocol to reconstruct accelerated and intercepted +# requests with. Defaults to HTTP/1.1 for http_port and +# HTTPS/1.1 for https_port. +# When an unsupported value is configured Squid will +# produce a FATAL error. +# Values: HTTP or HTTP/1.1, HTTPS or HTTPS/1.1 # # vport Virtual host port support. Using the http_port number -# instead of the port passed on Host: headers. Implies accel. +# instead of the port passed on Host: headers. # # vport=NN Virtual host port support. Using the specified port # number instead of the port passed on Host: headers. -# Implies accel. # -# protocol= Protocol to reconstruct accelerated requests with. -# Defaults to http. +# act-as-origin +# Act as if this Squid is the origin server. +# This currently means generate new Date: and Expires: +# headers on HIT instead of adding Age:. # # ignore-cc Ignore request Cache-Control headers. # -# Warning: This option violates HTTP specifications if +# WARNING: This option violates HTTP specifications if # used in non-accelerator setups. # +# allow-direct Allow direct forwarding in accelerator mode. Normally +# accelerated requests are denied direct forwarding as if +# never_direct was used. +# +# WARNING: this option opens accelerator mode to security +# vulnerabilities usually only affecting in interception +# mode. Make sure to protect forwarding with suitable +# http_access rules when using this. +# +# +# SSL Bump Mode Options: +# In addition to these options ssl-bump requires TLS/SSL options. +# +# generate-host-certificates[=] +# Dynamically create SSL server certificates for the +# destination hosts of bumped CONNECT requests.When +# enabled, the cert and key options are used to sign +# generated certificates. Otherwise generated +# certificate will be selfsigned. +# If there is a CA certificate lifetime of the generated +# certificate equals lifetime of the CA certificate. If +# generated certificate is selfsigned lifetime is three +# years. +# This option is disabled by default. See the ssl-bump +# option above for more information. +# +# dynamic_cert_mem_cache_size=SIZE +# Approximate total RAM size spent on cached generated +# certificates. If set to zero, caching is disabled. +# +# TLS / SSL Options: +# +# cert= Path to SSL certificate (PEM format). +# +# key= Path to SSL private key file (PEM format) +# if not specified, the certificate file is +# assumed to be a combined certificate and +# key file. +# +# version= The version of SSL/TLS supported +# 1 automatic (default) +# 2 SSLv2 only +# 3 SSLv3 only +# 4 TLSv1.0 only +# 5 TLSv1.1 only +# 6 TLSv1.2 only +# +# cipher= Colon separated list of supported ciphers. +# NOTE: some ciphers such as EDH ciphers depend on +# additional settings. If those settings are +# omitted the ciphers may be silently ignored +# by the OpenSSL library. +# +# options= Various SSL implementation options. The most important +# being: +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# SINGLE_DH_USE Always create a new key when using +# temporary/ephemeral DH key exchanges +# NO_TICKET Disables TLS tickets extension +# +# SINGLE_ECDH_USE +# Enable ephemeral ECDH key exchange. +# The adopted curve should be specified +# using the tls-dh option. +# +# ALL Enable various bug workarounds +# suggested as "harmless" by OpenSSL +# Be warned that this reduces SSL/TLS +# strength to some attacks. +# See OpenSSL SSL_CTX_set_options documentation for a +# complete list of options. +# +# clientca= File containing the list of CAs to use when +# requesting a client certificate. +# +# cafile= File containing additional CA certificates to +# use when verifying client certificates. If unset +# clientca will be used. +# +# capath= Directory containing additional CA certificates +# and CRL lists to use when verifying client certificates. +# +# crlfile= File of additional CRL lists to use when verifying +# the client certificate, in addition to CRLs stored in +# the capath. Implies VERIFY_CRL flag below. +# +# tls-dh=[curve:]file +# File containing DH parameters for temporary/ephemeral DH key +# exchanges, optionally prefixed by a curve for ephemeral ECDH +# key exchanges. +# See OpenSSL documentation for details on how to create the +# DH parameter file. Supported curves for ECDH can be listed +# using the "openssl ecparam -list_curves" command. +# WARNING: EDH and EECDH ciphers will be silently disabled if +# this option is not set. +# +# sslflags= Various flags modifying the use of SSL: +# DELAYED_AUTH +# Don't request client certificates +# immediately, but wait until acl processing +# requires a certificate (not yet implemented). +# NO_DEFAULT_CA +# Don't use the default CA lists built in +# to OpenSSL. +# NO_SESSION_REUSE +# Don't allow for session reuse. Each connection +# will result in a new SSL session. +# VERIFY_CRL +# Verify CRL lists when accepting client +# certificates. +# VERIFY_CRL_ALL +# Verify CRL lists for all certificates in the +# client certificate chain. +# +# sslcontext= SSL session ID context identifier. +# +# Other Options: +# # connection-auth[=on|off] # use connection-auth=off to tell Squid to prevent # forwarding Microsoft connection oriented authentication @@ -1100,22 +1587,6 @@ http_access deny all # sporadically hang or never complete requests set # disable-pmtu-discovery option to 'transparent'. # -# ssl-bump Intercept each CONNECT request matching ssl_bump ACL, -# establish secure connection with the client and with -# the server, decrypt HTTP messages as they pass through -# Squid, and treat them as unencrypted HTTP messages, -# becoming the man-in-the-middle. -# -# When this option is enabled, additional options become -# available to specify SSL-related properties of the -# client-side connection: cert, key, version, cipher, -# options, clientca, cafile, capath, crlfile, dhparams, -# sslflags, and sslcontext. See the https_port directive -# for more information on these options. -# -# The ssl_bump option is required to fully enable -# the SslBump feature. -# # name= Specifies a internal name for the port. Defaults to # the port specification (port or addr:port) # @@ -1125,6 +1596,11 @@ http_access deny all # probing the connection, interval how often to probe, and # timeout the time before giving up. # +# require-proxy-header +# Require PROXY protocol version 1 or 2 connections. +# The proxy_protocol_access is required to whitelist +# downstream proxies which can be trusted. +# # If you run Squid on a dual-homed machine with an internal # and an external interface we recommend you to specify the # internal address:port in http_port. This way Squid will only be @@ -1137,35 +1613,49 @@ http_port 3128 # TAG: https_port # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # -# Usage: [ip:]port cert=certificate.pem [key=key.pem] [options...] +# Usage: [ip:]port cert=certificate.pem [key=key.pem] [mode] [options...] # -# The socket address where Squid will listen for HTTPS client -# requests. +# The socket address where Squid will listen for client requests made +# over TLS or SSL connections. Commonly referred to as HTTPS. # -# This is really only useful for situations where you are running -# squid in accelerator mode and you want to do the SSL work at the -# accelerator level. +# This is most useful for situations where you are running squid in +# accelerator mode and you want to do the SSL work at the accelerator level. # # You may specify multiple socket addresses on multiple lines, # each with their own SSL certificate and/or options. # -# Options: +# Modes: +# +# accel Accelerator / reverse proxy mode +# +# intercept Support for IP-Layer interception of +# outgoing requests without browser settings. +# NP: disables authentication and IPv6 on the port. +# +# tproxy Support Linux TPROXY for spoofing outgoing +# connections using the client IP address. +# NP: disables authentication and maybe IPv6 on the port. +# +# ssl-bump For each intercepted connection allowed by ssl_bump +# ACLs, establish a secure connection with the client and with +# the server, decrypt HTTPS messages as they pass through +# Squid, and treat them as unencrypted HTTP messages, +# becoming the man-in-the-middle. +# +# An "ssl_bump server-first" match is required to +# fully enable bumping of intercepted SSL connections. +# +# Requires tproxy or intercept. # -# accel Accelerator mode. Also needs at least one of -# defaultsite or vhost. +# Omitting the mode flag causes default forward proxy mode to be used. # -# defaultsite= The name of the https site presented on -# this port. Implies accel. # -# vhost Accelerator mode using Host header for virtual -# domain support. Requires a wildcard certificate -# or other certificate valid for more than one domain. -# Implies accel. +# See http_port for a list of generic options # -# protocol= Protocol to reconstruct accelerated requests with. -# Defaults to https. +# +# SSL Options: # # cert= Path to SSL certificate (PEM format). # @@ -1181,20 +1671,23 @@ http_port 3128 # 4 TLSv1 only # # cipher= Colon separated list of supported ciphers. -# NOTE: some ciphers such as EDH ciphers depend on -# additional settings. If those settings are -# omitted the ciphers may be silently ignored -# by the OpenSSL library. # # options= Various SSL engine options. The most important # being: # NO_SSLv2 Disallow the use of SSLv2 # NO_SSLv3 Disallow the use of SSLv3 # NO_TLSv1 Disallow the use of TLSv1 +# # SINGLE_DH_USE Always create a new key when using # temporary/ephemeral DH key exchanges -# See OpenSSL SSL_CTX_set_options documentation for a -# complete list of options. +# +# SINGLE_ECDH_USE +# Enable ephemeral ECDH key exchange. +# The adopted curve should be specified +# using the tls-dh option. +# +# See src/ssl_support.c or OpenSSL SSL_CTX_set_options +# documentation for a complete list of options. # # clientca= File containing the list of CAs to use when # requesting a client certificate. @@ -1210,11 +1703,10 @@ http_port 3128 # the client certificate, in addition to CRLs stored in # the capath. Implies VERIFY_CRL flag below. # -# dhparams= File containing DH parameters for temporary/ephemeral -# DH key exchanges. See OpenSSL documentation for details -# on how to create this file. -# WARNING: EDH ciphers will be silently disabled if this -# option is not set. +# tls-dh=[curve:]file +# File containing DH parameters for temporary/ephemeral DH key +# exchanges, optionally prefixed by a curve for ephemeral ECDH +# key exchanges. # # sslflags= Various flags modifying the use of SSL: # DELAYED_AUTH @@ -1238,38 +1730,89 @@ http_port 3128 # # generate-host-certificates[=] # Dynamically create SSL server certificates for the -# destination hosts of bumped CONNECT requests.When +# destination hosts of bumped SSL requests.When # enabled, the cert and key options are used to sign # generated certificates. Otherwise generated # certificate will be selfsigned. -# If there is CA certificate life time of generated +# If there is CA certificate life time of generated # certificate equals lifetime of CA certificate. If -# generated certificate is selfsigned lifetime is three +# generated certificate is selfsigned lifetime is three # years. -# This option is enabled by default when SslBump is used. -# See the sslBump option above for more information. -# +# This option is disabled by default. See the ssl-bump +# option above for more information. +# # dynamic_cert_mem_cache_size=SIZE # Approximate total RAM size spent on cached generated -# certificates. If set to zero, caching is disabled. The -# default value is 4MB. An average XXX-bit certificate -# consumes about XXX bytes of RAM. +# certificates. If set to zero, caching is disabled. # -# vport Accelerator with IP based virtual host support. +# See http_port for a list of available options. +#Default: +# none + +# TAG: ftp_port +# Enables Native FTP proxy by specifying the socket address where Squid +# listens for FTP client requests. See http_port directive for various +# ways to specify the listening address and mode. # -# vport=NN As above, but uses specified port number rather -# than the https_port number. Implies accel. +# Usage: ftp_port address [mode] [options] # -# name= Specifies a internal name for the port. Defaults to -# the port specification (port or addr:port) +# WARNING: This is a new, experimental, complex feature that has seen +# limited production exposure. Some Squid modules (e.g., caching) do not +# currently work with native FTP proxying, and many features have not +# even been tested for compatibility. Test well before deploying! +# +# Native FTP proxying differs substantially from proxying HTTP requests +# with ftp:// URIs because Squid works as an FTP server and receives +# actual FTP commands (rather than HTTP requests with FTP URLs). # +# Native FTP commands accepted at ftp_port are internally converted or +# wrapped into HTTP-like messages. The same happens to Native FTP +# responses received from FTP origin servers. Those HTTP-like messages +# are shoveled through regular access control and adaptation layers +# between the FTP client and the FTP origin server. This allows Squid to +# examine, adapt, block, and log FTP exchanges. Squid reuses most HTTP +# mechanisms when shoveling wrapped FTP messages. For example, +# http_access and adaptation_access directives are used. +# +# Modes: +# +# intercept Same as http_port intercept. The FTP origin address is +# determined based on the intended destination of the +# intercepted connection. +# +# tproxy Support Linux TPROXY for spoofing outgoing +# connections using the client IP address. +# NP: disables authentication and maybe IPv6 on the port. +# +# By default (i.e., without an explicit mode option), Squid extracts the +# FTP origin address from the login@origin parameter of the FTP USER +# command. Many popular FTP clients support such native FTP proxying. +# +# Options: +# +# name=token Specifies an internal name for the port. Defaults to +# the port address. Usable with myportname ACL. +# +# ftp-track-dirs +# Enables tracking of FTP directories by injecting extra +# PWD commands and adjusting Request-URI (in wrapping +# HTTP requests) to reflect the current FTP server +# directory. Tracking is disabled by default. +# +# protocol=FTP Protocol to reconstruct accelerated and intercepted +# requests with. Defaults to FTP. No other accepted +# values have been tested with. An unsupported value +# results in a FATAL error. Accepted values are FTP, +# HTTP (or HTTP/1.1), and HTTPS (or HTTPS/1.1). +# +# Other http_port modes and options that are not specific to HTTP and +# HTTPS may also work. #Default: # none # TAG: tcp_outgoing_tos -# Allows you to select a TOS/Diffserv value to mark outgoing -# connections with, based on the username or source address -# making the request. +# Allows you to select a TOS/Diffserv value for packets outgoing +# on the server side, based on an ACL. # # tcp_outgoing_tos ds-field [!]aclname ... # @@ -1286,41 +1829,116 @@ http_port 3128 # RFC2475, and RFC3260. # # The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or -# "default" to use whatever default your host has. Note that in -# practice often only multiples of 4 is usable as the two rightmost bits -# have been redefined for use by ECN (RFC 3168 section 23.1). +# "default" to use whatever default your host has. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. # # Processing proceeds in the order specified, and stops at first fully # matching line. # -# Note: The use of this directive using client dependent ACLs is -# incompatible with the use of server side persistent connections. To -# ensure correct results it is best to set server_persistent_connections -# to off when using this directive in such configurations. +# Only fast ACLs are supported. #Default: # none # TAG: clientside_tos -# Allows you to select a TOS/Diffserv value to mark client-side -# connections with, based on the username or source address -# making the request. +# Allows you to select a TOS/DSCP value for packets being transmitted +# on the client-side, based on an ACL. +# +# clientside_tos ds-field [!]aclname ... +# +# Example where normal_service_net uses the TOS value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# clientside_tos 0x00 normal_service_net +# clientside_tos 0x20 good_service_net +# +# Note: This feature is incompatible with qos_flows. Any TOS values set here +# will be overwritten by TOS values in qos_flows. +# +# The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or +# "default" to use whatever default your host has. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. +# +#Default: +# none + +# TAG: tcp_outgoing_mark +# Note: This option is only available if Squid is rebuilt with the +# Packet MARK (Linux) +# +# Allows you to apply a Netfilter mark value to outgoing packets +# on the server side, based on an ACL. +# +# tcp_outgoing_mark mark-value [!]aclname ... +# +# Example where normal_service_net uses the mark value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# tcp_outgoing_mark 0x00 normal_service_net +# tcp_outgoing_mark 0x20 good_service_net +# +# Only fast ACLs are supported. +#Default: +# none + +# TAG: clientside_mark +# Note: This option is only available if Squid is rebuilt with the +# Packet MARK (Linux) +# +# Allows you to apply a Netfilter mark value to packets being transmitted +# on the client-side, based on an ACL. +# +# clientside_mark mark-value [!]aclname ... +# +# Example where normal_service_net uses the mark value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# clientside_mark 0x00 normal_service_net +# clientside_mark 0x20 good_service_net +# +# Note: This feature is incompatible with qos_flows. Any mark values set here +# will be overwritten by mark values in qos_flows. #Default: # none # TAG: qos_flows # Allows you to select a TOS/DSCP value to mark outgoing -# connections with, based on where the reply was sourced. +# connections to the client, based on where the reply was sourced. +# For platforms using netfilter, allows you to set a netfilter mark +# value instead of, or in addition to, a TOS value. +# +# By default this functionality is disabled. To enable it with the default +# settings simply use "qos_flows mark" or "qos_flows tos". Default +# settings will result in the netfilter mark or TOS value being copied +# from the upstream connection to the client. Note that it is the connection +# CONNMARK value not the packet MARK value that is copied. +# +# It is not currently possible to copy the mark or TOS value from the +# client to the upstream connection request. # # TOS values really only have local significance - so you should # know what you're specifying. For more information, see RFC2474, # RFC2475, and RFC3260. # -# The TOS/DSCP byte must be exactly that - octet value 0x00-0xFF. -# Note that in practice often only values up to 0x3F are usable -# as the two highest bits have been redefined for use by ECN -# (RFC3168). +# The TOS/DSCP byte must be exactly that - a octet value 0 - 255. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. +# +# Mark values can be any unsigned 32-bit integer value. # -# This setting is configured by setting the source TOS values: +# This setting is configured by setting the following values: +# +# tos|mark Whether to set TOS or netfilter mark values # # local-hit=0xFF Value to mark local cache hits. # @@ -1328,23 +1946,37 @@ http_port 3128 # # parent-hit=0xFF Value to mark hits from parent peers. # +# miss=0xFF[/mask] Value to mark cache misses. Takes precedence +# over the preserve-miss feature (see below), unless +# mask is specified, in which case only the bits +# specified in the mask are written. # -# NOTE: 'miss' preserve feature is only possible on Linux at this time. -# -# For the following to work correctly, you will need to patch your -# linux kernel with the TOS preserving ZPH patch. -# The kernel patch can be downloaded from http://zph.bratcheda.org +# The TOS variant of the following features are only possible on Linux +# and require your kernel to be patched with the TOS preserving ZPH +# patch, available from http://zph.bratcheda.org +# No patch is needed to preserve the netfilter mark, which will work +# with all variants of netfilter. # # disable-preserve-miss -# By default, the existing TOS value of the response coming -# from the remote server will be retained and masked with -# miss-mark. This option disables that feature. +# This option disables the preservation of the TOS or netfilter +# mark. By default, the existing TOS or netfilter mark value of +# the response coming from the remote server will be retained +# and masked with miss-mark. +# NOTE: in the case of a netfilter mark, the mark must be set on +# the connection (using the CONNMARK target) not on the packet +# (MARK target). # # miss-mask=0xFF -# Allows you to mask certain bits in the TOS received from the -# remote server, before copying the value to the TOS sent -# towards clients. -# Default: 0xFF (TOS from server is not changed). +# Allows you to mask certain bits in the TOS or mark value +# received from the remote server, before copying the value to +# the TOS sent towards clients. +# Default for tos: 0xFF (TOS from server is not changed). +# Default for mark: 0xFFFFFFFF (mark from server is not changed). +# +# All of these features require the --enable-zph-qos compilation flag +# (enabled by default). Netfilter marking also requires the +# libnetfilter_conntrack libraries (--with-netfilter-conntrack) and +# libcap 2.09+ (--with-libcap). # #Default: # none @@ -1356,72 +1988,133 @@ http_port 3128 # # tcp_outgoing_address ipaddr [[!]aclname] ... # -# Example where requests from 10.0.0.0/24 will be forwarded -# with source address 10.1.0.1, 10.0.2.0/24 forwarded with -# source address 10.1.0.2 and the rest will be forwarded with -# source address 10.1.0.3. -# -# acl normal_service_net src 10.0.0.0/24 -# acl good_service_net src 10.0.2.0/24 -# tcp_outgoing_address 10.1.0.1 normal_service_net -# tcp_outgoing_address 10.1.0.2 good_service_net -# tcp_outgoing_address 10.1.0.3 -# -# Processing proceeds in the order specified, and stops at first fully -# matching line. -# -# Note: The use of this directive using client dependent ACLs is -# incompatible with the use of server side persistent connections. To -# ensure correct results it is best to set server_persistent_connections -# to off when using this directive in such configurations. -# +# For example; +# Forwarding clients with dedicated IPs for certain subnets. # -# IPv6 Magic: +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.2.0/24 # -# Squid is built with a capability of bridging the IPv4 and IPv6 -# internets. -# tcp_outgoing_address as exampled above breaks this bridging by forcing -# all outbound traffic through a certain IPv4 which may be on the wrong -# side of the IPv4/IPv6 boundary. +# tcp_outgoing_address 2001:db8::c001 good_service_net +# tcp_outgoing_address 10.1.0.2 good_service_net # -# To operate with tcp_outgoing_address and keep the bridging benefits -# an additional ACL needs to be used which ensures the IPv6-bound traffic -# is never forced or permitted out the IPv4 interface. +# tcp_outgoing_address 2001:db8::beef normal_service_net +# tcp_outgoing_address 10.1.0.1 normal_service_net # -# # IPv6 destination test along with a dummy access control to perform the required DNS -# # This MUST be place before any ALLOW rules. -# acl to_ipv6 dst ipv6 -# http_access deny ipv6 !all +# tcp_outgoing_address 2001:db8::1 +# tcp_outgoing_address 10.1.0.3 # -# tcp_outgoing_address 2001:db8::c001 good_service_net to_ipv6 -# tcp_outgoing_address 10.1.0.2 good_service_net !to_ipv6 +# Processing proceeds in the order specified, and stops at first fully +# matching line. # -# tcp_outgoing_address 2001:db8::beef normal_service_net to_ipv6 -# tcp_outgoing_address 10.1.0.1 normal_service_net !to_ipv6 +# Squid will add an implicit IP version test to each line. +# Requests going to IPv4 websites will use the outgoing 10.1.0.* addresses. +# Requests going to IPv6 websites will use the outgoing 2001:db8:* addresses. # -# tcp_outgoing_address 2001:db8::1 to_ipv6 -# tcp_outgoing_address 10.1.0.3 !to_ipv6 # -# WARNING: -# 'dst ipv6' bases its selection assuming DIRECT access. -# If peers are used the peername ACL are needed to select outgoing -# address which can link to the peer. +# NOTE: The use of this directive using client dependent ACLs is +# incompatible with the use of server side persistent connections. To +# ensure correct results it is best to set server_persistent_connections +# to off when using this directive in such configurations. # -# 'dst ipv6' is a slow ACL. It will only work here if 'dst' is used -# previously in the http_access rules to locate the destination IP. -# Some more magic may be needed for that: -# http_access allow to_ipv6 !all -# (meaning, allow if to IPv6 but not from anywhere ;) +# NOTE: The use of this directive to set a local IP on outgoing TCP links +# is incompatible with using TPROXY to set client IP out outbound TCP links. +# When needing to contact peers use the no-tproxy cache_peer option and the +# client_dst_passthru directive re-enable normal forwarding such as this. # #Default: -# none +# Address selection is performed by the operating system. + +# TAG: host_verify_strict +# Regardless of this option setting, when dealing with intercepted +# traffic, Squid always verifies that the destination IP address matches +# the Host header domain or IP (called 'authority form URL'). +# +# This enforcement is performed to satisfy a MUST-level requirement in +# RFC 2616 section 14.23: "The Host field value MUST represent the naming +# authority of the origin server or gateway given by the original URL". +# +# When set to ON: +# Squid always responds with an HTTP 409 (Conflict) error +# page and logs a security warning if there is no match. +# +# Squid verifies that the destination IP address matches +# the Host header for forward-proxy and reverse-proxy traffic +# as well. For those traffic types, Squid also enables the +# following checks, comparing the corresponding Host header +# and Request-URI components: +# +# * The host names (domain or IP) must be identical, +# but valueless or missing Host header disables all checks. +# For the two host names to match, both must be either IP +# or FQDN. +# +# * Port numbers must be identical, but if a port is missing +# the scheme-default port is assumed. +# +# +# When set to OFF (the default): +# Squid allows suspicious requests to continue but logs a +# security warning and blocks caching of the response. +# +# * Forward-proxy traffic is not checked at all. +# +# * Reverse-proxy traffic is not checked at all. +# +# * Intercepted traffic which passes verification is handled +# according to client_dst_passthru. +# +# * Intercepted requests which fail verification are sent +# to the client original destination instead of DIRECT. +# This overrides 'client_dst_passthru off'. +# +# For now suspicious intercepted CONNECT requests are always +# responded to with an HTTP 409 (Conflict) error page. +# +# +# SECURITY NOTE: +# +# As described in CVE-2009-0801 when the Host: header alone is used +# to determine the destination of a request it becomes trivial for +# malicious scripts on remote websites to bypass browser same-origin +# security policy and sandboxing protections. +# +# The cause of this is that such applets are allowed to perform their +# own HTTP stack, in which case the same-origin policy of the browser +# sandbox only verifies that the applet tries to contact the same IP +# as from where it was loaded at the IP level. The Host: header may +# be different from the connected IP and approved origin. +# +#Default: +# host_verify_strict off + +# TAG: client_dst_passthru +# With NAT or TPROXY intercepted traffic Squid may pass the request +# directly to the original client destination IP or seek a faster +# source using the HTTP Host header. +# +# Using Host to locate alternative servers can provide faster +# connectivity with a range of failure recovery options. +# But can also lead to connectivity trouble when the client and +# server are attempting stateful interactions unaware of the proxy. +# +# This option (on by default) prevents alternative DNS entries being +# located to send intercepted traffic DIRECT to an origin server. +# The clients original destination IP and port will be used instead. +# +# Regardless of this option setting, when dealing with intercepted +# traffic Squid will verify the Host: header and any traffic which +# fails Host verification will be treated as if this option were ON. +# +# see host_verify_strict for details on the verification process. +#Default: +# client_dst_passthru on # SSL OPTIONS # ----------------------------------------------------------------------------- # TAG: ssl_unclean_shutdown # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Some browsers (especially MSIE) bugs out on SSL shutdown # messages. @@ -1430,7 +2123,7 @@ http_port 3128 # TAG: ssl_engine # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # The OpenSSL engine to use. You will need to set this if you # would like to use hardware SSL acceleration for example. @@ -1439,7 +2132,7 @@ http_port 3128 # TAG: sslproxy_client_certificate # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Client SSL Certificate to use when proxying https:// URLs #Default: @@ -1447,7 +2140,7 @@ http_port 3128 # TAG: sslproxy_client_key # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Client SSL Key to use when proxying https:// URLs #Default: @@ -1455,36 +2148,60 @@ http_port 3128 # TAG: sslproxy_version # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # SSL version level to use when proxying https:// URLs +# +# The versions of SSL/TLS supported: +# +# 1 automatic (default) +# 2 SSLv2 only +# 3 SSLv3 only +# 4 TLSv1.0 only +# 5 TLSv1.1 only +# 6 TLSv1.2 only #Default: -# sslproxy_version 1 +# automatic SSL/TLS version negotiation # TAG: sslproxy_options # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # -# SSL engine options to use when proxying https:// URLs +# Colon (:) or comma (,) separated list of SSL implementation options +# to use when proxying https:// URLs # # The most important being: # -# NO_SSLv2 Disallow the use of SSLv2 -# NO_SSLv3 Disallow the use of SSLv3 -# NO_TLSv1 Disallow the use of TLSv1 -# SINGLE_DH_USE -# Always create a new key when using -# temporary/ephemeral DH key exchanges +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# +# SINGLE_DH_USE +# Always create a new key when using temporary/ephemeral +# DH key exchanges +# +# NO_TICKET +# Disable use of RFC5077 session tickets. Some servers +# may have problems understanding the TLS extension due +# to ambiguous specification in RFC4507. +# +# ALL Enable various bug workarounds suggested as "harmless" +# by OpenSSL. Be warned that this may reduce SSL/TLS +# strength to some attacks. # -# These options vary depending on your SSL engine. # See the OpenSSL SSL_CTX_set_options documentation for a # complete list of possible options. +# +# WARNING: This directive takes a single token. If a space is used +# the value(s) after that space are SILENTLY IGNORED. #Default: # none # TAG: sslproxy_cipher # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # SSL cipher list to use when proxying https:// URLs # @@ -1494,7 +2211,7 @@ http_port 3128 # TAG: sslproxy_cafile # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # file containing CA certificates to use when verifying server # certificates while proxying https:// URLs @@ -1503,45 +2220,151 @@ http_port 3128 # TAG: sslproxy_capath # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # directory containing CA certificates to use when verifying # server certificates while proxying https:// URLs #Default: # none -# TAG: ssl_bump +# TAG: sslproxy_session_ttl +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the timeout value for SSL sessions +#Default: +# sslproxy_session_ttl 300 + +# TAG: sslproxy_session_cache_size +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the cache size to use for ssl session +#Default: +# sslproxy_session_cache_size 2 MB + +# TAG: sslproxy_foreign_intermediate_certs # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # -# This ACL controls which CONNECT requests to an http_port -# marked with an sslBump flag are actually "bumped". Please -# see the sslBump flag of an http_port option for more details -# about decoding proxied SSL connections. +# Many origin servers fail to send their full server certificate +# chain for verification, assuming the client already has or can +# easily locate any missing intermediate certificates. # -# By default, no requests are bumped. +# Squid uses the certificates from the specified file to fill in +# these missing chains when trying to validate origin server +# certificate chains. +# +# The file is expected to contain zero or more PEM-encoded +# intermediate certificates. These certificates are not treated +# as trusted root certificates, and any self-signed certificate in +# this file will be ignored. +#Default: +# none + +# TAG: sslproxy_cert_sign_hash +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the hashing algorithm to use when signing generated certificates. +# Valid algorithm names depend on the OpenSSL library used. The following +# names are usually available: sha1, sha256, sha512, and md5. Please see +# your OpenSSL library manual for the available hashes. By default, Squids +# that support this option use sha256 hashes. +# +# Squid does not forcefully purge cached certificates that were generated +# with an algorithm other than the currently configured one. They remain +# in the cache, subject to the regular cache eviction policy, and become +# useful if the algorithm changes again. +#Default: +# none + +# TAG: ssl_bump +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# This option is consulted when a CONNECT request is received on +# an http_port (or a new connection is intercepted at an +# https_port), provided that port was configured with an ssl-bump +# flag. The subsequent data on the connection is either treated as +# HTTPS and decrypted OR tunneled at TCP level without decryption, +# depending on the first matching bumping "action". +# +# ssl_bump [!]acl ... +# +# The following bumping actions are currently supported: +# +# splice +# Become a TCP tunnel without decrypting proxied traffic. +# This is the default action. +# +# bump +# Establish a secure connection with the server and, using a +# mimicked server certificate, with the client. +# +# peek +# Receive client (step SslBump1) or server (step SslBump2) +# certificate while preserving the possibility of splicing the +# connection. Peeking at the server certificate (during step 2) +# usually precludes bumping of the connection at step 3. +# +# stare +# Receive client (step SslBump1) or server (step SslBump2) +# certificate while preserving the possibility of bumping the +# connection. Staring at the server certificate (during step 2) +# usually precludes splicing of the connection at step 3. +# +# terminate +# Close client and server connections. +# +# Backward compatibility actions available at step SslBump1: +# +# client-first +# Bump the connection. Establish a secure connection with the +# client first, then connect to the server. This old mode does +# not allow Squid to mimic server SSL certificate and does not +# work with intercepted SSL connections. +# +# server-first +# Bump the connection. Establish a secure connection with the +# server first, then establish a secure connection with the +# client, using a mimicked server certificate. Works with both +# CONNECT requests and intercepted SSL connections, but does +# not allow to make decisions based on SSL handshake info. +# +# peek-and-splice +# Decide whether to bump or splice the connection based on +# client-to-squid and server-to-squid SSL hello messages. +# XXX: Remove. +# +# none +# Same as the "splice" action. +# +# All ssl_bump rules are evaluated at each of the supported bumping +# steps. Rules with actions that are impossible at the current step are +# ignored. The first matching ssl_bump action wins and is applied at the +# end of the current step. If no rules match, the splice action is used. +# See the at_step ACL for a list of the supported SslBump steps. # -# See also: http_port ssl-bump -# # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # +# See also: http_port ssl-bump, https_port ssl-bump, and acl at_step. +# # -# # Example: Bump all requests except those originating from localhost and -# # those going to webax.com or example.com sites. +# # Example: Bump all TLS connections except those originating from +# # localhost or those going to example.com. # -# acl localhost src 127.0.0.1/32 -# acl broken_sites dstdomain .webax.com -# acl broken_sites dstdomain .example.com -# ssl_bump deny localhost -# ssl_bump deny broken_sites -# ssl_bump allow all +# acl broken_sites ssl::server_name .example.com +# ssl_bump splice localhost +# ssl_bump splice broken_sites +# ssl_bump bump all #Default: -# none +# Become a TCP tunnel without decrypting proxied traffic. # TAG: sslproxy_flags # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Various flags modifying the use of SSL while proxying https:// URLs: # DONT_VERIFY_PEER Accept certificates that fail verification. @@ -1553,16 +2376,16 @@ http_port 3128 # TAG: sslproxy_cert_error # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Use this ACL to bypass server certificate validation errors. # # For example, the following lines will bypass all validation errors -# when talking to servers located at 172.16.0.0/16. All other +# when talking to servers for example.com. All other # validation errors will result in ERR_SECURE_CONNECT_FAIL error. # -# acl BrokenServersAtTrustedIP dst 172.16.0.0/16 -# sslproxy_cert_error allow BrokenServersAtTrustedIP +# acl BrokenButTrustedServers dstdomain example.com +# sslproxy_cert_error allow BrokenButTrustedServers # sslproxy_cert_error deny all # # This clause only supports fast acl types. @@ -1570,19 +2393,107 @@ http_port 3128 # Using slow acl types may result in server crashes # # Without this option, all server certificate validation errors -# terminate the transaction. Bypassing validation errors is dangerous -# because an error usually implies that the server cannot be trusted and -# the connection may be insecure. +# terminate the transaction to protect Squid and the client. +# +# SQUID_X509_V_ERR_INFINITE_VALIDATION error cannot be bypassed +# but should not happen unless your OpenSSL library is buggy. +# +# SECURITY WARNING: +# Bypassing validation errors is dangerous because an +# error usually implies that the server cannot be trusted +# and the connection may be insecure. # # See also: sslproxy_flags and DONT_VERIFY_PEER. +#Default: +# Server certificate errors terminate the transaction. + +# TAG: sslproxy_cert_sign +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# # -# Default setting: sslproxy_cert_error deny all +# sslproxy_cert_sign acl ... +# +# The following certificate signing algorithms are supported: +# +# signTrusted +# Sign using the configured CA certificate which is usually +# placed in and trusted by end-user browsers. This is the +# default for trusted origin server certificates. +# +# signUntrusted +# Sign to guarantee an X509_V_ERR_CERT_UNTRUSTED browser error. +# This is the default for untrusted origin server certificates +# that are not self-signed (see ssl::certUntrusted). +# +# signSelf +# Sign using a self-signed certificate with the right CN to +# generate a X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT error in the +# browser. This is the default for self-signed origin server +# certificates (see ssl::certSelfSigned). +# +# This clause only supports fast acl types. +# +# When sslproxy_cert_sign acl(s) match, Squid uses the corresponding +# signing algorithm to generate the certificate and ignores all +# subsequent sslproxy_cert_sign options (the first match wins). If no +# acl(s) match, the default signing algorithm is determined by errors +# detected when obtaining and validating the origin server certificate. +# +# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can +# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a +# CONNECT request that carries a domain name. In all other cases (CONNECT +# to an IP address or an intercepted SSL connection), Squid cannot detect +# the domain mismatch at certificate generation time when +# bump-server-first is used. +#Default: +# none + +# TAG: sslproxy_cert_adapt +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# +# sslproxy_cert_adapt acl ... +# +# The following certificate adaptation algorithms are supported: +# +# setValidAfter +# Sets the "Not After" property to the "Not After" property of +# the CA certificate used to sign generated certificates. +# +# setValidBefore +# Sets the "Not Before" property to the "Not Before" property of +# the CA certificate used to sign generated certificates. +# +# setCommonName or setCommonName{CN} +# Sets Subject.CN property to the host name specified as a +# CN parameter or, if no explicit CN parameter was specified, +# extracted from the CONNECT request. It is a misconfiguration +# to use setCommonName without an explicit parameter for +# intercepted or tproxied SSL connections. +# +# This clause only supports fast acl types. +# +# Squid first groups sslproxy_cert_adapt options by adaptation algorithm. +# Within a group, when sslproxy_cert_adapt acl(s) match, Squid uses the +# corresponding adaptation algorithm to generate the certificate and +# ignores all subsequent sslproxy_cert_adapt options in that algorithm's +# group (i.e., the first match wins within each algorithm group). If no +# acl(s) match, the default mimicking action takes place. +# +# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can +# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a +# CONNECT request that carries a domain name. In all other cases (CONNECT +# to an IP address or an intercepted SSL connection), Squid cannot detect +# the domain mismatch at certificate generation time when +# bump-server-first is used. #Default: # none # TAG: sslpassword_program # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Specify a program used for entering SSL key passphrases # when using encrypted SSL certificate keys. If not specified @@ -1595,12 +2506,12 @@ http_port 3128 #Default: # none -#OPTIONS RELATING TO EXTERNAL SSL_CRTD -#----------------------------------------------------------------------------- +# OPTIONS RELATING TO EXTERNAL SSL_CRTD +# ----------------------------------------------------------------------------- # TAG: sslcrtd_program # Note: This option is only available if Squid is rebuilt with the -# -DUSE_SSL_CRTD define +# --enable-ssl-crtd # # Specify the location and options of the executable for ssl_crtd process. # /usr/lib/squid/ssl_crtd program requires -s and -M parameters @@ -1611,14 +2522,90 @@ http_port 3128 # TAG: sslcrtd_children # Note: This option is only available if Squid is rebuilt with the -# -DUSE_SSL_CRTD define +# --enable-ssl-crtd # # The maximum number of processes spawn to service ssl server. # The maximum this may be safely set to is 32. # +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup=N +# +# Sets the minimum number of processes to spawn when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few children temporary slows Squid under load while it +# tries to spawn enough additional processes to cope with traffic. +# +# idle=N +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# # You must have at least one ssl_crtd process. #Default: -# sslcrtd_children 5 +# sslcrtd_children 32 startup=5 idle=1 + +# TAG: sslcrtvalidator_program +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Specify the location and options of the executable for ssl_crt_validator +# process. +# +# Usage: sslcrtvalidator_program [ttl=n] [cache=n] path ... +# +# Options: +# ttl=n TTL in seconds for cached results. The default is 60 secs +# cache=n limit the result cache size. The default value is 2048 +#Default: +# none + +# TAG: sslcrtvalidator_children +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# The maximum number of processes spawn to service SSL server. +# The maximum this may be safely set to is 32. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup=N +# +# Sets the minimum number of processes to spawn when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few children temporary slows Squid under load while it +# tries to spawn enough additional processes to cope with traffic. +# +# idle=N +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# +# The number of requests each certificate validator helper can handle in +# parallel. A value of 0 indicates the certficate validator does not +# support concurrency. Defaults to 1. +# +# When this directive is set to a value >= 1 then the protocol +# used to communicate with the helper is modified to include +# a request ID in front of the request/response. The request +# ID from the request must be echoed back with the response +# to that request. +# +# You must have at least one ssl_crt_validator process. +#Default: +# sslcrtvalidator_children 32 startup=5 idle=1 concurrency=1 # OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM # ----------------------------------------------------------------------------- @@ -1680,22 +2667,23 @@ http_port 3128 # # htcp Send HTCP, instead of ICP, queries to the neighbor. # You probably also want to set the "icp-port" to 4827 -# instead of 3130. +# instead of 3130. This directive accepts a comma separated +# list of options described below. # -# htcp-oldsquid Send HTCP to old Squid versions. +# htcp=oldsquid Send HTCP to old Squid versions (2.5 or earlier). # -# htcp-no-clr Send HTCP to the neighbor but without +# htcp=no-clr Send HTCP to the neighbor but without # sending any CLR requests. This cannot be used with -# htcp-only-clr. +# only-clr. # -# htcp-only-clr Send HTCP to the neighbor but ONLY CLR requests. -# This cannot be used with htcp-no-clr. +# htcp=only-clr Send HTCP to the neighbor but ONLY CLR requests. +# This cannot be used with no-clr. # -# htcp-no-purge-clr +# htcp=no-purge-clr # Send HTCP to the neighbor including CLRs but only when # they do not result from PURGE requests. # -# htcp-forward-clr +# htcp=forward-clr # Forward any HTCP CLR requests this proxy receives to the peer. # # @@ -1768,6 +2756,14 @@ http_port 3128 # than the Squid default location. # # +# ==== CARP OPTIONS ==== +# +# carp-key=key-specification +# use a different key than the full URL to hash against the peer. +# the key-specification is a comma-separated list of the keywords +# scheme, host, port, path, params +# Order is not important. +# # ==== ACCELERATOR / REVERSE-PROXY OPTIONS ==== # # originserver Causes this parent to be contacted as an origin server. @@ -1795,20 +2791,23 @@ http_port 3128 # Note: The string can include URL escapes (i.e. %20 for # spaces). This also means % must be written as %%. # -# login=PROXYPASS +# login=PASSTHRU # Send login details received from client to this peer. -# Authentication is not required, nor changed. +# Both Proxy- and WWW-Authorization headers are passed +# without alteration to the peer. +# Authentication is not required by Squid for this to work. # # Note: This will pass any form of authentication but # only Basic auth will work through a proxy unless the # connection-auth options are also used. -# +# # login=PASS Send login details received from client to this peer. # Authentication is not required by this option. +# # If there are no client-provided authentication headers # to pass on, but username and password are available -# from either proxy login or an external ACL user= and -# password= result tags they may be sent instead. +# from an external ACL user= and password= result tags +# they may be sent instead. # # Note: To combine this with proxy_auth both proxies must # share the same user database as HTTP only allows for @@ -1826,6 +2825,27 @@ http_port 3128 # be used to identify this proxy to the peer, similar to # the login=username:password option above. # +# login=NEGOTIATE +# If this is a personal/workgroup proxy and your parent +# requires a secure proxy authentication. +# The first principal from the default keytab or defined by +# the environment variable KRB5_KTNAME will be used. +# +# WARNING: The connection may transmit requests from multiple +# clients. Negotiate often assumes end-to-end authentication +# and a single-client. Which is not strictly true here. +# +# login=NEGOTIATE:principal_name +# If this is a personal/workgroup proxy and your parent +# requires a secure proxy authentication. +# The principal principal_name from the default keytab or +# defined by the environment variable KRB5_KTNAME will be +# used. +# +# WARNING: The connection may transmit requests from multiple +# clients. Negotiate often assumes end-to-end authentication +# and a single-client. Which is not strictly true here. +# # connection-auth=on|off # Tell Squid that this peer does or not support Microsoft # connection oriented authentication, and any such @@ -1848,22 +2868,42 @@ http_port 3128 # reference a combined file containing both the # certificate and the key. # -# sslversion=1|2|3|4 +# sslversion=1|2|3|4|5|6 # The SSL version to use when connecting to this peer # 1 = automatic (default) # 2 = SSL v2 only # 3 = SSL v3 only -# 4 = TLS v1 only +# 4 = TLS v1.0 only +# 5 = TLS v1.1 only +# 6 = TLS v1.2 only # # sslcipher=... The list of valid SSL ciphers to use when connecting # to this peer. # -# ssloptions=... Specify various SSL engine options: -# NO_SSLv2 Disallow the use of SSLv2 -# NO_SSLv3 Disallow the use of SSLv3 -# NO_TLSv1 Disallow the use of TLSv1 -# See src/ssl_support.c or the OpenSSL documentation for -# a more complete list. +# ssloptions=... Specify various SSL implementation options: +# +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# +# SINGLE_DH_USE +# Always create a new key when using +# temporary/ephemeral DH key exchanges +# +# NO_TICKET +# Disable use of RFC5077 session tickets. Some servers +# may have problems understanding the TLS extension due +# to ambiguous specification in RFC4507. +# +# ALL Enable various bug workarounds +# suggested as "harmless" by OpenSSL +# Be warned that this reduces SSL/TLS +# strength to some attacks. +# +# See the OpenSSL SSL_CTX_set_options documentation for a +# more complete list. # # sslcafile=... A file containing additional CA certificates to use # when verifying the peer certificate. @@ -1907,29 +2947,74 @@ http_port 3128 # # connect-fail-limit=N # How many times connecting to a peer must fail before -# it is marked as down. Default is 10. +# it is marked as down. Standby connection failures +# count towards this limit. Default is 10. # # allow-miss Disable Squid's use of only-if-cached when forwarding # requests to siblings. This is primarily useful when -# icp_hit_stale is used by the sibling. To extensive use -# of this option may result in forwarding loops, and you -# should avoid having two-way peerings with this option. -# For example to deny peer usage on requests from peer -# by denying cache_peer_access if the source is a peer. +# icp_hit_stale is used by the sibling. Excessive use +# of this option may result in forwarding loops. One way +# to prevent peering loops when using this option, is to +# deny cache peer usage on requests from a peer: +# acl fromPeer ... +# cache_peer_access peerName deny fromPeer +# +# max-conn=N Limit the number of concurrent connections the Squid +# may open to this peer, including already opened idle +# and standby connections. There is no peer-specific +# connection limit by default. # -# max-conn=N Limit the amount of connections Squid may open to this -# peer. see also +# A peer exceeding the limit is not used for new +# requests unless a standby connection is available. +# +# max-conn currently works poorly with idle persistent +# connections: When a peer reaches its max-conn limit, +# and there are idle persistent connections to the peer, +# the peer may not be selected because the limiting code +# does not know whether Squid can reuse those idle +# connections. +# +# standby=N Maintain a pool of N "hot standby" connections to an +# UP peer, available for requests when no idle +# persistent connection is available (or safe) to use. +# By default and with zero N, no such pool is maintained. +# N must not exceed the max-conn limit (if any). +# +# At start or after reconfiguration, Squid opens new TCP +# standby connections until there are N connections +# available and then replenishes the standby pool as +# opened connections are used up for requests. A used +# connection never goes back to the standby pool, but +# may go to the regular idle persistent connection pool +# shared by all peers and origin servers. +# +# Squid never opens multiple new standby connections +# concurrently. This one-at-a-time approach minimizes +# flooding-like effect on peers. Furthermore, just a few +# standby connections should be sufficient in most cases +# to supply most new requests with a ready-to-use +# connection. +# +# Standby connections obey server_idle_pconn_timeout. +# For the feature to work as intended, the peer must be +# configured to accept and keep them open longer than +# the idle timeout at the connecting Squid, to minimize +# race conditions typical to idle used persistent +# connections. Default request_timeout and +# server_idle_pconn_timeout values ensure such a +# configuration. # # name=xxx Unique name for the peer. # Required if you have multiple peers on the same host # but different ports. # This name can be used in cache_peer_access and similar -# directives to dentify the peer. +# directives to identify the peer. # Can be used by outgoing access controls through the # peername ACL type. # # no-tproxy Do not use the client-spoof TPROXY support when forwarding # requests to this peer. Use normal address selection instead. +# This overrides the spoof_client_ip ACL. # # proxy-only objects fetched from the peer will not be stored locally. # @@ -1938,10 +3023,11 @@ http_port 3128 # TAG: cache_peer_domain # Use to limit the domains for which a neighbor cache will be -# queried. Usage: +# queried. # -# cache_peer_domain cache-host domain [domain ...] -# cache_peer_domain cache-host !domain +# Usage: +# cache_peer_domain cache-host domain [domain ...] +# cache_peer_domain cache-host !domain # # For example, specifying # @@ -1966,33 +3052,57 @@ http_port 3128 # none # TAG: cache_peer_access -# Similar to 'cache_peer_domain' but provides more flexibility by -# using ACL elements. +# Restricts usage of cache_peer proxies. # -# cache_peer_access cache-host allow|deny [!]aclname ... +# Usage: +# cache_peer_access peer-name allow|deny [!]aclname ... +# +# For the required peer-name parameter, use either the value of the +# cache_peer name=value parameter or, if name=value is missing, the +# cache_peer hostname parameter. +# +# This directive narrows down the selection of peering candidates, but +# does not determine the order in which the selected candidates are +# contacted. That order is determined by the peer selection algorithms +# (see PEER SELECTION sections in the cache_peer documentation). +# +# If a deny rule matches, the corresponding peer will not be contacted +# for the current transaction -- Squid will not send ICP queries and +# will not forward HTTP requests to that peer. An allow match leaves +# the corresponding peer in the selection. The first match for a given +# peer wins for that peer. +# +# The relative order of cache_peer_access directives for the same peer +# matters. The relative order of any two cache_peer_access directives +# for different peers does not matter. To ease interpretation, it is a +# good idea to group cache_peer_access directives for the same peer +# together. +# +# A single cache_peer_access directive may be evaluated multiple times +# for a given transaction because individual peer selection algorithms +# may check it independently from each other. These redundant checks +# may be optimized away in future Squid versions. # -# The syntax is identical to 'http_access' and the other lists of -# ACL elements. See the comments for 'http_access' below, or -# the Squid FAQ (http://wiki.squid-cache.org/SquidFaq/SquidAcl). +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# No peer usage restrictions. # TAG: neighbor_type_domain -# usage: neighbor_type_domain neighbor parent|sibling domain domain ... +# Modify the cache_peer neighbor type when passing requests +# about specific domains to the peer. # -# Modifying the neighbor type for specific domains is now -# possible. You can treat some domains differently than the the -# default neighbor type specified on the 'cache_peer' line. -# Normally it should only be necessary to list domains which -# should be treated differently because the default neighbor type -# applies for hostnames which do not match domains listed here. +# Usage: +# neighbor_type_domain neighbor parent|sibling domain domain ... # -#EXAMPLE: -# cache_peer cache.foo.org parent 3128 3130 -# neighbor_type_domain cache.foo.org sibling .com .net -# neighbor_type_domain cache.foo.org sibling .au .de +# For example: +# cache_peer foo.example.com parent 3128 3130 +# neighbor_type_domain foo.example.com sibling .au .de +# +# The above configuration treats all requests to foo.example.com as a +# parent proxy unless the request is for a .au or .de ccTLD domain name. #Default: -# none +# The peer type from cache_peer directive is used for all requests to that peer. # TAG: dead_peer_timeout (seconds) # This controls how long Squid waits to declare a peer cache @@ -2015,21 +3125,11 @@ http_port 3128 # TAG: forward_max_tries # Controls how many different forward paths Squid will try # before giving up. See also forward_timeout. +# +# NOTE: connect_retries (default: none) can make each of these +# possible forwarding paths be tried multiple times. #Default: -# forward_max_tries 10 - -# TAG: hierarchy_stoplist -# A list of words which, if found in a URL, cause the object to -# be handled directly by this cache. In other words, use this -# to not query neighbor caches for certain objects. You may -# list this option multiple times. -# -# Example: -# hierarchy_stoplist cgi-bin ? -# -# Note: never_direct overrides this option. -#Default: -# none +# forward_max_tries 25 # MEMORY CACHE OPTIONS # ----------------------------------------------------------------------------- @@ -2064,6 +3164,11 @@ http_port 3128 # decreases, blocks will be freed until the high-water mark is # reached. Thereafter, blocks will be used to store hot # objects. +# +# If shared memory caching is enabled, Squid does not use the shared +# cache space for in-transit objects, but they still consume as much +# local memory as they need. For more details about the shared memory +# cache, see memory_cache_shared. #Default: # cache_mem 256 MB @@ -2075,11 +3180,45 @@ http_port 3128 #Default: # maximum_object_size_in_memory 512 KB +# TAG: memory_cache_shared on|off +# Controls whether the memory cache is shared among SMP workers. +# +# The shared memory cache is meant to occupy cache_mem bytes and replace +# the non-shared memory cache, although some entities may still be +# cached locally by workers for now (e.g., internal and in-transit +# objects may be served from a local memory cache even if shared memory +# caching is enabled). +# +# By default, the memory cache is shared if and only if all of the +# following conditions are satisfied: Squid runs in SMP mode with +# multiple workers, cache_mem is positive, and Squid environment +# supports required IPC primitives (e.g., POSIX shared memory segments +# and GCC-style atomic operations). +# +# To avoid blocking locks, shared memory uses opportunistic algorithms +# that do not guarantee that every cachable entity that could have been +# shared among SMP workers will actually be shared. +#Default: +# "on" where supported if doing memory caching with multiple SMP workers. + +# TAG: memory_cache_mode +# Controls which objects to keep in the memory cache (cache_mem) +# +# always Keep most recently fetched objects in memory (default) +# +# disk Only disk cache hits are kept in memory, which means +# an object must first be cached on disk and then hit +# a second time before cached in memory. +# +# network Only objects fetched from network is kept in memory +#Default: +# Keep the most recently fetched objects in memory + # TAG: memory_replacement_policy # The memory replacement policy parameter determines which # objects are purged from memory when memory space is needed. # -# See cache_replacement_policy for details. +# See cache_replacement_policy for details on algorithms. #Default: # memory_replacement_policy lru @@ -2095,7 +3234,7 @@ http_port 3128 # heap LFUDA: Least Frequently Used with Dynamic Aging # heap LRU : LRU policy implemented using a heap # -# Applies to any cache_dir lines listed below this. +# Applies to any cache_dir lines listed below this directive. # # The LRU policies keeps recently referenced objects. # @@ -2114,7 +3253,7 @@ http_port 3128 # replacement policies. # # NOTE: if using the LFUDA replacement policy you should increase -# the value of maximum_object_size above its default of 4096 KB to +# the value of maximum_object_size above its default of 4 MB to # to maximize the potential byte hit rate improvement of LFUDA. # # For more information about the GDSF and LFUDA cache replacement @@ -2123,10 +3262,34 @@ http_port 3128 #Default: # cache_replacement_policy lru +# TAG: minimum_object_size (bytes) +# Objects smaller than this size will NOT be saved on disk. The +# value is specified in bytes, and the default is 0 KB, which +# means all responses can be stored. +#Default: +# no limit + +# TAG: maximum_object_size (bytes) +# Set the default value for max-size parameter on any cache_dir. +# The value is specified in bytes, and the default is 4 MB. +# +# If you wish to get a high BYTES hit ratio, you should probably +# increase this (one 32 MB object hit counts for 3200 10KB +# hits). +# +# If you wish to increase hit ratio more than you want to +# save bandwidth you should leave this low. +# +# NOTE: if using the LFUDA replacement policy you should increase +# this value to maximize the byte hit rate improvement of LFUDA! +# See cache_replacement_policy for a discussion of this policy. +#Default: +# maximum_object_size 4 MB +maximum_object_size 153600 KB + # TAG: cache_dir -# Usage: -# -# cache_dir Type Directory-Name Fs-specific-data [options] +# Format: +# cache_dir Type Directory-Name Fs-specific-data [options] # # You can specify multiple cache_dir lines to spread the # cache among different disk partitions. @@ -2141,12 +3304,18 @@ http_port 3128 # The directory must exist and be writable by the Squid # process. Squid will NOT create this directory for you. # -# The ufs store type: +# In SMP configurations, cache_dir must not precede the workers option +# and should use configuration macros or conditionals to give each +# worker interested in disk caching a dedicated cache directory. +# +# +# ==== The ufs store type ==== # # "ufs" is the old well-known Squid storage format that has always # been there. # -# cache_dir ufs Directory-Name Mbytes L1 L2 [options] +# Usage: +# cache_dir ufs Directory-Name Mbytes L1 L2 [options] # # 'Mbytes' is the amount of disk space (MB) to use under this # directory. The default is 100 MB. Change this to suit your @@ -2161,23 +3330,27 @@ http_port 3128 # will be created under each first-level directory. The default # is 256. # -# The aufs store type: +# +# ==== The aufs store type ==== # # "aufs" uses the same storage format as "ufs", utilizing # POSIX-threads to avoid blocking the main Squid process on # disk-I/O. This was formerly known in Squid as async-io. # -# cache_dir aufs Directory-Name Mbytes L1 L2 [options] +# Usage: +# cache_dir aufs Directory-Name Mbytes L1 L2 [options] # # see argument descriptions under ufs above # -# The diskd store type: +# +# ==== The diskd store type ==== # # "diskd" uses the same storage format as "ufs", utilizing a # separate process to avoid blocking the main Squid process on # disk-I/O. # -# cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n] +# Usage: +# cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n] # # see argument descriptions under ufs above # @@ -2185,55 +3358,149 @@ http_port 3128 # stops opening new files. If this many messages are in the queues, # Squid won't open new files. Default is 64 # -# Q2 specifies the number of unacknowledged messages when Squid -# starts blocking. If this many messages are in the queues, -# Squid blocks until it receives some replies. Default is 72 +# Q2 specifies the number of unacknowledged messages when Squid +# starts blocking. If this many messages are in the queues, +# Squid blocks until it receives some replies. Default is 72 +# +# When Q1 < Q2 (the default), the cache directory is optimized +# for lower response time at the expense of a decrease in hit +# ratio. If Q1 > Q2, the cache directory is optimized for +# higher hit ratio at the expense of an increase in response +# time. +# +# +# ==== The rock store type ==== +# +# Usage: +# cache_dir rock Directory-Name Mbytes [options] +# +# The Rock Store type is a database-style storage. All cached +# entries are stored in a "database" file, using fixed-size slots. +# A single entry occupies one or more slots. +# +# If possible, Squid using Rock Store creates a dedicated kid +# process called "disker" to avoid blocking Squid worker(s) on disk +# I/O. One disker kid is created for each rock cache_dir. Diskers +# are created only when Squid, running in daemon mode, has support +# for the IpcIo disk I/O module. +# +# swap-timeout=msec: Squid will not start writing a miss to or +# reading a hit from disk if it estimates that the swap operation +# will take more than the specified number of milliseconds. By +# default and when set to zero, disables the disk I/O time limit +# enforcement. Ignored when using blocking I/O module because +# blocking synchronous I/O does not allow Squid to estimate the +# expected swap wait time. +# +# max-swap-rate=swaps/sec: Artificially limits disk access using +# the specified I/O rate limit. Swap out requests that +# would cause the average I/O rate to exceed the limit are +# delayed. Individual swap in requests (i.e., hits or reads) are +# not delayed, but they do contribute to measured swap rate and +# since they are placed in the same FIFO queue as swap out +# requests, they may wait longer if max-swap-rate is smaller. +# This is necessary on file systems that buffer "too +# many" writes and then start blocking Squid and other processes +# while committing those writes to disk. Usually used together +# with swap-timeout to avoid excessive delays and queue overflows +# when disk demand exceeds available disk "bandwidth". By default +# and when set to zero, disables the disk I/O rate limit +# enforcement. Currently supported by IpcIo module only. +# +# slot-size=bytes: The size of a database "record" used for +# storing cached responses. A cached response occupies at least +# one slot and all database I/O is done using individual slots so +# increasing this parameter leads to more disk space waste while +# decreasing it leads to more disk I/O overheads. Should be a +# multiple of your operating system I/O page size. Defaults to +# 16KBytes. A housekeeping header is stored with each slot and +# smaller slot-sizes will be rejected. The header is smaller than +# 100 bytes. +# +# +# ==== COMMON OPTIONS ==== +# +# no-store no new objects should be stored to this cache_dir. +# +# min-size=n the minimum object size in bytes this cache_dir +# will accept. It's used to restrict a cache_dir +# to only store large objects (e.g. AUFS) while +# other stores are optimized for smaller objects +# (e.g. Rock). +# Defaults to 0. +# +# max-size=n the maximum object size in bytes this cache_dir +# supports. +# The value in maximum_object_size directive sets +# the default unless more specific details are +# available (ie a small store capacity). +# +# Note: To make optimal use of the max-size limits you should order +# the cache_dir lines with the smallest max-size value first. +# +#Default: +# No disk cache. Store cache ojects only in memory. +# + +# Uncomment and adjust the following to add a disk cache directory. +#cache_dir ufs /var/spool/squid 100 16 256 +cache_dir ufs /var/spool/squid 4096 16 1024 + +# TAG: store_dir_select_algorithm +# How Squid selects which cache_dir to use when the response +# object will fit into more than one. +# +# Regardless of which algorithm is used the cache_dir min-size +# and max-size parameters are obeyed. As such they can affect +# the selection algorithm by limiting the set of considered +# cache_dir. +# +# Algorithms: +# +# least-load +# +# This algorithm is suited to caches with similar cache_dir +# sizes and disk speeds. # -# When Q1 < Q2 (the default), the cache directory is optimized -# for lower response time at the expense of a decrease in hit -# ratio. If Q1 > Q2, the cache directory is optimized for -# higher hit ratio at the expense of an increase in response -# time. +# The disk with the least I/O pending is selected. +# When there are multiple disks with the same I/O load ranking +# the cache_dir with most available capacity is selected. # -# The coss store type: +# When a mix of cache_dir sizes are configured the faster disks +# have a naturally lower I/O loading and larger disks have more +# capacity. So space used to store objects and data throughput +# may be very unbalanced towards larger disks. # -# NP: COSS filesystem in Squid-3 has been deemed too unstable for -# production use and has thus been removed from this release. -# We hope that it can be made usable again soon. # -# block-size=n defines the "block size" for COSS cache_dir's. -# Squid uses file numbers as block numbers. Since file numbers -# are limited to 24 bits, the block size determines the maximum -# size of the COSS partition. The default is 512 bytes, which -# leads to a maximum cache_dir size of 512<<24, or 8 GB. Note -# you should not change the coss block size after Squid -# has written some objects to the cache_dir. +# round-robin # -# The coss file store has changed from 2.5. Now it uses a file -# called 'stripe' in the directory names in the config - and -# this will be created by squid -z. +# This algorithm is suited to caches with unequal cache_dir +# disk sizes. # -# Common options: +# Each cache_dir is selected in a rotation. The next suitable +# cache_dir is used. # -# no-store, no new objects should be stored to this cache_dir +# Available cache_dir capacity is only considered in relation +# to whether the object will fit and meets the min-size and +# max-size parameters. # -# max-size=n, refers to the max object size in bytes this cache_dir -# supports. It is used to select the cache_dir to store the object. -# Note: To make optimal use of the max-size limits you should order -# the cache_dir lines with the smallest max-size value first and the -# ones with no max-size specification last. +# Disk I/O loading is only considered to prevent overload on slow +# disks. This algorithm does not spread objects by size, so any +# I/O loading per-disk may appear very unbalanced and volatile. # -# Note for coss, max-size must be less than COSS_MEMBUF_SZ, -# which can be changed with the --with-coss-membuf-size=N configure -# option. +# If several cache_dirs use similar min-size, max-size, or other +# limits to to reject certain responses, then do not group such +# cache_dir lines together, to avoid round-robin selection bias +# towards the first cache_dir after the group. Instead, interleave +# cache_dir lines from different groups. For example: # - -# Uncomment and adjust the following to add a disk cache directory. -#cache_dir ufs /var/spool/squid 100 16 256 -cache_dir ufs /var/spool/squid 4096 16 1024 - -# TAG: store_dir_select_algorithm -# Set this to 'round-robin' as an alternative. +# store_dir_select_algorithm round-robin +# cache_dir rock /hdd1 ... min-size=100000 +# cache_dir rock /ssd1 ... max-size=99999 +# cache_dir rock /hdd2 ... min-size=100000 +# cache_dir rock /ssd2 ... max-size=99999 +# cache_dir rock /hdd3 ... min-size=100000 +# cache_dir rock /ssd3 ... max-size=99999 #Default: # store_dir_select_algorithm least-load @@ -2244,46 +3511,53 @@ cache_dir ufs /var/spool/squid 4096 16 1024 # # A value of 0 indicates no limit. #Default: -# max_open_disk_fds 0 - -# TAG: minimum_object_size (bytes) -# Objects smaller than this size will NOT be saved on disk. The -# value is specified in kilobytes, and the default is 0 KB, which -# means there is no minimum. -#Default: -# minimum_object_size 0 KB - -# TAG: maximum_object_size (bytes) -# Objects larger than this size will NOT be saved on disk. The -# value is specified in kilobytes, and the default is 4MB. If -# you wish to get a high BYTES hit ratio, you should probably -# increase this (one 32 MB object hit counts for 3200 10KB -# hits). If you wish to increase speed more than your want to -# save bandwidth you should leave this low. -# -# NOTE: if using the LFUDA replacement policy you should increase -# this value to maximize the byte hit rate improvement of LFUDA! -# See replacement_policy below for a discussion of this policy. -#Default: -# maximum_object_size 4096 KB -maximum_object_size 153600 KB +# no limit # TAG: cache_swap_low (percent, 0-100) +# The low-water mark for AUFS/UFS/diskd cache object eviction by +# the cache_replacement_policy algorithm. +# +# Removal begins when the swap (disk) usage of a cache_dir is +# above this low-water mark and attempts to maintain utilization +# near the low-water mark. +# +# As swap utilization increases towards the high-water mark set +# by cache_swap_high object eviction becomes more agressive. +# +# The value difference in percentages between low- and high-water +# marks represent an eviction rate of 300 objects per second and +# the rate continues to scale in agressiveness by multiples of +# this above the high-water mark. +# +# Defaults are 90% and 95%. If you have a large cache, 5% could be +# hundreds of MB. If this is the case you may wish to set these +# numbers closer together. +# +# See also cache_swap_high and cache_replacement_policy #Default: # cache_swap_low 90 # TAG: cache_swap_high (percent, 0-100) +# The high-water mark for AUFS/UFS/diskd cache object eviction by +# the cache_replacement_policy algorithm. # -# The low- and high-water marks for cache object replacement. -# Replacement begins when the swap (disk) usage is above the -# low-water mark and attempts to maintain utilization near the -# low-water mark. As swap utilization gets close to high-water -# mark object eviction becomes more aggressive. If utilization is -# close to the low-water mark less replacement is done each time. +# Removal begins when the swap (disk) usage of a cache_dir is +# above the low-water mark set by cache_swap_low and attempts to +# maintain utilization near the low-water mark. +# +# As swap utilization increases towards this high-water mark object +# eviction becomes more agressive. +# +# The value difference in percentages between low- and high-water +# marks represent an eviction rate of 300 objects per second and +# the rate continues to scale in agressiveness by multiples of +# this above the high-water mark. # # Defaults are 90% and 95%. If you have a large cache, 5% could be # hundreds of MB. If this is the case you may wish to set these # numbers closer together. +# +# See also cache_swap_low and cache_replacement_policy #Default: # cache_swap_high 95 @@ -2313,21 +3587,62 @@ maximum_object_size 153600 KB # ' output as-is # # - left aligned -# width field width. If starting with 0 the -# output is zero padded +# +# width minimum and/or maximum field width: +# [width_min][.width_max] +# When minimum starts with 0, the field is zero-padded. +# String values exceeding maximum width are truncated. +# # {arg} argument such as header name etc # # Format codes: # # % a literal % character +# sn Unique sequence number per log line entry +# err_code The ID of an error response served by Squid or +# a similar internal error identifier. +# err_detail Additional err_code-dependent error information. +# note The annotation specified by the argument. Also +# logs the adaptation meta headers set by the +# adaptation_meta configuration parameter. +# If no argument given all annotations logged. +# The argument may include a separator to use with +# annotation values: +# name[:separator] +# By default, multiple note values are separated with "," +# and multiple notes are separated with "\r\n". +# When logging named notes with %{name}note, the +# explicitly configured separator is used between note +# values. When logging all notes with %note, the +# explicitly configured separator is used between +# individual notes. There is currently no way to +# specify both value and notes separators when logging +# all notes with %note. +# +# Connection related format codes: +# # >a Client source IP address # >A Client FQDN # >p Client source port -# eui Client source EUI (MAC address, EUI-48 or EUI-64 identifier) +# >la Local IP address the client connected to +# >lp Local port number the client connected to +# >qos Client connection TOS/DSCP value set by Squid +# >nfmark Client connection netfilter mark set by Squid +# +# la Local listening IP address the client connection was connected to. +# lp Local listening port number the client connection was connected to. +# +# . format. +# Currently, Squid considers the master transaction +# started when a complete HTTP request header initiating +# the transaction is received from the client. This is +# the same value that Squid uses to calculate transaction +# response time when logging %tr to access.log. Currently, +# Squid uses millisecond resolution for %tS values, +# similar to the default access.log "current time" field +# (%ts.%03tu). +# +# Access Control related format codes: +# +# et Tag returned by external acl +# ea Log string returned by external acl +# un User name (any available) +# ul User name from authentication +# ue User name from external acl helper +# ui User name from ident +# un A user name. Expands to the first available name +# from the following list of information sources: +# - authenticated user name, like %ul +# - user name supplied by an external ACL, like %ue +# - SSL client name, like %us +# - ident user name, like %ui +# credentials Client credentials. The exact meaning depends on +# the authentication scheme: For Basic authentication, +# it is the password; for Digest, the realm sent by the +# client; for NTLM and Negotiate, the client challenge +# or client credentials prefixed with "YR " or "KK ". +# +# HTTP related format codes: +# +# REQUEST # -# HTTP cache related format codes: -# -# [http::]>h Original request header. Optional header name argument -# on the format header[:[separator]element] -# [http::]>ha The HTTP request headers after adaptation and redirection. +# [http::]rm Request method (GET/POST etc) +# [http::]>rm Request method from client +# [http::]ru Request URL from client +# [http::]rs Request URL scheme from client +# [http::]rd Request URL domain from client +# [http::]rP Request URL port from client +# [http::]rp Request URL path excluding hostname from client +# [http::]rv Request protocol version from client +# [http::]h Original received request header. +# Usually differs from the request header sent by +# Squid, although most fields are often preserved. +# Accepts optional header field name/value filter +# argument using name[:[separator]element] format. +# [http::]>ha Received request header after adaptation and +# redirection (pre-cache REQMOD vectoring point). +# Usually differs from the request header sent by +# Squid, although most fields are often preserved. # Optional header name argument as for >h +# +# +# RESPONSE +# +# [http::]Hs HTTP status code sent to the client +# # [http::]h -# [http::]un User name -# [http::]ul User name from authentication -# [http::]ui User name from ident -# [http::]us User name from SSL -# [http::]ue User name from external acl helper -# [http::]>Hs HTTP status code sent to the client -# [http::]st Received request size including HTTP headers. In the -# case of chunked requests the chunked encoding metadata -# are not included -# [http::]>sh Received HTTP request headers size -# [http::]st Total size of request received from client. +# Excluding chunked encoding bytes. +# [http::]sh Size of request headers received from client +# [http::]sni SSL client SNI sent to Squid. Available only +# after the peek, stare, or splice SSL bumping +# actions. +# +# If ICAP is enabled, the following code becomes available (as # well as ICAP log codes documented with the icap_log option): # # icap::tt Total ICAP processing time for the HTTP @@ -2386,14 +3793,13 @@ maximum_object_size 153600 KB # ACLs are checked and when ICAP # transaction is in progress. # -# icap::cert_subject The Subject field of the received client +# SSL certificate or a dash ('-') if Squid has +# received an invalid/malformed certificate or +# no certificate at all. Consider encoding the +# logged value because Subject often has spaces. +# +# %ssl::>cert_issuer The Issuer field of the received client +# SSL certificate or a dash ('-') if Squid has +# received an invalid/malformed certificate or +# no certificate at all. Consider encoding the +# logged value because Issuer often has spaces. +# # The default formats available (which do not need re-defining) are: # -#logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %a %Ss/%03>Hs %h] [%a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh +#logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh +#logformat referrer %ts.%03tu %>a %{Referer}>h %ru +#logformat useragent %>a [%tl] "%{User-Agent}>h" +# +# NOTE: When the log_mime_hdrs directive is set to ON. +# The squid, common and combined formats have a safely encoded copy +# of the mime headers appended to each line within a pair of brackets. +# +# NOTE: The common and combined formats are not quite true to the Apache definition. +# The logs from Squid contain an extra status and hierarchy code appended. +# #Default: -# none +# The format definitions squid, common, combined, referrer, useragent are built in. # TAG: access_log -# These files log client request activities. Has a line every HTTP or -# ICP request. The format is: -# access_log [ [acl acl ...]] -# access_log none [acl acl ...]] +# Configures whether and how Squid logs HTTP and ICP transactions. +# If access logging is enabled, a single line is logged for every +# matching HTTP or ICP request. The recommended directive formats are: # -# Will log to the specified file using the specified format (which -# must be defined in a logformat directive) those entries which match -# ALL the acl's specified (which must be defined in acl clauses). +# access_log : [option ...] [acl acl ...] +# access_log none [acl acl ...] # -# If no acl is specified, all requests will be logged to this file. +# The following directive format is accepted but may be deprecated: +# access_log : [ [acl acl ...]] # -# To disable logging of a request use the filepath "none", in which case -# a logformat name should not be specified. +# In most cases, the first ACL name must not contain the '=' character +# and should not be equal to an existing logformat name. You can always +# start with an 'all' ACL to work around those restrictions. +# +# Will log to the specified module:place using the specified format (which +# must be defined in a logformat directive) those entries which match +# ALL the acl's specified (which must be defined in acl clauses). +# If no acl is specified, all requests will be logged to this destination. +# +# ===== Available options for the recommended directive format ===== +# +# logformat=name Names log line format (either built-in or +# defined by a logformat directive). Defaults +# to 'squid'. +# +# buffer-size=64KB Defines approximate buffering limit for log +# records (see buffered_logs). Squid should not +# keep more than the specified size and, hence, +# should flush records before the buffer becomes +# full to avoid overflows under normal +# conditions (the exact flushing algorithm is +# module-dependent though). The on-error option +# controls overflow handling. +# +# on-error=die|drop Defines action on unrecoverable errors. The +# 'drop' action ignores (i.e., does not log) +# affected log records. The default 'die' action +# kills the affected worker. The drop action +# support has not been tested for modules other +# than tcp. +# +# ===== Modules Currently available ===== +# +# none Do not log any requests matching these ACL. +# Do not specify Place or logformat name. +# +# stdio Write each log line to disk immediately at the completion of +# each request. +# Place: the filename and path to be written. +# +# daemon Very similar to stdio. But instead of writing to disk the log +# line is passed to a daemon helper for asychronous handling instead. +# Place: varies depending on the daemon. +# +# log_file_daemon Place: the file name and path to be written. +# +# syslog To log each request via syslog facility. +# Place: The syslog facility and priority level for these entries. +# Place Format: facility.priority # -# To log the request via syslog specify a filepath of "syslog": +# where facility could be any of: +# authpriv, daemon, local0 ... local7 or user. # -# access_log syslog[:facility.priority] [format [acl1 [acl2 ....]]] -# where facility could be any of: -# authpriv, daemon, local0 .. local7 or user. +# And priority could be any of: +# err, warning, notice, info, debug. +# +# udp To send each log line as text data to a UDP receiver. +# Place: The destination host name or IP and port. +# Place Format: //host:port # -# And priority could be any of: -# err, warning, notice, info, debug. +# tcp To send each log line as text data to a TCP receiver. +# Lines may be accumulated before sending (see buffered_logs). +# Place: The destination host name or IP and port. +# Place Format: //host:port # # Default: -# access_log /var/log/squid/access.log squid +# access_log daemon:/var/log/squid/access.log squid #Default: -# access_log /var/log/squid/access.log squid +# access_log daemon:/var/log/squid/access.log squid # TAG: icap_log # ICAP log files record ICAP transaction summaries, one line per @@ -2472,13 +3953,35 @@ maximum_object_size 153600 KB # ICAP transaction log lines will correspond to a single access # log line. # -# ICAP log uses logformat codes that make sense for an ICAP -# transaction. Header-related codes are applied to the HTTP header -# embedded in an ICAP server response, with the following caveats: -# For REQMOD, there is no HTTP response header unless the ICAP -# server performed request satisfaction. For RESPMOD, the HTTP -# request header is the header sent to the ICAP server. For -# OPTIONS, there are no HTTP headers. +# ICAP log supports many access.log logformat %codes. In ICAP context, +# HTTP message-related %codes are applied to the HTTP message embedded +# in an ICAP message. Logformat "%http::>..." codes are used for HTTP +# messages embedded in ICAP requests while "%http::<..." codes are used +# for HTTP messages embedded in ICAP responses. For example: +# +# http::>h To-be-adapted HTTP message headers sent by Squid to +# the ICAP service. For REQMOD transactions, these are +# HTTP request headers. For RESPMOD, these are HTTP +# response headers, but Squid currently cannot log them +# (i.e., %http::>h will expand to "-" for RESPMOD). +# +# http::st Bytes sent to the ICAP server (TCP payload -# only; i.e., what Squid writes to the socket). +# icap::>st The total size of the ICAP request sent to the ICAP +# server (ICAP headers + ICAP body), including chunking +# metadata (if any). # -# icap::a %icap::to/%03icap::Hs %icap::A %icap::to/%03icap::Hs %icap::\n - logfile data +# R\n - rotate file +# T\n - truncate file +# O\n - reopen file +# F\n - flush file +# r\n - set rotate count to +# b\n - 1 = buffer output, 0 = don't buffer output +# +# No responses is expected. #Default: -# none +# logfile_daemon /usr/lib/squid/log_file_daemon -# TAG: log_icap -# This options allows you to control which requests get logged -# to icap.log. See the icap_log directive for ICAP log details. +# TAG: stats_collection allow|deny acl acl... +# This options allows you to control which requests gets accounted +# in performance counters. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow logging for all transactions. # TAG: cache_store_log # Logs the activities of the storage manager. Shows which # objects are ejected from the cache, and which objects are -# saved and for how long. To disable, enter "none" or remove the line. +# saved and for how long. # There are not really utilities to analyze this data, so you can safely -# disable it. -# +# disable it (the default). +# +# Store log uses modular logging outputs. See access_log for the list +# of modules supported. +# # Example: -# cache_store_log /var/log/squid/store.log +# cache_store_log stdio:/var/log/squid/store.log +# cache_store_log daemon:/var/log/squid/store.log #Default: # none @@ -2590,7 +4111,7 @@ maximum_object_size 153600 KB # them). We recommend you do NOT use this option. It is # better to keep these index files in each 'cache_dir' directory. #Default: -# none +# Store the journal inside its cache_dir # TAG: logfile_rotate # Specifies the number of logfile rotations to make when you @@ -2607,34 +4128,19 @@ maximum_object_size 153600 KB # in the habit of using 'squid -k rotate' instead of 'kill -USR1 # '. # -# Note, from Squid-3.1 this option has no effect on the cache.log, -# that log can be rotated separately by using debug_options +# Note, from Squid-3.1 this option is only a default for cache.log, +# that log can be rotated separately by using debug_options. # -# Note2, for Debian/Linux the default of logfile_rotate is -# zero, since it includes external logfile-rotation methods. +# Note2, for Debian/Linux the default of logfile_rotate is +# zero, since it includes external logfile-rotation methods. #Default: # logfile_rotate 0 -# TAG: emulate_httpd_log on|off -# The Cache can emulate the log file format which many 'httpd' -# programs use. To disable/enable this emulation, set -# emulate_httpd_log to 'off' or 'on'. The default -# is to use the native log format since it includes useful -# information Squid-specific log analyzers use. -#Default: -# emulate_httpd_log off - -# TAG: log_ip_on_direct on|off -# Log the destination IP address in the hierarchy log tag when going -# direct. Earlier Squid versions logged the hostname here. If you -# prefer the old way set this to off. -#Default: -# log_ip_on_direct on - # TAG: mime_table -# Pathname to Squid's MIME table. You shouldn't need to change -# this, but the default file contains examples and formatting -# information if you do. +# Path to Squid's icon configuration file. +# +# You shouldn't need to change this, but the default file contains +# examples and formatting information if you do. #Default: # mime_table /usr/share/squid/mime.conf @@ -2647,91 +4153,61 @@ maximum_object_size 153600 KB #Default: # log_mime_hdrs off -# TAG: useragent_log -# Note: This option is only available if Squid is rebuilt with the -# --enable-useragent-log option -# -# Squid will write the User-Agent field from HTTP requests -# to the filename specified here. By default useragent_log -# is disabled. -#Default: -# none - -# TAG: referer_log -# Note: This option is only available if Squid is rebuilt with the -# --enable-referer-log option -# -# Squid will write the Referer field from HTTP requests to the -# filename specified here. By default referer_log is disabled. -# Note that "referer" is actually a misspelling of "referrer" -# however the misspelt version has been accepted into the HTTP RFCs -# and we accept both. -#Default: -# none - # TAG: pid_filename # A filename to write the process-id to. To disable, enter "none". #Default: # pid_filename /var/run/squid.pid -# TAG: log_fqdn on|off -# Turn this on if you wish to log fully qualified domain names -# in the access.log. To do this Squid does a DNS lookup of all -# IP's connecting to it. This can (in some situations) increase -# latency, which makes your cache seem slower for interactive -# browsing. -#Default: -# log_fqdn off - # TAG: client_netmask # A netmask for client addresses in logfiles and cachemgr output. # Change this to protect the privacy of your cache clients. # A netmask of 255.255.255.0 will log all IP's in that range with # the last digit set to '0'. #Default: -# client_netmask no_addr - -# TAG: forward_log -# Note: This option is only available if Squid is rebuilt with the -# -DWIP_FWD_LOG define -# -# Logs the server-side requests. -# -# This is currently work in progress. -#Default: -# none +# Log full client IP address # TAG: strip_query_terms # By default, Squid strips query terms from requested URLs before -# logging. This protects your user's privacy. +# logging. This protects your user's privacy and reduces log size. +# +# When investigating HIT/MISS or other caching behaviour you +# will need to disable this to see the full URL used by Squid. #Default: # strip_query_terms on # TAG: buffered_logs on|off -# cache.log log file is written with stdio functions, and as such -# it can be buffered or unbuffered. By default it will be unbuffered. -# Buffering it can speed up the writing slightly (though you are -# unlikely to need to worry unless you run with tons of debugging -# enabled in which case performance will suffer badly anyway..). +# Whether to write/send access_log records ASAP or accumulate them and +# then write/send them in larger chunks. Buffering may improve +# performance because it decreases the number of I/Os. However, +# buffering increases the delay before log records become available to +# the final recipient (e.g., a disk file or logging daemon) and, +# hence, increases the risk of log records loss. +# +# Note that even when buffered_logs are off, Squid may have to buffer +# records if it cannot write/send them immediately due to pending I/Os +# (e.g., the I/O writing the previous log record) or connectivity loss. +# +# Currently honored by 'daemon' and 'tcp' access_log modules only. #Default: # buffered_logs off # TAG: netdb_filename -# Note: This option is only available if Squid is rebuilt with the -# --enable-icmp option +# Where Squid stores it's netdb journal. +# When enabled this journal preserves netdb state between restarts. # -# A filename where Squid stores it's netdb state between restarts. # To disable, enter "none". #Default: -# netdb_filename /var/log/squid/netdb.state +# netdb_filename stdio:/var/log/squid/netdb.state # OPTIONS FOR TROUBLESHOOTING # ----------------------------------------------------------------------------- # TAG: cache_log -# Cache logging file. This is where general information about -# your cache's behavior goes. You can increase the amount of data -# logged to this file and how often its rotated with "debug_options" +# Squid administrative logging file. +# +# This is where general information about Squid behavior goes. You can +# increase the amount of data logged to this file and how often it is +# rotated with "debug_options" #Default: # cache_log /var/log/squid/cache.log @@ -2742,14 +4218,14 @@ maximum_object_size 153600 KB # log file, so be careful. # # The magic word "ALL" sets debugging levels for all sections. -# We recommend normally running with "ALL,1". +# The default is to run with "ALL,1" to record important warnings. # # The rotate=N option can be used to keep more or less of these logs # than would otherwise be kept by logfile_rotate. # For most uses a single log should be enough to monitor current # events affecting Squid. #Default: -# debug_options ALL,1 +# Log all critical and important messages. # TAG: coredump_dir # By default Squid leaves core files in the directory from where @@ -2758,7 +4234,7 @@ maximum_object_size 153600 KB # and coredump files will be left there. # #Default: -# coredump_dir none +# Use the directory from where Squid was started. # # Leave coredumps in the first cache dir @@ -2769,24 +4245,17 @@ coredump_dir /var/spool/squid # TAG: ftp_user # If you want the anonymous login password to be more informative -# (and enable the use of picky ftp servers), set this to something +# (and enable the use of picky FTP servers), set this to something # reasonable for your domain, like wwwuser@somewhere.net # # The reason why this is domainless by default is the # request can be made on the behalf of a user in any domain, # depending on how the cache is used. -# Some ftp server also validate the email address is valid +# Some FTP server also validate the email address is valid # (for example perl.com). #Default: # ftp_user Squid@ -# TAG: ftp_list_width -# Sets the width of ftp listings. This should be set to fit in -# the width of a standard browser. Setting this too small -# can cut off long filenames when browsing ftp sites. -#Default: -# ftp_list_width 32 - # TAG: ftp_passive # If your firewall does not allow Squid to use passive # connections, turn off this option. @@ -2822,13 +4291,21 @@ coredump_dir /var/spool/squid # and therefore, translation of the data portion of the segments # will never be needed. # -# Turning this OFF will prevent EPSV being attempted. -# WARNING: Doing so will convert Squid back to the old behavior with all -# the related problems with external NAT devices/layers. +# EPSV is often required to interoperate with FTP servers on IPv6 +# networks. On the other hand, it may break some IPv4 servers. +# +# By default, EPSV may try EPSV with any FTP server. To fine tune +# that decision, you may restrict EPSV to certain clients or servers +# using ACLs: # +# ftp_epsv allow|deny al1 acl2 ... +# +# WARNING: Disabling EPSV may cause problems with external NAT and IPv6. +# +# Only fast ACLs are supported. # Requires ftp_passive to be ON (default) for any effect. #Default: -# ftp_epsv on +# none # TAG: ftp_eprt # FTP Protocol extensions permit the use of a special "EPRT" command. @@ -2889,22 +4366,16 @@ coredump_dir /var/spool/squid # unlinkd_program /usr/lib/squid/unlinkd # TAG: pinger_program -# Note: This option is only available if Squid is rebuilt with the -# --enable-icmp option -# # Specify the location of the executable for the pinger process. #Default: # pinger_program /usr/lib/squid/pinger # TAG: pinger_enable -# Note: This option is only available if Squid is rebuilt with the -# --enable-icmp option -# # Control whether the pinger is active at run-time. # Enables turning ICMP pinger on and off with a simple # squid -k reconfigure. #Default: -# pinger_enable off +# pinger_enable on # OPTIONS FOR URL REWRITING # ----------------------------------------------------------------------------- @@ -2915,68 +4386,137 @@ coredump_dir /var/spool/squid # # For each requested URL, the rewriter will receive on line with the format # -# URL client_ip "/" fqdn user method [ kvpairs] +# [channel-ID ] URL [ extras] +# +# See url_rewrite_extras on how to send "extras" with optional values to +# the helper. +# After processing the request the helper must reply using the following format: +# +# [channel-ID ] result [ kv-pairs] +# +# The result code can be: +# +# OK status=30N url="..." +# Redirect the URL to the one supplied in 'url='. +# 'status=' is optional and contains the status code to send +# the client in Squids HTTP response. It must be one of the +# HTTP redirect status codes: 301, 302, 303, 307, 308. +# When no status is given Squid will use 302. +# +# OK rewrite-url="..." +# Rewrite the URL to the one supplied in 'rewrite-url='. +# The new URL is fetched directly by Squid and returned to +# the client as the response to its request. # -# In the future, the rewriter interface will be extended with -# key=value pairs ("kvpairs" shown above). Rewriter programs -# should be prepared to receive and possibly ignore additional -# whitespace-separated tokens on each input line. +# OK +# When neither of url= and rewrite-url= are sent Squid does +# not change the URL. # -# And the rewriter may return a rewritten URL. The other components of -# the request line does not need to be returned (ignored if they are). +# ERR +# Do not change the URL. # -# The rewriter can also indicate that a client-side redirect should -# be performed to the new URL. This is done by prefixing the returned -# URL with "301:" (moved permanently) or 302: (moved temporarily), etc. +# BH +# An internal error occurred in the helper, preventing +# a result being identified. The 'message=' key name is +# reserved for delivering a log message. +# +# +# In addition to the above kv-pairs Squid also understands the following +# optional kv-pairs received from URL rewriters: +# clt_conn_tag=TAG +# Associates a TAG with the client TCP connection. +# The TAG is treated as a regular annotation but persists across +# future requests on the client connection rather than just the +# current request. A helper may update the TAG during subsequent +# requests be returning a new kv-pair. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# WARNING: URL re-writing ability should be avoided whenever possible. +# Use the URL redirect form of response instead. +# +# Re-write creates a difference in the state held by the client +# and server. Possibly causing confusion when the server response +# contains snippets of its view state. Embeded URLs, response +# and content Location headers, etc. are not re-written by this +# interface. # # By default, a URL rewriter is not used. #Default: # none # TAG: url_rewrite_children -# The number of redirector processes to spawn. If you start -# too few Squid will have to wait for them to process a backlog of -# URLs, slowing it down. If you start too many they will use RAM -# and other system resources. -#Default: -# url_rewrite_children 5 - -# TAG: url_rewrite_concurrency +# The maximum number of redirector processes to spawn. If you limit +# it too few Squid will have to wait for them to process a backlog of +# URLs, slowing it down. If you allow too many they will use RAM +# and other system resources noticably. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup= +# +# Sets a minimum of how many processes are to be spawned when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few will cause an initial slowdown in traffic as Squid +# attempts to simultaneously spawn enough processes to cope. +# +# idle= +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# # The number of requests each redirector helper can handle in # parallel. Defaults to 0 which indicates the redirector # is a old-style single threaded redirector. # # When this directive is set to a value >= 1 then the protocol # used to communicate with the helper is modified to include -# a request ID in front of the request/response. The request -# ID from the request must be echoed back with the response -# to that request. +# an ID in front of the request/response. The ID from the request +# must be echoed back with the response to that request. #Default: -# url_rewrite_concurrency 0 +# url_rewrite_children 20 startup=0 idle=1 concurrency=0 # TAG: url_rewrite_host_header -# By default Squid rewrites any Host: header in redirected -# requests. If you are running an accelerator this may -# not be a wanted effect of a redirector. -# +# To preserve same-origin security policies in browsers and +# prevent Host: header forgery by redirectors Squid rewrites +# any Host: header in redirected requests. +# +# If you are running an accelerator this may not be a wanted +# effect of a redirector. This directive enables you disable +# Host: alteration in reverse-proxy traffic. +# # WARNING: Entries are cached on the result of the URL rewriting # process, so be careful if you have domain-virtual hosts. +# +# WARNING: Squid and other software verifies the URL and Host +# are matching, so be careful not to relay through other proxies +# or inspecting firewalls with this disabled. #Default: # url_rewrite_host_header on # TAG: url_rewrite_access # If defined, this access list specifies which requests are -# sent to the redirector processes. By default all requests -# are sent. +# sent to the redirector processes. # # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: url_rewrite_bypass # When this is 'on', a request will not go through the -# redirector if all redirectors are busy. If this is 'off' +# redirector if all the helpers are busy. If this is 'off' # and the redirector queue grows too large, Squid will exit # with a FATAL error and ask you to increase the number of # redirectors. You should only enable this if the redirectors @@ -2987,23 +4527,231 @@ coredump_dir /var/spool/squid #Default: # url_rewrite_bypass off -# OPTIONS FOR TUNING THE CACHE +# TAG: url_rewrite_extras +# Specifies a string to be append to request line format for the +# rewriter helper. "Quoted" format values may contain spaces and +# logformat %macros. In theory, any logformat %macro can be used. +# In practice, a %macro expands as a dash (-) if the helper request is +# sent before the required macro information is available to Squid. +#Default: +# url_rewrite_extras "%>a/%>A %un %>rm myip=%la myport=%lp" + +# OPTIONS FOR STORE ID # ----------------------------------------------------------------------------- -# TAG: cache -# A list of ACL elements which, if matched and denied, cause the request to -# not be satisfied from the cache and the reply to not be cached. -# In other words, use this to force certain objects to never be cached. +# TAG: store_id_program +# Specify the location of the executable StoreID helper to use. +# Since they can perform almost any function there isn't one included. # -# You must use the words 'allow' or 'deny' to indicate whether items -# matching the ACL should be allowed or denied into the cache. +# For each requested URL, the helper will receive one line with the format # -# Default is to allow all to be cached. +# [channel-ID ] URL [ extras] +# +# +# After processing the request the helper must reply using the following format: +# +# [channel-ID ] result [ kv-pairs] +# +# The result code can be: +# +# OK store-id="..." +# Use the StoreID supplied in 'store-id='. +# +# ERR +# The default is to use HTTP request URL as the store ID. +# +# BH +# An internal error occured in the helper, preventing +# a result being identified. +# +# In addition to the above kv-pairs Squid also understands the following +# optional kv-pairs received from URL rewriters: +# clt_conn_tag=TAG +# Associates a TAG with the client TCP connection. +# Please see url_rewrite_program related documentation for this +# kv-pair +# +# Helper programs should be prepared to receive and possibly ignore +# additional whitespace-separated tokens on each input line. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# NOTE: when using StoreID refresh_pattern will apply to the StoreID +# returned from the helper and not the URL. +# +# WARNING: Wrong StoreID value returned by a careless helper may result +# in the wrong cached response returned to the user. +# +# By default, a StoreID helper is not used. +#Default: +# none + +# TAG: store_id_extras +# Specifies a string to be append to request line format for the +# StoreId helper. "Quoted" format values may contain spaces and +# logformat %macros. In theory, any logformat %macro can be used. +# In practice, a %macro expands as a dash (-) if the helper request is +# sent before the required macro information is available to Squid. +#Default: +# store_id_extras "%>a/%>A %un %>rm myip=%la myport=%lp" + +# TAG: store_id_children +# The maximum number of StoreID helper processes to spawn. If you limit +# it too few Squid will have to wait for them to process a backlog of +# requests, slowing it down. If you allow too many they will use RAM +# and other system resources noticably. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup= +# +# Sets a minimum of how many processes are to be spawned when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few will cause an initial slowdown in traffic as Squid +# attempts to simultaneously spawn enough processes to cope. +# +# idle= +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# +# The number of requests each storeID helper can handle in +# parallel. Defaults to 0 which indicates the helper +# is a old-style single threaded program. +# +# When this directive is set to a value >= 1 then the protocol +# used to communicate with the helper is modified to include +# an ID in front of the request/response. The ID from the request +# must be echoed back with the response to that request. +#Default: +# store_id_children 20 startup=0 idle=1 concurrency=0 + +# TAG: store_id_access +# If defined, this access list specifies which requests are +# sent to the StoreID processes. By default all requests +# are sent. # # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow, unless rules exist in squid.conf. + +# TAG: store_id_bypass +# When this is 'on', a request will not go through the +# helper if all helpers are busy. If this is 'off' +# and the helper queue grows too large, Squid will exit +# with a FATAL error and ask you to increase the number of +# helpers. You should only enable this if the helperss +# are not critical to your caching system. If you use +# helpers for critical caching components, and you enable this +# option, users may not get objects from cache. +#Default: +# store_id_bypass on + +# OPTIONS FOR TUNING THE CACHE +# ----------------------------------------------------------------------------- + +# TAG: cache +# Requests denied by this directive will not be served from the cache +# and their responses will not be stored in the cache. This directive +# has no effect on other transactions and on already cached responses. +# +# This clause supports both fast and slow acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# This and the two other similar caching directives listed below are +# checked at different transaction processing stages, have different +# access to response information, affect different cache operations, +# and differ in slow ACLs support: +# +# * cache: Checked before Squid makes a hit/miss determination. +# No access to reply information! +# Denies both serving a hit and storing a miss. +# Supports both fast and slow ACLs. +# * send_hit: Checked after a hit was detected. +# Has access to reply (hit) information. +# Denies serving a hit only. +# Supports fast ACLs only. +# * store_miss: Checked before storing a cachable miss. +# Has access to reply (miss) information. +# Denies storing a miss only. +# Supports fast ACLs only. +# +# If you are not sure which of the three directives to use, apply the +# following decision logic: +# +# * If your ACL(s) are of slow type _and_ need response info, redesign. +# Squid does not support that particular combination at this time. +# Otherwise: +# * If your directive ACL(s) are of slow type, use "cache"; and/or +# * if your directive ACL(s) need no response info, use "cache". +# Otherwise: +# * If you do not want the response cached, use store_miss; and/or +# * if you do not want a hit on a cached response, use send_hit. +#Default: +# By default, this directive is unused and has no effect. + +# TAG: send_hit +# Responses denied by this directive will not be served from the cache +# (but may still be cached, see store_miss). This directive has no +# effect on the responses it allows and on the cached objects. +# +# Please see the "cache" directive for a summary of differences among +# store_miss, send_hit, and cache directives. +# +# Unlike the "cache" directive, send_hit only supports fast acl +# types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# For example: +# +# # apply custom Store ID mapping to some URLs +# acl MapMe dstdomain .c.example.com +# store_id_program ... +# store_id_access allow MapMe +# +# # but prevent caching of special responses +# # such as 302 redirects that cause StoreID loops +# acl Ordinary http_status 200-299 +# store_miss deny MapMe !Ordinary +# +# # and do not serve any previously stored special responses +# # from the cache (in case they were already cached before +# # the above store_miss rule was in effect). +# send_hit deny MapMe !Ordinary +#Default: +# By default, this directive is unused and has no effect. + +# TAG: store_miss +# Responses denied by this directive will not be cached (but may still +# be served from the cache, see send_hit). This directive has no +# effect on the responses it allows and on the already cached responses. +# +# Please see the "cache" directive for a summary of differences among +# store_miss, send_hit, and cache directives. See the +# send_hit directive for a usage example. +# +# Unlike the "cache" directive, store_miss only supports fast acl +# types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# By default, this directive is unused and has no effect. + +# TAG: max_stale time-units +# This option puts an upper limit on how stale content Squid +# will serve from the cache if cache validation fails. +# Can be overriden by the refresh_pattern max-stale option. +#Default: +# max_stale 1 week # TAG: refresh_pattern # usage: refresh_pattern [-i] regex min percent max [options] @@ -3028,12 +4776,13 @@ coredump_dir /var/spool/squid # override-lastmod # reload-into-ims # ignore-reload -# ignore-no-cache # ignore-no-store # ignore-must-revalidate # ignore-private # ignore-auth +# max-stale=NN # refresh-ims +# store-stale # # override-expire enforces min age even if the server # sent an explicit expiry time (e.g., with the @@ -3049,22 +4798,18 @@ coredump_dir /var/spool/squid # override-lastmod enforces min age even on objects # that were modified recently. # -# reload-into-ims changes client no-cache or ``reload'' -# to If-Modified-Since requests. Doing this VIOLATES the -# HTTP standard. Enabling this feature could make you -# liable for problems which it causes. +# reload-into-ims changes a client no-cache or ``reload'' +# request for a cached entry into a conditional request using +# If-Modified-Since and/or If-None-Match headers, provided the +# cached entry has a Last-Modified and/or a strong ETag header. +# Doing this VIOLATES the HTTP standard. Enabling this feature +# could make you liable for problems which it causes. # # ignore-reload ignores a client no-cache or ``reload'' # header. Doing this VIOLATES the HTTP standard. Enabling # this feature could make you liable for problems which # it causes. # -# ignore-no-cache ignores any ``Pragma: no-cache'' and -# ``Cache-control: no-cache'' headers received from a server. -# The HTTP RFC never allows the use of this (Pragma) header -# from a server, only a client, though plenty of servers -# send it anyway. -# # ignore-no-store ignores any ``Cache-control: no-store'' # headers received from a server. Doing this VIOLATES # the HTTP standard. Enabling this feature could make you @@ -3091,9 +4836,19 @@ coredump_dir /var/spool/squid # ensures that the client will receive an updated version # if one is available. # +# store-stale stores responses even if they don't have explicit +# freshness or a validator (i.e., Last-Modified or an ETag) +# present, or if they're already stale. By default, Squid will +# not cache such responses because they usually can't be +# reused. Note that such responses will be stale by default. +# +# max-stale=NN provide a maximum staleness factor. Squid won't +# serve objects more stale than this even if it failed to +# validate the object. Default: use the max_stale global limit. +# # Basically a cached object is: # -# FRESH if expires < now, else STALE +# FRESH if expire > now, else STALE # STALE if age > max # FRESH if lm-factor < percent, else STALE # FRESH if age < min @@ -3109,7 +4864,9 @@ coredump_dir /var/spool/squid # # +# # Add any of your own refresh_pattern entries above these. +# refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 @@ -3137,7 +4894,7 @@ refresh_pattern . 0 20% 4320 # downloads. # # When the user aborts a request, Squid will check the -# quick_abort values to the amount of data transfered until +# quick_abort values to the amount of data transferred until # then. # # If the transfer has less than 'quick_abort_min' KB remaining, @@ -3195,44 +4952,68 @@ refresh_pattern . 0 20% 4320 #Default: # negative_dns_ttl 1 minutes -# TAG: range_offset_limit (bytes) -# Sets a upper limit on how far into the the file a Range request -# may be to cause Squid to prefetch the whole file. If beyond this -# limit Squid forwards the Range request as it is and the result -# is NOT cached. -# +# TAG: range_offset_limit size [acl acl...] +# usage: (size) [units] [[!]aclname] +# +# Sets an upper limit on how far (number of bytes) into the file +# a Range request may be to cause Squid to prefetch the whole file. +# If beyond this limit, Squid forwards the Range request as it is and +# the result is NOT cached. +# # This is to stop a far ahead range request (lets say start at 17MB) # from making Squid fetch the whole object up to that point before # sending anything to the client. -# -# A value of 0 causes Squid to never fetch more than the +# +# Multiple range_offset_limit lines may be specified, and they will +# be searched from top to bottom on each request until a match is found. +# The first match found will be used. If no line matches a request, the +# default limit of 0 bytes will be used. +# +# 'size' is the limit specified as a number of units. +# +# 'units' specifies whether to use bytes, KB, MB, etc. +# If no units are specified bytes are assumed. +# +# A size of 0 causes Squid to never fetch more than the # client requested. (default) -# -# A value of -1 causes Squid to always fetch the object from the +# +# A size of 'none' causes Squid to always fetch the object from the # beginning so it may cache the result. (2.0 style) -# -# NP: Using -1 here will override any quick_abort settings that may -# otherwise apply to the range request. The range request will +# +# 'aclname' is the name of a defined ACL. +# +# NP: Using 'none' as the byte value here will override any quick_abort settings +# that may otherwise apply to the range request. The range request will # be fully fetched from start to finish regardless of the client # actions. This affects bandwidth usage. #Default: -# range_offset_limit 0 KB +# none # TAG: minimum_expiry_time (seconds) # The minimum caching time according to (Expires - Date) -# Headers Squid honors if the object can't be revalidated -# defaults to 60 seconds. In reverse proxy environments it -# might be desirable to honor shorter object lifetimes. It -# is most likely better to make your server return a -# meaningful Last-Modified header however. In ESI environments -# where page fragments often have short lifetimes, this will -# often be best set to 0. +# headers Squid honors if the object can't be revalidated. +# The default is 60 seconds. +# +# In reverse proxy environments it might be desirable to honor +# shorter object lifetimes. It is most likely better to make +# your server return a meaningful Last-Modified header however. +# +# In ESI environments where page fragments often have short +# lifetimes, this will often be best set to 0. #Default: # minimum_expiry_time 60 seconds -# TAG: store_avg_object_size (kbytes) +# TAG: store_avg_object_size (bytes) # Average object size, used to estimate number of objects your # cache can hold. The default is 13 KB. +# +# This is used to pre-seed the cache index memory allocation to +# reduce expensive reallocate operations while handling clients +# traffic. Too-large values may result in memory allocation during +# peak traffic, too-small values will result in wasted memory. +# +# Check the cache manager 'info' report metrics for the real +# object sizes seen by your Squid before tuning this. #Default: # store_avg_object_size 13 KB @@ -3271,8 +5052,11 @@ refresh_pattern . 0 20% 4320 # than this limit receives an "Invalid Request" error message. # If you set this parameter to a zero (the default), there will # be no limit imposed. +# +# See also client_request_buffer_max_size for an alternative +# limitation on client uploads which can be configured. #Default: -# request_body_max_size 0 KB +# No limit. # TAG: client_request_buffer_max_size (bytes) # This specifies the maximum buffer size of a client request. @@ -3281,29 +5065,6 @@ refresh_pattern . 0 20% 4320 #Default: # client_request_buffer_max_size 512 KB -# TAG: chunked_request_body_max_size (bytes) -# A broken or confused HTTP/1.1 client may send a chunked HTTP -# request to Squid. Squid does not have full support for that -# feature yet. To cope with such requests, Squid buffers the -# entire request and then dechunks request body to create a -# plain HTTP/1.0 request with a known content length. The plain -# request is then used by the rest of Squid code as usual. -# -# The option value specifies the maximum size of the buffer used -# to hold the request before the conversion. If the chunked -# request size exceeds the specified limit, the conversion -# fails, and the client receives an "unsupported request" error, -# as if dechunking was disabled. -# -# Dechunking is enabled by default. To disable conversion of -# chunked requests, set the maximum to zero. -# -# Request dechunking feature and this option in particular are a -# temporary hack. When chunking requests and responses are fully -# supported, there will be no need to buffer a chunked request. -#Default: -# chunked_request_body_max_size 64 KB - # TAG: broken_posts # A list of ACL elements which, if matched, causes Squid to send # an extra CRLF pair after the body of a PUT/POST request. @@ -3325,15 +5086,15 @@ refresh_pattern . 0 20% 4320 # acl buggy_server url_regex ^http://.... # broken_posts allow buggy_server #Default: -# none +# Obey RFC 2616. -# TAG: icap_uses_indirect_client on|off +# TAG: adaptation_uses_indirect_client on|off # Controls whether the indirect client IP address (instead of the direct # client IP address) is passed to adaptation services. # # See also: follow_x_forwarded_for adaptation_send_client_ip #Default: -# icap_uses_indirect_client on +# adaptation_uses_indirect_client on # TAG: via on|off # If set (default), Squid will include a Via header in requests and @@ -3395,64 +5156,62 @@ refresh_pattern . 0 20% 4320 # # This option replaces the old 'anonymize_headers' and the # older 'http_anonymizer' option with something that is much -# more configurable. This new method creates a list of ACLs -# for each header, allowing you very fine-tuned header -# mangling. -# -# This option only applies to request headers, i.e., from the -# client to the server. -# -# You can only specify known headers for the header name. -# Other headers are reclassified as 'Other'. You can also -# refer to all the headers with 'All'. +# more configurable. A list of ACLs for each header name allows +# removal of specific header fields under specific conditions. +# +# This option only applies to outgoing HTTP request headers (i.e., +# headers sent by Squid to the next HTTP hop such as a cache peer +# or an origin server). The option has no effect during cache hit +# detection. The equivalent adaptation vectoring point in ICAP +# terminology is post-cache REQMOD. +# +# The option is applied to individual outgoing request header +# fields. For each request header field F, Squid uses the first +# qualifying sets of request_header_access rules: +# +# 1. Rules with header_name equal to F's name. +# 2. Rules with header_name 'Other', provided F's name is not +# on the hard-coded list of commonly used HTTP header names. +# 3. Rules with header_name 'All'. +# +# Within that qualifying rule set, rule ACLs are checked as usual. +# If ACLs of an "allow" rule match, the header field is allowed to +# go through as is. If ACLs of a "deny" rule match, the header is +# removed and request_header_replace is then checked to identify +# if the removed header has a replacement. If no rules within the +# set have matching ACLs, the header field is left as is. # # For example, to achieve the same behavior as the old # 'http_anonymizer standard' option, you should use: # # request_header_access From deny all # request_header_access Referer deny all -# request_header_access Server deny all # request_header_access User-Agent deny all -# request_header_access WWW-Authenticate deny all -# request_header_access Link deny all # # Or, to reproduce the old 'http_anonymizer paranoid' feature # you should use: # -# request_header_access Allow allow all # request_header_access Authorization allow all -# request_header_access WWW-Authenticate allow all # request_header_access Proxy-Authorization allow all -# request_header_access Proxy-Authenticate allow all # request_header_access Cache-Control allow all -# request_header_access Content-Encoding allow all # request_header_access Content-Length allow all # request_header_access Content-Type allow all # request_header_access Date allow all -# request_header_access Expires allow all # request_header_access Host allow all # request_header_access If-Modified-Since allow all -# request_header_access Last-Modified allow all -# request_header_access Location allow all # request_header_access Pragma allow all # request_header_access Accept allow all # request_header_access Accept-Charset allow all # request_header_access Accept-Encoding allow all # request_header_access Accept-Language allow all -# request_header_access Content-Language allow all -# request_header_access Mime-Version allow all -# request_header_access Retry-After allow all -# request_header_access Title allow all # request_header_access Connection allow all # request_header_access All deny all # -# although many of those are HTTP reply headers, and so should be -# controlled with the reply_header_access directive. +# HTTP reply headers are controlled with the reply_header_access directive. # -# By default, all headers are allowed (no anonymizing is -# performed). +# By default, all headers are allowed (no anonymizing is performed). #Default: -# none +# No limits. # TAG: reply_header_access # Usage: reply_header_access header_name allow|deny [!]aclname ... @@ -3465,25 +5224,13 @@ refresh_pattern . 0 20% 4320 # server to the client. # # This is the same as request_header_access, but in the other -# direction. -# -# This option replaces the old 'anonymize_headers' and the -# older 'http_anonymizer' option with something that is much -# more configurable. This new method creates a list of ACLs -# for each header, allowing you very fine-tuned header -# mangling. -# -# You can only specify known headers for the header name. -# Other headers are reclassified as 'Other'. You can also -# refer to all the headers with 'All'. +# direction. Please see request_header_access for detailed +# documentation. # # For example, to achieve the same behavior as the old # 'http_anonymizer standard' option, you should use: # -# reply_header_access From deny all -# reply_header_access Referer deny all # reply_header_access Server deny all -# reply_header_access User-Agent deny all # reply_header_access WWW-Authenticate deny all # reply_header_access Link deny all # @@ -3491,9 +5238,7 @@ refresh_pattern . 0 20% 4320 # you should use: # # reply_header_access Allow allow all -# reply_header_access Authorization allow all # reply_header_access WWW-Authenticate allow all -# reply_header_access Proxy-Authorization allow all # reply_header_access Proxy-Authenticate allow all # reply_header_access Cache-Control allow all # reply_header_access Content-Encoding allow all @@ -3501,29 +5246,22 @@ refresh_pattern . 0 20% 4320 # reply_header_access Content-Type allow all # reply_header_access Date allow all # reply_header_access Expires allow all -# reply_header_access Host allow all -# reply_header_access If-Modified-Since allow all # reply_header_access Last-Modified allow all # reply_header_access Location allow all # reply_header_access Pragma allow all -# reply_header_access Accept allow all -# reply_header_access Accept-Charset allow all -# reply_header_access Accept-Encoding allow all -# reply_header_access Accept-Language allow all # reply_header_access Content-Language allow all -# reply_header_access Mime-Version allow all # reply_header_access Retry-After allow all # reply_header_access Title allow all +# reply_header_access Content-Disposition allow all # reply_header_access Connection allow all # reply_header_access All deny all # -# although the HTTP request headers won't be usefully controlled -# by this directive -- see request_header_access for details. +# HTTP request headers are controlled with the request_header_access directive. # # By default, all headers are allowed (no anonymizing is # performed). #Default: -# none +# No limits. # TAG: request_header_replace # Usage: request_header_replace header_name message @@ -3531,8 +5269,7 @@ refresh_pattern . 0 20% 4320 # # This option allows you to change the contents of headers # denied with request_header_access above, by replacing them -# with some fixed string. This replaces the old fake_user_agent -# option. +# with some fixed string. # # This only applies to request headers, not reply headers. # @@ -3554,6 +5291,57 @@ refresh_pattern . 0 20% 4320 #Default: # none +# TAG: request_header_add +# Usage: request_header_add field-name field-value acl1 [acl2] ... +# Example: request_header_add X-Client-CA "CA=%ssl::>cert_issuer" all +# +# This option adds header fields to outgoing HTTP requests (i.e., +# request headers sent by Squid to the next HTTP hop such as a +# cache peer or an origin server). The option has no effect during +# cache hit detection. The equivalent adaptation vectoring point +# in ICAP terminology is post-cache REQMOD. +# +# Field-name is a token specifying an HTTP header name. If a +# standard HTTP header name is used, Squid does not check whether +# the new header conflicts with any existing headers or violates +# HTTP rules. If the request to be modified already contains a +# field with the same name, the old field is preserved but the +# header field values are not merged. +# +# Field-value is either a token or a quoted string. If quoted +# string format is used, then the surrounding quotes are removed +# while escape sequences and %macros are processed. +# +# In theory, all of the logformat codes can be used as %macros. +# However, unlike logging (which happens at the very end of +# transaction lifetime), the transaction may not yet have enough +# information to expand a macro when the new header value is needed. +# And some information may already be available to Squid but not yet +# committed where the macro expansion code can access it (report +# such instances!). The macro will be expanded into a single dash +# ('-') in such cases. Not all macros have been tested. +# +# One or more Squid ACLs may be specified to restrict header +# injection to matching requests. As always in squid.conf, all +# ACLs in an option ACL list must be satisfied for the insertion +# to happen. The request_header_add option supports fast ACLs +# only. +#Default: +# none + +# TAG: note +# This option used to log custom information about the master +# transaction. For example, an admin may configure Squid to log +# which "user group" the transaction belongs to, where "user group" +# will be determined based on a set of ACLs and not [just] +# authentication information. +# Values of key/value pairs can be logged using %{key}note macros: +# +# note key value acl ... +# logformat myFormat ... %{key}note ... +#Default: +# none + # TAG: relaxed_header_parser on|off|warn # In the default "on" setting Squid accepts certain forms # of non-compliant HTTP messages where it is unambiguous @@ -3569,15 +5357,32 @@ refresh_pattern . 0 20% 4320 #Default: # relaxed_header_parser on -# TAG: ignore_expect_100 on|off -# This option makes Squid ignore any Expect: 100-continue header present -# in the request. RFC 2616 requires that Squid being unable to satisfy -# the response expectation MUST return a 417 error. -# -# Note: Enabling this is a HTTP protocol violation, but some clients may -# not handle it well.. -#Default: -# ignore_expect_100 off +# TAG: collapsed_forwarding (on|off) +# When enabled, instead of forwarding each concurrent request for +# the same URL, Squid just sends the first of them. The other, so +# called "collapsed" requests, wait for the response to the first +# request and, if it happens to be cachable, use that response. +# Here, "concurrent requests" means "received after the first +# request headers were parsed and before the corresponding response +# headers were parsed". +# +# This feature is disabled by default: enabling collapsed +# forwarding needlessly delays forwarding requests that look +# cachable (when they are collapsed) but then need to be forwarded +# individually anyway because they end up being for uncachable +# content. However, in some cases, such as acceleration of highly +# cachable content with periodic or grouped expiration times, the +# gains from collapsing [large volumes of simultaneous refresh +# requests] outweigh losses from such delays. +# +# Squid collapses two kinds of requests: regular client requests +# received on one of the listening ports and internal "cache +# revalidation" requests which are triggered by those regular +# requests hitting a stale cached object. Revalidation collapsing +# is currently disabled for Squid instances containing SMP-aware +# disk or memory caches and for Vary-controlled cached objects. +#Default: +# collapsed_forwarding off # TIMEOUTS # ----------------------------------------------------------------------------- @@ -3604,25 +5409,46 @@ refresh_pattern . 0 20% 4320 # peer_connect_timeout 30 seconds # TAG: read_timeout time-units -# The read_timeout is applied on server-side connections. After -# each successful read(), the timeout will be extended by this +# Applied on peer server connections. +# +# After each successful read(), the timeout will be extended by this # amount. If no data is read again after this amount of time, -# the request is aborted and logged with ERR_READ_TIMEOUT. The -# default is 15 minutes. +# the request is aborted and logged with ERR_READ_TIMEOUT. +# +# The default is 15 minutes. #Default: # read_timeout 15 minutes +# TAG: write_timeout time-units +# This timeout is tracked for all connections that have data +# available for writing and are waiting for the socket to become +# ready. After each successful write, the timeout is extended by +# the configured amount. If Squid has data to write but the +# connection is not ready for the configured duration, the +# transaction associated with the connection is terminated. The +# default is 15 minutes. +#Default: +# write_timeout 15 minutes + # TAG: request_timeout # How long to wait for complete HTTP request headers after initial # connection establishment. #Default: # request_timeout 5 minutes -# TAG: persistent_request_timeout +# TAG: client_idle_pconn_timeout # How long to wait for the next HTTP request on a persistent -# connection after the previous request completes. +# client connection after the previous request completes. +#Default: +# client_idle_pconn_timeout 2 minutes + +# TAG: ftp_client_idle_timeout +# How long to wait for an FTP request on a connection to Squid ftp_port. +# Many FTP clients do not deal with idle connection closures well, +# necessitating a longer default timeout than client_idle_pconn_timeout +# used for incoming HTTP requests. #Default: -# persistent_request_timeout 2 minutes +# ftp_client_idle_timeout 30 minutes # TAG: client_lifetime time-units # The maximum amount of time a client (browser) is allowed to @@ -3658,11 +5484,11 @@ refresh_pattern . 0 20% 4320 #Default: # half_closed_clients off -# TAG: pconn_timeout +# TAG: server_idle_pconn_timeout # Timeout for idle persistent connections to servers and other # proxies. #Default: -# pconn_timeout 1 minute +# server_idle_pconn_timeout 1 minute # TAG: ident_timeout # Maximum time to wait for IDENT lookups to complete. @@ -3687,15 +5513,15 @@ refresh_pattern . 0 20% 4320 # TAG: cache_mgr # Email-address of local cache manager who will receive -# mail if the cache dies. The default is "webmaster." +# mail if the cache dies. The default is "webmaster". #Default: # cache_mgr webmaster # TAG: mail_from # From: email-address for mail sent when the cache dies. -# The default is to use 'appname@unique_hostname'. -# Default appname value is "squid", can be changed into -# src/globals.h before building squid. +# The default is to use 'squid@unique_hostname'. +# +# See also: unique_hostname directive. #Default: # none @@ -3734,7 +5560,7 @@ refresh_pattern . 0 20% 4320 # Our preference is for administrators to configure a secure # user account for squid with UID/GID matching system policies. #Default: -# none +# Use system group memberships of the cache_effective_user account # TAG: httpd_suppress_version_string on|off # Suppress Squid version string info in HTTP headers and HTML error pages. @@ -3748,14 +5574,14 @@ refresh_pattern . 0 20% 4320 # get errors about IP-forwarding you must set them to have individual # names with this setting. #Default: -# visible_hostname localhost +# Automatically detect the system host name # TAG: unique_hostname # If you want to have multiple machines with the same # 'visible_hostname' you must give each machine a different # 'unique_hostname' so forwarding loops can be detected. #Default: -# none +# Copy the value from visible_hostname # TAG: hostname_aliases # A list of other DNS names your cache has. @@ -3794,33 +5620,32 @@ refresh_pattern . 0 20% 4320 # available on the Web at http://www.ircache.net/Cache/Tracker/. # TAG: announce_period -# This is how frequently to send cache announcements. The -# default is `0' which disables sending the announcement -# messages. +# This is how frequently to send cache announcements. # # To enable announcing your cache, just set an announce period. # # Example: # announce_period 1 day #Default: -# announce_period 0 +# Announcement messages disabled. # TAG: announce_host +# Set the hostname where announce registration messages will be sent. +# +# See also announce_port and announce_file #Default: # announce_host tracker.ircache.net # TAG: announce_file +# The contents of this file will be included in the announce +# registration messages. #Default: # none # TAG: announce_port -# announce_host and announce_port set the hostname and port -# number where the registration message will be sent. +# Set the port where announce registration messages will be sent. # -# Hostname will default to 'tracker.ircache.net' and port will -# default default to 3131. If the 'filename' argument is given, -# the contents of that file will be included in the announce -# message. +# See also announce_host and announce_file #Default: # announce_port 3131 @@ -3833,10 +5658,12 @@ refresh_pattern . 0 20% 4320 # a farm of surrogates may all perform the same tasks, they may share # an identification token. #Default: -# httpd_accel_surrogate_id unset-id +# visible_hostname is used if no specific ID is set. # TAG: http_accel_surrogate_remote on|off -# Remote surrogates (such as those in a CDN) honour Surrogate-Control: no-store-remote. +# Remote surrogates (such as those in a CDN) honour the header +# "Surrogate-Control: no-store-remote". +# # Set this to on to have squid behave as a remote surrogate. #Default: # http_accel_surrogate_remote off @@ -3855,6 +5682,9 @@ refresh_pattern . 0 20% 4320 # This represents the number of delay pools to be used. For example, # if you have one class 2 delay pool and one class 3 delays pool, you # have a total of 2 delay pools. +# +# See also delay_parameters, delay_class, delay_access for pool +# configuration details. #Default: # delay_pools 0 @@ -3907,6 +5737,11 @@ refresh_pattern . 0 20% 4320 # # NOTE-2: Due to the use of bitmasks in class 2,3,4 pools they only apply to # IPv4 traffic. Class 1 and 5 pools may be used with IPv6 traffic. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# See also delay_parameters and delay_access. #Default: # none @@ -3921,14 +5756,16 @@ refresh_pattern . 0 20% 4320 # For example, if you want some_big_clients in delay # pool 1 and lotsa_little_clients in delay pool 2: # -#Example: -# delay_access 1 allow some_big_clients -# delay_access 1 deny all -# delay_access 2 allow lotsa_little_clients -# delay_access 2 deny all -# delay_access 3 allow authenticated_clients +# delay_access 1 allow some_big_clients +# delay_access 1 deny all +# delay_access 2 allow lotsa_little_clients +# delay_access 2 deny all +# delay_access 3 allow authenticated_clients +# +# See also delay_parameters and delay_class. +# #Default: -# none +# Deny using the pool, unless allow rules exist in squid.conf for the pool. # TAG: delay_parameters # This defines the parameters for a delay pool. Each delay pool has @@ -3936,23 +5773,23 @@ refresh_pattern . 0 20% 4320 # description of delay_class. # # For a class 1 delay pool, the syntax is: -# delay_pools pool 1 +# delay_class pool 1 # delay_parameters pool aggregate # # For a class 2 delay pool: -# delay_pools pool 2 +# delay_class pool 2 # delay_parameters pool aggregate individual # # For a class 3 delay pool: -# delay_pools pool 3 +# delay_class pool 3 # delay_parameters pool aggregate network individual # # For a class 4 delay pool: -# delay_pools pool 4 +# delay_class pool 4 # delay_parameters pool aggregate network individual user # # For a class 5 delay pool: -# delay_pools pool 5 +# delay_class pool 5 # delay_parameters pool tagrate # # The option variables are: @@ -3988,11 +5825,11 @@ refresh_pattern . 0 20% 4320 # above example, and is being used to strictly limit each host to 64Kbit/sec # (plus overheads), with no overall limit, the line is: # -# delay_parameters 1 -1/-1 8000/8000 +# delay_parameters 1 none 8000/8000 # -# Note that 8 x 8000 KByte/sec -> 64Kbit/sec. +# Note that 8 x 8K Byte/sec -> 64K bit/sec. # -# Note that the figure -1 is used to represent "unlimited". +# Note that the word 'none' is used to represent no limit. # # # And, if delay pool number 2 is a class 3 delay pool as in the above @@ -4005,15 +5842,19 @@ refresh_pattern . 0 20% 4320 # # delay_parameters 2 32000/32000 8000/8000 600/8000 # -# Note that 8 x 32000 KByte/sec -> 256Kbit/sec. -# 8 x 8000 KByte/sec -> 64Kbit/sec. -# 8 x 600 Byte/sec -> 4800bit/sec. +# Note that 8 x 32K Byte/sec -> 256K bit/sec. +# 8 x 8K Byte/sec -> 64K bit/sec. +# 8 x 600 Byte/sec -> 4800 bit/sec. # # # Finally, for a class 4 delay pool as in the example - each user will # be limited to 128Kbits/sec no matter how many workstations they are logged into.: # # delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000 +# +# +# See also delay_class and delay_access. +# #Default: # none @@ -4026,6 +5867,94 @@ refresh_pattern . 0 20% 4320 #Default: # delay_initial_bucket_level 50 +# CLIENT DELAY POOL PARAMETERS +# ----------------------------------------------------------------------------- + +# TAG: client_delay_pools +# This option specifies the number of client delay pools used. It must +# preceed other client_delay_* options. +# +# Example: +# client_delay_pools 2 +# +# See also client_delay_parameters and client_delay_access. +#Default: +# client_delay_pools 0 + +# TAG: client_delay_initial_bucket_level (percent, 0-no_limit) +# This option determines the initial bucket size as a percentage of +# max_bucket_size from client_delay_parameters. Buckets are created +# at the time of the "first" connection from the matching IP. Idle +# buckets are periodically deleted up. +# +# You can specify more than 100 percent but note that such "oversized" +# buckets are not refilled until their size goes down to max_bucket_size +# from client_delay_parameters. +# +# Example: +# client_delay_initial_bucket_level 50 +#Default: +# client_delay_initial_bucket_level 50 + +# TAG: client_delay_parameters +# +# This option configures client-side bandwidth limits using the +# following format: +# +# client_delay_parameters pool speed_limit max_bucket_size +# +# pool is an integer ID used for client_delay_access matching. +# +# speed_limit is bytes added to the bucket per second. +# +# max_bucket_size is the maximum size of a bucket, enforced after any +# speed_limit additions. +# +# Please see the delay_parameters option for more information and +# examples. +# +# Example: +# client_delay_parameters 1 1024 2048 +# client_delay_parameters 2 51200 16384 +# +# See also client_delay_access. +# +#Default: +# none + +# TAG: client_delay_access +# This option determines the client-side delay pool for the +# request: +# +# client_delay_access pool_ID allow|deny acl_name +# +# All client_delay_access options are checked in their pool ID +# order, starting with pool 1. The first checked pool with allowed +# request is selected for the request. If no ACL matches or there +# are no client_delay_access options, the request bandwidth is not +# limited. +# +# The ACL-selected pool is then used to find the +# client_delay_parameters for the request. Client-side pools are +# not used to aggregate clients. Clients are always aggregated +# based on their source IP addresses (one bucket per source IP). +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# Additionally, only the client TCP connection details are available. +# ACLs testing HTTP properties will not work. +# +# Please see delay_access for more examples. +# +# Example: +# client_delay_access 1 allow low_rate_network +# client_delay_access 2 allow vips_network +# +# +# See also client_delay_parameters and client_delay_pools. +#Default: +# Deny use of the pool, unless allow rules exist in squid.conf for the pool. + # WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS # ----------------------------------------------------------------------------- @@ -4040,7 +5969,7 @@ refresh_pattern . 0 20% 4320 # only one of the two may be used at the same time and defines # which version of WCCP to use. #Default: -# wccp_router any_addr +# WCCP disabled. # TAG: wccp2_router # Use this option to define your WCCP ``home'' router for @@ -4053,7 +5982,7 @@ refresh_pattern . 0 20% 4320 # only one of the two may be used at the same time and defines # which version of WCCP to use. #Default: -# none +# WCCPv2 disabled. # TAG: wccp_version # This directive is only relevant if you need to set up WCCP(v1) @@ -4110,7 +6039,7 @@ refresh_pattern . 0 20% 4320 # Valid values are as follows: # # hash - Hash assignment -# mask - Mask assignment +# mask - Mask assignment # # As a general rule, cisco routers support the hash assignment method # and cisco switches support the mask assignment method. @@ -4138,7 +6067,7 @@ refresh_pattern . 0 20% 4320 # # fleshed out with subsequent options. # wccp2_service standard 0 password=foo #Default: -# wccp2_service standard 0 +# Use the 'web-cache' standard service. # TAG: wccp2_service_info # Dynamic WCCPv2 services require further information to define the @@ -4175,8 +6104,12 @@ refresh_pattern . 0 20% 4320 # wccp2_weight 10000 # TAG: wccp_address +# Use this option if you require WCCPv2 to use a specific +# interface address. +# +# The default behavior is to not bind to any specific address. #Default: -# wccp_address 0.0.0.0 +# Address selected by the operating system. # TAG: wccp2_address # Use this option if you require WCCP to use a specific @@ -4184,7 +6117,7 @@ refresh_pattern . 0 20% 4320 # # The default behavior is to not bind to any specific address. #Default: -# wccp2_address 0.0.0.0 +# Address selected by the operating system. # PERSISTENT CONNECTION HANDLING # ----------------------------------------------------------------------------- @@ -4192,14 +6125,16 @@ refresh_pattern . 0 20% 4320 # Also see "pconn_timeout" in the TIMEOUTS section # TAG: client_persistent_connections +# Persistent connection support for clients. +# Squid uses persistent connections (when allowed). You can use +# this option to disable persistent connections with clients. #Default: # client_persistent_connections on # TAG: server_persistent_connections -# Persistent connection support for clients and servers. By -# default, Squid uses persistent connections (when allowed) -# with its clients and servers. You can use these options to -# disable persistent connections with clients and/or servers. +# Persistent connection support for servers. +# Squid uses persistent connections (when allowed). You can use +# this option to disable persistent connections with servers. #Default: # server_persistent_connections on @@ -4275,7 +6210,7 @@ refresh_pattern . 0 20% 4320 # Example: # snmp_port 3401 #Default: -# snmp_port 0 +# SNMP disabled. # TAG: snmp_access # Allowing or denying access to the SNMP port. @@ -4287,26 +6222,29 @@ refresh_pattern . 0 20% 4320 # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# #Example: # snmp_access allow snmppublic localhost # snmp_access deny all #Default: -# snmp_access deny all +# Deny, unless rules exist in squid.conf. # TAG: snmp_incoming_address -#Default: -# snmp_incoming_address any_addr - -# TAG: snmp_outgoing_address # Just like 'udp_incoming_address', but for the SNMP port. # # snmp_incoming_address is used for the SNMP socket receiving # messages from SNMP agents. -# snmp_outgoing_address is used for SNMP packets returned to SNMP -# agents. # # The default snmp_incoming_address is to listen on all # available network interfaces. +#Default: +# Accept SNMP packets from all machine interfaces. + +# TAG: snmp_outgoing_address +# Just like 'udp_outgoing_address', but for the SNMP port. +# +# snmp_outgoing_address is used for SNMP packets returned to SNMP +# agents. # # If snmp_outgoing_address is not set it will use the same socket # as snmp_incoming_address. Only change this if you want to have @@ -4314,9 +6252,9 @@ refresh_pattern . 0 20% 4320 # listens for SNMP queries. # # NOTE, snmp_incoming_address and snmp_outgoing_address can not have -# the same value since they both use port 3401. +# the same value since they both use the same port. #Default: -# snmp_outgoing_address no_addr +# Use snmp_incoming_address or an address selected by the operating system. # ICP OPTIONS # ----------------------------------------------------------------------------- @@ -4324,22 +6262,21 @@ refresh_pattern . 0 20% 4320 # TAG: icp_port # The port number where Squid sends and receives ICP queries to # and from neighbor caches. The standard UDP port for ICP is 3130. -# Default is disabled (0). # # Example: # icp_port 3130 #Default: -# icp_port 0 +# ICP disabled. # TAG: htcp_port # The port number where Squid sends and receives HTCP queries to # and from neighbor caches. To turn it on you want to set it to -# 4827. By default it is set to "0" (disabled). +# 4827. # # Example: # htcp_port 4827 #Default: -# htcp_port 0 +# HTCP disabled. # TAG: log_icp_queries on|off # If set, ICP queries are logged to access.log. You may wish @@ -4365,7 +6302,7 @@ refresh_pattern . 0 20% 4320 # NOTE, udp_incoming_address and udp_outgoing_address can not # have the same value since they both use the same port. #Default: -# udp_incoming_address any_addr +# Accept packets from all machine interfaces. # TAG: udp_outgoing_address # udp_outgoing_address is used for UDP packets sent out to other @@ -4386,7 +6323,7 @@ refresh_pattern . 0 20% 4320 # NOTE, udp_incoming_address and udp_outgoing_address can not # have the same value since they both use the same port. #Default: -# udp_outgoing_address no_addr +# Use udp_incoming_address or an address selected by the operating system. # TAG: icp_hit_stale on|off # If you want to return ICP_HIT for stale cache objects, set this @@ -4405,21 +6342,33 @@ refresh_pattern . 0 20% 4320 #Default: # minimum_direct_hops 4 -# TAG: minimum_direct_rtt +# TAG: minimum_direct_rtt (msec) # If using the ICMP pinging stuff, do direct fetches for sites # which are no more than this many rtt milliseconds away. #Default: # minimum_direct_rtt 400 # TAG: netdb_low +# The low water mark for the ICMP measurement database. +# +# Note: high watermark controlled by netdb_high directive. +# +# These watermarks are counts, not percents. The defaults are +# (low) 900 and (high) 1000. When the high water mark is +# reached, database entries will be deleted until the low +# mark is reached. #Default: # netdb_low 900 # TAG: netdb_high -# The low and high water marks for the ICMP measurement -# database. These are counts, not percents. The defaults are -# 900 and 1000. When the high water mark is reached, database -# entries will be deleted until the low mark is reached. +# The high water mark for the ICMP measurement database. +# +# Note: low watermark controlled by netdb_low directive. +# +# These watermarks are counts, not percents. The defaults are +# (low) 900 and (high) 1000. When the high water mark is +# reached, database entries will be deleted until the low +# mark is reached. #Default: # netdb_high 1000 @@ -4462,7 +6411,7 @@ refresh_pattern . 0 20% 4320 # # icp_query_timeout 2000 #Default: -# icp_query_timeout 0 +# Dynamic detection. # TAG: maximum_icp_query_timeout (msec) # Normally the ICP query timeout is determined dynamically. But @@ -4528,7 +6477,7 @@ refresh_pattern . 0 20% 4320 # Do not enable this option unless you are are absolutely # certain you understand what you are doing. #Default: -# mcast_miss_addr no_addr +# disabled. # TAG: mcast_miss_ttl # Note: This option is only available if Squid is rebuilt with the @@ -4618,7 +6567,7 @@ refresh_pattern . 0 20% 4320 # The squid developers working on translations are happy to supply drop-in # translated error files in exchange for any new language contributions. #Default: -# none +# Send error pages in the clients preferred language # TAG: error_default_language # Set the default language which squid will send error pages in @@ -4632,7 +6581,7 @@ refresh_pattern . 0 20% 4320 # translations for any language see the squid wiki for details. # http://wiki.squid-cache.org/Translations #Default: -# none +# Generate English language pages. # TAG: error_log_languages # Log to cache.log what languages users are attempting to @@ -4687,17 +6636,47 @@ refresh_pattern . 0 20% 4320 # the first authentication related acl encountered # - When none of the http_access lines matches. It's then the last # acl processed on the last http_access line. +# - When the decision to deny access was made by an adaptation service, +# the acl name is the corresponding eCAP or ICAP service_name. # # NP: If providing your own custom error pages with error_directory # you may also specify them by your custom file name: # Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys # -# Alternatively you can specify an error URL. The browsers will -# get redirected (302 or 307) to the specified URL. %s in the redirection -# URL will be replaced by the requested URL. +# By defaut Squid will send "403 Forbidden". A different 4xx or 5xx +# may be specified by prefixing the file name with the code and a colon. +# e.g. 404:ERR_CUSTOM_ACCESS_DENIED # # Alternatively you can tell Squid to reset the TCP connection # by specifying TCP_RESET. +# +# Or you can specify an error URL or URL pattern. The browsers will +# get redirected to the specified URL after formatting tags have +# been replaced. Redirect will be done with 302 or 307 according to +# HTTP/1.1 specs. A different 3xx code may be specified by prefixing +# the URL. e.g. 303:http://example.com/ +# +# URL FORMAT TAGS: +# %a - username (if available. Password NOT included) +# %B - FTP path URL +# %e - Error number +# %E - Error description +# %h - Squid hostname +# %H - Request domain name +# %i - Client IP Address +# %M - Request Method +# %o - Message result from external ACL helper +# %p - Request Port number +# %P - Request Protocol name +# %R - Request URL path +# %T - Timestamp in RFC 1123 format +# %U - Full canonical URL from client +# (HTTPS URLs terminate with *) +# %u - Full canonical URL from client +# %w - Admin email from squid.conf +# %x - Error name +# %% - Literal percent (%) code +# #Default: # none @@ -4706,18 +6685,18 @@ refresh_pattern . 0 20% 4320 # TAG: nonhierarchical_direct # By default, Squid will send any non-hierarchical requests -# (matching hierarchy_stoplist or not cacheable request type) direct -# to origin servers. +# (not cacheable request type) direct to origin servers. # -# If you set this to off, Squid will prefer to send these +# When this is set to "off", Squid will prefer to send these # requests to parents. # # Note that in most configurations, by turning this off you will only # add latency to these request without any improvement in global hit # ratio. # -# If you are inside an firewall see never_direct instead of -# this directive. +# This option only sets a preference. If the parent is unavailable a +# direct connection to the origin server may still be attempted. To +# completely prevent direct connections use never_direct. #Default: # nonhierarchical_direct on @@ -4736,6 +6715,29 @@ refresh_pattern . 0 20% 4320 #Default: # prefer_direct off +# TAG: cache_miss_revalidate on|off +# RFC 7232 defines a conditional request mechanism to prevent +# response objects being unnecessarily transferred over the network. +# If that mechanism is used by the client and a cache MISS occurs +# it can prevent new cache entries being created. +# +# This option determines whether Squid on cache MISS will pass the +# client revalidation request to the server or tries to fetch new +# content for caching. It can be useful while the cache is mostly +# empty to more quickly have the cache populated by generating +# non-conditional GETs. +# +# When set to 'on' (default), Squid will pass all client If-* headers +# to the server. This permits server responses without a cacheable +# payload to be delivered and on MISS no new cache entry is created. +# +# When set to 'off' and if the request is cacheable, Squid will +# remove the clients If-Modified-Since and If-None-Match headers from +# the request sent to the server. This requests a 200 status response +# from the server to create a new cache entry with. +#Default: +# cache_miss_revalidate on + # TAG: always_direct # Usage: always_direct allow|deny [!]aclname ... # @@ -4776,7 +6778,7 @@ refresh_pattern . 0 20% 4320 # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Prevent any cache_peer being used for this request. # TAG: never_direct # Usage: never_direct allow|deny [!]aclname ... @@ -4805,37 +6807,52 @@ refresh_pattern . 0 20% 4320 # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow DNS results to be used for this request. # ADVANCED NETWORKING OPTIONS # ----------------------------------------------------------------------------- -# TAG: incoming_icp_average +# TAG: incoming_udp_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: -# incoming_icp_average 6 +# incoming_udp_average 6 -# TAG: incoming_http_average +# TAG: incoming_tcp_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: -# incoming_http_average 4 +# incoming_tcp_average 4 # TAG: incoming_dns_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: # incoming_dns_average 4 -# TAG: min_icp_poll_cnt +# TAG: min_udp_poll_cnt +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: -# min_icp_poll_cnt 8 +# min_udp_poll_cnt 8 # TAG: min_dns_poll_cnt +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: # min_dns_poll_cnt 8 -# TAG: min_http_poll_cnt +# TAG: min_tcp_poll_cnt # Heavy voodoo here. I can't even believe you are reading this. # Are you crazy? Don't even think about adjusting these unless # you understand the algorithms in comm_select.c first! #Default: -# min_http_poll_cnt 8 +# min_tcp_poll_cnt 8 # TAG: accept_filter # FreeBSD: @@ -4880,14 +6897,14 @@ refresh_pattern . 0 20% 4320 # WARNING: This may noticably slow down traffic received via external proxies # or NAT devices and cause them to rebound error messages back to their clients. #Default: -# client_ip_max_connections -1 +# No limit. # TAG: tcp_recv_bufsize (bytes) # Size of receive buffer to set for TCP sockets. Probably just -# as easy to change your kernel's default. Set to zero to use -# the default buffer size. +# as easy to change your kernel's default. +# Omit from squid.conf to use the default buffer size. #Default: -# tcp_recv_bufsize 0 bytes +# Use operating system TCP defaults. # ICAP OPTIONS # ----------------------------------------------------------------------------- @@ -4913,22 +6930,36 @@ refresh_pattern . 0 20% 4320 # an established, active ICAP connection before giving up and # either terminating the HTTP transaction or bypassing the # failure. -# -# The default is read_timeout. #Default: -# none +# Use read_timeout. -# TAG: icap_service_failure_limit +# TAG: icap_service_failure_limit limit [in memory-depth time-units] # The limit specifies the number of failures that Squid tolerates # when establishing a new TCP connection with an ICAP service. If # the number of failures exceeds the limit, the ICAP service is # not used for new ICAP requests until it is time to refresh its -# OPTIONS. The per-service failure counter is reset to zero each -# time Squid fetches new service OPTIONS. +# OPTIONS. # # A negative value disables the limit. Without the limit, an ICAP # service will not be considered down due to connectivity failures # between ICAP OPTIONS requests. +# +# Squid forgets ICAP service failures older than the specified +# value of memory-depth. The memory fading algorithm +# is approximate because Squid does not remember individual +# errors but groups them instead, splitting the option +# value into ten time slots of equal length. +# +# When memory-depth is 0 and by default this option has no +# effect on service failure expiration. +# +# Squid always forgets failures when updating service settings +# using an ICAP OPTIONS transaction, regardless of this option +# setting. +# +# For example, +# # suspend service usage after 10 failures in 5 seconds: +# icap_service_failure_limit 10 in 5 seconds #Default: # icap_service_failure_limit 10 @@ -4962,10 +6993,26 @@ refresh_pattern . 0 20% 4320 # TAG: icap_preview_size # The default size of preview data to be sent to the ICAP server. -# -1 means no preview. This value might be overwritten on a per server -# basis by OPTIONS requests. +# This value might be overwritten on a per server basis by OPTIONS requests. +#Default: +# No preview sent. + +# TAG: icap_206_enable on|off +# 206 (Partial Content) responses is an ICAP extension that allows the +# ICAP agents to optionally combine adapted and original HTTP message +# content. The decision to combine is postponed until the end of the +# ICAP response. Squid supports Partial Content extension by default. +# +# Activation of the Partial Content extension is negotiated with each +# ICAP service during OPTIONS exchange. Most ICAP servers should handle +# negotation correctly even if they do not support the extension, but +# some might fail. To disable Partial Content support for all ICAP +# services and to avoid any negotiation, set this option to "off". +# +# Example: +# icap_206_enable off #Default: -# icap_preview_size -1 +# icap_206_enable on # TAG: icap_default_options_ttl # The default TTL value for ICAP OPTIONS responses that don't have @@ -4979,25 +7026,27 @@ refresh_pattern . 0 20% 4320 #Default: # icap_persistent_connections on -# TAG: icap_send_client_ip on|off +# TAG: adaptation_send_client_ip on|off # If enabled, Squid shares HTTP client IP information with adaptation # services. For ICAP, Squid adds the X-Client-IP header to ICAP requests. # For eCAP, Squid sets the libecap::metaClientIp transaction option. # # See also: adaptation_uses_indirect_client #Default: -# icap_send_client_ip off +# adaptation_send_client_ip off -# TAG: icap_send_client_username on|off +# TAG: adaptation_send_username on|off # This sends authenticated HTTP client username (if available) to -# the ICAP service. The username value is encoded based on the +# the adaptation service. +# +# For ICAP, the username value is encoded based on the # icap_client_username_encode option and is sent using the header # specified by the icap_client_username_header option. #Default: -# icap_send_client_username off +# adaptation_send_username off # TAG: icap_client_username_header -# ICAP request header name to use for send_client_username. +# ICAP request header name to use for adaptation_send_username. #Default: # icap_client_username_header X-Client-Username @@ -5009,17 +7058,19 @@ refresh_pattern . 0 20% 4320 # TAG: icap_service # Defines a single ICAP service using the following format: # -# icap_service service_name vectoring_point [options] service_url +# icap_service id vectoring_point uri [option ...] # -# service_name: ID -# an opaque identifier which must be unique in squid.conf +# id: ID +# an opaque identifier or name which is used to direct traffic to +# this specific service. Must be unique among all adaptation +# services in squid.conf. # # vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache # This specifies at which point of transaction processing the # ICAP service should be activated. *_postcache vectoring points # are not yet supported. # -# service_url: icap://servername:port/servicepath +# uri: icap://servername:port/servicepath # ICAP server and service location. # # ICAP does not allow a single service to handle both REQMOD and RESPMOD @@ -5028,6 +7079,8 @@ refresh_pattern . 0 20% 4320 # can even specify multiple identical services as long as their # service_names differ. # +# To activate a service, use the adaptation_access directive. To group +# services, use adaptation_service_chain and adaptation_service_set. # # Service options are separated by white space. ICAP services support # the following name=value options: @@ -5049,11 +7102,12 @@ refresh_pattern . 0 20% 4320 # returning a chain of services to be used next. The services # are specified using the X-Next-Services ICAP response header # value, formatted as a comma-separated list of service names. -# Each named service should be configured in squid.conf and -# should have the same method and vectoring point as the current -# ICAP transaction. Services violating these rules are ignored. -# An empty X-Next-Services value results in an empty plan which -# ends the current adaptation. +# Each named service should be configured in squid.conf. Other +# services are ignored. An empty X-Next-Services value results +# in an empty plan which ends the current adaptation. +# +# Dynamic adaptation plan may cross or cover multiple supported +# vectoring points in their natural processing order. # # Routing is not allowed by default: the ICAP X-Next-Services # response header is ignored. @@ -5063,12 +7117,32 @@ refresh_pattern . 0 20% 4320 # is to use IPv4-only connections. When set to 'on' this option will # make Squid use IPv6-only connections to contact this ICAP service. # +# on-overload=block|bypass|wait|force +# If the service Max-Connections limit has been reached, do +# one of the following for each new ICAP transaction: +# * block: send an HTTP error response to the client +# * bypass: ignore the "over-connected" ICAP service +# * wait: wait (in a FIFO queue) for an ICAP connection slot +# * force: proceed, ignoring the Max-Connections limit +# +# In SMP mode with N workers, each worker assumes the service +# connection limit is Max-Connections/N, even though not all +# workers may use a given service. +# +# The default value is "bypass" if service is bypassable, +# otherwise it is set to "wait". +# +# +# max-conn=number +# Use the given number as the Max-Connections limit, regardless +# of the Max-Connections value given by the service, if any. +# # Older icap_service format without optional named parameters is # deprecated but supported for backward compatibility. # #Example: -#icap_service svcBlocker reqmod_precache bypass=0 icap://icap1.mydomain.net:1344/reqmod -#icap_service svcLogger reqmod_precache routing=on icap://icap2.mydomain.net:1344/respmod +#icap_service svcBlocker reqmod_precache icap://icap1.mydomain.net:1344/reqmod bypass=0 +#icap_service svcLogger reqmod_precache icap://icap2.mydomain.net:1344/respmod routing=on #Default: # none @@ -5094,38 +7168,65 @@ refresh_pattern . 0 20% 4320 # ----------------------------------------------------------------------------- # TAG: ecap_enable on|off -# Note: This option is only available if Squid is rebuilt with the -# --enable-ecap option -# # Controls whether eCAP support is enabled. #Default: # ecap_enable off # TAG: ecap_service -# Note: This option is only available if Squid is rebuilt with the -# --enable-ecap option -# # Defines a single eCAP service # -# ecap_service servicename vectoring_point bypass service_url +# ecap_service id vectoring_point uri [option ...] # -# vectoring_point = reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache +# id: ID +# an opaque identifier or name which is used to direct traffic to +# this specific service. Must be unique among all adaptation +# services in squid.conf. +# +# vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache # This specifies at which point of transaction processing the # eCAP service should be activated. *_postcache vectoring points # are not yet supported. -# bypass = 1|0 -# If set to 1, the eCAP service is treated as optional. If the -# service cannot be reached or malfunctions, Squid will try to -# ignore any errors and process the message as if the service +# +# uri: ecap://vendor/service_name?custom&cgi=style¶meters=optional +# Squid uses the eCAP service URI to match this configuration +# line with one of the dynamically loaded services. Each loaded +# eCAP service must have a unique URI. Obtain the right URI from +# the service provider. +# +# To activate a service, use the adaptation_access directive. To group +# services, use adaptation_service_chain and adaptation_service_set. +# +# Service options are separated by white space. eCAP services support +# the following name=value options: +# +# bypass=on|off|1|0 +# If set to 'on' or '1', the eCAP service is treated as optional. +# If the service cannot be reached or malfunctions, Squid will try +# to ignore any errors and process the message as if the service # was not enabled. No all eCAP errors can be bypassed. -# If set to 0, the eCAP service is treated as essential and all -# eCAP errors will result in an error page returned to the +# If set to 'off' or '0', the eCAP service is treated as essential +# and all eCAP errors will result in an error page returned to the # HTTP client. -# service_url = ecap://vendor/service_name?custom&cgi=style¶meters=optional +# +# Bypass is off by default: services are treated as essential. +# +# routing=on|off|1|0 +# If set to 'on' or '1', the eCAP service is allowed to +# dynamically change the current message adaptation plan by +# returning a chain of services to be used next. +# +# Dynamic adaptation plan may cross or cover multiple supported +# vectoring points in their natural processing order. +# +# Routing is not allowed by default. +# +# Older ecap_service format without optional named parameters is +# deprecated but supported for backward compatibility. +# # #Example: -#ecap_service service_1 reqmod_precache 0 ecap://filters-R-us/leakDetector?on_error=block -#ecap_service service_2 respmod_precache 1 icap://filters-R-us/virusFilter?config=/etc/vf.cfg +#ecap_service s1 reqmod_precache ecap://filters.R.us/leakDetector?on_error=block bypass=off +#ecap_service s2 respmod_precache ecap://filters.R.us/virusFilter config=/etc/vf.cfg bypass=on #Default: # none @@ -5247,7 +7348,7 @@ refresh_pattern . 0 20% 4320 #Example: #adaptation_access service_1 allow all #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: adaptation_service_iteration_limit # Limits the number of iterations allowed when applying adaptation @@ -5275,8 +7376,14 @@ refresh_pattern . 0 20% 4320 # # An ICAP REQMOD or RESPMOD transaction may set an entry in the # shared table by returning an ICAP header field with a name -# specified in adaptation_masterx_shared_names. Squid will store -# and forward that ICAP header field to subsequent ICAP +# specified in adaptation_masterx_shared_names. +# +# An eCAP REQMOD or RESPMOD transaction may set an entry in the +# shared table by implementing the libecap::visitEachOption() API +# to provide an option with a name specified in +# adaptation_masterx_shared_names. +# +# Squid will store and forward the set entry to subsequent adaptation # transactions within the same master transaction scope. # # Only one shared entry name is supported at this time. @@ -5287,6 +7394,43 @@ refresh_pattern . 0 20% 4320 #Default: # none +# TAG: adaptation_meta +# This option allows Squid administrator to add custom ICAP request +# headers or eCAP options to Squid ICAP requests or eCAP transactions. +# Use it to pass custom authentication tokens and other +# transaction-state related meta information to an ICAP/eCAP service. +# +# The addition of a meta header is ACL-driven: +# adaptation_meta name value [!]aclname ... +# +# Processing for a given header name stops after the first ACL list match. +# Thus, it is impossible to add two headers with the same name. If no ACL +# lists match for a given header name, no such header is added. For +# example: +# +# # do not debug transactions except for those that need debugging +# adaptation_meta X-Debug 1 needs_debugging +# +# # log all transactions except for those that must remain secret +# adaptation_meta X-Log 1 !keep_secret +# +# # mark transactions from users in the "G 1" group +# adaptation_meta X-Authenticated-Groups "G 1" authed_as_G1 +# +# The "value" parameter may be a regular squid.conf token or a "double +# quoted string". Within the quoted string, use backslash (\) to escape +# any character, which is currently only useful for escaping backslashes +# and double quotes. For example, +# "this string has one backslash (\\) and two \"quotes\"" +# +# Used adaptation_meta header values may be logged via %note +# logformat code. If multiple adaptation_meta headers with the same name +# are used during master transaction lifetime, the header values are +# logged in the order they were used and duplicate values are ignored +# (only the first repeated value will be logged). +#Default: +# none + # TAG: icap_retry # This ACL determines which retriable ICAP transactions are # retried. Transactions that received a complete ICAP response @@ -5303,8 +7447,7 @@ refresh_pattern . 0 20% 4320 # icap_retry deny all # TAG: icap_retry_limit -# Limits the number of retries allowed. When set to zero (default), -# no retries are allowed. +# Limits the number of retries allowed. # # Communication errors due to persistent connection race # conditions are unavoidable, automatically retried, and do not @@ -5312,7 +7455,7 @@ refresh_pattern . 0 20% 4320 # # See also: icap_retry #Default: -# icap_retry_limit 0 +# No retries are allowed. # DNS OPTIONS # ----------------------------------------------------------------------------- @@ -5332,31 +7475,9 @@ refresh_pattern . 0 20% 4320 #Default: # allow_underscore on -# TAG: cache_dns_program -# Note: This option is only available if Squid is rebuilt with the -# --disable-internal-dns option -# -# Specify the location of the executable for dnslookup process. -#Default: -# cache_dns_program /usr/lib/squid/dnsserver - -# TAG: dns_children -# Note: This option is only available if Squid is rebuilt with the -# --disable-internal-dns option -# -# The number of processes spawn to service DNS name lookups. -# For heavily loaded caches on large servers, you should -# probably increase this value to at least 10. The maximum -# is 32. The default is 5. -# -# You must have at least one dnsserver process. -#Default: -# dns_children 5 - # TAG: dns_retransmit_interval # Initial retransmit interval for DNS queries. The interval is # doubled each time all configured DNS servers have been tried. -# #Default: # dns_retransmit_interval 5 seconds @@ -5365,7 +7486,31 @@ refresh_pattern . 0 20% 4320 # within this time all DNS servers for the queried domain # are assumed to be unavailable. #Default: -# dns_timeout 2 minutes +# dns_timeout 30 seconds + +# TAG: dns_packet_max +# Maximum number of bytes packet size to advertise via EDNS. +# Set to "none" to disable EDNS large packet support. +# +# For legacy reasons DNS UDP replies will default to 512 bytes which +# is too small for many responses. EDNS provides a means for Squid to +# negotiate receiving larger responses back immediately without having +# to failover with repeat requests. Responses larger than this limit +# will retain the old behaviour of failover to TCP DNS. +# +# Squid has no real fixed limit internally, but allowing packet sizes +# over 1500 bytes requires network jumbogram support and is usually not +# necessary. +# +# WARNING: The RFC also indicates that some older resolvers will reply +# with failure of the whole request if the extension is added. Some +# resolvers have already been identified which will reply with mangled +# EDNS response on occasion. Usually in response to many-KB jumbogram +# sizes being advertised by Squid. +# Squid will currently treat these both as an unable-to-resolve domain +# even if it would be resolvable without EDNS. +#Default: +# EDNS disabled # TAG: dns_defnames on|off # Normally the RES_DEFNAMES resolver option is disabled @@ -5373,12 +7518,21 @@ refresh_pattern . 0 20% 4320 # from interpreting single-component hostnames locally. To allow # Squid to handle single-component names, enable this option. #Default: -# dns_defnames off +# Search for single-label domain names is disabled. + +# TAG: dns_multicast_local on|off +# When set to on, Squid sends multicast DNS lookups on the local +# network for domains ending in .local and .arpa. +# This enables local servers and devices to be contacted in an +# ad-hoc or zero-configuration network environment. +#Default: +# Search for .local and .arpa names is disabled. # TAG: dns_nameservers # Use this if you want to specify a list of DNS name servers # (IP addresses) to use instead of those given in your # /etc/resolv.conf file. +# # On Windows platforms, if no value is specified here or in # the /etc/resolv.conf file, the list of DNS name servers are # taken from the Windows registry, both static and dynamic DHCP @@ -5386,7 +7540,7 @@ refresh_pattern . 0 20% 4320 # # Example: dns_nameservers 10.0.0.1 192.172.0.4 #Default: -# none +# Use operating system definitions # TAG: hosts_file # Location of the host-local IP name-address associations @@ -5425,7 +7579,7 @@ refresh_pattern . 0 20% 4320 #Example: # append_domain .yourdomain.com #Default: -# none +# Use operating system definitions # TAG: ignore_unknown_nameservers # By default Squid checks that DNS responses are received @@ -5436,23 +7590,6 @@ refresh_pattern . 0 20% 4320 #Default: # ignore_unknown_nameservers on -# TAG: dns_v4_fallback -# Standard practice with DNS is to lookup either A or AAAA records -# and use the results if it succeeds. Only looking up the other if -# the first attempt fails or otherwise produces no results. -# -# That policy however will cause squid to produce error pages for some -# servers that advertise AAAA but are unreachable over IPv6. -# -# If this is ON squid will always lookup both AAAA and A, using both. -# If this is OFF squid will lookup AAAA and only try A if none found. -# -# WARNING: There are some possibly unwanted side-effects with this on: -# *) Doubles the load placed by squid on the DNS network. -# *) May negatively impact connection delay times. -#Default: -# dns_v4_fallback on - # TAG: dns_v4_first # With the IPv6 Internet being as fast or faster than IPv4 Internet # for most networks Squid prefers to contact websites over IPv6. @@ -5464,11 +7601,12 @@ refresh_pattern . 0 20% 4320 # WARNING: # This option will restrict the situations under which IPv6 # connectivity is used (and tested), potentially hiding network -# problem swhich would otherwise be detected and warned about. +# problems which would otherwise be detected and warned about. #Default: # dns_v4_first off # TAG: ipcache_size (number of entries) +# Maximum number of DNS IP cache entries. #Default: # ipcache_size 1024 @@ -5489,6 +7627,15 @@ refresh_pattern . 0 20% 4320 # MISCELLANEOUS # ----------------------------------------------------------------------------- +# TAG: configuration_includes_quoted_values on|off +# If set, Squid will recognize each "quoted string" after a configuration +# directive as a single parameter. The quotes are stripped before the +# parameter value is interpreted or used. +# See "Values with spaces, quotes, and other special characters" +# section for more details. +#Default: +# configuration_includes_quoted_values off + # TAG: memory_pools on|off # If set, Squid will keep pools of allocated (but unused) memory # available for future use. If memory is a premium on your @@ -5539,7 +7686,7 @@ refresh_pattern . 0 20% 4320 # X-Forwarded-For header. # # If set to "truncate", Squid will remove all existing -# X-Forwarded-For entries, and place itself as the sole entry. +# X-Forwarded-For entries, and place the client IP as the sole entry. #Default: # forwarded_for on @@ -5602,7 +7749,7 @@ refresh_pattern . 0 20% 4320 # cachemgr_passwd lesssssssecret info stats/objects # cachemgr_passwd disable all #Default: -# none +# No password. Actions which require password are denied. # TAG: client_db on|off # If you want to disable collecting per-client statistics, @@ -5633,19 +7780,22 @@ refresh_pattern . 0 20% 4320 #Default: # reload_into_ims off -# TAG: maximum_single_addr_tries -# This sets the maximum number of connection attempts for a -# host that only has one address (for multiple-address hosts, -# each address is tried once). +# TAG: connect_retries +# This sets the maximum number of connection attempts made for each +# TCP connection. The connect_retries attempts must all still +# complete within the connection timeout period. +# +# The default is not to re-try if the first connection attempt fails. +# The (not recommended) maximum is 10 tries. # -# The default value is one attempt, the (not recommended) -# maximum is 255 tries. A warning message will be generated -# if it is set to a value greater than ten. +# A warning message will be generated if it is set to a too-high +# value and the configured value will be over-ridden. # -# Note: This is in addition to the request re-forwarding which -# takes place if Squid fails to get a satisfying response. +# Note: These re-tries are in addition to forward_max_tries +# which limit how many different addresses may be tried to find +# a useful server. #Default: -# maximum_single_addr_tries 1 +# Do not retry failed connections. # TAG: retry_on_error # If set to ON Squid will automatically retry requests when @@ -5678,20 +7828,32 @@ refresh_pattern . 0 20% 4320 # URI. Options: # # strip: The whitespace characters are stripped out of the URL. -# This is the behavior recommended by RFC2396. +# This is the behavior recommended by RFC2396 and RFC3986 +# for tolerant handling of generic URI. +# NOTE: This is one difference between generic URI and HTTP URLs. +# # deny: The request is denied. The user receives an "Invalid # Request" message. +# This is the behaviour recommended by RFC2616 for safe +# handling of HTTP request URL. +# # allow: The request is allowed and the URI is not changed. The # whitespace characters remain in the URI. Note the # whitespace is passed to redirector processes if they # are in use. +# Note this may be considered a violation of RFC2616 +# request parsing where whitespace is prohibited in the +# URL field. +# # encode: The request is allowed and the whitespace characters are -# encoded according to RFC1738. This could be considered -# a violation of the HTTP/1.1 -# RFC because proxies are not allowed to rewrite URI's. +# encoded according to RFC1738. +# # chop: The request is allowed and the URI is chopped at the -# first whitespace. This might also be considered a -# violation. +# first whitespace. +# +# +# NOTE the current Squid implementation of encode and chop violates +# RFC2616 by not using a 301 redirect after altering the URL. #Default: # uri_whitespace strip @@ -5718,23 +7880,28 @@ refresh_pattern . 0 20% 4320 # balance_on_multiple_ip off # TAG: pipeline_prefetch -# To boost the performance of pipelined requests to closer -# match that of a non-proxied environment Squid can try to fetch -# up to two requests in parallel from a pipeline. -# -# Defaults to off for bandwidth management and access logging +# HTTP clients may send a pipeline of 1+N requests to Squid using a +# single connection, without waiting for Squid to respond to the first +# of those requests. This option limits the number of concurrent +# requests Squid will try to handle in parallel. If set to N, Squid +# will try to receive and process up to 1+N requests on the same +# connection concurrently. +# +# Defaults to 0 (off) for bandwidth management and access logging # reasons. # +# NOTE: pipelining requires persistent connections to clients. +# # WARNING: pipelining breaks NTLM and Negotiate/Kerberos authentication. #Default: -# pipeline_prefetch off +# Do not pre-parse pipelined requests. # TAG: high_response_time_warning (msec) # If the one-minute median response time exceeds this value, # Squid prints a WARNING with debug level 0 to get the # administrators attention. The value is in milliseconds. #Default: -# high_response_time_warning 0 +# disabled. # TAG: high_page_fault_warning # If the one-minute average page fault rate exceeds this @@ -5742,14 +7909,17 @@ refresh_pattern . 0 20% 4320 # the administrators attention. The value is in page faults # per second. #Default: -# high_page_fault_warning 0 +# disabled. # TAG: high_memory_warning -# If the memory usage (as determined by mallinfo) exceeds -# this amount, Squid prints a WARNING with debug level 0 to get +# Note: This option is only available if Squid is rebuilt with the +# GNU Malloc with mstats() +# +# If the memory usage (as determined by gnumalloc, if available and used) +# exceeds this amount, Squid prints a WARNING with debug level 0 to get # the administrators attention. #Default: -# high_memory_warning 0 KB +# disabled. # TAG: sleep_after_fork (microseconds) # When this is set to a non-zero value, the main Squid process @@ -5766,6 +7936,9 @@ refresh_pattern . 0 20% 4320 # sleep_after_fork 0 # TAG: windows_ipaddrchangemonitor on|off +# Note: This option is only available if Squid is rebuilt with the +# MS Windows +# # On Windows Squid by default will monitor IP address changes and will # reconfigure itself after any detected event. This is very useful for # proxies connected to internet with dial-up interfaces. @@ -5775,13 +7948,19 @@ refresh_pattern . 0 20% 4320 #Default: # windows_ipaddrchangemonitor on +# TAG: eui_lookup +# Whether to lookup the EUI or MAC address of a connected client. +#Default: +# eui_lookup on + # TAG: max_filedescriptors -# The maximum number of filedescriptors supported. +# Reduce the maximum number of filedescriptors supported below +# the usual operating system defaults. # -# The default "0" means Squid inherits the current ulimit setting. +# Remove from squid.conf to inherit the current ulimit setting. # # Note: Changing this requires a restart of Squid. Also -# not all comm loops supports large values. +# not all I/O types supports large values (eg on Windows). #Default: -# max_filedescriptors 0 +# Use operating system limits set by ulimit. diff --git a/hosts/codethink-sled15-arm64/etc/squid/squid.conf b/hosts/codethink-sled15-arm64/etc/squid/squid.conf index 34be0ec5..ad1cdc47 100644 --- a/hosts/codethink-sled15-arm64/etc/squid/squid.conf +++ b/hosts/codethink-sled15-arm64/etc/squid/squid.conf @@ -1,4 +1,4 @@ -# WELCOME TO SQUID 3.1.20 +# WELCOME TO SQUID 3.5.23 # ---------------------------- # # This is the documentation for the Squid configuration file. @@ -32,6 +32,188 @@ # This arbitrary restriction is to prevent recursive include references # from causing Squid entering an infinite loop whilst trying to load # configuration files. +# +# Values with byte units +# +# Squid accepts size units on some size related directives. All +# such directives are documented with a default value displaying +# a unit. +# +# Units accepted by Squid are: +# bytes - byte +# KB - Kilobyte (1024 bytes) +# MB - Megabyte +# GB - Gigabyte +# +# Values with spaces, quotes, and other special characters +# +# Squid supports directive parameters with spaces, quotes, and other +# special characters. Surround such parameters with "double quotes". Use +# the configuration_includes_quoted_values directive to enable or +# disable that support. +# +# Squid supports reading configuration option parameters from external +# files using the syntax: +# parameters("/path/filename") +# For example: +# acl whitelist dstdomain parameters("/etc/squid/whitelist.txt") +# +# Conditional configuration +# +# If-statements can be used to make configuration directives +# depend on conditions: +# +# if +# ... regular configuration directives ... +# [else +# ... regular configuration directives ...] +# endif +# +# The else part is optional. The keywords "if", "else", and "endif" +# must be typed on their own lines, as if they were regular +# configuration directives. +# +# NOTE: An else-if condition is not supported. +# +# These individual conditions types are supported: +# +# true +# Always evaluates to true. +# false +# Always evaluates to false. +# = +# Equality comparison of two integer numbers. +# +# +# SMP-Related Macros +# +# The following SMP-related preprocessor macros can be used. +# +# ${process_name} expands to the current Squid process "name" +# (e.g., squid1, squid2, or cache1). +# +# ${process_number} expands to the current Squid process +# identifier, which is an integer number (e.g., 1, 2, 3) unique +# across all Squid processes of the current service instance. +# +# ${service_name} expands into the current Squid service instance +# name identifier which is provided by -n on the command line. +# + +# TAG: broken_vary_encoding +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: cache_vary +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: error_map +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: external_refresh_check +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: location_rewrite_program +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: refresh_stale_hit +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: hierarchy_stoplist +# Remove this line. Use always_direct or cache_peer_access ACLs instead if you need to prevent cache_peer use. +#Default: +# none + +# TAG: log_access +# Remove this line. Use acls with access_log directives to control access logging +#Default: +# none + +# TAG: log_icap +# Remove this line. Use acls with icap_log directives to control icap logging +#Default: +# none + +# TAG: ignore_ims_on_miss +# Remove this line. The HTTP/1.1 feature is now configured by 'cache_miss_revalidate'. +#Default: +# none + +# TAG: chunked_request_body_max_size +# Remove this line. Squid is now HTTP/1.1 compliant. +#Default: +# none + +# TAG: dns_v4_fallback +# Remove this line. Squid performs a 'Happy Eyeballs' algorithm, the 'fallback' algorithm is no longer relevant. +#Default: +# none + +# TAG: emulate_httpd_log +# Replace this with an access_log directive using the format 'common' or 'combined'. +#Default: +# none + +# TAG: forward_log +# Use a regular access.log with ACL limiting it to MISS events. +#Default: +# none + +# TAG: ftp_list_width +# Remove this line. Configure FTP page display using the CSS controls in errorpages.css instead. +#Default: +# none + +# TAG: ignore_expect_100 +# Remove this line. The HTTP/1.1 feature is now fully supported by default. +#Default: +# none + +# TAG: log_fqdn +# Remove this option from your config. To log FQDN use %>A in the log format. +#Default: +# none + +# TAG: log_ip_on_direct +# Remove this option from your config. To log server or peer names use % -##auth_param negotiate children 5 +##auth_param negotiate children 20 startup=0 idle=1 ##auth_param negotiate keep_alive on ## -##auth_param ntlm program -##auth_param ntlm children 5 -##auth_param ntlm keep_alive on -## -##auth_param digest program -##auth_param digest children 5 +##auth_param digest program +##auth_param digest children 20 startup=0 idle=1 ##auth_param digest realm Squid proxy-caching web server ##auth_param digest nonce_garbage_interval 5 minutes ##auth_param digest nonce_max_duration 30 minutes ##auth_param digest nonce_max_count 50 ## +##auth_param ntlm program +##auth_param ntlm children 20 startup=0 idle=1 +##auth_param ntlm keep_alive on +## ##auth_param basic program -##auth_param basic children 5 +##auth_param basic children 5 startup=5 idle=1 ##auth_param basic realm Squid proxy-caching web server ##auth_param basic credentialsttl 2 hours #Default: @@ -343,7 +448,7 @@ # TAG: authenticate_cache_garbage_interval # The time period between garbage collection across the username cache. -# This is a tradeoff between memory utilization (long intervals - say +# This is a trade-off between memory utilization (long intervals - say # 2 days) and CPU (short intervals - say 1 minute). Only change if you # have good reason to. #Default: @@ -362,11 +467,11 @@ # this directive controls how long Squid remembers the IP # addresses associated with each user. Use a small value # (e.g., 60 seconds) if your users might change addresses -# quickly, as is the case with dialups. You might be safe +# quickly, as is the case with dialup. You might be safe # using a larger value (e.g., 2 hours) in a corporate LAN # environment with relatively static address assignments. #Default: -# authenticate_ip_ttl 0 seconds +# authenticate_ip_ttl 1 second # ACCESS CONTROLS # ----------------------------------------------------------------------------- @@ -381,31 +486,66 @@ # # ttl=n TTL in seconds for cached results (defaults to 3600 # for 1 hour) +# # negative_ttl=n # TTL for cached negative lookups (default same # as ttl) -# children=n Number of acl helper processes spawn to service +# +# grace=n Percentage remaining of TTL where a refresh of a +# cached entry should be initiated without needing to +# wait for a new reply. (default is for no grace period) +# +# cache=n The maximum number of entries in the result cache. The +# default limit is 262144 entries. Each cache entry usually +# consumes at least 256 bytes. Squid currently does not remove +# expired cache entries until the limit is reached, so a proxy +# will sooner or later reach the limit. The expanded FORMAT +# value is used as the cache key, so if the details in FORMAT +# are highly variable, a larger cache may be needed to produce +# reduction in helper load. +# +# children-max=n +# Maximum number of acl helper processes spawned to service # external acl lookups of this type. (default 5) +# +# children-startup=n +# Minimum number of acl helper processes to spawn during +# startup and reconfigure to service external acl lookups +# of this type. (default 0) +# +# children-idle=n +# Number of acl helper processes to keep ahead of traffic +# loads. Squid will spawn this many at once whenever load +# rises above the capabilities of existing processes. +# Up to the value of children-max. (default 1) +# # concurrency=n concurrency level per process. Only used with helpers # capable of processing more than one query at a time. -# cache=n result cache size, 0 is unbounded (default) -# grace=n Percentage remaining of TTL where a refresh of a -# cached entry should be initiated without needing to -# wait for a new reply. (default 0 for no grace period) -# protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers +# +# protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers. +# # ipv4 / ipv6 IP protocol used to communicate with this helper. # The default is to auto-detect IPv6 and use it when available. # +# # FORMAT specifications # # %LOGIN Authenticated user login name -# %EXT_USER Username from external acl +# %un A user name. Expands to the first available name +# from the following list of information sources: +# - authenticated user name, like %ul or %LOGIN +# - user name sent by an external ACL, like %EXT_USER +# - SSL client name, like %us in logformat +# - ident user name, like %ui in logformat +# %EXT_USER Username from previous external acl +# %EXT_LOG Log details from previous external acl +# %EXT_TAG Tag from previous external acl # %IDENT Ident user name # %SRC Client IP # %SRCPORT Client source port # %URI Requested URI # %DST Requested host -# %PROTO Requested protocol +# %PROTO Requested URL scheme # %PORT Requested port # %PATH Requested URL path # %METHOD Request method @@ -415,7 +555,10 @@ # %USER_CERT SSL User certificate in PEM format # %USER_CERTCHAIN SSL User certificate chain in PEM format # %USER_CERT_xx SSL User certificate subject attribute xx -# %USER_CA_xx SSL User certificate issuer attribute xx +# %USER_CA_CERT_xx SSL User certificate issuer attribute xx +# %ssl::>sni SSL client SNI sent to Squid +# %ssl::{Header} HTTP request header "Header" # %>{Hdr:member} @@ -433,43 +576,101 @@ # list separator. ; can be any non-alphanumeric # character. # +# %ACL The name of the ACL being tested. +# %DATA The ACL arguments. If not used then any arguments +# is automatically added at the end of the line +# sent to the helper. +# NOTE: this will encode the arguments as one token, +# whereas the default will pass each separately. +# # %% The percent sign. Useful for helpers which need # an unchanging input format. # -# In addition to the above, any string specified in the referencing -# acl will also be included in the helper request line, after the -# specified formats (see the "acl external" directive) # -# The helper receives lines per the above format specification, -# and returns lines starting with OK or ERR indicating the validity -# of the request and optionally followed by additional keywords with -# more details. +# General request syntax: +# +# [channel-ID] FORMAT-values [acl-values ...] +# +# +# FORMAT-values consists of transaction details expanded with +# whitespace separation per the config file FORMAT specification +# using the FORMAT macros listed above. +# +# acl-values consists of any string specified in the referencing +# config 'acl ... external' line. see the "acl external" directive. +# +# Request values sent to the helper are URL escaped to protect +# each value in requests against whitespaces. +# +# If using protocol=2.5 then the request sent to the helper is not +# URL escaped to protect against whitespace. +# +# NOTE: protocol=3.0 is deprecated as no longer necessary. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# +# The helper receives lines expanded per the above format specification +# and for each input line returns 1 line starting with OK/ERR/BH result +# code and optionally followed by additional keywords with more details. +# # # General result syntax: # -# OK/ERR keyword=value ... +# [channel-ID] result keyword=value ... +# +# Result consists of one of the codes: +# +# OK +# the ACL test produced a match. +# +# ERR +# the ACL test does not produce a match. +# +# BH +# An internal error occurred in the helper, preventing +# a result being identified. +# +# The meaning of 'a match' is determined by your squid.conf +# access control configuration. See the Squid wiki for details. # # Defined keywords: # # user= The users name (login) +# # password= The users password (for login= cache_peer option) -# message= Message describing the reason. Available as %o -# in error pages -# tag= Apply a tag to a request (for both ERR and OK results) -# Only sets a tag, does not alter existing tags. +# +# message= Message describing the reason for this response. +# Available as %o in error pages. +# Useful on (ERR and BH results). +# +# tag= Apply a tag to a request. Only sets a tag once, +# does not alter existing tags. +# # log= String to be logged in access.log. Available as -# %ea in logformat specifications +# %ea in logformat specifications. # -# If protocol=3.0 (the default) then URL escaping is used to protect -# each value in both requests and responses. +# clt_conn_tag= Associates a TAG with the client TCP connection. +# Please see url_rewrite_program related documentation +# for this kv-pair. # -# If using protocol=2.5 then all values need to be enclosed in quotes -# if they may contain whitespace, or the whitespace escaped using \. -# And quotes or \ characters within the keyword value must be \ escaped. +# Any keywords may be sent on any response whether OK, ERR or BH. # -# When using the concurrency= option the protocol is changed by -# introducing a query channel tag infront of the request/response. -# The query channel tag is a number between 0 and concurrency-1. +# All response keyword values need to be a single token with URL +# escaping, or enclosed in double quotes (") and escaped using \ on +# any double quotes or \ characters within the value. The wrapping +# double quotes are removed before the value is interpreted by Squid. +# \r and \n are also replace by CR and LF. +# +# Some example key values: +# +# user=John%20Smith +# user="John Smith" +# user="J. \"Bob\" Smith" #Default: # none @@ -485,9 +686,23 @@ # # When using "file", the file should contain one item per line. # -# By default, regular expressions are CASE-SENSITIVE. -# To make them case-insensitive, use the -i option. To return case-sensitive -# use the +i option between patterns, or make a new ACL line without -i. +# Some acl types supports options which changes their default behaviour. +# The available options are: +# +# -i,+i By default, regular expressions are CASE-SENSITIVE. To make them +# case-insensitive, use the -i option. To return case-sensitive +# use the +i option between patterns, or make a new ACL line +# without -i. +# +# -n Disable lookups and address type conversions. If lookup or +# conversion is required because the parameter type (IP or +# domain name) does not match the message address type (domain +# name or IP), then the ACL would immediately declare a mismatch +# without any warnings or lookups. +# +# -- Used to stop processing all options, in the case the first acl +# value has '-' character as first character (for example the '-' +# is a valid domain name) # # Some acl types require suspending the current request in order # to access some external data source. @@ -498,29 +713,31 @@ # # ***** ACL TYPES AVAILABLE ***** # -# acl aclname src ip-address/netmask ... # clients IP address [fast] -# acl aclname src addr1-addr2/netmask ... # range of addresses [fast] -# acl aclname dst ip-address/netmask ... # URL host's IP address [slow] -# acl aclname myip ip-address/netmask ... # local socket IP address [fast] +# acl aclname src ip-address/mask ... # clients IP address [fast] +# acl aclname src addr1-addr2/mask ... # range of addresses [fast] +# acl aclname dst [-n] ip-address/mask ... # URL host's IP address [slow] +# acl aclname localip ip-address/mask ... # IP address the client connected to [fast] # # acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation) -# # The arp ACL requires the special configure option --enable-arp-acl. -# # Furthermore, the ARP ACL code is not portable to all operating systems. -# # It works on Linux, Solaris, Windows, FreeBSD, and some -# # other *BSD variants. # # [fast] +# # The 'arp' ACL code is not portable to all operating systems. +# # It works on Linux, Solaris, Windows, FreeBSD, and some other +# # BSD variants. +# # +# # NOTE: Squid can only determine the MAC/EUI address for IPv4 +# # clients that are on the same subnet. If the client is on a +# # different subnet, then Squid cannot find out its address. # # -# # NOTE: Squid can only determine the MAC address for clients that are on -# # the same subnet. If the client is on a different subnet, -# # then Squid cannot find out its MAC address. +# # NOTE 2: IPv6 protocol does not contain ARP. MAC/EUI is either +# # encoded directly in the IPv6 address or not available. # # acl aclname srcdomain .foo.com ... # # reverse lookup, from client IP [slow] -# acl aclname dstdomain .foo.com ... +# acl aclname dstdomain [-n] .foo.com ... # # Destination server from URL [fast] # acl aclname srcdom_regex [-i] \.foo\.com ... # # regex matching client name [slow] -# acl aclname dstdom_regex [-i] \.foo\.com ... +# acl aclname dstdom_regex [-n] [-i] \.foo\.com ... # # regex matching server [fast] # # # # For dstdomain and dstdom_regex a reverse lookup is tried if a IP @@ -557,13 +774,17 @@ # # acl aclname url_regex [-i] ^http:// ... # # regex matching on whole URL [fast] +# acl aclname urllogin [-i] [^a-zA-Z0-9] ... +# # regex matching on URL login field # acl aclname urlpath_regex [-i] \.gif$ ... # # regex matching on URL path [fast] # # acl aclname port 80 70 21 0-1024... # destination TCP port [fast] # # ranges are alloed -# acl aclname myport 3128 ... # local socket TCP port [fast] -# acl aclname myportname 3128 ... # http(s)_port name [fast] +# acl aclname localport 3128 ... # TCP port the client connected to [fast] +# # NP: for interception mode this is usually '80' +# +# acl aclname myportname 3128 ... # *_port name [fast] # # acl aclname proto HTTP FTP ... # request protocol [fast] # @@ -632,6 +853,11 @@ # # clients may appear to come from multiple addresses if they are # # going through proxy farms, so a limit of 1 may cause user problems. # +# acl aclname random probability +# # Pseudo-randomly match requests. Based on the probability given. +# # Probability may be written as a decimal (0.333), fraction (1/3) +# # or ratio of matches:non-matches (3:5). +# # acl aclname req_mime_type [-i] mime-type ... # # regex match against the mime type of the request generated # # by the client. Can be used to detect file upload or some @@ -663,11 +889,11 @@ # # acl aclname user_cert attribute values... # # match against attributes in a user SSL certificate -# # attribute is one of DN/C/O/CN/L/ST [fast] +# # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast] # # acl aclname ca_cert attribute values... # # match against attributes a users issuing CA SSL certificate -# # attribute is one of DN/C/O/CN/L/ST [fast] +# # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast] # # acl aclname ext_user username ... # acl aclname ext_user_regex [-i] pattern ... @@ -675,7 +901,59 @@ # # use REQUIRED to accept any non-null user name. # # acl aclname tag tagvalue ... -# # string match on tag returned by external acl helper [slow] +# # string match on tag returned by external acl helper [fast] +# # DEPRECATED. Only the first tag will match with this ACL. +# # Use the 'note' ACL instead for handling multiple tag values. +# +# acl aclname hier_code codename ... +# # string match against squid hierarchy code(s); [fast] +# # e.g., DIRECT, PARENT_HIT, NONE, etc. +# # +# # NOTE: This has no effect in http_access rules. It only has +# # effect in rules that affect the reply data stream such as +# # http_reply_access. +# +# acl aclname note name [value ...] +# # match transaction annotation [fast] +# # Without values, matches any annotation with a given name. +# # With value(s), matches any annotation with a given name that +# # also has one of the given values. +# # Names and values are compared using a string equality test. +# # Annotation sources include note and adaptation_meta directives +# # as well as helper and eCAP responses. +# +# acl aclname adaptation_service service ... +# # Matches the name of any icap_service, ecap_service, +# # adaptation_service_set, or adaptation_service_chain that Squid +# # has used (or attempted to use) for the master transaction. +# # This ACL must be defined after the corresponding adaptation +# # service is named in squid.conf. This ACL is usable with +# # adaptation_meta because it starts matching immediately after +# # the service has been selected for adaptation. +# +# acl aclname any-of acl1 acl2 ... +# # match any one of the acls [fast or slow] +# # The first matching ACL stops further ACL evaluation. +# # +# # ACLs from multiple any-of lines with the same name are ORed. +# # For example, A = (a1 or a2) or (a3 or a4) can be written as +# # acl A any-of a1 a2 +# # acl A any-of a3 a4 +# # +# # This group ACL is fast if all evaluated ACLs in the group are fast +# # and slow otherwise. +# +# acl aclname all-of acl1 acl2 ... +# # match all of the acls [fast or slow] +# # The first mismatching ACL stops further ACL evaluation. +# # +# # ACLs from multiple all-of lines with the same name are ORed. +# # For example, B = (b1 and b2) or (b3 and b4) can be written as +# # acl B all-of b1 b2 +# # acl B all-of b3 b4 +# # +# # This group ACL is fast if all evaluated ACLs in the group are fast +# # and slow otherwise. # # Examples: # acl macaddress arp 09:00:2b:23:45:67 @@ -685,14 +963,11 @@ # acl javascript rep_mime_type -i ^application/x-javascript$ # #Default: -# acl all src all +# ACLs all, manager, localhost, and to_localhost are predefined. # # # Recommended minimum configuration: -# (now built-in) -#acl manager proto cache_object -#acl localhost src 127.0.0.1/32 ::1 -#acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1 +# # Example rule allowing access from your local networks. # Adapt to list your (internal) IP networks from where browsing @@ -716,39 +991,83 @@ acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT +# TAG: proxy_protocol_access +# Determine which client proxies can be trusted to provide correct +# information regarding real client IP address using PROXY protocol. +# +# Requests may pass through a chain of several other proxies +# before reaching us. The original source details may by sent in: +# * HTTP message Forwarded header, or +# * HTTP message X-Forwarded-For header, or +# * PROXY protocol connection header. +# +# This directive is solely for validating new PROXY protocol +# connections received from a port flagged with require-proxy-header. +# It is checked only once after TCP connection setup. +# +# A deny match results in TCP connection closure. +# +# An allow match is required for Squid to permit the corresponding +# TCP connection, before Squid even looks for HTTP request headers. +# If there is an allow match, Squid starts using PROXY header information +# to determine the source address of the connection for all future ACL +# checks, logging, etc. +# +# SECURITY CONSIDERATIONS: +# +# Any host from which we accept client IP details can place +# incorrect information in the relevant header, and Squid +# will use the incorrect information as if it were the +# source address of the request. This may enable remote +# hosts to bypass any access control restrictions that are +# based on the client's source addresses. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# all TCP connections to ports with require-proxy-header will be denied + # TAG: follow_x_forwarded_for -# Allowing or Denying the X-Forwarded-For header to be followed to -# find the original source of a request. +# Determine which client proxies can be trusted to provide correct +# information regarding real client IP address. # # Requests may pass through a chain of several other proxies -# before reaching us. The X-Forwarded-For header will contain a -# comma-separated list of the IP addresses in the chain, with the -# rightmost address being the most recent. +# before reaching us. The original source details may by sent in: +# * HTTP message Forwarded header, or +# * HTTP message X-Forwarded-For header, or +# * PROXY protocol connection header. +# +# PROXY protocol connections are controlled by the proxy_protocol_access +# directive which is checked before this. # # If a request reaches us from a source that is allowed by this -# configuration item, then we consult the X-Forwarded-For header -# to see where that host received the request from. If the -# X-Forwarded-For header contains multiple addresses, we continue -# backtracking until we reach an address for which we are not allowed -# to follow the X-Forwarded-For header, or until we reach the first -# address in the list. For the purpose of ACL used in the -# follow_x_forwarded_for directive the src ACL type always matches -# the address we are testing and srcdomain matches its rDNS. +# directive, then we trust the information it provides regarding +# the IP of the client it received from (if any). +# +# For the purpose of ACLs used in this directive the src ACL type always +# matches the address we are testing and srcdomain matches its rDNS. +# +# On each HTTP request Squid checks for X-Forwarded-For header fields. +# If found the header values are iterated in reverse order and an allow +# match is required for Squid to continue on to the next value. +# The verification ends when a value receives a deny match, cannot be +# tested, or there are no more values to test. +# NOTE: Squid does not yet follow the Forwarded HTTP header. # # The end result of this process is an IP address that we will # refer to as the indirect client address. This address may # be treated as the client address for access control, ICAP, delay # pools and logging, depending on the acl_uses_indirect_client, -# icap_uses_indirect_client, delay_pool_uses_indirect_client and -# log_uses_indirect_client options. +# icap_uses_indirect_client, delay_pool_uses_indirect_client, +# log_uses_indirect_client and tproxy_uses_indirect_client options. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # # SECURITY CONSIDERATIONS: # -# Any host for which we follow the X-Forwarded-For header -# can place incorrect information in the header, and Squid +# Any host from which we accept client IP details can place +# incorrect information in the relevant header, and Squid # will use the incorrect information as if it were the # source address of the request. This may enable remote # hosts to bypass any access control restrictions that are @@ -761,7 +1080,7 @@ acl CONNECT method CONNECT # follow_x_forwarded_for allow localhost # follow_x_forwarded_for allow my_other_proxy #Default: -# follow_x_forwarded_for deny all +# X-Forwarded-For header will be ignored. # TAG: acl_uses_indirect_client on|off # Controls whether the indirect client address @@ -787,10 +1106,41 @@ acl CONNECT method CONNECT #Default: # log_uses_indirect_client on +# TAG: tproxy_uses_indirect_client on|off +# Controls whether the indirect client address +# (see follow_x_forwarded_for) is used instead of the +# direct client address when spoofing the outgoing client. +# +# This has no effect on requests arriving in non-tproxy +# mode ports. +# +# SECURITY WARNING: Usage of this option is dangerous +# and should not be used trivially. Correct configuration +# of follow_x_forwarded_for with a limited set of trusted +# sources is required to prevent abuse of your proxy. +#Default: +# tproxy_uses_indirect_client off + +# TAG: spoof_client_ip +# Control client IP address spoofing of TPROXY traffic based on +# defined access lists. +# +# spoof_client_ip allow|deny [!]aclname ... +# +# If there are no "spoof_client_ip" lines present, the default +# is to "allow" spoofing of any suitable request. +# +# Note that the cache_peer "no-tproxy" option overrides this ACL. +# +# This clause supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Allow spoofing on all TPROXY traffic. + # TAG: http_access # Allowing or Denying access based on defined access lists # -# Access to the HTTP port: +# To allow or deny a message received on an HTTP, HTTPS, or FTP port: # http_access allow|deny [!]aclname ... # # NOTE on default values: @@ -809,22 +1159,22 @@ acl CONNECT method CONNECT # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # #Default: -# http_access deny all +# Deny, unless rules exist in squid.conf. # # # Recommended minimum Access Permission configuration: # -# Only allow cachemgr access from localhost -http_access allow manager localhost -http_access deny manager - # Deny requests to certain unsafe ports http_access deny !Safe_ports # Deny CONNECT to other than secure SSL ports http_access deny CONNECT !SSL_ports +# Only allow cachemgr access from localhost +http_access allow localhost manager +http_access deny manager + # We strongly recommend the following be uncommented to protect innocent # web applications running on the proxy server who think the only # one who can access services on "localhost" is a local user @@ -852,7 +1202,7 @@ http_access deny all # # If not set then only http_access is used. #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: http_reply_access # Allow replies to client requests. This is complementary to http_access. @@ -860,7 +1210,7 @@ http_access deny all # http_reply_access allow|deny [!] aclname ... # # NOTE: if there are no access lines present, the default is to allow -# all replies +# all replies. # # If none of the access lines cause a match the opposite of the # last line will apply. Thus it is good practice to end the rules @@ -869,7 +1219,7 @@ http_access deny all # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: icp_access # Allowing or Denying access to the ICP port based on defined @@ -877,7 +1227,9 @@ http_access deny all # # icp_access allow|deny [!]aclname ... # -# See http_access for details +# NOTE: The default if no icp_access lines are present is to +# deny all traffic. This default may cause problems with peers +# using ICP. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. @@ -886,7 +1238,7 @@ http_access deny all ##icp_access allow localnet ##icp_access deny all #Default: -# icp_access deny all +# Deny, unless rules exist in squid.conf. # TAG: htcp_access # Allowing or Denying access to the HTCP port based on defined @@ -894,11 +1246,12 @@ http_access deny all # # htcp_access allow|deny [!]aclname ... # -# See http_access for details +# See also htcp_clr_access for details on access control for +# cache purge (CLR) HTCP messages. # # NOTE: The default if no htcp_access lines are present is to # deny all traffic. This default may cause problems with peers -# using the htcp or htcp-oldsquid options. +# using the htcp option. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. @@ -907,48 +1260,47 @@ http_access deny all ##htcp_access allow localnet ##htcp_access deny all #Default: -# htcp_access deny all +# Deny, unless rules exist in squid.conf. # TAG: htcp_clr_access # Allowing or Denying access to purge content using HTCP based -# on defined access lists +# on defined access lists. +# See htcp_access for details on general HTCP access control. # # htcp_clr_access allow|deny [!]aclname ... # -# See http_access for details -# # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # ## Allow HTCP CLR requests from trusted peers -#acl htcp_clr_peer src 172.16.1.2 +#acl htcp_clr_peer src 192.0.2.2 2001:DB8::2 #htcp_clr_access allow htcp_clr_peer +#htcp_clr_access deny all #Default: -# htcp_clr_access deny all +# Deny, unless rules exist in squid.conf. # TAG: miss_access -# Determins whether network access is permitted when satisfying a request. +# Determines whether network access is permitted when satisfying a request. # # For example; # to force your neighbors to use you as a sibling instead of # a parent. # -# acl localclients src 172.16.0.0/16 -# miss_access allow localclients +# acl localclients src 192.0.2.0/24 2001:DB8::a:0/64 # miss_access deny !localclients +# miss_access allow all # # This means only your local clients are allowed to fetch relayed/MISS # replies from the network and all other clients can only fetch cached # objects (HITs). # -# # The default for this setting allows all clients who passed the # http_access rules to relay via this proxy. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# miss_access allow all +# Allow, unless rules exist in squid.conf. # TAG: ident_lookup_access # A list of ACL elements which, if matched, cause an ident @@ -972,7 +1324,7 @@ http_access deny all # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# ident_lookup_access deny all +# Unless rules exist in squid.conf, IDENT is not fetched. # TAG: reply_body_max_size size [acl acl...] # This option specifies the maximum size of a reply body. It can be @@ -1009,23 +1361,22 @@ http_access deny all # reply_body_max_size 10 MB # #Default: -# none +# No limit is applied. # NETWORK OPTIONS # ----------------------------------------------------------------------------- # TAG: http_port -# Usage: port [options] -# hostname:port [options] -# 1.2.3.4:port [options] +# Usage: port [mode] [options] +# hostname:port [mode] [options] +# 1.2.3.4:port [mode] [options] # # The socket addresses where Squid will listen for HTTP client # requests. You may specify multiple socket addresses. # There are three forms: port alone, hostname with port, and # IP address with port. If you specify a hostname or IP # address, Squid binds the socket to that specific -# address. This replaces the old 'tcp_incoming_address' -# option. Most likely, you do not need to bind to a specific +# address. Most likely, you do not need to bind to a specific # address, so you can use the port number alone. # # If you are running Squid in accelerator mode, you @@ -1037,48 +1388,184 @@ http_access deny all # # You may specify multiple socket addresses on multiple lines. # -# Options: +# Modes: # -# intercept Support for IP-Layer interception of -# outgoing requests without browser settings. -# NP: disables authentication and IPv6 on the port. +# intercept Support for IP-Layer NAT interception delivering +# traffic to this Squid port. +# NP: disables authentication on the port. # -# tproxy Support Linux TPROXY for spoofing outgoing -# connections using the client IP address. -# NP: disables authentication and maybe IPv6 on the port. +# tproxy Support Linux TPROXY (or BSD divert-to) with spoofing +# of outgoing connections using the client IP address. +# NP: disables authentication on the port. # -# accel Accelerator mode. Also needs at least one of -# vhost / vport / defaultsite. +# accel Accelerator / reverse proxy mode # -# allow-direct Allow direct forwarding in accelerator mode. Normally -# accelerated requests are denied direct forwarding as if -# never_direct was used. +# ssl-bump For each CONNECT request allowed by ssl_bump ACLs, +# establish secure connection with the client and with +# the server, decrypt HTTPS messages as they pass through +# Squid, and treat them as unencrypted HTTP messages, +# becoming the man-in-the-middle. # -# defaultsite=domainname -# What to use for the Host: header if it is not present -# in a request. Determines what site (not origin server) -# accelerators should consider the default. -# Implies accel. +# The ssl_bump option is required to fully enable +# bumping of CONNECT requests. +# +# Omitting the mode flag causes default forward proxy mode to be used. +# +# +# Accelerator Mode Options: +# +# defaultsite=domainname +# What to use for the Host: header if it is not present +# in a request. Determines what site (not origin server) +# accelerators should consider the default. # -# vhost Accelerator mode using Host header for virtual domain support. -# Also uses the port as specified in Host: header unless -# overridden by the vport option. Implies accel. +# no-vhost Disable using HTTP/1.1 Host header for virtual domain support. +# +# protocol= Protocol to reconstruct accelerated and intercepted +# requests with. Defaults to HTTP/1.1 for http_port and +# HTTPS/1.1 for https_port. +# When an unsupported value is configured Squid will +# produce a FATAL error. +# Values: HTTP or HTTP/1.1, HTTPS or HTTPS/1.1 # # vport Virtual host port support. Using the http_port number -# instead of the port passed on Host: headers. Implies accel. +# instead of the port passed on Host: headers. # # vport=NN Virtual host port support. Using the specified port # number instead of the port passed on Host: headers. -# Implies accel. # -# protocol= Protocol to reconstruct accelerated requests with. -# Defaults to http. +# act-as-origin +# Act as if this Squid is the origin server. +# This currently means generate new Date: and Expires: +# headers on HIT instead of adding Age:. # # ignore-cc Ignore request Cache-Control headers. # -# Warning: This option violates HTTP specifications if +# WARNING: This option violates HTTP specifications if # used in non-accelerator setups. # +# allow-direct Allow direct forwarding in accelerator mode. Normally +# accelerated requests are denied direct forwarding as if +# never_direct was used. +# +# WARNING: this option opens accelerator mode to security +# vulnerabilities usually only affecting in interception +# mode. Make sure to protect forwarding with suitable +# http_access rules when using this. +# +# +# SSL Bump Mode Options: +# In addition to these options ssl-bump requires TLS/SSL options. +# +# generate-host-certificates[=] +# Dynamically create SSL server certificates for the +# destination hosts of bumped CONNECT requests.When +# enabled, the cert and key options are used to sign +# generated certificates. Otherwise generated +# certificate will be selfsigned. +# If there is a CA certificate lifetime of the generated +# certificate equals lifetime of the CA certificate. If +# generated certificate is selfsigned lifetime is three +# years. +# This option is disabled by default. See the ssl-bump +# option above for more information. +# +# dynamic_cert_mem_cache_size=SIZE +# Approximate total RAM size spent on cached generated +# certificates. If set to zero, caching is disabled. +# +# TLS / SSL Options: +# +# cert= Path to SSL certificate (PEM format). +# +# key= Path to SSL private key file (PEM format) +# if not specified, the certificate file is +# assumed to be a combined certificate and +# key file. +# +# version= The version of SSL/TLS supported +# 1 automatic (default) +# 2 SSLv2 only +# 3 SSLv3 only +# 4 TLSv1.0 only +# 5 TLSv1.1 only +# 6 TLSv1.2 only +# +# cipher= Colon separated list of supported ciphers. +# NOTE: some ciphers such as EDH ciphers depend on +# additional settings. If those settings are +# omitted the ciphers may be silently ignored +# by the OpenSSL library. +# +# options= Various SSL implementation options. The most important +# being: +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# SINGLE_DH_USE Always create a new key when using +# temporary/ephemeral DH key exchanges +# NO_TICKET Disables TLS tickets extension +# +# SINGLE_ECDH_USE +# Enable ephemeral ECDH key exchange. +# The adopted curve should be specified +# using the tls-dh option. +# +# ALL Enable various bug workarounds +# suggested as "harmless" by OpenSSL +# Be warned that this reduces SSL/TLS +# strength to some attacks. +# See OpenSSL SSL_CTX_set_options documentation for a +# complete list of options. +# +# clientca= File containing the list of CAs to use when +# requesting a client certificate. +# +# cafile= File containing additional CA certificates to +# use when verifying client certificates. If unset +# clientca will be used. +# +# capath= Directory containing additional CA certificates +# and CRL lists to use when verifying client certificates. +# +# crlfile= File of additional CRL lists to use when verifying +# the client certificate, in addition to CRLs stored in +# the capath. Implies VERIFY_CRL flag below. +# +# tls-dh=[curve:]file +# File containing DH parameters for temporary/ephemeral DH key +# exchanges, optionally prefixed by a curve for ephemeral ECDH +# key exchanges. +# See OpenSSL documentation for details on how to create the +# DH parameter file. Supported curves for ECDH can be listed +# using the "openssl ecparam -list_curves" command. +# WARNING: EDH and EECDH ciphers will be silently disabled if +# this option is not set. +# +# sslflags= Various flags modifying the use of SSL: +# DELAYED_AUTH +# Don't request client certificates +# immediately, but wait until acl processing +# requires a certificate (not yet implemented). +# NO_DEFAULT_CA +# Don't use the default CA lists built in +# to OpenSSL. +# NO_SESSION_REUSE +# Don't allow for session reuse. Each connection +# will result in a new SSL session. +# VERIFY_CRL +# Verify CRL lists when accepting client +# certificates. +# VERIFY_CRL_ALL +# Verify CRL lists for all certificates in the +# client certificate chain. +# +# sslcontext= SSL session ID context identifier. +# +# Other Options: +# # connection-auth[=on|off] # use connection-auth=off to tell Squid to prevent # forwarding Microsoft connection oriented authentication @@ -1100,22 +1587,6 @@ http_access deny all # sporadically hang or never complete requests set # disable-pmtu-discovery option to 'transparent'. # -# ssl-bump Intercept each CONNECT request matching ssl_bump ACL, -# establish secure connection with the client and with -# the server, decrypt HTTP messages as they pass through -# Squid, and treat them as unencrypted HTTP messages, -# becoming the man-in-the-middle. -# -# When this option is enabled, additional options become -# available to specify SSL-related properties of the -# client-side connection: cert, key, version, cipher, -# options, clientca, cafile, capath, crlfile, dhparams, -# sslflags, and sslcontext. See the https_port directive -# for more information on these options. -# -# The ssl_bump option is required to fully enable -# the SslBump feature. -# # name= Specifies a internal name for the port. Defaults to # the port specification (port or addr:port) # @@ -1125,6 +1596,11 @@ http_access deny all # probing the connection, interval how often to probe, and # timeout the time before giving up. # +# require-proxy-header +# Require PROXY protocol version 1 or 2 connections. +# The proxy_protocol_access is required to whitelist +# downstream proxies which can be trusted. +# # If you run Squid on a dual-homed machine with an internal # and an external interface we recommend you to specify the # internal address:port in http_port. This way Squid will only be @@ -1137,35 +1613,49 @@ http_port 3128 # TAG: https_port # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # -# Usage: [ip:]port cert=certificate.pem [key=key.pem] [options...] +# Usage: [ip:]port cert=certificate.pem [key=key.pem] [mode] [options...] # -# The socket address where Squid will listen for HTTPS client -# requests. +# The socket address where Squid will listen for client requests made +# over TLS or SSL connections. Commonly referred to as HTTPS. # -# This is really only useful for situations where you are running -# squid in accelerator mode and you want to do the SSL work at the -# accelerator level. +# This is most useful for situations where you are running squid in +# accelerator mode and you want to do the SSL work at the accelerator level. # # You may specify multiple socket addresses on multiple lines, # each with their own SSL certificate and/or options. # -# Options: +# Modes: +# +# accel Accelerator / reverse proxy mode +# +# intercept Support for IP-Layer interception of +# outgoing requests without browser settings. +# NP: disables authentication and IPv6 on the port. +# +# tproxy Support Linux TPROXY for spoofing outgoing +# connections using the client IP address. +# NP: disables authentication and maybe IPv6 on the port. +# +# ssl-bump For each intercepted connection allowed by ssl_bump +# ACLs, establish a secure connection with the client and with +# the server, decrypt HTTPS messages as they pass through +# Squid, and treat them as unencrypted HTTP messages, +# becoming the man-in-the-middle. +# +# An "ssl_bump server-first" match is required to +# fully enable bumping of intercepted SSL connections. +# +# Requires tproxy or intercept. # -# accel Accelerator mode. Also needs at least one of -# defaultsite or vhost. +# Omitting the mode flag causes default forward proxy mode to be used. # -# defaultsite= The name of the https site presented on -# this port. Implies accel. # -# vhost Accelerator mode using Host header for virtual -# domain support. Requires a wildcard certificate -# or other certificate valid for more than one domain. -# Implies accel. +# See http_port for a list of generic options # -# protocol= Protocol to reconstruct accelerated requests with. -# Defaults to https. +# +# SSL Options: # # cert= Path to SSL certificate (PEM format). # @@ -1181,20 +1671,23 @@ http_port 3128 # 4 TLSv1 only # # cipher= Colon separated list of supported ciphers. -# NOTE: some ciphers such as EDH ciphers depend on -# additional settings. If those settings are -# omitted the ciphers may be silently ignored -# by the OpenSSL library. # # options= Various SSL engine options. The most important # being: # NO_SSLv2 Disallow the use of SSLv2 # NO_SSLv3 Disallow the use of SSLv3 # NO_TLSv1 Disallow the use of TLSv1 +# # SINGLE_DH_USE Always create a new key when using # temporary/ephemeral DH key exchanges -# See OpenSSL SSL_CTX_set_options documentation for a -# complete list of options. +# +# SINGLE_ECDH_USE +# Enable ephemeral ECDH key exchange. +# The adopted curve should be specified +# using the tls-dh option. +# +# See src/ssl_support.c or OpenSSL SSL_CTX_set_options +# documentation for a complete list of options. # # clientca= File containing the list of CAs to use when # requesting a client certificate. @@ -1210,11 +1703,10 @@ http_port 3128 # the client certificate, in addition to CRLs stored in # the capath. Implies VERIFY_CRL flag below. # -# dhparams= File containing DH parameters for temporary/ephemeral -# DH key exchanges. See OpenSSL documentation for details -# on how to create this file. -# WARNING: EDH ciphers will be silently disabled if this -# option is not set. +# tls-dh=[curve:]file +# File containing DH parameters for temporary/ephemeral DH key +# exchanges, optionally prefixed by a curve for ephemeral ECDH +# key exchanges. # # sslflags= Various flags modifying the use of SSL: # DELAYED_AUTH @@ -1238,38 +1730,89 @@ http_port 3128 # # generate-host-certificates[=] # Dynamically create SSL server certificates for the -# destination hosts of bumped CONNECT requests.When +# destination hosts of bumped SSL requests.When # enabled, the cert and key options are used to sign # generated certificates. Otherwise generated # certificate will be selfsigned. -# If there is CA certificate life time of generated +# If there is CA certificate life time of generated # certificate equals lifetime of CA certificate. If -# generated certificate is selfsigned lifetime is three +# generated certificate is selfsigned lifetime is three # years. -# This option is enabled by default when SslBump is used. -# See the sslBump option above for more information. -# +# This option is disabled by default. See the ssl-bump +# option above for more information. +# # dynamic_cert_mem_cache_size=SIZE # Approximate total RAM size spent on cached generated -# certificates. If set to zero, caching is disabled. The -# default value is 4MB. An average XXX-bit certificate -# consumes about XXX bytes of RAM. +# certificates. If set to zero, caching is disabled. # -# vport Accelerator with IP based virtual host support. +# See http_port for a list of available options. +#Default: +# none + +# TAG: ftp_port +# Enables Native FTP proxy by specifying the socket address where Squid +# listens for FTP client requests. See http_port directive for various +# ways to specify the listening address and mode. # -# vport=NN As above, but uses specified port number rather -# than the https_port number. Implies accel. +# Usage: ftp_port address [mode] [options] # -# name= Specifies a internal name for the port. Defaults to -# the port specification (port or addr:port) +# WARNING: This is a new, experimental, complex feature that has seen +# limited production exposure. Some Squid modules (e.g., caching) do not +# currently work with native FTP proxying, and many features have not +# even been tested for compatibility. Test well before deploying! +# +# Native FTP proxying differs substantially from proxying HTTP requests +# with ftp:// URIs because Squid works as an FTP server and receives +# actual FTP commands (rather than HTTP requests with FTP URLs). # +# Native FTP commands accepted at ftp_port are internally converted or +# wrapped into HTTP-like messages. The same happens to Native FTP +# responses received from FTP origin servers. Those HTTP-like messages +# are shoveled through regular access control and adaptation layers +# between the FTP client and the FTP origin server. This allows Squid to +# examine, adapt, block, and log FTP exchanges. Squid reuses most HTTP +# mechanisms when shoveling wrapped FTP messages. For example, +# http_access and adaptation_access directives are used. +# +# Modes: +# +# intercept Same as http_port intercept. The FTP origin address is +# determined based on the intended destination of the +# intercepted connection. +# +# tproxy Support Linux TPROXY for spoofing outgoing +# connections using the client IP address. +# NP: disables authentication and maybe IPv6 on the port. +# +# By default (i.e., without an explicit mode option), Squid extracts the +# FTP origin address from the login@origin parameter of the FTP USER +# command. Many popular FTP clients support such native FTP proxying. +# +# Options: +# +# name=token Specifies an internal name for the port. Defaults to +# the port address. Usable with myportname ACL. +# +# ftp-track-dirs +# Enables tracking of FTP directories by injecting extra +# PWD commands and adjusting Request-URI (in wrapping +# HTTP requests) to reflect the current FTP server +# directory. Tracking is disabled by default. +# +# protocol=FTP Protocol to reconstruct accelerated and intercepted +# requests with. Defaults to FTP. No other accepted +# values have been tested with. An unsupported value +# results in a FATAL error. Accepted values are FTP, +# HTTP (or HTTP/1.1), and HTTPS (or HTTPS/1.1). +# +# Other http_port modes and options that are not specific to HTTP and +# HTTPS may also work. #Default: # none # TAG: tcp_outgoing_tos -# Allows you to select a TOS/Diffserv value to mark outgoing -# connections with, based on the username or source address -# making the request. +# Allows you to select a TOS/Diffserv value for packets outgoing +# on the server side, based on an ACL. # # tcp_outgoing_tos ds-field [!]aclname ... # @@ -1286,41 +1829,116 @@ http_port 3128 # RFC2475, and RFC3260. # # The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or -# "default" to use whatever default your host has. Note that in -# practice often only multiples of 4 is usable as the two rightmost bits -# have been redefined for use by ECN (RFC 3168 section 23.1). +# "default" to use whatever default your host has. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. # # Processing proceeds in the order specified, and stops at first fully # matching line. # -# Note: The use of this directive using client dependent ACLs is -# incompatible with the use of server side persistent connections. To -# ensure correct results it is best to set server_persistent_connections -# to off when using this directive in such configurations. +# Only fast ACLs are supported. #Default: # none # TAG: clientside_tos -# Allows you to select a TOS/Diffserv value to mark client-side -# connections with, based on the username or source address -# making the request. +# Allows you to select a TOS/DSCP value for packets being transmitted +# on the client-side, based on an ACL. +# +# clientside_tos ds-field [!]aclname ... +# +# Example where normal_service_net uses the TOS value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# clientside_tos 0x00 normal_service_net +# clientside_tos 0x20 good_service_net +# +# Note: This feature is incompatible with qos_flows. Any TOS values set here +# will be overwritten by TOS values in qos_flows. +# +# The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or +# "default" to use whatever default your host has. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. +# +#Default: +# none + +# TAG: tcp_outgoing_mark +# Note: This option is only available if Squid is rebuilt with the +# Packet MARK (Linux) +# +# Allows you to apply a Netfilter mark value to outgoing packets +# on the server side, based on an ACL. +# +# tcp_outgoing_mark mark-value [!]aclname ... +# +# Example where normal_service_net uses the mark value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# tcp_outgoing_mark 0x00 normal_service_net +# tcp_outgoing_mark 0x20 good_service_net +# +# Only fast ACLs are supported. +#Default: +# none + +# TAG: clientside_mark +# Note: This option is only available if Squid is rebuilt with the +# Packet MARK (Linux) +# +# Allows you to apply a Netfilter mark value to packets being transmitted +# on the client-side, based on an ACL. +# +# clientside_mark mark-value [!]aclname ... +# +# Example where normal_service_net uses the mark value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# clientside_mark 0x00 normal_service_net +# clientside_mark 0x20 good_service_net +# +# Note: This feature is incompatible with qos_flows. Any mark values set here +# will be overwritten by mark values in qos_flows. #Default: # none # TAG: qos_flows # Allows you to select a TOS/DSCP value to mark outgoing -# connections with, based on where the reply was sourced. +# connections to the client, based on where the reply was sourced. +# For platforms using netfilter, allows you to set a netfilter mark +# value instead of, or in addition to, a TOS value. +# +# By default this functionality is disabled. To enable it with the default +# settings simply use "qos_flows mark" or "qos_flows tos". Default +# settings will result in the netfilter mark or TOS value being copied +# from the upstream connection to the client. Note that it is the connection +# CONNMARK value not the packet MARK value that is copied. +# +# It is not currently possible to copy the mark or TOS value from the +# client to the upstream connection request. # # TOS values really only have local significance - so you should # know what you're specifying. For more information, see RFC2474, # RFC2475, and RFC3260. # -# The TOS/DSCP byte must be exactly that - octet value 0x00-0xFF. -# Note that in practice often only values up to 0x3F are usable -# as the two highest bits have been redefined for use by ECN -# (RFC3168). +# The TOS/DSCP byte must be exactly that - a octet value 0 - 255. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. +# +# Mark values can be any unsigned 32-bit integer value. # -# This setting is configured by setting the source TOS values: +# This setting is configured by setting the following values: +# +# tos|mark Whether to set TOS or netfilter mark values # # local-hit=0xFF Value to mark local cache hits. # @@ -1328,23 +1946,37 @@ http_port 3128 # # parent-hit=0xFF Value to mark hits from parent peers. # +# miss=0xFF[/mask] Value to mark cache misses. Takes precedence +# over the preserve-miss feature (see below), unless +# mask is specified, in which case only the bits +# specified in the mask are written. # -# NOTE: 'miss' preserve feature is only possible on Linux at this time. -# -# For the following to work correctly, you will need to patch your -# linux kernel with the TOS preserving ZPH patch. -# The kernel patch can be downloaded from http://zph.bratcheda.org +# The TOS variant of the following features are only possible on Linux +# and require your kernel to be patched with the TOS preserving ZPH +# patch, available from http://zph.bratcheda.org +# No patch is needed to preserve the netfilter mark, which will work +# with all variants of netfilter. # # disable-preserve-miss -# By default, the existing TOS value of the response coming -# from the remote server will be retained and masked with -# miss-mark. This option disables that feature. +# This option disables the preservation of the TOS or netfilter +# mark. By default, the existing TOS or netfilter mark value of +# the response coming from the remote server will be retained +# and masked with miss-mark. +# NOTE: in the case of a netfilter mark, the mark must be set on +# the connection (using the CONNMARK target) not on the packet +# (MARK target). # # miss-mask=0xFF -# Allows you to mask certain bits in the TOS received from the -# remote server, before copying the value to the TOS sent -# towards clients. -# Default: 0xFF (TOS from server is not changed). +# Allows you to mask certain bits in the TOS or mark value +# received from the remote server, before copying the value to +# the TOS sent towards clients. +# Default for tos: 0xFF (TOS from server is not changed). +# Default for mark: 0xFFFFFFFF (mark from server is not changed). +# +# All of these features require the --enable-zph-qos compilation flag +# (enabled by default). Netfilter marking also requires the +# libnetfilter_conntrack libraries (--with-netfilter-conntrack) and +# libcap 2.09+ (--with-libcap). # #Default: # none @@ -1356,72 +1988,133 @@ http_port 3128 # # tcp_outgoing_address ipaddr [[!]aclname] ... # -# Example where requests from 10.0.0.0/24 will be forwarded -# with source address 10.1.0.1, 10.0.2.0/24 forwarded with -# source address 10.1.0.2 and the rest will be forwarded with -# source address 10.1.0.3. -# -# acl normal_service_net src 10.0.0.0/24 -# acl good_service_net src 10.0.2.0/24 -# tcp_outgoing_address 10.1.0.1 normal_service_net -# tcp_outgoing_address 10.1.0.2 good_service_net -# tcp_outgoing_address 10.1.0.3 -# -# Processing proceeds in the order specified, and stops at first fully -# matching line. -# -# Note: The use of this directive using client dependent ACLs is -# incompatible with the use of server side persistent connections. To -# ensure correct results it is best to set server_persistent_connections -# to off when using this directive in such configurations. -# +# For example; +# Forwarding clients with dedicated IPs for certain subnets. # -# IPv6 Magic: +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.2.0/24 # -# Squid is built with a capability of bridging the IPv4 and IPv6 -# internets. -# tcp_outgoing_address as exampled above breaks this bridging by forcing -# all outbound traffic through a certain IPv4 which may be on the wrong -# side of the IPv4/IPv6 boundary. +# tcp_outgoing_address 2001:db8::c001 good_service_net +# tcp_outgoing_address 10.1.0.2 good_service_net # -# To operate with tcp_outgoing_address and keep the bridging benefits -# an additional ACL needs to be used which ensures the IPv6-bound traffic -# is never forced or permitted out the IPv4 interface. +# tcp_outgoing_address 2001:db8::beef normal_service_net +# tcp_outgoing_address 10.1.0.1 normal_service_net # -# # IPv6 destination test along with a dummy access control to perform the required DNS -# # This MUST be place before any ALLOW rules. -# acl to_ipv6 dst ipv6 -# http_access deny ipv6 !all +# tcp_outgoing_address 2001:db8::1 +# tcp_outgoing_address 10.1.0.3 # -# tcp_outgoing_address 2001:db8::c001 good_service_net to_ipv6 -# tcp_outgoing_address 10.1.0.2 good_service_net !to_ipv6 +# Processing proceeds in the order specified, and stops at first fully +# matching line. # -# tcp_outgoing_address 2001:db8::beef normal_service_net to_ipv6 -# tcp_outgoing_address 10.1.0.1 normal_service_net !to_ipv6 +# Squid will add an implicit IP version test to each line. +# Requests going to IPv4 websites will use the outgoing 10.1.0.* addresses. +# Requests going to IPv6 websites will use the outgoing 2001:db8:* addresses. # -# tcp_outgoing_address 2001:db8::1 to_ipv6 -# tcp_outgoing_address 10.1.0.3 !to_ipv6 # -# WARNING: -# 'dst ipv6' bases its selection assuming DIRECT access. -# If peers are used the peername ACL are needed to select outgoing -# address which can link to the peer. +# NOTE: The use of this directive using client dependent ACLs is +# incompatible with the use of server side persistent connections. To +# ensure correct results it is best to set server_persistent_connections +# to off when using this directive in such configurations. # -# 'dst ipv6' is a slow ACL. It will only work here if 'dst' is used -# previously in the http_access rules to locate the destination IP. -# Some more magic may be needed for that: -# http_access allow to_ipv6 !all -# (meaning, allow if to IPv6 but not from anywhere ;) +# NOTE: The use of this directive to set a local IP on outgoing TCP links +# is incompatible with using TPROXY to set client IP out outbound TCP links. +# When needing to contact peers use the no-tproxy cache_peer option and the +# client_dst_passthru directive re-enable normal forwarding such as this. # #Default: -# none +# Address selection is performed by the operating system. + +# TAG: host_verify_strict +# Regardless of this option setting, when dealing with intercepted +# traffic, Squid always verifies that the destination IP address matches +# the Host header domain or IP (called 'authority form URL'). +# +# This enforcement is performed to satisfy a MUST-level requirement in +# RFC 2616 section 14.23: "The Host field value MUST represent the naming +# authority of the origin server or gateway given by the original URL". +# +# When set to ON: +# Squid always responds with an HTTP 409 (Conflict) error +# page and logs a security warning if there is no match. +# +# Squid verifies that the destination IP address matches +# the Host header for forward-proxy and reverse-proxy traffic +# as well. For those traffic types, Squid also enables the +# following checks, comparing the corresponding Host header +# and Request-URI components: +# +# * The host names (domain or IP) must be identical, +# but valueless or missing Host header disables all checks. +# For the two host names to match, both must be either IP +# or FQDN. +# +# * Port numbers must be identical, but if a port is missing +# the scheme-default port is assumed. +# +# +# When set to OFF (the default): +# Squid allows suspicious requests to continue but logs a +# security warning and blocks caching of the response. +# +# * Forward-proxy traffic is not checked at all. +# +# * Reverse-proxy traffic is not checked at all. +# +# * Intercepted traffic which passes verification is handled +# according to client_dst_passthru. +# +# * Intercepted requests which fail verification are sent +# to the client original destination instead of DIRECT. +# This overrides 'client_dst_passthru off'. +# +# For now suspicious intercepted CONNECT requests are always +# responded to with an HTTP 409 (Conflict) error page. +# +# +# SECURITY NOTE: +# +# As described in CVE-2009-0801 when the Host: header alone is used +# to determine the destination of a request it becomes trivial for +# malicious scripts on remote websites to bypass browser same-origin +# security policy and sandboxing protections. +# +# The cause of this is that such applets are allowed to perform their +# own HTTP stack, in which case the same-origin policy of the browser +# sandbox only verifies that the applet tries to contact the same IP +# as from where it was loaded at the IP level. The Host: header may +# be different from the connected IP and approved origin. +# +#Default: +# host_verify_strict off + +# TAG: client_dst_passthru +# With NAT or TPROXY intercepted traffic Squid may pass the request +# directly to the original client destination IP or seek a faster +# source using the HTTP Host header. +# +# Using Host to locate alternative servers can provide faster +# connectivity with a range of failure recovery options. +# But can also lead to connectivity trouble when the client and +# server are attempting stateful interactions unaware of the proxy. +# +# This option (on by default) prevents alternative DNS entries being +# located to send intercepted traffic DIRECT to an origin server. +# The clients original destination IP and port will be used instead. +# +# Regardless of this option setting, when dealing with intercepted +# traffic Squid will verify the Host: header and any traffic which +# fails Host verification will be treated as if this option were ON. +# +# see host_verify_strict for details on the verification process. +#Default: +# client_dst_passthru on # SSL OPTIONS # ----------------------------------------------------------------------------- # TAG: ssl_unclean_shutdown # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Some browsers (especially MSIE) bugs out on SSL shutdown # messages. @@ -1430,7 +2123,7 @@ http_port 3128 # TAG: ssl_engine # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # The OpenSSL engine to use. You will need to set this if you # would like to use hardware SSL acceleration for example. @@ -1439,7 +2132,7 @@ http_port 3128 # TAG: sslproxy_client_certificate # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Client SSL Certificate to use when proxying https:// URLs #Default: @@ -1447,7 +2140,7 @@ http_port 3128 # TAG: sslproxy_client_key # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Client SSL Key to use when proxying https:// URLs #Default: @@ -1455,36 +2148,60 @@ http_port 3128 # TAG: sslproxy_version # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # SSL version level to use when proxying https:// URLs +# +# The versions of SSL/TLS supported: +# +# 1 automatic (default) +# 2 SSLv2 only +# 3 SSLv3 only +# 4 TLSv1.0 only +# 5 TLSv1.1 only +# 6 TLSv1.2 only #Default: -# sslproxy_version 1 +# automatic SSL/TLS version negotiation # TAG: sslproxy_options # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # -# SSL engine options to use when proxying https:// URLs +# Colon (:) or comma (,) separated list of SSL implementation options +# to use when proxying https:// URLs # # The most important being: # -# NO_SSLv2 Disallow the use of SSLv2 -# NO_SSLv3 Disallow the use of SSLv3 -# NO_TLSv1 Disallow the use of TLSv1 -# SINGLE_DH_USE -# Always create a new key when using -# temporary/ephemeral DH key exchanges +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# +# SINGLE_DH_USE +# Always create a new key when using temporary/ephemeral +# DH key exchanges +# +# NO_TICKET +# Disable use of RFC5077 session tickets. Some servers +# may have problems understanding the TLS extension due +# to ambiguous specification in RFC4507. +# +# ALL Enable various bug workarounds suggested as "harmless" +# by OpenSSL. Be warned that this may reduce SSL/TLS +# strength to some attacks. # -# These options vary depending on your SSL engine. # See the OpenSSL SSL_CTX_set_options documentation for a # complete list of possible options. +# +# WARNING: This directive takes a single token. If a space is used +# the value(s) after that space are SILENTLY IGNORED. #Default: # none # TAG: sslproxy_cipher # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # SSL cipher list to use when proxying https:// URLs # @@ -1494,7 +2211,7 @@ http_port 3128 # TAG: sslproxy_cafile # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # file containing CA certificates to use when verifying server # certificates while proxying https:// URLs @@ -1503,45 +2220,151 @@ http_port 3128 # TAG: sslproxy_capath # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # directory containing CA certificates to use when verifying # server certificates while proxying https:// URLs #Default: # none -# TAG: ssl_bump +# TAG: sslproxy_session_ttl +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the timeout value for SSL sessions +#Default: +# sslproxy_session_ttl 300 + +# TAG: sslproxy_session_cache_size +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the cache size to use for ssl session +#Default: +# sslproxy_session_cache_size 2 MB + +# TAG: sslproxy_foreign_intermediate_certs # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # -# This ACL controls which CONNECT requests to an http_port -# marked with an sslBump flag are actually "bumped". Please -# see the sslBump flag of an http_port option for more details -# about decoding proxied SSL connections. +# Many origin servers fail to send their full server certificate +# chain for verification, assuming the client already has or can +# easily locate any missing intermediate certificates. # -# By default, no requests are bumped. +# Squid uses the certificates from the specified file to fill in +# these missing chains when trying to validate origin server +# certificate chains. +# +# The file is expected to contain zero or more PEM-encoded +# intermediate certificates. These certificates are not treated +# as trusted root certificates, and any self-signed certificate in +# this file will be ignored. +#Default: +# none + +# TAG: sslproxy_cert_sign_hash +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the hashing algorithm to use when signing generated certificates. +# Valid algorithm names depend on the OpenSSL library used. The following +# names are usually available: sha1, sha256, sha512, and md5. Please see +# your OpenSSL library manual for the available hashes. By default, Squids +# that support this option use sha256 hashes. +# +# Squid does not forcefully purge cached certificates that were generated +# with an algorithm other than the currently configured one. They remain +# in the cache, subject to the regular cache eviction policy, and become +# useful if the algorithm changes again. +#Default: +# none + +# TAG: ssl_bump +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# This option is consulted when a CONNECT request is received on +# an http_port (or a new connection is intercepted at an +# https_port), provided that port was configured with an ssl-bump +# flag. The subsequent data on the connection is either treated as +# HTTPS and decrypted OR tunneled at TCP level without decryption, +# depending on the first matching bumping "action". +# +# ssl_bump [!]acl ... +# +# The following bumping actions are currently supported: +# +# splice +# Become a TCP tunnel without decrypting proxied traffic. +# This is the default action. +# +# bump +# Establish a secure connection with the server and, using a +# mimicked server certificate, with the client. +# +# peek +# Receive client (step SslBump1) or server (step SslBump2) +# certificate while preserving the possibility of splicing the +# connection. Peeking at the server certificate (during step 2) +# usually precludes bumping of the connection at step 3. +# +# stare +# Receive client (step SslBump1) or server (step SslBump2) +# certificate while preserving the possibility of bumping the +# connection. Staring at the server certificate (during step 2) +# usually precludes splicing of the connection at step 3. +# +# terminate +# Close client and server connections. +# +# Backward compatibility actions available at step SslBump1: +# +# client-first +# Bump the connection. Establish a secure connection with the +# client first, then connect to the server. This old mode does +# not allow Squid to mimic server SSL certificate and does not +# work with intercepted SSL connections. +# +# server-first +# Bump the connection. Establish a secure connection with the +# server first, then establish a secure connection with the +# client, using a mimicked server certificate. Works with both +# CONNECT requests and intercepted SSL connections, but does +# not allow to make decisions based on SSL handshake info. +# +# peek-and-splice +# Decide whether to bump or splice the connection based on +# client-to-squid and server-to-squid SSL hello messages. +# XXX: Remove. +# +# none +# Same as the "splice" action. +# +# All ssl_bump rules are evaluated at each of the supported bumping +# steps. Rules with actions that are impossible at the current step are +# ignored. The first matching ssl_bump action wins and is applied at the +# end of the current step. If no rules match, the splice action is used. +# See the at_step ACL for a list of the supported SslBump steps. # -# See also: http_port ssl-bump -# # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # +# See also: http_port ssl-bump, https_port ssl-bump, and acl at_step. +# # -# # Example: Bump all requests except those originating from localhost and -# # those going to webax.com or example.com sites. +# # Example: Bump all TLS connections except those originating from +# # localhost or those going to example.com. # -# acl localhost src 127.0.0.1/32 -# acl broken_sites dstdomain .webax.com -# acl broken_sites dstdomain .example.com -# ssl_bump deny localhost -# ssl_bump deny broken_sites -# ssl_bump allow all +# acl broken_sites ssl::server_name .example.com +# ssl_bump splice localhost +# ssl_bump splice broken_sites +# ssl_bump bump all #Default: -# none +# Become a TCP tunnel without decrypting proxied traffic. # TAG: sslproxy_flags # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Various flags modifying the use of SSL while proxying https:// URLs: # DONT_VERIFY_PEER Accept certificates that fail verification. @@ -1553,16 +2376,16 @@ http_port 3128 # TAG: sslproxy_cert_error # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Use this ACL to bypass server certificate validation errors. # # For example, the following lines will bypass all validation errors -# when talking to servers located at 172.16.0.0/16. All other +# when talking to servers for example.com. All other # validation errors will result in ERR_SECURE_CONNECT_FAIL error. # -# acl BrokenServersAtTrustedIP dst 172.16.0.0/16 -# sslproxy_cert_error allow BrokenServersAtTrustedIP +# acl BrokenButTrustedServers dstdomain example.com +# sslproxy_cert_error allow BrokenButTrustedServers # sslproxy_cert_error deny all # # This clause only supports fast acl types. @@ -1570,19 +2393,107 @@ http_port 3128 # Using slow acl types may result in server crashes # # Without this option, all server certificate validation errors -# terminate the transaction. Bypassing validation errors is dangerous -# because an error usually implies that the server cannot be trusted and -# the connection may be insecure. +# terminate the transaction to protect Squid and the client. +# +# SQUID_X509_V_ERR_INFINITE_VALIDATION error cannot be bypassed +# but should not happen unless your OpenSSL library is buggy. +# +# SECURITY WARNING: +# Bypassing validation errors is dangerous because an +# error usually implies that the server cannot be trusted +# and the connection may be insecure. # # See also: sslproxy_flags and DONT_VERIFY_PEER. +#Default: +# Server certificate errors terminate the transaction. + +# TAG: sslproxy_cert_sign +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# # -# Default setting: sslproxy_cert_error deny all +# sslproxy_cert_sign acl ... +# +# The following certificate signing algorithms are supported: +# +# signTrusted +# Sign using the configured CA certificate which is usually +# placed in and trusted by end-user browsers. This is the +# default for trusted origin server certificates. +# +# signUntrusted +# Sign to guarantee an X509_V_ERR_CERT_UNTRUSTED browser error. +# This is the default for untrusted origin server certificates +# that are not self-signed (see ssl::certUntrusted). +# +# signSelf +# Sign using a self-signed certificate with the right CN to +# generate a X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT error in the +# browser. This is the default for self-signed origin server +# certificates (see ssl::certSelfSigned). +# +# This clause only supports fast acl types. +# +# When sslproxy_cert_sign acl(s) match, Squid uses the corresponding +# signing algorithm to generate the certificate and ignores all +# subsequent sslproxy_cert_sign options (the first match wins). If no +# acl(s) match, the default signing algorithm is determined by errors +# detected when obtaining and validating the origin server certificate. +# +# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can +# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a +# CONNECT request that carries a domain name. In all other cases (CONNECT +# to an IP address or an intercepted SSL connection), Squid cannot detect +# the domain mismatch at certificate generation time when +# bump-server-first is used. +#Default: +# none + +# TAG: sslproxy_cert_adapt +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# +# sslproxy_cert_adapt acl ... +# +# The following certificate adaptation algorithms are supported: +# +# setValidAfter +# Sets the "Not After" property to the "Not After" property of +# the CA certificate used to sign generated certificates. +# +# setValidBefore +# Sets the "Not Before" property to the "Not Before" property of +# the CA certificate used to sign generated certificates. +# +# setCommonName or setCommonName{CN} +# Sets Subject.CN property to the host name specified as a +# CN parameter or, if no explicit CN parameter was specified, +# extracted from the CONNECT request. It is a misconfiguration +# to use setCommonName without an explicit parameter for +# intercepted or tproxied SSL connections. +# +# This clause only supports fast acl types. +# +# Squid first groups sslproxy_cert_adapt options by adaptation algorithm. +# Within a group, when sslproxy_cert_adapt acl(s) match, Squid uses the +# corresponding adaptation algorithm to generate the certificate and +# ignores all subsequent sslproxy_cert_adapt options in that algorithm's +# group (i.e., the first match wins within each algorithm group). If no +# acl(s) match, the default mimicking action takes place. +# +# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can +# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a +# CONNECT request that carries a domain name. In all other cases (CONNECT +# to an IP address or an intercepted SSL connection), Squid cannot detect +# the domain mismatch at certificate generation time when +# bump-server-first is used. #Default: # none # TAG: sslpassword_program # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Specify a program used for entering SSL key passphrases # when using encrypted SSL certificate keys. If not specified @@ -1595,12 +2506,12 @@ http_port 3128 #Default: # none -#OPTIONS RELATING TO EXTERNAL SSL_CRTD -#----------------------------------------------------------------------------- +# OPTIONS RELATING TO EXTERNAL SSL_CRTD +# ----------------------------------------------------------------------------- # TAG: sslcrtd_program # Note: This option is only available if Squid is rebuilt with the -# -DUSE_SSL_CRTD define +# --enable-ssl-crtd # # Specify the location and options of the executable for ssl_crtd process. # /usr/lib/squid/ssl_crtd program requires -s and -M parameters @@ -1611,14 +2522,90 @@ http_port 3128 # TAG: sslcrtd_children # Note: This option is only available if Squid is rebuilt with the -# -DUSE_SSL_CRTD define +# --enable-ssl-crtd # # The maximum number of processes spawn to service ssl server. # The maximum this may be safely set to is 32. # +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup=N +# +# Sets the minimum number of processes to spawn when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few children temporary slows Squid under load while it +# tries to spawn enough additional processes to cope with traffic. +# +# idle=N +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# # You must have at least one ssl_crtd process. #Default: -# sslcrtd_children 5 +# sslcrtd_children 32 startup=5 idle=1 + +# TAG: sslcrtvalidator_program +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Specify the location and options of the executable for ssl_crt_validator +# process. +# +# Usage: sslcrtvalidator_program [ttl=n] [cache=n] path ... +# +# Options: +# ttl=n TTL in seconds for cached results. The default is 60 secs +# cache=n limit the result cache size. The default value is 2048 +#Default: +# none + +# TAG: sslcrtvalidator_children +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# The maximum number of processes spawn to service SSL server. +# The maximum this may be safely set to is 32. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup=N +# +# Sets the minimum number of processes to spawn when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few children temporary slows Squid under load while it +# tries to spawn enough additional processes to cope with traffic. +# +# idle=N +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# +# The number of requests each certificate validator helper can handle in +# parallel. A value of 0 indicates the certficate validator does not +# support concurrency. Defaults to 1. +# +# When this directive is set to a value >= 1 then the protocol +# used to communicate with the helper is modified to include +# a request ID in front of the request/response. The request +# ID from the request must be echoed back with the response +# to that request. +# +# You must have at least one ssl_crt_validator process. +#Default: +# sslcrtvalidator_children 32 startup=5 idle=1 concurrency=1 # OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM # ----------------------------------------------------------------------------- @@ -1680,22 +2667,23 @@ http_port 3128 # # htcp Send HTCP, instead of ICP, queries to the neighbor. # You probably also want to set the "icp-port" to 4827 -# instead of 3130. +# instead of 3130. This directive accepts a comma separated +# list of options described below. # -# htcp-oldsquid Send HTCP to old Squid versions. +# htcp=oldsquid Send HTCP to old Squid versions (2.5 or earlier). # -# htcp-no-clr Send HTCP to the neighbor but without +# htcp=no-clr Send HTCP to the neighbor but without # sending any CLR requests. This cannot be used with -# htcp-only-clr. +# only-clr. # -# htcp-only-clr Send HTCP to the neighbor but ONLY CLR requests. -# This cannot be used with htcp-no-clr. +# htcp=only-clr Send HTCP to the neighbor but ONLY CLR requests. +# This cannot be used with no-clr. # -# htcp-no-purge-clr +# htcp=no-purge-clr # Send HTCP to the neighbor including CLRs but only when # they do not result from PURGE requests. # -# htcp-forward-clr +# htcp=forward-clr # Forward any HTCP CLR requests this proxy receives to the peer. # # @@ -1768,6 +2756,14 @@ http_port 3128 # than the Squid default location. # # +# ==== CARP OPTIONS ==== +# +# carp-key=key-specification +# use a different key than the full URL to hash against the peer. +# the key-specification is a comma-separated list of the keywords +# scheme, host, port, path, params +# Order is not important. +# # ==== ACCELERATOR / REVERSE-PROXY OPTIONS ==== # # originserver Causes this parent to be contacted as an origin server. @@ -1795,20 +2791,23 @@ http_port 3128 # Note: The string can include URL escapes (i.e. %20 for # spaces). This also means % must be written as %%. # -# login=PROXYPASS +# login=PASSTHRU # Send login details received from client to this peer. -# Authentication is not required, nor changed. +# Both Proxy- and WWW-Authorization headers are passed +# without alteration to the peer. +# Authentication is not required by Squid for this to work. # # Note: This will pass any form of authentication but # only Basic auth will work through a proxy unless the # connection-auth options are also used. -# +# # login=PASS Send login details received from client to this peer. # Authentication is not required by this option. +# # If there are no client-provided authentication headers # to pass on, but username and password are available -# from either proxy login or an external ACL user= and -# password= result tags they may be sent instead. +# from an external ACL user= and password= result tags +# they may be sent instead. # # Note: To combine this with proxy_auth both proxies must # share the same user database as HTTP only allows for @@ -1826,6 +2825,27 @@ http_port 3128 # be used to identify this proxy to the peer, similar to # the login=username:password option above. # +# login=NEGOTIATE +# If this is a personal/workgroup proxy and your parent +# requires a secure proxy authentication. +# The first principal from the default keytab or defined by +# the environment variable KRB5_KTNAME will be used. +# +# WARNING: The connection may transmit requests from multiple +# clients. Negotiate often assumes end-to-end authentication +# and a single-client. Which is not strictly true here. +# +# login=NEGOTIATE:principal_name +# If this is a personal/workgroup proxy and your parent +# requires a secure proxy authentication. +# The principal principal_name from the default keytab or +# defined by the environment variable KRB5_KTNAME will be +# used. +# +# WARNING: The connection may transmit requests from multiple +# clients. Negotiate often assumes end-to-end authentication +# and a single-client. Which is not strictly true here. +# # connection-auth=on|off # Tell Squid that this peer does or not support Microsoft # connection oriented authentication, and any such @@ -1848,22 +2868,42 @@ http_port 3128 # reference a combined file containing both the # certificate and the key. # -# sslversion=1|2|3|4 +# sslversion=1|2|3|4|5|6 # The SSL version to use when connecting to this peer # 1 = automatic (default) # 2 = SSL v2 only # 3 = SSL v3 only -# 4 = TLS v1 only +# 4 = TLS v1.0 only +# 5 = TLS v1.1 only +# 6 = TLS v1.2 only # # sslcipher=... The list of valid SSL ciphers to use when connecting # to this peer. # -# ssloptions=... Specify various SSL engine options: -# NO_SSLv2 Disallow the use of SSLv2 -# NO_SSLv3 Disallow the use of SSLv3 -# NO_TLSv1 Disallow the use of TLSv1 -# See src/ssl_support.c or the OpenSSL documentation for -# a more complete list. +# ssloptions=... Specify various SSL implementation options: +# +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# +# SINGLE_DH_USE +# Always create a new key when using +# temporary/ephemeral DH key exchanges +# +# NO_TICKET +# Disable use of RFC5077 session tickets. Some servers +# may have problems understanding the TLS extension due +# to ambiguous specification in RFC4507. +# +# ALL Enable various bug workarounds +# suggested as "harmless" by OpenSSL +# Be warned that this reduces SSL/TLS +# strength to some attacks. +# +# See the OpenSSL SSL_CTX_set_options documentation for a +# more complete list. # # sslcafile=... A file containing additional CA certificates to use # when verifying the peer certificate. @@ -1907,29 +2947,74 @@ http_port 3128 # # connect-fail-limit=N # How many times connecting to a peer must fail before -# it is marked as down. Default is 10. +# it is marked as down. Standby connection failures +# count towards this limit. Default is 10. # # allow-miss Disable Squid's use of only-if-cached when forwarding # requests to siblings. This is primarily useful when -# icp_hit_stale is used by the sibling. To extensive use -# of this option may result in forwarding loops, and you -# should avoid having two-way peerings with this option. -# For example to deny peer usage on requests from peer -# by denying cache_peer_access if the source is a peer. +# icp_hit_stale is used by the sibling. Excessive use +# of this option may result in forwarding loops. One way +# to prevent peering loops when using this option, is to +# deny cache peer usage on requests from a peer: +# acl fromPeer ... +# cache_peer_access peerName deny fromPeer +# +# max-conn=N Limit the number of concurrent connections the Squid +# may open to this peer, including already opened idle +# and standby connections. There is no peer-specific +# connection limit by default. # -# max-conn=N Limit the amount of connections Squid may open to this -# peer. see also +# A peer exceeding the limit is not used for new +# requests unless a standby connection is available. +# +# max-conn currently works poorly with idle persistent +# connections: When a peer reaches its max-conn limit, +# and there are idle persistent connections to the peer, +# the peer may not be selected because the limiting code +# does not know whether Squid can reuse those idle +# connections. +# +# standby=N Maintain a pool of N "hot standby" connections to an +# UP peer, available for requests when no idle +# persistent connection is available (or safe) to use. +# By default and with zero N, no such pool is maintained. +# N must not exceed the max-conn limit (if any). +# +# At start or after reconfiguration, Squid opens new TCP +# standby connections until there are N connections +# available and then replenishes the standby pool as +# opened connections are used up for requests. A used +# connection never goes back to the standby pool, but +# may go to the regular idle persistent connection pool +# shared by all peers and origin servers. +# +# Squid never opens multiple new standby connections +# concurrently. This one-at-a-time approach minimizes +# flooding-like effect on peers. Furthermore, just a few +# standby connections should be sufficient in most cases +# to supply most new requests with a ready-to-use +# connection. +# +# Standby connections obey server_idle_pconn_timeout. +# For the feature to work as intended, the peer must be +# configured to accept and keep them open longer than +# the idle timeout at the connecting Squid, to minimize +# race conditions typical to idle used persistent +# connections. Default request_timeout and +# server_idle_pconn_timeout values ensure such a +# configuration. # # name=xxx Unique name for the peer. # Required if you have multiple peers on the same host # but different ports. # This name can be used in cache_peer_access and similar -# directives to dentify the peer. +# directives to identify the peer. # Can be used by outgoing access controls through the # peername ACL type. # # no-tproxy Do not use the client-spoof TPROXY support when forwarding # requests to this peer. Use normal address selection instead. +# This overrides the spoof_client_ip ACL. # # proxy-only objects fetched from the peer will not be stored locally. # @@ -1938,10 +3023,11 @@ http_port 3128 # TAG: cache_peer_domain # Use to limit the domains for which a neighbor cache will be -# queried. Usage: +# queried. # -# cache_peer_domain cache-host domain [domain ...] -# cache_peer_domain cache-host !domain +# Usage: +# cache_peer_domain cache-host domain [domain ...] +# cache_peer_domain cache-host !domain # # For example, specifying # @@ -1966,33 +3052,57 @@ http_port 3128 # none # TAG: cache_peer_access -# Similar to 'cache_peer_domain' but provides more flexibility by -# using ACL elements. +# Restricts usage of cache_peer proxies. # -# cache_peer_access cache-host allow|deny [!]aclname ... +# Usage: +# cache_peer_access peer-name allow|deny [!]aclname ... +# +# For the required peer-name parameter, use either the value of the +# cache_peer name=value parameter or, if name=value is missing, the +# cache_peer hostname parameter. +# +# This directive narrows down the selection of peering candidates, but +# does not determine the order in which the selected candidates are +# contacted. That order is determined by the peer selection algorithms +# (see PEER SELECTION sections in the cache_peer documentation). +# +# If a deny rule matches, the corresponding peer will not be contacted +# for the current transaction -- Squid will not send ICP queries and +# will not forward HTTP requests to that peer. An allow match leaves +# the corresponding peer in the selection. The first match for a given +# peer wins for that peer. +# +# The relative order of cache_peer_access directives for the same peer +# matters. The relative order of any two cache_peer_access directives +# for different peers does not matter. To ease interpretation, it is a +# good idea to group cache_peer_access directives for the same peer +# together. +# +# A single cache_peer_access directive may be evaluated multiple times +# for a given transaction because individual peer selection algorithms +# may check it independently from each other. These redundant checks +# may be optimized away in future Squid versions. # -# The syntax is identical to 'http_access' and the other lists of -# ACL elements. See the comments for 'http_access' below, or -# the Squid FAQ (http://wiki.squid-cache.org/SquidFaq/SquidAcl). +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# No peer usage restrictions. # TAG: neighbor_type_domain -# usage: neighbor_type_domain neighbor parent|sibling domain domain ... +# Modify the cache_peer neighbor type when passing requests +# about specific domains to the peer. # -# Modifying the neighbor type for specific domains is now -# possible. You can treat some domains differently than the the -# default neighbor type specified on the 'cache_peer' line. -# Normally it should only be necessary to list domains which -# should be treated differently because the default neighbor type -# applies for hostnames which do not match domains listed here. +# Usage: +# neighbor_type_domain neighbor parent|sibling domain domain ... # -#EXAMPLE: -# cache_peer cache.foo.org parent 3128 3130 -# neighbor_type_domain cache.foo.org sibling .com .net -# neighbor_type_domain cache.foo.org sibling .au .de +# For example: +# cache_peer foo.example.com parent 3128 3130 +# neighbor_type_domain foo.example.com sibling .au .de +# +# The above configuration treats all requests to foo.example.com as a +# parent proxy unless the request is for a .au or .de ccTLD domain name. #Default: -# none +# The peer type from cache_peer directive is used for all requests to that peer. # TAG: dead_peer_timeout (seconds) # This controls how long Squid waits to declare a peer cache @@ -2015,21 +3125,11 @@ http_port 3128 # TAG: forward_max_tries # Controls how many different forward paths Squid will try # before giving up. See also forward_timeout. +# +# NOTE: connect_retries (default: none) can make each of these +# possible forwarding paths be tried multiple times. #Default: -# forward_max_tries 10 - -# TAG: hierarchy_stoplist -# A list of words which, if found in a URL, cause the object to -# be handled directly by this cache. In other words, use this -# to not query neighbor caches for certain objects. You may -# list this option multiple times. -# -# Example: -# hierarchy_stoplist cgi-bin ? -# -# Note: never_direct overrides this option. -#Default: -# none +# forward_max_tries 25 # MEMORY CACHE OPTIONS # ----------------------------------------------------------------------------- @@ -2064,6 +3164,11 @@ http_port 3128 # decreases, blocks will be freed until the high-water mark is # reached. Thereafter, blocks will be used to store hot # objects. +# +# If shared memory caching is enabled, Squid does not use the shared +# cache space for in-transit objects, but they still consume as much +# local memory as they need. For more details about the shared memory +# cache, see memory_cache_shared. #Default: # cache_mem 256 MB @@ -2075,11 +3180,45 @@ http_port 3128 #Default: # maximum_object_size_in_memory 512 KB +# TAG: memory_cache_shared on|off +# Controls whether the memory cache is shared among SMP workers. +# +# The shared memory cache is meant to occupy cache_mem bytes and replace +# the non-shared memory cache, although some entities may still be +# cached locally by workers for now (e.g., internal and in-transit +# objects may be served from a local memory cache even if shared memory +# caching is enabled). +# +# By default, the memory cache is shared if and only if all of the +# following conditions are satisfied: Squid runs in SMP mode with +# multiple workers, cache_mem is positive, and Squid environment +# supports required IPC primitives (e.g., POSIX shared memory segments +# and GCC-style atomic operations). +# +# To avoid blocking locks, shared memory uses opportunistic algorithms +# that do not guarantee that every cachable entity that could have been +# shared among SMP workers will actually be shared. +#Default: +# "on" where supported if doing memory caching with multiple SMP workers. + +# TAG: memory_cache_mode +# Controls which objects to keep in the memory cache (cache_mem) +# +# always Keep most recently fetched objects in memory (default) +# +# disk Only disk cache hits are kept in memory, which means +# an object must first be cached on disk and then hit +# a second time before cached in memory. +# +# network Only objects fetched from network is kept in memory +#Default: +# Keep the most recently fetched objects in memory + # TAG: memory_replacement_policy # The memory replacement policy parameter determines which # objects are purged from memory when memory space is needed. # -# See cache_replacement_policy for details. +# See cache_replacement_policy for details on algorithms. #Default: # memory_replacement_policy lru @@ -2095,7 +3234,7 @@ http_port 3128 # heap LFUDA: Least Frequently Used with Dynamic Aging # heap LRU : LRU policy implemented using a heap # -# Applies to any cache_dir lines listed below this. +# Applies to any cache_dir lines listed below this directive. # # The LRU policies keeps recently referenced objects. # @@ -2114,7 +3253,7 @@ http_port 3128 # replacement policies. # # NOTE: if using the LFUDA replacement policy you should increase -# the value of maximum_object_size above its default of 4096 KB to +# the value of maximum_object_size above its default of 4 MB to # to maximize the potential byte hit rate improvement of LFUDA. # # For more information about the GDSF and LFUDA cache replacement @@ -2123,10 +3262,34 @@ http_port 3128 #Default: # cache_replacement_policy lru +# TAG: minimum_object_size (bytes) +# Objects smaller than this size will NOT be saved on disk. The +# value is specified in bytes, and the default is 0 KB, which +# means all responses can be stored. +#Default: +# no limit + +# TAG: maximum_object_size (bytes) +# Set the default value for max-size parameter on any cache_dir. +# The value is specified in bytes, and the default is 4 MB. +# +# If you wish to get a high BYTES hit ratio, you should probably +# increase this (one 32 MB object hit counts for 3200 10KB +# hits). +# +# If you wish to increase hit ratio more than you want to +# save bandwidth you should leave this low. +# +# NOTE: if using the LFUDA replacement policy you should increase +# this value to maximize the byte hit rate improvement of LFUDA! +# See cache_replacement_policy for a discussion of this policy. +#Default: +# maximum_object_size 4 MB +maximum_object_size 153600 KB + # TAG: cache_dir -# Usage: -# -# cache_dir Type Directory-Name Fs-specific-data [options] +# Format: +# cache_dir Type Directory-Name Fs-specific-data [options] # # You can specify multiple cache_dir lines to spread the # cache among different disk partitions. @@ -2141,12 +3304,18 @@ http_port 3128 # The directory must exist and be writable by the Squid # process. Squid will NOT create this directory for you. # -# The ufs store type: +# In SMP configurations, cache_dir must not precede the workers option +# and should use configuration macros or conditionals to give each +# worker interested in disk caching a dedicated cache directory. +# +# +# ==== The ufs store type ==== # # "ufs" is the old well-known Squid storage format that has always # been there. # -# cache_dir ufs Directory-Name Mbytes L1 L2 [options] +# Usage: +# cache_dir ufs Directory-Name Mbytes L1 L2 [options] # # 'Mbytes' is the amount of disk space (MB) to use under this # directory. The default is 100 MB. Change this to suit your @@ -2161,23 +3330,27 @@ http_port 3128 # will be created under each first-level directory. The default # is 256. # -# The aufs store type: +# +# ==== The aufs store type ==== # # "aufs" uses the same storage format as "ufs", utilizing # POSIX-threads to avoid blocking the main Squid process on # disk-I/O. This was formerly known in Squid as async-io. # -# cache_dir aufs Directory-Name Mbytes L1 L2 [options] +# Usage: +# cache_dir aufs Directory-Name Mbytes L1 L2 [options] # # see argument descriptions under ufs above # -# The diskd store type: +# +# ==== The diskd store type ==== # # "diskd" uses the same storage format as "ufs", utilizing a # separate process to avoid blocking the main Squid process on # disk-I/O. # -# cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n] +# Usage: +# cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n] # # see argument descriptions under ufs above # @@ -2185,55 +3358,149 @@ http_port 3128 # stops opening new files. If this many messages are in the queues, # Squid won't open new files. Default is 64 # -# Q2 specifies the number of unacknowledged messages when Squid -# starts blocking. If this many messages are in the queues, -# Squid blocks until it receives some replies. Default is 72 +# Q2 specifies the number of unacknowledged messages when Squid +# starts blocking. If this many messages are in the queues, +# Squid blocks until it receives some replies. Default is 72 +# +# When Q1 < Q2 (the default), the cache directory is optimized +# for lower response time at the expense of a decrease in hit +# ratio. If Q1 > Q2, the cache directory is optimized for +# higher hit ratio at the expense of an increase in response +# time. +# +# +# ==== The rock store type ==== +# +# Usage: +# cache_dir rock Directory-Name Mbytes [options] +# +# The Rock Store type is a database-style storage. All cached +# entries are stored in a "database" file, using fixed-size slots. +# A single entry occupies one or more slots. +# +# If possible, Squid using Rock Store creates a dedicated kid +# process called "disker" to avoid blocking Squid worker(s) on disk +# I/O. One disker kid is created for each rock cache_dir. Diskers +# are created only when Squid, running in daemon mode, has support +# for the IpcIo disk I/O module. +# +# swap-timeout=msec: Squid will not start writing a miss to or +# reading a hit from disk if it estimates that the swap operation +# will take more than the specified number of milliseconds. By +# default and when set to zero, disables the disk I/O time limit +# enforcement. Ignored when using blocking I/O module because +# blocking synchronous I/O does not allow Squid to estimate the +# expected swap wait time. +# +# max-swap-rate=swaps/sec: Artificially limits disk access using +# the specified I/O rate limit. Swap out requests that +# would cause the average I/O rate to exceed the limit are +# delayed. Individual swap in requests (i.e., hits or reads) are +# not delayed, but they do contribute to measured swap rate and +# since they are placed in the same FIFO queue as swap out +# requests, they may wait longer if max-swap-rate is smaller. +# This is necessary on file systems that buffer "too +# many" writes and then start blocking Squid and other processes +# while committing those writes to disk. Usually used together +# with swap-timeout to avoid excessive delays and queue overflows +# when disk demand exceeds available disk "bandwidth". By default +# and when set to zero, disables the disk I/O rate limit +# enforcement. Currently supported by IpcIo module only. +# +# slot-size=bytes: The size of a database "record" used for +# storing cached responses. A cached response occupies at least +# one slot and all database I/O is done using individual slots so +# increasing this parameter leads to more disk space waste while +# decreasing it leads to more disk I/O overheads. Should be a +# multiple of your operating system I/O page size. Defaults to +# 16KBytes. A housekeeping header is stored with each slot and +# smaller slot-sizes will be rejected. The header is smaller than +# 100 bytes. +# +# +# ==== COMMON OPTIONS ==== +# +# no-store no new objects should be stored to this cache_dir. +# +# min-size=n the minimum object size in bytes this cache_dir +# will accept. It's used to restrict a cache_dir +# to only store large objects (e.g. AUFS) while +# other stores are optimized for smaller objects +# (e.g. Rock). +# Defaults to 0. +# +# max-size=n the maximum object size in bytes this cache_dir +# supports. +# The value in maximum_object_size directive sets +# the default unless more specific details are +# available (ie a small store capacity). +# +# Note: To make optimal use of the max-size limits you should order +# the cache_dir lines with the smallest max-size value first. +# +#Default: +# No disk cache. Store cache ojects only in memory. +# + +# Uncomment and adjust the following to add a disk cache directory. +#cache_dir ufs /var/spool/squid 100 16 256 +cache_dir ufs /var/spool/squid 4096 16 1024 + +# TAG: store_dir_select_algorithm +# How Squid selects which cache_dir to use when the response +# object will fit into more than one. +# +# Regardless of which algorithm is used the cache_dir min-size +# and max-size parameters are obeyed. As such they can affect +# the selection algorithm by limiting the set of considered +# cache_dir. +# +# Algorithms: +# +# least-load +# +# This algorithm is suited to caches with similar cache_dir +# sizes and disk speeds. # -# When Q1 < Q2 (the default), the cache directory is optimized -# for lower response time at the expense of a decrease in hit -# ratio. If Q1 > Q2, the cache directory is optimized for -# higher hit ratio at the expense of an increase in response -# time. +# The disk with the least I/O pending is selected. +# When there are multiple disks with the same I/O load ranking +# the cache_dir with most available capacity is selected. # -# The coss store type: +# When a mix of cache_dir sizes are configured the faster disks +# have a naturally lower I/O loading and larger disks have more +# capacity. So space used to store objects and data throughput +# may be very unbalanced towards larger disks. # -# NP: COSS filesystem in Squid-3 has been deemed too unstable for -# production use and has thus been removed from this release. -# We hope that it can be made usable again soon. # -# block-size=n defines the "block size" for COSS cache_dir's. -# Squid uses file numbers as block numbers. Since file numbers -# are limited to 24 bits, the block size determines the maximum -# size of the COSS partition. The default is 512 bytes, which -# leads to a maximum cache_dir size of 512<<24, or 8 GB. Note -# you should not change the coss block size after Squid -# has written some objects to the cache_dir. +# round-robin # -# The coss file store has changed from 2.5. Now it uses a file -# called 'stripe' in the directory names in the config - and -# this will be created by squid -z. +# This algorithm is suited to caches with unequal cache_dir +# disk sizes. # -# Common options: +# Each cache_dir is selected in a rotation. The next suitable +# cache_dir is used. # -# no-store, no new objects should be stored to this cache_dir +# Available cache_dir capacity is only considered in relation +# to whether the object will fit and meets the min-size and +# max-size parameters. # -# max-size=n, refers to the max object size in bytes this cache_dir -# supports. It is used to select the cache_dir to store the object. -# Note: To make optimal use of the max-size limits you should order -# the cache_dir lines with the smallest max-size value first and the -# ones with no max-size specification last. +# Disk I/O loading is only considered to prevent overload on slow +# disks. This algorithm does not spread objects by size, so any +# I/O loading per-disk may appear very unbalanced and volatile. # -# Note for coss, max-size must be less than COSS_MEMBUF_SZ, -# which can be changed with the --with-coss-membuf-size=N configure -# option. +# If several cache_dirs use similar min-size, max-size, or other +# limits to to reject certain responses, then do not group such +# cache_dir lines together, to avoid round-robin selection bias +# towards the first cache_dir after the group. Instead, interleave +# cache_dir lines from different groups. For example: # - -# Uncomment and adjust the following to add a disk cache directory. -#cache_dir ufs /var/spool/squid 100 16 256 -cache_dir ufs /var/spool/squid 4096 16 1024 - -# TAG: store_dir_select_algorithm -# Set this to 'round-robin' as an alternative. +# store_dir_select_algorithm round-robin +# cache_dir rock /hdd1 ... min-size=100000 +# cache_dir rock /ssd1 ... max-size=99999 +# cache_dir rock /hdd2 ... min-size=100000 +# cache_dir rock /ssd2 ... max-size=99999 +# cache_dir rock /hdd3 ... min-size=100000 +# cache_dir rock /ssd3 ... max-size=99999 #Default: # store_dir_select_algorithm least-load @@ -2244,46 +3511,53 @@ cache_dir ufs /var/spool/squid 4096 16 1024 # # A value of 0 indicates no limit. #Default: -# max_open_disk_fds 0 - -# TAG: minimum_object_size (bytes) -# Objects smaller than this size will NOT be saved on disk. The -# value is specified in kilobytes, and the default is 0 KB, which -# means there is no minimum. -#Default: -# minimum_object_size 0 KB - -# TAG: maximum_object_size (bytes) -# Objects larger than this size will NOT be saved on disk. The -# value is specified in kilobytes, and the default is 4MB. If -# you wish to get a high BYTES hit ratio, you should probably -# increase this (one 32 MB object hit counts for 3200 10KB -# hits). If you wish to increase speed more than your want to -# save bandwidth you should leave this low. -# -# NOTE: if using the LFUDA replacement policy you should increase -# this value to maximize the byte hit rate improvement of LFUDA! -# See replacement_policy below for a discussion of this policy. -#Default: -# maximum_object_size 4096 KB -maximum_object_size 153600 KB +# no limit # TAG: cache_swap_low (percent, 0-100) +# The low-water mark for AUFS/UFS/diskd cache object eviction by +# the cache_replacement_policy algorithm. +# +# Removal begins when the swap (disk) usage of a cache_dir is +# above this low-water mark and attempts to maintain utilization +# near the low-water mark. +# +# As swap utilization increases towards the high-water mark set +# by cache_swap_high object eviction becomes more agressive. +# +# The value difference in percentages between low- and high-water +# marks represent an eviction rate of 300 objects per second and +# the rate continues to scale in agressiveness by multiples of +# this above the high-water mark. +# +# Defaults are 90% and 95%. If you have a large cache, 5% could be +# hundreds of MB. If this is the case you may wish to set these +# numbers closer together. +# +# See also cache_swap_high and cache_replacement_policy #Default: # cache_swap_low 90 # TAG: cache_swap_high (percent, 0-100) +# The high-water mark for AUFS/UFS/diskd cache object eviction by +# the cache_replacement_policy algorithm. # -# The low- and high-water marks for cache object replacement. -# Replacement begins when the swap (disk) usage is above the -# low-water mark and attempts to maintain utilization near the -# low-water mark. As swap utilization gets close to high-water -# mark object eviction becomes more aggressive. If utilization is -# close to the low-water mark less replacement is done each time. +# Removal begins when the swap (disk) usage of a cache_dir is +# above the low-water mark set by cache_swap_low and attempts to +# maintain utilization near the low-water mark. +# +# As swap utilization increases towards this high-water mark object +# eviction becomes more agressive. +# +# The value difference in percentages between low- and high-water +# marks represent an eviction rate of 300 objects per second and +# the rate continues to scale in agressiveness by multiples of +# this above the high-water mark. # # Defaults are 90% and 95%. If you have a large cache, 5% could be # hundreds of MB. If this is the case you may wish to set these # numbers closer together. +# +# See also cache_swap_low and cache_replacement_policy #Default: # cache_swap_high 95 @@ -2313,21 +3587,62 @@ maximum_object_size 153600 KB # ' output as-is # # - left aligned -# width field width. If starting with 0 the -# output is zero padded +# +# width minimum and/or maximum field width: +# [width_min][.width_max] +# When minimum starts with 0, the field is zero-padded. +# String values exceeding maximum width are truncated. +# # {arg} argument such as header name etc # # Format codes: # # % a literal % character +# sn Unique sequence number per log line entry +# err_code The ID of an error response served by Squid or +# a similar internal error identifier. +# err_detail Additional err_code-dependent error information. +# note The annotation specified by the argument. Also +# logs the adaptation meta headers set by the +# adaptation_meta configuration parameter. +# If no argument given all annotations logged. +# The argument may include a separator to use with +# annotation values: +# name[:separator] +# By default, multiple note values are separated with "," +# and multiple notes are separated with "\r\n". +# When logging named notes with %{name}note, the +# explicitly configured separator is used between note +# values. When logging all notes with %note, the +# explicitly configured separator is used between +# individual notes. There is currently no way to +# specify both value and notes separators when logging +# all notes with %note. +# +# Connection related format codes: +# # >a Client source IP address # >A Client FQDN # >p Client source port -# eui Client source EUI (MAC address, EUI-48 or EUI-64 identifier) +# >la Local IP address the client connected to +# >lp Local port number the client connected to +# >qos Client connection TOS/DSCP value set by Squid +# >nfmark Client connection netfilter mark set by Squid +# +# la Local listening IP address the client connection was connected to. +# lp Local listening port number the client connection was connected to. +# +# . format. +# Currently, Squid considers the master transaction +# started when a complete HTTP request header initiating +# the transaction is received from the client. This is +# the same value that Squid uses to calculate transaction +# response time when logging %tr to access.log. Currently, +# Squid uses millisecond resolution for %tS values, +# similar to the default access.log "current time" field +# (%ts.%03tu). +# +# Access Control related format codes: +# +# et Tag returned by external acl +# ea Log string returned by external acl +# un User name (any available) +# ul User name from authentication +# ue User name from external acl helper +# ui User name from ident +# un A user name. Expands to the first available name +# from the following list of information sources: +# - authenticated user name, like %ul +# - user name supplied by an external ACL, like %ue +# - SSL client name, like %us +# - ident user name, like %ui +# credentials Client credentials. The exact meaning depends on +# the authentication scheme: For Basic authentication, +# it is the password; for Digest, the realm sent by the +# client; for NTLM and Negotiate, the client challenge +# or client credentials prefixed with "YR " or "KK ". +# +# HTTP related format codes: +# +# REQUEST # -# HTTP cache related format codes: -# -# [http::]>h Original request header. Optional header name argument -# on the format header[:[separator]element] -# [http::]>ha The HTTP request headers after adaptation and redirection. +# [http::]rm Request method (GET/POST etc) +# [http::]>rm Request method from client +# [http::]ru Request URL from client +# [http::]rs Request URL scheme from client +# [http::]rd Request URL domain from client +# [http::]rP Request URL port from client +# [http::]rp Request URL path excluding hostname from client +# [http::]rv Request protocol version from client +# [http::]h Original received request header. +# Usually differs from the request header sent by +# Squid, although most fields are often preserved. +# Accepts optional header field name/value filter +# argument using name[:[separator]element] format. +# [http::]>ha Received request header after adaptation and +# redirection (pre-cache REQMOD vectoring point). +# Usually differs from the request header sent by +# Squid, although most fields are often preserved. # Optional header name argument as for >h +# +# +# RESPONSE +# +# [http::]Hs HTTP status code sent to the client +# # [http::]h -# [http::]un User name -# [http::]ul User name from authentication -# [http::]ui User name from ident -# [http::]us User name from SSL -# [http::]ue User name from external acl helper -# [http::]>Hs HTTP status code sent to the client -# [http::]st Received request size including HTTP headers. In the -# case of chunked requests the chunked encoding metadata -# are not included -# [http::]>sh Received HTTP request headers size -# [http::]st Total size of request received from client. +# Excluding chunked encoding bytes. +# [http::]sh Size of request headers received from client +# [http::]sni SSL client SNI sent to Squid. Available only +# after the peek, stare, or splice SSL bumping +# actions. +# +# If ICAP is enabled, the following code becomes available (as # well as ICAP log codes documented with the icap_log option): # # icap::tt Total ICAP processing time for the HTTP @@ -2386,14 +3793,13 @@ maximum_object_size 153600 KB # ACLs are checked and when ICAP # transaction is in progress. # -# icap::cert_subject The Subject field of the received client +# SSL certificate or a dash ('-') if Squid has +# received an invalid/malformed certificate or +# no certificate at all. Consider encoding the +# logged value because Subject often has spaces. +# +# %ssl::>cert_issuer The Issuer field of the received client +# SSL certificate or a dash ('-') if Squid has +# received an invalid/malformed certificate or +# no certificate at all. Consider encoding the +# logged value because Issuer often has spaces. +# # The default formats available (which do not need re-defining) are: # -#logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %a %Ss/%03>Hs %h] [%a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh +#logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh +#logformat referrer %ts.%03tu %>a %{Referer}>h %ru +#logformat useragent %>a [%tl] "%{User-Agent}>h" +# +# NOTE: When the log_mime_hdrs directive is set to ON. +# The squid, common and combined formats have a safely encoded copy +# of the mime headers appended to each line within a pair of brackets. +# +# NOTE: The common and combined formats are not quite true to the Apache definition. +# The logs from Squid contain an extra status and hierarchy code appended. +# #Default: -# none +# The format definitions squid, common, combined, referrer, useragent are built in. # TAG: access_log -# These files log client request activities. Has a line every HTTP or -# ICP request. The format is: -# access_log [ [acl acl ...]] -# access_log none [acl acl ...]] +# Configures whether and how Squid logs HTTP and ICP transactions. +# If access logging is enabled, a single line is logged for every +# matching HTTP or ICP request. The recommended directive formats are: # -# Will log to the specified file using the specified format (which -# must be defined in a logformat directive) those entries which match -# ALL the acl's specified (which must be defined in acl clauses). +# access_log : [option ...] [acl acl ...] +# access_log none [acl acl ...] # -# If no acl is specified, all requests will be logged to this file. +# The following directive format is accepted but may be deprecated: +# access_log : [ [acl acl ...]] # -# To disable logging of a request use the filepath "none", in which case -# a logformat name should not be specified. +# In most cases, the first ACL name must not contain the '=' character +# and should not be equal to an existing logformat name. You can always +# start with an 'all' ACL to work around those restrictions. +# +# Will log to the specified module:place using the specified format (which +# must be defined in a logformat directive) those entries which match +# ALL the acl's specified (which must be defined in acl clauses). +# If no acl is specified, all requests will be logged to this destination. +# +# ===== Available options for the recommended directive format ===== +# +# logformat=name Names log line format (either built-in or +# defined by a logformat directive). Defaults +# to 'squid'. +# +# buffer-size=64KB Defines approximate buffering limit for log +# records (see buffered_logs). Squid should not +# keep more than the specified size and, hence, +# should flush records before the buffer becomes +# full to avoid overflows under normal +# conditions (the exact flushing algorithm is +# module-dependent though). The on-error option +# controls overflow handling. +# +# on-error=die|drop Defines action on unrecoverable errors. The +# 'drop' action ignores (i.e., does not log) +# affected log records. The default 'die' action +# kills the affected worker. The drop action +# support has not been tested for modules other +# than tcp. +# +# ===== Modules Currently available ===== +# +# none Do not log any requests matching these ACL. +# Do not specify Place or logformat name. +# +# stdio Write each log line to disk immediately at the completion of +# each request. +# Place: the filename and path to be written. +# +# daemon Very similar to stdio. But instead of writing to disk the log +# line is passed to a daemon helper for asychronous handling instead. +# Place: varies depending on the daemon. +# +# log_file_daemon Place: the file name and path to be written. +# +# syslog To log each request via syslog facility. +# Place: The syslog facility and priority level for these entries. +# Place Format: facility.priority # -# To log the request via syslog specify a filepath of "syslog": +# where facility could be any of: +# authpriv, daemon, local0 ... local7 or user. # -# access_log syslog[:facility.priority] [format [acl1 [acl2 ....]]] -# where facility could be any of: -# authpriv, daemon, local0 .. local7 or user. +# And priority could be any of: +# err, warning, notice, info, debug. +# +# udp To send each log line as text data to a UDP receiver. +# Place: The destination host name or IP and port. +# Place Format: //host:port # -# And priority could be any of: -# err, warning, notice, info, debug. +# tcp To send each log line as text data to a TCP receiver. +# Lines may be accumulated before sending (see buffered_logs). +# Place: The destination host name or IP and port. +# Place Format: //host:port # # Default: -# access_log /var/log/squid/access.log squid +# access_log daemon:/var/log/squid/access.log squid #Default: -# access_log /var/log/squid/access.log squid +# access_log daemon:/var/log/squid/access.log squid # TAG: icap_log # ICAP log files record ICAP transaction summaries, one line per @@ -2472,13 +3953,35 @@ maximum_object_size 153600 KB # ICAP transaction log lines will correspond to a single access # log line. # -# ICAP log uses logformat codes that make sense for an ICAP -# transaction. Header-related codes are applied to the HTTP header -# embedded in an ICAP server response, with the following caveats: -# For REQMOD, there is no HTTP response header unless the ICAP -# server performed request satisfaction. For RESPMOD, the HTTP -# request header is the header sent to the ICAP server. For -# OPTIONS, there are no HTTP headers. +# ICAP log supports many access.log logformat %codes. In ICAP context, +# HTTP message-related %codes are applied to the HTTP message embedded +# in an ICAP message. Logformat "%http::>..." codes are used for HTTP +# messages embedded in ICAP requests while "%http::<..." codes are used +# for HTTP messages embedded in ICAP responses. For example: +# +# http::>h To-be-adapted HTTP message headers sent by Squid to +# the ICAP service. For REQMOD transactions, these are +# HTTP request headers. For RESPMOD, these are HTTP +# response headers, but Squid currently cannot log them +# (i.e., %http::>h will expand to "-" for RESPMOD). +# +# http::st Bytes sent to the ICAP server (TCP payload -# only; i.e., what Squid writes to the socket). +# icap::>st The total size of the ICAP request sent to the ICAP +# server (ICAP headers + ICAP body), including chunking +# metadata (if any). # -# icap::a %icap::to/%03icap::Hs %icap::A %icap::to/%03icap::Hs %icap::\n - logfile data +# R\n - rotate file +# T\n - truncate file +# O\n - reopen file +# F\n - flush file +# r\n - set rotate count to +# b\n - 1 = buffer output, 0 = don't buffer output +# +# No responses is expected. #Default: -# none +# logfile_daemon /usr/lib/squid/log_file_daemon -# TAG: log_icap -# This options allows you to control which requests get logged -# to icap.log. See the icap_log directive for ICAP log details. +# TAG: stats_collection allow|deny acl acl... +# This options allows you to control which requests gets accounted +# in performance counters. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow logging for all transactions. # TAG: cache_store_log # Logs the activities of the storage manager. Shows which # objects are ejected from the cache, and which objects are -# saved and for how long. To disable, enter "none" or remove the line. +# saved and for how long. # There are not really utilities to analyze this data, so you can safely -# disable it. -# +# disable it (the default). +# +# Store log uses modular logging outputs. See access_log for the list +# of modules supported. +# # Example: -# cache_store_log /var/log/squid/store.log +# cache_store_log stdio:/var/log/squid/store.log +# cache_store_log daemon:/var/log/squid/store.log #Default: # none @@ -2590,7 +4111,7 @@ maximum_object_size 153600 KB # them). We recommend you do NOT use this option. It is # better to keep these index files in each 'cache_dir' directory. #Default: -# none +# Store the journal inside its cache_dir # TAG: logfile_rotate # Specifies the number of logfile rotations to make when you @@ -2607,34 +4128,19 @@ maximum_object_size 153600 KB # in the habit of using 'squid -k rotate' instead of 'kill -USR1 # '. # -# Note, from Squid-3.1 this option has no effect on the cache.log, -# that log can be rotated separately by using debug_options +# Note, from Squid-3.1 this option is only a default for cache.log, +# that log can be rotated separately by using debug_options. # -# Note2, for Debian/Linux the default of logfile_rotate is -# zero, since it includes external logfile-rotation methods. +# Note2, for Debian/Linux the default of logfile_rotate is +# zero, since it includes external logfile-rotation methods. #Default: # logfile_rotate 0 -# TAG: emulate_httpd_log on|off -# The Cache can emulate the log file format which many 'httpd' -# programs use. To disable/enable this emulation, set -# emulate_httpd_log to 'off' or 'on'. The default -# is to use the native log format since it includes useful -# information Squid-specific log analyzers use. -#Default: -# emulate_httpd_log off - -# TAG: log_ip_on_direct on|off -# Log the destination IP address in the hierarchy log tag when going -# direct. Earlier Squid versions logged the hostname here. If you -# prefer the old way set this to off. -#Default: -# log_ip_on_direct on - # TAG: mime_table -# Pathname to Squid's MIME table. You shouldn't need to change -# this, but the default file contains examples and formatting -# information if you do. +# Path to Squid's icon configuration file. +# +# You shouldn't need to change this, but the default file contains +# examples and formatting information if you do. #Default: # mime_table /usr/share/squid/mime.conf @@ -2647,91 +4153,61 @@ maximum_object_size 153600 KB #Default: # log_mime_hdrs off -# TAG: useragent_log -# Note: This option is only available if Squid is rebuilt with the -# --enable-useragent-log option -# -# Squid will write the User-Agent field from HTTP requests -# to the filename specified here. By default useragent_log -# is disabled. -#Default: -# none - -# TAG: referer_log -# Note: This option is only available if Squid is rebuilt with the -# --enable-referer-log option -# -# Squid will write the Referer field from HTTP requests to the -# filename specified here. By default referer_log is disabled. -# Note that "referer" is actually a misspelling of "referrer" -# however the misspelt version has been accepted into the HTTP RFCs -# and we accept both. -#Default: -# none - # TAG: pid_filename # A filename to write the process-id to. To disable, enter "none". #Default: # pid_filename /var/run/squid.pid -# TAG: log_fqdn on|off -# Turn this on if you wish to log fully qualified domain names -# in the access.log. To do this Squid does a DNS lookup of all -# IP's connecting to it. This can (in some situations) increase -# latency, which makes your cache seem slower for interactive -# browsing. -#Default: -# log_fqdn off - # TAG: client_netmask # A netmask for client addresses in logfiles and cachemgr output. # Change this to protect the privacy of your cache clients. # A netmask of 255.255.255.0 will log all IP's in that range with # the last digit set to '0'. #Default: -# client_netmask no_addr - -# TAG: forward_log -# Note: This option is only available if Squid is rebuilt with the -# -DWIP_FWD_LOG define -# -# Logs the server-side requests. -# -# This is currently work in progress. -#Default: -# none +# Log full client IP address # TAG: strip_query_terms # By default, Squid strips query terms from requested URLs before -# logging. This protects your user's privacy. +# logging. This protects your user's privacy and reduces log size. +# +# When investigating HIT/MISS or other caching behaviour you +# will need to disable this to see the full URL used by Squid. #Default: # strip_query_terms on # TAG: buffered_logs on|off -# cache.log log file is written with stdio functions, and as such -# it can be buffered or unbuffered. By default it will be unbuffered. -# Buffering it can speed up the writing slightly (though you are -# unlikely to need to worry unless you run with tons of debugging -# enabled in which case performance will suffer badly anyway..). +# Whether to write/send access_log records ASAP or accumulate them and +# then write/send them in larger chunks. Buffering may improve +# performance because it decreases the number of I/Os. However, +# buffering increases the delay before log records become available to +# the final recipient (e.g., a disk file or logging daemon) and, +# hence, increases the risk of log records loss. +# +# Note that even when buffered_logs are off, Squid may have to buffer +# records if it cannot write/send them immediately due to pending I/Os +# (e.g., the I/O writing the previous log record) or connectivity loss. +# +# Currently honored by 'daemon' and 'tcp' access_log modules only. #Default: # buffered_logs off # TAG: netdb_filename -# Note: This option is only available if Squid is rebuilt with the -# --enable-icmp option +# Where Squid stores it's netdb journal. +# When enabled this journal preserves netdb state between restarts. # -# A filename where Squid stores it's netdb state between restarts. # To disable, enter "none". #Default: -# netdb_filename /var/log/squid/netdb.state +# netdb_filename stdio:/var/log/squid/netdb.state # OPTIONS FOR TROUBLESHOOTING # ----------------------------------------------------------------------------- # TAG: cache_log -# Cache logging file. This is where general information about -# your cache's behavior goes. You can increase the amount of data -# logged to this file and how often its rotated with "debug_options" +# Squid administrative logging file. +# +# This is where general information about Squid behavior goes. You can +# increase the amount of data logged to this file and how often it is +# rotated with "debug_options" #Default: # cache_log /var/log/squid/cache.log @@ -2742,14 +4218,14 @@ maximum_object_size 153600 KB # log file, so be careful. # # The magic word "ALL" sets debugging levels for all sections. -# We recommend normally running with "ALL,1". +# The default is to run with "ALL,1" to record important warnings. # # The rotate=N option can be used to keep more or less of these logs # than would otherwise be kept by logfile_rotate. # For most uses a single log should be enough to monitor current # events affecting Squid. #Default: -# debug_options ALL,1 +# Log all critical and important messages. # TAG: coredump_dir # By default Squid leaves core files in the directory from where @@ -2758,7 +4234,7 @@ maximum_object_size 153600 KB # and coredump files will be left there. # #Default: -# coredump_dir none +# Use the directory from where Squid was started. # # Leave coredumps in the first cache dir @@ -2769,24 +4245,17 @@ coredump_dir /var/spool/squid # TAG: ftp_user # If you want the anonymous login password to be more informative -# (and enable the use of picky ftp servers), set this to something +# (and enable the use of picky FTP servers), set this to something # reasonable for your domain, like wwwuser@somewhere.net # # The reason why this is domainless by default is the # request can be made on the behalf of a user in any domain, # depending on how the cache is used. -# Some ftp server also validate the email address is valid +# Some FTP server also validate the email address is valid # (for example perl.com). #Default: # ftp_user Squid@ -# TAG: ftp_list_width -# Sets the width of ftp listings. This should be set to fit in -# the width of a standard browser. Setting this too small -# can cut off long filenames when browsing ftp sites. -#Default: -# ftp_list_width 32 - # TAG: ftp_passive # If your firewall does not allow Squid to use passive # connections, turn off this option. @@ -2822,13 +4291,21 @@ coredump_dir /var/spool/squid # and therefore, translation of the data portion of the segments # will never be needed. # -# Turning this OFF will prevent EPSV being attempted. -# WARNING: Doing so will convert Squid back to the old behavior with all -# the related problems with external NAT devices/layers. +# EPSV is often required to interoperate with FTP servers on IPv6 +# networks. On the other hand, it may break some IPv4 servers. +# +# By default, EPSV may try EPSV with any FTP server. To fine tune +# that decision, you may restrict EPSV to certain clients or servers +# using ACLs: # +# ftp_epsv allow|deny al1 acl2 ... +# +# WARNING: Disabling EPSV may cause problems with external NAT and IPv6. +# +# Only fast ACLs are supported. # Requires ftp_passive to be ON (default) for any effect. #Default: -# ftp_epsv on +# none # TAG: ftp_eprt # FTP Protocol extensions permit the use of a special "EPRT" command. @@ -2889,22 +4366,16 @@ coredump_dir /var/spool/squid # unlinkd_program /usr/lib/squid/unlinkd # TAG: pinger_program -# Note: This option is only available if Squid is rebuilt with the -# --enable-icmp option -# # Specify the location of the executable for the pinger process. #Default: # pinger_program /usr/lib/squid/pinger # TAG: pinger_enable -# Note: This option is only available if Squid is rebuilt with the -# --enable-icmp option -# # Control whether the pinger is active at run-time. # Enables turning ICMP pinger on and off with a simple # squid -k reconfigure. #Default: -# pinger_enable off +# pinger_enable on # OPTIONS FOR URL REWRITING # ----------------------------------------------------------------------------- @@ -2915,68 +4386,137 @@ coredump_dir /var/spool/squid # # For each requested URL, the rewriter will receive on line with the format # -# URL client_ip "/" fqdn user method [ kvpairs] +# [channel-ID ] URL [ extras] +# +# See url_rewrite_extras on how to send "extras" with optional values to +# the helper. +# After processing the request the helper must reply using the following format: +# +# [channel-ID ] result [ kv-pairs] +# +# The result code can be: +# +# OK status=30N url="..." +# Redirect the URL to the one supplied in 'url='. +# 'status=' is optional and contains the status code to send +# the client in Squids HTTP response. It must be one of the +# HTTP redirect status codes: 301, 302, 303, 307, 308. +# When no status is given Squid will use 302. +# +# OK rewrite-url="..." +# Rewrite the URL to the one supplied in 'rewrite-url='. +# The new URL is fetched directly by Squid and returned to +# the client as the response to its request. # -# In the future, the rewriter interface will be extended with -# key=value pairs ("kvpairs" shown above). Rewriter programs -# should be prepared to receive and possibly ignore additional -# whitespace-separated tokens on each input line. +# OK +# When neither of url= and rewrite-url= are sent Squid does +# not change the URL. # -# And the rewriter may return a rewritten URL. The other components of -# the request line does not need to be returned (ignored if they are). +# ERR +# Do not change the URL. # -# The rewriter can also indicate that a client-side redirect should -# be performed to the new URL. This is done by prefixing the returned -# URL with "301:" (moved permanently) or 302: (moved temporarily), etc. +# BH +# An internal error occurred in the helper, preventing +# a result being identified. The 'message=' key name is +# reserved for delivering a log message. +# +# +# In addition to the above kv-pairs Squid also understands the following +# optional kv-pairs received from URL rewriters: +# clt_conn_tag=TAG +# Associates a TAG with the client TCP connection. +# The TAG is treated as a regular annotation but persists across +# future requests on the client connection rather than just the +# current request. A helper may update the TAG during subsequent +# requests be returning a new kv-pair. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# WARNING: URL re-writing ability should be avoided whenever possible. +# Use the URL redirect form of response instead. +# +# Re-write creates a difference in the state held by the client +# and server. Possibly causing confusion when the server response +# contains snippets of its view state. Embeded URLs, response +# and content Location headers, etc. are not re-written by this +# interface. # # By default, a URL rewriter is not used. #Default: # none # TAG: url_rewrite_children -# The number of redirector processes to spawn. If you start -# too few Squid will have to wait for them to process a backlog of -# URLs, slowing it down. If you start too many they will use RAM -# and other system resources. -#Default: -# url_rewrite_children 5 - -# TAG: url_rewrite_concurrency +# The maximum number of redirector processes to spawn. If you limit +# it too few Squid will have to wait for them to process a backlog of +# URLs, slowing it down. If you allow too many they will use RAM +# and other system resources noticably. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup= +# +# Sets a minimum of how many processes are to be spawned when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few will cause an initial slowdown in traffic as Squid +# attempts to simultaneously spawn enough processes to cope. +# +# idle= +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# # The number of requests each redirector helper can handle in # parallel. Defaults to 0 which indicates the redirector # is a old-style single threaded redirector. # # When this directive is set to a value >= 1 then the protocol # used to communicate with the helper is modified to include -# a request ID in front of the request/response. The request -# ID from the request must be echoed back with the response -# to that request. +# an ID in front of the request/response. The ID from the request +# must be echoed back with the response to that request. #Default: -# url_rewrite_concurrency 0 +# url_rewrite_children 20 startup=0 idle=1 concurrency=0 # TAG: url_rewrite_host_header -# By default Squid rewrites any Host: header in redirected -# requests. If you are running an accelerator this may -# not be a wanted effect of a redirector. -# +# To preserve same-origin security policies in browsers and +# prevent Host: header forgery by redirectors Squid rewrites +# any Host: header in redirected requests. +# +# If you are running an accelerator this may not be a wanted +# effect of a redirector. This directive enables you disable +# Host: alteration in reverse-proxy traffic. +# # WARNING: Entries are cached on the result of the URL rewriting # process, so be careful if you have domain-virtual hosts. +# +# WARNING: Squid and other software verifies the URL and Host +# are matching, so be careful not to relay through other proxies +# or inspecting firewalls with this disabled. #Default: # url_rewrite_host_header on # TAG: url_rewrite_access # If defined, this access list specifies which requests are -# sent to the redirector processes. By default all requests -# are sent. +# sent to the redirector processes. # # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: url_rewrite_bypass # When this is 'on', a request will not go through the -# redirector if all redirectors are busy. If this is 'off' +# redirector if all the helpers are busy. If this is 'off' # and the redirector queue grows too large, Squid will exit # with a FATAL error and ask you to increase the number of # redirectors. You should only enable this if the redirectors @@ -2987,23 +4527,231 @@ coredump_dir /var/spool/squid #Default: # url_rewrite_bypass off -# OPTIONS FOR TUNING THE CACHE +# TAG: url_rewrite_extras +# Specifies a string to be append to request line format for the +# rewriter helper. "Quoted" format values may contain spaces and +# logformat %macros. In theory, any logformat %macro can be used. +# In practice, a %macro expands as a dash (-) if the helper request is +# sent before the required macro information is available to Squid. +#Default: +# url_rewrite_extras "%>a/%>A %un %>rm myip=%la myport=%lp" + +# OPTIONS FOR STORE ID # ----------------------------------------------------------------------------- -# TAG: cache -# A list of ACL elements which, if matched and denied, cause the request to -# not be satisfied from the cache and the reply to not be cached. -# In other words, use this to force certain objects to never be cached. +# TAG: store_id_program +# Specify the location of the executable StoreID helper to use. +# Since they can perform almost any function there isn't one included. # -# You must use the words 'allow' or 'deny' to indicate whether items -# matching the ACL should be allowed or denied into the cache. +# For each requested URL, the helper will receive one line with the format # -# Default is to allow all to be cached. +# [channel-ID ] URL [ extras] +# +# +# After processing the request the helper must reply using the following format: +# +# [channel-ID ] result [ kv-pairs] +# +# The result code can be: +# +# OK store-id="..." +# Use the StoreID supplied in 'store-id='. +# +# ERR +# The default is to use HTTP request URL as the store ID. +# +# BH +# An internal error occured in the helper, preventing +# a result being identified. +# +# In addition to the above kv-pairs Squid also understands the following +# optional kv-pairs received from URL rewriters: +# clt_conn_tag=TAG +# Associates a TAG with the client TCP connection. +# Please see url_rewrite_program related documentation for this +# kv-pair +# +# Helper programs should be prepared to receive and possibly ignore +# additional whitespace-separated tokens on each input line. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# NOTE: when using StoreID refresh_pattern will apply to the StoreID +# returned from the helper and not the URL. +# +# WARNING: Wrong StoreID value returned by a careless helper may result +# in the wrong cached response returned to the user. +# +# By default, a StoreID helper is not used. +#Default: +# none + +# TAG: store_id_extras +# Specifies a string to be append to request line format for the +# StoreId helper. "Quoted" format values may contain spaces and +# logformat %macros. In theory, any logformat %macro can be used. +# In practice, a %macro expands as a dash (-) if the helper request is +# sent before the required macro information is available to Squid. +#Default: +# store_id_extras "%>a/%>A %un %>rm myip=%la myport=%lp" + +# TAG: store_id_children +# The maximum number of StoreID helper processes to spawn. If you limit +# it too few Squid will have to wait for them to process a backlog of +# requests, slowing it down. If you allow too many they will use RAM +# and other system resources noticably. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup= +# +# Sets a minimum of how many processes are to be spawned when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few will cause an initial slowdown in traffic as Squid +# attempts to simultaneously spawn enough processes to cope. +# +# idle= +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# +# The number of requests each storeID helper can handle in +# parallel. Defaults to 0 which indicates the helper +# is a old-style single threaded program. +# +# When this directive is set to a value >= 1 then the protocol +# used to communicate with the helper is modified to include +# an ID in front of the request/response. The ID from the request +# must be echoed back with the response to that request. +#Default: +# store_id_children 20 startup=0 idle=1 concurrency=0 + +# TAG: store_id_access +# If defined, this access list specifies which requests are +# sent to the StoreID processes. By default all requests +# are sent. # # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow, unless rules exist in squid.conf. + +# TAG: store_id_bypass +# When this is 'on', a request will not go through the +# helper if all helpers are busy. If this is 'off' +# and the helper queue grows too large, Squid will exit +# with a FATAL error and ask you to increase the number of +# helpers. You should only enable this if the helperss +# are not critical to your caching system. If you use +# helpers for critical caching components, and you enable this +# option, users may not get objects from cache. +#Default: +# store_id_bypass on + +# OPTIONS FOR TUNING THE CACHE +# ----------------------------------------------------------------------------- + +# TAG: cache +# Requests denied by this directive will not be served from the cache +# and their responses will not be stored in the cache. This directive +# has no effect on other transactions and on already cached responses. +# +# This clause supports both fast and slow acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# This and the two other similar caching directives listed below are +# checked at different transaction processing stages, have different +# access to response information, affect different cache operations, +# and differ in slow ACLs support: +# +# * cache: Checked before Squid makes a hit/miss determination. +# No access to reply information! +# Denies both serving a hit and storing a miss. +# Supports both fast and slow ACLs. +# * send_hit: Checked after a hit was detected. +# Has access to reply (hit) information. +# Denies serving a hit only. +# Supports fast ACLs only. +# * store_miss: Checked before storing a cachable miss. +# Has access to reply (miss) information. +# Denies storing a miss only. +# Supports fast ACLs only. +# +# If you are not sure which of the three directives to use, apply the +# following decision logic: +# +# * If your ACL(s) are of slow type _and_ need response info, redesign. +# Squid does not support that particular combination at this time. +# Otherwise: +# * If your directive ACL(s) are of slow type, use "cache"; and/or +# * if your directive ACL(s) need no response info, use "cache". +# Otherwise: +# * If you do not want the response cached, use store_miss; and/or +# * if you do not want a hit on a cached response, use send_hit. +#Default: +# By default, this directive is unused and has no effect. + +# TAG: send_hit +# Responses denied by this directive will not be served from the cache +# (but may still be cached, see store_miss). This directive has no +# effect on the responses it allows and on the cached objects. +# +# Please see the "cache" directive for a summary of differences among +# store_miss, send_hit, and cache directives. +# +# Unlike the "cache" directive, send_hit only supports fast acl +# types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# For example: +# +# # apply custom Store ID mapping to some URLs +# acl MapMe dstdomain .c.example.com +# store_id_program ... +# store_id_access allow MapMe +# +# # but prevent caching of special responses +# # such as 302 redirects that cause StoreID loops +# acl Ordinary http_status 200-299 +# store_miss deny MapMe !Ordinary +# +# # and do not serve any previously stored special responses +# # from the cache (in case they were already cached before +# # the above store_miss rule was in effect). +# send_hit deny MapMe !Ordinary +#Default: +# By default, this directive is unused and has no effect. + +# TAG: store_miss +# Responses denied by this directive will not be cached (but may still +# be served from the cache, see send_hit). This directive has no +# effect on the responses it allows and on the already cached responses. +# +# Please see the "cache" directive for a summary of differences among +# store_miss, send_hit, and cache directives. See the +# send_hit directive for a usage example. +# +# Unlike the "cache" directive, store_miss only supports fast acl +# types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# By default, this directive is unused and has no effect. + +# TAG: max_stale time-units +# This option puts an upper limit on how stale content Squid +# will serve from the cache if cache validation fails. +# Can be overriden by the refresh_pattern max-stale option. +#Default: +# max_stale 1 week # TAG: refresh_pattern # usage: refresh_pattern [-i] regex min percent max [options] @@ -3028,12 +4776,13 @@ coredump_dir /var/spool/squid # override-lastmod # reload-into-ims # ignore-reload -# ignore-no-cache # ignore-no-store # ignore-must-revalidate # ignore-private # ignore-auth +# max-stale=NN # refresh-ims +# store-stale # # override-expire enforces min age even if the server # sent an explicit expiry time (e.g., with the @@ -3049,22 +4798,18 @@ coredump_dir /var/spool/squid # override-lastmod enforces min age even on objects # that were modified recently. # -# reload-into-ims changes client no-cache or ``reload'' -# to If-Modified-Since requests. Doing this VIOLATES the -# HTTP standard. Enabling this feature could make you -# liable for problems which it causes. +# reload-into-ims changes a client no-cache or ``reload'' +# request for a cached entry into a conditional request using +# If-Modified-Since and/or If-None-Match headers, provided the +# cached entry has a Last-Modified and/or a strong ETag header. +# Doing this VIOLATES the HTTP standard. Enabling this feature +# could make you liable for problems which it causes. # # ignore-reload ignores a client no-cache or ``reload'' # header. Doing this VIOLATES the HTTP standard. Enabling # this feature could make you liable for problems which # it causes. # -# ignore-no-cache ignores any ``Pragma: no-cache'' and -# ``Cache-control: no-cache'' headers received from a server. -# The HTTP RFC never allows the use of this (Pragma) header -# from a server, only a client, though plenty of servers -# send it anyway. -# # ignore-no-store ignores any ``Cache-control: no-store'' # headers received from a server. Doing this VIOLATES # the HTTP standard. Enabling this feature could make you @@ -3091,9 +4836,19 @@ coredump_dir /var/spool/squid # ensures that the client will receive an updated version # if one is available. # +# store-stale stores responses even if they don't have explicit +# freshness or a validator (i.e., Last-Modified or an ETag) +# present, or if they're already stale. By default, Squid will +# not cache such responses because they usually can't be +# reused. Note that such responses will be stale by default. +# +# max-stale=NN provide a maximum staleness factor. Squid won't +# serve objects more stale than this even if it failed to +# validate the object. Default: use the max_stale global limit. +# # Basically a cached object is: # -# FRESH if expires < now, else STALE +# FRESH if expire > now, else STALE # STALE if age > max # FRESH if lm-factor < percent, else STALE # FRESH if age < min @@ -3109,7 +4864,9 @@ coredump_dir /var/spool/squid # # +# # Add any of your own refresh_pattern entries above these. +# refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 @@ -3137,7 +4894,7 @@ refresh_pattern . 0 20% 4320 # downloads. # # When the user aborts a request, Squid will check the -# quick_abort values to the amount of data transfered until +# quick_abort values to the amount of data transferred until # then. # # If the transfer has less than 'quick_abort_min' KB remaining, @@ -3195,44 +4952,68 @@ refresh_pattern . 0 20% 4320 #Default: # negative_dns_ttl 1 minutes -# TAG: range_offset_limit (bytes) -# Sets a upper limit on how far into the the file a Range request -# may be to cause Squid to prefetch the whole file. If beyond this -# limit Squid forwards the Range request as it is and the result -# is NOT cached. -# +# TAG: range_offset_limit size [acl acl...] +# usage: (size) [units] [[!]aclname] +# +# Sets an upper limit on how far (number of bytes) into the file +# a Range request may be to cause Squid to prefetch the whole file. +# If beyond this limit, Squid forwards the Range request as it is and +# the result is NOT cached. +# # This is to stop a far ahead range request (lets say start at 17MB) # from making Squid fetch the whole object up to that point before # sending anything to the client. -# -# A value of 0 causes Squid to never fetch more than the +# +# Multiple range_offset_limit lines may be specified, and they will +# be searched from top to bottom on each request until a match is found. +# The first match found will be used. If no line matches a request, the +# default limit of 0 bytes will be used. +# +# 'size' is the limit specified as a number of units. +# +# 'units' specifies whether to use bytes, KB, MB, etc. +# If no units are specified bytes are assumed. +# +# A size of 0 causes Squid to never fetch more than the # client requested. (default) -# -# A value of -1 causes Squid to always fetch the object from the +# +# A size of 'none' causes Squid to always fetch the object from the # beginning so it may cache the result. (2.0 style) -# -# NP: Using -1 here will override any quick_abort settings that may -# otherwise apply to the range request. The range request will +# +# 'aclname' is the name of a defined ACL. +# +# NP: Using 'none' as the byte value here will override any quick_abort settings +# that may otherwise apply to the range request. The range request will # be fully fetched from start to finish regardless of the client # actions. This affects bandwidth usage. #Default: -# range_offset_limit 0 KB +# none # TAG: minimum_expiry_time (seconds) # The minimum caching time according to (Expires - Date) -# Headers Squid honors if the object can't be revalidated -# defaults to 60 seconds. In reverse proxy environments it -# might be desirable to honor shorter object lifetimes. It -# is most likely better to make your server return a -# meaningful Last-Modified header however. In ESI environments -# where page fragments often have short lifetimes, this will -# often be best set to 0. +# headers Squid honors if the object can't be revalidated. +# The default is 60 seconds. +# +# In reverse proxy environments it might be desirable to honor +# shorter object lifetimes. It is most likely better to make +# your server return a meaningful Last-Modified header however. +# +# In ESI environments where page fragments often have short +# lifetimes, this will often be best set to 0. #Default: # minimum_expiry_time 60 seconds -# TAG: store_avg_object_size (kbytes) +# TAG: store_avg_object_size (bytes) # Average object size, used to estimate number of objects your # cache can hold. The default is 13 KB. +# +# This is used to pre-seed the cache index memory allocation to +# reduce expensive reallocate operations while handling clients +# traffic. Too-large values may result in memory allocation during +# peak traffic, too-small values will result in wasted memory. +# +# Check the cache manager 'info' report metrics for the real +# object sizes seen by your Squid before tuning this. #Default: # store_avg_object_size 13 KB @@ -3271,8 +5052,11 @@ refresh_pattern . 0 20% 4320 # than this limit receives an "Invalid Request" error message. # If you set this parameter to a zero (the default), there will # be no limit imposed. +# +# See also client_request_buffer_max_size for an alternative +# limitation on client uploads which can be configured. #Default: -# request_body_max_size 0 KB +# No limit. # TAG: client_request_buffer_max_size (bytes) # This specifies the maximum buffer size of a client request. @@ -3281,29 +5065,6 @@ refresh_pattern . 0 20% 4320 #Default: # client_request_buffer_max_size 512 KB -# TAG: chunked_request_body_max_size (bytes) -# A broken or confused HTTP/1.1 client may send a chunked HTTP -# request to Squid. Squid does not have full support for that -# feature yet. To cope with such requests, Squid buffers the -# entire request and then dechunks request body to create a -# plain HTTP/1.0 request with a known content length. The plain -# request is then used by the rest of Squid code as usual. -# -# The option value specifies the maximum size of the buffer used -# to hold the request before the conversion. If the chunked -# request size exceeds the specified limit, the conversion -# fails, and the client receives an "unsupported request" error, -# as if dechunking was disabled. -# -# Dechunking is enabled by default. To disable conversion of -# chunked requests, set the maximum to zero. -# -# Request dechunking feature and this option in particular are a -# temporary hack. When chunking requests and responses are fully -# supported, there will be no need to buffer a chunked request. -#Default: -# chunked_request_body_max_size 64 KB - # TAG: broken_posts # A list of ACL elements which, if matched, causes Squid to send # an extra CRLF pair after the body of a PUT/POST request. @@ -3325,15 +5086,15 @@ refresh_pattern . 0 20% 4320 # acl buggy_server url_regex ^http://.... # broken_posts allow buggy_server #Default: -# none +# Obey RFC 2616. -# TAG: icap_uses_indirect_client on|off +# TAG: adaptation_uses_indirect_client on|off # Controls whether the indirect client IP address (instead of the direct # client IP address) is passed to adaptation services. # # See also: follow_x_forwarded_for adaptation_send_client_ip #Default: -# icap_uses_indirect_client on +# adaptation_uses_indirect_client on # TAG: via on|off # If set (default), Squid will include a Via header in requests and @@ -3395,64 +5156,62 @@ refresh_pattern . 0 20% 4320 # # This option replaces the old 'anonymize_headers' and the # older 'http_anonymizer' option with something that is much -# more configurable. This new method creates a list of ACLs -# for each header, allowing you very fine-tuned header -# mangling. -# -# This option only applies to request headers, i.e., from the -# client to the server. -# -# You can only specify known headers for the header name. -# Other headers are reclassified as 'Other'. You can also -# refer to all the headers with 'All'. +# more configurable. A list of ACLs for each header name allows +# removal of specific header fields under specific conditions. +# +# This option only applies to outgoing HTTP request headers (i.e., +# headers sent by Squid to the next HTTP hop such as a cache peer +# or an origin server). The option has no effect during cache hit +# detection. The equivalent adaptation vectoring point in ICAP +# terminology is post-cache REQMOD. +# +# The option is applied to individual outgoing request header +# fields. For each request header field F, Squid uses the first +# qualifying sets of request_header_access rules: +# +# 1. Rules with header_name equal to F's name. +# 2. Rules with header_name 'Other', provided F's name is not +# on the hard-coded list of commonly used HTTP header names. +# 3. Rules with header_name 'All'. +# +# Within that qualifying rule set, rule ACLs are checked as usual. +# If ACLs of an "allow" rule match, the header field is allowed to +# go through as is. If ACLs of a "deny" rule match, the header is +# removed and request_header_replace is then checked to identify +# if the removed header has a replacement. If no rules within the +# set have matching ACLs, the header field is left as is. # # For example, to achieve the same behavior as the old # 'http_anonymizer standard' option, you should use: # # request_header_access From deny all # request_header_access Referer deny all -# request_header_access Server deny all # request_header_access User-Agent deny all -# request_header_access WWW-Authenticate deny all -# request_header_access Link deny all # # Or, to reproduce the old 'http_anonymizer paranoid' feature # you should use: # -# request_header_access Allow allow all # request_header_access Authorization allow all -# request_header_access WWW-Authenticate allow all # request_header_access Proxy-Authorization allow all -# request_header_access Proxy-Authenticate allow all # request_header_access Cache-Control allow all -# request_header_access Content-Encoding allow all # request_header_access Content-Length allow all # request_header_access Content-Type allow all # request_header_access Date allow all -# request_header_access Expires allow all # request_header_access Host allow all # request_header_access If-Modified-Since allow all -# request_header_access Last-Modified allow all -# request_header_access Location allow all # request_header_access Pragma allow all # request_header_access Accept allow all # request_header_access Accept-Charset allow all # request_header_access Accept-Encoding allow all # request_header_access Accept-Language allow all -# request_header_access Content-Language allow all -# request_header_access Mime-Version allow all -# request_header_access Retry-After allow all -# request_header_access Title allow all # request_header_access Connection allow all # request_header_access All deny all # -# although many of those are HTTP reply headers, and so should be -# controlled with the reply_header_access directive. +# HTTP reply headers are controlled with the reply_header_access directive. # -# By default, all headers are allowed (no anonymizing is -# performed). +# By default, all headers are allowed (no anonymizing is performed). #Default: -# none +# No limits. # TAG: reply_header_access # Usage: reply_header_access header_name allow|deny [!]aclname ... @@ -3465,25 +5224,13 @@ refresh_pattern . 0 20% 4320 # server to the client. # # This is the same as request_header_access, but in the other -# direction. -# -# This option replaces the old 'anonymize_headers' and the -# older 'http_anonymizer' option with something that is much -# more configurable. This new method creates a list of ACLs -# for each header, allowing you very fine-tuned header -# mangling. -# -# You can only specify known headers for the header name. -# Other headers are reclassified as 'Other'. You can also -# refer to all the headers with 'All'. +# direction. Please see request_header_access for detailed +# documentation. # # For example, to achieve the same behavior as the old # 'http_anonymizer standard' option, you should use: # -# reply_header_access From deny all -# reply_header_access Referer deny all # reply_header_access Server deny all -# reply_header_access User-Agent deny all # reply_header_access WWW-Authenticate deny all # reply_header_access Link deny all # @@ -3491,9 +5238,7 @@ refresh_pattern . 0 20% 4320 # you should use: # # reply_header_access Allow allow all -# reply_header_access Authorization allow all # reply_header_access WWW-Authenticate allow all -# reply_header_access Proxy-Authorization allow all # reply_header_access Proxy-Authenticate allow all # reply_header_access Cache-Control allow all # reply_header_access Content-Encoding allow all @@ -3501,29 +5246,22 @@ refresh_pattern . 0 20% 4320 # reply_header_access Content-Type allow all # reply_header_access Date allow all # reply_header_access Expires allow all -# reply_header_access Host allow all -# reply_header_access If-Modified-Since allow all # reply_header_access Last-Modified allow all # reply_header_access Location allow all # reply_header_access Pragma allow all -# reply_header_access Accept allow all -# reply_header_access Accept-Charset allow all -# reply_header_access Accept-Encoding allow all -# reply_header_access Accept-Language allow all # reply_header_access Content-Language allow all -# reply_header_access Mime-Version allow all # reply_header_access Retry-After allow all # reply_header_access Title allow all +# reply_header_access Content-Disposition allow all # reply_header_access Connection allow all # reply_header_access All deny all # -# although the HTTP request headers won't be usefully controlled -# by this directive -- see request_header_access for details. +# HTTP request headers are controlled with the request_header_access directive. # # By default, all headers are allowed (no anonymizing is # performed). #Default: -# none +# No limits. # TAG: request_header_replace # Usage: request_header_replace header_name message @@ -3531,8 +5269,7 @@ refresh_pattern . 0 20% 4320 # # This option allows you to change the contents of headers # denied with request_header_access above, by replacing them -# with some fixed string. This replaces the old fake_user_agent -# option. +# with some fixed string. # # This only applies to request headers, not reply headers. # @@ -3554,6 +5291,57 @@ refresh_pattern . 0 20% 4320 #Default: # none +# TAG: request_header_add +# Usage: request_header_add field-name field-value acl1 [acl2] ... +# Example: request_header_add X-Client-CA "CA=%ssl::>cert_issuer" all +# +# This option adds header fields to outgoing HTTP requests (i.e., +# request headers sent by Squid to the next HTTP hop such as a +# cache peer or an origin server). The option has no effect during +# cache hit detection. The equivalent adaptation vectoring point +# in ICAP terminology is post-cache REQMOD. +# +# Field-name is a token specifying an HTTP header name. If a +# standard HTTP header name is used, Squid does not check whether +# the new header conflicts with any existing headers or violates +# HTTP rules. If the request to be modified already contains a +# field with the same name, the old field is preserved but the +# header field values are not merged. +# +# Field-value is either a token or a quoted string. If quoted +# string format is used, then the surrounding quotes are removed +# while escape sequences and %macros are processed. +# +# In theory, all of the logformat codes can be used as %macros. +# However, unlike logging (which happens at the very end of +# transaction lifetime), the transaction may not yet have enough +# information to expand a macro when the new header value is needed. +# And some information may already be available to Squid but not yet +# committed where the macro expansion code can access it (report +# such instances!). The macro will be expanded into a single dash +# ('-') in such cases. Not all macros have been tested. +# +# One or more Squid ACLs may be specified to restrict header +# injection to matching requests. As always in squid.conf, all +# ACLs in an option ACL list must be satisfied for the insertion +# to happen. The request_header_add option supports fast ACLs +# only. +#Default: +# none + +# TAG: note +# This option used to log custom information about the master +# transaction. For example, an admin may configure Squid to log +# which "user group" the transaction belongs to, where "user group" +# will be determined based on a set of ACLs and not [just] +# authentication information. +# Values of key/value pairs can be logged using %{key}note macros: +# +# note key value acl ... +# logformat myFormat ... %{key}note ... +#Default: +# none + # TAG: relaxed_header_parser on|off|warn # In the default "on" setting Squid accepts certain forms # of non-compliant HTTP messages where it is unambiguous @@ -3569,15 +5357,32 @@ refresh_pattern . 0 20% 4320 #Default: # relaxed_header_parser on -# TAG: ignore_expect_100 on|off -# This option makes Squid ignore any Expect: 100-continue header present -# in the request. RFC 2616 requires that Squid being unable to satisfy -# the response expectation MUST return a 417 error. -# -# Note: Enabling this is a HTTP protocol violation, but some clients may -# not handle it well.. -#Default: -# ignore_expect_100 off +# TAG: collapsed_forwarding (on|off) +# When enabled, instead of forwarding each concurrent request for +# the same URL, Squid just sends the first of them. The other, so +# called "collapsed" requests, wait for the response to the first +# request and, if it happens to be cachable, use that response. +# Here, "concurrent requests" means "received after the first +# request headers were parsed and before the corresponding response +# headers were parsed". +# +# This feature is disabled by default: enabling collapsed +# forwarding needlessly delays forwarding requests that look +# cachable (when they are collapsed) but then need to be forwarded +# individually anyway because they end up being for uncachable +# content. However, in some cases, such as acceleration of highly +# cachable content with periodic or grouped expiration times, the +# gains from collapsing [large volumes of simultaneous refresh +# requests] outweigh losses from such delays. +# +# Squid collapses two kinds of requests: regular client requests +# received on one of the listening ports and internal "cache +# revalidation" requests which are triggered by those regular +# requests hitting a stale cached object. Revalidation collapsing +# is currently disabled for Squid instances containing SMP-aware +# disk or memory caches and for Vary-controlled cached objects. +#Default: +# collapsed_forwarding off # TIMEOUTS # ----------------------------------------------------------------------------- @@ -3604,25 +5409,46 @@ refresh_pattern . 0 20% 4320 # peer_connect_timeout 30 seconds # TAG: read_timeout time-units -# The read_timeout is applied on server-side connections. After -# each successful read(), the timeout will be extended by this +# Applied on peer server connections. +# +# After each successful read(), the timeout will be extended by this # amount. If no data is read again after this amount of time, -# the request is aborted and logged with ERR_READ_TIMEOUT. The -# default is 15 minutes. +# the request is aborted and logged with ERR_READ_TIMEOUT. +# +# The default is 15 minutes. #Default: # read_timeout 15 minutes +# TAG: write_timeout time-units +# This timeout is tracked for all connections that have data +# available for writing and are waiting for the socket to become +# ready. After each successful write, the timeout is extended by +# the configured amount. If Squid has data to write but the +# connection is not ready for the configured duration, the +# transaction associated with the connection is terminated. The +# default is 15 minutes. +#Default: +# write_timeout 15 minutes + # TAG: request_timeout # How long to wait for complete HTTP request headers after initial # connection establishment. #Default: # request_timeout 5 minutes -# TAG: persistent_request_timeout +# TAG: client_idle_pconn_timeout # How long to wait for the next HTTP request on a persistent -# connection after the previous request completes. +# client connection after the previous request completes. +#Default: +# client_idle_pconn_timeout 2 minutes + +# TAG: ftp_client_idle_timeout +# How long to wait for an FTP request on a connection to Squid ftp_port. +# Many FTP clients do not deal with idle connection closures well, +# necessitating a longer default timeout than client_idle_pconn_timeout +# used for incoming HTTP requests. #Default: -# persistent_request_timeout 2 minutes +# ftp_client_idle_timeout 30 minutes # TAG: client_lifetime time-units # The maximum amount of time a client (browser) is allowed to @@ -3658,11 +5484,11 @@ refresh_pattern . 0 20% 4320 #Default: # half_closed_clients off -# TAG: pconn_timeout +# TAG: server_idle_pconn_timeout # Timeout for idle persistent connections to servers and other # proxies. #Default: -# pconn_timeout 1 minute +# server_idle_pconn_timeout 1 minute # TAG: ident_timeout # Maximum time to wait for IDENT lookups to complete. @@ -3687,15 +5513,15 @@ refresh_pattern . 0 20% 4320 # TAG: cache_mgr # Email-address of local cache manager who will receive -# mail if the cache dies. The default is "webmaster." +# mail if the cache dies. The default is "webmaster". #Default: # cache_mgr webmaster # TAG: mail_from # From: email-address for mail sent when the cache dies. -# The default is to use 'appname@unique_hostname'. -# Default appname value is "squid", can be changed into -# src/globals.h before building squid. +# The default is to use 'squid@unique_hostname'. +# +# See also: unique_hostname directive. #Default: # none @@ -3734,7 +5560,7 @@ refresh_pattern . 0 20% 4320 # Our preference is for administrators to configure a secure # user account for squid with UID/GID matching system policies. #Default: -# none +# Use system group memberships of the cache_effective_user account # TAG: httpd_suppress_version_string on|off # Suppress Squid version string info in HTTP headers and HTML error pages. @@ -3748,14 +5574,14 @@ refresh_pattern . 0 20% 4320 # get errors about IP-forwarding you must set them to have individual # names with this setting. #Default: -# visible_hostname localhost +# Automatically detect the system host name # TAG: unique_hostname # If you want to have multiple machines with the same # 'visible_hostname' you must give each machine a different # 'unique_hostname' so forwarding loops can be detected. #Default: -# none +# Copy the value from visible_hostname # TAG: hostname_aliases # A list of other DNS names your cache has. @@ -3794,33 +5620,32 @@ refresh_pattern . 0 20% 4320 # available on the Web at http://www.ircache.net/Cache/Tracker/. # TAG: announce_period -# This is how frequently to send cache announcements. The -# default is `0' which disables sending the announcement -# messages. +# This is how frequently to send cache announcements. # # To enable announcing your cache, just set an announce period. # # Example: # announce_period 1 day #Default: -# announce_period 0 +# Announcement messages disabled. # TAG: announce_host +# Set the hostname where announce registration messages will be sent. +# +# See also announce_port and announce_file #Default: # announce_host tracker.ircache.net # TAG: announce_file +# The contents of this file will be included in the announce +# registration messages. #Default: # none # TAG: announce_port -# announce_host and announce_port set the hostname and port -# number where the registration message will be sent. +# Set the port where announce registration messages will be sent. # -# Hostname will default to 'tracker.ircache.net' and port will -# default default to 3131. If the 'filename' argument is given, -# the contents of that file will be included in the announce -# message. +# See also announce_host and announce_file #Default: # announce_port 3131 @@ -3833,10 +5658,12 @@ refresh_pattern . 0 20% 4320 # a farm of surrogates may all perform the same tasks, they may share # an identification token. #Default: -# httpd_accel_surrogate_id unset-id +# visible_hostname is used if no specific ID is set. # TAG: http_accel_surrogate_remote on|off -# Remote surrogates (such as those in a CDN) honour Surrogate-Control: no-store-remote. +# Remote surrogates (such as those in a CDN) honour the header +# "Surrogate-Control: no-store-remote". +# # Set this to on to have squid behave as a remote surrogate. #Default: # http_accel_surrogate_remote off @@ -3855,6 +5682,9 @@ refresh_pattern . 0 20% 4320 # This represents the number of delay pools to be used. For example, # if you have one class 2 delay pool and one class 3 delays pool, you # have a total of 2 delay pools. +# +# See also delay_parameters, delay_class, delay_access for pool +# configuration details. #Default: # delay_pools 0 @@ -3907,6 +5737,11 @@ refresh_pattern . 0 20% 4320 # # NOTE-2: Due to the use of bitmasks in class 2,3,4 pools they only apply to # IPv4 traffic. Class 1 and 5 pools may be used with IPv6 traffic. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# See also delay_parameters and delay_access. #Default: # none @@ -3921,14 +5756,16 @@ refresh_pattern . 0 20% 4320 # For example, if you want some_big_clients in delay # pool 1 and lotsa_little_clients in delay pool 2: # -#Example: -# delay_access 1 allow some_big_clients -# delay_access 1 deny all -# delay_access 2 allow lotsa_little_clients -# delay_access 2 deny all -# delay_access 3 allow authenticated_clients +# delay_access 1 allow some_big_clients +# delay_access 1 deny all +# delay_access 2 allow lotsa_little_clients +# delay_access 2 deny all +# delay_access 3 allow authenticated_clients +# +# See also delay_parameters and delay_class. +# #Default: -# none +# Deny using the pool, unless allow rules exist in squid.conf for the pool. # TAG: delay_parameters # This defines the parameters for a delay pool. Each delay pool has @@ -3936,23 +5773,23 @@ refresh_pattern . 0 20% 4320 # description of delay_class. # # For a class 1 delay pool, the syntax is: -# delay_pools pool 1 +# delay_class pool 1 # delay_parameters pool aggregate # # For a class 2 delay pool: -# delay_pools pool 2 +# delay_class pool 2 # delay_parameters pool aggregate individual # # For a class 3 delay pool: -# delay_pools pool 3 +# delay_class pool 3 # delay_parameters pool aggregate network individual # # For a class 4 delay pool: -# delay_pools pool 4 +# delay_class pool 4 # delay_parameters pool aggregate network individual user # # For a class 5 delay pool: -# delay_pools pool 5 +# delay_class pool 5 # delay_parameters pool tagrate # # The option variables are: @@ -3988,11 +5825,11 @@ refresh_pattern . 0 20% 4320 # above example, and is being used to strictly limit each host to 64Kbit/sec # (plus overheads), with no overall limit, the line is: # -# delay_parameters 1 -1/-1 8000/8000 +# delay_parameters 1 none 8000/8000 # -# Note that 8 x 8000 KByte/sec -> 64Kbit/sec. +# Note that 8 x 8K Byte/sec -> 64K bit/sec. # -# Note that the figure -1 is used to represent "unlimited". +# Note that the word 'none' is used to represent no limit. # # # And, if delay pool number 2 is a class 3 delay pool as in the above @@ -4005,15 +5842,19 @@ refresh_pattern . 0 20% 4320 # # delay_parameters 2 32000/32000 8000/8000 600/8000 # -# Note that 8 x 32000 KByte/sec -> 256Kbit/sec. -# 8 x 8000 KByte/sec -> 64Kbit/sec. -# 8 x 600 Byte/sec -> 4800bit/sec. +# Note that 8 x 32K Byte/sec -> 256K bit/sec. +# 8 x 8K Byte/sec -> 64K bit/sec. +# 8 x 600 Byte/sec -> 4800 bit/sec. # # # Finally, for a class 4 delay pool as in the example - each user will # be limited to 128Kbits/sec no matter how many workstations they are logged into.: # # delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000 +# +# +# See also delay_class and delay_access. +# #Default: # none @@ -4026,6 +5867,94 @@ refresh_pattern . 0 20% 4320 #Default: # delay_initial_bucket_level 50 +# CLIENT DELAY POOL PARAMETERS +# ----------------------------------------------------------------------------- + +# TAG: client_delay_pools +# This option specifies the number of client delay pools used. It must +# preceed other client_delay_* options. +# +# Example: +# client_delay_pools 2 +# +# See also client_delay_parameters and client_delay_access. +#Default: +# client_delay_pools 0 + +# TAG: client_delay_initial_bucket_level (percent, 0-no_limit) +# This option determines the initial bucket size as a percentage of +# max_bucket_size from client_delay_parameters. Buckets are created +# at the time of the "first" connection from the matching IP. Idle +# buckets are periodically deleted up. +# +# You can specify more than 100 percent but note that such "oversized" +# buckets are not refilled until their size goes down to max_bucket_size +# from client_delay_parameters. +# +# Example: +# client_delay_initial_bucket_level 50 +#Default: +# client_delay_initial_bucket_level 50 + +# TAG: client_delay_parameters +# +# This option configures client-side bandwidth limits using the +# following format: +# +# client_delay_parameters pool speed_limit max_bucket_size +# +# pool is an integer ID used for client_delay_access matching. +# +# speed_limit is bytes added to the bucket per second. +# +# max_bucket_size is the maximum size of a bucket, enforced after any +# speed_limit additions. +# +# Please see the delay_parameters option for more information and +# examples. +# +# Example: +# client_delay_parameters 1 1024 2048 +# client_delay_parameters 2 51200 16384 +# +# See also client_delay_access. +# +#Default: +# none + +# TAG: client_delay_access +# This option determines the client-side delay pool for the +# request: +# +# client_delay_access pool_ID allow|deny acl_name +# +# All client_delay_access options are checked in their pool ID +# order, starting with pool 1. The first checked pool with allowed +# request is selected for the request. If no ACL matches or there +# are no client_delay_access options, the request bandwidth is not +# limited. +# +# The ACL-selected pool is then used to find the +# client_delay_parameters for the request. Client-side pools are +# not used to aggregate clients. Clients are always aggregated +# based on their source IP addresses (one bucket per source IP). +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# Additionally, only the client TCP connection details are available. +# ACLs testing HTTP properties will not work. +# +# Please see delay_access for more examples. +# +# Example: +# client_delay_access 1 allow low_rate_network +# client_delay_access 2 allow vips_network +# +# +# See also client_delay_parameters and client_delay_pools. +#Default: +# Deny use of the pool, unless allow rules exist in squid.conf for the pool. + # WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS # ----------------------------------------------------------------------------- @@ -4040,7 +5969,7 @@ refresh_pattern . 0 20% 4320 # only one of the two may be used at the same time and defines # which version of WCCP to use. #Default: -# wccp_router any_addr +# WCCP disabled. # TAG: wccp2_router # Use this option to define your WCCP ``home'' router for @@ -4053,7 +5982,7 @@ refresh_pattern . 0 20% 4320 # only one of the two may be used at the same time and defines # which version of WCCP to use. #Default: -# none +# WCCPv2 disabled. # TAG: wccp_version # This directive is only relevant if you need to set up WCCP(v1) @@ -4110,7 +6039,7 @@ refresh_pattern . 0 20% 4320 # Valid values are as follows: # # hash - Hash assignment -# mask - Mask assignment +# mask - Mask assignment # # As a general rule, cisco routers support the hash assignment method # and cisco switches support the mask assignment method. @@ -4138,7 +6067,7 @@ refresh_pattern . 0 20% 4320 # # fleshed out with subsequent options. # wccp2_service standard 0 password=foo #Default: -# wccp2_service standard 0 +# Use the 'web-cache' standard service. # TAG: wccp2_service_info # Dynamic WCCPv2 services require further information to define the @@ -4175,8 +6104,12 @@ refresh_pattern . 0 20% 4320 # wccp2_weight 10000 # TAG: wccp_address +# Use this option if you require WCCPv2 to use a specific +# interface address. +# +# The default behavior is to not bind to any specific address. #Default: -# wccp_address 0.0.0.0 +# Address selected by the operating system. # TAG: wccp2_address # Use this option if you require WCCP to use a specific @@ -4184,7 +6117,7 @@ refresh_pattern . 0 20% 4320 # # The default behavior is to not bind to any specific address. #Default: -# wccp2_address 0.0.0.0 +# Address selected by the operating system. # PERSISTENT CONNECTION HANDLING # ----------------------------------------------------------------------------- @@ -4192,14 +6125,16 @@ refresh_pattern . 0 20% 4320 # Also see "pconn_timeout" in the TIMEOUTS section # TAG: client_persistent_connections +# Persistent connection support for clients. +# Squid uses persistent connections (when allowed). You can use +# this option to disable persistent connections with clients. #Default: # client_persistent_connections on # TAG: server_persistent_connections -# Persistent connection support for clients and servers. By -# default, Squid uses persistent connections (when allowed) -# with its clients and servers. You can use these options to -# disable persistent connections with clients and/or servers. +# Persistent connection support for servers. +# Squid uses persistent connections (when allowed). You can use +# this option to disable persistent connections with servers. #Default: # server_persistent_connections on @@ -4275,7 +6210,7 @@ refresh_pattern . 0 20% 4320 # Example: # snmp_port 3401 #Default: -# snmp_port 0 +# SNMP disabled. # TAG: snmp_access # Allowing or denying access to the SNMP port. @@ -4287,26 +6222,29 @@ refresh_pattern . 0 20% 4320 # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# #Example: # snmp_access allow snmppublic localhost # snmp_access deny all #Default: -# snmp_access deny all +# Deny, unless rules exist in squid.conf. # TAG: snmp_incoming_address -#Default: -# snmp_incoming_address any_addr - -# TAG: snmp_outgoing_address # Just like 'udp_incoming_address', but for the SNMP port. # # snmp_incoming_address is used for the SNMP socket receiving # messages from SNMP agents. -# snmp_outgoing_address is used for SNMP packets returned to SNMP -# agents. # # The default snmp_incoming_address is to listen on all # available network interfaces. +#Default: +# Accept SNMP packets from all machine interfaces. + +# TAG: snmp_outgoing_address +# Just like 'udp_outgoing_address', but for the SNMP port. +# +# snmp_outgoing_address is used for SNMP packets returned to SNMP +# agents. # # If snmp_outgoing_address is not set it will use the same socket # as snmp_incoming_address. Only change this if you want to have @@ -4314,9 +6252,9 @@ refresh_pattern . 0 20% 4320 # listens for SNMP queries. # # NOTE, snmp_incoming_address and snmp_outgoing_address can not have -# the same value since they both use port 3401. +# the same value since they both use the same port. #Default: -# snmp_outgoing_address no_addr +# Use snmp_incoming_address or an address selected by the operating system. # ICP OPTIONS # ----------------------------------------------------------------------------- @@ -4324,22 +6262,21 @@ refresh_pattern . 0 20% 4320 # TAG: icp_port # The port number where Squid sends and receives ICP queries to # and from neighbor caches. The standard UDP port for ICP is 3130. -# Default is disabled (0). # # Example: # icp_port 3130 #Default: -# icp_port 0 +# ICP disabled. # TAG: htcp_port # The port number where Squid sends and receives HTCP queries to # and from neighbor caches. To turn it on you want to set it to -# 4827. By default it is set to "0" (disabled). +# 4827. # # Example: # htcp_port 4827 #Default: -# htcp_port 0 +# HTCP disabled. # TAG: log_icp_queries on|off # If set, ICP queries are logged to access.log. You may wish @@ -4365,7 +6302,7 @@ refresh_pattern . 0 20% 4320 # NOTE, udp_incoming_address and udp_outgoing_address can not # have the same value since they both use the same port. #Default: -# udp_incoming_address any_addr +# Accept packets from all machine interfaces. # TAG: udp_outgoing_address # udp_outgoing_address is used for UDP packets sent out to other @@ -4386,7 +6323,7 @@ refresh_pattern . 0 20% 4320 # NOTE, udp_incoming_address and udp_outgoing_address can not # have the same value since they both use the same port. #Default: -# udp_outgoing_address no_addr +# Use udp_incoming_address or an address selected by the operating system. # TAG: icp_hit_stale on|off # If you want to return ICP_HIT for stale cache objects, set this @@ -4405,21 +6342,33 @@ refresh_pattern . 0 20% 4320 #Default: # minimum_direct_hops 4 -# TAG: minimum_direct_rtt +# TAG: minimum_direct_rtt (msec) # If using the ICMP pinging stuff, do direct fetches for sites # which are no more than this many rtt milliseconds away. #Default: # minimum_direct_rtt 400 # TAG: netdb_low +# The low water mark for the ICMP measurement database. +# +# Note: high watermark controlled by netdb_high directive. +# +# These watermarks are counts, not percents. The defaults are +# (low) 900 and (high) 1000. When the high water mark is +# reached, database entries will be deleted until the low +# mark is reached. #Default: # netdb_low 900 # TAG: netdb_high -# The low and high water marks for the ICMP measurement -# database. These are counts, not percents. The defaults are -# 900 and 1000. When the high water mark is reached, database -# entries will be deleted until the low mark is reached. +# The high water mark for the ICMP measurement database. +# +# Note: low watermark controlled by netdb_low directive. +# +# These watermarks are counts, not percents. The defaults are +# (low) 900 and (high) 1000. When the high water mark is +# reached, database entries will be deleted until the low +# mark is reached. #Default: # netdb_high 1000 @@ -4462,7 +6411,7 @@ refresh_pattern . 0 20% 4320 # # icp_query_timeout 2000 #Default: -# icp_query_timeout 0 +# Dynamic detection. # TAG: maximum_icp_query_timeout (msec) # Normally the ICP query timeout is determined dynamically. But @@ -4528,7 +6477,7 @@ refresh_pattern . 0 20% 4320 # Do not enable this option unless you are are absolutely # certain you understand what you are doing. #Default: -# mcast_miss_addr no_addr +# disabled. # TAG: mcast_miss_ttl # Note: This option is only available if Squid is rebuilt with the @@ -4618,7 +6567,7 @@ refresh_pattern . 0 20% 4320 # The squid developers working on translations are happy to supply drop-in # translated error files in exchange for any new language contributions. #Default: -# none +# Send error pages in the clients preferred language # TAG: error_default_language # Set the default language which squid will send error pages in @@ -4632,7 +6581,7 @@ refresh_pattern . 0 20% 4320 # translations for any language see the squid wiki for details. # http://wiki.squid-cache.org/Translations #Default: -# none +# Generate English language pages. # TAG: error_log_languages # Log to cache.log what languages users are attempting to @@ -4687,17 +6636,47 @@ refresh_pattern . 0 20% 4320 # the first authentication related acl encountered # - When none of the http_access lines matches. It's then the last # acl processed on the last http_access line. +# - When the decision to deny access was made by an adaptation service, +# the acl name is the corresponding eCAP or ICAP service_name. # # NP: If providing your own custom error pages with error_directory # you may also specify them by your custom file name: # Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys # -# Alternatively you can specify an error URL. The browsers will -# get redirected (302 or 307) to the specified URL. %s in the redirection -# URL will be replaced by the requested URL. +# By defaut Squid will send "403 Forbidden". A different 4xx or 5xx +# may be specified by prefixing the file name with the code and a colon. +# e.g. 404:ERR_CUSTOM_ACCESS_DENIED # # Alternatively you can tell Squid to reset the TCP connection # by specifying TCP_RESET. +# +# Or you can specify an error URL or URL pattern. The browsers will +# get redirected to the specified URL after formatting tags have +# been replaced. Redirect will be done with 302 or 307 according to +# HTTP/1.1 specs. A different 3xx code may be specified by prefixing +# the URL. e.g. 303:http://example.com/ +# +# URL FORMAT TAGS: +# %a - username (if available. Password NOT included) +# %B - FTP path URL +# %e - Error number +# %E - Error description +# %h - Squid hostname +# %H - Request domain name +# %i - Client IP Address +# %M - Request Method +# %o - Message result from external ACL helper +# %p - Request Port number +# %P - Request Protocol name +# %R - Request URL path +# %T - Timestamp in RFC 1123 format +# %U - Full canonical URL from client +# (HTTPS URLs terminate with *) +# %u - Full canonical URL from client +# %w - Admin email from squid.conf +# %x - Error name +# %% - Literal percent (%) code +# #Default: # none @@ -4706,18 +6685,18 @@ refresh_pattern . 0 20% 4320 # TAG: nonhierarchical_direct # By default, Squid will send any non-hierarchical requests -# (matching hierarchy_stoplist or not cacheable request type) direct -# to origin servers. +# (not cacheable request type) direct to origin servers. # -# If you set this to off, Squid will prefer to send these +# When this is set to "off", Squid will prefer to send these # requests to parents. # # Note that in most configurations, by turning this off you will only # add latency to these request without any improvement in global hit # ratio. # -# If you are inside an firewall see never_direct instead of -# this directive. +# This option only sets a preference. If the parent is unavailable a +# direct connection to the origin server may still be attempted. To +# completely prevent direct connections use never_direct. #Default: # nonhierarchical_direct on @@ -4736,6 +6715,29 @@ refresh_pattern . 0 20% 4320 #Default: # prefer_direct off +# TAG: cache_miss_revalidate on|off +# RFC 7232 defines a conditional request mechanism to prevent +# response objects being unnecessarily transferred over the network. +# If that mechanism is used by the client and a cache MISS occurs +# it can prevent new cache entries being created. +# +# This option determines whether Squid on cache MISS will pass the +# client revalidation request to the server or tries to fetch new +# content for caching. It can be useful while the cache is mostly +# empty to more quickly have the cache populated by generating +# non-conditional GETs. +# +# When set to 'on' (default), Squid will pass all client If-* headers +# to the server. This permits server responses without a cacheable +# payload to be delivered and on MISS no new cache entry is created. +# +# When set to 'off' and if the request is cacheable, Squid will +# remove the clients If-Modified-Since and If-None-Match headers from +# the request sent to the server. This requests a 200 status response +# from the server to create a new cache entry with. +#Default: +# cache_miss_revalidate on + # TAG: always_direct # Usage: always_direct allow|deny [!]aclname ... # @@ -4776,7 +6778,7 @@ refresh_pattern . 0 20% 4320 # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Prevent any cache_peer being used for this request. # TAG: never_direct # Usage: never_direct allow|deny [!]aclname ... @@ -4805,37 +6807,52 @@ refresh_pattern . 0 20% 4320 # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow DNS results to be used for this request. # ADVANCED NETWORKING OPTIONS # ----------------------------------------------------------------------------- -# TAG: incoming_icp_average +# TAG: incoming_udp_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: -# incoming_icp_average 6 +# incoming_udp_average 6 -# TAG: incoming_http_average +# TAG: incoming_tcp_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: -# incoming_http_average 4 +# incoming_tcp_average 4 # TAG: incoming_dns_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: # incoming_dns_average 4 -# TAG: min_icp_poll_cnt +# TAG: min_udp_poll_cnt +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: -# min_icp_poll_cnt 8 +# min_udp_poll_cnt 8 # TAG: min_dns_poll_cnt +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: # min_dns_poll_cnt 8 -# TAG: min_http_poll_cnt +# TAG: min_tcp_poll_cnt # Heavy voodoo here. I can't even believe you are reading this. # Are you crazy? Don't even think about adjusting these unless # you understand the algorithms in comm_select.c first! #Default: -# min_http_poll_cnt 8 +# min_tcp_poll_cnt 8 # TAG: accept_filter # FreeBSD: @@ -4880,14 +6897,14 @@ refresh_pattern . 0 20% 4320 # WARNING: This may noticably slow down traffic received via external proxies # or NAT devices and cause them to rebound error messages back to their clients. #Default: -# client_ip_max_connections -1 +# No limit. # TAG: tcp_recv_bufsize (bytes) # Size of receive buffer to set for TCP sockets. Probably just -# as easy to change your kernel's default. Set to zero to use -# the default buffer size. +# as easy to change your kernel's default. +# Omit from squid.conf to use the default buffer size. #Default: -# tcp_recv_bufsize 0 bytes +# Use operating system TCP defaults. # ICAP OPTIONS # ----------------------------------------------------------------------------- @@ -4913,22 +6930,36 @@ refresh_pattern . 0 20% 4320 # an established, active ICAP connection before giving up and # either terminating the HTTP transaction or bypassing the # failure. -# -# The default is read_timeout. #Default: -# none +# Use read_timeout. -# TAG: icap_service_failure_limit +# TAG: icap_service_failure_limit limit [in memory-depth time-units] # The limit specifies the number of failures that Squid tolerates # when establishing a new TCP connection with an ICAP service. If # the number of failures exceeds the limit, the ICAP service is # not used for new ICAP requests until it is time to refresh its -# OPTIONS. The per-service failure counter is reset to zero each -# time Squid fetches new service OPTIONS. +# OPTIONS. # # A negative value disables the limit. Without the limit, an ICAP # service will not be considered down due to connectivity failures # between ICAP OPTIONS requests. +# +# Squid forgets ICAP service failures older than the specified +# value of memory-depth. The memory fading algorithm +# is approximate because Squid does not remember individual +# errors but groups them instead, splitting the option +# value into ten time slots of equal length. +# +# When memory-depth is 0 and by default this option has no +# effect on service failure expiration. +# +# Squid always forgets failures when updating service settings +# using an ICAP OPTIONS transaction, regardless of this option +# setting. +# +# For example, +# # suspend service usage after 10 failures in 5 seconds: +# icap_service_failure_limit 10 in 5 seconds #Default: # icap_service_failure_limit 10 @@ -4962,10 +6993,26 @@ refresh_pattern . 0 20% 4320 # TAG: icap_preview_size # The default size of preview data to be sent to the ICAP server. -# -1 means no preview. This value might be overwritten on a per server -# basis by OPTIONS requests. +# This value might be overwritten on a per server basis by OPTIONS requests. +#Default: +# No preview sent. + +# TAG: icap_206_enable on|off +# 206 (Partial Content) responses is an ICAP extension that allows the +# ICAP agents to optionally combine adapted and original HTTP message +# content. The decision to combine is postponed until the end of the +# ICAP response. Squid supports Partial Content extension by default. +# +# Activation of the Partial Content extension is negotiated with each +# ICAP service during OPTIONS exchange. Most ICAP servers should handle +# negotation correctly even if they do not support the extension, but +# some might fail. To disable Partial Content support for all ICAP +# services and to avoid any negotiation, set this option to "off". +# +# Example: +# icap_206_enable off #Default: -# icap_preview_size -1 +# icap_206_enable on # TAG: icap_default_options_ttl # The default TTL value for ICAP OPTIONS responses that don't have @@ -4979,25 +7026,27 @@ refresh_pattern . 0 20% 4320 #Default: # icap_persistent_connections on -# TAG: icap_send_client_ip on|off +# TAG: adaptation_send_client_ip on|off # If enabled, Squid shares HTTP client IP information with adaptation # services. For ICAP, Squid adds the X-Client-IP header to ICAP requests. # For eCAP, Squid sets the libecap::metaClientIp transaction option. # # See also: adaptation_uses_indirect_client #Default: -# icap_send_client_ip off +# adaptation_send_client_ip off -# TAG: icap_send_client_username on|off +# TAG: adaptation_send_username on|off # This sends authenticated HTTP client username (if available) to -# the ICAP service. The username value is encoded based on the +# the adaptation service. +# +# For ICAP, the username value is encoded based on the # icap_client_username_encode option and is sent using the header # specified by the icap_client_username_header option. #Default: -# icap_send_client_username off +# adaptation_send_username off # TAG: icap_client_username_header -# ICAP request header name to use for send_client_username. +# ICAP request header name to use for adaptation_send_username. #Default: # icap_client_username_header X-Client-Username @@ -5009,17 +7058,19 @@ refresh_pattern . 0 20% 4320 # TAG: icap_service # Defines a single ICAP service using the following format: # -# icap_service service_name vectoring_point [options] service_url +# icap_service id vectoring_point uri [option ...] # -# service_name: ID -# an opaque identifier which must be unique in squid.conf +# id: ID +# an opaque identifier or name which is used to direct traffic to +# this specific service. Must be unique among all adaptation +# services in squid.conf. # # vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache # This specifies at which point of transaction processing the # ICAP service should be activated. *_postcache vectoring points # are not yet supported. # -# service_url: icap://servername:port/servicepath +# uri: icap://servername:port/servicepath # ICAP server and service location. # # ICAP does not allow a single service to handle both REQMOD and RESPMOD @@ -5028,6 +7079,8 @@ refresh_pattern . 0 20% 4320 # can even specify multiple identical services as long as their # service_names differ. # +# To activate a service, use the adaptation_access directive. To group +# services, use adaptation_service_chain and adaptation_service_set. # # Service options are separated by white space. ICAP services support # the following name=value options: @@ -5049,11 +7102,12 @@ refresh_pattern . 0 20% 4320 # returning a chain of services to be used next. The services # are specified using the X-Next-Services ICAP response header # value, formatted as a comma-separated list of service names. -# Each named service should be configured in squid.conf and -# should have the same method and vectoring point as the current -# ICAP transaction. Services violating these rules are ignored. -# An empty X-Next-Services value results in an empty plan which -# ends the current adaptation. +# Each named service should be configured in squid.conf. Other +# services are ignored. An empty X-Next-Services value results +# in an empty plan which ends the current adaptation. +# +# Dynamic adaptation plan may cross or cover multiple supported +# vectoring points in their natural processing order. # # Routing is not allowed by default: the ICAP X-Next-Services # response header is ignored. @@ -5063,12 +7117,32 @@ refresh_pattern . 0 20% 4320 # is to use IPv4-only connections. When set to 'on' this option will # make Squid use IPv6-only connections to contact this ICAP service. # +# on-overload=block|bypass|wait|force +# If the service Max-Connections limit has been reached, do +# one of the following for each new ICAP transaction: +# * block: send an HTTP error response to the client +# * bypass: ignore the "over-connected" ICAP service +# * wait: wait (in a FIFO queue) for an ICAP connection slot +# * force: proceed, ignoring the Max-Connections limit +# +# In SMP mode with N workers, each worker assumes the service +# connection limit is Max-Connections/N, even though not all +# workers may use a given service. +# +# The default value is "bypass" if service is bypassable, +# otherwise it is set to "wait". +# +# +# max-conn=number +# Use the given number as the Max-Connections limit, regardless +# of the Max-Connections value given by the service, if any. +# # Older icap_service format without optional named parameters is # deprecated but supported for backward compatibility. # #Example: -#icap_service svcBlocker reqmod_precache bypass=0 icap://icap1.mydomain.net:1344/reqmod -#icap_service svcLogger reqmod_precache routing=on icap://icap2.mydomain.net:1344/respmod +#icap_service svcBlocker reqmod_precache icap://icap1.mydomain.net:1344/reqmod bypass=0 +#icap_service svcLogger reqmod_precache icap://icap2.mydomain.net:1344/respmod routing=on #Default: # none @@ -5094,38 +7168,65 @@ refresh_pattern . 0 20% 4320 # ----------------------------------------------------------------------------- # TAG: ecap_enable on|off -# Note: This option is only available if Squid is rebuilt with the -# --enable-ecap option -# # Controls whether eCAP support is enabled. #Default: # ecap_enable off # TAG: ecap_service -# Note: This option is only available if Squid is rebuilt with the -# --enable-ecap option -# # Defines a single eCAP service # -# ecap_service servicename vectoring_point bypass service_url +# ecap_service id vectoring_point uri [option ...] # -# vectoring_point = reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache +# id: ID +# an opaque identifier or name which is used to direct traffic to +# this specific service. Must be unique among all adaptation +# services in squid.conf. +# +# vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache # This specifies at which point of transaction processing the # eCAP service should be activated. *_postcache vectoring points # are not yet supported. -# bypass = 1|0 -# If set to 1, the eCAP service is treated as optional. If the -# service cannot be reached or malfunctions, Squid will try to -# ignore any errors and process the message as if the service +# +# uri: ecap://vendor/service_name?custom&cgi=style¶meters=optional +# Squid uses the eCAP service URI to match this configuration +# line with one of the dynamically loaded services. Each loaded +# eCAP service must have a unique URI. Obtain the right URI from +# the service provider. +# +# To activate a service, use the adaptation_access directive. To group +# services, use adaptation_service_chain and adaptation_service_set. +# +# Service options are separated by white space. eCAP services support +# the following name=value options: +# +# bypass=on|off|1|0 +# If set to 'on' or '1', the eCAP service is treated as optional. +# If the service cannot be reached or malfunctions, Squid will try +# to ignore any errors and process the message as if the service # was not enabled. No all eCAP errors can be bypassed. -# If set to 0, the eCAP service is treated as essential and all -# eCAP errors will result in an error page returned to the +# If set to 'off' or '0', the eCAP service is treated as essential +# and all eCAP errors will result in an error page returned to the # HTTP client. -# service_url = ecap://vendor/service_name?custom&cgi=style¶meters=optional +# +# Bypass is off by default: services are treated as essential. +# +# routing=on|off|1|0 +# If set to 'on' or '1', the eCAP service is allowed to +# dynamically change the current message adaptation plan by +# returning a chain of services to be used next. +# +# Dynamic adaptation plan may cross or cover multiple supported +# vectoring points in their natural processing order. +# +# Routing is not allowed by default. +# +# Older ecap_service format without optional named parameters is +# deprecated but supported for backward compatibility. +# # #Example: -#ecap_service service_1 reqmod_precache 0 ecap://filters-R-us/leakDetector?on_error=block -#ecap_service service_2 respmod_precache 1 icap://filters-R-us/virusFilter?config=/etc/vf.cfg +#ecap_service s1 reqmod_precache ecap://filters.R.us/leakDetector?on_error=block bypass=off +#ecap_service s2 respmod_precache ecap://filters.R.us/virusFilter config=/etc/vf.cfg bypass=on #Default: # none @@ -5247,7 +7348,7 @@ refresh_pattern . 0 20% 4320 #Example: #adaptation_access service_1 allow all #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: adaptation_service_iteration_limit # Limits the number of iterations allowed when applying adaptation @@ -5275,8 +7376,14 @@ refresh_pattern . 0 20% 4320 # # An ICAP REQMOD or RESPMOD transaction may set an entry in the # shared table by returning an ICAP header field with a name -# specified in adaptation_masterx_shared_names. Squid will store -# and forward that ICAP header field to subsequent ICAP +# specified in adaptation_masterx_shared_names. +# +# An eCAP REQMOD or RESPMOD transaction may set an entry in the +# shared table by implementing the libecap::visitEachOption() API +# to provide an option with a name specified in +# adaptation_masterx_shared_names. +# +# Squid will store and forward the set entry to subsequent adaptation # transactions within the same master transaction scope. # # Only one shared entry name is supported at this time. @@ -5287,6 +7394,43 @@ refresh_pattern . 0 20% 4320 #Default: # none +# TAG: adaptation_meta +# This option allows Squid administrator to add custom ICAP request +# headers or eCAP options to Squid ICAP requests or eCAP transactions. +# Use it to pass custom authentication tokens and other +# transaction-state related meta information to an ICAP/eCAP service. +# +# The addition of a meta header is ACL-driven: +# adaptation_meta name value [!]aclname ... +# +# Processing for a given header name stops after the first ACL list match. +# Thus, it is impossible to add two headers with the same name. If no ACL +# lists match for a given header name, no such header is added. For +# example: +# +# # do not debug transactions except for those that need debugging +# adaptation_meta X-Debug 1 needs_debugging +# +# # log all transactions except for those that must remain secret +# adaptation_meta X-Log 1 !keep_secret +# +# # mark transactions from users in the "G 1" group +# adaptation_meta X-Authenticated-Groups "G 1" authed_as_G1 +# +# The "value" parameter may be a regular squid.conf token or a "double +# quoted string". Within the quoted string, use backslash (\) to escape +# any character, which is currently only useful for escaping backslashes +# and double quotes. For example, +# "this string has one backslash (\\) and two \"quotes\"" +# +# Used adaptation_meta header values may be logged via %note +# logformat code. If multiple adaptation_meta headers with the same name +# are used during master transaction lifetime, the header values are +# logged in the order they were used and duplicate values are ignored +# (only the first repeated value will be logged). +#Default: +# none + # TAG: icap_retry # This ACL determines which retriable ICAP transactions are # retried. Transactions that received a complete ICAP response @@ -5303,8 +7447,7 @@ refresh_pattern . 0 20% 4320 # icap_retry deny all # TAG: icap_retry_limit -# Limits the number of retries allowed. When set to zero (default), -# no retries are allowed. +# Limits the number of retries allowed. # # Communication errors due to persistent connection race # conditions are unavoidable, automatically retried, and do not @@ -5312,7 +7455,7 @@ refresh_pattern . 0 20% 4320 # # See also: icap_retry #Default: -# icap_retry_limit 0 +# No retries are allowed. # DNS OPTIONS # ----------------------------------------------------------------------------- @@ -5332,31 +7475,9 @@ refresh_pattern . 0 20% 4320 #Default: # allow_underscore on -# TAG: cache_dns_program -# Note: This option is only available if Squid is rebuilt with the -# --disable-internal-dns option -# -# Specify the location of the executable for dnslookup process. -#Default: -# cache_dns_program /usr/lib/squid/dnsserver - -# TAG: dns_children -# Note: This option is only available if Squid is rebuilt with the -# --disable-internal-dns option -# -# The number of processes spawn to service DNS name lookups. -# For heavily loaded caches on large servers, you should -# probably increase this value to at least 10. The maximum -# is 32. The default is 5. -# -# You must have at least one dnsserver process. -#Default: -# dns_children 5 - # TAG: dns_retransmit_interval # Initial retransmit interval for DNS queries. The interval is # doubled each time all configured DNS servers have been tried. -# #Default: # dns_retransmit_interval 5 seconds @@ -5365,7 +7486,31 @@ refresh_pattern . 0 20% 4320 # within this time all DNS servers for the queried domain # are assumed to be unavailable. #Default: -# dns_timeout 2 minutes +# dns_timeout 30 seconds + +# TAG: dns_packet_max +# Maximum number of bytes packet size to advertise via EDNS. +# Set to "none" to disable EDNS large packet support. +# +# For legacy reasons DNS UDP replies will default to 512 bytes which +# is too small for many responses. EDNS provides a means for Squid to +# negotiate receiving larger responses back immediately without having +# to failover with repeat requests. Responses larger than this limit +# will retain the old behaviour of failover to TCP DNS. +# +# Squid has no real fixed limit internally, but allowing packet sizes +# over 1500 bytes requires network jumbogram support and is usually not +# necessary. +# +# WARNING: The RFC also indicates that some older resolvers will reply +# with failure of the whole request if the extension is added. Some +# resolvers have already been identified which will reply with mangled +# EDNS response on occasion. Usually in response to many-KB jumbogram +# sizes being advertised by Squid. +# Squid will currently treat these both as an unable-to-resolve domain +# even if it would be resolvable without EDNS. +#Default: +# EDNS disabled # TAG: dns_defnames on|off # Normally the RES_DEFNAMES resolver option is disabled @@ -5373,12 +7518,21 @@ refresh_pattern . 0 20% 4320 # from interpreting single-component hostnames locally. To allow # Squid to handle single-component names, enable this option. #Default: -# dns_defnames off +# Search for single-label domain names is disabled. + +# TAG: dns_multicast_local on|off +# When set to on, Squid sends multicast DNS lookups on the local +# network for domains ending in .local and .arpa. +# This enables local servers and devices to be contacted in an +# ad-hoc or zero-configuration network environment. +#Default: +# Search for .local and .arpa names is disabled. # TAG: dns_nameservers # Use this if you want to specify a list of DNS name servers # (IP addresses) to use instead of those given in your # /etc/resolv.conf file. +# # On Windows platforms, if no value is specified here or in # the /etc/resolv.conf file, the list of DNS name servers are # taken from the Windows registry, both static and dynamic DHCP @@ -5386,7 +7540,7 @@ refresh_pattern . 0 20% 4320 # # Example: dns_nameservers 10.0.0.1 192.172.0.4 #Default: -# none +# Use operating system definitions # TAG: hosts_file # Location of the host-local IP name-address associations @@ -5425,7 +7579,7 @@ refresh_pattern . 0 20% 4320 #Example: # append_domain .yourdomain.com #Default: -# none +# Use operating system definitions # TAG: ignore_unknown_nameservers # By default Squid checks that DNS responses are received @@ -5436,23 +7590,6 @@ refresh_pattern . 0 20% 4320 #Default: # ignore_unknown_nameservers on -# TAG: dns_v4_fallback -# Standard practice with DNS is to lookup either A or AAAA records -# and use the results if it succeeds. Only looking up the other if -# the first attempt fails or otherwise produces no results. -# -# That policy however will cause squid to produce error pages for some -# servers that advertise AAAA but are unreachable over IPv6. -# -# If this is ON squid will always lookup both AAAA and A, using both. -# If this is OFF squid will lookup AAAA and only try A if none found. -# -# WARNING: There are some possibly unwanted side-effects with this on: -# *) Doubles the load placed by squid on the DNS network. -# *) May negatively impact connection delay times. -#Default: -# dns_v4_fallback on - # TAG: dns_v4_first # With the IPv6 Internet being as fast or faster than IPv4 Internet # for most networks Squid prefers to contact websites over IPv6. @@ -5464,11 +7601,12 @@ refresh_pattern . 0 20% 4320 # WARNING: # This option will restrict the situations under which IPv6 # connectivity is used (and tested), potentially hiding network -# problem swhich would otherwise be detected and warned about. +# problems which would otherwise be detected and warned about. #Default: # dns_v4_first off # TAG: ipcache_size (number of entries) +# Maximum number of DNS IP cache entries. #Default: # ipcache_size 1024 @@ -5489,6 +7627,15 @@ refresh_pattern . 0 20% 4320 # MISCELLANEOUS # ----------------------------------------------------------------------------- +# TAG: configuration_includes_quoted_values on|off +# If set, Squid will recognize each "quoted string" after a configuration +# directive as a single parameter. The quotes are stripped before the +# parameter value is interpreted or used. +# See "Values with spaces, quotes, and other special characters" +# section for more details. +#Default: +# configuration_includes_quoted_values off + # TAG: memory_pools on|off # If set, Squid will keep pools of allocated (but unused) memory # available for future use. If memory is a premium on your @@ -5539,7 +7686,7 @@ refresh_pattern . 0 20% 4320 # X-Forwarded-For header. # # If set to "truncate", Squid will remove all existing -# X-Forwarded-For entries, and place itself as the sole entry. +# X-Forwarded-For entries, and place the client IP as the sole entry. #Default: # forwarded_for on @@ -5602,7 +7749,7 @@ refresh_pattern . 0 20% 4320 # cachemgr_passwd lesssssssecret info stats/objects # cachemgr_passwd disable all #Default: -# none +# No password. Actions which require password are denied. # TAG: client_db on|off # If you want to disable collecting per-client statistics, @@ -5633,19 +7780,22 @@ refresh_pattern . 0 20% 4320 #Default: # reload_into_ims off -# TAG: maximum_single_addr_tries -# This sets the maximum number of connection attempts for a -# host that only has one address (for multiple-address hosts, -# each address is tried once). +# TAG: connect_retries +# This sets the maximum number of connection attempts made for each +# TCP connection. The connect_retries attempts must all still +# complete within the connection timeout period. +# +# The default is not to re-try if the first connection attempt fails. +# The (not recommended) maximum is 10 tries. # -# The default value is one attempt, the (not recommended) -# maximum is 255 tries. A warning message will be generated -# if it is set to a value greater than ten. +# A warning message will be generated if it is set to a too-high +# value and the configured value will be over-ridden. # -# Note: This is in addition to the request re-forwarding which -# takes place if Squid fails to get a satisfying response. +# Note: These re-tries are in addition to forward_max_tries +# which limit how many different addresses may be tried to find +# a useful server. #Default: -# maximum_single_addr_tries 1 +# Do not retry failed connections. # TAG: retry_on_error # If set to ON Squid will automatically retry requests when @@ -5678,20 +7828,32 @@ refresh_pattern . 0 20% 4320 # URI. Options: # # strip: The whitespace characters are stripped out of the URL. -# This is the behavior recommended by RFC2396. +# This is the behavior recommended by RFC2396 and RFC3986 +# for tolerant handling of generic URI. +# NOTE: This is one difference between generic URI and HTTP URLs. +# # deny: The request is denied. The user receives an "Invalid # Request" message. +# This is the behaviour recommended by RFC2616 for safe +# handling of HTTP request URL. +# # allow: The request is allowed and the URI is not changed. The # whitespace characters remain in the URI. Note the # whitespace is passed to redirector processes if they # are in use. +# Note this may be considered a violation of RFC2616 +# request parsing where whitespace is prohibited in the +# URL field. +# # encode: The request is allowed and the whitespace characters are -# encoded according to RFC1738. This could be considered -# a violation of the HTTP/1.1 -# RFC because proxies are not allowed to rewrite URI's. +# encoded according to RFC1738. +# # chop: The request is allowed and the URI is chopped at the -# first whitespace. This might also be considered a -# violation. +# first whitespace. +# +# +# NOTE the current Squid implementation of encode and chop violates +# RFC2616 by not using a 301 redirect after altering the URL. #Default: # uri_whitespace strip @@ -5718,23 +7880,28 @@ refresh_pattern . 0 20% 4320 # balance_on_multiple_ip off # TAG: pipeline_prefetch -# To boost the performance of pipelined requests to closer -# match that of a non-proxied environment Squid can try to fetch -# up to two requests in parallel from a pipeline. -# -# Defaults to off for bandwidth management and access logging +# HTTP clients may send a pipeline of 1+N requests to Squid using a +# single connection, without waiting for Squid to respond to the first +# of those requests. This option limits the number of concurrent +# requests Squid will try to handle in parallel. If set to N, Squid +# will try to receive and process up to 1+N requests on the same +# connection concurrently. +# +# Defaults to 0 (off) for bandwidth management and access logging # reasons. # +# NOTE: pipelining requires persistent connections to clients. +# # WARNING: pipelining breaks NTLM and Negotiate/Kerberos authentication. #Default: -# pipeline_prefetch off +# Do not pre-parse pipelined requests. # TAG: high_response_time_warning (msec) # If the one-minute median response time exceeds this value, # Squid prints a WARNING with debug level 0 to get the # administrators attention. The value is in milliseconds. #Default: -# high_response_time_warning 0 +# disabled. # TAG: high_page_fault_warning # If the one-minute average page fault rate exceeds this @@ -5742,14 +7909,17 @@ refresh_pattern . 0 20% 4320 # the administrators attention. The value is in page faults # per second. #Default: -# high_page_fault_warning 0 +# disabled. # TAG: high_memory_warning -# If the memory usage (as determined by mallinfo) exceeds -# this amount, Squid prints a WARNING with debug level 0 to get +# Note: This option is only available if Squid is rebuilt with the +# GNU Malloc with mstats() +# +# If the memory usage (as determined by gnumalloc, if available and used) +# exceeds this amount, Squid prints a WARNING with debug level 0 to get # the administrators attention. #Default: -# high_memory_warning 0 KB +# disabled. # TAG: sleep_after_fork (microseconds) # When this is set to a non-zero value, the main Squid process @@ -5766,6 +7936,9 @@ refresh_pattern . 0 20% 4320 # sleep_after_fork 0 # TAG: windows_ipaddrchangemonitor on|off +# Note: This option is only available if Squid is rebuilt with the +# MS Windows +# # On Windows Squid by default will monitor IP address changes and will # reconfigure itself after any detected event. This is very useful for # proxies connected to internet with dial-up interfaces. @@ -5775,13 +7948,19 @@ refresh_pattern . 0 20% 4320 #Default: # windows_ipaddrchangemonitor on +# TAG: eui_lookup +# Whether to lookup the EUI or MAC address of a connected client. +#Default: +# eui_lookup on + # TAG: max_filedescriptors -# The maximum number of filedescriptors supported. +# Reduce the maximum number of filedescriptors supported below +# the usual operating system defaults. # -# The default "0" means Squid inherits the current ulimit setting. +# Remove from squid.conf to inherit the current ulimit setting. # # Note: Changing this requires a restart of Squid. Also -# not all comm loops supports large values. +# not all I/O types supports large values (eg on Windows). #Default: -# max_filedescriptors 0 +# Use operating system limits set by ulimit. diff --git a/hosts/codethink-sled16-arm64/etc/squid/squid.conf b/hosts/codethink-sled16-arm64/etc/squid/squid.conf index 34be0ec5..ad1cdc47 100644 --- a/hosts/codethink-sled16-arm64/etc/squid/squid.conf +++ b/hosts/codethink-sled16-arm64/etc/squid/squid.conf @@ -1,4 +1,4 @@ -# WELCOME TO SQUID 3.1.20 +# WELCOME TO SQUID 3.5.23 # ---------------------------- # # This is the documentation for the Squid configuration file. @@ -32,6 +32,188 @@ # This arbitrary restriction is to prevent recursive include references # from causing Squid entering an infinite loop whilst trying to load # configuration files. +# +# Values with byte units +# +# Squid accepts size units on some size related directives. All +# such directives are documented with a default value displaying +# a unit. +# +# Units accepted by Squid are: +# bytes - byte +# KB - Kilobyte (1024 bytes) +# MB - Megabyte +# GB - Gigabyte +# +# Values with spaces, quotes, and other special characters +# +# Squid supports directive parameters with spaces, quotes, and other +# special characters. Surround such parameters with "double quotes". Use +# the configuration_includes_quoted_values directive to enable or +# disable that support. +# +# Squid supports reading configuration option parameters from external +# files using the syntax: +# parameters("/path/filename") +# For example: +# acl whitelist dstdomain parameters("/etc/squid/whitelist.txt") +# +# Conditional configuration +# +# If-statements can be used to make configuration directives +# depend on conditions: +# +# if +# ... regular configuration directives ... +# [else +# ... regular configuration directives ...] +# endif +# +# The else part is optional. The keywords "if", "else", and "endif" +# must be typed on their own lines, as if they were regular +# configuration directives. +# +# NOTE: An else-if condition is not supported. +# +# These individual conditions types are supported: +# +# true +# Always evaluates to true. +# false +# Always evaluates to false. +# = +# Equality comparison of two integer numbers. +# +# +# SMP-Related Macros +# +# The following SMP-related preprocessor macros can be used. +# +# ${process_name} expands to the current Squid process "name" +# (e.g., squid1, squid2, or cache1). +# +# ${process_number} expands to the current Squid process +# identifier, which is an integer number (e.g., 1, 2, 3) unique +# across all Squid processes of the current service instance. +# +# ${service_name} expands into the current Squid service instance +# name identifier which is provided by -n on the command line. +# + +# TAG: broken_vary_encoding +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: cache_vary +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: error_map +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: external_refresh_check +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: location_rewrite_program +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: refresh_stale_hit +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: hierarchy_stoplist +# Remove this line. Use always_direct or cache_peer_access ACLs instead if you need to prevent cache_peer use. +#Default: +# none + +# TAG: log_access +# Remove this line. Use acls with access_log directives to control access logging +#Default: +# none + +# TAG: log_icap +# Remove this line. Use acls with icap_log directives to control icap logging +#Default: +# none + +# TAG: ignore_ims_on_miss +# Remove this line. The HTTP/1.1 feature is now configured by 'cache_miss_revalidate'. +#Default: +# none + +# TAG: chunked_request_body_max_size +# Remove this line. Squid is now HTTP/1.1 compliant. +#Default: +# none + +# TAG: dns_v4_fallback +# Remove this line. Squid performs a 'Happy Eyeballs' algorithm, the 'fallback' algorithm is no longer relevant. +#Default: +# none + +# TAG: emulate_httpd_log +# Replace this with an access_log directive using the format 'common' or 'combined'. +#Default: +# none + +# TAG: forward_log +# Use a regular access.log with ACL limiting it to MISS events. +#Default: +# none + +# TAG: ftp_list_width +# Remove this line. Configure FTP page display using the CSS controls in errorpages.css instead. +#Default: +# none + +# TAG: ignore_expect_100 +# Remove this line. The HTTP/1.1 feature is now fully supported by default. +#Default: +# none + +# TAG: log_fqdn +# Remove this option from your config. To log FQDN use %>A in the log format. +#Default: +# none + +# TAG: log_ip_on_direct +# Remove this option from your config. To log server or peer names use % -##auth_param negotiate children 5 +##auth_param negotiate children 20 startup=0 idle=1 ##auth_param negotiate keep_alive on ## -##auth_param ntlm program -##auth_param ntlm children 5 -##auth_param ntlm keep_alive on -## -##auth_param digest program -##auth_param digest children 5 +##auth_param digest program +##auth_param digest children 20 startup=0 idle=1 ##auth_param digest realm Squid proxy-caching web server ##auth_param digest nonce_garbage_interval 5 minutes ##auth_param digest nonce_max_duration 30 minutes ##auth_param digest nonce_max_count 50 ## +##auth_param ntlm program +##auth_param ntlm children 20 startup=0 idle=1 +##auth_param ntlm keep_alive on +## ##auth_param basic program -##auth_param basic children 5 +##auth_param basic children 5 startup=5 idle=1 ##auth_param basic realm Squid proxy-caching web server ##auth_param basic credentialsttl 2 hours #Default: @@ -343,7 +448,7 @@ # TAG: authenticate_cache_garbage_interval # The time period between garbage collection across the username cache. -# This is a tradeoff between memory utilization (long intervals - say +# This is a trade-off between memory utilization (long intervals - say # 2 days) and CPU (short intervals - say 1 minute). Only change if you # have good reason to. #Default: @@ -362,11 +467,11 @@ # this directive controls how long Squid remembers the IP # addresses associated with each user. Use a small value # (e.g., 60 seconds) if your users might change addresses -# quickly, as is the case with dialups. You might be safe +# quickly, as is the case with dialup. You might be safe # using a larger value (e.g., 2 hours) in a corporate LAN # environment with relatively static address assignments. #Default: -# authenticate_ip_ttl 0 seconds +# authenticate_ip_ttl 1 second # ACCESS CONTROLS # ----------------------------------------------------------------------------- @@ -381,31 +486,66 @@ # # ttl=n TTL in seconds for cached results (defaults to 3600 # for 1 hour) +# # negative_ttl=n # TTL for cached negative lookups (default same # as ttl) -# children=n Number of acl helper processes spawn to service +# +# grace=n Percentage remaining of TTL where a refresh of a +# cached entry should be initiated without needing to +# wait for a new reply. (default is for no grace period) +# +# cache=n The maximum number of entries in the result cache. The +# default limit is 262144 entries. Each cache entry usually +# consumes at least 256 bytes. Squid currently does not remove +# expired cache entries until the limit is reached, so a proxy +# will sooner or later reach the limit. The expanded FORMAT +# value is used as the cache key, so if the details in FORMAT +# are highly variable, a larger cache may be needed to produce +# reduction in helper load. +# +# children-max=n +# Maximum number of acl helper processes spawned to service # external acl lookups of this type. (default 5) +# +# children-startup=n +# Minimum number of acl helper processes to spawn during +# startup and reconfigure to service external acl lookups +# of this type. (default 0) +# +# children-idle=n +# Number of acl helper processes to keep ahead of traffic +# loads. Squid will spawn this many at once whenever load +# rises above the capabilities of existing processes. +# Up to the value of children-max. (default 1) +# # concurrency=n concurrency level per process. Only used with helpers # capable of processing more than one query at a time. -# cache=n result cache size, 0 is unbounded (default) -# grace=n Percentage remaining of TTL where a refresh of a -# cached entry should be initiated without needing to -# wait for a new reply. (default 0 for no grace period) -# protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers +# +# protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers. +# # ipv4 / ipv6 IP protocol used to communicate with this helper. # The default is to auto-detect IPv6 and use it when available. # +# # FORMAT specifications # # %LOGIN Authenticated user login name -# %EXT_USER Username from external acl +# %un A user name. Expands to the first available name +# from the following list of information sources: +# - authenticated user name, like %ul or %LOGIN +# - user name sent by an external ACL, like %EXT_USER +# - SSL client name, like %us in logformat +# - ident user name, like %ui in logformat +# %EXT_USER Username from previous external acl +# %EXT_LOG Log details from previous external acl +# %EXT_TAG Tag from previous external acl # %IDENT Ident user name # %SRC Client IP # %SRCPORT Client source port # %URI Requested URI # %DST Requested host -# %PROTO Requested protocol +# %PROTO Requested URL scheme # %PORT Requested port # %PATH Requested URL path # %METHOD Request method @@ -415,7 +555,10 @@ # %USER_CERT SSL User certificate in PEM format # %USER_CERTCHAIN SSL User certificate chain in PEM format # %USER_CERT_xx SSL User certificate subject attribute xx -# %USER_CA_xx SSL User certificate issuer attribute xx +# %USER_CA_CERT_xx SSL User certificate issuer attribute xx +# %ssl::>sni SSL client SNI sent to Squid +# %ssl::{Header} HTTP request header "Header" # %>{Hdr:member} @@ -433,43 +576,101 @@ # list separator. ; can be any non-alphanumeric # character. # +# %ACL The name of the ACL being tested. +# %DATA The ACL arguments. If not used then any arguments +# is automatically added at the end of the line +# sent to the helper. +# NOTE: this will encode the arguments as one token, +# whereas the default will pass each separately. +# # %% The percent sign. Useful for helpers which need # an unchanging input format. # -# In addition to the above, any string specified in the referencing -# acl will also be included in the helper request line, after the -# specified formats (see the "acl external" directive) # -# The helper receives lines per the above format specification, -# and returns lines starting with OK or ERR indicating the validity -# of the request and optionally followed by additional keywords with -# more details. +# General request syntax: +# +# [channel-ID] FORMAT-values [acl-values ...] +# +# +# FORMAT-values consists of transaction details expanded with +# whitespace separation per the config file FORMAT specification +# using the FORMAT macros listed above. +# +# acl-values consists of any string specified in the referencing +# config 'acl ... external' line. see the "acl external" directive. +# +# Request values sent to the helper are URL escaped to protect +# each value in requests against whitespaces. +# +# If using protocol=2.5 then the request sent to the helper is not +# URL escaped to protect against whitespace. +# +# NOTE: protocol=3.0 is deprecated as no longer necessary. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# +# The helper receives lines expanded per the above format specification +# and for each input line returns 1 line starting with OK/ERR/BH result +# code and optionally followed by additional keywords with more details. +# # # General result syntax: # -# OK/ERR keyword=value ... +# [channel-ID] result keyword=value ... +# +# Result consists of one of the codes: +# +# OK +# the ACL test produced a match. +# +# ERR +# the ACL test does not produce a match. +# +# BH +# An internal error occurred in the helper, preventing +# a result being identified. +# +# The meaning of 'a match' is determined by your squid.conf +# access control configuration. See the Squid wiki for details. # # Defined keywords: # # user= The users name (login) +# # password= The users password (for login= cache_peer option) -# message= Message describing the reason. Available as %o -# in error pages -# tag= Apply a tag to a request (for both ERR and OK results) -# Only sets a tag, does not alter existing tags. +# +# message= Message describing the reason for this response. +# Available as %o in error pages. +# Useful on (ERR and BH results). +# +# tag= Apply a tag to a request. Only sets a tag once, +# does not alter existing tags. +# # log= String to be logged in access.log. Available as -# %ea in logformat specifications +# %ea in logformat specifications. # -# If protocol=3.0 (the default) then URL escaping is used to protect -# each value in both requests and responses. +# clt_conn_tag= Associates a TAG with the client TCP connection. +# Please see url_rewrite_program related documentation +# for this kv-pair. # -# If using protocol=2.5 then all values need to be enclosed in quotes -# if they may contain whitespace, or the whitespace escaped using \. -# And quotes or \ characters within the keyword value must be \ escaped. +# Any keywords may be sent on any response whether OK, ERR or BH. # -# When using the concurrency= option the protocol is changed by -# introducing a query channel tag infront of the request/response. -# The query channel tag is a number between 0 and concurrency-1. +# All response keyword values need to be a single token with URL +# escaping, or enclosed in double quotes (") and escaped using \ on +# any double quotes or \ characters within the value. The wrapping +# double quotes are removed before the value is interpreted by Squid. +# \r and \n are also replace by CR and LF. +# +# Some example key values: +# +# user=John%20Smith +# user="John Smith" +# user="J. \"Bob\" Smith" #Default: # none @@ -485,9 +686,23 @@ # # When using "file", the file should contain one item per line. # -# By default, regular expressions are CASE-SENSITIVE. -# To make them case-insensitive, use the -i option. To return case-sensitive -# use the +i option between patterns, or make a new ACL line without -i. +# Some acl types supports options which changes their default behaviour. +# The available options are: +# +# -i,+i By default, regular expressions are CASE-SENSITIVE. To make them +# case-insensitive, use the -i option. To return case-sensitive +# use the +i option between patterns, or make a new ACL line +# without -i. +# +# -n Disable lookups and address type conversions. If lookup or +# conversion is required because the parameter type (IP or +# domain name) does not match the message address type (domain +# name or IP), then the ACL would immediately declare a mismatch +# without any warnings or lookups. +# +# -- Used to stop processing all options, in the case the first acl +# value has '-' character as first character (for example the '-' +# is a valid domain name) # # Some acl types require suspending the current request in order # to access some external data source. @@ -498,29 +713,31 @@ # # ***** ACL TYPES AVAILABLE ***** # -# acl aclname src ip-address/netmask ... # clients IP address [fast] -# acl aclname src addr1-addr2/netmask ... # range of addresses [fast] -# acl aclname dst ip-address/netmask ... # URL host's IP address [slow] -# acl aclname myip ip-address/netmask ... # local socket IP address [fast] +# acl aclname src ip-address/mask ... # clients IP address [fast] +# acl aclname src addr1-addr2/mask ... # range of addresses [fast] +# acl aclname dst [-n] ip-address/mask ... # URL host's IP address [slow] +# acl aclname localip ip-address/mask ... # IP address the client connected to [fast] # # acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation) -# # The arp ACL requires the special configure option --enable-arp-acl. -# # Furthermore, the ARP ACL code is not portable to all operating systems. -# # It works on Linux, Solaris, Windows, FreeBSD, and some -# # other *BSD variants. # # [fast] +# # The 'arp' ACL code is not portable to all operating systems. +# # It works on Linux, Solaris, Windows, FreeBSD, and some other +# # BSD variants. +# # +# # NOTE: Squid can only determine the MAC/EUI address for IPv4 +# # clients that are on the same subnet. If the client is on a +# # different subnet, then Squid cannot find out its address. # # -# # NOTE: Squid can only determine the MAC address for clients that are on -# # the same subnet. If the client is on a different subnet, -# # then Squid cannot find out its MAC address. +# # NOTE 2: IPv6 protocol does not contain ARP. MAC/EUI is either +# # encoded directly in the IPv6 address or not available. # # acl aclname srcdomain .foo.com ... # # reverse lookup, from client IP [slow] -# acl aclname dstdomain .foo.com ... +# acl aclname dstdomain [-n] .foo.com ... # # Destination server from URL [fast] # acl aclname srcdom_regex [-i] \.foo\.com ... # # regex matching client name [slow] -# acl aclname dstdom_regex [-i] \.foo\.com ... +# acl aclname dstdom_regex [-n] [-i] \.foo\.com ... # # regex matching server [fast] # # # # For dstdomain and dstdom_regex a reverse lookup is tried if a IP @@ -557,13 +774,17 @@ # # acl aclname url_regex [-i] ^http:// ... # # regex matching on whole URL [fast] +# acl aclname urllogin [-i] [^a-zA-Z0-9] ... +# # regex matching on URL login field # acl aclname urlpath_regex [-i] \.gif$ ... # # regex matching on URL path [fast] # # acl aclname port 80 70 21 0-1024... # destination TCP port [fast] # # ranges are alloed -# acl aclname myport 3128 ... # local socket TCP port [fast] -# acl aclname myportname 3128 ... # http(s)_port name [fast] +# acl aclname localport 3128 ... # TCP port the client connected to [fast] +# # NP: for interception mode this is usually '80' +# +# acl aclname myportname 3128 ... # *_port name [fast] # # acl aclname proto HTTP FTP ... # request protocol [fast] # @@ -632,6 +853,11 @@ # # clients may appear to come from multiple addresses if they are # # going through proxy farms, so a limit of 1 may cause user problems. # +# acl aclname random probability +# # Pseudo-randomly match requests. Based on the probability given. +# # Probability may be written as a decimal (0.333), fraction (1/3) +# # or ratio of matches:non-matches (3:5). +# # acl aclname req_mime_type [-i] mime-type ... # # regex match against the mime type of the request generated # # by the client. Can be used to detect file upload or some @@ -663,11 +889,11 @@ # # acl aclname user_cert attribute values... # # match against attributes in a user SSL certificate -# # attribute is one of DN/C/O/CN/L/ST [fast] +# # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast] # # acl aclname ca_cert attribute values... # # match against attributes a users issuing CA SSL certificate -# # attribute is one of DN/C/O/CN/L/ST [fast] +# # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast] # # acl aclname ext_user username ... # acl aclname ext_user_regex [-i] pattern ... @@ -675,7 +901,59 @@ # # use REQUIRED to accept any non-null user name. # # acl aclname tag tagvalue ... -# # string match on tag returned by external acl helper [slow] +# # string match on tag returned by external acl helper [fast] +# # DEPRECATED. Only the first tag will match with this ACL. +# # Use the 'note' ACL instead for handling multiple tag values. +# +# acl aclname hier_code codename ... +# # string match against squid hierarchy code(s); [fast] +# # e.g., DIRECT, PARENT_HIT, NONE, etc. +# # +# # NOTE: This has no effect in http_access rules. It only has +# # effect in rules that affect the reply data stream such as +# # http_reply_access. +# +# acl aclname note name [value ...] +# # match transaction annotation [fast] +# # Without values, matches any annotation with a given name. +# # With value(s), matches any annotation with a given name that +# # also has one of the given values. +# # Names and values are compared using a string equality test. +# # Annotation sources include note and adaptation_meta directives +# # as well as helper and eCAP responses. +# +# acl aclname adaptation_service service ... +# # Matches the name of any icap_service, ecap_service, +# # adaptation_service_set, or adaptation_service_chain that Squid +# # has used (or attempted to use) for the master transaction. +# # This ACL must be defined after the corresponding adaptation +# # service is named in squid.conf. This ACL is usable with +# # adaptation_meta because it starts matching immediately after +# # the service has been selected for adaptation. +# +# acl aclname any-of acl1 acl2 ... +# # match any one of the acls [fast or slow] +# # The first matching ACL stops further ACL evaluation. +# # +# # ACLs from multiple any-of lines with the same name are ORed. +# # For example, A = (a1 or a2) or (a3 or a4) can be written as +# # acl A any-of a1 a2 +# # acl A any-of a3 a4 +# # +# # This group ACL is fast if all evaluated ACLs in the group are fast +# # and slow otherwise. +# +# acl aclname all-of acl1 acl2 ... +# # match all of the acls [fast or slow] +# # The first mismatching ACL stops further ACL evaluation. +# # +# # ACLs from multiple all-of lines with the same name are ORed. +# # For example, B = (b1 and b2) or (b3 and b4) can be written as +# # acl B all-of b1 b2 +# # acl B all-of b3 b4 +# # +# # This group ACL is fast if all evaluated ACLs in the group are fast +# # and slow otherwise. # # Examples: # acl macaddress arp 09:00:2b:23:45:67 @@ -685,14 +963,11 @@ # acl javascript rep_mime_type -i ^application/x-javascript$ # #Default: -# acl all src all +# ACLs all, manager, localhost, and to_localhost are predefined. # # # Recommended minimum configuration: -# (now built-in) -#acl manager proto cache_object -#acl localhost src 127.0.0.1/32 ::1 -#acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1 +# # Example rule allowing access from your local networks. # Adapt to list your (internal) IP networks from where browsing @@ -716,39 +991,83 @@ acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT +# TAG: proxy_protocol_access +# Determine which client proxies can be trusted to provide correct +# information regarding real client IP address using PROXY protocol. +# +# Requests may pass through a chain of several other proxies +# before reaching us. The original source details may by sent in: +# * HTTP message Forwarded header, or +# * HTTP message X-Forwarded-For header, or +# * PROXY protocol connection header. +# +# This directive is solely for validating new PROXY protocol +# connections received from a port flagged with require-proxy-header. +# It is checked only once after TCP connection setup. +# +# A deny match results in TCP connection closure. +# +# An allow match is required for Squid to permit the corresponding +# TCP connection, before Squid even looks for HTTP request headers. +# If there is an allow match, Squid starts using PROXY header information +# to determine the source address of the connection for all future ACL +# checks, logging, etc. +# +# SECURITY CONSIDERATIONS: +# +# Any host from which we accept client IP details can place +# incorrect information in the relevant header, and Squid +# will use the incorrect information as if it were the +# source address of the request. This may enable remote +# hosts to bypass any access control restrictions that are +# based on the client's source addresses. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# all TCP connections to ports with require-proxy-header will be denied + # TAG: follow_x_forwarded_for -# Allowing or Denying the X-Forwarded-For header to be followed to -# find the original source of a request. +# Determine which client proxies can be trusted to provide correct +# information regarding real client IP address. # # Requests may pass through a chain of several other proxies -# before reaching us. The X-Forwarded-For header will contain a -# comma-separated list of the IP addresses in the chain, with the -# rightmost address being the most recent. +# before reaching us. The original source details may by sent in: +# * HTTP message Forwarded header, or +# * HTTP message X-Forwarded-For header, or +# * PROXY protocol connection header. +# +# PROXY protocol connections are controlled by the proxy_protocol_access +# directive which is checked before this. # # If a request reaches us from a source that is allowed by this -# configuration item, then we consult the X-Forwarded-For header -# to see where that host received the request from. If the -# X-Forwarded-For header contains multiple addresses, we continue -# backtracking until we reach an address for which we are not allowed -# to follow the X-Forwarded-For header, or until we reach the first -# address in the list. For the purpose of ACL used in the -# follow_x_forwarded_for directive the src ACL type always matches -# the address we are testing and srcdomain matches its rDNS. +# directive, then we trust the information it provides regarding +# the IP of the client it received from (if any). +# +# For the purpose of ACLs used in this directive the src ACL type always +# matches the address we are testing and srcdomain matches its rDNS. +# +# On each HTTP request Squid checks for X-Forwarded-For header fields. +# If found the header values are iterated in reverse order and an allow +# match is required for Squid to continue on to the next value. +# The verification ends when a value receives a deny match, cannot be +# tested, or there are no more values to test. +# NOTE: Squid does not yet follow the Forwarded HTTP header. # # The end result of this process is an IP address that we will # refer to as the indirect client address. This address may # be treated as the client address for access control, ICAP, delay # pools and logging, depending on the acl_uses_indirect_client, -# icap_uses_indirect_client, delay_pool_uses_indirect_client and -# log_uses_indirect_client options. +# icap_uses_indirect_client, delay_pool_uses_indirect_client, +# log_uses_indirect_client and tproxy_uses_indirect_client options. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # # SECURITY CONSIDERATIONS: # -# Any host for which we follow the X-Forwarded-For header -# can place incorrect information in the header, and Squid +# Any host from which we accept client IP details can place +# incorrect information in the relevant header, and Squid # will use the incorrect information as if it were the # source address of the request. This may enable remote # hosts to bypass any access control restrictions that are @@ -761,7 +1080,7 @@ acl CONNECT method CONNECT # follow_x_forwarded_for allow localhost # follow_x_forwarded_for allow my_other_proxy #Default: -# follow_x_forwarded_for deny all +# X-Forwarded-For header will be ignored. # TAG: acl_uses_indirect_client on|off # Controls whether the indirect client address @@ -787,10 +1106,41 @@ acl CONNECT method CONNECT #Default: # log_uses_indirect_client on +# TAG: tproxy_uses_indirect_client on|off +# Controls whether the indirect client address +# (see follow_x_forwarded_for) is used instead of the +# direct client address when spoofing the outgoing client. +# +# This has no effect on requests arriving in non-tproxy +# mode ports. +# +# SECURITY WARNING: Usage of this option is dangerous +# and should not be used trivially. Correct configuration +# of follow_x_forwarded_for with a limited set of trusted +# sources is required to prevent abuse of your proxy. +#Default: +# tproxy_uses_indirect_client off + +# TAG: spoof_client_ip +# Control client IP address spoofing of TPROXY traffic based on +# defined access lists. +# +# spoof_client_ip allow|deny [!]aclname ... +# +# If there are no "spoof_client_ip" lines present, the default +# is to "allow" spoofing of any suitable request. +# +# Note that the cache_peer "no-tproxy" option overrides this ACL. +# +# This clause supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Allow spoofing on all TPROXY traffic. + # TAG: http_access # Allowing or Denying access based on defined access lists # -# Access to the HTTP port: +# To allow or deny a message received on an HTTP, HTTPS, or FTP port: # http_access allow|deny [!]aclname ... # # NOTE on default values: @@ -809,22 +1159,22 @@ acl CONNECT method CONNECT # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # #Default: -# http_access deny all +# Deny, unless rules exist in squid.conf. # # # Recommended minimum Access Permission configuration: # -# Only allow cachemgr access from localhost -http_access allow manager localhost -http_access deny manager - # Deny requests to certain unsafe ports http_access deny !Safe_ports # Deny CONNECT to other than secure SSL ports http_access deny CONNECT !SSL_ports +# Only allow cachemgr access from localhost +http_access allow localhost manager +http_access deny manager + # We strongly recommend the following be uncommented to protect innocent # web applications running on the proxy server who think the only # one who can access services on "localhost" is a local user @@ -852,7 +1202,7 @@ http_access deny all # # If not set then only http_access is used. #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: http_reply_access # Allow replies to client requests. This is complementary to http_access. @@ -860,7 +1210,7 @@ http_access deny all # http_reply_access allow|deny [!] aclname ... # # NOTE: if there are no access lines present, the default is to allow -# all replies +# all replies. # # If none of the access lines cause a match the opposite of the # last line will apply. Thus it is good practice to end the rules @@ -869,7 +1219,7 @@ http_access deny all # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: icp_access # Allowing or Denying access to the ICP port based on defined @@ -877,7 +1227,9 @@ http_access deny all # # icp_access allow|deny [!]aclname ... # -# See http_access for details +# NOTE: The default if no icp_access lines are present is to +# deny all traffic. This default may cause problems with peers +# using ICP. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. @@ -886,7 +1238,7 @@ http_access deny all ##icp_access allow localnet ##icp_access deny all #Default: -# icp_access deny all +# Deny, unless rules exist in squid.conf. # TAG: htcp_access # Allowing or Denying access to the HTCP port based on defined @@ -894,11 +1246,12 @@ http_access deny all # # htcp_access allow|deny [!]aclname ... # -# See http_access for details +# See also htcp_clr_access for details on access control for +# cache purge (CLR) HTCP messages. # # NOTE: The default if no htcp_access lines are present is to # deny all traffic. This default may cause problems with peers -# using the htcp or htcp-oldsquid options. +# using the htcp option. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. @@ -907,48 +1260,47 @@ http_access deny all ##htcp_access allow localnet ##htcp_access deny all #Default: -# htcp_access deny all +# Deny, unless rules exist in squid.conf. # TAG: htcp_clr_access # Allowing or Denying access to purge content using HTCP based -# on defined access lists +# on defined access lists. +# See htcp_access for details on general HTCP access control. # # htcp_clr_access allow|deny [!]aclname ... # -# See http_access for details -# # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # ## Allow HTCP CLR requests from trusted peers -#acl htcp_clr_peer src 172.16.1.2 +#acl htcp_clr_peer src 192.0.2.2 2001:DB8::2 #htcp_clr_access allow htcp_clr_peer +#htcp_clr_access deny all #Default: -# htcp_clr_access deny all +# Deny, unless rules exist in squid.conf. # TAG: miss_access -# Determins whether network access is permitted when satisfying a request. +# Determines whether network access is permitted when satisfying a request. # # For example; # to force your neighbors to use you as a sibling instead of # a parent. # -# acl localclients src 172.16.0.0/16 -# miss_access allow localclients +# acl localclients src 192.0.2.0/24 2001:DB8::a:0/64 # miss_access deny !localclients +# miss_access allow all # # This means only your local clients are allowed to fetch relayed/MISS # replies from the network and all other clients can only fetch cached # objects (HITs). # -# # The default for this setting allows all clients who passed the # http_access rules to relay via this proxy. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# miss_access allow all +# Allow, unless rules exist in squid.conf. # TAG: ident_lookup_access # A list of ACL elements which, if matched, cause an ident @@ -972,7 +1324,7 @@ http_access deny all # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# ident_lookup_access deny all +# Unless rules exist in squid.conf, IDENT is not fetched. # TAG: reply_body_max_size size [acl acl...] # This option specifies the maximum size of a reply body. It can be @@ -1009,23 +1361,22 @@ http_access deny all # reply_body_max_size 10 MB # #Default: -# none +# No limit is applied. # NETWORK OPTIONS # ----------------------------------------------------------------------------- # TAG: http_port -# Usage: port [options] -# hostname:port [options] -# 1.2.3.4:port [options] +# Usage: port [mode] [options] +# hostname:port [mode] [options] +# 1.2.3.4:port [mode] [options] # # The socket addresses where Squid will listen for HTTP client # requests. You may specify multiple socket addresses. # There are three forms: port alone, hostname with port, and # IP address with port. If you specify a hostname or IP # address, Squid binds the socket to that specific -# address. This replaces the old 'tcp_incoming_address' -# option. Most likely, you do not need to bind to a specific +# address. Most likely, you do not need to bind to a specific # address, so you can use the port number alone. # # If you are running Squid in accelerator mode, you @@ -1037,48 +1388,184 @@ http_access deny all # # You may specify multiple socket addresses on multiple lines. # -# Options: +# Modes: # -# intercept Support for IP-Layer interception of -# outgoing requests without browser settings. -# NP: disables authentication and IPv6 on the port. +# intercept Support for IP-Layer NAT interception delivering +# traffic to this Squid port. +# NP: disables authentication on the port. # -# tproxy Support Linux TPROXY for spoofing outgoing -# connections using the client IP address. -# NP: disables authentication and maybe IPv6 on the port. +# tproxy Support Linux TPROXY (or BSD divert-to) with spoofing +# of outgoing connections using the client IP address. +# NP: disables authentication on the port. # -# accel Accelerator mode. Also needs at least one of -# vhost / vport / defaultsite. +# accel Accelerator / reverse proxy mode # -# allow-direct Allow direct forwarding in accelerator mode. Normally -# accelerated requests are denied direct forwarding as if -# never_direct was used. +# ssl-bump For each CONNECT request allowed by ssl_bump ACLs, +# establish secure connection with the client and with +# the server, decrypt HTTPS messages as they pass through +# Squid, and treat them as unencrypted HTTP messages, +# becoming the man-in-the-middle. # -# defaultsite=domainname -# What to use for the Host: header if it is not present -# in a request. Determines what site (not origin server) -# accelerators should consider the default. -# Implies accel. +# The ssl_bump option is required to fully enable +# bumping of CONNECT requests. +# +# Omitting the mode flag causes default forward proxy mode to be used. +# +# +# Accelerator Mode Options: +# +# defaultsite=domainname +# What to use for the Host: header if it is not present +# in a request. Determines what site (not origin server) +# accelerators should consider the default. # -# vhost Accelerator mode using Host header for virtual domain support. -# Also uses the port as specified in Host: header unless -# overridden by the vport option. Implies accel. +# no-vhost Disable using HTTP/1.1 Host header for virtual domain support. +# +# protocol= Protocol to reconstruct accelerated and intercepted +# requests with. Defaults to HTTP/1.1 for http_port and +# HTTPS/1.1 for https_port. +# When an unsupported value is configured Squid will +# produce a FATAL error. +# Values: HTTP or HTTP/1.1, HTTPS or HTTPS/1.1 # # vport Virtual host port support. Using the http_port number -# instead of the port passed on Host: headers. Implies accel. +# instead of the port passed on Host: headers. # # vport=NN Virtual host port support. Using the specified port # number instead of the port passed on Host: headers. -# Implies accel. # -# protocol= Protocol to reconstruct accelerated requests with. -# Defaults to http. +# act-as-origin +# Act as if this Squid is the origin server. +# This currently means generate new Date: and Expires: +# headers on HIT instead of adding Age:. # # ignore-cc Ignore request Cache-Control headers. # -# Warning: This option violates HTTP specifications if +# WARNING: This option violates HTTP specifications if # used in non-accelerator setups. # +# allow-direct Allow direct forwarding in accelerator mode. Normally +# accelerated requests are denied direct forwarding as if +# never_direct was used. +# +# WARNING: this option opens accelerator mode to security +# vulnerabilities usually only affecting in interception +# mode. Make sure to protect forwarding with suitable +# http_access rules when using this. +# +# +# SSL Bump Mode Options: +# In addition to these options ssl-bump requires TLS/SSL options. +# +# generate-host-certificates[=] +# Dynamically create SSL server certificates for the +# destination hosts of bumped CONNECT requests.When +# enabled, the cert and key options are used to sign +# generated certificates. Otherwise generated +# certificate will be selfsigned. +# If there is a CA certificate lifetime of the generated +# certificate equals lifetime of the CA certificate. If +# generated certificate is selfsigned lifetime is three +# years. +# This option is disabled by default. See the ssl-bump +# option above for more information. +# +# dynamic_cert_mem_cache_size=SIZE +# Approximate total RAM size spent on cached generated +# certificates. If set to zero, caching is disabled. +# +# TLS / SSL Options: +# +# cert= Path to SSL certificate (PEM format). +# +# key= Path to SSL private key file (PEM format) +# if not specified, the certificate file is +# assumed to be a combined certificate and +# key file. +# +# version= The version of SSL/TLS supported +# 1 automatic (default) +# 2 SSLv2 only +# 3 SSLv3 only +# 4 TLSv1.0 only +# 5 TLSv1.1 only +# 6 TLSv1.2 only +# +# cipher= Colon separated list of supported ciphers. +# NOTE: some ciphers such as EDH ciphers depend on +# additional settings. If those settings are +# omitted the ciphers may be silently ignored +# by the OpenSSL library. +# +# options= Various SSL implementation options. The most important +# being: +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# SINGLE_DH_USE Always create a new key when using +# temporary/ephemeral DH key exchanges +# NO_TICKET Disables TLS tickets extension +# +# SINGLE_ECDH_USE +# Enable ephemeral ECDH key exchange. +# The adopted curve should be specified +# using the tls-dh option. +# +# ALL Enable various bug workarounds +# suggested as "harmless" by OpenSSL +# Be warned that this reduces SSL/TLS +# strength to some attacks. +# See OpenSSL SSL_CTX_set_options documentation for a +# complete list of options. +# +# clientca= File containing the list of CAs to use when +# requesting a client certificate. +# +# cafile= File containing additional CA certificates to +# use when verifying client certificates. If unset +# clientca will be used. +# +# capath= Directory containing additional CA certificates +# and CRL lists to use when verifying client certificates. +# +# crlfile= File of additional CRL lists to use when verifying +# the client certificate, in addition to CRLs stored in +# the capath. Implies VERIFY_CRL flag below. +# +# tls-dh=[curve:]file +# File containing DH parameters for temporary/ephemeral DH key +# exchanges, optionally prefixed by a curve for ephemeral ECDH +# key exchanges. +# See OpenSSL documentation for details on how to create the +# DH parameter file. Supported curves for ECDH can be listed +# using the "openssl ecparam -list_curves" command. +# WARNING: EDH and EECDH ciphers will be silently disabled if +# this option is not set. +# +# sslflags= Various flags modifying the use of SSL: +# DELAYED_AUTH +# Don't request client certificates +# immediately, but wait until acl processing +# requires a certificate (not yet implemented). +# NO_DEFAULT_CA +# Don't use the default CA lists built in +# to OpenSSL. +# NO_SESSION_REUSE +# Don't allow for session reuse. Each connection +# will result in a new SSL session. +# VERIFY_CRL +# Verify CRL lists when accepting client +# certificates. +# VERIFY_CRL_ALL +# Verify CRL lists for all certificates in the +# client certificate chain. +# +# sslcontext= SSL session ID context identifier. +# +# Other Options: +# # connection-auth[=on|off] # use connection-auth=off to tell Squid to prevent # forwarding Microsoft connection oriented authentication @@ -1100,22 +1587,6 @@ http_access deny all # sporadically hang or never complete requests set # disable-pmtu-discovery option to 'transparent'. # -# ssl-bump Intercept each CONNECT request matching ssl_bump ACL, -# establish secure connection with the client and with -# the server, decrypt HTTP messages as they pass through -# Squid, and treat them as unencrypted HTTP messages, -# becoming the man-in-the-middle. -# -# When this option is enabled, additional options become -# available to specify SSL-related properties of the -# client-side connection: cert, key, version, cipher, -# options, clientca, cafile, capath, crlfile, dhparams, -# sslflags, and sslcontext. See the https_port directive -# for more information on these options. -# -# The ssl_bump option is required to fully enable -# the SslBump feature. -# # name= Specifies a internal name for the port. Defaults to # the port specification (port or addr:port) # @@ -1125,6 +1596,11 @@ http_access deny all # probing the connection, interval how often to probe, and # timeout the time before giving up. # +# require-proxy-header +# Require PROXY protocol version 1 or 2 connections. +# The proxy_protocol_access is required to whitelist +# downstream proxies which can be trusted. +# # If you run Squid on a dual-homed machine with an internal # and an external interface we recommend you to specify the # internal address:port in http_port. This way Squid will only be @@ -1137,35 +1613,49 @@ http_port 3128 # TAG: https_port # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # -# Usage: [ip:]port cert=certificate.pem [key=key.pem] [options...] +# Usage: [ip:]port cert=certificate.pem [key=key.pem] [mode] [options...] # -# The socket address where Squid will listen for HTTPS client -# requests. +# The socket address where Squid will listen for client requests made +# over TLS or SSL connections. Commonly referred to as HTTPS. # -# This is really only useful for situations where you are running -# squid in accelerator mode and you want to do the SSL work at the -# accelerator level. +# This is most useful for situations where you are running squid in +# accelerator mode and you want to do the SSL work at the accelerator level. # # You may specify multiple socket addresses on multiple lines, # each with their own SSL certificate and/or options. # -# Options: +# Modes: +# +# accel Accelerator / reverse proxy mode +# +# intercept Support for IP-Layer interception of +# outgoing requests without browser settings. +# NP: disables authentication and IPv6 on the port. +# +# tproxy Support Linux TPROXY for spoofing outgoing +# connections using the client IP address. +# NP: disables authentication and maybe IPv6 on the port. +# +# ssl-bump For each intercepted connection allowed by ssl_bump +# ACLs, establish a secure connection with the client and with +# the server, decrypt HTTPS messages as they pass through +# Squid, and treat them as unencrypted HTTP messages, +# becoming the man-in-the-middle. +# +# An "ssl_bump server-first" match is required to +# fully enable bumping of intercepted SSL connections. +# +# Requires tproxy or intercept. # -# accel Accelerator mode. Also needs at least one of -# defaultsite or vhost. +# Omitting the mode flag causes default forward proxy mode to be used. # -# defaultsite= The name of the https site presented on -# this port. Implies accel. # -# vhost Accelerator mode using Host header for virtual -# domain support. Requires a wildcard certificate -# or other certificate valid for more than one domain. -# Implies accel. +# See http_port for a list of generic options # -# protocol= Protocol to reconstruct accelerated requests with. -# Defaults to https. +# +# SSL Options: # # cert= Path to SSL certificate (PEM format). # @@ -1181,20 +1671,23 @@ http_port 3128 # 4 TLSv1 only # # cipher= Colon separated list of supported ciphers. -# NOTE: some ciphers such as EDH ciphers depend on -# additional settings. If those settings are -# omitted the ciphers may be silently ignored -# by the OpenSSL library. # # options= Various SSL engine options. The most important # being: # NO_SSLv2 Disallow the use of SSLv2 # NO_SSLv3 Disallow the use of SSLv3 # NO_TLSv1 Disallow the use of TLSv1 +# # SINGLE_DH_USE Always create a new key when using # temporary/ephemeral DH key exchanges -# See OpenSSL SSL_CTX_set_options documentation for a -# complete list of options. +# +# SINGLE_ECDH_USE +# Enable ephemeral ECDH key exchange. +# The adopted curve should be specified +# using the tls-dh option. +# +# See src/ssl_support.c or OpenSSL SSL_CTX_set_options +# documentation for a complete list of options. # # clientca= File containing the list of CAs to use when # requesting a client certificate. @@ -1210,11 +1703,10 @@ http_port 3128 # the client certificate, in addition to CRLs stored in # the capath. Implies VERIFY_CRL flag below. # -# dhparams= File containing DH parameters for temporary/ephemeral -# DH key exchanges. See OpenSSL documentation for details -# on how to create this file. -# WARNING: EDH ciphers will be silently disabled if this -# option is not set. +# tls-dh=[curve:]file +# File containing DH parameters for temporary/ephemeral DH key +# exchanges, optionally prefixed by a curve for ephemeral ECDH +# key exchanges. # # sslflags= Various flags modifying the use of SSL: # DELAYED_AUTH @@ -1238,38 +1730,89 @@ http_port 3128 # # generate-host-certificates[=] # Dynamically create SSL server certificates for the -# destination hosts of bumped CONNECT requests.When +# destination hosts of bumped SSL requests.When # enabled, the cert and key options are used to sign # generated certificates. Otherwise generated # certificate will be selfsigned. -# If there is CA certificate life time of generated +# If there is CA certificate life time of generated # certificate equals lifetime of CA certificate. If -# generated certificate is selfsigned lifetime is three +# generated certificate is selfsigned lifetime is three # years. -# This option is enabled by default when SslBump is used. -# See the sslBump option above for more information. -# +# This option is disabled by default. See the ssl-bump +# option above for more information. +# # dynamic_cert_mem_cache_size=SIZE # Approximate total RAM size spent on cached generated -# certificates. If set to zero, caching is disabled. The -# default value is 4MB. An average XXX-bit certificate -# consumes about XXX bytes of RAM. +# certificates. If set to zero, caching is disabled. # -# vport Accelerator with IP based virtual host support. +# See http_port for a list of available options. +#Default: +# none + +# TAG: ftp_port +# Enables Native FTP proxy by specifying the socket address where Squid +# listens for FTP client requests. See http_port directive for various +# ways to specify the listening address and mode. # -# vport=NN As above, but uses specified port number rather -# than the https_port number. Implies accel. +# Usage: ftp_port address [mode] [options] # -# name= Specifies a internal name for the port. Defaults to -# the port specification (port or addr:port) +# WARNING: This is a new, experimental, complex feature that has seen +# limited production exposure. Some Squid modules (e.g., caching) do not +# currently work with native FTP proxying, and many features have not +# even been tested for compatibility. Test well before deploying! +# +# Native FTP proxying differs substantially from proxying HTTP requests +# with ftp:// URIs because Squid works as an FTP server and receives +# actual FTP commands (rather than HTTP requests with FTP URLs). # +# Native FTP commands accepted at ftp_port are internally converted or +# wrapped into HTTP-like messages. The same happens to Native FTP +# responses received from FTP origin servers. Those HTTP-like messages +# are shoveled through regular access control and adaptation layers +# between the FTP client and the FTP origin server. This allows Squid to +# examine, adapt, block, and log FTP exchanges. Squid reuses most HTTP +# mechanisms when shoveling wrapped FTP messages. For example, +# http_access and adaptation_access directives are used. +# +# Modes: +# +# intercept Same as http_port intercept. The FTP origin address is +# determined based on the intended destination of the +# intercepted connection. +# +# tproxy Support Linux TPROXY for spoofing outgoing +# connections using the client IP address. +# NP: disables authentication and maybe IPv6 on the port. +# +# By default (i.e., without an explicit mode option), Squid extracts the +# FTP origin address from the login@origin parameter of the FTP USER +# command. Many popular FTP clients support such native FTP proxying. +# +# Options: +# +# name=token Specifies an internal name for the port. Defaults to +# the port address. Usable with myportname ACL. +# +# ftp-track-dirs +# Enables tracking of FTP directories by injecting extra +# PWD commands and adjusting Request-URI (in wrapping +# HTTP requests) to reflect the current FTP server +# directory. Tracking is disabled by default. +# +# protocol=FTP Protocol to reconstruct accelerated and intercepted +# requests with. Defaults to FTP. No other accepted +# values have been tested with. An unsupported value +# results in a FATAL error. Accepted values are FTP, +# HTTP (or HTTP/1.1), and HTTPS (or HTTPS/1.1). +# +# Other http_port modes and options that are not specific to HTTP and +# HTTPS may also work. #Default: # none # TAG: tcp_outgoing_tos -# Allows you to select a TOS/Diffserv value to mark outgoing -# connections with, based on the username or source address -# making the request. +# Allows you to select a TOS/Diffserv value for packets outgoing +# on the server side, based on an ACL. # # tcp_outgoing_tos ds-field [!]aclname ... # @@ -1286,41 +1829,116 @@ http_port 3128 # RFC2475, and RFC3260. # # The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or -# "default" to use whatever default your host has. Note that in -# practice often only multiples of 4 is usable as the two rightmost bits -# have been redefined for use by ECN (RFC 3168 section 23.1). +# "default" to use whatever default your host has. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. # # Processing proceeds in the order specified, and stops at first fully # matching line. # -# Note: The use of this directive using client dependent ACLs is -# incompatible with the use of server side persistent connections. To -# ensure correct results it is best to set server_persistent_connections -# to off when using this directive in such configurations. +# Only fast ACLs are supported. #Default: # none # TAG: clientside_tos -# Allows you to select a TOS/Diffserv value to mark client-side -# connections with, based on the username or source address -# making the request. +# Allows you to select a TOS/DSCP value for packets being transmitted +# on the client-side, based on an ACL. +# +# clientside_tos ds-field [!]aclname ... +# +# Example where normal_service_net uses the TOS value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# clientside_tos 0x00 normal_service_net +# clientside_tos 0x20 good_service_net +# +# Note: This feature is incompatible with qos_flows. Any TOS values set here +# will be overwritten by TOS values in qos_flows. +# +# The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or +# "default" to use whatever default your host has. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. +# +#Default: +# none + +# TAG: tcp_outgoing_mark +# Note: This option is only available if Squid is rebuilt with the +# Packet MARK (Linux) +# +# Allows you to apply a Netfilter mark value to outgoing packets +# on the server side, based on an ACL. +# +# tcp_outgoing_mark mark-value [!]aclname ... +# +# Example where normal_service_net uses the mark value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# tcp_outgoing_mark 0x00 normal_service_net +# tcp_outgoing_mark 0x20 good_service_net +# +# Only fast ACLs are supported. +#Default: +# none + +# TAG: clientside_mark +# Note: This option is only available if Squid is rebuilt with the +# Packet MARK (Linux) +# +# Allows you to apply a Netfilter mark value to packets being transmitted +# on the client-side, based on an ACL. +# +# clientside_mark mark-value [!]aclname ... +# +# Example where normal_service_net uses the mark value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# clientside_mark 0x00 normal_service_net +# clientside_mark 0x20 good_service_net +# +# Note: This feature is incompatible with qos_flows. Any mark values set here +# will be overwritten by mark values in qos_flows. #Default: # none # TAG: qos_flows # Allows you to select a TOS/DSCP value to mark outgoing -# connections with, based on where the reply was sourced. +# connections to the client, based on where the reply was sourced. +# For platforms using netfilter, allows you to set a netfilter mark +# value instead of, or in addition to, a TOS value. +# +# By default this functionality is disabled. To enable it with the default +# settings simply use "qos_flows mark" or "qos_flows tos". Default +# settings will result in the netfilter mark or TOS value being copied +# from the upstream connection to the client. Note that it is the connection +# CONNMARK value not the packet MARK value that is copied. +# +# It is not currently possible to copy the mark or TOS value from the +# client to the upstream connection request. # # TOS values really only have local significance - so you should # know what you're specifying. For more information, see RFC2474, # RFC2475, and RFC3260. # -# The TOS/DSCP byte must be exactly that - octet value 0x00-0xFF. -# Note that in practice often only values up to 0x3F are usable -# as the two highest bits have been redefined for use by ECN -# (RFC3168). +# The TOS/DSCP byte must be exactly that - a octet value 0 - 255. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. +# +# Mark values can be any unsigned 32-bit integer value. # -# This setting is configured by setting the source TOS values: +# This setting is configured by setting the following values: +# +# tos|mark Whether to set TOS or netfilter mark values # # local-hit=0xFF Value to mark local cache hits. # @@ -1328,23 +1946,37 @@ http_port 3128 # # parent-hit=0xFF Value to mark hits from parent peers. # +# miss=0xFF[/mask] Value to mark cache misses. Takes precedence +# over the preserve-miss feature (see below), unless +# mask is specified, in which case only the bits +# specified in the mask are written. # -# NOTE: 'miss' preserve feature is only possible on Linux at this time. -# -# For the following to work correctly, you will need to patch your -# linux kernel with the TOS preserving ZPH patch. -# The kernel patch can be downloaded from http://zph.bratcheda.org +# The TOS variant of the following features are only possible on Linux +# and require your kernel to be patched with the TOS preserving ZPH +# patch, available from http://zph.bratcheda.org +# No patch is needed to preserve the netfilter mark, which will work +# with all variants of netfilter. # # disable-preserve-miss -# By default, the existing TOS value of the response coming -# from the remote server will be retained and masked with -# miss-mark. This option disables that feature. +# This option disables the preservation of the TOS or netfilter +# mark. By default, the existing TOS or netfilter mark value of +# the response coming from the remote server will be retained +# and masked with miss-mark. +# NOTE: in the case of a netfilter mark, the mark must be set on +# the connection (using the CONNMARK target) not on the packet +# (MARK target). # # miss-mask=0xFF -# Allows you to mask certain bits in the TOS received from the -# remote server, before copying the value to the TOS sent -# towards clients. -# Default: 0xFF (TOS from server is not changed). +# Allows you to mask certain bits in the TOS or mark value +# received from the remote server, before copying the value to +# the TOS sent towards clients. +# Default for tos: 0xFF (TOS from server is not changed). +# Default for mark: 0xFFFFFFFF (mark from server is not changed). +# +# All of these features require the --enable-zph-qos compilation flag +# (enabled by default). Netfilter marking also requires the +# libnetfilter_conntrack libraries (--with-netfilter-conntrack) and +# libcap 2.09+ (--with-libcap). # #Default: # none @@ -1356,72 +1988,133 @@ http_port 3128 # # tcp_outgoing_address ipaddr [[!]aclname] ... # -# Example where requests from 10.0.0.0/24 will be forwarded -# with source address 10.1.0.1, 10.0.2.0/24 forwarded with -# source address 10.1.0.2 and the rest will be forwarded with -# source address 10.1.0.3. -# -# acl normal_service_net src 10.0.0.0/24 -# acl good_service_net src 10.0.2.0/24 -# tcp_outgoing_address 10.1.0.1 normal_service_net -# tcp_outgoing_address 10.1.0.2 good_service_net -# tcp_outgoing_address 10.1.0.3 -# -# Processing proceeds in the order specified, and stops at first fully -# matching line. -# -# Note: The use of this directive using client dependent ACLs is -# incompatible with the use of server side persistent connections. To -# ensure correct results it is best to set server_persistent_connections -# to off when using this directive in such configurations. -# +# For example; +# Forwarding clients with dedicated IPs for certain subnets. # -# IPv6 Magic: +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.2.0/24 # -# Squid is built with a capability of bridging the IPv4 and IPv6 -# internets. -# tcp_outgoing_address as exampled above breaks this bridging by forcing -# all outbound traffic through a certain IPv4 which may be on the wrong -# side of the IPv4/IPv6 boundary. +# tcp_outgoing_address 2001:db8::c001 good_service_net +# tcp_outgoing_address 10.1.0.2 good_service_net # -# To operate with tcp_outgoing_address and keep the bridging benefits -# an additional ACL needs to be used which ensures the IPv6-bound traffic -# is never forced or permitted out the IPv4 interface. +# tcp_outgoing_address 2001:db8::beef normal_service_net +# tcp_outgoing_address 10.1.0.1 normal_service_net # -# # IPv6 destination test along with a dummy access control to perform the required DNS -# # This MUST be place before any ALLOW rules. -# acl to_ipv6 dst ipv6 -# http_access deny ipv6 !all +# tcp_outgoing_address 2001:db8::1 +# tcp_outgoing_address 10.1.0.3 # -# tcp_outgoing_address 2001:db8::c001 good_service_net to_ipv6 -# tcp_outgoing_address 10.1.0.2 good_service_net !to_ipv6 +# Processing proceeds in the order specified, and stops at first fully +# matching line. # -# tcp_outgoing_address 2001:db8::beef normal_service_net to_ipv6 -# tcp_outgoing_address 10.1.0.1 normal_service_net !to_ipv6 +# Squid will add an implicit IP version test to each line. +# Requests going to IPv4 websites will use the outgoing 10.1.0.* addresses. +# Requests going to IPv6 websites will use the outgoing 2001:db8:* addresses. # -# tcp_outgoing_address 2001:db8::1 to_ipv6 -# tcp_outgoing_address 10.1.0.3 !to_ipv6 # -# WARNING: -# 'dst ipv6' bases its selection assuming DIRECT access. -# If peers are used the peername ACL are needed to select outgoing -# address which can link to the peer. +# NOTE: The use of this directive using client dependent ACLs is +# incompatible with the use of server side persistent connections. To +# ensure correct results it is best to set server_persistent_connections +# to off when using this directive in such configurations. # -# 'dst ipv6' is a slow ACL. It will only work here if 'dst' is used -# previously in the http_access rules to locate the destination IP. -# Some more magic may be needed for that: -# http_access allow to_ipv6 !all -# (meaning, allow if to IPv6 but not from anywhere ;) +# NOTE: The use of this directive to set a local IP on outgoing TCP links +# is incompatible with using TPROXY to set client IP out outbound TCP links. +# When needing to contact peers use the no-tproxy cache_peer option and the +# client_dst_passthru directive re-enable normal forwarding such as this. # #Default: -# none +# Address selection is performed by the operating system. + +# TAG: host_verify_strict +# Regardless of this option setting, when dealing with intercepted +# traffic, Squid always verifies that the destination IP address matches +# the Host header domain or IP (called 'authority form URL'). +# +# This enforcement is performed to satisfy a MUST-level requirement in +# RFC 2616 section 14.23: "The Host field value MUST represent the naming +# authority of the origin server or gateway given by the original URL". +# +# When set to ON: +# Squid always responds with an HTTP 409 (Conflict) error +# page and logs a security warning if there is no match. +# +# Squid verifies that the destination IP address matches +# the Host header for forward-proxy and reverse-proxy traffic +# as well. For those traffic types, Squid also enables the +# following checks, comparing the corresponding Host header +# and Request-URI components: +# +# * The host names (domain or IP) must be identical, +# but valueless or missing Host header disables all checks. +# For the two host names to match, both must be either IP +# or FQDN. +# +# * Port numbers must be identical, but if a port is missing +# the scheme-default port is assumed. +# +# +# When set to OFF (the default): +# Squid allows suspicious requests to continue but logs a +# security warning and blocks caching of the response. +# +# * Forward-proxy traffic is not checked at all. +# +# * Reverse-proxy traffic is not checked at all. +# +# * Intercepted traffic which passes verification is handled +# according to client_dst_passthru. +# +# * Intercepted requests which fail verification are sent +# to the client original destination instead of DIRECT. +# This overrides 'client_dst_passthru off'. +# +# For now suspicious intercepted CONNECT requests are always +# responded to with an HTTP 409 (Conflict) error page. +# +# +# SECURITY NOTE: +# +# As described in CVE-2009-0801 when the Host: header alone is used +# to determine the destination of a request it becomes trivial for +# malicious scripts on remote websites to bypass browser same-origin +# security policy and sandboxing protections. +# +# The cause of this is that such applets are allowed to perform their +# own HTTP stack, in which case the same-origin policy of the browser +# sandbox only verifies that the applet tries to contact the same IP +# as from where it was loaded at the IP level. The Host: header may +# be different from the connected IP and approved origin. +# +#Default: +# host_verify_strict off + +# TAG: client_dst_passthru +# With NAT or TPROXY intercepted traffic Squid may pass the request +# directly to the original client destination IP or seek a faster +# source using the HTTP Host header. +# +# Using Host to locate alternative servers can provide faster +# connectivity with a range of failure recovery options. +# But can also lead to connectivity trouble when the client and +# server are attempting stateful interactions unaware of the proxy. +# +# This option (on by default) prevents alternative DNS entries being +# located to send intercepted traffic DIRECT to an origin server. +# The clients original destination IP and port will be used instead. +# +# Regardless of this option setting, when dealing with intercepted +# traffic Squid will verify the Host: header and any traffic which +# fails Host verification will be treated as if this option were ON. +# +# see host_verify_strict for details on the verification process. +#Default: +# client_dst_passthru on # SSL OPTIONS # ----------------------------------------------------------------------------- # TAG: ssl_unclean_shutdown # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Some browsers (especially MSIE) bugs out on SSL shutdown # messages. @@ -1430,7 +2123,7 @@ http_port 3128 # TAG: ssl_engine # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # The OpenSSL engine to use. You will need to set this if you # would like to use hardware SSL acceleration for example. @@ -1439,7 +2132,7 @@ http_port 3128 # TAG: sslproxy_client_certificate # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Client SSL Certificate to use when proxying https:// URLs #Default: @@ -1447,7 +2140,7 @@ http_port 3128 # TAG: sslproxy_client_key # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Client SSL Key to use when proxying https:// URLs #Default: @@ -1455,36 +2148,60 @@ http_port 3128 # TAG: sslproxy_version # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # SSL version level to use when proxying https:// URLs +# +# The versions of SSL/TLS supported: +# +# 1 automatic (default) +# 2 SSLv2 only +# 3 SSLv3 only +# 4 TLSv1.0 only +# 5 TLSv1.1 only +# 6 TLSv1.2 only #Default: -# sslproxy_version 1 +# automatic SSL/TLS version negotiation # TAG: sslproxy_options # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # -# SSL engine options to use when proxying https:// URLs +# Colon (:) or comma (,) separated list of SSL implementation options +# to use when proxying https:// URLs # # The most important being: # -# NO_SSLv2 Disallow the use of SSLv2 -# NO_SSLv3 Disallow the use of SSLv3 -# NO_TLSv1 Disallow the use of TLSv1 -# SINGLE_DH_USE -# Always create a new key when using -# temporary/ephemeral DH key exchanges +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# +# SINGLE_DH_USE +# Always create a new key when using temporary/ephemeral +# DH key exchanges +# +# NO_TICKET +# Disable use of RFC5077 session tickets. Some servers +# may have problems understanding the TLS extension due +# to ambiguous specification in RFC4507. +# +# ALL Enable various bug workarounds suggested as "harmless" +# by OpenSSL. Be warned that this may reduce SSL/TLS +# strength to some attacks. # -# These options vary depending on your SSL engine. # See the OpenSSL SSL_CTX_set_options documentation for a # complete list of possible options. +# +# WARNING: This directive takes a single token. If a space is used +# the value(s) after that space are SILENTLY IGNORED. #Default: # none # TAG: sslproxy_cipher # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # SSL cipher list to use when proxying https:// URLs # @@ -1494,7 +2211,7 @@ http_port 3128 # TAG: sslproxy_cafile # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # file containing CA certificates to use when verifying server # certificates while proxying https:// URLs @@ -1503,45 +2220,151 @@ http_port 3128 # TAG: sslproxy_capath # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # directory containing CA certificates to use when verifying # server certificates while proxying https:// URLs #Default: # none -# TAG: ssl_bump +# TAG: sslproxy_session_ttl +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the timeout value for SSL sessions +#Default: +# sslproxy_session_ttl 300 + +# TAG: sslproxy_session_cache_size +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the cache size to use for ssl session +#Default: +# sslproxy_session_cache_size 2 MB + +# TAG: sslproxy_foreign_intermediate_certs # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # -# This ACL controls which CONNECT requests to an http_port -# marked with an sslBump flag are actually "bumped". Please -# see the sslBump flag of an http_port option for more details -# about decoding proxied SSL connections. +# Many origin servers fail to send their full server certificate +# chain for verification, assuming the client already has or can +# easily locate any missing intermediate certificates. # -# By default, no requests are bumped. +# Squid uses the certificates from the specified file to fill in +# these missing chains when trying to validate origin server +# certificate chains. +# +# The file is expected to contain zero or more PEM-encoded +# intermediate certificates. These certificates are not treated +# as trusted root certificates, and any self-signed certificate in +# this file will be ignored. +#Default: +# none + +# TAG: sslproxy_cert_sign_hash +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the hashing algorithm to use when signing generated certificates. +# Valid algorithm names depend on the OpenSSL library used. The following +# names are usually available: sha1, sha256, sha512, and md5. Please see +# your OpenSSL library manual for the available hashes. By default, Squids +# that support this option use sha256 hashes. +# +# Squid does not forcefully purge cached certificates that were generated +# with an algorithm other than the currently configured one. They remain +# in the cache, subject to the regular cache eviction policy, and become +# useful if the algorithm changes again. +#Default: +# none + +# TAG: ssl_bump +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# This option is consulted when a CONNECT request is received on +# an http_port (or a new connection is intercepted at an +# https_port), provided that port was configured with an ssl-bump +# flag. The subsequent data on the connection is either treated as +# HTTPS and decrypted OR tunneled at TCP level without decryption, +# depending on the first matching bumping "action". +# +# ssl_bump [!]acl ... +# +# The following bumping actions are currently supported: +# +# splice +# Become a TCP tunnel without decrypting proxied traffic. +# This is the default action. +# +# bump +# Establish a secure connection with the server and, using a +# mimicked server certificate, with the client. +# +# peek +# Receive client (step SslBump1) or server (step SslBump2) +# certificate while preserving the possibility of splicing the +# connection. Peeking at the server certificate (during step 2) +# usually precludes bumping of the connection at step 3. +# +# stare +# Receive client (step SslBump1) or server (step SslBump2) +# certificate while preserving the possibility of bumping the +# connection. Staring at the server certificate (during step 2) +# usually precludes splicing of the connection at step 3. +# +# terminate +# Close client and server connections. +# +# Backward compatibility actions available at step SslBump1: +# +# client-first +# Bump the connection. Establish a secure connection with the +# client first, then connect to the server. This old mode does +# not allow Squid to mimic server SSL certificate and does not +# work with intercepted SSL connections. +# +# server-first +# Bump the connection. Establish a secure connection with the +# server first, then establish a secure connection with the +# client, using a mimicked server certificate. Works with both +# CONNECT requests and intercepted SSL connections, but does +# not allow to make decisions based on SSL handshake info. +# +# peek-and-splice +# Decide whether to bump or splice the connection based on +# client-to-squid and server-to-squid SSL hello messages. +# XXX: Remove. +# +# none +# Same as the "splice" action. +# +# All ssl_bump rules are evaluated at each of the supported bumping +# steps. Rules with actions that are impossible at the current step are +# ignored. The first matching ssl_bump action wins and is applied at the +# end of the current step. If no rules match, the splice action is used. +# See the at_step ACL for a list of the supported SslBump steps. # -# See also: http_port ssl-bump -# # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # +# See also: http_port ssl-bump, https_port ssl-bump, and acl at_step. +# # -# # Example: Bump all requests except those originating from localhost and -# # those going to webax.com or example.com sites. +# # Example: Bump all TLS connections except those originating from +# # localhost or those going to example.com. # -# acl localhost src 127.0.0.1/32 -# acl broken_sites dstdomain .webax.com -# acl broken_sites dstdomain .example.com -# ssl_bump deny localhost -# ssl_bump deny broken_sites -# ssl_bump allow all +# acl broken_sites ssl::server_name .example.com +# ssl_bump splice localhost +# ssl_bump splice broken_sites +# ssl_bump bump all #Default: -# none +# Become a TCP tunnel without decrypting proxied traffic. # TAG: sslproxy_flags # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Various flags modifying the use of SSL while proxying https:// URLs: # DONT_VERIFY_PEER Accept certificates that fail verification. @@ -1553,16 +2376,16 @@ http_port 3128 # TAG: sslproxy_cert_error # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Use this ACL to bypass server certificate validation errors. # # For example, the following lines will bypass all validation errors -# when talking to servers located at 172.16.0.0/16. All other +# when talking to servers for example.com. All other # validation errors will result in ERR_SECURE_CONNECT_FAIL error. # -# acl BrokenServersAtTrustedIP dst 172.16.0.0/16 -# sslproxy_cert_error allow BrokenServersAtTrustedIP +# acl BrokenButTrustedServers dstdomain example.com +# sslproxy_cert_error allow BrokenButTrustedServers # sslproxy_cert_error deny all # # This clause only supports fast acl types. @@ -1570,19 +2393,107 @@ http_port 3128 # Using slow acl types may result in server crashes # # Without this option, all server certificate validation errors -# terminate the transaction. Bypassing validation errors is dangerous -# because an error usually implies that the server cannot be trusted and -# the connection may be insecure. +# terminate the transaction to protect Squid and the client. +# +# SQUID_X509_V_ERR_INFINITE_VALIDATION error cannot be bypassed +# but should not happen unless your OpenSSL library is buggy. +# +# SECURITY WARNING: +# Bypassing validation errors is dangerous because an +# error usually implies that the server cannot be trusted +# and the connection may be insecure. # # See also: sslproxy_flags and DONT_VERIFY_PEER. +#Default: +# Server certificate errors terminate the transaction. + +# TAG: sslproxy_cert_sign +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# # -# Default setting: sslproxy_cert_error deny all +# sslproxy_cert_sign acl ... +# +# The following certificate signing algorithms are supported: +# +# signTrusted +# Sign using the configured CA certificate which is usually +# placed in and trusted by end-user browsers. This is the +# default for trusted origin server certificates. +# +# signUntrusted +# Sign to guarantee an X509_V_ERR_CERT_UNTRUSTED browser error. +# This is the default for untrusted origin server certificates +# that are not self-signed (see ssl::certUntrusted). +# +# signSelf +# Sign using a self-signed certificate with the right CN to +# generate a X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT error in the +# browser. This is the default for self-signed origin server +# certificates (see ssl::certSelfSigned). +# +# This clause only supports fast acl types. +# +# When sslproxy_cert_sign acl(s) match, Squid uses the corresponding +# signing algorithm to generate the certificate and ignores all +# subsequent sslproxy_cert_sign options (the first match wins). If no +# acl(s) match, the default signing algorithm is determined by errors +# detected when obtaining and validating the origin server certificate. +# +# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can +# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a +# CONNECT request that carries a domain name. In all other cases (CONNECT +# to an IP address or an intercepted SSL connection), Squid cannot detect +# the domain mismatch at certificate generation time when +# bump-server-first is used. +#Default: +# none + +# TAG: sslproxy_cert_adapt +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# +# sslproxy_cert_adapt acl ... +# +# The following certificate adaptation algorithms are supported: +# +# setValidAfter +# Sets the "Not After" property to the "Not After" property of +# the CA certificate used to sign generated certificates. +# +# setValidBefore +# Sets the "Not Before" property to the "Not Before" property of +# the CA certificate used to sign generated certificates. +# +# setCommonName or setCommonName{CN} +# Sets Subject.CN property to the host name specified as a +# CN parameter or, if no explicit CN parameter was specified, +# extracted from the CONNECT request. It is a misconfiguration +# to use setCommonName without an explicit parameter for +# intercepted or tproxied SSL connections. +# +# This clause only supports fast acl types. +# +# Squid first groups sslproxy_cert_adapt options by adaptation algorithm. +# Within a group, when sslproxy_cert_adapt acl(s) match, Squid uses the +# corresponding adaptation algorithm to generate the certificate and +# ignores all subsequent sslproxy_cert_adapt options in that algorithm's +# group (i.e., the first match wins within each algorithm group). If no +# acl(s) match, the default mimicking action takes place. +# +# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can +# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a +# CONNECT request that carries a domain name. In all other cases (CONNECT +# to an IP address or an intercepted SSL connection), Squid cannot detect +# the domain mismatch at certificate generation time when +# bump-server-first is used. #Default: # none # TAG: sslpassword_program # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Specify a program used for entering SSL key passphrases # when using encrypted SSL certificate keys. If not specified @@ -1595,12 +2506,12 @@ http_port 3128 #Default: # none -#OPTIONS RELATING TO EXTERNAL SSL_CRTD -#----------------------------------------------------------------------------- +# OPTIONS RELATING TO EXTERNAL SSL_CRTD +# ----------------------------------------------------------------------------- # TAG: sslcrtd_program # Note: This option is only available if Squid is rebuilt with the -# -DUSE_SSL_CRTD define +# --enable-ssl-crtd # # Specify the location and options of the executable for ssl_crtd process. # /usr/lib/squid/ssl_crtd program requires -s and -M parameters @@ -1611,14 +2522,90 @@ http_port 3128 # TAG: sslcrtd_children # Note: This option is only available if Squid is rebuilt with the -# -DUSE_SSL_CRTD define +# --enable-ssl-crtd # # The maximum number of processes spawn to service ssl server. # The maximum this may be safely set to is 32. # +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup=N +# +# Sets the minimum number of processes to spawn when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few children temporary slows Squid under load while it +# tries to spawn enough additional processes to cope with traffic. +# +# idle=N +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# # You must have at least one ssl_crtd process. #Default: -# sslcrtd_children 5 +# sslcrtd_children 32 startup=5 idle=1 + +# TAG: sslcrtvalidator_program +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Specify the location and options of the executable for ssl_crt_validator +# process. +# +# Usage: sslcrtvalidator_program [ttl=n] [cache=n] path ... +# +# Options: +# ttl=n TTL in seconds for cached results. The default is 60 secs +# cache=n limit the result cache size. The default value is 2048 +#Default: +# none + +# TAG: sslcrtvalidator_children +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# The maximum number of processes spawn to service SSL server. +# The maximum this may be safely set to is 32. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup=N +# +# Sets the minimum number of processes to spawn when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few children temporary slows Squid under load while it +# tries to spawn enough additional processes to cope with traffic. +# +# idle=N +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# +# The number of requests each certificate validator helper can handle in +# parallel. A value of 0 indicates the certficate validator does not +# support concurrency. Defaults to 1. +# +# When this directive is set to a value >= 1 then the protocol +# used to communicate with the helper is modified to include +# a request ID in front of the request/response. The request +# ID from the request must be echoed back with the response +# to that request. +# +# You must have at least one ssl_crt_validator process. +#Default: +# sslcrtvalidator_children 32 startup=5 idle=1 concurrency=1 # OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM # ----------------------------------------------------------------------------- @@ -1680,22 +2667,23 @@ http_port 3128 # # htcp Send HTCP, instead of ICP, queries to the neighbor. # You probably also want to set the "icp-port" to 4827 -# instead of 3130. +# instead of 3130. This directive accepts a comma separated +# list of options described below. # -# htcp-oldsquid Send HTCP to old Squid versions. +# htcp=oldsquid Send HTCP to old Squid versions (2.5 or earlier). # -# htcp-no-clr Send HTCP to the neighbor but without +# htcp=no-clr Send HTCP to the neighbor but without # sending any CLR requests. This cannot be used with -# htcp-only-clr. +# only-clr. # -# htcp-only-clr Send HTCP to the neighbor but ONLY CLR requests. -# This cannot be used with htcp-no-clr. +# htcp=only-clr Send HTCP to the neighbor but ONLY CLR requests. +# This cannot be used with no-clr. # -# htcp-no-purge-clr +# htcp=no-purge-clr # Send HTCP to the neighbor including CLRs but only when # they do not result from PURGE requests. # -# htcp-forward-clr +# htcp=forward-clr # Forward any HTCP CLR requests this proxy receives to the peer. # # @@ -1768,6 +2756,14 @@ http_port 3128 # than the Squid default location. # # +# ==== CARP OPTIONS ==== +# +# carp-key=key-specification +# use a different key than the full URL to hash against the peer. +# the key-specification is a comma-separated list of the keywords +# scheme, host, port, path, params +# Order is not important. +# # ==== ACCELERATOR / REVERSE-PROXY OPTIONS ==== # # originserver Causes this parent to be contacted as an origin server. @@ -1795,20 +2791,23 @@ http_port 3128 # Note: The string can include URL escapes (i.e. %20 for # spaces). This also means % must be written as %%. # -# login=PROXYPASS +# login=PASSTHRU # Send login details received from client to this peer. -# Authentication is not required, nor changed. +# Both Proxy- and WWW-Authorization headers are passed +# without alteration to the peer. +# Authentication is not required by Squid for this to work. # # Note: This will pass any form of authentication but # only Basic auth will work through a proxy unless the # connection-auth options are also used. -# +# # login=PASS Send login details received from client to this peer. # Authentication is not required by this option. +# # If there are no client-provided authentication headers # to pass on, but username and password are available -# from either proxy login or an external ACL user= and -# password= result tags they may be sent instead. +# from an external ACL user= and password= result tags +# they may be sent instead. # # Note: To combine this with proxy_auth both proxies must # share the same user database as HTTP only allows for @@ -1826,6 +2825,27 @@ http_port 3128 # be used to identify this proxy to the peer, similar to # the login=username:password option above. # +# login=NEGOTIATE +# If this is a personal/workgroup proxy and your parent +# requires a secure proxy authentication. +# The first principal from the default keytab or defined by +# the environment variable KRB5_KTNAME will be used. +# +# WARNING: The connection may transmit requests from multiple +# clients. Negotiate often assumes end-to-end authentication +# and a single-client. Which is not strictly true here. +# +# login=NEGOTIATE:principal_name +# If this is a personal/workgroup proxy and your parent +# requires a secure proxy authentication. +# The principal principal_name from the default keytab or +# defined by the environment variable KRB5_KTNAME will be +# used. +# +# WARNING: The connection may transmit requests from multiple +# clients. Negotiate often assumes end-to-end authentication +# and a single-client. Which is not strictly true here. +# # connection-auth=on|off # Tell Squid that this peer does or not support Microsoft # connection oriented authentication, and any such @@ -1848,22 +2868,42 @@ http_port 3128 # reference a combined file containing both the # certificate and the key. # -# sslversion=1|2|3|4 +# sslversion=1|2|3|4|5|6 # The SSL version to use when connecting to this peer # 1 = automatic (default) # 2 = SSL v2 only # 3 = SSL v3 only -# 4 = TLS v1 only +# 4 = TLS v1.0 only +# 5 = TLS v1.1 only +# 6 = TLS v1.2 only # # sslcipher=... The list of valid SSL ciphers to use when connecting # to this peer. # -# ssloptions=... Specify various SSL engine options: -# NO_SSLv2 Disallow the use of SSLv2 -# NO_SSLv3 Disallow the use of SSLv3 -# NO_TLSv1 Disallow the use of TLSv1 -# See src/ssl_support.c or the OpenSSL documentation for -# a more complete list. +# ssloptions=... Specify various SSL implementation options: +# +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# +# SINGLE_DH_USE +# Always create a new key when using +# temporary/ephemeral DH key exchanges +# +# NO_TICKET +# Disable use of RFC5077 session tickets. Some servers +# may have problems understanding the TLS extension due +# to ambiguous specification in RFC4507. +# +# ALL Enable various bug workarounds +# suggested as "harmless" by OpenSSL +# Be warned that this reduces SSL/TLS +# strength to some attacks. +# +# See the OpenSSL SSL_CTX_set_options documentation for a +# more complete list. # # sslcafile=... A file containing additional CA certificates to use # when verifying the peer certificate. @@ -1907,29 +2947,74 @@ http_port 3128 # # connect-fail-limit=N # How many times connecting to a peer must fail before -# it is marked as down. Default is 10. +# it is marked as down. Standby connection failures +# count towards this limit. Default is 10. # # allow-miss Disable Squid's use of only-if-cached when forwarding # requests to siblings. This is primarily useful when -# icp_hit_stale is used by the sibling. To extensive use -# of this option may result in forwarding loops, and you -# should avoid having two-way peerings with this option. -# For example to deny peer usage on requests from peer -# by denying cache_peer_access if the source is a peer. +# icp_hit_stale is used by the sibling. Excessive use +# of this option may result in forwarding loops. One way +# to prevent peering loops when using this option, is to +# deny cache peer usage on requests from a peer: +# acl fromPeer ... +# cache_peer_access peerName deny fromPeer +# +# max-conn=N Limit the number of concurrent connections the Squid +# may open to this peer, including already opened idle +# and standby connections. There is no peer-specific +# connection limit by default. # -# max-conn=N Limit the amount of connections Squid may open to this -# peer. see also +# A peer exceeding the limit is not used for new +# requests unless a standby connection is available. +# +# max-conn currently works poorly with idle persistent +# connections: When a peer reaches its max-conn limit, +# and there are idle persistent connections to the peer, +# the peer may not be selected because the limiting code +# does not know whether Squid can reuse those idle +# connections. +# +# standby=N Maintain a pool of N "hot standby" connections to an +# UP peer, available for requests when no idle +# persistent connection is available (or safe) to use. +# By default and with zero N, no such pool is maintained. +# N must not exceed the max-conn limit (if any). +# +# At start or after reconfiguration, Squid opens new TCP +# standby connections until there are N connections +# available and then replenishes the standby pool as +# opened connections are used up for requests. A used +# connection never goes back to the standby pool, but +# may go to the regular idle persistent connection pool +# shared by all peers and origin servers. +# +# Squid never opens multiple new standby connections +# concurrently. This one-at-a-time approach minimizes +# flooding-like effect on peers. Furthermore, just a few +# standby connections should be sufficient in most cases +# to supply most new requests with a ready-to-use +# connection. +# +# Standby connections obey server_idle_pconn_timeout. +# For the feature to work as intended, the peer must be +# configured to accept and keep them open longer than +# the idle timeout at the connecting Squid, to minimize +# race conditions typical to idle used persistent +# connections. Default request_timeout and +# server_idle_pconn_timeout values ensure such a +# configuration. # # name=xxx Unique name for the peer. # Required if you have multiple peers on the same host # but different ports. # This name can be used in cache_peer_access and similar -# directives to dentify the peer. +# directives to identify the peer. # Can be used by outgoing access controls through the # peername ACL type. # # no-tproxy Do not use the client-spoof TPROXY support when forwarding # requests to this peer. Use normal address selection instead. +# This overrides the spoof_client_ip ACL. # # proxy-only objects fetched from the peer will not be stored locally. # @@ -1938,10 +3023,11 @@ http_port 3128 # TAG: cache_peer_domain # Use to limit the domains for which a neighbor cache will be -# queried. Usage: +# queried. # -# cache_peer_domain cache-host domain [domain ...] -# cache_peer_domain cache-host !domain +# Usage: +# cache_peer_domain cache-host domain [domain ...] +# cache_peer_domain cache-host !domain # # For example, specifying # @@ -1966,33 +3052,57 @@ http_port 3128 # none # TAG: cache_peer_access -# Similar to 'cache_peer_domain' but provides more flexibility by -# using ACL elements. +# Restricts usage of cache_peer proxies. # -# cache_peer_access cache-host allow|deny [!]aclname ... +# Usage: +# cache_peer_access peer-name allow|deny [!]aclname ... +# +# For the required peer-name parameter, use either the value of the +# cache_peer name=value parameter or, if name=value is missing, the +# cache_peer hostname parameter. +# +# This directive narrows down the selection of peering candidates, but +# does not determine the order in which the selected candidates are +# contacted. That order is determined by the peer selection algorithms +# (see PEER SELECTION sections in the cache_peer documentation). +# +# If a deny rule matches, the corresponding peer will not be contacted +# for the current transaction -- Squid will not send ICP queries and +# will not forward HTTP requests to that peer. An allow match leaves +# the corresponding peer in the selection. The first match for a given +# peer wins for that peer. +# +# The relative order of cache_peer_access directives for the same peer +# matters. The relative order of any two cache_peer_access directives +# for different peers does not matter. To ease interpretation, it is a +# good idea to group cache_peer_access directives for the same peer +# together. +# +# A single cache_peer_access directive may be evaluated multiple times +# for a given transaction because individual peer selection algorithms +# may check it independently from each other. These redundant checks +# may be optimized away in future Squid versions. # -# The syntax is identical to 'http_access' and the other lists of -# ACL elements. See the comments for 'http_access' below, or -# the Squid FAQ (http://wiki.squid-cache.org/SquidFaq/SquidAcl). +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# No peer usage restrictions. # TAG: neighbor_type_domain -# usage: neighbor_type_domain neighbor parent|sibling domain domain ... +# Modify the cache_peer neighbor type when passing requests +# about specific domains to the peer. # -# Modifying the neighbor type for specific domains is now -# possible. You can treat some domains differently than the the -# default neighbor type specified on the 'cache_peer' line. -# Normally it should only be necessary to list domains which -# should be treated differently because the default neighbor type -# applies for hostnames which do not match domains listed here. +# Usage: +# neighbor_type_domain neighbor parent|sibling domain domain ... # -#EXAMPLE: -# cache_peer cache.foo.org parent 3128 3130 -# neighbor_type_domain cache.foo.org sibling .com .net -# neighbor_type_domain cache.foo.org sibling .au .de +# For example: +# cache_peer foo.example.com parent 3128 3130 +# neighbor_type_domain foo.example.com sibling .au .de +# +# The above configuration treats all requests to foo.example.com as a +# parent proxy unless the request is for a .au or .de ccTLD domain name. #Default: -# none +# The peer type from cache_peer directive is used for all requests to that peer. # TAG: dead_peer_timeout (seconds) # This controls how long Squid waits to declare a peer cache @@ -2015,21 +3125,11 @@ http_port 3128 # TAG: forward_max_tries # Controls how many different forward paths Squid will try # before giving up. See also forward_timeout. +# +# NOTE: connect_retries (default: none) can make each of these +# possible forwarding paths be tried multiple times. #Default: -# forward_max_tries 10 - -# TAG: hierarchy_stoplist -# A list of words which, if found in a URL, cause the object to -# be handled directly by this cache. In other words, use this -# to not query neighbor caches for certain objects. You may -# list this option multiple times. -# -# Example: -# hierarchy_stoplist cgi-bin ? -# -# Note: never_direct overrides this option. -#Default: -# none +# forward_max_tries 25 # MEMORY CACHE OPTIONS # ----------------------------------------------------------------------------- @@ -2064,6 +3164,11 @@ http_port 3128 # decreases, blocks will be freed until the high-water mark is # reached. Thereafter, blocks will be used to store hot # objects. +# +# If shared memory caching is enabled, Squid does not use the shared +# cache space for in-transit objects, but they still consume as much +# local memory as they need. For more details about the shared memory +# cache, see memory_cache_shared. #Default: # cache_mem 256 MB @@ -2075,11 +3180,45 @@ http_port 3128 #Default: # maximum_object_size_in_memory 512 KB +# TAG: memory_cache_shared on|off +# Controls whether the memory cache is shared among SMP workers. +# +# The shared memory cache is meant to occupy cache_mem bytes and replace +# the non-shared memory cache, although some entities may still be +# cached locally by workers for now (e.g., internal and in-transit +# objects may be served from a local memory cache even if shared memory +# caching is enabled). +# +# By default, the memory cache is shared if and only if all of the +# following conditions are satisfied: Squid runs in SMP mode with +# multiple workers, cache_mem is positive, and Squid environment +# supports required IPC primitives (e.g., POSIX shared memory segments +# and GCC-style atomic operations). +# +# To avoid blocking locks, shared memory uses opportunistic algorithms +# that do not guarantee that every cachable entity that could have been +# shared among SMP workers will actually be shared. +#Default: +# "on" where supported if doing memory caching with multiple SMP workers. + +# TAG: memory_cache_mode +# Controls which objects to keep in the memory cache (cache_mem) +# +# always Keep most recently fetched objects in memory (default) +# +# disk Only disk cache hits are kept in memory, which means +# an object must first be cached on disk and then hit +# a second time before cached in memory. +# +# network Only objects fetched from network is kept in memory +#Default: +# Keep the most recently fetched objects in memory + # TAG: memory_replacement_policy # The memory replacement policy parameter determines which # objects are purged from memory when memory space is needed. # -# See cache_replacement_policy for details. +# See cache_replacement_policy for details on algorithms. #Default: # memory_replacement_policy lru @@ -2095,7 +3234,7 @@ http_port 3128 # heap LFUDA: Least Frequently Used with Dynamic Aging # heap LRU : LRU policy implemented using a heap # -# Applies to any cache_dir lines listed below this. +# Applies to any cache_dir lines listed below this directive. # # The LRU policies keeps recently referenced objects. # @@ -2114,7 +3253,7 @@ http_port 3128 # replacement policies. # # NOTE: if using the LFUDA replacement policy you should increase -# the value of maximum_object_size above its default of 4096 KB to +# the value of maximum_object_size above its default of 4 MB to # to maximize the potential byte hit rate improvement of LFUDA. # # For more information about the GDSF and LFUDA cache replacement @@ -2123,10 +3262,34 @@ http_port 3128 #Default: # cache_replacement_policy lru +# TAG: minimum_object_size (bytes) +# Objects smaller than this size will NOT be saved on disk. The +# value is specified in bytes, and the default is 0 KB, which +# means all responses can be stored. +#Default: +# no limit + +# TAG: maximum_object_size (bytes) +# Set the default value for max-size parameter on any cache_dir. +# The value is specified in bytes, and the default is 4 MB. +# +# If you wish to get a high BYTES hit ratio, you should probably +# increase this (one 32 MB object hit counts for 3200 10KB +# hits). +# +# If you wish to increase hit ratio more than you want to +# save bandwidth you should leave this low. +# +# NOTE: if using the LFUDA replacement policy you should increase +# this value to maximize the byte hit rate improvement of LFUDA! +# See cache_replacement_policy for a discussion of this policy. +#Default: +# maximum_object_size 4 MB +maximum_object_size 153600 KB + # TAG: cache_dir -# Usage: -# -# cache_dir Type Directory-Name Fs-specific-data [options] +# Format: +# cache_dir Type Directory-Name Fs-specific-data [options] # # You can specify multiple cache_dir lines to spread the # cache among different disk partitions. @@ -2141,12 +3304,18 @@ http_port 3128 # The directory must exist and be writable by the Squid # process. Squid will NOT create this directory for you. # -# The ufs store type: +# In SMP configurations, cache_dir must not precede the workers option +# and should use configuration macros or conditionals to give each +# worker interested in disk caching a dedicated cache directory. +# +# +# ==== The ufs store type ==== # # "ufs" is the old well-known Squid storage format that has always # been there. # -# cache_dir ufs Directory-Name Mbytes L1 L2 [options] +# Usage: +# cache_dir ufs Directory-Name Mbytes L1 L2 [options] # # 'Mbytes' is the amount of disk space (MB) to use under this # directory. The default is 100 MB. Change this to suit your @@ -2161,23 +3330,27 @@ http_port 3128 # will be created under each first-level directory. The default # is 256. # -# The aufs store type: +# +# ==== The aufs store type ==== # # "aufs" uses the same storage format as "ufs", utilizing # POSIX-threads to avoid blocking the main Squid process on # disk-I/O. This was formerly known in Squid as async-io. # -# cache_dir aufs Directory-Name Mbytes L1 L2 [options] +# Usage: +# cache_dir aufs Directory-Name Mbytes L1 L2 [options] # # see argument descriptions under ufs above # -# The diskd store type: +# +# ==== The diskd store type ==== # # "diskd" uses the same storage format as "ufs", utilizing a # separate process to avoid blocking the main Squid process on # disk-I/O. # -# cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n] +# Usage: +# cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n] # # see argument descriptions under ufs above # @@ -2185,55 +3358,149 @@ http_port 3128 # stops opening new files. If this many messages are in the queues, # Squid won't open new files. Default is 64 # -# Q2 specifies the number of unacknowledged messages when Squid -# starts blocking. If this many messages are in the queues, -# Squid blocks until it receives some replies. Default is 72 +# Q2 specifies the number of unacknowledged messages when Squid +# starts blocking. If this many messages are in the queues, +# Squid blocks until it receives some replies. Default is 72 +# +# When Q1 < Q2 (the default), the cache directory is optimized +# for lower response time at the expense of a decrease in hit +# ratio. If Q1 > Q2, the cache directory is optimized for +# higher hit ratio at the expense of an increase in response +# time. +# +# +# ==== The rock store type ==== +# +# Usage: +# cache_dir rock Directory-Name Mbytes [options] +# +# The Rock Store type is a database-style storage. All cached +# entries are stored in a "database" file, using fixed-size slots. +# A single entry occupies one or more slots. +# +# If possible, Squid using Rock Store creates a dedicated kid +# process called "disker" to avoid blocking Squid worker(s) on disk +# I/O. One disker kid is created for each rock cache_dir. Diskers +# are created only when Squid, running in daemon mode, has support +# for the IpcIo disk I/O module. +# +# swap-timeout=msec: Squid will not start writing a miss to or +# reading a hit from disk if it estimates that the swap operation +# will take more than the specified number of milliseconds. By +# default and when set to zero, disables the disk I/O time limit +# enforcement. Ignored when using blocking I/O module because +# blocking synchronous I/O does not allow Squid to estimate the +# expected swap wait time. +# +# max-swap-rate=swaps/sec: Artificially limits disk access using +# the specified I/O rate limit. Swap out requests that +# would cause the average I/O rate to exceed the limit are +# delayed. Individual swap in requests (i.e., hits or reads) are +# not delayed, but they do contribute to measured swap rate and +# since they are placed in the same FIFO queue as swap out +# requests, they may wait longer if max-swap-rate is smaller. +# This is necessary on file systems that buffer "too +# many" writes and then start blocking Squid and other processes +# while committing those writes to disk. Usually used together +# with swap-timeout to avoid excessive delays and queue overflows +# when disk demand exceeds available disk "bandwidth". By default +# and when set to zero, disables the disk I/O rate limit +# enforcement. Currently supported by IpcIo module only. +# +# slot-size=bytes: The size of a database "record" used for +# storing cached responses. A cached response occupies at least +# one slot and all database I/O is done using individual slots so +# increasing this parameter leads to more disk space waste while +# decreasing it leads to more disk I/O overheads. Should be a +# multiple of your operating system I/O page size. Defaults to +# 16KBytes. A housekeeping header is stored with each slot and +# smaller slot-sizes will be rejected. The header is smaller than +# 100 bytes. +# +# +# ==== COMMON OPTIONS ==== +# +# no-store no new objects should be stored to this cache_dir. +# +# min-size=n the minimum object size in bytes this cache_dir +# will accept. It's used to restrict a cache_dir +# to only store large objects (e.g. AUFS) while +# other stores are optimized for smaller objects +# (e.g. Rock). +# Defaults to 0. +# +# max-size=n the maximum object size in bytes this cache_dir +# supports. +# The value in maximum_object_size directive sets +# the default unless more specific details are +# available (ie a small store capacity). +# +# Note: To make optimal use of the max-size limits you should order +# the cache_dir lines with the smallest max-size value first. +# +#Default: +# No disk cache. Store cache ojects only in memory. +# + +# Uncomment and adjust the following to add a disk cache directory. +#cache_dir ufs /var/spool/squid 100 16 256 +cache_dir ufs /var/spool/squid 4096 16 1024 + +# TAG: store_dir_select_algorithm +# How Squid selects which cache_dir to use when the response +# object will fit into more than one. +# +# Regardless of which algorithm is used the cache_dir min-size +# and max-size parameters are obeyed. As such they can affect +# the selection algorithm by limiting the set of considered +# cache_dir. +# +# Algorithms: +# +# least-load +# +# This algorithm is suited to caches with similar cache_dir +# sizes and disk speeds. # -# When Q1 < Q2 (the default), the cache directory is optimized -# for lower response time at the expense of a decrease in hit -# ratio. If Q1 > Q2, the cache directory is optimized for -# higher hit ratio at the expense of an increase in response -# time. +# The disk with the least I/O pending is selected. +# When there are multiple disks with the same I/O load ranking +# the cache_dir with most available capacity is selected. # -# The coss store type: +# When a mix of cache_dir sizes are configured the faster disks +# have a naturally lower I/O loading and larger disks have more +# capacity. So space used to store objects and data throughput +# may be very unbalanced towards larger disks. # -# NP: COSS filesystem in Squid-3 has been deemed too unstable for -# production use and has thus been removed from this release. -# We hope that it can be made usable again soon. # -# block-size=n defines the "block size" for COSS cache_dir's. -# Squid uses file numbers as block numbers. Since file numbers -# are limited to 24 bits, the block size determines the maximum -# size of the COSS partition. The default is 512 bytes, which -# leads to a maximum cache_dir size of 512<<24, or 8 GB. Note -# you should not change the coss block size after Squid -# has written some objects to the cache_dir. +# round-robin # -# The coss file store has changed from 2.5. Now it uses a file -# called 'stripe' in the directory names in the config - and -# this will be created by squid -z. +# This algorithm is suited to caches with unequal cache_dir +# disk sizes. # -# Common options: +# Each cache_dir is selected in a rotation. The next suitable +# cache_dir is used. # -# no-store, no new objects should be stored to this cache_dir +# Available cache_dir capacity is only considered in relation +# to whether the object will fit and meets the min-size and +# max-size parameters. # -# max-size=n, refers to the max object size in bytes this cache_dir -# supports. It is used to select the cache_dir to store the object. -# Note: To make optimal use of the max-size limits you should order -# the cache_dir lines with the smallest max-size value first and the -# ones with no max-size specification last. +# Disk I/O loading is only considered to prevent overload on slow +# disks. This algorithm does not spread objects by size, so any +# I/O loading per-disk may appear very unbalanced and volatile. # -# Note for coss, max-size must be less than COSS_MEMBUF_SZ, -# which can be changed with the --with-coss-membuf-size=N configure -# option. +# If several cache_dirs use similar min-size, max-size, or other +# limits to to reject certain responses, then do not group such +# cache_dir lines together, to avoid round-robin selection bias +# towards the first cache_dir after the group. Instead, interleave +# cache_dir lines from different groups. For example: # - -# Uncomment and adjust the following to add a disk cache directory. -#cache_dir ufs /var/spool/squid 100 16 256 -cache_dir ufs /var/spool/squid 4096 16 1024 - -# TAG: store_dir_select_algorithm -# Set this to 'round-robin' as an alternative. +# store_dir_select_algorithm round-robin +# cache_dir rock /hdd1 ... min-size=100000 +# cache_dir rock /ssd1 ... max-size=99999 +# cache_dir rock /hdd2 ... min-size=100000 +# cache_dir rock /ssd2 ... max-size=99999 +# cache_dir rock /hdd3 ... min-size=100000 +# cache_dir rock /ssd3 ... max-size=99999 #Default: # store_dir_select_algorithm least-load @@ -2244,46 +3511,53 @@ cache_dir ufs /var/spool/squid 4096 16 1024 # # A value of 0 indicates no limit. #Default: -# max_open_disk_fds 0 - -# TAG: minimum_object_size (bytes) -# Objects smaller than this size will NOT be saved on disk. The -# value is specified in kilobytes, and the default is 0 KB, which -# means there is no minimum. -#Default: -# minimum_object_size 0 KB - -# TAG: maximum_object_size (bytes) -# Objects larger than this size will NOT be saved on disk. The -# value is specified in kilobytes, and the default is 4MB. If -# you wish to get a high BYTES hit ratio, you should probably -# increase this (one 32 MB object hit counts for 3200 10KB -# hits). If you wish to increase speed more than your want to -# save bandwidth you should leave this low. -# -# NOTE: if using the LFUDA replacement policy you should increase -# this value to maximize the byte hit rate improvement of LFUDA! -# See replacement_policy below for a discussion of this policy. -#Default: -# maximum_object_size 4096 KB -maximum_object_size 153600 KB +# no limit # TAG: cache_swap_low (percent, 0-100) +# The low-water mark for AUFS/UFS/diskd cache object eviction by +# the cache_replacement_policy algorithm. +# +# Removal begins when the swap (disk) usage of a cache_dir is +# above this low-water mark and attempts to maintain utilization +# near the low-water mark. +# +# As swap utilization increases towards the high-water mark set +# by cache_swap_high object eviction becomes more agressive. +# +# The value difference in percentages between low- and high-water +# marks represent an eviction rate of 300 objects per second and +# the rate continues to scale in agressiveness by multiples of +# this above the high-water mark. +# +# Defaults are 90% and 95%. If you have a large cache, 5% could be +# hundreds of MB. If this is the case you may wish to set these +# numbers closer together. +# +# See also cache_swap_high and cache_replacement_policy #Default: # cache_swap_low 90 # TAG: cache_swap_high (percent, 0-100) +# The high-water mark for AUFS/UFS/diskd cache object eviction by +# the cache_replacement_policy algorithm. # -# The low- and high-water marks for cache object replacement. -# Replacement begins when the swap (disk) usage is above the -# low-water mark and attempts to maintain utilization near the -# low-water mark. As swap utilization gets close to high-water -# mark object eviction becomes more aggressive. If utilization is -# close to the low-water mark less replacement is done each time. +# Removal begins when the swap (disk) usage of a cache_dir is +# above the low-water mark set by cache_swap_low and attempts to +# maintain utilization near the low-water mark. +# +# As swap utilization increases towards this high-water mark object +# eviction becomes more agressive. +# +# The value difference in percentages between low- and high-water +# marks represent an eviction rate of 300 objects per second and +# the rate continues to scale in agressiveness by multiples of +# this above the high-water mark. # # Defaults are 90% and 95%. If you have a large cache, 5% could be # hundreds of MB. If this is the case you may wish to set these # numbers closer together. +# +# See also cache_swap_low and cache_replacement_policy #Default: # cache_swap_high 95 @@ -2313,21 +3587,62 @@ maximum_object_size 153600 KB # ' output as-is # # - left aligned -# width field width. If starting with 0 the -# output is zero padded +# +# width minimum and/or maximum field width: +# [width_min][.width_max] +# When minimum starts with 0, the field is zero-padded. +# String values exceeding maximum width are truncated. +# # {arg} argument such as header name etc # # Format codes: # # % a literal % character +# sn Unique sequence number per log line entry +# err_code The ID of an error response served by Squid or +# a similar internal error identifier. +# err_detail Additional err_code-dependent error information. +# note The annotation specified by the argument. Also +# logs the adaptation meta headers set by the +# adaptation_meta configuration parameter. +# If no argument given all annotations logged. +# The argument may include a separator to use with +# annotation values: +# name[:separator] +# By default, multiple note values are separated with "," +# and multiple notes are separated with "\r\n". +# When logging named notes with %{name}note, the +# explicitly configured separator is used between note +# values. When logging all notes with %note, the +# explicitly configured separator is used between +# individual notes. There is currently no way to +# specify both value and notes separators when logging +# all notes with %note. +# +# Connection related format codes: +# # >a Client source IP address # >A Client FQDN # >p Client source port -# eui Client source EUI (MAC address, EUI-48 or EUI-64 identifier) +# >la Local IP address the client connected to +# >lp Local port number the client connected to +# >qos Client connection TOS/DSCP value set by Squid +# >nfmark Client connection netfilter mark set by Squid +# +# la Local listening IP address the client connection was connected to. +# lp Local listening port number the client connection was connected to. +# +# . format. +# Currently, Squid considers the master transaction +# started when a complete HTTP request header initiating +# the transaction is received from the client. This is +# the same value that Squid uses to calculate transaction +# response time when logging %tr to access.log. Currently, +# Squid uses millisecond resolution for %tS values, +# similar to the default access.log "current time" field +# (%ts.%03tu). +# +# Access Control related format codes: +# +# et Tag returned by external acl +# ea Log string returned by external acl +# un User name (any available) +# ul User name from authentication +# ue User name from external acl helper +# ui User name from ident +# un A user name. Expands to the first available name +# from the following list of information sources: +# - authenticated user name, like %ul +# - user name supplied by an external ACL, like %ue +# - SSL client name, like %us +# - ident user name, like %ui +# credentials Client credentials. The exact meaning depends on +# the authentication scheme: For Basic authentication, +# it is the password; for Digest, the realm sent by the +# client; for NTLM and Negotiate, the client challenge +# or client credentials prefixed with "YR " or "KK ". +# +# HTTP related format codes: +# +# REQUEST # -# HTTP cache related format codes: -# -# [http::]>h Original request header. Optional header name argument -# on the format header[:[separator]element] -# [http::]>ha The HTTP request headers after adaptation and redirection. +# [http::]rm Request method (GET/POST etc) +# [http::]>rm Request method from client +# [http::]ru Request URL from client +# [http::]rs Request URL scheme from client +# [http::]rd Request URL domain from client +# [http::]rP Request URL port from client +# [http::]rp Request URL path excluding hostname from client +# [http::]rv Request protocol version from client +# [http::]h Original received request header. +# Usually differs from the request header sent by +# Squid, although most fields are often preserved. +# Accepts optional header field name/value filter +# argument using name[:[separator]element] format. +# [http::]>ha Received request header after adaptation and +# redirection (pre-cache REQMOD vectoring point). +# Usually differs from the request header sent by +# Squid, although most fields are often preserved. # Optional header name argument as for >h +# +# +# RESPONSE +# +# [http::]Hs HTTP status code sent to the client +# # [http::]h -# [http::]un User name -# [http::]ul User name from authentication -# [http::]ui User name from ident -# [http::]us User name from SSL -# [http::]ue User name from external acl helper -# [http::]>Hs HTTP status code sent to the client -# [http::]st Received request size including HTTP headers. In the -# case of chunked requests the chunked encoding metadata -# are not included -# [http::]>sh Received HTTP request headers size -# [http::]st Total size of request received from client. +# Excluding chunked encoding bytes. +# [http::]sh Size of request headers received from client +# [http::]sni SSL client SNI sent to Squid. Available only +# after the peek, stare, or splice SSL bumping +# actions. +# +# If ICAP is enabled, the following code becomes available (as # well as ICAP log codes documented with the icap_log option): # # icap::tt Total ICAP processing time for the HTTP @@ -2386,14 +3793,13 @@ maximum_object_size 153600 KB # ACLs are checked and when ICAP # transaction is in progress. # -# icap::cert_subject The Subject field of the received client +# SSL certificate or a dash ('-') if Squid has +# received an invalid/malformed certificate or +# no certificate at all. Consider encoding the +# logged value because Subject often has spaces. +# +# %ssl::>cert_issuer The Issuer field of the received client +# SSL certificate or a dash ('-') if Squid has +# received an invalid/malformed certificate or +# no certificate at all. Consider encoding the +# logged value because Issuer often has spaces. +# # The default formats available (which do not need re-defining) are: # -#logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %a %Ss/%03>Hs %h] [%a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh +#logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh +#logformat referrer %ts.%03tu %>a %{Referer}>h %ru +#logformat useragent %>a [%tl] "%{User-Agent}>h" +# +# NOTE: When the log_mime_hdrs directive is set to ON. +# The squid, common and combined formats have a safely encoded copy +# of the mime headers appended to each line within a pair of brackets. +# +# NOTE: The common and combined formats are not quite true to the Apache definition. +# The logs from Squid contain an extra status and hierarchy code appended. +# #Default: -# none +# The format definitions squid, common, combined, referrer, useragent are built in. # TAG: access_log -# These files log client request activities. Has a line every HTTP or -# ICP request. The format is: -# access_log [ [acl acl ...]] -# access_log none [acl acl ...]] +# Configures whether and how Squid logs HTTP and ICP transactions. +# If access logging is enabled, a single line is logged for every +# matching HTTP or ICP request. The recommended directive formats are: # -# Will log to the specified file using the specified format (which -# must be defined in a logformat directive) those entries which match -# ALL the acl's specified (which must be defined in acl clauses). +# access_log : [option ...] [acl acl ...] +# access_log none [acl acl ...] # -# If no acl is specified, all requests will be logged to this file. +# The following directive format is accepted but may be deprecated: +# access_log : [ [acl acl ...]] # -# To disable logging of a request use the filepath "none", in which case -# a logformat name should not be specified. +# In most cases, the first ACL name must not contain the '=' character +# and should not be equal to an existing logformat name. You can always +# start with an 'all' ACL to work around those restrictions. +# +# Will log to the specified module:place using the specified format (which +# must be defined in a logformat directive) those entries which match +# ALL the acl's specified (which must be defined in acl clauses). +# If no acl is specified, all requests will be logged to this destination. +# +# ===== Available options for the recommended directive format ===== +# +# logformat=name Names log line format (either built-in or +# defined by a logformat directive). Defaults +# to 'squid'. +# +# buffer-size=64KB Defines approximate buffering limit for log +# records (see buffered_logs). Squid should not +# keep more than the specified size and, hence, +# should flush records before the buffer becomes +# full to avoid overflows under normal +# conditions (the exact flushing algorithm is +# module-dependent though). The on-error option +# controls overflow handling. +# +# on-error=die|drop Defines action on unrecoverable errors. The +# 'drop' action ignores (i.e., does not log) +# affected log records. The default 'die' action +# kills the affected worker. The drop action +# support has not been tested for modules other +# than tcp. +# +# ===== Modules Currently available ===== +# +# none Do not log any requests matching these ACL. +# Do not specify Place or logformat name. +# +# stdio Write each log line to disk immediately at the completion of +# each request. +# Place: the filename and path to be written. +# +# daemon Very similar to stdio. But instead of writing to disk the log +# line is passed to a daemon helper for asychronous handling instead. +# Place: varies depending on the daemon. +# +# log_file_daemon Place: the file name and path to be written. +# +# syslog To log each request via syslog facility. +# Place: The syslog facility and priority level for these entries. +# Place Format: facility.priority # -# To log the request via syslog specify a filepath of "syslog": +# where facility could be any of: +# authpriv, daemon, local0 ... local7 or user. # -# access_log syslog[:facility.priority] [format [acl1 [acl2 ....]]] -# where facility could be any of: -# authpriv, daemon, local0 .. local7 or user. +# And priority could be any of: +# err, warning, notice, info, debug. +# +# udp To send each log line as text data to a UDP receiver. +# Place: The destination host name or IP and port. +# Place Format: //host:port # -# And priority could be any of: -# err, warning, notice, info, debug. +# tcp To send each log line as text data to a TCP receiver. +# Lines may be accumulated before sending (see buffered_logs). +# Place: The destination host name or IP and port. +# Place Format: //host:port # # Default: -# access_log /var/log/squid/access.log squid +# access_log daemon:/var/log/squid/access.log squid #Default: -# access_log /var/log/squid/access.log squid +# access_log daemon:/var/log/squid/access.log squid # TAG: icap_log # ICAP log files record ICAP transaction summaries, one line per @@ -2472,13 +3953,35 @@ maximum_object_size 153600 KB # ICAP transaction log lines will correspond to a single access # log line. # -# ICAP log uses logformat codes that make sense for an ICAP -# transaction. Header-related codes are applied to the HTTP header -# embedded in an ICAP server response, with the following caveats: -# For REQMOD, there is no HTTP response header unless the ICAP -# server performed request satisfaction. For RESPMOD, the HTTP -# request header is the header sent to the ICAP server. For -# OPTIONS, there are no HTTP headers. +# ICAP log supports many access.log logformat %codes. In ICAP context, +# HTTP message-related %codes are applied to the HTTP message embedded +# in an ICAP message. Logformat "%http::>..." codes are used for HTTP +# messages embedded in ICAP requests while "%http::<..." codes are used +# for HTTP messages embedded in ICAP responses. For example: +# +# http::>h To-be-adapted HTTP message headers sent by Squid to +# the ICAP service. For REQMOD transactions, these are +# HTTP request headers. For RESPMOD, these are HTTP +# response headers, but Squid currently cannot log them +# (i.e., %http::>h will expand to "-" for RESPMOD). +# +# http::st Bytes sent to the ICAP server (TCP payload -# only; i.e., what Squid writes to the socket). +# icap::>st The total size of the ICAP request sent to the ICAP +# server (ICAP headers + ICAP body), including chunking +# metadata (if any). # -# icap::a %icap::to/%03icap::Hs %icap::A %icap::to/%03icap::Hs %icap::\n - logfile data +# R\n - rotate file +# T\n - truncate file +# O\n - reopen file +# F\n - flush file +# r\n - set rotate count to +# b\n - 1 = buffer output, 0 = don't buffer output +# +# No responses is expected. #Default: -# none +# logfile_daemon /usr/lib/squid/log_file_daemon -# TAG: log_icap -# This options allows you to control which requests get logged -# to icap.log. See the icap_log directive for ICAP log details. +# TAG: stats_collection allow|deny acl acl... +# This options allows you to control which requests gets accounted +# in performance counters. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow logging for all transactions. # TAG: cache_store_log # Logs the activities of the storage manager. Shows which # objects are ejected from the cache, and which objects are -# saved and for how long. To disable, enter "none" or remove the line. +# saved and for how long. # There are not really utilities to analyze this data, so you can safely -# disable it. -# +# disable it (the default). +# +# Store log uses modular logging outputs. See access_log for the list +# of modules supported. +# # Example: -# cache_store_log /var/log/squid/store.log +# cache_store_log stdio:/var/log/squid/store.log +# cache_store_log daemon:/var/log/squid/store.log #Default: # none @@ -2590,7 +4111,7 @@ maximum_object_size 153600 KB # them). We recommend you do NOT use this option. It is # better to keep these index files in each 'cache_dir' directory. #Default: -# none +# Store the journal inside its cache_dir # TAG: logfile_rotate # Specifies the number of logfile rotations to make when you @@ -2607,34 +4128,19 @@ maximum_object_size 153600 KB # in the habit of using 'squid -k rotate' instead of 'kill -USR1 # '. # -# Note, from Squid-3.1 this option has no effect on the cache.log, -# that log can be rotated separately by using debug_options +# Note, from Squid-3.1 this option is only a default for cache.log, +# that log can be rotated separately by using debug_options. # -# Note2, for Debian/Linux the default of logfile_rotate is -# zero, since it includes external logfile-rotation methods. +# Note2, for Debian/Linux the default of logfile_rotate is +# zero, since it includes external logfile-rotation methods. #Default: # logfile_rotate 0 -# TAG: emulate_httpd_log on|off -# The Cache can emulate the log file format which many 'httpd' -# programs use. To disable/enable this emulation, set -# emulate_httpd_log to 'off' or 'on'. The default -# is to use the native log format since it includes useful -# information Squid-specific log analyzers use. -#Default: -# emulate_httpd_log off - -# TAG: log_ip_on_direct on|off -# Log the destination IP address in the hierarchy log tag when going -# direct. Earlier Squid versions logged the hostname here. If you -# prefer the old way set this to off. -#Default: -# log_ip_on_direct on - # TAG: mime_table -# Pathname to Squid's MIME table. You shouldn't need to change -# this, but the default file contains examples and formatting -# information if you do. +# Path to Squid's icon configuration file. +# +# You shouldn't need to change this, but the default file contains +# examples and formatting information if you do. #Default: # mime_table /usr/share/squid/mime.conf @@ -2647,91 +4153,61 @@ maximum_object_size 153600 KB #Default: # log_mime_hdrs off -# TAG: useragent_log -# Note: This option is only available if Squid is rebuilt with the -# --enable-useragent-log option -# -# Squid will write the User-Agent field from HTTP requests -# to the filename specified here. By default useragent_log -# is disabled. -#Default: -# none - -# TAG: referer_log -# Note: This option is only available if Squid is rebuilt with the -# --enable-referer-log option -# -# Squid will write the Referer field from HTTP requests to the -# filename specified here. By default referer_log is disabled. -# Note that "referer" is actually a misspelling of "referrer" -# however the misspelt version has been accepted into the HTTP RFCs -# and we accept both. -#Default: -# none - # TAG: pid_filename # A filename to write the process-id to. To disable, enter "none". #Default: # pid_filename /var/run/squid.pid -# TAG: log_fqdn on|off -# Turn this on if you wish to log fully qualified domain names -# in the access.log. To do this Squid does a DNS lookup of all -# IP's connecting to it. This can (in some situations) increase -# latency, which makes your cache seem slower for interactive -# browsing. -#Default: -# log_fqdn off - # TAG: client_netmask # A netmask for client addresses in logfiles and cachemgr output. # Change this to protect the privacy of your cache clients. # A netmask of 255.255.255.0 will log all IP's in that range with # the last digit set to '0'. #Default: -# client_netmask no_addr - -# TAG: forward_log -# Note: This option is only available if Squid is rebuilt with the -# -DWIP_FWD_LOG define -# -# Logs the server-side requests. -# -# This is currently work in progress. -#Default: -# none +# Log full client IP address # TAG: strip_query_terms # By default, Squid strips query terms from requested URLs before -# logging. This protects your user's privacy. +# logging. This protects your user's privacy and reduces log size. +# +# When investigating HIT/MISS or other caching behaviour you +# will need to disable this to see the full URL used by Squid. #Default: # strip_query_terms on # TAG: buffered_logs on|off -# cache.log log file is written with stdio functions, and as such -# it can be buffered or unbuffered. By default it will be unbuffered. -# Buffering it can speed up the writing slightly (though you are -# unlikely to need to worry unless you run with tons of debugging -# enabled in which case performance will suffer badly anyway..). +# Whether to write/send access_log records ASAP or accumulate them and +# then write/send them in larger chunks. Buffering may improve +# performance because it decreases the number of I/Os. However, +# buffering increases the delay before log records become available to +# the final recipient (e.g., a disk file or logging daemon) and, +# hence, increases the risk of log records loss. +# +# Note that even when buffered_logs are off, Squid may have to buffer +# records if it cannot write/send them immediately due to pending I/Os +# (e.g., the I/O writing the previous log record) or connectivity loss. +# +# Currently honored by 'daemon' and 'tcp' access_log modules only. #Default: # buffered_logs off # TAG: netdb_filename -# Note: This option is only available if Squid is rebuilt with the -# --enable-icmp option +# Where Squid stores it's netdb journal. +# When enabled this journal preserves netdb state between restarts. # -# A filename where Squid stores it's netdb state between restarts. # To disable, enter "none". #Default: -# netdb_filename /var/log/squid/netdb.state +# netdb_filename stdio:/var/log/squid/netdb.state # OPTIONS FOR TROUBLESHOOTING # ----------------------------------------------------------------------------- # TAG: cache_log -# Cache logging file. This is where general information about -# your cache's behavior goes. You can increase the amount of data -# logged to this file and how often its rotated with "debug_options" +# Squid administrative logging file. +# +# This is where general information about Squid behavior goes. You can +# increase the amount of data logged to this file and how often it is +# rotated with "debug_options" #Default: # cache_log /var/log/squid/cache.log @@ -2742,14 +4218,14 @@ maximum_object_size 153600 KB # log file, so be careful. # # The magic word "ALL" sets debugging levels for all sections. -# We recommend normally running with "ALL,1". +# The default is to run with "ALL,1" to record important warnings. # # The rotate=N option can be used to keep more or less of these logs # than would otherwise be kept by logfile_rotate. # For most uses a single log should be enough to monitor current # events affecting Squid. #Default: -# debug_options ALL,1 +# Log all critical and important messages. # TAG: coredump_dir # By default Squid leaves core files in the directory from where @@ -2758,7 +4234,7 @@ maximum_object_size 153600 KB # and coredump files will be left there. # #Default: -# coredump_dir none +# Use the directory from where Squid was started. # # Leave coredumps in the first cache dir @@ -2769,24 +4245,17 @@ coredump_dir /var/spool/squid # TAG: ftp_user # If you want the anonymous login password to be more informative -# (and enable the use of picky ftp servers), set this to something +# (and enable the use of picky FTP servers), set this to something # reasonable for your domain, like wwwuser@somewhere.net # # The reason why this is domainless by default is the # request can be made on the behalf of a user in any domain, # depending on how the cache is used. -# Some ftp server also validate the email address is valid +# Some FTP server also validate the email address is valid # (for example perl.com). #Default: # ftp_user Squid@ -# TAG: ftp_list_width -# Sets the width of ftp listings. This should be set to fit in -# the width of a standard browser. Setting this too small -# can cut off long filenames when browsing ftp sites. -#Default: -# ftp_list_width 32 - # TAG: ftp_passive # If your firewall does not allow Squid to use passive # connections, turn off this option. @@ -2822,13 +4291,21 @@ coredump_dir /var/spool/squid # and therefore, translation of the data portion of the segments # will never be needed. # -# Turning this OFF will prevent EPSV being attempted. -# WARNING: Doing so will convert Squid back to the old behavior with all -# the related problems with external NAT devices/layers. +# EPSV is often required to interoperate with FTP servers on IPv6 +# networks. On the other hand, it may break some IPv4 servers. +# +# By default, EPSV may try EPSV with any FTP server. To fine tune +# that decision, you may restrict EPSV to certain clients or servers +# using ACLs: # +# ftp_epsv allow|deny al1 acl2 ... +# +# WARNING: Disabling EPSV may cause problems with external NAT and IPv6. +# +# Only fast ACLs are supported. # Requires ftp_passive to be ON (default) for any effect. #Default: -# ftp_epsv on +# none # TAG: ftp_eprt # FTP Protocol extensions permit the use of a special "EPRT" command. @@ -2889,22 +4366,16 @@ coredump_dir /var/spool/squid # unlinkd_program /usr/lib/squid/unlinkd # TAG: pinger_program -# Note: This option is only available if Squid is rebuilt with the -# --enable-icmp option -# # Specify the location of the executable for the pinger process. #Default: # pinger_program /usr/lib/squid/pinger # TAG: pinger_enable -# Note: This option is only available if Squid is rebuilt with the -# --enable-icmp option -# # Control whether the pinger is active at run-time. # Enables turning ICMP pinger on and off with a simple # squid -k reconfigure. #Default: -# pinger_enable off +# pinger_enable on # OPTIONS FOR URL REWRITING # ----------------------------------------------------------------------------- @@ -2915,68 +4386,137 @@ coredump_dir /var/spool/squid # # For each requested URL, the rewriter will receive on line with the format # -# URL client_ip "/" fqdn user method [ kvpairs] +# [channel-ID ] URL [ extras] +# +# See url_rewrite_extras on how to send "extras" with optional values to +# the helper. +# After processing the request the helper must reply using the following format: +# +# [channel-ID ] result [ kv-pairs] +# +# The result code can be: +# +# OK status=30N url="..." +# Redirect the URL to the one supplied in 'url='. +# 'status=' is optional and contains the status code to send +# the client in Squids HTTP response. It must be one of the +# HTTP redirect status codes: 301, 302, 303, 307, 308. +# When no status is given Squid will use 302. +# +# OK rewrite-url="..." +# Rewrite the URL to the one supplied in 'rewrite-url='. +# The new URL is fetched directly by Squid and returned to +# the client as the response to its request. # -# In the future, the rewriter interface will be extended with -# key=value pairs ("kvpairs" shown above). Rewriter programs -# should be prepared to receive and possibly ignore additional -# whitespace-separated tokens on each input line. +# OK +# When neither of url= and rewrite-url= are sent Squid does +# not change the URL. # -# And the rewriter may return a rewritten URL. The other components of -# the request line does not need to be returned (ignored if they are). +# ERR +# Do not change the URL. # -# The rewriter can also indicate that a client-side redirect should -# be performed to the new URL. This is done by prefixing the returned -# URL with "301:" (moved permanently) or 302: (moved temporarily), etc. +# BH +# An internal error occurred in the helper, preventing +# a result being identified. The 'message=' key name is +# reserved for delivering a log message. +# +# +# In addition to the above kv-pairs Squid also understands the following +# optional kv-pairs received from URL rewriters: +# clt_conn_tag=TAG +# Associates a TAG with the client TCP connection. +# The TAG is treated as a regular annotation but persists across +# future requests on the client connection rather than just the +# current request. A helper may update the TAG during subsequent +# requests be returning a new kv-pair. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# WARNING: URL re-writing ability should be avoided whenever possible. +# Use the URL redirect form of response instead. +# +# Re-write creates a difference in the state held by the client +# and server. Possibly causing confusion when the server response +# contains snippets of its view state. Embeded URLs, response +# and content Location headers, etc. are not re-written by this +# interface. # # By default, a URL rewriter is not used. #Default: # none # TAG: url_rewrite_children -# The number of redirector processes to spawn. If you start -# too few Squid will have to wait for them to process a backlog of -# URLs, slowing it down. If you start too many they will use RAM -# and other system resources. -#Default: -# url_rewrite_children 5 - -# TAG: url_rewrite_concurrency +# The maximum number of redirector processes to spawn. If you limit +# it too few Squid will have to wait for them to process a backlog of +# URLs, slowing it down. If you allow too many they will use RAM +# and other system resources noticably. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup= +# +# Sets a minimum of how many processes are to be spawned when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few will cause an initial slowdown in traffic as Squid +# attempts to simultaneously spawn enough processes to cope. +# +# idle= +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# # The number of requests each redirector helper can handle in # parallel. Defaults to 0 which indicates the redirector # is a old-style single threaded redirector. # # When this directive is set to a value >= 1 then the protocol # used to communicate with the helper is modified to include -# a request ID in front of the request/response. The request -# ID from the request must be echoed back with the response -# to that request. +# an ID in front of the request/response. The ID from the request +# must be echoed back with the response to that request. #Default: -# url_rewrite_concurrency 0 +# url_rewrite_children 20 startup=0 idle=1 concurrency=0 # TAG: url_rewrite_host_header -# By default Squid rewrites any Host: header in redirected -# requests. If you are running an accelerator this may -# not be a wanted effect of a redirector. -# +# To preserve same-origin security policies in browsers and +# prevent Host: header forgery by redirectors Squid rewrites +# any Host: header in redirected requests. +# +# If you are running an accelerator this may not be a wanted +# effect of a redirector. This directive enables you disable +# Host: alteration in reverse-proxy traffic. +# # WARNING: Entries are cached on the result of the URL rewriting # process, so be careful if you have domain-virtual hosts. +# +# WARNING: Squid and other software verifies the URL and Host +# are matching, so be careful not to relay through other proxies +# or inspecting firewalls with this disabled. #Default: # url_rewrite_host_header on # TAG: url_rewrite_access # If defined, this access list specifies which requests are -# sent to the redirector processes. By default all requests -# are sent. +# sent to the redirector processes. # # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: url_rewrite_bypass # When this is 'on', a request will not go through the -# redirector if all redirectors are busy. If this is 'off' +# redirector if all the helpers are busy. If this is 'off' # and the redirector queue grows too large, Squid will exit # with a FATAL error and ask you to increase the number of # redirectors. You should only enable this if the redirectors @@ -2987,23 +4527,231 @@ coredump_dir /var/spool/squid #Default: # url_rewrite_bypass off -# OPTIONS FOR TUNING THE CACHE +# TAG: url_rewrite_extras +# Specifies a string to be append to request line format for the +# rewriter helper. "Quoted" format values may contain spaces and +# logformat %macros. In theory, any logformat %macro can be used. +# In practice, a %macro expands as a dash (-) if the helper request is +# sent before the required macro information is available to Squid. +#Default: +# url_rewrite_extras "%>a/%>A %un %>rm myip=%la myport=%lp" + +# OPTIONS FOR STORE ID # ----------------------------------------------------------------------------- -# TAG: cache -# A list of ACL elements which, if matched and denied, cause the request to -# not be satisfied from the cache and the reply to not be cached. -# In other words, use this to force certain objects to never be cached. +# TAG: store_id_program +# Specify the location of the executable StoreID helper to use. +# Since they can perform almost any function there isn't one included. # -# You must use the words 'allow' or 'deny' to indicate whether items -# matching the ACL should be allowed or denied into the cache. +# For each requested URL, the helper will receive one line with the format # -# Default is to allow all to be cached. +# [channel-ID ] URL [ extras] +# +# +# After processing the request the helper must reply using the following format: +# +# [channel-ID ] result [ kv-pairs] +# +# The result code can be: +# +# OK store-id="..." +# Use the StoreID supplied in 'store-id='. +# +# ERR +# The default is to use HTTP request URL as the store ID. +# +# BH +# An internal error occured in the helper, preventing +# a result being identified. +# +# In addition to the above kv-pairs Squid also understands the following +# optional kv-pairs received from URL rewriters: +# clt_conn_tag=TAG +# Associates a TAG with the client TCP connection. +# Please see url_rewrite_program related documentation for this +# kv-pair +# +# Helper programs should be prepared to receive and possibly ignore +# additional whitespace-separated tokens on each input line. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# NOTE: when using StoreID refresh_pattern will apply to the StoreID +# returned from the helper and not the URL. +# +# WARNING: Wrong StoreID value returned by a careless helper may result +# in the wrong cached response returned to the user. +# +# By default, a StoreID helper is not used. +#Default: +# none + +# TAG: store_id_extras +# Specifies a string to be append to request line format for the +# StoreId helper. "Quoted" format values may contain spaces and +# logformat %macros. In theory, any logformat %macro can be used. +# In practice, a %macro expands as a dash (-) if the helper request is +# sent before the required macro information is available to Squid. +#Default: +# store_id_extras "%>a/%>A %un %>rm myip=%la myport=%lp" + +# TAG: store_id_children +# The maximum number of StoreID helper processes to spawn. If you limit +# it too few Squid will have to wait for them to process a backlog of +# requests, slowing it down. If you allow too many they will use RAM +# and other system resources noticably. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup= +# +# Sets a minimum of how many processes are to be spawned when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few will cause an initial slowdown in traffic as Squid +# attempts to simultaneously spawn enough processes to cope. +# +# idle= +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# +# The number of requests each storeID helper can handle in +# parallel. Defaults to 0 which indicates the helper +# is a old-style single threaded program. +# +# When this directive is set to a value >= 1 then the protocol +# used to communicate with the helper is modified to include +# an ID in front of the request/response. The ID from the request +# must be echoed back with the response to that request. +#Default: +# store_id_children 20 startup=0 idle=1 concurrency=0 + +# TAG: store_id_access +# If defined, this access list specifies which requests are +# sent to the StoreID processes. By default all requests +# are sent. # # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow, unless rules exist in squid.conf. + +# TAG: store_id_bypass +# When this is 'on', a request will not go through the +# helper if all helpers are busy. If this is 'off' +# and the helper queue grows too large, Squid will exit +# with a FATAL error and ask you to increase the number of +# helpers. You should only enable this if the helperss +# are not critical to your caching system. If you use +# helpers for critical caching components, and you enable this +# option, users may not get objects from cache. +#Default: +# store_id_bypass on + +# OPTIONS FOR TUNING THE CACHE +# ----------------------------------------------------------------------------- + +# TAG: cache +# Requests denied by this directive will not be served from the cache +# and their responses will not be stored in the cache. This directive +# has no effect on other transactions and on already cached responses. +# +# This clause supports both fast and slow acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# This and the two other similar caching directives listed below are +# checked at different transaction processing stages, have different +# access to response information, affect different cache operations, +# and differ in slow ACLs support: +# +# * cache: Checked before Squid makes a hit/miss determination. +# No access to reply information! +# Denies both serving a hit and storing a miss. +# Supports both fast and slow ACLs. +# * send_hit: Checked after a hit was detected. +# Has access to reply (hit) information. +# Denies serving a hit only. +# Supports fast ACLs only. +# * store_miss: Checked before storing a cachable miss. +# Has access to reply (miss) information. +# Denies storing a miss only. +# Supports fast ACLs only. +# +# If you are not sure which of the three directives to use, apply the +# following decision logic: +# +# * If your ACL(s) are of slow type _and_ need response info, redesign. +# Squid does not support that particular combination at this time. +# Otherwise: +# * If your directive ACL(s) are of slow type, use "cache"; and/or +# * if your directive ACL(s) need no response info, use "cache". +# Otherwise: +# * If you do not want the response cached, use store_miss; and/or +# * if you do not want a hit on a cached response, use send_hit. +#Default: +# By default, this directive is unused and has no effect. + +# TAG: send_hit +# Responses denied by this directive will not be served from the cache +# (but may still be cached, see store_miss). This directive has no +# effect on the responses it allows and on the cached objects. +# +# Please see the "cache" directive for a summary of differences among +# store_miss, send_hit, and cache directives. +# +# Unlike the "cache" directive, send_hit only supports fast acl +# types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# For example: +# +# # apply custom Store ID mapping to some URLs +# acl MapMe dstdomain .c.example.com +# store_id_program ... +# store_id_access allow MapMe +# +# # but prevent caching of special responses +# # such as 302 redirects that cause StoreID loops +# acl Ordinary http_status 200-299 +# store_miss deny MapMe !Ordinary +# +# # and do not serve any previously stored special responses +# # from the cache (in case they were already cached before +# # the above store_miss rule was in effect). +# send_hit deny MapMe !Ordinary +#Default: +# By default, this directive is unused and has no effect. + +# TAG: store_miss +# Responses denied by this directive will not be cached (but may still +# be served from the cache, see send_hit). This directive has no +# effect on the responses it allows and on the already cached responses. +# +# Please see the "cache" directive for a summary of differences among +# store_miss, send_hit, and cache directives. See the +# send_hit directive for a usage example. +# +# Unlike the "cache" directive, store_miss only supports fast acl +# types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# By default, this directive is unused and has no effect. + +# TAG: max_stale time-units +# This option puts an upper limit on how stale content Squid +# will serve from the cache if cache validation fails. +# Can be overriden by the refresh_pattern max-stale option. +#Default: +# max_stale 1 week # TAG: refresh_pattern # usage: refresh_pattern [-i] regex min percent max [options] @@ -3028,12 +4776,13 @@ coredump_dir /var/spool/squid # override-lastmod # reload-into-ims # ignore-reload -# ignore-no-cache # ignore-no-store # ignore-must-revalidate # ignore-private # ignore-auth +# max-stale=NN # refresh-ims +# store-stale # # override-expire enforces min age even if the server # sent an explicit expiry time (e.g., with the @@ -3049,22 +4798,18 @@ coredump_dir /var/spool/squid # override-lastmod enforces min age even on objects # that were modified recently. # -# reload-into-ims changes client no-cache or ``reload'' -# to If-Modified-Since requests. Doing this VIOLATES the -# HTTP standard. Enabling this feature could make you -# liable for problems which it causes. +# reload-into-ims changes a client no-cache or ``reload'' +# request for a cached entry into a conditional request using +# If-Modified-Since and/or If-None-Match headers, provided the +# cached entry has a Last-Modified and/or a strong ETag header. +# Doing this VIOLATES the HTTP standard. Enabling this feature +# could make you liable for problems which it causes. # # ignore-reload ignores a client no-cache or ``reload'' # header. Doing this VIOLATES the HTTP standard. Enabling # this feature could make you liable for problems which # it causes. # -# ignore-no-cache ignores any ``Pragma: no-cache'' and -# ``Cache-control: no-cache'' headers received from a server. -# The HTTP RFC never allows the use of this (Pragma) header -# from a server, only a client, though plenty of servers -# send it anyway. -# # ignore-no-store ignores any ``Cache-control: no-store'' # headers received from a server. Doing this VIOLATES # the HTTP standard. Enabling this feature could make you @@ -3091,9 +4836,19 @@ coredump_dir /var/spool/squid # ensures that the client will receive an updated version # if one is available. # +# store-stale stores responses even if they don't have explicit +# freshness or a validator (i.e., Last-Modified or an ETag) +# present, or if they're already stale. By default, Squid will +# not cache such responses because they usually can't be +# reused. Note that such responses will be stale by default. +# +# max-stale=NN provide a maximum staleness factor. Squid won't +# serve objects more stale than this even if it failed to +# validate the object. Default: use the max_stale global limit. +# # Basically a cached object is: # -# FRESH if expires < now, else STALE +# FRESH if expire > now, else STALE # STALE if age > max # FRESH if lm-factor < percent, else STALE # FRESH if age < min @@ -3109,7 +4864,9 @@ coredump_dir /var/spool/squid # # +# # Add any of your own refresh_pattern entries above these. +# refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 @@ -3137,7 +4894,7 @@ refresh_pattern . 0 20% 4320 # downloads. # # When the user aborts a request, Squid will check the -# quick_abort values to the amount of data transfered until +# quick_abort values to the amount of data transferred until # then. # # If the transfer has less than 'quick_abort_min' KB remaining, @@ -3195,44 +4952,68 @@ refresh_pattern . 0 20% 4320 #Default: # negative_dns_ttl 1 minutes -# TAG: range_offset_limit (bytes) -# Sets a upper limit on how far into the the file a Range request -# may be to cause Squid to prefetch the whole file. If beyond this -# limit Squid forwards the Range request as it is and the result -# is NOT cached. -# +# TAG: range_offset_limit size [acl acl...] +# usage: (size) [units] [[!]aclname] +# +# Sets an upper limit on how far (number of bytes) into the file +# a Range request may be to cause Squid to prefetch the whole file. +# If beyond this limit, Squid forwards the Range request as it is and +# the result is NOT cached. +# # This is to stop a far ahead range request (lets say start at 17MB) # from making Squid fetch the whole object up to that point before # sending anything to the client. -# -# A value of 0 causes Squid to never fetch more than the +# +# Multiple range_offset_limit lines may be specified, and they will +# be searched from top to bottom on each request until a match is found. +# The first match found will be used. If no line matches a request, the +# default limit of 0 bytes will be used. +# +# 'size' is the limit specified as a number of units. +# +# 'units' specifies whether to use bytes, KB, MB, etc. +# If no units are specified bytes are assumed. +# +# A size of 0 causes Squid to never fetch more than the # client requested. (default) -# -# A value of -1 causes Squid to always fetch the object from the +# +# A size of 'none' causes Squid to always fetch the object from the # beginning so it may cache the result. (2.0 style) -# -# NP: Using -1 here will override any quick_abort settings that may -# otherwise apply to the range request. The range request will +# +# 'aclname' is the name of a defined ACL. +# +# NP: Using 'none' as the byte value here will override any quick_abort settings +# that may otherwise apply to the range request. The range request will # be fully fetched from start to finish regardless of the client # actions. This affects bandwidth usage. #Default: -# range_offset_limit 0 KB +# none # TAG: minimum_expiry_time (seconds) # The minimum caching time according to (Expires - Date) -# Headers Squid honors if the object can't be revalidated -# defaults to 60 seconds. In reverse proxy environments it -# might be desirable to honor shorter object lifetimes. It -# is most likely better to make your server return a -# meaningful Last-Modified header however. In ESI environments -# where page fragments often have short lifetimes, this will -# often be best set to 0. +# headers Squid honors if the object can't be revalidated. +# The default is 60 seconds. +# +# In reverse proxy environments it might be desirable to honor +# shorter object lifetimes. It is most likely better to make +# your server return a meaningful Last-Modified header however. +# +# In ESI environments where page fragments often have short +# lifetimes, this will often be best set to 0. #Default: # minimum_expiry_time 60 seconds -# TAG: store_avg_object_size (kbytes) +# TAG: store_avg_object_size (bytes) # Average object size, used to estimate number of objects your # cache can hold. The default is 13 KB. +# +# This is used to pre-seed the cache index memory allocation to +# reduce expensive reallocate operations while handling clients +# traffic. Too-large values may result in memory allocation during +# peak traffic, too-small values will result in wasted memory. +# +# Check the cache manager 'info' report metrics for the real +# object sizes seen by your Squid before tuning this. #Default: # store_avg_object_size 13 KB @@ -3271,8 +5052,11 @@ refresh_pattern . 0 20% 4320 # than this limit receives an "Invalid Request" error message. # If you set this parameter to a zero (the default), there will # be no limit imposed. +# +# See also client_request_buffer_max_size for an alternative +# limitation on client uploads which can be configured. #Default: -# request_body_max_size 0 KB +# No limit. # TAG: client_request_buffer_max_size (bytes) # This specifies the maximum buffer size of a client request. @@ -3281,29 +5065,6 @@ refresh_pattern . 0 20% 4320 #Default: # client_request_buffer_max_size 512 KB -# TAG: chunked_request_body_max_size (bytes) -# A broken or confused HTTP/1.1 client may send a chunked HTTP -# request to Squid. Squid does not have full support for that -# feature yet. To cope with such requests, Squid buffers the -# entire request and then dechunks request body to create a -# plain HTTP/1.0 request with a known content length. The plain -# request is then used by the rest of Squid code as usual. -# -# The option value specifies the maximum size of the buffer used -# to hold the request before the conversion. If the chunked -# request size exceeds the specified limit, the conversion -# fails, and the client receives an "unsupported request" error, -# as if dechunking was disabled. -# -# Dechunking is enabled by default. To disable conversion of -# chunked requests, set the maximum to zero. -# -# Request dechunking feature and this option in particular are a -# temporary hack. When chunking requests and responses are fully -# supported, there will be no need to buffer a chunked request. -#Default: -# chunked_request_body_max_size 64 KB - # TAG: broken_posts # A list of ACL elements which, if matched, causes Squid to send # an extra CRLF pair after the body of a PUT/POST request. @@ -3325,15 +5086,15 @@ refresh_pattern . 0 20% 4320 # acl buggy_server url_regex ^http://.... # broken_posts allow buggy_server #Default: -# none +# Obey RFC 2616. -# TAG: icap_uses_indirect_client on|off +# TAG: adaptation_uses_indirect_client on|off # Controls whether the indirect client IP address (instead of the direct # client IP address) is passed to adaptation services. # # See also: follow_x_forwarded_for adaptation_send_client_ip #Default: -# icap_uses_indirect_client on +# adaptation_uses_indirect_client on # TAG: via on|off # If set (default), Squid will include a Via header in requests and @@ -3395,64 +5156,62 @@ refresh_pattern . 0 20% 4320 # # This option replaces the old 'anonymize_headers' and the # older 'http_anonymizer' option with something that is much -# more configurable. This new method creates a list of ACLs -# for each header, allowing you very fine-tuned header -# mangling. -# -# This option only applies to request headers, i.e., from the -# client to the server. -# -# You can only specify known headers for the header name. -# Other headers are reclassified as 'Other'. You can also -# refer to all the headers with 'All'. +# more configurable. A list of ACLs for each header name allows +# removal of specific header fields under specific conditions. +# +# This option only applies to outgoing HTTP request headers (i.e., +# headers sent by Squid to the next HTTP hop such as a cache peer +# or an origin server). The option has no effect during cache hit +# detection. The equivalent adaptation vectoring point in ICAP +# terminology is post-cache REQMOD. +# +# The option is applied to individual outgoing request header +# fields. For each request header field F, Squid uses the first +# qualifying sets of request_header_access rules: +# +# 1. Rules with header_name equal to F's name. +# 2. Rules with header_name 'Other', provided F's name is not +# on the hard-coded list of commonly used HTTP header names. +# 3. Rules with header_name 'All'. +# +# Within that qualifying rule set, rule ACLs are checked as usual. +# If ACLs of an "allow" rule match, the header field is allowed to +# go through as is. If ACLs of a "deny" rule match, the header is +# removed and request_header_replace is then checked to identify +# if the removed header has a replacement. If no rules within the +# set have matching ACLs, the header field is left as is. # # For example, to achieve the same behavior as the old # 'http_anonymizer standard' option, you should use: # # request_header_access From deny all # request_header_access Referer deny all -# request_header_access Server deny all # request_header_access User-Agent deny all -# request_header_access WWW-Authenticate deny all -# request_header_access Link deny all # # Or, to reproduce the old 'http_anonymizer paranoid' feature # you should use: # -# request_header_access Allow allow all # request_header_access Authorization allow all -# request_header_access WWW-Authenticate allow all # request_header_access Proxy-Authorization allow all -# request_header_access Proxy-Authenticate allow all # request_header_access Cache-Control allow all -# request_header_access Content-Encoding allow all # request_header_access Content-Length allow all # request_header_access Content-Type allow all # request_header_access Date allow all -# request_header_access Expires allow all # request_header_access Host allow all # request_header_access If-Modified-Since allow all -# request_header_access Last-Modified allow all -# request_header_access Location allow all # request_header_access Pragma allow all # request_header_access Accept allow all # request_header_access Accept-Charset allow all # request_header_access Accept-Encoding allow all # request_header_access Accept-Language allow all -# request_header_access Content-Language allow all -# request_header_access Mime-Version allow all -# request_header_access Retry-After allow all -# request_header_access Title allow all # request_header_access Connection allow all # request_header_access All deny all # -# although many of those are HTTP reply headers, and so should be -# controlled with the reply_header_access directive. +# HTTP reply headers are controlled with the reply_header_access directive. # -# By default, all headers are allowed (no anonymizing is -# performed). +# By default, all headers are allowed (no anonymizing is performed). #Default: -# none +# No limits. # TAG: reply_header_access # Usage: reply_header_access header_name allow|deny [!]aclname ... @@ -3465,25 +5224,13 @@ refresh_pattern . 0 20% 4320 # server to the client. # # This is the same as request_header_access, but in the other -# direction. -# -# This option replaces the old 'anonymize_headers' and the -# older 'http_anonymizer' option with something that is much -# more configurable. This new method creates a list of ACLs -# for each header, allowing you very fine-tuned header -# mangling. -# -# You can only specify known headers for the header name. -# Other headers are reclassified as 'Other'. You can also -# refer to all the headers with 'All'. +# direction. Please see request_header_access for detailed +# documentation. # # For example, to achieve the same behavior as the old # 'http_anonymizer standard' option, you should use: # -# reply_header_access From deny all -# reply_header_access Referer deny all # reply_header_access Server deny all -# reply_header_access User-Agent deny all # reply_header_access WWW-Authenticate deny all # reply_header_access Link deny all # @@ -3491,9 +5238,7 @@ refresh_pattern . 0 20% 4320 # you should use: # # reply_header_access Allow allow all -# reply_header_access Authorization allow all # reply_header_access WWW-Authenticate allow all -# reply_header_access Proxy-Authorization allow all # reply_header_access Proxy-Authenticate allow all # reply_header_access Cache-Control allow all # reply_header_access Content-Encoding allow all @@ -3501,29 +5246,22 @@ refresh_pattern . 0 20% 4320 # reply_header_access Content-Type allow all # reply_header_access Date allow all # reply_header_access Expires allow all -# reply_header_access Host allow all -# reply_header_access If-Modified-Since allow all # reply_header_access Last-Modified allow all # reply_header_access Location allow all # reply_header_access Pragma allow all -# reply_header_access Accept allow all -# reply_header_access Accept-Charset allow all -# reply_header_access Accept-Encoding allow all -# reply_header_access Accept-Language allow all # reply_header_access Content-Language allow all -# reply_header_access Mime-Version allow all # reply_header_access Retry-After allow all # reply_header_access Title allow all +# reply_header_access Content-Disposition allow all # reply_header_access Connection allow all # reply_header_access All deny all # -# although the HTTP request headers won't be usefully controlled -# by this directive -- see request_header_access for details. +# HTTP request headers are controlled with the request_header_access directive. # # By default, all headers are allowed (no anonymizing is # performed). #Default: -# none +# No limits. # TAG: request_header_replace # Usage: request_header_replace header_name message @@ -3531,8 +5269,7 @@ refresh_pattern . 0 20% 4320 # # This option allows you to change the contents of headers # denied with request_header_access above, by replacing them -# with some fixed string. This replaces the old fake_user_agent -# option. +# with some fixed string. # # This only applies to request headers, not reply headers. # @@ -3554,6 +5291,57 @@ refresh_pattern . 0 20% 4320 #Default: # none +# TAG: request_header_add +# Usage: request_header_add field-name field-value acl1 [acl2] ... +# Example: request_header_add X-Client-CA "CA=%ssl::>cert_issuer" all +# +# This option adds header fields to outgoing HTTP requests (i.e., +# request headers sent by Squid to the next HTTP hop such as a +# cache peer or an origin server). The option has no effect during +# cache hit detection. The equivalent adaptation vectoring point +# in ICAP terminology is post-cache REQMOD. +# +# Field-name is a token specifying an HTTP header name. If a +# standard HTTP header name is used, Squid does not check whether +# the new header conflicts with any existing headers or violates +# HTTP rules. If the request to be modified already contains a +# field with the same name, the old field is preserved but the +# header field values are not merged. +# +# Field-value is either a token or a quoted string. If quoted +# string format is used, then the surrounding quotes are removed +# while escape sequences and %macros are processed. +# +# In theory, all of the logformat codes can be used as %macros. +# However, unlike logging (which happens at the very end of +# transaction lifetime), the transaction may not yet have enough +# information to expand a macro when the new header value is needed. +# And some information may already be available to Squid but not yet +# committed where the macro expansion code can access it (report +# such instances!). The macro will be expanded into a single dash +# ('-') in such cases. Not all macros have been tested. +# +# One or more Squid ACLs may be specified to restrict header +# injection to matching requests. As always in squid.conf, all +# ACLs in an option ACL list must be satisfied for the insertion +# to happen. The request_header_add option supports fast ACLs +# only. +#Default: +# none + +# TAG: note +# This option used to log custom information about the master +# transaction. For example, an admin may configure Squid to log +# which "user group" the transaction belongs to, where "user group" +# will be determined based on a set of ACLs and not [just] +# authentication information. +# Values of key/value pairs can be logged using %{key}note macros: +# +# note key value acl ... +# logformat myFormat ... %{key}note ... +#Default: +# none + # TAG: relaxed_header_parser on|off|warn # In the default "on" setting Squid accepts certain forms # of non-compliant HTTP messages where it is unambiguous @@ -3569,15 +5357,32 @@ refresh_pattern . 0 20% 4320 #Default: # relaxed_header_parser on -# TAG: ignore_expect_100 on|off -# This option makes Squid ignore any Expect: 100-continue header present -# in the request. RFC 2616 requires that Squid being unable to satisfy -# the response expectation MUST return a 417 error. -# -# Note: Enabling this is a HTTP protocol violation, but some clients may -# not handle it well.. -#Default: -# ignore_expect_100 off +# TAG: collapsed_forwarding (on|off) +# When enabled, instead of forwarding each concurrent request for +# the same URL, Squid just sends the first of them. The other, so +# called "collapsed" requests, wait for the response to the first +# request and, if it happens to be cachable, use that response. +# Here, "concurrent requests" means "received after the first +# request headers were parsed and before the corresponding response +# headers were parsed". +# +# This feature is disabled by default: enabling collapsed +# forwarding needlessly delays forwarding requests that look +# cachable (when they are collapsed) but then need to be forwarded +# individually anyway because they end up being for uncachable +# content. However, in some cases, such as acceleration of highly +# cachable content with periodic or grouped expiration times, the +# gains from collapsing [large volumes of simultaneous refresh +# requests] outweigh losses from such delays. +# +# Squid collapses two kinds of requests: regular client requests +# received on one of the listening ports and internal "cache +# revalidation" requests which are triggered by those regular +# requests hitting a stale cached object. Revalidation collapsing +# is currently disabled for Squid instances containing SMP-aware +# disk or memory caches and for Vary-controlled cached objects. +#Default: +# collapsed_forwarding off # TIMEOUTS # ----------------------------------------------------------------------------- @@ -3604,25 +5409,46 @@ refresh_pattern . 0 20% 4320 # peer_connect_timeout 30 seconds # TAG: read_timeout time-units -# The read_timeout is applied on server-side connections. After -# each successful read(), the timeout will be extended by this +# Applied on peer server connections. +# +# After each successful read(), the timeout will be extended by this # amount. If no data is read again after this amount of time, -# the request is aborted and logged with ERR_READ_TIMEOUT. The -# default is 15 minutes. +# the request is aborted and logged with ERR_READ_TIMEOUT. +# +# The default is 15 minutes. #Default: # read_timeout 15 minutes +# TAG: write_timeout time-units +# This timeout is tracked for all connections that have data +# available for writing and are waiting for the socket to become +# ready. After each successful write, the timeout is extended by +# the configured amount. If Squid has data to write but the +# connection is not ready for the configured duration, the +# transaction associated with the connection is terminated. The +# default is 15 minutes. +#Default: +# write_timeout 15 minutes + # TAG: request_timeout # How long to wait for complete HTTP request headers after initial # connection establishment. #Default: # request_timeout 5 minutes -# TAG: persistent_request_timeout +# TAG: client_idle_pconn_timeout # How long to wait for the next HTTP request on a persistent -# connection after the previous request completes. +# client connection after the previous request completes. +#Default: +# client_idle_pconn_timeout 2 minutes + +# TAG: ftp_client_idle_timeout +# How long to wait for an FTP request on a connection to Squid ftp_port. +# Many FTP clients do not deal with idle connection closures well, +# necessitating a longer default timeout than client_idle_pconn_timeout +# used for incoming HTTP requests. #Default: -# persistent_request_timeout 2 minutes +# ftp_client_idle_timeout 30 minutes # TAG: client_lifetime time-units # The maximum amount of time a client (browser) is allowed to @@ -3658,11 +5484,11 @@ refresh_pattern . 0 20% 4320 #Default: # half_closed_clients off -# TAG: pconn_timeout +# TAG: server_idle_pconn_timeout # Timeout for idle persistent connections to servers and other # proxies. #Default: -# pconn_timeout 1 minute +# server_idle_pconn_timeout 1 minute # TAG: ident_timeout # Maximum time to wait for IDENT lookups to complete. @@ -3687,15 +5513,15 @@ refresh_pattern . 0 20% 4320 # TAG: cache_mgr # Email-address of local cache manager who will receive -# mail if the cache dies. The default is "webmaster." +# mail if the cache dies. The default is "webmaster". #Default: # cache_mgr webmaster # TAG: mail_from # From: email-address for mail sent when the cache dies. -# The default is to use 'appname@unique_hostname'. -# Default appname value is "squid", can be changed into -# src/globals.h before building squid. +# The default is to use 'squid@unique_hostname'. +# +# See also: unique_hostname directive. #Default: # none @@ -3734,7 +5560,7 @@ refresh_pattern . 0 20% 4320 # Our preference is for administrators to configure a secure # user account for squid with UID/GID matching system policies. #Default: -# none +# Use system group memberships of the cache_effective_user account # TAG: httpd_suppress_version_string on|off # Suppress Squid version string info in HTTP headers and HTML error pages. @@ -3748,14 +5574,14 @@ refresh_pattern . 0 20% 4320 # get errors about IP-forwarding you must set them to have individual # names with this setting. #Default: -# visible_hostname localhost +# Automatically detect the system host name # TAG: unique_hostname # If you want to have multiple machines with the same # 'visible_hostname' you must give each machine a different # 'unique_hostname' so forwarding loops can be detected. #Default: -# none +# Copy the value from visible_hostname # TAG: hostname_aliases # A list of other DNS names your cache has. @@ -3794,33 +5620,32 @@ refresh_pattern . 0 20% 4320 # available on the Web at http://www.ircache.net/Cache/Tracker/. # TAG: announce_period -# This is how frequently to send cache announcements. The -# default is `0' which disables sending the announcement -# messages. +# This is how frequently to send cache announcements. # # To enable announcing your cache, just set an announce period. # # Example: # announce_period 1 day #Default: -# announce_period 0 +# Announcement messages disabled. # TAG: announce_host +# Set the hostname where announce registration messages will be sent. +# +# See also announce_port and announce_file #Default: # announce_host tracker.ircache.net # TAG: announce_file +# The contents of this file will be included in the announce +# registration messages. #Default: # none # TAG: announce_port -# announce_host and announce_port set the hostname and port -# number where the registration message will be sent. +# Set the port where announce registration messages will be sent. # -# Hostname will default to 'tracker.ircache.net' and port will -# default default to 3131. If the 'filename' argument is given, -# the contents of that file will be included in the announce -# message. +# See also announce_host and announce_file #Default: # announce_port 3131 @@ -3833,10 +5658,12 @@ refresh_pattern . 0 20% 4320 # a farm of surrogates may all perform the same tasks, they may share # an identification token. #Default: -# httpd_accel_surrogate_id unset-id +# visible_hostname is used if no specific ID is set. # TAG: http_accel_surrogate_remote on|off -# Remote surrogates (such as those in a CDN) honour Surrogate-Control: no-store-remote. +# Remote surrogates (such as those in a CDN) honour the header +# "Surrogate-Control: no-store-remote". +# # Set this to on to have squid behave as a remote surrogate. #Default: # http_accel_surrogate_remote off @@ -3855,6 +5682,9 @@ refresh_pattern . 0 20% 4320 # This represents the number of delay pools to be used. For example, # if you have one class 2 delay pool and one class 3 delays pool, you # have a total of 2 delay pools. +# +# See also delay_parameters, delay_class, delay_access for pool +# configuration details. #Default: # delay_pools 0 @@ -3907,6 +5737,11 @@ refresh_pattern . 0 20% 4320 # # NOTE-2: Due to the use of bitmasks in class 2,3,4 pools they only apply to # IPv4 traffic. Class 1 and 5 pools may be used with IPv6 traffic. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# See also delay_parameters and delay_access. #Default: # none @@ -3921,14 +5756,16 @@ refresh_pattern . 0 20% 4320 # For example, if you want some_big_clients in delay # pool 1 and lotsa_little_clients in delay pool 2: # -#Example: -# delay_access 1 allow some_big_clients -# delay_access 1 deny all -# delay_access 2 allow lotsa_little_clients -# delay_access 2 deny all -# delay_access 3 allow authenticated_clients +# delay_access 1 allow some_big_clients +# delay_access 1 deny all +# delay_access 2 allow lotsa_little_clients +# delay_access 2 deny all +# delay_access 3 allow authenticated_clients +# +# See also delay_parameters and delay_class. +# #Default: -# none +# Deny using the pool, unless allow rules exist in squid.conf for the pool. # TAG: delay_parameters # This defines the parameters for a delay pool. Each delay pool has @@ -3936,23 +5773,23 @@ refresh_pattern . 0 20% 4320 # description of delay_class. # # For a class 1 delay pool, the syntax is: -# delay_pools pool 1 +# delay_class pool 1 # delay_parameters pool aggregate # # For a class 2 delay pool: -# delay_pools pool 2 +# delay_class pool 2 # delay_parameters pool aggregate individual # # For a class 3 delay pool: -# delay_pools pool 3 +# delay_class pool 3 # delay_parameters pool aggregate network individual # # For a class 4 delay pool: -# delay_pools pool 4 +# delay_class pool 4 # delay_parameters pool aggregate network individual user # # For a class 5 delay pool: -# delay_pools pool 5 +# delay_class pool 5 # delay_parameters pool tagrate # # The option variables are: @@ -3988,11 +5825,11 @@ refresh_pattern . 0 20% 4320 # above example, and is being used to strictly limit each host to 64Kbit/sec # (plus overheads), with no overall limit, the line is: # -# delay_parameters 1 -1/-1 8000/8000 +# delay_parameters 1 none 8000/8000 # -# Note that 8 x 8000 KByte/sec -> 64Kbit/sec. +# Note that 8 x 8K Byte/sec -> 64K bit/sec. # -# Note that the figure -1 is used to represent "unlimited". +# Note that the word 'none' is used to represent no limit. # # # And, if delay pool number 2 is a class 3 delay pool as in the above @@ -4005,15 +5842,19 @@ refresh_pattern . 0 20% 4320 # # delay_parameters 2 32000/32000 8000/8000 600/8000 # -# Note that 8 x 32000 KByte/sec -> 256Kbit/sec. -# 8 x 8000 KByte/sec -> 64Kbit/sec. -# 8 x 600 Byte/sec -> 4800bit/sec. +# Note that 8 x 32K Byte/sec -> 256K bit/sec. +# 8 x 8K Byte/sec -> 64K bit/sec. +# 8 x 600 Byte/sec -> 4800 bit/sec. # # # Finally, for a class 4 delay pool as in the example - each user will # be limited to 128Kbits/sec no matter how many workstations they are logged into.: # # delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000 +# +# +# See also delay_class and delay_access. +# #Default: # none @@ -4026,6 +5867,94 @@ refresh_pattern . 0 20% 4320 #Default: # delay_initial_bucket_level 50 +# CLIENT DELAY POOL PARAMETERS +# ----------------------------------------------------------------------------- + +# TAG: client_delay_pools +# This option specifies the number of client delay pools used. It must +# preceed other client_delay_* options. +# +# Example: +# client_delay_pools 2 +# +# See also client_delay_parameters and client_delay_access. +#Default: +# client_delay_pools 0 + +# TAG: client_delay_initial_bucket_level (percent, 0-no_limit) +# This option determines the initial bucket size as a percentage of +# max_bucket_size from client_delay_parameters. Buckets are created +# at the time of the "first" connection from the matching IP. Idle +# buckets are periodically deleted up. +# +# You can specify more than 100 percent but note that such "oversized" +# buckets are not refilled until their size goes down to max_bucket_size +# from client_delay_parameters. +# +# Example: +# client_delay_initial_bucket_level 50 +#Default: +# client_delay_initial_bucket_level 50 + +# TAG: client_delay_parameters +# +# This option configures client-side bandwidth limits using the +# following format: +# +# client_delay_parameters pool speed_limit max_bucket_size +# +# pool is an integer ID used for client_delay_access matching. +# +# speed_limit is bytes added to the bucket per second. +# +# max_bucket_size is the maximum size of a bucket, enforced after any +# speed_limit additions. +# +# Please see the delay_parameters option for more information and +# examples. +# +# Example: +# client_delay_parameters 1 1024 2048 +# client_delay_parameters 2 51200 16384 +# +# See also client_delay_access. +# +#Default: +# none + +# TAG: client_delay_access +# This option determines the client-side delay pool for the +# request: +# +# client_delay_access pool_ID allow|deny acl_name +# +# All client_delay_access options are checked in their pool ID +# order, starting with pool 1. The first checked pool with allowed +# request is selected for the request. If no ACL matches or there +# are no client_delay_access options, the request bandwidth is not +# limited. +# +# The ACL-selected pool is then used to find the +# client_delay_parameters for the request. Client-side pools are +# not used to aggregate clients. Clients are always aggregated +# based on their source IP addresses (one bucket per source IP). +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# Additionally, only the client TCP connection details are available. +# ACLs testing HTTP properties will not work. +# +# Please see delay_access for more examples. +# +# Example: +# client_delay_access 1 allow low_rate_network +# client_delay_access 2 allow vips_network +# +# +# See also client_delay_parameters and client_delay_pools. +#Default: +# Deny use of the pool, unless allow rules exist in squid.conf for the pool. + # WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS # ----------------------------------------------------------------------------- @@ -4040,7 +5969,7 @@ refresh_pattern . 0 20% 4320 # only one of the two may be used at the same time and defines # which version of WCCP to use. #Default: -# wccp_router any_addr +# WCCP disabled. # TAG: wccp2_router # Use this option to define your WCCP ``home'' router for @@ -4053,7 +5982,7 @@ refresh_pattern . 0 20% 4320 # only one of the two may be used at the same time and defines # which version of WCCP to use. #Default: -# none +# WCCPv2 disabled. # TAG: wccp_version # This directive is only relevant if you need to set up WCCP(v1) @@ -4110,7 +6039,7 @@ refresh_pattern . 0 20% 4320 # Valid values are as follows: # # hash - Hash assignment -# mask - Mask assignment +# mask - Mask assignment # # As a general rule, cisco routers support the hash assignment method # and cisco switches support the mask assignment method. @@ -4138,7 +6067,7 @@ refresh_pattern . 0 20% 4320 # # fleshed out with subsequent options. # wccp2_service standard 0 password=foo #Default: -# wccp2_service standard 0 +# Use the 'web-cache' standard service. # TAG: wccp2_service_info # Dynamic WCCPv2 services require further information to define the @@ -4175,8 +6104,12 @@ refresh_pattern . 0 20% 4320 # wccp2_weight 10000 # TAG: wccp_address +# Use this option if you require WCCPv2 to use a specific +# interface address. +# +# The default behavior is to not bind to any specific address. #Default: -# wccp_address 0.0.0.0 +# Address selected by the operating system. # TAG: wccp2_address # Use this option if you require WCCP to use a specific @@ -4184,7 +6117,7 @@ refresh_pattern . 0 20% 4320 # # The default behavior is to not bind to any specific address. #Default: -# wccp2_address 0.0.0.0 +# Address selected by the operating system. # PERSISTENT CONNECTION HANDLING # ----------------------------------------------------------------------------- @@ -4192,14 +6125,16 @@ refresh_pattern . 0 20% 4320 # Also see "pconn_timeout" in the TIMEOUTS section # TAG: client_persistent_connections +# Persistent connection support for clients. +# Squid uses persistent connections (when allowed). You can use +# this option to disable persistent connections with clients. #Default: # client_persistent_connections on # TAG: server_persistent_connections -# Persistent connection support for clients and servers. By -# default, Squid uses persistent connections (when allowed) -# with its clients and servers. You can use these options to -# disable persistent connections with clients and/or servers. +# Persistent connection support for servers. +# Squid uses persistent connections (when allowed). You can use +# this option to disable persistent connections with servers. #Default: # server_persistent_connections on @@ -4275,7 +6210,7 @@ refresh_pattern . 0 20% 4320 # Example: # snmp_port 3401 #Default: -# snmp_port 0 +# SNMP disabled. # TAG: snmp_access # Allowing or denying access to the SNMP port. @@ -4287,26 +6222,29 @@ refresh_pattern . 0 20% 4320 # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# #Example: # snmp_access allow snmppublic localhost # snmp_access deny all #Default: -# snmp_access deny all +# Deny, unless rules exist in squid.conf. # TAG: snmp_incoming_address -#Default: -# snmp_incoming_address any_addr - -# TAG: snmp_outgoing_address # Just like 'udp_incoming_address', but for the SNMP port. # # snmp_incoming_address is used for the SNMP socket receiving # messages from SNMP agents. -# snmp_outgoing_address is used for SNMP packets returned to SNMP -# agents. # # The default snmp_incoming_address is to listen on all # available network interfaces. +#Default: +# Accept SNMP packets from all machine interfaces. + +# TAG: snmp_outgoing_address +# Just like 'udp_outgoing_address', but for the SNMP port. +# +# snmp_outgoing_address is used for SNMP packets returned to SNMP +# agents. # # If snmp_outgoing_address is not set it will use the same socket # as snmp_incoming_address. Only change this if you want to have @@ -4314,9 +6252,9 @@ refresh_pattern . 0 20% 4320 # listens for SNMP queries. # # NOTE, snmp_incoming_address and snmp_outgoing_address can not have -# the same value since they both use port 3401. +# the same value since they both use the same port. #Default: -# snmp_outgoing_address no_addr +# Use snmp_incoming_address or an address selected by the operating system. # ICP OPTIONS # ----------------------------------------------------------------------------- @@ -4324,22 +6262,21 @@ refresh_pattern . 0 20% 4320 # TAG: icp_port # The port number where Squid sends and receives ICP queries to # and from neighbor caches. The standard UDP port for ICP is 3130. -# Default is disabled (0). # # Example: # icp_port 3130 #Default: -# icp_port 0 +# ICP disabled. # TAG: htcp_port # The port number where Squid sends and receives HTCP queries to # and from neighbor caches. To turn it on you want to set it to -# 4827. By default it is set to "0" (disabled). +# 4827. # # Example: # htcp_port 4827 #Default: -# htcp_port 0 +# HTCP disabled. # TAG: log_icp_queries on|off # If set, ICP queries are logged to access.log. You may wish @@ -4365,7 +6302,7 @@ refresh_pattern . 0 20% 4320 # NOTE, udp_incoming_address and udp_outgoing_address can not # have the same value since they both use the same port. #Default: -# udp_incoming_address any_addr +# Accept packets from all machine interfaces. # TAG: udp_outgoing_address # udp_outgoing_address is used for UDP packets sent out to other @@ -4386,7 +6323,7 @@ refresh_pattern . 0 20% 4320 # NOTE, udp_incoming_address and udp_outgoing_address can not # have the same value since they both use the same port. #Default: -# udp_outgoing_address no_addr +# Use udp_incoming_address or an address selected by the operating system. # TAG: icp_hit_stale on|off # If you want to return ICP_HIT for stale cache objects, set this @@ -4405,21 +6342,33 @@ refresh_pattern . 0 20% 4320 #Default: # minimum_direct_hops 4 -# TAG: minimum_direct_rtt +# TAG: minimum_direct_rtt (msec) # If using the ICMP pinging stuff, do direct fetches for sites # which are no more than this many rtt milliseconds away. #Default: # minimum_direct_rtt 400 # TAG: netdb_low +# The low water mark for the ICMP measurement database. +# +# Note: high watermark controlled by netdb_high directive. +# +# These watermarks are counts, not percents. The defaults are +# (low) 900 and (high) 1000. When the high water mark is +# reached, database entries will be deleted until the low +# mark is reached. #Default: # netdb_low 900 # TAG: netdb_high -# The low and high water marks for the ICMP measurement -# database. These are counts, not percents. The defaults are -# 900 and 1000. When the high water mark is reached, database -# entries will be deleted until the low mark is reached. +# The high water mark for the ICMP measurement database. +# +# Note: low watermark controlled by netdb_low directive. +# +# These watermarks are counts, not percents. The defaults are +# (low) 900 and (high) 1000. When the high water mark is +# reached, database entries will be deleted until the low +# mark is reached. #Default: # netdb_high 1000 @@ -4462,7 +6411,7 @@ refresh_pattern . 0 20% 4320 # # icp_query_timeout 2000 #Default: -# icp_query_timeout 0 +# Dynamic detection. # TAG: maximum_icp_query_timeout (msec) # Normally the ICP query timeout is determined dynamically. But @@ -4528,7 +6477,7 @@ refresh_pattern . 0 20% 4320 # Do not enable this option unless you are are absolutely # certain you understand what you are doing. #Default: -# mcast_miss_addr no_addr +# disabled. # TAG: mcast_miss_ttl # Note: This option is only available if Squid is rebuilt with the @@ -4618,7 +6567,7 @@ refresh_pattern . 0 20% 4320 # The squid developers working on translations are happy to supply drop-in # translated error files in exchange for any new language contributions. #Default: -# none +# Send error pages in the clients preferred language # TAG: error_default_language # Set the default language which squid will send error pages in @@ -4632,7 +6581,7 @@ refresh_pattern . 0 20% 4320 # translations for any language see the squid wiki for details. # http://wiki.squid-cache.org/Translations #Default: -# none +# Generate English language pages. # TAG: error_log_languages # Log to cache.log what languages users are attempting to @@ -4687,17 +6636,47 @@ refresh_pattern . 0 20% 4320 # the first authentication related acl encountered # - When none of the http_access lines matches. It's then the last # acl processed on the last http_access line. +# - When the decision to deny access was made by an adaptation service, +# the acl name is the corresponding eCAP or ICAP service_name. # # NP: If providing your own custom error pages with error_directory # you may also specify them by your custom file name: # Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys # -# Alternatively you can specify an error URL. The browsers will -# get redirected (302 or 307) to the specified URL. %s in the redirection -# URL will be replaced by the requested URL. +# By defaut Squid will send "403 Forbidden". A different 4xx or 5xx +# may be specified by prefixing the file name with the code and a colon. +# e.g. 404:ERR_CUSTOM_ACCESS_DENIED # # Alternatively you can tell Squid to reset the TCP connection # by specifying TCP_RESET. +# +# Or you can specify an error URL or URL pattern. The browsers will +# get redirected to the specified URL after formatting tags have +# been replaced. Redirect will be done with 302 or 307 according to +# HTTP/1.1 specs. A different 3xx code may be specified by prefixing +# the URL. e.g. 303:http://example.com/ +# +# URL FORMAT TAGS: +# %a - username (if available. Password NOT included) +# %B - FTP path URL +# %e - Error number +# %E - Error description +# %h - Squid hostname +# %H - Request domain name +# %i - Client IP Address +# %M - Request Method +# %o - Message result from external ACL helper +# %p - Request Port number +# %P - Request Protocol name +# %R - Request URL path +# %T - Timestamp in RFC 1123 format +# %U - Full canonical URL from client +# (HTTPS URLs terminate with *) +# %u - Full canonical URL from client +# %w - Admin email from squid.conf +# %x - Error name +# %% - Literal percent (%) code +# #Default: # none @@ -4706,18 +6685,18 @@ refresh_pattern . 0 20% 4320 # TAG: nonhierarchical_direct # By default, Squid will send any non-hierarchical requests -# (matching hierarchy_stoplist or not cacheable request type) direct -# to origin servers. +# (not cacheable request type) direct to origin servers. # -# If you set this to off, Squid will prefer to send these +# When this is set to "off", Squid will prefer to send these # requests to parents. # # Note that in most configurations, by turning this off you will only # add latency to these request without any improvement in global hit # ratio. # -# If you are inside an firewall see never_direct instead of -# this directive. +# This option only sets a preference. If the parent is unavailable a +# direct connection to the origin server may still be attempted. To +# completely prevent direct connections use never_direct. #Default: # nonhierarchical_direct on @@ -4736,6 +6715,29 @@ refresh_pattern . 0 20% 4320 #Default: # prefer_direct off +# TAG: cache_miss_revalidate on|off +# RFC 7232 defines a conditional request mechanism to prevent +# response objects being unnecessarily transferred over the network. +# If that mechanism is used by the client and a cache MISS occurs +# it can prevent new cache entries being created. +# +# This option determines whether Squid on cache MISS will pass the +# client revalidation request to the server or tries to fetch new +# content for caching. It can be useful while the cache is mostly +# empty to more quickly have the cache populated by generating +# non-conditional GETs. +# +# When set to 'on' (default), Squid will pass all client If-* headers +# to the server. This permits server responses without a cacheable +# payload to be delivered and on MISS no new cache entry is created. +# +# When set to 'off' and if the request is cacheable, Squid will +# remove the clients If-Modified-Since and If-None-Match headers from +# the request sent to the server. This requests a 200 status response +# from the server to create a new cache entry with. +#Default: +# cache_miss_revalidate on + # TAG: always_direct # Usage: always_direct allow|deny [!]aclname ... # @@ -4776,7 +6778,7 @@ refresh_pattern . 0 20% 4320 # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Prevent any cache_peer being used for this request. # TAG: never_direct # Usage: never_direct allow|deny [!]aclname ... @@ -4805,37 +6807,52 @@ refresh_pattern . 0 20% 4320 # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow DNS results to be used for this request. # ADVANCED NETWORKING OPTIONS # ----------------------------------------------------------------------------- -# TAG: incoming_icp_average +# TAG: incoming_udp_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: -# incoming_icp_average 6 +# incoming_udp_average 6 -# TAG: incoming_http_average +# TAG: incoming_tcp_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: -# incoming_http_average 4 +# incoming_tcp_average 4 # TAG: incoming_dns_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: # incoming_dns_average 4 -# TAG: min_icp_poll_cnt +# TAG: min_udp_poll_cnt +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: -# min_icp_poll_cnt 8 +# min_udp_poll_cnt 8 # TAG: min_dns_poll_cnt +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: # min_dns_poll_cnt 8 -# TAG: min_http_poll_cnt +# TAG: min_tcp_poll_cnt # Heavy voodoo here. I can't even believe you are reading this. # Are you crazy? Don't even think about adjusting these unless # you understand the algorithms in comm_select.c first! #Default: -# min_http_poll_cnt 8 +# min_tcp_poll_cnt 8 # TAG: accept_filter # FreeBSD: @@ -4880,14 +6897,14 @@ refresh_pattern . 0 20% 4320 # WARNING: This may noticably slow down traffic received via external proxies # or NAT devices and cause them to rebound error messages back to their clients. #Default: -# client_ip_max_connections -1 +# No limit. # TAG: tcp_recv_bufsize (bytes) # Size of receive buffer to set for TCP sockets. Probably just -# as easy to change your kernel's default. Set to zero to use -# the default buffer size. +# as easy to change your kernel's default. +# Omit from squid.conf to use the default buffer size. #Default: -# tcp_recv_bufsize 0 bytes +# Use operating system TCP defaults. # ICAP OPTIONS # ----------------------------------------------------------------------------- @@ -4913,22 +6930,36 @@ refresh_pattern . 0 20% 4320 # an established, active ICAP connection before giving up and # either terminating the HTTP transaction or bypassing the # failure. -# -# The default is read_timeout. #Default: -# none +# Use read_timeout. -# TAG: icap_service_failure_limit +# TAG: icap_service_failure_limit limit [in memory-depth time-units] # The limit specifies the number of failures that Squid tolerates # when establishing a new TCP connection with an ICAP service. If # the number of failures exceeds the limit, the ICAP service is # not used for new ICAP requests until it is time to refresh its -# OPTIONS. The per-service failure counter is reset to zero each -# time Squid fetches new service OPTIONS. +# OPTIONS. # # A negative value disables the limit. Without the limit, an ICAP # service will not be considered down due to connectivity failures # between ICAP OPTIONS requests. +# +# Squid forgets ICAP service failures older than the specified +# value of memory-depth. The memory fading algorithm +# is approximate because Squid does not remember individual +# errors but groups them instead, splitting the option +# value into ten time slots of equal length. +# +# When memory-depth is 0 and by default this option has no +# effect on service failure expiration. +# +# Squid always forgets failures when updating service settings +# using an ICAP OPTIONS transaction, regardless of this option +# setting. +# +# For example, +# # suspend service usage after 10 failures in 5 seconds: +# icap_service_failure_limit 10 in 5 seconds #Default: # icap_service_failure_limit 10 @@ -4962,10 +6993,26 @@ refresh_pattern . 0 20% 4320 # TAG: icap_preview_size # The default size of preview data to be sent to the ICAP server. -# -1 means no preview. This value might be overwritten on a per server -# basis by OPTIONS requests. +# This value might be overwritten on a per server basis by OPTIONS requests. +#Default: +# No preview sent. + +# TAG: icap_206_enable on|off +# 206 (Partial Content) responses is an ICAP extension that allows the +# ICAP agents to optionally combine adapted and original HTTP message +# content. The decision to combine is postponed until the end of the +# ICAP response. Squid supports Partial Content extension by default. +# +# Activation of the Partial Content extension is negotiated with each +# ICAP service during OPTIONS exchange. Most ICAP servers should handle +# negotation correctly even if they do not support the extension, but +# some might fail. To disable Partial Content support for all ICAP +# services and to avoid any negotiation, set this option to "off". +# +# Example: +# icap_206_enable off #Default: -# icap_preview_size -1 +# icap_206_enable on # TAG: icap_default_options_ttl # The default TTL value for ICAP OPTIONS responses that don't have @@ -4979,25 +7026,27 @@ refresh_pattern . 0 20% 4320 #Default: # icap_persistent_connections on -# TAG: icap_send_client_ip on|off +# TAG: adaptation_send_client_ip on|off # If enabled, Squid shares HTTP client IP information with adaptation # services. For ICAP, Squid adds the X-Client-IP header to ICAP requests. # For eCAP, Squid sets the libecap::metaClientIp transaction option. # # See also: adaptation_uses_indirect_client #Default: -# icap_send_client_ip off +# adaptation_send_client_ip off -# TAG: icap_send_client_username on|off +# TAG: adaptation_send_username on|off # This sends authenticated HTTP client username (if available) to -# the ICAP service. The username value is encoded based on the +# the adaptation service. +# +# For ICAP, the username value is encoded based on the # icap_client_username_encode option and is sent using the header # specified by the icap_client_username_header option. #Default: -# icap_send_client_username off +# adaptation_send_username off # TAG: icap_client_username_header -# ICAP request header name to use for send_client_username. +# ICAP request header name to use for adaptation_send_username. #Default: # icap_client_username_header X-Client-Username @@ -5009,17 +7058,19 @@ refresh_pattern . 0 20% 4320 # TAG: icap_service # Defines a single ICAP service using the following format: # -# icap_service service_name vectoring_point [options] service_url +# icap_service id vectoring_point uri [option ...] # -# service_name: ID -# an opaque identifier which must be unique in squid.conf +# id: ID +# an opaque identifier or name which is used to direct traffic to +# this specific service. Must be unique among all adaptation +# services in squid.conf. # # vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache # This specifies at which point of transaction processing the # ICAP service should be activated. *_postcache vectoring points # are not yet supported. # -# service_url: icap://servername:port/servicepath +# uri: icap://servername:port/servicepath # ICAP server and service location. # # ICAP does not allow a single service to handle both REQMOD and RESPMOD @@ -5028,6 +7079,8 @@ refresh_pattern . 0 20% 4320 # can even specify multiple identical services as long as their # service_names differ. # +# To activate a service, use the adaptation_access directive. To group +# services, use adaptation_service_chain and adaptation_service_set. # # Service options are separated by white space. ICAP services support # the following name=value options: @@ -5049,11 +7102,12 @@ refresh_pattern . 0 20% 4320 # returning a chain of services to be used next. The services # are specified using the X-Next-Services ICAP response header # value, formatted as a comma-separated list of service names. -# Each named service should be configured in squid.conf and -# should have the same method and vectoring point as the current -# ICAP transaction. Services violating these rules are ignored. -# An empty X-Next-Services value results in an empty plan which -# ends the current adaptation. +# Each named service should be configured in squid.conf. Other +# services are ignored. An empty X-Next-Services value results +# in an empty plan which ends the current adaptation. +# +# Dynamic adaptation plan may cross or cover multiple supported +# vectoring points in their natural processing order. # # Routing is not allowed by default: the ICAP X-Next-Services # response header is ignored. @@ -5063,12 +7117,32 @@ refresh_pattern . 0 20% 4320 # is to use IPv4-only connections. When set to 'on' this option will # make Squid use IPv6-only connections to contact this ICAP service. # +# on-overload=block|bypass|wait|force +# If the service Max-Connections limit has been reached, do +# one of the following for each new ICAP transaction: +# * block: send an HTTP error response to the client +# * bypass: ignore the "over-connected" ICAP service +# * wait: wait (in a FIFO queue) for an ICAP connection slot +# * force: proceed, ignoring the Max-Connections limit +# +# In SMP mode with N workers, each worker assumes the service +# connection limit is Max-Connections/N, even though not all +# workers may use a given service. +# +# The default value is "bypass" if service is bypassable, +# otherwise it is set to "wait". +# +# +# max-conn=number +# Use the given number as the Max-Connections limit, regardless +# of the Max-Connections value given by the service, if any. +# # Older icap_service format without optional named parameters is # deprecated but supported for backward compatibility. # #Example: -#icap_service svcBlocker reqmod_precache bypass=0 icap://icap1.mydomain.net:1344/reqmod -#icap_service svcLogger reqmod_precache routing=on icap://icap2.mydomain.net:1344/respmod +#icap_service svcBlocker reqmod_precache icap://icap1.mydomain.net:1344/reqmod bypass=0 +#icap_service svcLogger reqmod_precache icap://icap2.mydomain.net:1344/respmod routing=on #Default: # none @@ -5094,38 +7168,65 @@ refresh_pattern . 0 20% 4320 # ----------------------------------------------------------------------------- # TAG: ecap_enable on|off -# Note: This option is only available if Squid is rebuilt with the -# --enable-ecap option -# # Controls whether eCAP support is enabled. #Default: # ecap_enable off # TAG: ecap_service -# Note: This option is only available if Squid is rebuilt with the -# --enable-ecap option -# # Defines a single eCAP service # -# ecap_service servicename vectoring_point bypass service_url +# ecap_service id vectoring_point uri [option ...] # -# vectoring_point = reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache +# id: ID +# an opaque identifier or name which is used to direct traffic to +# this specific service. Must be unique among all adaptation +# services in squid.conf. +# +# vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache # This specifies at which point of transaction processing the # eCAP service should be activated. *_postcache vectoring points # are not yet supported. -# bypass = 1|0 -# If set to 1, the eCAP service is treated as optional. If the -# service cannot be reached or malfunctions, Squid will try to -# ignore any errors and process the message as if the service +# +# uri: ecap://vendor/service_name?custom&cgi=style¶meters=optional +# Squid uses the eCAP service URI to match this configuration +# line with one of the dynamically loaded services. Each loaded +# eCAP service must have a unique URI. Obtain the right URI from +# the service provider. +# +# To activate a service, use the adaptation_access directive. To group +# services, use adaptation_service_chain and adaptation_service_set. +# +# Service options are separated by white space. eCAP services support +# the following name=value options: +# +# bypass=on|off|1|0 +# If set to 'on' or '1', the eCAP service is treated as optional. +# If the service cannot be reached or malfunctions, Squid will try +# to ignore any errors and process the message as if the service # was not enabled. No all eCAP errors can be bypassed. -# If set to 0, the eCAP service is treated as essential and all -# eCAP errors will result in an error page returned to the +# If set to 'off' or '0', the eCAP service is treated as essential +# and all eCAP errors will result in an error page returned to the # HTTP client. -# service_url = ecap://vendor/service_name?custom&cgi=style¶meters=optional +# +# Bypass is off by default: services are treated as essential. +# +# routing=on|off|1|0 +# If set to 'on' or '1', the eCAP service is allowed to +# dynamically change the current message adaptation plan by +# returning a chain of services to be used next. +# +# Dynamic adaptation plan may cross or cover multiple supported +# vectoring points in their natural processing order. +# +# Routing is not allowed by default. +# +# Older ecap_service format without optional named parameters is +# deprecated but supported for backward compatibility. +# # #Example: -#ecap_service service_1 reqmod_precache 0 ecap://filters-R-us/leakDetector?on_error=block -#ecap_service service_2 respmod_precache 1 icap://filters-R-us/virusFilter?config=/etc/vf.cfg +#ecap_service s1 reqmod_precache ecap://filters.R.us/leakDetector?on_error=block bypass=off +#ecap_service s2 respmod_precache ecap://filters.R.us/virusFilter config=/etc/vf.cfg bypass=on #Default: # none @@ -5247,7 +7348,7 @@ refresh_pattern . 0 20% 4320 #Example: #adaptation_access service_1 allow all #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: adaptation_service_iteration_limit # Limits the number of iterations allowed when applying adaptation @@ -5275,8 +7376,14 @@ refresh_pattern . 0 20% 4320 # # An ICAP REQMOD or RESPMOD transaction may set an entry in the # shared table by returning an ICAP header field with a name -# specified in adaptation_masterx_shared_names. Squid will store -# and forward that ICAP header field to subsequent ICAP +# specified in adaptation_masterx_shared_names. +# +# An eCAP REQMOD or RESPMOD transaction may set an entry in the +# shared table by implementing the libecap::visitEachOption() API +# to provide an option with a name specified in +# adaptation_masterx_shared_names. +# +# Squid will store and forward the set entry to subsequent adaptation # transactions within the same master transaction scope. # # Only one shared entry name is supported at this time. @@ -5287,6 +7394,43 @@ refresh_pattern . 0 20% 4320 #Default: # none +# TAG: adaptation_meta +# This option allows Squid administrator to add custom ICAP request +# headers or eCAP options to Squid ICAP requests or eCAP transactions. +# Use it to pass custom authentication tokens and other +# transaction-state related meta information to an ICAP/eCAP service. +# +# The addition of a meta header is ACL-driven: +# adaptation_meta name value [!]aclname ... +# +# Processing for a given header name stops after the first ACL list match. +# Thus, it is impossible to add two headers with the same name. If no ACL +# lists match for a given header name, no such header is added. For +# example: +# +# # do not debug transactions except for those that need debugging +# adaptation_meta X-Debug 1 needs_debugging +# +# # log all transactions except for those that must remain secret +# adaptation_meta X-Log 1 !keep_secret +# +# # mark transactions from users in the "G 1" group +# adaptation_meta X-Authenticated-Groups "G 1" authed_as_G1 +# +# The "value" parameter may be a regular squid.conf token or a "double +# quoted string". Within the quoted string, use backslash (\) to escape +# any character, which is currently only useful for escaping backslashes +# and double quotes. For example, +# "this string has one backslash (\\) and two \"quotes\"" +# +# Used adaptation_meta header values may be logged via %note +# logformat code. If multiple adaptation_meta headers with the same name +# are used during master transaction lifetime, the header values are +# logged in the order they were used and duplicate values are ignored +# (only the first repeated value will be logged). +#Default: +# none + # TAG: icap_retry # This ACL determines which retriable ICAP transactions are # retried. Transactions that received a complete ICAP response @@ -5303,8 +7447,7 @@ refresh_pattern . 0 20% 4320 # icap_retry deny all # TAG: icap_retry_limit -# Limits the number of retries allowed. When set to zero (default), -# no retries are allowed. +# Limits the number of retries allowed. # # Communication errors due to persistent connection race # conditions are unavoidable, automatically retried, and do not @@ -5312,7 +7455,7 @@ refresh_pattern . 0 20% 4320 # # See also: icap_retry #Default: -# icap_retry_limit 0 +# No retries are allowed. # DNS OPTIONS # ----------------------------------------------------------------------------- @@ -5332,31 +7475,9 @@ refresh_pattern . 0 20% 4320 #Default: # allow_underscore on -# TAG: cache_dns_program -# Note: This option is only available if Squid is rebuilt with the -# --disable-internal-dns option -# -# Specify the location of the executable for dnslookup process. -#Default: -# cache_dns_program /usr/lib/squid/dnsserver - -# TAG: dns_children -# Note: This option is only available if Squid is rebuilt with the -# --disable-internal-dns option -# -# The number of processes spawn to service DNS name lookups. -# For heavily loaded caches on large servers, you should -# probably increase this value to at least 10. The maximum -# is 32. The default is 5. -# -# You must have at least one dnsserver process. -#Default: -# dns_children 5 - # TAG: dns_retransmit_interval # Initial retransmit interval for DNS queries. The interval is # doubled each time all configured DNS servers have been tried. -# #Default: # dns_retransmit_interval 5 seconds @@ -5365,7 +7486,31 @@ refresh_pattern . 0 20% 4320 # within this time all DNS servers for the queried domain # are assumed to be unavailable. #Default: -# dns_timeout 2 minutes +# dns_timeout 30 seconds + +# TAG: dns_packet_max +# Maximum number of bytes packet size to advertise via EDNS. +# Set to "none" to disable EDNS large packet support. +# +# For legacy reasons DNS UDP replies will default to 512 bytes which +# is too small for many responses. EDNS provides a means for Squid to +# negotiate receiving larger responses back immediately without having +# to failover with repeat requests. Responses larger than this limit +# will retain the old behaviour of failover to TCP DNS. +# +# Squid has no real fixed limit internally, but allowing packet sizes +# over 1500 bytes requires network jumbogram support and is usually not +# necessary. +# +# WARNING: The RFC also indicates that some older resolvers will reply +# with failure of the whole request if the extension is added. Some +# resolvers have already been identified which will reply with mangled +# EDNS response on occasion. Usually in response to many-KB jumbogram +# sizes being advertised by Squid. +# Squid will currently treat these both as an unable-to-resolve domain +# even if it would be resolvable without EDNS. +#Default: +# EDNS disabled # TAG: dns_defnames on|off # Normally the RES_DEFNAMES resolver option is disabled @@ -5373,12 +7518,21 @@ refresh_pattern . 0 20% 4320 # from interpreting single-component hostnames locally. To allow # Squid to handle single-component names, enable this option. #Default: -# dns_defnames off +# Search for single-label domain names is disabled. + +# TAG: dns_multicast_local on|off +# When set to on, Squid sends multicast DNS lookups on the local +# network for domains ending in .local and .arpa. +# This enables local servers and devices to be contacted in an +# ad-hoc or zero-configuration network environment. +#Default: +# Search for .local and .arpa names is disabled. # TAG: dns_nameservers # Use this if you want to specify a list of DNS name servers # (IP addresses) to use instead of those given in your # /etc/resolv.conf file. +# # On Windows platforms, if no value is specified here or in # the /etc/resolv.conf file, the list of DNS name servers are # taken from the Windows registry, both static and dynamic DHCP @@ -5386,7 +7540,7 @@ refresh_pattern . 0 20% 4320 # # Example: dns_nameservers 10.0.0.1 192.172.0.4 #Default: -# none +# Use operating system definitions # TAG: hosts_file # Location of the host-local IP name-address associations @@ -5425,7 +7579,7 @@ refresh_pattern . 0 20% 4320 #Example: # append_domain .yourdomain.com #Default: -# none +# Use operating system definitions # TAG: ignore_unknown_nameservers # By default Squid checks that DNS responses are received @@ -5436,23 +7590,6 @@ refresh_pattern . 0 20% 4320 #Default: # ignore_unknown_nameservers on -# TAG: dns_v4_fallback -# Standard practice with DNS is to lookup either A or AAAA records -# and use the results if it succeeds. Only looking up the other if -# the first attempt fails or otherwise produces no results. -# -# That policy however will cause squid to produce error pages for some -# servers that advertise AAAA but are unreachable over IPv6. -# -# If this is ON squid will always lookup both AAAA and A, using both. -# If this is OFF squid will lookup AAAA and only try A if none found. -# -# WARNING: There are some possibly unwanted side-effects with this on: -# *) Doubles the load placed by squid on the DNS network. -# *) May negatively impact connection delay times. -#Default: -# dns_v4_fallback on - # TAG: dns_v4_first # With the IPv6 Internet being as fast or faster than IPv4 Internet # for most networks Squid prefers to contact websites over IPv6. @@ -5464,11 +7601,12 @@ refresh_pattern . 0 20% 4320 # WARNING: # This option will restrict the situations under which IPv6 # connectivity is used (and tested), potentially hiding network -# problem swhich would otherwise be detected and warned about. +# problems which would otherwise be detected and warned about. #Default: # dns_v4_first off # TAG: ipcache_size (number of entries) +# Maximum number of DNS IP cache entries. #Default: # ipcache_size 1024 @@ -5489,6 +7627,15 @@ refresh_pattern . 0 20% 4320 # MISCELLANEOUS # ----------------------------------------------------------------------------- +# TAG: configuration_includes_quoted_values on|off +# If set, Squid will recognize each "quoted string" after a configuration +# directive as a single parameter. The quotes are stripped before the +# parameter value is interpreted or used. +# See "Values with spaces, quotes, and other special characters" +# section for more details. +#Default: +# configuration_includes_quoted_values off + # TAG: memory_pools on|off # If set, Squid will keep pools of allocated (but unused) memory # available for future use. If memory is a premium on your @@ -5539,7 +7686,7 @@ refresh_pattern . 0 20% 4320 # X-Forwarded-For header. # # If set to "truncate", Squid will remove all existing -# X-Forwarded-For entries, and place itself as the sole entry. +# X-Forwarded-For entries, and place the client IP as the sole entry. #Default: # forwarded_for on @@ -5602,7 +7749,7 @@ refresh_pattern . 0 20% 4320 # cachemgr_passwd lesssssssecret info stats/objects # cachemgr_passwd disable all #Default: -# none +# No password. Actions which require password are denied. # TAG: client_db on|off # If you want to disable collecting per-client statistics, @@ -5633,19 +7780,22 @@ refresh_pattern . 0 20% 4320 #Default: # reload_into_ims off -# TAG: maximum_single_addr_tries -# This sets the maximum number of connection attempts for a -# host that only has one address (for multiple-address hosts, -# each address is tried once). +# TAG: connect_retries +# This sets the maximum number of connection attempts made for each +# TCP connection. The connect_retries attempts must all still +# complete within the connection timeout period. +# +# The default is not to re-try if the first connection attempt fails. +# The (not recommended) maximum is 10 tries. # -# The default value is one attempt, the (not recommended) -# maximum is 255 tries. A warning message will be generated -# if it is set to a value greater than ten. +# A warning message will be generated if it is set to a too-high +# value and the configured value will be over-ridden. # -# Note: This is in addition to the request re-forwarding which -# takes place if Squid fails to get a satisfying response. +# Note: These re-tries are in addition to forward_max_tries +# which limit how many different addresses may be tried to find +# a useful server. #Default: -# maximum_single_addr_tries 1 +# Do not retry failed connections. # TAG: retry_on_error # If set to ON Squid will automatically retry requests when @@ -5678,20 +7828,32 @@ refresh_pattern . 0 20% 4320 # URI. Options: # # strip: The whitespace characters are stripped out of the URL. -# This is the behavior recommended by RFC2396. +# This is the behavior recommended by RFC2396 and RFC3986 +# for tolerant handling of generic URI. +# NOTE: This is one difference between generic URI and HTTP URLs. +# # deny: The request is denied. The user receives an "Invalid # Request" message. +# This is the behaviour recommended by RFC2616 for safe +# handling of HTTP request URL. +# # allow: The request is allowed and the URI is not changed. The # whitespace characters remain in the URI. Note the # whitespace is passed to redirector processes if they # are in use. +# Note this may be considered a violation of RFC2616 +# request parsing where whitespace is prohibited in the +# URL field. +# # encode: The request is allowed and the whitespace characters are -# encoded according to RFC1738. This could be considered -# a violation of the HTTP/1.1 -# RFC because proxies are not allowed to rewrite URI's. +# encoded according to RFC1738. +# # chop: The request is allowed and the URI is chopped at the -# first whitespace. This might also be considered a -# violation. +# first whitespace. +# +# +# NOTE the current Squid implementation of encode and chop violates +# RFC2616 by not using a 301 redirect after altering the URL. #Default: # uri_whitespace strip @@ -5718,23 +7880,28 @@ refresh_pattern . 0 20% 4320 # balance_on_multiple_ip off # TAG: pipeline_prefetch -# To boost the performance of pipelined requests to closer -# match that of a non-proxied environment Squid can try to fetch -# up to two requests in parallel from a pipeline. -# -# Defaults to off for bandwidth management and access logging +# HTTP clients may send a pipeline of 1+N requests to Squid using a +# single connection, without waiting for Squid to respond to the first +# of those requests. This option limits the number of concurrent +# requests Squid will try to handle in parallel. If set to N, Squid +# will try to receive and process up to 1+N requests on the same +# connection concurrently. +# +# Defaults to 0 (off) for bandwidth management and access logging # reasons. # +# NOTE: pipelining requires persistent connections to clients. +# # WARNING: pipelining breaks NTLM and Negotiate/Kerberos authentication. #Default: -# pipeline_prefetch off +# Do not pre-parse pipelined requests. # TAG: high_response_time_warning (msec) # If the one-minute median response time exceeds this value, # Squid prints a WARNING with debug level 0 to get the # administrators attention. The value is in milliseconds. #Default: -# high_response_time_warning 0 +# disabled. # TAG: high_page_fault_warning # If the one-minute average page fault rate exceeds this @@ -5742,14 +7909,17 @@ refresh_pattern . 0 20% 4320 # the administrators attention. The value is in page faults # per second. #Default: -# high_page_fault_warning 0 +# disabled. # TAG: high_memory_warning -# If the memory usage (as determined by mallinfo) exceeds -# this amount, Squid prints a WARNING with debug level 0 to get +# Note: This option is only available if Squid is rebuilt with the +# GNU Malloc with mstats() +# +# If the memory usage (as determined by gnumalloc, if available and used) +# exceeds this amount, Squid prints a WARNING with debug level 0 to get # the administrators attention. #Default: -# high_memory_warning 0 KB +# disabled. # TAG: sleep_after_fork (microseconds) # When this is set to a non-zero value, the main Squid process @@ -5766,6 +7936,9 @@ refresh_pattern . 0 20% 4320 # sleep_after_fork 0 # TAG: windows_ipaddrchangemonitor on|off +# Note: This option is only available if Squid is rebuilt with the +# MS Windows +# # On Windows Squid by default will monitor IP address changes and will # reconfigure itself after any detected event. This is very useful for # proxies connected to internet with dial-up interfaces. @@ -5775,13 +7948,19 @@ refresh_pattern . 0 20% 4320 #Default: # windows_ipaddrchangemonitor on +# TAG: eui_lookup +# Whether to lookup the EUI or MAC address of a connected client. +#Default: +# eui_lookup on + # TAG: max_filedescriptors -# The maximum number of filedescriptors supported. +# Reduce the maximum number of filedescriptors supported below +# the usual operating system defaults. # -# The default "0" means Squid inherits the current ulimit setting. +# Remove from squid.conf to inherit the current ulimit setting. # # Note: Changing this requires a restart of Squid. Also -# not all comm loops supports large values. +# not all I/O types supports large values (eg on Windows). #Default: -# max_filedescriptors 0 +# Use operating system limits set by ulimit. diff --git a/hosts/codethink-sled9-arm64/etc/squid/squid.conf b/hosts/codethink-sled9-arm64/etc/squid/squid.conf index 34be0ec5..ad1cdc47 100644 --- a/hosts/codethink-sled9-arm64/etc/squid/squid.conf +++ b/hosts/codethink-sled9-arm64/etc/squid/squid.conf @@ -1,4 +1,4 @@ -# WELCOME TO SQUID 3.1.20 +# WELCOME TO SQUID 3.5.23 # ---------------------------- # # This is the documentation for the Squid configuration file. @@ -32,6 +32,188 @@ # This arbitrary restriction is to prevent recursive include references # from causing Squid entering an infinite loop whilst trying to load # configuration files. +# +# Values with byte units +# +# Squid accepts size units on some size related directives. All +# such directives are documented with a default value displaying +# a unit. +# +# Units accepted by Squid are: +# bytes - byte +# KB - Kilobyte (1024 bytes) +# MB - Megabyte +# GB - Gigabyte +# +# Values with spaces, quotes, and other special characters +# +# Squid supports directive parameters with spaces, quotes, and other +# special characters. Surround such parameters with "double quotes". Use +# the configuration_includes_quoted_values directive to enable or +# disable that support. +# +# Squid supports reading configuration option parameters from external +# files using the syntax: +# parameters("/path/filename") +# For example: +# acl whitelist dstdomain parameters("/etc/squid/whitelist.txt") +# +# Conditional configuration +# +# If-statements can be used to make configuration directives +# depend on conditions: +# +# if +# ... regular configuration directives ... +# [else +# ... regular configuration directives ...] +# endif +# +# The else part is optional. The keywords "if", "else", and "endif" +# must be typed on their own lines, as if they were regular +# configuration directives. +# +# NOTE: An else-if condition is not supported. +# +# These individual conditions types are supported: +# +# true +# Always evaluates to true. +# false +# Always evaluates to false. +# = +# Equality comparison of two integer numbers. +# +# +# SMP-Related Macros +# +# The following SMP-related preprocessor macros can be used. +# +# ${process_name} expands to the current Squid process "name" +# (e.g., squid1, squid2, or cache1). +# +# ${process_number} expands to the current Squid process +# identifier, which is an integer number (e.g., 1, 2, 3) unique +# across all Squid processes of the current service instance. +# +# ${service_name} expands into the current Squid service instance +# name identifier which is provided by -n on the command line. +# + +# TAG: broken_vary_encoding +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: cache_vary +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: error_map +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: external_refresh_check +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: location_rewrite_program +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: refresh_stale_hit +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: hierarchy_stoplist +# Remove this line. Use always_direct or cache_peer_access ACLs instead if you need to prevent cache_peer use. +#Default: +# none + +# TAG: log_access +# Remove this line. Use acls with access_log directives to control access logging +#Default: +# none + +# TAG: log_icap +# Remove this line. Use acls with icap_log directives to control icap logging +#Default: +# none + +# TAG: ignore_ims_on_miss +# Remove this line. The HTTP/1.1 feature is now configured by 'cache_miss_revalidate'. +#Default: +# none + +# TAG: chunked_request_body_max_size +# Remove this line. Squid is now HTTP/1.1 compliant. +#Default: +# none + +# TAG: dns_v4_fallback +# Remove this line. Squid performs a 'Happy Eyeballs' algorithm, the 'fallback' algorithm is no longer relevant. +#Default: +# none + +# TAG: emulate_httpd_log +# Replace this with an access_log directive using the format 'common' or 'combined'. +#Default: +# none + +# TAG: forward_log +# Use a regular access.log with ACL limiting it to MISS events. +#Default: +# none + +# TAG: ftp_list_width +# Remove this line. Configure FTP page display using the CSS controls in errorpages.css instead. +#Default: +# none + +# TAG: ignore_expect_100 +# Remove this line. The HTTP/1.1 feature is now fully supported by default. +#Default: +# none + +# TAG: log_fqdn +# Remove this option from your config. To log FQDN use %>A in the log format. +#Default: +# none + +# TAG: log_ip_on_direct +# Remove this option from your config. To log server or peer names use % -##auth_param negotiate children 5 +##auth_param negotiate children 20 startup=0 idle=1 ##auth_param negotiate keep_alive on ## -##auth_param ntlm program -##auth_param ntlm children 5 -##auth_param ntlm keep_alive on -## -##auth_param digest program -##auth_param digest children 5 +##auth_param digest program +##auth_param digest children 20 startup=0 idle=1 ##auth_param digest realm Squid proxy-caching web server ##auth_param digest nonce_garbage_interval 5 minutes ##auth_param digest nonce_max_duration 30 minutes ##auth_param digest nonce_max_count 50 ## +##auth_param ntlm program +##auth_param ntlm children 20 startup=0 idle=1 +##auth_param ntlm keep_alive on +## ##auth_param basic program -##auth_param basic children 5 +##auth_param basic children 5 startup=5 idle=1 ##auth_param basic realm Squid proxy-caching web server ##auth_param basic credentialsttl 2 hours #Default: @@ -343,7 +448,7 @@ # TAG: authenticate_cache_garbage_interval # The time period between garbage collection across the username cache. -# This is a tradeoff between memory utilization (long intervals - say +# This is a trade-off between memory utilization (long intervals - say # 2 days) and CPU (short intervals - say 1 minute). Only change if you # have good reason to. #Default: @@ -362,11 +467,11 @@ # this directive controls how long Squid remembers the IP # addresses associated with each user. Use a small value # (e.g., 60 seconds) if your users might change addresses -# quickly, as is the case with dialups. You might be safe +# quickly, as is the case with dialup. You might be safe # using a larger value (e.g., 2 hours) in a corporate LAN # environment with relatively static address assignments. #Default: -# authenticate_ip_ttl 0 seconds +# authenticate_ip_ttl 1 second # ACCESS CONTROLS # ----------------------------------------------------------------------------- @@ -381,31 +486,66 @@ # # ttl=n TTL in seconds for cached results (defaults to 3600 # for 1 hour) +# # negative_ttl=n # TTL for cached negative lookups (default same # as ttl) -# children=n Number of acl helper processes spawn to service +# +# grace=n Percentage remaining of TTL where a refresh of a +# cached entry should be initiated without needing to +# wait for a new reply. (default is for no grace period) +# +# cache=n The maximum number of entries in the result cache. The +# default limit is 262144 entries. Each cache entry usually +# consumes at least 256 bytes. Squid currently does not remove +# expired cache entries until the limit is reached, so a proxy +# will sooner or later reach the limit. The expanded FORMAT +# value is used as the cache key, so if the details in FORMAT +# are highly variable, a larger cache may be needed to produce +# reduction in helper load. +# +# children-max=n +# Maximum number of acl helper processes spawned to service # external acl lookups of this type. (default 5) +# +# children-startup=n +# Minimum number of acl helper processes to spawn during +# startup and reconfigure to service external acl lookups +# of this type. (default 0) +# +# children-idle=n +# Number of acl helper processes to keep ahead of traffic +# loads. Squid will spawn this many at once whenever load +# rises above the capabilities of existing processes. +# Up to the value of children-max. (default 1) +# # concurrency=n concurrency level per process. Only used with helpers # capable of processing more than one query at a time. -# cache=n result cache size, 0 is unbounded (default) -# grace=n Percentage remaining of TTL where a refresh of a -# cached entry should be initiated without needing to -# wait for a new reply. (default 0 for no grace period) -# protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers +# +# protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers. +# # ipv4 / ipv6 IP protocol used to communicate with this helper. # The default is to auto-detect IPv6 and use it when available. # +# # FORMAT specifications # # %LOGIN Authenticated user login name -# %EXT_USER Username from external acl +# %un A user name. Expands to the first available name +# from the following list of information sources: +# - authenticated user name, like %ul or %LOGIN +# - user name sent by an external ACL, like %EXT_USER +# - SSL client name, like %us in logformat +# - ident user name, like %ui in logformat +# %EXT_USER Username from previous external acl +# %EXT_LOG Log details from previous external acl +# %EXT_TAG Tag from previous external acl # %IDENT Ident user name # %SRC Client IP # %SRCPORT Client source port # %URI Requested URI # %DST Requested host -# %PROTO Requested protocol +# %PROTO Requested URL scheme # %PORT Requested port # %PATH Requested URL path # %METHOD Request method @@ -415,7 +555,10 @@ # %USER_CERT SSL User certificate in PEM format # %USER_CERTCHAIN SSL User certificate chain in PEM format # %USER_CERT_xx SSL User certificate subject attribute xx -# %USER_CA_xx SSL User certificate issuer attribute xx +# %USER_CA_CERT_xx SSL User certificate issuer attribute xx +# %ssl::>sni SSL client SNI sent to Squid +# %ssl::{Header} HTTP request header "Header" # %>{Hdr:member} @@ -433,43 +576,101 @@ # list separator. ; can be any non-alphanumeric # character. # +# %ACL The name of the ACL being tested. +# %DATA The ACL arguments. If not used then any arguments +# is automatically added at the end of the line +# sent to the helper. +# NOTE: this will encode the arguments as one token, +# whereas the default will pass each separately. +# # %% The percent sign. Useful for helpers which need # an unchanging input format. # -# In addition to the above, any string specified in the referencing -# acl will also be included in the helper request line, after the -# specified formats (see the "acl external" directive) # -# The helper receives lines per the above format specification, -# and returns lines starting with OK or ERR indicating the validity -# of the request and optionally followed by additional keywords with -# more details. +# General request syntax: +# +# [channel-ID] FORMAT-values [acl-values ...] +# +# +# FORMAT-values consists of transaction details expanded with +# whitespace separation per the config file FORMAT specification +# using the FORMAT macros listed above. +# +# acl-values consists of any string specified in the referencing +# config 'acl ... external' line. see the "acl external" directive. +# +# Request values sent to the helper are URL escaped to protect +# each value in requests against whitespaces. +# +# If using protocol=2.5 then the request sent to the helper is not +# URL escaped to protect against whitespace. +# +# NOTE: protocol=3.0 is deprecated as no longer necessary. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# +# The helper receives lines expanded per the above format specification +# and for each input line returns 1 line starting with OK/ERR/BH result +# code and optionally followed by additional keywords with more details. +# # # General result syntax: # -# OK/ERR keyword=value ... +# [channel-ID] result keyword=value ... +# +# Result consists of one of the codes: +# +# OK +# the ACL test produced a match. +# +# ERR +# the ACL test does not produce a match. +# +# BH +# An internal error occurred in the helper, preventing +# a result being identified. +# +# The meaning of 'a match' is determined by your squid.conf +# access control configuration. See the Squid wiki for details. # # Defined keywords: # # user= The users name (login) +# # password= The users password (for login= cache_peer option) -# message= Message describing the reason. Available as %o -# in error pages -# tag= Apply a tag to a request (for both ERR and OK results) -# Only sets a tag, does not alter existing tags. +# +# message= Message describing the reason for this response. +# Available as %o in error pages. +# Useful on (ERR and BH results). +# +# tag= Apply a tag to a request. Only sets a tag once, +# does not alter existing tags. +# # log= String to be logged in access.log. Available as -# %ea in logformat specifications +# %ea in logformat specifications. # -# If protocol=3.0 (the default) then URL escaping is used to protect -# each value in both requests and responses. +# clt_conn_tag= Associates a TAG with the client TCP connection. +# Please see url_rewrite_program related documentation +# for this kv-pair. # -# If using protocol=2.5 then all values need to be enclosed in quotes -# if they may contain whitespace, or the whitespace escaped using \. -# And quotes or \ characters within the keyword value must be \ escaped. +# Any keywords may be sent on any response whether OK, ERR or BH. # -# When using the concurrency= option the protocol is changed by -# introducing a query channel tag infront of the request/response. -# The query channel tag is a number between 0 and concurrency-1. +# All response keyword values need to be a single token with URL +# escaping, or enclosed in double quotes (") and escaped using \ on +# any double quotes or \ characters within the value. The wrapping +# double quotes are removed before the value is interpreted by Squid. +# \r and \n are also replace by CR and LF. +# +# Some example key values: +# +# user=John%20Smith +# user="John Smith" +# user="J. \"Bob\" Smith" #Default: # none @@ -485,9 +686,23 @@ # # When using "file", the file should contain one item per line. # -# By default, regular expressions are CASE-SENSITIVE. -# To make them case-insensitive, use the -i option. To return case-sensitive -# use the +i option between patterns, or make a new ACL line without -i. +# Some acl types supports options which changes their default behaviour. +# The available options are: +# +# -i,+i By default, regular expressions are CASE-SENSITIVE. To make them +# case-insensitive, use the -i option. To return case-sensitive +# use the +i option between patterns, or make a new ACL line +# without -i. +# +# -n Disable lookups and address type conversions. If lookup or +# conversion is required because the parameter type (IP or +# domain name) does not match the message address type (domain +# name or IP), then the ACL would immediately declare a mismatch +# without any warnings or lookups. +# +# -- Used to stop processing all options, in the case the first acl +# value has '-' character as first character (for example the '-' +# is a valid domain name) # # Some acl types require suspending the current request in order # to access some external data source. @@ -498,29 +713,31 @@ # # ***** ACL TYPES AVAILABLE ***** # -# acl aclname src ip-address/netmask ... # clients IP address [fast] -# acl aclname src addr1-addr2/netmask ... # range of addresses [fast] -# acl aclname dst ip-address/netmask ... # URL host's IP address [slow] -# acl aclname myip ip-address/netmask ... # local socket IP address [fast] +# acl aclname src ip-address/mask ... # clients IP address [fast] +# acl aclname src addr1-addr2/mask ... # range of addresses [fast] +# acl aclname dst [-n] ip-address/mask ... # URL host's IP address [slow] +# acl aclname localip ip-address/mask ... # IP address the client connected to [fast] # # acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation) -# # The arp ACL requires the special configure option --enable-arp-acl. -# # Furthermore, the ARP ACL code is not portable to all operating systems. -# # It works on Linux, Solaris, Windows, FreeBSD, and some -# # other *BSD variants. # # [fast] +# # The 'arp' ACL code is not portable to all operating systems. +# # It works on Linux, Solaris, Windows, FreeBSD, and some other +# # BSD variants. +# # +# # NOTE: Squid can only determine the MAC/EUI address for IPv4 +# # clients that are on the same subnet. If the client is on a +# # different subnet, then Squid cannot find out its address. # # -# # NOTE: Squid can only determine the MAC address for clients that are on -# # the same subnet. If the client is on a different subnet, -# # then Squid cannot find out its MAC address. +# # NOTE 2: IPv6 protocol does not contain ARP. MAC/EUI is either +# # encoded directly in the IPv6 address or not available. # # acl aclname srcdomain .foo.com ... # # reverse lookup, from client IP [slow] -# acl aclname dstdomain .foo.com ... +# acl aclname dstdomain [-n] .foo.com ... # # Destination server from URL [fast] # acl aclname srcdom_regex [-i] \.foo\.com ... # # regex matching client name [slow] -# acl aclname dstdom_regex [-i] \.foo\.com ... +# acl aclname dstdom_regex [-n] [-i] \.foo\.com ... # # regex matching server [fast] # # # # For dstdomain and dstdom_regex a reverse lookup is tried if a IP @@ -557,13 +774,17 @@ # # acl aclname url_regex [-i] ^http:// ... # # regex matching on whole URL [fast] +# acl aclname urllogin [-i] [^a-zA-Z0-9] ... +# # regex matching on URL login field # acl aclname urlpath_regex [-i] \.gif$ ... # # regex matching on URL path [fast] # # acl aclname port 80 70 21 0-1024... # destination TCP port [fast] # # ranges are alloed -# acl aclname myport 3128 ... # local socket TCP port [fast] -# acl aclname myportname 3128 ... # http(s)_port name [fast] +# acl aclname localport 3128 ... # TCP port the client connected to [fast] +# # NP: for interception mode this is usually '80' +# +# acl aclname myportname 3128 ... # *_port name [fast] # # acl aclname proto HTTP FTP ... # request protocol [fast] # @@ -632,6 +853,11 @@ # # clients may appear to come from multiple addresses if they are # # going through proxy farms, so a limit of 1 may cause user problems. # +# acl aclname random probability +# # Pseudo-randomly match requests. Based on the probability given. +# # Probability may be written as a decimal (0.333), fraction (1/3) +# # or ratio of matches:non-matches (3:5). +# # acl aclname req_mime_type [-i] mime-type ... # # regex match against the mime type of the request generated # # by the client. Can be used to detect file upload or some @@ -663,11 +889,11 @@ # # acl aclname user_cert attribute values... # # match against attributes in a user SSL certificate -# # attribute is one of DN/C/O/CN/L/ST [fast] +# # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast] # # acl aclname ca_cert attribute values... # # match against attributes a users issuing CA SSL certificate -# # attribute is one of DN/C/O/CN/L/ST [fast] +# # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast] # # acl aclname ext_user username ... # acl aclname ext_user_regex [-i] pattern ... @@ -675,7 +901,59 @@ # # use REQUIRED to accept any non-null user name. # # acl aclname tag tagvalue ... -# # string match on tag returned by external acl helper [slow] +# # string match on tag returned by external acl helper [fast] +# # DEPRECATED. Only the first tag will match with this ACL. +# # Use the 'note' ACL instead for handling multiple tag values. +# +# acl aclname hier_code codename ... +# # string match against squid hierarchy code(s); [fast] +# # e.g., DIRECT, PARENT_HIT, NONE, etc. +# # +# # NOTE: This has no effect in http_access rules. It only has +# # effect in rules that affect the reply data stream such as +# # http_reply_access. +# +# acl aclname note name [value ...] +# # match transaction annotation [fast] +# # Without values, matches any annotation with a given name. +# # With value(s), matches any annotation with a given name that +# # also has one of the given values. +# # Names and values are compared using a string equality test. +# # Annotation sources include note and adaptation_meta directives +# # as well as helper and eCAP responses. +# +# acl aclname adaptation_service service ... +# # Matches the name of any icap_service, ecap_service, +# # adaptation_service_set, or adaptation_service_chain that Squid +# # has used (or attempted to use) for the master transaction. +# # This ACL must be defined after the corresponding adaptation +# # service is named in squid.conf. This ACL is usable with +# # adaptation_meta because it starts matching immediately after +# # the service has been selected for adaptation. +# +# acl aclname any-of acl1 acl2 ... +# # match any one of the acls [fast or slow] +# # The first matching ACL stops further ACL evaluation. +# # +# # ACLs from multiple any-of lines with the same name are ORed. +# # For example, A = (a1 or a2) or (a3 or a4) can be written as +# # acl A any-of a1 a2 +# # acl A any-of a3 a4 +# # +# # This group ACL is fast if all evaluated ACLs in the group are fast +# # and slow otherwise. +# +# acl aclname all-of acl1 acl2 ... +# # match all of the acls [fast or slow] +# # The first mismatching ACL stops further ACL evaluation. +# # +# # ACLs from multiple all-of lines with the same name are ORed. +# # For example, B = (b1 and b2) or (b3 and b4) can be written as +# # acl B all-of b1 b2 +# # acl B all-of b3 b4 +# # +# # This group ACL is fast if all evaluated ACLs in the group are fast +# # and slow otherwise. # # Examples: # acl macaddress arp 09:00:2b:23:45:67 @@ -685,14 +963,11 @@ # acl javascript rep_mime_type -i ^application/x-javascript$ # #Default: -# acl all src all +# ACLs all, manager, localhost, and to_localhost are predefined. # # # Recommended minimum configuration: -# (now built-in) -#acl manager proto cache_object -#acl localhost src 127.0.0.1/32 ::1 -#acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1 +# # Example rule allowing access from your local networks. # Adapt to list your (internal) IP networks from where browsing @@ -716,39 +991,83 @@ acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT +# TAG: proxy_protocol_access +# Determine which client proxies can be trusted to provide correct +# information regarding real client IP address using PROXY protocol. +# +# Requests may pass through a chain of several other proxies +# before reaching us. The original source details may by sent in: +# * HTTP message Forwarded header, or +# * HTTP message X-Forwarded-For header, or +# * PROXY protocol connection header. +# +# This directive is solely for validating new PROXY protocol +# connections received from a port flagged with require-proxy-header. +# It is checked only once after TCP connection setup. +# +# A deny match results in TCP connection closure. +# +# An allow match is required for Squid to permit the corresponding +# TCP connection, before Squid even looks for HTTP request headers. +# If there is an allow match, Squid starts using PROXY header information +# to determine the source address of the connection for all future ACL +# checks, logging, etc. +# +# SECURITY CONSIDERATIONS: +# +# Any host from which we accept client IP details can place +# incorrect information in the relevant header, and Squid +# will use the incorrect information as if it were the +# source address of the request. This may enable remote +# hosts to bypass any access control restrictions that are +# based on the client's source addresses. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# all TCP connections to ports with require-proxy-header will be denied + # TAG: follow_x_forwarded_for -# Allowing or Denying the X-Forwarded-For header to be followed to -# find the original source of a request. +# Determine which client proxies can be trusted to provide correct +# information regarding real client IP address. # # Requests may pass through a chain of several other proxies -# before reaching us. The X-Forwarded-For header will contain a -# comma-separated list of the IP addresses in the chain, with the -# rightmost address being the most recent. +# before reaching us. The original source details may by sent in: +# * HTTP message Forwarded header, or +# * HTTP message X-Forwarded-For header, or +# * PROXY protocol connection header. +# +# PROXY protocol connections are controlled by the proxy_protocol_access +# directive which is checked before this. # # If a request reaches us from a source that is allowed by this -# configuration item, then we consult the X-Forwarded-For header -# to see where that host received the request from. If the -# X-Forwarded-For header contains multiple addresses, we continue -# backtracking until we reach an address for which we are not allowed -# to follow the X-Forwarded-For header, or until we reach the first -# address in the list. For the purpose of ACL used in the -# follow_x_forwarded_for directive the src ACL type always matches -# the address we are testing and srcdomain matches its rDNS. +# directive, then we trust the information it provides regarding +# the IP of the client it received from (if any). +# +# For the purpose of ACLs used in this directive the src ACL type always +# matches the address we are testing and srcdomain matches its rDNS. +# +# On each HTTP request Squid checks for X-Forwarded-For header fields. +# If found the header values are iterated in reverse order and an allow +# match is required for Squid to continue on to the next value. +# The verification ends when a value receives a deny match, cannot be +# tested, or there are no more values to test. +# NOTE: Squid does not yet follow the Forwarded HTTP header. # # The end result of this process is an IP address that we will # refer to as the indirect client address. This address may # be treated as the client address for access control, ICAP, delay # pools and logging, depending on the acl_uses_indirect_client, -# icap_uses_indirect_client, delay_pool_uses_indirect_client and -# log_uses_indirect_client options. +# icap_uses_indirect_client, delay_pool_uses_indirect_client, +# log_uses_indirect_client and tproxy_uses_indirect_client options. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # # SECURITY CONSIDERATIONS: # -# Any host for which we follow the X-Forwarded-For header -# can place incorrect information in the header, and Squid +# Any host from which we accept client IP details can place +# incorrect information in the relevant header, and Squid # will use the incorrect information as if it were the # source address of the request. This may enable remote # hosts to bypass any access control restrictions that are @@ -761,7 +1080,7 @@ acl CONNECT method CONNECT # follow_x_forwarded_for allow localhost # follow_x_forwarded_for allow my_other_proxy #Default: -# follow_x_forwarded_for deny all +# X-Forwarded-For header will be ignored. # TAG: acl_uses_indirect_client on|off # Controls whether the indirect client address @@ -787,10 +1106,41 @@ acl CONNECT method CONNECT #Default: # log_uses_indirect_client on +# TAG: tproxy_uses_indirect_client on|off +# Controls whether the indirect client address +# (see follow_x_forwarded_for) is used instead of the +# direct client address when spoofing the outgoing client. +# +# This has no effect on requests arriving in non-tproxy +# mode ports. +# +# SECURITY WARNING: Usage of this option is dangerous +# and should not be used trivially. Correct configuration +# of follow_x_forwarded_for with a limited set of trusted +# sources is required to prevent abuse of your proxy. +#Default: +# tproxy_uses_indirect_client off + +# TAG: spoof_client_ip +# Control client IP address spoofing of TPROXY traffic based on +# defined access lists. +# +# spoof_client_ip allow|deny [!]aclname ... +# +# If there are no "spoof_client_ip" lines present, the default +# is to "allow" spoofing of any suitable request. +# +# Note that the cache_peer "no-tproxy" option overrides this ACL. +# +# This clause supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Allow spoofing on all TPROXY traffic. + # TAG: http_access # Allowing or Denying access based on defined access lists # -# Access to the HTTP port: +# To allow or deny a message received on an HTTP, HTTPS, or FTP port: # http_access allow|deny [!]aclname ... # # NOTE on default values: @@ -809,22 +1159,22 @@ acl CONNECT method CONNECT # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # #Default: -# http_access deny all +# Deny, unless rules exist in squid.conf. # # # Recommended minimum Access Permission configuration: # -# Only allow cachemgr access from localhost -http_access allow manager localhost -http_access deny manager - # Deny requests to certain unsafe ports http_access deny !Safe_ports # Deny CONNECT to other than secure SSL ports http_access deny CONNECT !SSL_ports +# Only allow cachemgr access from localhost +http_access allow localhost manager +http_access deny manager + # We strongly recommend the following be uncommented to protect innocent # web applications running on the proxy server who think the only # one who can access services on "localhost" is a local user @@ -852,7 +1202,7 @@ http_access deny all # # If not set then only http_access is used. #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: http_reply_access # Allow replies to client requests. This is complementary to http_access. @@ -860,7 +1210,7 @@ http_access deny all # http_reply_access allow|deny [!] aclname ... # # NOTE: if there are no access lines present, the default is to allow -# all replies +# all replies. # # If none of the access lines cause a match the opposite of the # last line will apply. Thus it is good practice to end the rules @@ -869,7 +1219,7 @@ http_access deny all # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: icp_access # Allowing or Denying access to the ICP port based on defined @@ -877,7 +1227,9 @@ http_access deny all # # icp_access allow|deny [!]aclname ... # -# See http_access for details +# NOTE: The default if no icp_access lines are present is to +# deny all traffic. This default may cause problems with peers +# using ICP. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. @@ -886,7 +1238,7 @@ http_access deny all ##icp_access allow localnet ##icp_access deny all #Default: -# icp_access deny all +# Deny, unless rules exist in squid.conf. # TAG: htcp_access # Allowing or Denying access to the HTCP port based on defined @@ -894,11 +1246,12 @@ http_access deny all # # htcp_access allow|deny [!]aclname ... # -# See http_access for details +# See also htcp_clr_access for details on access control for +# cache purge (CLR) HTCP messages. # # NOTE: The default if no htcp_access lines are present is to # deny all traffic. This default may cause problems with peers -# using the htcp or htcp-oldsquid options. +# using the htcp option. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. @@ -907,48 +1260,47 @@ http_access deny all ##htcp_access allow localnet ##htcp_access deny all #Default: -# htcp_access deny all +# Deny, unless rules exist in squid.conf. # TAG: htcp_clr_access # Allowing or Denying access to purge content using HTCP based -# on defined access lists +# on defined access lists. +# See htcp_access for details on general HTCP access control. # # htcp_clr_access allow|deny [!]aclname ... # -# See http_access for details -# # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # ## Allow HTCP CLR requests from trusted peers -#acl htcp_clr_peer src 172.16.1.2 +#acl htcp_clr_peer src 192.0.2.2 2001:DB8::2 #htcp_clr_access allow htcp_clr_peer +#htcp_clr_access deny all #Default: -# htcp_clr_access deny all +# Deny, unless rules exist in squid.conf. # TAG: miss_access -# Determins whether network access is permitted when satisfying a request. +# Determines whether network access is permitted when satisfying a request. # # For example; # to force your neighbors to use you as a sibling instead of # a parent. # -# acl localclients src 172.16.0.0/16 -# miss_access allow localclients +# acl localclients src 192.0.2.0/24 2001:DB8::a:0/64 # miss_access deny !localclients +# miss_access allow all # # This means only your local clients are allowed to fetch relayed/MISS # replies from the network and all other clients can only fetch cached # objects (HITs). # -# # The default for this setting allows all clients who passed the # http_access rules to relay via this proxy. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# miss_access allow all +# Allow, unless rules exist in squid.conf. # TAG: ident_lookup_access # A list of ACL elements which, if matched, cause an ident @@ -972,7 +1324,7 @@ http_access deny all # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# ident_lookup_access deny all +# Unless rules exist in squid.conf, IDENT is not fetched. # TAG: reply_body_max_size size [acl acl...] # This option specifies the maximum size of a reply body. It can be @@ -1009,23 +1361,22 @@ http_access deny all # reply_body_max_size 10 MB # #Default: -# none +# No limit is applied. # NETWORK OPTIONS # ----------------------------------------------------------------------------- # TAG: http_port -# Usage: port [options] -# hostname:port [options] -# 1.2.3.4:port [options] +# Usage: port [mode] [options] +# hostname:port [mode] [options] +# 1.2.3.4:port [mode] [options] # # The socket addresses where Squid will listen for HTTP client # requests. You may specify multiple socket addresses. # There are three forms: port alone, hostname with port, and # IP address with port. If you specify a hostname or IP # address, Squid binds the socket to that specific -# address. This replaces the old 'tcp_incoming_address' -# option. Most likely, you do not need to bind to a specific +# address. Most likely, you do not need to bind to a specific # address, so you can use the port number alone. # # If you are running Squid in accelerator mode, you @@ -1037,48 +1388,184 @@ http_access deny all # # You may specify multiple socket addresses on multiple lines. # -# Options: +# Modes: # -# intercept Support for IP-Layer interception of -# outgoing requests without browser settings. -# NP: disables authentication and IPv6 on the port. +# intercept Support for IP-Layer NAT interception delivering +# traffic to this Squid port. +# NP: disables authentication on the port. # -# tproxy Support Linux TPROXY for spoofing outgoing -# connections using the client IP address. -# NP: disables authentication and maybe IPv6 on the port. +# tproxy Support Linux TPROXY (or BSD divert-to) with spoofing +# of outgoing connections using the client IP address. +# NP: disables authentication on the port. # -# accel Accelerator mode. Also needs at least one of -# vhost / vport / defaultsite. +# accel Accelerator / reverse proxy mode # -# allow-direct Allow direct forwarding in accelerator mode. Normally -# accelerated requests are denied direct forwarding as if -# never_direct was used. +# ssl-bump For each CONNECT request allowed by ssl_bump ACLs, +# establish secure connection with the client and with +# the server, decrypt HTTPS messages as they pass through +# Squid, and treat them as unencrypted HTTP messages, +# becoming the man-in-the-middle. # -# defaultsite=domainname -# What to use for the Host: header if it is not present -# in a request. Determines what site (not origin server) -# accelerators should consider the default. -# Implies accel. +# The ssl_bump option is required to fully enable +# bumping of CONNECT requests. +# +# Omitting the mode flag causes default forward proxy mode to be used. +# +# +# Accelerator Mode Options: +# +# defaultsite=domainname +# What to use for the Host: header if it is not present +# in a request. Determines what site (not origin server) +# accelerators should consider the default. # -# vhost Accelerator mode using Host header for virtual domain support. -# Also uses the port as specified in Host: header unless -# overridden by the vport option. Implies accel. +# no-vhost Disable using HTTP/1.1 Host header for virtual domain support. +# +# protocol= Protocol to reconstruct accelerated and intercepted +# requests with. Defaults to HTTP/1.1 for http_port and +# HTTPS/1.1 for https_port. +# When an unsupported value is configured Squid will +# produce a FATAL error. +# Values: HTTP or HTTP/1.1, HTTPS or HTTPS/1.1 # # vport Virtual host port support. Using the http_port number -# instead of the port passed on Host: headers. Implies accel. +# instead of the port passed on Host: headers. # # vport=NN Virtual host port support. Using the specified port # number instead of the port passed on Host: headers. -# Implies accel. # -# protocol= Protocol to reconstruct accelerated requests with. -# Defaults to http. +# act-as-origin +# Act as if this Squid is the origin server. +# This currently means generate new Date: and Expires: +# headers on HIT instead of adding Age:. # # ignore-cc Ignore request Cache-Control headers. # -# Warning: This option violates HTTP specifications if +# WARNING: This option violates HTTP specifications if # used in non-accelerator setups. # +# allow-direct Allow direct forwarding in accelerator mode. Normally +# accelerated requests are denied direct forwarding as if +# never_direct was used. +# +# WARNING: this option opens accelerator mode to security +# vulnerabilities usually only affecting in interception +# mode. Make sure to protect forwarding with suitable +# http_access rules when using this. +# +# +# SSL Bump Mode Options: +# In addition to these options ssl-bump requires TLS/SSL options. +# +# generate-host-certificates[=] +# Dynamically create SSL server certificates for the +# destination hosts of bumped CONNECT requests.When +# enabled, the cert and key options are used to sign +# generated certificates. Otherwise generated +# certificate will be selfsigned. +# If there is a CA certificate lifetime of the generated +# certificate equals lifetime of the CA certificate. If +# generated certificate is selfsigned lifetime is three +# years. +# This option is disabled by default. See the ssl-bump +# option above for more information. +# +# dynamic_cert_mem_cache_size=SIZE +# Approximate total RAM size spent on cached generated +# certificates. If set to zero, caching is disabled. +# +# TLS / SSL Options: +# +# cert= Path to SSL certificate (PEM format). +# +# key= Path to SSL private key file (PEM format) +# if not specified, the certificate file is +# assumed to be a combined certificate and +# key file. +# +# version= The version of SSL/TLS supported +# 1 automatic (default) +# 2 SSLv2 only +# 3 SSLv3 only +# 4 TLSv1.0 only +# 5 TLSv1.1 only +# 6 TLSv1.2 only +# +# cipher= Colon separated list of supported ciphers. +# NOTE: some ciphers such as EDH ciphers depend on +# additional settings. If those settings are +# omitted the ciphers may be silently ignored +# by the OpenSSL library. +# +# options= Various SSL implementation options. The most important +# being: +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# SINGLE_DH_USE Always create a new key when using +# temporary/ephemeral DH key exchanges +# NO_TICKET Disables TLS tickets extension +# +# SINGLE_ECDH_USE +# Enable ephemeral ECDH key exchange. +# The adopted curve should be specified +# using the tls-dh option. +# +# ALL Enable various bug workarounds +# suggested as "harmless" by OpenSSL +# Be warned that this reduces SSL/TLS +# strength to some attacks. +# See OpenSSL SSL_CTX_set_options documentation for a +# complete list of options. +# +# clientca= File containing the list of CAs to use when +# requesting a client certificate. +# +# cafile= File containing additional CA certificates to +# use when verifying client certificates. If unset +# clientca will be used. +# +# capath= Directory containing additional CA certificates +# and CRL lists to use when verifying client certificates. +# +# crlfile= File of additional CRL lists to use when verifying +# the client certificate, in addition to CRLs stored in +# the capath. Implies VERIFY_CRL flag below. +# +# tls-dh=[curve:]file +# File containing DH parameters for temporary/ephemeral DH key +# exchanges, optionally prefixed by a curve for ephemeral ECDH +# key exchanges. +# See OpenSSL documentation for details on how to create the +# DH parameter file. Supported curves for ECDH can be listed +# using the "openssl ecparam -list_curves" command. +# WARNING: EDH and EECDH ciphers will be silently disabled if +# this option is not set. +# +# sslflags= Various flags modifying the use of SSL: +# DELAYED_AUTH +# Don't request client certificates +# immediately, but wait until acl processing +# requires a certificate (not yet implemented). +# NO_DEFAULT_CA +# Don't use the default CA lists built in +# to OpenSSL. +# NO_SESSION_REUSE +# Don't allow for session reuse. Each connection +# will result in a new SSL session. +# VERIFY_CRL +# Verify CRL lists when accepting client +# certificates. +# VERIFY_CRL_ALL +# Verify CRL lists for all certificates in the +# client certificate chain. +# +# sslcontext= SSL session ID context identifier. +# +# Other Options: +# # connection-auth[=on|off] # use connection-auth=off to tell Squid to prevent # forwarding Microsoft connection oriented authentication @@ -1100,22 +1587,6 @@ http_access deny all # sporadically hang or never complete requests set # disable-pmtu-discovery option to 'transparent'. # -# ssl-bump Intercept each CONNECT request matching ssl_bump ACL, -# establish secure connection with the client and with -# the server, decrypt HTTP messages as they pass through -# Squid, and treat them as unencrypted HTTP messages, -# becoming the man-in-the-middle. -# -# When this option is enabled, additional options become -# available to specify SSL-related properties of the -# client-side connection: cert, key, version, cipher, -# options, clientca, cafile, capath, crlfile, dhparams, -# sslflags, and sslcontext. See the https_port directive -# for more information on these options. -# -# The ssl_bump option is required to fully enable -# the SslBump feature. -# # name= Specifies a internal name for the port. Defaults to # the port specification (port or addr:port) # @@ -1125,6 +1596,11 @@ http_access deny all # probing the connection, interval how often to probe, and # timeout the time before giving up. # +# require-proxy-header +# Require PROXY protocol version 1 or 2 connections. +# The proxy_protocol_access is required to whitelist +# downstream proxies which can be trusted. +# # If you run Squid on a dual-homed machine with an internal # and an external interface we recommend you to specify the # internal address:port in http_port. This way Squid will only be @@ -1137,35 +1613,49 @@ http_port 3128 # TAG: https_port # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # -# Usage: [ip:]port cert=certificate.pem [key=key.pem] [options...] +# Usage: [ip:]port cert=certificate.pem [key=key.pem] [mode] [options...] # -# The socket address where Squid will listen for HTTPS client -# requests. +# The socket address where Squid will listen for client requests made +# over TLS or SSL connections. Commonly referred to as HTTPS. # -# This is really only useful for situations where you are running -# squid in accelerator mode and you want to do the SSL work at the -# accelerator level. +# This is most useful for situations where you are running squid in +# accelerator mode and you want to do the SSL work at the accelerator level. # # You may specify multiple socket addresses on multiple lines, # each with their own SSL certificate and/or options. # -# Options: +# Modes: +# +# accel Accelerator / reverse proxy mode +# +# intercept Support for IP-Layer interception of +# outgoing requests without browser settings. +# NP: disables authentication and IPv6 on the port. +# +# tproxy Support Linux TPROXY for spoofing outgoing +# connections using the client IP address. +# NP: disables authentication and maybe IPv6 on the port. +# +# ssl-bump For each intercepted connection allowed by ssl_bump +# ACLs, establish a secure connection with the client and with +# the server, decrypt HTTPS messages as they pass through +# Squid, and treat them as unencrypted HTTP messages, +# becoming the man-in-the-middle. +# +# An "ssl_bump server-first" match is required to +# fully enable bumping of intercepted SSL connections. +# +# Requires tproxy or intercept. # -# accel Accelerator mode. Also needs at least one of -# defaultsite or vhost. +# Omitting the mode flag causes default forward proxy mode to be used. # -# defaultsite= The name of the https site presented on -# this port. Implies accel. # -# vhost Accelerator mode using Host header for virtual -# domain support. Requires a wildcard certificate -# or other certificate valid for more than one domain. -# Implies accel. +# See http_port for a list of generic options # -# protocol= Protocol to reconstruct accelerated requests with. -# Defaults to https. +# +# SSL Options: # # cert= Path to SSL certificate (PEM format). # @@ -1181,20 +1671,23 @@ http_port 3128 # 4 TLSv1 only # # cipher= Colon separated list of supported ciphers. -# NOTE: some ciphers such as EDH ciphers depend on -# additional settings. If those settings are -# omitted the ciphers may be silently ignored -# by the OpenSSL library. # # options= Various SSL engine options. The most important # being: # NO_SSLv2 Disallow the use of SSLv2 # NO_SSLv3 Disallow the use of SSLv3 # NO_TLSv1 Disallow the use of TLSv1 +# # SINGLE_DH_USE Always create a new key when using # temporary/ephemeral DH key exchanges -# See OpenSSL SSL_CTX_set_options documentation for a -# complete list of options. +# +# SINGLE_ECDH_USE +# Enable ephemeral ECDH key exchange. +# The adopted curve should be specified +# using the tls-dh option. +# +# See src/ssl_support.c or OpenSSL SSL_CTX_set_options +# documentation for a complete list of options. # # clientca= File containing the list of CAs to use when # requesting a client certificate. @@ -1210,11 +1703,10 @@ http_port 3128 # the client certificate, in addition to CRLs stored in # the capath. Implies VERIFY_CRL flag below. # -# dhparams= File containing DH parameters for temporary/ephemeral -# DH key exchanges. See OpenSSL documentation for details -# on how to create this file. -# WARNING: EDH ciphers will be silently disabled if this -# option is not set. +# tls-dh=[curve:]file +# File containing DH parameters for temporary/ephemeral DH key +# exchanges, optionally prefixed by a curve for ephemeral ECDH +# key exchanges. # # sslflags= Various flags modifying the use of SSL: # DELAYED_AUTH @@ -1238,38 +1730,89 @@ http_port 3128 # # generate-host-certificates[=] # Dynamically create SSL server certificates for the -# destination hosts of bumped CONNECT requests.When +# destination hosts of bumped SSL requests.When # enabled, the cert and key options are used to sign # generated certificates. Otherwise generated # certificate will be selfsigned. -# If there is CA certificate life time of generated +# If there is CA certificate life time of generated # certificate equals lifetime of CA certificate. If -# generated certificate is selfsigned lifetime is three +# generated certificate is selfsigned lifetime is three # years. -# This option is enabled by default when SslBump is used. -# See the sslBump option above for more information. -# +# This option is disabled by default. See the ssl-bump +# option above for more information. +# # dynamic_cert_mem_cache_size=SIZE # Approximate total RAM size spent on cached generated -# certificates. If set to zero, caching is disabled. The -# default value is 4MB. An average XXX-bit certificate -# consumes about XXX bytes of RAM. +# certificates. If set to zero, caching is disabled. # -# vport Accelerator with IP based virtual host support. +# See http_port for a list of available options. +#Default: +# none + +# TAG: ftp_port +# Enables Native FTP proxy by specifying the socket address where Squid +# listens for FTP client requests. See http_port directive for various +# ways to specify the listening address and mode. # -# vport=NN As above, but uses specified port number rather -# than the https_port number. Implies accel. +# Usage: ftp_port address [mode] [options] # -# name= Specifies a internal name for the port. Defaults to -# the port specification (port or addr:port) +# WARNING: This is a new, experimental, complex feature that has seen +# limited production exposure. Some Squid modules (e.g., caching) do not +# currently work with native FTP proxying, and many features have not +# even been tested for compatibility. Test well before deploying! +# +# Native FTP proxying differs substantially from proxying HTTP requests +# with ftp:// URIs because Squid works as an FTP server and receives +# actual FTP commands (rather than HTTP requests with FTP URLs). # +# Native FTP commands accepted at ftp_port are internally converted or +# wrapped into HTTP-like messages. The same happens to Native FTP +# responses received from FTP origin servers. Those HTTP-like messages +# are shoveled through regular access control and adaptation layers +# between the FTP client and the FTP origin server. This allows Squid to +# examine, adapt, block, and log FTP exchanges. Squid reuses most HTTP +# mechanisms when shoveling wrapped FTP messages. For example, +# http_access and adaptation_access directives are used. +# +# Modes: +# +# intercept Same as http_port intercept. The FTP origin address is +# determined based on the intended destination of the +# intercepted connection. +# +# tproxy Support Linux TPROXY for spoofing outgoing +# connections using the client IP address. +# NP: disables authentication and maybe IPv6 on the port. +# +# By default (i.e., without an explicit mode option), Squid extracts the +# FTP origin address from the login@origin parameter of the FTP USER +# command. Many popular FTP clients support such native FTP proxying. +# +# Options: +# +# name=token Specifies an internal name for the port. Defaults to +# the port address. Usable with myportname ACL. +# +# ftp-track-dirs +# Enables tracking of FTP directories by injecting extra +# PWD commands and adjusting Request-URI (in wrapping +# HTTP requests) to reflect the current FTP server +# directory. Tracking is disabled by default. +# +# protocol=FTP Protocol to reconstruct accelerated and intercepted +# requests with. Defaults to FTP. No other accepted +# values have been tested with. An unsupported value +# results in a FATAL error. Accepted values are FTP, +# HTTP (or HTTP/1.1), and HTTPS (or HTTPS/1.1). +# +# Other http_port modes and options that are not specific to HTTP and +# HTTPS may also work. #Default: # none # TAG: tcp_outgoing_tos -# Allows you to select a TOS/Diffserv value to mark outgoing -# connections with, based on the username or source address -# making the request. +# Allows you to select a TOS/Diffserv value for packets outgoing +# on the server side, based on an ACL. # # tcp_outgoing_tos ds-field [!]aclname ... # @@ -1286,41 +1829,116 @@ http_port 3128 # RFC2475, and RFC3260. # # The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or -# "default" to use whatever default your host has. Note that in -# practice often only multiples of 4 is usable as the two rightmost bits -# have been redefined for use by ECN (RFC 3168 section 23.1). +# "default" to use whatever default your host has. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. # # Processing proceeds in the order specified, and stops at first fully # matching line. # -# Note: The use of this directive using client dependent ACLs is -# incompatible with the use of server side persistent connections. To -# ensure correct results it is best to set server_persistent_connections -# to off when using this directive in such configurations. +# Only fast ACLs are supported. #Default: # none # TAG: clientside_tos -# Allows you to select a TOS/Diffserv value to mark client-side -# connections with, based on the username or source address -# making the request. +# Allows you to select a TOS/DSCP value for packets being transmitted +# on the client-side, based on an ACL. +# +# clientside_tos ds-field [!]aclname ... +# +# Example where normal_service_net uses the TOS value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# clientside_tos 0x00 normal_service_net +# clientside_tos 0x20 good_service_net +# +# Note: This feature is incompatible with qos_flows. Any TOS values set here +# will be overwritten by TOS values in qos_flows. +# +# The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or +# "default" to use whatever default your host has. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. +# +#Default: +# none + +# TAG: tcp_outgoing_mark +# Note: This option is only available if Squid is rebuilt with the +# Packet MARK (Linux) +# +# Allows you to apply a Netfilter mark value to outgoing packets +# on the server side, based on an ACL. +# +# tcp_outgoing_mark mark-value [!]aclname ... +# +# Example where normal_service_net uses the mark value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# tcp_outgoing_mark 0x00 normal_service_net +# tcp_outgoing_mark 0x20 good_service_net +# +# Only fast ACLs are supported. +#Default: +# none + +# TAG: clientside_mark +# Note: This option is only available if Squid is rebuilt with the +# Packet MARK (Linux) +# +# Allows you to apply a Netfilter mark value to packets being transmitted +# on the client-side, based on an ACL. +# +# clientside_mark mark-value [!]aclname ... +# +# Example where normal_service_net uses the mark value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# clientside_mark 0x00 normal_service_net +# clientside_mark 0x20 good_service_net +# +# Note: This feature is incompatible with qos_flows. Any mark values set here +# will be overwritten by mark values in qos_flows. #Default: # none # TAG: qos_flows # Allows you to select a TOS/DSCP value to mark outgoing -# connections with, based on where the reply was sourced. +# connections to the client, based on where the reply was sourced. +# For platforms using netfilter, allows you to set a netfilter mark +# value instead of, or in addition to, a TOS value. +# +# By default this functionality is disabled. To enable it with the default +# settings simply use "qos_flows mark" or "qos_flows tos". Default +# settings will result in the netfilter mark or TOS value being copied +# from the upstream connection to the client. Note that it is the connection +# CONNMARK value not the packet MARK value that is copied. +# +# It is not currently possible to copy the mark or TOS value from the +# client to the upstream connection request. # # TOS values really only have local significance - so you should # know what you're specifying. For more information, see RFC2474, # RFC2475, and RFC3260. # -# The TOS/DSCP byte must be exactly that - octet value 0x00-0xFF. -# Note that in practice often only values up to 0x3F are usable -# as the two highest bits have been redefined for use by ECN -# (RFC3168). +# The TOS/DSCP byte must be exactly that - a octet value 0 - 255. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. +# +# Mark values can be any unsigned 32-bit integer value. # -# This setting is configured by setting the source TOS values: +# This setting is configured by setting the following values: +# +# tos|mark Whether to set TOS or netfilter mark values # # local-hit=0xFF Value to mark local cache hits. # @@ -1328,23 +1946,37 @@ http_port 3128 # # parent-hit=0xFF Value to mark hits from parent peers. # +# miss=0xFF[/mask] Value to mark cache misses. Takes precedence +# over the preserve-miss feature (see below), unless +# mask is specified, in which case only the bits +# specified in the mask are written. # -# NOTE: 'miss' preserve feature is only possible on Linux at this time. -# -# For the following to work correctly, you will need to patch your -# linux kernel with the TOS preserving ZPH patch. -# The kernel patch can be downloaded from http://zph.bratcheda.org +# The TOS variant of the following features are only possible on Linux +# and require your kernel to be patched with the TOS preserving ZPH +# patch, available from http://zph.bratcheda.org +# No patch is needed to preserve the netfilter mark, which will work +# with all variants of netfilter. # # disable-preserve-miss -# By default, the existing TOS value of the response coming -# from the remote server will be retained and masked with -# miss-mark. This option disables that feature. +# This option disables the preservation of the TOS or netfilter +# mark. By default, the existing TOS or netfilter mark value of +# the response coming from the remote server will be retained +# and masked with miss-mark. +# NOTE: in the case of a netfilter mark, the mark must be set on +# the connection (using the CONNMARK target) not on the packet +# (MARK target). # # miss-mask=0xFF -# Allows you to mask certain bits in the TOS received from the -# remote server, before copying the value to the TOS sent -# towards clients. -# Default: 0xFF (TOS from server is not changed). +# Allows you to mask certain bits in the TOS or mark value +# received from the remote server, before copying the value to +# the TOS sent towards clients. +# Default for tos: 0xFF (TOS from server is not changed). +# Default for mark: 0xFFFFFFFF (mark from server is not changed). +# +# All of these features require the --enable-zph-qos compilation flag +# (enabled by default). Netfilter marking also requires the +# libnetfilter_conntrack libraries (--with-netfilter-conntrack) and +# libcap 2.09+ (--with-libcap). # #Default: # none @@ -1356,72 +1988,133 @@ http_port 3128 # # tcp_outgoing_address ipaddr [[!]aclname] ... # -# Example where requests from 10.0.0.0/24 will be forwarded -# with source address 10.1.0.1, 10.0.2.0/24 forwarded with -# source address 10.1.0.2 and the rest will be forwarded with -# source address 10.1.0.3. -# -# acl normal_service_net src 10.0.0.0/24 -# acl good_service_net src 10.0.2.0/24 -# tcp_outgoing_address 10.1.0.1 normal_service_net -# tcp_outgoing_address 10.1.0.2 good_service_net -# tcp_outgoing_address 10.1.0.3 -# -# Processing proceeds in the order specified, and stops at first fully -# matching line. -# -# Note: The use of this directive using client dependent ACLs is -# incompatible with the use of server side persistent connections. To -# ensure correct results it is best to set server_persistent_connections -# to off when using this directive in such configurations. -# +# For example; +# Forwarding clients with dedicated IPs for certain subnets. # -# IPv6 Magic: +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.2.0/24 # -# Squid is built with a capability of bridging the IPv4 and IPv6 -# internets. -# tcp_outgoing_address as exampled above breaks this bridging by forcing -# all outbound traffic through a certain IPv4 which may be on the wrong -# side of the IPv4/IPv6 boundary. +# tcp_outgoing_address 2001:db8::c001 good_service_net +# tcp_outgoing_address 10.1.0.2 good_service_net # -# To operate with tcp_outgoing_address and keep the bridging benefits -# an additional ACL needs to be used which ensures the IPv6-bound traffic -# is never forced or permitted out the IPv4 interface. +# tcp_outgoing_address 2001:db8::beef normal_service_net +# tcp_outgoing_address 10.1.0.1 normal_service_net # -# # IPv6 destination test along with a dummy access control to perform the required DNS -# # This MUST be place before any ALLOW rules. -# acl to_ipv6 dst ipv6 -# http_access deny ipv6 !all +# tcp_outgoing_address 2001:db8::1 +# tcp_outgoing_address 10.1.0.3 # -# tcp_outgoing_address 2001:db8::c001 good_service_net to_ipv6 -# tcp_outgoing_address 10.1.0.2 good_service_net !to_ipv6 +# Processing proceeds in the order specified, and stops at first fully +# matching line. # -# tcp_outgoing_address 2001:db8::beef normal_service_net to_ipv6 -# tcp_outgoing_address 10.1.0.1 normal_service_net !to_ipv6 +# Squid will add an implicit IP version test to each line. +# Requests going to IPv4 websites will use the outgoing 10.1.0.* addresses. +# Requests going to IPv6 websites will use the outgoing 2001:db8:* addresses. # -# tcp_outgoing_address 2001:db8::1 to_ipv6 -# tcp_outgoing_address 10.1.0.3 !to_ipv6 # -# WARNING: -# 'dst ipv6' bases its selection assuming DIRECT access. -# If peers are used the peername ACL are needed to select outgoing -# address which can link to the peer. +# NOTE: The use of this directive using client dependent ACLs is +# incompatible with the use of server side persistent connections. To +# ensure correct results it is best to set server_persistent_connections +# to off when using this directive in such configurations. # -# 'dst ipv6' is a slow ACL. It will only work here if 'dst' is used -# previously in the http_access rules to locate the destination IP. -# Some more magic may be needed for that: -# http_access allow to_ipv6 !all -# (meaning, allow if to IPv6 but not from anywhere ;) +# NOTE: The use of this directive to set a local IP on outgoing TCP links +# is incompatible with using TPROXY to set client IP out outbound TCP links. +# When needing to contact peers use the no-tproxy cache_peer option and the +# client_dst_passthru directive re-enable normal forwarding such as this. # #Default: -# none +# Address selection is performed by the operating system. + +# TAG: host_verify_strict +# Regardless of this option setting, when dealing with intercepted +# traffic, Squid always verifies that the destination IP address matches +# the Host header domain or IP (called 'authority form URL'). +# +# This enforcement is performed to satisfy a MUST-level requirement in +# RFC 2616 section 14.23: "The Host field value MUST represent the naming +# authority of the origin server or gateway given by the original URL". +# +# When set to ON: +# Squid always responds with an HTTP 409 (Conflict) error +# page and logs a security warning if there is no match. +# +# Squid verifies that the destination IP address matches +# the Host header for forward-proxy and reverse-proxy traffic +# as well. For those traffic types, Squid also enables the +# following checks, comparing the corresponding Host header +# and Request-URI components: +# +# * The host names (domain or IP) must be identical, +# but valueless or missing Host header disables all checks. +# For the two host names to match, both must be either IP +# or FQDN. +# +# * Port numbers must be identical, but if a port is missing +# the scheme-default port is assumed. +# +# +# When set to OFF (the default): +# Squid allows suspicious requests to continue but logs a +# security warning and blocks caching of the response. +# +# * Forward-proxy traffic is not checked at all. +# +# * Reverse-proxy traffic is not checked at all. +# +# * Intercepted traffic which passes verification is handled +# according to client_dst_passthru. +# +# * Intercepted requests which fail verification are sent +# to the client original destination instead of DIRECT. +# This overrides 'client_dst_passthru off'. +# +# For now suspicious intercepted CONNECT requests are always +# responded to with an HTTP 409 (Conflict) error page. +# +# +# SECURITY NOTE: +# +# As described in CVE-2009-0801 when the Host: header alone is used +# to determine the destination of a request it becomes trivial for +# malicious scripts on remote websites to bypass browser same-origin +# security policy and sandboxing protections. +# +# The cause of this is that such applets are allowed to perform their +# own HTTP stack, in which case the same-origin policy of the browser +# sandbox only verifies that the applet tries to contact the same IP +# as from where it was loaded at the IP level. The Host: header may +# be different from the connected IP and approved origin. +# +#Default: +# host_verify_strict off + +# TAG: client_dst_passthru +# With NAT or TPROXY intercepted traffic Squid may pass the request +# directly to the original client destination IP or seek a faster +# source using the HTTP Host header. +# +# Using Host to locate alternative servers can provide faster +# connectivity with a range of failure recovery options. +# But can also lead to connectivity trouble when the client and +# server are attempting stateful interactions unaware of the proxy. +# +# This option (on by default) prevents alternative DNS entries being +# located to send intercepted traffic DIRECT to an origin server. +# The clients original destination IP and port will be used instead. +# +# Regardless of this option setting, when dealing with intercepted +# traffic Squid will verify the Host: header and any traffic which +# fails Host verification will be treated as if this option were ON. +# +# see host_verify_strict for details on the verification process. +#Default: +# client_dst_passthru on # SSL OPTIONS # ----------------------------------------------------------------------------- # TAG: ssl_unclean_shutdown # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Some browsers (especially MSIE) bugs out on SSL shutdown # messages. @@ -1430,7 +2123,7 @@ http_port 3128 # TAG: ssl_engine # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # The OpenSSL engine to use. You will need to set this if you # would like to use hardware SSL acceleration for example. @@ -1439,7 +2132,7 @@ http_port 3128 # TAG: sslproxy_client_certificate # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Client SSL Certificate to use when proxying https:// URLs #Default: @@ -1447,7 +2140,7 @@ http_port 3128 # TAG: sslproxy_client_key # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Client SSL Key to use when proxying https:// URLs #Default: @@ -1455,36 +2148,60 @@ http_port 3128 # TAG: sslproxy_version # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # SSL version level to use when proxying https:// URLs +# +# The versions of SSL/TLS supported: +# +# 1 automatic (default) +# 2 SSLv2 only +# 3 SSLv3 only +# 4 TLSv1.0 only +# 5 TLSv1.1 only +# 6 TLSv1.2 only #Default: -# sslproxy_version 1 +# automatic SSL/TLS version negotiation # TAG: sslproxy_options # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # -# SSL engine options to use when proxying https:// URLs +# Colon (:) or comma (,) separated list of SSL implementation options +# to use when proxying https:// URLs # # The most important being: # -# NO_SSLv2 Disallow the use of SSLv2 -# NO_SSLv3 Disallow the use of SSLv3 -# NO_TLSv1 Disallow the use of TLSv1 -# SINGLE_DH_USE -# Always create a new key when using -# temporary/ephemeral DH key exchanges +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# +# SINGLE_DH_USE +# Always create a new key when using temporary/ephemeral +# DH key exchanges +# +# NO_TICKET +# Disable use of RFC5077 session tickets. Some servers +# may have problems understanding the TLS extension due +# to ambiguous specification in RFC4507. +# +# ALL Enable various bug workarounds suggested as "harmless" +# by OpenSSL. Be warned that this may reduce SSL/TLS +# strength to some attacks. # -# These options vary depending on your SSL engine. # See the OpenSSL SSL_CTX_set_options documentation for a # complete list of possible options. +# +# WARNING: This directive takes a single token. If a space is used +# the value(s) after that space are SILENTLY IGNORED. #Default: # none # TAG: sslproxy_cipher # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # SSL cipher list to use when proxying https:// URLs # @@ -1494,7 +2211,7 @@ http_port 3128 # TAG: sslproxy_cafile # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # file containing CA certificates to use when verifying server # certificates while proxying https:// URLs @@ -1503,45 +2220,151 @@ http_port 3128 # TAG: sslproxy_capath # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # directory containing CA certificates to use when verifying # server certificates while proxying https:// URLs #Default: # none -# TAG: ssl_bump +# TAG: sslproxy_session_ttl +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the timeout value for SSL sessions +#Default: +# sslproxy_session_ttl 300 + +# TAG: sslproxy_session_cache_size +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the cache size to use for ssl session +#Default: +# sslproxy_session_cache_size 2 MB + +# TAG: sslproxy_foreign_intermediate_certs # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # -# This ACL controls which CONNECT requests to an http_port -# marked with an sslBump flag are actually "bumped". Please -# see the sslBump flag of an http_port option for more details -# about decoding proxied SSL connections. +# Many origin servers fail to send their full server certificate +# chain for verification, assuming the client already has or can +# easily locate any missing intermediate certificates. # -# By default, no requests are bumped. +# Squid uses the certificates from the specified file to fill in +# these missing chains when trying to validate origin server +# certificate chains. +# +# The file is expected to contain zero or more PEM-encoded +# intermediate certificates. These certificates are not treated +# as trusted root certificates, and any self-signed certificate in +# this file will be ignored. +#Default: +# none + +# TAG: sslproxy_cert_sign_hash +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the hashing algorithm to use when signing generated certificates. +# Valid algorithm names depend on the OpenSSL library used. The following +# names are usually available: sha1, sha256, sha512, and md5. Please see +# your OpenSSL library manual for the available hashes. By default, Squids +# that support this option use sha256 hashes. +# +# Squid does not forcefully purge cached certificates that were generated +# with an algorithm other than the currently configured one. They remain +# in the cache, subject to the regular cache eviction policy, and become +# useful if the algorithm changes again. +#Default: +# none + +# TAG: ssl_bump +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# This option is consulted when a CONNECT request is received on +# an http_port (or a new connection is intercepted at an +# https_port), provided that port was configured with an ssl-bump +# flag. The subsequent data on the connection is either treated as +# HTTPS and decrypted OR tunneled at TCP level without decryption, +# depending on the first matching bumping "action". +# +# ssl_bump [!]acl ... +# +# The following bumping actions are currently supported: +# +# splice +# Become a TCP tunnel without decrypting proxied traffic. +# This is the default action. +# +# bump +# Establish a secure connection with the server and, using a +# mimicked server certificate, with the client. +# +# peek +# Receive client (step SslBump1) or server (step SslBump2) +# certificate while preserving the possibility of splicing the +# connection. Peeking at the server certificate (during step 2) +# usually precludes bumping of the connection at step 3. +# +# stare +# Receive client (step SslBump1) or server (step SslBump2) +# certificate while preserving the possibility of bumping the +# connection. Staring at the server certificate (during step 2) +# usually precludes splicing of the connection at step 3. +# +# terminate +# Close client and server connections. +# +# Backward compatibility actions available at step SslBump1: +# +# client-first +# Bump the connection. Establish a secure connection with the +# client first, then connect to the server. This old mode does +# not allow Squid to mimic server SSL certificate and does not +# work with intercepted SSL connections. +# +# server-first +# Bump the connection. Establish a secure connection with the +# server first, then establish a secure connection with the +# client, using a mimicked server certificate. Works with both +# CONNECT requests and intercepted SSL connections, but does +# not allow to make decisions based on SSL handshake info. +# +# peek-and-splice +# Decide whether to bump or splice the connection based on +# client-to-squid and server-to-squid SSL hello messages. +# XXX: Remove. +# +# none +# Same as the "splice" action. +# +# All ssl_bump rules are evaluated at each of the supported bumping +# steps. Rules with actions that are impossible at the current step are +# ignored. The first matching ssl_bump action wins and is applied at the +# end of the current step. If no rules match, the splice action is used. +# See the at_step ACL for a list of the supported SslBump steps. # -# See also: http_port ssl-bump -# # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # +# See also: http_port ssl-bump, https_port ssl-bump, and acl at_step. +# # -# # Example: Bump all requests except those originating from localhost and -# # those going to webax.com or example.com sites. +# # Example: Bump all TLS connections except those originating from +# # localhost or those going to example.com. # -# acl localhost src 127.0.0.1/32 -# acl broken_sites dstdomain .webax.com -# acl broken_sites dstdomain .example.com -# ssl_bump deny localhost -# ssl_bump deny broken_sites -# ssl_bump allow all +# acl broken_sites ssl::server_name .example.com +# ssl_bump splice localhost +# ssl_bump splice broken_sites +# ssl_bump bump all #Default: -# none +# Become a TCP tunnel without decrypting proxied traffic. # TAG: sslproxy_flags # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Various flags modifying the use of SSL while proxying https:// URLs: # DONT_VERIFY_PEER Accept certificates that fail verification. @@ -1553,16 +2376,16 @@ http_port 3128 # TAG: sslproxy_cert_error # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Use this ACL to bypass server certificate validation errors. # # For example, the following lines will bypass all validation errors -# when talking to servers located at 172.16.0.0/16. All other +# when talking to servers for example.com. All other # validation errors will result in ERR_SECURE_CONNECT_FAIL error. # -# acl BrokenServersAtTrustedIP dst 172.16.0.0/16 -# sslproxy_cert_error allow BrokenServersAtTrustedIP +# acl BrokenButTrustedServers dstdomain example.com +# sslproxy_cert_error allow BrokenButTrustedServers # sslproxy_cert_error deny all # # This clause only supports fast acl types. @@ -1570,19 +2393,107 @@ http_port 3128 # Using slow acl types may result in server crashes # # Without this option, all server certificate validation errors -# terminate the transaction. Bypassing validation errors is dangerous -# because an error usually implies that the server cannot be trusted and -# the connection may be insecure. +# terminate the transaction to protect Squid and the client. +# +# SQUID_X509_V_ERR_INFINITE_VALIDATION error cannot be bypassed +# but should not happen unless your OpenSSL library is buggy. +# +# SECURITY WARNING: +# Bypassing validation errors is dangerous because an +# error usually implies that the server cannot be trusted +# and the connection may be insecure. # # See also: sslproxy_flags and DONT_VERIFY_PEER. +#Default: +# Server certificate errors terminate the transaction. + +# TAG: sslproxy_cert_sign +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# # -# Default setting: sslproxy_cert_error deny all +# sslproxy_cert_sign acl ... +# +# The following certificate signing algorithms are supported: +# +# signTrusted +# Sign using the configured CA certificate which is usually +# placed in and trusted by end-user browsers. This is the +# default for trusted origin server certificates. +# +# signUntrusted +# Sign to guarantee an X509_V_ERR_CERT_UNTRUSTED browser error. +# This is the default for untrusted origin server certificates +# that are not self-signed (see ssl::certUntrusted). +# +# signSelf +# Sign using a self-signed certificate with the right CN to +# generate a X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT error in the +# browser. This is the default for self-signed origin server +# certificates (see ssl::certSelfSigned). +# +# This clause only supports fast acl types. +# +# When sslproxy_cert_sign acl(s) match, Squid uses the corresponding +# signing algorithm to generate the certificate and ignores all +# subsequent sslproxy_cert_sign options (the first match wins). If no +# acl(s) match, the default signing algorithm is determined by errors +# detected when obtaining and validating the origin server certificate. +# +# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can +# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a +# CONNECT request that carries a domain name. In all other cases (CONNECT +# to an IP address or an intercepted SSL connection), Squid cannot detect +# the domain mismatch at certificate generation time when +# bump-server-first is used. +#Default: +# none + +# TAG: sslproxy_cert_adapt +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# +# sslproxy_cert_adapt acl ... +# +# The following certificate adaptation algorithms are supported: +# +# setValidAfter +# Sets the "Not After" property to the "Not After" property of +# the CA certificate used to sign generated certificates. +# +# setValidBefore +# Sets the "Not Before" property to the "Not Before" property of +# the CA certificate used to sign generated certificates. +# +# setCommonName or setCommonName{CN} +# Sets Subject.CN property to the host name specified as a +# CN parameter or, if no explicit CN parameter was specified, +# extracted from the CONNECT request. It is a misconfiguration +# to use setCommonName without an explicit parameter for +# intercepted or tproxied SSL connections. +# +# This clause only supports fast acl types. +# +# Squid first groups sslproxy_cert_adapt options by adaptation algorithm. +# Within a group, when sslproxy_cert_adapt acl(s) match, Squid uses the +# corresponding adaptation algorithm to generate the certificate and +# ignores all subsequent sslproxy_cert_adapt options in that algorithm's +# group (i.e., the first match wins within each algorithm group). If no +# acl(s) match, the default mimicking action takes place. +# +# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can +# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a +# CONNECT request that carries a domain name. In all other cases (CONNECT +# to an IP address or an intercepted SSL connection), Squid cannot detect +# the domain mismatch at certificate generation time when +# bump-server-first is used. #Default: # none # TAG: sslpassword_program # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Specify a program used for entering SSL key passphrases # when using encrypted SSL certificate keys. If not specified @@ -1595,12 +2506,12 @@ http_port 3128 #Default: # none -#OPTIONS RELATING TO EXTERNAL SSL_CRTD -#----------------------------------------------------------------------------- +# OPTIONS RELATING TO EXTERNAL SSL_CRTD +# ----------------------------------------------------------------------------- # TAG: sslcrtd_program # Note: This option is only available if Squid is rebuilt with the -# -DUSE_SSL_CRTD define +# --enable-ssl-crtd # # Specify the location and options of the executable for ssl_crtd process. # /usr/lib/squid/ssl_crtd program requires -s and -M parameters @@ -1611,14 +2522,90 @@ http_port 3128 # TAG: sslcrtd_children # Note: This option is only available if Squid is rebuilt with the -# -DUSE_SSL_CRTD define +# --enable-ssl-crtd # # The maximum number of processes spawn to service ssl server. # The maximum this may be safely set to is 32. # +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup=N +# +# Sets the minimum number of processes to spawn when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few children temporary slows Squid under load while it +# tries to spawn enough additional processes to cope with traffic. +# +# idle=N +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# # You must have at least one ssl_crtd process. #Default: -# sslcrtd_children 5 +# sslcrtd_children 32 startup=5 idle=1 + +# TAG: sslcrtvalidator_program +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Specify the location and options of the executable for ssl_crt_validator +# process. +# +# Usage: sslcrtvalidator_program [ttl=n] [cache=n] path ... +# +# Options: +# ttl=n TTL in seconds for cached results. The default is 60 secs +# cache=n limit the result cache size. The default value is 2048 +#Default: +# none + +# TAG: sslcrtvalidator_children +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# The maximum number of processes spawn to service SSL server. +# The maximum this may be safely set to is 32. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup=N +# +# Sets the minimum number of processes to spawn when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few children temporary slows Squid under load while it +# tries to spawn enough additional processes to cope with traffic. +# +# idle=N +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# +# The number of requests each certificate validator helper can handle in +# parallel. A value of 0 indicates the certficate validator does not +# support concurrency. Defaults to 1. +# +# When this directive is set to a value >= 1 then the protocol +# used to communicate with the helper is modified to include +# a request ID in front of the request/response. The request +# ID from the request must be echoed back with the response +# to that request. +# +# You must have at least one ssl_crt_validator process. +#Default: +# sslcrtvalidator_children 32 startup=5 idle=1 concurrency=1 # OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM # ----------------------------------------------------------------------------- @@ -1680,22 +2667,23 @@ http_port 3128 # # htcp Send HTCP, instead of ICP, queries to the neighbor. # You probably also want to set the "icp-port" to 4827 -# instead of 3130. +# instead of 3130. This directive accepts a comma separated +# list of options described below. # -# htcp-oldsquid Send HTCP to old Squid versions. +# htcp=oldsquid Send HTCP to old Squid versions (2.5 or earlier). # -# htcp-no-clr Send HTCP to the neighbor but without +# htcp=no-clr Send HTCP to the neighbor but without # sending any CLR requests. This cannot be used with -# htcp-only-clr. +# only-clr. # -# htcp-only-clr Send HTCP to the neighbor but ONLY CLR requests. -# This cannot be used with htcp-no-clr. +# htcp=only-clr Send HTCP to the neighbor but ONLY CLR requests. +# This cannot be used with no-clr. # -# htcp-no-purge-clr +# htcp=no-purge-clr # Send HTCP to the neighbor including CLRs but only when # they do not result from PURGE requests. # -# htcp-forward-clr +# htcp=forward-clr # Forward any HTCP CLR requests this proxy receives to the peer. # # @@ -1768,6 +2756,14 @@ http_port 3128 # than the Squid default location. # # +# ==== CARP OPTIONS ==== +# +# carp-key=key-specification +# use a different key than the full URL to hash against the peer. +# the key-specification is a comma-separated list of the keywords +# scheme, host, port, path, params +# Order is not important. +# # ==== ACCELERATOR / REVERSE-PROXY OPTIONS ==== # # originserver Causes this parent to be contacted as an origin server. @@ -1795,20 +2791,23 @@ http_port 3128 # Note: The string can include URL escapes (i.e. %20 for # spaces). This also means % must be written as %%. # -# login=PROXYPASS +# login=PASSTHRU # Send login details received from client to this peer. -# Authentication is not required, nor changed. +# Both Proxy- and WWW-Authorization headers are passed +# without alteration to the peer. +# Authentication is not required by Squid for this to work. # # Note: This will pass any form of authentication but # only Basic auth will work through a proxy unless the # connection-auth options are also used. -# +# # login=PASS Send login details received from client to this peer. # Authentication is not required by this option. +# # If there are no client-provided authentication headers # to pass on, but username and password are available -# from either proxy login or an external ACL user= and -# password= result tags they may be sent instead. +# from an external ACL user= and password= result tags +# they may be sent instead. # # Note: To combine this with proxy_auth both proxies must # share the same user database as HTTP only allows for @@ -1826,6 +2825,27 @@ http_port 3128 # be used to identify this proxy to the peer, similar to # the login=username:password option above. # +# login=NEGOTIATE +# If this is a personal/workgroup proxy and your parent +# requires a secure proxy authentication. +# The first principal from the default keytab or defined by +# the environment variable KRB5_KTNAME will be used. +# +# WARNING: The connection may transmit requests from multiple +# clients. Negotiate often assumes end-to-end authentication +# and a single-client. Which is not strictly true here. +# +# login=NEGOTIATE:principal_name +# If this is a personal/workgroup proxy and your parent +# requires a secure proxy authentication. +# The principal principal_name from the default keytab or +# defined by the environment variable KRB5_KTNAME will be +# used. +# +# WARNING: The connection may transmit requests from multiple +# clients. Negotiate often assumes end-to-end authentication +# and a single-client. Which is not strictly true here. +# # connection-auth=on|off # Tell Squid that this peer does or not support Microsoft # connection oriented authentication, and any such @@ -1848,22 +2868,42 @@ http_port 3128 # reference a combined file containing both the # certificate and the key. # -# sslversion=1|2|3|4 +# sslversion=1|2|3|4|5|6 # The SSL version to use when connecting to this peer # 1 = automatic (default) # 2 = SSL v2 only # 3 = SSL v3 only -# 4 = TLS v1 only +# 4 = TLS v1.0 only +# 5 = TLS v1.1 only +# 6 = TLS v1.2 only # # sslcipher=... The list of valid SSL ciphers to use when connecting # to this peer. # -# ssloptions=... Specify various SSL engine options: -# NO_SSLv2 Disallow the use of SSLv2 -# NO_SSLv3 Disallow the use of SSLv3 -# NO_TLSv1 Disallow the use of TLSv1 -# See src/ssl_support.c or the OpenSSL documentation for -# a more complete list. +# ssloptions=... Specify various SSL implementation options: +# +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# +# SINGLE_DH_USE +# Always create a new key when using +# temporary/ephemeral DH key exchanges +# +# NO_TICKET +# Disable use of RFC5077 session tickets. Some servers +# may have problems understanding the TLS extension due +# to ambiguous specification in RFC4507. +# +# ALL Enable various bug workarounds +# suggested as "harmless" by OpenSSL +# Be warned that this reduces SSL/TLS +# strength to some attacks. +# +# See the OpenSSL SSL_CTX_set_options documentation for a +# more complete list. # # sslcafile=... A file containing additional CA certificates to use # when verifying the peer certificate. @@ -1907,29 +2947,74 @@ http_port 3128 # # connect-fail-limit=N # How many times connecting to a peer must fail before -# it is marked as down. Default is 10. +# it is marked as down. Standby connection failures +# count towards this limit. Default is 10. # # allow-miss Disable Squid's use of only-if-cached when forwarding # requests to siblings. This is primarily useful when -# icp_hit_stale is used by the sibling. To extensive use -# of this option may result in forwarding loops, and you -# should avoid having two-way peerings with this option. -# For example to deny peer usage on requests from peer -# by denying cache_peer_access if the source is a peer. +# icp_hit_stale is used by the sibling. Excessive use +# of this option may result in forwarding loops. One way +# to prevent peering loops when using this option, is to +# deny cache peer usage on requests from a peer: +# acl fromPeer ... +# cache_peer_access peerName deny fromPeer +# +# max-conn=N Limit the number of concurrent connections the Squid +# may open to this peer, including already opened idle +# and standby connections. There is no peer-specific +# connection limit by default. # -# max-conn=N Limit the amount of connections Squid may open to this -# peer. see also +# A peer exceeding the limit is not used for new +# requests unless a standby connection is available. +# +# max-conn currently works poorly with idle persistent +# connections: When a peer reaches its max-conn limit, +# and there are idle persistent connections to the peer, +# the peer may not be selected because the limiting code +# does not know whether Squid can reuse those idle +# connections. +# +# standby=N Maintain a pool of N "hot standby" connections to an +# UP peer, available for requests when no idle +# persistent connection is available (or safe) to use. +# By default and with zero N, no such pool is maintained. +# N must not exceed the max-conn limit (if any). +# +# At start or after reconfiguration, Squid opens new TCP +# standby connections until there are N connections +# available and then replenishes the standby pool as +# opened connections are used up for requests. A used +# connection never goes back to the standby pool, but +# may go to the regular idle persistent connection pool +# shared by all peers and origin servers. +# +# Squid never opens multiple new standby connections +# concurrently. This one-at-a-time approach minimizes +# flooding-like effect on peers. Furthermore, just a few +# standby connections should be sufficient in most cases +# to supply most new requests with a ready-to-use +# connection. +# +# Standby connections obey server_idle_pconn_timeout. +# For the feature to work as intended, the peer must be +# configured to accept and keep them open longer than +# the idle timeout at the connecting Squid, to minimize +# race conditions typical to idle used persistent +# connections. Default request_timeout and +# server_idle_pconn_timeout values ensure such a +# configuration. # # name=xxx Unique name for the peer. # Required if you have multiple peers on the same host # but different ports. # This name can be used in cache_peer_access and similar -# directives to dentify the peer. +# directives to identify the peer. # Can be used by outgoing access controls through the # peername ACL type. # # no-tproxy Do not use the client-spoof TPROXY support when forwarding # requests to this peer. Use normal address selection instead. +# This overrides the spoof_client_ip ACL. # # proxy-only objects fetched from the peer will not be stored locally. # @@ -1938,10 +3023,11 @@ http_port 3128 # TAG: cache_peer_domain # Use to limit the domains for which a neighbor cache will be -# queried. Usage: +# queried. # -# cache_peer_domain cache-host domain [domain ...] -# cache_peer_domain cache-host !domain +# Usage: +# cache_peer_domain cache-host domain [domain ...] +# cache_peer_domain cache-host !domain # # For example, specifying # @@ -1966,33 +3052,57 @@ http_port 3128 # none # TAG: cache_peer_access -# Similar to 'cache_peer_domain' but provides more flexibility by -# using ACL elements. +# Restricts usage of cache_peer proxies. # -# cache_peer_access cache-host allow|deny [!]aclname ... +# Usage: +# cache_peer_access peer-name allow|deny [!]aclname ... +# +# For the required peer-name parameter, use either the value of the +# cache_peer name=value parameter or, if name=value is missing, the +# cache_peer hostname parameter. +# +# This directive narrows down the selection of peering candidates, but +# does not determine the order in which the selected candidates are +# contacted. That order is determined by the peer selection algorithms +# (see PEER SELECTION sections in the cache_peer documentation). +# +# If a deny rule matches, the corresponding peer will not be contacted +# for the current transaction -- Squid will not send ICP queries and +# will not forward HTTP requests to that peer. An allow match leaves +# the corresponding peer in the selection. The first match for a given +# peer wins for that peer. +# +# The relative order of cache_peer_access directives for the same peer +# matters. The relative order of any two cache_peer_access directives +# for different peers does not matter. To ease interpretation, it is a +# good idea to group cache_peer_access directives for the same peer +# together. +# +# A single cache_peer_access directive may be evaluated multiple times +# for a given transaction because individual peer selection algorithms +# may check it independently from each other. These redundant checks +# may be optimized away in future Squid versions. # -# The syntax is identical to 'http_access' and the other lists of -# ACL elements. See the comments for 'http_access' below, or -# the Squid FAQ (http://wiki.squid-cache.org/SquidFaq/SquidAcl). +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# No peer usage restrictions. # TAG: neighbor_type_domain -# usage: neighbor_type_domain neighbor parent|sibling domain domain ... +# Modify the cache_peer neighbor type when passing requests +# about specific domains to the peer. # -# Modifying the neighbor type for specific domains is now -# possible. You can treat some domains differently than the the -# default neighbor type specified on the 'cache_peer' line. -# Normally it should only be necessary to list domains which -# should be treated differently because the default neighbor type -# applies for hostnames which do not match domains listed here. +# Usage: +# neighbor_type_domain neighbor parent|sibling domain domain ... # -#EXAMPLE: -# cache_peer cache.foo.org parent 3128 3130 -# neighbor_type_domain cache.foo.org sibling .com .net -# neighbor_type_domain cache.foo.org sibling .au .de +# For example: +# cache_peer foo.example.com parent 3128 3130 +# neighbor_type_domain foo.example.com sibling .au .de +# +# The above configuration treats all requests to foo.example.com as a +# parent proxy unless the request is for a .au or .de ccTLD domain name. #Default: -# none +# The peer type from cache_peer directive is used for all requests to that peer. # TAG: dead_peer_timeout (seconds) # This controls how long Squid waits to declare a peer cache @@ -2015,21 +3125,11 @@ http_port 3128 # TAG: forward_max_tries # Controls how many different forward paths Squid will try # before giving up. See also forward_timeout. +# +# NOTE: connect_retries (default: none) can make each of these +# possible forwarding paths be tried multiple times. #Default: -# forward_max_tries 10 - -# TAG: hierarchy_stoplist -# A list of words which, if found in a URL, cause the object to -# be handled directly by this cache. In other words, use this -# to not query neighbor caches for certain objects. You may -# list this option multiple times. -# -# Example: -# hierarchy_stoplist cgi-bin ? -# -# Note: never_direct overrides this option. -#Default: -# none +# forward_max_tries 25 # MEMORY CACHE OPTIONS # ----------------------------------------------------------------------------- @@ -2064,6 +3164,11 @@ http_port 3128 # decreases, blocks will be freed until the high-water mark is # reached. Thereafter, blocks will be used to store hot # objects. +# +# If shared memory caching is enabled, Squid does not use the shared +# cache space for in-transit objects, but they still consume as much +# local memory as they need. For more details about the shared memory +# cache, see memory_cache_shared. #Default: # cache_mem 256 MB @@ -2075,11 +3180,45 @@ http_port 3128 #Default: # maximum_object_size_in_memory 512 KB +# TAG: memory_cache_shared on|off +# Controls whether the memory cache is shared among SMP workers. +# +# The shared memory cache is meant to occupy cache_mem bytes and replace +# the non-shared memory cache, although some entities may still be +# cached locally by workers for now (e.g., internal and in-transit +# objects may be served from a local memory cache even if shared memory +# caching is enabled). +# +# By default, the memory cache is shared if and only if all of the +# following conditions are satisfied: Squid runs in SMP mode with +# multiple workers, cache_mem is positive, and Squid environment +# supports required IPC primitives (e.g., POSIX shared memory segments +# and GCC-style atomic operations). +# +# To avoid blocking locks, shared memory uses opportunistic algorithms +# that do not guarantee that every cachable entity that could have been +# shared among SMP workers will actually be shared. +#Default: +# "on" where supported if doing memory caching with multiple SMP workers. + +# TAG: memory_cache_mode +# Controls which objects to keep in the memory cache (cache_mem) +# +# always Keep most recently fetched objects in memory (default) +# +# disk Only disk cache hits are kept in memory, which means +# an object must first be cached on disk and then hit +# a second time before cached in memory. +# +# network Only objects fetched from network is kept in memory +#Default: +# Keep the most recently fetched objects in memory + # TAG: memory_replacement_policy # The memory replacement policy parameter determines which # objects are purged from memory when memory space is needed. # -# See cache_replacement_policy for details. +# See cache_replacement_policy for details on algorithms. #Default: # memory_replacement_policy lru @@ -2095,7 +3234,7 @@ http_port 3128 # heap LFUDA: Least Frequently Used with Dynamic Aging # heap LRU : LRU policy implemented using a heap # -# Applies to any cache_dir lines listed below this. +# Applies to any cache_dir lines listed below this directive. # # The LRU policies keeps recently referenced objects. # @@ -2114,7 +3253,7 @@ http_port 3128 # replacement policies. # # NOTE: if using the LFUDA replacement policy you should increase -# the value of maximum_object_size above its default of 4096 KB to +# the value of maximum_object_size above its default of 4 MB to # to maximize the potential byte hit rate improvement of LFUDA. # # For more information about the GDSF and LFUDA cache replacement @@ -2123,10 +3262,34 @@ http_port 3128 #Default: # cache_replacement_policy lru +# TAG: minimum_object_size (bytes) +# Objects smaller than this size will NOT be saved on disk. The +# value is specified in bytes, and the default is 0 KB, which +# means all responses can be stored. +#Default: +# no limit + +# TAG: maximum_object_size (bytes) +# Set the default value for max-size parameter on any cache_dir. +# The value is specified in bytes, and the default is 4 MB. +# +# If you wish to get a high BYTES hit ratio, you should probably +# increase this (one 32 MB object hit counts for 3200 10KB +# hits). +# +# If you wish to increase hit ratio more than you want to +# save bandwidth you should leave this low. +# +# NOTE: if using the LFUDA replacement policy you should increase +# this value to maximize the byte hit rate improvement of LFUDA! +# See cache_replacement_policy for a discussion of this policy. +#Default: +# maximum_object_size 4 MB +maximum_object_size 153600 KB + # TAG: cache_dir -# Usage: -# -# cache_dir Type Directory-Name Fs-specific-data [options] +# Format: +# cache_dir Type Directory-Name Fs-specific-data [options] # # You can specify multiple cache_dir lines to spread the # cache among different disk partitions. @@ -2141,12 +3304,18 @@ http_port 3128 # The directory must exist and be writable by the Squid # process. Squid will NOT create this directory for you. # -# The ufs store type: +# In SMP configurations, cache_dir must not precede the workers option +# and should use configuration macros or conditionals to give each +# worker interested in disk caching a dedicated cache directory. +# +# +# ==== The ufs store type ==== # # "ufs" is the old well-known Squid storage format that has always # been there. # -# cache_dir ufs Directory-Name Mbytes L1 L2 [options] +# Usage: +# cache_dir ufs Directory-Name Mbytes L1 L2 [options] # # 'Mbytes' is the amount of disk space (MB) to use under this # directory. The default is 100 MB. Change this to suit your @@ -2161,23 +3330,27 @@ http_port 3128 # will be created under each first-level directory. The default # is 256. # -# The aufs store type: +# +# ==== The aufs store type ==== # # "aufs" uses the same storage format as "ufs", utilizing # POSIX-threads to avoid blocking the main Squid process on # disk-I/O. This was formerly known in Squid as async-io. # -# cache_dir aufs Directory-Name Mbytes L1 L2 [options] +# Usage: +# cache_dir aufs Directory-Name Mbytes L1 L2 [options] # # see argument descriptions under ufs above # -# The diskd store type: +# +# ==== The diskd store type ==== # # "diskd" uses the same storage format as "ufs", utilizing a # separate process to avoid blocking the main Squid process on # disk-I/O. # -# cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n] +# Usage: +# cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n] # # see argument descriptions under ufs above # @@ -2185,55 +3358,149 @@ http_port 3128 # stops opening new files. If this many messages are in the queues, # Squid won't open new files. Default is 64 # -# Q2 specifies the number of unacknowledged messages when Squid -# starts blocking. If this many messages are in the queues, -# Squid blocks until it receives some replies. Default is 72 +# Q2 specifies the number of unacknowledged messages when Squid +# starts blocking. If this many messages are in the queues, +# Squid blocks until it receives some replies. Default is 72 +# +# When Q1 < Q2 (the default), the cache directory is optimized +# for lower response time at the expense of a decrease in hit +# ratio. If Q1 > Q2, the cache directory is optimized for +# higher hit ratio at the expense of an increase in response +# time. +# +# +# ==== The rock store type ==== +# +# Usage: +# cache_dir rock Directory-Name Mbytes [options] +# +# The Rock Store type is a database-style storage. All cached +# entries are stored in a "database" file, using fixed-size slots. +# A single entry occupies one or more slots. +# +# If possible, Squid using Rock Store creates a dedicated kid +# process called "disker" to avoid blocking Squid worker(s) on disk +# I/O. One disker kid is created for each rock cache_dir. Diskers +# are created only when Squid, running in daemon mode, has support +# for the IpcIo disk I/O module. +# +# swap-timeout=msec: Squid will not start writing a miss to or +# reading a hit from disk if it estimates that the swap operation +# will take more than the specified number of milliseconds. By +# default and when set to zero, disables the disk I/O time limit +# enforcement. Ignored when using blocking I/O module because +# blocking synchronous I/O does not allow Squid to estimate the +# expected swap wait time. +# +# max-swap-rate=swaps/sec: Artificially limits disk access using +# the specified I/O rate limit. Swap out requests that +# would cause the average I/O rate to exceed the limit are +# delayed. Individual swap in requests (i.e., hits or reads) are +# not delayed, but they do contribute to measured swap rate and +# since they are placed in the same FIFO queue as swap out +# requests, they may wait longer if max-swap-rate is smaller. +# This is necessary on file systems that buffer "too +# many" writes and then start blocking Squid and other processes +# while committing those writes to disk. Usually used together +# with swap-timeout to avoid excessive delays and queue overflows +# when disk demand exceeds available disk "bandwidth". By default +# and when set to zero, disables the disk I/O rate limit +# enforcement. Currently supported by IpcIo module only. +# +# slot-size=bytes: The size of a database "record" used for +# storing cached responses. A cached response occupies at least +# one slot and all database I/O is done using individual slots so +# increasing this parameter leads to more disk space waste while +# decreasing it leads to more disk I/O overheads. Should be a +# multiple of your operating system I/O page size. Defaults to +# 16KBytes. A housekeeping header is stored with each slot and +# smaller slot-sizes will be rejected. The header is smaller than +# 100 bytes. +# +# +# ==== COMMON OPTIONS ==== +# +# no-store no new objects should be stored to this cache_dir. +# +# min-size=n the minimum object size in bytes this cache_dir +# will accept. It's used to restrict a cache_dir +# to only store large objects (e.g. AUFS) while +# other stores are optimized for smaller objects +# (e.g. Rock). +# Defaults to 0. +# +# max-size=n the maximum object size in bytes this cache_dir +# supports. +# The value in maximum_object_size directive sets +# the default unless more specific details are +# available (ie a small store capacity). +# +# Note: To make optimal use of the max-size limits you should order +# the cache_dir lines with the smallest max-size value first. +# +#Default: +# No disk cache. Store cache ojects only in memory. +# + +# Uncomment and adjust the following to add a disk cache directory. +#cache_dir ufs /var/spool/squid 100 16 256 +cache_dir ufs /var/spool/squid 4096 16 1024 + +# TAG: store_dir_select_algorithm +# How Squid selects which cache_dir to use when the response +# object will fit into more than one. +# +# Regardless of which algorithm is used the cache_dir min-size +# and max-size parameters are obeyed. As such they can affect +# the selection algorithm by limiting the set of considered +# cache_dir. +# +# Algorithms: +# +# least-load +# +# This algorithm is suited to caches with similar cache_dir +# sizes and disk speeds. # -# When Q1 < Q2 (the default), the cache directory is optimized -# for lower response time at the expense of a decrease in hit -# ratio. If Q1 > Q2, the cache directory is optimized for -# higher hit ratio at the expense of an increase in response -# time. +# The disk with the least I/O pending is selected. +# When there are multiple disks with the same I/O load ranking +# the cache_dir with most available capacity is selected. # -# The coss store type: +# When a mix of cache_dir sizes are configured the faster disks +# have a naturally lower I/O loading and larger disks have more +# capacity. So space used to store objects and data throughput +# may be very unbalanced towards larger disks. # -# NP: COSS filesystem in Squid-3 has been deemed too unstable for -# production use and has thus been removed from this release. -# We hope that it can be made usable again soon. # -# block-size=n defines the "block size" for COSS cache_dir's. -# Squid uses file numbers as block numbers. Since file numbers -# are limited to 24 bits, the block size determines the maximum -# size of the COSS partition. The default is 512 bytes, which -# leads to a maximum cache_dir size of 512<<24, or 8 GB. Note -# you should not change the coss block size after Squid -# has written some objects to the cache_dir. +# round-robin # -# The coss file store has changed from 2.5. Now it uses a file -# called 'stripe' in the directory names in the config - and -# this will be created by squid -z. +# This algorithm is suited to caches with unequal cache_dir +# disk sizes. # -# Common options: +# Each cache_dir is selected in a rotation. The next suitable +# cache_dir is used. # -# no-store, no new objects should be stored to this cache_dir +# Available cache_dir capacity is only considered in relation +# to whether the object will fit and meets the min-size and +# max-size parameters. # -# max-size=n, refers to the max object size in bytes this cache_dir -# supports. It is used to select the cache_dir to store the object. -# Note: To make optimal use of the max-size limits you should order -# the cache_dir lines with the smallest max-size value first and the -# ones with no max-size specification last. +# Disk I/O loading is only considered to prevent overload on slow +# disks. This algorithm does not spread objects by size, so any +# I/O loading per-disk may appear very unbalanced and volatile. # -# Note for coss, max-size must be less than COSS_MEMBUF_SZ, -# which can be changed with the --with-coss-membuf-size=N configure -# option. +# If several cache_dirs use similar min-size, max-size, or other +# limits to to reject certain responses, then do not group such +# cache_dir lines together, to avoid round-robin selection bias +# towards the first cache_dir after the group. Instead, interleave +# cache_dir lines from different groups. For example: # - -# Uncomment and adjust the following to add a disk cache directory. -#cache_dir ufs /var/spool/squid 100 16 256 -cache_dir ufs /var/spool/squid 4096 16 1024 - -# TAG: store_dir_select_algorithm -# Set this to 'round-robin' as an alternative. +# store_dir_select_algorithm round-robin +# cache_dir rock /hdd1 ... min-size=100000 +# cache_dir rock /ssd1 ... max-size=99999 +# cache_dir rock /hdd2 ... min-size=100000 +# cache_dir rock /ssd2 ... max-size=99999 +# cache_dir rock /hdd3 ... min-size=100000 +# cache_dir rock /ssd3 ... max-size=99999 #Default: # store_dir_select_algorithm least-load @@ -2244,46 +3511,53 @@ cache_dir ufs /var/spool/squid 4096 16 1024 # # A value of 0 indicates no limit. #Default: -# max_open_disk_fds 0 - -# TAG: minimum_object_size (bytes) -# Objects smaller than this size will NOT be saved on disk. The -# value is specified in kilobytes, and the default is 0 KB, which -# means there is no minimum. -#Default: -# minimum_object_size 0 KB - -# TAG: maximum_object_size (bytes) -# Objects larger than this size will NOT be saved on disk. The -# value is specified in kilobytes, and the default is 4MB. If -# you wish to get a high BYTES hit ratio, you should probably -# increase this (one 32 MB object hit counts for 3200 10KB -# hits). If you wish to increase speed more than your want to -# save bandwidth you should leave this low. -# -# NOTE: if using the LFUDA replacement policy you should increase -# this value to maximize the byte hit rate improvement of LFUDA! -# See replacement_policy below for a discussion of this policy. -#Default: -# maximum_object_size 4096 KB -maximum_object_size 153600 KB +# no limit # TAG: cache_swap_low (percent, 0-100) +# The low-water mark for AUFS/UFS/diskd cache object eviction by +# the cache_replacement_policy algorithm. +# +# Removal begins when the swap (disk) usage of a cache_dir is +# above this low-water mark and attempts to maintain utilization +# near the low-water mark. +# +# As swap utilization increases towards the high-water mark set +# by cache_swap_high object eviction becomes more agressive. +# +# The value difference in percentages between low- and high-water +# marks represent an eviction rate of 300 objects per second and +# the rate continues to scale in agressiveness by multiples of +# this above the high-water mark. +# +# Defaults are 90% and 95%. If you have a large cache, 5% could be +# hundreds of MB. If this is the case you may wish to set these +# numbers closer together. +# +# See also cache_swap_high and cache_replacement_policy #Default: # cache_swap_low 90 # TAG: cache_swap_high (percent, 0-100) +# The high-water mark for AUFS/UFS/diskd cache object eviction by +# the cache_replacement_policy algorithm. # -# The low- and high-water marks for cache object replacement. -# Replacement begins when the swap (disk) usage is above the -# low-water mark and attempts to maintain utilization near the -# low-water mark. As swap utilization gets close to high-water -# mark object eviction becomes more aggressive. If utilization is -# close to the low-water mark less replacement is done each time. +# Removal begins when the swap (disk) usage of a cache_dir is +# above the low-water mark set by cache_swap_low and attempts to +# maintain utilization near the low-water mark. +# +# As swap utilization increases towards this high-water mark object +# eviction becomes more agressive. +# +# The value difference in percentages between low- and high-water +# marks represent an eviction rate of 300 objects per second and +# the rate continues to scale in agressiveness by multiples of +# this above the high-water mark. # # Defaults are 90% and 95%. If you have a large cache, 5% could be # hundreds of MB. If this is the case you may wish to set these # numbers closer together. +# +# See also cache_swap_low and cache_replacement_policy #Default: # cache_swap_high 95 @@ -2313,21 +3587,62 @@ maximum_object_size 153600 KB # ' output as-is # # - left aligned -# width field width. If starting with 0 the -# output is zero padded +# +# width minimum and/or maximum field width: +# [width_min][.width_max] +# When minimum starts with 0, the field is zero-padded. +# String values exceeding maximum width are truncated. +# # {arg} argument such as header name etc # # Format codes: # # % a literal % character +# sn Unique sequence number per log line entry +# err_code The ID of an error response served by Squid or +# a similar internal error identifier. +# err_detail Additional err_code-dependent error information. +# note The annotation specified by the argument. Also +# logs the adaptation meta headers set by the +# adaptation_meta configuration parameter. +# If no argument given all annotations logged. +# The argument may include a separator to use with +# annotation values: +# name[:separator] +# By default, multiple note values are separated with "," +# and multiple notes are separated with "\r\n". +# When logging named notes with %{name}note, the +# explicitly configured separator is used between note +# values. When logging all notes with %note, the +# explicitly configured separator is used between +# individual notes. There is currently no way to +# specify both value and notes separators when logging +# all notes with %note. +# +# Connection related format codes: +# # >a Client source IP address # >A Client FQDN # >p Client source port -# eui Client source EUI (MAC address, EUI-48 or EUI-64 identifier) +# >la Local IP address the client connected to +# >lp Local port number the client connected to +# >qos Client connection TOS/DSCP value set by Squid +# >nfmark Client connection netfilter mark set by Squid +# +# la Local listening IP address the client connection was connected to. +# lp Local listening port number the client connection was connected to. +# +# . format. +# Currently, Squid considers the master transaction +# started when a complete HTTP request header initiating +# the transaction is received from the client. This is +# the same value that Squid uses to calculate transaction +# response time when logging %tr to access.log. Currently, +# Squid uses millisecond resolution for %tS values, +# similar to the default access.log "current time" field +# (%ts.%03tu). +# +# Access Control related format codes: +# +# et Tag returned by external acl +# ea Log string returned by external acl +# un User name (any available) +# ul User name from authentication +# ue User name from external acl helper +# ui User name from ident +# un A user name. Expands to the first available name +# from the following list of information sources: +# - authenticated user name, like %ul +# - user name supplied by an external ACL, like %ue +# - SSL client name, like %us +# - ident user name, like %ui +# credentials Client credentials. The exact meaning depends on +# the authentication scheme: For Basic authentication, +# it is the password; for Digest, the realm sent by the +# client; for NTLM and Negotiate, the client challenge +# or client credentials prefixed with "YR " or "KK ". +# +# HTTP related format codes: +# +# REQUEST # -# HTTP cache related format codes: -# -# [http::]>h Original request header. Optional header name argument -# on the format header[:[separator]element] -# [http::]>ha The HTTP request headers after adaptation and redirection. +# [http::]rm Request method (GET/POST etc) +# [http::]>rm Request method from client +# [http::]ru Request URL from client +# [http::]rs Request URL scheme from client +# [http::]rd Request URL domain from client +# [http::]rP Request URL port from client +# [http::]rp Request URL path excluding hostname from client +# [http::]rv Request protocol version from client +# [http::]h Original received request header. +# Usually differs from the request header sent by +# Squid, although most fields are often preserved. +# Accepts optional header field name/value filter +# argument using name[:[separator]element] format. +# [http::]>ha Received request header after adaptation and +# redirection (pre-cache REQMOD vectoring point). +# Usually differs from the request header sent by +# Squid, although most fields are often preserved. # Optional header name argument as for >h +# +# +# RESPONSE +# +# [http::]Hs HTTP status code sent to the client +# # [http::]h -# [http::]un User name -# [http::]ul User name from authentication -# [http::]ui User name from ident -# [http::]us User name from SSL -# [http::]ue User name from external acl helper -# [http::]>Hs HTTP status code sent to the client -# [http::]st Received request size including HTTP headers. In the -# case of chunked requests the chunked encoding metadata -# are not included -# [http::]>sh Received HTTP request headers size -# [http::]st Total size of request received from client. +# Excluding chunked encoding bytes. +# [http::]sh Size of request headers received from client +# [http::]sni SSL client SNI sent to Squid. Available only +# after the peek, stare, or splice SSL bumping +# actions. +# +# If ICAP is enabled, the following code becomes available (as # well as ICAP log codes documented with the icap_log option): # # icap::tt Total ICAP processing time for the HTTP @@ -2386,14 +3793,13 @@ maximum_object_size 153600 KB # ACLs are checked and when ICAP # transaction is in progress. # -# icap::cert_subject The Subject field of the received client +# SSL certificate or a dash ('-') if Squid has +# received an invalid/malformed certificate or +# no certificate at all. Consider encoding the +# logged value because Subject often has spaces. +# +# %ssl::>cert_issuer The Issuer field of the received client +# SSL certificate or a dash ('-') if Squid has +# received an invalid/malformed certificate or +# no certificate at all. Consider encoding the +# logged value because Issuer often has spaces. +# # The default formats available (which do not need re-defining) are: # -#logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %a %Ss/%03>Hs %h] [%a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh +#logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh +#logformat referrer %ts.%03tu %>a %{Referer}>h %ru +#logformat useragent %>a [%tl] "%{User-Agent}>h" +# +# NOTE: When the log_mime_hdrs directive is set to ON. +# The squid, common and combined formats have a safely encoded copy +# of the mime headers appended to each line within a pair of brackets. +# +# NOTE: The common and combined formats are not quite true to the Apache definition. +# The logs from Squid contain an extra status and hierarchy code appended. +# #Default: -# none +# The format definitions squid, common, combined, referrer, useragent are built in. # TAG: access_log -# These files log client request activities. Has a line every HTTP or -# ICP request. The format is: -# access_log [ [acl acl ...]] -# access_log none [acl acl ...]] +# Configures whether and how Squid logs HTTP and ICP transactions. +# If access logging is enabled, a single line is logged for every +# matching HTTP or ICP request. The recommended directive formats are: # -# Will log to the specified file using the specified format (which -# must be defined in a logformat directive) those entries which match -# ALL the acl's specified (which must be defined in acl clauses). +# access_log : [option ...] [acl acl ...] +# access_log none [acl acl ...] # -# If no acl is specified, all requests will be logged to this file. +# The following directive format is accepted but may be deprecated: +# access_log : [ [acl acl ...]] # -# To disable logging of a request use the filepath "none", in which case -# a logformat name should not be specified. +# In most cases, the first ACL name must not contain the '=' character +# and should not be equal to an existing logformat name. You can always +# start with an 'all' ACL to work around those restrictions. +# +# Will log to the specified module:place using the specified format (which +# must be defined in a logformat directive) those entries which match +# ALL the acl's specified (which must be defined in acl clauses). +# If no acl is specified, all requests will be logged to this destination. +# +# ===== Available options for the recommended directive format ===== +# +# logformat=name Names log line format (either built-in or +# defined by a logformat directive). Defaults +# to 'squid'. +# +# buffer-size=64KB Defines approximate buffering limit for log +# records (see buffered_logs). Squid should not +# keep more than the specified size and, hence, +# should flush records before the buffer becomes +# full to avoid overflows under normal +# conditions (the exact flushing algorithm is +# module-dependent though). The on-error option +# controls overflow handling. +# +# on-error=die|drop Defines action on unrecoverable errors. The +# 'drop' action ignores (i.e., does not log) +# affected log records. The default 'die' action +# kills the affected worker. The drop action +# support has not been tested for modules other +# than tcp. +# +# ===== Modules Currently available ===== +# +# none Do not log any requests matching these ACL. +# Do not specify Place or logformat name. +# +# stdio Write each log line to disk immediately at the completion of +# each request. +# Place: the filename and path to be written. +# +# daemon Very similar to stdio. But instead of writing to disk the log +# line is passed to a daemon helper for asychronous handling instead. +# Place: varies depending on the daemon. +# +# log_file_daemon Place: the file name and path to be written. +# +# syslog To log each request via syslog facility. +# Place: The syslog facility and priority level for these entries. +# Place Format: facility.priority # -# To log the request via syslog specify a filepath of "syslog": +# where facility could be any of: +# authpriv, daemon, local0 ... local7 or user. # -# access_log syslog[:facility.priority] [format [acl1 [acl2 ....]]] -# where facility could be any of: -# authpriv, daemon, local0 .. local7 or user. +# And priority could be any of: +# err, warning, notice, info, debug. +# +# udp To send each log line as text data to a UDP receiver. +# Place: The destination host name or IP and port. +# Place Format: //host:port # -# And priority could be any of: -# err, warning, notice, info, debug. +# tcp To send each log line as text data to a TCP receiver. +# Lines may be accumulated before sending (see buffered_logs). +# Place: The destination host name or IP and port. +# Place Format: //host:port # # Default: -# access_log /var/log/squid/access.log squid +# access_log daemon:/var/log/squid/access.log squid #Default: -# access_log /var/log/squid/access.log squid +# access_log daemon:/var/log/squid/access.log squid # TAG: icap_log # ICAP log files record ICAP transaction summaries, one line per @@ -2472,13 +3953,35 @@ maximum_object_size 153600 KB # ICAP transaction log lines will correspond to a single access # log line. # -# ICAP log uses logformat codes that make sense for an ICAP -# transaction. Header-related codes are applied to the HTTP header -# embedded in an ICAP server response, with the following caveats: -# For REQMOD, there is no HTTP response header unless the ICAP -# server performed request satisfaction. For RESPMOD, the HTTP -# request header is the header sent to the ICAP server. For -# OPTIONS, there are no HTTP headers. +# ICAP log supports many access.log logformat %codes. In ICAP context, +# HTTP message-related %codes are applied to the HTTP message embedded +# in an ICAP message. Logformat "%http::>..." codes are used for HTTP +# messages embedded in ICAP requests while "%http::<..." codes are used +# for HTTP messages embedded in ICAP responses. For example: +# +# http::>h To-be-adapted HTTP message headers sent by Squid to +# the ICAP service. For REQMOD transactions, these are +# HTTP request headers. For RESPMOD, these are HTTP +# response headers, but Squid currently cannot log them +# (i.e., %http::>h will expand to "-" for RESPMOD). +# +# http::st Bytes sent to the ICAP server (TCP payload -# only; i.e., what Squid writes to the socket). +# icap::>st The total size of the ICAP request sent to the ICAP +# server (ICAP headers + ICAP body), including chunking +# metadata (if any). # -# icap::a %icap::to/%03icap::Hs %icap::A %icap::to/%03icap::Hs %icap::\n - logfile data +# R\n - rotate file +# T\n - truncate file +# O\n - reopen file +# F\n - flush file +# r\n - set rotate count to +# b\n - 1 = buffer output, 0 = don't buffer output +# +# No responses is expected. #Default: -# none +# logfile_daemon /usr/lib/squid/log_file_daemon -# TAG: log_icap -# This options allows you to control which requests get logged -# to icap.log. See the icap_log directive for ICAP log details. +# TAG: stats_collection allow|deny acl acl... +# This options allows you to control which requests gets accounted +# in performance counters. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow logging for all transactions. # TAG: cache_store_log # Logs the activities of the storage manager. Shows which # objects are ejected from the cache, and which objects are -# saved and for how long. To disable, enter "none" or remove the line. +# saved and for how long. # There are not really utilities to analyze this data, so you can safely -# disable it. -# +# disable it (the default). +# +# Store log uses modular logging outputs. See access_log for the list +# of modules supported. +# # Example: -# cache_store_log /var/log/squid/store.log +# cache_store_log stdio:/var/log/squid/store.log +# cache_store_log daemon:/var/log/squid/store.log #Default: # none @@ -2590,7 +4111,7 @@ maximum_object_size 153600 KB # them). We recommend you do NOT use this option. It is # better to keep these index files in each 'cache_dir' directory. #Default: -# none +# Store the journal inside its cache_dir # TAG: logfile_rotate # Specifies the number of logfile rotations to make when you @@ -2607,34 +4128,19 @@ maximum_object_size 153600 KB # in the habit of using 'squid -k rotate' instead of 'kill -USR1 # '. # -# Note, from Squid-3.1 this option has no effect on the cache.log, -# that log can be rotated separately by using debug_options +# Note, from Squid-3.1 this option is only a default for cache.log, +# that log can be rotated separately by using debug_options. # -# Note2, for Debian/Linux the default of logfile_rotate is -# zero, since it includes external logfile-rotation methods. +# Note2, for Debian/Linux the default of logfile_rotate is +# zero, since it includes external logfile-rotation methods. #Default: # logfile_rotate 0 -# TAG: emulate_httpd_log on|off -# The Cache can emulate the log file format which many 'httpd' -# programs use. To disable/enable this emulation, set -# emulate_httpd_log to 'off' or 'on'. The default -# is to use the native log format since it includes useful -# information Squid-specific log analyzers use. -#Default: -# emulate_httpd_log off - -# TAG: log_ip_on_direct on|off -# Log the destination IP address in the hierarchy log tag when going -# direct. Earlier Squid versions logged the hostname here. If you -# prefer the old way set this to off. -#Default: -# log_ip_on_direct on - # TAG: mime_table -# Pathname to Squid's MIME table. You shouldn't need to change -# this, but the default file contains examples and formatting -# information if you do. +# Path to Squid's icon configuration file. +# +# You shouldn't need to change this, but the default file contains +# examples and formatting information if you do. #Default: # mime_table /usr/share/squid/mime.conf @@ -2647,91 +4153,61 @@ maximum_object_size 153600 KB #Default: # log_mime_hdrs off -# TAG: useragent_log -# Note: This option is only available if Squid is rebuilt with the -# --enable-useragent-log option -# -# Squid will write the User-Agent field from HTTP requests -# to the filename specified here. By default useragent_log -# is disabled. -#Default: -# none - -# TAG: referer_log -# Note: This option is only available if Squid is rebuilt with the -# --enable-referer-log option -# -# Squid will write the Referer field from HTTP requests to the -# filename specified here. By default referer_log is disabled. -# Note that "referer" is actually a misspelling of "referrer" -# however the misspelt version has been accepted into the HTTP RFCs -# and we accept both. -#Default: -# none - # TAG: pid_filename # A filename to write the process-id to. To disable, enter "none". #Default: # pid_filename /var/run/squid.pid -# TAG: log_fqdn on|off -# Turn this on if you wish to log fully qualified domain names -# in the access.log. To do this Squid does a DNS lookup of all -# IP's connecting to it. This can (in some situations) increase -# latency, which makes your cache seem slower for interactive -# browsing. -#Default: -# log_fqdn off - # TAG: client_netmask # A netmask for client addresses in logfiles and cachemgr output. # Change this to protect the privacy of your cache clients. # A netmask of 255.255.255.0 will log all IP's in that range with # the last digit set to '0'. #Default: -# client_netmask no_addr - -# TAG: forward_log -# Note: This option is only available if Squid is rebuilt with the -# -DWIP_FWD_LOG define -# -# Logs the server-side requests. -# -# This is currently work in progress. -#Default: -# none +# Log full client IP address # TAG: strip_query_terms # By default, Squid strips query terms from requested URLs before -# logging. This protects your user's privacy. +# logging. This protects your user's privacy and reduces log size. +# +# When investigating HIT/MISS or other caching behaviour you +# will need to disable this to see the full URL used by Squid. #Default: # strip_query_terms on # TAG: buffered_logs on|off -# cache.log log file is written with stdio functions, and as such -# it can be buffered or unbuffered. By default it will be unbuffered. -# Buffering it can speed up the writing slightly (though you are -# unlikely to need to worry unless you run with tons of debugging -# enabled in which case performance will suffer badly anyway..). +# Whether to write/send access_log records ASAP or accumulate them and +# then write/send them in larger chunks. Buffering may improve +# performance because it decreases the number of I/Os. However, +# buffering increases the delay before log records become available to +# the final recipient (e.g., a disk file or logging daemon) and, +# hence, increases the risk of log records loss. +# +# Note that even when buffered_logs are off, Squid may have to buffer +# records if it cannot write/send them immediately due to pending I/Os +# (e.g., the I/O writing the previous log record) or connectivity loss. +# +# Currently honored by 'daemon' and 'tcp' access_log modules only. #Default: # buffered_logs off # TAG: netdb_filename -# Note: This option is only available if Squid is rebuilt with the -# --enable-icmp option +# Where Squid stores it's netdb journal. +# When enabled this journal preserves netdb state between restarts. # -# A filename where Squid stores it's netdb state between restarts. # To disable, enter "none". #Default: -# netdb_filename /var/log/squid/netdb.state +# netdb_filename stdio:/var/log/squid/netdb.state # OPTIONS FOR TROUBLESHOOTING # ----------------------------------------------------------------------------- # TAG: cache_log -# Cache logging file. This is where general information about -# your cache's behavior goes. You can increase the amount of data -# logged to this file and how often its rotated with "debug_options" +# Squid administrative logging file. +# +# This is where general information about Squid behavior goes. You can +# increase the amount of data logged to this file and how often it is +# rotated with "debug_options" #Default: # cache_log /var/log/squid/cache.log @@ -2742,14 +4218,14 @@ maximum_object_size 153600 KB # log file, so be careful. # # The magic word "ALL" sets debugging levels for all sections. -# We recommend normally running with "ALL,1". +# The default is to run with "ALL,1" to record important warnings. # # The rotate=N option can be used to keep more or less of these logs # than would otherwise be kept by logfile_rotate. # For most uses a single log should be enough to monitor current # events affecting Squid. #Default: -# debug_options ALL,1 +# Log all critical and important messages. # TAG: coredump_dir # By default Squid leaves core files in the directory from where @@ -2758,7 +4234,7 @@ maximum_object_size 153600 KB # and coredump files will be left there. # #Default: -# coredump_dir none +# Use the directory from where Squid was started. # # Leave coredumps in the first cache dir @@ -2769,24 +4245,17 @@ coredump_dir /var/spool/squid # TAG: ftp_user # If you want the anonymous login password to be more informative -# (and enable the use of picky ftp servers), set this to something +# (and enable the use of picky FTP servers), set this to something # reasonable for your domain, like wwwuser@somewhere.net # # The reason why this is domainless by default is the # request can be made on the behalf of a user in any domain, # depending on how the cache is used. -# Some ftp server also validate the email address is valid +# Some FTP server also validate the email address is valid # (for example perl.com). #Default: # ftp_user Squid@ -# TAG: ftp_list_width -# Sets the width of ftp listings. This should be set to fit in -# the width of a standard browser. Setting this too small -# can cut off long filenames when browsing ftp sites. -#Default: -# ftp_list_width 32 - # TAG: ftp_passive # If your firewall does not allow Squid to use passive # connections, turn off this option. @@ -2822,13 +4291,21 @@ coredump_dir /var/spool/squid # and therefore, translation of the data portion of the segments # will never be needed. # -# Turning this OFF will prevent EPSV being attempted. -# WARNING: Doing so will convert Squid back to the old behavior with all -# the related problems with external NAT devices/layers. +# EPSV is often required to interoperate with FTP servers on IPv6 +# networks. On the other hand, it may break some IPv4 servers. +# +# By default, EPSV may try EPSV with any FTP server. To fine tune +# that decision, you may restrict EPSV to certain clients or servers +# using ACLs: # +# ftp_epsv allow|deny al1 acl2 ... +# +# WARNING: Disabling EPSV may cause problems with external NAT and IPv6. +# +# Only fast ACLs are supported. # Requires ftp_passive to be ON (default) for any effect. #Default: -# ftp_epsv on +# none # TAG: ftp_eprt # FTP Protocol extensions permit the use of a special "EPRT" command. @@ -2889,22 +4366,16 @@ coredump_dir /var/spool/squid # unlinkd_program /usr/lib/squid/unlinkd # TAG: pinger_program -# Note: This option is only available if Squid is rebuilt with the -# --enable-icmp option -# # Specify the location of the executable for the pinger process. #Default: # pinger_program /usr/lib/squid/pinger # TAG: pinger_enable -# Note: This option is only available if Squid is rebuilt with the -# --enable-icmp option -# # Control whether the pinger is active at run-time. # Enables turning ICMP pinger on and off with a simple # squid -k reconfigure. #Default: -# pinger_enable off +# pinger_enable on # OPTIONS FOR URL REWRITING # ----------------------------------------------------------------------------- @@ -2915,68 +4386,137 @@ coredump_dir /var/spool/squid # # For each requested URL, the rewriter will receive on line with the format # -# URL client_ip "/" fqdn user method [ kvpairs] +# [channel-ID ] URL [ extras] +# +# See url_rewrite_extras on how to send "extras" with optional values to +# the helper. +# After processing the request the helper must reply using the following format: +# +# [channel-ID ] result [ kv-pairs] +# +# The result code can be: +# +# OK status=30N url="..." +# Redirect the URL to the one supplied in 'url='. +# 'status=' is optional and contains the status code to send +# the client in Squids HTTP response. It must be one of the +# HTTP redirect status codes: 301, 302, 303, 307, 308. +# When no status is given Squid will use 302. +# +# OK rewrite-url="..." +# Rewrite the URL to the one supplied in 'rewrite-url='. +# The new URL is fetched directly by Squid and returned to +# the client as the response to its request. # -# In the future, the rewriter interface will be extended with -# key=value pairs ("kvpairs" shown above). Rewriter programs -# should be prepared to receive and possibly ignore additional -# whitespace-separated tokens on each input line. +# OK +# When neither of url= and rewrite-url= are sent Squid does +# not change the URL. # -# And the rewriter may return a rewritten URL. The other components of -# the request line does not need to be returned (ignored if they are). +# ERR +# Do not change the URL. # -# The rewriter can also indicate that a client-side redirect should -# be performed to the new URL. This is done by prefixing the returned -# URL with "301:" (moved permanently) or 302: (moved temporarily), etc. +# BH +# An internal error occurred in the helper, preventing +# a result being identified. The 'message=' key name is +# reserved for delivering a log message. +# +# +# In addition to the above kv-pairs Squid also understands the following +# optional kv-pairs received from URL rewriters: +# clt_conn_tag=TAG +# Associates a TAG with the client TCP connection. +# The TAG is treated as a regular annotation but persists across +# future requests on the client connection rather than just the +# current request. A helper may update the TAG during subsequent +# requests be returning a new kv-pair. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# WARNING: URL re-writing ability should be avoided whenever possible. +# Use the URL redirect form of response instead. +# +# Re-write creates a difference in the state held by the client +# and server. Possibly causing confusion when the server response +# contains snippets of its view state. Embeded URLs, response +# and content Location headers, etc. are not re-written by this +# interface. # # By default, a URL rewriter is not used. #Default: # none # TAG: url_rewrite_children -# The number of redirector processes to spawn. If you start -# too few Squid will have to wait for them to process a backlog of -# URLs, slowing it down. If you start too many they will use RAM -# and other system resources. -#Default: -# url_rewrite_children 5 - -# TAG: url_rewrite_concurrency +# The maximum number of redirector processes to spawn. If you limit +# it too few Squid will have to wait for them to process a backlog of +# URLs, slowing it down. If you allow too many they will use RAM +# and other system resources noticably. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup= +# +# Sets a minimum of how many processes are to be spawned when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few will cause an initial slowdown in traffic as Squid +# attempts to simultaneously spawn enough processes to cope. +# +# idle= +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# # The number of requests each redirector helper can handle in # parallel. Defaults to 0 which indicates the redirector # is a old-style single threaded redirector. # # When this directive is set to a value >= 1 then the protocol # used to communicate with the helper is modified to include -# a request ID in front of the request/response. The request -# ID from the request must be echoed back with the response -# to that request. +# an ID in front of the request/response. The ID from the request +# must be echoed back with the response to that request. #Default: -# url_rewrite_concurrency 0 +# url_rewrite_children 20 startup=0 idle=1 concurrency=0 # TAG: url_rewrite_host_header -# By default Squid rewrites any Host: header in redirected -# requests. If you are running an accelerator this may -# not be a wanted effect of a redirector. -# +# To preserve same-origin security policies in browsers and +# prevent Host: header forgery by redirectors Squid rewrites +# any Host: header in redirected requests. +# +# If you are running an accelerator this may not be a wanted +# effect of a redirector. This directive enables you disable +# Host: alteration in reverse-proxy traffic. +# # WARNING: Entries are cached on the result of the URL rewriting # process, so be careful if you have domain-virtual hosts. +# +# WARNING: Squid and other software verifies the URL and Host +# are matching, so be careful not to relay through other proxies +# or inspecting firewalls with this disabled. #Default: # url_rewrite_host_header on # TAG: url_rewrite_access # If defined, this access list specifies which requests are -# sent to the redirector processes. By default all requests -# are sent. +# sent to the redirector processes. # # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: url_rewrite_bypass # When this is 'on', a request will not go through the -# redirector if all redirectors are busy. If this is 'off' +# redirector if all the helpers are busy. If this is 'off' # and the redirector queue grows too large, Squid will exit # with a FATAL error and ask you to increase the number of # redirectors. You should only enable this if the redirectors @@ -2987,23 +4527,231 @@ coredump_dir /var/spool/squid #Default: # url_rewrite_bypass off -# OPTIONS FOR TUNING THE CACHE +# TAG: url_rewrite_extras +# Specifies a string to be append to request line format for the +# rewriter helper. "Quoted" format values may contain spaces and +# logformat %macros. In theory, any logformat %macro can be used. +# In practice, a %macro expands as a dash (-) if the helper request is +# sent before the required macro information is available to Squid. +#Default: +# url_rewrite_extras "%>a/%>A %un %>rm myip=%la myport=%lp" + +# OPTIONS FOR STORE ID # ----------------------------------------------------------------------------- -# TAG: cache -# A list of ACL elements which, if matched and denied, cause the request to -# not be satisfied from the cache and the reply to not be cached. -# In other words, use this to force certain objects to never be cached. +# TAG: store_id_program +# Specify the location of the executable StoreID helper to use. +# Since they can perform almost any function there isn't one included. # -# You must use the words 'allow' or 'deny' to indicate whether items -# matching the ACL should be allowed or denied into the cache. +# For each requested URL, the helper will receive one line with the format # -# Default is to allow all to be cached. +# [channel-ID ] URL [ extras] +# +# +# After processing the request the helper must reply using the following format: +# +# [channel-ID ] result [ kv-pairs] +# +# The result code can be: +# +# OK store-id="..." +# Use the StoreID supplied in 'store-id='. +# +# ERR +# The default is to use HTTP request URL as the store ID. +# +# BH +# An internal error occured in the helper, preventing +# a result being identified. +# +# In addition to the above kv-pairs Squid also understands the following +# optional kv-pairs received from URL rewriters: +# clt_conn_tag=TAG +# Associates a TAG with the client TCP connection. +# Please see url_rewrite_program related documentation for this +# kv-pair +# +# Helper programs should be prepared to receive and possibly ignore +# additional whitespace-separated tokens on each input line. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# NOTE: when using StoreID refresh_pattern will apply to the StoreID +# returned from the helper and not the URL. +# +# WARNING: Wrong StoreID value returned by a careless helper may result +# in the wrong cached response returned to the user. +# +# By default, a StoreID helper is not used. +#Default: +# none + +# TAG: store_id_extras +# Specifies a string to be append to request line format for the +# StoreId helper. "Quoted" format values may contain spaces and +# logformat %macros. In theory, any logformat %macro can be used. +# In practice, a %macro expands as a dash (-) if the helper request is +# sent before the required macro information is available to Squid. +#Default: +# store_id_extras "%>a/%>A %un %>rm myip=%la myport=%lp" + +# TAG: store_id_children +# The maximum number of StoreID helper processes to spawn. If you limit +# it too few Squid will have to wait for them to process a backlog of +# requests, slowing it down. If you allow too many they will use RAM +# and other system resources noticably. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup= +# +# Sets a minimum of how many processes are to be spawned when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few will cause an initial slowdown in traffic as Squid +# attempts to simultaneously spawn enough processes to cope. +# +# idle= +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# +# The number of requests each storeID helper can handle in +# parallel. Defaults to 0 which indicates the helper +# is a old-style single threaded program. +# +# When this directive is set to a value >= 1 then the protocol +# used to communicate with the helper is modified to include +# an ID in front of the request/response. The ID from the request +# must be echoed back with the response to that request. +#Default: +# store_id_children 20 startup=0 idle=1 concurrency=0 + +# TAG: store_id_access +# If defined, this access list specifies which requests are +# sent to the StoreID processes. By default all requests +# are sent. # # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow, unless rules exist in squid.conf. + +# TAG: store_id_bypass +# When this is 'on', a request will not go through the +# helper if all helpers are busy. If this is 'off' +# and the helper queue grows too large, Squid will exit +# with a FATAL error and ask you to increase the number of +# helpers. You should only enable this if the helperss +# are not critical to your caching system. If you use +# helpers for critical caching components, and you enable this +# option, users may not get objects from cache. +#Default: +# store_id_bypass on + +# OPTIONS FOR TUNING THE CACHE +# ----------------------------------------------------------------------------- + +# TAG: cache +# Requests denied by this directive will not be served from the cache +# and their responses will not be stored in the cache. This directive +# has no effect on other transactions and on already cached responses. +# +# This clause supports both fast and slow acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# This and the two other similar caching directives listed below are +# checked at different transaction processing stages, have different +# access to response information, affect different cache operations, +# and differ in slow ACLs support: +# +# * cache: Checked before Squid makes a hit/miss determination. +# No access to reply information! +# Denies both serving a hit and storing a miss. +# Supports both fast and slow ACLs. +# * send_hit: Checked after a hit was detected. +# Has access to reply (hit) information. +# Denies serving a hit only. +# Supports fast ACLs only. +# * store_miss: Checked before storing a cachable miss. +# Has access to reply (miss) information. +# Denies storing a miss only. +# Supports fast ACLs only. +# +# If you are not sure which of the three directives to use, apply the +# following decision logic: +# +# * If your ACL(s) are of slow type _and_ need response info, redesign. +# Squid does not support that particular combination at this time. +# Otherwise: +# * If your directive ACL(s) are of slow type, use "cache"; and/or +# * if your directive ACL(s) need no response info, use "cache". +# Otherwise: +# * If you do not want the response cached, use store_miss; and/or +# * if you do not want a hit on a cached response, use send_hit. +#Default: +# By default, this directive is unused and has no effect. + +# TAG: send_hit +# Responses denied by this directive will not be served from the cache +# (but may still be cached, see store_miss). This directive has no +# effect on the responses it allows and on the cached objects. +# +# Please see the "cache" directive for a summary of differences among +# store_miss, send_hit, and cache directives. +# +# Unlike the "cache" directive, send_hit only supports fast acl +# types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# For example: +# +# # apply custom Store ID mapping to some URLs +# acl MapMe dstdomain .c.example.com +# store_id_program ... +# store_id_access allow MapMe +# +# # but prevent caching of special responses +# # such as 302 redirects that cause StoreID loops +# acl Ordinary http_status 200-299 +# store_miss deny MapMe !Ordinary +# +# # and do not serve any previously stored special responses +# # from the cache (in case they were already cached before +# # the above store_miss rule was in effect). +# send_hit deny MapMe !Ordinary +#Default: +# By default, this directive is unused and has no effect. + +# TAG: store_miss +# Responses denied by this directive will not be cached (but may still +# be served from the cache, see send_hit). This directive has no +# effect on the responses it allows and on the already cached responses. +# +# Please see the "cache" directive for a summary of differences among +# store_miss, send_hit, and cache directives. See the +# send_hit directive for a usage example. +# +# Unlike the "cache" directive, store_miss only supports fast acl +# types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# By default, this directive is unused and has no effect. + +# TAG: max_stale time-units +# This option puts an upper limit on how stale content Squid +# will serve from the cache if cache validation fails. +# Can be overriden by the refresh_pattern max-stale option. +#Default: +# max_stale 1 week # TAG: refresh_pattern # usage: refresh_pattern [-i] regex min percent max [options] @@ -3028,12 +4776,13 @@ coredump_dir /var/spool/squid # override-lastmod # reload-into-ims # ignore-reload -# ignore-no-cache # ignore-no-store # ignore-must-revalidate # ignore-private # ignore-auth +# max-stale=NN # refresh-ims +# store-stale # # override-expire enforces min age even if the server # sent an explicit expiry time (e.g., with the @@ -3049,22 +4798,18 @@ coredump_dir /var/spool/squid # override-lastmod enforces min age even on objects # that were modified recently. # -# reload-into-ims changes client no-cache or ``reload'' -# to If-Modified-Since requests. Doing this VIOLATES the -# HTTP standard. Enabling this feature could make you -# liable for problems which it causes. +# reload-into-ims changes a client no-cache or ``reload'' +# request for a cached entry into a conditional request using +# If-Modified-Since and/or If-None-Match headers, provided the +# cached entry has a Last-Modified and/or a strong ETag header. +# Doing this VIOLATES the HTTP standard. Enabling this feature +# could make you liable for problems which it causes. # # ignore-reload ignores a client no-cache or ``reload'' # header. Doing this VIOLATES the HTTP standard. Enabling # this feature could make you liable for problems which # it causes. # -# ignore-no-cache ignores any ``Pragma: no-cache'' and -# ``Cache-control: no-cache'' headers received from a server. -# The HTTP RFC never allows the use of this (Pragma) header -# from a server, only a client, though plenty of servers -# send it anyway. -# # ignore-no-store ignores any ``Cache-control: no-store'' # headers received from a server. Doing this VIOLATES # the HTTP standard. Enabling this feature could make you @@ -3091,9 +4836,19 @@ coredump_dir /var/spool/squid # ensures that the client will receive an updated version # if one is available. # +# store-stale stores responses even if they don't have explicit +# freshness or a validator (i.e., Last-Modified or an ETag) +# present, or if they're already stale. By default, Squid will +# not cache such responses because they usually can't be +# reused. Note that such responses will be stale by default. +# +# max-stale=NN provide a maximum staleness factor. Squid won't +# serve objects more stale than this even if it failed to +# validate the object. Default: use the max_stale global limit. +# # Basically a cached object is: # -# FRESH if expires < now, else STALE +# FRESH if expire > now, else STALE # STALE if age > max # FRESH if lm-factor < percent, else STALE # FRESH if age < min @@ -3109,7 +4864,9 @@ coredump_dir /var/spool/squid # # +# # Add any of your own refresh_pattern entries above these. +# refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 @@ -3137,7 +4894,7 @@ refresh_pattern . 0 20% 4320 # downloads. # # When the user aborts a request, Squid will check the -# quick_abort values to the amount of data transfered until +# quick_abort values to the amount of data transferred until # then. # # If the transfer has less than 'quick_abort_min' KB remaining, @@ -3195,44 +4952,68 @@ refresh_pattern . 0 20% 4320 #Default: # negative_dns_ttl 1 minutes -# TAG: range_offset_limit (bytes) -# Sets a upper limit on how far into the the file a Range request -# may be to cause Squid to prefetch the whole file. If beyond this -# limit Squid forwards the Range request as it is and the result -# is NOT cached. -# +# TAG: range_offset_limit size [acl acl...] +# usage: (size) [units] [[!]aclname] +# +# Sets an upper limit on how far (number of bytes) into the file +# a Range request may be to cause Squid to prefetch the whole file. +# If beyond this limit, Squid forwards the Range request as it is and +# the result is NOT cached. +# # This is to stop a far ahead range request (lets say start at 17MB) # from making Squid fetch the whole object up to that point before # sending anything to the client. -# -# A value of 0 causes Squid to never fetch more than the +# +# Multiple range_offset_limit lines may be specified, and they will +# be searched from top to bottom on each request until a match is found. +# The first match found will be used. If no line matches a request, the +# default limit of 0 bytes will be used. +# +# 'size' is the limit specified as a number of units. +# +# 'units' specifies whether to use bytes, KB, MB, etc. +# If no units are specified bytes are assumed. +# +# A size of 0 causes Squid to never fetch more than the # client requested. (default) -# -# A value of -1 causes Squid to always fetch the object from the +# +# A size of 'none' causes Squid to always fetch the object from the # beginning so it may cache the result. (2.0 style) -# -# NP: Using -1 here will override any quick_abort settings that may -# otherwise apply to the range request. The range request will +# +# 'aclname' is the name of a defined ACL. +# +# NP: Using 'none' as the byte value here will override any quick_abort settings +# that may otherwise apply to the range request. The range request will # be fully fetched from start to finish regardless of the client # actions. This affects bandwidth usage. #Default: -# range_offset_limit 0 KB +# none # TAG: minimum_expiry_time (seconds) # The minimum caching time according to (Expires - Date) -# Headers Squid honors if the object can't be revalidated -# defaults to 60 seconds. In reverse proxy environments it -# might be desirable to honor shorter object lifetimes. It -# is most likely better to make your server return a -# meaningful Last-Modified header however. In ESI environments -# where page fragments often have short lifetimes, this will -# often be best set to 0. +# headers Squid honors if the object can't be revalidated. +# The default is 60 seconds. +# +# In reverse proxy environments it might be desirable to honor +# shorter object lifetimes. It is most likely better to make +# your server return a meaningful Last-Modified header however. +# +# In ESI environments where page fragments often have short +# lifetimes, this will often be best set to 0. #Default: # minimum_expiry_time 60 seconds -# TAG: store_avg_object_size (kbytes) +# TAG: store_avg_object_size (bytes) # Average object size, used to estimate number of objects your # cache can hold. The default is 13 KB. +# +# This is used to pre-seed the cache index memory allocation to +# reduce expensive reallocate operations while handling clients +# traffic. Too-large values may result in memory allocation during +# peak traffic, too-small values will result in wasted memory. +# +# Check the cache manager 'info' report metrics for the real +# object sizes seen by your Squid before tuning this. #Default: # store_avg_object_size 13 KB @@ -3271,8 +5052,11 @@ refresh_pattern . 0 20% 4320 # than this limit receives an "Invalid Request" error message. # If you set this parameter to a zero (the default), there will # be no limit imposed. +# +# See also client_request_buffer_max_size for an alternative +# limitation on client uploads which can be configured. #Default: -# request_body_max_size 0 KB +# No limit. # TAG: client_request_buffer_max_size (bytes) # This specifies the maximum buffer size of a client request. @@ -3281,29 +5065,6 @@ refresh_pattern . 0 20% 4320 #Default: # client_request_buffer_max_size 512 KB -# TAG: chunked_request_body_max_size (bytes) -# A broken or confused HTTP/1.1 client may send a chunked HTTP -# request to Squid. Squid does not have full support for that -# feature yet. To cope with such requests, Squid buffers the -# entire request and then dechunks request body to create a -# plain HTTP/1.0 request with a known content length. The plain -# request is then used by the rest of Squid code as usual. -# -# The option value specifies the maximum size of the buffer used -# to hold the request before the conversion. If the chunked -# request size exceeds the specified limit, the conversion -# fails, and the client receives an "unsupported request" error, -# as if dechunking was disabled. -# -# Dechunking is enabled by default. To disable conversion of -# chunked requests, set the maximum to zero. -# -# Request dechunking feature and this option in particular are a -# temporary hack. When chunking requests and responses are fully -# supported, there will be no need to buffer a chunked request. -#Default: -# chunked_request_body_max_size 64 KB - # TAG: broken_posts # A list of ACL elements which, if matched, causes Squid to send # an extra CRLF pair after the body of a PUT/POST request. @@ -3325,15 +5086,15 @@ refresh_pattern . 0 20% 4320 # acl buggy_server url_regex ^http://.... # broken_posts allow buggy_server #Default: -# none +# Obey RFC 2616. -# TAG: icap_uses_indirect_client on|off +# TAG: adaptation_uses_indirect_client on|off # Controls whether the indirect client IP address (instead of the direct # client IP address) is passed to adaptation services. # # See also: follow_x_forwarded_for adaptation_send_client_ip #Default: -# icap_uses_indirect_client on +# adaptation_uses_indirect_client on # TAG: via on|off # If set (default), Squid will include a Via header in requests and @@ -3395,64 +5156,62 @@ refresh_pattern . 0 20% 4320 # # This option replaces the old 'anonymize_headers' and the # older 'http_anonymizer' option with something that is much -# more configurable. This new method creates a list of ACLs -# for each header, allowing you very fine-tuned header -# mangling. -# -# This option only applies to request headers, i.e., from the -# client to the server. -# -# You can only specify known headers for the header name. -# Other headers are reclassified as 'Other'. You can also -# refer to all the headers with 'All'. +# more configurable. A list of ACLs for each header name allows +# removal of specific header fields under specific conditions. +# +# This option only applies to outgoing HTTP request headers (i.e., +# headers sent by Squid to the next HTTP hop such as a cache peer +# or an origin server). The option has no effect during cache hit +# detection. The equivalent adaptation vectoring point in ICAP +# terminology is post-cache REQMOD. +# +# The option is applied to individual outgoing request header +# fields. For each request header field F, Squid uses the first +# qualifying sets of request_header_access rules: +# +# 1. Rules with header_name equal to F's name. +# 2. Rules with header_name 'Other', provided F's name is not +# on the hard-coded list of commonly used HTTP header names. +# 3. Rules with header_name 'All'. +# +# Within that qualifying rule set, rule ACLs are checked as usual. +# If ACLs of an "allow" rule match, the header field is allowed to +# go through as is. If ACLs of a "deny" rule match, the header is +# removed and request_header_replace is then checked to identify +# if the removed header has a replacement. If no rules within the +# set have matching ACLs, the header field is left as is. # # For example, to achieve the same behavior as the old # 'http_anonymizer standard' option, you should use: # # request_header_access From deny all # request_header_access Referer deny all -# request_header_access Server deny all # request_header_access User-Agent deny all -# request_header_access WWW-Authenticate deny all -# request_header_access Link deny all # # Or, to reproduce the old 'http_anonymizer paranoid' feature # you should use: # -# request_header_access Allow allow all # request_header_access Authorization allow all -# request_header_access WWW-Authenticate allow all # request_header_access Proxy-Authorization allow all -# request_header_access Proxy-Authenticate allow all # request_header_access Cache-Control allow all -# request_header_access Content-Encoding allow all # request_header_access Content-Length allow all # request_header_access Content-Type allow all # request_header_access Date allow all -# request_header_access Expires allow all # request_header_access Host allow all # request_header_access If-Modified-Since allow all -# request_header_access Last-Modified allow all -# request_header_access Location allow all # request_header_access Pragma allow all # request_header_access Accept allow all # request_header_access Accept-Charset allow all # request_header_access Accept-Encoding allow all # request_header_access Accept-Language allow all -# request_header_access Content-Language allow all -# request_header_access Mime-Version allow all -# request_header_access Retry-After allow all -# request_header_access Title allow all # request_header_access Connection allow all # request_header_access All deny all # -# although many of those are HTTP reply headers, and so should be -# controlled with the reply_header_access directive. +# HTTP reply headers are controlled with the reply_header_access directive. # -# By default, all headers are allowed (no anonymizing is -# performed). +# By default, all headers are allowed (no anonymizing is performed). #Default: -# none +# No limits. # TAG: reply_header_access # Usage: reply_header_access header_name allow|deny [!]aclname ... @@ -3465,25 +5224,13 @@ refresh_pattern . 0 20% 4320 # server to the client. # # This is the same as request_header_access, but in the other -# direction. -# -# This option replaces the old 'anonymize_headers' and the -# older 'http_anonymizer' option with something that is much -# more configurable. This new method creates a list of ACLs -# for each header, allowing you very fine-tuned header -# mangling. -# -# You can only specify known headers for the header name. -# Other headers are reclassified as 'Other'. You can also -# refer to all the headers with 'All'. +# direction. Please see request_header_access for detailed +# documentation. # # For example, to achieve the same behavior as the old # 'http_anonymizer standard' option, you should use: # -# reply_header_access From deny all -# reply_header_access Referer deny all # reply_header_access Server deny all -# reply_header_access User-Agent deny all # reply_header_access WWW-Authenticate deny all # reply_header_access Link deny all # @@ -3491,9 +5238,7 @@ refresh_pattern . 0 20% 4320 # you should use: # # reply_header_access Allow allow all -# reply_header_access Authorization allow all # reply_header_access WWW-Authenticate allow all -# reply_header_access Proxy-Authorization allow all # reply_header_access Proxy-Authenticate allow all # reply_header_access Cache-Control allow all # reply_header_access Content-Encoding allow all @@ -3501,29 +5246,22 @@ refresh_pattern . 0 20% 4320 # reply_header_access Content-Type allow all # reply_header_access Date allow all # reply_header_access Expires allow all -# reply_header_access Host allow all -# reply_header_access If-Modified-Since allow all # reply_header_access Last-Modified allow all # reply_header_access Location allow all # reply_header_access Pragma allow all -# reply_header_access Accept allow all -# reply_header_access Accept-Charset allow all -# reply_header_access Accept-Encoding allow all -# reply_header_access Accept-Language allow all # reply_header_access Content-Language allow all -# reply_header_access Mime-Version allow all # reply_header_access Retry-After allow all # reply_header_access Title allow all +# reply_header_access Content-Disposition allow all # reply_header_access Connection allow all # reply_header_access All deny all # -# although the HTTP request headers won't be usefully controlled -# by this directive -- see request_header_access for details. +# HTTP request headers are controlled with the request_header_access directive. # # By default, all headers are allowed (no anonymizing is # performed). #Default: -# none +# No limits. # TAG: request_header_replace # Usage: request_header_replace header_name message @@ -3531,8 +5269,7 @@ refresh_pattern . 0 20% 4320 # # This option allows you to change the contents of headers # denied with request_header_access above, by replacing them -# with some fixed string. This replaces the old fake_user_agent -# option. +# with some fixed string. # # This only applies to request headers, not reply headers. # @@ -3554,6 +5291,57 @@ refresh_pattern . 0 20% 4320 #Default: # none +# TAG: request_header_add +# Usage: request_header_add field-name field-value acl1 [acl2] ... +# Example: request_header_add X-Client-CA "CA=%ssl::>cert_issuer" all +# +# This option adds header fields to outgoing HTTP requests (i.e., +# request headers sent by Squid to the next HTTP hop such as a +# cache peer or an origin server). The option has no effect during +# cache hit detection. The equivalent adaptation vectoring point +# in ICAP terminology is post-cache REQMOD. +# +# Field-name is a token specifying an HTTP header name. If a +# standard HTTP header name is used, Squid does not check whether +# the new header conflicts with any existing headers or violates +# HTTP rules. If the request to be modified already contains a +# field with the same name, the old field is preserved but the +# header field values are not merged. +# +# Field-value is either a token or a quoted string. If quoted +# string format is used, then the surrounding quotes are removed +# while escape sequences and %macros are processed. +# +# In theory, all of the logformat codes can be used as %macros. +# However, unlike logging (which happens at the very end of +# transaction lifetime), the transaction may not yet have enough +# information to expand a macro when the new header value is needed. +# And some information may already be available to Squid but not yet +# committed where the macro expansion code can access it (report +# such instances!). The macro will be expanded into a single dash +# ('-') in such cases. Not all macros have been tested. +# +# One or more Squid ACLs may be specified to restrict header +# injection to matching requests. As always in squid.conf, all +# ACLs in an option ACL list must be satisfied for the insertion +# to happen. The request_header_add option supports fast ACLs +# only. +#Default: +# none + +# TAG: note +# This option used to log custom information about the master +# transaction. For example, an admin may configure Squid to log +# which "user group" the transaction belongs to, where "user group" +# will be determined based on a set of ACLs and not [just] +# authentication information. +# Values of key/value pairs can be logged using %{key}note macros: +# +# note key value acl ... +# logformat myFormat ... %{key}note ... +#Default: +# none + # TAG: relaxed_header_parser on|off|warn # In the default "on" setting Squid accepts certain forms # of non-compliant HTTP messages where it is unambiguous @@ -3569,15 +5357,32 @@ refresh_pattern . 0 20% 4320 #Default: # relaxed_header_parser on -# TAG: ignore_expect_100 on|off -# This option makes Squid ignore any Expect: 100-continue header present -# in the request. RFC 2616 requires that Squid being unable to satisfy -# the response expectation MUST return a 417 error. -# -# Note: Enabling this is a HTTP protocol violation, but some clients may -# not handle it well.. -#Default: -# ignore_expect_100 off +# TAG: collapsed_forwarding (on|off) +# When enabled, instead of forwarding each concurrent request for +# the same URL, Squid just sends the first of them. The other, so +# called "collapsed" requests, wait for the response to the first +# request and, if it happens to be cachable, use that response. +# Here, "concurrent requests" means "received after the first +# request headers were parsed and before the corresponding response +# headers were parsed". +# +# This feature is disabled by default: enabling collapsed +# forwarding needlessly delays forwarding requests that look +# cachable (when they are collapsed) but then need to be forwarded +# individually anyway because they end up being for uncachable +# content. However, in some cases, such as acceleration of highly +# cachable content with periodic or grouped expiration times, the +# gains from collapsing [large volumes of simultaneous refresh +# requests] outweigh losses from such delays. +# +# Squid collapses two kinds of requests: regular client requests +# received on one of the listening ports and internal "cache +# revalidation" requests which are triggered by those regular +# requests hitting a stale cached object. Revalidation collapsing +# is currently disabled for Squid instances containing SMP-aware +# disk or memory caches and for Vary-controlled cached objects. +#Default: +# collapsed_forwarding off # TIMEOUTS # ----------------------------------------------------------------------------- @@ -3604,25 +5409,46 @@ refresh_pattern . 0 20% 4320 # peer_connect_timeout 30 seconds # TAG: read_timeout time-units -# The read_timeout is applied on server-side connections. After -# each successful read(), the timeout will be extended by this +# Applied on peer server connections. +# +# After each successful read(), the timeout will be extended by this # amount. If no data is read again after this amount of time, -# the request is aborted and logged with ERR_READ_TIMEOUT. The -# default is 15 minutes. +# the request is aborted and logged with ERR_READ_TIMEOUT. +# +# The default is 15 minutes. #Default: # read_timeout 15 minutes +# TAG: write_timeout time-units +# This timeout is tracked for all connections that have data +# available for writing and are waiting for the socket to become +# ready. After each successful write, the timeout is extended by +# the configured amount. If Squid has data to write but the +# connection is not ready for the configured duration, the +# transaction associated with the connection is terminated. The +# default is 15 minutes. +#Default: +# write_timeout 15 minutes + # TAG: request_timeout # How long to wait for complete HTTP request headers after initial # connection establishment. #Default: # request_timeout 5 minutes -# TAG: persistent_request_timeout +# TAG: client_idle_pconn_timeout # How long to wait for the next HTTP request on a persistent -# connection after the previous request completes. +# client connection after the previous request completes. +#Default: +# client_idle_pconn_timeout 2 minutes + +# TAG: ftp_client_idle_timeout +# How long to wait for an FTP request on a connection to Squid ftp_port. +# Many FTP clients do not deal with idle connection closures well, +# necessitating a longer default timeout than client_idle_pconn_timeout +# used for incoming HTTP requests. #Default: -# persistent_request_timeout 2 minutes +# ftp_client_idle_timeout 30 minutes # TAG: client_lifetime time-units # The maximum amount of time a client (browser) is allowed to @@ -3658,11 +5484,11 @@ refresh_pattern . 0 20% 4320 #Default: # half_closed_clients off -# TAG: pconn_timeout +# TAG: server_idle_pconn_timeout # Timeout for idle persistent connections to servers and other # proxies. #Default: -# pconn_timeout 1 minute +# server_idle_pconn_timeout 1 minute # TAG: ident_timeout # Maximum time to wait for IDENT lookups to complete. @@ -3687,15 +5513,15 @@ refresh_pattern . 0 20% 4320 # TAG: cache_mgr # Email-address of local cache manager who will receive -# mail if the cache dies. The default is "webmaster." +# mail if the cache dies. The default is "webmaster". #Default: # cache_mgr webmaster # TAG: mail_from # From: email-address for mail sent when the cache dies. -# The default is to use 'appname@unique_hostname'. -# Default appname value is "squid", can be changed into -# src/globals.h before building squid. +# The default is to use 'squid@unique_hostname'. +# +# See also: unique_hostname directive. #Default: # none @@ -3734,7 +5560,7 @@ refresh_pattern . 0 20% 4320 # Our preference is for administrators to configure a secure # user account for squid with UID/GID matching system policies. #Default: -# none +# Use system group memberships of the cache_effective_user account # TAG: httpd_suppress_version_string on|off # Suppress Squid version string info in HTTP headers and HTML error pages. @@ -3748,14 +5574,14 @@ refresh_pattern . 0 20% 4320 # get errors about IP-forwarding you must set them to have individual # names with this setting. #Default: -# visible_hostname localhost +# Automatically detect the system host name # TAG: unique_hostname # If you want to have multiple machines with the same # 'visible_hostname' you must give each machine a different # 'unique_hostname' so forwarding loops can be detected. #Default: -# none +# Copy the value from visible_hostname # TAG: hostname_aliases # A list of other DNS names your cache has. @@ -3794,33 +5620,32 @@ refresh_pattern . 0 20% 4320 # available on the Web at http://www.ircache.net/Cache/Tracker/. # TAG: announce_period -# This is how frequently to send cache announcements. The -# default is `0' which disables sending the announcement -# messages. +# This is how frequently to send cache announcements. # # To enable announcing your cache, just set an announce period. # # Example: # announce_period 1 day #Default: -# announce_period 0 +# Announcement messages disabled. # TAG: announce_host +# Set the hostname where announce registration messages will be sent. +# +# See also announce_port and announce_file #Default: # announce_host tracker.ircache.net # TAG: announce_file +# The contents of this file will be included in the announce +# registration messages. #Default: # none # TAG: announce_port -# announce_host and announce_port set the hostname and port -# number where the registration message will be sent. +# Set the port where announce registration messages will be sent. # -# Hostname will default to 'tracker.ircache.net' and port will -# default default to 3131. If the 'filename' argument is given, -# the contents of that file will be included in the announce -# message. +# See also announce_host and announce_file #Default: # announce_port 3131 @@ -3833,10 +5658,12 @@ refresh_pattern . 0 20% 4320 # a farm of surrogates may all perform the same tasks, they may share # an identification token. #Default: -# httpd_accel_surrogate_id unset-id +# visible_hostname is used if no specific ID is set. # TAG: http_accel_surrogate_remote on|off -# Remote surrogates (such as those in a CDN) honour Surrogate-Control: no-store-remote. +# Remote surrogates (such as those in a CDN) honour the header +# "Surrogate-Control: no-store-remote". +# # Set this to on to have squid behave as a remote surrogate. #Default: # http_accel_surrogate_remote off @@ -3855,6 +5682,9 @@ refresh_pattern . 0 20% 4320 # This represents the number of delay pools to be used. For example, # if you have one class 2 delay pool and one class 3 delays pool, you # have a total of 2 delay pools. +# +# See also delay_parameters, delay_class, delay_access for pool +# configuration details. #Default: # delay_pools 0 @@ -3907,6 +5737,11 @@ refresh_pattern . 0 20% 4320 # # NOTE-2: Due to the use of bitmasks in class 2,3,4 pools they only apply to # IPv4 traffic. Class 1 and 5 pools may be used with IPv6 traffic. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# See also delay_parameters and delay_access. #Default: # none @@ -3921,14 +5756,16 @@ refresh_pattern . 0 20% 4320 # For example, if you want some_big_clients in delay # pool 1 and lotsa_little_clients in delay pool 2: # -#Example: -# delay_access 1 allow some_big_clients -# delay_access 1 deny all -# delay_access 2 allow lotsa_little_clients -# delay_access 2 deny all -# delay_access 3 allow authenticated_clients +# delay_access 1 allow some_big_clients +# delay_access 1 deny all +# delay_access 2 allow lotsa_little_clients +# delay_access 2 deny all +# delay_access 3 allow authenticated_clients +# +# See also delay_parameters and delay_class. +# #Default: -# none +# Deny using the pool, unless allow rules exist in squid.conf for the pool. # TAG: delay_parameters # This defines the parameters for a delay pool. Each delay pool has @@ -3936,23 +5773,23 @@ refresh_pattern . 0 20% 4320 # description of delay_class. # # For a class 1 delay pool, the syntax is: -# delay_pools pool 1 +# delay_class pool 1 # delay_parameters pool aggregate # # For a class 2 delay pool: -# delay_pools pool 2 +# delay_class pool 2 # delay_parameters pool aggregate individual # # For a class 3 delay pool: -# delay_pools pool 3 +# delay_class pool 3 # delay_parameters pool aggregate network individual # # For a class 4 delay pool: -# delay_pools pool 4 +# delay_class pool 4 # delay_parameters pool aggregate network individual user # # For a class 5 delay pool: -# delay_pools pool 5 +# delay_class pool 5 # delay_parameters pool tagrate # # The option variables are: @@ -3988,11 +5825,11 @@ refresh_pattern . 0 20% 4320 # above example, and is being used to strictly limit each host to 64Kbit/sec # (plus overheads), with no overall limit, the line is: # -# delay_parameters 1 -1/-1 8000/8000 +# delay_parameters 1 none 8000/8000 # -# Note that 8 x 8000 KByte/sec -> 64Kbit/sec. +# Note that 8 x 8K Byte/sec -> 64K bit/sec. # -# Note that the figure -1 is used to represent "unlimited". +# Note that the word 'none' is used to represent no limit. # # # And, if delay pool number 2 is a class 3 delay pool as in the above @@ -4005,15 +5842,19 @@ refresh_pattern . 0 20% 4320 # # delay_parameters 2 32000/32000 8000/8000 600/8000 # -# Note that 8 x 32000 KByte/sec -> 256Kbit/sec. -# 8 x 8000 KByte/sec -> 64Kbit/sec. -# 8 x 600 Byte/sec -> 4800bit/sec. +# Note that 8 x 32K Byte/sec -> 256K bit/sec. +# 8 x 8K Byte/sec -> 64K bit/sec. +# 8 x 600 Byte/sec -> 4800 bit/sec. # # # Finally, for a class 4 delay pool as in the example - each user will # be limited to 128Kbits/sec no matter how many workstations they are logged into.: # # delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000 +# +# +# See also delay_class and delay_access. +# #Default: # none @@ -4026,6 +5867,94 @@ refresh_pattern . 0 20% 4320 #Default: # delay_initial_bucket_level 50 +# CLIENT DELAY POOL PARAMETERS +# ----------------------------------------------------------------------------- + +# TAG: client_delay_pools +# This option specifies the number of client delay pools used. It must +# preceed other client_delay_* options. +# +# Example: +# client_delay_pools 2 +# +# See also client_delay_parameters and client_delay_access. +#Default: +# client_delay_pools 0 + +# TAG: client_delay_initial_bucket_level (percent, 0-no_limit) +# This option determines the initial bucket size as a percentage of +# max_bucket_size from client_delay_parameters. Buckets are created +# at the time of the "first" connection from the matching IP. Idle +# buckets are periodically deleted up. +# +# You can specify more than 100 percent but note that such "oversized" +# buckets are not refilled until their size goes down to max_bucket_size +# from client_delay_parameters. +# +# Example: +# client_delay_initial_bucket_level 50 +#Default: +# client_delay_initial_bucket_level 50 + +# TAG: client_delay_parameters +# +# This option configures client-side bandwidth limits using the +# following format: +# +# client_delay_parameters pool speed_limit max_bucket_size +# +# pool is an integer ID used for client_delay_access matching. +# +# speed_limit is bytes added to the bucket per second. +# +# max_bucket_size is the maximum size of a bucket, enforced after any +# speed_limit additions. +# +# Please see the delay_parameters option for more information and +# examples. +# +# Example: +# client_delay_parameters 1 1024 2048 +# client_delay_parameters 2 51200 16384 +# +# See also client_delay_access. +# +#Default: +# none + +# TAG: client_delay_access +# This option determines the client-side delay pool for the +# request: +# +# client_delay_access pool_ID allow|deny acl_name +# +# All client_delay_access options are checked in their pool ID +# order, starting with pool 1. The first checked pool with allowed +# request is selected for the request. If no ACL matches or there +# are no client_delay_access options, the request bandwidth is not +# limited. +# +# The ACL-selected pool is then used to find the +# client_delay_parameters for the request. Client-side pools are +# not used to aggregate clients. Clients are always aggregated +# based on their source IP addresses (one bucket per source IP). +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# Additionally, only the client TCP connection details are available. +# ACLs testing HTTP properties will not work. +# +# Please see delay_access for more examples. +# +# Example: +# client_delay_access 1 allow low_rate_network +# client_delay_access 2 allow vips_network +# +# +# See also client_delay_parameters and client_delay_pools. +#Default: +# Deny use of the pool, unless allow rules exist in squid.conf for the pool. + # WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS # ----------------------------------------------------------------------------- @@ -4040,7 +5969,7 @@ refresh_pattern . 0 20% 4320 # only one of the two may be used at the same time and defines # which version of WCCP to use. #Default: -# wccp_router any_addr +# WCCP disabled. # TAG: wccp2_router # Use this option to define your WCCP ``home'' router for @@ -4053,7 +5982,7 @@ refresh_pattern . 0 20% 4320 # only one of the two may be used at the same time and defines # which version of WCCP to use. #Default: -# none +# WCCPv2 disabled. # TAG: wccp_version # This directive is only relevant if you need to set up WCCP(v1) @@ -4110,7 +6039,7 @@ refresh_pattern . 0 20% 4320 # Valid values are as follows: # # hash - Hash assignment -# mask - Mask assignment +# mask - Mask assignment # # As a general rule, cisco routers support the hash assignment method # and cisco switches support the mask assignment method. @@ -4138,7 +6067,7 @@ refresh_pattern . 0 20% 4320 # # fleshed out with subsequent options. # wccp2_service standard 0 password=foo #Default: -# wccp2_service standard 0 +# Use the 'web-cache' standard service. # TAG: wccp2_service_info # Dynamic WCCPv2 services require further information to define the @@ -4175,8 +6104,12 @@ refresh_pattern . 0 20% 4320 # wccp2_weight 10000 # TAG: wccp_address +# Use this option if you require WCCPv2 to use a specific +# interface address. +# +# The default behavior is to not bind to any specific address. #Default: -# wccp_address 0.0.0.0 +# Address selected by the operating system. # TAG: wccp2_address # Use this option if you require WCCP to use a specific @@ -4184,7 +6117,7 @@ refresh_pattern . 0 20% 4320 # # The default behavior is to not bind to any specific address. #Default: -# wccp2_address 0.0.0.0 +# Address selected by the operating system. # PERSISTENT CONNECTION HANDLING # ----------------------------------------------------------------------------- @@ -4192,14 +6125,16 @@ refresh_pattern . 0 20% 4320 # Also see "pconn_timeout" in the TIMEOUTS section # TAG: client_persistent_connections +# Persistent connection support for clients. +# Squid uses persistent connections (when allowed). You can use +# this option to disable persistent connections with clients. #Default: # client_persistent_connections on # TAG: server_persistent_connections -# Persistent connection support for clients and servers. By -# default, Squid uses persistent connections (when allowed) -# with its clients and servers. You can use these options to -# disable persistent connections with clients and/or servers. +# Persistent connection support for servers. +# Squid uses persistent connections (when allowed). You can use +# this option to disable persistent connections with servers. #Default: # server_persistent_connections on @@ -4275,7 +6210,7 @@ refresh_pattern . 0 20% 4320 # Example: # snmp_port 3401 #Default: -# snmp_port 0 +# SNMP disabled. # TAG: snmp_access # Allowing or denying access to the SNMP port. @@ -4287,26 +6222,29 @@ refresh_pattern . 0 20% 4320 # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# #Example: # snmp_access allow snmppublic localhost # snmp_access deny all #Default: -# snmp_access deny all +# Deny, unless rules exist in squid.conf. # TAG: snmp_incoming_address -#Default: -# snmp_incoming_address any_addr - -# TAG: snmp_outgoing_address # Just like 'udp_incoming_address', but for the SNMP port. # # snmp_incoming_address is used for the SNMP socket receiving # messages from SNMP agents. -# snmp_outgoing_address is used for SNMP packets returned to SNMP -# agents. # # The default snmp_incoming_address is to listen on all # available network interfaces. +#Default: +# Accept SNMP packets from all machine interfaces. + +# TAG: snmp_outgoing_address +# Just like 'udp_outgoing_address', but for the SNMP port. +# +# snmp_outgoing_address is used for SNMP packets returned to SNMP +# agents. # # If snmp_outgoing_address is not set it will use the same socket # as snmp_incoming_address. Only change this if you want to have @@ -4314,9 +6252,9 @@ refresh_pattern . 0 20% 4320 # listens for SNMP queries. # # NOTE, snmp_incoming_address and snmp_outgoing_address can not have -# the same value since they both use port 3401. +# the same value since they both use the same port. #Default: -# snmp_outgoing_address no_addr +# Use snmp_incoming_address or an address selected by the operating system. # ICP OPTIONS # ----------------------------------------------------------------------------- @@ -4324,22 +6262,21 @@ refresh_pattern . 0 20% 4320 # TAG: icp_port # The port number where Squid sends and receives ICP queries to # and from neighbor caches. The standard UDP port for ICP is 3130. -# Default is disabled (0). # # Example: # icp_port 3130 #Default: -# icp_port 0 +# ICP disabled. # TAG: htcp_port # The port number where Squid sends and receives HTCP queries to # and from neighbor caches. To turn it on you want to set it to -# 4827. By default it is set to "0" (disabled). +# 4827. # # Example: # htcp_port 4827 #Default: -# htcp_port 0 +# HTCP disabled. # TAG: log_icp_queries on|off # If set, ICP queries are logged to access.log. You may wish @@ -4365,7 +6302,7 @@ refresh_pattern . 0 20% 4320 # NOTE, udp_incoming_address and udp_outgoing_address can not # have the same value since they both use the same port. #Default: -# udp_incoming_address any_addr +# Accept packets from all machine interfaces. # TAG: udp_outgoing_address # udp_outgoing_address is used for UDP packets sent out to other @@ -4386,7 +6323,7 @@ refresh_pattern . 0 20% 4320 # NOTE, udp_incoming_address and udp_outgoing_address can not # have the same value since they both use the same port. #Default: -# udp_outgoing_address no_addr +# Use udp_incoming_address or an address selected by the operating system. # TAG: icp_hit_stale on|off # If you want to return ICP_HIT for stale cache objects, set this @@ -4405,21 +6342,33 @@ refresh_pattern . 0 20% 4320 #Default: # minimum_direct_hops 4 -# TAG: minimum_direct_rtt +# TAG: minimum_direct_rtt (msec) # If using the ICMP pinging stuff, do direct fetches for sites # which are no more than this many rtt milliseconds away. #Default: # minimum_direct_rtt 400 # TAG: netdb_low +# The low water mark for the ICMP measurement database. +# +# Note: high watermark controlled by netdb_high directive. +# +# These watermarks are counts, not percents. The defaults are +# (low) 900 and (high) 1000. When the high water mark is +# reached, database entries will be deleted until the low +# mark is reached. #Default: # netdb_low 900 # TAG: netdb_high -# The low and high water marks for the ICMP measurement -# database. These are counts, not percents. The defaults are -# 900 and 1000. When the high water mark is reached, database -# entries will be deleted until the low mark is reached. +# The high water mark for the ICMP measurement database. +# +# Note: low watermark controlled by netdb_low directive. +# +# These watermarks are counts, not percents. The defaults are +# (low) 900 and (high) 1000. When the high water mark is +# reached, database entries will be deleted until the low +# mark is reached. #Default: # netdb_high 1000 @@ -4462,7 +6411,7 @@ refresh_pattern . 0 20% 4320 # # icp_query_timeout 2000 #Default: -# icp_query_timeout 0 +# Dynamic detection. # TAG: maximum_icp_query_timeout (msec) # Normally the ICP query timeout is determined dynamically. But @@ -4528,7 +6477,7 @@ refresh_pattern . 0 20% 4320 # Do not enable this option unless you are are absolutely # certain you understand what you are doing. #Default: -# mcast_miss_addr no_addr +# disabled. # TAG: mcast_miss_ttl # Note: This option is only available if Squid is rebuilt with the @@ -4618,7 +6567,7 @@ refresh_pattern . 0 20% 4320 # The squid developers working on translations are happy to supply drop-in # translated error files in exchange for any new language contributions. #Default: -# none +# Send error pages in the clients preferred language # TAG: error_default_language # Set the default language which squid will send error pages in @@ -4632,7 +6581,7 @@ refresh_pattern . 0 20% 4320 # translations for any language see the squid wiki for details. # http://wiki.squid-cache.org/Translations #Default: -# none +# Generate English language pages. # TAG: error_log_languages # Log to cache.log what languages users are attempting to @@ -4687,17 +6636,47 @@ refresh_pattern . 0 20% 4320 # the first authentication related acl encountered # - When none of the http_access lines matches. It's then the last # acl processed on the last http_access line. +# - When the decision to deny access was made by an adaptation service, +# the acl name is the corresponding eCAP or ICAP service_name. # # NP: If providing your own custom error pages with error_directory # you may also specify them by your custom file name: # Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys # -# Alternatively you can specify an error URL. The browsers will -# get redirected (302 or 307) to the specified URL. %s in the redirection -# URL will be replaced by the requested URL. +# By defaut Squid will send "403 Forbidden". A different 4xx or 5xx +# may be specified by prefixing the file name with the code and a colon. +# e.g. 404:ERR_CUSTOM_ACCESS_DENIED # # Alternatively you can tell Squid to reset the TCP connection # by specifying TCP_RESET. +# +# Or you can specify an error URL or URL pattern. The browsers will +# get redirected to the specified URL after formatting tags have +# been replaced. Redirect will be done with 302 or 307 according to +# HTTP/1.1 specs. A different 3xx code may be specified by prefixing +# the URL. e.g. 303:http://example.com/ +# +# URL FORMAT TAGS: +# %a - username (if available. Password NOT included) +# %B - FTP path URL +# %e - Error number +# %E - Error description +# %h - Squid hostname +# %H - Request domain name +# %i - Client IP Address +# %M - Request Method +# %o - Message result from external ACL helper +# %p - Request Port number +# %P - Request Protocol name +# %R - Request URL path +# %T - Timestamp in RFC 1123 format +# %U - Full canonical URL from client +# (HTTPS URLs terminate with *) +# %u - Full canonical URL from client +# %w - Admin email from squid.conf +# %x - Error name +# %% - Literal percent (%) code +# #Default: # none @@ -4706,18 +6685,18 @@ refresh_pattern . 0 20% 4320 # TAG: nonhierarchical_direct # By default, Squid will send any non-hierarchical requests -# (matching hierarchy_stoplist or not cacheable request type) direct -# to origin servers. +# (not cacheable request type) direct to origin servers. # -# If you set this to off, Squid will prefer to send these +# When this is set to "off", Squid will prefer to send these # requests to parents. # # Note that in most configurations, by turning this off you will only # add latency to these request without any improvement in global hit # ratio. # -# If you are inside an firewall see never_direct instead of -# this directive. +# This option only sets a preference. If the parent is unavailable a +# direct connection to the origin server may still be attempted. To +# completely prevent direct connections use never_direct. #Default: # nonhierarchical_direct on @@ -4736,6 +6715,29 @@ refresh_pattern . 0 20% 4320 #Default: # prefer_direct off +# TAG: cache_miss_revalidate on|off +# RFC 7232 defines a conditional request mechanism to prevent +# response objects being unnecessarily transferred over the network. +# If that mechanism is used by the client and a cache MISS occurs +# it can prevent new cache entries being created. +# +# This option determines whether Squid on cache MISS will pass the +# client revalidation request to the server or tries to fetch new +# content for caching. It can be useful while the cache is mostly +# empty to more quickly have the cache populated by generating +# non-conditional GETs. +# +# When set to 'on' (default), Squid will pass all client If-* headers +# to the server. This permits server responses without a cacheable +# payload to be delivered and on MISS no new cache entry is created. +# +# When set to 'off' and if the request is cacheable, Squid will +# remove the clients If-Modified-Since and If-None-Match headers from +# the request sent to the server. This requests a 200 status response +# from the server to create a new cache entry with. +#Default: +# cache_miss_revalidate on + # TAG: always_direct # Usage: always_direct allow|deny [!]aclname ... # @@ -4776,7 +6778,7 @@ refresh_pattern . 0 20% 4320 # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Prevent any cache_peer being used for this request. # TAG: never_direct # Usage: never_direct allow|deny [!]aclname ... @@ -4805,37 +6807,52 @@ refresh_pattern . 0 20% 4320 # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow DNS results to be used for this request. # ADVANCED NETWORKING OPTIONS # ----------------------------------------------------------------------------- -# TAG: incoming_icp_average +# TAG: incoming_udp_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: -# incoming_icp_average 6 +# incoming_udp_average 6 -# TAG: incoming_http_average +# TAG: incoming_tcp_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: -# incoming_http_average 4 +# incoming_tcp_average 4 # TAG: incoming_dns_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: # incoming_dns_average 4 -# TAG: min_icp_poll_cnt +# TAG: min_udp_poll_cnt +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: -# min_icp_poll_cnt 8 +# min_udp_poll_cnt 8 # TAG: min_dns_poll_cnt +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: # min_dns_poll_cnt 8 -# TAG: min_http_poll_cnt +# TAG: min_tcp_poll_cnt # Heavy voodoo here. I can't even believe you are reading this. # Are you crazy? Don't even think about adjusting these unless # you understand the algorithms in comm_select.c first! #Default: -# min_http_poll_cnt 8 +# min_tcp_poll_cnt 8 # TAG: accept_filter # FreeBSD: @@ -4880,14 +6897,14 @@ refresh_pattern . 0 20% 4320 # WARNING: This may noticably slow down traffic received via external proxies # or NAT devices and cause them to rebound error messages back to their clients. #Default: -# client_ip_max_connections -1 +# No limit. # TAG: tcp_recv_bufsize (bytes) # Size of receive buffer to set for TCP sockets. Probably just -# as easy to change your kernel's default. Set to zero to use -# the default buffer size. +# as easy to change your kernel's default. +# Omit from squid.conf to use the default buffer size. #Default: -# tcp_recv_bufsize 0 bytes +# Use operating system TCP defaults. # ICAP OPTIONS # ----------------------------------------------------------------------------- @@ -4913,22 +6930,36 @@ refresh_pattern . 0 20% 4320 # an established, active ICAP connection before giving up and # either terminating the HTTP transaction or bypassing the # failure. -# -# The default is read_timeout. #Default: -# none +# Use read_timeout. -# TAG: icap_service_failure_limit +# TAG: icap_service_failure_limit limit [in memory-depth time-units] # The limit specifies the number of failures that Squid tolerates # when establishing a new TCP connection with an ICAP service. If # the number of failures exceeds the limit, the ICAP service is # not used for new ICAP requests until it is time to refresh its -# OPTIONS. The per-service failure counter is reset to zero each -# time Squid fetches new service OPTIONS. +# OPTIONS. # # A negative value disables the limit. Without the limit, an ICAP # service will not be considered down due to connectivity failures # between ICAP OPTIONS requests. +# +# Squid forgets ICAP service failures older than the specified +# value of memory-depth. The memory fading algorithm +# is approximate because Squid does not remember individual +# errors but groups them instead, splitting the option +# value into ten time slots of equal length. +# +# When memory-depth is 0 and by default this option has no +# effect on service failure expiration. +# +# Squid always forgets failures when updating service settings +# using an ICAP OPTIONS transaction, regardless of this option +# setting. +# +# For example, +# # suspend service usage after 10 failures in 5 seconds: +# icap_service_failure_limit 10 in 5 seconds #Default: # icap_service_failure_limit 10 @@ -4962,10 +6993,26 @@ refresh_pattern . 0 20% 4320 # TAG: icap_preview_size # The default size of preview data to be sent to the ICAP server. -# -1 means no preview. This value might be overwritten on a per server -# basis by OPTIONS requests. +# This value might be overwritten on a per server basis by OPTIONS requests. +#Default: +# No preview sent. + +# TAG: icap_206_enable on|off +# 206 (Partial Content) responses is an ICAP extension that allows the +# ICAP agents to optionally combine adapted and original HTTP message +# content. The decision to combine is postponed until the end of the +# ICAP response. Squid supports Partial Content extension by default. +# +# Activation of the Partial Content extension is negotiated with each +# ICAP service during OPTIONS exchange. Most ICAP servers should handle +# negotation correctly even if they do not support the extension, but +# some might fail. To disable Partial Content support for all ICAP +# services and to avoid any negotiation, set this option to "off". +# +# Example: +# icap_206_enable off #Default: -# icap_preview_size -1 +# icap_206_enable on # TAG: icap_default_options_ttl # The default TTL value for ICAP OPTIONS responses that don't have @@ -4979,25 +7026,27 @@ refresh_pattern . 0 20% 4320 #Default: # icap_persistent_connections on -# TAG: icap_send_client_ip on|off +# TAG: adaptation_send_client_ip on|off # If enabled, Squid shares HTTP client IP information with adaptation # services. For ICAP, Squid adds the X-Client-IP header to ICAP requests. # For eCAP, Squid sets the libecap::metaClientIp transaction option. # # See also: adaptation_uses_indirect_client #Default: -# icap_send_client_ip off +# adaptation_send_client_ip off -# TAG: icap_send_client_username on|off +# TAG: adaptation_send_username on|off # This sends authenticated HTTP client username (if available) to -# the ICAP service. The username value is encoded based on the +# the adaptation service. +# +# For ICAP, the username value is encoded based on the # icap_client_username_encode option and is sent using the header # specified by the icap_client_username_header option. #Default: -# icap_send_client_username off +# adaptation_send_username off # TAG: icap_client_username_header -# ICAP request header name to use for send_client_username. +# ICAP request header name to use for adaptation_send_username. #Default: # icap_client_username_header X-Client-Username @@ -5009,17 +7058,19 @@ refresh_pattern . 0 20% 4320 # TAG: icap_service # Defines a single ICAP service using the following format: # -# icap_service service_name vectoring_point [options] service_url +# icap_service id vectoring_point uri [option ...] # -# service_name: ID -# an opaque identifier which must be unique in squid.conf +# id: ID +# an opaque identifier or name which is used to direct traffic to +# this specific service. Must be unique among all adaptation +# services in squid.conf. # # vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache # This specifies at which point of transaction processing the # ICAP service should be activated. *_postcache vectoring points # are not yet supported. # -# service_url: icap://servername:port/servicepath +# uri: icap://servername:port/servicepath # ICAP server and service location. # # ICAP does not allow a single service to handle both REQMOD and RESPMOD @@ -5028,6 +7079,8 @@ refresh_pattern . 0 20% 4320 # can even specify multiple identical services as long as their # service_names differ. # +# To activate a service, use the adaptation_access directive. To group +# services, use adaptation_service_chain and adaptation_service_set. # # Service options are separated by white space. ICAP services support # the following name=value options: @@ -5049,11 +7102,12 @@ refresh_pattern . 0 20% 4320 # returning a chain of services to be used next. The services # are specified using the X-Next-Services ICAP response header # value, formatted as a comma-separated list of service names. -# Each named service should be configured in squid.conf and -# should have the same method and vectoring point as the current -# ICAP transaction. Services violating these rules are ignored. -# An empty X-Next-Services value results in an empty plan which -# ends the current adaptation. +# Each named service should be configured in squid.conf. Other +# services are ignored. An empty X-Next-Services value results +# in an empty plan which ends the current adaptation. +# +# Dynamic adaptation plan may cross or cover multiple supported +# vectoring points in their natural processing order. # # Routing is not allowed by default: the ICAP X-Next-Services # response header is ignored. @@ -5063,12 +7117,32 @@ refresh_pattern . 0 20% 4320 # is to use IPv4-only connections. When set to 'on' this option will # make Squid use IPv6-only connections to contact this ICAP service. # +# on-overload=block|bypass|wait|force +# If the service Max-Connections limit has been reached, do +# one of the following for each new ICAP transaction: +# * block: send an HTTP error response to the client +# * bypass: ignore the "over-connected" ICAP service +# * wait: wait (in a FIFO queue) for an ICAP connection slot +# * force: proceed, ignoring the Max-Connections limit +# +# In SMP mode with N workers, each worker assumes the service +# connection limit is Max-Connections/N, even though not all +# workers may use a given service. +# +# The default value is "bypass" if service is bypassable, +# otherwise it is set to "wait". +# +# +# max-conn=number +# Use the given number as the Max-Connections limit, regardless +# of the Max-Connections value given by the service, if any. +# # Older icap_service format without optional named parameters is # deprecated but supported for backward compatibility. # #Example: -#icap_service svcBlocker reqmod_precache bypass=0 icap://icap1.mydomain.net:1344/reqmod -#icap_service svcLogger reqmod_precache routing=on icap://icap2.mydomain.net:1344/respmod +#icap_service svcBlocker reqmod_precache icap://icap1.mydomain.net:1344/reqmod bypass=0 +#icap_service svcLogger reqmod_precache icap://icap2.mydomain.net:1344/respmod routing=on #Default: # none @@ -5094,38 +7168,65 @@ refresh_pattern . 0 20% 4320 # ----------------------------------------------------------------------------- # TAG: ecap_enable on|off -# Note: This option is only available if Squid is rebuilt with the -# --enable-ecap option -# # Controls whether eCAP support is enabled. #Default: # ecap_enable off # TAG: ecap_service -# Note: This option is only available if Squid is rebuilt with the -# --enable-ecap option -# # Defines a single eCAP service # -# ecap_service servicename vectoring_point bypass service_url +# ecap_service id vectoring_point uri [option ...] # -# vectoring_point = reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache +# id: ID +# an opaque identifier or name which is used to direct traffic to +# this specific service. Must be unique among all adaptation +# services in squid.conf. +# +# vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache # This specifies at which point of transaction processing the # eCAP service should be activated. *_postcache vectoring points # are not yet supported. -# bypass = 1|0 -# If set to 1, the eCAP service is treated as optional. If the -# service cannot be reached or malfunctions, Squid will try to -# ignore any errors and process the message as if the service +# +# uri: ecap://vendor/service_name?custom&cgi=style¶meters=optional +# Squid uses the eCAP service URI to match this configuration +# line with one of the dynamically loaded services. Each loaded +# eCAP service must have a unique URI. Obtain the right URI from +# the service provider. +# +# To activate a service, use the adaptation_access directive. To group +# services, use adaptation_service_chain and adaptation_service_set. +# +# Service options are separated by white space. eCAP services support +# the following name=value options: +# +# bypass=on|off|1|0 +# If set to 'on' or '1', the eCAP service is treated as optional. +# If the service cannot be reached or malfunctions, Squid will try +# to ignore any errors and process the message as if the service # was not enabled. No all eCAP errors can be bypassed. -# If set to 0, the eCAP service is treated as essential and all -# eCAP errors will result in an error page returned to the +# If set to 'off' or '0', the eCAP service is treated as essential +# and all eCAP errors will result in an error page returned to the # HTTP client. -# service_url = ecap://vendor/service_name?custom&cgi=style¶meters=optional +# +# Bypass is off by default: services are treated as essential. +# +# routing=on|off|1|0 +# If set to 'on' or '1', the eCAP service is allowed to +# dynamically change the current message adaptation plan by +# returning a chain of services to be used next. +# +# Dynamic adaptation plan may cross or cover multiple supported +# vectoring points in their natural processing order. +# +# Routing is not allowed by default. +# +# Older ecap_service format without optional named parameters is +# deprecated but supported for backward compatibility. +# # #Example: -#ecap_service service_1 reqmod_precache 0 ecap://filters-R-us/leakDetector?on_error=block -#ecap_service service_2 respmod_precache 1 icap://filters-R-us/virusFilter?config=/etc/vf.cfg +#ecap_service s1 reqmod_precache ecap://filters.R.us/leakDetector?on_error=block bypass=off +#ecap_service s2 respmod_precache ecap://filters.R.us/virusFilter config=/etc/vf.cfg bypass=on #Default: # none @@ -5247,7 +7348,7 @@ refresh_pattern . 0 20% 4320 #Example: #adaptation_access service_1 allow all #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: adaptation_service_iteration_limit # Limits the number of iterations allowed when applying adaptation @@ -5275,8 +7376,14 @@ refresh_pattern . 0 20% 4320 # # An ICAP REQMOD or RESPMOD transaction may set an entry in the # shared table by returning an ICAP header field with a name -# specified in adaptation_masterx_shared_names. Squid will store -# and forward that ICAP header field to subsequent ICAP +# specified in adaptation_masterx_shared_names. +# +# An eCAP REQMOD or RESPMOD transaction may set an entry in the +# shared table by implementing the libecap::visitEachOption() API +# to provide an option with a name specified in +# adaptation_masterx_shared_names. +# +# Squid will store and forward the set entry to subsequent adaptation # transactions within the same master transaction scope. # # Only one shared entry name is supported at this time. @@ -5287,6 +7394,43 @@ refresh_pattern . 0 20% 4320 #Default: # none +# TAG: adaptation_meta +# This option allows Squid administrator to add custom ICAP request +# headers or eCAP options to Squid ICAP requests or eCAP transactions. +# Use it to pass custom authentication tokens and other +# transaction-state related meta information to an ICAP/eCAP service. +# +# The addition of a meta header is ACL-driven: +# adaptation_meta name value [!]aclname ... +# +# Processing for a given header name stops after the first ACL list match. +# Thus, it is impossible to add two headers with the same name. If no ACL +# lists match for a given header name, no such header is added. For +# example: +# +# # do not debug transactions except for those that need debugging +# adaptation_meta X-Debug 1 needs_debugging +# +# # log all transactions except for those that must remain secret +# adaptation_meta X-Log 1 !keep_secret +# +# # mark transactions from users in the "G 1" group +# adaptation_meta X-Authenticated-Groups "G 1" authed_as_G1 +# +# The "value" parameter may be a regular squid.conf token or a "double +# quoted string". Within the quoted string, use backslash (\) to escape +# any character, which is currently only useful for escaping backslashes +# and double quotes. For example, +# "this string has one backslash (\\) and two \"quotes\"" +# +# Used adaptation_meta header values may be logged via %note +# logformat code. If multiple adaptation_meta headers with the same name +# are used during master transaction lifetime, the header values are +# logged in the order they were used and duplicate values are ignored +# (only the first repeated value will be logged). +#Default: +# none + # TAG: icap_retry # This ACL determines which retriable ICAP transactions are # retried. Transactions that received a complete ICAP response @@ -5303,8 +7447,7 @@ refresh_pattern . 0 20% 4320 # icap_retry deny all # TAG: icap_retry_limit -# Limits the number of retries allowed. When set to zero (default), -# no retries are allowed. +# Limits the number of retries allowed. # # Communication errors due to persistent connection race # conditions are unavoidable, automatically retried, and do not @@ -5312,7 +7455,7 @@ refresh_pattern . 0 20% 4320 # # See also: icap_retry #Default: -# icap_retry_limit 0 +# No retries are allowed. # DNS OPTIONS # ----------------------------------------------------------------------------- @@ -5332,31 +7475,9 @@ refresh_pattern . 0 20% 4320 #Default: # allow_underscore on -# TAG: cache_dns_program -# Note: This option is only available if Squid is rebuilt with the -# --disable-internal-dns option -# -# Specify the location of the executable for dnslookup process. -#Default: -# cache_dns_program /usr/lib/squid/dnsserver - -# TAG: dns_children -# Note: This option is only available if Squid is rebuilt with the -# --disable-internal-dns option -# -# The number of processes spawn to service DNS name lookups. -# For heavily loaded caches on large servers, you should -# probably increase this value to at least 10. The maximum -# is 32. The default is 5. -# -# You must have at least one dnsserver process. -#Default: -# dns_children 5 - # TAG: dns_retransmit_interval # Initial retransmit interval for DNS queries. The interval is # doubled each time all configured DNS servers have been tried. -# #Default: # dns_retransmit_interval 5 seconds @@ -5365,7 +7486,31 @@ refresh_pattern . 0 20% 4320 # within this time all DNS servers for the queried domain # are assumed to be unavailable. #Default: -# dns_timeout 2 minutes +# dns_timeout 30 seconds + +# TAG: dns_packet_max +# Maximum number of bytes packet size to advertise via EDNS. +# Set to "none" to disable EDNS large packet support. +# +# For legacy reasons DNS UDP replies will default to 512 bytes which +# is too small for many responses. EDNS provides a means for Squid to +# negotiate receiving larger responses back immediately without having +# to failover with repeat requests. Responses larger than this limit +# will retain the old behaviour of failover to TCP DNS. +# +# Squid has no real fixed limit internally, but allowing packet sizes +# over 1500 bytes requires network jumbogram support and is usually not +# necessary. +# +# WARNING: The RFC also indicates that some older resolvers will reply +# with failure of the whole request if the extension is added. Some +# resolvers have already been identified which will reply with mangled +# EDNS response on occasion. Usually in response to many-KB jumbogram +# sizes being advertised by Squid. +# Squid will currently treat these both as an unable-to-resolve domain +# even if it would be resolvable without EDNS. +#Default: +# EDNS disabled # TAG: dns_defnames on|off # Normally the RES_DEFNAMES resolver option is disabled @@ -5373,12 +7518,21 @@ refresh_pattern . 0 20% 4320 # from interpreting single-component hostnames locally. To allow # Squid to handle single-component names, enable this option. #Default: -# dns_defnames off +# Search for single-label domain names is disabled. + +# TAG: dns_multicast_local on|off +# When set to on, Squid sends multicast DNS lookups on the local +# network for domains ending in .local and .arpa. +# This enables local servers and devices to be contacted in an +# ad-hoc or zero-configuration network environment. +#Default: +# Search for .local and .arpa names is disabled. # TAG: dns_nameservers # Use this if you want to specify a list of DNS name servers # (IP addresses) to use instead of those given in your # /etc/resolv.conf file. +# # On Windows platforms, if no value is specified here or in # the /etc/resolv.conf file, the list of DNS name servers are # taken from the Windows registry, both static and dynamic DHCP @@ -5386,7 +7540,7 @@ refresh_pattern . 0 20% 4320 # # Example: dns_nameservers 10.0.0.1 192.172.0.4 #Default: -# none +# Use operating system definitions # TAG: hosts_file # Location of the host-local IP name-address associations @@ -5425,7 +7579,7 @@ refresh_pattern . 0 20% 4320 #Example: # append_domain .yourdomain.com #Default: -# none +# Use operating system definitions # TAG: ignore_unknown_nameservers # By default Squid checks that DNS responses are received @@ -5436,23 +7590,6 @@ refresh_pattern . 0 20% 4320 #Default: # ignore_unknown_nameservers on -# TAG: dns_v4_fallback -# Standard practice with DNS is to lookup either A or AAAA records -# and use the results if it succeeds. Only looking up the other if -# the first attempt fails or otherwise produces no results. -# -# That policy however will cause squid to produce error pages for some -# servers that advertise AAAA but are unreachable over IPv6. -# -# If this is ON squid will always lookup both AAAA and A, using both. -# If this is OFF squid will lookup AAAA and only try A if none found. -# -# WARNING: There are some possibly unwanted side-effects with this on: -# *) Doubles the load placed by squid on the DNS network. -# *) May negatively impact connection delay times. -#Default: -# dns_v4_fallback on - # TAG: dns_v4_first # With the IPv6 Internet being as fast or faster than IPv4 Internet # for most networks Squid prefers to contact websites over IPv6. @@ -5464,11 +7601,12 @@ refresh_pattern . 0 20% 4320 # WARNING: # This option will restrict the situations under which IPv6 # connectivity is used (and tested), potentially hiding network -# problem swhich would otherwise be detected and warned about. +# problems which would otherwise be detected and warned about. #Default: # dns_v4_first off # TAG: ipcache_size (number of entries) +# Maximum number of DNS IP cache entries. #Default: # ipcache_size 1024 @@ -5489,6 +7627,15 @@ refresh_pattern . 0 20% 4320 # MISCELLANEOUS # ----------------------------------------------------------------------------- +# TAG: configuration_includes_quoted_values on|off +# If set, Squid will recognize each "quoted string" after a configuration +# directive as a single parameter. The quotes are stripped before the +# parameter value is interpreted or used. +# See "Values with spaces, quotes, and other special characters" +# section for more details. +#Default: +# configuration_includes_quoted_values off + # TAG: memory_pools on|off # If set, Squid will keep pools of allocated (but unused) memory # available for future use. If memory is a premium on your @@ -5539,7 +7686,7 @@ refresh_pattern . 0 20% 4320 # X-Forwarded-For header. # # If set to "truncate", Squid will remove all existing -# X-Forwarded-For entries, and place itself as the sole entry. +# X-Forwarded-For entries, and place the client IP as the sole entry. #Default: # forwarded_for on @@ -5602,7 +7749,7 @@ refresh_pattern . 0 20% 4320 # cachemgr_passwd lesssssssecret info stats/objects # cachemgr_passwd disable all #Default: -# none +# No password. Actions which require password are denied. # TAG: client_db on|off # If you want to disable collecting per-client statistics, @@ -5633,19 +7780,22 @@ refresh_pattern . 0 20% 4320 #Default: # reload_into_ims off -# TAG: maximum_single_addr_tries -# This sets the maximum number of connection attempts for a -# host that only has one address (for multiple-address hosts, -# each address is tried once). +# TAG: connect_retries +# This sets the maximum number of connection attempts made for each +# TCP connection. The connect_retries attempts must all still +# complete within the connection timeout period. +# +# The default is not to re-try if the first connection attempt fails. +# The (not recommended) maximum is 10 tries. # -# The default value is one attempt, the (not recommended) -# maximum is 255 tries. A warning message will be generated -# if it is set to a value greater than ten. +# A warning message will be generated if it is set to a too-high +# value and the configured value will be over-ridden. # -# Note: This is in addition to the request re-forwarding which -# takes place if Squid fails to get a satisfying response. +# Note: These re-tries are in addition to forward_max_tries +# which limit how many different addresses may be tried to find +# a useful server. #Default: -# maximum_single_addr_tries 1 +# Do not retry failed connections. # TAG: retry_on_error # If set to ON Squid will automatically retry requests when @@ -5678,20 +7828,32 @@ refresh_pattern . 0 20% 4320 # URI. Options: # # strip: The whitespace characters are stripped out of the URL. -# This is the behavior recommended by RFC2396. +# This is the behavior recommended by RFC2396 and RFC3986 +# for tolerant handling of generic URI. +# NOTE: This is one difference between generic URI and HTTP URLs. +# # deny: The request is denied. The user receives an "Invalid # Request" message. +# This is the behaviour recommended by RFC2616 for safe +# handling of HTTP request URL. +# # allow: The request is allowed and the URI is not changed. The # whitespace characters remain in the URI. Note the # whitespace is passed to redirector processes if they # are in use. +# Note this may be considered a violation of RFC2616 +# request parsing where whitespace is prohibited in the +# URL field. +# # encode: The request is allowed and the whitespace characters are -# encoded according to RFC1738. This could be considered -# a violation of the HTTP/1.1 -# RFC because proxies are not allowed to rewrite URI's. +# encoded according to RFC1738. +# # chop: The request is allowed and the URI is chopped at the -# first whitespace. This might also be considered a -# violation. +# first whitespace. +# +# +# NOTE the current Squid implementation of encode and chop violates +# RFC2616 by not using a 301 redirect after altering the URL. #Default: # uri_whitespace strip @@ -5718,23 +7880,28 @@ refresh_pattern . 0 20% 4320 # balance_on_multiple_ip off # TAG: pipeline_prefetch -# To boost the performance of pipelined requests to closer -# match that of a non-proxied environment Squid can try to fetch -# up to two requests in parallel from a pipeline. -# -# Defaults to off for bandwidth management and access logging +# HTTP clients may send a pipeline of 1+N requests to Squid using a +# single connection, without waiting for Squid to respond to the first +# of those requests. This option limits the number of concurrent +# requests Squid will try to handle in parallel. If set to N, Squid +# will try to receive and process up to 1+N requests on the same +# connection concurrently. +# +# Defaults to 0 (off) for bandwidth management and access logging # reasons. # +# NOTE: pipelining requires persistent connections to clients. +# # WARNING: pipelining breaks NTLM and Negotiate/Kerberos authentication. #Default: -# pipeline_prefetch off +# Do not pre-parse pipelined requests. # TAG: high_response_time_warning (msec) # If the one-minute median response time exceeds this value, # Squid prints a WARNING with debug level 0 to get the # administrators attention. The value is in milliseconds. #Default: -# high_response_time_warning 0 +# disabled. # TAG: high_page_fault_warning # If the one-minute average page fault rate exceeds this @@ -5742,14 +7909,17 @@ refresh_pattern . 0 20% 4320 # the administrators attention. The value is in page faults # per second. #Default: -# high_page_fault_warning 0 +# disabled. # TAG: high_memory_warning -# If the memory usage (as determined by mallinfo) exceeds -# this amount, Squid prints a WARNING with debug level 0 to get +# Note: This option is only available if Squid is rebuilt with the +# GNU Malloc with mstats() +# +# If the memory usage (as determined by gnumalloc, if available and used) +# exceeds this amount, Squid prints a WARNING with debug level 0 to get # the administrators attention. #Default: -# high_memory_warning 0 KB +# disabled. # TAG: sleep_after_fork (microseconds) # When this is set to a non-zero value, the main Squid process @@ -5766,6 +7936,9 @@ refresh_pattern . 0 20% 4320 # sleep_after_fork 0 # TAG: windows_ipaddrchangemonitor on|off +# Note: This option is only available if Squid is rebuilt with the +# MS Windows +# # On Windows Squid by default will monitor IP address changes and will # reconfigure itself after any detected event. This is very useful for # proxies connected to internet with dial-up interfaces. @@ -5775,13 +7948,19 @@ refresh_pattern . 0 20% 4320 #Default: # windows_ipaddrchangemonitor on +# TAG: eui_lookup +# Whether to lookup the EUI or MAC address of a connected client. +#Default: +# eui_lookup on + # TAG: max_filedescriptors -# The maximum number of filedescriptors supported. +# Reduce the maximum number of filedescriptors supported below +# the usual operating system defaults. # -# The default "0" means Squid inherits the current ulimit setting. +# Remove from squid.conf to inherit the current ulimit setting. # # Note: Changing this requires a restart of Squid. Also -# not all comm loops supports large values. +# not all I/O types supports large values (eg on Windows). #Default: -# max_filedescriptors 0 +# Use operating system limits set by ulimit. diff --git a/hosts/profitbricks-build1-amd64/etc/squid/squid.conf b/hosts/profitbricks-build1-amd64/etc/squid/squid.conf index 34be0ec5..ad1cdc47 100644 --- a/hosts/profitbricks-build1-amd64/etc/squid/squid.conf +++ b/hosts/profitbricks-build1-amd64/etc/squid/squid.conf @@ -1,4 +1,4 @@ -# WELCOME TO SQUID 3.1.20 +# WELCOME TO SQUID 3.5.23 # ---------------------------- # # This is the documentation for the Squid configuration file. @@ -32,6 +32,188 @@ # This arbitrary restriction is to prevent recursive include references # from causing Squid entering an infinite loop whilst trying to load # configuration files. +# +# Values with byte units +# +# Squid accepts size units on some size related directives. All +# such directives are documented with a default value displaying +# a unit. +# +# Units accepted by Squid are: +# bytes - byte +# KB - Kilobyte (1024 bytes) +# MB - Megabyte +# GB - Gigabyte +# +# Values with spaces, quotes, and other special characters +# +# Squid supports directive parameters with spaces, quotes, and other +# special characters. Surround such parameters with "double quotes". Use +# the configuration_includes_quoted_values directive to enable or +# disable that support. +# +# Squid supports reading configuration option parameters from external +# files using the syntax: +# parameters("/path/filename") +# For example: +# acl whitelist dstdomain parameters("/etc/squid/whitelist.txt") +# +# Conditional configuration +# +# If-statements can be used to make configuration directives +# depend on conditions: +# +# if +# ... regular configuration directives ... +# [else +# ... regular configuration directives ...] +# endif +# +# The else part is optional. The keywords "if", "else", and "endif" +# must be typed on their own lines, as if they were regular +# configuration directives. +# +# NOTE: An else-if condition is not supported. +# +# These individual conditions types are supported: +# +# true +# Always evaluates to true. +# false +# Always evaluates to false. +# = +# Equality comparison of two integer numbers. +# +# +# SMP-Related Macros +# +# The following SMP-related preprocessor macros can be used. +# +# ${process_name} expands to the current Squid process "name" +# (e.g., squid1, squid2, or cache1). +# +# ${process_number} expands to the current Squid process +# identifier, which is an integer number (e.g., 1, 2, 3) unique +# across all Squid processes of the current service instance. +# +# ${service_name} expands into the current Squid service instance +# name identifier which is provided by -n on the command line. +# + +# TAG: broken_vary_encoding +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: cache_vary +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: error_map +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: external_refresh_check +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: location_rewrite_program +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: refresh_stale_hit +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: hierarchy_stoplist +# Remove this line. Use always_direct or cache_peer_access ACLs instead if you need to prevent cache_peer use. +#Default: +# none + +# TAG: log_access +# Remove this line. Use acls with access_log directives to control access logging +#Default: +# none + +# TAG: log_icap +# Remove this line. Use acls with icap_log directives to control icap logging +#Default: +# none + +# TAG: ignore_ims_on_miss +# Remove this line. The HTTP/1.1 feature is now configured by 'cache_miss_revalidate'. +#Default: +# none + +# TAG: chunked_request_body_max_size +# Remove this line. Squid is now HTTP/1.1 compliant. +#Default: +# none + +# TAG: dns_v4_fallback +# Remove this line. Squid performs a 'Happy Eyeballs' algorithm, the 'fallback' algorithm is no longer relevant. +#Default: +# none + +# TAG: emulate_httpd_log +# Replace this with an access_log directive using the format 'common' or 'combined'. +#Default: +# none + +# TAG: forward_log +# Use a regular access.log with ACL limiting it to MISS events. +#Default: +# none + +# TAG: ftp_list_width +# Remove this line. Configure FTP page display using the CSS controls in errorpages.css instead. +#Default: +# none + +# TAG: ignore_expect_100 +# Remove this line. The HTTP/1.1 feature is now fully supported by default. +#Default: +# none + +# TAG: log_fqdn +# Remove this option from your config. To log FQDN use %>A in the log format. +#Default: +# none + +# TAG: log_ip_on_direct +# Remove this option from your config. To log server or peer names use % -##auth_param negotiate children 5 +##auth_param negotiate children 20 startup=0 idle=1 ##auth_param negotiate keep_alive on ## -##auth_param ntlm program -##auth_param ntlm children 5 -##auth_param ntlm keep_alive on -## -##auth_param digest program -##auth_param digest children 5 +##auth_param digest program +##auth_param digest children 20 startup=0 idle=1 ##auth_param digest realm Squid proxy-caching web server ##auth_param digest nonce_garbage_interval 5 minutes ##auth_param digest nonce_max_duration 30 minutes ##auth_param digest nonce_max_count 50 ## +##auth_param ntlm program +##auth_param ntlm children 20 startup=0 idle=1 +##auth_param ntlm keep_alive on +## ##auth_param basic program -##auth_param basic children 5 +##auth_param basic children 5 startup=5 idle=1 ##auth_param basic realm Squid proxy-caching web server ##auth_param basic credentialsttl 2 hours #Default: @@ -343,7 +448,7 @@ # TAG: authenticate_cache_garbage_interval # The time period between garbage collection across the username cache. -# This is a tradeoff between memory utilization (long intervals - say +# This is a trade-off between memory utilization (long intervals - say # 2 days) and CPU (short intervals - say 1 minute). Only change if you # have good reason to. #Default: @@ -362,11 +467,11 @@ # this directive controls how long Squid remembers the IP # addresses associated with each user. Use a small value # (e.g., 60 seconds) if your users might change addresses -# quickly, as is the case with dialups. You might be safe +# quickly, as is the case with dialup. You might be safe # using a larger value (e.g., 2 hours) in a corporate LAN # environment with relatively static address assignments. #Default: -# authenticate_ip_ttl 0 seconds +# authenticate_ip_ttl 1 second # ACCESS CONTROLS # ----------------------------------------------------------------------------- @@ -381,31 +486,66 @@ # # ttl=n TTL in seconds for cached results (defaults to 3600 # for 1 hour) +# # negative_ttl=n # TTL for cached negative lookups (default same # as ttl) -# children=n Number of acl helper processes spawn to service +# +# grace=n Percentage remaining of TTL where a refresh of a +# cached entry should be initiated without needing to +# wait for a new reply. (default is for no grace period) +# +# cache=n The maximum number of entries in the result cache. The +# default limit is 262144 entries. Each cache entry usually +# consumes at least 256 bytes. Squid currently does not remove +# expired cache entries until the limit is reached, so a proxy +# will sooner or later reach the limit. The expanded FORMAT +# value is used as the cache key, so if the details in FORMAT +# are highly variable, a larger cache may be needed to produce +# reduction in helper load. +# +# children-max=n +# Maximum number of acl helper processes spawned to service # external acl lookups of this type. (default 5) +# +# children-startup=n +# Minimum number of acl helper processes to spawn during +# startup and reconfigure to service external acl lookups +# of this type. (default 0) +# +# children-idle=n +# Number of acl helper processes to keep ahead of traffic +# loads. Squid will spawn this many at once whenever load +# rises above the capabilities of existing processes. +# Up to the value of children-max. (default 1) +# # concurrency=n concurrency level per process. Only used with helpers # capable of processing more than one query at a time. -# cache=n result cache size, 0 is unbounded (default) -# grace=n Percentage remaining of TTL where a refresh of a -# cached entry should be initiated without needing to -# wait for a new reply. (default 0 for no grace period) -# protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers +# +# protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers. +# # ipv4 / ipv6 IP protocol used to communicate with this helper. # The default is to auto-detect IPv6 and use it when available. # +# # FORMAT specifications # # %LOGIN Authenticated user login name -# %EXT_USER Username from external acl +# %un A user name. Expands to the first available name +# from the following list of information sources: +# - authenticated user name, like %ul or %LOGIN +# - user name sent by an external ACL, like %EXT_USER +# - SSL client name, like %us in logformat +# - ident user name, like %ui in logformat +# %EXT_USER Username from previous external acl +# %EXT_LOG Log details from previous external acl +# %EXT_TAG Tag from previous external acl # %IDENT Ident user name # %SRC Client IP # %SRCPORT Client source port # %URI Requested URI # %DST Requested host -# %PROTO Requested protocol +# %PROTO Requested URL scheme # %PORT Requested port # %PATH Requested URL path # %METHOD Request method @@ -415,7 +555,10 @@ # %USER_CERT SSL User certificate in PEM format # %USER_CERTCHAIN SSL User certificate chain in PEM format # %USER_CERT_xx SSL User certificate subject attribute xx -# %USER_CA_xx SSL User certificate issuer attribute xx +# %USER_CA_CERT_xx SSL User certificate issuer attribute xx +# %ssl::>sni SSL client SNI sent to Squid +# %ssl::{Header} HTTP request header "Header" # %>{Hdr:member} @@ -433,43 +576,101 @@ # list separator. ; can be any non-alphanumeric # character. # +# %ACL The name of the ACL being tested. +# %DATA The ACL arguments. If not used then any arguments +# is automatically added at the end of the line +# sent to the helper. +# NOTE: this will encode the arguments as one token, +# whereas the default will pass each separately. +# # %% The percent sign. Useful for helpers which need # an unchanging input format. # -# In addition to the above, any string specified in the referencing -# acl will also be included in the helper request line, after the -# specified formats (see the "acl external" directive) # -# The helper receives lines per the above format specification, -# and returns lines starting with OK or ERR indicating the validity -# of the request and optionally followed by additional keywords with -# more details. +# General request syntax: +# +# [channel-ID] FORMAT-values [acl-values ...] +# +# +# FORMAT-values consists of transaction details expanded with +# whitespace separation per the config file FORMAT specification +# using the FORMAT macros listed above. +# +# acl-values consists of any string specified in the referencing +# config 'acl ... external' line. see the "acl external" directive. +# +# Request values sent to the helper are URL escaped to protect +# each value in requests against whitespaces. +# +# If using protocol=2.5 then the request sent to the helper is not +# URL escaped to protect against whitespace. +# +# NOTE: protocol=3.0 is deprecated as no longer necessary. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# +# The helper receives lines expanded per the above format specification +# and for each input line returns 1 line starting with OK/ERR/BH result +# code and optionally followed by additional keywords with more details. +# # # General result syntax: # -# OK/ERR keyword=value ... +# [channel-ID] result keyword=value ... +# +# Result consists of one of the codes: +# +# OK +# the ACL test produced a match. +# +# ERR +# the ACL test does not produce a match. +# +# BH +# An internal error occurred in the helper, preventing +# a result being identified. +# +# The meaning of 'a match' is determined by your squid.conf +# access control configuration. See the Squid wiki for details. # # Defined keywords: # # user= The users name (login) +# # password= The users password (for login= cache_peer option) -# message= Message describing the reason. Available as %o -# in error pages -# tag= Apply a tag to a request (for both ERR and OK results) -# Only sets a tag, does not alter existing tags. +# +# message= Message describing the reason for this response. +# Available as %o in error pages. +# Useful on (ERR and BH results). +# +# tag= Apply a tag to a request. Only sets a tag once, +# does not alter existing tags. +# # log= String to be logged in access.log. Available as -# %ea in logformat specifications +# %ea in logformat specifications. # -# If protocol=3.0 (the default) then URL escaping is used to protect -# each value in both requests and responses. +# clt_conn_tag= Associates a TAG with the client TCP connection. +# Please see url_rewrite_program related documentation +# for this kv-pair. # -# If using protocol=2.5 then all values need to be enclosed in quotes -# if they may contain whitespace, or the whitespace escaped using \. -# And quotes or \ characters within the keyword value must be \ escaped. +# Any keywords may be sent on any response whether OK, ERR or BH. # -# When using the concurrency= option the protocol is changed by -# introducing a query channel tag infront of the request/response. -# The query channel tag is a number between 0 and concurrency-1. +# All response keyword values need to be a single token with URL +# escaping, or enclosed in double quotes (") and escaped using \ on +# any double quotes or \ characters within the value. The wrapping +# double quotes are removed before the value is interpreted by Squid. +# \r and \n are also replace by CR and LF. +# +# Some example key values: +# +# user=John%20Smith +# user="John Smith" +# user="J. \"Bob\" Smith" #Default: # none @@ -485,9 +686,23 @@ # # When using "file", the file should contain one item per line. # -# By default, regular expressions are CASE-SENSITIVE. -# To make them case-insensitive, use the -i option. To return case-sensitive -# use the +i option between patterns, or make a new ACL line without -i. +# Some acl types supports options which changes their default behaviour. +# The available options are: +# +# -i,+i By default, regular expressions are CASE-SENSITIVE. To make them +# case-insensitive, use the -i option. To return case-sensitive +# use the +i option between patterns, or make a new ACL line +# without -i. +# +# -n Disable lookups and address type conversions. If lookup or +# conversion is required because the parameter type (IP or +# domain name) does not match the message address type (domain +# name or IP), then the ACL would immediately declare a mismatch +# without any warnings or lookups. +# +# -- Used to stop processing all options, in the case the first acl +# value has '-' character as first character (for example the '-' +# is a valid domain name) # # Some acl types require suspending the current request in order # to access some external data source. @@ -498,29 +713,31 @@ # # ***** ACL TYPES AVAILABLE ***** # -# acl aclname src ip-address/netmask ... # clients IP address [fast] -# acl aclname src addr1-addr2/netmask ... # range of addresses [fast] -# acl aclname dst ip-address/netmask ... # URL host's IP address [slow] -# acl aclname myip ip-address/netmask ... # local socket IP address [fast] +# acl aclname src ip-address/mask ... # clients IP address [fast] +# acl aclname src addr1-addr2/mask ... # range of addresses [fast] +# acl aclname dst [-n] ip-address/mask ... # URL host's IP address [slow] +# acl aclname localip ip-address/mask ... # IP address the client connected to [fast] # # acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation) -# # The arp ACL requires the special configure option --enable-arp-acl. -# # Furthermore, the ARP ACL code is not portable to all operating systems. -# # It works on Linux, Solaris, Windows, FreeBSD, and some -# # other *BSD variants. # # [fast] +# # The 'arp' ACL code is not portable to all operating systems. +# # It works on Linux, Solaris, Windows, FreeBSD, and some other +# # BSD variants. +# # +# # NOTE: Squid can only determine the MAC/EUI address for IPv4 +# # clients that are on the same subnet. If the client is on a +# # different subnet, then Squid cannot find out its address. # # -# # NOTE: Squid can only determine the MAC address for clients that are on -# # the same subnet. If the client is on a different subnet, -# # then Squid cannot find out its MAC address. +# # NOTE 2: IPv6 protocol does not contain ARP. MAC/EUI is either +# # encoded directly in the IPv6 address or not available. # # acl aclname srcdomain .foo.com ... # # reverse lookup, from client IP [slow] -# acl aclname dstdomain .foo.com ... +# acl aclname dstdomain [-n] .foo.com ... # # Destination server from URL [fast] # acl aclname srcdom_regex [-i] \.foo\.com ... # # regex matching client name [slow] -# acl aclname dstdom_regex [-i] \.foo\.com ... +# acl aclname dstdom_regex [-n] [-i] \.foo\.com ... # # regex matching server [fast] # # # # For dstdomain and dstdom_regex a reverse lookup is tried if a IP @@ -557,13 +774,17 @@ # # acl aclname url_regex [-i] ^http:// ... # # regex matching on whole URL [fast] +# acl aclname urllogin [-i] [^a-zA-Z0-9] ... +# # regex matching on URL login field # acl aclname urlpath_regex [-i] \.gif$ ... # # regex matching on URL path [fast] # # acl aclname port 80 70 21 0-1024... # destination TCP port [fast] # # ranges are alloed -# acl aclname myport 3128 ... # local socket TCP port [fast] -# acl aclname myportname 3128 ... # http(s)_port name [fast] +# acl aclname localport 3128 ... # TCP port the client connected to [fast] +# # NP: for interception mode this is usually '80' +# +# acl aclname myportname 3128 ... # *_port name [fast] # # acl aclname proto HTTP FTP ... # request protocol [fast] # @@ -632,6 +853,11 @@ # # clients may appear to come from multiple addresses if they are # # going through proxy farms, so a limit of 1 may cause user problems. # +# acl aclname random probability +# # Pseudo-randomly match requests. Based on the probability given. +# # Probability may be written as a decimal (0.333), fraction (1/3) +# # or ratio of matches:non-matches (3:5). +# # acl aclname req_mime_type [-i] mime-type ... # # regex match against the mime type of the request generated # # by the client. Can be used to detect file upload or some @@ -663,11 +889,11 @@ # # acl aclname user_cert attribute values... # # match against attributes in a user SSL certificate -# # attribute is one of DN/C/O/CN/L/ST [fast] +# # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast] # # acl aclname ca_cert attribute values... # # match against attributes a users issuing CA SSL certificate -# # attribute is one of DN/C/O/CN/L/ST [fast] +# # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast] # # acl aclname ext_user username ... # acl aclname ext_user_regex [-i] pattern ... @@ -675,7 +901,59 @@ # # use REQUIRED to accept any non-null user name. # # acl aclname tag tagvalue ... -# # string match on tag returned by external acl helper [slow] +# # string match on tag returned by external acl helper [fast] +# # DEPRECATED. Only the first tag will match with this ACL. +# # Use the 'note' ACL instead for handling multiple tag values. +# +# acl aclname hier_code codename ... +# # string match against squid hierarchy code(s); [fast] +# # e.g., DIRECT, PARENT_HIT, NONE, etc. +# # +# # NOTE: This has no effect in http_access rules. It only has +# # effect in rules that affect the reply data stream such as +# # http_reply_access. +# +# acl aclname note name [value ...] +# # match transaction annotation [fast] +# # Without values, matches any annotation with a given name. +# # With value(s), matches any annotation with a given name that +# # also has one of the given values. +# # Names and values are compared using a string equality test. +# # Annotation sources include note and adaptation_meta directives +# # as well as helper and eCAP responses. +# +# acl aclname adaptation_service service ... +# # Matches the name of any icap_service, ecap_service, +# # adaptation_service_set, or adaptation_service_chain that Squid +# # has used (or attempted to use) for the master transaction. +# # This ACL must be defined after the corresponding adaptation +# # service is named in squid.conf. This ACL is usable with +# # adaptation_meta because it starts matching immediately after +# # the service has been selected for adaptation. +# +# acl aclname any-of acl1 acl2 ... +# # match any one of the acls [fast or slow] +# # The first matching ACL stops further ACL evaluation. +# # +# # ACLs from multiple any-of lines with the same name are ORed. +# # For example, A = (a1 or a2) or (a3 or a4) can be written as +# # acl A any-of a1 a2 +# # acl A any-of a3 a4 +# # +# # This group ACL is fast if all evaluated ACLs in the group are fast +# # and slow otherwise. +# +# acl aclname all-of acl1 acl2 ... +# # match all of the acls [fast or slow] +# # The first mismatching ACL stops further ACL evaluation. +# # +# # ACLs from multiple all-of lines with the same name are ORed. +# # For example, B = (b1 and b2) or (b3 and b4) can be written as +# # acl B all-of b1 b2 +# # acl B all-of b3 b4 +# # +# # This group ACL is fast if all evaluated ACLs in the group are fast +# # and slow otherwise. # # Examples: # acl macaddress arp 09:00:2b:23:45:67 @@ -685,14 +963,11 @@ # acl javascript rep_mime_type -i ^application/x-javascript$ # #Default: -# acl all src all +# ACLs all, manager, localhost, and to_localhost are predefined. # # # Recommended minimum configuration: -# (now built-in) -#acl manager proto cache_object -#acl localhost src 127.0.0.1/32 ::1 -#acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1 +# # Example rule allowing access from your local networks. # Adapt to list your (internal) IP networks from where browsing @@ -716,39 +991,83 @@ acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT +# TAG: proxy_protocol_access +# Determine which client proxies can be trusted to provide correct +# information regarding real client IP address using PROXY protocol. +# +# Requests may pass through a chain of several other proxies +# before reaching us. The original source details may by sent in: +# * HTTP message Forwarded header, or +# * HTTP message X-Forwarded-For header, or +# * PROXY protocol connection header. +# +# This directive is solely for validating new PROXY protocol +# connections received from a port flagged with require-proxy-header. +# It is checked only once after TCP connection setup. +# +# A deny match results in TCP connection closure. +# +# An allow match is required for Squid to permit the corresponding +# TCP connection, before Squid even looks for HTTP request headers. +# If there is an allow match, Squid starts using PROXY header information +# to determine the source address of the connection for all future ACL +# checks, logging, etc. +# +# SECURITY CONSIDERATIONS: +# +# Any host from which we accept client IP details can place +# incorrect information in the relevant header, and Squid +# will use the incorrect information as if it were the +# source address of the request. This may enable remote +# hosts to bypass any access control restrictions that are +# based on the client's source addresses. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# all TCP connections to ports with require-proxy-header will be denied + # TAG: follow_x_forwarded_for -# Allowing or Denying the X-Forwarded-For header to be followed to -# find the original source of a request. +# Determine which client proxies can be trusted to provide correct +# information regarding real client IP address. # # Requests may pass through a chain of several other proxies -# before reaching us. The X-Forwarded-For header will contain a -# comma-separated list of the IP addresses in the chain, with the -# rightmost address being the most recent. +# before reaching us. The original source details may by sent in: +# * HTTP message Forwarded header, or +# * HTTP message X-Forwarded-For header, or +# * PROXY protocol connection header. +# +# PROXY protocol connections are controlled by the proxy_protocol_access +# directive which is checked before this. # # If a request reaches us from a source that is allowed by this -# configuration item, then we consult the X-Forwarded-For header -# to see where that host received the request from. If the -# X-Forwarded-For header contains multiple addresses, we continue -# backtracking until we reach an address for which we are not allowed -# to follow the X-Forwarded-For header, or until we reach the first -# address in the list. For the purpose of ACL used in the -# follow_x_forwarded_for directive the src ACL type always matches -# the address we are testing and srcdomain matches its rDNS. +# directive, then we trust the information it provides regarding +# the IP of the client it received from (if any). +# +# For the purpose of ACLs used in this directive the src ACL type always +# matches the address we are testing and srcdomain matches its rDNS. +# +# On each HTTP request Squid checks for X-Forwarded-For header fields. +# If found the header values are iterated in reverse order and an allow +# match is required for Squid to continue on to the next value. +# The verification ends when a value receives a deny match, cannot be +# tested, or there are no more values to test. +# NOTE: Squid does not yet follow the Forwarded HTTP header. # # The end result of this process is an IP address that we will # refer to as the indirect client address. This address may # be treated as the client address for access control, ICAP, delay # pools and logging, depending on the acl_uses_indirect_client, -# icap_uses_indirect_client, delay_pool_uses_indirect_client and -# log_uses_indirect_client options. +# icap_uses_indirect_client, delay_pool_uses_indirect_client, +# log_uses_indirect_client and tproxy_uses_indirect_client options. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # # SECURITY CONSIDERATIONS: # -# Any host for which we follow the X-Forwarded-For header -# can place incorrect information in the header, and Squid +# Any host from which we accept client IP details can place +# incorrect information in the relevant header, and Squid # will use the incorrect information as if it were the # source address of the request. This may enable remote # hosts to bypass any access control restrictions that are @@ -761,7 +1080,7 @@ acl CONNECT method CONNECT # follow_x_forwarded_for allow localhost # follow_x_forwarded_for allow my_other_proxy #Default: -# follow_x_forwarded_for deny all +# X-Forwarded-For header will be ignored. # TAG: acl_uses_indirect_client on|off # Controls whether the indirect client address @@ -787,10 +1106,41 @@ acl CONNECT method CONNECT #Default: # log_uses_indirect_client on +# TAG: tproxy_uses_indirect_client on|off +# Controls whether the indirect client address +# (see follow_x_forwarded_for) is used instead of the +# direct client address when spoofing the outgoing client. +# +# This has no effect on requests arriving in non-tproxy +# mode ports. +# +# SECURITY WARNING: Usage of this option is dangerous +# and should not be used trivially. Correct configuration +# of follow_x_forwarded_for with a limited set of trusted +# sources is required to prevent abuse of your proxy. +#Default: +# tproxy_uses_indirect_client off + +# TAG: spoof_client_ip +# Control client IP address spoofing of TPROXY traffic based on +# defined access lists. +# +# spoof_client_ip allow|deny [!]aclname ... +# +# If there are no "spoof_client_ip" lines present, the default +# is to "allow" spoofing of any suitable request. +# +# Note that the cache_peer "no-tproxy" option overrides this ACL. +# +# This clause supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Allow spoofing on all TPROXY traffic. + # TAG: http_access # Allowing or Denying access based on defined access lists # -# Access to the HTTP port: +# To allow or deny a message received on an HTTP, HTTPS, or FTP port: # http_access allow|deny [!]aclname ... # # NOTE on default values: @@ -809,22 +1159,22 @@ acl CONNECT method CONNECT # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # #Default: -# http_access deny all +# Deny, unless rules exist in squid.conf. # # # Recommended minimum Access Permission configuration: # -# Only allow cachemgr access from localhost -http_access allow manager localhost -http_access deny manager - # Deny requests to certain unsafe ports http_access deny !Safe_ports # Deny CONNECT to other than secure SSL ports http_access deny CONNECT !SSL_ports +# Only allow cachemgr access from localhost +http_access allow localhost manager +http_access deny manager + # We strongly recommend the following be uncommented to protect innocent # web applications running on the proxy server who think the only # one who can access services on "localhost" is a local user @@ -852,7 +1202,7 @@ http_access deny all # # If not set then only http_access is used. #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: http_reply_access # Allow replies to client requests. This is complementary to http_access. @@ -860,7 +1210,7 @@ http_access deny all # http_reply_access allow|deny [!] aclname ... # # NOTE: if there are no access lines present, the default is to allow -# all replies +# all replies. # # If none of the access lines cause a match the opposite of the # last line will apply. Thus it is good practice to end the rules @@ -869,7 +1219,7 @@ http_access deny all # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: icp_access # Allowing or Denying access to the ICP port based on defined @@ -877,7 +1227,9 @@ http_access deny all # # icp_access allow|deny [!]aclname ... # -# See http_access for details +# NOTE: The default if no icp_access lines are present is to +# deny all traffic. This default may cause problems with peers +# using ICP. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. @@ -886,7 +1238,7 @@ http_access deny all ##icp_access allow localnet ##icp_access deny all #Default: -# icp_access deny all +# Deny, unless rules exist in squid.conf. # TAG: htcp_access # Allowing or Denying access to the HTCP port based on defined @@ -894,11 +1246,12 @@ http_access deny all # # htcp_access allow|deny [!]aclname ... # -# See http_access for details +# See also htcp_clr_access for details on access control for +# cache purge (CLR) HTCP messages. # # NOTE: The default if no htcp_access lines are present is to # deny all traffic. This default may cause problems with peers -# using the htcp or htcp-oldsquid options. +# using the htcp option. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. @@ -907,48 +1260,47 @@ http_access deny all ##htcp_access allow localnet ##htcp_access deny all #Default: -# htcp_access deny all +# Deny, unless rules exist in squid.conf. # TAG: htcp_clr_access # Allowing or Denying access to purge content using HTCP based -# on defined access lists +# on defined access lists. +# See htcp_access for details on general HTCP access control. # # htcp_clr_access allow|deny [!]aclname ... # -# See http_access for details -# # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # ## Allow HTCP CLR requests from trusted peers -#acl htcp_clr_peer src 172.16.1.2 +#acl htcp_clr_peer src 192.0.2.2 2001:DB8::2 #htcp_clr_access allow htcp_clr_peer +#htcp_clr_access deny all #Default: -# htcp_clr_access deny all +# Deny, unless rules exist in squid.conf. # TAG: miss_access -# Determins whether network access is permitted when satisfying a request. +# Determines whether network access is permitted when satisfying a request. # # For example; # to force your neighbors to use you as a sibling instead of # a parent. # -# acl localclients src 172.16.0.0/16 -# miss_access allow localclients +# acl localclients src 192.0.2.0/24 2001:DB8::a:0/64 # miss_access deny !localclients +# miss_access allow all # # This means only your local clients are allowed to fetch relayed/MISS # replies from the network and all other clients can only fetch cached # objects (HITs). # -# # The default for this setting allows all clients who passed the # http_access rules to relay via this proxy. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# miss_access allow all +# Allow, unless rules exist in squid.conf. # TAG: ident_lookup_access # A list of ACL elements which, if matched, cause an ident @@ -972,7 +1324,7 @@ http_access deny all # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# ident_lookup_access deny all +# Unless rules exist in squid.conf, IDENT is not fetched. # TAG: reply_body_max_size size [acl acl...] # This option specifies the maximum size of a reply body. It can be @@ -1009,23 +1361,22 @@ http_access deny all # reply_body_max_size 10 MB # #Default: -# none +# No limit is applied. # NETWORK OPTIONS # ----------------------------------------------------------------------------- # TAG: http_port -# Usage: port [options] -# hostname:port [options] -# 1.2.3.4:port [options] +# Usage: port [mode] [options] +# hostname:port [mode] [options] +# 1.2.3.4:port [mode] [options] # # The socket addresses where Squid will listen for HTTP client # requests. You may specify multiple socket addresses. # There are three forms: port alone, hostname with port, and # IP address with port. If you specify a hostname or IP # address, Squid binds the socket to that specific -# address. This replaces the old 'tcp_incoming_address' -# option. Most likely, you do not need to bind to a specific +# address. Most likely, you do not need to bind to a specific # address, so you can use the port number alone. # # If you are running Squid in accelerator mode, you @@ -1037,48 +1388,184 @@ http_access deny all # # You may specify multiple socket addresses on multiple lines. # -# Options: +# Modes: # -# intercept Support for IP-Layer interception of -# outgoing requests without browser settings. -# NP: disables authentication and IPv6 on the port. +# intercept Support for IP-Layer NAT interception delivering +# traffic to this Squid port. +# NP: disables authentication on the port. # -# tproxy Support Linux TPROXY for spoofing outgoing -# connections using the client IP address. -# NP: disables authentication and maybe IPv6 on the port. +# tproxy Support Linux TPROXY (or BSD divert-to) with spoofing +# of outgoing connections using the client IP address. +# NP: disables authentication on the port. # -# accel Accelerator mode. Also needs at least one of -# vhost / vport / defaultsite. +# accel Accelerator / reverse proxy mode # -# allow-direct Allow direct forwarding in accelerator mode. Normally -# accelerated requests are denied direct forwarding as if -# never_direct was used. +# ssl-bump For each CONNECT request allowed by ssl_bump ACLs, +# establish secure connection with the client and with +# the server, decrypt HTTPS messages as they pass through +# Squid, and treat them as unencrypted HTTP messages, +# becoming the man-in-the-middle. # -# defaultsite=domainname -# What to use for the Host: header if it is not present -# in a request. Determines what site (not origin server) -# accelerators should consider the default. -# Implies accel. +# The ssl_bump option is required to fully enable +# bumping of CONNECT requests. +# +# Omitting the mode flag causes default forward proxy mode to be used. +# +# +# Accelerator Mode Options: +# +# defaultsite=domainname +# What to use for the Host: header if it is not present +# in a request. Determines what site (not origin server) +# accelerators should consider the default. # -# vhost Accelerator mode using Host header for virtual domain support. -# Also uses the port as specified in Host: header unless -# overridden by the vport option. Implies accel. +# no-vhost Disable using HTTP/1.1 Host header for virtual domain support. +# +# protocol= Protocol to reconstruct accelerated and intercepted +# requests with. Defaults to HTTP/1.1 for http_port and +# HTTPS/1.1 for https_port. +# When an unsupported value is configured Squid will +# produce a FATAL error. +# Values: HTTP or HTTP/1.1, HTTPS or HTTPS/1.1 # # vport Virtual host port support. Using the http_port number -# instead of the port passed on Host: headers. Implies accel. +# instead of the port passed on Host: headers. # # vport=NN Virtual host port support. Using the specified port # number instead of the port passed on Host: headers. -# Implies accel. # -# protocol= Protocol to reconstruct accelerated requests with. -# Defaults to http. +# act-as-origin +# Act as if this Squid is the origin server. +# This currently means generate new Date: and Expires: +# headers on HIT instead of adding Age:. # # ignore-cc Ignore request Cache-Control headers. # -# Warning: This option violates HTTP specifications if +# WARNING: This option violates HTTP specifications if # used in non-accelerator setups. # +# allow-direct Allow direct forwarding in accelerator mode. Normally +# accelerated requests are denied direct forwarding as if +# never_direct was used. +# +# WARNING: this option opens accelerator mode to security +# vulnerabilities usually only affecting in interception +# mode. Make sure to protect forwarding with suitable +# http_access rules when using this. +# +# +# SSL Bump Mode Options: +# In addition to these options ssl-bump requires TLS/SSL options. +# +# generate-host-certificates[=] +# Dynamically create SSL server certificates for the +# destination hosts of bumped CONNECT requests.When +# enabled, the cert and key options are used to sign +# generated certificates. Otherwise generated +# certificate will be selfsigned. +# If there is a CA certificate lifetime of the generated +# certificate equals lifetime of the CA certificate. If +# generated certificate is selfsigned lifetime is three +# years. +# This option is disabled by default. See the ssl-bump +# option above for more information. +# +# dynamic_cert_mem_cache_size=SIZE +# Approximate total RAM size spent on cached generated +# certificates. If set to zero, caching is disabled. +# +# TLS / SSL Options: +# +# cert= Path to SSL certificate (PEM format). +# +# key= Path to SSL private key file (PEM format) +# if not specified, the certificate file is +# assumed to be a combined certificate and +# key file. +# +# version= The version of SSL/TLS supported +# 1 automatic (default) +# 2 SSLv2 only +# 3 SSLv3 only +# 4 TLSv1.0 only +# 5 TLSv1.1 only +# 6 TLSv1.2 only +# +# cipher= Colon separated list of supported ciphers. +# NOTE: some ciphers such as EDH ciphers depend on +# additional settings. If those settings are +# omitted the ciphers may be silently ignored +# by the OpenSSL library. +# +# options= Various SSL implementation options. The most important +# being: +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# SINGLE_DH_USE Always create a new key when using +# temporary/ephemeral DH key exchanges +# NO_TICKET Disables TLS tickets extension +# +# SINGLE_ECDH_USE +# Enable ephemeral ECDH key exchange. +# The adopted curve should be specified +# using the tls-dh option. +# +# ALL Enable various bug workarounds +# suggested as "harmless" by OpenSSL +# Be warned that this reduces SSL/TLS +# strength to some attacks. +# See OpenSSL SSL_CTX_set_options documentation for a +# complete list of options. +# +# clientca= File containing the list of CAs to use when +# requesting a client certificate. +# +# cafile= File containing additional CA certificates to +# use when verifying client certificates. If unset +# clientca will be used. +# +# capath= Directory containing additional CA certificates +# and CRL lists to use when verifying client certificates. +# +# crlfile= File of additional CRL lists to use when verifying +# the client certificate, in addition to CRLs stored in +# the capath. Implies VERIFY_CRL flag below. +# +# tls-dh=[curve:]file +# File containing DH parameters for temporary/ephemeral DH key +# exchanges, optionally prefixed by a curve for ephemeral ECDH +# key exchanges. +# See OpenSSL documentation for details on how to create the +# DH parameter file. Supported curves for ECDH can be listed +# using the "openssl ecparam -list_curves" command. +# WARNING: EDH and EECDH ciphers will be silently disabled if +# this option is not set. +# +# sslflags= Various flags modifying the use of SSL: +# DELAYED_AUTH +# Don't request client certificates +# immediately, but wait until acl processing +# requires a certificate (not yet implemented). +# NO_DEFAULT_CA +# Don't use the default CA lists built in +# to OpenSSL. +# NO_SESSION_REUSE +# Don't allow for session reuse. Each connection +# will result in a new SSL session. +# VERIFY_CRL +# Verify CRL lists when accepting client +# certificates. +# VERIFY_CRL_ALL +# Verify CRL lists for all certificates in the +# client certificate chain. +# +# sslcontext= SSL session ID context identifier. +# +# Other Options: +# # connection-auth[=on|off] # use connection-auth=off to tell Squid to prevent # forwarding Microsoft connection oriented authentication @@ -1100,22 +1587,6 @@ http_access deny all # sporadically hang or never complete requests set # disable-pmtu-discovery option to 'transparent'. # -# ssl-bump Intercept each CONNECT request matching ssl_bump ACL, -# establish secure connection with the client and with -# the server, decrypt HTTP messages as they pass through -# Squid, and treat them as unencrypted HTTP messages, -# becoming the man-in-the-middle. -# -# When this option is enabled, additional options become -# available to specify SSL-related properties of the -# client-side connection: cert, key, version, cipher, -# options, clientca, cafile, capath, crlfile, dhparams, -# sslflags, and sslcontext. See the https_port directive -# for more information on these options. -# -# The ssl_bump option is required to fully enable -# the SslBump feature. -# # name= Specifies a internal name for the port. Defaults to # the port specification (port or addr:port) # @@ -1125,6 +1596,11 @@ http_access deny all # probing the connection, interval how often to probe, and # timeout the time before giving up. # +# require-proxy-header +# Require PROXY protocol version 1 or 2 connections. +# The proxy_protocol_access is required to whitelist +# downstream proxies which can be trusted. +# # If you run Squid on a dual-homed machine with an internal # and an external interface we recommend you to specify the # internal address:port in http_port. This way Squid will only be @@ -1137,35 +1613,49 @@ http_port 3128 # TAG: https_port # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # -# Usage: [ip:]port cert=certificate.pem [key=key.pem] [options...] +# Usage: [ip:]port cert=certificate.pem [key=key.pem] [mode] [options...] # -# The socket address where Squid will listen for HTTPS client -# requests. +# The socket address where Squid will listen for client requests made +# over TLS or SSL connections. Commonly referred to as HTTPS. # -# This is really only useful for situations where you are running -# squid in accelerator mode and you want to do the SSL work at the -# accelerator level. +# This is most useful for situations where you are running squid in +# accelerator mode and you want to do the SSL work at the accelerator level. # # You may specify multiple socket addresses on multiple lines, # each with their own SSL certificate and/or options. # -# Options: +# Modes: +# +# accel Accelerator / reverse proxy mode +# +# intercept Support for IP-Layer interception of +# outgoing requests without browser settings. +# NP: disables authentication and IPv6 on the port. +# +# tproxy Support Linux TPROXY for spoofing outgoing +# connections using the client IP address. +# NP: disables authentication and maybe IPv6 on the port. +# +# ssl-bump For each intercepted connection allowed by ssl_bump +# ACLs, establish a secure connection with the client and with +# the server, decrypt HTTPS messages as they pass through +# Squid, and treat them as unencrypted HTTP messages, +# becoming the man-in-the-middle. +# +# An "ssl_bump server-first" match is required to +# fully enable bumping of intercepted SSL connections. +# +# Requires tproxy or intercept. # -# accel Accelerator mode. Also needs at least one of -# defaultsite or vhost. +# Omitting the mode flag causes default forward proxy mode to be used. # -# defaultsite= The name of the https site presented on -# this port. Implies accel. # -# vhost Accelerator mode using Host header for virtual -# domain support. Requires a wildcard certificate -# or other certificate valid for more than one domain. -# Implies accel. +# See http_port for a list of generic options # -# protocol= Protocol to reconstruct accelerated requests with. -# Defaults to https. +# +# SSL Options: # # cert= Path to SSL certificate (PEM format). # @@ -1181,20 +1671,23 @@ http_port 3128 # 4 TLSv1 only # # cipher= Colon separated list of supported ciphers. -# NOTE: some ciphers such as EDH ciphers depend on -# additional settings. If those settings are -# omitted the ciphers may be silently ignored -# by the OpenSSL library. # # options= Various SSL engine options. The most important # being: # NO_SSLv2 Disallow the use of SSLv2 # NO_SSLv3 Disallow the use of SSLv3 # NO_TLSv1 Disallow the use of TLSv1 +# # SINGLE_DH_USE Always create a new key when using # temporary/ephemeral DH key exchanges -# See OpenSSL SSL_CTX_set_options documentation for a -# complete list of options. +# +# SINGLE_ECDH_USE +# Enable ephemeral ECDH key exchange. +# The adopted curve should be specified +# using the tls-dh option. +# +# See src/ssl_support.c or OpenSSL SSL_CTX_set_options +# documentation for a complete list of options. # # clientca= File containing the list of CAs to use when # requesting a client certificate. @@ -1210,11 +1703,10 @@ http_port 3128 # the client certificate, in addition to CRLs stored in # the capath. Implies VERIFY_CRL flag below. # -# dhparams= File containing DH parameters for temporary/ephemeral -# DH key exchanges. See OpenSSL documentation for details -# on how to create this file. -# WARNING: EDH ciphers will be silently disabled if this -# option is not set. +# tls-dh=[curve:]file +# File containing DH parameters for temporary/ephemeral DH key +# exchanges, optionally prefixed by a curve for ephemeral ECDH +# key exchanges. # # sslflags= Various flags modifying the use of SSL: # DELAYED_AUTH @@ -1238,38 +1730,89 @@ http_port 3128 # # generate-host-certificates[=] # Dynamically create SSL server certificates for the -# destination hosts of bumped CONNECT requests.When +# destination hosts of bumped SSL requests.When # enabled, the cert and key options are used to sign # generated certificates. Otherwise generated # certificate will be selfsigned. -# If there is CA certificate life time of generated +# If there is CA certificate life time of generated # certificate equals lifetime of CA certificate. If -# generated certificate is selfsigned lifetime is three +# generated certificate is selfsigned lifetime is three # years. -# This option is enabled by default when SslBump is used. -# See the sslBump option above for more information. -# +# This option is disabled by default. See the ssl-bump +# option above for more information. +# # dynamic_cert_mem_cache_size=SIZE # Approximate total RAM size spent on cached generated -# certificates. If set to zero, caching is disabled. The -# default value is 4MB. An average XXX-bit certificate -# consumes about XXX bytes of RAM. +# certificates. If set to zero, caching is disabled. # -# vport Accelerator with IP based virtual host support. +# See http_port for a list of available options. +#Default: +# none + +# TAG: ftp_port +# Enables Native FTP proxy by specifying the socket address where Squid +# listens for FTP client requests. See http_port directive for various +# ways to specify the listening address and mode. # -# vport=NN As above, but uses specified port number rather -# than the https_port number. Implies accel. +# Usage: ftp_port address [mode] [options] # -# name= Specifies a internal name for the port. Defaults to -# the port specification (port or addr:port) +# WARNING: This is a new, experimental, complex feature that has seen +# limited production exposure. Some Squid modules (e.g., caching) do not +# currently work with native FTP proxying, and many features have not +# even been tested for compatibility. Test well before deploying! +# +# Native FTP proxying differs substantially from proxying HTTP requests +# with ftp:// URIs because Squid works as an FTP server and receives +# actual FTP commands (rather than HTTP requests with FTP URLs). # +# Native FTP commands accepted at ftp_port are internally converted or +# wrapped into HTTP-like messages. The same happens to Native FTP +# responses received from FTP origin servers. Those HTTP-like messages +# are shoveled through regular access control and adaptation layers +# between the FTP client and the FTP origin server. This allows Squid to +# examine, adapt, block, and log FTP exchanges. Squid reuses most HTTP +# mechanisms when shoveling wrapped FTP messages. For example, +# http_access and adaptation_access directives are used. +# +# Modes: +# +# intercept Same as http_port intercept. The FTP origin address is +# determined based on the intended destination of the +# intercepted connection. +# +# tproxy Support Linux TPROXY for spoofing outgoing +# connections using the client IP address. +# NP: disables authentication and maybe IPv6 on the port. +# +# By default (i.e., without an explicit mode option), Squid extracts the +# FTP origin address from the login@origin parameter of the FTP USER +# command. Many popular FTP clients support such native FTP proxying. +# +# Options: +# +# name=token Specifies an internal name for the port. Defaults to +# the port address. Usable with myportname ACL. +# +# ftp-track-dirs +# Enables tracking of FTP directories by injecting extra +# PWD commands and adjusting Request-URI (in wrapping +# HTTP requests) to reflect the current FTP server +# directory. Tracking is disabled by default. +# +# protocol=FTP Protocol to reconstruct accelerated and intercepted +# requests with. Defaults to FTP. No other accepted +# values have been tested with. An unsupported value +# results in a FATAL error. Accepted values are FTP, +# HTTP (or HTTP/1.1), and HTTPS (or HTTPS/1.1). +# +# Other http_port modes and options that are not specific to HTTP and +# HTTPS may also work. #Default: # none # TAG: tcp_outgoing_tos -# Allows you to select a TOS/Diffserv value to mark outgoing -# connections with, based on the username or source address -# making the request. +# Allows you to select a TOS/Diffserv value for packets outgoing +# on the server side, based on an ACL. # # tcp_outgoing_tos ds-field [!]aclname ... # @@ -1286,41 +1829,116 @@ http_port 3128 # RFC2475, and RFC3260. # # The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or -# "default" to use whatever default your host has. Note that in -# practice often only multiples of 4 is usable as the two rightmost bits -# have been redefined for use by ECN (RFC 3168 section 23.1). +# "default" to use whatever default your host has. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. # # Processing proceeds in the order specified, and stops at first fully # matching line. # -# Note: The use of this directive using client dependent ACLs is -# incompatible with the use of server side persistent connections. To -# ensure correct results it is best to set server_persistent_connections -# to off when using this directive in such configurations. +# Only fast ACLs are supported. #Default: # none # TAG: clientside_tos -# Allows you to select a TOS/Diffserv value to mark client-side -# connections with, based on the username or source address -# making the request. +# Allows you to select a TOS/DSCP value for packets being transmitted +# on the client-side, based on an ACL. +# +# clientside_tos ds-field [!]aclname ... +# +# Example where normal_service_net uses the TOS value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# clientside_tos 0x00 normal_service_net +# clientside_tos 0x20 good_service_net +# +# Note: This feature is incompatible with qos_flows. Any TOS values set here +# will be overwritten by TOS values in qos_flows. +# +# The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or +# "default" to use whatever default your host has. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. +# +#Default: +# none + +# TAG: tcp_outgoing_mark +# Note: This option is only available if Squid is rebuilt with the +# Packet MARK (Linux) +# +# Allows you to apply a Netfilter mark value to outgoing packets +# on the server side, based on an ACL. +# +# tcp_outgoing_mark mark-value [!]aclname ... +# +# Example where normal_service_net uses the mark value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# tcp_outgoing_mark 0x00 normal_service_net +# tcp_outgoing_mark 0x20 good_service_net +# +# Only fast ACLs are supported. +#Default: +# none + +# TAG: clientside_mark +# Note: This option is only available if Squid is rebuilt with the +# Packet MARK (Linux) +# +# Allows you to apply a Netfilter mark value to packets being transmitted +# on the client-side, based on an ACL. +# +# clientside_mark mark-value [!]aclname ... +# +# Example where normal_service_net uses the mark value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# clientside_mark 0x00 normal_service_net +# clientside_mark 0x20 good_service_net +# +# Note: This feature is incompatible with qos_flows. Any mark values set here +# will be overwritten by mark values in qos_flows. #Default: # none # TAG: qos_flows # Allows you to select a TOS/DSCP value to mark outgoing -# connections with, based on where the reply was sourced. +# connections to the client, based on where the reply was sourced. +# For platforms using netfilter, allows you to set a netfilter mark +# value instead of, or in addition to, a TOS value. +# +# By default this functionality is disabled. To enable it with the default +# settings simply use "qos_flows mark" or "qos_flows tos". Default +# settings will result in the netfilter mark or TOS value being copied +# from the upstream connection to the client. Note that it is the connection +# CONNMARK value not the packet MARK value that is copied. +# +# It is not currently possible to copy the mark or TOS value from the +# client to the upstream connection request. # # TOS values really only have local significance - so you should # know what you're specifying. For more information, see RFC2474, # RFC2475, and RFC3260. # -# The TOS/DSCP byte must be exactly that - octet value 0x00-0xFF. -# Note that in practice often only values up to 0x3F are usable -# as the two highest bits have been redefined for use by ECN -# (RFC3168). +# The TOS/DSCP byte must be exactly that - a octet value 0 - 255. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. +# +# Mark values can be any unsigned 32-bit integer value. # -# This setting is configured by setting the source TOS values: +# This setting is configured by setting the following values: +# +# tos|mark Whether to set TOS or netfilter mark values # # local-hit=0xFF Value to mark local cache hits. # @@ -1328,23 +1946,37 @@ http_port 3128 # # parent-hit=0xFF Value to mark hits from parent peers. # +# miss=0xFF[/mask] Value to mark cache misses. Takes precedence +# over the preserve-miss feature (see below), unless +# mask is specified, in which case only the bits +# specified in the mask are written. # -# NOTE: 'miss' preserve feature is only possible on Linux at this time. -# -# For the following to work correctly, you will need to patch your -# linux kernel with the TOS preserving ZPH patch. -# The kernel patch can be downloaded from http://zph.bratcheda.org +# The TOS variant of the following features are only possible on Linux +# and require your kernel to be patched with the TOS preserving ZPH +# patch, available from http://zph.bratcheda.org +# No patch is needed to preserve the netfilter mark, which will work +# with all variants of netfilter. # # disable-preserve-miss -# By default, the existing TOS value of the response coming -# from the remote server will be retained and masked with -# miss-mark. This option disables that feature. +# This option disables the preservation of the TOS or netfilter +# mark. By default, the existing TOS or netfilter mark value of +# the response coming from the remote server will be retained +# and masked with miss-mark. +# NOTE: in the case of a netfilter mark, the mark must be set on +# the connection (using the CONNMARK target) not on the packet +# (MARK target). # # miss-mask=0xFF -# Allows you to mask certain bits in the TOS received from the -# remote server, before copying the value to the TOS sent -# towards clients. -# Default: 0xFF (TOS from server is not changed). +# Allows you to mask certain bits in the TOS or mark value +# received from the remote server, before copying the value to +# the TOS sent towards clients. +# Default for tos: 0xFF (TOS from server is not changed). +# Default for mark: 0xFFFFFFFF (mark from server is not changed). +# +# All of these features require the --enable-zph-qos compilation flag +# (enabled by default). Netfilter marking also requires the +# libnetfilter_conntrack libraries (--with-netfilter-conntrack) and +# libcap 2.09+ (--with-libcap). # #Default: # none @@ -1356,72 +1988,133 @@ http_port 3128 # # tcp_outgoing_address ipaddr [[!]aclname] ... # -# Example where requests from 10.0.0.0/24 will be forwarded -# with source address 10.1.0.1, 10.0.2.0/24 forwarded with -# source address 10.1.0.2 and the rest will be forwarded with -# source address 10.1.0.3. -# -# acl normal_service_net src 10.0.0.0/24 -# acl good_service_net src 10.0.2.0/24 -# tcp_outgoing_address 10.1.0.1 normal_service_net -# tcp_outgoing_address 10.1.0.2 good_service_net -# tcp_outgoing_address 10.1.0.3 -# -# Processing proceeds in the order specified, and stops at first fully -# matching line. -# -# Note: The use of this directive using client dependent ACLs is -# incompatible with the use of server side persistent connections. To -# ensure correct results it is best to set server_persistent_connections -# to off when using this directive in such configurations. -# +# For example; +# Forwarding clients with dedicated IPs for certain subnets. # -# IPv6 Magic: +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.2.0/24 # -# Squid is built with a capability of bridging the IPv4 and IPv6 -# internets. -# tcp_outgoing_address as exampled above breaks this bridging by forcing -# all outbound traffic through a certain IPv4 which may be on the wrong -# side of the IPv4/IPv6 boundary. +# tcp_outgoing_address 2001:db8::c001 good_service_net +# tcp_outgoing_address 10.1.0.2 good_service_net # -# To operate with tcp_outgoing_address and keep the bridging benefits -# an additional ACL needs to be used which ensures the IPv6-bound traffic -# is never forced or permitted out the IPv4 interface. +# tcp_outgoing_address 2001:db8::beef normal_service_net +# tcp_outgoing_address 10.1.0.1 normal_service_net # -# # IPv6 destination test along with a dummy access control to perform the required DNS -# # This MUST be place before any ALLOW rules. -# acl to_ipv6 dst ipv6 -# http_access deny ipv6 !all +# tcp_outgoing_address 2001:db8::1 +# tcp_outgoing_address 10.1.0.3 # -# tcp_outgoing_address 2001:db8::c001 good_service_net to_ipv6 -# tcp_outgoing_address 10.1.0.2 good_service_net !to_ipv6 +# Processing proceeds in the order specified, and stops at first fully +# matching line. # -# tcp_outgoing_address 2001:db8::beef normal_service_net to_ipv6 -# tcp_outgoing_address 10.1.0.1 normal_service_net !to_ipv6 +# Squid will add an implicit IP version test to each line. +# Requests going to IPv4 websites will use the outgoing 10.1.0.* addresses. +# Requests going to IPv6 websites will use the outgoing 2001:db8:* addresses. # -# tcp_outgoing_address 2001:db8::1 to_ipv6 -# tcp_outgoing_address 10.1.0.3 !to_ipv6 # -# WARNING: -# 'dst ipv6' bases its selection assuming DIRECT access. -# If peers are used the peername ACL are needed to select outgoing -# address which can link to the peer. +# NOTE: The use of this directive using client dependent ACLs is +# incompatible with the use of server side persistent connections. To +# ensure correct results it is best to set server_persistent_connections +# to off when using this directive in such configurations. # -# 'dst ipv6' is a slow ACL. It will only work here if 'dst' is used -# previously in the http_access rules to locate the destination IP. -# Some more magic may be needed for that: -# http_access allow to_ipv6 !all -# (meaning, allow if to IPv6 but not from anywhere ;) +# NOTE: The use of this directive to set a local IP on outgoing TCP links +# is incompatible with using TPROXY to set client IP out outbound TCP links. +# When needing to contact peers use the no-tproxy cache_peer option and the +# client_dst_passthru directive re-enable normal forwarding such as this. # #Default: -# none +# Address selection is performed by the operating system. + +# TAG: host_verify_strict +# Regardless of this option setting, when dealing with intercepted +# traffic, Squid always verifies that the destination IP address matches +# the Host header domain or IP (called 'authority form URL'). +# +# This enforcement is performed to satisfy a MUST-level requirement in +# RFC 2616 section 14.23: "The Host field value MUST represent the naming +# authority of the origin server or gateway given by the original URL". +# +# When set to ON: +# Squid always responds with an HTTP 409 (Conflict) error +# page and logs a security warning if there is no match. +# +# Squid verifies that the destination IP address matches +# the Host header for forward-proxy and reverse-proxy traffic +# as well. For those traffic types, Squid also enables the +# following checks, comparing the corresponding Host header +# and Request-URI components: +# +# * The host names (domain or IP) must be identical, +# but valueless or missing Host header disables all checks. +# For the two host names to match, both must be either IP +# or FQDN. +# +# * Port numbers must be identical, but if a port is missing +# the scheme-default port is assumed. +# +# +# When set to OFF (the default): +# Squid allows suspicious requests to continue but logs a +# security warning and blocks caching of the response. +# +# * Forward-proxy traffic is not checked at all. +# +# * Reverse-proxy traffic is not checked at all. +# +# * Intercepted traffic which passes verification is handled +# according to client_dst_passthru. +# +# * Intercepted requests which fail verification are sent +# to the client original destination instead of DIRECT. +# This overrides 'client_dst_passthru off'. +# +# For now suspicious intercepted CONNECT requests are always +# responded to with an HTTP 409 (Conflict) error page. +# +# +# SECURITY NOTE: +# +# As described in CVE-2009-0801 when the Host: header alone is used +# to determine the destination of a request it becomes trivial for +# malicious scripts on remote websites to bypass browser same-origin +# security policy and sandboxing protections. +# +# The cause of this is that such applets are allowed to perform their +# own HTTP stack, in which case the same-origin policy of the browser +# sandbox only verifies that the applet tries to contact the same IP +# as from where it was loaded at the IP level. The Host: header may +# be different from the connected IP and approved origin. +# +#Default: +# host_verify_strict off + +# TAG: client_dst_passthru +# With NAT or TPROXY intercepted traffic Squid may pass the request +# directly to the original client destination IP or seek a faster +# source using the HTTP Host header. +# +# Using Host to locate alternative servers can provide faster +# connectivity with a range of failure recovery options. +# But can also lead to connectivity trouble when the client and +# server are attempting stateful interactions unaware of the proxy. +# +# This option (on by default) prevents alternative DNS entries being +# located to send intercepted traffic DIRECT to an origin server. +# The clients original destination IP and port will be used instead. +# +# Regardless of this option setting, when dealing with intercepted +# traffic Squid will verify the Host: header and any traffic which +# fails Host verification will be treated as if this option were ON. +# +# see host_verify_strict for details on the verification process. +#Default: +# client_dst_passthru on # SSL OPTIONS # ----------------------------------------------------------------------------- # TAG: ssl_unclean_shutdown # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Some browsers (especially MSIE) bugs out on SSL shutdown # messages. @@ -1430,7 +2123,7 @@ http_port 3128 # TAG: ssl_engine # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # The OpenSSL engine to use. You will need to set this if you # would like to use hardware SSL acceleration for example. @@ -1439,7 +2132,7 @@ http_port 3128 # TAG: sslproxy_client_certificate # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Client SSL Certificate to use when proxying https:// URLs #Default: @@ -1447,7 +2140,7 @@ http_port 3128 # TAG: sslproxy_client_key # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Client SSL Key to use when proxying https:// URLs #Default: @@ -1455,36 +2148,60 @@ http_port 3128 # TAG: sslproxy_version # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # SSL version level to use when proxying https:// URLs +# +# The versions of SSL/TLS supported: +# +# 1 automatic (default) +# 2 SSLv2 only +# 3 SSLv3 only +# 4 TLSv1.0 only +# 5 TLSv1.1 only +# 6 TLSv1.2 only #Default: -# sslproxy_version 1 +# automatic SSL/TLS version negotiation # TAG: sslproxy_options # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # -# SSL engine options to use when proxying https:// URLs +# Colon (:) or comma (,) separated list of SSL implementation options +# to use when proxying https:// URLs # # The most important being: # -# NO_SSLv2 Disallow the use of SSLv2 -# NO_SSLv3 Disallow the use of SSLv3 -# NO_TLSv1 Disallow the use of TLSv1 -# SINGLE_DH_USE -# Always create a new key when using -# temporary/ephemeral DH key exchanges +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# +# SINGLE_DH_USE +# Always create a new key when using temporary/ephemeral +# DH key exchanges +# +# NO_TICKET +# Disable use of RFC5077 session tickets. Some servers +# may have problems understanding the TLS extension due +# to ambiguous specification in RFC4507. +# +# ALL Enable various bug workarounds suggested as "harmless" +# by OpenSSL. Be warned that this may reduce SSL/TLS +# strength to some attacks. # -# These options vary depending on your SSL engine. # See the OpenSSL SSL_CTX_set_options documentation for a # complete list of possible options. +# +# WARNING: This directive takes a single token. If a space is used +# the value(s) after that space are SILENTLY IGNORED. #Default: # none # TAG: sslproxy_cipher # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # SSL cipher list to use when proxying https:// URLs # @@ -1494,7 +2211,7 @@ http_port 3128 # TAG: sslproxy_cafile # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # file containing CA certificates to use when verifying server # certificates while proxying https:// URLs @@ -1503,45 +2220,151 @@ http_port 3128 # TAG: sslproxy_capath # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # directory containing CA certificates to use when verifying # server certificates while proxying https:// URLs #Default: # none -# TAG: ssl_bump +# TAG: sslproxy_session_ttl +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the timeout value for SSL sessions +#Default: +# sslproxy_session_ttl 300 + +# TAG: sslproxy_session_cache_size +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the cache size to use for ssl session +#Default: +# sslproxy_session_cache_size 2 MB + +# TAG: sslproxy_foreign_intermediate_certs # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # -# This ACL controls which CONNECT requests to an http_port -# marked with an sslBump flag are actually "bumped". Please -# see the sslBump flag of an http_port option for more details -# about decoding proxied SSL connections. +# Many origin servers fail to send their full server certificate +# chain for verification, assuming the client already has or can +# easily locate any missing intermediate certificates. # -# By default, no requests are bumped. +# Squid uses the certificates from the specified file to fill in +# these missing chains when trying to validate origin server +# certificate chains. +# +# The file is expected to contain zero or more PEM-encoded +# intermediate certificates. These certificates are not treated +# as trusted root certificates, and any self-signed certificate in +# this file will be ignored. +#Default: +# none + +# TAG: sslproxy_cert_sign_hash +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the hashing algorithm to use when signing generated certificates. +# Valid algorithm names depend on the OpenSSL library used. The following +# names are usually available: sha1, sha256, sha512, and md5. Please see +# your OpenSSL library manual for the available hashes. By default, Squids +# that support this option use sha256 hashes. +# +# Squid does not forcefully purge cached certificates that were generated +# with an algorithm other than the currently configured one. They remain +# in the cache, subject to the regular cache eviction policy, and become +# useful if the algorithm changes again. +#Default: +# none + +# TAG: ssl_bump +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# This option is consulted when a CONNECT request is received on +# an http_port (or a new connection is intercepted at an +# https_port), provided that port was configured with an ssl-bump +# flag. The subsequent data on the connection is either treated as +# HTTPS and decrypted OR tunneled at TCP level without decryption, +# depending on the first matching bumping "action". +# +# ssl_bump [!]acl ... +# +# The following bumping actions are currently supported: +# +# splice +# Become a TCP tunnel without decrypting proxied traffic. +# This is the default action. +# +# bump +# Establish a secure connection with the server and, using a +# mimicked server certificate, with the client. +# +# peek +# Receive client (step SslBump1) or server (step SslBump2) +# certificate while preserving the possibility of splicing the +# connection. Peeking at the server certificate (during step 2) +# usually precludes bumping of the connection at step 3. +# +# stare +# Receive client (step SslBump1) or server (step SslBump2) +# certificate while preserving the possibility of bumping the +# connection. Staring at the server certificate (during step 2) +# usually precludes splicing of the connection at step 3. +# +# terminate +# Close client and server connections. +# +# Backward compatibility actions available at step SslBump1: +# +# client-first +# Bump the connection. Establish a secure connection with the +# client first, then connect to the server. This old mode does +# not allow Squid to mimic server SSL certificate and does not +# work with intercepted SSL connections. +# +# server-first +# Bump the connection. Establish a secure connection with the +# server first, then establish a secure connection with the +# client, using a mimicked server certificate. Works with both +# CONNECT requests and intercepted SSL connections, but does +# not allow to make decisions based on SSL handshake info. +# +# peek-and-splice +# Decide whether to bump or splice the connection based on +# client-to-squid and server-to-squid SSL hello messages. +# XXX: Remove. +# +# none +# Same as the "splice" action. +# +# All ssl_bump rules are evaluated at each of the supported bumping +# steps. Rules with actions that are impossible at the current step are +# ignored. The first matching ssl_bump action wins and is applied at the +# end of the current step. If no rules match, the splice action is used. +# See the at_step ACL for a list of the supported SslBump steps. # -# See also: http_port ssl-bump -# # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # +# See also: http_port ssl-bump, https_port ssl-bump, and acl at_step. +# # -# # Example: Bump all requests except those originating from localhost and -# # those going to webax.com or example.com sites. +# # Example: Bump all TLS connections except those originating from +# # localhost or those going to example.com. # -# acl localhost src 127.0.0.1/32 -# acl broken_sites dstdomain .webax.com -# acl broken_sites dstdomain .example.com -# ssl_bump deny localhost -# ssl_bump deny broken_sites -# ssl_bump allow all +# acl broken_sites ssl::server_name .example.com +# ssl_bump splice localhost +# ssl_bump splice broken_sites +# ssl_bump bump all #Default: -# none +# Become a TCP tunnel without decrypting proxied traffic. # TAG: sslproxy_flags # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Various flags modifying the use of SSL while proxying https:// URLs: # DONT_VERIFY_PEER Accept certificates that fail verification. @@ -1553,16 +2376,16 @@ http_port 3128 # TAG: sslproxy_cert_error # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Use this ACL to bypass server certificate validation errors. # # For example, the following lines will bypass all validation errors -# when talking to servers located at 172.16.0.0/16. All other +# when talking to servers for example.com. All other # validation errors will result in ERR_SECURE_CONNECT_FAIL error. # -# acl BrokenServersAtTrustedIP dst 172.16.0.0/16 -# sslproxy_cert_error allow BrokenServersAtTrustedIP +# acl BrokenButTrustedServers dstdomain example.com +# sslproxy_cert_error allow BrokenButTrustedServers # sslproxy_cert_error deny all # # This clause only supports fast acl types. @@ -1570,19 +2393,107 @@ http_port 3128 # Using slow acl types may result in server crashes # # Without this option, all server certificate validation errors -# terminate the transaction. Bypassing validation errors is dangerous -# because an error usually implies that the server cannot be trusted and -# the connection may be insecure. +# terminate the transaction to protect Squid and the client. +# +# SQUID_X509_V_ERR_INFINITE_VALIDATION error cannot be bypassed +# but should not happen unless your OpenSSL library is buggy. +# +# SECURITY WARNING: +# Bypassing validation errors is dangerous because an +# error usually implies that the server cannot be trusted +# and the connection may be insecure. # # See also: sslproxy_flags and DONT_VERIFY_PEER. +#Default: +# Server certificate errors terminate the transaction. + +# TAG: sslproxy_cert_sign +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# # -# Default setting: sslproxy_cert_error deny all +# sslproxy_cert_sign acl ... +# +# The following certificate signing algorithms are supported: +# +# signTrusted +# Sign using the configured CA certificate which is usually +# placed in and trusted by end-user browsers. This is the +# default for trusted origin server certificates. +# +# signUntrusted +# Sign to guarantee an X509_V_ERR_CERT_UNTRUSTED browser error. +# This is the default for untrusted origin server certificates +# that are not self-signed (see ssl::certUntrusted). +# +# signSelf +# Sign using a self-signed certificate with the right CN to +# generate a X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT error in the +# browser. This is the default for self-signed origin server +# certificates (see ssl::certSelfSigned). +# +# This clause only supports fast acl types. +# +# When sslproxy_cert_sign acl(s) match, Squid uses the corresponding +# signing algorithm to generate the certificate and ignores all +# subsequent sslproxy_cert_sign options (the first match wins). If no +# acl(s) match, the default signing algorithm is determined by errors +# detected when obtaining and validating the origin server certificate. +# +# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can +# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a +# CONNECT request that carries a domain name. In all other cases (CONNECT +# to an IP address or an intercepted SSL connection), Squid cannot detect +# the domain mismatch at certificate generation time when +# bump-server-first is used. +#Default: +# none + +# TAG: sslproxy_cert_adapt +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# +# sslproxy_cert_adapt acl ... +# +# The following certificate adaptation algorithms are supported: +# +# setValidAfter +# Sets the "Not After" property to the "Not After" property of +# the CA certificate used to sign generated certificates. +# +# setValidBefore +# Sets the "Not Before" property to the "Not Before" property of +# the CA certificate used to sign generated certificates. +# +# setCommonName or setCommonName{CN} +# Sets Subject.CN property to the host name specified as a +# CN parameter or, if no explicit CN parameter was specified, +# extracted from the CONNECT request. It is a misconfiguration +# to use setCommonName without an explicit parameter for +# intercepted or tproxied SSL connections. +# +# This clause only supports fast acl types. +# +# Squid first groups sslproxy_cert_adapt options by adaptation algorithm. +# Within a group, when sslproxy_cert_adapt acl(s) match, Squid uses the +# corresponding adaptation algorithm to generate the certificate and +# ignores all subsequent sslproxy_cert_adapt options in that algorithm's +# group (i.e., the first match wins within each algorithm group). If no +# acl(s) match, the default mimicking action takes place. +# +# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can +# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a +# CONNECT request that carries a domain name. In all other cases (CONNECT +# to an IP address or an intercepted SSL connection), Squid cannot detect +# the domain mismatch at certificate generation time when +# bump-server-first is used. #Default: # none # TAG: sslpassword_program # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Specify a program used for entering SSL key passphrases # when using encrypted SSL certificate keys. If not specified @@ -1595,12 +2506,12 @@ http_port 3128 #Default: # none -#OPTIONS RELATING TO EXTERNAL SSL_CRTD -#----------------------------------------------------------------------------- +# OPTIONS RELATING TO EXTERNAL SSL_CRTD +# ----------------------------------------------------------------------------- # TAG: sslcrtd_program # Note: This option is only available if Squid is rebuilt with the -# -DUSE_SSL_CRTD define +# --enable-ssl-crtd # # Specify the location and options of the executable for ssl_crtd process. # /usr/lib/squid/ssl_crtd program requires -s and -M parameters @@ -1611,14 +2522,90 @@ http_port 3128 # TAG: sslcrtd_children # Note: This option is only available if Squid is rebuilt with the -# -DUSE_SSL_CRTD define +# --enable-ssl-crtd # # The maximum number of processes spawn to service ssl server. # The maximum this may be safely set to is 32. # +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup=N +# +# Sets the minimum number of processes to spawn when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few children temporary slows Squid under load while it +# tries to spawn enough additional processes to cope with traffic. +# +# idle=N +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# # You must have at least one ssl_crtd process. #Default: -# sslcrtd_children 5 +# sslcrtd_children 32 startup=5 idle=1 + +# TAG: sslcrtvalidator_program +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Specify the location and options of the executable for ssl_crt_validator +# process. +# +# Usage: sslcrtvalidator_program [ttl=n] [cache=n] path ... +# +# Options: +# ttl=n TTL in seconds for cached results. The default is 60 secs +# cache=n limit the result cache size. The default value is 2048 +#Default: +# none + +# TAG: sslcrtvalidator_children +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# The maximum number of processes spawn to service SSL server. +# The maximum this may be safely set to is 32. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup=N +# +# Sets the minimum number of processes to spawn when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few children temporary slows Squid under load while it +# tries to spawn enough additional processes to cope with traffic. +# +# idle=N +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# +# The number of requests each certificate validator helper can handle in +# parallel. A value of 0 indicates the certficate validator does not +# support concurrency. Defaults to 1. +# +# When this directive is set to a value >= 1 then the protocol +# used to communicate with the helper is modified to include +# a request ID in front of the request/response. The request +# ID from the request must be echoed back with the response +# to that request. +# +# You must have at least one ssl_crt_validator process. +#Default: +# sslcrtvalidator_children 32 startup=5 idle=1 concurrency=1 # OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM # ----------------------------------------------------------------------------- @@ -1680,22 +2667,23 @@ http_port 3128 # # htcp Send HTCP, instead of ICP, queries to the neighbor. # You probably also want to set the "icp-port" to 4827 -# instead of 3130. +# instead of 3130. This directive accepts a comma separated +# list of options described below. # -# htcp-oldsquid Send HTCP to old Squid versions. +# htcp=oldsquid Send HTCP to old Squid versions (2.5 or earlier). # -# htcp-no-clr Send HTCP to the neighbor but without +# htcp=no-clr Send HTCP to the neighbor but without # sending any CLR requests. This cannot be used with -# htcp-only-clr. +# only-clr. # -# htcp-only-clr Send HTCP to the neighbor but ONLY CLR requests. -# This cannot be used with htcp-no-clr. +# htcp=only-clr Send HTCP to the neighbor but ONLY CLR requests. +# This cannot be used with no-clr. # -# htcp-no-purge-clr +# htcp=no-purge-clr # Send HTCP to the neighbor including CLRs but only when # they do not result from PURGE requests. # -# htcp-forward-clr +# htcp=forward-clr # Forward any HTCP CLR requests this proxy receives to the peer. # # @@ -1768,6 +2756,14 @@ http_port 3128 # than the Squid default location. # # +# ==== CARP OPTIONS ==== +# +# carp-key=key-specification +# use a different key than the full URL to hash against the peer. +# the key-specification is a comma-separated list of the keywords +# scheme, host, port, path, params +# Order is not important. +# # ==== ACCELERATOR / REVERSE-PROXY OPTIONS ==== # # originserver Causes this parent to be contacted as an origin server. @@ -1795,20 +2791,23 @@ http_port 3128 # Note: The string can include URL escapes (i.e. %20 for # spaces). This also means % must be written as %%. # -# login=PROXYPASS +# login=PASSTHRU # Send login details received from client to this peer. -# Authentication is not required, nor changed. +# Both Proxy- and WWW-Authorization headers are passed +# without alteration to the peer. +# Authentication is not required by Squid for this to work. # # Note: This will pass any form of authentication but # only Basic auth will work through a proxy unless the # connection-auth options are also used. -# +# # login=PASS Send login details received from client to this peer. # Authentication is not required by this option. +# # If there are no client-provided authentication headers # to pass on, but username and password are available -# from either proxy login or an external ACL user= and -# password= result tags they may be sent instead. +# from an external ACL user= and password= result tags +# they may be sent instead. # # Note: To combine this with proxy_auth both proxies must # share the same user database as HTTP only allows for @@ -1826,6 +2825,27 @@ http_port 3128 # be used to identify this proxy to the peer, similar to # the login=username:password option above. # +# login=NEGOTIATE +# If this is a personal/workgroup proxy and your parent +# requires a secure proxy authentication. +# The first principal from the default keytab or defined by +# the environment variable KRB5_KTNAME will be used. +# +# WARNING: The connection may transmit requests from multiple +# clients. Negotiate often assumes end-to-end authentication +# and a single-client. Which is not strictly true here. +# +# login=NEGOTIATE:principal_name +# If this is a personal/workgroup proxy and your parent +# requires a secure proxy authentication. +# The principal principal_name from the default keytab or +# defined by the environment variable KRB5_KTNAME will be +# used. +# +# WARNING: The connection may transmit requests from multiple +# clients. Negotiate often assumes end-to-end authentication +# and a single-client. Which is not strictly true here. +# # connection-auth=on|off # Tell Squid that this peer does or not support Microsoft # connection oriented authentication, and any such @@ -1848,22 +2868,42 @@ http_port 3128 # reference a combined file containing both the # certificate and the key. # -# sslversion=1|2|3|4 +# sslversion=1|2|3|4|5|6 # The SSL version to use when connecting to this peer # 1 = automatic (default) # 2 = SSL v2 only # 3 = SSL v3 only -# 4 = TLS v1 only +# 4 = TLS v1.0 only +# 5 = TLS v1.1 only +# 6 = TLS v1.2 only # # sslcipher=... The list of valid SSL ciphers to use when connecting # to this peer. # -# ssloptions=... Specify various SSL engine options: -# NO_SSLv2 Disallow the use of SSLv2 -# NO_SSLv3 Disallow the use of SSLv3 -# NO_TLSv1 Disallow the use of TLSv1 -# See src/ssl_support.c or the OpenSSL documentation for -# a more complete list. +# ssloptions=... Specify various SSL implementation options: +# +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# +# SINGLE_DH_USE +# Always create a new key when using +# temporary/ephemeral DH key exchanges +# +# NO_TICKET +# Disable use of RFC5077 session tickets. Some servers +# may have problems understanding the TLS extension due +# to ambiguous specification in RFC4507. +# +# ALL Enable various bug workarounds +# suggested as "harmless" by OpenSSL +# Be warned that this reduces SSL/TLS +# strength to some attacks. +# +# See the OpenSSL SSL_CTX_set_options documentation for a +# more complete list. # # sslcafile=... A file containing additional CA certificates to use # when verifying the peer certificate. @@ -1907,29 +2947,74 @@ http_port 3128 # # connect-fail-limit=N # How many times connecting to a peer must fail before -# it is marked as down. Default is 10. +# it is marked as down. Standby connection failures +# count towards this limit. Default is 10. # # allow-miss Disable Squid's use of only-if-cached when forwarding # requests to siblings. This is primarily useful when -# icp_hit_stale is used by the sibling. To extensive use -# of this option may result in forwarding loops, and you -# should avoid having two-way peerings with this option. -# For example to deny peer usage on requests from peer -# by denying cache_peer_access if the source is a peer. +# icp_hit_stale is used by the sibling. Excessive use +# of this option may result in forwarding loops. One way +# to prevent peering loops when using this option, is to +# deny cache peer usage on requests from a peer: +# acl fromPeer ... +# cache_peer_access peerName deny fromPeer +# +# max-conn=N Limit the number of concurrent connections the Squid +# may open to this peer, including already opened idle +# and standby connections. There is no peer-specific +# connection limit by default. # -# max-conn=N Limit the amount of connections Squid may open to this -# peer. see also +# A peer exceeding the limit is not used for new +# requests unless a standby connection is available. +# +# max-conn currently works poorly with idle persistent +# connections: When a peer reaches its max-conn limit, +# and there are idle persistent connections to the peer, +# the peer may not be selected because the limiting code +# does not know whether Squid can reuse those idle +# connections. +# +# standby=N Maintain a pool of N "hot standby" connections to an +# UP peer, available for requests when no idle +# persistent connection is available (or safe) to use. +# By default and with zero N, no such pool is maintained. +# N must not exceed the max-conn limit (if any). +# +# At start or after reconfiguration, Squid opens new TCP +# standby connections until there are N connections +# available and then replenishes the standby pool as +# opened connections are used up for requests. A used +# connection never goes back to the standby pool, but +# may go to the regular idle persistent connection pool +# shared by all peers and origin servers. +# +# Squid never opens multiple new standby connections +# concurrently. This one-at-a-time approach minimizes +# flooding-like effect on peers. Furthermore, just a few +# standby connections should be sufficient in most cases +# to supply most new requests with a ready-to-use +# connection. +# +# Standby connections obey server_idle_pconn_timeout. +# For the feature to work as intended, the peer must be +# configured to accept and keep them open longer than +# the idle timeout at the connecting Squid, to minimize +# race conditions typical to idle used persistent +# connections. Default request_timeout and +# server_idle_pconn_timeout values ensure such a +# configuration. # # name=xxx Unique name for the peer. # Required if you have multiple peers on the same host # but different ports. # This name can be used in cache_peer_access and similar -# directives to dentify the peer. +# directives to identify the peer. # Can be used by outgoing access controls through the # peername ACL type. # # no-tproxy Do not use the client-spoof TPROXY support when forwarding # requests to this peer. Use normal address selection instead. +# This overrides the spoof_client_ip ACL. # # proxy-only objects fetched from the peer will not be stored locally. # @@ -1938,10 +3023,11 @@ http_port 3128 # TAG: cache_peer_domain # Use to limit the domains for which a neighbor cache will be -# queried. Usage: +# queried. # -# cache_peer_domain cache-host domain [domain ...] -# cache_peer_domain cache-host !domain +# Usage: +# cache_peer_domain cache-host domain [domain ...] +# cache_peer_domain cache-host !domain # # For example, specifying # @@ -1966,33 +3052,57 @@ http_port 3128 # none # TAG: cache_peer_access -# Similar to 'cache_peer_domain' but provides more flexibility by -# using ACL elements. +# Restricts usage of cache_peer proxies. # -# cache_peer_access cache-host allow|deny [!]aclname ... +# Usage: +# cache_peer_access peer-name allow|deny [!]aclname ... +# +# For the required peer-name parameter, use either the value of the +# cache_peer name=value parameter or, if name=value is missing, the +# cache_peer hostname parameter. +# +# This directive narrows down the selection of peering candidates, but +# does not determine the order in which the selected candidates are +# contacted. That order is determined by the peer selection algorithms +# (see PEER SELECTION sections in the cache_peer documentation). +# +# If a deny rule matches, the corresponding peer will not be contacted +# for the current transaction -- Squid will not send ICP queries and +# will not forward HTTP requests to that peer. An allow match leaves +# the corresponding peer in the selection. The first match for a given +# peer wins for that peer. +# +# The relative order of cache_peer_access directives for the same peer +# matters. The relative order of any two cache_peer_access directives +# for different peers does not matter. To ease interpretation, it is a +# good idea to group cache_peer_access directives for the same peer +# together. +# +# A single cache_peer_access directive may be evaluated multiple times +# for a given transaction because individual peer selection algorithms +# may check it independently from each other. These redundant checks +# may be optimized away in future Squid versions. # -# The syntax is identical to 'http_access' and the other lists of -# ACL elements. See the comments for 'http_access' below, or -# the Squid FAQ (http://wiki.squid-cache.org/SquidFaq/SquidAcl). +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# No peer usage restrictions. # TAG: neighbor_type_domain -# usage: neighbor_type_domain neighbor parent|sibling domain domain ... +# Modify the cache_peer neighbor type when passing requests +# about specific domains to the peer. # -# Modifying the neighbor type for specific domains is now -# possible. You can treat some domains differently than the the -# default neighbor type specified on the 'cache_peer' line. -# Normally it should only be necessary to list domains which -# should be treated differently because the default neighbor type -# applies for hostnames which do not match domains listed here. +# Usage: +# neighbor_type_domain neighbor parent|sibling domain domain ... # -#EXAMPLE: -# cache_peer cache.foo.org parent 3128 3130 -# neighbor_type_domain cache.foo.org sibling .com .net -# neighbor_type_domain cache.foo.org sibling .au .de +# For example: +# cache_peer foo.example.com parent 3128 3130 +# neighbor_type_domain foo.example.com sibling .au .de +# +# The above configuration treats all requests to foo.example.com as a +# parent proxy unless the request is for a .au or .de ccTLD domain name. #Default: -# none +# The peer type from cache_peer directive is used for all requests to that peer. # TAG: dead_peer_timeout (seconds) # This controls how long Squid waits to declare a peer cache @@ -2015,21 +3125,11 @@ http_port 3128 # TAG: forward_max_tries # Controls how many different forward paths Squid will try # before giving up. See also forward_timeout. +# +# NOTE: connect_retries (default: none) can make each of these +# possible forwarding paths be tried multiple times. #Default: -# forward_max_tries 10 - -# TAG: hierarchy_stoplist -# A list of words which, if found in a URL, cause the object to -# be handled directly by this cache. In other words, use this -# to not query neighbor caches for certain objects. You may -# list this option multiple times. -# -# Example: -# hierarchy_stoplist cgi-bin ? -# -# Note: never_direct overrides this option. -#Default: -# none +# forward_max_tries 25 # MEMORY CACHE OPTIONS # ----------------------------------------------------------------------------- @@ -2064,6 +3164,11 @@ http_port 3128 # decreases, blocks will be freed until the high-water mark is # reached. Thereafter, blocks will be used to store hot # objects. +# +# If shared memory caching is enabled, Squid does not use the shared +# cache space for in-transit objects, but they still consume as much +# local memory as they need. For more details about the shared memory +# cache, see memory_cache_shared. #Default: # cache_mem 256 MB @@ -2075,11 +3180,45 @@ http_port 3128 #Default: # maximum_object_size_in_memory 512 KB +# TAG: memory_cache_shared on|off +# Controls whether the memory cache is shared among SMP workers. +# +# The shared memory cache is meant to occupy cache_mem bytes and replace +# the non-shared memory cache, although some entities may still be +# cached locally by workers for now (e.g., internal and in-transit +# objects may be served from a local memory cache even if shared memory +# caching is enabled). +# +# By default, the memory cache is shared if and only if all of the +# following conditions are satisfied: Squid runs in SMP mode with +# multiple workers, cache_mem is positive, and Squid environment +# supports required IPC primitives (e.g., POSIX shared memory segments +# and GCC-style atomic operations). +# +# To avoid blocking locks, shared memory uses opportunistic algorithms +# that do not guarantee that every cachable entity that could have been +# shared among SMP workers will actually be shared. +#Default: +# "on" where supported if doing memory caching with multiple SMP workers. + +# TAG: memory_cache_mode +# Controls which objects to keep in the memory cache (cache_mem) +# +# always Keep most recently fetched objects in memory (default) +# +# disk Only disk cache hits are kept in memory, which means +# an object must first be cached on disk and then hit +# a second time before cached in memory. +# +# network Only objects fetched from network is kept in memory +#Default: +# Keep the most recently fetched objects in memory + # TAG: memory_replacement_policy # The memory replacement policy parameter determines which # objects are purged from memory when memory space is needed. # -# See cache_replacement_policy for details. +# See cache_replacement_policy for details on algorithms. #Default: # memory_replacement_policy lru @@ -2095,7 +3234,7 @@ http_port 3128 # heap LFUDA: Least Frequently Used with Dynamic Aging # heap LRU : LRU policy implemented using a heap # -# Applies to any cache_dir lines listed below this. +# Applies to any cache_dir lines listed below this directive. # # The LRU policies keeps recently referenced objects. # @@ -2114,7 +3253,7 @@ http_port 3128 # replacement policies. # # NOTE: if using the LFUDA replacement policy you should increase -# the value of maximum_object_size above its default of 4096 KB to +# the value of maximum_object_size above its default of 4 MB to # to maximize the potential byte hit rate improvement of LFUDA. # # For more information about the GDSF and LFUDA cache replacement @@ -2123,10 +3262,34 @@ http_port 3128 #Default: # cache_replacement_policy lru +# TAG: minimum_object_size (bytes) +# Objects smaller than this size will NOT be saved on disk. The +# value is specified in bytes, and the default is 0 KB, which +# means all responses can be stored. +#Default: +# no limit + +# TAG: maximum_object_size (bytes) +# Set the default value for max-size parameter on any cache_dir. +# The value is specified in bytes, and the default is 4 MB. +# +# If you wish to get a high BYTES hit ratio, you should probably +# increase this (one 32 MB object hit counts for 3200 10KB +# hits). +# +# If you wish to increase hit ratio more than you want to +# save bandwidth you should leave this low. +# +# NOTE: if using the LFUDA replacement policy you should increase +# this value to maximize the byte hit rate improvement of LFUDA! +# See cache_replacement_policy for a discussion of this policy. +#Default: +# maximum_object_size 4 MB +maximum_object_size 153600 KB + # TAG: cache_dir -# Usage: -# -# cache_dir Type Directory-Name Fs-specific-data [options] +# Format: +# cache_dir Type Directory-Name Fs-specific-data [options] # # You can specify multiple cache_dir lines to spread the # cache among different disk partitions. @@ -2141,12 +3304,18 @@ http_port 3128 # The directory must exist and be writable by the Squid # process. Squid will NOT create this directory for you. # -# The ufs store type: +# In SMP configurations, cache_dir must not precede the workers option +# and should use configuration macros or conditionals to give each +# worker interested in disk caching a dedicated cache directory. +# +# +# ==== The ufs store type ==== # # "ufs" is the old well-known Squid storage format that has always # been there. # -# cache_dir ufs Directory-Name Mbytes L1 L2 [options] +# Usage: +# cache_dir ufs Directory-Name Mbytes L1 L2 [options] # # 'Mbytes' is the amount of disk space (MB) to use under this # directory. The default is 100 MB. Change this to suit your @@ -2161,23 +3330,27 @@ http_port 3128 # will be created under each first-level directory. The default # is 256. # -# The aufs store type: +# +# ==== The aufs store type ==== # # "aufs" uses the same storage format as "ufs", utilizing # POSIX-threads to avoid blocking the main Squid process on # disk-I/O. This was formerly known in Squid as async-io. # -# cache_dir aufs Directory-Name Mbytes L1 L2 [options] +# Usage: +# cache_dir aufs Directory-Name Mbytes L1 L2 [options] # # see argument descriptions under ufs above # -# The diskd store type: +# +# ==== The diskd store type ==== # # "diskd" uses the same storage format as "ufs", utilizing a # separate process to avoid blocking the main Squid process on # disk-I/O. # -# cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n] +# Usage: +# cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n] # # see argument descriptions under ufs above # @@ -2185,55 +3358,149 @@ http_port 3128 # stops opening new files. If this many messages are in the queues, # Squid won't open new files. Default is 64 # -# Q2 specifies the number of unacknowledged messages when Squid -# starts blocking. If this many messages are in the queues, -# Squid blocks until it receives some replies. Default is 72 +# Q2 specifies the number of unacknowledged messages when Squid +# starts blocking. If this many messages are in the queues, +# Squid blocks until it receives some replies. Default is 72 +# +# When Q1 < Q2 (the default), the cache directory is optimized +# for lower response time at the expense of a decrease in hit +# ratio. If Q1 > Q2, the cache directory is optimized for +# higher hit ratio at the expense of an increase in response +# time. +# +# +# ==== The rock store type ==== +# +# Usage: +# cache_dir rock Directory-Name Mbytes [options] +# +# The Rock Store type is a database-style storage. All cached +# entries are stored in a "database" file, using fixed-size slots. +# A single entry occupies one or more slots. +# +# If possible, Squid using Rock Store creates a dedicated kid +# process called "disker" to avoid blocking Squid worker(s) on disk +# I/O. One disker kid is created for each rock cache_dir. Diskers +# are created only when Squid, running in daemon mode, has support +# for the IpcIo disk I/O module. +# +# swap-timeout=msec: Squid will not start writing a miss to or +# reading a hit from disk if it estimates that the swap operation +# will take more than the specified number of milliseconds. By +# default and when set to zero, disables the disk I/O time limit +# enforcement. Ignored when using blocking I/O module because +# blocking synchronous I/O does not allow Squid to estimate the +# expected swap wait time. +# +# max-swap-rate=swaps/sec: Artificially limits disk access using +# the specified I/O rate limit. Swap out requests that +# would cause the average I/O rate to exceed the limit are +# delayed. Individual swap in requests (i.e., hits or reads) are +# not delayed, but they do contribute to measured swap rate and +# since they are placed in the same FIFO queue as swap out +# requests, they may wait longer if max-swap-rate is smaller. +# This is necessary on file systems that buffer "too +# many" writes and then start blocking Squid and other processes +# while committing those writes to disk. Usually used together +# with swap-timeout to avoid excessive delays and queue overflows +# when disk demand exceeds available disk "bandwidth". By default +# and when set to zero, disables the disk I/O rate limit +# enforcement. Currently supported by IpcIo module only. +# +# slot-size=bytes: The size of a database "record" used for +# storing cached responses. A cached response occupies at least +# one slot and all database I/O is done using individual slots so +# increasing this parameter leads to more disk space waste while +# decreasing it leads to more disk I/O overheads. Should be a +# multiple of your operating system I/O page size. Defaults to +# 16KBytes. A housekeeping header is stored with each slot and +# smaller slot-sizes will be rejected. The header is smaller than +# 100 bytes. +# +# +# ==== COMMON OPTIONS ==== +# +# no-store no new objects should be stored to this cache_dir. +# +# min-size=n the minimum object size in bytes this cache_dir +# will accept. It's used to restrict a cache_dir +# to only store large objects (e.g. AUFS) while +# other stores are optimized for smaller objects +# (e.g. Rock). +# Defaults to 0. +# +# max-size=n the maximum object size in bytes this cache_dir +# supports. +# The value in maximum_object_size directive sets +# the default unless more specific details are +# available (ie a small store capacity). +# +# Note: To make optimal use of the max-size limits you should order +# the cache_dir lines with the smallest max-size value first. +# +#Default: +# No disk cache. Store cache ojects only in memory. +# + +# Uncomment and adjust the following to add a disk cache directory. +#cache_dir ufs /var/spool/squid 100 16 256 +cache_dir ufs /var/spool/squid 4096 16 1024 + +# TAG: store_dir_select_algorithm +# How Squid selects which cache_dir to use when the response +# object will fit into more than one. +# +# Regardless of which algorithm is used the cache_dir min-size +# and max-size parameters are obeyed. As such they can affect +# the selection algorithm by limiting the set of considered +# cache_dir. +# +# Algorithms: +# +# least-load +# +# This algorithm is suited to caches with similar cache_dir +# sizes and disk speeds. # -# When Q1 < Q2 (the default), the cache directory is optimized -# for lower response time at the expense of a decrease in hit -# ratio. If Q1 > Q2, the cache directory is optimized for -# higher hit ratio at the expense of an increase in response -# time. +# The disk with the least I/O pending is selected. +# When there are multiple disks with the same I/O load ranking +# the cache_dir with most available capacity is selected. # -# The coss store type: +# When a mix of cache_dir sizes are configured the faster disks +# have a naturally lower I/O loading and larger disks have more +# capacity. So space used to store objects and data throughput +# may be very unbalanced towards larger disks. # -# NP: COSS filesystem in Squid-3 has been deemed too unstable for -# production use and has thus been removed from this release. -# We hope that it can be made usable again soon. # -# block-size=n defines the "block size" for COSS cache_dir's. -# Squid uses file numbers as block numbers. Since file numbers -# are limited to 24 bits, the block size determines the maximum -# size of the COSS partition. The default is 512 bytes, which -# leads to a maximum cache_dir size of 512<<24, or 8 GB. Note -# you should not change the coss block size after Squid -# has written some objects to the cache_dir. +# round-robin # -# The coss file store has changed from 2.5. Now it uses a file -# called 'stripe' in the directory names in the config - and -# this will be created by squid -z. +# This algorithm is suited to caches with unequal cache_dir +# disk sizes. # -# Common options: +# Each cache_dir is selected in a rotation. The next suitable +# cache_dir is used. # -# no-store, no new objects should be stored to this cache_dir +# Available cache_dir capacity is only considered in relation +# to whether the object will fit and meets the min-size and +# max-size parameters. # -# max-size=n, refers to the max object size in bytes this cache_dir -# supports. It is used to select the cache_dir to store the object. -# Note: To make optimal use of the max-size limits you should order -# the cache_dir lines with the smallest max-size value first and the -# ones with no max-size specification last. +# Disk I/O loading is only considered to prevent overload on slow +# disks. This algorithm does not spread objects by size, so any +# I/O loading per-disk may appear very unbalanced and volatile. # -# Note for coss, max-size must be less than COSS_MEMBUF_SZ, -# which can be changed with the --with-coss-membuf-size=N configure -# option. +# If several cache_dirs use similar min-size, max-size, or other +# limits to to reject certain responses, then do not group such +# cache_dir lines together, to avoid round-robin selection bias +# towards the first cache_dir after the group. Instead, interleave +# cache_dir lines from different groups. For example: # - -# Uncomment and adjust the following to add a disk cache directory. -#cache_dir ufs /var/spool/squid 100 16 256 -cache_dir ufs /var/spool/squid 4096 16 1024 - -# TAG: store_dir_select_algorithm -# Set this to 'round-robin' as an alternative. +# store_dir_select_algorithm round-robin +# cache_dir rock /hdd1 ... min-size=100000 +# cache_dir rock /ssd1 ... max-size=99999 +# cache_dir rock /hdd2 ... min-size=100000 +# cache_dir rock /ssd2 ... max-size=99999 +# cache_dir rock /hdd3 ... min-size=100000 +# cache_dir rock /ssd3 ... max-size=99999 #Default: # store_dir_select_algorithm least-load @@ -2244,46 +3511,53 @@ cache_dir ufs /var/spool/squid 4096 16 1024 # # A value of 0 indicates no limit. #Default: -# max_open_disk_fds 0 - -# TAG: minimum_object_size (bytes) -# Objects smaller than this size will NOT be saved on disk. The -# value is specified in kilobytes, and the default is 0 KB, which -# means there is no minimum. -#Default: -# minimum_object_size 0 KB - -# TAG: maximum_object_size (bytes) -# Objects larger than this size will NOT be saved on disk. The -# value is specified in kilobytes, and the default is 4MB. If -# you wish to get a high BYTES hit ratio, you should probably -# increase this (one 32 MB object hit counts for 3200 10KB -# hits). If you wish to increase speed more than your want to -# save bandwidth you should leave this low. -# -# NOTE: if using the LFUDA replacement policy you should increase -# this value to maximize the byte hit rate improvement of LFUDA! -# See replacement_policy below for a discussion of this policy. -#Default: -# maximum_object_size 4096 KB -maximum_object_size 153600 KB +# no limit # TAG: cache_swap_low (percent, 0-100) +# The low-water mark for AUFS/UFS/diskd cache object eviction by +# the cache_replacement_policy algorithm. +# +# Removal begins when the swap (disk) usage of a cache_dir is +# above this low-water mark and attempts to maintain utilization +# near the low-water mark. +# +# As swap utilization increases towards the high-water mark set +# by cache_swap_high object eviction becomes more agressive. +# +# The value difference in percentages between low- and high-water +# marks represent an eviction rate of 300 objects per second and +# the rate continues to scale in agressiveness by multiples of +# this above the high-water mark. +# +# Defaults are 90% and 95%. If you have a large cache, 5% could be +# hundreds of MB. If this is the case you may wish to set these +# numbers closer together. +# +# See also cache_swap_high and cache_replacement_policy #Default: # cache_swap_low 90 # TAG: cache_swap_high (percent, 0-100) +# The high-water mark for AUFS/UFS/diskd cache object eviction by +# the cache_replacement_policy algorithm. # -# The low- and high-water marks for cache object replacement. -# Replacement begins when the swap (disk) usage is above the -# low-water mark and attempts to maintain utilization near the -# low-water mark. As swap utilization gets close to high-water -# mark object eviction becomes more aggressive. If utilization is -# close to the low-water mark less replacement is done each time. +# Removal begins when the swap (disk) usage of a cache_dir is +# above the low-water mark set by cache_swap_low and attempts to +# maintain utilization near the low-water mark. +# +# As swap utilization increases towards this high-water mark object +# eviction becomes more agressive. +# +# The value difference in percentages between low- and high-water +# marks represent an eviction rate of 300 objects per second and +# the rate continues to scale in agressiveness by multiples of +# this above the high-water mark. # # Defaults are 90% and 95%. If you have a large cache, 5% could be # hundreds of MB. If this is the case you may wish to set these # numbers closer together. +# +# See also cache_swap_low and cache_replacement_policy #Default: # cache_swap_high 95 @@ -2313,21 +3587,62 @@ maximum_object_size 153600 KB # ' output as-is # # - left aligned -# width field width. If starting with 0 the -# output is zero padded +# +# width minimum and/or maximum field width: +# [width_min][.width_max] +# When minimum starts with 0, the field is zero-padded. +# String values exceeding maximum width are truncated. +# # {arg} argument such as header name etc # # Format codes: # # % a literal % character +# sn Unique sequence number per log line entry +# err_code The ID of an error response served by Squid or +# a similar internal error identifier. +# err_detail Additional err_code-dependent error information. +# note The annotation specified by the argument. Also +# logs the adaptation meta headers set by the +# adaptation_meta configuration parameter. +# If no argument given all annotations logged. +# The argument may include a separator to use with +# annotation values: +# name[:separator] +# By default, multiple note values are separated with "," +# and multiple notes are separated with "\r\n". +# When logging named notes with %{name}note, the +# explicitly configured separator is used between note +# values. When logging all notes with %note, the +# explicitly configured separator is used between +# individual notes. There is currently no way to +# specify both value and notes separators when logging +# all notes with %note. +# +# Connection related format codes: +# # >a Client source IP address # >A Client FQDN # >p Client source port -# eui Client source EUI (MAC address, EUI-48 or EUI-64 identifier) +# >la Local IP address the client connected to +# >lp Local port number the client connected to +# >qos Client connection TOS/DSCP value set by Squid +# >nfmark Client connection netfilter mark set by Squid +# +# la Local listening IP address the client connection was connected to. +# lp Local listening port number the client connection was connected to. +# +# . format. +# Currently, Squid considers the master transaction +# started when a complete HTTP request header initiating +# the transaction is received from the client. This is +# the same value that Squid uses to calculate transaction +# response time when logging %tr to access.log. Currently, +# Squid uses millisecond resolution for %tS values, +# similar to the default access.log "current time" field +# (%ts.%03tu). +# +# Access Control related format codes: +# +# et Tag returned by external acl +# ea Log string returned by external acl +# un User name (any available) +# ul User name from authentication +# ue User name from external acl helper +# ui User name from ident +# un A user name. Expands to the first available name +# from the following list of information sources: +# - authenticated user name, like %ul +# - user name supplied by an external ACL, like %ue +# - SSL client name, like %us +# - ident user name, like %ui +# credentials Client credentials. The exact meaning depends on +# the authentication scheme: For Basic authentication, +# it is the password; for Digest, the realm sent by the +# client; for NTLM and Negotiate, the client challenge +# or client credentials prefixed with "YR " or "KK ". +# +# HTTP related format codes: +# +# REQUEST # -# HTTP cache related format codes: -# -# [http::]>h Original request header. Optional header name argument -# on the format header[:[separator]element] -# [http::]>ha The HTTP request headers after adaptation and redirection. +# [http::]rm Request method (GET/POST etc) +# [http::]>rm Request method from client +# [http::]ru Request URL from client +# [http::]rs Request URL scheme from client +# [http::]rd Request URL domain from client +# [http::]rP Request URL port from client +# [http::]rp Request URL path excluding hostname from client +# [http::]rv Request protocol version from client +# [http::]h Original received request header. +# Usually differs from the request header sent by +# Squid, although most fields are often preserved. +# Accepts optional header field name/value filter +# argument using name[:[separator]element] format. +# [http::]>ha Received request header after adaptation and +# redirection (pre-cache REQMOD vectoring point). +# Usually differs from the request header sent by +# Squid, although most fields are often preserved. # Optional header name argument as for >h +# +# +# RESPONSE +# +# [http::]Hs HTTP status code sent to the client +# # [http::]h -# [http::]un User name -# [http::]ul User name from authentication -# [http::]ui User name from ident -# [http::]us User name from SSL -# [http::]ue User name from external acl helper -# [http::]>Hs HTTP status code sent to the client -# [http::]st Received request size including HTTP headers. In the -# case of chunked requests the chunked encoding metadata -# are not included -# [http::]>sh Received HTTP request headers size -# [http::]st Total size of request received from client. +# Excluding chunked encoding bytes. +# [http::]sh Size of request headers received from client +# [http::]sni SSL client SNI sent to Squid. Available only +# after the peek, stare, or splice SSL bumping +# actions. +# +# If ICAP is enabled, the following code becomes available (as # well as ICAP log codes documented with the icap_log option): # # icap::tt Total ICAP processing time for the HTTP @@ -2386,14 +3793,13 @@ maximum_object_size 153600 KB # ACLs are checked and when ICAP # transaction is in progress. # -# icap::cert_subject The Subject field of the received client +# SSL certificate or a dash ('-') if Squid has +# received an invalid/malformed certificate or +# no certificate at all. Consider encoding the +# logged value because Subject often has spaces. +# +# %ssl::>cert_issuer The Issuer field of the received client +# SSL certificate or a dash ('-') if Squid has +# received an invalid/malformed certificate or +# no certificate at all. Consider encoding the +# logged value because Issuer often has spaces. +# # The default formats available (which do not need re-defining) are: # -#logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %a %Ss/%03>Hs %h] [%a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh +#logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh +#logformat referrer %ts.%03tu %>a %{Referer}>h %ru +#logformat useragent %>a [%tl] "%{User-Agent}>h" +# +# NOTE: When the log_mime_hdrs directive is set to ON. +# The squid, common and combined formats have a safely encoded copy +# of the mime headers appended to each line within a pair of brackets. +# +# NOTE: The common and combined formats are not quite true to the Apache definition. +# The logs from Squid contain an extra status and hierarchy code appended. +# #Default: -# none +# The format definitions squid, common, combined, referrer, useragent are built in. # TAG: access_log -# These files log client request activities. Has a line every HTTP or -# ICP request. The format is: -# access_log [ [acl acl ...]] -# access_log none [acl acl ...]] +# Configures whether and how Squid logs HTTP and ICP transactions. +# If access logging is enabled, a single line is logged for every +# matching HTTP or ICP request. The recommended directive formats are: # -# Will log to the specified file using the specified format (which -# must be defined in a logformat directive) those entries which match -# ALL the acl's specified (which must be defined in acl clauses). +# access_log : [option ...] [acl acl ...] +# access_log none [acl acl ...] # -# If no acl is specified, all requests will be logged to this file. +# The following directive format is accepted but may be deprecated: +# access_log : [ [acl acl ...]] # -# To disable logging of a request use the filepath "none", in which case -# a logformat name should not be specified. +# In most cases, the first ACL name must not contain the '=' character +# and should not be equal to an existing logformat name. You can always +# start with an 'all' ACL to work around those restrictions. +# +# Will log to the specified module:place using the specified format (which +# must be defined in a logformat directive) those entries which match +# ALL the acl's specified (which must be defined in acl clauses). +# If no acl is specified, all requests will be logged to this destination. +# +# ===== Available options for the recommended directive format ===== +# +# logformat=name Names log line format (either built-in or +# defined by a logformat directive). Defaults +# to 'squid'. +# +# buffer-size=64KB Defines approximate buffering limit for log +# records (see buffered_logs). Squid should not +# keep more than the specified size and, hence, +# should flush records before the buffer becomes +# full to avoid overflows under normal +# conditions (the exact flushing algorithm is +# module-dependent though). The on-error option +# controls overflow handling. +# +# on-error=die|drop Defines action on unrecoverable errors. The +# 'drop' action ignores (i.e., does not log) +# affected log records. The default 'die' action +# kills the affected worker. The drop action +# support has not been tested for modules other +# than tcp. +# +# ===== Modules Currently available ===== +# +# none Do not log any requests matching these ACL. +# Do not specify Place or logformat name. +# +# stdio Write each log line to disk immediately at the completion of +# each request. +# Place: the filename and path to be written. +# +# daemon Very similar to stdio. But instead of writing to disk the log +# line is passed to a daemon helper for asychronous handling instead. +# Place: varies depending on the daemon. +# +# log_file_daemon Place: the file name and path to be written. +# +# syslog To log each request via syslog facility. +# Place: The syslog facility and priority level for these entries. +# Place Format: facility.priority # -# To log the request via syslog specify a filepath of "syslog": +# where facility could be any of: +# authpriv, daemon, local0 ... local7 or user. # -# access_log syslog[:facility.priority] [format [acl1 [acl2 ....]]] -# where facility could be any of: -# authpriv, daemon, local0 .. local7 or user. +# And priority could be any of: +# err, warning, notice, info, debug. +# +# udp To send each log line as text data to a UDP receiver. +# Place: The destination host name or IP and port. +# Place Format: //host:port # -# And priority could be any of: -# err, warning, notice, info, debug. +# tcp To send each log line as text data to a TCP receiver. +# Lines may be accumulated before sending (see buffered_logs). +# Place: The destination host name or IP and port. +# Place Format: //host:port # # Default: -# access_log /var/log/squid/access.log squid +# access_log daemon:/var/log/squid/access.log squid #Default: -# access_log /var/log/squid/access.log squid +# access_log daemon:/var/log/squid/access.log squid # TAG: icap_log # ICAP log files record ICAP transaction summaries, one line per @@ -2472,13 +3953,35 @@ maximum_object_size 153600 KB # ICAP transaction log lines will correspond to a single access # log line. # -# ICAP log uses logformat codes that make sense for an ICAP -# transaction. Header-related codes are applied to the HTTP header -# embedded in an ICAP server response, with the following caveats: -# For REQMOD, there is no HTTP response header unless the ICAP -# server performed request satisfaction. For RESPMOD, the HTTP -# request header is the header sent to the ICAP server. For -# OPTIONS, there are no HTTP headers. +# ICAP log supports many access.log logformat %codes. In ICAP context, +# HTTP message-related %codes are applied to the HTTP message embedded +# in an ICAP message. Logformat "%http::>..." codes are used for HTTP +# messages embedded in ICAP requests while "%http::<..." codes are used +# for HTTP messages embedded in ICAP responses. For example: +# +# http::>h To-be-adapted HTTP message headers sent by Squid to +# the ICAP service. For REQMOD transactions, these are +# HTTP request headers. For RESPMOD, these are HTTP +# response headers, but Squid currently cannot log them +# (i.e., %http::>h will expand to "-" for RESPMOD). +# +# http::st Bytes sent to the ICAP server (TCP payload -# only; i.e., what Squid writes to the socket). +# icap::>st The total size of the ICAP request sent to the ICAP +# server (ICAP headers + ICAP body), including chunking +# metadata (if any). # -# icap::a %icap::to/%03icap::Hs %icap::A %icap::to/%03icap::Hs %icap::\n - logfile data +# R\n - rotate file +# T\n - truncate file +# O\n - reopen file +# F\n - flush file +# r\n - set rotate count to +# b\n - 1 = buffer output, 0 = don't buffer output +# +# No responses is expected. #Default: -# none +# logfile_daemon /usr/lib/squid/log_file_daemon -# TAG: log_icap -# This options allows you to control which requests get logged -# to icap.log. See the icap_log directive for ICAP log details. +# TAG: stats_collection allow|deny acl acl... +# This options allows you to control which requests gets accounted +# in performance counters. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow logging for all transactions. # TAG: cache_store_log # Logs the activities of the storage manager. Shows which # objects are ejected from the cache, and which objects are -# saved and for how long. To disable, enter "none" or remove the line. +# saved and for how long. # There are not really utilities to analyze this data, so you can safely -# disable it. -# +# disable it (the default). +# +# Store log uses modular logging outputs. See access_log for the list +# of modules supported. +# # Example: -# cache_store_log /var/log/squid/store.log +# cache_store_log stdio:/var/log/squid/store.log +# cache_store_log daemon:/var/log/squid/store.log #Default: # none @@ -2590,7 +4111,7 @@ maximum_object_size 153600 KB # them). We recommend you do NOT use this option. It is # better to keep these index files in each 'cache_dir' directory. #Default: -# none +# Store the journal inside its cache_dir # TAG: logfile_rotate # Specifies the number of logfile rotations to make when you @@ -2607,34 +4128,19 @@ maximum_object_size 153600 KB # in the habit of using 'squid -k rotate' instead of 'kill -USR1 # '. # -# Note, from Squid-3.1 this option has no effect on the cache.log, -# that log can be rotated separately by using debug_options +# Note, from Squid-3.1 this option is only a default for cache.log, +# that log can be rotated separately by using debug_options. # -# Note2, for Debian/Linux the default of logfile_rotate is -# zero, since it includes external logfile-rotation methods. +# Note2, for Debian/Linux the default of logfile_rotate is +# zero, since it includes external logfile-rotation methods. #Default: # logfile_rotate 0 -# TAG: emulate_httpd_log on|off -# The Cache can emulate the log file format which many 'httpd' -# programs use. To disable/enable this emulation, set -# emulate_httpd_log to 'off' or 'on'. The default -# is to use the native log format since it includes useful -# information Squid-specific log analyzers use. -#Default: -# emulate_httpd_log off - -# TAG: log_ip_on_direct on|off -# Log the destination IP address in the hierarchy log tag when going -# direct. Earlier Squid versions logged the hostname here. If you -# prefer the old way set this to off. -#Default: -# log_ip_on_direct on - # TAG: mime_table -# Pathname to Squid's MIME table. You shouldn't need to change -# this, but the default file contains examples and formatting -# information if you do. +# Path to Squid's icon configuration file. +# +# You shouldn't need to change this, but the default file contains +# examples and formatting information if you do. #Default: # mime_table /usr/share/squid/mime.conf @@ -2647,91 +4153,61 @@ maximum_object_size 153600 KB #Default: # log_mime_hdrs off -# TAG: useragent_log -# Note: This option is only available if Squid is rebuilt with the -# --enable-useragent-log option -# -# Squid will write the User-Agent field from HTTP requests -# to the filename specified here. By default useragent_log -# is disabled. -#Default: -# none - -# TAG: referer_log -# Note: This option is only available if Squid is rebuilt with the -# --enable-referer-log option -# -# Squid will write the Referer field from HTTP requests to the -# filename specified here. By default referer_log is disabled. -# Note that "referer" is actually a misspelling of "referrer" -# however the misspelt version has been accepted into the HTTP RFCs -# and we accept both. -#Default: -# none - # TAG: pid_filename # A filename to write the process-id to. To disable, enter "none". #Default: # pid_filename /var/run/squid.pid -# TAG: log_fqdn on|off -# Turn this on if you wish to log fully qualified domain names -# in the access.log. To do this Squid does a DNS lookup of all -# IP's connecting to it. This can (in some situations) increase -# latency, which makes your cache seem slower for interactive -# browsing. -#Default: -# log_fqdn off - # TAG: client_netmask # A netmask for client addresses in logfiles and cachemgr output. # Change this to protect the privacy of your cache clients. # A netmask of 255.255.255.0 will log all IP's in that range with # the last digit set to '0'. #Default: -# client_netmask no_addr - -# TAG: forward_log -# Note: This option is only available if Squid is rebuilt with the -# -DWIP_FWD_LOG define -# -# Logs the server-side requests. -# -# This is currently work in progress. -#Default: -# none +# Log full client IP address # TAG: strip_query_terms # By default, Squid strips query terms from requested URLs before -# logging. This protects your user's privacy. +# logging. This protects your user's privacy and reduces log size. +# +# When investigating HIT/MISS or other caching behaviour you +# will need to disable this to see the full URL used by Squid. #Default: # strip_query_terms on # TAG: buffered_logs on|off -# cache.log log file is written with stdio functions, and as such -# it can be buffered or unbuffered. By default it will be unbuffered. -# Buffering it can speed up the writing slightly (though you are -# unlikely to need to worry unless you run with tons of debugging -# enabled in which case performance will suffer badly anyway..). +# Whether to write/send access_log records ASAP or accumulate them and +# then write/send them in larger chunks. Buffering may improve +# performance because it decreases the number of I/Os. However, +# buffering increases the delay before log records become available to +# the final recipient (e.g., a disk file or logging daemon) and, +# hence, increases the risk of log records loss. +# +# Note that even when buffered_logs are off, Squid may have to buffer +# records if it cannot write/send them immediately due to pending I/Os +# (e.g., the I/O writing the previous log record) or connectivity loss. +# +# Currently honored by 'daemon' and 'tcp' access_log modules only. #Default: # buffered_logs off # TAG: netdb_filename -# Note: This option is only available if Squid is rebuilt with the -# --enable-icmp option +# Where Squid stores it's netdb journal. +# When enabled this journal preserves netdb state between restarts. # -# A filename where Squid stores it's netdb state between restarts. # To disable, enter "none". #Default: -# netdb_filename /var/log/squid/netdb.state +# netdb_filename stdio:/var/log/squid/netdb.state # OPTIONS FOR TROUBLESHOOTING # ----------------------------------------------------------------------------- # TAG: cache_log -# Cache logging file. This is where general information about -# your cache's behavior goes. You can increase the amount of data -# logged to this file and how often its rotated with "debug_options" +# Squid administrative logging file. +# +# This is where general information about Squid behavior goes. You can +# increase the amount of data logged to this file and how often it is +# rotated with "debug_options" #Default: # cache_log /var/log/squid/cache.log @@ -2742,14 +4218,14 @@ maximum_object_size 153600 KB # log file, so be careful. # # The magic word "ALL" sets debugging levels for all sections. -# We recommend normally running with "ALL,1". +# The default is to run with "ALL,1" to record important warnings. # # The rotate=N option can be used to keep more or less of these logs # than would otherwise be kept by logfile_rotate. # For most uses a single log should be enough to monitor current # events affecting Squid. #Default: -# debug_options ALL,1 +# Log all critical and important messages. # TAG: coredump_dir # By default Squid leaves core files in the directory from where @@ -2758,7 +4234,7 @@ maximum_object_size 153600 KB # and coredump files will be left there. # #Default: -# coredump_dir none +# Use the directory from where Squid was started. # # Leave coredumps in the first cache dir @@ -2769,24 +4245,17 @@ coredump_dir /var/spool/squid # TAG: ftp_user # If you want the anonymous login password to be more informative -# (and enable the use of picky ftp servers), set this to something +# (and enable the use of picky FTP servers), set this to something # reasonable for your domain, like wwwuser@somewhere.net # # The reason why this is domainless by default is the # request can be made on the behalf of a user in any domain, # depending on how the cache is used. -# Some ftp server also validate the email address is valid +# Some FTP server also validate the email address is valid # (for example perl.com). #Default: # ftp_user Squid@ -# TAG: ftp_list_width -# Sets the width of ftp listings. This should be set to fit in -# the width of a standard browser. Setting this too small -# can cut off long filenames when browsing ftp sites. -#Default: -# ftp_list_width 32 - # TAG: ftp_passive # If your firewall does not allow Squid to use passive # connections, turn off this option. @@ -2822,13 +4291,21 @@ coredump_dir /var/spool/squid # and therefore, translation of the data portion of the segments # will never be needed. # -# Turning this OFF will prevent EPSV being attempted. -# WARNING: Doing so will convert Squid back to the old behavior with all -# the related problems with external NAT devices/layers. +# EPSV is often required to interoperate with FTP servers on IPv6 +# networks. On the other hand, it may break some IPv4 servers. +# +# By default, EPSV may try EPSV with any FTP server. To fine tune +# that decision, you may restrict EPSV to certain clients or servers +# using ACLs: # +# ftp_epsv allow|deny al1 acl2 ... +# +# WARNING: Disabling EPSV may cause problems with external NAT and IPv6. +# +# Only fast ACLs are supported. # Requires ftp_passive to be ON (default) for any effect. #Default: -# ftp_epsv on +# none # TAG: ftp_eprt # FTP Protocol extensions permit the use of a special "EPRT" command. @@ -2889,22 +4366,16 @@ coredump_dir /var/spool/squid # unlinkd_program /usr/lib/squid/unlinkd # TAG: pinger_program -# Note: This option is only available if Squid is rebuilt with the -# --enable-icmp option -# # Specify the location of the executable for the pinger process. #Default: # pinger_program /usr/lib/squid/pinger # TAG: pinger_enable -# Note: This option is only available if Squid is rebuilt with the -# --enable-icmp option -# # Control whether the pinger is active at run-time. # Enables turning ICMP pinger on and off with a simple # squid -k reconfigure. #Default: -# pinger_enable off +# pinger_enable on # OPTIONS FOR URL REWRITING # ----------------------------------------------------------------------------- @@ -2915,68 +4386,137 @@ coredump_dir /var/spool/squid # # For each requested URL, the rewriter will receive on line with the format # -# URL client_ip "/" fqdn user method [ kvpairs] +# [channel-ID ] URL [ extras] +# +# See url_rewrite_extras on how to send "extras" with optional values to +# the helper. +# After processing the request the helper must reply using the following format: +# +# [channel-ID ] result [ kv-pairs] +# +# The result code can be: +# +# OK status=30N url="..." +# Redirect the URL to the one supplied in 'url='. +# 'status=' is optional and contains the status code to send +# the client in Squids HTTP response. It must be one of the +# HTTP redirect status codes: 301, 302, 303, 307, 308. +# When no status is given Squid will use 302. +# +# OK rewrite-url="..." +# Rewrite the URL to the one supplied in 'rewrite-url='. +# The new URL is fetched directly by Squid and returned to +# the client as the response to its request. # -# In the future, the rewriter interface will be extended with -# key=value pairs ("kvpairs" shown above). Rewriter programs -# should be prepared to receive and possibly ignore additional -# whitespace-separated tokens on each input line. +# OK +# When neither of url= and rewrite-url= are sent Squid does +# not change the URL. # -# And the rewriter may return a rewritten URL. The other components of -# the request line does not need to be returned (ignored if they are). +# ERR +# Do not change the URL. # -# The rewriter can also indicate that a client-side redirect should -# be performed to the new URL. This is done by prefixing the returned -# URL with "301:" (moved permanently) or 302: (moved temporarily), etc. +# BH +# An internal error occurred in the helper, preventing +# a result being identified. The 'message=' key name is +# reserved for delivering a log message. +# +# +# In addition to the above kv-pairs Squid also understands the following +# optional kv-pairs received from URL rewriters: +# clt_conn_tag=TAG +# Associates a TAG with the client TCP connection. +# The TAG is treated as a regular annotation but persists across +# future requests on the client connection rather than just the +# current request. A helper may update the TAG during subsequent +# requests be returning a new kv-pair. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# WARNING: URL re-writing ability should be avoided whenever possible. +# Use the URL redirect form of response instead. +# +# Re-write creates a difference in the state held by the client +# and server. Possibly causing confusion when the server response +# contains snippets of its view state. Embeded URLs, response +# and content Location headers, etc. are not re-written by this +# interface. # # By default, a URL rewriter is not used. #Default: # none # TAG: url_rewrite_children -# The number of redirector processes to spawn. If you start -# too few Squid will have to wait for them to process a backlog of -# URLs, slowing it down. If you start too many they will use RAM -# and other system resources. -#Default: -# url_rewrite_children 5 - -# TAG: url_rewrite_concurrency +# The maximum number of redirector processes to spawn. If you limit +# it too few Squid will have to wait for them to process a backlog of +# URLs, slowing it down. If you allow too many they will use RAM +# and other system resources noticably. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup= +# +# Sets a minimum of how many processes are to be spawned when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few will cause an initial slowdown in traffic as Squid +# attempts to simultaneously spawn enough processes to cope. +# +# idle= +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# # The number of requests each redirector helper can handle in # parallel. Defaults to 0 which indicates the redirector # is a old-style single threaded redirector. # # When this directive is set to a value >= 1 then the protocol # used to communicate with the helper is modified to include -# a request ID in front of the request/response. The request -# ID from the request must be echoed back with the response -# to that request. +# an ID in front of the request/response. The ID from the request +# must be echoed back with the response to that request. #Default: -# url_rewrite_concurrency 0 +# url_rewrite_children 20 startup=0 idle=1 concurrency=0 # TAG: url_rewrite_host_header -# By default Squid rewrites any Host: header in redirected -# requests. If you are running an accelerator this may -# not be a wanted effect of a redirector. -# +# To preserve same-origin security policies in browsers and +# prevent Host: header forgery by redirectors Squid rewrites +# any Host: header in redirected requests. +# +# If you are running an accelerator this may not be a wanted +# effect of a redirector. This directive enables you disable +# Host: alteration in reverse-proxy traffic. +# # WARNING: Entries are cached on the result of the URL rewriting # process, so be careful if you have domain-virtual hosts. +# +# WARNING: Squid and other software verifies the URL and Host +# are matching, so be careful not to relay through other proxies +# or inspecting firewalls with this disabled. #Default: # url_rewrite_host_header on # TAG: url_rewrite_access # If defined, this access list specifies which requests are -# sent to the redirector processes. By default all requests -# are sent. +# sent to the redirector processes. # # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: url_rewrite_bypass # When this is 'on', a request will not go through the -# redirector if all redirectors are busy. If this is 'off' +# redirector if all the helpers are busy. If this is 'off' # and the redirector queue grows too large, Squid will exit # with a FATAL error and ask you to increase the number of # redirectors. You should only enable this if the redirectors @@ -2987,23 +4527,231 @@ coredump_dir /var/spool/squid #Default: # url_rewrite_bypass off -# OPTIONS FOR TUNING THE CACHE +# TAG: url_rewrite_extras +# Specifies a string to be append to request line format for the +# rewriter helper. "Quoted" format values may contain spaces and +# logformat %macros. In theory, any logformat %macro can be used. +# In practice, a %macro expands as a dash (-) if the helper request is +# sent before the required macro information is available to Squid. +#Default: +# url_rewrite_extras "%>a/%>A %un %>rm myip=%la myport=%lp" + +# OPTIONS FOR STORE ID # ----------------------------------------------------------------------------- -# TAG: cache -# A list of ACL elements which, if matched and denied, cause the request to -# not be satisfied from the cache and the reply to not be cached. -# In other words, use this to force certain objects to never be cached. +# TAG: store_id_program +# Specify the location of the executable StoreID helper to use. +# Since they can perform almost any function there isn't one included. # -# You must use the words 'allow' or 'deny' to indicate whether items -# matching the ACL should be allowed or denied into the cache. +# For each requested URL, the helper will receive one line with the format # -# Default is to allow all to be cached. +# [channel-ID ] URL [ extras] +# +# +# After processing the request the helper must reply using the following format: +# +# [channel-ID ] result [ kv-pairs] +# +# The result code can be: +# +# OK store-id="..." +# Use the StoreID supplied in 'store-id='. +# +# ERR +# The default is to use HTTP request URL as the store ID. +# +# BH +# An internal error occured in the helper, preventing +# a result being identified. +# +# In addition to the above kv-pairs Squid also understands the following +# optional kv-pairs received from URL rewriters: +# clt_conn_tag=TAG +# Associates a TAG with the client TCP connection. +# Please see url_rewrite_program related documentation for this +# kv-pair +# +# Helper programs should be prepared to receive and possibly ignore +# additional whitespace-separated tokens on each input line. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# NOTE: when using StoreID refresh_pattern will apply to the StoreID +# returned from the helper and not the URL. +# +# WARNING: Wrong StoreID value returned by a careless helper may result +# in the wrong cached response returned to the user. +# +# By default, a StoreID helper is not used. +#Default: +# none + +# TAG: store_id_extras +# Specifies a string to be append to request line format for the +# StoreId helper. "Quoted" format values may contain spaces and +# logformat %macros. In theory, any logformat %macro can be used. +# In practice, a %macro expands as a dash (-) if the helper request is +# sent before the required macro information is available to Squid. +#Default: +# store_id_extras "%>a/%>A %un %>rm myip=%la myport=%lp" + +# TAG: store_id_children +# The maximum number of StoreID helper processes to spawn. If you limit +# it too few Squid will have to wait for them to process a backlog of +# requests, slowing it down. If you allow too many they will use RAM +# and other system resources noticably. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup= +# +# Sets a minimum of how many processes are to be spawned when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few will cause an initial slowdown in traffic as Squid +# attempts to simultaneously spawn enough processes to cope. +# +# idle= +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# +# The number of requests each storeID helper can handle in +# parallel. Defaults to 0 which indicates the helper +# is a old-style single threaded program. +# +# When this directive is set to a value >= 1 then the protocol +# used to communicate with the helper is modified to include +# an ID in front of the request/response. The ID from the request +# must be echoed back with the response to that request. +#Default: +# store_id_children 20 startup=0 idle=1 concurrency=0 + +# TAG: store_id_access +# If defined, this access list specifies which requests are +# sent to the StoreID processes. By default all requests +# are sent. # # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow, unless rules exist in squid.conf. + +# TAG: store_id_bypass +# When this is 'on', a request will not go through the +# helper if all helpers are busy. If this is 'off' +# and the helper queue grows too large, Squid will exit +# with a FATAL error and ask you to increase the number of +# helpers. You should only enable this if the helperss +# are not critical to your caching system. If you use +# helpers for critical caching components, and you enable this +# option, users may not get objects from cache. +#Default: +# store_id_bypass on + +# OPTIONS FOR TUNING THE CACHE +# ----------------------------------------------------------------------------- + +# TAG: cache +# Requests denied by this directive will not be served from the cache +# and their responses will not be stored in the cache. This directive +# has no effect on other transactions and on already cached responses. +# +# This clause supports both fast and slow acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# This and the two other similar caching directives listed below are +# checked at different transaction processing stages, have different +# access to response information, affect different cache operations, +# and differ in slow ACLs support: +# +# * cache: Checked before Squid makes a hit/miss determination. +# No access to reply information! +# Denies both serving a hit and storing a miss. +# Supports both fast and slow ACLs. +# * send_hit: Checked after a hit was detected. +# Has access to reply (hit) information. +# Denies serving a hit only. +# Supports fast ACLs only. +# * store_miss: Checked before storing a cachable miss. +# Has access to reply (miss) information. +# Denies storing a miss only. +# Supports fast ACLs only. +# +# If you are not sure which of the three directives to use, apply the +# following decision logic: +# +# * If your ACL(s) are of slow type _and_ need response info, redesign. +# Squid does not support that particular combination at this time. +# Otherwise: +# * If your directive ACL(s) are of slow type, use "cache"; and/or +# * if your directive ACL(s) need no response info, use "cache". +# Otherwise: +# * If you do not want the response cached, use store_miss; and/or +# * if you do not want a hit on a cached response, use send_hit. +#Default: +# By default, this directive is unused and has no effect. + +# TAG: send_hit +# Responses denied by this directive will not be served from the cache +# (but may still be cached, see store_miss). This directive has no +# effect on the responses it allows and on the cached objects. +# +# Please see the "cache" directive for a summary of differences among +# store_miss, send_hit, and cache directives. +# +# Unlike the "cache" directive, send_hit only supports fast acl +# types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# For example: +# +# # apply custom Store ID mapping to some URLs +# acl MapMe dstdomain .c.example.com +# store_id_program ... +# store_id_access allow MapMe +# +# # but prevent caching of special responses +# # such as 302 redirects that cause StoreID loops +# acl Ordinary http_status 200-299 +# store_miss deny MapMe !Ordinary +# +# # and do not serve any previously stored special responses +# # from the cache (in case they were already cached before +# # the above store_miss rule was in effect). +# send_hit deny MapMe !Ordinary +#Default: +# By default, this directive is unused and has no effect. + +# TAG: store_miss +# Responses denied by this directive will not be cached (but may still +# be served from the cache, see send_hit). This directive has no +# effect on the responses it allows and on the already cached responses. +# +# Please see the "cache" directive for a summary of differences among +# store_miss, send_hit, and cache directives. See the +# send_hit directive for a usage example. +# +# Unlike the "cache" directive, store_miss only supports fast acl +# types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# By default, this directive is unused and has no effect. + +# TAG: max_stale time-units +# This option puts an upper limit on how stale content Squid +# will serve from the cache if cache validation fails. +# Can be overriden by the refresh_pattern max-stale option. +#Default: +# max_stale 1 week # TAG: refresh_pattern # usage: refresh_pattern [-i] regex min percent max [options] @@ -3028,12 +4776,13 @@ coredump_dir /var/spool/squid # override-lastmod # reload-into-ims # ignore-reload -# ignore-no-cache # ignore-no-store # ignore-must-revalidate # ignore-private # ignore-auth +# max-stale=NN # refresh-ims +# store-stale # # override-expire enforces min age even if the server # sent an explicit expiry time (e.g., with the @@ -3049,22 +4798,18 @@ coredump_dir /var/spool/squid # override-lastmod enforces min age even on objects # that were modified recently. # -# reload-into-ims changes client no-cache or ``reload'' -# to If-Modified-Since requests. Doing this VIOLATES the -# HTTP standard. Enabling this feature could make you -# liable for problems which it causes. +# reload-into-ims changes a client no-cache or ``reload'' +# request for a cached entry into a conditional request using +# If-Modified-Since and/or If-None-Match headers, provided the +# cached entry has a Last-Modified and/or a strong ETag header. +# Doing this VIOLATES the HTTP standard. Enabling this feature +# could make you liable for problems which it causes. # # ignore-reload ignores a client no-cache or ``reload'' # header. Doing this VIOLATES the HTTP standard. Enabling # this feature could make you liable for problems which # it causes. # -# ignore-no-cache ignores any ``Pragma: no-cache'' and -# ``Cache-control: no-cache'' headers received from a server. -# The HTTP RFC never allows the use of this (Pragma) header -# from a server, only a client, though plenty of servers -# send it anyway. -# # ignore-no-store ignores any ``Cache-control: no-store'' # headers received from a server. Doing this VIOLATES # the HTTP standard. Enabling this feature could make you @@ -3091,9 +4836,19 @@ coredump_dir /var/spool/squid # ensures that the client will receive an updated version # if one is available. # +# store-stale stores responses even if they don't have explicit +# freshness or a validator (i.e., Last-Modified or an ETag) +# present, or if they're already stale. By default, Squid will +# not cache such responses because they usually can't be +# reused. Note that such responses will be stale by default. +# +# max-stale=NN provide a maximum staleness factor. Squid won't +# serve objects more stale than this even if it failed to +# validate the object. Default: use the max_stale global limit. +# # Basically a cached object is: # -# FRESH if expires < now, else STALE +# FRESH if expire > now, else STALE # STALE if age > max # FRESH if lm-factor < percent, else STALE # FRESH if age < min @@ -3109,7 +4864,9 @@ coredump_dir /var/spool/squid # # +# # Add any of your own refresh_pattern entries above these. +# refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 @@ -3137,7 +4894,7 @@ refresh_pattern . 0 20% 4320 # downloads. # # When the user aborts a request, Squid will check the -# quick_abort values to the amount of data transfered until +# quick_abort values to the amount of data transferred until # then. # # If the transfer has less than 'quick_abort_min' KB remaining, @@ -3195,44 +4952,68 @@ refresh_pattern . 0 20% 4320 #Default: # negative_dns_ttl 1 minutes -# TAG: range_offset_limit (bytes) -# Sets a upper limit on how far into the the file a Range request -# may be to cause Squid to prefetch the whole file. If beyond this -# limit Squid forwards the Range request as it is and the result -# is NOT cached. -# +# TAG: range_offset_limit size [acl acl...] +# usage: (size) [units] [[!]aclname] +# +# Sets an upper limit on how far (number of bytes) into the file +# a Range request may be to cause Squid to prefetch the whole file. +# If beyond this limit, Squid forwards the Range request as it is and +# the result is NOT cached. +# # This is to stop a far ahead range request (lets say start at 17MB) # from making Squid fetch the whole object up to that point before # sending anything to the client. -# -# A value of 0 causes Squid to never fetch more than the +# +# Multiple range_offset_limit lines may be specified, and they will +# be searched from top to bottom on each request until a match is found. +# The first match found will be used. If no line matches a request, the +# default limit of 0 bytes will be used. +# +# 'size' is the limit specified as a number of units. +# +# 'units' specifies whether to use bytes, KB, MB, etc. +# If no units are specified bytes are assumed. +# +# A size of 0 causes Squid to never fetch more than the # client requested. (default) -# -# A value of -1 causes Squid to always fetch the object from the +# +# A size of 'none' causes Squid to always fetch the object from the # beginning so it may cache the result. (2.0 style) -# -# NP: Using -1 here will override any quick_abort settings that may -# otherwise apply to the range request. The range request will +# +# 'aclname' is the name of a defined ACL. +# +# NP: Using 'none' as the byte value here will override any quick_abort settings +# that may otherwise apply to the range request. The range request will # be fully fetched from start to finish regardless of the client # actions. This affects bandwidth usage. #Default: -# range_offset_limit 0 KB +# none # TAG: minimum_expiry_time (seconds) # The minimum caching time according to (Expires - Date) -# Headers Squid honors if the object can't be revalidated -# defaults to 60 seconds. In reverse proxy environments it -# might be desirable to honor shorter object lifetimes. It -# is most likely better to make your server return a -# meaningful Last-Modified header however. In ESI environments -# where page fragments often have short lifetimes, this will -# often be best set to 0. +# headers Squid honors if the object can't be revalidated. +# The default is 60 seconds. +# +# In reverse proxy environments it might be desirable to honor +# shorter object lifetimes. It is most likely better to make +# your server return a meaningful Last-Modified header however. +# +# In ESI environments where page fragments often have short +# lifetimes, this will often be best set to 0. #Default: # minimum_expiry_time 60 seconds -# TAG: store_avg_object_size (kbytes) +# TAG: store_avg_object_size (bytes) # Average object size, used to estimate number of objects your # cache can hold. The default is 13 KB. +# +# This is used to pre-seed the cache index memory allocation to +# reduce expensive reallocate operations while handling clients +# traffic. Too-large values may result in memory allocation during +# peak traffic, too-small values will result in wasted memory. +# +# Check the cache manager 'info' report metrics for the real +# object sizes seen by your Squid before tuning this. #Default: # store_avg_object_size 13 KB @@ -3271,8 +5052,11 @@ refresh_pattern . 0 20% 4320 # than this limit receives an "Invalid Request" error message. # If you set this parameter to a zero (the default), there will # be no limit imposed. +# +# See also client_request_buffer_max_size for an alternative +# limitation on client uploads which can be configured. #Default: -# request_body_max_size 0 KB +# No limit. # TAG: client_request_buffer_max_size (bytes) # This specifies the maximum buffer size of a client request. @@ -3281,29 +5065,6 @@ refresh_pattern . 0 20% 4320 #Default: # client_request_buffer_max_size 512 KB -# TAG: chunked_request_body_max_size (bytes) -# A broken or confused HTTP/1.1 client may send a chunked HTTP -# request to Squid. Squid does not have full support for that -# feature yet. To cope with such requests, Squid buffers the -# entire request and then dechunks request body to create a -# plain HTTP/1.0 request with a known content length. The plain -# request is then used by the rest of Squid code as usual. -# -# The option value specifies the maximum size of the buffer used -# to hold the request before the conversion. If the chunked -# request size exceeds the specified limit, the conversion -# fails, and the client receives an "unsupported request" error, -# as if dechunking was disabled. -# -# Dechunking is enabled by default. To disable conversion of -# chunked requests, set the maximum to zero. -# -# Request dechunking feature and this option in particular are a -# temporary hack. When chunking requests and responses are fully -# supported, there will be no need to buffer a chunked request. -#Default: -# chunked_request_body_max_size 64 KB - # TAG: broken_posts # A list of ACL elements which, if matched, causes Squid to send # an extra CRLF pair after the body of a PUT/POST request. @@ -3325,15 +5086,15 @@ refresh_pattern . 0 20% 4320 # acl buggy_server url_regex ^http://.... # broken_posts allow buggy_server #Default: -# none +# Obey RFC 2616. -# TAG: icap_uses_indirect_client on|off +# TAG: adaptation_uses_indirect_client on|off # Controls whether the indirect client IP address (instead of the direct # client IP address) is passed to adaptation services. # # See also: follow_x_forwarded_for adaptation_send_client_ip #Default: -# icap_uses_indirect_client on +# adaptation_uses_indirect_client on # TAG: via on|off # If set (default), Squid will include a Via header in requests and @@ -3395,64 +5156,62 @@ refresh_pattern . 0 20% 4320 # # This option replaces the old 'anonymize_headers' and the # older 'http_anonymizer' option with something that is much -# more configurable. This new method creates a list of ACLs -# for each header, allowing you very fine-tuned header -# mangling. -# -# This option only applies to request headers, i.e., from the -# client to the server. -# -# You can only specify known headers for the header name. -# Other headers are reclassified as 'Other'. You can also -# refer to all the headers with 'All'. +# more configurable. A list of ACLs for each header name allows +# removal of specific header fields under specific conditions. +# +# This option only applies to outgoing HTTP request headers (i.e., +# headers sent by Squid to the next HTTP hop such as a cache peer +# or an origin server). The option has no effect during cache hit +# detection. The equivalent adaptation vectoring point in ICAP +# terminology is post-cache REQMOD. +# +# The option is applied to individual outgoing request header +# fields. For each request header field F, Squid uses the first +# qualifying sets of request_header_access rules: +# +# 1. Rules with header_name equal to F's name. +# 2. Rules with header_name 'Other', provided F's name is not +# on the hard-coded list of commonly used HTTP header names. +# 3. Rules with header_name 'All'. +# +# Within that qualifying rule set, rule ACLs are checked as usual. +# If ACLs of an "allow" rule match, the header field is allowed to +# go through as is. If ACLs of a "deny" rule match, the header is +# removed and request_header_replace is then checked to identify +# if the removed header has a replacement. If no rules within the +# set have matching ACLs, the header field is left as is. # # For example, to achieve the same behavior as the old # 'http_anonymizer standard' option, you should use: # # request_header_access From deny all # request_header_access Referer deny all -# request_header_access Server deny all # request_header_access User-Agent deny all -# request_header_access WWW-Authenticate deny all -# request_header_access Link deny all # # Or, to reproduce the old 'http_anonymizer paranoid' feature # you should use: # -# request_header_access Allow allow all # request_header_access Authorization allow all -# request_header_access WWW-Authenticate allow all # request_header_access Proxy-Authorization allow all -# request_header_access Proxy-Authenticate allow all # request_header_access Cache-Control allow all -# request_header_access Content-Encoding allow all # request_header_access Content-Length allow all # request_header_access Content-Type allow all # request_header_access Date allow all -# request_header_access Expires allow all # request_header_access Host allow all # request_header_access If-Modified-Since allow all -# request_header_access Last-Modified allow all -# request_header_access Location allow all # request_header_access Pragma allow all # request_header_access Accept allow all # request_header_access Accept-Charset allow all # request_header_access Accept-Encoding allow all # request_header_access Accept-Language allow all -# request_header_access Content-Language allow all -# request_header_access Mime-Version allow all -# request_header_access Retry-After allow all -# request_header_access Title allow all # request_header_access Connection allow all # request_header_access All deny all # -# although many of those are HTTP reply headers, and so should be -# controlled with the reply_header_access directive. +# HTTP reply headers are controlled with the reply_header_access directive. # -# By default, all headers are allowed (no anonymizing is -# performed). +# By default, all headers are allowed (no anonymizing is performed). #Default: -# none +# No limits. # TAG: reply_header_access # Usage: reply_header_access header_name allow|deny [!]aclname ... @@ -3465,25 +5224,13 @@ refresh_pattern . 0 20% 4320 # server to the client. # # This is the same as request_header_access, but in the other -# direction. -# -# This option replaces the old 'anonymize_headers' and the -# older 'http_anonymizer' option with something that is much -# more configurable. This new method creates a list of ACLs -# for each header, allowing you very fine-tuned header -# mangling. -# -# You can only specify known headers for the header name. -# Other headers are reclassified as 'Other'. You can also -# refer to all the headers with 'All'. +# direction. Please see request_header_access for detailed +# documentation. # # For example, to achieve the same behavior as the old # 'http_anonymizer standard' option, you should use: # -# reply_header_access From deny all -# reply_header_access Referer deny all # reply_header_access Server deny all -# reply_header_access User-Agent deny all # reply_header_access WWW-Authenticate deny all # reply_header_access Link deny all # @@ -3491,9 +5238,7 @@ refresh_pattern . 0 20% 4320 # you should use: # # reply_header_access Allow allow all -# reply_header_access Authorization allow all # reply_header_access WWW-Authenticate allow all -# reply_header_access Proxy-Authorization allow all # reply_header_access Proxy-Authenticate allow all # reply_header_access Cache-Control allow all # reply_header_access Content-Encoding allow all @@ -3501,29 +5246,22 @@ refresh_pattern . 0 20% 4320 # reply_header_access Content-Type allow all # reply_header_access Date allow all # reply_header_access Expires allow all -# reply_header_access Host allow all -# reply_header_access If-Modified-Since allow all # reply_header_access Last-Modified allow all # reply_header_access Location allow all # reply_header_access Pragma allow all -# reply_header_access Accept allow all -# reply_header_access Accept-Charset allow all -# reply_header_access Accept-Encoding allow all -# reply_header_access Accept-Language allow all # reply_header_access Content-Language allow all -# reply_header_access Mime-Version allow all # reply_header_access Retry-After allow all # reply_header_access Title allow all +# reply_header_access Content-Disposition allow all # reply_header_access Connection allow all # reply_header_access All deny all # -# although the HTTP request headers won't be usefully controlled -# by this directive -- see request_header_access for details. +# HTTP request headers are controlled with the request_header_access directive. # # By default, all headers are allowed (no anonymizing is # performed). #Default: -# none +# No limits. # TAG: request_header_replace # Usage: request_header_replace header_name message @@ -3531,8 +5269,7 @@ refresh_pattern . 0 20% 4320 # # This option allows you to change the contents of headers # denied with request_header_access above, by replacing them -# with some fixed string. This replaces the old fake_user_agent -# option. +# with some fixed string. # # This only applies to request headers, not reply headers. # @@ -3554,6 +5291,57 @@ refresh_pattern . 0 20% 4320 #Default: # none +# TAG: request_header_add +# Usage: request_header_add field-name field-value acl1 [acl2] ... +# Example: request_header_add X-Client-CA "CA=%ssl::>cert_issuer" all +# +# This option adds header fields to outgoing HTTP requests (i.e., +# request headers sent by Squid to the next HTTP hop such as a +# cache peer or an origin server). The option has no effect during +# cache hit detection. The equivalent adaptation vectoring point +# in ICAP terminology is post-cache REQMOD. +# +# Field-name is a token specifying an HTTP header name. If a +# standard HTTP header name is used, Squid does not check whether +# the new header conflicts with any existing headers or violates +# HTTP rules. If the request to be modified already contains a +# field with the same name, the old field is preserved but the +# header field values are not merged. +# +# Field-value is either a token or a quoted string. If quoted +# string format is used, then the surrounding quotes are removed +# while escape sequences and %macros are processed. +# +# In theory, all of the logformat codes can be used as %macros. +# However, unlike logging (which happens at the very end of +# transaction lifetime), the transaction may not yet have enough +# information to expand a macro when the new header value is needed. +# And some information may already be available to Squid but not yet +# committed where the macro expansion code can access it (report +# such instances!). The macro will be expanded into a single dash +# ('-') in such cases. Not all macros have been tested. +# +# One or more Squid ACLs may be specified to restrict header +# injection to matching requests. As always in squid.conf, all +# ACLs in an option ACL list must be satisfied for the insertion +# to happen. The request_header_add option supports fast ACLs +# only. +#Default: +# none + +# TAG: note +# This option used to log custom information about the master +# transaction. For example, an admin may configure Squid to log +# which "user group" the transaction belongs to, where "user group" +# will be determined based on a set of ACLs and not [just] +# authentication information. +# Values of key/value pairs can be logged using %{key}note macros: +# +# note key value acl ... +# logformat myFormat ... %{key}note ... +#Default: +# none + # TAG: relaxed_header_parser on|off|warn # In the default "on" setting Squid accepts certain forms # of non-compliant HTTP messages where it is unambiguous @@ -3569,15 +5357,32 @@ refresh_pattern . 0 20% 4320 #Default: # relaxed_header_parser on -# TAG: ignore_expect_100 on|off -# This option makes Squid ignore any Expect: 100-continue header present -# in the request. RFC 2616 requires that Squid being unable to satisfy -# the response expectation MUST return a 417 error. -# -# Note: Enabling this is a HTTP protocol violation, but some clients may -# not handle it well.. -#Default: -# ignore_expect_100 off +# TAG: collapsed_forwarding (on|off) +# When enabled, instead of forwarding each concurrent request for +# the same URL, Squid just sends the first of them. The other, so +# called "collapsed" requests, wait for the response to the first +# request and, if it happens to be cachable, use that response. +# Here, "concurrent requests" means "received after the first +# request headers were parsed and before the corresponding response +# headers were parsed". +# +# This feature is disabled by default: enabling collapsed +# forwarding needlessly delays forwarding requests that look +# cachable (when they are collapsed) but then need to be forwarded +# individually anyway because they end up being for uncachable +# content. However, in some cases, such as acceleration of highly +# cachable content with periodic or grouped expiration times, the +# gains from collapsing [large volumes of simultaneous refresh +# requests] outweigh losses from such delays. +# +# Squid collapses two kinds of requests: regular client requests +# received on one of the listening ports and internal "cache +# revalidation" requests which are triggered by those regular +# requests hitting a stale cached object. Revalidation collapsing +# is currently disabled for Squid instances containing SMP-aware +# disk or memory caches and for Vary-controlled cached objects. +#Default: +# collapsed_forwarding off # TIMEOUTS # ----------------------------------------------------------------------------- @@ -3604,25 +5409,46 @@ refresh_pattern . 0 20% 4320 # peer_connect_timeout 30 seconds # TAG: read_timeout time-units -# The read_timeout is applied on server-side connections. After -# each successful read(), the timeout will be extended by this +# Applied on peer server connections. +# +# After each successful read(), the timeout will be extended by this # amount. If no data is read again after this amount of time, -# the request is aborted and logged with ERR_READ_TIMEOUT. The -# default is 15 minutes. +# the request is aborted and logged with ERR_READ_TIMEOUT. +# +# The default is 15 minutes. #Default: # read_timeout 15 minutes +# TAG: write_timeout time-units +# This timeout is tracked for all connections that have data +# available for writing and are waiting for the socket to become +# ready. After each successful write, the timeout is extended by +# the configured amount. If Squid has data to write but the +# connection is not ready for the configured duration, the +# transaction associated with the connection is terminated. The +# default is 15 minutes. +#Default: +# write_timeout 15 minutes + # TAG: request_timeout # How long to wait for complete HTTP request headers after initial # connection establishment. #Default: # request_timeout 5 minutes -# TAG: persistent_request_timeout +# TAG: client_idle_pconn_timeout # How long to wait for the next HTTP request on a persistent -# connection after the previous request completes. +# client connection after the previous request completes. +#Default: +# client_idle_pconn_timeout 2 minutes + +# TAG: ftp_client_idle_timeout +# How long to wait for an FTP request on a connection to Squid ftp_port. +# Many FTP clients do not deal with idle connection closures well, +# necessitating a longer default timeout than client_idle_pconn_timeout +# used for incoming HTTP requests. #Default: -# persistent_request_timeout 2 minutes +# ftp_client_idle_timeout 30 minutes # TAG: client_lifetime time-units # The maximum amount of time a client (browser) is allowed to @@ -3658,11 +5484,11 @@ refresh_pattern . 0 20% 4320 #Default: # half_closed_clients off -# TAG: pconn_timeout +# TAG: server_idle_pconn_timeout # Timeout for idle persistent connections to servers and other # proxies. #Default: -# pconn_timeout 1 minute +# server_idle_pconn_timeout 1 minute # TAG: ident_timeout # Maximum time to wait for IDENT lookups to complete. @@ -3687,15 +5513,15 @@ refresh_pattern . 0 20% 4320 # TAG: cache_mgr # Email-address of local cache manager who will receive -# mail if the cache dies. The default is "webmaster." +# mail if the cache dies. The default is "webmaster". #Default: # cache_mgr webmaster # TAG: mail_from # From: email-address for mail sent when the cache dies. -# The default is to use 'appname@unique_hostname'. -# Default appname value is "squid", can be changed into -# src/globals.h before building squid. +# The default is to use 'squid@unique_hostname'. +# +# See also: unique_hostname directive. #Default: # none @@ -3734,7 +5560,7 @@ refresh_pattern . 0 20% 4320 # Our preference is for administrators to configure a secure # user account for squid with UID/GID matching system policies. #Default: -# none +# Use system group memberships of the cache_effective_user account # TAG: httpd_suppress_version_string on|off # Suppress Squid version string info in HTTP headers and HTML error pages. @@ -3748,14 +5574,14 @@ refresh_pattern . 0 20% 4320 # get errors about IP-forwarding you must set them to have individual # names with this setting. #Default: -# visible_hostname localhost +# Automatically detect the system host name # TAG: unique_hostname # If you want to have multiple machines with the same # 'visible_hostname' you must give each machine a different # 'unique_hostname' so forwarding loops can be detected. #Default: -# none +# Copy the value from visible_hostname # TAG: hostname_aliases # A list of other DNS names your cache has. @@ -3794,33 +5620,32 @@ refresh_pattern . 0 20% 4320 # available on the Web at http://www.ircache.net/Cache/Tracker/. # TAG: announce_period -# This is how frequently to send cache announcements. The -# default is `0' which disables sending the announcement -# messages. +# This is how frequently to send cache announcements. # # To enable announcing your cache, just set an announce period. # # Example: # announce_period 1 day #Default: -# announce_period 0 +# Announcement messages disabled. # TAG: announce_host +# Set the hostname where announce registration messages will be sent. +# +# See also announce_port and announce_file #Default: # announce_host tracker.ircache.net # TAG: announce_file +# The contents of this file will be included in the announce +# registration messages. #Default: # none # TAG: announce_port -# announce_host and announce_port set the hostname and port -# number where the registration message will be sent. +# Set the port where announce registration messages will be sent. # -# Hostname will default to 'tracker.ircache.net' and port will -# default default to 3131. If the 'filename' argument is given, -# the contents of that file will be included in the announce -# message. +# See also announce_host and announce_file #Default: # announce_port 3131 @@ -3833,10 +5658,12 @@ refresh_pattern . 0 20% 4320 # a farm of surrogates may all perform the same tasks, they may share # an identification token. #Default: -# httpd_accel_surrogate_id unset-id +# visible_hostname is used if no specific ID is set. # TAG: http_accel_surrogate_remote on|off -# Remote surrogates (such as those in a CDN) honour Surrogate-Control: no-store-remote. +# Remote surrogates (such as those in a CDN) honour the header +# "Surrogate-Control: no-store-remote". +# # Set this to on to have squid behave as a remote surrogate. #Default: # http_accel_surrogate_remote off @@ -3855,6 +5682,9 @@ refresh_pattern . 0 20% 4320 # This represents the number of delay pools to be used. For example, # if you have one class 2 delay pool and one class 3 delays pool, you # have a total of 2 delay pools. +# +# See also delay_parameters, delay_class, delay_access for pool +# configuration details. #Default: # delay_pools 0 @@ -3907,6 +5737,11 @@ refresh_pattern . 0 20% 4320 # # NOTE-2: Due to the use of bitmasks in class 2,3,4 pools they only apply to # IPv4 traffic. Class 1 and 5 pools may be used with IPv6 traffic. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# See also delay_parameters and delay_access. #Default: # none @@ -3921,14 +5756,16 @@ refresh_pattern . 0 20% 4320 # For example, if you want some_big_clients in delay # pool 1 and lotsa_little_clients in delay pool 2: # -#Example: -# delay_access 1 allow some_big_clients -# delay_access 1 deny all -# delay_access 2 allow lotsa_little_clients -# delay_access 2 deny all -# delay_access 3 allow authenticated_clients +# delay_access 1 allow some_big_clients +# delay_access 1 deny all +# delay_access 2 allow lotsa_little_clients +# delay_access 2 deny all +# delay_access 3 allow authenticated_clients +# +# See also delay_parameters and delay_class. +# #Default: -# none +# Deny using the pool, unless allow rules exist in squid.conf for the pool. # TAG: delay_parameters # This defines the parameters for a delay pool. Each delay pool has @@ -3936,23 +5773,23 @@ refresh_pattern . 0 20% 4320 # description of delay_class. # # For a class 1 delay pool, the syntax is: -# delay_pools pool 1 +# delay_class pool 1 # delay_parameters pool aggregate # # For a class 2 delay pool: -# delay_pools pool 2 +# delay_class pool 2 # delay_parameters pool aggregate individual # # For a class 3 delay pool: -# delay_pools pool 3 +# delay_class pool 3 # delay_parameters pool aggregate network individual # # For a class 4 delay pool: -# delay_pools pool 4 +# delay_class pool 4 # delay_parameters pool aggregate network individual user # # For a class 5 delay pool: -# delay_pools pool 5 +# delay_class pool 5 # delay_parameters pool tagrate # # The option variables are: @@ -3988,11 +5825,11 @@ refresh_pattern . 0 20% 4320 # above example, and is being used to strictly limit each host to 64Kbit/sec # (plus overheads), with no overall limit, the line is: # -# delay_parameters 1 -1/-1 8000/8000 +# delay_parameters 1 none 8000/8000 # -# Note that 8 x 8000 KByte/sec -> 64Kbit/sec. +# Note that 8 x 8K Byte/sec -> 64K bit/sec. # -# Note that the figure -1 is used to represent "unlimited". +# Note that the word 'none' is used to represent no limit. # # # And, if delay pool number 2 is a class 3 delay pool as in the above @@ -4005,15 +5842,19 @@ refresh_pattern . 0 20% 4320 # # delay_parameters 2 32000/32000 8000/8000 600/8000 # -# Note that 8 x 32000 KByte/sec -> 256Kbit/sec. -# 8 x 8000 KByte/sec -> 64Kbit/sec. -# 8 x 600 Byte/sec -> 4800bit/sec. +# Note that 8 x 32K Byte/sec -> 256K bit/sec. +# 8 x 8K Byte/sec -> 64K bit/sec. +# 8 x 600 Byte/sec -> 4800 bit/sec. # # # Finally, for a class 4 delay pool as in the example - each user will # be limited to 128Kbits/sec no matter how many workstations they are logged into.: # # delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000 +# +# +# See also delay_class and delay_access. +# #Default: # none @@ -4026,6 +5867,94 @@ refresh_pattern . 0 20% 4320 #Default: # delay_initial_bucket_level 50 +# CLIENT DELAY POOL PARAMETERS +# ----------------------------------------------------------------------------- + +# TAG: client_delay_pools +# This option specifies the number of client delay pools used. It must +# preceed other client_delay_* options. +# +# Example: +# client_delay_pools 2 +# +# See also client_delay_parameters and client_delay_access. +#Default: +# client_delay_pools 0 + +# TAG: client_delay_initial_bucket_level (percent, 0-no_limit) +# This option determines the initial bucket size as a percentage of +# max_bucket_size from client_delay_parameters. Buckets are created +# at the time of the "first" connection from the matching IP. Idle +# buckets are periodically deleted up. +# +# You can specify more than 100 percent but note that such "oversized" +# buckets are not refilled until their size goes down to max_bucket_size +# from client_delay_parameters. +# +# Example: +# client_delay_initial_bucket_level 50 +#Default: +# client_delay_initial_bucket_level 50 + +# TAG: client_delay_parameters +# +# This option configures client-side bandwidth limits using the +# following format: +# +# client_delay_parameters pool speed_limit max_bucket_size +# +# pool is an integer ID used for client_delay_access matching. +# +# speed_limit is bytes added to the bucket per second. +# +# max_bucket_size is the maximum size of a bucket, enforced after any +# speed_limit additions. +# +# Please see the delay_parameters option for more information and +# examples. +# +# Example: +# client_delay_parameters 1 1024 2048 +# client_delay_parameters 2 51200 16384 +# +# See also client_delay_access. +# +#Default: +# none + +# TAG: client_delay_access +# This option determines the client-side delay pool for the +# request: +# +# client_delay_access pool_ID allow|deny acl_name +# +# All client_delay_access options are checked in their pool ID +# order, starting with pool 1. The first checked pool with allowed +# request is selected for the request. If no ACL matches or there +# are no client_delay_access options, the request bandwidth is not +# limited. +# +# The ACL-selected pool is then used to find the +# client_delay_parameters for the request. Client-side pools are +# not used to aggregate clients. Clients are always aggregated +# based on their source IP addresses (one bucket per source IP). +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# Additionally, only the client TCP connection details are available. +# ACLs testing HTTP properties will not work. +# +# Please see delay_access for more examples. +# +# Example: +# client_delay_access 1 allow low_rate_network +# client_delay_access 2 allow vips_network +# +# +# See also client_delay_parameters and client_delay_pools. +#Default: +# Deny use of the pool, unless allow rules exist in squid.conf for the pool. + # WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS # ----------------------------------------------------------------------------- @@ -4040,7 +5969,7 @@ refresh_pattern . 0 20% 4320 # only one of the two may be used at the same time and defines # which version of WCCP to use. #Default: -# wccp_router any_addr +# WCCP disabled. # TAG: wccp2_router # Use this option to define your WCCP ``home'' router for @@ -4053,7 +5982,7 @@ refresh_pattern . 0 20% 4320 # only one of the two may be used at the same time and defines # which version of WCCP to use. #Default: -# none +# WCCPv2 disabled. # TAG: wccp_version # This directive is only relevant if you need to set up WCCP(v1) @@ -4110,7 +6039,7 @@ refresh_pattern . 0 20% 4320 # Valid values are as follows: # # hash - Hash assignment -# mask - Mask assignment +# mask - Mask assignment # # As a general rule, cisco routers support the hash assignment method # and cisco switches support the mask assignment method. @@ -4138,7 +6067,7 @@ refresh_pattern . 0 20% 4320 # # fleshed out with subsequent options. # wccp2_service standard 0 password=foo #Default: -# wccp2_service standard 0 +# Use the 'web-cache' standard service. # TAG: wccp2_service_info # Dynamic WCCPv2 services require further information to define the @@ -4175,8 +6104,12 @@ refresh_pattern . 0 20% 4320 # wccp2_weight 10000 # TAG: wccp_address +# Use this option if you require WCCPv2 to use a specific +# interface address. +# +# The default behavior is to not bind to any specific address. #Default: -# wccp_address 0.0.0.0 +# Address selected by the operating system. # TAG: wccp2_address # Use this option if you require WCCP to use a specific @@ -4184,7 +6117,7 @@ refresh_pattern . 0 20% 4320 # # The default behavior is to not bind to any specific address. #Default: -# wccp2_address 0.0.0.0 +# Address selected by the operating system. # PERSISTENT CONNECTION HANDLING # ----------------------------------------------------------------------------- @@ -4192,14 +6125,16 @@ refresh_pattern . 0 20% 4320 # Also see "pconn_timeout" in the TIMEOUTS section # TAG: client_persistent_connections +# Persistent connection support for clients. +# Squid uses persistent connections (when allowed). You can use +# this option to disable persistent connections with clients. #Default: # client_persistent_connections on # TAG: server_persistent_connections -# Persistent connection support for clients and servers. By -# default, Squid uses persistent connections (when allowed) -# with its clients and servers. You can use these options to -# disable persistent connections with clients and/or servers. +# Persistent connection support for servers. +# Squid uses persistent connections (when allowed). You can use +# this option to disable persistent connections with servers. #Default: # server_persistent_connections on @@ -4275,7 +6210,7 @@ refresh_pattern . 0 20% 4320 # Example: # snmp_port 3401 #Default: -# snmp_port 0 +# SNMP disabled. # TAG: snmp_access # Allowing or denying access to the SNMP port. @@ -4287,26 +6222,29 @@ refresh_pattern . 0 20% 4320 # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# #Example: # snmp_access allow snmppublic localhost # snmp_access deny all #Default: -# snmp_access deny all +# Deny, unless rules exist in squid.conf. # TAG: snmp_incoming_address -#Default: -# snmp_incoming_address any_addr - -# TAG: snmp_outgoing_address # Just like 'udp_incoming_address', but for the SNMP port. # # snmp_incoming_address is used for the SNMP socket receiving # messages from SNMP agents. -# snmp_outgoing_address is used for SNMP packets returned to SNMP -# agents. # # The default snmp_incoming_address is to listen on all # available network interfaces. +#Default: +# Accept SNMP packets from all machine interfaces. + +# TAG: snmp_outgoing_address +# Just like 'udp_outgoing_address', but for the SNMP port. +# +# snmp_outgoing_address is used for SNMP packets returned to SNMP +# agents. # # If snmp_outgoing_address is not set it will use the same socket # as snmp_incoming_address. Only change this if you want to have @@ -4314,9 +6252,9 @@ refresh_pattern . 0 20% 4320 # listens for SNMP queries. # # NOTE, snmp_incoming_address and snmp_outgoing_address can not have -# the same value since they both use port 3401. +# the same value since they both use the same port. #Default: -# snmp_outgoing_address no_addr +# Use snmp_incoming_address or an address selected by the operating system. # ICP OPTIONS # ----------------------------------------------------------------------------- @@ -4324,22 +6262,21 @@ refresh_pattern . 0 20% 4320 # TAG: icp_port # The port number where Squid sends and receives ICP queries to # and from neighbor caches. The standard UDP port for ICP is 3130. -# Default is disabled (0). # # Example: # icp_port 3130 #Default: -# icp_port 0 +# ICP disabled. # TAG: htcp_port # The port number where Squid sends and receives HTCP queries to # and from neighbor caches. To turn it on you want to set it to -# 4827. By default it is set to "0" (disabled). +# 4827. # # Example: # htcp_port 4827 #Default: -# htcp_port 0 +# HTCP disabled. # TAG: log_icp_queries on|off # If set, ICP queries are logged to access.log. You may wish @@ -4365,7 +6302,7 @@ refresh_pattern . 0 20% 4320 # NOTE, udp_incoming_address and udp_outgoing_address can not # have the same value since they both use the same port. #Default: -# udp_incoming_address any_addr +# Accept packets from all machine interfaces. # TAG: udp_outgoing_address # udp_outgoing_address is used for UDP packets sent out to other @@ -4386,7 +6323,7 @@ refresh_pattern . 0 20% 4320 # NOTE, udp_incoming_address and udp_outgoing_address can not # have the same value since they both use the same port. #Default: -# udp_outgoing_address no_addr +# Use udp_incoming_address or an address selected by the operating system. # TAG: icp_hit_stale on|off # If you want to return ICP_HIT for stale cache objects, set this @@ -4405,21 +6342,33 @@ refresh_pattern . 0 20% 4320 #Default: # minimum_direct_hops 4 -# TAG: minimum_direct_rtt +# TAG: minimum_direct_rtt (msec) # If using the ICMP pinging stuff, do direct fetches for sites # which are no more than this many rtt milliseconds away. #Default: # minimum_direct_rtt 400 # TAG: netdb_low +# The low water mark for the ICMP measurement database. +# +# Note: high watermark controlled by netdb_high directive. +# +# These watermarks are counts, not percents. The defaults are +# (low) 900 and (high) 1000. When the high water mark is +# reached, database entries will be deleted until the low +# mark is reached. #Default: # netdb_low 900 # TAG: netdb_high -# The low and high water marks for the ICMP measurement -# database. These are counts, not percents. The defaults are -# 900 and 1000. When the high water mark is reached, database -# entries will be deleted until the low mark is reached. +# The high water mark for the ICMP measurement database. +# +# Note: low watermark controlled by netdb_low directive. +# +# These watermarks are counts, not percents. The defaults are +# (low) 900 and (high) 1000. When the high water mark is +# reached, database entries will be deleted until the low +# mark is reached. #Default: # netdb_high 1000 @@ -4462,7 +6411,7 @@ refresh_pattern . 0 20% 4320 # # icp_query_timeout 2000 #Default: -# icp_query_timeout 0 +# Dynamic detection. # TAG: maximum_icp_query_timeout (msec) # Normally the ICP query timeout is determined dynamically. But @@ -4528,7 +6477,7 @@ refresh_pattern . 0 20% 4320 # Do not enable this option unless you are are absolutely # certain you understand what you are doing. #Default: -# mcast_miss_addr no_addr +# disabled. # TAG: mcast_miss_ttl # Note: This option is only available if Squid is rebuilt with the @@ -4618,7 +6567,7 @@ refresh_pattern . 0 20% 4320 # The squid developers working on translations are happy to supply drop-in # translated error files in exchange for any new language contributions. #Default: -# none +# Send error pages in the clients preferred language # TAG: error_default_language # Set the default language which squid will send error pages in @@ -4632,7 +6581,7 @@ refresh_pattern . 0 20% 4320 # translations for any language see the squid wiki for details. # http://wiki.squid-cache.org/Translations #Default: -# none +# Generate English language pages. # TAG: error_log_languages # Log to cache.log what languages users are attempting to @@ -4687,17 +6636,47 @@ refresh_pattern . 0 20% 4320 # the first authentication related acl encountered # - When none of the http_access lines matches. It's then the last # acl processed on the last http_access line. +# - When the decision to deny access was made by an adaptation service, +# the acl name is the corresponding eCAP or ICAP service_name. # # NP: If providing your own custom error pages with error_directory # you may also specify them by your custom file name: # Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys # -# Alternatively you can specify an error URL. The browsers will -# get redirected (302 or 307) to the specified URL. %s in the redirection -# URL will be replaced by the requested URL. +# By defaut Squid will send "403 Forbidden". A different 4xx or 5xx +# may be specified by prefixing the file name with the code and a colon. +# e.g. 404:ERR_CUSTOM_ACCESS_DENIED # # Alternatively you can tell Squid to reset the TCP connection # by specifying TCP_RESET. +# +# Or you can specify an error URL or URL pattern. The browsers will +# get redirected to the specified URL after formatting tags have +# been replaced. Redirect will be done with 302 or 307 according to +# HTTP/1.1 specs. A different 3xx code may be specified by prefixing +# the URL. e.g. 303:http://example.com/ +# +# URL FORMAT TAGS: +# %a - username (if available. Password NOT included) +# %B - FTP path URL +# %e - Error number +# %E - Error description +# %h - Squid hostname +# %H - Request domain name +# %i - Client IP Address +# %M - Request Method +# %o - Message result from external ACL helper +# %p - Request Port number +# %P - Request Protocol name +# %R - Request URL path +# %T - Timestamp in RFC 1123 format +# %U - Full canonical URL from client +# (HTTPS URLs terminate with *) +# %u - Full canonical URL from client +# %w - Admin email from squid.conf +# %x - Error name +# %% - Literal percent (%) code +# #Default: # none @@ -4706,18 +6685,18 @@ refresh_pattern . 0 20% 4320 # TAG: nonhierarchical_direct # By default, Squid will send any non-hierarchical requests -# (matching hierarchy_stoplist or not cacheable request type) direct -# to origin servers. +# (not cacheable request type) direct to origin servers. # -# If you set this to off, Squid will prefer to send these +# When this is set to "off", Squid will prefer to send these # requests to parents. # # Note that in most configurations, by turning this off you will only # add latency to these request without any improvement in global hit # ratio. # -# If you are inside an firewall see never_direct instead of -# this directive. +# This option only sets a preference. If the parent is unavailable a +# direct connection to the origin server may still be attempted. To +# completely prevent direct connections use never_direct. #Default: # nonhierarchical_direct on @@ -4736,6 +6715,29 @@ refresh_pattern . 0 20% 4320 #Default: # prefer_direct off +# TAG: cache_miss_revalidate on|off +# RFC 7232 defines a conditional request mechanism to prevent +# response objects being unnecessarily transferred over the network. +# If that mechanism is used by the client and a cache MISS occurs +# it can prevent new cache entries being created. +# +# This option determines whether Squid on cache MISS will pass the +# client revalidation request to the server or tries to fetch new +# content for caching. It can be useful while the cache is mostly +# empty to more quickly have the cache populated by generating +# non-conditional GETs. +# +# When set to 'on' (default), Squid will pass all client If-* headers +# to the server. This permits server responses without a cacheable +# payload to be delivered and on MISS no new cache entry is created. +# +# When set to 'off' and if the request is cacheable, Squid will +# remove the clients If-Modified-Since and If-None-Match headers from +# the request sent to the server. This requests a 200 status response +# from the server to create a new cache entry with. +#Default: +# cache_miss_revalidate on + # TAG: always_direct # Usage: always_direct allow|deny [!]aclname ... # @@ -4776,7 +6778,7 @@ refresh_pattern . 0 20% 4320 # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Prevent any cache_peer being used for this request. # TAG: never_direct # Usage: never_direct allow|deny [!]aclname ... @@ -4805,37 +6807,52 @@ refresh_pattern . 0 20% 4320 # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow DNS results to be used for this request. # ADVANCED NETWORKING OPTIONS # ----------------------------------------------------------------------------- -# TAG: incoming_icp_average +# TAG: incoming_udp_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: -# incoming_icp_average 6 +# incoming_udp_average 6 -# TAG: incoming_http_average +# TAG: incoming_tcp_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: -# incoming_http_average 4 +# incoming_tcp_average 4 # TAG: incoming_dns_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: # incoming_dns_average 4 -# TAG: min_icp_poll_cnt +# TAG: min_udp_poll_cnt +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: -# min_icp_poll_cnt 8 +# min_udp_poll_cnt 8 # TAG: min_dns_poll_cnt +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: # min_dns_poll_cnt 8 -# TAG: min_http_poll_cnt +# TAG: min_tcp_poll_cnt # Heavy voodoo here. I can't even believe you are reading this. # Are you crazy? Don't even think about adjusting these unless # you understand the algorithms in comm_select.c first! #Default: -# min_http_poll_cnt 8 +# min_tcp_poll_cnt 8 # TAG: accept_filter # FreeBSD: @@ -4880,14 +6897,14 @@ refresh_pattern . 0 20% 4320 # WARNING: This may noticably slow down traffic received via external proxies # or NAT devices and cause them to rebound error messages back to their clients. #Default: -# client_ip_max_connections -1 +# No limit. # TAG: tcp_recv_bufsize (bytes) # Size of receive buffer to set for TCP sockets. Probably just -# as easy to change your kernel's default. Set to zero to use -# the default buffer size. +# as easy to change your kernel's default. +# Omit from squid.conf to use the default buffer size. #Default: -# tcp_recv_bufsize 0 bytes +# Use operating system TCP defaults. # ICAP OPTIONS # ----------------------------------------------------------------------------- @@ -4913,22 +6930,36 @@ refresh_pattern . 0 20% 4320 # an established, active ICAP connection before giving up and # either terminating the HTTP transaction or bypassing the # failure. -# -# The default is read_timeout. #Default: -# none +# Use read_timeout. -# TAG: icap_service_failure_limit +# TAG: icap_service_failure_limit limit [in memory-depth time-units] # The limit specifies the number of failures that Squid tolerates # when establishing a new TCP connection with an ICAP service. If # the number of failures exceeds the limit, the ICAP service is # not used for new ICAP requests until it is time to refresh its -# OPTIONS. The per-service failure counter is reset to zero each -# time Squid fetches new service OPTIONS. +# OPTIONS. # # A negative value disables the limit. Without the limit, an ICAP # service will not be considered down due to connectivity failures # between ICAP OPTIONS requests. +# +# Squid forgets ICAP service failures older than the specified +# value of memory-depth. The memory fading algorithm +# is approximate because Squid does not remember individual +# errors but groups them instead, splitting the option +# value into ten time slots of equal length. +# +# When memory-depth is 0 and by default this option has no +# effect on service failure expiration. +# +# Squid always forgets failures when updating service settings +# using an ICAP OPTIONS transaction, regardless of this option +# setting. +# +# For example, +# # suspend service usage after 10 failures in 5 seconds: +# icap_service_failure_limit 10 in 5 seconds #Default: # icap_service_failure_limit 10 @@ -4962,10 +6993,26 @@ refresh_pattern . 0 20% 4320 # TAG: icap_preview_size # The default size of preview data to be sent to the ICAP server. -# -1 means no preview. This value might be overwritten on a per server -# basis by OPTIONS requests. +# This value might be overwritten on a per server basis by OPTIONS requests. +#Default: +# No preview sent. + +# TAG: icap_206_enable on|off +# 206 (Partial Content) responses is an ICAP extension that allows the +# ICAP agents to optionally combine adapted and original HTTP message +# content. The decision to combine is postponed until the end of the +# ICAP response. Squid supports Partial Content extension by default. +# +# Activation of the Partial Content extension is negotiated with each +# ICAP service during OPTIONS exchange. Most ICAP servers should handle +# negotation correctly even if they do not support the extension, but +# some might fail. To disable Partial Content support for all ICAP +# services and to avoid any negotiation, set this option to "off". +# +# Example: +# icap_206_enable off #Default: -# icap_preview_size -1 +# icap_206_enable on # TAG: icap_default_options_ttl # The default TTL value for ICAP OPTIONS responses that don't have @@ -4979,25 +7026,27 @@ refresh_pattern . 0 20% 4320 #Default: # icap_persistent_connections on -# TAG: icap_send_client_ip on|off +# TAG: adaptation_send_client_ip on|off # If enabled, Squid shares HTTP client IP information with adaptation # services. For ICAP, Squid adds the X-Client-IP header to ICAP requests. # For eCAP, Squid sets the libecap::metaClientIp transaction option. # # See also: adaptation_uses_indirect_client #Default: -# icap_send_client_ip off +# adaptation_send_client_ip off -# TAG: icap_send_client_username on|off +# TAG: adaptation_send_username on|off # This sends authenticated HTTP client username (if available) to -# the ICAP service. The username value is encoded based on the +# the adaptation service. +# +# For ICAP, the username value is encoded based on the # icap_client_username_encode option and is sent using the header # specified by the icap_client_username_header option. #Default: -# icap_send_client_username off +# adaptation_send_username off # TAG: icap_client_username_header -# ICAP request header name to use for send_client_username. +# ICAP request header name to use for adaptation_send_username. #Default: # icap_client_username_header X-Client-Username @@ -5009,17 +7058,19 @@ refresh_pattern . 0 20% 4320 # TAG: icap_service # Defines a single ICAP service using the following format: # -# icap_service service_name vectoring_point [options] service_url +# icap_service id vectoring_point uri [option ...] # -# service_name: ID -# an opaque identifier which must be unique in squid.conf +# id: ID +# an opaque identifier or name which is used to direct traffic to +# this specific service. Must be unique among all adaptation +# services in squid.conf. # # vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache # This specifies at which point of transaction processing the # ICAP service should be activated. *_postcache vectoring points # are not yet supported. # -# service_url: icap://servername:port/servicepath +# uri: icap://servername:port/servicepath # ICAP server and service location. # # ICAP does not allow a single service to handle both REQMOD and RESPMOD @@ -5028,6 +7079,8 @@ refresh_pattern . 0 20% 4320 # can even specify multiple identical services as long as their # service_names differ. # +# To activate a service, use the adaptation_access directive. To group +# services, use adaptation_service_chain and adaptation_service_set. # # Service options are separated by white space. ICAP services support # the following name=value options: @@ -5049,11 +7102,12 @@ refresh_pattern . 0 20% 4320 # returning a chain of services to be used next. The services # are specified using the X-Next-Services ICAP response header # value, formatted as a comma-separated list of service names. -# Each named service should be configured in squid.conf and -# should have the same method and vectoring point as the current -# ICAP transaction. Services violating these rules are ignored. -# An empty X-Next-Services value results in an empty plan which -# ends the current adaptation. +# Each named service should be configured in squid.conf. Other +# services are ignored. An empty X-Next-Services value results +# in an empty plan which ends the current adaptation. +# +# Dynamic adaptation plan may cross or cover multiple supported +# vectoring points in their natural processing order. # # Routing is not allowed by default: the ICAP X-Next-Services # response header is ignored. @@ -5063,12 +7117,32 @@ refresh_pattern . 0 20% 4320 # is to use IPv4-only connections. When set to 'on' this option will # make Squid use IPv6-only connections to contact this ICAP service. # +# on-overload=block|bypass|wait|force +# If the service Max-Connections limit has been reached, do +# one of the following for each new ICAP transaction: +# * block: send an HTTP error response to the client +# * bypass: ignore the "over-connected" ICAP service +# * wait: wait (in a FIFO queue) for an ICAP connection slot +# * force: proceed, ignoring the Max-Connections limit +# +# In SMP mode with N workers, each worker assumes the service +# connection limit is Max-Connections/N, even though not all +# workers may use a given service. +# +# The default value is "bypass" if service is bypassable, +# otherwise it is set to "wait". +# +# +# max-conn=number +# Use the given number as the Max-Connections limit, regardless +# of the Max-Connections value given by the service, if any. +# # Older icap_service format without optional named parameters is # deprecated but supported for backward compatibility. # #Example: -#icap_service svcBlocker reqmod_precache bypass=0 icap://icap1.mydomain.net:1344/reqmod -#icap_service svcLogger reqmod_precache routing=on icap://icap2.mydomain.net:1344/respmod +#icap_service svcBlocker reqmod_precache icap://icap1.mydomain.net:1344/reqmod bypass=0 +#icap_service svcLogger reqmod_precache icap://icap2.mydomain.net:1344/respmod routing=on #Default: # none @@ -5094,38 +7168,65 @@ refresh_pattern . 0 20% 4320 # ----------------------------------------------------------------------------- # TAG: ecap_enable on|off -# Note: This option is only available if Squid is rebuilt with the -# --enable-ecap option -# # Controls whether eCAP support is enabled. #Default: # ecap_enable off # TAG: ecap_service -# Note: This option is only available if Squid is rebuilt with the -# --enable-ecap option -# # Defines a single eCAP service # -# ecap_service servicename vectoring_point bypass service_url +# ecap_service id vectoring_point uri [option ...] # -# vectoring_point = reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache +# id: ID +# an opaque identifier or name which is used to direct traffic to +# this specific service. Must be unique among all adaptation +# services in squid.conf. +# +# vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache # This specifies at which point of transaction processing the # eCAP service should be activated. *_postcache vectoring points # are not yet supported. -# bypass = 1|0 -# If set to 1, the eCAP service is treated as optional. If the -# service cannot be reached or malfunctions, Squid will try to -# ignore any errors and process the message as if the service +# +# uri: ecap://vendor/service_name?custom&cgi=style¶meters=optional +# Squid uses the eCAP service URI to match this configuration +# line with one of the dynamically loaded services. Each loaded +# eCAP service must have a unique URI. Obtain the right URI from +# the service provider. +# +# To activate a service, use the adaptation_access directive. To group +# services, use adaptation_service_chain and adaptation_service_set. +# +# Service options are separated by white space. eCAP services support +# the following name=value options: +# +# bypass=on|off|1|0 +# If set to 'on' or '1', the eCAP service is treated as optional. +# If the service cannot be reached or malfunctions, Squid will try +# to ignore any errors and process the message as if the service # was not enabled. No all eCAP errors can be bypassed. -# If set to 0, the eCAP service is treated as essential and all -# eCAP errors will result in an error page returned to the +# If set to 'off' or '0', the eCAP service is treated as essential +# and all eCAP errors will result in an error page returned to the # HTTP client. -# service_url = ecap://vendor/service_name?custom&cgi=style¶meters=optional +# +# Bypass is off by default: services are treated as essential. +# +# routing=on|off|1|0 +# If set to 'on' or '1', the eCAP service is allowed to +# dynamically change the current message adaptation plan by +# returning a chain of services to be used next. +# +# Dynamic adaptation plan may cross or cover multiple supported +# vectoring points in their natural processing order. +# +# Routing is not allowed by default. +# +# Older ecap_service format without optional named parameters is +# deprecated but supported for backward compatibility. +# # #Example: -#ecap_service service_1 reqmod_precache 0 ecap://filters-R-us/leakDetector?on_error=block -#ecap_service service_2 respmod_precache 1 icap://filters-R-us/virusFilter?config=/etc/vf.cfg +#ecap_service s1 reqmod_precache ecap://filters.R.us/leakDetector?on_error=block bypass=off +#ecap_service s2 respmod_precache ecap://filters.R.us/virusFilter config=/etc/vf.cfg bypass=on #Default: # none @@ -5247,7 +7348,7 @@ refresh_pattern . 0 20% 4320 #Example: #adaptation_access service_1 allow all #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: adaptation_service_iteration_limit # Limits the number of iterations allowed when applying adaptation @@ -5275,8 +7376,14 @@ refresh_pattern . 0 20% 4320 # # An ICAP REQMOD or RESPMOD transaction may set an entry in the # shared table by returning an ICAP header field with a name -# specified in adaptation_masterx_shared_names. Squid will store -# and forward that ICAP header field to subsequent ICAP +# specified in adaptation_masterx_shared_names. +# +# An eCAP REQMOD or RESPMOD transaction may set an entry in the +# shared table by implementing the libecap::visitEachOption() API +# to provide an option with a name specified in +# adaptation_masterx_shared_names. +# +# Squid will store and forward the set entry to subsequent adaptation # transactions within the same master transaction scope. # # Only one shared entry name is supported at this time. @@ -5287,6 +7394,43 @@ refresh_pattern . 0 20% 4320 #Default: # none +# TAG: adaptation_meta +# This option allows Squid administrator to add custom ICAP request +# headers or eCAP options to Squid ICAP requests or eCAP transactions. +# Use it to pass custom authentication tokens and other +# transaction-state related meta information to an ICAP/eCAP service. +# +# The addition of a meta header is ACL-driven: +# adaptation_meta name value [!]aclname ... +# +# Processing for a given header name stops after the first ACL list match. +# Thus, it is impossible to add two headers with the same name. If no ACL +# lists match for a given header name, no such header is added. For +# example: +# +# # do not debug transactions except for those that need debugging +# adaptation_meta X-Debug 1 needs_debugging +# +# # log all transactions except for those that must remain secret +# adaptation_meta X-Log 1 !keep_secret +# +# # mark transactions from users in the "G 1" group +# adaptation_meta X-Authenticated-Groups "G 1" authed_as_G1 +# +# The "value" parameter may be a regular squid.conf token or a "double +# quoted string". Within the quoted string, use backslash (\) to escape +# any character, which is currently only useful for escaping backslashes +# and double quotes. For example, +# "this string has one backslash (\\) and two \"quotes\"" +# +# Used adaptation_meta header values may be logged via %note +# logformat code. If multiple adaptation_meta headers with the same name +# are used during master transaction lifetime, the header values are +# logged in the order they were used and duplicate values are ignored +# (only the first repeated value will be logged). +#Default: +# none + # TAG: icap_retry # This ACL determines which retriable ICAP transactions are # retried. Transactions that received a complete ICAP response @@ -5303,8 +7447,7 @@ refresh_pattern . 0 20% 4320 # icap_retry deny all # TAG: icap_retry_limit -# Limits the number of retries allowed. When set to zero (default), -# no retries are allowed. +# Limits the number of retries allowed. # # Communication errors due to persistent connection race # conditions are unavoidable, automatically retried, and do not @@ -5312,7 +7455,7 @@ refresh_pattern . 0 20% 4320 # # See also: icap_retry #Default: -# icap_retry_limit 0 +# No retries are allowed. # DNS OPTIONS # ----------------------------------------------------------------------------- @@ -5332,31 +7475,9 @@ refresh_pattern . 0 20% 4320 #Default: # allow_underscore on -# TAG: cache_dns_program -# Note: This option is only available if Squid is rebuilt with the -# --disable-internal-dns option -# -# Specify the location of the executable for dnslookup process. -#Default: -# cache_dns_program /usr/lib/squid/dnsserver - -# TAG: dns_children -# Note: This option is only available if Squid is rebuilt with the -# --disable-internal-dns option -# -# The number of processes spawn to service DNS name lookups. -# For heavily loaded caches on large servers, you should -# probably increase this value to at least 10. The maximum -# is 32. The default is 5. -# -# You must have at least one dnsserver process. -#Default: -# dns_children 5 - # TAG: dns_retransmit_interval # Initial retransmit interval for DNS queries. The interval is # doubled each time all configured DNS servers have been tried. -# #Default: # dns_retransmit_interval 5 seconds @@ -5365,7 +7486,31 @@ refresh_pattern . 0 20% 4320 # within this time all DNS servers for the queried domain # are assumed to be unavailable. #Default: -# dns_timeout 2 minutes +# dns_timeout 30 seconds + +# TAG: dns_packet_max +# Maximum number of bytes packet size to advertise via EDNS. +# Set to "none" to disable EDNS large packet support. +# +# For legacy reasons DNS UDP replies will default to 512 bytes which +# is too small for many responses. EDNS provides a means for Squid to +# negotiate receiving larger responses back immediately without having +# to failover with repeat requests. Responses larger than this limit +# will retain the old behaviour of failover to TCP DNS. +# +# Squid has no real fixed limit internally, but allowing packet sizes +# over 1500 bytes requires network jumbogram support and is usually not +# necessary. +# +# WARNING: The RFC also indicates that some older resolvers will reply +# with failure of the whole request if the extension is added. Some +# resolvers have already been identified which will reply with mangled +# EDNS response on occasion. Usually in response to many-KB jumbogram +# sizes being advertised by Squid. +# Squid will currently treat these both as an unable-to-resolve domain +# even if it would be resolvable without EDNS. +#Default: +# EDNS disabled # TAG: dns_defnames on|off # Normally the RES_DEFNAMES resolver option is disabled @@ -5373,12 +7518,21 @@ refresh_pattern . 0 20% 4320 # from interpreting single-component hostnames locally. To allow # Squid to handle single-component names, enable this option. #Default: -# dns_defnames off +# Search for single-label domain names is disabled. + +# TAG: dns_multicast_local on|off +# When set to on, Squid sends multicast DNS lookups on the local +# network for domains ending in .local and .arpa. +# This enables local servers and devices to be contacted in an +# ad-hoc or zero-configuration network environment. +#Default: +# Search for .local and .arpa names is disabled. # TAG: dns_nameservers # Use this if you want to specify a list of DNS name servers # (IP addresses) to use instead of those given in your # /etc/resolv.conf file. +# # On Windows platforms, if no value is specified here or in # the /etc/resolv.conf file, the list of DNS name servers are # taken from the Windows registry, both static and dynamic DHCP @@ -5386,7 +7540,7 @@ refresh_pattern . 0 20% 4320 # # Example: dns_nameservers 10.0.0.1 192.172.0.4 #Default: -# none +# Use operating system definitions # TAG: hosts_file # Location of the host-local IP name-address associations @@ -5425,7 +7579,7 @@ refresh_pattern . 0 20% 4320 #Example: # append_domain .yourdomain.com #Default: -# none +# Use operating system definitions # TAG: ignore_unknown_nameservers # By default Squid checks that DNS responses are received @@ -5436,23 +7590,6 @@ refresh_pattern . 0 20% 4320 #Default: # ignore_unknown_nameservers on -# TAG: dns_v4_fallback -# Standard practice with DNS is to lookup either A or AAAA records -# and use the results if it succeeds. Only looking up the other if -# the first attempt fails or otherwise produces no results. -# -# That policy however will cause squid to produce error pages for some -# servers that advertise AAAA but are unreachable over IPv6. -# -# If this is ON squid will always lookup both AAAA and A, using both. -# If this is OFF squid will lookup AAAA and only try A if none found. -# -# WARNING: There are some possibly unwanted side-effects with this on: -# *) Doubles the load placed by squid on the DNS network. -# *) May negatively impact connection delay times. -#Default: -# dns_v4_fallback on - # TAG: dns_v4_first # With the IPv6 Internet being as fast or faster than IPv4 Internet # for most networks Squid prefers to contact websites over IPv6. @@ -5464,11 +7601,12 @@ refresh_pattern . 0 20% 4320 # WARNING: # This option will restrict the situations under which IPv6 # connectivity is used (and tested), potentially hiding network -# problem swhich would otherwise be detected and warned about. +# problems which would otherwise be detected and warned about. #Default: # dns_v4_first off # TAG: ipcache_size (number of entries) +# Maximum number of DNS IP cache entries. #Default: # ipcache_size 1024 @@ -5489,6 +7627,15 @@ refresh_pattern . 0 20% 4320 # MISCELLANEOUS # ----------------------------------------------------------------------------- +# TAG: configuration_includes_quoted_values on|off +# If set, Squid will recognize each "quoted string" after a configuration +# directive as a single parameter. The quotes are stripped before the +# parameter value is interpreted or used. +# See "Values with spaces, quotes, and other special characters" +# section for more details. +#Default: +# configuration_includes_quoted_values off + # TAG: memory_pools on|off # If set, Squid will keep pools of allocated (but unused) memory # available for future use. If memory is a premium on your @@ -5539,7 +7686,7 @@ refresh_pattern . 0 20% 4320 # X-Forwarded-For header. # # If set to "truncate", Squid will remove all existing -# X-Forwarded-For entries, and place itself as the sole entry. +# X-Forwarded-For entries, and place the client IP as the sole entry. #Default: # forwarded_for on @@ -5602,7 +7749,7 @@ refresh_pattern . 0 20% 4320 # cachemgr_passwd lesssssssecret info stats/objects # cachemgr_passwd disable all #Default: -# none +# No password. Actions which require password are denied. # TAG: client_db on|off # If you want to disable collecting per-client statistics, @@ -5633,19 +7780,22 @@ refresh_pattern . 0 20% 4320 #Default: # reload_into_ims off -# TAG: maximum_single_addr_tries -# This sets the maximum number of connection attempts for a -# host that only has one address (for multiple-address hosts, -# each address is tried once). +# TAG: connect_retries +# This sets the maximum number of connection attempts made for each +# TCP connection. The connect_retries attempts must all still +# complete within the connection timeout period. +# +# The default is not to re-try if the first connection attempt fails. +# The (not recommended) maximum is 10 tries. # -# The default value is one attempt, the (not recommended) -# maximum is 255 tries. A warning message will be generated -# if it is set to a value greater than ten. +# A warning message will be generated if it is set to a too-high +# value and the configured value will be over-ridden. # -# Note: This is in addition to the request re-forwarding which -# takes place if Squid fails to get a satisfying response. +# Note: These re-tries are in addition to forward_max_tries +# which limit how many different addresses may be tried to find +# a useful server. #Default: -# maximum_single_addr_tries 1 +# Do not retry failed connections. # TAG: retry_on_error # If set to ON Squid will automatically retry requests when @@ -5678,20 +7828,32 @@ refresh_pattern . 0 20% 4320 # URI. Options: # # strip: The whitespace characters are stripped out of the URL. -# This is the behavior recommended by RFC2396. +# This is the behavior recommended by RFC2396 and RFC3986 +# for tolerant handling of generic URI. +# NOTE: This is one difference between generic URI and HTTP URLs. +# # deny: The request is denied. The user receives an "Invalid # Request" message. +# This is the behaviour recommended by RFC2616 for safe +# handling of HTTP request URL. +# # allow: The request is allowed and the URI is not changed. The # whitespace characters remain in the URI. Note the # whitespace is passed to redirector processes if they # are in use. +# Note this may be considered a violation of RFC2616 +# request parsing where whitespace is prohibited in the +# URL field. +# # encode: The request is allowed and the whitespace characters are -# encoded according to RFC1738. This could be considered -# a violation of the HTTP/1.1 -# RFC because proxies are not allowed to rewrite URI's. +# encoded according to RFC1738. +# # chop: The request is allowed and the URI is chopped at the -# first whitespace. This might also be considered a -# violation. +# first whitespace. +# +# +# NOTE the current Squid implementation of encode and chop violates +# RFC2616 by not using a 301 redirect after altering the URL. #Default: # uri_whitespace strip @@ -5718,23 +7880,28 @@ refresh_pattern . 0 20% 4320 # balance_on_multiple_ip off # TAG: pipeline_prefetch -# To boost the performance of pipelined requests to closer -# match that of a non-proxied environment Squid can try to fetch -# up to two requests in parallel from a pipeline. -# -# Defaults to off for bandwidth management and access logging +# HTTP clients may send a pipeline of 1+N requests to Squid using a +# single connection, without waiting for Squid to respond to the first +# of those requests. This option limits the number of concurrent +# requests Squid will try to handle in parallel. If set to N, Squid +# will try to receive and process up to 1+N requests on the same +# connection concurrently. +# +# Defaults to 0 (off) for bandwidth management and access logging # reasons. # +# NOTE: pipelining requires persistent connections to clients. +# # WARNING: pipelining breaks NTLM and Negotiate/Kerberos authentication. #Default: -# pipeline_prefetch off +# Do not pre-parse pipelined requests. # TAG: high_response_time_warning (msec) # If the one-minute median response time exceeds this value, # Squid prints a WARNING with debug level 0 to get the # administrators attention. The value is in milliseconds. #Default: -# high_response_time_warning 0 +# disabled. # TAG: high_page_fault_warning # If the one-minute average page fault rate exceeds this @@ -5742,14 +7909,17 @@ refresh_pattern . 0 20% 4320 # the administrators attention. The value is in page faults # per second. #Default: -# high_page_fault_warning 0 +# disabled. # TAG: high_memory_warning -# If the memory usage (as determined by mallinfo) exceeds -# this amount, Squid prints a WARNING with debug level 0 to get +# Note: This option is only available if Squid is rebuilt with the +# GNU Malloc with mstats() +# +# If the memory usage (as determined by gnumalloc, if available and used) +# exceeds this amount, Squid prints a WARNING with debug level 0 to get # the administrators attention. #Default: -# high_memory_warning 0 KB +# disabled. # TAG: sleep_after_fork (microseconds) # When this is set to a non-zero value, the main Squid process @@ -5766,6 +7936,9 @@ refresh_pattern . 0 20% 4320 # sleep_after_fork 0 # TAG: windows_ipaddrchangemonitor on|off +# Note: This option is only available if Squid is rebuilt with the +# MS Windows +# # On Windows Squid by default will monitor IP address changes and will # reconfigure itself after any detected event. This is very useful for # proxies connected to internet with dial-up interfaces. @@ -5775,13 +7948,19 @@ refresh_pattern . 0 20% 4320 #Default: # windows_ipaddrchangemonitor on +# TAG: eui_lookup +# Whether to lookup the EUI or MAC address of a connected client. +#Default: +# eui_lookup on + # TAG: max_filedescriptors -# The maximum number of filedescriptors supported. +# Reduce the maximum number of filedescriptors supported below +# the usual operating system defaults. # -# The default "0" means Squid inherits the current ulimit setting. +# Remove from squid.conf to inherit the current ulimit setting. # # Note: Changing this requires a restart of Squid. Also -# not all comm loops supports large values. +# not all I/O types supports large values (eg on Windows). #Default: -# max_filedescriptors 0 +# Use operating system limits set by ulimit. diff --git a/hosts/profitbricks-build10-amd64/etc/squid/squid.conf b/hosts/profitbricks-build10-amd64/etc/squid/squid.conf index 34be0ec5..ad1cdc47 100644 --- a/hosts/profitbricks-build10-amd64/etc/squid/squid.conf +++ b/hosts/profitbricks-build10-amd64/etc/squid/squid.conf @@ -1,4 +1,4 @@ -# WELCOME TO SQUID 3.1.20 +# WELCOME TO SQUID 3.5.23 # ---------------------------- # # This is the documentation for the Squid configuration file. @@ -32,6 +32,188 @@ # This arbitrary restriction is to prevent recursive include references # from causing Squid entering an infinite loop whilst trying to load # configuration files. +# +# Values with byte units +# +# Squid accepts size units on some size related directives. All +# such directives are documented with a default value displaying +# a unit. +# +# Units accepted by Squid are: +# bytes - byte +# KB - Kilobyte (1024 bytes) +# MB - Megabyte +# GB - Gigabyte +# +# Values with spaces, quotes, and other special characters +# +# Squid supports directive parameters with spaces, quotes, and other +# special characters. Surround such parameters with "double quotes". Use +# the configuration_includes_quoted_values directive to enable or +# disable that support. +# +# Squid supports reading configuration option parameters from external +# files using the syntax: +# parameters("/path/filename") +# For example: +# acl whitelist dstdomain parameters("/etc/squid/whitelist.txt") +# +# Conditional configuration +# +# If-statements can be used to make configuration directives +# depend on conditions: +# +# if +# ... regular configuration directives ... +# [else +# ... regular configuration directives ...] +# endif +# +# The else part is optional. The keywords "if", "else", and "endif" +# must be typed on their own lines, as if they were regular +# configuration directives. +# +# NOTE: An else-if condition is not supported. +# +# These individual conditions types are supported: +# +# true +# Always evaluates to true. +# false +# Always evaluates to false. +# = +# Equality comparison of two integer numbers. +# +# +# SMP-Related Macros +# +# The following SMP-related preprocessor macros can be used. +# +# ${process_name} expands to the current Squid process "name" +# (e.g., squid1, squid2, or cache1). +# +# ${process_number} expands to the current Squid process +# identifier, which is an integer number (e.g., 1, 2, 3) unique +# across all Squid processes of the current service instance. +# +# ${service_name} expands into the current Squid service instance +# name identifier which is provided by -n on the command line. +# + +# TAG: broken_vary_encoding +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: cache_vary +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: error_map +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: external_refresh_check +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: location_rewrite_program +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: refresh_stale_hit +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: hierarchy_stoplist +# Remove this line. Use always_direct or cache_peer_access ACLs instead if you need to prevent cache_peer use. +#Default: +# none + +# TAG: log_access +# Remove this line. Use acls with access_log directives to control access logging +#Default: +# none + +# TAG: log_icap +# Remove this line. Use acls with icap_log directives to control icap logging +#Default: +# none + +# TAG: ignore_ims_on_miss +# Remove this line. The HTTP/1.1 feature is now configured by 'cache_miss_revalidate'. +#Default: +# none + +# TAG: chunked_request_body_max_size +# Remove this line. Squid is now HTTP/1.1 compliant. +#Default: +# none + +# TAG: dns_v4_fallback +# Remove this line. Squid performs a 'Happy Eyeballs' algorithm, the 'fallback' algorithm is no longer relevant. +#Default: +# none + +# TAG: emulate_httpd_log +# Replace this with an access_log directive using the format 'common' or 'combined'. +#Default: +# none + +# TAG: forward_log +# Use a regular access.log with ACL limiting it to MISS events. +#Default: +# none + +# TAG: ftp_list_width +# Remove this line. Configure FTP page display using the CSS controls in errorpages.css instead. +#Default: +# none + +# TAG: ignore_expect_100 +# Remove this line. The HTTP/1.1 feature is now fully supported by default. +#Default: +# none + +# TAG: log_fqdn +# Remove this option from your config. To log FQDN use %>A in the log format. +#Default: +# none + +# TAG: log_ip_on_direct +# Remove this option from your config. To log server or peer names use % -##auth_param negotiate children 5 +##auth_param negotiate children 20 startup=0 idle=1 ##auth_param negotiate keep_alive on ## -##auth_param ntlm program -##auth_param ntlm children 5 -##auth_param ntlm keep_alive on -## -##auth_param digest program -##auth_param digest children 5 +##auth_param digest program +##auth_param digest children 20 startup=0 idle=1 ##auth_param digest realm Squid proxy-caching web server ##auth_param digest nonce_garbage_interval 5 minutes ##auth_param digest nonce_max_duration 30 minutes ##auth_param digest nonce_max_count 50 ## +##auth_param ntlm program +##auth_param ntlm children 20 startup=0 idle=1 +##auth_param ntlm keep_alive on +## ##auth_param basic program -##auth_param basic children 5 +##auth_param basic children 5 startup=5 idle=1 ##auth_param basic realm Squid proxy-caching web server ##auth_param basic credentialsttl 2 hours #Default: @@ -343,7 +448,7 @@ # TAG: authenticate_cache_garbage_interval # The time period between garbage collection across the username cache. -# This is a tradeoff between memory utilization (long intervals - say +# This is a trade-off between memory utilization (long intervals - say # 2 days) and CPU (short intervals - say 1 minute). Only change if you # have good reason to. #Default: @@ -362,11 +467,11 @@ # this directive controls how long Squid remembers the IP # addresses associated with each user. Use a small value # (e.g., 60 seconds) if your users might change addresses -# quickly, as is the case with dialups. You might be safe +# quickly, as is the case with dialup. You might be safe # using a larger value (e.g., 2 hours) in a corporate LAN # environment with relatively static address assignments. #Default: -# authenticate_ip_ttl 0 seconds +# authenticate_ip_ttl 1 second # ACCESS CONTROLS # ----------------------------------------------------------------------------- @@ -381,31 +486,66 @@ # # ttl=n TTL in seconds for cached results (defaults to 3600 # for 1 hour) +# # negative_ttl=n # TTL for cached negative lookups (default same # as ttl) -# children=n Number of acl helper processes spawn to service +# +# grace=n Percentage remaining of TTL where a refresh of a +# cached entry should be initiated without needing to +# wait for a new reply. (default is for no grace period) +# +# cache=n The maximum number of entries in the result cache. The +# default limit is 262144 entries. Each cache entry usually +# consumes at least 256 bytes. Squid currently does not remove +# expired cache entries until the limit is reached, so a proxy +# will sooner or later reach the limit. The expanded FORMAT +# value is used as the cache key, so if the details in FORMAT +# are highly variable, a larger cache may be needed to produce +# reduction in helper load. +# +# children-max=n +# Maximum number of acl helper processes spawned to service # external acl lookups of this type. (default 5) +# +# children-startup=n +# Minimum number of acl helper processes to spawn during +# startup and reconfigure to service external acl lookups +# of this type. (default 0) +# +# children-idle=n +# Number of acl helper processes to keep ahead of traffic +# loads. Squid will spawn this many at once whenever load +# rises above the capabilities of existing processes. +# Up to the value of children-max. (default 1) +# # concurrency=n concurrency level per process. Only used with helpers # capable of processing more than one query at a time. -# cache=n result cache size, 0 is unbounded (default) -# grace=n Percentage remaining of TTL where a refresh of a -# cached entry should be initiated without needing to -# wait for a new reply. (default 0 for no grace period) -# protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers +# +# protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers. +# # ipv4 / ipv6 IP protocol used to communicate with this helper. # The default is to auto-detect IPv6 and use it when available. # +# # FORMAT specifications # # %LOGIN Authenticated user login name -# %EXT_USER Username from external acl +# %un A user name. Expands to the first available name +# from the following list of information sources: +# - authenticated user name, like %ul or %LOGIN +# - user name sent by an external ACL, like %EXT_USER +# - SSL client name, like %us in logformat +# - ident user name, like %ui in logformat +# %EXT_USER Username from previous external acl +# %EXT_LOG Log details from previous external acl +# %EXT_TAG Tag from previous external acl # %IDENT Ident user name # %SRC Client IP # %SRCPORT Client source port # %URI Requested URI # %DST Requested host -# %PROTO Requested protocol +# %PROTO Requested URL scheme # %PORT Requested port # %PATH Requested URL path # %METHOD Request method @@ -415,7 +555,10 @@ # %USER_CERT SSL User certificate in PEM format # %USER_CERTCHAIN SSL User certificate chain in PEM format # %USER_CERT_xx SSL User certificate subject attribute xx -# %USER_CA_xx SSL User certificate issuer attribute xx +# %USER_CA_CERT_xx SSL User certificate issuer attribute xx +# %ssl::>sni SSL client SNI sent to Squid +# %ssl::{Header} HTTP request header "Header" # %>{Hdr:member} @@ -433,43 +576,101 @@ # list separator. ; can be any non-alphanumeric # character. # +# %ACL The name of the ACL being tested. +# %DATA The ACL arguments. If not used then any arguments +# is automatically added at the end of the line +# sent to the helper. +# NOTE: this will encode the arguments as one token, +# whereas the default will pass each separately. +# # %% The percent sign. Useful for helpers which need # an unchanging input format. # -# In addition to the above, any string specified in the referencing -# acl will also be included in the helper request line, after the -# specified formats (see the "acl external" directive) # -# The helper receives lines per the above format specification, -# and returns lines starting with OK or ERR indicating the validity -# of the request and optionally followed by additional keywords with -# more details. +# General request syntax: +# +# [channel-ID] FORMAT-values [acl-values ...] +# +# +# FORMAT-values consists of transaction details expanded with +# whitespace separation per the config file FORMAT specification +# using the FORMAT macros listed above. +# +# acl-values consists of any string specified in the referencing +# config 'acl ... external' line. see the "acl external" directive. +# +# Request values sent to the helper are URL escaped to protect +# each value in requests against whitespaces. +# +# If using protocol=2.5 then the request sent to the helper is not +# URL escaped to protect against whitespace. +# +# NOTE: protocol=3.0 is deprecated as no longer necessary. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# +# The helper receives lines expanded per the above format specification +# and for each input line returns 1 line starting with OK/ERR/BH result +# code and optionally followed by additional keywords with more details. +# # # General result syntax: # -# OK/ERR keyword=value ... +# [channel-ID] result keyword=value ... +# +# Result consists of one of the codes: +# +# OK +# the ACL test produced a match. +# +# ERR +# the ACL test does not produce a match. +# +# BH +# An internal error occurred in the helper, preventing +# a result being identified. +# +# The meaning of 'a match' is determined by your squid.conf +# access control configuration. See the Squid wiki for details. # # Defined keywords: # # user= The users name (login) +# # password= The users password (for login= cache_peer option) -# message= Message describing the reason. Available as %o -# in error pages -# tag= Apply a tag to a request (for both ERR and OK results) -# Only sets a tag, does not alter existing tags. +# +# message= Message describing the reason for this response. +# Available as %o in error pages. +# Useful on (ERR and BH results). +# +# tag= Apply a tag to a request. Only sets a tag once, +# does not alter existing tags. +# # log= String to be logged in access.log. Available as -# %ea in logformat specifications +# %ea in logformat specifications. # -# If protocol=3.0 (the default) then URL escaping is used to protect -# each value in both requests and responses. +# clt_conn_tag= Associates a TAG with the client TCP connection. +# Please see url_rewrite_program related documentation +# for this kv-pair. # -# If using protocol=2.5 then all values need to be enclosed in quotes -# if they may contain whitespace, or the whitespace escaped using \. -# And quotes or \ characters within the keyword value must be \ escaped. +# Any keywords may be sent on any response whether OK, ERR or BH. # -# When using the concurrency= option the protocol is changed by -# introducing a query channel tag infront of the request/response. -# The query channel tag is a number between 0 and concurrency-1. +# All response keyword values need to be a single token with URL +# escaping, or enclosed in double quotes (") and escaped using \ on +# any double quotes or \ characters within the value. The wrapping +# double quotes are removed before the value is interpreted by Squid. +# \r and \n are also replace by CR and LF. +# +# Some example key values: +# +# user=John%20Smith +# user="John Smith" +# user="J. \"Bob\" Smith" #Default: # none @@ -485,9 +686,23 @@ # # When using "file", the file should contain one item per line. # -# By default, regular expressions are CASE-SENSITIVE. -# To make them case-insensitive, use the -i option. To return case-sensitive -# use the +i option between patterns, or make a new ACL line without -i. +# Some acl types supports options which changes their default behaviour. +# The available options are: +# +# -i,+i By default, regular expressions are CASE-SENSITIVE. To make them +# case-insensitive, use the -i option. To return case-sensitive +# use the +i option between patterns, or make a new ACL line +# without -i. +# +# -n Disable lookups and address type conversions. If lookup or +# conversion is required because the parameter type (IP or +# domain name) does not match the message address type (domain +# name or IP), then the ACL would immediately declare a mismatch +# without any warnings or lookups. +# +# -- Used to stop processing all options, in the case the first acl +# value has '-' character as first character (for example the '-' +# is a valid domain name) # # Some acl types require suspending the current request in order # to access some external data source. @@ -498,29 +713,31 @@ # # ***** ACL TYPES AVAILABLE ***** # -# acl aclname src ip-address/netmask ... # clients IP address [fast] -# acl aclname src addr1-addr2/netmask ... # range of addresses [fast] -# acl aclname dst ip-address/netmask ... # URL host's IP address [slow] -# acl aclname myip ip-address/netmask ... # local socket IP address [fast] +# acl aclname src ip-address/mask ... # clients IP address [fast] +# acl aclname src addr1-addr2/mask ... # range of addresses [fast] +# acl aclname dst [-n] ip-address/mask ... # URL host's IP address [slow] +# acl aclname localip ip-address/mask ... # IP address the client connected to [fast] # # acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation) -# # The arp ACL requires the special configure option --enable-arp-acl. -# # Furthermore, the ARP ACL code is not portable to all operating systems. -# # It works on Linux, Solaris, Windows, FreeBSD, and some -# # other *BSD variants. # # [fast] +# # The 'arp' ACL code is not portable to all operating systems. +# # It works on Linux, Solaris, Windows, FreeBSD, and some other +# # BSD variants. +# # +# # NOTE: Squid can only determine the MAC/EUI address for IPv4 +# # clients that are on the same subnet. If the client is on a +# # different subnet, then Squid cannot find out its address. # # -# # NOTE: Squid can only determine the MAC address for clients that are on -# # the same subnet. If the client is on a different subnet, -# # then Squid cannot find out its MAC address. +# # NOTE 2: IPv6 protocol does not contain ARP. MAC/EUI is either +# # encoded directly in the IPv6 address or not available. # # acl aclname srcdomain .foo.com ... # # reverse lookup, from client IP [slow] -# acl aclname dstdomain .foo.com ... +# acl aclname dstdomain [-n] .foo.com ... # # Destination server from URL [fast] # acl aclname srcdom_regex [-i] \.foo\.com ... # # regex matching client name [slow] -# acl aclname dstdom_regex [-i] \.foo\.com ... +# acl aclname dstdom_regex [-n] [-i] \.foo\.com ... # # regex matching server [fast] # # # # For dstdomain and dstdom_regex a reverse lookup is tried if a IP @@ -557,13 +774,17 @@ # # acl aclname url_regex [-i] ^http:// ... # # regex matching on whole URL [fast] +# acl aclname urllogin [-i] [^a-zA-Z0-9] ... +# # regex matching on URL login field # acl aclname urlpath_regex [-i] \.gif$ ... # # regex matching on URL path [fast] # # acl aclname port 80 70 21 0-1024... # destination TCP port [fast] # # ranges are alloed -# acl aclname myport 3128 ... # local socket TCP port [fast] -# acl aclname myportname 3128 ... # http(s)_port name [fast] +# acl aclname localport 3128 ... # TCP port the client connected to [fast] +# # NP: for interception mode this is usually '80' +# +# acl aclname myportname 3128 ... # *_port name [fast] # # acl aclname proto HTTP FTP ... # request protocol [fast] # @@ -632,6 +853,11 @@ # # clients may appear to come from multiple addresses if they are # # going through proxy farms, so a limit of 1 may cause user problems. # +# acl aclname random probability +# # Pseudo-randomly match requests. Based on the probability given. +# # Probability may be written as a decimal (0.333), fraction (1/3) +# # or ratio of matches:non-matches (3:5). +# # acl aclname req_mime_type [-i] mime-type ... # # regex match against the mime type of the request generated # # by the client. Can be used to detect file upload or some @@ -663,11 +889,11 @@ # # acl aclname user_cert attribute values... # # match against attributes in a user SSL certificate -# # attribute is one of DN/C/O/CN/L/ST [fast] +# # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast] # # acl aclname ca_cert attribute values... # # match against attributes a users issuing CA SSL certificate -# # attribute is one of DN/C/O/CN/L/ST [fast] +# # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast] # # acl aclname ext_user username ... # acl aclname ext_user_regex [-i] pattern ... @@ -675,7 +901,59 @@ # # use REQUIRED to accept any non-null user name. # # acl aclname tag tagvalue ... -# # string match on tag returned by external acl helper [slow] +# # string match on tag returned by external acl helper [fast] +# # DEPRECATED. Only the first tag will match with this ACL. +# # Use the 'note' ACL instead for handling multiple tag values. +# +# acl aclname hier_code codename ... +# # string match against squid hierarchy code(s); [fast] +# # e.g., DIRECT, PARENT_HIT, NONE, etc. +# # +# # NOTE: This has no effect in http_access rules. It only has +# # effect in rules that affect the reply data stream such as +# # http_reply_access. +# +# acl aclname note name [value ...] +# # match transaction annotation [fast] +# # Without values, matches any annotation with a given name. +# # With value(s), matches any annotation with a given name that +# # also has one of the given values. +# # Names and values are compared using a string equality test. +# # Annotation sources include note and adaptation_meta directives +# # as well as helper and eCAP responses. +# +# acl aclname adaptation_service service ... +# # Matches the name of any icap_service, ecap_service, +# # adaptation_service_set, or adaptation_service_chain that Squid +# # has used (or attempted to use) for the master transaction. +# # This ACL must be defined after the corresponding adaptation +# # service is named in squid.conf. This ACL is usable with +# # adaptation_meta because it starts matching immediately after +# # the service has been selected for adaptation. +# +# acl aclname any-of acl1 acl2 ... +# # match any one of the acls [fast or slow] +# # The first matching ACL stops further ACL evaluation. +# # +# # ACLs from multiple any-of lines with the same name are ORed. +# # For example, A = (a1 or a2) or (a3 or a4) can be written as +# # acl A any-of a1 a2 +# # acl A any-of a3 a4 +# # +# # This group ACL is fast if all evaluated ACLs in the group are fast +# # and slow otherwise. +# +# acl aclname all-of acl1 acl2 ... +# # match all of the acls [fast or slow] +# # The first mismatching ACL stops further ACL evaluation. +# # +# # ACLs from multiple all-of lines with the same name are ORed. +# # For example, B = (b1 and b2) or (b3 and b4) can be written as +# # acl B all-of b1 b2 +# # acl B all-of b3 b4 +# # +# # This group ACL is fast if all evaluated ACLs in the group are fast +# # and slow otherwise. # # Examples: # acl macaddress arp 09:00:2b:23:45:67 @@ -685,14 +963,11 @@ # acl javascript rep_mime_type -i ^application/x-javascript$ # #Default: -# acl all src all +# ACLs all, manager, localhost, and to_localhost are predefined. # # # Recommended minimum configuration: -# (now built-in) -#acl manager proto cache_object -#acl localhost src 127.0.0.1/32 ::1 -#acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1 +# # Example rule allowing access from your local networks. # Adapt to list your (internal) IP networks from where browsing @@ -716,39 +991,83 @@ acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT +# TAG: proxy_protocol_access +# Determine which client proxies can be trusted to provide correct +# information regarding real client IP address using PROXY protocol. +# +# Requests may pass through a chain of several other proxies +# before reaching us. The original source details may by sent in: +# * HTTP message Forwarded header, or +# * HTTP message X-Forwarded-For header, or +# * PROXY protocol connection header. +# +# This directive is solely for validating new PROXY protocol +# connections received from a port flagged with require-proxy-header. +# It is checked only once after TCP connection setup. +# +# A deny match results in TCP connection closure. +# +# An allow match is required for Squid to permit the corresponding +# TCP connection, before Squid even looks for HTTP request headers. +# If there is an allow match, Squid starts using PROXY header information +# to determine the source address of the connection for all future ACL +# checks, logging, etc. +# +# SECURITY CONSIDERATIONS: +# +# Any host from which we accept client IP details can place +# incorrect information in the relevant header, and Squid +# will use the incorrect information as if it were the +# source address of the request. This may enable remote +# hosts to bypass any access control restrictions that are +# based on the client's source addresses. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# all TCP connections to ports with require-proxy-header will be denied + # TAG: follow_x_forwarded_for -# Allowing or Denying the X-Forwarded-For header to be followed to -# find the original source of a request. +# Determine which client proxies can be trusted to provide correct +# information regarding real client IP address. # # Requests may pass through a chain of several other proxies -# before reaching us. The X-Forwarded-For header will contain a -# comma-separated list of the IP addresses in the chain, with the -# rightmost address being the most recent. +# before reaching us. The original source details may by sent in: +# * HTTP message Forwarded header, or +# * HTTP message X-Forwarded-For header, or +# * PROXY protocol connection header. +# +# PROXY protocol connections are controlled by the proxy_protocol_access +# directive which is checked before this. # # If a request reaches us from a source that is allowed by this -# configuration item, then we consult the X-Forwarded-For header -# to see where that host received the request from. If the -# X-Forwarded-For header contains multiple addresses, we continue -# backtracking until we reach an address for which we are not allowed -# to follow the X-Forwarded-For header, or until we reach the first -# address in the list. For the purpose of ACL used in the -# follow_x_forwarded_for directive the src ACL type always matches -# the address we are testing and srcdomain matches its rDNS. +# directive, then we trust the information it provides regarding +# the IP of the client it received from (if any). +# +# For the purpose of ACLs used in this directive the src ACL type always +# matches the address we are testing and srcdomain matches its rDNS. +# +# On each HTTP request Squid checks for X-Forwarded-For header fields. +# If found the header values are iterated in reverse order and an allow +# match is required for Squid to continue on to the next value. +# The verification ends when a value receives a deny match, cannot be +# tested, or there are no more values to test. +# NOTE: Squid does not yet follow the Forwarded HTTP header. # # The end result of this process is an IP address that we will # refer to as the indirect client address. This address may # be treated as the client address for access control, ICAP, delay # pools and logging, depending on the acl_uses_indirect_client, -# icap_uses_indirect_client, delay_pool_uses_indirect_client and -# log_uses_indirect_client options. +# icap_uses_indirect_client, delay_pool_uses_indirect_client, +# log_uses_indirect_client and tproxy_uses_indirect_client options. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # # SECURITY CONSIDERATIONS: # -# Any host for which we follow the X-Forwarded-For header -# can place incorrect information in the header, and Squid +# Any host from which we accept client IP details can place +# incorrect information in the relevant header, and Squid # will use the incorrect information as if it were the # source address of the request. This may enable remote # hosts to bypass any access control restrictions that are @@ -761,7 +1080,7 @@ acl CONNECT method CONNECT # follow_x_forwarded_for allow localhost # follow_x_forwarded_for allow my_other_proxy #Default: -# follow_x_forwarded_for deny all +# X-Forwarded-For header will be ignored. # TAG: acl_uses_indirect_client on|off # Controls whether the indirect client address @@ -787,10 +1106,41 @@ acl CONNECT method CONNECT #Default: # log_uses_indirect_client on +# TAG: tproxy_uses_indirect_client on|off +# Controls whether the indirect client address +# (see follow_x_forwarded_for) is used instead of the +# direct client address when spoofing the outgoing client. +# +# This has no effect on requests arriving in non-tproxy +# mode ports. +# +# SECURITY WARNING: Usage of this option is dangerous +# and should not be used trivially. Correct configuration +# of follow_x_forwarded_for with a limited set of trusted +# sources is required to prevent abuse of your proxy. +#Default: +# tproxy_uses_indirect_client off + +# TAG: spoof_client_ip +# Control client IP address spoofing of TPROXY traffic based on +# defined access lists. +# +# spoof_client_ip allow|deny [!]aclname ... +# +# If there are no "spoof_client_ip" lines present, the default +# is to "allow" spoofing of any suitable request. +# +# Note that the cache_peer "no-tproxy" option overrides this ACL. +# +# This clause supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Allow spoofing on all TPROXY traffic. + # TAG: http_access # Allowing or Denying access based on defined access lists # -# Access to the HTTP port: +# To allow or deny a message received on an HTTP, HTTPS, or FTP port: # http_access allow|deny [!]aclname ... # # NOTE on default values: @@ -809,22 +1159,22 @@ acl CONNECT method CONNECT # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # #Default: -# http_access deny all +# Deny, unless rules exist in squid.conf. # # # Recommended minimum Access Permission configuration: # -# Only allow cachemgr access from localhost -http_access allow manager localhost -http_access deny manager - # Deny requests to certain unsafe ports http_access deny !Safe_ports # Deny CONNECT to other than secure SSL ports http_access deny CONNECT !SSL_ports +# Only allow cachemgr access from localhost +http_access allow localhost manager +http_access deny manager + # We strongly recommend the following be uncommented to protect innocent # web applications running on the proxy server who think the only # one who can access services on "localhost" is a local user @@ -852,7 +1202,7 @@ http_access deny all # # If not set then only http_access is used. #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: http_reply_access # Allow replies to client requests. This is complementary to http_access. @@ -860,7 +1210,7 @@ http_access deny all # http_reply_access allow|deny [!] aclname ... # # NOTE: if there are no access lines present, the default is to allow -# all replies +# all replies. # # If none of the access lines cause a match the opposite of the # last line will apply. Thus it is good practice to end the rules @@ -869,7 +1219,7 @@ http_access deny all # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: icp_access # Allowing or Denying access to the ICP port based on defined @@ -877,7 +1227,9 @@ http_access deny all # # icp_access allow|deny [!]aclname ... # -# See http_access for details +# NOTE: The default if no icp_access lines are present is to +# deny all traffic. This default may cause problems with peers +# using ICP. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. @@ -886,7 +1238,7 @@ http_access deny all ##icp_access allow localnet ##icp_access deny all #Default: -# icp_access deny all +# Deny, unless rules exist in squid.conf. # TAG: htcp_access # Allowing or Denying access to the HTCP port based on defined @@ -894,11 +1246,12 @@ http_access deny all # # htcp_access allow|deny [!]aclname ... # -# See http_access for details +# See also htcp_clr_access for details on access control for +# cache purge (CLR) HTCP messages. # # NOTE: The default if no htcp_access lines are present is to # deny all traffic. This default may cause problems with peers -# using the htcp or htcp-oldsquid options. +# using the htcp option. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. @@ -907,48 +1260,47 @@ http_access deny all ##htcp_access allow localnet ##htcp_access deny all #Default: -# htcp_access deny all +# Deny, unless rules exist in squid.conf. # TAG: htcp_clr_access # Allowing or Denying access to purge content using HTCP based -# on defined access lists +# on defined access lists. +# See htcp_access for details on general HTCP access control. # # htcp_clr_access allow|deny [!]aclname ... # -# See http_access for details -# # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # ## Allow HTCP CLR requests from trusted peers -#acl htcp_clr_peer src 172.16.1.2 +#acl htcp_clr_peer src 192.0.2.2 2001:DB8::2 #htcp_clr_access allow htcp_clr_peer +#htcp_clr_access deny all #Default: -# htcp_clr_access deny all +# Deny, unless rules exist in squid.conf. # TAG: miss_access -# Determins whether network access is permitted when satisfying a request. +# Determines whether network access is permitted when satisfying a request. # # For example; # to force your neighbors to use you as a sibling instead of # a parent. # -# acl localclients src 172.16.0.0/16 -# miss_access allow localclients +# acl localclients src 192.0.2.0/24 2001:DB8::a:0/64 # miss_access deny !localclients +# miss_access allow all # # This means only your local clients are allowed to fetch relayed/MISS # replies from the network and all other clients can only fetch cached # objects (HITs). # -# # The default for this setting allows all clients who passed the # http_access rules to relay via this proxy. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# miss_access allow all +# Allow, unless rules exist in squid.conf. # TAG: ident_lookup_access # A list of ACL elements which, if matched, cause an ident @@ -972,7 +1324,7 @@ http_access deny all # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# ident_lookup_access deny all +# Unless rules exist in squid.conf, IDENT is not fetched. # TAG: reply_body_max_size size [acl acl...] # This option specifies the maximum size of a reply body. It can be @@ -1009,23 +1361,22 @@ http_access deny all # reply_body_max_size 10 MB # #Default: -# none +# No limit is applied. # NETWORK OPTIONS # ----------------------------------------------------------------------------- # TAG: http_port -# Usage: port [options] -# hostname:port [options] -# 1.2.3.4:port [options] +# Usage: port [mode] [options] +# hostname:port [mode] [options] +# 1.2.3.4:port [mode] [options] # # The socket addresses where Squid will listen for HTTP client # requests. You may specify multiple socket addresses. # There are three forms: port alone, hostname with port, and # IP address with port. If you specify a hostname or IP # address, Squid binds the socket to that specific -# address. This replaces the old 'tcp_incoming_address' -# option. Most likely, you do not need to bind to a specific +# address. Most likely, you do not need to bind to a specific # address, so you can use the port number alone. # # If you are running Squid in accelerator mode, you @@ -1037,48 +1388,184 @@ http_access deny all # # You may specify multiple socket addresses on multiple lines. # -# Options: +# Modes: # -# intercept Support for IP-Layer interception of -# outgoing requests without browser settings. -# NP: disables authentication and IPv6 on the port. +# intercept Support for IP-Layer NAT interception delivering +# traffic to this Squid port. +# NP: disables authentication on the port. # -# tproxy Support Linux TPROXY for spoofing outgoing -# connections using the client IP address. -# NP: disables authentication and maybe IPv6 on the port. +# tproxy Support Linux TPROXY (or BSD divert-to) with spoofing +# of outgoing connections using the client IP address. +# NP: disables authentication on the port. # -# accel Accelerator mode. Also needs at least one of -# vhost / vport / defaultsite. +# accel Accelerator / reverse proxy mode # -# allow-direct Allow direct forwarding in accelerator mode. Normally -# accelerated requests are denied direct forwarding as if -# never_direct was used. +# ssl-bump For each CONNECT request allowed by ssl_bump ACLs, +# establish secure connection with the client and with +# the server, decrypt HTTPS messages as they pass through +# Squid, and treat them as unencrypted HTTP messages, +# becoming the man-in-the-middle. # -# defaultsite=domainname -# What to use for the Host: header if it is not present -# in a request. Determines what site (not origin server) -# accelerators should consider the default. -# Implies accel. +# The ssl_bump option is required to fully enable +# bumping of CONNECT requests. +# +# Omitting the mode flag causes default forward proxy mode to be used. +# +# +# Accelerator Mode Options: +# +# defaultsite=domainname +# What to use for the Host: header if it is not present +# in a request. Determines what site (not origin server) +# accelerators should consider the default. # -# vhost Accelerator mode using Host header for virtual domain support. -# Also uses the port as specified in Host: header unless -# overridden by the vport option. Implies accel. +# no-vhost Disable using HTTP/1.1 Host header for virtual domain support. +# +# protocol= Protocol to reconstruct accelerated and intercepted +# requests with. Defaults to HTTP/1.1 for http_port and +# HTTPS/1.1 for https_port. +# When an unsupported value is configured Squid will +# produce a FATAL error. +# Values: HTTP or HTTP/1.1, HTTPS or HTTPS/1.1 # # vport Virtual host port support. Using the http_port number -# instead of the port passed on Host: headers. Implies accel. +# instead of the port passed on Host: headers. # # vport=NN Virtual host port support. Using the specified port # number instead of the port passed on Host: headers. -# Implies accel. # -# protocol= Protocol to reconstruct accelerated requests with. -# Defaults to http. +# act-as-origin +# Act as if this Squid is the origin server. +# This currently means generate new Date: and Expires: +# headers on HIT instead of adding Age:. # # ignore-cc Ignore request Cache-Control headers. # -# Warning: This option violates HTTP specifications if +# WARNING: This option violates HTTP specifications if # used in non-accelerator setups. # +# allow-direct Allow direct forwarding in accelerator mode. Normally +# accelerated requests are denied direct forwarding as if +# never_direct was used. +# +# WARNING: this option opens accelerator mode to security +# vulnerabilities usually only affecting in interception +# mode. Make sure to protect forwarding with suitable +# http_access rules when using this. +# +# +# SSL Bump Mode Options: +# In addition to these options ssl-bump requires TLS/SSL options. +# +# generate-host-certificates[=] +# Dynamically create SSL server certificates for the +# destination hosts of bumped CONNECT requests.When +# enabled, the cert and key options are used to sign +# generated certificates. Otherwise generated +# certificate will be selfsigned. +# If there is a CA certificate lifetime of the generated +# certificate equals lifetime of the CA certificate. If +# generated certificate is selfsigned lifetime is three +# years. +# This option is disabled by default. See the ssl-bump +# option above for more information. +# +# dynamic_cert_mem_cache_size=SIZE +# Approximate total RAM size spent on cached generated +# certificates. If set to zero, caching is disabled. +# +# TLS / SSL Options: +# +# cert= Path to SSL certificate (PEM format). +# +# key= Path to SSL private key file (PEM format) +# if not specified, the certificate file is +# assumed to be a combined certificate and +# key file. +# +# version= The version of SSL/TLS supported +# 1 automatic (default) +# 2 SSLv2 only +# 3 SSLv3 only +# 4 TLSv1.0 only +# 5 TLSv1.1 only +# 6 TLSv1.2 only +# +# cipher= Colon separated list of supported ciphers. +# NOTE: some ciphers such as EDH ciphers depend on +# additional settings. If those settings are +# omitted the ciphers may be silently ignored +# by the OpenSSL library. +# +# options= Various SSL implementation options. The most important +# being: +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# SINGLE_DH_USE Always create a new key when using +# temporary/ephemeral DH key exchanges +# NO_TICKET Disables TLS tickets extension +# +# SINGLE_ECDH_USE +# Enable ephemeral ECDH key exchange. +# The adopted curve should be specified +# using the tls-dh option. +# +# ALL Enable various bug workarounds +# suggested as "harmless" by OpenSSL +# Be warned that this reduces SSL/TLS +# strength to some attacks. +# See OpenSSL SSL_CTX_set_options documentation for a +# complete list of options. +# +# clientca= File containing the list of CAs to use when +# requesting a client certificate. +# +# cafile= File containing additional CA certificates to +# use when verifying client certificates. If unset +# clientca will be used. +# +# capath= Directory containing additional CA certificates +# and CRL lists to use when verifying client certificates. +# +# crlfile= File of additional CRL lists to use when verifying +# the client certificate, in addition to CRLs stored in +# the capath. Implies VERIFY_CRL flag below. +# +# tls-dh=[curve:]file +# File containing DH parameters for temporary/ephemeral DH key +# exchanges, optionally prefixed by a curve for ephemeral ECDH +# key exchanges. +# See OpenSSL documentation for details on how to create the +# DH parameter file. Supported curves for ECDH can be listed +# using the "openssl ecparam -list_curves" command. +# WARNING: EDH and EECDH ciphers will be silently disabled if +# this option is not set. +# +# sslflags= Various flags modifying the use of SSL: +# DELAYED_AUTH +# Don't request client certificates +# immediately, but wait until acl processing +# requires a certificate (not yet implemented). +# NO_DEFAULT_CA +# Don't use the default CA lists built in +# to OpenSSL. +# NO_SESSION_REUSE +# Don't allow for session reuse. Each connection +# will result in a new SSL session. +# VERIFY_CRL +# Verify CRL lists when accepting client +# certificates. +# VERIFY_CRL_ALL +# Verify CRL lists for all certificates in the +# client certificate chain. +# +# sslcontext= SSL session ID context identifier. +# +# Other Options: +# # connection-auth[=on|off] # use connection-auth=off to tell Squid to prevent # forwarding Microsoft connection oriented authentication @@ -1100,22 +1587,6 @@ http_access deny all # sporadically hang or never complete requests set # disable-pmtu-discovery option to 'transparent'. # -# ssl-bump Intercept each CONNECT request matching ssl_bump ACL, -# establish secure connection with the client and with -# the server, decrypt HTTP messages as they pass through -# Squid, and treat them as unencrypted HTTP messages, -# becoming the man-in-the-middle. -# -# When this option is enabled, additional options become -# available to specify SSL-related properties of the -# client-side connection: cert, key, version, cipher, -# options, clientca, cafile, capath, crlfile, dhparams, -# sslflags, and sslcontext. See the https_port directive -# for more information on these options. -# -# The ssl_bump option is required to fully enable -# the SslBump feature. -# # name= Specifies a internal name for the port. Defaults to # the port specification (port or addr:port) # @@ -1125,6 +1596,11 @@ http_access deny all # probing the connection, interval how often to probe, and # timeout the time before giving up. # +# require-proxy-header +# Require PROXY protocol version 1 or 2 connections. +# The proxy_protocol_access is required to whitelist +# downstream proxies which can be trusted. +# # If you run Squid on a dual-homed machine with an internal # and an external interface we recommend you to specify the # internal address:port in http_port. This way Squid will only be @@ -1137,35 +1613,49 @@ http_port 3128 # TAG: https_port # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # -# Usage: [ip:]port cert=certificate.pem [key=key.pem] [options...] +# Usage: [ip:]port cert=certificate.pem [key=key.pem] [mode] [options...] # -# The socket address where Squid will listen for HTTPS client -# requests. +# The socket address where Squid will listen for client requests made +# over TLS or SSL connections. Commonly referred to as HTTPS. # -# This is really only useful for situations where you are running -# squid in accelerator mode and you want to do the SSL work at the -# accelerator level. +# This is most useful for situations where you are running squid in +# accelerator mode and you want to do the SSL work at the accelerator level. # # You may specify multiple socket addresses on multiple lines, # each with their own SSL certificate and/or options. # -# Options: +# Modes: +# +# accel Accelerator / reverse proxy mode +# +# intercept Support for IP-Layer interception of +# outgoing requests without browser settings. +# NP: disables authentication and IPv6 on the port. +# +# tproxy Support Linux TPROXY for spoofing outgoing +# connections using the client IP address. +# NP: disables authentication and maybe IPv6 on the port. +# +# ssl-bump For each intercepted connection allowed by ssl_bump +# ACLs, establish a secure connection with the client and with +# the server, decrypt HTTPS messages as they pass through +# Squid, and treat them as unencrypted HTTP messages, +# becoming the man-in-the-middle. +# +# An "ssl_bump server-first" match is required to +# fully enable bumping of intercepted SSL connections. +# +# Requires tproxy or intercept. # -# accel Accelerator mode. Also needs at least one of -# defaultsite or vhost. +# Omitting the mode flag causes default forward proxy mode to be used. # -# defaultsite= The name of the https site presented on -# this port. Implies accel. # -# vhost Accelerator mode using Host header for virtual -# domain support. Requires a wildcard certificate -# or other certificate valid for more than one domain. -# Implies accel. +# See http_port for a list of generic options # -# protocol= Protocol to reconstruct accelerated requests with. -# Defaults to https. +# +# SSL Options: # # cert= Path to SSL certificate (PEM format). # @@ -1181,20 +1671,23 @@ http_port 3128 # 4 TLSv1 only # # cipher= Colon separated list of supported ciphers. -# NOTE: some ciphers such as EDH ciphers depend on -# additional settings. If those settings are -# omitted the ciphers may be silently ignored -# by the OpenSSL library. # # options= Various SSL engine options. The most important # being: # NO_SSLv2 Disallow the use of SSLv2 # NO_SSLv3 Disallow the use of SSLv3 # NO_TLSv1 Disallow the use of TLSv1 +# # SINGLE_DH_USE Always create a new key when using # temporary/ephemeral DH key exchanges -# See OpenSSL SSL_CTX_set_options documentation for a -# complete list of options. +# +# SINGLE_ECDH_USE +# Enable ephemeral ECDH key exchange. +# The adopted curve should be specified +# using the tls-dh option. +# +# See src/ssl_support.c or OpenSSL SSL_CTX_set_options +# documentation for a complete list of options. # # clientca= File containing the list of CAs to use when # requesting a client certificate. @@ -1210,11 +1703,10 @@ http_port 3128 # the client certificate, in addition to CRLs stored in # the capath. Implies VERIFY_CRL flag below. # -# dhparams= File containing DH parameters for temporary/ephemeral -# DH key exchanges. See OpenSSL documentation for details -# on how to create this file. -# WARNING: EDH ciphers will be silently disabled if this -# option is not set. +# tls-dh=[curve:]file +# File containing DH parameters for temporary/ephemeral DH key +# exchanges, optionally prefixed by a curve for ephemeral ECDH +# key exchanges. # # sslflags= Various flags modifying the use of SSL: # DELAYED_AUTH @@ -1238,38 +1730,89 @@ http_port 3128 # # generate-host-certificates[=] # Dynamically create SSL server certificates for the -# destination hosts of bumped CONNECT requests.When +# destination hosts of bumped SSL requests.When # enabled, the cert and key options are used to sign # generated certificates. Otherwise generated # certificate will be selfsigned. -# If there is CA certificate life time of generated +# If there is CA certificate life time of generated # certificate equals lifetime of CA certificate. If -# generated certificate is selfsigned lifetime is three +# generated certificate is selfsigned lifetime is three # years. -# This option is enabled by default when SslBump is used. -# See the sslBump option above for more information. -# +# This option is disabled by default. See the ssl-bump +# option above for more information. +# # dynamic_cert_mem_cache_size=SIZE # Approximate total RAM size spent on cached generated -# certificates. If set to zero, caching is disabled. The -# default value is 4MB. An average XXX-bit certificate -# consumes about XXX bytes of RAM. +# certificates. If set to zero, caching is disabled. # -# vport Accelerator with IP based virtual host support. +# See http_port for a list of available options. +#Default: +# none + +# TAG: ftp_port +# Enables Native FTP proxy by specifying the socket address where Squid +# listens for FTP client requests. See http_port directive for various +# ways to specify the listening address and mode. # -# vport=NN As above, but uses specified port number rather -# than the https_port number. Implies accel. +# Usage: ftp_port address [mode] [options] # -# name= Specifies a internal name for the port. Defaults to -# the port specification (port or addr:port) +# WARNING: This is a new, experimental, complex feature that has seen +# limited production exposure. Some Squid modules (e.g., caching) do not +# currently work with native FTP proxying, and many features have not +# even been tested for compatibility. Test well before deploying! +# +# Native FTP proxying differs substantially from proxying HTTP requests +# with ftp:// URIs because Squid works as an FTP server and receives +# actual FTP commands (rather than HTTP requests with FTP URLs). # +# Native FTP commands accepted at ftp_port are internally converted or +# wrapped into HTTP-like messages. The same happens to Native FTP +# responses received from FTP origin servers. Those HTTP-like messages +# are shoveled through regular access control and adaptation layers +# between the FTP client and the FTP origin server. This allows Squid to +# examine, adapt, block, and log FTP exchanges. Squid reuses most HTTP +# mechanisms when shoveling wrapped FTP messages. For example, +# http_access and adaptation_access directives are used. +# +# Modes: +# +# intercept Same as http_port intercept. The FTP origin address is +# determined based on the intended destination of the +# intercepted connection. +# +# tproxy Support Linux TPROXY for spoofing outgoing +# connections using the client IP address. +# NP: disables authentication and maybe IPv6 on the port. +# +# By default (i.e., without an explicit mode option), Squid extracts the +# FTP origin address from the login@origin parameter of the FTP USER +# command. Many popular FTP clients support such native FTP proxying. +# +# Options: +# +# name=token Specifies an internal name for the port. Defaults to +# the port address. Usable with myportname ACL. +# +# ftp-track-dirs +# Enables tracking of FTP directories by injecting extra +# PWD commands and adjusting Request-URI (in wrapping +# HTTP requests) to reflect the current FTP server +# directory. Tracking is disabled by default. +# +# protocol=FTP Protocol to reconstruct accelerated and intercepted +# requests with. Defaults to FTP. No other accepted +# values have been tested with. An unsupported value +# results in a FATAL error. Accepted values are FTP, +# HTTP (or HTTP/1.1), and HTTPS (or HTTPS/1.1). +# +# Other http_port modes and options that are not specific to HTTP and +# HTTPS may also work. #Default: # none # TAG: tcp_outgoing_tos -# Allows you to select a TOS/Diffserv value to mark outgoing -# connections with, based on the username or source address -# making the request. +# Allows you to select a TOS/Diffserv value for packets outgoing +# on the server side, based on an ACL. # # tcp_outgoing_tos ds-field [!]aclname ... # @@ -1286,41 +1829,116 @@ http_port 3128 # RFC2475, and RFC3260. # # The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or -# "default" to use whatever default your host has. Note that in -# practice often only multiples of 4 is usable as the two rightmost bits -# have been redefined for use by ECN (RFC 3168 section 23.1). +# "default" to use whatever default your host has. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. # # Processing proceeds in the order specified, and stops at first fully # matching line. # -# Note: The use of this directive using client dependent ACLs is -# incompatible with the use of server side persistent connections. To -# ensure correct results it is best to set server_persistent_connections -# to off when using this directive in such configurations. +# Only fast ACLs are supported. #Default: # none # TAG: clientside_tos -# Allows you to select a TOS/Diffserv value to mark client-side -# connections with, based on the username or source address -# making the request. +# Allows you to select a TOS/DSCP value for packets being transmitted +# on the client-side, based on an ACL. +# +# clientside_tos ds-field [!]aclname ... +# +# Example where normal_service_net uses the TOS value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# clientside_tos 0x00 normal_service_net +# clientside_tos 0x20 good_service_net +# +# Note: This feature is incompatible with qos_flows. Any TOS values set here +# will be overwritten by TOS values in qos_flows. +# +# The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or +# "default" to use whatever default your host has. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. +# +#Default: +# none + +# TAG: tcp_outgoing_mark +# Note: This option is only available if Squid is rebuilt with the +# Packet MARK (Linux) +# +# Allows you to apply a Netfilter mark value to outgoing packets +# on the server side, based on an ACL. +# +# tcp_outgoing_mark mark-value [!]aclname ... +# +# Example where normal_service_net uses the mark value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# tcp_outgoing_mark 0x00 normal_service_net +# tcp_outgoing_mark 0x20 good_service_net +# +# Only fast ACLs are supported. +#Default: +# none + +# TAG: clientside_mark +# Note: This option is only available if Squid is rebuilt with the +# Packet MARK (Linux) +# +# Allows you to apply a Netfilter mark value to packets being transmitted +# on the client-side, based on an ACL. +# +# clientside_mark mark-value [!]aclname ... +# +# Example where normal_service_net uses the mark value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# clientside_mark 0x00 normal_service_net +# clientside_mark 0x20 good_service_net +# +# Note: This feature is incompatible with qos_flows. Any mark values set here +# will be overwritten by mark values in qos_flows. #Default: # none # TAG: qos_flows # Allows you to select a TOS/DSCP value to mark outgoing -# connections with, based on where the reply was sourced. +# connections to the client, based on where the reply was sourced. +# For platforms using netfilter, allows you to set a netfilter mark +# value instead of, or in addition to, a TOS value. +# +# By default this functionality is disabled. To enable it with the default +# settings simply use "qos_flows mark" or "qos_flows tos". Default +# settings will result in the netfilter mark or TOS value being copied +# from the upstream connection to the client. Note that it is the connection +# CONNMARK value not the packet MARK value that is copied. +# +# It is not currently possible to copy the mark or TOS value from the +# client to the upstream connection request. # # TOS values really only have local significance - so you should # know what you're specifying. For more information, see RFC2474, # RFC2475, and RFC3260. # -# The TOS/DSCP byte must be exactly that - octet value 0x00-0xFF. -# Note that in practice often only values up to 0x3F are usable -# as the two highest bits have been redefined for use by ECN -# (RFC3168). +# The TOS/DSCP byte must be exactly that - a octet value 0 - 255. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. +# +# Mark values can be any unsigned 32-bit integer value. # -# This setting is configured by setting the source TOS values: +# This setting is configured by setting the following values: +# +# tos|mark Whether to set TOS or netfilter mark values # # local-hit=0xFF Value to mark local cache hits. # @@ -1328,23 +1946,37 @@ http_port 3128 # # parent-hit=0xFF Value to mark hits from parent peers. # +# miss=0xFF[/mask] Value to mark cache misses. Takes precedence +# over the preserve-miss feature (see below), unless +# mask is specified, in which case only the bits +# specified in the mask are written. # -# NOTE: 'miss' preserve feature is only possible on Linux at this time. -# -# For the following to work correctly, you will need to patch your -# linux kernel with the TOS preserving ZPH patch. -# The kernel patch can be downloaded from http://zph.bratcheda.org +# The TOS variant of the following features are only possible on Linux +# and require your kernel to be patched with the TOS preserving ZPH +# patch, available from http://zph.bratcheda.org +# No patch is needed to preserve the netfilter mark, which will work +# with all variants of netfilter. # # disable-preserve-miss -# By default, the existing TOS value of the response coming -# from the remote server will be retained and masked with -# miss-mark. This option disables that feature. +# This option disables the preservation of the TOS or netfilter +# mark. By default, the existing TOS or netfilter mark value of +# the response coming from the remote server will be retained +# and masked with miss-mark. +# NOTE: in the case of a netfilter mark, the mark must be set on +# the connection (using the CONNMARK target) not on the packet +# (MARK target). # # miss-mask=0xFF -# Allows you to mask certain bits in the TOS received from the -# remote server, before copying the value to the TOS sent -# towards clients. -# Default: 0xFF (TOS from server is not changed). +# Allows you to mask certain bits in the TOS or mark value +# received from the remote server, before copying the value to +# the TOS sent towards clients. +# Default for tos: 0xFF (TOS from server is not changed). +# Default for mark: 0xFFFFFFFF (mark from server is not changed). +# +# All of these features require the --enable-zph-qos compilation flag +# (enabled by default). Netfilter marking also requires the +# libnetfilter_conntrack libraries (--with-netfilter-conntrack) and +# libcap 2.09+ (--with-libcap). # #Default: # none @@ -1356,72 +1988,133 @@ http_port 3128 # # tcp_outgoing_address ipaddr [[!]aclname] ... # -# Example where requests from 10.0.0.0/24 will be forwarded -# with source address 10.1.0.1, 10.0.2.0/24 forwarded with -# source address 10.1.0.2 and the rest will be forwarded with -# source address 10.1.0.3. -# -# acl normal_service_net src 10.0.0.0/24 -# acl good_service_net src 10.0.2.0/24 -# tcp_outgoing_address 10.1.0.1 normal_service_net -# tcp_outgoing_address 10.1.0.2 good_service_net -# tcp_outgoing_address 10.1.0.3 -# -# Processing proceeds in the order specified, and stops at first fully -# matching line. -# -# Note: The use of this directive using client dependent ACLs is -# incompatible with the use of server side persistent connections. To -# ensure correct results it is best to set server_persistent_connections -# to off when using this directive in such configurations. -# +# For example; +# Forwarding clients with dedicated IPs for certain subnets. # -# IPv6 Magic: +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.2.0/24 # -# Squid is built with a capability of bridging the IPv4 and IPv6 -# internets. -# tcp_outgoing_address as exampled above breaks this bridging by forcing -# all outbound traffic through a certain IPv4 which may be on the wrong -# side of the IPv4/IPv6 boundary. +# tcp_outgoing_address 2001:db8::c001 good_service_net +# tcp_outgoing_address 10.1.0.2 good_service_net # -# To operate with tcp_outgoing_address and keep the bridging benefits -# an additional ACL needs to be used which ensures the IPv6-bound traffic -# is never forced or permitted out the IPv4 interface. +# tcp_outgoing_address 2001:db8::beef normal_service_net +# tcp_outgoing_address 10.1.0.1 normal_service_net # -# # IPv6 destination test along with a dummy access control to perform the required DNS -# # This MUST be place before any ALLOW rules. -# acl to_ipv6 dst ipv6 -# http_access deny ipv6 !all +# tcp_outgoing_address 2001:db8::1 +# tcp_outgoing_address 10.1.0.3 # -# tcp_outgoing_address 2001:db8::c001 good_service_net to_ipv6 -# tcp_outgoing_address 10.1.0.2 good_service_net !to_ipv6 +# Processing proceeds in the order specified, and stops at first fully +# matching line. # -# tcp_outgoing_address 2001:db8::beef normal_service_net to_ipv6 -# tcp_outgoing_address 10.1.0.1 normal_service_net !to_ipv6 +# Squid will add an implicit IP version test to each line. +# Requests going to IPv4 websites will use the outgoing 10.1.0.* addresses. +# Requests going to IPv6 websites will use the outgoing 2001:db8:* addresses. # -# tcp_outgoing_address 2001:db8::1 to_ipv6 -# tcp_outgoing_address 10.1.0.3 !to_ipv6 # -# WARNING: -# 'dst ipv6' bases its selection assuming DIRECT access. -# If peers are used the peername ACL are needed to select outgoing -# address which can link to the peer. +# NOTE: The use of this directive using client dependent ACLs is +# incompatible with the use of server side persistent connections. To +# ensure correct results it is best to set server_persistent_connections +# to off when using this directive in such configurations. # -# 'dst ipv6' is a slow ACL. It will only work here if 'dst' is used -# previously in the http_access rules to locate the destination IP. -# Some more magic may be needed for that: -# http_access allow to_ipv6 !all -# (meaning, allow if to IPv6 but not from anywhere ;) +# NOTE: The use of this directive to set a local IP on outgoing TCP links +# is incompatible with using TPROXY to set client IP out outbound TCP links. +# When needing to contact peers use the no-tproxy cache_peer option and the +# client_dst_passthru directive re-enable normal forwarding such as this. # #Default: -# none +# Address selection is performed by the operating system. + +# TAG: host_verify_strict +# Regardless of this option setting, when dealing with intercepted +# traffic, Squid always verifies that the destination IP address matches +# the Host header domain or IP (called 'authority form URL'). +# +# This enforcement is performed to satisfy a MUST-level requirement in +# RFC 2616 section 14.23: "The Host field value MUST represent the naming +# authority of the origin server or gateway given by the original URL". +# +# When set to ON: +# Squid always responds with an HTTP 409 (Conflict) error +# page and logs a security warning if there is no match. +# +# Squid verifies that the destination IP address matches +# the Host header for forward-proxy and reverse-proxy traffic +# as well. For those traffic types, Squid also enables the +# following checks, comparing the corresponding Host header +# and Request-URI components: +# +# * The host names (domain or IP) must be identical, +# but valueless or missing Host header disables all checks. +# For the two host names to match, both must be either IP +# or FQDN. +# +# * Port numbers must be identical, but if a port is missing +# the scheme-default port is assumed. +# +# +# When set to OFF (the default): +# Squid allows suspicious requests to continue but logs a +# security warning and blocks caching of the response. +# +# * Forward-proxy traffic is not checked at all. +# +# * Reverse-proxy traffic is not checked at all. +# +# * Intercepted traffic which passes verification is handled +# according to client_dst_passthru. +# +# * Intercepted requests which fail verification are sent +# to the client original destination instead of DIRECT. +# This overrides 'client_dst_passthru off'. +# +# For now suspicious intercepted CONNECT requests are always +# responded to with an HTTP 409 (Conflict) error page. +# +# +# SECURITY NOTE: +# +# As described in CVE-2009-0801 when the Host: header alone is used +# to determine the destination of a request it becomes trivial for +# malicious scripts on remote websites to bypass browser same-origin +# security policy and sandboxing protections. +# +# The cause of this is that such applets are allowed to perform their +# own HTTP stack, in which case the same-origin policy of the browser +# sandbox only verifies that the applet tries to contact the same IP +# as from where it was loaded at the IP level. The Host: header may +# be different from the connected IP and approved origin. +# +#Default: +# host_verify_strict off + +# TAG: client_dst_passthru +# With NAT or TPROXY intercepted traffic Squid may pass the request +# directly to the original client destination IP or seek a faster +# source using the HTTP Host header. +# +# Using Host to locate alternative servers can provide faster +# connectivity with a range of failure recovery options. +# But can also lead to connectivity trouble when the client and +# server are attempting stateful interactions unaware of the proxy. +# +# This option (on by default) prevents alternative DNS entries being +# located to send intercepted traffic DIRECT to an origin server. +# The clients original destination IP and port will be used instead. +# +# Regardless of this option setting, when dealing with intercepted +# traffic Squid will verify the Host: header and any traffic which +# fails Host verification will be treated as if this option were ON. +# +# see host_verify_strict for details on the verification process. +#Default: +# client_dst_passthru on # SSL OPTIONS # ----------------------------------------------------------------------------- # TAG: ssl_unclean_shutdown # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Some browsers (especially MSIE) bugs out on SSL shutdown # messages. @@ -1430,7 +2123,7 @@ http_port 3128 # TAG: ssl_engine # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # The OpenSSL engine to use. You will need to set this if you # would like to use hardware SSL acceleration for example. @@ -1439,7 +2132,7 @@ http_port 3128 # TAG: sslproxy_client_certificate # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Client SSL Certificate to use when proxying https:// URLs #Default: @@ -1447,7 +2140,7 @@ http_port 3128 # TAG: sslproxy_client_key # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Client SSL Key to use when proxying https:// URLs #Default: @@ -1455,36 +2148,60 @@ http_port 3128 # TAG: sslproxy_version # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # SSL version level to use when proxying https:// URLs +# +# The versions of SSL/TLS supported: +# +# 1 automatic (default) +# 2 SSLv2 only +# 3 SSLv3 only +# 4 TLSv1.0 only +# 5 TLSv1.1 only +# 6 TLSv1.2 only #Default: -# sslproxy_version 1 +# automatic SSL/TLS version negotiation # TAG: sslproxy_options # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # -# SSL engine options to use when proxying https:// URLs +# Colon (:) or comma (,) separated list of SSL implementation options +# to use when proxying https:// URLs # # The most important being: # -# NO_SSLv2 Disallow the use of SSLv2 -# NO_SSLv3 Disallow the use of SSLv3 -# NO_TLSv1 Disallow the use of TLSv1 -# SINGLE_DH_USE -# Always create a new key when using -# temporary/ephemeral DH key exchanges +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# +# SINGLE_DH_USE +# Always create a new key when using temporary/ephemeral +# DH key exchanges +# +# NO_TICKET +# Disable use of RFC5077 session tickets. Some servers +# may have problems understanding the TLS extension due +# to ambiguous specification in RFC4507. +# +# ALL Enable various bug workarounds suggested as "harmless" +# by OpenSSL. Be warned that this may reduce SSL/TLS +# strength to some attacks. # -# These options vary depending on your SSL engine. # See the OpenSSL SSL_CTX_set_options documentation for a # complete list of possible options. +# +# WARNING: This directive takes a single token. If a space is used +# the value(s) after that space are SILENTLY IGNORED. #Default: # none # TAG: sslproxy_cipher # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # SSL cipher list to use when proxying https:// URLs # @@ -1494,7 +2211,7 @@ http_port 3128 # TAG: sslproxy_cafile # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # file containing CA certificates to use when verifying server # certificates while proxying https:// URLs @@ -1503,45 +2220,151 @@ http_port 3128 # TAG: sslproxy_capath # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # directory containing CA certificates to use when verifying # server certificates while proxying https:// URLs #Default: # none -# TAG: ssl_bump +# TAG: sslproxy_session_ttl +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the timeout value for SSL sessions +#Default: +# sslproxy_session_ttl 300 + +# TAG: sslproxy_session_cache_size +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the cache size to use for ssl session +#Default: +# sslproxy_session_cache_size 2 MB + +# TAG: sslproxy_foreign_intermediate_certs # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # -# This ACL controls which CONNECT requests to an http_port -# marked with an sslBump flag are actually "bumped". Please -# see the sslBump flag of an http_port option for more details -# about decoding proxied SSL connections. +# Many origin servers fail to send their full server certificate +# chain for verification, assuming the client already has or can +# easily locate any missing intermediate certificates. # -# By default, no requests are bumped. +# Squid uses the certificates from the specified file to fill in +# these missing chains when trying to validate origin server +# certificate chains. +# +# The file is expected to contain zero or more PEM-encoded +# intermediate certificates. These certificates are not treated +# as trusted root certificates, and any self-signed certificate in +# this file will be ignored. +#Default: +# none + +# TAG: sslproxy_cert_sign_hash +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the hashing algorithm to use when signing generated certificates. +# Valid algorithm names depend on the OpenSSL library used. The following +# names are usually available: sha1, sha256, sha512, and md5. Please see +# your OpenSSL library manual for the available hashes. By default, Squids +# that support this option use sha256 hashes. +# +# Squid does not forcefully purge cached certificates that were generated +# with an algorithm other than the currently configured one. They remain +# in the cache, subject to the regular cache eviction policy, and become +# useful if the algorithm changes again. +#Default: +# none + +# TAG: ssl_bump +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# This option is consulted when a CONNECT request is received on +# an http_port (or a new connection is intercepted at an +# https_port), provided that port was configured with an ssl-bump +# flag. The subsequent data on the connection is either treated as +# HTTPS and decrypted OR tunneled at TCP level without decryption, +# depending on the first matching bumping "action". +# +# ssl_bump [!]acl ... +# +# The following bumping actions are currently supported: +# +# splice +# Become a TCP tunnel without decrypting proxied traffic. +# This is the default action. +# +# bump +# Establish a secure connection with the server and, using a +# mimicked server certificate, with the client. +# +# peek +# Receive client (step SslBump1) or server (step SslBump2) +# certificate while preserving the possibility of splicing the +# connection. Peeking at the server certificate (during step 2) +# usually precludes bumping of the connection at step 3. +# +# stare +# Receive client (step SslBump1) or server (step SslBump2) +# certificate while preserving the possibility of bumping the +# connection. Staring at the server certificate (during step 2) +# usually precludes splicing of the connection at step 3. +# +# terminate +# Close client and server connections. +# +# Backward compatibility actions available at step SslBump1: +# +# client-first +# Bump the connection. Establish a secure connection with the +# client first, then connect to the server. This old mode does +# not allow Squid to mimic server SSL certificate and does not +# work with intercepted SSL connections. +# +# server-first +# Bump the connection. Establish a secure connection with the +# server first, then establish a secure connection with the +# client, using a mimicked server certificate. Works with both +# CONNECT requests and intercepted SSL connections, but does +# not allow to make decisions based on SSL handshake info. +# +# peek-and-splice +# Decide whether to bump or splice the connection based on +# client-to-squid and server-to-squid SSL hello messages. +# XXX: Remove. +# +# none +# Same as the "splice" action. +# +# All ssl_bump rules are evaluated at each of the supported bumping +# steps. Rules with actions that are impossible at the current step are +# ignored. The first matching ssl_bump action wins and is applied at the +# end of the current step. If no rules match, the splice action is used. +# See the at_step ACL for a list of the supported SslBump steps. # -# See also: http_port ssl-bump -# # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # +# See also: http_port ssl-bump, https_port ssl-bump, and acl at_step. +# # -# # Example: Bump all requests except those originating from localhost and -# # those going to webax.com or example.com sites. +# # Example: Bump all TLS connections except those originating from +# # localhost or those going to example.com. # -# acl localhost src 127.0.0.1/32 -# acl broken_sites dstdomain .webax.com -# acl broken_sites dstdomain .example.com -# ssl_bump deny localhost -# ssl_bump deny broken_sites -# ssl_bump allow all +# acl broken_sites ssl::server_name .example.com +# ssl_bump splice localhost +# ssl_bump splice broken_sites +# ssl_bump bump all #Default: -# none +# Become a TCP tunnel without decrypting proxied traffic. # TAG: sslproxy_flags # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Various flags modifying the use of SSL while proxying https:// URLs: # DONT_VERIFY_PEER Accept certificates that fail verification. @@ -1553,16 +2376,16 @@ http_port 3128 # TAG: sslproxy_cert_error # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Use this ACL to bypass server certificate validation errors. # # For example, the following lines will bypass all validation errors -# when talking to servers located at 172.16.0.0/16. All other +# when talking to servers for example.com. All other # validation errors will result in ERR_SECURE_CONNECT_FAIL error. # -# acl BrokenServersAtTrustedIP dst 172.16.0.0/16 -# sslproxy_cert_error allow BrokenServersAtTrustedIP +# acl BrokenButTrustedServers dstdomain example.com +# sslproxy_cert_error allow BrokenButTrustedServers # sslproxy_cert_error deny all # # This clause only supports fast acl types. @@ -1570,19 +2393,107 @@ http_port 3128 # Using slow acl types may result in server crashes # # Without this option, all server certificate validation errors -# terminate the transaction. Bypassing validation errors is dangerous -# because an error usually implies that the server cannot be trusted and -# the connection may be insecure. +# terminate the transaction to protect Squid and the client. +# +# SQUID_X509_V_ERR_INFINITE_VALIDATION error cannot be bypassed +# but should not happen unless your OpenSSL library is buggy. +# +# SECURITY WARNING: +# Bypassing validation errors is dangerous because an +# error usually implies that the server cannot be trusted +# and the connection may be insecure. # # See also: sslproxy_flags and DONT_VERIFY_PEER. +#Default: +# Server certificate errors terminate the transaction. + +# TAG: sslproxy_cert_sign +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# # -# Default setting: sslproxy_cert_error deny all +# sslproxy_cert_sign acl ... +# +# The following certificate signing algorithms are supported: +# +# signTrusted +# Sign using the configured CA certificate which is usually +# placed in and trusted by end-user browsers. This is the +# default for trusted origin server certificates. +# +# signUntrusted +# Sign to guarantee an X509_V_ERR_CERT_UNTRUSTED browser error. +# This is the default for untrusted origin server certificates +# that are not self-signed (see ssl::certUntrusted). +# +# signSelf +# Sign using a self-signed certificate with the right CN to +# generate a X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT error in the +# browser. This is the default for self-signed origin server +# certificates (see ssl::certSelfSigned). +# +# This clause only supports fast acl types. +# +# When sslproxy_cert_sign acl(s) match, Squid uses the corresponding +# signing algorithm to generate the certificate and ignores all +# subsequent sslproxy_cert_sign options (the first match wins). If no +# acl(s) match, the default signing algorithm is determined by errors +# detected when obtaining and validating the origin server certificate. +# +# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can +# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a +# CONNECT request that carries a domain name. In all other cases (CONNECT +# to an IP address or an intercepted SSL connection), Squid cannot detect +# the domain mismatch at certificate generation time when +# bump-server-first is used. +#Default: +# none + +# TAG: sslproxy_cert_adapt +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# +# sslproxy_cert_adapt acl ... +# +# The following certificate adaptation algorithms are supported: +# +# setValidAfter +# Sets the "Not After" property to the "Not After" property of +# the CA certificate used to sign generated certificates. +# +# setValidBefore +# Sets the "Not Before" property to the "Not Before" property of +# the CA certificate used to sign generated certificates. +# +# setCommonName or setCommonName{CN} +# Sets Subject.CN property to the host name specified as a +# CN parameter or, if no explicit CN parameter was specified, +# extracted from the CONNECT request. It is a misconfiguration +# to use setCommonName without an explicit parameter for +# intercepted or tproxied SSL connections. +# +# This clause only supports fast acl types. +# +# Squid first groups sslproxy_cert_adapt options by adaptation algorithm. +# Within a group, when sslproxy_cert_adapt acl(s) match, Squid uses the +# corresponding adaptation algorithm to generate the certificate and +# ignores all subsequent sslproxy_cert_adapt options in that algorithm's +# group (i.e., the first match wins within each algorithm group). If no +# acl(s) match, the default mimicking action takes place. +# +# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can +# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a +# CONNECT request that carries a domain name. In all other cases (CONNECT +# to an IP address or an intercepted SSL connection), Squid cannot detect +# the domain mismatch at certificate generation time when +# bump-server-first is used. #Default: # none # TAG: sslpassword_program # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Specify a program used for entering SSL key passphrases # when using encrypted SSL certificate keys. If not specified @@ -1595,12 +2506,12 @@ http_port 3128 #Default: # none -#OPTIONS RELATING TO EXTERNAL SSL_CRTD -#----------------------------------------------------------------------------- +# OPTIONS RELATING TO EXTERNAL SSL_CRTD +# ----------------------------------------------------------------------------- # TAG: sslcrtd_program # Note: This option is only available if Squid is rebuilt with the -# -DUSE_SSL_CRTD define +# --enable-ssl-crtd # # Specify the location and options of the executable for ssl_crtd process. # /usr/lib/squid/ssl_crtd program requires -s and -M parameters @@ -1611,14 +2522,90 @@ http_port 3128 # TAG: sslcrtd_children # Note: This option is only available if Squid is rebuilt with the -# -DUSE_SSL_CRTD define +# --enable-ssl-crtd # # The maximum number of processes spawn to service ssl server. # The maximum this may be safely set to is 32. # +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup=N +# +# Sets the minimum number of processes to spawn when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few children temporary slows Squid under load while it +# tries to spawn enough additional processes to cope with traffic. +# +# idle=N +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# # You must have at least one ssl_crtd process. #Default: -# sslcrtd_children 5 +# sslcrtd_children 32 startup=5 idle=1 + +# TAG: sslcrtvalidator_program +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Specify the location and options of the executable for ssl_crt_validator +# process. +# +# Usage: sslcrtvalidator_program [ttl=n] [cache=n] path ... +# +# Options: +# ttl=n TTL in seconds for cached results. The default is 60 secs +# cache=n limit the result cache size. The default value is 2048 +#Default: +# none + +# TAG: sslcrtvalidator_children +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# The maximum number of processes spawn to service SSL server. +# The maximum this may be safely set to is 32. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup=N +# +# Sets the minimum number of processes to spawn when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few children temporary slows Squid under load while it +# tries to spawn enough additional processes to cope with traffic. +# +# idle=N +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# +# The number of requests each certificate validator helper can handle in +# parallel. A value of 0 indicates the certficate validator does not +# support concurrency. Defaults to 1. +# +# When this directive is set to a value >= 1 then the protocol +# used to communicate with the helper is modified to include +# a request ID in front of the request/response. The request +# ID from the request must be echoed back with the response +# to that request. +# +# You must have at least one ssl_crt_validator process. +#Default: +# sslcrtvalidator_children 32 startup=5 idle=1 concurrency=1 # OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM # ----------------------------------------------------------------------------- @@ -1680,22 +2667,23 @@ http_port 3128 # # htcp Send HTCP, instead of ICP, queries to the neighbor. # You probably also want to set the "icp-port" to 4827 -# instead of 3130. +# instead of 3130. This directive accepts a comma separated +# list of options described below. # -# htcp-oldsquid Send HTCP to old Squid versions. +# htcp=oldsquid Send HTCP to old Squid versions (2.5 or earlier). # -# htcp-no-clr Send HTCP to the neighbor but without +# htcp=no-clr Send HTCP to the neighbor but without # sending any CLR requests. This cannot be used with -# htcp-only-clr. +# only-clr. # -# htcp-only-clr Send HTCP to the neighbor but ONLY CLR requests. -# This cannot be used with htcp-no-clr. +# htcp=only-clr Send HTCP to the neighbor but ONLY CLR requests. +# This cannot be used with no-clr. # -# htcp-no-purge-clr +# htcp=no-purge-clr # Send HTCP to the neighbor including CLRs but only when # they do not result from PURGE requests. # -# htcp-forward-clr +# htcp=forward-clr # Forward any HTCP CLR requests this proxy receives to the peer. # # @@ -1768,6 +2756,14 @@ http_port 3128 # than the Squid default location. # # +# ==== CARP OPTIONS ==== +# +# carp-key=key-specification +# use a different key than the full URL to hash against the peer. +# the key-specification is a comma-separated list of the keywords +# scheme, host, port, path, params +# Order is not important. +# # ==== ACCELERATOR / REVERSE-PROXY OPTIONS ==== # # originserver Causes this parent to be contacted as an origin server. @@ -1795,20 +2791,23 @@ http_port 3128 # Note: The string can include URL escapes (i.e. %20 for # spaces). This also means % must be written as %%. # -# login=PROXYPASS +# login=PASSTHRU # Send login details received from client to this peer. -# Authentication is not required, nor changed. +# Both Proxy- and WWW-Authorization headers are passed +# without alteration to the peer. +# Authentication is not required by Squid for this to work. # # Note: This will pass any form of authentication but # only Basic auth will work through a proxy unless the # connection-auth options are also used. -# +# # login=PASS Send login details received from client to this peer. # Authentication is not required by this option. +# # If there are no client-provided authentication headers # to pass on, but username and password are available -# from either proxy login or an external ACL user= and -# password= result tags they may be sent instead. +# from an external ACL user= and password= result tags +# they may be sent instead. # # Note: To combine this with proxy_auth both proxies must # share the same user database as HTTP only allows for @@ -1826,6 +2825,27 @@ http_port 3128 # be used to identify this proxy to the peer, similar to # the login=username:password option above. # +# login=NEGOTIATE +# If this is a personal/workgroup proxy and your parent +# requires a secure proxy authentication. +# The first principal from the default keytab or defined by +# the environment variable KRB5_KTNAME will be used. +# +# WARNING: The connection may transmit requests from multiple +# clients. Negotiate often assumes end-to-end authentication +# and a single-client. Which is not strictly true here. +# +# login=NEGOTIATE:principal_name +# If this is a personal/workgroup proxy and your parent +# requires a secure proxy authentication. +# The principal principal_name from the default keytab or +# defined by the environment variable KRB5_KTNAME will be +# used. +# +# WARNING: The connection may transmit requests from multiple +# clients. Negotiate often assumes end-to-end authentication +# and a single-client. Which is not strictly true here. +# # connection-auth=on|off # Tell Squid that this peer does or not support Microsoft # connection oriented authentication, and any such @@ -1848,22 +2868,42 @@ http_port 3128 # reference a combined file containing both the # certificate and the key. # -# sslversion=1|2|3|4 +# sslversion=1|2|3|4|5|6 # The SSL version to use when connecting to this peer # 1 = automatic (default) # 2 = SSL v2 only # 3 = SSL v3 only -# 4 = TLS v1 only +# 4 = TLS v1.0 only +# 5 = TLS v1.1 only +# 6 = TLS v1.2 only # # sslcipher=... The list of valid SSL ciphers to use when connecting # to this peer. # -# ssloptions=... Specify various SSL engine options: -# NO_SSLv2 Disallow the use of SSLv2 -# NO_SSLv3 Disallow the use of SSLv3 -# NO_TLSv1 Disallow the use of TLSv1 -# See src/ssl_support.c or the OpenSSL documentation for -# a more complete list. +# ssloptions=... Specify various SSL implementation options: +# +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# +# SINGLE_DH_USE +# Always create a new key when using +# temporary/ephemeral DH key exchanges +# +# NO_TICKET +# Disable use of RFC5077 session tickets. Some servers +# may have problems understanding the TLS extension due +# to ambiguous specification in RFC4507. +# +# ALL Enable various bug workarounds +# suggested as "harmless" by OpenSSL +# Be warned that this reduces SSL/TLS +# strength to some attacks. +# +# See the OpenSSL SSL_CTX_set_options documentation for a +# more complete list. # # sslcafile=... A file containing additional CA certificates to use # when verifying the peer certificate. @@ -1907,29 +2947,74 @@ http_port 3128 # # connect-fail-limit=N # How many times connecting to a peer must fail before -# it is marked as down. Default is 10. +# it is marked as down. Standby connection failures +# count towards this limit. Default is 10. # # allow-miss Disable Squid's use of only-if-cached when forwarding # requests to siblings. This is primarily useful when -# icp_hit_stale is used by the sibling. To extensive use -# of this option may result in forwarding loops, and you -# should avoid having two-way peerings with this option. -# For example to deny peer usage on requests from peer -# by denying cache_peer_access if the source is a peer. +# icp_hit_stale is used by the sibling. Excessive use +# of this option may result in forwarding loops. One way +# to prevent peering loops when using this option, is to +# deny cache peer usage on requests from a peer: +# acl fromPeer ... +# cache_peer_access peerName deny fromPeer +# +# max-conn=N Limit the number of concurrent connections the Squid +# may open to this peer, including already opened idle +# and standby connections. There is no peer-specific +# connection limit by default. # -# max-conn=N Limit the amount of connections Squid may open to this -# peer. see also +# A peer exceeding the limit is not used for new +# requests unless a standby connection is available. +# +# max-conn currently works poorly with idle persistent +# connections: When a peer reaches its max-conn limit, +# and there are idle persistent connections to the peer, +# the peer may not be selected because the limiting code +# does not know whether Squid can reuse those idle +# connections. +# +# standby=N Maintain a pool of N "hot standby" connections to an +# UP peer, available for requests when no idle +# persistent connection is available (or safe) to use. +# By default and with zero N, no such pool is maintained. +# N must not exceed the max-conn limit (if any). +# +# At start or after reconfiguration, Squid opens new TCP +# standby connections until there are N connections +# available and then replenishes the standby pool as +# opened connections are used up for requests. A used +# connection never goes back to the standby pool, but +# may go to the regular idle persistent connection pool +# shared by all peers and origin servers. +# +# Squid never opens multiple new standby connections +# concurrently. This one-at-a-time approach minimizes +# flooding-like effect on peers. Furthermore, just a few +# standby connections should be sufficient in most cases +# to supply most new requests with a ready-to-use +# connection. +# +# Standby connections obey server_idle_pconn_timeout. +# For the feature to work as intended, the peer must be +# configured to accept and keep them open longer than +# the idle timeout at the connecting Squid, to minimize +# race conditions typical to idle used persistent +# connections. Default request_timeout and +# server_idle_pconn_timeout values ensure such a +# configuration. # # name=xxx Unique name for the peer. # Required if you have multiple peers on the same host # but different ports. # This name can be used in cache_peer_access and similar -# directives to dentify the peer. +# directives to identify the peer. # Can be used by outgoing access controls through the # peername ACL type. # # no-tproxy Do not use the client-spoof TPROXY support when forwarding # requests to this peer. Use normal address selection instead. +# This overrides the spoof_client_ip ACL. # # proxy-only objects fetched from the peer will not be stored locally. # @@ -1938,10 +3023,11 @@ http_port 3128 # TAG: cache_peer_domain # Use to limit the domains for which a neighbor cache will be -# queried. Usage: +# queried. # -# cache_peer_domain cache-host domain [domain ...] -# cache_peer_domain cache-host !domain +# Usage: +# cache_peer_domain cache-host domain [domain ...] +# cache_peer_domain cache-host !domain # # For example, specifying # @@ -1966,33 +3052,57 @@ http_port 3128 # none # TAG: cache_peer_access -# Similar to 'cache_peer_domain' but provides more flexibility by -# using ACL elements. +# Restricts usage of cache_peer proxies. # -# cache_peer_access cache-host allow|deny [!]aclname ... +# Usage: +# cache_peer_access peer-name allow|deny [!]aclname ... +# +# For the required peer-name parameter, use either the value of the +# cache_peer name=value parameter or, if name=value is missing, the +# cache_peer hostname parameter. +# +# This directive narrows down the selection of peering candidates, but +# does not determine the order in which the selected candidates are +# contacted. That order is determined by the peer selection algorithms +# (see PEER SELECTION sections in the cache_peer documentation). +# +# If a deny rule matches, the corresponding peer will not be contacted +# for the current transaction -- Squid will not send ICP queries and +# will not forward HTTP requests to that peer. An allow match leaves +# the corresponding peer in the selection. The first match for a given +# peer wins for that peer. +# +# The relative order of cache_peer_access directives for the same peer +# matters. The relative order of any two cache_peer_access directives +# for different peers does not matter. To ease interpretation, it is a +# good idea to group cache_peer_access directives for the same peer +# together. +# +# A single cache_peer_access directive may be evaluated multiple times +# for a given transaction because individual peer selection algorithms +# may check it independently from each other. These redundant checks +# may be optimized away in future Squid versions. # -# The syntax is identical to 'http_access' and the other lists of -# ACL elements. See the comments for 'http_access' below, or -# the Squid FAQ (http://wiki.squid-cache.org/SquidFaq/SquidAcl). +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# No peer usage restrictions. # TAG: neighbor_type_domain -# usage: neighbor_type_domain neighbor parent|sibling domain domain ... +# Modify the cache_peer neighbor type when passing requests +# about specific domains to the peer. # -# Modifying the neighbor type for specific domains is now -# possible. You can treat some domains differently than the the -# default neighbor type specified on the 'cache_peer' line. -# Normally it should only be necessary to list domains which -# should be treated differently because the default neighbor type -# applies for hostnames which do not match domains listed here. +# Usage: +# neighbor_type_domain neighbor parent|sibling domain domain ... # -#EXAMPLE: -# cache_peer cache.foo.org parent 3128 3130 -# neighbor_type_domain cache.foo.org sibling .com .net -# neighbor_type_domain cache.foo.org sibling .au .de +# For example: +# cache_peer foo.example.com parent 3128 3130 +# neighbor_type_domain foo.example.com sibling .au .de +# +# The above configuration treats all requests to foo.example.com as a +# parent proxy unless the request is for a .au or .de ccTLD domain name. #Default: -# none +# The peer type from cache_peer directive is used for all requests to that peer. # TAG: dead_peer_timeout (seconds) # This controls how long Squid waits to declare a peer cache @@ -2015,21 +3125,11 @@ http_port 3128 # TAG: forward_max_tries # Controls how many different forward paths Squid will try # before giving up. See also forward_timeout. +# +# NOTE: connect_retries (default: none) can make each of these +# possible forwarding paths be tried multiple times. #Default: -# forward_max_tries 10 - -# TAG: hierarchy_stoplist -# A list of words which, if found in a URL, cause the object to -# be handled directly by this cache. In other words, use this -# to not query neighbor caches for certain objects. You may -# list this option multiple times. -# -# Example: -# hierarchy_stoplist cgi-bin ? -# -# Note: never_direct overrides this option. -#Default: -# none +# forward_max_tries 25 # MEMORY CACHE OPTIONS # ----------------------------------------------------------------------------- @@ -2064,6 +3164,11 @@ http_port 3128 # decreases, blocks will be freed until the high-water mark is # reached. Thereafter, blocks will be used to store hot # objects. +# +# If shared memory caching is enabled, Squid does not use the shared +# cache space for in-transit objects, but they still consume as much +# local memory as they need. For more details about the shared memory +# cache, see memory_cache_shared. #Default: # cache_mem 256 MB @@ -2075,11 +3180,45 @@ http_port 3128 #Default: # maximum_object_size_in_memory 512 KB +# TAG: memory_cache_shared on|off +# Controls whether the memory cache is shared among SMP workers. +# +# The shared memory cache is meant to occupy cache_mem bytes and replace +# the non-shared memory cache, although some entities may still be +# cached locally by workers for now (e.g., internal and in-transit +# objects may be served from a local memory cache even if shared memory +# caching is enabled). +# +# By default, the memory cache is shared if and only if all of the +# following conditions are satisfied: Squid runs in SMP mode with +# multiple workers, cache_mem is positive, and Squid environment +# supports required IPC primitives (e.g., POSIX shared memory segments +# and GCC-style atomic operations). +# +# To avoid blocking locks, shared memory uses opportunistic algorithms +# that do not guarantee that every cachable entity that could have been +# shared among SMP workers will actually be shared. +#Default: +# "on" where supported if doing memory caching with multiple SMP workers. + +# TAG: memory_cache_mode +# Controls which objects to keep in the memory cache (cache_mem) +# +# always Keep most recently fetched objects in memory (default) +# +# disk Only disk cache hits are kept in memory, which means +# an object must first be cached on disk and then hit +# a second time before cached in memory. +# +# network Only objects fetched from network is kept in memory +#Default: +# Keep the most recently fetched objects in memory + # TAG: memory_replacement_policy # The memory replacement policy parameter determines which # objects are purged from memory when memory space is needed. # -# See cache_replacement_policy for details. +# See cache_replacement_policy for details on algorithms. #Default: # memory_replacement_policy lru @@ -2095,7 +3234,7 @@ http_port 3128 # heap LFUDA: Least Frequently Used with Dynamic Aging # heap LRU : LRU policy implemented using a heap # -# Applies to any cache_dir lines listed below this. +# Applies to any cache_dir lines listed below this directive. # # The LRU policies keeps recently referenced objects. # @@ -2114,7 +3253,7 @@ http_port 3128 # replacement policies. # # NOTE: if using the LFUDA replacement policy you should increase -# the value of maximum_object_size above its default of 4096 KB to +# the value of maximum_object_size above its default of 4 MB to # to maximize the potential byte hit rate improvement of LFUDA. # # For more information about the GDSF and LFUDA cache replacement @@ -2123,10 +3262,34 @@ http_port 3128 #Default: # cache_replacement_policy lru +# TAG: minimum_object_size (bytes) +# Objects smaller than this size will NOT be saved on disk. The +# value is specified in bytes, and the default is 0 KB, which +# means all responses can be stored. +#Default: +# no limit + +# TAG: maximum_object_size (bytes) +# Set the default value for max-size parameter on any cache_dir. +# The value is specified in bytes, and the default is 4 MB. +# +# If you wish to get a high BYTES hit ratio, you should probably +# increase this (one 32 MB object hit counts for 3200 10KB +# hits). +# +# If you wish to increase hit ratio more than you want to +# save bandwidth you should leave this low. +# +# NOTE: if using the LFUDA replacement policy you should increase +# this value to maximize the byte hit rate improvement of LFUDA! +# See cache_replacement_policy for a discussion of this policy. +#Default: +# maximum_object_size 4 MB +maximum_object_size 153600 KB + # TAG: cache_dir -# Usage: -# -# cache_dir Type Directory-Name Fs-specific-data [options] +# Format: +# cache_dir Type Directory-Name Fs-specific-data [options] # # You can specify multiple cache_dir lines to spread the # cache among different disk partitions. @@ -2141,12 +3304,18 @@ http_port 3128 # The directory must exist and be writable by the Squid # process. Squid will NOT create this directory for you. # -# The ufs store type: +# In SMP configurations, cache_dir must not precede the workers option +# and should use configuration macros or conditionals to give each +# worker interested in disk caching a dedicated cache directory. +# +# +# ==== The ufs store type ==== # # "ufs" is the old well-known Squid storage format that has always # been there. # -# cache_dir ufs Directory-Name Mbytes L1 L2 [options] +# Usage: +# cache_dir ufs Directory-Name Mbytes L1 L2 [options] # # 'Mbytes' is the amount of disk space (MB) to use under this # directory. The default is 100 MB. Change this to suit your @@ -2161,23 +3330,27 @@ http_port 3128 # will be created under each first-level directory. The default # is 256. # -# The aufs store type: +# +# ==== The aufs store type ==== # # "aufs" uses the same storage format as "ufs", utilizing # POSIX-threads to avoid blocking the main Squid process on # disk-I/O. This was formerly known in Squid as async-io. # -# cache_dir aufs Directory-Name Mbytes L1 L2 [options] +# Usage: +# cache_dir aufs Directory-Name Mbytes L1 L2 [options] # # see argument descriptions under ufs above # -# The diskd store type: +# +# ==== The diskd store type ==== # # "diskd" uses the same storage format as "ufs", utilizing a # separate process to avoid blocking the main Squid process on # disk-I/O. # -# cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n] +# Usage: +# cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n] # # see argument descriptions under ufs above # @@ -2185,55 +3358,149 @@ http_port 3128 # stops opening new files. If this many messages are in the queues, # Squid won't open new files. Default is 64 # -# Q2 specifies the number of unacknowledged messages when Squid -# starts blocking. If this many messages are in the queues, -# Squid blocks until it receives some replies. Default is 72 +# Q2 specifies the number of unacknowledged messages when Squid +# starts blocking. If this many messages are in the queues, +# Squid blocks until it receives some replies. Default is 72 +# +# When Q1 < Q2 (the default), the cache directory is optimized +# for lower response time at the expense of a decrease in hit +# ratio. If Q1 > Q2, the cache directory is optimized for +# higher hit ratio at the expense of an increase in response +# time. +# +# +# ==== The rock store type ==== +# +# Usage: +# cache_dir rock Directory-Name Mbytes [options] +# +# The Rock Store type is a database-style storage. All cached +# entries are stored in a "database" file, using fixed-size slots. +# A single entry occupies one or more slots. +# +# If possible, Squid using Rock Store creates a dedicated kid +# process called "disker" to avoid blocking Squid worker(s) on disk +# I/O. One disker kid is created for each rock cache_dir. Diskers +# are created only when Squid, running in daemon mode, has support +# for the IpcIo disk I/O module. +# +# swap-timeout=msec: Squid will not start writing a miss to or +# reading a hit from disk if it estimates that the swap operation +# will take more than the specified number of milliseconds. By +# default and when set to zero, disables the disk I/O time limit +# enforcement. Ignored when using blocking I/O module because +# blocking synchronous I/O does not allow Squid to estimate the +# expected swap wait time. +# +# max-swap-rate=swaps/sec: Artificially limits disk access using +# the specified I/O rate limit. Swap out requests that +# would cause the average I/O rate to exceed the limit are +# delayed. Individual swap in requests (i.e., hits or reads) are +# not delayed, but they do contribute to measured swap rate and +# since they are placed in the same FIFO queue as swap out +# requests, they may wait longer if max-swap-rate is smaller. +# This is necessary on file systems that buffer "too +# many" writes and then start blocking Squid and other processes +# while committing those writes to disk. Usually used together +# with swap-timeout to avoid excessive delays and queue overflows +# when disk demand exceeds available disk "bandwidth". By default +# and when set to zero, disables the disk I/O rate limit +# enforcement. Currently supported by IpcIo module only. +# +# slot-size=bytes: The size of a database "record" used for +# storing cached responses. A cached response occupies at least +# one slot and all database I/O is done using individual slots so +# increasing this parameter leads to more disk space waste while +# decreasing it leads to more disk I/O overheads. Should be a +# multiple of your operating system I/O page size. Defaults to +# 16KBytes. A housekeeping header is stored with each slot and +# smaller slot-sizes will be rejected. The header is smaller than +# 100 bytes. +# +# +# ==== COMMON OPTIONS ==== +# +# no-store no new objects should be stored to this cache_dir. +# +# min-size=n the minimum object size in bytes this cache_dir +# will accept. It's used to restrict a cache_dir +# to only store large objects (e.g. AUFS) while +# other stores are optimized for smaller objects +# (e.g. Rock). +# Defaults to 0. +# +# max-size=n the maximum object size in bytes this cache_dir +# supports. +# The value in maximum_object_size directive sets +# the default unless more specific details are +# available (ie a small store capacity). +# +# Note: To make optimal use of the max-size limits you should order +# the cache_dir lines with the smallest max-size value first. +# +#Default: +# No disk cache. Store cache ojects only in memory. +# + +# Uncomment and adjust the following to add a disk cache directory. +#cache_dir ufs /var/spool/squid 100 16 256 +cache_dir ufs /var/spool/squid 4096 16 1024 + +# TAG: store_dir_select_algorithm +# How Squid selects which cache_dir to use when the response +# object will fit into more than one. +# +# Regardless of which algorithm is used the cache_dir min-size +# and max-size parameters are obeyed. As such they can affect +# the selection algorithm by limiting the set of considered +# cache_dir. +# +# Algorithms: +# +# least-load +# +# This algorithm is suited to caches with similar cache_dir +# sizes and disk speeds. # -# When Q1 < Q2 (the default), the cache directory is optimized -# for lower response time at the expense of a decrease in hit -# ratio. If Q1 > Q2, the cache directory is optimized for -# higher hit ratio at the expense of an increase in response -# time. +# The disk with the least I/O pending is selected. +# When there are multiple disks with the same I/O load ranking +# the cache_dir with most available capacity is selected. # -# The coss store type: +# When a mix of cache_dir sizes are configured the faster disks +# have a naturally lower I/O loading and larger disks have more +# capacity. So space used to store objects and data throughput +# may be very unbalanced towards larger disks. # -# NP: COSS filesystem in Squid-3 has been deemed too unstable for -# production use and has thus been removed from this release. -# We hope that it can be made usable again soon. # -# block-size=n defines the "block size" for COSS cache_dir's. -# Squid uses file numbers as block numbers. Since file numbers -# are limited to 24 bits, the block size determines the maximum -# size of the COSS partition. The default is 512 bytes, which -# leads to a maximum cache_dir size of 512<<24, or 8 GB. Note -# you should not change the coss block size after Squid -# has written some objects to the cache_dir. +# round-robin # -# The coss file store has changed from 2.5. Now it uses a file -# called 'stripe' in the directory names in the config - and -# this will be created by squid -z. +# This algorithm is suited to caches with unequal cache_dir +# disk sizes. # -# Common options: +# Each cache_dir is selected in a rotation. The next suitable +# cache_dir is used. # -# no-store, no new objects should be stored to this cache_dir +# Available cache_dir capacity is only considered in relation +# to whether the object will fit and meets the min-size and +# max-size parameters. # -# max-size=n, refers to the max object size in bytes this cache_dir -# supports. It is used to select the cache_dir to store the object. -# Note: To make optimal use of the max-size limits you should order -# the cache_dir lines with the smallest max-size value first and the -# ones with no max-size specification last. +# Disk I/O loading is only considered to prevent overload on slow +# disks. This algorithm does not spread objects by size, so any +# I/O loading per-disk may appear very unbalanced and volatile. # -# Note for coss, max-size must be less than COSS_MEMBUF_SZ, -# which can be changed with the --with-coss-membuf-size=N configure -# option. +# If several cache_dirs use similar min-size, max-size, or other +# limits to to reject certain responses, then do not group such +# cache_dir lines together, to avoid round-robin selection bias +# towards the first cache_dir after the group. Instead, interleave +# cache_dir lines from different groups. For example: # - -# Uncomment and adjust the following to add a disk cache directory. -#cache_dir ufs /var/spool/squid 100 16 256 -cache_dir ufs /var/spool/squid 4096 16 1024 - -# TAG: store_dir_select_algorithm -# Set this to 'round-robin' as an alternative. +# store_dir_select_algorithm round-robin +# cache_dir rock /hdd1 ... min-size=100000 +# cache_dir rock /ssd1 ... max-size=99999 +# cache_dir rock /hdd2 ... min-size=100000 +# cache_dir rock /ssd2 ... max-size=99999 +# cache_dir rock /hdd3 ... min-size=100000 +# cache_dir rock /ssd3 ... max-size=99999 #Default: # store_dir_select_algorithm least-load @@ -2244,46 +3511,53 @@ cache_dir ufs /var/spool/squid 4096 16 1024 # # A value of 0 indicates no limit. #Default: -# max_open_disk_fds 0 - -# TAG: minimum_object_size (bytes) -# Objects smaller than this size will NOT be saved on disk. The -# value is specified in kilobytes, and the default is 0 KB, which -# means there is no minimum. -#Default: -# minimum_object_size 0 KB - -# TAG: maximum_object_size (bytes) -# Objects larger than this size will NOT be saved on disk. The -# value is specified in kilobytes, and the default is 4MB. If -# you wish to get a high BYTES hit ratio, you should probably -# increase this (one 32 MB object hit counts for 3200 10KB -# hits). If you wish to increase speed more than your want to -# save bandwidth you should leave this low. -# -# NOTE: if using the LFUDA replacement policy you should increase -# this value to maximize the byte hit rate improvement of LFUDA! -# See replacement_policy below for a discussion of this policy. -#Default: -# maximum_object_size 4096 KB -maximum_object_size 153600 KB +# no limit # TAG: cache_swap_low (percent, 0-100) +# The low-water mark for AUFS/UFS/diskd cache object eviction by +# the cache_replacement_policy algorithm. +# +# Removal begins when the swap (disk) usage of a cache_dir is +# above this low-water mark and attempts to maintain utilization +# near the low-water mark. +# +# As swap utilization increases towards the high-water mark set +# by cache_swap_high object eviction becomes more agressive. +# +# The value difference in percentages between low- and high-water +# marks represent an eviction rate of 300 objects per second and +# the rate continues to scale in agressiveness by multiples of +# this above the high-water mark. +# +# Defaults are 90% and 95%. If you have a large cache, 5% could be +# hundreds of MB. If this is the case you may wish to set these +# numbers closer together. +# +# See also cache_swap_high and cache_replacement_policy #Default: # cache_swap_low 90 # TAG: cache_swap_high (percent, 0-100) +# The high-water mark for AUFS/UFS/diskd cache object eviction by +# the cache_replacement_policy algorithm. # -# The low- and high-water marks for cache object replacement. -# Replacement begins when the swap (disk) usage is above the -# low-water mark and attempts to maintain utilization near the -# low-water mark. As swap utilization gets close to high-water -# mark object eviction becomes more aggressive. If utilization is -# close to the low-water mark less replacement is done each time. +# Removal begins when the swap (disk) usage of a cache_dir is +# above the low-water mark set by cache_swap_low and attempts to +# maintain utilization near the low-water mark. +# +# As swap utilization increases towards this high-water mark object +# eviction becomes more agressive. +# +# The value difference in percentages between low- and high-water +# marks represent an eviction rate of 300 objects per second and +# the rate continues to scale in agressiveness by multiples of +# this above the high-water mark. # # Defaults are 90% and 95%. If you have a large cache, 5% could be # hundreds of MB. If this is the case you may wish to set these # numbers closer together. +# +# See also cache_swap_low and cache_replacement_policy #Default: # cache_swap_high 95 @@ -2313,21 +3587,62 @@ maximum_object_size 153600 KB # ' output as-is # # - left aligned -# width field width. If starting with 0 the -# output is zero padded +# +# width minimum and/or maximum field width: +# [width_min][.width_max] +# When minimum starts with 0, the field is zero-padded. +# String values exceeding maximum width are truncated. +# # {arg} argument such as header name etc # # Format codes: # # % a literal % character +# sn Unique sequence number per log line entry +# err_code The ID of an error response served by Squid or +# a similar internal error identifier. +# err_detail Additional err_code-dependent error information. +# note The annotation specified by the argument. Also +# logs the adaptation meta headers set by the +# adaptation_meta configuration parameter. +# If no argument given all annotations logged. +# The argument may include a separator to use with +# annotation values: +# name[:separator] +# By default, multiple note values are separated with "," +# and multiple notes are separated with "\r\n". +# When logging named notes with %{name}note, the +# explicitly configured separator is used between note +# values. When logging all notes with %note, the +# explicitly configured separator is used between +# individual notes. There is currently no way to +# specify both value and notes separators when logging +# all notes with %note. +# +# Connection related format codes: +# # >a Client source IP address # >A Client FQDN # >p Client source port -# eui Client source EUI (MAC address, EUI-48 or EUI-64 identifier) +# >la Local IP address the client connected to +# >lp Local port number the client connected to +# >qos Client connection TOS/DSCP value set by Squid +# >nfmark Client connection netfilter mark set by Squid +# +# la Local listening IP address the client connection was connected to. +# lp Local listening port number the client connection was connected to. +# +# . format. +# Currently, Squid considers the master transaction +# started when a complete HTTP request header initiating +# the transaction is received from the client. This is +# the same value that Squid uses to calculate transaction +# response time when logging %tr to access.log. Currently, +# Squid uses millisecond resolution for %tS values, +# similar to the default access.log "current time" field +# (%ts.%03tu). +# +# Access Control related format codes: +# +# et Tag returned by external acl +# ea Log string returned by external acl +# un User name (any available) +# ul User name from authentication +# ue User name from external acl helper +# ui User name from ident +# un A user name. Expands to the first available name +# from the following list of information sources: +# - authenticated user name, like %ul +# - user name supplied by an external ACL, like %ue +# - SSL client name, like %us +# - ident user name, like %ui +# credentials Client credentials. The exact meaning depends on +# the authentication scheme: For Basic authentication, +# it is the password; for Digest, the realm sent by the +# client; for NTLM and Negotiate, the client challenge +# or client credentials prefixed with "YR " or "KK ". +# +# HTTP related format codes: +# +# REQUEST # -# HTTP cache related format codes: -# -# [http::]>h Original request header. Optional header name argument -# on the format header[:[separator]element] -# [http::]>ha The HTTP request headers after adaptation and redirection. +# [http::]rm Request method (GET/POST etc) +# [http::]>rm Request method from client +# [http::]ru Request URL from client +# [http::]rs Request URL scheme from client +# [http::]rd Request URL domain from client +# [http::]rP Request URL port from client +# [http::]rp Request URL path excluding hostname from client +# [http::]rv Request protocol version from client +# [http::]h Original received request header. +# Usually differs from the request header sent by +# Squid, although most fields are often preserved. +# Accepts optional header field name/value filter +# argument using name[:[separator]element] format. +# [http::]>ha Received request header after adaptation and +# redirection (pre-cache REQMOD vectoring point). +# Usually differs from the request header sent by +# Squid, although most fields are often preserved. # Optional header name argument as for >h +# +# +# RESPONSE +# +# [http::]Hs HTTP status code sent to the client +# # [http::]h -# [http::]un User name -# [http::]ul User name from authentication -# [http::]ui User name from ident -# [http::]us User name from SSL -# [http::]ue User name from external acl helper -# [http::]>Hs HTTP status code sent to the client -# [http::]st Received request size including HTTP headers. In the -# case of chunked requests the chunked encoding metadata -# are not included -# [http::]>sh Received HTTP request headers size -# [http::]st Total size of request received from client. +# Excluding chunked encoding bytes. +# [http::]sh Size of request headers received from client +# [http::]sni SSL client SNI sent to Squid. Available only +# after the peek, stare, or splice SSL bumping +# actions. +# +# If ICAP is enabled, the following code becomes available (as # well as ICAP log codes documented with the icap_log option): # # icap::tt Total ICAP processing time for the HTTP @@ -2386,14 +3793,13 @@ maximum_object_size 153600 KB # ACLs are checked and when ICAP # transaction is in progress. # -# icap::cert_subject The Subject field of the received client +# SSL certificate or a dash ('-') if Squid has +# received an invalid/malformed certificate or +# no certificate at all. Consider encoding the +# logged value because Subject often has spaces. +# +# %ssl::>cert_issuer The Issuer field of the received client +# SSL certificate or a dash ('-') if Squid has +# received an invalid/malformed certificate or +# no certificate at all. Consider encoding the +# logged value because Issuer often has spaces. +# # The default formats available (which do not need re-defining) are: # -#logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %a %Ss/%03>Hs %h] [%a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh +#logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh +#logformat referrer %ts.%03tu %>a %{Referer}>h %ru +#logformat useragent %>a [%tl] "%{User-Agent}>h" +# +# NOTE: When the log_mime_hdrs directive is set to ON. +# The squid, common and combined formats have a safely encoded copy +# of the mime headers appended to each line within a pair of brackets. +# +# NOTE: The common and combined formats are not quite true to the Apache definition. +# The logs from Squid contain an extra status and hierarchy code appended. +# #Default: -# none +# The format definitions squid, common, combined, referrer, useragent are built in. # TAG: access_log -# These files log client request activities. Has a line every HTTP or -# ICP request. The format is: -# access_log [ [acl acl ...]] -# access_log none [acl acl ...]] +# Configures whether and how Squid logs HTTP and ICP transactions. +# If access logging is enabled, a single line is logged for every +# matching HTTP or ICP request. The recommended directive formats are: # -# Will log to the specified file using the specified format (which -# must be defined in a logformat directive) those entries which match -# ALL the acl's specified (which must be defined in acl clauses). +# access_log : [option ...] [acl acl ...] +# access_log none [acl acl ...] # -# If no acl is specified, all requests will be logged to this file. +# The following directive format is accepted but may be deprecated: +# access_log : [ [acl acl ...]] # -# To disable logging of a request use the filepath "none", in which case -# a logformat name should not be specified. +# In most cases, the first ACL name must not contain the '=' character +# and should not be equal to an existing logformat name. You can always +# start with an 'all' ACL to work around those restrictions. +# +# Will log to the specified module:place using the specified format (which +# must be defined in a logformat directive) those entries which match +# ALL the acl's specified (which must be defined in acl clauses). +# If no acl is specified, all requests will be logged to this destination. +# +# ===== Available options for the recommended directive format ===== +# +# logformat=name Names log line format (either built-in or +# defined by a logformat directive). Defaults +# to 'squid'. +# +# buffer-size=64KB Defines approximate buffering limit for log +# records (see buffered_logs). Squid should not +# keep more than the specified size and, hence, +# should flush records before the buffer becomes +# full to avoid overflows under normal +# conditions (the exact flushing algorithm is +# module-dependent though). The on-error option +# controls overflow handling. +# +# on-error=die|drop Defines action on unrecoverable errors. The +# 'drop' action ignores (i.e., does not log) +# affected log records. The default 'die' action +# kills the affected worker. The drop action +# support has not been tested for modules other +# than tcp. +# +# ===== Modules Currently available ===== +# +# none Do not log any requests matching these ACL. +# Do not specify Place or logformat name. +# +# stdio Write each log line to disk immediately at the completion of +# each request. +# Place: the filename and path to be written. +# +# daemon Very similar to stdio. But instead of writing to disk the log +# line is passed to a daemon helper for asychronous handling instead. +# Place: varies depending on the daemon. +# +# log_file_daemon Place: the file name and path to be written. +# +# syslog To log each request via syslog facility. +# Place: The syslog facility and priority level for these entries. +# Place Format: facility.priority # -# To log the request via syslog specify a filepath of "syslog": +# where facility could be any of: +# authpriv, daemon, local0 ... local7 or user. # -# access_log syslog[:facility.priority] [format [acl1 [acl2 ....]]] -# where facility could be any of: -# authpriv, daemon, local0 .. local7 or user. +# And priority could be any of: +# err, warning, notice, info, debug. +# +# udp To send each log line as text data to a UDP receiver. +# Place: The destination host name or IP and port. +# Place Format: //host:port # -# And priority could be any of: -# err, warning, notice, info, debug. +# tcp To send each log line as text data to a TCP receiver. +# Lines may be accumulated before sending (see buffered_logs). +# Place: The destination host name or IP and port. +# Place Format: //host:port # # Default: -# access_log /var/log/squid/access.log squid +# access_log daemon:/var/log/squid/access.log squid #Default: -# access_log /var/log/squid/access.log squid +# access_log daemon:/var/log/squid/access.log squid # TAG: icap_log # ICAP log files record ICAP transaction summaries, one line per @@ -2472,13 +3953,35 @@ maximum_object_size 153600 KB # ICAP transaction log lines will correspond to a single access # log line. # -# ICAP log uses logformat codes that make sense for an ICAP -# transaction. Header-related codes are applied to the HTTP header -# embedded in an ICAP server response, with the following caveats: -# For REQMOD, there is no HTTP response header unless the ICAP -# server performed request satisfaction. For RESPMOD, the HTTP -# request header is the header sent to the ICAP server. For -# OPTIONS, there are no HTTP headers. +# ICAP log supports many access.log logformat %codes. In ICAP context, +# HTTP message-related %codes are applied to the HTTP message embedded +# in an ICAP message. Logformat "%http::>..." codes are used for HTTP +# messages embedded in ICAP requests while "%http::<..." codes are used +# for HTTP messages embedded in ICAP responses. For example: +# +# http::>h To-be-adapted HTTP message headers sent by Squid to +# the ICAP service. For REQMOD transactions, these are +# HTTP request headers. For RESPMOD, these are HTTP +# response headers, but Squid currently cannot log them +# (i.e., %http::>h will expand to "-" for RESPMOD). +# +# http::st Bytes sent to the ICAP server (TCP payload -# only; i.e., what Squid writes to the socket). +# icap::>st The total size of the ICAP request sent to the ICAP +# server (ICAP headers + ICAP body), including chunking +# metadata (if any). # -# icap::a %icap::to/%03icap::Hs %icap::A %icap::to/%03icap::Hs %icap::\n - logfile data +# R\n - rotate file +# T\n - truncate file +# O\n - reopen file +# F\n - flush file +# r\n - set rotate count to +# b\n - 1 = buffer output, 0 = don't buffer output +# +# No responses is expected. #Default: -# none +# logfile_daemon /usr/lib/squid/log_file_daemon -# TAG: log_icap -# This options allows you to control which requests get logged -# to icap.log. See the icap_log directive for ICAP log details. +# TAG: stats_collection allow|deny acl acl... +# This options allows you to control which requests gets accounted +# in performance counters. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow logging for all transactions. # TAG: cache_store_log # Logs the activities of the storage manager. Shows which # objects are ejected from the cache, and which objects are -# saved and for how long. To disable, enter "none" or remove the line. +# saved and for how long. # There are not really utilities to analyze this data, so you can safely -# disable it. -# +# disable it (the default). +# +# Store log uses modular logging outputs. See access_log for the list +# of modules supported. +# # Example: -# cache_store_log /var/log/squid/store.log +# cache_store_log stdio:/var/log/squid/store.log +# cache_store_log daemon:/var/log/squid/store.log #Default: # none @@ -2590,7 +4111,7 @@ maximum_object_size 153600 KB # them). We recommend you do NOT use this option. It is # better to keep these index files in each 'cache_dir' directory. #Default: -# none +# Store the journal inside its cache_dir # TAG: logfile_rotate # Specifies the number of logfile rotations to make when you @@ -2607,34 +4128,19 @@ maximum_object_size 153600 KB # in the habit of using 'squid -k rotate' instead of 'kill -USR1 # '. # -# Note, from Squid-3.1 this option has no effect on the cache.log, -# that log can be rotated separately by using debug_options +# Note, from Squid-3.1 this option is only a default for cache.log, +# that log can be rotated separately by using debug_options. # -# Note2, for Debian/Linux the default of logfile_rotate is -# zero, since it includes external logfile-rotation methods. +# Note2, for Debian/Linux the default of logfile_rotate is +# zero, since it includes external logfile-rotation methods. #Default: # logfile_rotate 0 -# TAG: emulate_httpd_log on|off -# The Cache can emulate the log file format which many 'httpd' -# programs use. To disable/enable this emulation, set -# emulate_httpd_log to 'off' or 'on'. The default -# is to use the native log format since it includes useful -# information Squid-specific log analyzers use. -#Default: -# emulate_httpd_log off - -# TAG: log_ip_on_direct on|off -# Log the destination IP address in the hierarchy log tag when going -# direct. Earlier Squid versions logged the hostname here. If you -# prefer the old way set this to off. -#Default: -# log_ip_on_direct on - # TAG: mime_table -# Pathname to Squid's MIME table. You shouldn't need to change -# this, but the default file contains examples and formatting -# information if you do. +# Path to Squid's icon configuration file. +# +# You shouldn't need to change this, but the default file contains +# examples and formatting information if you do. #Default: # mime_table /usr/share/squid/mime.conf @@ -2647,91 +4153,61 @@ maximum_object_size 153600 KB #Default: # log_mime_hdrs off -# TAG: useragent_log -# Note: This option is only available if Squid is rebuilt with the -# --enable-useragent-log option -# -# Squid will write the User-Agent field from HTTP requests -# to the filename specified here. By default useragent_log -# is disabled. -#Default: -# none - -# TAG: referer_log -# Note: This option is only available if Squid is rebuilt with the -# --enable-referer-log option -# -# Squid will write the Referer field from HTTP requests to the -# filename specified here. By default referer_log is disabled. -# Note that "referer" is actually a misspelling of "referrer" -# however the misspelt version has been accepted into the HTTP RFCs -# and we accept both. -#Default: -# none - # TAG: pid_filename # A filename to write the process-id to. To disable, enter "none". #Default: # pid_filename /var/run/squid.pid -# TAG: log_fqdn on|off -# Turn this on if you wish to log fully qualified domain names -# in the access.log. To do this Squid does a DNS lookup of all -# IP's connecting to it. This can (in some situations) increase -# latency, which makes your cache seem slower for interactive -# browsing. -#Default: -# log_fqdn off - # TAG: client_netmask # A netmask for client addresses in logfiles and cachemgr output. # Change this to protect the privacy of your cache clients. # A netmask of 255.255.255.0 will log all IP's in that range with # the last digit set to '0'. #Default: -# client_netmask no_addr - -# TAG: forward_log -# Note: This option is only available if Squid is rebuilt with the -# -DWIP_FWD_LOG define -# -# Logs the server-side requests. -# -# This is currently work in progress. -#Default: -# none +# Log full client IP address # TAG: strip_query_terms # By default, Squid strips query terms from requested URLs before -# logging. This protects your user's privacy. +# logging. This protects your user's privacy and reduces log size. +# +# When investigating HIT/MISS or other caching behaviour you +# will need to disable this to see the full URL used by Squid. #Default: # strip_query_terms on # TAG: buffered_logs on|off -# cache.log log file is written with stdio functions, and as such -# it can be buffered or unbuffered. By default it will be unbuffered. -# Buffering it can speed up the writing slightly (though you are -# unlikely to need to worry unless you run with tons of debugging -# enabled in which case performance will suffer badly anyway..). +# Whether to write/send access_log records ASAP or accumulate them and +# then write/send them in larger chunks. Buffering may improve +# performance because it decreases the number of I/Os. However, +# buffering increases the delay before log records become available to +# the final recipient (e.g., a disk file or logging daemon) and, +# hence, increases the risk of log records loss. +# +# Note that even when buffered_logs are off, Squid may have to buffer +# records if it cannot write/send them immediately due to pending I/Os +# (e.g., the I/O writing the previous log record) or connectivity loss. +# +# Currently honored by 'daemon' and 'tcp' access_log modules only. #Default: # buffered_logs off # TAG: netdb_filename -# Note: This option is only available if Squid is rebuilt with the -# --enable-icmp option +# Where Squid stores it's netdb journal. +# When enabled this journal preserves netdb state between restarts. # -# A filename where Squid stores it's netdb state between restarts. # To disable, enter "none". #Default: -# netdb_filename /var/log/squid/netdb.state +# netdb_filename stdio:/var/log/squid/netdb.state # OPTIONS FOR TROUBLESHOOTING # ----------------------------------------------------------------------------- # TAG: cache_log -# Cache logging file. This is where general information about -# your cache's behavior goes. You can increase the amount of data -# logged to this file and how often its rotated with "debug_options" +# Squid administrative logging file. +# +# This is where general information about Squid behavior goes. You can +# increase the amount of data logged to this file and how often it is +# rotated with "debug_options" #Default: # cache_log /var/log/squid/cache.log @@ -2742,14 +4218,14 @@ maximum_object_size 153600 KB # log file, so be careful. # # The magic word "ALL" sets debugging levels for all sections. -# We recommend normally running with "ALL,1". +# The default is to run with "ALL,1" to record important warnings. # # The rotate=N option can be used to keep more or less of these logs # than would otherwise be kept by logfile_rotate. # For most uses a single log should be enough to monitor current # events affecting Squid. #Default: -# debug_options ALL,1 +# Log all critical and important messages. # TAG: coredump_dir # By default Squid leaves core files in the directory from where @@ -2758,7 +4234,7 @@ maximum_object_size 153600 KB # and coredump files will be left there. # #Default: -# coredump_dir none +# Use the directory from where Squid was started. # # Leave coredumps in the first cache dir @@ -2769,24 +4245,17 @@ coredump_dir /var/spool/squid # TAG: ftp_user # If you want the anonymous login password to be more informative -# (and enable the use of picky ftp servers), set this to something +# (and enable the use of picky FTP servers), set this to something # reasonable for your domain, like wwwuser@somewhere.net # # The reason why this is domainless by default is the # request can be made on the behalf of a user in any domain, # depending on how the cache is used. -# Some ftp server also validate the email address is valid +# Some FTP server also validate the email address is valid # (for example perl.com). #Default: # ftp_user Squid@ -# TAG: ftp_list_width -# Sets the width of ftp listings. This should be set to fit in -# the width of a standard browser. Setting this too small -# can cut off long filenames when browsing ftp sites. -#Default: -# ftp_list_width 32 - # TAG: ftp_passive # If your firewall does not allow Squid to use passive # connections, turn off this option. @@ -2822,13 +4291,21 @@ coredump_dir /var/spool/squid # and therefore, translation of the data portion of the segments # will never be needed. # -# Turning this OFF will prevent EPSV being attempted. -# WARNING: Doing so will convert Squid back to the old behavior with all -# the related problems with external NAT devices/layers. +# EPSV is often required to interoperate with FTP servers on IPv6 +# networks. On the other hand, it may break some IPv4 servers. +# +# By default, EPSV may try EPSV with any FTP server. To fine tune +# that decision, you may restrict EPSV to certain clients or servers +# using ACLs: # +# ftp_epsv allow|deny al1 acl2 ... +# +# WARNING: Disabling EPSV may cause problems with external NAT and IPv6. +# +# Only fast ACLs are supported. # Requires ftp_passive to be ON (default) for any effect. #Default: -# ftp_epsv on +# none # TAG: ftp_eprt # FTP Protocol extensions permit the use of a special "EPRT" command. @@ -2889,22 +4366,16 @@ coredump_dir /var/spool/squid # unlinkd_program /usr/lib/squid/unlinkd # TAG: pinger_program -# Note: This option is only available if Squid is rebuilt with the -# --enable-icmp option -# # Specify the location of the executable for the pinger process. #Default: # pinger_program /usr/lib/squid/pinger # TAG: pinger_enable -# Note: This option is only available if Squid is rebuilt with the -# --enable-icmp option -# # Control whether the pinger is active at run-time. # Enables turning ICMP pinger on and off with a simple # squid -k reconfigure. #Default: -# pinger_enable off +# pinger_enable on # OPTIONS FOR URL REWRITING # ----------------------------------------------------------------------------- @@ -2915,68 +4386,137 @@ coredump_dir /var/spool/squid # # For each requested URL, the rewriter will receive on line with the format # -# URL client_ip "/" fqdn user method [ kvpairs] +# [channel-ID ] URL [ extras] +# +# See url_rewrite_extras on how to send "extras" with optional values to +# the helper. +# After processing the request the helper must reply using the following format: +# +# [channel-ID ] result [ kv-pairs] +# +# The result code can be: +# +# OK status=30N url="..." +# Redirect the URL to the one supplied in 'url='. +# 'status=' is optional and contains the status code to send +# the client in Squids HTTP response. It must be one of the +# HTTP redirect status codes: 301, 302, 303, 307, 308. +# When no status is given Squid will use 302. +# +# OK rewrite-url="..." +# Rewrite the URL to the one supplied in 'rewrite-url='. +# The new URL is fetched directly by Squid and returned to +# the client as the response to its request. # -# In the future, the rewriter interface will be extended with -# key=value pairs ("kvpairs" shown above). Rewriter programs -# should be prepared to receive and possibly ignore additional -# whitespace-separated tokens on each input line. +# OK +# When neither of url= and rewrite-url= are sent Squid does +# not change the URL. # -# And the rewriter may return a rewritten URL. The other components of -# the request line does not need to be returned (ignored if they are). +# ERR +# Do not change the URL. # -# The rewriter can also indicate that a client-side redirect should -# be performed to the new URL. This is done by prefixing the returned -# URL with "301:" (moved permanently) or 302: (moved temporarily), etc. +# BH +# An internal error occurred in the helper, preventing +# a result being identified. The 'message=' key name is +# reserved for delivering a log message. +# +# +# In addition to the above kv-pairs Squid also understands the following +# optional kv-pairs received from URL rewriters: +# clt_conn_tag=TAG +# Associates a TAG with the client TCP connection. +# The TAG is treated as a regular annotation but persists across +# future requests on the client connection rather than just the +# current request. A helper may update the TAG during subsequent +# requests be returning a new kv-pair. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# WARNING: URL re-writing ability should be avoided whenever possible. +# Use the URL redirect form of response instead. +# +# Re-write creates a difference in the state held by the client +# and server. Possibly causing confusion when the server response +# contains snippets of its view state. Embeded URLs, response +# and content Location headers, etc. are not re-written by this +# interface. # # By default, a URL rewriter is not used. #Default: # none # TAG: url_rewrite_children -# The number of redirector processes to spawn. If you start -# too few Squid will have to wait for them to process a backlog of -# URLs, slowing it down. If you start too many they will use RAM -# and other system resources. -#Default: -# url_rewrite_children 5 - -# TAG: url_rewrite_concurrency +# The maximum number of redirector processes to spawn. If you limit +# it too few Squid will have to wait for them to process a backlog of +# URLs, slowing it down. If you allow too many they will use RAM +# and other system resources noticably. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup= +# +# Sets a minimum of how many processes are to be spawned when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few will cause an initial slowdown in traffic as Squid +# attempts to simultaneously spawn enough processes to cope. +# +# idle= +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# # The number of requests each redirector helper can handle in # parallel. Defaults to 0 which indicates the redirector # is a old-style single threaded redirector. # # When this directive is set to a value >= 1 then the protocol # used to communicate with the helper is modified to include -# a request ID in front of the request/response. The request -# ID from the request must be echoed back with the response -# to that request. +# an ID in front of the request/response. The ID from the request +# must be echoed back with the response to that request. #Default: -# url_rewrite_concurrency 0 +# url_rewrite_children 20 startup=0 idle=1 concurrency=0 # TAG: url_rewrite_host_header -# By default Squid rewrites any Host: header in redirected -# requests. If you are running an accelerator this may -# not be a wanted effect of a redirector. -# +# To preserve same-origin security policies in browsers and +# prevent Host: header forgery by redirectors Squid rewrites +# any Host: header in redirected requests. +# +# If you are running an accelerator this may not be a wanted +# effect of a redirector. This directive enables you disable +# Host: alteration in reverse-proxy traffic. +# # WARNING: Entries are cached on the result of the URL rewriting # process, so be careful if you have domain-virtual hosts. +# +# WARNING: Squid and other software verifies the URL and Host +# are matching, so be careful not to relay through other proxies +# or inspecting firewalls with this disabled. #Default: # url_rewrite_host_header on # TAG: url_rewrite_access # If defined, this access list specifies which requests are -# sent to the redirector processes. By default all requests -# are sent. +# sent to the redirector processes. # # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: url_rewrite_bypass # When this is 'on', a request will not go through the -# redirector if all redirectors are busy. If this is 'off' +# redirector if all the helpers are busy. If this is 'off' # and the redirector queue grows too large, Squid will exit # with a FATAL error and ask you to increase the number of # redirectors. You should only enable this if the redirectors @@ -2987,23 +4527,231 @@ coredump_dir /var/spool/squid #Default: # url_rewrite_bypass off -# OPTIONS FOR TUNING THE CACHE +# TAG: url_rewrite_extras +# Specifies a string to be append to request line format for the +# rewriter helper. "Quoted" format values may contain spaces and +# logformat %macros. In theory, any logformat %macro can be used. +# In practice, a %macro expands as a dash (-) if the helper request is +# sent before the required macro information is available to Squid. +#Default: +# url_rewrite_extras "%>a/%>A %un %>rm myip=%la myport=%lp" + +# OPTIONS FOR STORE ID # ----------------------------------------------------------------------------- -# TAG: cache -# A list of ACL elements which, if matched and denied, cause the request to -# not be satisfied from the cache and the reply to not be cached. -# In other words, use this to force certain objects to never be cached. +# TAG: store_id_program +# Specify the location of the executable StoreID helper to use. +# Since they can perform almost any function there isn't one included. # -# You must use the words 'allow' or 'deny' to indicate whether items -# matching the ACL should be allowed or denied into the cache. +# For each requested URL, the helper will receive one line with the format # -# Default is to allow all to be cached. +# [channel-ID ] URL [ extras] +# +# +# After processing the request the helper must reply using the following format: +# +# [channel-ID ] result [ kv-pairs] +# +# The result code can be: +# +# OK store-id="..." +# Use the StoreID supplied in 'store-id='. +# +# ERR +# The default is to use HTTP request URL as the store ID. +# +# BH +# An internal error occured in the helper, preventing +# a result being identified. +# +# In addition to the above kv-pairs Squid also understands the following +# optional kv-pairs received from URL rewriters: +# clt_conn_tag=TAG +# Associates a TAG with the client TCP connection. +# Please see url_rewrite_program related documentation for this +# kv-pair +# +# Helper programs should be prepared to receive and possibly ignore +# additional whitespace-separated tokens on each input line. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# NOTE: when using StoreID refresh_pattern will apply to the StoreID +# returned from the helper and not the URL. +# +# WARNING: Wrong StoreID value returned by a careless helper may result +# in the wrong cached response returned to the user. +# +# By default, a StoreID helper is not used. +#Default: +# none + +# TAG: store_id_extras +# Specifies a string to be append to request line format for the +# StoreId helper. "Quoted" format values may contain spaces and +# logformat %macros. In theory, any logformat %macro can be used. +# In practice, a %macro expands as a dash (-) if the helper request is +# sent before the required macro information is available to Squid. +#Default: +# store_id_extras "%>a/%>A %un %>rm myip=%la myport=%lp" + +# TAG: store_id_children +# The maximum number of StoreID helper processes to spawn. If you limit +# it too few Squid will have to wait for them to process a backlog of +# requests, slowing it down. If you allow too many they will use RAM +# and other system resources noticably. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup= +# +# Sets a minimum of how many processes are to be spawned when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few will cause an initial slowdown in traffic as Squid +# attempts to simultaneously spawn enough processes to cope. +# +# idle= +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# +# The number of requests each storeID helper can handle in +# parallel. Defaults to 0 which indicates the helper +# is a old-style single threaded program. +# +# When this directive is set to a value >= 1 then the protocol +# used to communicate with the helper is modified to include +# an ID in front of the request/response. The ID from the request +# must be echoed back with the response to that request. +#Default: +# store_id_children 20 startup=0 idle=1 concurrency=0 + +# TAG: store_id_access +# If defined, this access list specifies which requests are +# sent to the StoreID processes. By default all requests +# are sent. # # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow, unless rules exist in squid.conf. + +# TAG: store_id_bypass +# When this is 'on', a request will not go through the +# helper if all helpers are busy. If this is 'off' +# and the helper queue grows too large, Squid will exit +# with a FATAL error and ask you to increase the number of +# helpers. You should only enable this if the helperss +# are not critical to your caching system. If you use +# helpers for critical caching components, and you enable this +# option, users may not get objects from cache. +#Default: +# store_id_bypass on + +# OPTIONS FOR TUNING THE CACHE +# ----------------------------------------------------------------------------- + +# TAG: cache +# Requests denied by this directive will not be served from the cache +# and their responses will not be stored in the cache. This directive +# has no effect on other transactions and on already cached responses. +# +# This clause supports both fast and slow acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# This and the two other similar caching directives listed below are +# checked at different transaction processing stages, have different +# access to response information, affect different cache operations, +# and differ in slow ACLs support: +# +# * cache: Checked before Squid makes a hit/miss determination. +# No access to reply information! +# Denies both serving a hit and storing a miss. +# Supports both fast and slow ACLs. +# * send_hit: Checked after a hit was detected. +# Has access to reply (hit) information. +# Denies serving a hit only. +# Supports fast ACLs only. +# * store_miss: Checked before storing a cachable miss. +# Has access to reply (miss) information. +# Denies storing a miss only. +# Supports fast ACLs only. +# +# If you are not sure which of the three directives to use, apply the +# following decision logic: +# +# * If your ACL(s) are of slow type _and_ need response info, redesign. +# Squid does not support that particular combination at this time. +# Otherwise: +# * If your directive ACL(s) are of slow type, use "cache"; and/or +# * if your directive ACL(s) need no response info, use "cache". +# Otherwise: +# * If you do not want the response cached, use store_miss; and/or +# * if you do not want a hit on a cached response, use send_hit. +#Default: +# By default, this directive is unused and has no effect. + +# TAG: send_hit +# Responses denied by this directive will not be served from the cache +# (but may still be cached, see store_miss). This directive has no +# effect on the responses it allows and on the cached objects. +# +# Please see the "cache" directive for a summary of differences among +# store_miss, send_hit, and cache directives. +# +# Unlike the "cache" directive, send_hit only supports fast acl +# types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# For example: +# +# # apply custom Store ID mapping to some URLs +# acl MapMe dstdomain .c.example.com +# store_id_program ... +# store_id_access allow MapMe +# +# # but prevent caching of special responses +# # such as 302 redirects that cause StoreID loops +# acl Ordinary http_status 200-299 +# store_miss deny MapMe !Ordinary +# +# # and do not serve any previously stored special responses +# # from the cache (in case they were already cached before +# # the above store_miss rule was in effect). +# send_hit deny MapMe !Ordinary +#Default: +# By default, this directive is unused and has no effect. + +# TAG: store_miss +# Responses denied by this directive will not be cached (but may still +# be served from the cache, see send_hit). This directive has no +# effect on the responses it allows and on the already cached responses. +# +# Please see the "cache" directive for a summary of differences among +# store_miss, send_hit, and cache directives. See the +# send_hit directive for a usage example. +# +# Unlike the "cache" directive, store_miss only supports fast acl +# types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# By default, this directive is unused and has no effect. + +# TAG: max_stale time-units +# This option puts an upper limit on how stale content Squid +# will serve from the cache if cache validation fails. +# Can be overriden by the refresh_pattern max-stale option. +#Default: +# max_stale 1 week # TAG: refresh_pattern # usage: refresh_pattern [-i] regex min percent max [options] @@ -3028,12 +4776,13 @@ coredump_dir /var/spool/squid # override-lastmod # reload-into-ims # ignore-reload -# ignore-no-cache # ignore-no-store # ignore-must-revalidate # ignore-private # ignore-auth +# max-stale=NN # refresh-ims +# store-stale # # override-expire enforces min age even if the server # sent an explicit expiry time (e.g., with the @@ -3049,22 +4798,18 @@ coredump_dir /var/spool/squid # override-lastmod enforces min age even on objects # that were modified recently. # -# reload-into-ims changes client no-cache or ``reload'' -# to If-Modified-Since requests. Doing this VIOLATES the -# HTTP standard. Enabling this feature could make you -# liable for problems which it causes. +# reload-into-ims changes a client no-cache or ``reload'' +# request for a cached entry into a conditional request using +# If-Modified-Since and/or If-None-Match headers, provided the +# cached entry has a Last-Modified and/or a strong ETag header. +# Doing this VIOLATES the HTTP standard. Enabling this feature +# could make you liable for problems which it causes. # # ignore-reload ignores a client no-cache or ``reload'' # header. Doing this VIOLATES the HTTP standard. Enabling # this feature could make you liable for problems which # it causes. # -# ignore-no-cache ignores any ``Pragma: no-cache'' and -# ``Cache-control: no-cache'' headers received from a server. -# The HTTP RFC never allows the use of this (Pragma) header -# from a server, only a client, though plenty of servers -# send it anyway. -# # ignore-no-store ignores any ``Cache-control: no-store'' # headers received from a server. Doing this VIOLATES # the HTTP standard. Enabling this feature could make you @@ -3091,9 +4836,19 @@ coredump_dir /var/spool/squid # ensures that the client will receive an updated version # if one is available. # +# store-stale stores responses even if they don't have explicit +# freshness or a validator (i.e., Last-Modified or an ETag) +# present, or if they're already stale. By default, Squid will +# not cache such responses because they usually can't be +# reused. Note that such responses will be stale by default. +# +# max-stale=NN provide a maximum staleness factor. Squid won't +# serve objects more stale than this even if it failed to +# validate the object. Default: use the max_stale global limit. +# # Basically a cached object is: # -# FRESH if expires < now, else STALE +# FRESH if expire > now, else STALE # STALE if age > max # FRESH if lm-factor < percent, else STALE # FRESH if age < min @@ -3109,7 +4864,9 @@ coredump_dir /var/spool/squid # # +# # Add any of your own refresh_pattern entries above these. +# refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 @@ -3137,7 +4894,7 @@ refresh_pattern . 0 20% 4320 # downloads. # # When the user aborts a request, Squid will check the -# quick_abort values to the amount of data transfered until +# quick_abort values to the amount of data transferred until # then. # # If the transfer has less than 'quick_abort_min' KB remaining, @@ -3195,44 +4952,68 @@ refresh_pattern . 0 20% 4320 #Default: # negative_dns_ttl 1 minutes -# TAG: range_offset_limit (bytes) -# Sets a upper limit on how far into the the file a Range request -# may be to cause Squid to prefetch the whole file. If beyond this -# limit Squid forwards the Range request as it is and the result -# is NOT cached. -# +# TAG: range_offset_limit size [acl acl...] +# usage: (size) [units] [[!]aclname] +# +# Sets an upper limit on how far (number of bytes) into the file +# a Range request may be to cause Squid to prefetch the whole file. +# If beyond this limit, Squid forwards the Range request as it is and +# the result is NOT cached. +# # This is to stop a far ahead range request (lets say start at 17MB) # from making Squid fetch the whole object up to that point before # sending anything to the client. -# -# A value of 0 causes Squid to never fetch more than the +# +# Multiple range_offset_limit lines may be specified, and they will +# be searched from top to bottom on each request until a match is found. +# The first match found will be used. If no line matches a request, the +# default limit of 0 bytes will be used. +# +# 'size' is the limit specified as a number of units. +# +# 'units' specifies whether to use bytes, KB, MB, etc. +# If no units are specified bytes are assumed. +# +# A size of 0 causes Squid to never fetch more than the # client requested. (default) -# -# A value of -1 causes Squid to always fetch the object from the +# +# A size of 'none' causes Squid to always fetch the object from the # beginning so it may cache the result. (2.0 style) -# -# NP: Using -1 here will override any quick_abort settings that may -# otherwise apply to the range request. The range request will +# +# 'aclname' is the name of a defined ACL. +# +# NP: Using 'none' as the byte value here will override any quick_abort settings +# that may otherwise apply to the range request. The range request will # be fully fetched from start to finish regardless of the client # actions. This affects bandwidth usage. #Default: -# range_offset_limit 0 KB +# none # TAG: minimum_expiry_time (seconds) # The minimum caching time according to (Expires - Date) -# Headers Squid honors if the object can't be revalidated -# defaults to 60 seconds. In reverse proxy environments it -# might be desirable to honor shorter object lifetimes. It -# is most likely better to make your server return a -# meaningful Last-Modified header however. In ESI environments -# where page fragments often have short lifetimes, this will -# often be best set to 0. +# headers Squid honors if the object can't be revalidated. +# The default is 60 seconds. +# +# In reverse proxy environments it might be desirable to honor +# shorter object lifetimes. It is most likely better to make +# your server return a meaningful Last-Modified header however. +# +# In ESI environments where page fragments often have short +# lifetimes, this will often be best set to 0. #Default: # minimum_expiry_time 60 seconds -# TAG: store_avg_object_size (kbytes) +# TAG: store_avg_object_size (bytes) # Average object size, used to estimate number of objects your # cache can hold. The default is 13 KB. +# +# This is used to pre-seed the cache index memory allocation to +# reduce expensive reallocate operations while handling clients +# traffic. Too-large values may result in memory allocation during +# peak traffic, too-small values will result in wasted memory. +# +# Check the cache manager 'info' report metrics for the real +# object sizes seen by your Squid before tuning this. #Default: # store_avg_object_size 13 KB @@ -3271,8 +5052,11 @@ refresh_pattern . 0 20% 4320 # than this limit receives an "Invalid Request" error message. # If you set this parameter to a zero (the default), there will # be no limit imposed. +# +# See also client_request_buffer_max_size for an alternative +# limitation on client uploads which can be configured. #Default: -# request_body_max_size 0 KB +# No limit. # TAG: client_request_buffer_max_size (bytes) # This specifies the maximum buffer size of a client request. @@ -3281,29 +5065,6 @@ refresh_pattern . 0 20% 4320 #Default: # client_request_buffer_max_size 512 KB -# TAG: chunked_request_body_max_size (bytes) -# A broken or confused HTTP/1.1 client may send a chunked HTTP -# request to Squid. Squid does not have full support for that -# feature yet. To cope with such requests, Squid buffers the -# entire request and then dechunks request body to create a -# plain HTTP/1.0 request with a known content length. The plain -# request is then used by the rest of Squid code as usual. -# -# The option value specifies the maximum size of the buffer used -# to hold the request before the conversion. If the chunked -# request size exceeds the specified limit, the conversion -# fails, and the client receives an "unsupported request" error, -# as if dechunking was disabled. -# -# Dechunking is enabled by default. To disable conversion of -# chunked requests, set the maximum to zero. -# -# Request dechunking feature and this option in particular are a -# temporary hack. When chunking requests and responses are fully -# supported, there will be no need to buffer a chunked request. -#Default: -# chunked_request_body_max_size 64 KB - # TAG: broken_posts # A list of ACL elements which, if matched, causes Squid to send # an extra CRLF pair after the body of a PUT/POST request. @@ -3325,15 +5086,15 @@ refresh_pattern . 0 20% 4320 # acl buggy_server url_regex ^http://.... # broken_posts allow buggy_server #Default: -# none +# Obey RFC 2616. -# TAG: icap_uses_indirect_client on|off +# TAG: adaptation_uses_indirect_client on|off # Controls whether the indirect client IP address (instead of the direct # client IP address) is passed to adaptation services. # # See also: follow_x_forwarded_for adaptation_send_client_ip #Default: -# icap_uses_indirect_client on +# adaptation_uses_indirect_client on # TAG: via on|off # If set (default), Squid will include a Via header in requests and @@ -3395,64 +5156,62 @@ refresh_pattern . 0 20% 4320 # # This option replaces the old 'anonymize_headers' and the # older 'http_anonymizer' option with something that is much -# more configurable. This new method creates a list of ACLs -# for each header, allowing you very fine-tuned header -# mangling. -# -# This option only applies to request headers, i.e., from the -# client to the server. -# -# You can only specify known headers for the header name. -# Other headers are reclassified as 'Other'. You can also -# refer to all the headers with 'All'. +# more configurable. A list of ACLs for each header name allows +# removal of specific header fields under specific conditions. +# +# This option only applies to outgoing HTTP request headers (i.e., +# headers sent by Squid to the next HTTP hop such as a cache peer +# or an origin server). The option has no effect during cache hit +# detection. The equivalent adaptation vectoring point in ICAP +# terminology is post-cache REQMOD. +# +# The option is applied to individual outgoing request header +# fields. For each request header field F, Squid uses the first +# qualifying sets of request_header_access rules: +# +# 1. Rules with header_name equal to F's name. +# 2. Rules with header_name 'Other', provided F's name is not +# on the hard-coded list of commonly used HTTP header names. +# 3. Rules with header_name 'All'. +# +# Within that qualifying rule set, rule ACLs are checked as usual. +# If ACLs of an "allow" rule match, the header field is allowed to +# go through as is. If ACLs of a "deny" rule match, the header is +# removed and request_header_replace is then checked to identify +# if the removed header has a replacement. If no rules within the +# set have matching ACLs, the header field is left as is. # # For example, to achieve the same behavior as the old # 'http_anonymizer standard' option, you should use: # # request_header_access From deny all # request_header_access Referer deny all -# request_header_access Server deny all # request_header_access User-Agent deny all -# request_header_access WWW-Authenticate deny all -# request_header_access Link deny all # # Or, to reproduce the old 'http_anonymizer paranoid' feature # you should use: # -# request_header_access Allow allow all # request_header_access Authorization allow all -# request_header_access WWW-Authenticate allow all # request_header_access Proxy-Authorization allow all -# request_header_access Proxy-Authenticate allow all # request_header_access Cache-Control allow all -# request_header_access Content-Encoding allow all # request_header_access Content-Length allow all # request_header_access Content-Type allow all # request_header_access Date allow all -# request_header_access Expires allow all # request_header_access Host allow all # request_header_access If-Modified-Since allow all -# request_header_access Last-Modified allow all -# request_header_access Location allow all # request_header_access Pragma allow all # request_header_access Accept allow all # request_header_access Accept-Charset allow all # request_header_access Accept-Encoding allow all # request_header_access Accept-Language allow all -# request_header_access Content-Language allow all -# request_header_access Mime-Version allow all -# request_header_access Retry-After allow all -# request_header_access Title allow all # request_header_access Connection allow all # request_header_access All deny all # -# although many of those are HTTP reply headers, and so should be -# controlled with the reply_header_access directive. +# HTTP reply headers are controlled with the reply_header_access directive. # -# By default, all headers are allowed (no anonymizing is -# performed). +# By default, all headers are allowed (no anonymizing is performed). #Default: -# none +# No limits. # TAG: reply_header_access # Usage: reply_header_access header_name allow|deny [!]aclname ... @@ -3465,25 +5224,13 @@ refresh_pattern . 0 20% 4320 # server to the client. # # This is the same as request_header_access, but in the other -# direction. -# -# This option replaces the old 'anonymize_headers' and the -# older 'http_anonymizer' option with something that is much -# more configurable. This new method creates a list of ACLs -# for each header, allowing you very fine-tuned header -# mangling. -# -# You can only specify known headers for the header name. -# Other headers are reclassified as 'Other'. You can also -# refer to all the headers with 'All'. +# direction. Please see request_header_access for detailed +# documentation. # # For example, to achieve the same behavior as the old # 'http_anonymizer standard' option, you should use: # -# reply_header_access From deny all -# reply_header_access Referer deny all # reply_header_access Server deny all -# reply_header_access User-Agent deny all # reply_header_access WWW-Authenticate deny all # reply_header_access Link deny all # @@ -3491,9 +5238,7 @@ refresh_pattern . 0 20% 4320 # you should use: # # reply_header_access Allow allow all -# reply_header_access Authorization allow all # reply_header_access WWW-Authenticate allow all -# reply_header_access Proxy-Authorization allow all # reply_header_access Proxy-Authenticate allow all # reply_header_access Cache-Control allow all # reply_header_access Content-Encoding allow all @@ -3501,29 +5246,22 @@ refresh_pattern . 0 20% 4320 # reply_header_access Content-Type allow all # reply_header_access Date allow all # reply_header_access Expires allow all -# reply_header_access Host allow all -# reply_header_access If-Modified-Since allow all # reply_header_access Last-Modified allow all # reply_header_access Location allow all # reply_header_access Pragma allow all -# reply_header_access Accept allow all -# reply_header_access Accept-Charset allow all -# reply_header_access Accept-Encoding allow all -# reply_header_access Accept-Language allow all # reply_header_access Content-Language allow all -# reply_header_access Mime-Version allow all # reply_header_access Retry-After allow all # reply_header_access Title allow all +# reply_header_access Content-Disposition allow all # reply_header_access Connection allow all # reply_header_access All deny all # -# although the HTTP request headers won't be usefully controlled -# by this directive -- see request_header_access for details. +# HTTP request headers are controlled with the request_header_access directive. # # By default, all headers are allowed (no anonymizing is # performed). #Default: -# none +# No limits. # TAG: request_header_replace # Usage: request_header_replace header_name message @@ -3531,8 +5269,7 @@ refresh_pattern . 0 20% 4320 # # This option allows you to change the contents of headers # denied with request_header_access above, by replacing them -# with some fixed string. This replaces the old fake_user_agent -# option. +# with some fixed string. # # This only applies to request headers, not reply headers. # @@ -3554,6 +5291,57 @@ refresh_pattern . 0 20% 4320 #Default: # none +# TAG: request_header_add +# Usage: request_header_add field-name field-value acl1 [acl2] ... +# Example: request_header_add X-Client-CA "CA=%ssl::>cert_issuer" all +# +# This option adds header fields to outgoing HTTP requests (i.e., +# request headers sent by Squid to the next HTTP hop such as a +# cache peer or an origin server). The option has no effect during +# cache hit detection. The equivalent adaptation vectoring point +# in ICAP terminology is post-cache REQMOD. +# +# Field-name is a token specifying an HTTP header name. If a +# standard HTTP header name is used, Squid does not check whether +# the new header conflicts with any existing headers or violates +# HTTP rules. If the request to be modified already contains a +# field with the same name, the old field is preserved but the +# header field values are not merged. +# +# Field-value is either a token or a quoted string. If quoted +# string format is used, then the surrounding quotes are removed +# while escape sequences and %macros are processed. +# +# In theory, all of the logformat codes can be used as %macros. +# However, unlike logging (which happens at the very end of +# transaction lifetime), the transaction may not yet have enough +# information to expand a macro when the new header value is needed. +# And some information may already be available to Squid but not yet +# committed where the macro expansion code can access it (report +# such instances!). The macro will be expanded into a single dash +# ('-') in such cases. Not all macros have been tested. +# +# One or more Squid ACLs may be specified to restrict header +# injection to matching requests. As always in squid.conf, all +# ACLs in an option ACL list must be satisfied for the insertion +# to happen. The request_header_add option supports fast ACLs +# only. +#Default: +# none + +# TAG: note +# This option used to log custom information about the master +# transaction. For example, an admin may configure Squid to log +# which "user group" the transaction belongs to, where "user group" +# will be determined based on a set of ACLs and not [just] +# authentication information. +# Values of key/value pairs can be logged using %{key}note macros: +# +# note key value acl ... +# logformat myFormat ... %{key}note ... +#Default: +# none + # TAG: relaxed_header_parser on|off|warn # In the default "on" setting Squid accepts certain forms # of non-compliant HTTP messages where it is unambiguous @@ -3569,15 +5357,32 @@ refresh_pattern . 0 20% 4320 #Default: # relaxed_header_parser on -# TAG: ignore_expect_100 on|off -# This option makes Squid ignore any Expect: 100-continue header present -# in the request. RFC 2616 requires that Squid being unable to satisfy -# the response expectation MUST return a 417 error. -# -# Note: Enabling this is a HTTP protocol violation, but some clients may -# not handle it well.. -#Default: -# ignore_expect_100 off +# TAG: collapsed_forwarding (on|off) +# When enabled, instead of forwarding each concurrent request for +# the same URL, Squid just sends the first of them. The other, so +# called "collapsed" requests, wait for the response to the first +# request and, if it happens to be cachable, use that response. +# Here, "concurrent requests" means "received after the first +# request headers were parsed and before the corresponding response +# headers were parsed". +# +# This feature is disabled by default: enabling collapsed +# forwarding needlessly delays forwarding requests that look +# cachable (when they are collapsed) but then need to be forwarded +# individually anyway because they end up being for uncachable +# content. However, in some cases, such as acceleration of highly +# cachable content with periodic or grouped expiration times, the +# gains from collapsing [large volumes of simultaneous refresh +# requests] outweigh losses from such delays. +# +# Squid collapses two kinds of requests: regular client requests +# received on one of the listening ports and internal "cache +# revalidation" requests which are triggered by those regular +# requests hitting a stale cached object. Revalidation collapsing +# is currently disabled for Squid instances containing SMP-aware +# disk or memory caches and for Vary-controlled cached objects. +#Default: +# collapsed_forwarding off # TIMEOUTS # ----------------------------------------------------------------------------- @@ -3604,25 +5409,46 @@ refresh_pattern . 0 20% 4320 # peer_connect_timeout 30 seconds # TAG: read_timeout time-units -# The read_timeout is applied on server-side connections. After -# each successful read(), the timeout will be extended by this +# Applied on peer server connections. +# +# After each successful read(), the timeout will be extended by this # amount. If no data is read again after this amount of time, -# the request is aborted and logged with ERR_READ_TIMEOUT. The -# default is 15 minutes. +# the request is aborted and logged with ERR_READ_TIMEOUT. +# +# The default is 15 minutes. #Default: # read_timeout 15 minutes +# TAG: write_timeout time-units +# This timeout is tracked for all connections that have data +# available for writing and are waiting for the socket to become +# ready. After each successful write, the timeout is extended by +# the configured amount. If Squid has data to write but the +# connection is not ready for the configured duration, the +# transaction associated with the connection is terminated. The +# default is 15 minutes. +#Default: +# write_timeout 15 minutes + # TAG: request_timeout # How long to wait for complete HTTP request headers after initial # connection establishment. #Default: # request_timeout 5 minutes -# TAG: persistent_request_timeout +# TAG: client_idle_pconn_timeout # How long to wait for the next HTTP request on a persistent -# connection after the previous request completes. +# client connection after the previous request completes. +#Default: +# client_idle_pconn_timeout 2 minutes + +# TAG: ftp_client_idle_timeout +# How long to wait for an FTP request on a connection to Squid ftp_port. +# Many FTP clients do not deal with idle connection closures well, +# necessitating a longer default timeout than client_idle_pconn_timeout +# used for incoming HTTP requests. #Default: -# persistent_request_timeout 2 minutes +# ftp_client_idle_timeout 30 minutes # TAG: client_lifetime time-units # The maximum amount of time a client (browser) is allowed to @@ -3658,11 +5484,11 @@ refresh_pattern . 0 20% 4320 #Default: # half_closed_clients off -# TAG: pconn_timeout +# TAG: server_idle_pconn_timeout # Timeout for idle persistent connections to servers and other # proxies. #Default: -# pconn_timeout 1 minute +# server_idle_pconn_timeout 1 minute # TAG: ident_timeout # Maximum time to wait for IDENT lookups to complete. @@ -3687,15 +5513,15 @@ refresh_pattern . 0 20% 4320 # TAG: cache_mgr # Email-address of local cache manager who will receive -# mail if the cache dies. The default is "webmaster." +# mail if the cache dies. The default is "webmaster". #Default: # cache_mgr webmaster # TAG: mail_from # From: email-address for mail sent when the cache dies. -# The default is to use 'appname@unique_hostname'. -# Default appname value is "squid", can be changed into -# src/globals.h before building squid. +# The default is to use 'squid@unique_hostname'. +# +# See also: unique_hostname directive. #Default: # none @@ -3734,7 +5560,7 @@ refresh_pattern . 0 20% 4320 # Our preference is for administrators to configure a secure # user account for squid with UID/GID matching system policies. #Default: -# none +# Use system group memberships of the cache_effective_user account # TAG: httpd_suppress_version_string on|off # Suppress Squid version string info in HTTP headers and HTML error pages. @@ -3748,14 +5574,14 @@ refresh_pattern . 0 20% 4320 # get errors about IP-forwarding you must set them to have individual # names with this setting. #Default: -# visible_hostname localhost +# Automatically detect the system host name # TAG: unique_hostname # If you want to have multiple machines with the same # 'visible_hostname' you must give each machine a different # 'unique_hostname' so forwarding loops can be detected. #Default: -# none +# Copy the value from visible_hostname # TAG: hostname_aliases # A list of other DNS names your cache has. @@ -3794,33 +5620,32 @@ refresh_pattern . 0 20% 4320 # available on the Web at http://www.ircache.net/Cache/Tracker/. # TAG: announce_period -# This is how frequently to send cache announcements. The -# default is `0' which disables sending the announcement -# messages. +# This is how frequently to send cache announcements. # # To enable announcing your cache, just set an announce period. # # Example: # announce_period 1 day #Default: -# announce_period 0 +# Announcement messages disabled. # TAG: announce_host +# Set the hostname where announce registration messages will be sent. +# +# See also announce_port and announce_file #Default: # announce_host tracker.ircache.net # TAG: announce_file +# The contents of this file will be included in the announce +# registration messages. #Default: # none # TAG: announce_port -# announce_host and announce_port set the hostname and port -# number where the registration message will be sent. +# Set the port where announce registration messages will be sent. # -# Hostname will default to 'tracker.ircache.net' and port will -# default default to 3131. If the 'filename' argument is given, -# the contents of that file will be included in the announce -# message. +# See also announce_host and announce_file #Default: # announce_port 3131 @@ -3833,10 +5658,12 @@ refresh_pattern . 0 20% 4320 # a farm of surrogates may all perform the same tasks, they may share # an identification token. #Default: -# httpd_accel_surrogate_id unset-id +# visible_hostname is used if no specific ID is set. # TAG: http_accel_surrogate_remote on|off -# Remote surrogates (such as those in a CDN) honour Surrogate-Control: no-store-remote. +# Remote surrogates (such as those in a CDN) honour the header +# "Surrogate-Control: no-store-remote". +# # Set this to on to have squid behave as a remote surrogate. #Default: # http_accel_surrogate_remote off @@ -3855,6 +5682,9 @@ refresh_pattern . 0 20% 4320 # This represents the number of delay pools to be used. For example, # if you have one class 2 delay pool and one class 3 delays pool, you # have a total of 2 delay pools. +# +# See also delay_parameters, delay_class, delay_access for pool +# configuration details. #Default: # delay_pools 0 @@ -3907,6 +5737,11 @@ refresh_pattern . 0 20% 4320 # # NOTE-2: Due to the use of bitmasks in class 2,3,4 pools they only apply to # IPv4 traffic. Class 1 and 5 pools may be used with IPv6 traffic. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# See also delay_parameters and delay_access. #Default: # none @@ -3921,14 +5756,16 @@ refresh_pattern . 0 20% 4320 # For example, if you want some_big_clients in delay # pool 1 and lotsa_little_clients in delay pool 2: # -#Example: -# delay_access 1 allow some_big_clients -# delay_access 1 deny all -# delay_access 2 allow lotsa_little_clients -# delay_access 2 deny all -# delay_access 3 allow authenticated_clients +# delay_access 1 allow some_big_clients +# delay_access 1 deny all +# delay_access 2 allow lotsa_little_clients +# delay_access 2 deny all +# delay_access 3 allow authenticated_clients +# +# See also delay_parameters and delay_class. +# #Default: -# none +# Deny using the pool, unless allow rules exist in squid.conf for the pool. # TAG: delay_parameters # This defines the parameters for a delay pool. Each delay pool has @@ -3936,23 +5773,23 @@ refresh_pattern . 0 20% 4320 # description of delay_class. # # For a class 1 delay pool, the syntax is: -# delay_pools pool 1 +# delay_class pool 1 # delay_parameters pool aggregate # # For a class 2 delay pool: -# delay_pools pool 2 +# delay_class pool 2 # delay_parameters pool aggregate individual # # For a class 3 delay pool: -# delay_pools pool 3 +# delay_class pool 3 # delay_parameters pool aggregate network individual # # For a class 4 delay pool: -# delay_pools pool 4 +# delay_class pool 4 # delay_parameters pool aggregate network individual user # # For a class 5 delay pool: -# delay_pools pool 5 +# delay_class pool 5 # delay_parameters pool tagrate # # The option variables are: @@ -3988,11 +5825,11 @@ refresh_pattern . 0 20% 4320 # above example, and is being used to strictly limit each host to 64Kbit/sec # (plus overheads), with no overall limit, the line is: # -# delay_parameters 1 -1/-1 8000/8000 +# delay_parameters 1 none 8000/8000 # -# Note that 8 x 8000 KByte/sec -> 64Kbit/sec. +# Note that 8 x 8K Byte/sec -> 64K bit/sec. # -# Note that the figure -1 is used to represent "unlimited". +# Note that the word 'none' is used to represent no limit. # # # And, if delay pool number 2 is a class 3 delay pool as in the above @@ -4005,15 +5842,19 @@ refresh_pattern . 0 20% 4320 # # delay_parameters 2 32000/32000 8000/8000 600/8000 # -# Note that 8 x 32000 KByte/sec -> 256Kbit/sec. -# 8 x 8000 KByte/sec -> 64Kbit/sec. -# 8 x 600 Byte/sec -> 4800bit/sec. +# Note that 8 x 32K Byte/sec -> 256K bit/sec. +# 8 x 8K Byte/sec -> 64K bit/sec. +# 8 x 600 Byte/sec -> 4800 bit/sec. # # # Finally, for a class 4 delay pool as in the example - each user will # be limited to 128Kbits/sec no matter how many workstations they are logged into.: # # delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000 +# +# +# See also delay_class and delay_access. +# #Default: # none @@ -4026,6 +5867,94 @@ refresh_pattern . 0 20% 4320 #Default: # delay_initial_bucket_level 50 +# CLIENT DELAY POOL PARAMETERS +# ----------------------------------------------------------------------------- + +# TAG: client_delay_pools +# This option specifies the number of client delay pools used. It must +# preceed other client_delay_* options. +# +# Example: +# client_delay_pools 2 +# +# See also client_delay_parameters and client_delay_access. +#Default: +# client_delay_pools 0 + +# TAG: client_delay_initial_bucket_level (percent, 0-no_limit) +# This option determines the initial bucket size as a percentage of +# max_bucket_size from client_delay_parameters. Buckets are created +# at the time of the "first" connection from the matching IP. Idle +# buckets are periodically deleted up. +# +# You can specify more than 100 percent but note that such "oversized" +# buckets are not refilled until their size goes down to max_bucket_size +# from client_delay_parameters. +# +# Example: +# client_delay_initial_bucket_level 50 +#Default: +# client_delay_initial_bucket_level 50 + +# TAG: client_delay_parameters +# +# This option configures client-side bandwidth limits using the +# following format: +# +# client_delay_parameters pool speed_limit max_bucket_size +# +# pool is an integer ID used for client_delay_access matching. +# +# speed_limit is bytes added to the bucket per second. +# +# max_bucket_size is the maximum size of a bucket, enforced after any +# speed_limit additions. +# +# Please see the delay_parameters option for more information and +# examples. +# +# Example: +# client_delay_parameters 1 1024 2048 +# client_delay_parameters 2 51200 16384 +# +# See also client_delay_access. +# +#Default: +# none + +# TAG: client_delay_access +# This option determines the client-side delay pool for the +# request: +# +# client_delay_access pool_ID allow|deny acl_name +# +# All client_delay_access options are checked in their pool ID +# order, starting with pool 1. The first checked pool with allowed +# request is selected for the request. If no ACL matches or there +# are no client_delay_access options, the request bandwidth is not +# limited. +# +# The ACL-selected pool is then used to find the +# client_delay_parameters for the request. Client-side pools are +# not used to aggregate clients. Clients are always aggregated +# based on their source IP addresses (one bucket per source IP). +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# Additionally, only the client TCP connection details are available. +# ACLs testing HTTP properties will not work. +# +# Please see delay_access for more examples. +# +# Example: +# client_delay_access 1 allow low_rate_network +# client_delay_access 2 allow vips_network +# +# +# See also client_delay_parameters and client_delay_pools. +#Default: +# Deny use of the pool, unless allow rules exist in squid.conf for the pool. + # WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS # ----------------------------------------------------------------------------- @@ -4040,7 +5969,7 @@ refresh_pattern . 0 20% 4320 # only one of the two may be used at the same time and defines # which version of WCCP to use. #Default: -# wccp_router any_addr +# WCCP disabled. # TAG: wccp2_router # Use this option to define your WCCP ``home'' router for @@ -4053,7 +5982,7 @@ refresh_pattern . 0 20% 4320 # only one of the two may be used at the same time and defines # which version of WCCP to use. #Default: -# none +# WCCPv2 disabled. # TAG: wccp_version # This directive is only relevant if you need to set up WCCP(v1) @@ -4110,7 +6039,7 @@ refresh_pattern . 0 20% 4320 # Valid values are as follows: # # hash - Hash assignment -# mask - Mask assignment +# mask - Mask assignment # # As a general rule, cisco routers support the hash assignment method # and cisco switches support the mask assignment method. @@ -4138,7 +6067,7 @@ refresh_pattern . 0 20% 4320 # # fleshed out with subsequent options. # wccp2_service standard 0 password=foo #Default: -# wccp2_service standard 0 +# Use the 'web-cache' standard service. # TAG: wccp2_service_info # Dynamic WCCPv2 services require further information to define the @@ -4175,8 +6104,12 @@ refresh_pattern . 0 20% 4320 # wccp2_weight 10000 # TAG: wccp_address +# Use this option if you require WCCPv2 to use a specific +# interface address. +# +# The default behavior is to not bind to any specific address. #Default: -# wccp_address 0.0.0.0 +# Address selected by the operating system. # TAG: wccp2_address # Use this option if you require WCCP to use a specific @@ -4184,7 +6117,7 @@ refresh_pattern . 0 20% 4320 # # The default behavior is to not bind to any specific address. #Default: -# wccp2_address 0.0.0.0 +# Address selected by the operating system. # PERSISTENT CONNECTION HANDLING # ----------------------------------------------------------------------------- @@ -4192,14 +6125,16 @@ refresh_pattern . 0 20% 4320 # Also see "pconn_timeout" in the TIMEOUTS section # TAG: client_persistent_connections +# Persistent connection support for clients. +# Squid uses persistent connections (when allowed). You can use +# this option to disable persistent connections with clients. #Default: # client_persistent_connections on # TAG: server_persistent_connections -# Persistent connection support for clients and servers. By -# default, Squid uses persistent connections (when allowed) -# with its clients and servers. You can use these options to -# disable persistent connections with clients and/or servers. +# Persistent connection support for servers. +# Squid uses persistent connections (when allowed). You can use +# this option to disable persistent connections with servers. #Default: # server_persistent_connections on @@ -4275,7 +6210,7 @@ refresh_pattern . 0 20% 4320 # Example: # snmp_port 3401 #Default: -# snmp_port 0 +# SNMP disabled. # TAG: snmp_access # Allowing or denying access to the SNMP port. @@ -4287,26 +6222,29 @@ refresh_pattern . 0 20% 4320 # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# #Example: # snmp_access allow snmppublic localhost # snmp_access deny all #Default: -# snmp_access deny all +# Deny, unless rules exist in squid.conf. # TAG: snmp_incoming_address -#Default: -# snmp_incoming_address any_addr - -# TAG: snmp_outgoing_address # Just like 'udp_incoming_address', but for the SNMP port. # # snmp_incoming_address is used for the SNMP socket receiving # messages from SNMP agents. -# snmp_outgoing_address is used for SNMP packets returned to SNMP -# agents. # # The default snmp_incoming_address is to listen on all # available network interfaces. +#Default: +# Accept SNMP packets from all machine interfaces. + +# TAG: snmp_outgoing_address +# Just like 'udp_outgoing_address', but for the SNMP port. +# +# snmp_outgoing_address is used for SNMP packets returned to SNMP +# agents. # # If snmp_outgoing_address is not set it will use the same socket # as snmp_incoming_address. Only change this if you want to have @@ -4314,9 +6252,9 @@ refresh_pattern . 0 20% 4320 # listens for SNMP queries. # # NOTE, snmp_incoming_address and snmp_outgoing_address can not have -# the same value since they both use port 3401. +# the same value since they both use the same port. #Default: -# snmp_outgoing_address no_addr +# Use snmp_incoming_address or an address selected by the operating system. # ICP OPTIONS # ----------------------------------------------------------------------------- @@ -4324,22 +6262,21 @@ refresh_pattern . 0 20% 4320 # TAG: icp_port # The port number where Squid sends and receives ICP queries to # and from neighbor caches. The standard UDP port for ICP is 3130. -# Default is disabled (0). # # Example: # icp_port 3130 #Default: -# icp_port 0 +# ICP disabled. # TAG: htcp_port # The port number where Squid sends and receives HTCP queries to # and from neighbor caches. To turn it on you want to set it to -# 4827. By default it is set to "0" (disabled). +# 4827. # # Example: # htcp_port 4827 #Default: -# htcp_port 0 +# HTCP disabled. # TAG: log_icp_queries on|off # If set, ICP queries are logged to access.log. You may wish @@ -4365,7 +6302,7 @@ refresh_pattern . 0 20% 4320 # NOTE, udp_incoming_address and udp_outgoing_address can not # have the same value since they both use the same port. #Default: -# udp_incoming_address any_addr +# Accept packets from all machine interfaces. # TAG: udp_outgoing_address # udp_outgoing_address is used for UDP packets sent out to other @@ -4386,7 +6323,7 @@ refresh_pattern . 0 20% 4320 # NOTE, udp_incoming_address and udp_outgoing_address can not # have the same value since they both use the same port. #Default: -# udp_outgoing_address no_addr +# Use udp_incoming_address or an address selected by the operating system. # TAG: icp_hit_stale on|off # If you want to return ICP_HIT for stale cache objects, set this @@ -4405,21 +6342,33 @@ refresh_pattern . 0 20% 4320 #Default: # minimum_direct_hops 4 -# TAG: minimum_direct_rtt +# TAG: minimum_direct_rtt (msec) # If using the ICMP pinging stuff, do direct fetches for sites # which are no more than this many rtt milliseconds away. #Default: # minimum_direct_rtt 400 # TAG: netdb_low +# The low water mark for the ICMP measurement database. +# +# Note: high watermark controlled by netdb_high directive. +# +# These watermarks are counts, not percents. The defaults are +# (low) 900 and (high) 1000. When the high water mark is +# reached, database entries will be deleted until the low +# mark is reached. #Default: # netdb_low 900 # TAG: netdb_high -# The low and high water marks for the ICMP measurement -# database. These are counts, not percents. The defaults are -# 900 and 1000. When the high water mark is reached, database -# entries will be deleted until the low mark is reached. +# The high water mark for the ICMP measurement database. +# +# Note: low watermark controlled by netdb_low directive. +# +# These watermarks are counts, not percents. The defaults are +# (low) 900 and (high) 1000. When the high water mark is +# reached, database entries will be deleted until the low +# mark is reached. #Default: # netdb_high 1000 @@ -4462,7 +6411,7 @@ refresh_pattern . 0 20% 4320 # # icp_query_timeout 2000 #Default: -# icp_query_timeout 0 +# Dynamic detection. # TAG: maximum_icp_query_timeout (msec) # Normally the ICP query timeout is determined dynamically. But @@ -4528,7 +6477,7 @@ refresh_pattern . 0 20% 4320 # Do not enable this option unless you are are absolutely # certain you understand what you are doing. #Default: -# mcast_miss_addr no_addr +# disabled. # TAG: mcast_miss_ttl # Note: This option is only available if Squid is rebuilt with the @@ -4618,7 +6567,7 @@ refresh_pattern . 0 20% 4320 # The squid developers working on translations are happy to supply drop-in # translated error files in exchange for any new language contributions. #Default: -# none +# Send error pages in the clients preferred language # TAG: error_default_language # Set the default language which squid will send error pages in @@ -4632,7 +6581,7 @@ refresh_pattern . 0 20% 4320 # translations for any language see the squid wiki for details. # http://wiki.squid-cache.org/Translations #Default: -# none +# Generate English language pages. # TAG: error_log_languages # Log to cache.log what languages users are attempting to @@ -4687,17 +6636,47 @@ refresh_pattern . 0 20% 4320 # the first authentication related acl encountered # - When none of the http_access lines matches. It's then the last # acl processed on the last http_access line. +# - When the decision to deny access was made by an adaptation service, +# the acl name is the corresponding eCAP or ICAP service_name. # # NP: If providing your own custom error pages with error_directory # you may also specify them by your custom file name: # Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys # -# Alternatively you can specify an error URL. The browsers will -# get redirected (302 or 307) to the specified URL. %s in the redirection -# URL will be replaced by the requested URL. +# By defaut Squid will send "403 Forbidden". A different 4xx or 5xx +# may be specified by prefixing the file name with the code and a colon. +# e.g. 404:ERR_CUSTOM_ACCESS_DENIED # # Alternatively you can tell Squid to reset the TCP connection # by specifying TCP_RESET. +# +# Or you can specify an error URL or URL pattern. The browsers will +# get redirected to the specified URL after formatting tags have +# been replaced. Redirect will be done with 302 or 307 according to +# HTTP/1.1 specs. A different 3xx code may be specified by prefixing +# the URL. e.g. 303:http://example.com/ +# +# URL FORMAT TAGS: +# %a - username (if available. Password NOT included) +# %B - FTP path URL +# %e - Error number +# %E - Error description +# %h - Squid hostname +# %H - Request domain name +# %i - Client IP Address +# %M - Request Method +# %o - Message result from external ACL helper +# %p - Request Port number +# %P - Request Protocol name +# %R - Request URL path +# %T - Timestamp in RFC 1123 format +# %U - Full canonical URL from client +# (HTTPS URLs terminate with *) +# %u - Full canonical URL from client +# %w - Admin email from squid.conf +# %x - Error name +# %% - Literal percent (%) code +# #Default: # none @@ -4706,18 +6685,18 @@ refresh_pattern . 0 20% 4320 # TAG: nonhierarchical_direct # By default, Squid will send any non-hierarchical requests -# (matching hierarchy_stoplist or not cacheable request type) direct -# to origin servers. +# (not cacheable request type) direct to origin servers. # -# If you set this to off, Squid will prefer to send these +# When this is set to "off", Squid will prefer to send these # requests to parents. # # Note that in most configurations, by turning this off you will only # add latency to these request without any improvement in global hit # ratio. # -# If you are inside an firewall see never_direct instead of -# this directive. +# This option only sets a preference. If the parent is unavailable a +# direct connection to the origin server may still be attempted. To +# completely prevent direct connections use never_direct. #Default: # nonhierarchical_direct on @@ -4736,6 +6715,29 @@ refresh_pattern . 0 20% 4320 #Default: # prefer_direct off +# TAG: cache_miss_revalidate on|off +# RFC 7232 defines a conditional request mechanism to prevent +# response objects being unnecessarily transferred over the network. +# If that mechanism is used by the client and a cache MISS occurs +# it can prevent new cache entries being created. +# +# This option determines whether Squid on cache MISS will pass the +# client revalidation request to the server or tries to fetch new +# content for caching. It can be useful while the cache is mostly +# empty to more quickly have the cache populated by generating +# non-conditional GETs. +# +# When set to 'on' (default), Squid will pass all client If-* headers +# to the server. This permits server responses without a cacheable +# payload to be delivered and on MISS no new cache entry is created. +# +# When set to 'off' and if the request is cacheable, Squid will +# remove the clients If-Modified-Since and If-None-Match headers from +# the request sent to the server. This requests a 200 status response +# from the server to create a new cache entry with. +#Default: +# cache_miss_revalidate on + # TAG: always_direct # Usage: always_direct allow|deny [!]aclname ... # @@ -4776,7 +6778,7 @@ refresh_pattern . 0 20% 4320 # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Prevent any cache_peer being used for this request. # TAG: never_direct # Usage: never_direct allow|deny [!]aclname ... @@ -4805,37 +6807,52 @@ refresh_pattern . 0 20% 4320 # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow DNS results to be used for this request. # ADVANCED NETWORKING OPTIONS # ----------------------------------------------------------------------------- -# TAG: incoming_icp_average +# TAG: incoming_udp_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: -# incoming_icp_average 6 +# incoming_udp_average 6 -# TAG: incoming_http_average +# TAG: incoming_tcp_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: -# incoming_http_average 4 +# incoming_tcp_average 4 # TAG: incoming_dns_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: # incoming_dns_average 4 -# TAG: min_icp_poll_cnt +# TAG: min_udp_poll_cnt +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: -# min_icp_poll_cnt 8 +# min_udp_poll_cnt 8 # TAG: min_dns_poll_cnt +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: # min_dns_poll_cnt 8 -# TAG: min_http_poll_cnt +# TAG: min_tcp_poll_cnt # Heavy voodoo here. I can't even believe you are reading this. # Are you crazy? Don't even think about adjusting these unless # you understand the algorithms in comm_select.c first! #Default: -# min_http_poll_cnt 8 +# min_tcp_poll_cnt 8 # TAG: accept_filter # FreeBSD: @@ -4880,14 +6897,14 @@ refresh_pattern . 0 20% 4320 # WARNING: This may noticably slow down traffic received via external proxies # or NAT devices and cause them to rebound error messages back to their clients. #Default: -# client_ip_max_connections -1 +# No limit. # TAG: tcp_recv_bufsize (bytes) # Size of receive buffer to set for TCP sockets. Probably just -# as easy to change your kernel's default. Set to zero to use -# the default buffer size. +# as easy to change your kernel's default. +# Omit from squid.conf to use the default buffer size. #Default: -# tcp_recv_bufsize 0 bytes +# Use operating system TCP defaults. # ICAP OPTIONS # ----------------------------------------------------------------------------- @@ -4913,22 +6930,36 @@ refresh_pattern . 0 20% 4320 # an established, active ICAP connection before giving up and # either terminating the HTTP transaction or bypassing the # failure. -# -# The default is read_timeout. #Default: -# none +# Use read_timeout. -# TAG: icap_service_failure_limit +# TAG: icap_service_failure_limit limit [in memory-depth time-units] # The limit specifies the number of failures that Squid tolerates # when establishing a new TCP connection with an ICAP service. If # the number of failures exceeds the limit, the ICAP service is # not used for new ICAP requests until it is time to refresh its -# OPTIONS. The per-service failure counter is reset to zero each -# time Squid fetches new service OPTIONS. +# OPTIONS. # # A negative value disables the limit. Without the limit, an ICAP # service will not be considered down due to connectivity failures # between ICAP OPTIONS requests. +# +# Squid forgets ICAP service failures older than the specified +# value of memory-depth. The memory fading algorithm +# is approximate because Squid does not remember individual +# errors but groups them instead, splitting the option +# value into ten time slots of equal length. +# +# When memory-depth is 0 and by default this option has no +# effect on service failure expiration. +# +# Squid always forgets failures when updating service settings +# using an ICAP OPTIONS transaction, regardless of this option +# setting. +# +# For example, +# # suspend service usage after 10 failures in 5 seconds: +# icap_service_failure_limit 10 in 5 seconds #Default: # icap_service_failure_limit 10 @@ -4962,10 +6993,26 @@ refresh_pattern . 0 20% 4320 # TAG: icap_preview_size # The default size of preview data to be sent to the ICAP server. -# -1 means no preview. This value might be overwritten on a per server -# basis by OPTIONS requests. +# This value might be overwritten on a per server basis by OPTIONS requests. +#Default: +# No preview sent. + +# TAG: icap_206_enable on|off +# 206 (Partial Content) responses is an ICAP extension that allows the +# ICAP agents to optionally combine adapted and original HTTP message +# content. The decision to combine is postponed until the end of the +# ICAP response. Squid supports Partial Content extension by default. +# +# Activation of the Partial Content extension is negotiated with each +# ICAP service during OPTIONS exchange. Most ICAP servers should handle +# negotation correctly even if they do not support the extension, but +# some might fail. To disable Partial Content support for all ICAP +# services and to avoid any negotiation, set this option to "off". +# +# Example: +# icap_206_enable off #Default: -# icap_preview_size -1 +# icap_206_enable on # TAG: icap_default_options_ttl # The default TTL value for ICAP OPTIONS responses that don't have @@ -4979,25 +7026,27 @@ refresh_pattern . 0 20% 4320 #Default: # icap_persistent_connections on -# TAG: icap_send_client_ip on|off +# TAG: adaptation_send_client_ip on|off # If enabled, Squid shares HTTP client IP information with adaptation # services. For ICAP, Squid adds the X-Client-IP header to ICAP requests. # For eCAP, Squid sets the libecap::metaClientIp transaction option. # # See also: adaptation_uses_indirect_client #Default: -# icap_send_client_ip off +# adaptation_send_client_ip off -# TAG: icap_send_client_username on|off +# TAG: adaptation_send_username on|off # This sends authenticated HTTP client username (if available) to -# the ICAP service. The username value is encoded based on the +# the adaptation service. +# +# For ICAP, the username value is encoded based on the # icap_client_username_encode option and is sent using the header # specified by the icap_client_username_header option. #Default: -# icap_send_client_username off +# adaptation_send_username off # TAG: icap_client_username_header -# ICAP request header name to use for send_client_username. +# ICAP request header name to use for adaptation_send_username. #Default: # icap_client_username_header X-Client-Username @@ -5009,17 +7058,19 @@ refresh_pattern . 0 20% 4320 # TAG: icap_service # Defines a single ICAP service using the following format: # -# icap_service service_name vectoring_point [options] service_url +# icap_service id vectoring_point uri [option ...] # -# service_name: ID -# an opaque identifier which must be unique in squid.conf +# id: ID +# an opaque identifier or name which is used to direct traffic to +# this specific service. Must be unique among all adaptation +# services in squid.conf. # # vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache # This specifies at which point of transaction processing the # ICAP service should be activated. *_postcache vectoring points # are not yet supported. # -# service_url: icap://servername:port/servicepath +# uri: icap://servername:port/servicepath # ICAP server and service location. # # ICAP does not allow a single service to handle both REQMOD and RESPMOD @@ -5028,6 +7079,8 @@ refresh_pattern . 0 20% 4320 # can even specify multiple identical services as long as their # service_names differ. # +# To activate a service, use the adaptation_access directive. To group +# services, use adaptation_service_chain and adaptation_service_set. # # Service options are separated by white space. ICAP services support # the following name=value options: @@ -5049,11 +7102,12 @@ refresh_pattern . 0 20% 4320 # returning a chain of services to be used next. The services # are specified using the X-Next-Services ICAP response header # value, formatted as a comma-separated list of service names. -# Each named service should be configured in squid.conf and -# should have the same method and vectoring point as the current -# ICAP transaction. Services violating these rules are ignored. -# An empty X-Next-Services value results in an empty plan which -# ends the current adaptation. +# Each named service should be configured in squid.conf. Other +# services are ignored. An empty X-Next-Services value results +# in an empty plan which ends the current adaptation. +# +# Dynamic adaptation plan may cross or cover multiple supported +# vectoring points in their natural processing order. # # Routing is not allowed by default: the ICAP X-Next-Services # response header is ignored. @@ -5063,12 +7117,32 @@ refresh_pattern . 0 20% 4320 # is to use IPv4-only connections. When set to 'on' this option will # make Squid use IPv6-only connections to contact this ICAP service. # +# on-overload=block|bypass|wait|force +# If the service Max-Connections limit has been reached, do +# one of the following for each new ICAP transaction: +# * block: send an HTTP error response to the client +# * bypass: ignore the "over-connected" ICAP service +# * wait: wait (in a FIFO queue) for an ICAP connection slot +# * force: proceed, ignoring the Max-Connections limit +# +# In SMP mode with N workers, each worker assumes the service +# connection limit is Max-Connections/N, even though not all +# workers may use a given service. +# +# The default value is "bypass" if service is bypassable, +# otherwise it is set to "wait". +# +# +# max-conn=number +# Use the given number as the Max-Connections limit, regardless +# of the Max-Connections value given by the service, if any. +# # Older icap_service format without optional named parameters is # deprecated but supported for backward compatibility. # #Example: -#icap_service svcBlocker reqmod_precache bypass=0 icap://icap1.mydomain.net:1344/reqmod -#icap_service svcLogger reqmod_precache routing=on icap://icap2.mydomain.net:1344/respmod +#icap_service svcBlocker reqmod_precache icap://icap1.mydomain.net:1344/reqmod bypass=0 +#icap_service svcLogger reqmod_precache icap://icap2.mydomain.net:1344/respmod routing=on #Default: # none @@ -5094,38 +7168,65 @@ refresh_pattern . 0 20% 4320 # ----------------------------------------------------------------------------- # TAG: ecap_enable on|off -# Note: This option is only available if Squid is rebuilt with the -# --enable-ecap option -# # Controls whether eCAP support is enabled. #Default: # ecap_enable off # TAG: ecap_service -# Note: This option is only available if Squid is rebuilt with the -# --enable-ecap option -# # Defines a single eCAP service # -# ecap_service servicename vectoring_point bypass service_url +# ecap_service id vectoring_point uri [option ...] # -# vectoring_point = reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache +# id: ID +# an opaque identifier or name which is used to direct traffic to +# this specific service. Must be unique among all adaptation +# services in squid.conf. +# +# vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache # This specifies at which point of transaction processing the # eCAP service should be activated. *_postcache vectoring points # are not yet supported. -# bypass = 1|0 -# If set to 1, the eCAP service is treated as optional. If the -# service cannot be reached or malfunctions, Squid will try to -# ignore any errors and process the message as if the service +# +# uri: ecap://vendor/service_name?custom&cgi=style¶meters=optional +# Squid uses the eCAP service URI to match this configuration +# line with one of the dynamically loaded services. Each loaded +# eCAP service must have a unique URI. Obtain the right URI from +# the service provider. +# +# To activate a service, use the adaptation_access directive. To group +# services, use adaptation_service_chain and adaptation_service_set. +# +# Service options are separated by white space. eCAP services support +# the following name=value options: +# +# bypass=on|off|1|0 +# If set to 'on' or '1', the eCAP service is treated as optional. +# If the service cannot be reached or malfunctions, Squid will try +# to ignore any errors and process the message as if the service # was not enabled. No all eCAP errors can be bypassed. -# If set to 0, the eCAP service is treated as essential and all -# eCAP errors will result in an error page returned to the +# If set to 'off' or '0', the eCAP service is treated as essential +# and all eCAP errors will result in an error page returned to the # HTTP client. -# service_url = ecap://vendor/service_name?custom&cgi=style¶meters=optional +# +# Bypass is off by default: services are treated as essential. +# +# routing=on|off|1|0 +# If set to 'on' or '1', the eCAP service is allowed to +# dynamically change the current message adaptation plan by +# returning a chain of services to be used next. +# +# Dynamic adaptation plan may cross or cover multiple supported +# vectoring points in their natural processing order. +# +# Routing is not allowed by default. +# +# Older ecap_service format without optional named parameters is +# deprecated but supported for backward compatibility. +# # #Example: -#ecap_service service_1 reqmod_precache 0 ecap://filters-R-us/leakDetector?on_error=block -#ecap_service service_2 respmod_precache 1 icap://filters-R-us/virusFilter?config=/etc/vf.cfg +#ecap_service s1 reqmod_precache ecap://filters.R.us/leakDetector?on_error=block bypass=off +#ecap_service s2 respmod_precache ecap://filters.R.us/virusFilter config=/etc/vf.cfg bypass=on #Default: # none @@ -5247,7 +7348,7 @@ refresh_pattern . 0 20% 4320 #Example: #adaptation_access service_1 allow all #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: adaptation_service_iteration_limit # Limits the number of iterations allowed when applying adaptation @@ -5275,8 +7376,14 @@ refresh_pattern . 0 20% 4320 # # An ICAP REQMOD or RESPMOD transaction may set an entry in the # shared table by returning an ICAP header field with a name -# specified in adaptation_masterx_shared_names. Squid will store -# and forward that ICAP header field to subsequent ICAP +# specified in adaptation_masterx_shared_names. +# +# An eCAP REQMOD or RESPMOD transaction may set an entry in the +# shared table by implementing the libecap::visitEachOption() API +# to provide an option with a name specified in +# adaptation_masterx_shared_names. +# +# Squid will store and forward the set entry to subsequent adaptation # transactions within the same master transaction scope. # # Only one shared entry name is supported at this time. @@ -5287,6 +7394,43 @@ refresh_pattern . 0 20% 4320 #Default: # none +# TAG: adaptation_meta +# This option allows Squid administrator to add custom ICAP request +# headers or eCAP options to Squid ICAP requests or eCAP transactions. +# Use it to pass custom authentication tokens and other +# transaction-state related meta information to an ICAP/eCAP service. +# +# The addition of a meta header is ACL-driven: +# adaptation_meta name value [!]aclname ... +# +# Processing for a given header name stops after the first ACL list match. +# Thus, it is impossible to add two headers with the same name. If no ACL +# lists match for a given header name, no such header is added. For +# example: +# +# # do not debug transactions except for those that need debugging +# adaptation_meta X-Debug 1 needs_debugging +# +# # log all transactions except for those that must remain secret +# adaptation_meta X-Log 1 !keep_secret +# +# # mark transactions from users in the "G 1" group +# adaptation_meta X-Authenticated-Groups "G 1" authed_as_G1 +# +# The "value" parameter may be a regular squid.conf token or a "double +# quoted string". Within the quoted string, use backslash (\) to escape +# any character, which is currently only useful for escaping backslashes +# and double quotes. For example, +# "this string has one backslash (\\) and two \"quotes\"" +# +# Used adaptation_meta header values may be logged via %note +# logformat code. If multiple adaptation_meta headers with the same name +# are used during master transaction lifetime, the header values are +# logged in the order they were used and duplicate values are ignored +# (only the first repeated value will be logged). +#Default: +# none + # TAG: icap_retry # This ACL determines which retriable ICAP transactions are # retried. Transactions that received a complete ICAP response @@ -5303,8 +7447,7 @@ refresh_pattern . 0 20% 4320 # icap_retry deny all # TAG: icap_retry_limit -# Limits the number of retries allowed. When set to zero (default), -# no retries are allowed. +# Limits the number of retries allowed. # # Communication errors due to persistent connection race # conditions are unavoidable, automatically retried, and do not @@ -5312,7 +7455,7 @@ refresh_pattern . 0 20% 4320 # # See also: icap_retry #Default: -# icap_retry_limit 0 +# No retries are allowed. # DNS OPTIONS # ----------------------------------------------------------------------------- @@ -5332,31 +7475,9 @@ refresh_pattern . 0 20% 4320 #Default: # allow_underscore on -# TAG: cache_dns_program -# Note: This option is only available if Squid is rebuilt with the -# --disable-internal-dns option -# -# Specify the location of the executable for dnslookup process. -#Default: -# cache_dns_program /usr/lib/squid/dnsserver - -# TAG: dns_children -# Note: This option is only available if Squid is rebuilt with the -# --disable-internal-dns option -# -# The number of processes spawn to service DNS name lookups. -# For heavily loaded caches on large servers, you should -# probably increase this value to at least 10. The maximum -# is 32. The default is 5. -# -# You must have at least one dnsserver process. -#Default: -# dns_children 5 - # TAG: dns_retransmit_interval # Initial retransmit interval for DNS queries. The interval is # doubled each time all configured DNS servers have been tried. -# #Default: # dns_retransmit_interval 5 seconds @@ -5365,7 +7486,31 @@ refresh_pattern . 0 20% 4320 # within this time all DNS servers for the queried domain # are assumed to be unavailable. #Default: -# dns_timeout 2 minutes +# dns_timeout 30 seconds + +# TAG: dns_packet_max +# Maximum number of bytes packet size to advertise via EDNS. +# Set to "none" to disable EDNS large packet support. +# +# For legacy reasons DNS UDP replies will default to 512 bytes which +# is too small for many responses. EDNS provides a means for Squid to +# negotiate receiving larger responses back immediately without having +# to failover with repeat requests. Responses larger than this limit +# will retain the old behaviour of failover to TCP DNS. +# +# Squid has no real fixed limit internally, but allowing packet sizes +# over 1500 bytes requires network jumbogram support and is usually not +# necessary. +# +# WARNING: The RFC also indicates that some older resolvers will reply +# with failure of the whole request if the extension is added. Some +# resolvers have already been identified which will reply with mangled +# EDNS response on occasion. Usually in response to many-KB jumbogram +# sizes being advertised by Squid. +# Squid will currently treat these both as an unable-to-resolve domain +# even if it would be resolvable without EDNS. +#Default: +# EDNS disabled # TAG: dns_defnames on|off # Normally the RES_DEFNAMES resolver option is disabled @@ -5373,12 +7518,21 @@ refresh_pattern . 0 20% 4320 # from interpreting single-component hostnames locally. To allow # Squid to handle single-component names, enable this option. #Default: -# dns_defnames off +# Search for single-label domain names is disabled. + +# TAG: dns_multicast_local on|off +# When set to on, Squid sends multicast DNS lookups on the local +# network for domains ending in .local and .arpa. +# This enables local servers and devices to be contacted in an +# ad-hoc or zero-configuration network environment. +#Default: +# Search for .local and .arpa names is disabled. # TAG: dns_nameservers # Use this if you want to specify a list of DNS name servers # (IP addresses) to use instead of those given in your # /etc/resolv.conf file. +# # On Windows platforms, if no value is specified here or in # the /etc/resolv.conf file, the list of DNS name servers are # taken from the Windows registry, both static and dynamic DHCP @@ -5386,7 +7540,7 @@ refresh_pattern . 0 20% 4320 # # Example: dns_nameservers 10.0.0.1 192.172.0.4 #Default: -# none +# Use operating system definitions # TAG: hosts_file # Location of the host-local IP name-address associations @@ -5425,7 +7579,7 @@ refresh_pattern . 0 20% 4320 #Example: # append_domain .yourdomain.com #Default: -# none +# Use operating system definitions # TAG: ignore_unknown_nameservers # By default Squid checks that DNS responses are received @@ -5436,23 +7590,6 @@ refresh_pattern . 0 20% 4320 #Default: # ignore_unknown_nameservers on -# TAG: dns_v4_fallback -# Standard practice with DNS is to lookup either A or AAAA records -# and use the results if it succeeds. Only looking up the other if -# the first attempt fails or otherwise produces no results. -# -# That policy however will cause squid to produce error pages for some -# servers that advertise AAAA but are unreachable over IPv6. -# -# If this is ON squid will always lookup both AAAA and A, using both. -# If this is OFF squid will lookup AAAA and only try A if none found. -# -# WARNING: There are some possibly unwanted side-effects with this on: -# *) Doubles the load placed by squid on the DNS network. -# *) May negatively impact connection delay times. -#Default: -# dns_v4_fallback on - # TAG: dns_v4_first # With the IPv6 Internet being as fast or faster than IPv4 Internet # for most networks Squid prefers to contact websites over IPv6. @@ -5464,11 +7601,12 @@ refresh_pattern . 0 20% 4320 # WARNING: # This option will restrict the situations under which IPv6 # connectivity is used (and tested), potentially hiding network -# problem swhich would otherwise be detected and warned about. +# problems which would otherwise be detected and warned about. #Default: # dns_v4_first off # TAG: ipcache_size (number of entries) +# Maximum number of DNS IP cache entries. #Default: # ipcache_size 1024 @@ -5489,6 +7627,15 @@ refresh_pattern . 0 20% 4320 # MISCELLANEOUS # ----------------------------------------------------------------------------- +# TAG: configuration_includes_quoted_values on|off +# If set, Squid will recognize each "quoted string" after a configuration +# directive as a single parameter. The quotes are stripped before the +# parameter value is interpreted or used. +# See "Values with spaces, quotes, and other special characters" +# section for more details. +#Default: +# configuration_includes_quoted_values off + # TAG: memory_pools on|off # If set, Squid will keep pools of allocated (but unused) memory # available for future use. If memory is a premium on your @@ -5539,7 +7686,7 @@ refresh_pattern . 0 20% 4320 # X-Forwarded-For header. # # If set to "truncate", Squid will remove all existing -# X-Forwarded-For entries, and place itself as the sole entry. +# X-Forwarded-For entries, and place the client IP as the sole entry. #Default: # forwarded_for on @@ -5602,7 +7749,7 @@ refresh_pattern . 0 20% 4320 # cachemgr_passwd lesssssssecret info stats/objects # cachemgr_passwd disable all #Default: -# none +# No password. Actions which require password are denied. # TAG: client_db on|off # If you want to disable collecting per-client statistics, @@ -5633,19 +7780,22 @@ refresh_pattern . 0 20% 4320 #Default: # reload_into_ims off -# TAG: maximum_single_addr_tries -# This sets the maximum number of connection attempts for a -# host that only has one address (for multiple-address hosts, -# each address is tried once). +# TAG: connect_retries +# This sets the maximum number of connection attempts made for each +# TCP connection. The connect_retries attempts must all still +# complete within the connection timeout period. +# +# The default is not to re-try if the first connection attempt fails. +# The (not recommended) maximum is 10 tries. # -# The default value is one attempt, the (not recommended) -# maximum is 255 tries. A warning message will be generated -# if it is set to a value greater than ten. +# A warning message will be generated if it is set to a too-high +# value and the configured value will be over-ridden. # -# Note: This is in addition to the request re-forwarding which -# takes place if Squid fails to get a satisfying response. +# Note: These re-tries are in addition to forward_max_tries +# which limit how many different addresses may be tried to find +# a useful server. #Default: -# maximum_single_addr_tries 1 +# Do not retry failed connections. # TAG: retry_on_error # If set to ON Squid will automatically retry requests when @@ -5678,20 +7828,32 @@ refresh_pattern . 0 20% 4320 # URI. Options: # # strip: The whitespace characters are stripped out of the URL. -# This is the behavior recommended by RFC2396. +# This is the behavior recommended by RFC2396 and RFC3986 +# for tolerant handling of generic URI. +# NOTE: This is one difference between generic URI and HTTP URLs. +# # deny: The request is denied. The user receives an "Invalid # Request" message. +# This is the behaviour recommended by RFC2616 for safe +# handling of HTTP request URL. +# # allow: The request is allowed and the URI is not changed. The # whitespace characters remain in the URI. Note the # whitespace is passed to redirector processes if they # are in use. +# Note this may be considered a violation of RFC2616 +# request parsing where whitespace is prohibited in the +# URL field. +# # encode: The request is allowed and the whitespace characters are -# encoded according to RFC1738. This could be considered -# a violation of the HTTP/1.1 -# RFC because proxies are not allowed to rewrite URI's. +# encoded according to RFC1738. +# # chop: The request is allowed and the URI is chopped at the -# first whitespace. This might also be considered a -# violation. +# first whitespace. +# +# +# NOTE the current Squid implementation of encode and chop violates +# RFC2616 by not using a 301 redirect after altering the URL. #Default: # uri_whitespace strip @@ -5718,23 +7880,28 @@ refresh_pattern . 0 20% 4320 # balance_on_multiple_ip off # TAG: pipeline_prefetch -# To boost the performance of pipelined requests to closer -# match that of a non-proxied environment Squid can try to fetch -# up to two requests in parallel from a pipeline. -# -# Defaults to off for bandwidth management and access logging +# HTTP clients may send a pipeline of 1+N requests to Squid using a +# single connection, without waiting for Squid to respond to the first +# of those requests. This option limits the number of concurrent +# requests Squid will try to handle in parallel. If set to N, Squid +# will try to receive and process up to 1+N requests on the same +# connection concurrently. +# +# Defaults to 0 (off) for bandwidth management and access logging # reasons. # +# NOTE: pipelining requires persistent connections to clients. +# # WARNING: pipelining breaks NTLM and Negotiate/Kerberos authentication. #Default: -# pipeline_prefetch off +# Do not pre-parse pipelined requests. # TAG: high_response_time_warning (msec) # If the one-minute median response time exceeds this value, # Squid prints a WARNING with debug level 0 to get the # administrators attention. The value is in milliseconds. #Default: -# high_response_time_warning 0 +# disabled. # TAG: high_page_fault_warning # If the one-minute average page fault rate exceeds this @@ -5742,14 +7909,17 @@ refresh_pattern . 0 20% 4320 # the administrators attention. The value is in page faults # per second. #Default: -# high_page_fault_warning 0 +# disabled. # TAG: high_memory_warning -# If the memory usage (as determined by mallinfo) exceeds -# this amount, Squid prints a WARNING with debug level 0 to get +# Note: This option is only available if Squid is rebuilt with the +# GNU Malloc with mstats() +# +# If the memory usage (as determined by gnumalloc, if available and used) +# exceeds this amount, Squid prints a WARNING with debug level 0 to get # the administrators attention. #Default: -# high_memory_warning 0 KB +# disabled. # TAG: sleep_after_fork (microseconds) # When this is set to a non-zero value, the main Squid process @@ -5766,6 +7936,9 @@ refresh_pattern . 0 20% 4320 # sleep_after_fork 0 # TAG: windows_ipaddrchangemonitor on|off +# Note: This option is only available if Squid is rebuilt with the +# MS Windows +# # On Windows Squid by default will monitor IP address changes and will # reconfigure itself after any detected event. This is very useful for # proxies connected to internet with dial-up interfaces. @@ -5775,13 +7948,19 @@ refresh_pattern . 0 20% 4320 #Default: # windows_ipaddrchangemonitor on +# TAG: eui_lookup +# Whether to lookup the EUI or MAC address of a connected client. +#Default: +# eui_lookup on + # TAG: max_filedescriptors -# The maximum number of filedescriptors supported. +# Reduce the maximum number of filedescriptors supported below +# the usual operating system defaults. # -# The default "0" means Squid inherits the current ulimit setting. +# Remove from squid.conf to inherit the current ulimit setting. # # Note: Changing this requires a restart of Squid. Also -# not all comm loops supports large values. +# not all I/O types supports large values (eg on Windows). #Default: -# max_filedescriptors 0 +# Use operating system limits set by ulimit. diff --git a/hosts/profitbricks-build11-amd64/etc/squid/squid.conf b/hosts/profitbricks-build11-amd64/etc/squid/squid.conf index 34be0ec5..ad1cdc47 100644 --- a/hosts/profitbricks-build11-amd64/etc/squid/squid.conf +++ b/hosts/profitbricks-build11-amd64/etc/squid/squid.conf @@ -1,4 +1,4 @@ -# WELCOME TO SQUID 3.1.20 +# WELCOME TO SQUID 3.5.23 # ---------------------------- # # This is the documentation for the Squid configuration file. @@ -32,6 +32,188 @@ # This arbitrary restriction is to prevent recursive include references # from causing Squid entering an infinite loop whilst trying to load # configuration files. +# +# Values with byte units +# +# Squid accepts size units on some size related directives. All +# such directives are documented with a default value displaying +# a unit. +# +# Units accepted by Squid are: +# bytes - byte +# KB - Kilobyte (1024 bytes) +# MB - Megabyte +# GB - Gigabyte +# +# Values with spaces, quotes, and other special characters +# +# Squid supports directive parameters with spaces, quotes, and other +# special characters. Surround such parameters with "double quotes". Use +# the configuration_includes_quoted_values directive to enable or +# disable that support. +# +# Squid supports reading configuration option parameters from external +# files using the syntax: +# parameters("/path/filename") +# For example: +# acl whitelist dstdomain parameters("/etc/squid/whitelist.txt") +# +# Conditional configuration +# +# If-statements can be used to make configuration directives +# depend on conditions: +# +# if +# ... regular configuration directives ... +# [else +# ... regular configuration directives ...] +# endif +# +# The else part is optional. The keywords "if", "else", and "endif" +# must be typed on their own lines, as if they were regular +# configuration directives. +# +# NOTE: An else-if condition is not supported. +# +# These individual conditions types are supported: +# +# true +# Always evaluates to true. +# false +# Always evaluates to false. +# = +# Equality comparison of two integer numbers. +# +# +# SMP-Related Macros +# +# The following SMP-related preprocessor macros can be used. +# +# ${process_name} expands to the current Squid process "name" +# (e.g., squid1, squid2, or cache1). +# +# ${process_number} expands to the current Squid process +# identifier, which is an integer number (e.g., 1, 2, 3) unique +# across all Squid processes of the current service instance. +# +# ${service_name} expands into the current Squid service instance +# name identifier which is provided by -n on the command line. +# + +# TAG: broken_vary_encoding +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: cache_vary +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: error_map +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: external_refresh_check +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: location_rewrite_program +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: refresh_stale_hit +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: hierarchy_stoplist +# Remove this line. Use always_direct or cache_peer_access ACLs instead if you need to prevent cache_peer use. +#Default: +# none + +# TAG: log_access +# Remove this line. Use acls with access_log directives to control access logging +#Default: +# none + +# TAG: log_icap +# Remove this line. Use acls with icap_log directives to control icap logging +#Default: +# none + +# TAG: ignore_ims_on_miss +# Remove this line. The HTTP/1.1 feature is now configured by 'cache_miss_revalidate'. +#Default: +# none + +# TAG: chunked_request_body_max_size +# Remove this line. Squid is now HTTP/1.1 compliant. +#Default: +# none + +# TAG: dns_v4_fallback +# Remove this line. Squid performs a 'Happy Eyeballs' algorithm, the 'fallback' algorithm is no longer relevant. +#Default: +# none + +# TAG: emulate_httpd_log +# Replace this with an access_log directive using the format 'common' or 'combined'. +#Default: +# none + +# TAG: forward_log +# Use a regular access.log with ACL limiting it to MISS events. +#Default: +# none + +# TAG: ftp_list_width +# Remove this line. Configure FTP page display using the CSS controls in errorpages.css instead. +#Default: +# none + +# TAG: ignore_expect_100 +# Remove this line. The HTTP/1.1 feature is now fully supported by default. +#Default: +# none + +# TAG: log_fqdn +# Remove this option from your config. To log FQDN use %>A in the log format. +#Default: +# none + +# TAG: log_ip_on_direct +# Remove this option from your config. To log server or peer names use % -##auth_param negotiate children 5 +##auth_param negotiate children 20 startup=0 idle=1 ##auth_param negotiate keep_alive on ## -##auth_param ntlm program -##auth_param ntlm children 5 -##auth_param ntlm keep_alive on -## -##auth_param digest program -##auth_param digest children 5 +##auth_param digest program +##auth_param digest children 20 startup=0 idle=1 ##auth_param digest realm Squid proxy-caching web server ##auth_param digest nonce_garbage_interval 5 minutes ##auth_param digest nonce_max_duration 30 minutes ##auth_param digest nonce_max_count 50 ## +##auth_param ntlm program +##auth_param ntlm children 20 startup=0 idle=1 +##auth_param ntlm keep_alive on +## ##auth_param basic program -##auth_param basic children 5 +##auth_param basic children 5 startup=5 idle=1 ##auth_param basic realm Squid proxy-caching web server ##auth_param basic credentialsttl 2 hours #Default: @@ -343,7 +448,7 @@ # TAG: authenticate_cache_garbage_interval # The time period between garbage collection across the username cache. -# This is a tradeoff between memory utilization (long intervals - say +# This is a trade-off between memory utilization (long intervals - say # 2 days) and CPU (short intervals - say 1 minute). Only change if you # have good reason to. #Default: @@ -362,11 +467,11 @@ # this directive controls how long Squid remembers the IP # addresses associated with each user. Use a small value # (e.g., 60 seconds) if your users might change addresses -# quickly, as is the case with dialups. You might be safe +# quickly, as is the case with dialup. You might be safe # using a larger value (e.g., 2 hours) in a corporate LAN # environment with relatively static address assignments. #Default: -# authenticate_ip_ttl 0 seconds +# authenticate_ip_ttl 1 second # ACCESS CONTROLS # ----------------------------------------------------------------------------- @@ -381,31 +486,66 @@ # # ttl=n TTL in seconds for cached results (defaults to 3600 # for 1 hour) +# # negative_ttl=n # TTL for cached negative lookups (default same # as ttl) -# children=n Number of acl helper processes spawn to service +# +# grace=n Percentage remaining of TTL where a refresh of a +# cached entry should be initiated without needing to +# wait for a new reply. (default is for no grace period) +# +# cache=n The maximum number of entries in the result cache. The +# default limit is 262144 entries. Each cache entry usually +# consumes at least 256 bytes. Squid currently does not remove +# expired cache entries until the limit is reached, so a proxy +# will sooner or later reach the limit. The expanded FORMAT +# value is used as the cache key, so if the details in FORMAT +# are highly variable, a larger cache may be needed to produce +# reduction in helper load. +# +# children-max=n +# Maximum number of acl helper processes spawned to service # external acl lookups of this type. (default 5) +# +# children-startup=n +# Minimum number of acl helper processes to spawn during +# startup and reconfigure to service external acl lookups +# of this type. (default 0) +# +# children-idle=n +# Number of acl helper processes to keep ahead of traffic +# loads. Squid will spawn this many at once whenever load +# rises above the capabilities of existing processes. +# Up to the value of children-max. (default 1) +# # concurrency=n concurrency level per process. Only used with helpers # capable of processing more than one query at a time. -# cache=n result cache size, 0 is unbounded (default) -# grace=n Percentage remaining of TTL where a refresh of a -# cached entry should be initiated without needing to -# wait for a new reply. (default 0 for no grace period) -# protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers +# +# protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers. +# # ipv4 / ipv6 IP protocol used to communicate with this helper. # The default is to auto-detect IPv6 and use it when available. # +# # FORMAT specifications # # %LOGIN Authenticated user login name -# %EXT_USER Username from external acl +# %un A user name. Expands to the first available name +# from the following list of information sources: +# - authenticated user name, like %ul or %LOGIN +# - user name sent by an external ACL, like %EXT_USER +# - SSL client name, like %us in logformat +# - ident user name, like %ui in logformat +# %EXT_USER Username from previous external acl +# %EXT_LOG Log details from previous external acl +# %EXT_TAG Tag from previous external acl # %IDENT Ident user name # %SRC Client IP # %SRCPORT Client source port # %URI Requested URI # %DST Requested host -# %PROTO Requested protocol +# %PROTO Requested URL scheme # %PORT Requested port # %PATH Requested URL path # %METHOD Request method @@ -415,7 +555,10 @@ # %USER_CERT SSL User certificate in PEM format # %USER_CERTCHAIN SSL User certificate chain in PEM format # %USER_CERT_xx SSL User certificate subject attribute xx -# %USER_CA_xx SSL User certificate issuer attribute xx +# %USER_CA_CERT_xx SSL User certificate issuer attribute xx +# %ssl::>sni SSL client SNI sent to Squid +# %ssl::{Header} HTTP request header "Header" # %>{Hdr:member} @@ -433,43 +576,101 @@ # list separator. ; can be any non-alphanumeric # character. # +# %ACL The name of the ACL being tested. +# %DATA The ACL arguments. If not used then any arguments +# is automatically added at the end of the line +# sent to the helper. +# NOTE: this will encode the arguments as one token, +# whereas the default will pass each separately. +# # %% The percent sign. Useful for helpers which need # an unchanging input format. # -# In addition to the above, any string specified in the referencing -# acl will also be included in the helper request line, after the -# specified formats (see the "acl external" directive) # -# The helper receives lines per the above format specification, -# and returns lines starting with OK or ERR indicating the validity -# of the request and optionally followed by additional keywords with -# more details. +# General request syntax: +# +# [channel-ID] FORMAT-values [acl-values ...] +# +# +# FORMAT-values consists of transaction details expanded with +# whitespace separation per the config file FORMAT specification +# using the FORMAT macros listed above. +# +# acl-values consists of any string specified in the referencing +# config 'acl ... external' line. see the "acl external" directive. +# +# Request values sent to the helper are URL escaped to protect +# each value in requests against whitespaces. +# +# If using protocol=2.5 then the request sent to the helper is not +# URL escaped to protect against whitespace. +# +# NOTE: protocol=3.0 is deprecated as no longer necessary. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# +# The helper receives lines expanded per the above format specification +# and for each input line returns 1 line starting with OK/ERR/BH result +# code and optionally followed by additional keywords with more details. +# # # General result syntax: # -# OK/ERR keyword=value ... +# [channel-ID] result keyword=value ... +# +# Result consists of one of the codes: +# +# OK +# the ACL test produced a match. +# +# ERR +# the ACL test does not produce a match. +# +# BH +# An internal error occurred in the helper, preventing +# a result being identified. +# +# The meaning of 'a match' is determined by your squid.conf +# access control configuration. See the Squid wiki for details. # # Defined keywords: # # user= The users name (login) +# # password= The users password (for login= cache_peer option) -# message= Message describing the reason. Available as %o -# in error pages -# tag= Apply a tag to a request (for both ERR and OK results) -# Only sets a tag, does not alter existing tags. +# +# message= Message describing the reason for this response. +# Available as %o in error pages. +# Useful on (ERR and BH results). +# +# tag= Apply a tag to a request. Only sets a tag once, +# does not alter existing tags. +# # log= String to be logged in access.log. Available as -# %ea in logformat specifications +# %ea in logformat specifications. # -# If protocol=3.0 (the default) then URL escaping is used to protect -# each value in both requests and responses. +# clt_conn_tag= Associates a TAG with the client TCP connection. +# Please see url_rewrite_program related documentation +# for this kv-pair. # -# If using protocol=2.5 then all values need to be enclosed in quotes -# if they may contain whitespace, or the whitespace escaped using \. -# And quotes or \ characters within the keyword value must be \ escaped. +# Any keywords may be sent on any response whether OK, ERR or BH. # -# When using the concurrency= option the protocol is changed by -# introducing a query channel tag infront of the request/response. -# The query channel tag is a number between 0 and concurrency-1. +# All response keyword values need to be a single token with URL +# escaping, or enclosed in double quotes (") and escaped using \ on +# any double quotes or \ characters within the value. The wrapping +# double quotes are removed before the value is interpreted by Squid. +# \r and \n are also replace by CR and LF. +# +# Some example key values: +# +# user=John%20Smith +# user="John Smith" +# user="J. \"Bob\" Smith" #Default: # none @@ -485,9 +686,23 @@ # # When using "file", the file should contain one item per line. # -# By default, regular expressions are CASE-SENSITIVE. -# To make them case-insensitive, use the -i option. To return case-sensitive -# use the +i option between patterns, or make a new ACL line without -i. +# Some acl types supports options which changes their default behaviour. +# The available options are: +# +# -i,+i By default, regular expressions are CASE-SENSITIVE. To make them +# case-insensitive, use the -i option. To return case-sensitive +# use the +i option between patterns, or make a new ACL line +# without -i. +# +# -n Disable lookups and address type conversions. If lookup or +# conversion is required because the parameter type (IP or +# domain name) does not match the message address type (domain +# name or IP), then the ACL would immediately declare a mismatch +# without any warnings or lookups. +# +# -- Used to stop processing all options, in the case the first acl +# value has '-' character as first character (for example the '-' +# is a valid domain name) # # Some acl types require suspending the current request in order # to access some external data source. @@ -498,29 +713,31 @@ # # ***** ACL TYPES AVAILABLE ***** # -# acl aclname src ip-address/netmask ... # clients IP address [fast] -# acl aclname src addr1-addr2/netmask ... # range of addresses [fast] -# acl aclname dst ip-address/netmask ... # URL host's IP address [slow] -# acl aclname myip ip-address/netmask ... # local socket IP address [fast] +# acl aclname src ip-address/mask ... # clients IP address [fast] +# acl aclname src addr1-addr2/mask ... # range of addresses [fast] +# acl aclname dst [-n] ip-address/mask ... # URL host's IP address [slow] +# acl aclname localip ip-address/mask ... # IP address the client connected to [fast] # # acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation) -# # The arp ACL requires the special configure option --enable-arp-acl. -# # Furthermore, the ARP ACL code is not portable to all operating systems. -# # It works on Linux, Solaris, Windows, FreeBSD, and some -# # other *BSD variants. # # [fast] +# # The 'arp' ACL code is not portable to all operating systems. +# # It works on Linux, Solaris, Windows, FreeBSD, and some other +# # BSD variants. +# # +# # NOTE: Squid can only determine the MAC/EUI address for IPv4 +# # clients that are on the same subnet. If the client is on a +# # different subnet, then Squid cannot find out its address. # # -# # NOTE: Squid can only determine the MAC address for clients that are on -# # the same subnet. If the client is on a different subnet, -# # then Squid cannot find out its MAC address. +# # NOTE 2: IPv6 protocol does not contain ARP. MAC/EUI is either +# # encoded directly in the IPv6 address or not available. # # acl aclname srcdomain .foo.com ... # # reverse lookup, from client IP [slow] -# acl aclname dstdomain .foo.com ... +# acl aclname dstdomain [-n] .foo.com ... # # Destination server from URL [fast] # acl aclname srcdom_regex [-i] \.foo\.com ... # # regex matching client name [slow] -# acl aclname dstdom_regex [-i] \.foo\.com ... +# acl aclname dstdom_regex [-n] [-i] \.foo\.com ... # # regex matching server [fast] # # # # For dstdomain and dstdom_regex a reverse lookup is tried if a IP @@ -557,13 +774,17 @@ # # acl aclname url_regex [-i] ^http:// ... # # regex matching on whole URL [fast] +# acl aclname urllogin [-i] [^a-zA-Z0-9] ... +# # regex matching on URL login field # acl aclname urlpath_regex [-i] \.gif$ ... # # regex matching on URL path [fast] # # acl aclname port 80 70 21 0-1024... # destination TCP port [fast] # # ranges are alloed -# acl aclname myport 3128 ... # local socket TCP port [fast] -# acl aclname myportname 3128 ... # http(s)_port name [fast] +# acl aclname localport 3128 ... # TCP port the client connected to [fast] +# # NP: for interception mode this is usually '80' +# +# acl aclname myportname 3128 ... # *_port name [fast] # # acl aclname proto HTTP FTP ... # request protocol [fast] # @@ -632,6 +853,11 @@ # # clients may appear to come from multiple addresses if they are # # going through proxy farms, so a limit of 1 may cause user problems. # +# acl aclname random probability +# # Pseudo-randomly match requests. Based on the probability given. +# # Probability may be written as a decimal (0.333), fraction (1/3) +# # or ratio of matches:non-matches (3:5). +# # acl aclname req_mime_type [-i] mime-type ... # # regex match against the mime type of the request generated # # by the client. Can be used to detect file upload or some @@ -663,11 +889,11 @@ # # acl aclname user_cert attribute values... # # match against attributes in a user SSL certificate -# # attribute is one of DN/C/O/CN/L/ST [fast] +# # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast] # # acl aclname ca_cert attribute values... # # match against attributes a users issuing CA SSL certificate -# # attribute is one of DN/C/O/CN/L/ST [fast] +# # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast] # # acl aclname ext_user username ... # acl aclname ext_user_regex [-i] pattern ... @@ -675,7 +901,59 @@ # # use REQUIRED to accept any non-null user name. # # acl aclname tag tagvalue ... -# # string match on tag returned by external acl helper [slow] +# # string match on tag returned by external acl helper [fast] +# # DEPRECATED. Only the first tag will match with this ACL. +# # Use the 'note' ACL instead for handling multiple tag values. +# +# acl aclname hier_code codename ... +# # string match against squid hierarchy code(s); [fast] +# # e.g., DIRECT, PARENT_HIT, NONE, etc. +# # +# # NOTE: This has no effect in http_access rules. It only has +# # effect in rules that affect the reply data stream such as +# # http_reply_access. +# +# acl aclname note name [value ...] +# # match transaction annotation [fast] +# # Without values, matches any annotation with a given name. +# # With value(s), matches any annotation with a given name that +# # also has one of the given values. +# # Names and values are compared using a string equality test. +# # Annotation sources include note and adaptation_meta directives +# # as well as helper and eCAP responses. +# +# acl aclname adaptation_service service ... +# # Matches the name of any icap_service, ecap_service, +# # adaptation_service_set, or adaptation_service_chain that Squid +# # has used (or attempted to use) for the master transaction. +# # This ACL must be defined after the corresponding adaptation +# # service is named in squid.conf. This ACL is usable with +# # adaptation_meta because it starts matching immediately after +# # the service has been selected for adaptation. +# +# acl aclname any-of acl1 acl2 ... +# # match any one of the acls [fast or slow] +# # The first matching ACL stops further ACL evaluation. +# # +# # ACLs from multiple any-of lines with the same name are ORed. +# # For example, A = (a1 or a2) or (a3 or a4) can be written as +# # acl A any-of a1 a2 +# # acl A any-of a3 a4 +# # +# # This group ACL is fast if all evaluated ACLs in the group are fast +# # and slow otherwise. +# +# acl aclname all-of acl1 acl2 ... +# # match all of the acls [fast or slow] +# # The first mismatching ACL stops further ACL evaluation. +# # +# # ACLs from multiple all-of lines with the same name are ORed. +# # For example, B = (b1 and b2) or (b3 and b4) can be written as +# # acl B all-of b1 b2 +# # acl B all-of b3 b4 +# # +# # This group ACL is fast if all evaluated ACLs in the group are fast +# # and slow otherwise. # # Examples: # acl macaddress arp 09:00:2b:23:45:67 @@ -685,14 +963,11 @@ # acl javascript rep_mime_type -i ^application/x-javascript$ # #Default: -# acl all src all +# ACLs all, manager, localhost, and to_localhost are predefined. # # # Recommended minimum configuration: -# (now built-in) -#acl manager proto cache_object -#acl localhost src 127.0.0.1/32 ::1 -#acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1 +# # Example rule allowing access from your local networks. # Adapt to list your (internal) IP networks from where browsing @@ -716,39 +991,83 @@ acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT +# TAG: proxy_protocol_access +# Determine which client proxies can be trusted to provide correct +# information regarding real client IP address using PROXY protocol. +# +# Requests may pass through a chain of several other proxies +# before reaching us. The original source details may by sent in: +# * HTTP message Forwarded header, or +# * HTTP message X-Forwarded-For header, or +# * PROXY protocol connection header. +# +# This directive is solely for validating new PROXY protocol +# connections received from a port flagged with require-proxy-header. +# It is checked only once after TCP connection setup. +# +# A deny match results in TCP connection closure. +# +# An allow match is required for Squid to permit the corresponding +# TCP connection, before Squid even looks for HTTP request headers. +# If there is an allow match, Squid starts using PROXY header information +# to determine the source address of the connection for all future ACL +# checks, logging, etc. +# +# SECURITY CONSIDERATIONS: +# +# Any host from which we accept client IP details can place +# incorrect information in the relevant header, and Squid +# will use the incorrect information as if it were the +# source address of the request. This may enable remote +# hosts to bypass any access control restrictions that are +# based on the client's source addresses. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# all TCP connections to ports with require-proxy-header will be denied + # TAG: follow_x_forwarded_for -# Allowing or Denying the X-Forwarded-For header to be followed to -# find the original source of a request. +# Determine which client proxies can be trusted to provide correct +# information regarding real client IP address. # # Requests may pass through a chain of several other proxies -# before reaching us. The X-Forwarded-For header will contain a -# comma-separated list of the IP addresses in the chain, with the -# rightmost address being the most recent. +# before reaching us. The original source details may by sent in: +# * HTTP message Forwarded header, or +# * HTTP message X-Forwarded-For header, or +# * PROXY protocol connection header. +# +# PROXY protocol connections are controlled by the proxy_protocol_access +# directive which is checked before this. # # If a request reaches us from a source that is allowed by this -# configuration item, then we consult the X-Forwarded-For header -# to see where that host received the request from. If the -# X-Forwarded-For header contains multiple addresses, we continue -# backtracking until we reach an address for which we are not allowed -# to follow the X-Forwarded-For header, or until we reach the first -# address in the list. For the purpose of ACL used in the -# follow_x_forwarded_for directive the src ACL type always matches -# the address we are testing and srcdomain matches its rDNS. +# directive, then we trust the information it provides regarding +# the IP of the client it received from (if any). +# +# For the purpose of ACLs used in this directive the src ACL type always +# matches the address we are testing and srcdomain matches its rDNS. +# +# On each HTTP request Squid checks for X-Forwarded-For header fields. +# If found the header values are iterated in reverse order and an allow +# match is required for Squid to continue on to the next value. +# The verification ends when a value receives a deny match, cannot be +# tested, or there are no more values to test. +# NOTE: Squid does not yet follow the Forwarded HTTP header. # # The end result of this process is an IP address that we will # refer to as the indirect client address. This address may # be treated as the client address for access control, ICAP, delay # pools and logging, depending on the acl_uses_indirect_client, -# icap_uses_indirect_client, delay_pool_uses_indirect_client and -# log_uses_indirect_client options. +# icap_uses_indirect_client, delay_pool_uses_indirect_client, +# log_uses_indirect_client and tproxy_uses_indirect_client options. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # # SECURITY CONSIDERATIONS: # -# Any host for which we follow the X-Forwarded-For header -# can place incorrect information in the header, and Squid +# Any host from which we accept client IP details can place +# incorrect information in the relevant header, and Squid # will use the incorrect information as if it were the # source address of the request. This may enable remote # hosts to bypass any access control restrictions that are @@ -761,7 +1080,7 @@ acl CONNECT method CONNECT # follow_x_forwarded_for allow localhost # follow_x_forwarded_for allow my_other_proxy #Default: -# follow_x_forwarded_for deny all +# X-Forwarded-For header will be ignored. # TAG: acl_uses_indirect_client on|off # Controls whether the indirect client address @@ -787,10 +1106,41 @@ acl CONNECT method CONNECT #Default: # log_uses_indirect_client on +# TAG: tproxy_uses_indirect_client on|off +# Controls whether the indirect client address +# (see follow_x_forwarded_for) is used instead of the +# direct client address when spoofing the outgoing client. +# +# This has no effect on requests arriving in non-tproxy +# mode ports. +# +# SECURITY WARNING: Usage of this option is dangerous +# and should not be used trivially. Correct configuration +# of follow_x_forwarded_for with a limited set of trusted +# sources is required to prevent abuse of your proxy. +#Default: +# tproxy_uses_indirect_client off + +# TAG: spoof_client_ip +# Control client IP address spoofing of TPROXY traffic based on +# defined access lists. +# +# spoof_client_ip allow|deny [!]aclname ... +# +# If there are no "spoof_client_ip" lines present, the default +# is to "allow" spoofing of any suitable request. +# +# Note that the cache_peer "no-tproxy" option overrides this ACL. +# +# This clause supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Allow spoofing on all TPROXY traffic. + # TAG: http_access # Allowing or Denying access based on defined access lists # -# Access to the HTTP port: +# To allow or deny a message received on an HTTP, HTTPS, or FTP port: # http_access allow|deny [!]aclname ... # # NOTE on default values: @@ -809,22 +1159,22 @@ acl CONNECT method CONNECT # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # #Default: -# http_access deny all +# Deny, unless rules exist in squid.conf. # # # Recommended minimum Access Permission configuration: # -# Only allow cachemgr access from localhost -http_access allow manager localhost -http_access deny manager - # Deny requests to certain unsafe ports http_access deny !Safe_ports # Deny CONNECT to other than secure SSL ports http_access deny CONNECT !SSL_ports +# Only allow cachemgr access from localhost +http_access allow localhost manager +http_access deny manager + # We strongly recommend the following be uncommented to protect innocent # web applications running on the proxy server who think the only # one who can access services on "localhost" is a local user @@ -852,7 +1202,7 @@ http_access deny all # # If not set then only http_access is used. #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: http_reply_access # Allow replies to client requests. This is complementary to http_access. @@ -860,7 +1210,7 @@ http_access deny all # http_reply_access allow|deny [!] aclname ... # # NOTE: if there are no access lines present, the default is to allow -# all replies +# all replies. # # If none of the access lines cause a match the opposite of the # last line will apply. Thus it is good practice to end the rules @@ -869,7 +1219,7 @@ http_access deny all # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: icp_access # Allowing or Denying access to the ICP port based on defined @@ -877,7 +1227,9 @@ http_access deny all # # icp_access allow|deny [!]aclname ... # -# See http_access for details +# NOTE: The default if no icp_access lines are present is to +# deny all traffic. This default may cause problems with peers +# using ICP. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. @@ -886,7 +1238,7 @@ http_access deny all ##icp_access allow localnet ##icp_access deny all #Default: -# icp_access deny all +# Deny, unless rules exist in squid.conf. # TAG: htcp_access # Allowing or Denying access to the HTCP port based on defined @@ -894,11 +1246,12 @@ http_access deny all # # htcp_access allow|deny [!]aclname ... # -# See http_access for details +# See also htcp_clr_access for details on access control for +# cache purge (CLR) HTCP messages. # # NOTE: The default if no htcp_access lines are present is to # deny all traffic. This default may cause problems with peers -# using the htcp or htcp-oldsquid options. +# using the htcp option. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. @@ -907,48 +1260,47 @@ http_access deny all ##htcp_access allow localnet ##htcp_access deny all #Default: -# htcp_access deny all +# Deny, unless rules exist in squid.conf. # TAG: htcp_clr_access # Allowing or Denying access to purge content using HTCP based -# on defined access lists +# on defined access lists. +# See htcp_access for details on general HTCP access control. # # htcp_clr_access allow|deny [!]aclname ... # -# See http_access for details -# # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # ## Allow HTCP CLR requests from trusted peers -#acl htcp_clr_peer src 172.16.1.2 +#acl htcp_clr_peer src 192.0.2.2 2001:DB8::2 #htcp_clr_access allow htcp_clr_peer +#htcp_clr_access deny all #Default: -# htcp_clr_access deny all +# Deny, unless rules exist in squid.conf. # TAG: miss_access -# Determins whether network access is permitted when satisfying a request. +# Determines whether network access is permitted when satisfying a request. # # For example; # to force your neighbors to use you as a sibling instead of # a parent. # -# acl localclients src 172.16.0.0/16 -# miss_access allow localclients +# acl localclients src 192.0.2.0/24 2001:DB8::a:0/64 # miss_access deny !localclients +# miss_access allow all # # This means only your local clients are allowed to fetch relayed/MISS # replies from the network and all other clients can only fetch cached # objects (HITs). # -# # The default for this setting allows all clients who passed the # http_access rules to relay via this proxy. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# miss_access allow all +# Allow, unless rules exist in squid.conf. # TAG: ident_lookup_access # A list of ACL elements which, if matched, cause an ident @@ -972,7 +1324,7 @@ http_access deny all # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# ident_lookup_access deny all +# Unless rules exist in squid.conf, IDENT is not fetched. # TAG: reply_body_max_size size [acl acl...] # This option specifies the maximum size of a reply body. It can be @@ -1009,23 +1361,22 @@ http_access deny all # reply_body_max_size 10 MB # #Default: -# none +# No limit is applied. # NETWORK OPTIONS # ----------------------------------------------------------------------------- # TAG: http_port -# Usage: port [options] -# hostname:port [options] -# 1.2.3.4:port [options] +# Usage: port [mode] [options] +# hostname:port [mode] [options] +# 1.2.3.4:port [mode] [options] # # The socket addresses where Squid will listen for HTTP client # requests. You may specify multiple socket addresses. # There are three forms: port alone, hostname with port, and # IP address with port. If you specify a hostname or IP # address, Squid binds the socket to that specific -# address. This replaces the old 'tcp_incoming_address' -# option. Most likely, you do not need to bind to a specific +# address. Most likely, you do not need to bind to a specific # address, so you can use the port number alone. # # If you are running Squid in accelerator mode, you @@ -1037,48 +1388,184 @@ http_access deny all # # You may specify multiple socket addresses on multiple lines. # -# Options: +# Modes: # -# intercept Support for IP-Layer interception of -# outgoing requests without browser settings. -# NP: disables authentication and IPv6 on the port. +# intercept Support for IP-Layer NAT interception delivering +# traffic to this Squid port. +# NP: disables authentication on the port. # -# tproxy Support Linux TPROXY for spoofing outgoing -# connections using the client IP address. -# NP: disables authentication and maybe IPv6 on the port. +# tproxy Support Linux TPROXY (or BSD divert-to) with spoofing +# of outgoing connections using the client IP address. +# NP: disables authentication on the port. # -# accel Accelerator mode. Also needs at least one of -# vhost / vport / defaultsite. +# accel Accelerator / reverse proxy mode # -# allow-direct Allow direct forwarding in accelerator mode. Normally -# accelerated requests are denied direct forwarding as if -# never_direct was used. +# ssl-bump For each CONNECT request allowed by ssl_bump ACLs, +# establish secure connection with the client and with +# the server, decrypt HTTPS messages as they pass through +# Squid, and treat them as unencrypted HTTP messages, +# becoming the man-in-the-middle. # -# defaultsite=domainname -# What to use for the Host: header if it is not present -# in a request. Determines what site (not origin server) -# accelerators should consider the default. -# Implies accel. +# The ssl_bump option is required to fully enable +# bumping of CONNECT requests. +# +# Omitting the mode flag causes default forward proxy mode to be used. +# +# +# Accelerator Mode Options: +# +# defaultsite=domainname +# What to use for the Host: header if it is not present +# in a request. Determines what site (not origin server) +# accelerators should consider the default. # -# vhost Accelerator mode using Host header for virtual domain support. -# Also uses the port as specified in Host: header unless -# overridden by the vport option. Implies accel. +# no-vhost Disable using HTTP/1.1 Host header for virtual domain support. +# +# protocol= Protocol to reconstruct accelerated and intercepted +# requests with. Defaults to HTTP/1.1 for http_port and +# HTTPS/1.1 for https_port. +# When an unsupported value is configured Squid will +# produce a FATAL error. +# Values: HTTP or HTTP/1.1, HTTPS or HTTPS/1.1 # # vport Virtual host port support. Using the http_port number -# instead of the port passed on Host: headers. Implies accel. +# instead of the port passed on Host: headers. # # vport=NN Virtual host port support. Using the specified port # number instead of the port passed on Host: headers. -# Implies accel. # -# protocol= Protocol to reconstruct accelerated requests with. -# Defaults to http. +# act-as-origin +# Act as if this Squid is the origin server. +# This currently means generate new Date: and Expires: +# headers on HIT instead of adding Age:. # # ignore-cc Ignore request Cache-Control headers. # -# Warning: This option violates HTTP specifications if +# WARNING: This option violates HTTP specifications if # used in non-accelerator setups. # +# allow-direct Allow direct forwarding in accelerator mode. Normally +# accelerated requests are denied direct forwarding as if +# never_direct was used. +# +# WARNING: this option opens accelerator mode to security +# vulnerabilities usually only affecting in interception +# mode. Make sure to protect forwarding with suitable +# http_access rules when using this. +# +# +# SSL Bump Mode Options: +# In addition to these options ssl-bump requires TLS/SSL options. +# +# generate-host-certificates[=] +# Dynamically create SSL server certificates for the +# destination hosts of bumped CONNECT requests.When +# enabled, the cert and key options are used to sign +# generated certificates. Otherwise generated +# certificate will be selfsigned. +# If there is a CA certificate lifetime of the generated +# certificate equals lifetime of the CA certificate. If +# generated certificate is selfsigned lifetime is three +# years. +# This option is disabled by default. See the ssl-bump +# option above for more information. +# +# dynamic_cert_mem_cache_size=SIZE +# Approximate total RAM size spent on cached generated +# certificates. If set to zero, caching is disabled. +# +# TLS / SSL Options: +# +# cert= Path to SSL certificate (PEM format). +# +# key= Path to SSL private key file (PEM format) +# if not specified, the certificate file is +# assumed to be a combined certificate and +# key file. +# +# version= The version of SSL/TLS supported +# 1 automatic (default) +# 2 SSLv2 only +# 3 SSLv3 only +# 4 TLSv1.0 only +# 5 TLSv1.1 only +# 6 TLSv1.2 only +# +# cipher= Colon separated list of supported ciphers. +# NOTE: some ciphers such as EDH ciphers depend on +# additional settings. If those settings are +# omitted the ciphers may be silently ignored +# by the OpenSSL library. +# +# options= Various SSL implementation options. The most important +# being: +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# SINGLE_DH_USE Always create a new key when using +# temporary/ephemeral DH key exchanges +# NO_TICKET Disables TLS tickets extension +# +# SINGLE_ECDH_USE +# Enable ephemeral ECDH key exchange. +# The adopted curve should be specified +# using the tls-dh option. +# +# ALL Enable various bug workarounds +# suggested as "harmless" by OpenSSL +# Be warned that this reduces SSL/TLS +# strength to some attacks. +# See OpenSSL SSL_CTX_set_options documentation for a +# complete list of options. +# +# clientca= File containing the list of CAs to use when +# requesting a client certificate. +# +# cafile= File containing additional CA certificates to +# use when verifying client certificates. If unset +# clientca will be used. +# +# capath= Directory containing additional CA certificates +# and CRL lists to use when verifying client certificates. +# +# crlfile= File of additional CRL lists to use when verifying +# the client certificate, in addition to CRLs stored in +# the capath. Implies VERIFY_CRL flag below. +# +# tls-dh=[curve:]file +# File containing DH parameters for temporary/ephemeral DH key +# exchanges, optionally prefixed by a curve for ephemeral ECDH +# key exchanges. +# See OpenSSL documentation for details on how to create the +# DH parameter file. Supported curves for ECDH can be listed +# using the "openssl ecparam -list_curves" command. +# WARNING: EDH and EECDH ciphers will be silently disabled if +# this option is not set. +# +# sslflags= Various flags modifying the use of SSL: +# DELAYED_AUTH +# Don't request client certificates +# immediately, but wait until acl processing +# requires a certificate (not yet implemented). +# NO_DEFAULT_CA +# Don't use the default CA lists built in +# to OpenSSL. +# NO_SESSION_REUSE +# Don't allow for session reuse. Each connection +# will result in a new SSL session. +# VERIFY_CRL +# Verify CRL lists when accepting client +# certificates. +# VERIFY_CRL_ALL +# Verify CRL lists for all certificates in the +# client certificate chain. +# +# sslcontext= SSL session ID context identifier. +# +# Other Options: +# # connection-auth[=on|off] # use connection-auth=off to tell Squid to prevent # forwarding Microsoft connection oriented authentication @@ -1100,22 +1587,6 @@ http_access deny all # sporadically hang or never complete requests set # disable-pmtu-discovery option to 'transparent'. # -# ssl-bump Intercept each CONNECT request matching ssl_bump ACL, -# establish secure connection with the client and with -# the server, decrypt HTTP messages as they pass through -# Squid, and treat them as unencrypted HTTP messages, -# becoming the man-in-the-middle. -# -# When this option is enabled, additional options become -# available to specify SSL-related properties of the -# client-side connection: cert, key, version, cipher, -# options, clientca, cafile, capath, crlfile, dhparams, -# sslflags, and sslcontext. See the https_port directive -# for more information on these options. -# -# The ssl_bump option is required to fully enable -# the SslBump feature. -# # name= Specifies a internal name for the port. Defaults to # the port specification (port or addr:port) # @@ -1125,6 +1596,11 @@ http_access deny all # probing the connection, interval how often to probe, and # timeout the time before giving up. # +# require-proxy-header +# Require PROXY protocol version 1 or 2 connections. +# The proxy_protocol_access is required to whitelist +# downstream proxies which can be trusted. +# # If you run Squid on a dual-homed machine with an internal # and an external interface we recommend you to specify the # internal address:port in http_port. This way Squid will only be @@ -1137,35 +1613,49 @@ http_port 3128 # TAG: https_port # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # -# Usage: [ip:]port cert=certificate.pem [key=key.pem] [options...] +# Usage: [ip:]port cert=certificate.pem [key=key.pem] [mode] [options...] # -# The socket address where Squid will listen for HTTPS client -# requests. +# The socket address where Squid will listen for client requests made +# over TLS or SSL connections. Commonly referred to as HTTPS. # -# This is really only useful for situations where you are running -# squid in accelerator mode and you want to do the SSL work at the -# accelerator level. +# This is most useful for situations where you are running squid in +# accelerator mode and you want to do the SSL work at the accelerator level. # # You may specify multiple socket addresses on multiple lines, # each with their own SSL certificate and/or options. # -# Options: +# Modes: +# +# accel Accelerator / reverse proxy mode +# +# intercept Support for IP-Layer interception of +# outgoing requests without browser settings. +# NP: disables authentication and IPv6 on the port. +# +# tproxy Support Linux TPROXY for spoofing outgoing +# connections using the client IP address. +# NP: disables authentication and maybe IPv6 on the port. +# +# ssl-bump For each intercepted connection allowed by ssl_bump +# ACLs, establish a secure connection with the client and with +# the server, decrypt HTTPS messages as they pass through +# Squid, and treat them as unencrypted HTTP messages, +# becoming the man-in-the-middle. +# +# An "ssl_bump server-first" match is required to +# fully enable bumping of intercepted SSL connections. +# +# Requires tproxy or intercept. # -# accel Accelerator mode. Also needs at least one of -# defaultsite or vhost. +# Omitting the mode flag causes default forward proxy mode to be used. # -# defaultsite= The name of the https site presented on -# this port. Implies accel. # -# vhost Accelerator mode using Host header for virtual -# domain support. Requires a wildcard certificate -# or other certificate valid for more than one domain. -# Implies accel. +# See http_port for a list of generic options # -# protocol= Protocol to reconstruct accelerated requests with. -# Defaults to https. +# +# SSL Options: # # cert= Path to SSL certificate (PEM format). # @@ -1181,20 +1671,23 @@ http_port 3128 # 4 TLSv1 only # # cipher= Colon separated list of supported ciphers. -# NOTE: some ciphers such as EDH ciphers depend on -# additional settings. If those settings are -# omitted the ciphers may be silently ignored -# by the OpenSSL library. # # options= Various SSL engine options. The most important # being: # NO_SSLv2 Disallow the use of SSLv2 # NO_SSLv3 Disallow the use of SSLv3 # NO_TLSv1 Disallow the use of TLSv1 +# # SINGLE_DH_USE Always create a new key when using # temporary/ephemeral DH key exchanges -# See OpenSSL SSL_CTX_set_options documentation for a -# complete list of options. +# +# SINGLE_ECDH_USE +# Enable ephemeral ECDH key exchange. +# The adopted curve should be specified +# using the tls-dh option. +# +# See src/ssl_support.c or OpenSSL SSL_CTX_set_options +# documentation for a complete list of options. # # clientca= File containing the list of CAs to use when # requesting a client certificate. @@ -1210,11 +1703,10 @@ http_port 3128 # the client certificate, in addition to CRLs stored in # the capath. Implies VERIFY_CRL flag below. # -# dhparams= File containing DH parameters for temporary/ephemeral -# DH key exchanges. See OpenSSL documentation for details -# on how to create this file. -# WARNING: EDH ciphers will be silently disabled if this -# option is not set. +# tls-dh=[curve:]file +# File containing DH parameters for temporary/ephemeral DH key +# exchanges, optionally prefixed by a curve for ephemeral ECDH +# key exchanges. # # sslflags= Various flags modifying the use of SSL: # DELAYED_AUTH @@ -1238,38 +1730,89 @@ http_port 3128 # # generate-host-certificates[=] # Dynamically create SSL server certificates for the -# destination hosts of bumped CONNECT requests.When +# destination hosts of bumped SSL requests.When # enabled, the cert and key options are used to sign # generated certificates. Otherwise generated # certificate will be selfsigned. -# If there is CA certificate life time of generated +# If there is CA certificate life time of generated # certificate equals lifetime of CA certificate. If -# generated certificate is selfsigned lifetime is three +# generated certificate is selfsigned lifetime is three # years. -# This option is enabled by default when SslBump is used. -# See the sslBump option above for more information. -# +# This option is disabled by default. See the ssl-bump +# option above for more information. +# # dynamic_cert_mem_cache_size=SIZE # Approximate total RAM size spent on cached generated -# certificates. If set to zero, caching is disabled. The -# default value is 4MB. An average XXX-bit certificate -# consumes about XXX bytes of RAM. +# certificates. If set to zero, caching is disabled. # -# vport Accelerator with IP based virtual host support. +# See http_port for a list of available options. +#Default: +# none + +# TAG: ftp_port +# Enables Native FTP proxy by specifying the socket address where Squid +# listens for FTP client requests. See http_port directive for various +# ways to specify the listening address and mode. # -# vport=NN As above, but uses specified port number rather -# than the https_port number. Implies accel. +# Usage: ftp_port address [mode] [options] # -# name= Specifies a internal name for the port. Defaults to -# the port specification (port or addr:port) +# WARNING: This is a new, experimental, complex feature that has seen +# limited production exposure. Some Squid modules (e.g., caching) do not +# currently work with native FTP proxying, and many features have not +# even been tested for compatibility. Test well before deploying! +# +# Native FTP proxying differs substantially from proxying HTTP requests +# with ftp:// URIs because Squid works as an FTP server and receives +# actual FTP commands (rather than HTTP requests with FTP URLs). # +# Native FTP commands accepted at ftp_port are internally converted or +# wrapped into HTTP-like messages. The same happens to Native FTP +# responses received from FTP origin servers. Those HTTP-like messages +# are shoveled through regular access control and adaptation layers +# between the FTP client and the FTP origin server. This allows Squid to +# examine, adapt, block, and log FTP exchanges. Squid reuses most HTTP +# mechanisms when shoveling wrapped FTP messages. For example, +# http_access and adaptation_access directives are used. +# +# Modes: +# +# intercept Same as http_port intercept. The FTP origin address is +# determined based on the intended destination of the +# intercepted connection. +# +# tproxy Support Linux TPROXY for spoofing outgoing +# connections using the client IP address. +# NP: disables authentication and maybe IPv6 on the port. +# +# By default (i.e., without an explicit mode option), Squid extracts the +# FTP origin address from the login@origin parameter of the FTP USER +# command. Many popular FTP clients support such native FTP proxying. +# +# Options: +# +# name=token Specifies an internal name for the port. Defaults to +# the port address. Usable with myportname ACL. +# +# ftp-track-dirs +# Enables tracking of FTP directories by injecting extra +# PWD commands and adjusting Request-URI (in wrapping +# HTTP requests) to reflect the current FTP server +# directory. Tracking is disabled by default. +# +# protocol=FTP Protocol to reconstruct accelerated and intercepted +# requests with. Defaults to FTP. No other accepted +# values have been tested with. An unsupported value +# results in a FATAL error. Accepted values are FTP, +# HTTP (or HTTP/1.1), and HTTPS (or HTTPS/1.1). +# +# Other http_port modes and options that are not specific to HTTP and +# HTTPS may also work. #Default: # none # TAG: tcp_outgoing_tos -# Allows you to select a TOS/Diffserv value to mark outgoing -# connections with, based on the username or source address -# making the request. +# Allows you to select a TOS/Diffserv value for packets outgoing +# on the server side, based on an ACL. # # tcp_outgoing_tos ds-field [!]aclname ... # @@ -1286,41 +1829,116 @@ http_port 3128 # RFC2475, and RFC3260. # # The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or -# "default" to use whatever default your host has. Note that in -# practice often only multiples of 4 is usable as the two rightmost bits -# have been redefined for use by ECN (RFC 3168 section 23.1). +# "default" to use whatever default your host has. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. # # Processing proceeds in the order specified, and stops at first fully # matching line. # -# Note: The use of this directive using client dependent ACLs is -# incompatible with the use of server side persistent connections. To -# ensure correct results it is best to set server_persistent_connections -# to off when using this directive in such configurations. +# Only fast ACLs are supported. #Default: # none # TAG: clientside_tos -# Allows you to select a TOS/Diffserv value to mark client-side -# connections with, based on the username or source address -# making the request. +# Allows you to select a TOS/DSCP value for packets being transmitted +# on the client-side, based on an ACL. +# +# clientside_tos ds-field [!]aclname ... +# +# Example where normal_service_net uses the TOS value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# clientside_tos 0x00 normal_service_net +# clientside_tos 0x20 good_service_net +# +# Note: This feature is incompatible with qos_flows. Any TOS values set here +# will be overwritten by TOS values in qos_flows. +# +# The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or +# "default" to use whatever default your host has. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. +# +#Default: +# none + +# TAG: tcp_outgoing_mark +# Note: This option is only available if Squid is rebuilt with the +# Packet MARK (Linux) +# +# Allows you to apply a Netfilter mark value to outgoing packets +# on the server side, based on an ACL. +# +# tcp_outgoing_mark mark-value [!]aclname ... +# +# Example where normal_service_net uses the mark value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# tcp_outgoing_mark 0x00 normal_service_net +# tcp_outgoing_mark 0x20 good_service_net +# +# Only fast ACLs are supported. +#Default: +# none + +# TAG: clientside_mark +# Note: This option is only available if Squid is rebuilt with the +# Packet MARK (Linux) +# +# Allows you to apply a Netfilter mark value to packets being transmitted +# on the client-side, based on an ACL. +# +# clientside_mark mark-value [!]aclname ... +# +# Example where normal_service_net uses the mark value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# clientside_mark 0x00 normal_service_net +# clientside_mark 0x20 good_service_net +# +# Note: This feature is incompatible with qos_flows. Any mark values set here +# will be overwritten by mark values in qos_flows. #Default: # none # TAG: qos_flows # Allows you to select a TOS/DSCP value to mark outgoing -# connections with, based on where the reply was sourced. +# connections to the client, based on where the reply was sourced. +# For platforms using netfilter, allows you to set a netfilter mark +# value instead of, or in addition to, a TOS value. +# +# By default this functionality is disabled. To enable it with the default +# settings simply use "qos_flows mark" or "qos_flows tos". Default +# settings will result in the netfilter mark or TOS value being copied +# from the upstream connection to the client. Note that it is the connection +# CONNMARK value not the packet MARK value that is copied. +# +# It is not currently possible to copy the mark or TOS value from the +# client to the upstream connection request. # # TOS values really only have local significance - so you should # know what you're specifying. For more information, see RFC2474, # RFC2475, and RFC3260. # -# The TOS/DSCP byte must be exactly that - octet value 0x00-0xFF. -# Note that in practice often only values up to 0x3F are usable -# as the two highest bits have been redefined for use by ECN -# (RFC3168). +# The TOS/DSCP byte must be exactly that - a octet value 0 - 255. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. +# +# Mark values can be any unsigned 32-bit integer value. # -# This setting is configured by setting the source TOS values: +# This setting is configured by setting the following values: +# +# tos|mark Whether to set TOS or netfilter mark values # # local-hit=0xFF Value to mark local cache hits. # @@ -1328,23 +1946,37 @@ http_port 3128 # # parent-hit=0xFF Value to mark hits from parent peers. # +# miss=0xFF[/mask] Value to mark cache misses. Takes precedence +# over the preserve-miss feature (see below), unless +# mask is specified, in which case only the bits +# specified in the mask are written. # -# NOTE: 'miss' preserve feature is only possible on Linux at this time. -# -# For the following to work correctly, you will need to patch your -# linux kernel with the TOS preserving ZPH patch. -# The kernel patch can be downloaded from http://zph.bratcheda.org +# The TOS variant of the following features are only possible on Linux +# and require your kernel to be patched with the TOS preserving ZPH +# patch, available from http://zph.bratcheda.org +# No patch is needed to preserve the netfilter mark, which will work +# with all variants of netfilter. # # disable-preserve-miss -# By default, the existing TOS value of the response coming -# from the remote server will be retained and masked with -# miss-mark. This option disables that feature. +# This option disables the preservation of the TOS or netfilter +# mark. By default, the existing TOS or netfilter mark value of +# the response coming from the remote server will be retained +# and masked with miss-mark. +# NOTE: in the case of a netfilter mark, the mark must be set on +# the connection (using the CONNMARK target) not on the packet +# (MARK target). # # miss-mask=0xFF -# Allows you to mask certain bits in the TOS received from the -# remote server, before copying the value to the TOS sent -# towards clients. -# Default: 0xFF (TOS from server is not changed). +# Allows you to mask certain bits in the TOS or mark value +# received from the remote server, before copying the value to +# the TOS sent towards clients. +# Default for tos: 0xFF (TOS from server is not changed). +# Default for mark: 0xFFFFFFFF (mark from server is not changed). +# +# All of these features require the --enable-zph-qos compilation flag +# (enabled by default). Netfilter marking also requires the +# libnetfilter_conntrack libraries (--with-netfilter-conntrack) and +# libcap 2.09+ (--with-libcap). # #Default: # none @@ -1356,72 +1988,133 @@ http_port 3128 # # tcp_outgoing_address ipaddr [[!]aclname] ... # -# Example where requests from 10.0.0.0/24 will be forwarded -# with source address 10.1.0.1, 10.0.2.0/24 forwarded with -# source address 10.1.0.2 and the rest will be forwarded with -# source address 10.1.0.3. -# -# acl normal_service_net src 10.0.0.0/24 -# acl good_service_net src 10.0.2.0/24 -# tcp_outgoing_address 10.1.0.1 normal_service_net -# tcp_outgoing_address 10.1.0.2 good_service_net -# tcp_outgoing_address 10.1.0.3 -# -# Processing proceeds in the order specified, and stops at first fully -# matching line. -# -# Note: The use of this directive using client dependent ACLs is -# incompatible with the use of server side persistent connections. To -# ensure correct results it is best to set server_persistent_connections -# to off when using this directive in such configurations. -# +# For example; +# Forwarding clients with dedicated IPs for certain subnets. # -# IPv6 Magic: +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.2.0/24 # -# Squid is built with a capability of bridging the IPv4 and IPv6 -# internets. -# tcp_outgoing_address as exampled above breaks this bridging by forcing -# all outbound traffic through a certain IPv4 which may be on the wrong -# side of the IPv4/IPv6 boundary. +# tcp_outgoing_address 2001:db8::c001 good_service_net +# tcp_outgoing_address 10.1.0.2 good_service_net # -# To operate with tcp_outgoing_address and keep the bridging benefits -# an additional ACL needs to be used which ensures the IPv6-bound traffic -# is never forced or permitted out the IPv4 interface. +# tcp_outgoing_address 2001:db8::beef normal_service_net +# tcp_outgoing_address 10.1.0.1 normal_service_net # -# # IPv6 destination test along with a dummy access control to perform the required DNS -# # This MUST be place before any ALLOW rules. -# acl to_ipv6 dst ipv6 -# http_access deny ipv6 !all +# tcp_outgoing_address 2001:db8::1 +# tcp_outgoing_address 10.1.0.3 # -# tcp_outgoing_address 2001:db8::c001 good_service_net to_ipv6 -# tcp_outgoing_address 10.1.0.2 good_service_net !to_ipv6 +# Processing proceeds in the order specified, and stops at first fully +# matching line. # -# tcp_outgoing_address 2001:db8::beef normal_service_net to_ipv6 -# tcp_outgoing_address 10.1.0.1 normal_service_net !to_ipv6 +# Squid will add an implicit IP version test to each line. +# Requests going to IPv4 websites will use the outgoing 10.1.0.* addresses. +# Requests going to IPv6 websites will use the outgoing 2001:db8:* addresses. # -# tcp_outgoing_address 2001:db8::1 to_ipv6 -# tcp_outgoing_address 10.1.0.3 !to_ipv6 # -# WARNING: -# 'dst ipv6' bases its selection assuming DIRECT access. -# If peers are used the peername ACL are needed to select outgoing -# address which can link to the peer. +# NOTE: The use of this directive using client dependent ACLs is +# incompatible with the use of server side persistent connections. To +# ensure correct results it is best to set server_persistent_connections +# to off when using this directive in such configurations. # -# 'dst ipv6' is a slow ACL. It will only work here if 'dst' is used -# previously in the http_access rules to locate the destination IP. -# Some more magic may be needed for that: -# http_access allow to_ipv6 !all -# (meaning, allow if to IPv6 but not from anywhere ;) +# NOTE: The use of this directive to set a local IP on outgoing TCP links +# is incompatible with using TPROXY to set client IP out outbound TCP links. +# When needing to contact peers use the no-tproxy cache_peer option and the +# client_dst_passthru directive re-enable normal forwarding such as this. # #Default: -# none +# Address selection is performed by the operating system. + +# TAG: host_verify_strict +# Regardless of this option setting, when dealing with intercepted +# traffic, Squid always verifies that the destination IP address matches +# the Host header domain or IP (called 'authority form URL'). +# +# This enforcement is performed to satisfy a MUST-level requirement in +# RFC 2616 section 14.23: "The Host field value MUST represent the naming +# authority of the origin server or gateway given by the original URL". +# +# When set to ON: +# Squid always responds with an HTTP 409 (Conflict) error +# page and logs a security warning if there is no match. +# +# Squid verifies that the destination IP address matches +# the Host header for forward-proxy and reverse-proxy traffic +# as well. For those traffic types, Squid also enables the +# following checks, comparing the corresponding Host header +# and Request-URI components: +# +# * The host names (domain or IP) must be identical, +# but valueless or missing Host header disables all checks. +# For the two host names to match, both must be either IP +# or FQDN. +# +# * Port numbers must be identical, but if a port is missing +# the scheme-default port is assumed. +# +# +# When set to OFF (the default): +# Squid allows suspicious requests to continue but logs a +# security warning and blocks caching of the response. +# +# * Forward-proxy traffic is not checked at all. +# +# * Reverse-proxy traffic is not checked at all. +# +# * Intercepted traffic which passes verification is handled +# according to client_dst_passthru. +# +# * Intercepted requests which fail verification are sent +# to the client original destination instead of DIRECT. +# This overrides 'client_dst_passthru off'. +# +# For now suspicious intercepted CONNECT requests are always +# responded to with an HTTP 409 (Conflict) error page. +# +# +# SECURITY NOTE: +# +# As described in CVE-2009-0801 when the Host: header alone is used +# to determine the destination of a request it becomes trivial for +# malicious scripts on remote websites to bypass browser same-origin +# security policy and sandboxing protections. +# +# The cause of this is that such applets are allowed to perform their +# own HTTP stack, in which case the same-origin policy of the browser +# sandbox only verifies that the applet tries to contact the same IP +# as from where it was loaded at the IP level. The Host: header may +# be different from the connected IP and approved origin. +# +#Default: +# host_verify_strict off + +# TAG: client_dst_passthru +# With NAT or TPROXY intercepted traffic Squid may pass the request +# directly to the original client destination IP or seek a faster +# source using the HTTP Host header. +# +# Using Host to locate alternative servers can provide faster +# connectivity with a range of failure recovery options. +# But can also lead to connectivity trouble when the client and +# server are attempting stateful interactions unaware of the proxy. +# +# This option (on by default) prevents alternative DNS entries being +# located to send intercepted traffic DIRECT to an origin server. +# The clients original destination IP and port will be used instead. +# +# Regardless of this option setting, when dealing with intercepted +# traffic Squid will verify the Host: header and any traffic which +# fails Host verification will be treated as if this option were ON. +# +# see host_verify_strict for details on the verification process. +#Default: +# client_dst_passthru on # SSL OPTIONS # ----------------------------------------------------------------------------- # TAG: ssl_unclean_shutdown # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Some browsers (especially MSIE) bugs out on SSL shutdown # messages. @@ -1430,7 +2123,7 @@ http_port 3128 # TAG: ssl_engine # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # The OpenSSL engine to use. You will need to set this if you # would like to use hardware SSL acceleration for example. @@ -1439,7 +2132,7 @@ http_port 3128 # TAG: sslproxy_client_certificate # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Client SSL Certificate to use when proxying https:// URLs #Default: @@ -1447,7 +2140,7 @@ http_port 3128 # TAG: sslproxy_client_key # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Client SSL Key to use when proxying https:// URLs #Default: @@ -1455,36 +2148,60 @@ http_port 3128 # TAG: sslproxy_version # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # SSL version level to use when proxying https:// URLs +# +# The versions of SSL/TLS supported: +# +# 1 automatic (default) +# 2 SSLv2 only +# 3 SSLv3 only +# 4 TLSv1.0 only +# 5 TLSv1.1 only +# 6 TLSv1.2 only #Default: -# sslproxy_version 1 +# automatic SSL/TLS version negotiation # TAG: sslproxy_options # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # -# SSL engine options to use when proxying https:// URLs +# Colon (:) or comma (,) separated list of SSL implementation options +# to use when proxying https:// URLs # # The most important being: # -# NO_SSLv2 Disallow the use of SSLv2 -# NO_SSLv3 Disallow the use of SSLv3 -# NO_TLSv1 Disallow the use of TLSv1 -# SINGLE_DH_USE -# Always create a new key when using -# temporary/ephemeral DH key exchanges +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# +# SINGLE_DH_USE +# Always create a new key when using temporary/ephemeral +# DH key exchanges +# +# NO_TICKET +# Disable use of RFC5077 session tickets. Some servers +# may have problems understanding the TLS extension due +# to ambiguous specification in RFC4507. +# +# ALL Enable various bug workarounds suggested as "harmless" +# by OpenSSL. Be warned that this may reduce SSL/TLS +# strength to some attacks. # -# These options vary depending on your SSL engine. # See the OpenSSL SSL_CTX_set_options documentation for a # complete list of possible options. +# +# WARNING: This directive takes a single token. If a space is used +# the value(s) after that space are SILENTLY IGNORED. #Default: # none # TAG: sslproxy_cipher # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # SSL cipher list to use when proxying https:// URLs # @@ -1494,7 +2211,7 @@ http_port 3128 # TAG: sslproxy_cafile # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # file containing CA certificates to use when verifying server # certificates while proxying https:// URLs @@ -1503,45 +2220,151 @@ http_port 3128 # TAG: sslproxy_capath # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # directory containing CA certificates to use when verifying # server certificates while proxying https:// URLs #Default: # none -# TAG: ssl_bump +# TAG: sslproxy_session_ttl +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the timeout value for SSL sessions +#Default: +# sslproxy_session_ttl 300 + +# TAG: sslproxy_session_cache_size +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the cache size to use for ssl session +#Default: +# sslproxy_session_cache_size 2 MB + +# TAG: sslproxy_foreign_intermediate_certs # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # -# This ACL controls which CONNECT requests to an http_port -# marked with an sslBump flag are actually "bumped". Please -# see the sslBump flag of an http_port option for more details -# about decoding proxied SSL connections. +# Many origin servers fail to send their full server certificate +# chain for verification, assuming the client already has or can +# easily locate any missing intermediate certificates. # -# By default, no requests are bumped. +# Squid uses the certificates from the specified file to fill in +# these missing chains when trying to validate origin server +# certificate chains. +# +# The file is expected to contain zero or more PEM-encoded +# intermediate certificates. These certificates are not treated +# as trusted root certificates, and any self-signed certificate in +# this file will be ignored. +#Default: +# none + +# TAG: sslproxy_cert_sign_hash +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the hashing algorithm to use when signing generated certificates. +# Valid algorithm names depend on the OpenSSL library used. The following +# names are usually available: sha1, sha256, sha512, and md5. Please see +# your OpenSSL library manual for the available hashes. By default, Squids +# that support this option use sha256 hashes. +# +# Squid does not forcefully purge cached certificates that were generated +# with an algorithm other than the currently configured one. They remain +# in the cache, subject to the regular cache eviction policy, and become +# useful if the algorithm changes again. +#Default: +# none + +# TAG: ssl_bump +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# This option is consulted when a CONNECT request is received on +# an http_port (or a new connection is intercepted at an +# https_port), provided that port was configured with an ssl-bump +# flag. The subsequent data on the connection is either treated as +# HTTPS and decrypted OR tunneled at TCP level without decryption, +# depending on the first matching bumping "action". +# +# ssl_bump [!]acl ... +# +# The following bumping actions are currently supported: +# +# splice +# Become a TCP tunnel without decrypting proxied traffic. +# This is the default action. +# +# bump +# Establish a secure connection with the server and, using a +# mimicked server certificate, with the client. +# +# peek +# Receive client (step SslBump1) or server (step SslBump2) +# certificate while preserving the possibility of splicing the +# connection. Peeking at the server certificate (during step 2) +# usually precludes bumping of the connection at step 3. +# +# stare +# Receive client (step SslBump1) or server (step SslBump2) +# certificate while preserving the possibility of bumping the +# connection. Staring at the server certificate (during step 2) +# usually precludes splicing of the connection at step 3. +# +# terminate +# Close client and server connections. +# +# Backward compatibility actions available at step SslBump1: +# +# client-first +# Bump the connection. Establish a secure connection with the +# client first, then connect to the server. This old mode does +# not allow Squid to mimic server SSL certificate and does not +# work with intercepted SSL connections. +# +# server-first +# Bump the connection. Establish a secure connection with the +# server first, then establish a secure connection with the +# client, using a mimicked server certificate. Works with both +# CONNECT requests and intercepted SSL connections, but does +# not allow to make decisions based on SSL handshake info. +# +# peek-and-splice +# Decide whether to bump or splice the connection based on +# client-to-squid and server-to-squid SSL hello messages. +# XXX: Remove. +# +# none +# Same as the "splice" action. +# +# All ssl_bump rules are evaluated at each of the supported bumping +# steps. Rules with actions that are impossible at the current step are +# ignored. The first matching ssl_bump action wins and is applied at the +# end of the current step. If no rules match, the splice action is used. +# See the at_step ACL for a list of the supported SslBump steps. # -# See also: http_port ssl-bump -# # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # +# See also: http_port ssl-bump, https_port ssl-bump, and acl at_step. +# # -# # Example: Bump all requests except those originating from localhost and -# # those going to webax.com or example.com sites. +# # Example: Bump all TLS connections except those originating from +# # localhost or those going to example.com. # -# acl localhost src 127.0.0.1/32 -# acl broken_sites dstdomain .webax.com -# acl broken_sites dstdomain .example.com -# ssl_bump deny localhost -# ssl_bump deny broken_sites -# ssl_bump allow all +# acl broken_sites ssl::server_name .example.com +# ssl_bump splice localhost +# ssl_bump splice broken_sites +# ssl_bump bump all #Default: -# none +# Become a TCP tunnel without decrypting proxied traffic. # TAG: sslproxy_flags # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Various flags modifying the use of SSL while proxying https:// URLs: # DONT_VERIFY_PEER Accept certificates that fail verification. @@ -1553,16 +2376,16 @@ http_port 3128 # TAG: sslproxy_cert_error # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Use this ACL to bypass server certificate validation errors. # # For example, the following lines will bypass all validation errors -# when talking to servers located at 172.16.0.0/16. All other +# when talking to servers for example.com. All other # validation errors will result in ERR_SECURE_CONNECT_FAIL error. # -# acl BrokenServersAtTrustedIP dst 172.16.0.0/16 -# sslproxy_cert_error allow BrokenServersAtTrustedIP +# acl BrokenButTrustedServers dstdomain example.com +# sslproxy_cert_error allow BrokenButTrustedServers # sslproxy_cert_error deny all # # This clause only supports fast acl types. @@ -1570,19 +2393,107 @@ http_port 3128 # Using slow acl types may result in server crashes # # Without this option, all server certificate validation errors -# terminate the transaction. Bypassing validation errors is dangerous -# because an error usually implies that the server cannot be trusted and -# the connection may be insecure. +# terminate the transaction to protect Squid and the client. +# +# SQUID_X509_V_ERR_INFINITE_VALIDATION error cannot be bypassed +# but should not happen unless your OpenSSL library is buggy. +# +# SECURITY WARNING: +# Bypassing validation errors is dangerous because an +# error usually implies that the server cannot be trusted +# and the connection may be insecure. # # See also: sslproxy_flags and DONT_VERIFY_PEER. +#Default: +# Server certificate errors terminate the transaction. + +# TAG: sslproxy_cert_sign +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# # -# Default setting: sslproxy_cert_error deny all +# sslproxy_cert_sign acl ... +# +# The following certificate signing algorithms are supported: +# +# signTrusted +# Sign using the configured CA certificate which is usually +# placed in and trusted by end-user browsers. This is the +# default for trusted origin server certificates. +# +# signUntrusted +# Sign to guarantee an X509_V_ERR_CERT_UNTRUSTED browser error. +# This is the default for untrusted origin server certificates +# that are not self-signed (see ssl::certUntrusted). +# +# signSelf +# Sign using a self-signed certificate with the right CN to +# generate a X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT error in the +# browser. This is the default for self-signed origin server +# certificates (see ssl::certSelfSigned). +# +# This clause only supports fast acl types. +# +# When sslproxy_cert_sign acl(s) match, Squid uses the corresponding +# signing algorithm to generate the certificate and ignores all +# subsequent sslproxy_cert_sign options (the first match wins). If no +# acl(s) match, the default signing algorithm is determined by errors +# detected when obtaining and validating the origin server certificate. +# +# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can +# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a +# CONNECT request that carries a domain name. In all other cases (CONNECT +# to an IP address or an intercepted SSL connection), Squid cannot detect +# the domain mismatch at certificate generation time when +# bump-server-first is used. +#Default: +# none + +# TAG: sslproxy_cert_adapt +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# +# sslproxy_cert_adapt acl ... +# +# The following certificate adaptation algorithms are supported: +# +# setValidAfter +# Sets the "Not After" property to the "Not After" property of +# the CA certificate used to sign generated certificates. +# +# setValidBefore +# Sets the "Not Before" property to the "Not Before" property of +# the CA certificate used to sign generated certificates. +# +# setCommonName or setCommonName{CN} +# Sets Subject.CN property to the host name specified as a +# CN parameter or, if no explicit CN parameter was specified, +# extracted from the CONNECT request. It is a misconfiguration +# to use setCommonName without an explicit parameter for +# intercepted or tproxied SSL connections. +# +# This clause only supports fast acl types. +# +# Squid first groups sslproxy_cert_adapt options by adaptation algorithm. +# Within a group, when sslproxy_cert_adapt acl(s) match, Squid uses the +# corresponding adaptation algorithm to generate the certificate and +# ignores all subsequent sslproxy_cert_adapt options in that algorithm's +# group (i.e., the first match wins within each algorithm group). If no +# acl(s) match, the default mimicking action takes place. +# +# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can +# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a +# CONNECT request that carries a domain name. In all other cases (CONNECT +# to an IP address or an intercepted SSL connection), Squid cannot detect +# the domain mismatch at certificate generation time when +# bump-server-first is used. #Default: # none # TAG: sslpassword_program # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Specify a program used for entering SSL key passphrases # when using encrypted SSL certificate keys. If not specified @@ -1595,12 +2506,12 @@ http_port 3128 #Default: # none -#OPTIONS RELATING TO EXTERNAL SSL_CRTD -#----------------------------------------------------------------------------- +# OPTIONS RELATING TO EXTERNAL SSL_CRTD +# ----------------------------------------------------------------------------- # TAG: sslcrtd_program # Note: This option is only available if Squid is rebuilt with the -# -DUSE_SSL_CRTD define +# --enable-ssl-crtd # # Specify the location and options of the executable for ssl_crtd process. # /usr/lib/squid/ssl_crtd program requires -s and -M parameters @@ -1611,14 +2522,90 @@ http_port 3128 # TAG: sslcrtd_children # Note: This option is only available if Squid is rebuilt with the -# -DUSE_SSL_CRTD define +# --enable-ssl-crtd # # The maximum number of processes spawn to service ssl server. # The maximum this may be safely set to is 32. # +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup=N +# +# Sets the minimum number of processes to spawn when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few children temporary slows Squid under load while it +# tries to spawn enough additional processes to cope with traffic. +# +# idle=N +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# # You must have at least one ssl_crtd process. #Default: -# sslcrtd_children 5 +# sslcrtd_children 32 startup=5 idle=1 + +# TAG: sslcrtvalidator_program +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Specify the location and options of the executable for ssl_crt_validator +# process. +# +# Usage: sslcrtvalidator_program [ttl=n] [cache=n] path ... +# +# Options: +# ttl=n TTL in seconds for cached results. The default is 60 secs +# cache=n limit the result cache size. The default value is 2048 +#Default: +# none + +# TAG: sslcrtvalidator_children +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# The maximum number of processes spawn to service SSL server. +# The maximum this may be safely set to is 32. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup=N +# +# Sets the minimum number of processes to spawn when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few children temporary slows Squid under load while it +# tries to spawn enough additional processes to cope with traffic. +# +# idle=N +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# +# The number of requests each certificate validator helper can handle in +# parallel. A value of 0 indicates the certficate validator does not +# support concurrency. Defaults to 1. +# +# When this directive is set to a value >= 1 then the protocol +# used to communicate with the helper is modified to include +# a request ID in front of the request/response. The request +# ID from the request must be echoed back with the response +# to that request. +# +# You must have at least one ssl_crt_validator process. +#Default: +# sslcrtvalidator_children 32 startup=5 idle=1 concurrency=1 # OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM # ----------------------------------------------------------------------------- @@ -1680,22 +2667,23 @@ http_port 3128 # # htcp Send HTCP, instead of ICP, queries to the neighbor. # You probably also want to set the "icp-port" to 4827 -# instead of 3130. +# instead of 3130. This directive accepts a comma separated +# list of options described below. # -# htcp-oldsquid Send HTCP to old Squid versions. +# htcp=oldsquid Send HTCP to old Squid versions (2.5 or earlier). # -# htcp-no-clr Send HTCP to the neighbor but without +# htcp=no-clr Send HTCP to the neighbor but without # sending any CLR requests. This cannot be used with -# htcp-only-clr. +# only-clr. # -# htcp-only-clr Send HTCP to the neighbor but ONLY CLR requests. -# This cannot be used with htcp-no-clr. +# htcp=only-clr Send HTCP to the neighbor but ONLY CLR requests. +# This cannot be used with no-clr. # -# htcp-no-purge-clr +# htcp=no-purge-clr # Send HTCP to the neighbor including CLRs but only when # they do not result from PURGE requests. # -# htcp-forward-clr +# htcp=forward-clr # Forward any HTCP CLR requests this proxy receives to the peer. # # @@ -1768,6 +2756,14 @@ http_port 3128 # than the Squid default location. # # +# ==== CARP OPTIONS ==== +# +# carp-key=key-specification +# use a different key than the full URL to hash against the peer. +# the key-specification is a comma-separated list of the keywords +# scheme, host, port, path, params +# Order is not important. +# # ==== ACCELERATOR / REVERSE-PROXY OPTIONS ==== # # originserver Causes this parent to be contacted as an origin server. @@ -1795,20 +2791,23 @@ http_port 3128 # Note: The string can include URL escapes (i.e. %20 for # spaces). This also means % must be written as %%. # -# login=PROXYPASS +# login=PASSTHRU # Send login details received from client to this peer. -# Authentication is not required, nor changed. +# Both Proxy- and WWW-Authorization headers are passed +# without alteration to the peer. +# Authentication is not required by Squid for this to work. # # Note: This will pass any form of authentication but # only Basic auth will work through a proxy unless the # connection-auth options are also used. -# +# # login=PASS Send login details received from client to this peer. # Authentication is not required by this option. +# # If there are no client-provided authentication headers # to pass on, but username and password are available -# from either proxy login or an external ACL user= and -# password= result tags they may be sent instead. +# from an external ACL user= and password= result tags +# they may be sent instead. # # Note: To combine this with proxy_auth both proxies must # share the same user database as HTTP only allows for @@ -1826,6 +2825,27 @@ http_port 3128 # be used to identify this proxy to the peer, similar to # the login=username:password option above. # +# login=NEGOTIATE +# If this is a personal/workgroup proxy and your parent +# requires a secure proxy authentication. +# The first principal from the default keytab or defined by +# the environment variable KRB5_KTNAME will be used. +# +# WARNING: The connection may transmit requests from multiple +# clients. Negotiate often assumes end-to-end authentication +# and a single-client. Which is not strictly true here. +# +# login=NEGOTIATE:principal_name +# If this is a personal/workgroup proxy and your parent +# requires a secure proxy authentication. +# The principal principal_name from the default keytab or +# defined by the environment variable KRB5_KTNAME will be +# used. +# +# WARNING: The connection may transmit requests from multiple +# clients. Negotiate often assumes end-to-end authentication +# and a single-client. Which is not strictly true here. +# # connection-auth=on|off # Tell Squid that this peer does or not support Microsoft # connection oriented authentication, and any such @@ -1848,22 +2868,42 @@ http_port 3128 # reference a combined file containing both the # certificate and the key. # -# sslversion=1|2|3|4 +# sslversion=1|2|3|4|5|6 # The SSL version to use when connecting to this peer # 1 = automatic (default) # 2 = SSL v2 only # 3 = SSL v3 only -# 4 = TLS v1 only +# 4 = TLS v1.0 only +# 5 = TLS v1.1 only +# 6 = TLS v1.2 only # # sslcipher=... The list of valid SSL ciphers to use when connecting # to this peer. # -# ssloptions=... Specify various SSL engine options: -# NO_SSLv2 Disallow the use of SSLv2 -# NO_SSLv3 Disallow the use of SSLv3 -# NO_TLSv1 Disallow the use of TLSv1 -# See src/ssl_support.c or the OpenSSL documentation for -# a more complete list. +# ssloptions=... Specify various SSL implementation options: +# +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# +# SINGLE_DH_USE +# Always create a new key when using +# temporary/ephemeral DH key exchanges +# +# NO_TICKET +# Disable use of RFC5077 session tickets. Some servers +# may have problems understanding the TLS extension due +# to ambiguous specification in RFC4507. +# +# ALL Enable various bug workarounds +# suggested as "harmless" by OpenSSL +# Be warned that this reduces SSL/TLS +# strength to some attacks. +# +# See the OpenSSL SSL_CTX_set_options documentation for a +# more complete list. # # sslcafile=... A file containing additional CA certificates to use # when verifying the peer certificate. @@ -1907,29 +2947,74 @@ http_port 3128 # # connect-fail-limit=N # How many times connecting to a peer must fail before -# it is marked as down. Default is 10. +# it is marked as down. Standby connection failures +# count towards this limit. Default is 10. # # allow-miss Disable Squid's use of only-if-cached when forwarding # requests to siblings. This is primarily useful when -# icp_hit_stale is used by the sibling. To extensive use -# of this option may result in forwarding loops, and you -# should avoid having two-way peerings with this option. -# For example to deny peer usage on requests from peer -# by denying cache_peer_access if the source is a peer. +# icp_hit_stale is used by the sibling. Excessive use +# of this option may result in forwarding loops. One way +# to prevent peering loops when using this option, is to +# deny cache peer usage on requests from a peer: +# acl fromPeer ... +# cache_peer_access peerName deny fromPeer +# +# max-conn=N Limit the number of concurrent connections the Squid +# may open to this peer, including already opened idle +# and standby connections. There is no peer-specific +# connection limit by default. # -# max-conn=N Limit the amount of connections Squid may open to this -# peer. see also +# A peer exceeding the limit is not used for new +# requests unless a standby connection is available. +# +# max-conn currently works poorly with idle persistent +# connections: When a peer reaches its max-conn limit, +# and there are idle persistent connections to the peer, +# the peer may not be selected because the limiting code +# does not know whether Squid can reuse those idle +# connections. +# +# standby=N Maintain a pool of N "hot standby" connections to an +# UP peer, available for requests when no idle +# persistent connection is available (or safe) to use. +# By default and with zero N, no such pool is maintained. +# N must not exceed the max-conn limit (if any). +# +# At start or after reconfiguration, Squid opens new TCP +# standby connections until there are N connections +# available and then replenishes the standby pool as +# opened connections are used up for requests. A used +# connection never goes back to the standby pool, but +# may go to the regular idle persistent connection pool +# shared by all peers and origin servers. +# +# Squid never opens multiple new standby connections +# concurrently. This one-at-a-time approach minimizes +# flooding-like effect on peers. Furthermore, just a few +# standby connections should be sufficient in most cases +# to supply most new requests with a ready-to-use +# connection. +# +# Standby connections obey server_idle_pconn_timeout. +# For the feature to work as intended, the peer must be +# configured to accept and keep them open longer than +# the idle timeout at the connecting Squid, to minimize +# race conditions typical to idle used persistent +# connections. Default request_timeout and +# server_idle_pconn_timeout values ensure such a +# configuration. # # name=xxx Unique name for the peer. # Required if you have multiple peers on the same host # but different ports. # This name can be used in cache_peer_access and similar -# directives to dentify the peer. +# directives to identify the peer. # Can be used by outgoing access controls through the # peername ACL type. # # no-tproxy Do not use the client-spoof TPROXY support when forwarding # requests to this peer. Use normal address selection instead. +# This overrides the spoof_client_ip ACL. # # proxy-only objects fetched from the peer will not be stored locally. # @@ -1938,10 +3023,11 @@ http_port 3128 # TAG: cache_peer_domain # Use to limit the domains for which a neighbor cache will be -# queried. Usage: +# queried. # -# cache_peer_domain cache-host domain [domain ...] -# cache_peer_domain cache-host !domain +# Usage: +# cache_peer_domain cache-host domain [domain ...] +# cache_peer_domain cache-host !domain # # For example, specifying # @@ -1966,33 +3052,57 @@ http_port 3128 # none # TAG: cache_peer_access -# Similar to 'cache_peer_domain' but provides more flexibility by -# using ACL elements. +# Restricts usage of cache_peer proxies. # -# cache_peer_access cache-host allow|deny [!]aclname ... +# Usage: +# cache_peer_access peer-name allow|deny [!]aclname ... +# +# For the required peer-name parameter, use either the value of the +# cache_peer name=value parameter or, if name=value is missing, the +# cache_peer hostname parameter. +# +# This directive narrows down the selection of peering candidates, but +# does not determine the order in which the selected candidates are +# contacted. That order is determined by the peer selection algorithms +# (see PEER SELECTION sections in the cache_peer documentation). +# +# If a deny rule matches, the corresponding peer will not be contacted +# for the current transaction -- Squid will not send ICP queries and +# will not forward HTTP requests to that peer. An allow match leaves +# the corresponding peer in the selection. The first match for a given +# peer wins for that peer. +# +# The relative order of cache_peer_access directives for the same peer +# matters. The relative order of any two cache_peer_access directives +# for different peers does not matter. To ease interpretation, it is a +# good idea to group cache_peer_access directives for the same peer +# together. +# +# A single cache_peer_access directive may be evaluated multiple times +# for a given transaction because individual peer selection algorithms +# may check it independently from each other. These redundant checks +# may be optimized away in future Squid versions. # -# The syntax is identical to 'http_access' and the other lists of -# ACL elements. See the comments for 'http_access' below, or -# the Squid FAQ (http://wiki.squid-cache.org/SquidFaq/SquidAcl). +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# No peer usage restrictions. # TAG: neighbor_type_domain -# usage: neighbor_type_domain neighbor parent|sibling domain domain ... +# Modify the cache_peer neighbor type when passing requests +# about specific domains to the peer. # -# Modifying the neighbor type for specific domains is now -# possible. You can treat some domains differently than the the -# default neighbor type specified on the 'cache_peer' line. -# Normally it should only be necessary to list domains which -# should be treated differently because the default neighbor type -# applies for hostnames which do not match domains listed here. +# Usage: +# neighbor_type_domain neighbor parent|sibling domain domain ... # -#EXAMPLE: -# cache_peer cache.foo.org parent 3128 3130 -# neighbor_type_domain cache.foo.org sibling .com .net -# neighbor_type_domain cache.foo.org sibling .au .de +# For example: +# cache_peer foo.example.com parent 3128 3130 +# neighbor_type_domain foo.example.com sibling .au .de +# +# The above configuration treats all requests to foo.example.com as a +# parent proxy unless the request is for a .au or .de ccTLD domain name. #Default: -# none +# The peer type from cache_peer directive is used for all requests to that peer. # TAG: dead_peer_timeout (seconds) # This controls how long Squid waits to declare a peer cache @@ -2015,21 +3125,11 @@ http_port 3128 # TAG: forward_max_tries # Controls how many different forward paths Squid will try # before giving up. See also forward_timeout. +# +# NOTE: connect_retries (default: none) can make each of these +# possible forwarding paths be tried multiple times. #Default: -# forward_max_tries 10 - -# TAG: hierarchy_stoplist -# A list of words which, if found in a URL, cause the object to -# be handled directly by this cache. In other words, use this -# to not query neighbor caches for certain objects. You may -# list this option multiple times. -# -# Example: -# hierarchy_stoplist cgi-bin ? -# -# Note: never_direct overrides this option. -#Default: -# none +# forward_max_tries 25 # MEMORY CACHE OPTIONS # ----------------------------------------------------------------------------- @@ -2064,6 +3164,11 @@ http_port 3128 # decreases, blocks will be freed until the high-water mark is # reached. Thereafter, blocks will be used to store hot # objects. +# +# If shared memory caching is enabled, Squid does not use the shared +# cache space for in-transit objects, but they still consume as much +# local memory as they need. For more details about the shared memory +# cache, see memory_cache_shared. #Default: # cache_mem 256 MB @@ -2075,11 +3180,45 @@ http_port 3128 #Default: # maximum_object_size_in_memory 512 KB +# TAG: memory_cache_shared on|off +# Controls whether the memory cache is shared among SMP workers. +# +# The shared memory cache is meant to occupy cache_mem bytes and replace +# the non-shared memory cache, although some entities may still be +# cached locally by workers for now (e.g., internal and in-transit +# objects may be served from a local memory cache even if shared memory +# caching is enabled). +# +# By default, the memory cache is shared if and only if all of the +# following conditions are satisfied: Squid runs in SMP mode with +# multiple workers, cache_mem is positive, and Squid environment +# supports required IPC primitives (e.g., POSIX shared memory segments +# and GCC-style atomic operations). +# +# To avoid blocking locks, shared memory uses opportunistic algorithms +# that do not guarantee that every cachable entity that could have been +# shared among SMP workers will actually be shared. +#Default: +# "on" where supported if doing memory caching with multiple SMP workers. + +# TAG: memory_cache_mode +# Controls which objects to keep in the memory cache (cache_mem) +# +# always Keep most recently fetched objects in memory (default) +# +# disk Only disk cache hits are kept in memory, which means +# an object must first be cached on disk and then hit +# a second time before cached in memory. +# +# network Only objects fetched from network is kept in memory +#Default: +# Keep the most recently fetched objects in memory + # TAG: memory_replacement_policy # The memory replacement policy parameter determines which # objects are purged from memory when memory space is needed. # -# See cache_replacement_policy for details. +# See cache_replacement_policy for details on algorithms. #Default: # memory_replacement_policy lru @@ -2095,7 +3234,7 @@ http_port 3128 # heap LFUDA: Least Frequently Used with Dynamic Aging # heap LRU : LRU policy implemented using a heap # -# Applies to any cache_dir lines listed below this. +# Applies to any cache_dir lines listed below this directive. # # The LRU policies keeps recently referenced objects. # @@ -2114,7 +3253,7 @@ http_port 3128 # replacement policies. # # NOTE: if using the LFUDA replacement policy you should increase -# the value of maximum_object_size above its default of 4096 KB to +# the value of maximum_object_size above its default of 4 MB to # to maximize the potential byte hit rate improvement of LFUDA. # # For more information about the GDSF and LFUDA cache replacement @@ -2123,10 +3262,34 @@ http_port 3128 #Default: # cache_replacement_policy lru +# TAG: minimum_object_size (bytes) +# Objects smaller than this size will NOT be saved on disk. The +# value is specified in bytes, and the default is 0 KB, which +# means all responses can be stored. +#Default: +# no limit + +# TAG: maximum_object_size (bytes) +# Set the default value for max-size parameter on any cache_dir. +# The value is specified in bytes, and the default is 4 MB. +# +# If you wish to get a high BYTES hit ratio, you should probably +# increase this (one 32 MB object hit counts for 3200 10KB +# hits). +# +# If you wish to increase hit ratio more than you want to +# save bandwidth you should leave this low. +# +# NOTE: if using the LFUDA replacement policy you should increase +# this value to maximize the byte hit rate improvement of LFUDA! +# See cache_replacement_policy for a discussion of this policy. +#Default: +# maximum_object_size 4 MB +maximum_object_size 153600 KB + # TAG: cache_dir -# Usage: -# -# cache_dir Type Directory-Name Fs-specific-data [options] +# Format: +# cache_dir Type Directory-Name Fs-specific-data [options] # # You can specify multiple cache_dir lines to spread the # cache among different disk partitions. @@ -2141,12 +3304,18 @@ http_port 3128 # The directory must exist and be writable by the Squid # process. Squid will NOT create this directory for you. # -# The ufs store type: +# In SMP configurations, cache_dir must not precede the workers option +# and should use configuration macros or conditionals to give each +# worker interested in disk caching a dedicated cache directory. +# +# +# ==== The ufs store type ==== # # "ufs" is the old well-known Squid storage format that has always # been there. # -# cache_dir ufs Directory-Name Mbytes L1 L2 [options] +# Usage: +# cache_dir ufs Directory-Name Mbytes L1 L2 [options] # # 'Mbytes' is the amount of disk space (MB) to use under this # directory. The default is 100 MB. Change this to suit your @@ -2161,23 +3330,27 @@ http_port 3128 # will be created under each first-level directory. The default # is 256. # -# The aufs store type: +# +# ==== The aufs store type ==== # # "aufs" uses the same storage format as "ufs", utilizing # POSIX-threads to avoid blocking the main Squid process on # disk-I/O. This was formerly known in Squid as async-io. # -# cache_dir aufs Directory-Name Mbytes L1 L2 [options] +# Usage: +# cache_dir aufs Directory-Name Mbytes L1 L2 [options] # # see argument descriptions under ufs above # -# The diskd store type: +# +# ==== The diskd store type ==== # # "diskd" uses the same storage format as "ufs", utilizing a # separate process to avoid blocking the main Squid process on # disk-I/O. # -# cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n] +# Usage: +# cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n] # # see argument descriptions under ufs above # @@ -2185,55 +3358,149 @@ http_port 3128 # stops opening new files. If this many messages are in the queues, # Squid won't open new files. Default is 64 # -# Q2 specifies the number of unacknowledged messages when Squid -# starts blocking. If this many messages are in the queues, -# Squid blocks until it receives some replies. Default is 72 +# Q2 specifies the number of unacknowledged messages when Squid +# starts blocking. If this many messages are in the queues, +# Squid blocks until it receives some replies. Default is 72 +# +# When Q1 < Q2 (the default), the cache directory is optimized +# for lower response time at the expense of a decrease in hit +# ratio. If Q1 > Q2, the cache directory is optimized for +# higher hit ratio at the expense of an increase in response +# time. +# +# +# ==== The rock store type ==== +# +# Usage: +# cache_dir rock Directory-Name Mbytes [options] +# +# The Rock Store type is a database-style storage. All cached +# entries are stored in a "database" file, using fixed-size slots. +# A single entry occupies one or more slots. +# +# If possible, Squid using Rock Store creates a dedicated kid +# process called "disker" to avoid blocking Squid worker(s) on disk +# I/O. One disker kid is created for each rock cache_dir. Diskers +# are created only when Squid, running in daemon mode, has support +# for the IpcIo disk I/O module. +# +# swap-timeout=msec: Squid will not start writing a miss to or +# reading a hit from disk if it estimates that the swap operation +# will take more than the specified number of milliseconds. By +# default and when set to zero, disables the disk I/O time limit +# enforcement. Ignored when using blocking I/O module because +# blocking synchronous I/O does not allow Squid to estimate the +# expected swap wait time. +# +# max-swap-rate=swaps/sec: Artificially limits disk access using +# the specified I/O rate limit. Swap out requests that +# would cause the average I/O rate to exceed the limit are +# delayed. Individual swap in requests (i.e., hits or reads) are +# not delayed, but they do contribute to measured swap rate and +# since they are placed in the same FIFO queue as swap out +# requests, they may wait longer if max-swap-rate is smaller. +# This is necessary on file systems that buffer "too +# many" writes and then start blocking Squid and other processes +# while committing those writes to disk. Usually used together +# with swap-timeout to avoid excessive delays and queue overflows +# when disk demand exceeds available disk "bandwidth". By default +# and when set to zero, disables the disk I/O rate limit +# enforcement. Currently supported by IpcIo module only. +# +# slot-size=bytes: The size of a database "record" used for +# storing cached responses. A cached response occupies at least +# one slot and all database I/O is done using individual slots so +# increasing this parameter leads to more disk space waste while +# decreasing it leads to more disk I/O overheads. Should be a +# multiple of your operating system I/O page size. Defaults to +# 16KBytes. A housekeeping header is stored with each slot and +# smaller slot-sizes will be rejected. The header is smaller than +# 100 bytes. +# +# +# ==== COMMON OPTIONS ==== +# +# no-store no new objects should be stored to this cache_dir. +# +# min-size=n the minimum object size in bytes this cache_dir +# will accept. It's used to restrict a cache_dir +# to only store large objects (e.g. AUFS) while +# other stores are optimized for smaller objects +# (e.g. Rock). +# Defaults to 0. +# +# max-size=n the maximum object size in bytes this cache_dir +# supports. +# The value in maximum_object_size directive sets +# the default unless more specific details are +# available (ie a small store capacity). +# +# Note: To make optimal use of the max-size limits you should order +# the cache_dir lines with the smallest max-size value first. +# +#Default: +# No disk cache. Store cache ojects only in memory. +# + +# Uncomment and adjust the following to add a disk cache directory. +#cache_dir ufs /var/spool/squid 100 16 256 +cache_dir ufs /var/spool/squid 4096 16 1024 + +# TAG: store_dir_select_algorithm +# How Squid selects which cache_dir to use when the response +# object will fit into more than one. +# +# Regardless of which algorithm is used the cache_dir min-size +# and max-size parameters are obeyed. As such they can affect +# the selection algorithm by limiting the set of considered +# cache_dir. +# +# Algorithms: +# +# least-load +# +# This algorithm is suited to caches with similar cache_dir +# sizes and disk speeds. # -# When Q1 < Q2 (the default), the cache directory is optimized -# for lower response time at the expense of a decrease in hit -# ratio. If Q1 > Q2, the cache directory is optimized for -# higher hit ratio at the expense of an increase in response -# time. +# The disk with the least I/O pending is selected. +# When there are multiple disks with the same I/O load ranking +# the cache_dir with most available capacity is selected. # -# The coss store type: +# When a mix of cache_dir sizes are configured the faster disks +# have a naturally lower I/O loading and larger disks have more +# capacity. So space used to store objects and data throughput +# may be very unbalanced towards larger disks. # -# NP: COSS filesystem in Squid-3 has been deemed too unstable for -# production use and has thus been removed from this release. -# We hope that it can be made usable again soon. # -# block-size=n defines the "block size" for COSS cache_dir's. -# Squid uses file numbers as block numbers. Since file numbers -# are limited to 24 bits, the block size determines the maximum -# size of the COSS partition. The default is 512 bytes, which -# leads to a maximum cache_dir size of 512<<24, or 8 GB. Note -# you should not change the coss block size after Squid -# has written some objects to the cache_dir. +# round-robin # -# The coss file store has changed from 2.5. Now it uses a file -# called 'stripe' in the directory names in the config - and -# this will be created by squid -z. +# This algorithm is suited to caches with unequal cache_dir +# disk sizes. # -# Common options: +# Each cache_dir is selected in a rotation. The next suitable +# cache_dir is used. # -# no-store, no new objects should be stored to this cache_dir +# Available cache_dir capacity is only considered in relation +# to whether the object will fit and meets the min-size and +# max-size parameters. # -# max-size=n, refers to the max object size in bytes this cache_dir -# supports. It is used to select the cache_dir to store the object. -# Note: To make optimal use of the max-size limits you should order -# the cache_dir lines with the smallest max-size value first and the -# ones with no max-size specification last. +# Disk I/O loading is only considered to prevent overload on slow +# disks. This algorithm does not spread objects by size, so any +# I/O loading per-disk may appear very unbalanced and volatile. # -# Note for coss, max-size must be less than COSS_MEMBUF_SZ, -# which can be changed with the --with-coss-membuf-size=N configure -# option. +# If several cache_dirs use similar min-size, max-size, or other +# limits to to reject certain responses, then do not group such +# cache_dir lines together, to avoid round-robin selection bias +# towards the first cache_dir after the group. Instead, interleave +# cache_dir lines from different groups. For example: # - -# Uncomment and adjust the following to add a disk cache directory. -#cache_dir ufs /var/spool/squid 100 16 256 -cache_dir ufs /var/spool/squid 4096 16 1024 - -# TAG: store_dir_select_algorithm -# Set this to 'round-robin' as an alternative. +# store_dir_select_algorithm round-robin +# cache_dir rock /hdd1 ... min-size=100000 +# cache_dir rock /ssd1 ... max-size=99999 +# cache_dir rock /hdd2 ... min-size=100000 +# cache_dir rock /ssd2 ... max-size=99999 +# cache_dir rock /hdd3 ... min-size=100000 +# cache_dir rock /ssd3 ... max-size=99999 #Default: # store_dir_select_algorithm least-load @@ -2244,46 +3511,53 @@ cache_dir ufs /var/spool/squid 4096 16 1024 # # A value of 0 indicates no limit. #Default: -# max_open_disk_fds 0 - -# TAG: minimum_object_size (bytes) -# Objects smaller than this size will NOT be saved on disk. The -# value is specified in kilobytes, and the default is 0 KB, which -# means there is no minimum. -#Default: -# minimum_object_size 0 KB - -# TAG: maximum_object_size (bytes) -# Objects larger than this size will NOT be saved on disk. The -# value is specified in kilobytes, and the default is 4MB. If -# you wish to get a high BYTES hit ratio, you should probably -# increase this (one 32 MB object hit counts for 3200 10KB -# hits). If you wish to increase speed more than your want to -# save bandwidth you should leave this low. -# -# NOTE: if using the LFUDA replacement policy you should increase -# this value to maximize the byte hit rate improvement of LFUDA! -# See replacement_policy below for a discussion of this policy. -#Default: -# maximum_object_size 4096 KB -maximum_object_size 153600 KB +# no limit # TAG: cache_swap_low (percent, 0-100) +# The low-water mark for AUFS/UFS/diskd cache object eviction by +# the cache_replacement_policy algorithm. +# +# Removal begins when the swap (disk) usage of a cache_dir is +# above this low-water mark and attempts to maintain utilization +# near the low-water mark. +# +# As swap utilization increases towards the high-water mark set +# by cache_swap_high object eviction becomes more agressive. +# +# The value difference in percentages between low- and high-water +# marks represent an eviction rate of 300 objects per second and +# the rate continues to scale in agressiveness by multiples of +# this above the high-water mark. +# +# Defaults are 90% and 95%. If you have a large cache, 5% could be +# hundreds of MB. If this is the case you may wish to set these +# numbers closer together. +# +# See also cache_swap_high and cache_replacement_policy #Default: # cache_swap_low 90 # TAG: cache_swap_high (percent, 0-100) +# The high-water mark for AUFS/UFS/diskd cache object eviction by +# the cache_replacement_policy algorithm. # -# The low- and high-water marks for cache object replacement. -# Replacement begins when the swap (disk) usage is above the -# low-water mark and attempts to maintain utilization near the -# low-water mark. As swap utilization gets close to high-water -# mark object eviction becomes more aggressive. If utilization is -# close to the low-water mark less replacement is done each time. +# Removal begins when the swap (disk) usage of a cache_dir is +# above the low-water mark set by cache_swap_low and attempts to +# maintain utilization near the low-water mark. +# +# As swap utilization increases towards this high-water mark object +# eviction becomes more agressive. +# +# The value difference in percentages between low- and high-water +# marks represent an eviction rate of 300 objects per second and +# the rate continues to scale in agressiveness by multiples of +# this above the high-water mark. # # Defaults are 90% and 95%. If you have a large cache, 5% could be # hundreds of MB. If this is the case you may wish to set these # numbers closer together. +# +# See also cache_swap_low and cache_replacement_policy #Default: # cache_swap_high 95 @@ -2313,21 +3587,62 @@ maximum_object_size 153600 KB # ' output as-is # # - left aligned -# width field width. If starting with 0 the -# output is zero padded +# +# width minimum and/or maximum field width: +# [width_min][.width_max] +# When minimum starts with 0, the field is zero-padded. +# String values exceeding maximum width are truncated. +# # {arg} argument such as header name etc # # Format codes: # # % a literal % character +# sn Unique sequence number per log line entry +# err_code The ID of an error response served by Squid or +# a similar internal error identifier. +# err_detail Additional err_code-dependent error information. +# note The annotation specified by the argument. Also +# logs the adaptation meta headers set by the +# adaptation_meta configuration parameter. +# If no argument given all annotations logged. +# The argument may include a separator to use with +# annotation values: +# name[:separator] +# By default, multiple note values are separated with "," +# and multiple notes are separated with "\r\n". +# When logging named notes with %{name}note, the +# explicitly configured separator is used between note +# values. When logging all notes with %note, the +# explicitly configured separator is used between +# individual notes. There is currently no way to +# specify both value and notes separators when logging +# all notes with %note. +# +# Connection related format codes: +# # >a Client source IP address # >A Client FQDN # >p Client source port -# eui Client source EUI (MAC address, EUI-48 or EUI-64 identifier) +# >la Local IP address the client connected to +# >lp Local port number the client connected to +# >qos Client connection TOS/DSCP value set by Squid +# >nfmark Client connection netfilter mark set by Squid +# +# la Local listening IP address the client connection was connected to. +# lp Local listening port number the client connection was connected to. +# +# . format. +# Currently, Squid considers the master transaction +# started when a complete HTTP request header initiating +# the transaction is received from the client. This is +# the same value that Squid uses to calculate transaction +# response time when logging %tr to access.log. Currently, +# Squid uses millisecond resolution for %tS values, +# similar to the default access.log "current time" field +# (%ts.%03tu). +# +# Access Control related format codes: +# +# et Tag returned by external acl +# ea Log string returned by external acl +# un User name (any available) +# ul User name from authentication +# ue User name from external acl helper +# ui User name from ident +# un A user name. Expands to the first available name +# from the following list of information sources: +# - authenticated user name, like %ul +# - user name supplied by an external ACL, like %ue +# - SSL client name, like %us +# - ident user name, like %ui +# credentials Client credentials. The exact meaning depends on +# the authentication scheme: For Basic authentication, +# it is the password; for Digest, the realm sent by the +# client; for NTLM and Negotiate, the client challenge +# or client credentials prefixed with "YR " or "KK ". +# +# HTTP related format codes: +# +# REQUEST # -# HTTP cache related format codes: -# -# [http::]>h Original request header. Optional header name argument -# on the format header[:[separator]element] -# [http::]>ha The HTTP request headers after adaptation and redirection. +# [http::]rm Request method (GET/POST etc) +# [http::]>rm Request method from client +# [http::]ru Request URL from client +# [http::]rs Request URL scheme from client +# [http::]rd Request URL domain from client +# [http::]rP Request URL port from client +# [http::]rp Request URL path excluding hostname from client +# [http::]rv Request protocol version from client +# [http::]h Original received request header. +# Usually differs from the request header sent by +# Squid, although most fields are often preserved. +# Accepts optional header field name/value filter +# argument using name[:[separator]element] format. +# [http::]>ha Received request header after adaptation and +# redirection (pre-cache REQMOD vectoring point). +# Usually differs from the request header sent by +# Squid, although most fields are often preserved. # Optional header name argument as for >h +# +# +# RESPONSE +# +# [http::]Hs HTTP status code sent to the client +# # [http::]h -# [http::]un User name -# [http::]ul User name from authentication -# [http::]ui User name from ident -# [http::]us User name from SSL -# [http::]ue User name from external acl helper -# [http::]>Hs HTTP status code sent to the client -# [http::]st Received request size including HTTP headers. In the -# case of chunked requests the chunked encoding metadata -# are not included -# [http::]>sh Received HTTP request headers size -# [http::]st Total size of request received from client. +# Excluding chunked encoding bytes. +# [http::]sh Size of request headers received from client +# [http::]sni SSL client SNI sent to Squid. Available only +# after the peek, stare, or splice SSL bumping +# actions. +# +# If ICAP is enabled, the following code becomes available (as # well as ICAP log codes documented with the icap_log option): # # icap::tt Total ICAP processing time for the HTTP @@ -2386,14 +3793,13 @@ maximum_object_size 153600 KB # ACLs are checked and when ICAP # transaction is in progress. # -# icap::cert_subject The Subject field of the received client +# SSL certificate or a dash ('-') if Squid has +# received an invalid/malformed certificate or +# no certificate at all. Consider encoding the +# logged value because Subject often has spaces. +# +# %ssl::>cert_issuer The Issuer field of the received client +# SSL certificate or a dash ('-') if Squid has +# received an invalid/malformed certificate or +# no certificate at all. Consider encoding the +# logged value because Issuer often has spaces. +# # The default formats available (which do not need re-defining) are: # -#logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %a %Ss/%03>Hs %h] [%a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh +#logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh +#logformat referrer %ts.%03tu %>a %{Referer}>h %ru +#logformat useragent %>a [%tl] "%{User-Agent}>h" +# +# NOTE: When the log_mime_hdrs directive is set to ON. +# The squid, common and combined formats have a safely encoded copy +# of the mime headers appended to each line within a pair of brackets. +# +# NOTE: The common and combined formats are not quite true to the Apache definition. +# The logs from Squid contain an extra status and hierarchy code appended. +# #Default: -# none +# The format definitions squid, common, combined, referrer, useragent are built in. # TAG: access_log -# These files log client request activities. Has a line every HTTP or -# ICP request. The format is: -# access_log [ [acl acl ...]] -# access_log none [acl acl ...]] +# Configures whether and how Squid logs HTTP and ICP transactions. +# If access logging is enabled, a single line is logged for every +# matching HTTP or ICP request. The recommended directive formats are: # -# Will log to the specified file using the specified format (which -# must be defined in a logformat directive) those entries which match -# ALL the acl's specified (which must be defined in acl clauses). +# access_log : [option ...] [acl acl ...] +# access_log none [acl acl ...] # -# If no acl is specified, all requests will be logged to this file. +# The following directive format is accepted but may be deprecated: +# access_log : [ [acl acl ...]] # -# To disable logging of a request use the filepath "none", in which case -# a logformat name should not be specified. +# In most cases, the first ACL name must not contain the '=' character +# and should not be equal to an existing logformat name. You can always +# start with an 'all' ACL to work around those restrictions. +# +# Will log to the specified module:place using the specified format (which +# must be defined in a logformat directive) those entries which match +# ALL the acl's specified (which must be defined in acl clauses). +# If no acl is specified, all requests will be logged to this destination. +# +# ===== Available options for the recommended directive format ===== +# +# logformat=name Names log line format (either built-in or +# defined by a logformat directive). Defaults +# to 'squid'. +# +# buffer-size=64KB Defines approximate buffering limit for log +# records (see buffered_logs). Squid should not +# keep more than the specified size and, hence, +# should flush records before the buffer becomes +# full to avoid overflows under normal +# conditions (the exact flushing algorithm is +# module-dependent though). The on-error option +# controls overflow handling. +# +# on-error=die|drop Defines action on unrecoverable errors. The +# 'drop' action ignores (i.e., does not log) +# affected log records. The default 'die' action +# kills the affected worker. The drop action +# support has not been tested for modules other +# than tcp. +# +# ===== Modules Currently available ===== +# +# none Do not log any requests matching these ACL. +# Do not specify Place or logformat name. +# +# stdio Write each log line to disk immediately at the completion of +# each request. +# Place: the filename and path to be written. +# +# daemon Very similar to stdio. But instead of writing to disk the log +# line is passed to a daemon helper for asychronous handling instead. +# Place: varies depending on the daemon. +# +# log_file_daemon Place: the file name and path to be written. +# +# syslog To log each request via syslog facility. +# Place: The syslog facility and priority level for these entries. +# Place Format: facility.priority # -# To log the request via syslog specify a filepath of "syslog": +# where facility could be any of: +# authpriv, daemon, local0 ... local7 or user. # -# access_log syslog[:facility.priority] [format [acl1 [acl2 ....]]] -# where facility could be any of: -# authpriv, daemon, local0 .. local7 or user. +# And priority could be any of: +# err, warning, notice, info, debug. +# +# udp To send each log line as text data to a UDP receiver. +# Place: The destination host name or IP and port. +# Place Format: //host:port # -# And priority could be any of: -# err, warning, notice, info, debug. +# tcp To send each log line as text data to a TCP receiver. +# Lines may be accumulated before sending (see buffered_logs). +# Place: The destination host name or IP and port. +# Place Format: //host:port # # Default: -# access_log /var/log/squid/access.log squid +# access_log daemon:/var/log/squid/access.log squid #Default: -# access_log /var/log/squid/access.log squid +# access_log daemon:/var/log/squid/access.log squid # TAG: icap_log # ICAP log files record ICAP transaction summaries, one line per @@ -2472,13 +3953,35 @@ maximum_object_size 153600 KB # ICAP transaction log lines will correspond to a single access # log line. # -# ICAP log uses logformat codes that make sense for an ICAP -# transaction. Header-related codes are applied to the HTTP header -# embedded in an ICAP server response, with the following caveats: -# For REQMOD, there is no HTTP response header unless the ICAP -# server performed request satisfaction. For RESPMOD, the HTTP -# request header is the header sent to the ICAP server. For -# OPTIONS, there are no HTTP headers. +# ICAP log supports many access.log logformat %codes. In ICAP context, +# HTTP message-related %codes are applied to the HTTP message embedded +# in an ICAP message. Logformat "%http::>..." codes are used for HTTP +# messages embedded in ICAP requests while "%http::<..." codes are used +# for HTTP messages embedded in ICAP responses. For example: +# +# http::>h To-be-adapted HTTP message headers sent by Squid to +# the ICAP service. For REQMOD transactions, these are +# HTTP request headers. For RESPMOD, these are HTTP +# response headers, but Squid currently cannot log them +# (i.e., %http::>h will expand to "-" for RESPMOD). +# +# http::st Bytes sent to the ICAP server (TCP payload -# only; i.e., what Squid writes to the socket). +# icap::>st The total size of the ICAP request sent to the ICAP +# server (ICAP headers + ICAP body), including chunking +# metadata (if any). # -# icap::a %icap::to/%03icap::Hs %icap::A %icap::to/%03icap::Hs %icap::\n - logfile data +# R\n - rotate file +# T\n - truncate file +# O\n - reopen file +# F\n - flush file +# r\n - set rotate count to +# b\n - 1 = buffer output, 0 = don't buffer output +# +# No responses is expected. #Default: -# none +# logfile_daemon /usr/lib/squid/log_file_daemon -# TAG: log_icap -# This options allows you to control which requests get logged -# to icap.log. See the icap_log directive for ICAP log details. +# TAG: stats_collection allow|deny acl acl... +# This options allows you to control which requests gets accounted +# in performance counters. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow logging for all transactions. # TAG: cache_store_log # Logs the activities of the storage manager. Shows which # objects are ejected from the cache, and which objects are -# saved and for how long. To disable, enter "none" or remove the line. +# saved and for how long. # There are not really utilities to analyze this data, so you can safely -# disable it. -# +# disable it (the default). +# +# Store log uses modular logging outputs. See access_log for the list +# of modules supported. +# # Example: -# cache_store_log /var/log/squid/store.log +# cache_store_log stdio:/var/log/squid/store.log +# cache_store_log daemon:/var/log/squid/store.log #Default: # none @@ -2590,7 +4111,7 @@ maximum_object_size 153600 KB # them). We recommend you do NOT use this option. It is # better to keep these index files in each 'cache_dir' directory. #Default: -# none +# Store the journal inside its cache_dir # TAG: logfile_rotate # Specifies the number of logfile rotations to make when you @@ -2607,34 +4128,19 @@ maximum_object_size 153600 KB # in the habit of using 'squid -k rotate' instead of 'kill -USR1 # '. # -# Note, from Squid-3.1 this option has no effect on the cache.log, -# that log can be rotated separately by using debug_options +# Note, from Squid-3.1 this option is only a default for cache.log, +# that log can be rotated separately by using debug_options. # -# Note2, for Debian/Linux the default of logfile_rotate is -# zero, since it includes external logfile-rotation methods. +# Note2, for Debian/Linux the default of logfile_rotate is +# zero, since it includes external logfile-rotation methods. #Default: # logfile_rotate 0 -# TAG: emulate_httpd_log on|off -# The Cache can emulate the log file format which many 'httpd' -# programs use. To disable/enable this emulation, set -# emulate_httpd_log to 'off' or 'on'. The default -# is to use the native log format since it includes useful -# information Squid-specific log analyzers use. -#Default: -# emulate_httpd_log off - -# TAG: log_ip_on_direct on|off -# Log the destination IP address in the hierarchy log tag when going -# direct. Earlier Squid versions logged the hostname here. If you -# prefer the old way set this to off. -#Default: -# log_ip_on_direct on - # TAG: mime_table -# Pathname to Squid's MIME table. You shouldn't need to change -# this, but the default file contains examples and formatting -# information if you do. +# Path to Squid's icon configuration file. +# +# You shouldn't need to change this, but the default file contains +# examples and formatting information if you do. #Default: # mime_table /usr/share/squid/mime.conf @@ -2647,91 +4153,61 @@ maximum_object_size 153600 KB #Default: # log_mime_hdrs off -# TAG: useragent_log -# Note: This option is only available if Squid is rebuilt with the -# --enable-useragent-log option -# -# Squid will write the User-Agent field from HTTP requests -# to the filename specified here. By default useragent_log -# is disabled. -#Default: -# none - -# TAG: referer_log -# Note: This option is only available if Squid is rebuilt with the -# --enable-referer-log option -# -# Squid will write the Referer field from HTTP requests to the -# filename specified here. By default referer_log is disabled. -# Note that "referer" is actually a misspelling of "referrer" -# however the misspelt version has been accepted into the HTTP RFCs -# and we accept both. -#Default: -# none - # TAG: pid_filename # A filename to write the process-id to. To disable, enter "none". #Default: # pid_filename /var/run/squid.pid -# TAG: log_fqdn on|off -# Turn this on if you wish to log fully qualified domain names -# in the access.log. To do this Squid does a DNS lookup of all -# IP's connecting to it. This can (in some situations) increase -# latency, which makes your cache seem slower for interactive -# browsing. -#Default: -# log_fqdn off - # TAG: client_netmask # A netmask for client addresses in logfiles and cachemgr output. # Change this to protect the privacy of your cache clients. # A netmask of 255.255.255.0 will log all IP's in that range with # the last digit set to '0'. #Default: -# client_netmask no_addr - -# TAG: forward_log -# Note: This option is only available if Squid is rebuilt with the -# -DWIP_FWD_LOG define -# -# Logs the server-side requests. -# -# This is currently work in progress. -#Default: -# none +# Log full client IP address # TAG: strip_query_terms # By default, Squid strips query terms from requested URLs before -# logging. This protects your user's privacy. +# logging. This protects your user's privacy and reduces log size. +# +# When investigating HIT/MISS or other caching behaviour you +# will need to disable this to see the full URL used by Squid. #Default: # strip_query_terms on # TAG: buffered_logs on|off -# cache.log log file is written with stdio functions, and as such -# it can be buffered or unbuffered. By default it will be unbuffered. -# Buffering it can speed up the writing slightly (though you are -# unlikely to need to worry unless you run with tons of debugging -# enabled in which case performance will suffer badly anyway..). +# Whether to write/send access_log records ASAP or accumulate them and +# then write/send them in larger chunks. Buffering may improve +# performance because it decreases the number of I/Os. However, +# buffering increases the delay before log records become available to +# the final recipient (e.g., a disk file or logging daemon) and, +# hence, increases the risk of log records loss. +# +# Note that even when buffered_logs are off, Squid may have to buffer +# records if it cannot write/send them immediately due to pending I/Os +# (e.g., the I/O writing the previous log record) or connectivity loss. +# +# Currently honored by 'daemon' and 'tcp' access_log modules only. #Default: # buffered_logs off # TAG: netdb_filename -# Note: This option is only available if Squid is rebuilt with the -# --enable-icmp option +# Where Squid stores it's netdb journal. +# When enabled this journal preserves netdb state between restarts. # -# A filename where Squid stores it's netdb state between restarts. # To disable, enter "none". #Default: -# netdb_filename /var/log/squid/netdb.state +# netdb_filename stdio:/var/log/squid/netdb.state # OPTIONS FOR TROUBLESHOOTING # ----------------------------------------------------------------------------- # TAG: cache_log -# Cache logging file. This is where general information about -# your cache's behavior goes. You can increase the amount of data -# logged to this file and how often its rotated with "debug_options" +# Squid administrative logging file. +# +# This is where general information about Squid behavior goes. You can +# increase the amount of data logged to this file and how often it is +# rotated with "debug_options" #Default: # cache_log /var/log/squid/cache.log @@ -2742,14 +4218,14 @@ maximum_object_size 153600 KB # log file, so be careful. # # The magic word "ALL" sets debugging levels for all sections. -# We recommend normally running with "ALL,1". +# The default is to run with "ALL,1" to record important warnings. # # The rotate=N option can be used to keep more or less of these logs # than would otherwise be kept by logfile_rotate. # For most uses a single log should be enough to monitor current # events affecting Squid. #Default: -# debug_options ALL,1 +# Log all critical and important messages. # TAG: coredump_dir # By default Squid leaves core files in the directory from where @@ -2758,7 +4234,7 @@ maximum_object_size 153600 KB # and coredump files will be left there. # #Default: -# coredump_dir none +# Use the directory from where Squid was started. # # Leave coredumps in the first cache dir @@ -2769,24 +4245,17 @@ coredump_dir /var/spool/squid # TAG: ftp_user # If you want the anonymous login password to be more informative -# (and enable the use of picky ftp servers), set this to something +# (and enable the use of picky FTP servers), set this to something # reasonable for your domain, like wwwuser@somewhere.net # # The reason why this is domainless by default is the # request can be made on the behalf of a user in any domain, # depending on how the cache is used. -# Some ftp server also validate the email address is valid +# Some FTP server also validate the email address is valid # (for example perl.com). #Default: # ftp_user Squid@ -# TAG: ftp_list_width -# Sets the width of ftp listings. This should be set to fit in -# the width of a standard browser. Setting this too small -# can cut off long filenames when browsing ftp sites. -#Default: -# ftp_list_width 32 - # TAG: ftp_passive # If your firewall does not allow Squid to use passive # connections, turn off this option. @@ -2822,13 +4291,21 @@ coredump_dir /var/spool/squid # and therefore, translation of the data portion of the segments # will never be needed. # -# Turning this OFF will prevent EPSV being attempted. -# WARNING: Doing so will convert Squid back to the old behavior with all -# the related problems with external NAT devices/layers. +# EPSV is often required to interoperate with FTP servers on IPv6 +# networks. On the other hand, it may break some IPv4 servers. +# +# By default, EPSV may try EPSV with any FTP server. To fine tune +# that decision, you may restrict EPSV to certain clients or servers +# using ACLs: # +# ftp_epsv allow|deny al1 acl2 ... +# +# WARNING: Disabling EPSV may cause problems with external NAT and IPv6. +# +# Only fast ACLs are supported. # Requires ftp_passive to be ON (default) for any effect. #Default: -# ftp_epsv on +# none # TAG: ftp_eprt # FTP Protocol extensions permit the use of a special "EPRT" command. @@ -2889,22 +4366,16 @@ coredump_dir /var/spool/squid # unlinkd_program /usr/lib/squid/unlinkd # TAG: pinger_program -# Note: This option is only available if Squid is rebuilt with the -# --enable-icmp option -# # Specify the location of the executable for the pinger process. #Default: # pinger_program /usr/lib/squid/pinger # TAG: pinger_enable -# Note: This option is only available if Squid is rebuilt with the -# --enable-icmp option -# # Control whether the pinger is active at run-time. # Enables turning ICMP pinger on and off with a simple # squid -k reconfigure. #Default: -# pinger_enable off +# pinger_enable on # OPTIONS FOR URL REWRITING # ----------------------------------------------------------------------------- @@ -2915,68 +4386,137 @@ coredump_dir /var/spool/squid # # For each requested URL, the rewriter will receive on line with the format # -# URL client_ip "/" fqdn user method [ kvpairs] +# [channel-ID ] URL [ extras] +# +# See url_rewrite_extras on how to send "extras" with optional values to +# the helper. +# After processing the request the helper must reply using the following format: +# +# [channel-ID ] result [ kv-pairs] +# +# The result code can be: +# +# OK status=30N url="..." +# Redirect the URL to the one supplied in 'url='. +# 'status=' is optional and contains the status code to send +# the client in Squids HTTP response. It must be one of the +# HTTP redirect status codes: 301, 302, 303, 307, 308. +# When no status is given Squid will use 302. +# +# OK rewrite-url="..." +# Rewrite the URL to the one supplied in 'rewrite-url='. +# The new URL is fetched directly by Squid and returned to +# the client as the response to its request. # -# In the future, the rewriter interface will be extended with -# key=value pairs ("kvpairs" shown above). Rewriter programs -# should be prepared to receive and possibly ignore additional -# whitespace-separated tokens on each input line. +# OK +# When neither of url= and rewrite-url= are sent Squid does +# not change the URL. # -# And the rewriter may return a rewritten URL. The other components of -# the request line does not need to be returned (ignored if they are). +# ERR +# Do not change the URL. # -# The rewriter can also indicate that a client-side redirect should -# be performed to the new URL. This is done by prefixing the returned -# URL with "301:" (moved permanently) or 302: (moved temporarily), etc. +# BH +# An internal error occurred in the helper, preventing +# a result being identified. The 'message=' key name is +# reserved for delivering a log message. +# +# +# In addition to the above kv-pairs Squid also understands the following +# optional kv-pairs received from URL rewriters: +# clt_conn_tag=TAG +# Associates a TAG with the client TCP connection. +# The TAG is treated as a regular annotation but persists across +# future requests on the client connection rather than just the +# current request. A helper may update the TAG during subsequent +# requests be returning a new kv-pair. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# WARNING: URL re-writing ability should be avoided whenever possible. +# Use the URL redirect form of response instead. +# +# Re-write creates a difference in the state held by the client +# and server. Possibly causing confusion when the server response +# contains snippets of its view state. Embeded URLs, response +# and content Location headers, etc. are not re-written by this +# interface. # # By default, a URL rewriter is not used. #Default: # none # TAG: url_rewrite_children -# The number of redirector processes to spawn. If you start -# too few Squid will have to wait for them to process a backlog of -# URLs, slowing it down. If you start too many they will use RAM -# and other system resources. -#Default: -# url_rewrite_children 5 - -# TAG: url_rewrite_concurrency +# The maximum number of redirector processes to spawn. If you limit +# it too few Squid will have to wait for them to process a backlog of +# URLs, slowing it down. If you allow too many they will use RAM +# and other system resources noticably. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup= +# +# Sets a minimum of how many processes are to be spawned when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few will cause an initial slowdown in traffic as Squid +# attempts to simultaneously spawn enough processes to cope. +# +# idle= +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# # The number of requests each redirector helper can handle in # parallel. Defaults to 0 which indicates the redirector # is a old-style single threaded redirector. # # When this directive is set to a value >= 1 then the protocol # used to communicate with the helper is modified to include -# a request ID in front of the request/response. The request -# ID from the request must be echoed back with the response -# to that request. +# an ID in front of the request/response. The ID from the request +# must be echoed back with the response to that request. #Default: -# url_rewrite_concurrency 0 +# url_rewrite_children 20 startup=0 idle=1 concurrency=0 # TAG: url_rewrite_host_header -# By default Squid rewrites any Host: header in redirected -# requests. If you are running an accelerator this may -# not be a wanted effect of a redirector. -# +# To preserve same-origin security policies in browsers and +# prevent Host: header forgery by redirectors Squid rewrites +# any Host: header in redirected requests. +# +# If you are running an accelerator this may not be a wanted +# effect of a redirector. This directive enables you disable +# Host: alteration in reverse-proxy traffic. +# # WARNING: Entries are cached on the result of the URL rewriting # process, so be careful if you have domain-virtual hosts. +# +# WARNING: Squid and other software verifies the URL and Host +# are matching, so be careful not to relay through other proxies +# or inspecting firewalls with this disabled. #Default: # url_rewrite_host_header on # TAG: url_rewrite_access # If defined, this access list specifies which requests are -# sent to the redirector processes. By default all requests -# are sent. +# sent to the redirector processes. # # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: url_rewrite_bypass # When this is 'on', a request will not go through the -# redirector if all redirectors are busy. If this is 'off' +# redirector if all the helpers are busy. If this is 'off' # and the redirector queue grows too large, Squid will exit # with a FATAL error and ask you to increase the number of # redirectors. You should only enable this if the redirectors @@ -2987,23 +4527,231 @@ coredump_dir /var/spool/squid #Default: # url_rewrite_bypass off -# OPTIONS FOR TUNING THE CACHE +# TAG: url_rewrite_extras +# Specifies a string to be append to request line format for the +# rewriter helper. "Quoted" format values may contain spaces and +# logformat %macros. In theory, any logformat %macro can be used. +# In practice, a %macro expands as a dash (-) if the helper request is +# sent before the required macro information is available to Squid. +#Default: +# url_rewrite_extras "%>a/%>A %un %>rm myip=%la myport=%lp" + +# OPTIONS FOR STORE ID # ----------------------------------------------------------------------------- -# TAG: cache -# A list of ACL elements which, if matched and denied, cause the request to -# not be satisfied from the cache and the reply to not be cached. -# In other words, use this to force certain objects to never be cached. +# TAG: store_id_program +# Specify the location of the executable StoreID helper to use. +# Since they can perform almost any function there isn't one included. # -# You must use the words 'allow' or 'deny' to indicate whether items -# matching the ACL should be allowed or denied into the cache. +# For each requested URL, the helper will receive one line with the format # -# Default is to allow all to be cached. +# [channel-ID ] URL [ extras] +# +# +# After processing the request the helper must reply using the following format: +# +# [channel-ID ] result [ kv-pairs] +# +# The result code can be: +# +# OK store-id="..." +# Use the StoreID supplied in 'store-id='. +# +# ERR +# The default is to use HTTP request URL as the store ID. +# +# BH +# An internal error occured in the helper, preventing +# a result being identified. +# +# In addition to the above kv-pairs Squid also understands the following +# optional kv-pairs received from URL rewriters: +# clt_conn_tag=TAG +# Associates a TAG with the client TCP connection. +# Please see url_rewrite_program related documentation for this +# kv-pair +# +# Helper programs should be prepared to receive and possibly ignore +# additional whitespace-separated tokens on each input line. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# NOTE: when using StoreID refresh_pattern will apply to the StoreID +# returned from the helper and not the URL. +# +# WARNING: Wrong StoreID value returned by a careless helper may result +# in the wrong cached response returned to the user. +# +# By default, a StoreID helper is not used. +#Default: +# none + +# TAG: store_id_extras +# Specifies a string to be append to request line format for the +# StoreId helper. "Quoted" format values may contain spaces and +# logformat %macros. In theory, any logformat %macro can be used. +# In practice, a %macro expands as a dash (-) if the helper request is +# sent before the required macro information is available to Squid. +#Default: +# store_id_extras "%>a/%>A %un %>rm myip=%la myport=%lp" + +# TAG: store_id_children +# The maximum number of StoreID helper processes to spawn. If you limit +# it too few Squid will have to wait for them to process a backlog of +# requests, slowing it down. If you allow too many they will use RAM +# and other system resources noticably. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup= +# +# Sets a minimum of how many processes are to be spawned when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few will cause an initial slowdown in traffic as Squid +# attempts to simultaneously spawn enough processes to cope. +# +# idle= +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# +# The number of requests each storeID helper can handle in +# parallel. Defaults to 0 which indicates the helper +# is a old-style single threaded program. +# +# When this directive is set to a value >= 1 then the protocol +# used to communicate with the helper is modified to include +# an ID in front of the request/response. The ID from the request +# must be echoed back with the response to that request. +#Default: +# store_id_children 20 startup=0 idle=1 concurrency=0 + +# TAG: store_id_access +# If defined, this access list specifies which requests are +# sent to the StoreID processes. By default all requests +# are sent. # # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow, unless rules exist in squid.conf. + +# TAG: store_id_bypass +# When this is 'on', a request will not go through the +# helper if all helpers are busy. If this is 'off' +# and the helper queue grows too large, Squid will exit +# with a FATAL error and ask you to increase the number of +# helpers. You should only enable this if the helperss +# are not critical to your caching system. If you use +# helpers for critical caching components, and you enable this +# option, users may not get objects from cache. +#Default: +# store_id_bypass on + +# OPTIONS FOR TUNING THE CACHE +# ----------------------------------------------------------------------------- + +# TAG: cache +# Requests denied by this directive will not be served from the cache +# and their responses will not be stored in the cache. This directive +# has no effect on other transactions and on already cached responses. +# +# This clause supports both fast and slow acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# This and the two other similar caching directives listed below are +# checked at different transaction processing stages, have different +# access to response information, affect different cache operations, +# and differ in slow ACLs support: +# +# * cache: Checked before Squid makes a hit/miss determination. +# No access to reply information! +# Denies both serving a hit and storing a miss. +# Supports both fast and slow ACLs. +# * send_hit: Checked after a hit was detected. +# Has access to reply (hit) information. +# Denies serving a hit only. +# Supports fast ACLs only. +# * store_miss: Checked before storing a cachable miss. +# Has access to reply (miss) information. +# Denies storing a miss only. +# Supports fast ACLs only. +# +# If you are not sure which of the three directives to use, apply the +# following decision logic: +# +# * If your ACL(s) are of slow type _and_ need response info, redesign. +# Squid does not support that particular combination at this time. +# Otherwise: +# * If your directive ACL(s) are of slow type, use "cache"; and/or +# * if your directive ACL(s) need no response info, use "cache". +# Otherwise: +# * If you do not want the response cached, use store_miss; and/or +# * if you do not want a hit on a cached response, use send_hit. +#Default: +# By default, this directive is unused and has no effect. + +# TAG: send_hit +# Responses denied by this directive will not be served from the cache +# (but may still be cached, see store_miss). This directive has no +# effect on the responses it allows and on the cached objects. +# +# Please see the "cache" directive for a summary of differences among +# store_miss, send_hit, and cache directives. +# +# Unlike the "cache" directive, send_hit only supports fast acl +# types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# For example: +# +# # apply custom Store ID mapping to some URLs +# acl MapMe dstdomain .c.example.com +# store_id_program ... +# store_id_access allow MapMe +# +# # but prevent caching of special responses +# # such as 302 redirects that cause StoreID loops +# acl Ordinary http_status 200-299 +# store_miss deny MapMe !Ordinary +# +# # and do not serve any previously stored special responses +# # from the cache (in case they were already cached before +# # the above store_miss rule was in effect). +# send_hit deny MapMe !Ordinary +#Default: +# By default, this directive is unused and has no effect. + +# TAG: store_miss +# Responses denied by this directive will not be cached (but may still +# be served from the cache, see send_hit). This directive has no +# effect on the responses it allows and on the already cached responses. +# +# Please see the "cache" directive for a summary of differences among +# store_miss, send_hit, and cache directives. See the +# send_hit directive for a usage example. +# +# Unlike the "cache" directive, store_miss only supports fast acl +# types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# By default, this directive is unused and has no effect. + +# TAG: max_stale time-units +# This option puts an upper limit on how stale content Squid +# will serve from the cache if cache validation fails. +# Can be overriden by the refresh_pattern max-stale option. +#Default: +# max_stale 1 week # TAG: refresh_pattern # usage: refresh_pattern [-i] regex min percent max [options] @@ -3028,12 +4776,13 @@ coredump_dir /var/spool/squid # override-lastmod # reload-into-ims # ignore-reload -# ignore-no-cache # ignore-no-store # ignore-must-revalidate # ignore-private # ignore-auth +# max-stale=NN # refresh-ims +# store-stale # # override-expire enforces min age even if the server # sent an explicit expiry time (e.g., with the @@ -3049,22 +4798,18 @@ coredump_dir /var/spool/squid # override-lastmod enforces min age even on objects # that were modified recently. # -# reload-into-ims changes client no-cache or ``reload'' -# to If-Modified-Since requests. Doing this VIOLATES the -# HTTP standard. Enabling this feature could make you -# liable for problems which it causes. +# reload-into-ims changes a client no-cache or ``reload'' +# request for a cached entry into a conditional request using +# If-Modified-Since and/or If-None-Match headers, provided the +# cached entry has a Last-Modified and/or a strong ETag header. +# Doing this VIOLATES the HTTP standard. Enabling this feature +# could make you liable for problems which it causes. # # ignore-reload ignores a client no-cache or ``reload'' # header. Doing this VIOLATES the HTTP standard. Enabling # this feature could make you liable for problems which # it causes. # -# ignore-no-cache ignores any ``Pragma: no-cache'' and -# ``Cache-control: no-cache'' headers received from a server. -# The HTTP RFC never allows the use of this (Pragma) header -# from a server, only a client, though plenty of servers -# send it anyway. -# # ignore-no-store ignores any ``Cache-control: no-store'' # headers received from a server. Doing this VIOLATES # the HTTP standard. Enabling this feature could make you @@ -3091,9 +4836,19 @@ coredump_dir /var/spool/squid # ensures that the client will receive an updated version # if one is available. # +# store-stale stores responses even if they don't have explicit +# freshness or a validator (i.e., Last-Modified or an ETag) +# present, or if they're already stale. By default, Squid will +# not cache such responses because they usually can't be +# reused. Note that such responses will be stale by default. +# +# max-stale=NN provide a maximum staleness factor. Squid won't +# serve objects more stale than this even if it failed to +# validate the object. Default: use the max_stale global limit. +# # Basically a cached object is: # -# FRESH if expires < now, else STALE +# FRESH if expire > now, else STALE # STALE if age > max # FRESH if lm-factor < percent, else STALE # FRESH if age < min @@ -3109,7 +4864,9 @@ coredump_dir /var/spool/squid # # +# # Add any of your own refresh_pattern entries above these. +# refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 @@ -3137,7 +4894,7 @@ refresh_pattern . 0 20% 4320 # downloads. # # When the user aborts a request, Squid will check the -# quick_abort values to the amount of data transfered until +# quick_abort values to the amount of data transferred until # then. # # If the transfer has less than 'quick_abort_min' KB remaining, @@ -3195,44 +4952,68 @@ refresh_pattern . 0 20% 4320 #Default: # negative_dns_ttl 1 minutes -# TAG: range_offset_limit (bytes) -# Sets a upper limit on how far into the the file a Range request -# may be to cause Squid to prefetch the whole file. If beyond this -# limit Squid forwards the Range request as it is and the result -# is NOT cached. -# +# TAG: range_offset_limit size [acl acl...] +# usage: (size) [units] [[!]aclname] +# +# Sets an upper limit on how far (number of bytes) into the file +# a Range request may be to cause Squid to prefetch the whole file. +# If beyond this limit, Squid forwards the Range request as it is and +# the result is NOT cached. +# # This is to stop a far ahead range request (lets say start at 17MB) # from making Squid fetch the whole object up to that point before # sending anything to the client. -# -# A value of 0 causes Squid to never fetch more than the +# +# Multiple range_offset_limit lines may be specified, and they will +# be searched from top to bottom on each request until a match is found. +# The first match found will be used. If no line matches a request, the +# default limit of 0 bytes will be used. +# +# 'size' is the limit specified as a number of units. +# +# 'units' specifies whether to use bytes, KB, MB, etc. +# If no units are specified bytes are assumed. +# +# A size of 0 causes Squid to never fetch more than the # client requested. (default) -# -# A value of -1 causes Squid to always fetch the object from the +# +# A size of 'none' causes Squid to always fetch the object from the # beginning so it may cache the result. (2.0 style) -# -# NP: Using -1 here will override any quick_abort settings that may -# otherwise apply to the range request. The range request will +# +# 'aclname' is the name of a defined ACL. +# +# NP: Using 'none' as the byte value here will override any quick_abort settings +# that may otherwise apply to the range request. The range request will # be fully fetched from start to finish regardless of the client # actions. This affects bandwidth usage. #Default: -# range_offset_limit 0 KB +# none # TAG: minimum_expiry_time (seconds) # The minimum caching time according to (Expires - Date) -# Headers Squid honors if the object can't be revalidated -# defaults to 60 seconds. In reverse proxy environments it -# might be desirable to honor shorter object lifetimes. It -# is most likely better to make your server return a -# meaningful Last-Modified header however. In ESI environments -# where page fragments often have short lifetimes, this will -# often be best set to 0. +# headers Squid honors if the object can't be revalidated. +# The default is 60 seconds. +# +# In reverse proxy environments it might be desirable to honor +# shorter object lifetimes. It is most likely better to make +# your server return a meaningful Last-Modified header however. +# +# In ESI environments where page fragments often have short +# lifetimes, this will often be best set to 0. #Default: # minimum_expiry_time 60 seconds -# TAG: store_avg_object_size (kbytes) +# TAG: store_avg_object_size (bytes) # Average object size, used to estimate number of objects your # cache can hold. The default is 13 KB. +# +# This is used to pre-seed the cache index memory allocation to +# reduce expensive reallocate operations while handling clients +# traffic. Too-large values may result in memory allocation during +# peak traffic, too-small values will result in wasted memory. +# +# Check the cache manager 'info' report metrics for the real +# object sizes seen by your Squid before tuning this. #Default: # store_avg_object_size 13 KB @@ -3271,8 +5052,11 @@ refresh_pattern . 0 20% 4320 # than this limit receives an "Invalid Request" error message. # If you set this parameter to a zero (the default), there will # be no limit imposed. +# +# See also client_request_buffer_max_size for an alternative +# limitation on client uploads which can be configured. #Default: -# request_body_max_size 0 KB +# No limit. # TAG: client_request_buffer_max_size (bytes) # This specifies the maximum buffer size of a client request. @@ -3281,29 +5065,6 @@ refresh_pattern . 0 20% 4320 #Default: # client_request_buffer_max_size 512 KB -# TAG: chunked_request_body_max_size (bytes) -# A broken or confused HTTP/1.1 client may send a chunked HTTP -# request to Squid. Squid does not have full support for that -# feature yet. To cope with such requests, Squid buffers the -# entire request and then dechunks request body to create a -# plain HTTP/1.0 request with a known content length. The plain -# request is then used by the rest of Squid code as usual. -# -# The option value specifies the maximum size of the buffer used -# to hold the request before the conversion. If the chunked -# request size exceeds the specified limit, the conversion -# fails, and the client receives an "unsupported request" error, -# as if dechunking was disabled. -# -# Dechunking is enabled by default. To disable conversion of -# chunked requests, set the maximum to zero. -# -# Request dechunking feature and this option in particular are a -# temporary hack. When chunking requests and responses are fully -# supported, there will be no need to buffer a chunked request. -#Default: -# chunked_request_body_max_size 64 KB - # TAG: broken_posts # A list of ACL elements which, if matched, causes Squid to send # an extra CRLF pair after the body of a PUT/POST request. @@ -3325,15 +5086,15 @@ refresh_pattern . 0 20% 4320 # acl buggy_server url_regex ^http://.... # broken_posts allow buggy_server #Default: -# none +# Obey RFC 2616. -# TAG: icap_uses_indirect_client on|off +# TAG: adaptation_uses_indirect_client on|off # Controls whether the indirect client IP address (instead of the direct # client IP address) is passed to adaptation services. # # See also: follow_x_forwarded_for adaptation_send_client_ip #Default: -# icap_uses_indirect_client on +# adaptation_uses_indirect_client on # TAG: via on|off # If set (default), Squid will include a Via header in requests and @@ -3395,64 +5156,62 @@ refresh_pattern . 0 20% 4320 # # This option replaces the old 'anonymize_headers' and the # older 'http_anonymizer' option with something that is much -# more configurable. This new method creates a list of ACLs -# for each header, allowing you very fine-tuned header -# mangling. -# -# This option only applies to request headers, i.e., from the -# client to the server. -# -# You can only specify known headers for the header name. -# Other headers are reclassified as 'Other'. You can also -# refer to all the headers with 'All'. +# more configurable. A list of ACLs for each header name allows +# removal of specific header fields under specific conditions. +# +# This option only applies to outgoing HTTP request headers (i.e., +# headers sent by Squid to the next HTTP hop such as a cache peer +# or an origin server). The option has no effect during cache hit +# detection. The equivalent adaptation vectoring point in ICAP +# terminology is post-cache REQMOD. +# +# The option is applied to individual outgoing request header +# fields. For each request header field F, Squid uses the first +# qualifying sets of request_header_access rules: +# +# 1. Rules with header_name equal to F's name. +# 2. Rules with header_name 'Other', provided F's name is not +# on the hard-coded list of commonly used HTTP header names. +# 3. Rules with header_name 'All'. +# +# Within that qualifying rule set, rule ACLs are checked as usual. +# If ACLs of an "allow" rule match, the header field is allowed to +# go through as is. If ACLs of a "deny" rule match, the header is +# removed and request_header_replace is then checked to identify +# if the removed header has a replacement. If no rules within the +# set have matching ACLs, the header field is left as is. # # For example, to achieve the same behavior as the old # 'http_anonymizer standard' option, you should use: # # request_header_access From deny all # request_header_access Referer deny all -# request_header_access Server deny all # request_header_access User-Agent deny all -# request_header_access WWW-Authenticate deny all -# request_header_access Link deny all # # Or, to reproduce the old 'http_anonymizer paranoid' feature # you should use: # -# request_header_access Allow allow all # request_header_access Authorization allow all -# request_header_access WWW-Authenticate allow all # request_header_access Proxy-Authorization allow all -# request_header_access Proxy-Authenticate allow all # request_header_access Cache-Control allow all -# request_header_access Content-Encoding allow all # request_header_access Content-Length allow all # request_header_access Content-Type allow all # request_header_access Date allow all -# request_header_access Expires allow all # request_header_access Host allow all # request_header_access If-Modified-Since allow all -# request_header_access Last-Modified allow all -# request_header_access Location allow all # request_header_access Pragma allow all # request_header_access Accept allow all # request_header_access Accept-Charset allow all # request_header_access Accept-Encoding allow all # request_header_access Accept-Language allow all -# request_header_access Content-Language allow all -# request_header_access Mime-Version allow all -# request_header_access Retry-After allow all -# request_header_access Title allow all # request_header_access Connection allow all # request_header_access All deny all # -# although many of those are HTTP reply headers, and so should be -# controlled with the reply_header_access directive. +# HTTP reply headers are controlled with the reply_header_access directive. # -# By default, all headers are allowed (no anonymizing is -# performed). +# By default, all headers are allowed (no anonymizing is performed). #Default: -# none +# No limits. # TAG: reply_header_access # Usage: reply_header_access header_name allow|deny [!]aclname ... @@ -3465,25 +5224,13 @@ refresh_pattern . 0 20% 4320 # server to the client. # # This is the same as request_header_access, but in the other -# direction. -# -# This option replaces the old 'anonymize_headers' and the -# older 'http_anonymizer' option with something that is much -# more configurable. This new method creates a list of ACLs -# for each header, allowing you very fine-tuned header -# mangling. -# -# You can only specify known headers for the header name. -# Other headers are reclassified as 'Other'. You can also -# refer to all the headers with 'All'. +# direction. Please see request_header_access for detailed +# documentation. # # For example, to achieve the same behavior as the old # 'http_anonymizer standard' option, you should use: # -# reply_header_access From deny all -# reply_header_access Referer deny all # reply_header_access Server deny all -# reply_header_access User-Agent deny all # reply_header_access WWW-Authenticate deny all # reply_header_access Link deny all # @@ -3491,9 +5238,7 @@ refresh_pattern . 0 20% 4320 # you should use: # # reply_header_access Allow allow all -# reply_header_access Authorization allow all # reply_header_access WWW-Authenticate allow all -# reply_header_access Proxy-Authorization allow all # reply_header_access Proxy-Authenticate allow all # reply_header_access Cache-Control allow all # reply_header_access Content-Encoding allow all @@ -3501,29 +5246,22 @@ refresh_pattern . 0 20% 4320 # reply_header_access Content-Type allow all # reply_header_access Date allow all # reply_header_access Expires allow all -# reply_header_access Host allow all -# reply_header_access If-Modified-Since allow all # reply_header_access Last-Modified allow all # reply_header_access Location allow all # reply_header_access Pragma allow all -# reply_header_access Accept allow all -# reply_header_access Accept-Charset allow all -# reply_header_access Accept-Encoding allow all -# reply_header_access Accept-Language allow all # reply_header_access Content-Language allow all -# reply_header_access Mime-Version allow all # reply_header_access Retry-After allow all # reply_header_access Title allow all +# reply_header_access Content-Disposition allow all # reply_header_access Connection allow all # reply_header_access All deny all # -# although the HTTP request headers won't be usefully controlled -# by this directive -- see request_header_access for details. +# HTTP request headers are controlled with the request_header_access directive. # # By default, all headers are allowed (no anonymizing is # performed). #Default: -# none +# No limits. # TAG: request_header_replace # Usage: request_header_replace header_name message @@ -3531,8 +5269,7 @@ refresh_pattern . 0 20% 4320 # # This option allows you to change the contents of headers # denied with request_header_access above, by replacing them -# with some fixed string. This replaces the old fake_user_agent -# option. +# with some fixed string. # # This only applies to request headers, not reply headers. # @@ -3554,6 +5291,57 @@ refresh_pattern . 0 20% 4320 #Default: # none +# TAG: request_header_add +# Usage: request_header_add field-name field-value acl1 [acl2] ... +# Example: request_header_add X-Client-CA "CA=%ssl::>cert_issuer" all +# +# This option adds header fields to outgoing HTTP requests (i.e., +# request headers sent by Squid to the next HTTP hop such as a +# cache peer or an origin server). The option has no effect during +# cache hit detection. The equivalent adaptation vectoring point +# in ICAP terminology is post-cache REQMOD. +# +# Field-name is a token specifying an HTTP header name. If a +# standard HTTP header name is used, Squid does not check whether +# the new header conflicts with any existing headers or violates +# HTTP rules. If the request to be modified already contains a +# field with the same name, the old field is preserved but the +# header field values are not merged. +# +# Field-value is either a token or a quoted string. If quoted +# string format is used, then the surrounding quotes are removed +# while escape sequences and %macros are processed. +# +# In theory, all of the logformat codes can be used as %macros. +# However, unlike logging (which happens at the very end of +# transaction lifetime), the transaction may not yet have enough +# information to expand a macro when the new header value is needed. +# And some information may already be available to Squid but not yet +# committed where the macro expansion code can access it (report +# such instances!). The macro will be expanded into a single dash +# ('-') in such cases. Not all macros have been tested. +# +# One or more Squid ACLs may be specified to restrict header +# injection to matching requests. As always in squid.conf, all +# ACLs in an option ACL list must be satisfied for the insertion +# to happen. The request_header_add option supports fast ACLs +# only. +#Default: +# none + +# TAG: note +# This option used to log custom information about the master +# transaction. For example, an admin may configure Squid to log +# which "user group" the transaction belongs to, where "user group" +# will be determined based on a set of ACLs and not [just] +# authentication information. +# Values of key/value pairs can be logged using %{key}note macros: +# +# note key value acl ... +# logformat myFormat ... %{key}note ... +#Default: +# none + # TAG: relaxed_header_parser on|off|warn # In the default "on" setting Squid accepts certain forms # of non-compliant HTTP messages where it is unambiguous @@ -3569,15 +5357,32 @@ refresh_pattern . 0 20% 4320 #Default: # relaxed_header_parser on -# TAG: ignore_expect_100 on|off -# This option makes Squid ignore any Expect: 100-continue header present -# in the request. RFC 2616 requires that Squid being unable to satisfy -# the response expectation MUST return a 417 error. -# -# Note: Enabling this is a HTTP protocol violation, but some clients may -# not handle it well.. -#Default: -# ignore_expect_100 off +# TAG: collapsed_forwarding (on|off) +# When enabled, instead of forwarding each concurrent request for +# the same URL, Squid just sends the first of them. The other, so +# called "collapsed" requests, wait for the response to the first +# request and, if it happens to be cachable, use that response. +# Here, "concurrent requests" means "received after the first +# request headers were parsed and before the corresponding response +# headers were parsed". +# +# This feature is disabled by default: enabling collapsed +# forwarding needlessly delays forwarding requests that look +# cachable (when they are collapsed) but then need to be forwarded +# individually anyway because they end up being for uncachable +# content. However, in some cases, such as acceleration of highly +# cachable content with periodic or grouped expiration times, the +# gains from collapsing [large volumes of simultaneous refresh +# requests] outweigh losses from such delays. +# +# Squid collapses two kinds of requests: regular client requests +# received on one of the listening ports and internal "cache +# revalidation" requests which are triggered by those regular +# requests hitting a stale cached object. Revalidation collapsing +# is currently disabled for Squid instances containing SMP-aware +# disk or memory caches and for Vary-controlled cached objects. +#Default: +# collapsed_forwarding off # TIMEOUTS # ----------------------------------------------------------------------------- @@ -3604,25 +5409,46 @@ refresh_pattern . 0 20% 4320 # peer_connect_timeout 30 seconds # TAG: read_timeout time-units -# The read_timeout is applied on server-side connections. After -# each successful read(), the timeout will be extended by this +# Applied on peer server connections. +# +# After each successful read(), the timeout will be extended by this # amount. If no data is read again after this amount of time, -# the request is aborted and logged with ERR_READ_TIMEOUT. The -# default is 15 minutes. +# the request is aborted and logged with ERR_READ_TIMEOUT. +# +# The default is 15 minutes. #Default: # read_timeout 15 minutes +# TAG: write_timeout time-units +# This timeout is tracked for all connections that have data +# available for writing and are waiting for the socket to become +# ready. After each successful write, the timeout is extended by +# the configured amount. If Squid has data to write but the +# connection is not ready for the configured duration, the +# transaction associated with the connection is terminated. The +# default is 15 minutes. +#Default: +# write_timeout 15 minutes + # TAG: request_timeout # How long to wait for complete HTTP request headers after initial # connection establishment. #Default: # request_timeout 5 minutes -# TAG: persistent_request_timeout +# TAG: client_idle_pconn_timeout # How long to wait for the next HTTP request on a persistent -# connection after the previous request completes. +# client connection after the previous request completes. +#Default: +# client_idle_pconn_timeout 2 minutes + +# TAG: ftp_client_idle_timeout +# How long to wait for an FTP request on a connection to Squid ftp_port. +# Many FTP clients do not deal with idle connection closures well, +# necessitating a longer default timeout than client_idle_pconn_timeout +# used for incoming HTTP requests. #Default: -# persistent_request_timeout 2 minutes +# ftp_client_idle_timeout 30 minutes # TAG: client_lifetime time-units # The maximum amount of time a client (browser) is allowed to @@ -3658,11 +5484,11 @@ refresh_pattern . 0 20% 4320 #Default: # half_closed_clients off -# TAG: pconn_timeout +# TAG: server_idle_pconn_timeout # Timeout for idle persistent connections to servers and other # proxies. #Default: -# pconn_timeout 1 minute +# server_idle_pconn_timeout 1 minute # TAG: ident_timeout # Maximum time to wait for IDENT lookups to complete. @@ -3687,15 +5513,15 @@ refresh_pattern . 0 20% 4320 # TAG: cache_mgr # Email-address of local cache manager who will receive -# mail if the cache dies. The default is "webmaster." +# mail if the cache dies. The default is "webmaster". #Default: # cache_mgr webmaster # TAG: mail_from # From: email-address for mail sent when the cache dies. -# The default is to use 'appname@unique_hostname'. -# Default appname value is "squid", can be changed into -# src/globals.h before building squid. +# The default is to use 'squid@unique_hostname'. +# +# See also: unique_hostname directive. #Default: # none @@ -3734,7 +5560,7 @@ refresh_pattern . 0 20% 4320 # Our preference is for administrators to configure a secure # user account for squid with UID/GID matching system policies. #Default: -# none +# Use system group memberships of the cache_effective_user account # TAG: httpd_suppress_version_string on|off # Suppress Squid version string info in HTTP headers and HTML error pages. @@ -3748,14 +5574,14 @@ refresh_pattern . 0 20% 4320 # get errors about IP-forwarding you must set them to have individual # names with this setting. #Default: -# visible_hostname localhost +# Automatically detect the system host name # TAG: unique_hostname # If you want to have multiple machines with the same # 'visible_hostname' you must give each machine a different # 'unique_hostname' so forwarding loops can be detected. #Default: -# none +# Copy the value from visible_hostname # TAG: hostname_aliases # A list of other DNS names your cache has. @@ -3794,33 +5620,32 @@ refresh_pattern . 0 20% 4320 # available on the Web at http://www.ircache.net/Cache/Tracker/. # TAG: announce_period -# This is how frequently to send cache announcements. The -# default is `0' which disables sending the announcement -# messages. +# This is how frequently to send cache announcements. # # To enable announcing your cache, just set an announce period. # # Example: # announce_period 1 day #Default: -# announce_period 0 +# Announcement messages disabled. # TAG: announce_host +# Set the hostname where announce registration messages will be sent. +# +# See also announce_port and announce_file #Default: # announce_host tracker.ircache.net # TAG: announce_file +# The contents of this file will be included in the announce +# registration messages. #Default: # none # TAG: announce_port -# announce_host and announce_port set the hostname and port -# number where the registration message will be sent. +# Set the port where announce registration messages will be sent. # -# Hostname will default to 'tracker.ircache.net' and port will -# default default to 3131. If the 'filename' argument is given, -# the contents of that file will be included in the announce -# message. +# See also announce_host and announce_file #Default: # announce_port 3131 @@ -3833,10 +5658,12 @@ refresh_pattern . 0 20% 4320 # a farm of surrogates may all perform the same tasks, they may share # an identification token. #Default: -# httpd_accel_surrogate_id unset-id +# visible_hostname is used if no specific ID is set. # TAG: http_accel_surrogate_remote on|off -# Remote surrogates (such as those in a CDN) honour Surrogate-Control: no-store-remote. +# Remote surrogates (such as those in a CDN) honour the header +# "Surrogate-Control: no-store-remote". +# # Set this to on to have squid behave as a remote surrogate. #Default: # http_accel_surrogate_remote off @@ -3855,6 +5682,9 @@ refresh_pattern . 0 20% 4320 # This represents the number of delay pools to be used. For example, # if you have one class 2 delay pool and one class 3 delays pool, you # have a total of 2 delay pools. +# +# See also delay_parameters, delay_class, delay_access for pool +# configuration details. #Default: # delay_pools 0 @@ -3907,6 +5737,11 @@ refresh_pattern . 0 20% 4320 # # NOTE-2: Due to the use of bitmasks in class 2,3,4 pools they only apply to # IPv4 traffic. Class 1 and 5 pools may be used with IPv6 traffic. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# See also delay_parameters and delay_access. #Default: # none @@ -3921,14 +5756,16 @@ refresh_pattern . 0 20% 4320 # For example, if you want some_big_clients in delay # pool 1 and lotsa_little_clients in delay pool 2: # -#Example: -# delay_access 1 allow some_big_clients -# delay_access 1 deny all -# delay_access 2 allow lotsa_little_clients -# delay_access 2 deny all -# delay_access 3 allow authenticated_clients +# delay_access 1 allow some_big_clients +# delay_access 1 deny all +# delay_access 2 allow lotsa_little_clients +# delay_access 2 deny all +# delay_access 3 allow authenticated_clients +# +# See also delay_parameters and delay_class. +# #Default: -# none +# Deny using the pool, unless allow rules exist in squid.conf for the pool. # TAG: delay_parameters # This defines the parameters for a delay pool. Each delay pool has @@ -3936,23 +5773,23 @@ refresh_pattern . 0 20% 4320 # description of delay_class. # # For a class 1 delay pool, the syntax is: -# delay_pools pool 1 +# delay_class pool 1 # delay_parameters pool aggregate # # For a class 2 delay pool: -# delay_pools pool 2 +# delay_class pool 2 # delay_parameters pool aggregate individual # # For a class 3 delay pool: -# delay_pools pool 3 +# delay_class pool 3 # delay_parameters pool aggregate network individual # # For a class 4 delay pool: -# delay_pools pool 4 +# delay_class pool 4 # delay_parameters pool aggregate network individual user # # For a class 5 delay pool: -# delay_pools pool 5 +# delay_class pool 5 # delay_parameters pool tagrate # # The option variables are: @@ -3988,11 +5825,11 @@ refresh_pattern . 0 20% 4320 # above example, and is being used to strictly limit each host to 64Kbit/sec # (plus overheads), with no overall limit, the line is: # -# delay_parameters 1 -1/-1 8000/8000 +# delay_parameters 1 none 8000/8000 # -# Note that 8 x 8000 KByte/sec -> 64Kbit/sec. +# Note that 8 x 8K Byte/sec -> 64K bit/sec. # -# Note that the figure -1 is used to represent "unlimited". +# Note that the word 'none' is used to represent no limit. # # # And, if delay pool number 2 is a class 3 delay pool as in the above @@ -4005,15 +5842,19 @@ refresh_pattern . 0 20% 4320 # # delay_parameters 2 32000/32000 8000/8000 600/8000 # -# Note that 8 x 32000 KByte/sec -> 256Kbit/sec. -# 8 x 8000 KByte/sec -> 64Kbit/sec. -# 8 x 600 Byte/sec -> 4800bit/sec. +# Note that 8 x 32K Byte/sec -> 256K bit/sec. +# 8 x 8K Byte/sec -> 64K bit/sec. +# 8 x 600 Byte/sec -> 4800 bit/sec. # # # Finally, for a class 4 delay pool as in the example - each user will # be limited to 128Kbits/sec no matter how many workstations they are logged into.: # # delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000 +# +# +# See also delay_class and delay_access. +# #Default: # none @@ -4026,6 +5867,94 @@ refresh_pattern . 0 20% 4320 #Default: # delay_initial_bucket_level 50 +# CLIENT DELAY POOL PARAMETERS +# ----------------------------------------------------------------------------- + +# TAG: client_delay_pools +# This option specifies the number of client delay pools used. It must +# preceed other client_delay_* options. +# +# Example: +# client_delay_pools 2 +# +# See also client_delay_parameters and client_delay_access. +#Default: +# client_delay_pools 0 + +# TAG: client_delay_initial_bucket_level (percent, 0-no_limit) +# This option determines the initial bucket size as a percentage of +# max_bucket_size from client_delay_parameters. Buckets are created +# at the time of the "first" connection from the matching IP. Idle +# buckets are periodically deleted up. +# +# You can specify more than 100 percent but note that such "oversized" +# buckets are not refilled until their size goes down to max_bucket_size +# from client_delay_parameters. +# +# Example: +# client_delay_initial_bucket_level 50 +#Default: +# client_delay_initial_bucket_level 50 + +# TAG: client_delay_parameters +# +# This option configures client-side bandwidth limits using the +# following format: +# +# client_delay_parameters pool speed_limit max_bucket_size +# +# pool is an integer ID used for client_delay_access matching. +# +# speed_limit is bytes added to the bucket per second. +# +# max_bucket_size is the maximum size of a bucket, enforced after any +# speed_limit additions. +# +# Please see the delay_parameters option for more information and +# examples. +# +# Example: +# client_delay_parameters 1 1024 2048 +# client_delay_parameters 2 51200 16384 +# +# See also client_delay_access. +# +#Default: +# none + +# TAG: client_delay_access +# This option determines the client-side delay pool for the +# request: +# +# client_delay_access pool_ID allow|deny acl_name +# +# All client_delay_access options are checked in their pool ID +# order, starting with pool 1. The first checked pool with allowed +# request is selected for the request. If no ACL matches or there +# are no client_delay_access options, the request bandwidth is not +# limited. +# +# The ACL-selected pool is then used to find the +# client_delay_parameters for the request. Client-side pools are +# not used to aggregate clients. Clients are always aggregated +# based on their source IP addresses (one bucket per source IP). +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# Additionally, only the client TCP connection details are available. +# ACLs testing HTTP properties will not work. +# +# Please see delay_access for more examples. +# +# Example: +# client_delay_access 1 allow low_rate_network +# client_delay_access 2 allow vips_network +# +# +# See also client_delay_parameters and client_delay_pools. +#Default: +# Deny use of the pool, unless allow rules exist in squid.conf for the pool. + # WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS # ----------------------------------------------------------------------------- @@ -4040,7 +5969,7 @@ refresh_pattern . 0 20% 4320 # only one of the two may be used at the same time and defines # which version of WCCP to use. #Default: -# wccp_router any_addr +# WCCP disabled. # TAG: wccp2_router # Use this option to define your WCCP ``home'' router for @@ -4053,7 +5982,7 @@ refresh_pattern . 0 20% 4320 # only one of the two may be used at the same time and defines # which version of WCCP to use. #Default: -# none +# WCCPv2 disabled. # TAG: wccp_version # This directive is only relevant if you need to set up WCCP(v1) @@ -4110,7 +6039,7 @@ refresh_pattern . 0 20% 4320 # Valid values are as follows: # # hash - Hash assignment -# mask - Mask assignment +# mask - Mask assignment # # As a general rule, cisco routers support the hash assignment method # and cisco switches support the mask assignment method. @@ -4138,7 +6067,7 @@ refresh_pattern . 0 20% 4320 # # fleshed out with subsequent options. # wccp2_service standard 0 password=foo #Default: -# wccp2_service standard 0 +# Use the 'web-cache' standard service. # TAG: wccp2_service_info # Dynamic WCCPv2 services require further information to define the @@ -4175,8 +6104,12 @@ refresh_pattern . 0 20% 4320 # wccp2_weight 10000 # TAG: wccp_address +# Use this option if you require WCCPv2 to use a specific +# interface address. +# +# The default behavior is to not bind to any specific address. #Default: -# wccp_address 0.0.0.0 +# Address selected by the operating system. # TAG: wccp2_address # Use this option if you require WCCP to use a specific @@ -4184,7 +6117,7 @@ refresh_pattern . 0 20% 4320 # # The default behavior is to not bind to any specific address. #Default: -# wccp2_address 0.0.0.0 +# Address selected by the operating system. # PERSISTENT CONNECTION HANDLING # ----------------------------------------------------------------------------- @@ -4192,14 +6125,16 @@ refresh_pattern . 0 20% 4320 # Also see "pconn_timeout" in the TIMEOUTS section # TAG: client_persistent_connections +# Persistent connection support for clients. +# Squid uses persistent connections (when allowed). You can use +# this option to disable persistent connections with clients. #Default: # client_persistent_connections on # TAG: server_persistent_connections -# Persistent connection support for clients and servers. By -# default, Squid uses persistent connections (when allowed) -# with its clients and servers. You can use these options to -# disable persistent connections with clients and/or servers. +# Persistent connection support for servers. +# Squid uses persistent connections (when allowed). You can use +# this option to disable persistent connections with servers. #Default: # server_persistent_connections on @@ -4275,7 +6210,7 @@ refresh_pattern . 0 20% 4320 # Example: # snmp_port 3401 #Default: -# snmp_port 0 +# SNMP disabled. # TAG: snmp_access # Allowing or denying access to the SNMP port. @@ -4287,26 +6222,29 @@ refresh_pattern . 0 20% 4320 # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# #Example: # snmp_access allow snmppublic localhost # snmp_access deny all #Default: -# snmp_access deny all +# Deny, unless rules exist in squid.conf. # TAG: snmp_incoming_address -#Default: -# snmp_incoming_address any_addr - -# TAG: snmp_outgoing_address # Just like 'udp_incoming_address', but for the SNMP port. # # snmp_incoming_address is used for the SNMP socket receiving # messages from SNMP agents. -# snmp_outgoing_address is used for SNMP packets returned to SNMP -# agents. # # The default snmp_incoming_address is to listen on all # available network interfaces. +#Default: +# Accept SNMP packets from all machine interfaces. + +# TAG: snmp_outgoing_address +# Just like 'udp_outgoing_address', but for the SNMP port. +# +# snmp_outgoing_address is used for SNMP packets returned to SNMP +# agents. # # If snmp_outgoing_address is not set it will use the same socket # as snmp_incoming_address. Only change this if you want to have @@ -4314,9 +6252,9 @@ refresh_pattern . 0 20% 4320 # listens for SNMP queries. # # NOTE, snmp_incoming_address and snmp_outgoing_address can not have -# the same value since they both use port 3401. +# the same value since they both use the same port. #Default: -# snmp_outgoing_address no_addr +# Use snmp_incoming_address or an address selected by the operating system. # ICP OPTIONS # ----------------------------------------------------------------------------- @@ -4324,22 +6262,21 @@ refresh_pattern . 0 20% 4320 # TAG: icp_port # The port number where Squid sends and receives ICP queries to # and from neighbor caches. The standard UDP port for ICP is 3130. -# Default is disabled (0). # # Example: # icp_port 3130 #Default: -# icp_port 0 +# ICP disabled. # TAG: htcp_port # The port number where Squid sends and receives HTCP queries to # and from neighbor caches. To turn it on you want to set it to -# 4827. By default it is set to "0" (disabled). +# 4827. # # Example: # htcp_port 4827 #Default: -# htcp_port 0 +# HTCP disabled. # TAG: log_icp_queries on|off # If set, ICP queries are logged to access.log. You may wish @@ -4365,7 +6302,7 @@ refresh_pattern . 0 20% 4320 # NOTE, udp_incoming_address and udp_outgoing_address can not # have the same value since they both use the same port. #Default: -# udp_incoming_address any_addr +# Accept packets from all machine interfaces. # TAG: udp_outgoing_address # udp_outgoing_address is used for UDP packets sent out to other @@ -4386,7 +6323,7 @@ refresh_pattern . 0 20% 4320 # NOTE, udp_incoming_address and udp_outgoing_address can not # have the same value since they both use the same port. #Default: -# udp_outgoing_address no_addr +# Use udp_incoming_address or an address selected by the operating system. # TAG: icp_hit_stale on|off # If you want to return ICP_HIT for stale cache objects, set this @@ -4405,21 +6342,33 @@ refresh_pattern . 0 20% 4320 #Default: # minimum_direct_hops 4 -# TAG: minimum_direct_rtt +# TAG: minimum_direct_rtt (msec) # If using the ICMP pinging stuff, do direct fetches for sites # which are no more than this many rtt milliseconds away. #Default: # minimum_direct_rtt 400 # TAG: netdb_low +# The low water mark for the ICMP measurement database. +# +# Note: high watermark controlled by netdb_high directive. +# +# These watermarks are counts, not percents. The defaults are +# (low) 900 and (high) 1000. When the high water mark is +# reached, database entries will be deleted until the low +# mark is reached. #Default: # netdb_low 900 # TAG: netdb_high -# The low and high water marks for the ICMP measurement -# database. These are counts, not percents. The defaults are -# 900 and 1000. When the high water mark is reached, database -# entries will be deleted until the low mark is reached. +# The high water mark for the ICMP measurement database. +# +# Note: low watermark controlled by netdb_low directive. +# +# These watermarks are counts, not percents. The defaults are +# (low) 900 and (high) 1000. When the high water mark is +# reached, database entries will be deleted until the low +# mark is reached. #Default: # netdb_high 1000 @@ -4462,7 +6411,7 @@ refresh_pattern . 0 20% 4320 # # icp_query_timeout 2000 #Default: -# icp_query_timeout 0 +# Dynamic detection. # TAG: maximum_icp_query_timeout (msec) # Normally the ICP query timeout is determined dynamically. But @@ -4528,7 +6477,7 @@ refresh_pattern . 0 20% 4320 # Do not enable this option unless you are are absolutely # certain you understand what you are doing. #Default: -# mcast_miss_addr no_addr +# disabled. # TAG: mcast_miss_ttl # Note: This option is only available if Squid is rebuilt with the @@ -4618,7 +6567,7 @@ refresh_pattern . 0 20% 4320 # The squid developers working on translations are happy to supply drop-in # translated error files in exchange for any new language contributions. #Default: -# none +# Send error pages in the clients preferred language # TAG: error_default_language # Set the default language which squid will send error pages in @@ -4632,7 +6581,7 @@ refresh_pattern . 0 20% 4320 # translations for any language see the squid wiki for details. # http://wiki.squid-cache.org/Translations #Default: -# none +# Generate English language pages. # TAG: error_log_languages # Log to cache.log what languages users are attempting to @@ -4687,17 +6636,47 @@ refresh_pattern . 0 20% 4320 # the first authentication related acl encountered # - When none of the http_access lines matches. It's then the last # acl processed on the last http_access line. +# - When the decision to deny access was made by an adaptation service, +# the acl name is the corresponding eCAP or ICAP service_name. # # NP: If providing your own custom error pages with error_directory # you may also specify them by your custom file name: # Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys # -# Alternatively you can specify an error URL. The browsers will -# get redirected (302 or 307) to the specified URL. %s in the redirection -# URL will be replaced by the requested URL. +# By defaut Squid will send "403 Forbidden". A different 4xx or 5xx +# may be specified by prefixing the file name with the code and a colon. +# e.g. 404:ERR_CUSTOM_ACCESS_DENIED # # Alternatively you can tell Squid to reset the TCP connection # by specifying TCP_RESET. +# +# Or you can specify an error URL or URL pattern. The browsers will +# get redirected to the specified URL after formatting tags have +# been replaced. Redirect will be done with 302 or 307 according to +# HTTP/1.1 specs. A different 3xx code may be specified by prefixing +# the URL. e.g. 303:http://example.com/ +# +# URL FORMAT TAGS: +# %a - username (if available. Password NOT included) +# %B - FTP path URL +# %e - Error number +# %E - Error description +# %h - Squid hostname +# %H - Request domain name +# %i - Client IP Address +# %M - Request Method +# %o - Message result from external ACL helper +# %p - Request Port number +# %P - Request Protocol name +# %R - Request URL path +# %T - Timestamp in RFC 1123 format +# %U - Full canonical URL from client +# (HTTPS URLs terminate with *) +# %u - Full canonical URL from client +# %w - Admin email from squid.conf +# %x - Error name +# %% - Literal percent (%) code +# #Default: # none @@ -4706,18 +6685,18 @@ refresh_pattern . 0 20% 4320 # TAG: nonhierarchical_direct # By default, Squid will send any non-hierarchical requests -# (matching hierarchy_stoplist or not cacheable request type) direct -# to origin servers. +# (not cacheable request type) direct to origin servers. # -# If you set this to off, Squid will prefer to send these +# When this is set to "off", Squid will prefer to send these # requests to parents. # # Note that in most configurations, by turning this off you will only # add latency to these request without any improvement in global hit # ratio. # -# If you are inside an firewall see never_direct instead of -# this directive. +# This option only sets a preference. If the parent is unavailable a +# direct connection to the origin server may still be attempted. To +# completely prevent direct connections use never_direct. #Default: # nonhierarchical_direct on @@ -4736,6 +6715,29 @@ refresh_pattern . 0 20% 4320 #Default: # prefer_direct off +# TAG: cache_miss_revalidate on|off +# RFC 7232 defines a conditional request mechanism to prevent +# response objects being unnecessarily transferred over the network. +# If that mechanism is used by the client and a cache MISS occurs +# it can prevent new cache entries being created. +# +# This option determines whether Squid on cache MISS will pass the +# client revalidation request to the server or tries to fetch new +# content for caching. It can be useful while the cache is mostly +# empty to more quickly have the cache populated by generating +# non-conditional GETs. +# +# When set to 'on' (default), Squid will pass all client If-* headers +# to the server. This permits server responses without a cacheable +# payload to be delivered and on MISS no new cache entry is created. +# +# When set to 'off' and if the request is cacheable, Squid will +# remove the clients If-Modified-Since and If-None-Match headers from +# the request sent to the server. This requests a 200 status response +# from the server to create a new cache entry with. +#Default: +# cache_miss_revalidate on + # TAG: always_direct # Usage: always_direct allow|deny [!]aclname ... # @@ -4776,7 +6778,7 @@ refresh_pattern . 0 20% 4320 # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Prevent any cache_peer being used for this request. # TAG: never_direct # Usage: never_direct allow|deny [!]aclname ... @@ -4805,37 +6807,52 @@ refresh_pattern . 0 20% 4320 # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow DNS results to be used for this request. # ADVANCED NETWORKING OPTIONS # ----------------------------------------------------------------------------- -# TAG: incoming_icp_average +# TAG: incoming_udp_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: -# incoming_icp_average 6 +# incoming_udp_average 6 -# TAG: incoming_http_average +# TAG: incoming_tcp_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: -# incoming_http_average 4 +# incoming_tcp_average 4 # TAG: incoming_dns_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: # incoming_dns_average 4 -# TAG: min_icp_poll_cnt +# TAG: min_udp_poll_cnt +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: -# min_icp_poll_cnt 8 +# min_udp_poll_cnt 8 # TAG: min_dns_poll_cnt +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: # min_dns_poll_cnt 8 -# TAG: min_http_poll_cnt +# TAG: min_tcp_poll_cnt # Heavy voodoo here. I can't even believe you are reading this. # Are you crazy? Don't even think about adjusting these unless # you understand the algorithms in comm_select.c first! #Default: -# min_http_poll_cnt 8 +# min_tcp_poll_cnt 8 # TAG: accept_filter # FreeBSD: @@ -4880,14 +6897,14 @@ refresh_pattern . 0 20% 4320 # WARNING: This may noticably slow down traffic received via external proxies # or NAT devices and cause them to rebound error messages back to their clients. #Default: -# client_ip_max_connections -1 +# No limit. # TAG: tcp_recv_bufsize (bytes) # Size of receive buffer to set for TCP sockets. Probably just -# as easy to change your kernel's default. Set to zero to use -# the default buffer size. +# as easy to change your kernel's default. +# Omit from squid.conf to use the default buffer size. #Default: -# tcp_recv_bufsize 0 bytes +# Use operating system TCP defaults. # ICAP OPTIONS # ----------------------------------------------------------------------------- @@ -4913,22 +6930,36 @@ refresh_pattern . 0 20% 4320 # an established, active ICAP connection before giving up and # either terminating the HTTP transaction or bypassing the # failure. -# -# The default is read_timeout. #Default: -# none +# Use read_timeout. -# TAG: icap_service_failure_limit +# TAG: icap_service_failure_limit limit [in memory-depth time-units] # The limit specifies the number of failures that Squid tolerates # when establishing a new TCP connection with an ICAP service. If # the number of failures exceeds the limit, the ICAP service is # not used for new ICAP requests until it is time to refresh its -# OPTIONS. The per-service failure counter is reset to zero each -# time Squid fetches new service OPTIONS. +# OPTIONS. # # A negative value disables the limit. Without the limit, an ICAP # service will not be considered down due to connectivity failures # between ICAP OPTIONS requests. +# +# Squid forgets ICAP service failures older than the specified +# value of memory-depth. The memory fading algorithm +# is approximate because Squid does not remember individual +# errors but groups them instead, splitting the option +# value into ten time slots of equal length. +# +# When memory-depth is 0 and by default this option has no +# effect on service failure expiration. +# +# Squid always forgets failures when updating service settings +# using an ICAP OPTIONS transaction, regardless of this option +# setting. +# +# For example, +# # suspend service usage after 10 failures in 5 seconds: +# icap_service_failure_limit 10 in 5 seconds #Default: # icap_service_failure_limit 10 @@ -4962,10 +6993,26 @@ refresh_pattern . 0 20% 4320 # TAG: icap_preview_size # The default size of preview data to be sent to the ICAP server. -# -1 means no preview. This value might be overwritten on a per server -# basis by OPTIONS requests. +# This value might be overwritten on a per server basis by OPTIONS requests. +#Default: +# No preview sent. + +# TAG: icap_206_enable on|off +# 206 (Partial Content) responses is an ICAP extension that allows the +# ICAP agents to optionally combine adapted and original HTTP message +# content. The decision to combine is postponed until the end of the +# ICAP response. Squid supports Partial Content extension by default. +# +# Activation of the Partial Content extension is negotiated with each +# ICAP service during OPTIONS exchange. Most ICAP servers should handle +# negotation correctly even if they do not support the extension, but +# some might fail. To disable Partial Content support for all ICAP +# services and to avoid any negotiation, set this option to "off". +# +# Example: +# icap_206_enable off #Default: -# icap_preview_size -1 +# icap_206_enable on # TAG: icap_default_options_ttl # The default TTL value for ICAP OPTIONS responses that don't have @@ -4979,25 +7026,27 @@ refresh_pattern . 0 20% 4320 #Default: # icap_persistent_connections on -# TAG: icap_send_client_ip on|off +# TAG: adaptation_send_client_ip on|off # If enabled, Squid shares HTTP client IP information with adaptation # services. For ICAP, Squid adds the X-Client-IP header to ICAP requests. # For eCAP, Squid sets the libecap::metaClientIp transaction option. # # See also: adaptation_uses_indirect_client #Default: -# icap_send_client_ip off +# adaptation_send_client_ip off -# TAG: icap_send_client_username on|off +# TAG: adaptation_send_username on|off # This sends authenticated HTTP client username (if available) to -# the ICAP service. The username value is encoded based on the +# the adaptation service. +# +# For ICAP, the username value is encoded based on the # icap_client_username_encode option and is sent using the header # specified by the icap_client_username_header option. #Default: -# icap_send_client_username off +# adaptation_send_username off # TAG: icap_client_username_header -# ICAP request header name to use for send_client_username. +# ICAP request header name to use for adaptation_send_username. #Default: # icap_client_username_header X-Client-Username @@ -5009,17 +7058,19 @@ refresh_pattern . 0 20% 4320 # TAG: icap_service # Defines a single ICAP service using the following format: # -# icap_service service_name vectoring_point [options] service_url +# icap_service id vectoring_point uri [option ...] # -# service_name: ID -# an opaque identifier which must be unique in squid.conf +# id: ID +# an opaque identifier or name which is used to direct traffic to +# this specific service. Must be unique among all adaptation +# services in squid.conf. # # vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache # This specifies at which point of transaction processing the # ICAP service should be activated. *_postcache vectoring points # are not yet supported. # -# service_url: icap://servername:port/servicepath +# uri: icap://servername:port/servicepath # ICAP server and service location. # # ICAP does not allow a single service to handle both REQMOD and RESPMOD @@ -5028,6 +7079,8 @@ refresh_pattern . 0 20% 4320 # can even specify multiple identical services as long as their # service_names differ. # +# To activate a service, use the adaptation_access directive. To group +# services, use adaptation_service_chain and adaptation_service_set. # # Service options are separated by white space. ICAP services support # the following name=value options: @@ -5049,11 +7102,12 @@ refresh_pattern . 0 20% 4320 # returning a chain of services to be used next. The services # are specified using the X-Next-Services ICAP response header # value, formatted as a comma-separated list of service names. -# Each named service should be configured in squid.conf and -# should have the same method and vectoring point as the current -# ICAP transaction. Services violating these rules are ignored. -# An empty X-Next-Services value results in an empty plan which -# ends the current adaptation. +# Each named service should be configured in squid.conf. Other +# services are ignored. An empty X-Next-Services value results +# in an empty plan which ends the current adaptation. +# +# Dynamic adaptation plan may cross or cover multiple supported +# vectoring points in their natural processing order. # # Routing is not allowed by default: the ICAP X-Next-Services # response header is ignored. @@ -5063,12 +7117,32 @@ refresh_pattern . 0 20% 4320 # is to use IPv4-only connections. When set to 'on' this option will # make Squid use IPv6-only connections to contact this ICAP service. # +# on-overload=block|bypass|wait|force +# If the service Max-Connections limit has been reached, do +# one of the following for each new ICAP transaction: +# * block: send an HTTP error response to the client +# * bypass: ignore the "over-connected" ICAP service +# * wait: wait (in a FIFO queue) for an ICAP connection slot +# * force: proceed, ignoring the Max-Connections limit +# +# In SMP mode with N workers, each worker assumes the service +# connection limit is Max-Connections/N, even though not all +# workers may use a given service. +# +# The default value is "bypass" if service is bypassable, +# otherwise it is set to "wait". +# +# +# max-conn=number +# Use the given number as the Max-Connections limit, regardless +# of the Max-Connections value given by the service, if any. +# # Older icap_service format without optional named parameters is # deprecated but supported for backward compatibility. # #Example: -#icap_service svcBlocker reqmod_precache bypass=0 icap://icap1.mydomain.net:1344/reqmod -#icap_service svcLogger reqmod_precache routing=on icap://icap2.mydomain.net:1344/respmod +#icap_service svcBlocker reqmod_precache icap://icap1.mydomain.net:1344/reqmod bypass=0 +#icap_service svcLogger reqmod_precache icap://icap2.mydomain.net:1344/respmod routing=on #Default: # none @@ -5094,38 +7168,65 @@ refresh_pattern . 0 20% 4320 # ----------------------------------------------------------------------------- # TAG: ecap_enable on|off -# Note: This option is only available if Squid is rebuilt with the -# --enable-ecap option -# # Controls whether eCAP support is enabled. #Default: # ecap_enable off # TAG: ecap_service -# Note: This option is only available if Squid is rebuilt with the -# --enable-ecap option -# # Defines a single eCAP service # -# ecap_service servicename vectoring_point bypass service_url +# ecap_service id vectoring_point uri [option ...] # -# vectoring_point = reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache +# id: ID +# an opaque identifier or name which is used to direct traffic to +# this specific service. Must be unique among all adaptation +# services in squid.conf. +# +# vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache # This specifies at which point of transaction processing the # eCAP service should be activated. *_postcache vectoring points # are not yet supported. -# bypass = 1|0 -# If set to 1, the eCAP service is treated as optional. If the -# service cannot be reached or malfunctions, Squid will try to -# ignore any errors and process the message as if the service +# +# uri: ecap://vendor/service_name?custom&cgi=style¶meters=optional +# Squid uses the eCAP service URI to match this configuration +# line with one of the dynamically loaded services. Each loaded +# eCAP service must have a unique URI. Obtain the right URI from +# the service provider. +# +# To activate a service, use the adaptation_access directive. To group +# services, use adaptation_service_chain and adaptation_service_set. +# +# Service options are separated by white space. eCAP services support +# the following name=value options: +# +# bypass=on|off|1|0 +# If set to 'on' or '1', the eCAP service is treated as optional. +# If the service cannot be reached or malfunctions, Squid will try +# to ignore any errors and process the message as if the service # was not enabled. No all eCAP errors can be bypassed. -# If set to 0, the eCAP service is treated as essential and all -# eCAP errors will result in an error page returned to the +# If set to 'off' or '0', the eCAP service is treated as essential +# and all eCAP errors will result in an error page returned to the # HTTP client. -# service_url = ecap://vendor/service_name?custom&cgi=style¶meters=optional +# +# Bypass is off by default: services are treated as essential. +# +# routing=on|off|1|0 +# If set to 'on' or '1', the eCAP service is allowed to +# dynamically change the current message adaptation plan by +# returning a chain of services to be used next. +# +# Dynamic adaptation plan may cross or cover multiple supported +# vectoring points in their natural processing order. +# +# Routing is not allowed by default. +# +# Older ecap_service format without optional named parameters is +# deprecated but supported for backward compatibility. +# # #Example: -#ecap_service service_1 reqmod_precache 0 ecap://filters-R-us/leakDetector?on_error=block -#ecap_service service_2 respmod_precache 1 icap://filters-R-us/virusFilter?config=/etc/vf.cfg +#ecap_service s1 reqmod_precache ecap://filters.R.us/leakDetector?on_error=block bypass=off +#ecap_service s2 respmod_precache ecap://filters.R.us/virusFilter config=/etc/vf.cfg bypass=on #Default: # none @@ -5247,7 +7348,7 @@ refresh_pattern . 0 20% 4320 #Example: #adaptation_access service_1 allow all #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: adaptation_service_iteration_limit # Limits the number of iterations allowed when applying adaptation @@ -5275,8 +7376,14 @@ refresh_pattern . 0 20% 4320 # # An ICAP REQMOD or RESPMOD transaction may set an entry in the # shared table by returning an ICAP header field with a name -# specified in adaptation_masterx_shared_names. Squid will store -# and forward that ICAP header field to subsequent ICAP +# specified in adaptation_masterx_shared_names. +# +# An eCAP REQMOD or RESPMOD transaction may set an entry in the +# shared table by implementing the libecap::visitEachOption() API +# to provide an option with a name specified in +# adaptation_masterx_shared_names. +# +# Squid will store and forward the set entry to subsequent adaptation # transactions within the same master transaction scope. # # Only one shared entry name is supported at this time. @@ -5287,6 +7394,43 @@ refresh_pattern . 0 20% 4320 #Default: # none +# TAG: adaptation_meta +# This option allows Squid administrator to add custom ICAP request +# headers or eCAP options to Squid ICAP requests or eCAP transactions. +# Use it to pass custom authentication tokens and other +# transaction-state related meta information to an ICAP/eCAP service. +# +# The addition of a meta header is ACL-driven: +# adaptation_meta name value [!]aclname ... +# +# Processing for a given header name stops after the first ACL list match. +# Thus, it is impossible to add two headers with the same name. If no ACL +# lists match for a given header name, no such header is added. For +# example: +# +# # do not debug transactions except for those that need debugging +# adaptation_meta X-Debug 1 needs_debugging +# +# # log all transactions except for those that must remain secret +# adaptation_meta X-Log 1 !keep_secret +# +# # mark transactions from users in the "G 1" group +# adaptation_meta X-Authenticated-Groups "G 1" authed_as_G1 +# +# The "value" parameter may be a regular squid.conf token or a "double +# quoted string". Within the quoted string, use backslash (\) to escape +# any character, which is currently only useful for escaping backslashes +# and double quotes. For example, +# "this string has one backslash (\\) and two \"quotes\"" +# +# Used adaptation_meta header values may be logged via %note +# logformat code. If multiple adaptation_meta headers with the same name +# are used during master transaction lifetime, the header values are +# logged in the order they were used and duplicate values are ignored +# (only the first repeated value will be logged). +#Default: +# none + # TAG: icap_retry # This ACL determines which retriable ICAP transactions are # retried. Transactions that received a complete ICAP response @@ -5303,8 +7447,7 @@ refresh_pattern . 0 20% 4320 # icap_retry deny all # TAG: icap_retry_limit -# Limits the number of retries allowed. When set to zero (default), -# no retries are allowed. +# Limits the number of retries allowed. # # Communication errors due to persistent connection race # conditions are unavoidable, automatically retried, and do not @@ -5312,7 +7455,7 @@ refresh_pattern . 0 20% 4320 # # See also: icap_retry #Default: -# icap_retry_limit 0 +# No retries are allowed. # DNS OPTIONS # ----------------------------------------------------------------------------- @@ -5332,31 +7475,9 @@ refresh_pattern . 0 20% 4320 #Default: # allow_underscore on -# TAG: cache_dns_program -# Note: This option is only available if Squid is rebuilt with the -# --disable-internal-dns option -# -# Specify the location of the executable for dnslookup process. -#Default: -# cache_dns_program /usr/lib/squid/dnsserver - -# TAG: dns_children -# Note: This option is only available if Squid is rebuilt with the -# --disable-internal-dns option -# -# The number of processes spawn to service DNS name lookups. -# For heavily loaded caches on large servers, you should -# probably increase this value to at least 10. The maximum -# is 32. The default is 5. -# -# You must have at least one dnsserver process. -#Default: -# dns_children 5 - # TAG: dns_retransmit_interval # Initial retransmit interval for DNS queries. The interval is # doubled each time all configured DNS servers have been tried. -# #Default: # dns_retransmit_interval 5 seconds @@ -5365,7 +7486,31 @@ refresh_pattern . 0 20% 4320 # within this time all DNS servers for the queried domain # are assumed to be unavailable. #Default: -# dns_timeout 2 minutes +# dns_timeout 30 seconds + +# TAG: dns_packet_max +# Maximum number of bytes packet size to advertise via EDNS. +# Set to "none" to disable EDNS large packet support. +# +# For legacy reasons DNS UDP replies will default to 512 bytes which +# is too small for many responses. EDNS provides a means for Squid to +# negotiate receiving larger responses back immediately without having +# to failover with repeat requests. Responses larger than this limit +# will retain the old behaviour of failover to TCP DNS. +# +# Squid has no real fixed limit internally, but allowing packet sizes +# over 1500 bytes requires network jumbogram support and is usually not +# necessary. +# +# WARNING: The RFC also indicates that some older resolvers will reply +# with failure of the whole request if the extension is added. Some +# resolvers have already been identified which will reply with mangled +# EDNS response on occasion. Usually in response to many-KB jumbogram +# sizes being advertised by Squid. +# Squid will currently treat these both as an unable-to-resolve domain +# even if it would be resolvable without EDNS. +#Default: +# EDNS disabled # TAG: dns_defnames on|off # Normally the RES_DEFNAMES resolver option is disabled @@ -5373,12 +7518,21 @@ refresh_pattern . 0 20% 4320 # from interpreting single-component hostnames locally. To allow # Squid to handle single-component names, enable this option. #Default: -# dns_defnames off +# Search for single-label domain names is disabled. + +# TAG: dns_multicast_local on|off +# When set to on, Squid sends multicast DNS lookups on the local +# network for domains ending in .local and .arpa. +# This enables local servers and devices to be contacted in an +# ad-hoc or zero-configuration network environment. +#Default: +# Search for .local and .arpa names is disabled. # TAG: dns_nameservers # Use this if you want to specify a list of DNS name servers # (IP addresses) to use instead of those given in your # /etc/resolv.conf file. +# # On Windows platforms, if no value is specified here or in # the /etc/resolv.conf file, the list of DNS name servers are # taken from the Windows registry, both static and dynamic DHCP @@ -5386,7 +7540,7 @@ refresh_pattern . 0 20% 4320 # # Example: dns_nameservers 10.0.0.1 192.172.0.4 #Default: -# none +# Use operating system definitions # TAG: hosts_file # Location of the host-local IP name-address associations @@ -5425,7 +7579,7 @@ refresh_pattern . 0 20% 4320 #Example: # append_domain .yourdomain.com #Default: -# none +# Use operating system definitions # TAG: ignore_unknown_nameservers # By default Squid checks that DNS responses are received @@ -5436,23 +7590,6 @@ refresh_pattern . 0 20% 4320 #Default: # ignore_unknown_nameservers on -# TAG: dns_v4_fallback -# Standard practice with DNS is to lookup either A or AAAA records -# and use the results if it succeeds. Only looking up the other if -# the first attempt fails or otherwise produces no results. -# -# That policy however will cause squid to produce error pages for some -# servers that advertise AAAA but are unreachable over IPv6. -# -# If this is ON squid will always lookup both AAAA and A, using both. -# If this is OFF squid will lookup AAAA and only try A if none found. -# -# WARNING: There are some possibly unwanted side-effects with this on: -# *) Doubles the load placed by squid on the DNS network. -# *) May negatively impact connection delay times. -#Default: -# dns_v4_fallback on - # TAG: dns_v4_first # With the IPv6 Internet being as fast or faster than IPv4 Internet # for most networks Squid prefers to contact websites over IPv6. @@ -5464,11 +7601,12 @@ refresh_pattern . 0 20% 4320 # WARNING: # This option will restrict the situations under which IPv6 # connectivity is used (and tested), potentially hiding network -# problem swhich would otherwise be detected and warned about. +# problems which would otherwise be detected and warned about. #Default: # dns_v4_first off # TAG: ipcache_size (number of entries) +# Maximum number of DNS IP cache entries. #Default: # ipcache_size 1024 @@ -5489,6 +7627,15 @@ refresh_pattern . 0 20% 4320 # MISCELLANEOUS # ----------------------------------------------------------------------------- +# TAG: configuration_includes_quoted_values on|off +# If set, Squid will recognize each "quoted string" after a configuration +# directive as a single parameter. The quotes are stripped before the +# parameter value is interpreted or used. +# See "Values with spaces, quotes, and other special characters" +# section for more details. +#Default: +# configuration_includes_quoted_values off + # TAG: memory_pools on|off # If set, Squid will keep pools of allocated (but unused) memory # available for future use. If memory is a premium on your @@ -5539,7 +7686,7 @@ refresh_pattern . 0 20% 4320 # X-Forwarded-For header. # # If set to "truncate", Squid will remove all existing -# X-Forwarded-For entries, and place itself as the sole entry. +# X-Forwarded-For entries, and place the client IP as the sole entry. #Default: # forwarded_for on @@ -5602,7 +7749,7 @@ refresh_pattern . 0 20% 4320 # cachemgr_passwd lesssssssecret info stats/objects # cachemgr_passwd disable all #Default: -# none +# No password. Actions which require password are denied. # TAG: client_db on|off # If you want to disable collecting per-client statistics, @@ -5633,19 +7780,22 @@ refresh_pattern . 0 20% 4320 #Default: # reload_into_ims off -# TAG: maximum_single_addr_tries -# This sets the maximum number of connection attempts for a -# host that only has one address (for multiple-address hosts, -# each address is tried once). +# TAG: connect_retries +# This sets the maximum number of connection attempts made for each +# TCP connection. The connect_retries attempts must all still +# complete within the connection timeout period. +# +# The default is not to re-try if the first connection attempt fails. +# The (not recommended) maximum is 10 tries. # -# The default value is one attempt, the (not recommended) -# maximum is 255 tries. A warning message will be generated -# if it is set to a value greater than ten. +# A warning message will be generated if it is set to a too-high +# value and the configured value will be over-ridden. # -# Note: This is in addition to the request re-forwarding which -# takes place if Squid fails to get a satisfying response. +# Note: These re-tries are in addition to forward_max_tries +# which limit how many different addresses may be tried to find +# a useful server. #Default: -# maximum_single_addr_tries 1 +# Do not retry failed connections. # TAG: retry_on_error # If set to ON Squid will automatically retry requests when @@ -5678,20 +7828,32 @@ refresh_pattern . 0 20% 4320 # URI. Options: # # strip: The whitespace characters are stripped out of the URL. -# This is the behavior recommended by RFC2396. +# This is the behavior recommended by RFC2396 and RFC3986 +# for tolerant handling of generic URI. +# NOTE: This is one difference between generic URI and HTTP URLs. +# # deny: The request is denied. The user receives an "Invalid # Request" message. +# This is the behaviour recommended by RFC2616 for safe +# handling of HTTP request URL. +# # allow: The request is allowed and the URI is not changed. The # whitespace characters remain in the URI. Note the # whitespace is passed to redirector processes if they # are in use. +# Note this may be considered a violation of RFC2616 +# request parsing where whitespace is prohibited in the +# URL field. +# # encode: The request is allowed and the whitespace characters are -# encoded according to RFC1738. This could be considered -# a violation of the HTTP/1.1 -# RFC because proxies are not allowed to rewrite URI's. +# encoded according to RFC1738. +# # chop: The request is allowed and the URI is chopped at the -# first whitespace. This might also be considered a -# violation. +# first whitespace. +# +# +# NOTE the current Squid implementation of encode and chop violates +# RFC2616 by not using a 301 redirect after altering the URL. #Default: # uri_whitespace strip @@ -5718,23 +7880,28 @@ refresh_pattern . 0 20% 4320 # balance_on_multiple_ip off # TAG: pipeline_prefetch -# To boost the performance of pipelined requests to closer -# match that of a non-proxied environment Squid can try to fetch -# up to two requests in parallel from a pipeline. -# -# Defaults to off for bandwidth management and access logging +# HTTP clients may send a pipeline of 1+N requests to Squid using a +# single connection, without waiting for Squid to respond to the first +# of those requests. This option limits the number of concurrent +# requests Squid will try to handle in parallel. If set to N, Squid +# will try to receive and process up to 1+N requests on the same +# connection concurrently. +# +# Defaults to 0 (off) for bandwidth management and access logging # reasons. # +# NOTE: pipelining requires persistent connections to clients. +# # WARNING: pipelining breaks NTLM and Negotiate/Kerberos authentication. #Default: -# pipeline_prefetch off +# Do not pre-parse pipelined requests. # TAG: high_response_time_warning (msec) # If the one-minute median response time exceeds this value, # Squid prints a WARNING with debug level 0 to get the # administrators attention. The value is in milliseconds. #Default: -# high_response_time_warning 0 +# disabled. # TAG: high_page_fault_warning # If the one-minute average page fault rate exceeds this @@ -5742,14 +7909,17 @@ refresh_pattern . 0 20% 4320 # the administrators attention. The value is in page faults # per second. #Default: -# high_page_fault_warning 0 +# disabled. # TAG: high_memory_warning -# If the memory usage (as determined by mallinfo) exceeds -# this amount, Squid prints a WARNING with debug level 0 to get +# Note: This option is only available if Squid is rebuilt with the +# GNU Malloc with mstats() +# +# If the memory usage (as determined by gnumalloc, if available and used) +# exceeds this amount, Squid prints a WARNING with debug level 0 to get # the administrators attention. #Default: -# high_memory_warning 0 KB +# disabled. # TAG: sleep_after_fork (microseconds) # When this is set to a non-zero value, the main Squid process @@ -5766,6 +7936,9 @@ refresh_pattern . 0 20% 4320 # sleep_after_fork 0 # TAG: windows_ipaddrchangemonitor on|off +# Note: This option is only available if Squid is rebuilt with the +# MS Windows +# # On Windows Squid by default will monitor IP address changes and will # reconfigure itself after any detected event. This is very useful for # proxies connected to internet with dial-up interfaces. @@ -5775,13 +7948,19 @@ refresh_pattern . 0 20% 4320 #Default: # windows_ipaddrchangemonitor on +# TAG: eui_lookup +# Whether to lookup the EUI or MAC address of a connected client. +#Default: +# eui_lookup on + # TAG: max_filedescriptors -# The maximum number of filedescriptors supported. +# Reduce the maximum number of filedescriptors supported below +# the usual operating system defaults. # -# The default "0" means Squid inherits the current ulimit setting. +# Remove from squid.conf to inherit the current ulimit setting. # # Note: Changing this requires a restart of Squid. Also -# not all comm loops supports large values. +# not all I/O types supports large values (eg on Windows). #Default: -# max_filedescriptors 0 +# Use operating system limits set by ulimit. diff --git a/hosts/profitbricks-build12-i386/etc/squid/squid.conf b/hosts/profitbricks-build12-i386/etc/squid/squid.conf index 34be0ec5..ad1cdc47 100644 --- a/hosts/profitbricks-build12-i386/etc/squid/squid.conf +++ b/hosts/profitbricks-build12-i386/etc/squid/squid.conf @@ -1,4 +1,4 @@ -# WELCOME TO SQUID 3.1.20 +# WELCOME TO SQUID 3.5.23 # ---------------------------- # # This is the documentation for the Squid configuration file. @@ -32,6 +32,188 @@ # This arbitrary restriction is to prevent recursive include references # from causing Squid entering an infinite loop whilst trying to load # configuration files. +# +# Values with byte units +# +# Squid accepts size units on some size related directives. All +# such directives are documented with a default value displaying +# a unit. +# +# Units accepted by Squid are: +# bytes - byte +# KB - Kilobyte (1024 bytes) +# MB - Megabyte +# GB - Gigabyte +# +# Values with spaces, quotes, and other special characters +# +# Squid supports directive parameters with spaces, quotes, and other +# special characters. Surround such parameters with "double quotes". Use +# the configuration_includes_quoted_values directive to enable or +# disable that support. +# +# Squid supports reading configuration option parameters from external +# files using the syntax: +# parameters("/path/filename") +# For example: +# acl whitelist dstdomain parameters("/etc/squid/whitelist.txt") +# +# Conditional configuration +# +# If-statements can be used to make configuration directives +# depend on conditions: +# +# if +# ... regular configuration directives ... +# [else +# ... regular configuration directives ...] +# endif +# +# The else part is optional. The keywords "if", "else", and "endif" +# must be typed on their own lines, as if they were regular +# configuration directives. +# +# NOTE: An else-if condition is not supported. +# +# These individual conditions types are supported: +# +# true +# Always evaluates to true. +# false +# Always evaluates to false. +# = +# Equality comparison of two integer numbers. +# +# +# SMP-Related Macros +# +# The following SMP-related preprocessor macros can be used. +# +# ${process_name} expands to the current Squid process "name" +# (e.g., squid1, squid2, or cache1). +# +# ${process_number} expands to the current Squid process +# identifier, which is an integer number (e.g., 1, 2, 3) unique +# across all Squid processes of the current service instance. +# +# ${service_name} expands into the current Squid service instance +# name identifier which is provided by -n on the command line. +# + +# TAG: broken_vary_encoding +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: cache_vary +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: error_map +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: external_refresh_check +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: location_rewrite_program +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: refresh_stale_hit +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: hierarchy_stoplist +# Remove this line. Use always_direct or cache_peer_access ACLs instead if you need to prevent cache_peer use. +#Default: +# none + +# TAG: log_access +# Remove this line. Use acls with access_log directives to control access logging +#Default: +# none + +# TAG: log_icap +# Remove this line. Use acls with icap_log directives to control icap logging +#Default: +# none + +# TAG: ignore_ims_on_miss +# Remove this line. The HTTP/1.1 feature is now configured by 'cache_miss_revalidate'. +#Default: +# none + +# TAG: chunked_request_body_max_size +# Remove this line. Squid is now HTTP/1.1 compliant. +#Default: +# none + +# TAG: dns_v4_fallback +# Remove this line. Squid performs a 'Happy Eyeballs' algorithm, the 'fallback' algorithm is no longer relevant. +#Default: +# none + +# TAG: emulate_httpd_log +# Replace this with an access_log directive using the format 'common' or 'combined'. +#Default: +# none + +# TAG: forward_log +# Use a regular access.log with ACL limiting it to MISS events. +#Default: +# none + +# TAG: ftp_list_width +# Remove this line. Configure FTP page display using the CSS controls in errorpages.css instead. +#Default: +# none + +# TAG: ignore_expect_100 +# Remove this line. The HTTP/1.1 feature is now fully supported by default. +#Default: +# none + +# TAG: log_fqdn +# Remove this option from your config. To log FQDN use %>A in the log format. +#Default: +# none + +# TAG: log_ip_on_direct +# Remove this option from your config. To log server or peer names use % -##auth_param negotiate children 5 +##auth_param negotiate children 20 startup=0 idle=1 ##auth_param negotiate keep_alive on ## -##auth_param ntlm program -##auth_param ntlm children 5 -##auth_param ntlm keep_alive on -## -##auth_param digest program -##auth_param digest children 5 +##auth_param digest program +##auth_param digest children 20 startup=0 idle=1 ##auth_param digest realm Squid proxy-caching web server ##auth_param digest nonce_garbage_interval 5 minutes ##auth_param digest nonce_max_duration 30 minutes ##auth_param digest nonce_max_count 50 ## +##auth_param ntlm program +##auth_param ntlm children 20 startup=0 idle=1 +##auth_param ntlm keep_alive on +## ##auth_param basic program -##auth_param basic children 5 +##auth_param basic children 5 startup=5 idle=1 ##auth_param basic realm Squid proxy-caching web server ##auth_param basic credentialsttl 2 hours #Default: @@ -343,7 +448,7 @@ # TAG: authenticate_cache_garbage_interval # The time period between garbage collection across the username cache. -# This is a tradeoff between memory utilization (long intervals - say +# This is a trade-off between memory utilization (long intervals - say # 2 days) and CPU (short intervals - say 1 minute). Only change if you # have good reason to. #Default: @@ -362,11 +467,11 @@ # this directive controls how long Squid remembers the IP # addresses associated with each user. Use a small value # (e.g., 60 seconds) if your users might change addresses -# quickly, as is the case with dialups. You might be safe +# quickly, as is the case with dialup. You might be safe # using a larger value (e.g., 2 hours) in a corporate LAN # environment with relatively static address assignments. #Default: -# authenticate_ip_ttl 0 seconds +# authenticate_ip_ttl 1 second # ACCESS CONTROLS # ----------------------------------------------------------------------------- @@ -381,31 +486,66 @@ # # ttl=n TTL in seconds for cached results (defaults to 3600 # for 1 hour) +# # negative_ttl=n # TTL for cached negative lookups (default same # as ttl) -# children=n Number of acl helper processes spawn to service +# +# grace=n Percentage remaining of TTL where a refresh of a +# cached entry should be initiated without needing to +# wait for a new reply. (default is for no grace period) +# +# cache=n The maximum number of entries in the result cache. The +# default limit is 262144 entries. Each cache entry usually +# consumes at least 256 bytes. Squid currently does not remove +# expired cache entries until the limit is reached, so a proxy +# will sooner or later reach the limit. The expanded FORMAT +# value is used as the cache key, so if the details in FORMAT +# are highly variable, a larger cache may be needed to produce +# reduction in helper load. +# +# children-max=n +# Maximum number of acl helper processes spawned to service # external acl lookups of this type. (default 5) +# +# children-startup=n +# Minimum number of acl helper processes to spawn during +# startup and reconfigure to service external acl lookups +# of this type. (default 0) +# +# children-idle=n +# Number of acl helper processes to keep ahead of traffic +# loads. Squid will spawn this many at once whenever load +# rises above the capabilities of existing processes. +# Up to the value of children-max. (default 1) +# # concurrency=n concurrency level per process. Only used with helpers # capable of processing more than one query at a time. -# cache=n result cache size, 0 is unbounded (default) -# grace=n Percentage remaining of TTL where a refresh of a -# cached entry should be initiated without needing to -# wait for a new reply. (default 0 for no grace period) -# protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers +# +# protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers. +# # ipv4 / ipv6 IP protocol used to communicate with this helper. # The default is to auto-detect IPv6 and use it when available. # +# # FORMAT specifications # # %LOGIN Authenticated user login name -# %EXT_USER Username from external acl +# %un A user name. Expands to the first available name +# from the following list of information sources: +# - authenticated user name, like %ul or %LOGIN +# - user name sent by an external ACL, like %EXT_USER +# - SSL client name, like %us in logformat +# - ident user name, like %ui in logformat +# %EXT_USER Username from previous external acl +# %EXT_LOG Log details from previous external acl +# %EXT_TAG Tag from previous external acl # %IDENT Ident user name # %SRC Client IP # %SRCPORT Client source port # %URI Requested URI # %DST Requested host -# %PROTO Requested protocol +# %PROTO Requested URL scheme # %PORT Requested port # %PATH Requested URL path # %METHOD Request method @@ -415,7 +555,10 @@ # %USER_CERT SSL User certificate in PEM format # %USER_CERTCHAIN SSL User certificate chain in PEM format # %USER_CERT_xx SSL User certificate subject attribute xx -# %USER_CA_xx SSL User certificate issuer attribute xx +# %USER_CA_CERT_xx SSL User certificate issuer attribute xx +# %ssl::>sni SSL client SNI sent to Squid +# %ssl::{Header} HTTP request header "Header" # %>{Hdr:member} @@ -433,43 +576,101 @@ # list separator. ; can be any non-alphanumeric # character. # +# %ACL The name of the ACL being tested. +# %DATA The ACL arguments. If not used then any arguments +# is automatically added at the end of the line +# sent to the helper. +# NOTE: this will encode the arguments as one token, +# whereas the default will pass each separately. +# # %% The percent sign. Useful for helpers which need # an unchanging input format. # -# In addition to the above, any string specified in the referencing -# acl will also be included in the helper request line, after the -# specified formats (see the "acl external" directive) # -# The helper receives lines per the above format specification, -# and returns lines starting with OK or ERR indicating the validity -# of the request and optionally followed by additional keywords with -# more details. +# General request syntax: +# +# [channel-ID] FORMAT-values [acl-values ...] +# +# +# FORMAT-values consists of transaction details expanded with +# whitespace separation per the config file FORMAT specification +# using the FORMAT macros listed above. +# +# acl-values consists of any string specified in the referencing +# config 'acl ... external' line. see the "acl external" directive. +# +# Request values sent to the helper are URL escaped to protect +# each value in requests against whitespaces. +# +# If using protocol=2.5 then the request sent to the helper is not +# URL escaped to protect against whitespace. +# +# NOTE: protocol=3.0 is deprecated as no longer necessary. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# +# The helper receives lines expanded per the above format specification +# and for each input line returns 1 line starting with OK/ERR/BH result +# code and optionally followed by additional keywords with more details. +# # # General result syntax: # -# OK/ERR keyword=value ... +# [channel-ID] result keyword=value ... +# +# Result consists of one of the codes: +# +# OK +# the ACL test produced a match. +# +# ERR +# the ACL test does not produce a match. +# +# BH +# An internal error occurred in the helper, preventing +# a result being identified. +# +# The meaning of 'a match' is determined by your squid.conf +# access control configuration. See the Squid wiki for details. # # Defined keywords: # # user= The users name (login) +# # password= The users password (for login= cache_peer option) -# message= Message describing the reason. Available as %o -# in error pages -# tag= Apply a tag to a request (for both ERR and OK results) -# Only sets a tag, does not alter existing tags. +# +# message= Message describing the reason for this response. +# Available as %o in error pages. +# Useful on (ERR and BH results). +# +# tag= Apply a tag to a request. Only sets a tag once, +# does not alter existing tags. +# # log= String to be logged in access.log. Available as -# %ea in logformat specifications +# %ea in logformat specifications. # -# If protocol=3.0 (the default) then URL escaping is used to protect -# each value in both requests and responses. +# clt_conn_tag= Associates a TAG with the client TCP connection. +# Please see url_rewrite_program related documentation +# for this kv-pair. # -# If using protocol=2.5 then all values need to be enclosed in quotes -# if they may contain whitespace, or the whitespace escaped using \. -# And quotes or \ characters within the keyword value must be \ escaped. +# Any keywords may be sent on any response whether OK, ERR or BH. # -# When using the concurrency= option the protocol is changed by -# introducing a query channel tag infront of the request/response. -# The query channel tag is a number between 0 and concurrency-1. +# All response keyword values need to be a single token with URL +# escaping, or enclosed in double quotes (") and escaped using \ on +# any double quotes or \ characters within the value. The wrapping +# double quotes are removed before the value is interpreted by Squid. +# \r and \n are also replace by CR and LF. +# +# Some example key values: +# +# user=John%20Smith +# user="John Smith" +# user="J. \"Bob\" Smith" #Default: # none @@ -485,9 +686,23 @@ # # When using "file", the file should contain one item per line. # -# By default, regular expressions are CASE-SENSITIVE. -# To make them case-insensitive, use the -i option. To return case-sensitive -# use the +i option between patterns, or make a new ACL line without -i. +# Some acl types supports options which changes their default behaviour. +# The available options are: +# +# -i,+i By default, regular expressions are CASE-SENSITIVE. To make them +# case-insensitive, use the -i option. To return case-sensitive +# use the +i option between patterns, or make a new ACL line +# without -i. +# +# -n Disable lookups and address type conversions. If lookup or +# conversion is required because the parameter type (IP or +# domain name) does not match the message address type (domain +# name or IP), then the ACL would immediately declare a mismatch +# without any warnings or lookups. +# +# -- Used to stop processing all options, in the case the first acl +# value has '-' character as first character (for example the '-' +# is a valid domain name) # # Some acl types require suspending the current request in order # to access some external data source. @@ -498,29 +713,31 @@ # # ***** ACL TYPES AVAILABLE ***** # -# acl aclname src ip-address/netmask ... # clients IP address [fast] -# acl aclname src addr1-addr2/netmask ... # range of addresses [fast] -# acl aclname dst ip-address/netmask ... # URL host's IP address [slow] -# acl aclname myip ip-address/netmask ... # local socket IP address [fast] +# acl aclname src ip-address/mask ... # clients IP address [fast] +# acl aclname src addr1-addr2/mask ... # range of addresses [fast] +# acl aclname dst [-n] ip-address/mask ... # URL host's IP address [slow] +# acl aclname localip ip-address/mask ... # IP address the client connected to [fast] # # acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation) -# # The arp ACL requires the special configure option --enable-arp-acl. -# # Furthermore, the ARP ACL code is not portable to all operating systems. -# # It works on Linux, Solaris, Windows, FreeBSD, and some -# # other *BSD variants. # # [fast] +# # The 'arp' ACL code is not portable to all operating systems. +# # It works on Linux, Solaris, Windows, FreeBSD, and some other +# # BSD variants. +# # +# # NOTE: Squid can only determine the MAC/EUI address for IPv4 +# # clients that are on the same subnet. If the client is on a +# # different subnet, then Squid cannot find out its address. # # -# # NOTE: Squid can only determine the MAC address for clients that are on -# # the same subnet. If the client is on a different subnet, -# # then Squid cannot find out its MAC address. +# # NOTE 2: IPv6 protocol does not contain ARP. MAC/EUI is either +# # encoded directly in the IPv6 address or not available. # # acl aclname srcdomain .foo.com ... # # reverse lookup, from client IP [slow] -# acl aclname dstdomain .foo.com ... +# acl aclname dstdomain [-n] .foo.com ... # # Destination server from URL [fast] # acl aclname srcdom_regex [-i] \.foo\.com ... # # regex matching client name [slow] -# acl aclname dstdom_regex [-i] \.foo\.com ... +# acl aclname dstdom_regex [-n] [-i] \.foo\.com ... # # regex matching server [fast] # # # # For dstdomain and dstdom_regex a reverse lookup is tried if a IP @@ -557,13 +774,17 @@ # # acl aclname url_regex [-i] ^http:// ... # # regex matching on whole URL [fast] +# acl aclname urllogin [-i] [^a-zA-Z0-9] ... +# # regex matching on URL login field # acl aclname urlpath_regex [-i] \.gif$ ... # # regex matching on URL path [fast] # # acl aclname port 80 70 21 0-1024... # destination TCP port [fast] # # ranges are alloed -# acl aclname myport 3128 ... # local socket TCP port [fast] -# acl aclname myportname 3128 ... # http(s)_port name [fast] +# acl aclname localport 3128 ... # TCP port the client connected to [fast] +# # NP: for interception mode this is usually '80' +# +# acl aclname myportname 3128 ... # *_port name [fast] # # acl aclname proto HTTP FTP ... # request protocol [fast] # @@ -632,6 +853,11 @@ # # clients may appear to come from multiple addresses if they are # # going through proxy farms, so a limit of 1 may cause user problems. # +# acl aclname random probability +# # Pseudo-randomly match requests. Based on the probability given. +# # Probability may be written as a decimal (0.333), fraction (1/3) +# # or ratio of matches:non-matches (3:5). +# # acl aclname req_mime_type [-i] mime-type ... # # regex match against the mime type of the request generated # # by the client. Can be used to detect file upload or some @@ -663,11 +889,11 @@ # # acl aclname user_cert attribute values... # # match against attributes in a user SSL certificate -# # attribute is one of DN/C/O/CN/L/ST [fast] +# # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast] # # acl aclname ca_cert attribute values... # # match against attributes a users issuing CA SSL certificate -# # attribute is one of DN/C/O/CN/L/ST [fast] +# # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast] # # acl aclname ext_user username ... # acl aclname ext_user_regex [-i] pattern ... @@ -675,7 +901,59 @@ # # use REQUIRED to accept any non-null user name. # # acl aclname tag tagvalue ... -# # string match on tag returned by external acl helper [slow] +# # string match on tag returned by external acl helper [fast] +# # DEPRECATED. Only the first tag will match with this ACL. +# # Use the 'note' ACL instead for handling multiple tag values. +# +# acl aclname hier_code codename ... +# # string match against squid hierarchy code(s); [fast] +# # e.g., DIRECT, PARENT_HIT, NONE, etc. +# # +# # NOTE: This has no effect in http_access rules. It only has +# # effect in rules that affect the reply data stream such as +# # http_reply_access. +# +# acl aclname note name [value ...] +# # match transaction annotation [fast] +# # Without values, matches any annotation with a given name. +# # With value(s), matches any annotation with a given name that +# # also has one of the given values. +# # Names and values are compared using a string equality test. +# # Annotation sources include note and adaptation_meta directives +# # as well as helper and eCAP responses. +# +# acl aclname adaptation_service service ... +# # Matches the name of any icap_service, ecap_service, +# # adaptation_service_set, or adaptation_service_chain that Squid +# # has used (or attempted to use) for the master transaction. +# # This ACL must be defined after the corresponding adaptation +# # service is named in squid.conf. This ACL is usable with +# # adaptation_meta because it starts matching immediately after +# # the service has been selected for adaptation. +# +# acl aclname any-of acl1 acl2 ... +# # match any one of the acls [fast or slow] +# # The first matching ACL stops further ACL evaluation. +# # +# # ACLs from multiple any-of lines with the same name are ORed. +# # For example, A = (a1 or a2) or (a3 or a4) can be written as +# # acl A any-of a1 a2 +# # acl A any-of a3 a4 +# # +# # This group ACL is fast if all evaluated ACLs in the group are fast +# # and slow otherwise. +# +# acl aclname all-of acl1 acl2 ... +# # match all of the acls [fast or slow] +# # The first mismatching ACL stops further ACL evaluation. +# # +# # ACLs from multiple all-of lines with the same name are ORed. +# # For example, B = (b1 and b2) or (b3 and b4) can be written as +# # acl B all-of b1 b2 +# # acl B all-of b3 b4 +# # +# # This group ACL is fast if all evaluated ACLs in the group are fast +# # and slow otherwise. # # Examples: # acl macaddress arp 09:00:2b:23:45:67 @@ -685,14 +963,11 @@ # acl javascript rep_mime_type -i ^application/x-javascript$ # #Default: -# acl all src all +# ACLs all, manager, localhost, and to_localhost are predefined. # # # Recommended minimum configuration: -# (now built-in) -#acl manager proto cache_object -#acl localhost src 127.0.0.1/32 ::1 -#acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1 +# # Example rule allowing access from your local networks. # Adapt to list your (internal) IP networks from where browsing @@ -716,39 +991,83 @@ acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT +# TAG: proxy_protocol_access +# Determine which client proxies can be trusted to provide correct +# information regarding real client IP address using PROXY protocol. +# +# Requests may pass through a chain of several other proxies +# before reaching us. The original source details may by sent in: +# * HTTP message Forwarded header, or +# * HTTP message X-Forwarded-For header, or +# * PROXY protocol connection header. +# +# This directive is solely for validating new PROXY protocol +# connections received from a port flagged with require-proxy-header. +# It is checked only once after TCP connection setup. +# +# A deny match results in TCP connection closure. +# +# An allow match is required for Squid to permit the corresponding +# TCP connection, before Squid even looks for HTTP request headers. +# If there is an allow match, Squid starts using PROXY header information +# to determine the source address of the connection for all future ACL +# checks, logging, etc. +# +# SECURITY CONSIDERATIONS: +# +# Any host from which we accept client IP details can place +# incorrect information in the relevant header, and Squid +# will use the incorrect information as if it were the +# source address of the request. This may enable remote +# hosts to bypass any access control restrictions that are +# based on the client's source addresses. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# all TCP connections to ports with require-proxy-header will be denied + # TAG: follow_x_forwarded_for -# Allowing or Denying the X-Forwarded-For header to be followed to -# find the original source of a request. +# Determine which client proxies can be trusted to provide correct +# information regarding real client IP address. # # Requests may pass through a chain of several other proxies -# before reaching us. The X-Forwarded-For header will contain a -# comma-separated list of the IP addresses in the chain, with the -# rightmost address being the most recent. +# before reaching us. The original source details may by sent in: +# * HTTP message Forwarded header, or +# * HTTP message X-Forwarded-For header, or +# * PROXY protocol connection header. +# +# PROXY protocol connections are controlled by the proxy_protocol_access +# directive which is checked before this. # # If a request reaches us from a source that is allowed by this -# configuration item, then we consult the X-Forwarded-For header -# to see where that host received the request from. If the -# X-Forwarded-For header contains multiple addresses, we continue -# backtracking until we reach an address for which we are not allowed -# to follow the X-Forwarded-For header, or until we reach the first -# address in the list. For the purpose of ACL used in the -# follow_x_forwarded_for directive the src ACL type always matches -# the address we are testing and srcdomain matches its rDNS. +# directive, then we trust the information it provides regarding +# the IP of the client it received from (if any). +# +# For the purpose of ACLs used in this directive the src ACL type always +# matches the address we are testing and srcdomain matches its rDNS. +# +# On each HTTP request Squid checks for X-Forwarded-For header fields. +# If found the header values are iterated in reverse order and an allow +# match is required for Squid to continue on to the next value. +# The verification ends when a value receives a deny match, cannot be +# tested, or there are no more values to test. +# NOTE: Squid does not yet follow the Forwarded HTTP header. # # The end result of this process is an IP address that we will # refer to as the indirect client address. This address may # be treated as the client address for access control, ICAP, delay # pools and logging, depending on the acl_uses_indirect_client, -# icap_uses_indirect_client, delay_pool_uses_indirect_client and -# log_uses_indirect_client options. +# icap_uses_indirect_client, delay_pool_uses_indirect_client, +# log_uses_indirect_client and tproxy_uses_indirect_client options. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # # SECURITY CONSIDERATIONS: # -# Any host for which we follow the X-Forwarded-For header -# can place incorrect information in the header, and Squid +# Any host from which we accept client IP details can place +# incorrect information in the relevant header, and Squid # will use the incorrect information as if it were the # source address of the request. This may enable remote # hosts to bypass any access control restrictions that are @@ -761,7 +1080,7 @@ acl CONNECT method CONNECT # follow_x_forwarded_for allow localhost # follow_x_forwarded_for allow my_other_proxy #Default: -# follow_x_forwarded_for deny all +# X-Forwarded-For header will be ignored. # TAG: acl_uses_indirect_client on|off # Controls whether the indirect client address @@ -787,10 +1106,41 @@ acl CONNECT method CONNECT #Default: # log_uses_indirect_client on +# TAG: tproxy_uses_indirect_client on|off +# Controls whether the indirect client address +# (see follow_x_forwarded_for) is used instead of the +# direct client address when spoofing the outgoing client. +# +# This has no effect on requests arriving in non-tproxy +# mode ports. +# +# SECURITY WARNING: Usage of this option is dangerous +# and should not be used trivially. Correct configuration +# of follow_x_forwarded_for with a limited set of trusted +# sources is required to prevent abuse of your proxy. +#Default: +# tproxy_uses_indirect_client off + +# TAG: spoof_client_ip +# Control client IP address spoofing of TPROXY traffic based on +# defined access lists. +# +# spoof_client_ip allow|deny [!]aclname ... +# +# If there are no "spoof_client_ip" lines present, the default +# is to "allow" spoofing of any suitable request. +# +# Note that the cache_peer "no-tproxy" option overrides this ACL. +# +# This clause supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Allow spoofing on all TPROXY traffic. + # TAG: http_access # Allowing or Denying access based on defined access lists # -# Access to the HTTP port: +# To allow or deny a message received on an HTTP, HTTPS, or FTP port: # http_access allow|deny [!]aclname ... # # NOTE on default values: @@ -809,22 +1159,22 @@ acl CONNECT method CONNECT # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # #Default: -# http_access deny all +# Deny, unless rules exist in squid.conf. # # # Recommended minimum Access Permission configuration: # -# Only allow cachemgr access from localhost -http_access allow manager localhost -http_access deny manager - # Deny requests to certain unsafe ports http_access deny !Safe_ports # Deny CONNECT to other than secure SSL ports http_access deny CONNECT !SSL_ports +# Only allow cachemgr access from localhost +http_access allow localhost manager +http_access deny manager + # We strongly recommend the following be uncommented to protect innocent # web applications running on the proxy server who think the only # one who can access services on "localhost" is a local user @@ -852,7 +1202,7 @@ http_access deny all # # If not set then only http_access is used. #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: http_reply_access # Allow replies to client requests. This is complementary to http_access. @@ -860,7 +1210,7 @@ http_access deny all # http_reply_access allow|deny [!] aclname ... # # NOTE: if there are no access lines present, the default is to allow -# all replies +# all replies. # # If none of the access lines cause a match the opposite of the # last line will apply. Thus it is good practice to end the rules @@ -869,7 +1219,7 @@ http_access deny all # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: icp_access # Allowing or Denying access to the ICP port based on defined @@ -877,7 +1227,9 @@ http_access deny all # # icp_access allow|deny [!]aclname ... # -# See http_access for details +# NOTE: The default if no icp_access lines are present is to +# deny all traffic. This default may cause problems with peers +# using ICP. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. @@ -886,7 +1238,7 @@ http_access deny all ##icp_access allow localnet ##icp_access deny all #Default: -# icp_access deny all +# Deny, unless rules exist in squid.conf. # TAG: htcp_access # Allowing or Denying access to the HTCP port based on defined @@ -894,11 +1246,12 @@ http_access deny all # # htcp_access allow|deny [!]aclname ... # -# See http_access for details +# See also htcp_clr_access for details on access control for +# cache purge (CLR) HTCP messages. # # NOTE: The default if no htcp_access lines are present is to # deny all traffic. This default may cause problems with peers -# using the htcp or htcp-oldsquid options. +# using the htcp option. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. @@ -907,48 +1260,47 @@ http_access deny all ##htcp_access allow localnet ##htcp_access deny all #Default: -# htcp_access deny all +# Deny, unless rules exist in squid.conf. # TAG: htcp_clr_access # Allowing or Denying access to purge content using HTCP based -# on defined access lists +# on defined access lists. +# See htcp_access for details on general HTCP access control. # # htcp_clr_access allow|deny [!]aclname ... # -# See http_access for details -# # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # ## Allow HTCP CLR requests from trusted peers -#acl htcp_clr_peer src 172.16.1.2 +#acl htcp_clr_peer src 192.0.2.2 2001:DB8::2 #htcp_clr_access allow htcp_clr_peer +#htcp_clr_access deny all #Default: -# htcp_clr_access deny all +# Deny, unless rules exist in squid.conf. # TAG: miss_access -# Determins whether network access is permitted when satisfying a request. +# Determines whether network access is permitted when satisfying a request. # # For example; # to force your neighbors to use you as a sibling instead of # a parent. # -# acl localclients src 172.16.0.0/16 -# miss_access allow localclients +# acl localclients src 192.0.2.0/24 2001:DB8::a:0/64 # miss_access deny !localclients +# miss_access allow all # # This means only your local clients are allowed to fetch relayed/MISS # replies from the network and all other clients can only fetch cached # objects (HITs). # -# # The default for this setting allows all clients who passed the # http_access rules to relay via this proxy. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# miss_access allow all +# Allow, unless rules exist in squid.conf. # TAG: ident_lookup_access # A list of ACL elements which, if matched, cause an ident @@ -972,7 +1324,7 @@ http_access deny all # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# ident_lookup_access deny all +# Unless rules exist in squid.conf, IDENT is not fetched. # TAG: reply_body_max_size size [acl acl...] # This option specifies the maximum size of a reply body. It can be @@ -1009,23 +1361,22 @@ http_access deny all # reply_body_max_size 10 MB # #Default: -# none +# No limit is applied. # NETWORK OPTIONS # ----------------------------------------------------------------------------- # TAG: http_port -# Usage: port [options] -# hostname:port [options] -# 1.2.3.4:port [options] +# Usage: port [mode] [options] +# hostname:port [mode] [options] +# 1.2.3.4:port [mode] [options] # # The socket addresses where Squid will listen for HTTP client # requests. You may specify multiple socket addresses. # There are three forms: port alone, hostname with port, and # IP address with port. If you specify a hostname or IP # address, Squid binds the socket to that specific -# address. This replaces the old 'tcp_incoming_address' -# option. Most likely, you do not need to bind to a specific +# address. Most likely, you do not need to bind to a specific # address, so you can use the port number alone. # # If you are running Squid in accelerator mode, you @@ -1037,48 +1388,184 @@ http_access deny all # # You may specify multiple socket addresses on multiple lines. # -# Options: +# Modes: # -# intercept Support for IP-Layer interception of -# outgoing requests without browser settings. -# NP: disables authentication and IPv6 on the port. +# intercept Support for IP-Layer NAT interception delivering +# traffic to this Squid port. +# NP: disables authentication on the port. # -# tproxy Support Linux TPROXY for spoofing outgoing -# connections using the client IP address. -# NP: disables authentication and maybe IPv6 on the port. +# tproxy Support Linux TPROXY (or BSD divert-to) with spoofing +# of outgoing connections using the client IP address. +# NP: disables authentication on the port. # -# accel Accelerator mode. Also needs at least one of -# vhost / vport / defaultsite. +# accel Accelerator / reverse proxy mode # -# allow-direct Allow direct forwarding in accelerator mode. Normally -# accelerated requests are denied direct forwarding as if -# never_direct was used. +# ssl-bump For each CONNECT request allowed by ssl_bump ACLs, +# establish secure connection with the client and with +# the server, decrypt HTTPS messages as they pass through +# Squid, and treat them as unencrypted HTTP messages, +# becoming the man-in-the-middle. # -# defaultsite=domainname -# What to use for the Host: header if it is not present -# in a request. Determines what site (not origin server) -# accelerators should consider the default. -# Implies accel. +# The ssl_bump option is required to fully enable +# bumping of CONNECT requests. +# +# Omitting the mode flag causes default forward proxy mode to be used. +# +# +# Accelerator Mode Options: +# +# defaultsite=domainname +# What to use for the Host: header if it is not present +# in a request. Determines what site (not origin server) +# accelerators should consider the default. # -# vhost Accelerator mode using Host header for virtual domain support. -# Also uses the port as specified in Host: header unless -# overridden by the vport option. Implies accel. +# no-vhost Disable using HTTP/1.1 Host header for virtual domain support. +# +# protocol= Protocol to reconstruct accelerated and intercepted +# requests with. Defaults to HTTP/1.1 for http_port and +# HTTPS/1.1 for https_port. +# When an unsupported value is configured Squid will +# produce a FATAL error. +# Values: HTTP or HTTP/1.1, HTTPS or HTTPS/1.1 # # vport Virtual host port support. Using the http_port number -# instead of the port passed on Host: headers. Implies accel. +# instead of the port passed on Host: headers. # # vport=NN Virtual host port support. Using the specified port # number instead of the port passed on Host: headers. -# Implies accel. # -# protocol= Protocol to reconstruct accelerated requests with. -# Defaults to http. +# act-as-origin +# Act as if this Squid is the origin server. +# This currently means generate new Date: and Expires: +# headers on HIT instead of adding Age:. # # ignore-cc Ignore request Cache-Control headers. # -# Warning: This option violates HTTP specifications if +# WARNING: This option violates HTTP specifications if # used in non-accelerator setups. # +# allow-direct Allow direct forwarding in accelerator mode. Normally +# accelerated requests are denied direct forwarding as if +# never_direct was used. +# +# WARNING: this option opens accelerator mode to security +# vulnerabilities usually only affecting in interception +# mode. Make sure to protect forwarding with suitable +# http_access rules when using this. +# +# +# SSL Bump Mode Options: +# In addition to these options ssl-bump requires TLS/SSL options. +# +# generate-host-certificates[=] +# Dynamically create SSL server certificates for the +# destination hosts of bumped CONNECT requests.When +# enabled, the cert and key options are used to sign +# generated certificates. Otherwise generated +# certificate will be selfsigned. +# If there is a CA certificate lifetime of the generated +# certificate equals lifetime of the CA certificate. If +# generated certificate is selfsigned lifetime is three +# years. +# This option is disabled by default. See the ssl-bump +# option above for more information. +# +# dynamic_cert_mem_cache_size=SIZE +# Approximate total RAM size spent on cached generated +# certificates. If set to zero, caching is disabled. +# +# TLS / SSL Options: +# +# cert= Path to SSL certificate (PEM format). +# +# key= Path to SSL private key file (PEM format) +# if not specified, the certificate file is +# assumed to be a combined certificate and +# key file. +# +# version= The version of SSL/TLS supported +# 1 automatic (default) +# 2 SSLv2 only +# 3 SSLv3 only +# 4 TLSv1.0 only +# 5 TLSv1.1 only +# 6 TLSv1.2 only +# +# cipher= Colon separated list of supported ciphers. +# NOTE: some ciphers such as EDH ciphers depend on +# additional settings. If those settings are +# omitted the ciphers may be silently ignored +# by the OpenSSL library. +# +# options= Various SSL implementation options. The most important +# being: +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# SINGLE_DH_USE Always create a new key when using +# temporary/ephemeral DH key exchanges +# NO_TICKET Disables TLS tickets extension +# +# SINGLE_ECDH_USE +# Enable ephemeral ECDH key exchange. +# The adopted curve should be specified +# using the tls-dh option. +# +# ALL Enable various bug workarounds +# suggested as "harmless" by OpenSSL +# Be warned that this reduces SSL/TLS +# strength to some attacks. +# See OpenSSL SSL_CTX_set_options documentation for a +# complete list of options. +# +# clientca= File containing the list of CAs to use when +# requesting a client certificate. +# +# cafile= File containing additional CA certificates to +# use when verifying client certificates. If unset +# clientca will be used. +# +# capath= Directory containing additional CA certificates +# and CRL lists to use when verifying client certificates. +# +# crlfile= File of additional CRL lists to use when verifying +# the client certificate, in addition to CRLs stored in +# the capath. Implies VERIFY_CRL flag below. +# +# tls-dh=[curve:]file +# File containing DH parameters for temporary/ephemeral DH key +# exchanges, optionally prefixed by a curve for ephemeral ECDH +# key exchanges. +# See OpenSSL documentation for details on how to create the +# DH parameter file. Supported curves for ECDH can be listed +# using the "openssl ecparam -list_curves" command. +# WARNING: EDH and EECDH ciphers will be silently disabled if +# this option is not set. +# +# sslflags= Various flags modifying the use of SSL: +# DELAYED_AUTH +# Don't request client certificates +# immediately, but wait until acl processing +# requires a certificate (not yet implemented). +# NO_DEFAULT_CA +# Don't use the default CA lists built in +# to OpenSSL. +# NO_SESSION_REUSE +# Don't allow for session reuse. Each connection +# will result in a new SSL session. +# VERIFY_CRL +# Verify CRL lists when accepting client +# certificates. +# VERIFY_CRL_ALL +# Verify CRL lists for all certificates in the +# client certificate chain. +# +# sslcontext= SSL session ID context identifier. +# +# Other Options: +# # connection-auth[=on|off] # use connection-auth=off to tell Squid to prevent # forwarding Microsoft connection oriented authentication @@ -1100,22 +1587,6 @@ http_access deny all # sporadically hang or never complete requests set # disable-pmtu-discovery option to 'transparent'. # -# ssl-bump Intercept each CONNECT request matching ssl_bump ACL, -# establish secure connection with the client and with -# the server, decrypt HTTP messages as they pass through -# Squid, and treat them as unencrypted HTTP messages, -# becoming the man-in-the-middle. -# -# When this option is enabled, additional options become -# available to specify SSL-related properties of the -# client-side connection: cert, key, version, cipher, -# options, clientca, cafile, capath, crlfile, dhparams, -# sslflags, and sslcontext. See the https_port directive -# for more information on these options. -# -# The ssl_bump option is required to fully enable -# the SslBump feature. -# # name= Specifies a internal name for the port. Defaults to # the port specification (port or addr:port) # @@ -1125,6 +1596,11 @@ http_access deny all # probing the connection, interval how often to probe, and # timeout the time before giving up. # +# require-proxy-header +# Require PROXY protocol version 1 or 2 connections. +# The proxy_protocol_access is required to whitelist +# downstream proxies which can be trusted. +# # If you run Squid on a dual-homed machine with an internal # and an external interface we recommend you to specify the # internal address:port in http_port. This way Squid will only be @@ -1137,35 +1613,49 @@ http_port 3128 # TAG: https_port # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # -# Usage: [ip:]port cert=certificate.pem [key=key.pem] [options...] +# Usage: [ip:]port cert=certificate.pem [key=key.pem] [mode] [options...] # -# The socket address where Squid will listen for HTTPS client -# requests. +# The socket address where Squid will listen for client requests made +# over TLS or SSL connections. Commonly referred to as HTTPS. # -# This is really only useful for situations where you are running -# squid in accelerator mode and you want to do the SSL work at the -# accelerator level. +# This is most useful for situations where you are running squid in +# accelerator mode and you want to do the SSL work at the accelerator level. # # You may specify multiple socket addresses on multiple lines, # each with their own SSL certificate and/or options. # -# Options: +# Modes: +# +# accel Accelerator / reverse proxy mode +# +# intercept Support for IP-Layer interception of +# outgoing requests without browser settings. +# NP: disables authentication and IPv6 on the port. +# +# tproxy Support Linux TPROXY for spoofing outgoing +# connections using the client IP address. +# NP: disables authentication and maybe IPv6 on the port. +# +# ssl-bump For each intercepted connection allowed by ssl_bump +# ACLs, establish a secure connection with the client and with +# the server, decrypt HTTPS messages as they pass through +# Squid, and treat them as unencrypted HTTP messages, +# becoming the man-in-the-middle. +# +# An "ssl_bump server-first" match is required to +# fully enable bumping of intercepted SSL connections. +# +# Requires tproxy or intercept. # -# accel Accelerator mode. Also needs at least one of -# defaultsite or vhost. +# Omitting the mode flag causes default forward proxy mode to be used. # -# defaultsite= The name of the https site presented on -# this port. Implies accel. # -# vhost Accelerator mode using Host header for virtual -# domain support. Requires a wildcard certificate -# or other certificate valid for more than one domain. -# Implies accel. +# See http_port for a list of generic options # -# protocol= Protocol to reconstruct accelerated requests with. -# Defaults to https. +# +# SSL Options: # # cert= Path to SSL certificate (PEM format). # @@ -1181,20 +1671,23 @@ http_port 3128 # 4 TLSv1 only # # cipher= Colon separated list of supported ciphers. -# NOTE: some ciphers such as EDH ciphers depend on -# additional settings. If those settings are -# omitted the ciphers may be silently ignored -# by the OpenSSL library. # # options= Various SSL engine options. The most important # being: # NO_SSLv2 Disallow the use of SSLv2 # NO_SSLv3 Disallow the use of SSLv3 # NO_TLSv1 Disallow the use of TLSv1 +# # SINGLE_DH_USE Always create a new key when using # temporary/ephemeral DH key exchanges -# See OpenSSL SSL_CTX_set_options documentation for a -# complete list of options. +# +# SINGLE_ECDH_USE +# Enable ephemeral ECDH key exchange. +# The adopted curve should be specified +# using the tls-dh option. +# +# See src/ssl_support.c or OpenSSL SSL_CTX_set_options +# documentation for a complete list of options. # # clientca= File containing the list of CAs to use when # requesting a client certificate. @@ -1210,11 +1703,10 @@ http_port 3128 # the client certificate, in addition to CRLs stored in # the capath. Implies VERIFY_CRL flag below. # -# dhparams= File containing DH parameters for temporary/ephemeral -# DH key exchanges. See OpenSSL documentation for details -# on how to create this file. -# WARNING: EDH ciphers will be silently disabled if this -# option is not set. +# tls-dh=[curve:]file +# File containing DH parameters for temporary/ephemeral DH key +# exchanges, optionally prefixed by a curve for ephemeral ECDH +# key exchanges. # # sslflags= Various flags modifying the use of SSL: # DELAYED_AUTH @@ -1238,38 +1730,89 @@ http_port 3128 # # generate-host-certificates[=] # Dynamically create SSL server certificates for the -# destination hosts of bumped CONNECT requests.When +# destination hosts of bumped SSL requests.When # enabled, the cert and key options are used to sign # generated certificates. Otherwise generated # certificate will be selfsigned. -# If there is CA certificate life time of generated +# If there is CA certificate life time of generated # certificate equals lifetime of CA certificate. If -# generated certificate is selfsigned lifetime is three +# generated certificate is selfsigned lifetime is three # years. -# This option is enabled by default when SslBump is used. -# See the sslBump option above for more information. -# +# This option is disabled by default. See the ssl-bump +# option above for more information. +# # dynamic_cert_mem_cache_size=SIZE # Approximate total RAM size spent on cached generated -# certificates. If set to zero, caching is disabled. The -# default value is 4MB. An average XXX-bit certificate -# consumes about XXX bytes of RAM. +# certificates. If set to zero, caching is disabled. # -# vport Accelerator with IP based virtual host support. +# See http_port for a list of available options. +#Default: +# none + +# TAG: ftp_port +# Enables Native FTP proxy by specifying the socket address where Squid +# listens for FTP client requests. See http_port directive for various +# ways to specify the listening address and mode. # -# vport=NN As above, but uses specified port number rather -# than the https_port number. Implies accel. +# Usage: ftp_port address [mode] [options] # -# name= Specifies a internal name for the port. Defaults to -# the port specification (port or addr:port) +# WARNING: This is a new, experimental, complex feature that has seen +# limited production exposure. Some Squid modules (e.g., caching) do not +# currently work with native FTP proxying, and many features have not +# even been tested for compatibility. Test well before deploying! +# +# Native FTP proxying differs substantially from proxying HTTP requests +# with ftp:// URIs because Squid works as an FTP server and receives +# actual FTP commands (rather than HTTP requests with FTP URLs). # +# Native FTP commands accepted at ftp_port are internally converted or +# wrapped into HTTP-like messages. The same happens to Native FTP +# responses received from FTP origin servers. Those HTTP-like messages +# are shoveled through regular access control and adaptation layers +# between the FTP client and the FTP origin server. This allows Squid to +# examine, adapt, block, and log FTP exchanges. Squid reuses most HTTP +# mechanisms when shoveling wrapped FTP messages. For example, +# http_access and adaptation_access directives are used. +# +# Modes: +# +# intercept Same as http_port intercept. The FTP origin address is +# determined based on the intended destination of the +# intercepted connection. +# +# tproxy Support Linux TPROXY for spoofing outgoing +# connections using the client IP address. +# NP: disables authentication and maybe IPv6 on the port. +# +# By default (i.e., without an explicit mode option), Squid extracts the +# FTP origin address from the login@origin parameter of the FTP USER +# command. Many popular FTP clients support such native FTP proxying. +# +# Options: +# +# name=token Specifies an internal name for the port. Defaults to +# the port address. Usable with myportname ACL. +# +# ftp-track-dirs +# Enables tracking of FTP directories by injecting extra +# PWD commands and adjusting Request-URI (in wrapping +# HTTP requests) to reflect the current FTP server +# directory. Tracking is disabled by default. +# +# protocol=FTP Protocol to reconstruct accelerated and intercepted +# requests with. Defaults to FTP. No other accepted +# values have been tested with. An unsupported value +# results in a FATAL error. Accepted values are FTP, +# HTTP (or HTTP/1.1), and HTTPS (or HTTPS/1.1). +# +# Other http_port modes and options that are not specific to HTTP and +# HTTPS may also work. #Default: # none # TAG: tcp_outgoing_tos -# Allows you to select a TOS/Diffserv value to mark outgoing -# connections with, based on the username or source address -# making the request. +# Allows you to select a TOS/Diffserv value for packets outgoing +# on the server side, based on an ACL. # # tcp_outgoing_tos ds-field [!]aclname ... # @@ -1286,41 +1829,116 @@ http_port 3128 # RFC2475, and RFC3260. # # The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or -# "default" to use whatever default your host has. Note that in -# practice often only multiples of 4 is usable as the two rightmost bits -# have been redefined for use by ECN (RFC 3168 section 23.1). +# "default" to use whatever default your host has. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. # # Processing proceeds in the order specified, and stops at first fully # matching line. # -# Note: The use of this directive using client dependent ACLs is -# incompatible with the use of server side persistent connections. To -# ensure correct results it is best to set server_persistent_connections -# to off when using this directive in such configurations. +# Only fast ACLs are supported. #Default: # none # TAG: clientside_tos -# Allows you to select a TOS/Diffserv value to mark client-side -# connections with, based on the username or source address -# making the request. +# Allows you to select a TOS/DSCP value for packets being transmitted +# on the client-side, based on an ACL. +# +# clientside_tos ds-field [!]aclname ... +# +# Example where normal_service_net uses the TOS value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# clientside_tos 0x00 normal_service_net +# clientside_tos 0x20 good_service_net +# +# Note: This feature is incompatible with qos_flows. Any TOS values set here +# will be overwritten by TOS values in qos_flows. +# +# The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or +# "default" to use whatever default your host has. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. +# +#Default: +# none + +# TAG: tcp_outgoing_mark +# Note: This option is only available if Squid is rebuilt with the +# Packet MARK (Linux) +# +# Allows you to apply a Netfilter mark value to outgoing packets +# on the server side, based on an ACL. +# +# tcp_outgoing_mark mark-value [!]aclname ... +# +# Example where normal_service_net uses the mark value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# tcp_outgoing_mark 0x00 normal_service_net +# tcp_outgoing_mark 0x20 good_service_net +# +# Only fast ACLs are supported. +#Default: +# none + +# TAG: clientside_mark +# Note: This option is only available if Squid is rebuilt with the +# Packet MARK (Linux) +# +# Allows you to apply a Netfilter mark value to packets being transmitted +# on the client-side, based on an ACL. +# +# clientside_mark mark-value [!]aclname ... +# +# Example where normal_service_net uses the mark value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# clientside_mark 0x00 normal_service_net +# clientside_mark 0x20 good_service_net +# +# Note: This feature is incompatible with qos_flows. Any mark values set here +# will be overwritten by mark values in qos_flows. #Default: # none # TAG: qos_flows # Allows you to select a TOS/DSCP value to mark outgoing -# connections with, based on where the reply was sourced. +# connections to the client, based on where the reply was sourced. +# For platforms using netfilter, allows you to set a netfilter mark +# value instead of, or in addition to, a TOS value. +# +# By default this functionality is disabled. To enable it with the default +# settings simply use "qos_flows mark" or "qos_flows tos". Default +# settings will result in the netfilter mark or TOS value being copied +# from the upstream connection to the client. Note that it is the connection +# CONNMARK value not the packet MARK value that is copied. +# +# It is not currently possible to copy the mark or TOS value from the +# client to the upstream connection request. # # TOS values really only have local significance - so you should # know what you're specifying. For more information, see RFC2474, # RFC2475, and RFC3260. # -# The TOS/DSCP byte must be exactly that - octet value 0x00-0xFF. -# Note that in practice often only values up to 0x3F are usable -# as the two highest bits have been redefined for use by ECN -# (RFC3168). +# The TOS/DSCP byte must be exactly that - a octet value 0 - 255. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. +# +# Mark values can be any unsigned 32-bit integer value. # -# This setting is configured by setting the source TOS values: +# This setting is configured by setting the following values: +# +# tos|mark Whether to set TOS or netfilter mark values # # local-hit=0xFF Value to mark local cache hits. # @@ -1328,23 +1946,37 @@ http_port 3128 # # parent-hit=0xFF Value to mark hits from parent peers. # +# miss=0xFF[/mask] Value to mark cache misses. Takes precedence +# over the preserve-miss feature (see below), unless +# mask is specified, in which case only the bits +# specified in the mask are written. # -# NOTE: 'miss' preserve feature is only possible on Linux at this time. -# -# For the following to work correctly, you will need to patch your -# linux kernel with the TOS preserving ZPH patch. -# The kernel patch can be downloaded from http://zph.bratcheda.org +# The TOS variant of the following features are only possible on Linux +# and require your kernel to be patched with the TOS preserving ZPH +# patch, available from http://zph.bratcheda.org +# No patch is needed to preserve the netfilter mark, which will work +# with all variants of netfilter. # # disable-preserve-miss -# By default, the existing TOS value of the response coming -# from the remote server will be retained and masked with -# miss-mark. This option disables that feature. +# This option disables the preservation of the TOS or netfilter +# mark. By default, the existing TOS or netfilter mark value of +# the response coming from the remote server will be retained +# and masked with miss-mark. +# NOTE: in the case of a netfilter mark, the mark must be set on +# the connection (using the CONNMARK target) not on the packet +# (MARK target). # # miss-mask=0xFF -# Allows you to mask certain bits in the TOS received from the -# remote server, before copying the value to the TOS sent -# towards clients. -# Default: 0xFF (TOS from server is not changed). +# Allows you to mask certain bits in the TOS or mark value +# received from the remote server, before copying the value to +# the TOS sent towards clients. +# Default for tos: 0xFF (TOS from server is not changed). +# Default for mark: 0xFFFFFFFF (mark from server is not changed). +# +# All of these features require the --enable-zph-qos compilation flag +# (enabled by default). Netfilter marking also requires the +# libnetfilter_conntrack libraries (--with-netfilter-conntrack) and +# libcap 2.09+ (--with-libcap). # #Default: # none @@ -1356,72 +1988,133 @@ http_port 3128 # # tcp_outgoing_address ipaddr [[!]aclname] ... # -# Example where requests from 10.0.0.0/24 will be forwarded -# with source address 10.1.0.1, 10.0.2.0/24 forwarded with -# source address 10.1.0.2 and the rest will be forwarded with -# source address 10.1.0.3. -# -# acl normal_service_net src 10.0.0.0/24 -# acl good_service_net src 10.0.2.0/24 -# tcp_outgoing_address 10.1.0.1 normal_service_net -# tcp_outgoing_address 10.1.0.2 good_service_net -# tcp_outgoing_address 10.1.0.3 -# -# Processing proceeds in the order specified, and stops at first fully -# matching line. -# -# Note: The use of this directive using client dependent ACLs is -# incompatible with the use of server side persistent connections. To -# ensure correct results it is best to set server_persistent_connections -# to off when using this directive in such configurations. -# +# For example; +# Forwarding clients with dedicated IPs for certain subnets. # -# IPv6 Magic: +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.2.0/24 # -# Squid is built with a capability of bridging the IPv4 and IPv6 -# internets. -# tcp_outgoing_address as exampled above breaks this bridging by forcing -# all outbound traffic through a certain IPv4 which may be on the wrong -# side of the IPv4/IPv6 boundary. +# tcp_outgoing_address 2001:db8::c001 good_service_net +# tcp_outgoing_address 10.1.0.2 good_service_net # -# To operate with tcp_outgoing_address and keep the bridging benefits -# an additional ACL needs to be used which ensures the IPv6-bound traffic -# is never forced or permitted out the IPv4 interface. +# tcp_outgoing_address 2001:db8::beef normal_service_net +# tcp_outgoing_address 10.1.0.1 normal_service_net # -# # IPv6 destination test along with a dummy access control to perform the required DNS -# # This MUST be place before any ALLOW rules. -# acl to_ipv6 dst ipv6 -# http_access deny ipv6 !all +# tcp_outgoing_address 2001:db8::1 +# tcp_outgoing_address 10.1.0.3 # -# tcp_outgoing_address 2001:db8::c001 good_service_net to_ipv6 -# tcp_outgoing_address 10.1.0.2 good_service_net !to_ipv6 +# Processing proceeds in the order specified, and stops at first fully +# matching line. # -# tcp_outgoing_address 2001:db8::beef normal_service_net to_ipv6 -# tcp_outgoing_address 10.1.0.1 normal_service_net !to_ipv6 +# Squid will add an implicit IP version test to each line. +# Requests going to IPv4 websites will use the outgoing 10.1.0.* addresses. +# Requests going to IPv6 websites will use the outgoing 2001:db8:* addresses. # -# tcp_outgoing_address 2001:db8::1 to_ipv6 -# tcp_outgoing_address 10.1.0.3 !to_ipv6 # -# WARNING: -# 'dst ipv6' bases its selection assuming DIRECT access. -# If peers are used the peername ACL are needed to select outgoing -# address which can link to the peer. +# NOTE: The use of this directive using client dependent ACLs is +# incompatible with the use of server side persistent connections. To +# ensure correct results it is best to set server_persistent_connections +# to off when using this directive in such configurations. # -# 'dst ipv6' is a slow ACL. It will only work here if 'dst' is used -# previously in the http_access rules to locate the destination IP. -# Some more magic may be needed for that: -# http_access allow to_ipv6 !all -# (meaning, allow if to IPv6 but not from anywhere ;) +# NOTE: The use of this directive to set a local IP on outgoing TCP links +# is incompatible with using TPROXY to set client IP out outbound TCP links. +# When needing to contact peers use the no-tproxy cache_peer option and the +# client_dst_passthru directive re-enable normal forwarding such as this. # #Default: -# none +# Address selection is performed by the operating system. + +# TAG: host_verify_strict +# Regardless of this option setting, when dealing with intercepted +# traffic, Squid always verifies that the destination IP address matches +# the Host header domain or IP (called 'authority form URL'). +# +# This enforcement is performed to satisfy a MUST-level requirement in +# RFC 2616 section 14.23: "The Host field value MUST represent the naming +# authority of the origin server or gateway given by the original URL". +# +# When set to ON: +# Squid always responds with an HTTP 409 (Conflict) error +# page and logs a security warning if there is no match. +# +# Squid verifies that the destination IP address matches +# the Host header for forward-proxy and reverse-proxy traffic +# as well. For those traffic types, Squid also enables the +# following checks, comparing the corresponding Host header +# and Request-URI components: +# +# * The host names (domain or IP) must be identical, +# but valueless or missing Host header disables all checks. +# For the two host names to match, both must be either IP +# or FQDN. +# +# * Port numbers must be identical, but if a port is missing +# the scheme-default port is assumed. +# +# +# When set to OFF (the default): +# Squid allows suspicious requests to continue but logs a +# security warning and blocks caching of the response. +# +# * Forward-proxy traffic is not checked at all. +# +# * Reverse-proxy traffic is not checked at all. +# +# * Intercepted traffic which passes verification is handled +# according to client_dst_passthru. +# +# * Intercepted requests which fail verification are sent +# to the client original destination instead of DIRECT. +# This overrides 'client_dst_passthru off'. +# +# For now suspicious intercepted CONNECT requests are always +# responded to with an HTTP 409 (Conflict) error page. +# +# +# SECURITY NOTE: +# +# As described in CVE-2009-0801 when the Host: header alone is used +# to determine the destination of a request it becomes trivial for +# malicious scripts on remote websites to bypass browser same-origin +# security policy and sandboxing protections. +# +# The cause of this is that such applets are allowed to perform their +# own HTTP stack, in which case the same-origin policy of the browser +# sandbox only verifies that the applet tries to contact the same IP +# as from where it was loaded at the IP level. The Host: header may +# be different from the connected IP and approved origin. +# +#Default: +# host_verify_strict off + +# TAG: client_dst_passthru +# With NAT or TPROXY intercepted traffic Squid may pass the request +# directly to the original client destination IP or seek a faster +# source using the HTTP Host header. +# +# Using Host to locate alternative servers can provide faster +# connectivity with a range of failure recovery options. +# But can also lead to connectivity trouble when the client and +# server are attempting stateful interactions unaware of the proxy. +# +# This option (on by default) prevents alternative DNS entries being +# located to send intercepted traffic DIRECT to an origin server. +# The clients original destination IP and port will be used instead. +# +# Regardless of this option setting, when dealing with intercepted +# traffic Squid will verify the Host: header and any traffic which +# fails Host verification will be treated as if this option were ON. +# +# see host_verify_strict for details on the verification process. +#Default: +# client_dst_passthru on # SSL OPTIONS # ----------------------------------------------------------------------------- # TAG: ssl_unclean_shutdown # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Some browsers (especially MSIE) bugs out on SSL shutdown # messages. @@ -1430,7 +2123,7 @@ http_port 3128 # TAG: ssl_engine # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # The OpenSSL engine to use. You will need to set this if you # would like to use hardware SSL acceleration for example. @@ -1439,7 +2132,7 @@ http_port 3128 # TAG: sslproxy_client_certificate # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Client SSL Certificate to use when proxying https:// URLs #Default: @@ -1447,7 +2140,7 @@ http_port 3128 # TAG: sslproxy_client_key # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Client SSL Key to use when proxying https:// URLs #Default: @@ -1455,36 +2148,60 @@ http_port 3128 # TAG: sslproxy_version # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # SSL version level to use when proxying https:// URLs +# +# The versions of SSL/TLS supported: +# +# 1 automatic (default) +# 2 SSLv2 only +# 3 SSLv3 only +# 4 TLSv1.0 only +# 5 TLSv1.1 only +# 6 TLSv1.2 only #Default: -# sslproxy_version 1 +# automatic SSL/TLS version negotiation # TAG: sslproxy_options # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # -# SSL engine options to use when proxying https:// URLs +# Colon (:) or comma (,) separated list of SSL implementation options +# to use when proxying https:// URLs # # The most important being: # -# NO_SSLv2 Disallow the use of SSLv2 -# NO_SSLv3 Disallow the use of SSLv3 -# NO_TLSv1 Disallow the use of TLSv1 -# SINGLE_DH_USE -# Always create a new key when using -# temporary/ephemeral DH key exchanges +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# +# SINGLE_DH_USE +# Always create a new key when using temporary/ephemeral +# DH key exchanges +# +# NO_TICKET +# Disable use of RFC5077 session tickets. Some servers +# may have problems understanding the TLS extension due +# to ambiguous specification in RFC4507. +# +# ALL Enable various bug workarounds suggested as "harmless" +# by OpenSSL. Be warned that this may reduce SSL/TLS +# strength to some attacks. # -# These options vary depending on your SSL engine. # See the OpenSSL SSL_CTX_set_options documentation for a # complete list of possible options. +# +# WARNING: This directive takes a single token. If a space is used +# the value(s) after that space are SILENTLY IGNORED. #Default: # none # TAG: sslproxy_cipher # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # SSL cipher list to use when proxying https:// URLs # @@ -1494,7 +2211,7 @@ http_port 3128 # TAG: sslproxy_cafile # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # file containing CA certificates to use when verifying server # certificates while proxying https:// URLs @@ -1503,45 +2220,151 @@ http_port 3128 # TAG: sslproxy_capath # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # directory containing CA certificates to use when verifying # server certificates while proxying https:// URLs #Default: # none -# TAG: ssl_bump +# TAG: sslproxy_session_ttl +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the timeout value for SSL sessions +#Default: +# sslproxy_session_ttl 300 + +# TAG: sslproxy_session_cache_size +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the cache size to use for ssl session +#Default: +# sslproxy_session_cache_size 2 MB + +# TAG: sslproxy_foreign_intermediate_certs # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # -# This ACL controls which CONNECT requests to an http_port -# marked with an sslBump flag are actually "bumped". Please -# see the sslBump flag of an http_port option for more details -# about decoding proxied SSL connections. +# Many origin servers fail to send their full server certificate +# chain for verification, assuming the client already has or can +# easily locate any missing intermediate certificates. # -# By default, no requests are bumped. +# Squid uses the certificates from the specified file to fill in +# these missing chains when trying to validate origin server +# certificate chains. +# +# The file is expected to contain zero or more PEM-encoded +# intermediate certificates. These certificates are not treated +# as trusted root certificates, and any self-signed certificate in +# this file will be ignored. +#Default: +# none + +# TAG: sslproxy_cert_sign_hash +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the hashing algorithm to use when signing generated certificates. +# Valid algorithm names depend on the OpenSSL library used. The following +# names are usually available: sha1, sha256, sha512, and md5. Please see +# your OpenSSL library manual for the available hashes. By default, Squids +# that support this option use sha256 hashes. +# +# Squid does not forcefully purge cached certificates that were generated +# with an algorithm other than the currently configured one. They remain +# in the cache, subject to the regular cache eviction policy, and become +# useful if the algorithm changes again. +#Default: +# none + +# TAG: ssl_bump +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# This option is consulted when a CONNECT request is received on +# an http_port (or a new connection is intercepted at an +# https_port), provided that port was configured with an ssl-bump +# flag. The subsequent data on the connection is either treated as +# HTTPS and decrypted OR tunneled at TCP level without decryption, +# depending on the first matching bumping "action". +# +# ssl_bump [!]acl ... +# +# The following bumping actions are currently supported: +# +# splice +# Become a TCP tunnel without decrypting proxied traffic. +# This is the default action. +# +# bump +# Establish a secure connection with the server and, using a +# mimicked server certificate, with the client. +# +# peek +# Receive client (step SslBump1) or server (step SslBump2) +# certificate while preserving the possibility of splicing the +# connection. Peeking at the server certificate (during step 2) +# usually precludes bumping of the connection at step 3. +# +# stare +# Receive client (step SslBump1) or server (step SslBump2) +# certificate while preserving the possibility of bumping the +# connection. Staring at the server certificate (during step 2) +# usually precludes splicing of the connection at step 3. +# +# terminate +# Close client and server connections. +# +# Backward compatibility actions available at step SslBump1: +# +# client-first +# Bump the connection. Establish a secure connection with the +# client first, then connect to the server. This old mode does +# not allow Squid to mimic server SSL certificate and does not +# work with intercepted SSL connections. +# +# server-first +# Bump the connection. Establish a secure connection with the +# server first, then establish a secure connection with the +# client, using a mimicked server certificate. Works with both +# CONNECT requests and intercepted SSL connections, but does +# not allow to make decisions based on SSL handshake info. +# +# peek-and-splice +# Decide whether to bump or splice the connection based on +# client-to-squid and server-to-squid SSL hello messages. +# XXX: Remove. +# +# none +# Same as the "splice" action. +# +# All ssl_bump rules are evaluated at each of the supported bumping +# steps. Rules with actions that are impossible at the current step are +# ignored. The first matching ssl_bump action wins and is applied at the +# end of the current step. If no rules match, the splice action is used. +# See the at_step ACL for a list of the supported SslBump steps. # -# See also: http_port ssl-bump -# # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # +# See also: http_port ssl-bump, https_port ssl-bump, and acl at_step. +# # -# # Example: Bump all requests except those originating from localhost and -# # those going to webax.com or example.com sites. +# # Example: Bump all TLS connections except those originating from +# # localhost or those going to example.com. # -# acl localhost src 127.0.0.1/32 -# acl broken_sites dstdomain .webax.com -# acl broken_sites dstdomain .example.com -# ssl_bump deny localhost -# ssl_bump deny broken_sites -# ssl_bump allow all +# acl broken_sites ssl::server_name .example.com +# ssl_bump splice localhost +# ssl_bump splice broken_sites +# ssl_bump bump all #Default: -# none +# Become a TCP tunnel without decrypting proxied traffic. # TAG: sslproxy_flags # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Various flags modifying the use of SSL while proxying https:// URLs: # DONT_VERIFY_PEER Accept certificates that fail verification. @@ -1553,16 +2376,16 @@ http_port 3128 # TAG: sslproxy_cert_error # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Use this ACL to bypass server certificate validation errors. # # For example, the following lines will bypass all validation errors -# when talking to servers located at 172.16.0.0/16. All other +# when talking to servers for example.com. All other # validation errors will result in ERR_SECURE_CONNECT_FAIL error. # -# acl BrokenServersAtTrustedIP dst 172.16.0.0/16 -# sslproxy_cert_error allow BrokenServersAtTrustedIP +# acl BrokenButTrustedServers dstdomain example.com +# sslproxy_cert_error allow BrokenButTrustedServers # sslproxy_cert_error deny all # # This clause only supports fast acl types. @@ -1570,19 +2393,107 @@ http_port 3128 # Using slow acl types may result in server crashes # # Without this option, all server certificate validation errors -# terminate the transaction. Bypassing validation errors is dangerous -# because an error usually implies that the server cannot be trusted and -# the connection may be insecure. +# terminate the transaction to protect Squid and the client. +# +# SQUID_X509_V_ERR_INFINITE_VALIDATION error cannot be bypassed +# but should not happen unless your OpenSSL library is buggy. +# +# SECURITY WARNING: +# Bypassing validation errors is dangerous because an +# error usually implies that the server cannot be trusted +# and the connection may be insecure. # # See also: sslproxy_flags and DONT_VERIFY_PEER. +#Default: +# Server certificate errors terminate the transaction. + +# TAG: sslproxy_cert_sign +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# # -# Default setting: sslproxy_cert_error deny all +# sslproxy_cert_sign acl ... +# +# The following certificate signing algorithms are supported: +# +# signTrusted +# Sign using the configured CA certificate which is usually +# placed in and trusted by end-user browsers. This is the +# default for trusted origin server certificates. +# +# signUntrusted +# Sign to guarantee an X509_V_ERR_CERT_UNTRUSTED browser error. +# This is the default for untrusted origin server certificates +# that are not self-signed (see ssl::certUntrusted). +# +# signSelf +# Sign using a self-signed certificate with the right CN to +# generate a X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT error in the +# browser. This is the default for self-signed origin server +# certificates (see ssl::certSelfSigned). +# +# This clause only supports fast acl types. +# +# When sslproxy_cert_sign acl(s) match, Squid uses the corresponding +# signing algorithm to generate the certificate and ignores all +# subsequent sslproxy_cert_sign options (the first match wins). If no +# acl(s) match, the default signing algorithm is determined by errors +# detected when obtaining and validating the origin server certificate. +# +# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can +# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a +# CONNECT request that carries a domain name. In all other cases (CONNECT +# to an IP address or an intercepted SSL connection), Squid cannot detect +# the domain mismatch at certificate generation time when +# bump-server-first is used. +#Default: +# none + +# TAG: sslproxy_cert_adapt +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# +# sslproxy_cert_adapt acl ... +# +# The following certificate adaptation algorithms are supported: +# +# setValidAfter +# Sets the "Not After" property to the "Not After" property of +# the CA certificate used to sign generated certificates. +# +# setValidBefore +# Sets the "Not Before" property to the "Not Before" property of +# the CA certificate used to sign generated certificates. +# +# setCommonName or setCommonName{CN} +# Sets Subject.CN property to the host name specified as a +# CN parameter or, if no explicit CN parameter was specified, +# extracted from the CONNECT request. It is a misconfiguration +# to use setCommonName without an explicit parameter for +# intercepted or tproxied SSL connections. +# +# This clause only supports fast acl types. +# +# Squid first groups sslproxy_cert_adapt options by adaptation algorithm. +# Within a group, when sslproxy_cert_adapt acl(s) match, Squid uses the +# corresponding adaptation algorithm to generate the certificate and +# ignores all subsequent sslproxy_cert_adapt options in that algorithm's +# group (i.e., the first match wins within each algorithm group). If no +# acl(s) match, the default mimicking action takes place. +# +# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can +# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a +# CONNECT request that carries a domain name. In all other cases (CONNECT +# to an IP address or an intercepted SSL connection), Squid cannot detect +# the domain mismatch at certificate generation time when +# bump-server-first is used. #Default: # none # TAG: sslpassword_program # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Specify a program used for entering SSL key passphrases # when using encrypted SSL certificate keys. If not specified @@ -1595,12 +2506,12 @@ http_port 3128 #Default: # none -#OPTIONS RELATING TO EXTERNAL SSL_CRTD -#----------------------------------------------------------------------------- +# OPTIONS RELATING TO EXTERNAL SSL_CRTD +# ----------------------------------------------------------------------------- # TAG: sslcrtd_program # Note: This option is only available if Squid is rebuilt with the -# -DUSE_SSL_CRTD define +# --enable-ssl-crtd # # Specify the location and options of the executable for ssl_crtd process. # /usr/lib/squid/ssl_crtd program requires -s and -M parameters @@ -1611,14 +2522,90 @@ http_port 3128 # TAG: sslcrtd_children # Note: This option is only available if Squid is rebuilt with the -# -DUSE_SSL_CRTD define +# --enable-ssl-crtd # # The maximum number of processes spawn to service ssl server. # The maximum this may be safely set to is 32. # +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup=N +# +# Sets the minimum number of processes to spawn when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few children temporary slows Squid under load while it +# tries to spawn enough additional processes to cope with traffic. +# +# idle=N +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# # You must have at least one ssl_crtd process. #Default: -# sslcrtd_children 5 +# sslcrtd_children 32 startup=5 idle=1 + +# TAG: sslcrtvalidator_program +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Specify the location and options of the executable for ssl_crt_validator +# process. +# +# Usage: sslcrtvalidator_program [ttl=n] [cache=n] path ... +# +# Options: +# ttl=n TTL in seconds for cached results. The default is 60 secs +# cache=n limit the result cache size. The default value is 2048 +#Default: +# none + +# TAG: sslcrtvalidator_children +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# The maximum number of processes spawn to service SSL server. +# The maximum this may be safely set to is 32. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup=N +# +# Sets the minimum number of processes to spawn when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few children temporary slows Squid under load while it +# tries to spawn enough additional processes to cope with traffic. +# +# idle=N +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# +# The number of requests each certificate validator helper can handle in +# parallel. A value of 0 indicates the certficate validator does not +# support concurrency. Defaults to 1. +# +# When this directive is set to a value >= 1 then the protocol +# used to communicate with the helper is modified to include +# a request ID in front of the request/response. The request +# ID from the request must be echoed back with the response +# to that request. +# +# You must have at least one ssl_crt_validator process. +#Default: +# sslcrtvalidator_children 32 startup=5 idle=1 concurrency=1 # OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM # ----------------------------------------------------------------------------- @@ -1680,22 +2667,23 @@ http_port 3128 # # htcp Send HTCP, instead of ICP, queries to the neighbor. # You probably also want to set the "icp-port" to 4827 -# instead of 3130. +# instead of 3130. This directive accepts a comma separated +# list of options described below. # -# htcp-oldsquid Send HTCP to old Squid versions. +# htcp=oldsquid Send HTCP to old Squid versions (2.5 or earlier). # -# htcp-no-clr Send HTCP to the neighbor but without +# htcp=no-clr Send HTCP to the neighbor but without # sending any CLR requests. This cannot be used with -# htcp-only-clr. +# only-clr. # -# htcp-only-clr Send HTCP to the neighbor but ONLY CLR requests. -# This cannot be used with htcp-no-clr. +# htcp=only-clr Send HTCP to the neighbor but ONLY CLR requests. +# This cannot be used with no-clr. # -# htcp-no-purge-clr +# htcp=no-purge-clr # Send HTCP to the neighbor including CLRs but only when # they do not result from PURGE requests. # -# htcp-forward-clr +# htcp=forward-clr # Forward any HTCP CLR requests this proxy receives to the peer. # # @@ -1768,6 +2756,14 @@ http_port 3128 # than the Squid default location. # # +# ==== CARP OPTIONS ==== +# +# carp-key=key-specification +# use a different key than the full URL to hash against the peer. +# the key-specification is a comma-separated list of the keywords +# scheme, host, port, path, params +# Order is not important. +# # ==== ACCELERATOR / REVERSE-PROXY OPTIONS ==== # # originserver Causes this parent to be contacted as an origin server. @@ -1795,20 +2791,23 @@ http_port 3128 # Note: The string can include URL escapes (i.e. %20 for # spaces). This also means % must be written as %%. # -# login=PROXYPASS +# login=PASSTHRU # Send login details received from client to this peer. -# Authentication is not required, nor changed. +# Both Proxy- and WWW-Authorization headers are passed +# without alteration to the peer. +# Authentication is not required by Squid for this to work. # # Note: This will pass any form of authentication but # only Basic auth will work through a proxy unless the # connection-auth options are also used. -# +# # login=PASS Send login details received from client to this peer. # Authentication is not required by this option. +# # If there are no client-provided authentication headers # to pass on, but username and password are available -# from either proxy login or an external ACL user= and -# password= result tags they may be sent instead. +# from an external ACL user= and password= result tags +# they may be sent instead. # # Note: To combine this with proxy_auth both proxies must # share the same user database as HTTP only allows for @@ -1826,6 +2825,27 @@ http_port 3128 # be used to identify this proxy to the peer, similar to # the login=username:password option above. # +# login=NEGOTIATE +# If this is a personal/workgroup proxy and your parent +# requires a secure proxy authentication. +# The first principal from the default keytab or defined by +# the environment variable KRB5_KTNAME will be used. +# +# WARNING: The connection may transmit requests from multiple +# clients. Negotiate often assumes end-to-end authentication +# and a single-client. Which is not strictly true here. +# +# login=NEGOTIATE:principal_name +# If this is a personal/workgroup proxy and your parent +# requires a secure proxy authentication. +# The principal principal_name from the default keytab or +# defined by the environment variable KRB5_KTNAME will be +# used. +# +# WARNING: The connection may transmit requests from multiple +# clients. Negotiate often assumes end-to-end authentication +# and a single-client. Which is not strictly true here. +# # connection-auth=on|off # Tell Squid that this peer does or not support Microsoft # connection oriented authentication, and any such @@ -1848,22 +2868,42 @@ http_port 3128 # reference a combined file containing both the # certificate and the key. # -# sslversion=1|2|3|4 +# sslversion=1|2|3|4|5|6 # The SSL version to use when connecting to this peer # 1 = automatic (default) # 2 = SSL v2 only # 3 = SSL v3 only -# 4 = TLS v1 only +# 4 = TLS v1.0 only +# 5 = TLS v1.1 only +# 6 = TLS v1.2 only # # sslcipher=... The list of valid SSL ciphers to use when connecting # to this peer. # -# ssloptions=... Specify various SSL engine options: -# NO_SSLv2 Disallow the use of SSLv2 -# NO_SSLv3 Disallow the use of SSLv3 -# NO_TLSv1 Disallow the use of TLSv1 -# See src/ssl_support.c or the OpenSSL documentation for -# a more complete list. +# ssloptions=... Specify various SSL implementation options: +# +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# +# SINGLE_DH_USE +# Always create a new key when using +# temporary/ephemeral DH key exchanges +# +# NO_TICKET +# Disable use of RFC5077 session tickets. Some servers +# may have problems understanding the TLS extension due +# to ambiguous specification in RFC4507. +# +# ALL Enable various bug workarounds +# suggested as "harmless" by OpenSSL +# Be warned that this reduces SSL/TLS +# strength to some attacks. +# +# See the OpenSSL SSL_CTX_set_options documentation for a +# more complete list. # # sslcafile=... A file containing additional CA certificates to use # when verifying the peer certificate. @@ -1907,29 +2947,74 @@ http_port 3128 # # connect-fail-limit=N # How many times connecting to a peer must fail before -# it is marked as down. Default is 10. +# it is marked as down. Standby connection failures +# count towards this limit. Default is 10. # # allow-miss Disable Squid's use of only-if-cached when forwarding # requests to siblings. This is primarily useful when -# icp_hit_stale is used by the sibling. To extensive use -# of this option may result in forwarding loops, and you -# should avoid having two-way peerings with this option. -# For example to deny peer usage on requests from peer -# by denying cache_peer_access if the source is a peer. +# icp_hit_stale is used by the sibling. Excessive use +# of this option may result in forwarding loops. One way +# to prevent peering loops when using this option, is to +# deny cache peer usage on requests from a peer: +# acl fromPeer ... +# cache_peer_access peerName deny fromPeer +# +# max-conn=N Limit the number of concurrent connections the Squid +# may open to this peer, including already opened idle +# and standby connections. There is no peer-specific +# connection limit by default. # -# max-conn=N Limit the amount of connections Squid may open to this -# peer. see also +# A peer exceeding the limit is not used for new +# requests unless a standby connection is available. +# +# max-conn currently works poorly with idle persistent +# connections: When a peer reaches its max-conn limit, +# and there are idle persistent connections to the peer, +# the peer may not be selected because the limiting code +# does not know whether Squid can reuse those idle +# connections. +# +# standby=N Maintain a pool of N "hot standby" connections to an +# UP peer, available for requests when no idle +# persistent connection is available (or safe) to use. +# By default and with zero N, no such pool is maintained. +# N must not exceed the max-conn limit (if any). +# +# At start or after reconfiguration, Squid opens new TCP +# standby connections until there are N connections +# available and then replenishes the standby pool as +# opened connections are used up for requests. A used +# connection never goes back to the standby pool, but +# may go to the regular idle persistent connection pool +# shared by all peers and origin servers. +# +# Squid never opens multiple new standby connections +# concurrently. This one-at-a-time approach minimizes +# flooding-like effect on peers. Furthermore, just a few +# standby connections should be sufficient in most cases +# to supply most new requests with a ready-to-use +# connection. +# +# Standby connections obey server_idle_pconn_timeout. +# For the feature to work as intended, the peer must be +# configured to accept and keep them open longer than +# the idle timeout at the connecting Squid, to minimize +# race conditions typical to idle used persistent +# connections. Default request_timeout and +# server_idle_pconn_timeout values ensure such a +# configuration. # # name=xxx Unique name for the peer. # Required if you have multiple peers on the same host # but different ports. # This name can be used in cache_peer_access and similar -# directives to dentify the peer. +# directives to identify the peer. # Can be used by outgoing access controls through the # peername ACL type. # # no-tproxy Do not use the client-spoof TPROXY support when forwarding # requests to this peer. Use normal address selection instead. +# This overrides the spoof_client_ip ACL. # # proxy-only objects fetched from the peer will not be stored locally. # @@ -1938,10 +3023,11 @@ http_port 3128 # TAG: cache_peer_domain # Use to limit the domains for which a neighbor cache will be -# queried. Usage: +# queried. # -# cache_peer_domain cache-host domain [domain ...] -# cache_peer_domain cache-host !domain +# Usage: +# cache_peer_domain cache-host domain [domain ...] +# cache_peer_domain cache-host !domain # # For example, specifying # @@ -1966,33 +3052,57 @@ http_port 3128 # none # TAG: cache_peer_access -# Similar to 'cache_peer_domain' but provides more flexibility by -# using ACL elements. +# Restricts usage of cache_peer proxies. # -# cache_peer_access cache-host allow|deny [!]aclname ... +# Usage: +# cache_peer_access peer-name allow|deny [!]aclname ... +# +# For the required peer-name parameter, use either the value of the +# cache_peer name=value parameter or, if name=value is missing, the +# cache_peer hostname parameter. +# +# This directive narrows down the selection of peering candidates, but +# does not determine the order in which the selected candidates are +# contacted. That order is determined by the peer selection algorithms +# (see PEER SELECTION sections in the cache_peer documentation). +# +# If a deny rule matches, the corresponding peer will not be contacted +# for the current transaction -- Squid will not send ICP queries and +# will not forward HTTP requests to that peer. An allow match leaves +# the corresponding peer in the selection. The first match for a given +# peer wins for that peer. +# +# The relative order of cache_peer_access directives for the same peer +# matters. The relative order of any two cache_peer_access directives +# for different peers does not matter. To ease interpretation, it is a +# good idea to group cache_peer_access directives for the same peer +# together. +# +# A single cache_peer_access directive may be evaluated multiple times +# for a given transaction because individual peer selection algorithms +# may check it independently from each other. These redundant checks +# may be optimized away in future Squid versions. # -# The syntax is identical to 'http_access' and the other lists of -# ACL elements. See the comments for 'http_access' below, or -# the Squid FAQ (http://wiki.squid-cache.org/SquidFaq/SquidAcl). +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# No peer usage restrictions. # TAG: neighbor_type_domain -# usage: neighbor_type_domain neighbor parent|sibling domain domain ... +# Modify the cache_peer neighbor type when passing requests +# about specific domains to the peer. # -# Modifying the neighbor type for specific domains is now -# possible. You can treat some domains differently than the the -# default neighbor type specified on the 'cache_peer' line. -# Normally it should only be necessary to list domains which -# should be treated differently because the default neighbor type -# applies for hostnames which do not match domains listed here. +# Usage: +# neighbor_type_domain neighbor parent|sibling domain domain ... # -#EXAMPLE: -# cache_peer cache.foo.org parent 3128 3130 -# neighbor_type_domain cache.foo.org sibling .com .net -# neighbor_type_domain cache.foo.org sibling .au .de +# For example: +# cache_peer foo.example.com parent 3128 3130 +# neighbor_type_domain foo.example.com sibling .au .de +# +# The above configuration treats all requests to foo.example.com as a +# parent proxy unless the request is for a .au or .de ccTLD domain name. #Default: -# none +# The peer type from cache_peer directive is used for all requests to that peer. # TAG: dead_peer_timeout (seconds) # This controls how long Squid waits to declare a peer cache @@ -2015,21 +3125,11 @@ http_port 3128 # TAG: forward_max_tries # Controls how many different forward paths Squid will try # before giving up. See also forward_timeout. +# +# NOTE: connect_retries (default: none) can make each of these +# possible forwarding paths be tried multiple times. #Default: -# forward_max_tries 10 - -# TAG: hierarchy_stoplist -# A list of words which, if found in a URL, cause the object to -# be handled directly by this cache. In other words, use this -# to not query neighbor caches for certain objects. You may -# list this option multiple times. -# -# Example: -# hierarchy_stoplist cgi-bin ? -# -# Note: never_direct overrides this option. -#Default: -# none +# forward_max_tries 25 # MEMORY CACHE OPTIONS # ----------------------------------------------------------------------------- @@ -2064,6 +3164,11 @@ http_port 3128 # decreases, blocks will be freed until the high-water mark is # reached. Thereafter, blocks will be used to store hot # objects. +# +# If shared memory caching is enabled, Squid does not use the shared +# cache space for in-transit objects, but they still consume as much +# local memory as they need. For more details about the shared memory +# cache, see memory_cache_shared. #Default: # cache_mem 256 MB @@ -2075,11 +3180,45 @@ http_port 3128 #Default: # maximum_object_size_in_memory 512 KB +# TAG: memory_cache_shared on|off +# Controls whether the memory cache is shared among SMP workers. +# +# The shared memory cache is meant to occupy cache_mem bytes and replace +# the non-shared memory cache, although some entities may still be +# cached locally by workers for now (e.g., internal and in-transit +# objects may be served from a local memory cache even if shared memory +# caching is enabled). +# +# By default, the memory cache is shared if and only if all of the +# following conditions are satisfied: Squid runs in SMP mode with +# multiple workers, cache_mem is positive, and Squid environment +# supports required IPC primitives (e.g., POSIX shared memory segments +# and GCC-style atomic operations). +# +# To avoid blocking locks, shared memory uses opportunistic algorithms +# that do not guarantee that every cachable entity that could have been +# shared among SMP workers will actually be shared. +#Default: +# "on" where supported if doing memory caching with multiple SMP workers. + +# TAG: memory_cache_mode +# Controls which objects to keep in the memory cache (cache_mem) +# +# always Keep most recently fetched objects in memory (default) +# +# disk Only disk cache hits are kept in memory, which means +# an object must first be cached on disk and then hit +# a second time before cached in memory. +# +# network Only objects fetched from network is kept in memory +#Default: +# Keep the most recently fetched objects in memory + # TAG: memory_replacement_policy # The memory replacement policy parameter determines which # objects are purged from memory when memory space is needed. # -# See cache_replacement_policy for details. +# See cache_replacement_policy for details on algorithms. #Default: # memory_replacement_policy lru @@ -2095,7 +3234,7 @@ http_port 3128 # heap LFUDA: Least Frequently Used with Dynamic Aging # heap LRU : LRU policy implemented using a heap # -# Applies to any cache_dir lines listed below this. +# Applies to any cache_dir lines listed below this directive. # # The LRU policies keeps recently referenced objects. # @@ -2114,7 +3253,7 @@ http_port 3128 # replacement policies. # # NOTE: if using the LFUDA replacement policy you should increase -# the value of maximum_object_size above its default of 4096 KB to +# the value of maximum_object_size above its default of 4 MB to # to maximize the potential byte hit rate improvement of LFUDA. # # For more information about the GDSF and LFUDA cache replacement @@ -2123,10 +3262,34 @@ http_port 3128 #Default: # cache_replacement_policy lru +# TAG: minimum_object_size (bytes) +# Objects smaller than this size will NOT be saved on disk. The +# value is specified in bytes, and the default is 0 KB, which +# means all responses can be stored. +#Default: +# no limit + +# TAG: maximum_object_size (bytes) +# Set the default value for max-size parameter on any cache_dir. +# The value is specified in bytes, and the default is 4 MB. +# +# If you wish to get a high BYTES hit ratio, you should probably +# increase this (one 32 MB object hit counts for 3200 10KB +# hits). +# +# If you wish to increase hit ratio more than you want to +# save bandwidth you should leave this low. +# +# NOTE: if using the LFUDA replacement policy you should increase +# this value to maximize the byte hit rate improvement of LFUDA! +# See cache_replacement_policy for a discussion of this policy. +#Default: +# maximum_object_size 4 MB +maximum_object_size 153600 KB + # TAG: cache_dir -# Usage: -# -# cache_dir Type Directory-Name Fs-specific-data [options] +# Format: +# cache_dir Type Directory-Name Fs-specific-data [options] # # You can specify multiple cache_dir lines to spread the # cache among different disk partitions. @@ -2141,12 +3304,18 @@ http_port 3128 # The directory must exist and be writable by the Squid # process. Squid will NOT create this directory for you. # -# The ufs store type: +# In SMP configurations, cache_dir must not precede the workers option +# and should use configuration macros or conditionals to give each +# worker interested in disk caching a dedicated cache directory. +# +# +# ==== The ufs store type ==== # # "ufs" is the old well-known Squid storage format that has always # been there. # -# cache_dir ufs Directory-Name Mbytes L1 L2 [options] +# Usage: +# cache_dir ufs Directory-Name Mbytes L1 L2 [options] # # 'Mbytes' is the amount of disk space (MB) to use under this # directory. The default is 100 MB. Change this to suit your @@ -2161,23 +3330,27 @@ http_port 3128 # will be created under each first-level directory. The default # is 256. # -# The aufs store type: +# +# ==== The aufs store type ==== # # "aufs" uses the same storage format as "ufs", utilizing # POSIX-threads to avoid blocking the main Squid process on # disk-I/O. This was formerly known in Squid as async-io. # -# cache_dir aufs Directory-Name Mbytes L1 L2 [options] +# Usage: +# cache_dir aufs Directory-Name Mbytes L1 L2 [options] # # see argument descriptions under ufs above # -# The diskd store type: +# +# ==== The diskd store type ==== # # "diskd" uses the same storage format as "ufs", utilizing a # separate process to avoid blocking the main Squid process on # disk-I/O. # -# cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n] +# Usage: +# cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n] # # see argument descriptions under ufs above # @@ -2185,55 +3358,149 @@ http_port 3128 # stops opening new files. If this many messages are in the queues, # Squid won't open new files. Default is 64 # -# Q2 specifies the number of unacknowledged messages when Squid -# starts blocking. If this many messages are in the queues, -# Squid blocks until it receives some replies. Default is 72 +# Q2 specifies the number of unacknowledged messages when Squid +# starts blocking. If this many messages are in the queues, +# Squid blocks until it receives some replies. Default is 72 +# +# When Q1 < Q2 (the default), the cache directory is optimized +# for lower response time at the expense of a decrease in hit +# ratio. If Q1 > Q2, the cache directory is optimized for +# higher hit ratio at the expense of an increase in response +# time. +# +# +# ==== The rock store type ==== +# +# Usage: +# cache_dir rock Directory-Name Mbytes [options] +# +# The Rock Store type is a database-style storage. All cached +# entries are stored in a "database" file, using fixed-size slots. +# A single entry occupies one or more slots. +# +# If possible, Squid using Rock Store creates a dedicated kid +# process called "disker" to avoid blocking Squid worker(s) on disk +# I/O. One disker kid is created for each rock cache_dir. Diskers +# are created only when Squid, running in daemon mode, has support +# for the IpcIo disk I/O module. +# +# swap-timeout=msec: Squid will not start writing a miss to or +# reading a hit from disk if it estimates that the swap operation +# will take more than the specified number of milliseconds. By +# default and when set to zero, disables the disk I/O time limit +# enforcement. Ignored when using blocking I/O module because +# blocking synchronous I/O does not allow Squid to estimate the +# expected swap wait time. +# +# max-swap-rate=swaps/sec: Artificially limits disk access using +# the specified I/O rate limit. Swap out requests that +# would cause the average I/O rate to exceed the limit are +# delayed. Individual swap in requests (i.e., hits or reads) are +# not delayed, but they do contribute to measured swap rate and +# since they are placed in the same FIFO queue as swap out +# requests, they may wait longer if max-swap-rate is smaller. +# This is necessary on file systems that buffer "too +# many" writes and then start blocking Squid and other processes +# while committing those writes to disk. Usually used together +# with swap-timeout to avoid excessive delays and queue overflows +# when disk demand exceeds available disk "bandwidth". By default +# and when set to zero, disables the disk I/O rate limit +# enforcement. Currently supported by IpcIo module only. +# +# slot-size=bytes: The size of a database "record" used for +# storing cached responses. A cached response occupies at least +# one slot and all database I/O is done using individual slots so +# increasing this parameter leads to more disk space waste while +# decreasing it leads to more disk I/O overheads. Should be a +# multiple of your operating system I/O page size. Defaults to +# 16KBytes. A housekeeping header is stored with each slot and +# smaller slot-sizes will be rejected. The header is smaller than +# 100 bytes. +# +# +# ==== COMMON OPTIONS ==== +# +# no-store no new objects should be stored to this cache_dir. +# +# min-size=n the minimum object size in bytes this cache_dir +# will accept. It's used to restrict a cache_dir +# to only store large objects (e.g. AUFS) while +# other stores are optimized for smaller objects +# (e.g. Rock). +# Defaults to 0. +# +# max-size=n the maximum object size in bytes this cache_dir +# supports. +# The value in maximum_object_size directive sets +# the default unless more specific details are +# available (ie a small store capacity). +# +# Note: To make optimal use of the max-size limits you should order +# the cache_dir lines with the smallest max-size value first. +# +#Default: +# No disk cache. Store cache ojects only in memory. +# + +# Uncomment and adjust the following to add a disk cache directory. +#cache_dir ufs /var/spool/squid 100 16 256 +cache_dir ufs /var/spool/squid 4096 16 1024 + +# TAG: store_dir_select_algorithm +# How Squid selects which cache_dir to use when the response +# object will fit into more than one. +# +# Regardless of which algorithm is used the cache_dir min-size +# and max-size parameters are obeyed. As such they can affect +# the selection algorithm by limiting the set of considered +# cache_dir. +# +# Algorithms: +# +# least-load +# +# This algorithm is suited to caches with similar cache_dir +# sizes and disk speeds. # -# When Q1 < Q2 (the default), the cache directory is optimized -# for lower response time at the expense of a decrease in hit -# ratio. If Q1 > Q2, the cache directory is optimized for -# higher hit ratio at the expense of an increase in response -# time. +# The disk with the least I/O pending is selected. +# When there are multiple disks with the same I/O load ranking +# the cache_dir with most available capacity is selected. # -# The coss store type: +# When a mix of cache_dir sizes are configured the faster disks +# have a naturally lower I/O loading and larger disks have more +# capacity. So space used to store objects and data throughput +# may be very unbalanced towards larger disks. # -# NP: COSS filesystem in Squid-3 has been deemed too unstable for -# production use and has thus been removed from this release. -# We hope that it can be made usable again soon. # -# block-size=n defines the "block size" for COSS cache_dir's. -# Squid uses file numbers as block numbers. Since file numbers -# are limited to 24 bits, the block size determines the maximum -# size of the COSS partition. The default is 512 bytes, which -# leads to a maximum cache_dir size of 512<<24, or 8 GB. Note -# you should not change the coss block size after Squid -# has written some objects to the cache_dir. +# round-robin # -# The coss file store has changed from 2.5. Now it uses a file -# called 'stripe' in the directory names in the config - and -# this will be created by squid -z. +# This algorithm is suited to caches with unequal cache_dir +# disk sizes. # -# Common options: +# Each cache_dir is selected in a rotation. The next suitable +# cache_dir is used. # -# no-store, no new objects should be stored to this cache_dir +# Available cache_dir capacity is only considered in relation +# to whether the object will fit and meets the min-size and +# max-size parameters. # -# max-size=n, refers to the max object size in bytes this cache_dir -# supports. It is used to select the cache_dir to store the object. -# Note: To make optimal use of the max-size limits you should order -# the cache_dir lines with the smallest max-size value first and the -# ones with no max-size specification last. +# Disk I/O loading is only considered to prevent overload on slow +# disks. This algorithm does not spread objects by size, so any +# I/O loading per-disk may appear very unbalanced and volatile. # -# Note for coss, max-size must be less than COSS_MEMBUF_SZ, -# which can be changed with the --with-coss-membuf-size=N configure -# option. +# If several cache_dirs use similar min-size, max-size, or other +# limits to to reject certain responses, then do not group such +# cache_dir lines together, to avoid round-robin selection bias +# towards the first cache_dir after the group. Instead, interleave +# cache_dir lines from different groups. For example: # - -# Uncomment and adjust the following to add a disk cache directory. -#cache_dir ufs /var/spool/squid 100 16 256 -cache_dir ufs /var/spool/squid 4096 16 1024 - -# TAG: store_dir_select_algorithm -# Set this to 'round-robin' as an alternative. +# store_dir_select_algorithm round-robin +# cache_dir rock /hdd1 ... min-size=100000 +# cache_dir rock /ssd1 ... max-size=99999 +# cache_dir rock /hdd2 ... min-size=100000 +# cache_dir rock /ssd2 ... max-size=99999 +# cache_dir rock /hdd3 ... min-size=100000 +# cache_dir rock /ssd3 ... max-size=99999 #Default: # store_dir_select_algorithm least-load @@ -2244,46 +3511,53 @@ cache_dir ufs /var/spool/squid 4096 16 1024 # # A value of 0 indicates no limit. #Default: -# max_open_disk_fds 0 - -# TAG: minimum_object_size (bytes) -# Objects smaller than this size will NOT be saved on disk. The -# value is specified in kilobytes, and the default is 0 KB, which -# means there is no minimum. -#Default: -# minimum_object_size 0 KB - -# TAG: maximum_object_size (bytes) -# Objects larger than this size will NOT be saved on disk. The -# value is specified in kilobytes, and the default is 4MB. If -# you wish to get a high BYTES hit ratio, you should probably -# increase this (one 32 MB object hit counts for 3200 10KB -# hits). If you wish to increase speed more than your want to -# save bandwidth you should leave this low. -# -# NOTE: if using the LFUDA replacement policy you should increase -# this value to maximize the byte hit rate improvement of LFUDA! -# See replacement_policy below for a discussion of this policy. -#Default: -# maximum_object_size 4096 KB -maximum_object_size 153600 KB +# no limit # TAG: cache_swap_low (percent, 0-100) +# The low-water mark for AUFS/UFS/diskd cache object eviction by +# the cache_replacement_policy algorithm. +# +# Removal begins when the swap (disk) usage of a cache_dir is +# above this low-water mark and attempts to maintain utilization +# near the low-water mark. +# +# As swap utilization increases towards the high-water mark set +# by cache_swap_high object eviction becomes more agressive. +# +# The value difference in percentages between low- and high-water +# marks represent an eviction rate of 300 objects per second and +# the rate continues to scale in agressiveness by multiples of +# this above the high-water mark. +# +# Defaults are 90% and 95%. If you have a large cache, 5% could be +# hundreds of MB. If this is the case you may wish to set these +# numbers closer together. +# +# See also cache_swap_high and cache_replacement_policy #Default: # cache_swap_low 90 # TAG: cache_swap_high (percent, 0-100) +# The high-water mark for AUFS/UFS/diskd cache object eviction by +# the cache_replacement_policy algorithm. # -# The low- and high-water marks for cache object replacement. -# Replacement begins when the swap (disk) usage is above the -# low-water mark and attempts to maintain utilization near the -# low-water mark. As swap utilization gets close to high-water -# mark object eviction becomes more aggressive. If utilization is -# close to the low-water mark less replacement is done each time. +# Removal begins when the swap (disk) usage of a cache_dir is +# above the low-water mark set by cache_swap_low and attempts to +# maintain utilization near the low-water mark. +# +# As swap utilization increases towards this high-water mark object +# eviction becomes more agressive. +# +# The value difference in percentages between low- and high-water +# marks represent an eviction rate of 300 objects per second and +# the rate continues to scale in agressiveness by multiples of +# this above the high-water mark. # # Defaults are 90% and 95%. If you have a large cache, 5% could be # hundreds of MB. If this is the case you may wish to set these # numbers closer together. +# +# See also cache_swap_low and cache_replacement_policy #Default: # cache_swap_high 95 @@ -2313,21 +3587,62 @@ maximum_object_size 153600 KB # ' output as-is # # - left aligned -# width field width. If starting with 0 the -# output is zero padded +# +# width minimum and/or maximum field width: +# [width_min][.width_max] +# When minimum starts with 0, the field is zero-padded. +# String values exceeding maximum width are truncated. +# # {arg} argument such as header name etc # # Format codes: # # % a literal % character +# sn Unique sequence number per log line entry +# err_code The ID of an error response served by Squid or +# a similar internal error identifier. +# err_detail Additional err_code-dependent error information. +# note The annotation specified by the argument. Also +# logs the adaptation meta headers set by the +# adaptation_meta configuration parameter. +# If no argument given all annotations logged. +# The argument may include a separator to use with +# annotation values: +# name[:separator] +# By default, multiple note values are separated with "," +# and multiple notes are separated with "\r\n". +# When logging named notes with %{name}note, the +# explicitly configured separator is used between note +# values. When logging all notes with %note, the +# explicitly configured separator is used between +# individual notes. There is currently no way to +# specify both value and notes separators when logging +# all notes with %note. +# +# Connection related format codes: +# # >a Client source IP address # >A Client FQDN # >p Client source port -# eui Client source EUI (MAC address, EUI-48 or EUI-64 identifier) +# >la Local IP address the client connected to +# >lp Local port number the client connected to +# >qos Client connection TOS/DSCP value set by Squid +# >nfmark Client connection netfilter mark set by Squid +# +# la Local listening IP address the client connection was connected to. +# lp Local listening port number the client connection was connected to. +# +# . format. +# Currently, Squid considers the master transaction +# started when a complete HTTP request header initiating +# the transaction is received from the client. This is +# the same value that Squid uses to calculate transaction +# response time when logging %tr to access.log. Currently, +# Squid uses millisecond resolution for %tS values, +# similar to the default access.log "current time" field +# (%ts.%03tu). +# +# Access Control related format codes: +# +# et Tag returned by external acl +# ea Log string returned by external acl +# un User name (any available) +# ul User name from authentication +# ue User name from external acl helper +# ui User name from ident +# un A user name. Expands to the first available name +# from the following list of information sources: +# - authenticated user name, like %ul +# - user name supplied by an external ACL, like %ue +# - SSL client name, like %us +# - ident user name, like %ui +# credentials Client credentials. The exact meaning depends on +# the authentication scheme: For Basic authentication, +# it is the password; for Digest, the realm sent by the +# client; for NTLM and Negotiate, the client challenge +# or client credentials prefixed with "YR " or "KK ". +# +# HTTP related format codes: +# +# REQUEST # -# HTTP cache related format codes: -# -# [http::]>h Original request header. Optional header name argument -# on the format header[:[separator]element] -# [http::]>ha The HTTP request headers after adaptation and redirection. +# [http::]rm Request method (GET/POST etc) +# [http::]>rm Request method from client +# [http::]ru Request URL from client +# [http::]rs Request URL scheme from client +# [http::]rd Request URL domain from client +# [http::]rP Request URL port from client +# [http::]rp Request URL path excluding hostname from client +# [http::]rv Request protocol version from client +# [http::]h Original received request header. +# Usually differs from the request header sent by +# Squid, although most fields are often preserved. +# Accepts optional header field name/value filter +# argument using name[:[separator]element] format. +# [http::]>ha Received request header after adaptation and +# redirection (pre-cache REQMOD vectoring point). +# Usually differs from the request header sent by +# Squid, although most fields are often preserved. # Optional header name argument as for >h +# +# +# RESPONSE +# +# [http::]Hs HTTP status code sent to the client +# # [http::]h -# [http::]un User name -# [http::]ul User name from authentication -# [http::]ui User name from ident -# [http::]us User name from SSL -# [http::]ue User name from external acl helper -# [http::]>Hs HTTP status code sent to the client -# [http::]st Received request size including HTTP headers. In the -# case of chunked requests the chunked encoding metadata -# are not included -# [http::]>sh Received HTTP request headers size -# [http::]st Total size of request received from client. +# Excluding chunked encoding bytes. +# [http::]sh Size of request headers received from client +# [http::]sni SSL client SNI sent to Squid. Available only +# after the peek, stare, or splice SSL bumping +# actions. +# +# If ICAP is enabled, the following code becomes available (as # well as ICAP log codes documented with the icap_log option): # # icap::tt Total ICAP processing time for the HTTP @@ -2386,14 +3793,13 @@ maximum_object_size 153600 KB # ACLs are checked and when ICAP # transaction is in progress. # -# icap::cert_subject The Subject field of the received client +# SSL certificate or a dash ('-') if Squid has +# received an invalid/malformed certificate or +# no certificate at all. Consider encoding the +# logged value because Subject often has spaces. +# +# %ssl::>cert_issuer The Issuer field of the received client +# SSL certificate or a dash ('-') if Squid has +# received an invalid/malformed certificate or +# no certificate at all. Consider encoding the +# logged value because Issuer often has spaces. +# # The default formats available (which do not need re-defining) are: # -#logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %a %Ss/%03>Hs %h] [%a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh +#logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh +#logformat referrer %ts.%03tu %>a %{Referer}>h %ru +#logformat useragent %>a [%tl] "%{User-Agent}>h" +# +# NOTE: When the log_mime_hdrs directive is set to ON. +# The squid, common and combined formats have a safely encoded copy +# of the mime headers appended to each line within a pair of brackets. +# +# NOTE: The common and combined formats are not quite true to the Apache definition. +# The logs from Squid contain an extra status and hierarchy code appended. +# #Default: -# none +# The format definitions squid, common, combined, referrer, useragent are built in. # TAG: access_log -# These files log client request activities. Has a line every HTTP or -# ICP request. The format is: -# access_log [ [acl acl ...]] -# access_log none [acl acl ...]] +# Configures whether and how Squid logs HTTP and ICP transactions. +# If access logging is enabled, a single line is logged for every +# matching HTTP or ICP request. The recommended directive formats are: # -# Will log to the specified file using the specified format (which -# must be defined in a logformat directive) those entries which match -# ALL the acl's specified (which must be defined in acl clauses). +# access_log : [option ...] [acl acl ...] +# access_log none [acl acl ...] # -# If no acl is specified, all requests will be logged to this file. +# The following directive format is accepted but may be deprecated: +# access_log : [ [acl acl ...]] # -# To disable logging of a request use the filepath "none", in which case -# a logformat name should not be specified. +# In most cases, the first ACL name must not contain the '=' character +# and should not be equal to an existing logformat name. You can always +# start with an 'all' ACL to work around those restrictions. +# +# Will log to the specified module:place using the specified format (which +# must be defined in a logformat directive) those entries which match +# ALL the acl's specified (which must be defined in acl clauses). +# If no acl is specified, all requests will be logged to this destination. +# +# ===== Available options for the recommended directive format ===== +# +# logformat=name Names log line format (either built-in or +# defined by a logformat directive). Defaults +# to 'squid'. +# +# buffer-size=64KB Defines approximate buffering limit for log +# records (see buffered_logs). Squid should not +# keep more than the specified size and, hence, +# should flush records before the buffer becomes +# full to avoid overflows under normal +# conditions (the exact flushing algorithm is +# module-dependent though). The on-error option +# controls overflow handling. +# +# on-error=die|drop Defines action on unrecoverable errors. The +# 'drop' action ignores (i.e., does not log) +# affected log records. The default 'die' action +# kills the affected worker. The drop action +# support has not been tested for modules other +# than tcp. +# +# ===== Modules Currently available ===== +# +# none Do not log any requests matching these ACL. +# Do not specify Place or logformat name. +# +# stdio Write each log line to disk immediately at the completion of +# each request. +# Place: the filename and path to be written. +# +# daemon Very similar to stdio. But instead of writing to disk the log +# line is passed to a daemon helper for asychronous handling instead. +# Place: varies depending on the daemon. +# +# log_file_daemon Place: the file name and path to be written. +# +# syslog To log each request via syslog facility. +# Place: The syslog facility and priority level for these entries. +# Place Format: facility.priority # -# To log the request via syslog specify a filepath of "syslog": +# where facility could be any of: +# authpriv, daemon, local0 ... local7 or user. # -# access_log syslog[:facility.priority] [format [acl1 [acl2 ....]]] -# where facility could be any of: -# authpriv, daemon, local0 .. local7 or user. +# And priority could be any of: +# err, warning, notice, info, debug. +# +# udp To send each log line as text data to a UDP receiver. +# Place: The destination host name or IP and port. +# Place Format: //host:port # -# And priority could be any of: -# err, warning, notice, info, debug. +# tcp To send each log line as text data to a TCP receiver. +# Lines may be accumulated before sending (see buffered_logs). +# Place: The destination host name or IP and port. +# Place Format: //host:port # # Default: -# access_log /var/log/squid/access.log squid +# access_log daemon:/var/log/squid/access.log squid #Default: -# access_log /var/log/squid/access.log squid +# access_log daemon:/var/log/squid/access.log squid # TAG: icap_log # ICAP log files record ICAP transaction summaries, one line per @@ -2472,13 +3953,35 @@ maximum_object_size 153600 KB # ICAP transaction log lines will correspond to a single access # log line. # -# ICAP log uses logformat codes that make sense for an ICAP -# transaction. Header-related codes are applied to the HTTP header -# embedded in an ICAP server response, with the following caveats: -# For REQMOD, there is no HTTP response header unless the ICAP -# server performed request satisfaction. For RESPMOD, the HTTP -# request header is the header sent to the ICAP server. For -# OPTIONS, there are no HTTP headers. +# ICAP log supports many access.log logformat %codes. In ICAP context, +# HTTP message-related %codes are applied to the HTTP message embedded +# in an ICAP message. Logformat "%http::>..." codes are used for HTTP +# messages embedded in ICAP requests while "%http::<..." codes are used +# for HTTP messages embedded in ICAP responses. For example: +# +# http::>h To-be-adapted HTTP message headers sent by Squid to +# the ICAP service. For REQMOD transactions, these are +# HTTP request headers. For RESPMOD, these are HTTP +# response headers, but Squid currently cannot log them +# (i.e., %http::>h will expand to "-" for RESPMOD). +# +# http::st Bytes sent to the ICAP server (TCP payload -# only; i.e., what Squid writes to the socket). +# icap::>st The total size of the ICAP request sent to the ICAP +# server (ICAP headers + ICAP body), including chunking +# metadata (if any). # -# icap::a %icap::to/%03icap::Hs %icap::A %icap::to/%03icap::Hs %icap::\n - logfile data +# R\n - rotate file +# T\n - truncate file +# O\n - reopen file +# F\n - flush file +# r\n - set rotate count to +# b\n - 1 = buffer output, 0 = don't buffer output +# +# No responses is expected. #Default: -# none +# logfile_daemon /usr/lib/squid/log_file_daemon -# TAG: log_icap -# This options allows you to control which requests get logged -# to icap.log. See the icap_log directive for ICAP log details. +# TAG: stats_collection allow|deny acl acl... +# This options allows you to control which requests gets accounted +# in performance counters. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow logging for all transactions. # TAG: cache_store_log # Logs the activities of the storage manager. Shows which # objects are ejected from the cache, and which objects are -# saved and for how long. To disable, enter "none" or remove the line. +# saved and for how long. # There are not really utilities to analyze this data, so you can safely -# disable it. -# +# disable it (the default). +# +# Store log uses modular logging outputs. See access_log for the list +# of modules supported. +# # Example: -# cache_store_log /var/log/squid/store.log +# cache_store_log stdio:/var/log/squid/store.log +# cache_store_log daemon:/var/log/squid/store.log #Default: # none @@ -2590,7 +4111,7 @@ maximum_object_size 153600 KB # them). We recommend you do NOT use this option. It is # better to keep these index files in each 'cache_dir' directory. #Default: -# none +# Store the journal inside its cache_dir # TAG: logfile_rotate # Specifies the number of logfile rotations to make when you @@ -2607,34 +4128,19 @@ maximum_object_size 153600 KB # in the habit of using 'squid -k rotate' instead of 'kill -USR1 # '. # -# Note, from Squid-3.1 this option has no effect on the cache.log, -# that log can be rotated separately by using debug_options +# Note, from Squid-3.1 this option is only a default for cache.log, +# that log can be rotated separately by using debug_options. # -# Note2, for Debian/Linux the default of logfile_rotate is -# zero, since it includes external logfile-rotation methods. +# Note2, for Debian/Linux the default of logfile_rotate is +# zero, since it includes external logfile-rotation methods. #Default: # logfile_rotate 0 -# TAG: emulate_httpd_log on|off -# The Cache can emulate the log file format which many 'httpd' -# programs use. To disable/enable this emulation, set -# emulate_httpd_log to 'off' or 'on'. The default -# is to use the native log format since it includes useful -# information Squid-specific log analyzers use. -#Default: -# emulate_httpd_log off - -# TAG: log_ip_on_direct on|off -# Log the destination IP address in the hierarchy log tag when going -# direct. Earlier Squid versions logged the hostname here. If you -# prefer the old way set this to off. -#Default: -# log_ip_on_direct on - # TAG: mime_table -# Pathname to Squid's MIME table. You shouldn't need to change -# this, but the default file contains examples and formatting -# information if you do. +# Path to Squid's icon configuration file. +# +# You shouldn't need to change this, but the default file contains +# examples and formatting information if you do. #Default: # mime_table /usr/share/squid/mime.conf @@ -2647,91 +4153,61 @@ maximum_object_size 153600 KB #Default: # log_mime_hdrs off -# TAG: useragent_log -# Note: This option is only available if Squid is rebuilt with the -# --enable-useragent-log option -# -# Squid will write the User-Agent field from HTTP requests -# to the filename specified here. By default useragent_log -# is disabled. -#Default: -# none - -# TAG: referer_log -# Note: This option is only available if Squid is rebuilt with the -# --enable-referer-log option -# -# Squid will write the Referer field from HTTP requests to the -# filename specified here. By default referer_log is disabled. -# Note that "referer" is actually a misspelling of "referrer" -# however the misspelt version has been accepted into the HTTP RFCs -# and we accept both. -#Default: -# none - # TAG: pid_filename # A filename to write the process-id to. To disable, enter "none". #Default: # pid_filename /var/run/squid.pid -# TAG: log_fqdn on|off -# Turn this on if you wish to log fully qualified domain names -# in the access.log. To do this Squid does a DNS lookup of all -# IP's connecting to it. This can (in some situations) increase -# latency, which makes your cache seem slower for interactive -# browsing. -#Default: -# log_fqdn off - # TAG: client_netmask # A netmask for client addresses in logfiles and cachemgr output. # Change this to protect the privacy of your cache clients. # A netmask of 255.255.255.0 will log all IP's in that range with # the last digit set to '0'. #Default: -# client_netmask no_addr - -# TAG: forward_log -# Note: This option is only available if Squid is rebuilt with the -# -DWIP_FWD_LOG define -# -# Logs the server-side requests. -# -# This is currently work in progress. -#Default: -# none +# Log full client IP address # TAG: strip_query_terms # By default, Squid strips query terms from requested URLs before -# logging. This protects your user's privacy. +# logging. This protects your user's privacy and reduces log size. +# +# When investigating HIT/MISS or other caching behaviour you +# will need to disable this to see the full URL used by Squid. #Default: # strip_query_terms on # TAG: buffered_logs on|off -# cache.log log file is written with stdio functions, and as such -# it can be buffered or unbuffered. By default it will be unbuffered. -# Buffering it can speed up the writing slightly (though you are -# unlikely to need to worry unless you run with tons of debugging -# enabled in which case performance will suffer badly anyway..). +# Whether to write/send access_log records ASAP or accumulate them and +# then write/send them in larger chunks. Buffering may improve +# performance because it decreases the number of I/Os. However, +# buffering increases the delay before log records become available to +# the final recipient (e.g., a disk file or logging daemon) and, +# hence, increases the risk of log records loss. +# +# Note that even when buffered_logs are off, Squid may have to buffer +# records if it cannot write/send them immediately due to pending I/Os +# (e.g., the I/O writing the previous log record) or connectivity loss. +# +# Currently honored by 'daemon' and 'tcp' access_log modules only. #Default: # buffered_logs off # TAG: netdb_filename -# Note: This option is only available if Squid is rebuilt with the -# --enable-icmp option +# Where Squid stores it's netdb journal. +# When enabled this journal preserves netdb state between restarts. # -# A filename where Squid stores it's netdb state between restarts. # To disable, enter "none". #Default: -# netdb_filename /var/log/squid/netdb.state +# netdb_filename stdio:/var/log/squid/netdb.state # OPTIONS FOR TROUBLESHOOTING # ----------------------------------------------------------------------------- # TAG: cache_log -# Cache logging file. This is where general information about -# your cache's behavior goes. You can increase the amount of data -# logged to this file and how often its rotated with "debug_options" +# Squid administrative logging file. +# +# This is where general information about Squid behavior goes. You can +# increase the amount of data logged to this file and how often it is +# rotated with "debug_options" #Default: # cache_log /var/log/squid/cache.log @@ -2742,14 +4218,14 @@ maximum_object_size 153600 KB # log file, so be careful. # # The magic word "ALL" sets debugging levels for all sections. -# We recommend normally running with "ALL,1". +# The default is to run with "ALL,1" to record important warnings. # # The rotate=N option can be used to keep more or less of these logs # than would otherwise be kept by logfile_rotate. # For most uses a single log should be enough to monitor current # events affecting Squid. #Default: -# debug_options ALL,1 +# Log all critical and important messages. # TAG: coredump_dir # By default Squid leaves core files in the directory from where @@ -2758,7 +4234,7 @@ maximum_object_size 153600 KB # and coredump files will be left there. # #Default: -# coredump_dir none +# Use the directory from where Squid was started. # # Leave coredumps in the first cache dir @@ -2769,24 +4245,17 @@ coredump_dir /var/spool/squid # TAG: ftp_user # If you want the anonymous login password to be more informative -# (and enable the use of picky ftp servers), set this to something +# (and enable the use of picky FTP servers), set this to something # reasonable for your domain, like wwwuser@somewhere.net # # The reason why this is domainless by default is the # request can be made on the behalf of a user in any domain, # depending on how the cache is used. -# Some ftp server also validate the email address is valid +# Some FTP server also validate the email address is valid # (for example perl.com). #Default: # ftp_user Squid@ -# TAG: ftp_list_width -# Sets the width of ftp listings. This should be set to fit in -# the width of a standard browser. Setting this too small -# can cut off long filenames when browsing ftp sites. -#Default: -# ftp_list_width 32 - # TAG: ftp_passive # If your firewall does not allow Squid to use passive # connections, turn off this option. @@ -2822,13 +4291,21 @@ coredump_dir /var/spool/squid # and therefore, translation of the data portion of the segments # will never be needed. # -# Turning this OFF will prevent EPSV being attempted. -# WARNING: Doing so will convert Squid back to the old behavior with all -# the related problems with external NAT devices/layers. +# EPSV is often required to interoperate with FTP servers on IPv6 +# networks. On the other hand, it may break some IPv4 servers. +# +# By default, EPSV may try EPSV with any FTP server. To fine tune +# that decision, you may restrict EPSV to certain clients or servers +# using ACLs: # +# ftp_epsv allow|deny al1 acl2 ... +# +# WARNING: Disabling EPSV may cause problems with external NAT and IPv6. +# +# Only fast ACLs are supported. # Requires ftp_passive to be ON (default) for any effect. #Default: -# ftp_epsv on +# none # TAG: ftp_eprt # FTP Protocol extensions permit the use of a special "EPRT" command. @@ -2889,22 +4366,16 @@ coredump_dir /var/spool/squid # unlinkd_program /usr/lib/squid/unlinkd # TAG: pinger_program -# Note: This option is only available if Squid is rebuilt with the -# --enable-icmp option -# # Specify the location of the executable for the pinger process. #Default: # pinger_program /usr/lib/squid/pinger # TAG: pinger_enable -# Note: This option is only available if Squid is rebuilt with the -# --enable-icmp option -# # Control whether the pinger is active at run-time. # Enables turning ICMP pinger on and off with a simple # squid -k reconfigure. #Default: -# pinger_enable off +# pinger_enable on # OPTIONS FOR URL REWRITING # ----------------------------------------------------------------------------- @@ -2915,68 +4386,137 @@ coredump_dir /var/spool/squid # # For each requested URL, the rewriter will receive on line with the format # -# URL client_ip "/" fqdn user method [ kvpairs] +# [channel-ID ] URL [ extras] +# +# See url_rewrite_extras on how to send "extras" with optional values to +# the helper. +# After processing the request the helper must reply using the following format: +# +# [channel-ID ] result [ kv-pairs] +# +# The result code can be: +# +# OK status=30N url="..." +# Redirect the URL to the one supplied in 'url='. +# 'status=' is optional and contains the status code to send +# the client in Squids HTTP response. It must be one of the +# HTTP redirect status codes: 301, 302, 303, 307, 308. +# When no status is given Squid will use 302. +# +# OK rewrite-url="..." +# Rewrite the URL to the one supplied in 'rewrite-url='. +# The new URL is fetched directly by Squid and returned to +# the client as the response to its request. # -# In the future, the rewriter interface will be extended with -# key=value pairs ("kvpairs" shown above). Rewriter programs -# should be prepared to receive and possibly ignore additional -# whitespace-separated tokens on each input line. +# OK +# When neither of url= and rewrite-url= are sent Squid does +# not change the URL. # -# And the rewriter may return a rewritten URL. The other components of -# the request line does not need to be returned (ignored if they are). +# ERR +# Do not change the URL. # -# The rewriter can also indicate that a client-side redirect should -# be performed to the new URL. This is done by prefixing the returned -# URL with "301:" (moved permanently) or 302: (moved temporarily), etc. +# BH +# An internal error occurred in the helper, preventing +# a result being identified. The 'message=' key name is +# reserved for delivering a log message. +# +# +# In addition to the above kv-pairs Squid also understands the following +# optional kv-pairs received from URL rewriters: +# clt_conn_tag=TAG +# Associates a TAG with the client TCP connection. +# The TAG is treated as a regular annotation but persists across +# future requests on the client connection rather than just the +# current request. A helper may update the TAG during subsequent +# requests be returning a new kv-pair. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# WARNING: URL re-writing ability should be avoided whenever possible. +# Use the URL redirect form of response instead. +# +# Re-write creates a difference in the state held by the client +# and server. Possibly causing confusion when the server response +# contains snippets of its view state. Embeded URLs, response +# and content Location headers, etc. are not re-written by this +# interface. # # By default, a URL rewriter is not used. #Default: # none # TAG: url_rewrite_children -# The number of redirector processes to spawn. If you start -# too few Squid will have to wait for them to process a backlog of -# URLs, slowing it down. If you start too many they will use RAM -# and other system resources. -#Default: -# url_rewrite_children 5 - -# TAG: url_rewrite_concurrency +# The maximum number of redirector processes to spawn. If you limit +# it too few Squid will have to wait for them to process a backlog of +# URLs, slowing it down. If you allow too many they will use RAM +# and other system resources noticably. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup= +# +# Sets a minimum of how many processes are to be spawned when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few will cause an initial slowdown in traffic as Squid +# attempts to simultaneously spawn enough processes to cope. +# +# idle= +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# # The number of requests each redirector helper can handle in # parallel. Defaults to 0 which indicates the redirector # is a old-style single threaded redirector. # # When this directive is set to a value >= 1 then the protocol # used to communicate with the helper is modified to include -# a request ID in front of the request/response. The request -# ID from the request must be echoed back with the response -# to that request. +# an ID in front of the request/response. The ID from the request +# must be echoed back with the response to that request. #Default: -# url_rewrite_concurrency 0 +# url_rewrite_children 20 startup=0 idle=1 concurrency=0 # TAG: url_rewrite_host_header -# By default Squid rewrites any Host: header in redirected -# requests. If you are running an accelerator this may -# not be a wanted effect of a redirector. -# +# To preserve same-origin security policies in browsers and +# prevent Host: header forgery by redirectors Squid rewrites +# any Host: header in redirected requests. +# +# If you are running an accelerator this may not be a wanted +# effect of a redirector. This directive enables you disable +# Host: alteration in reverse-proxy traffic. +# # WARNING: Entries are cached on the result of the URL rewriting # process, so be careful if you have domain-virtual hosts. +# +# WARNING: Squid and other software verifies the URL and Host +# are matching, so be careful not to relay through other proxies +# or inspecting firewalls with this disabled. #Default: # url_rewrite_host_header on # TAG: url_rewrite_access # If defined, this access list specifies which requests are -# sent to the redirector processes. By default all requests -# are sent. +# sent to the redirector processes. # # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: url_rewrite_bypass # When this is 'on', a request will not go through the -# redirector if all redirectors are busy. If this is 'off' +# redirector if all the helpers are busy. If this is 'off' # and the redirector queue grows too large, Squid will exit # with a FATAL error and ask you to increase the number of # redirectors. You should only enable this if the redirectors @@ -2987,23 +4527,231 @@ coredump_dir /var/spool/squid #Default: # url_rewrite_bypass off -# OPTIONS FOR TUNING THE CACHE +# TAG: url_rewrite_extras +# Specifies a string to be append to request line format for the +# rewriter helper. "Quoted" format values may contain spaces and +# logformat %macros. In theory, any logformat %macro can be used. +# In practice, a %macro expands as a dash (-) if the helper request is +# sent before the required macro information is available to Squid. +#Default: +# url_rewrite_extras "%>a/%>A %un %>rm myip=%la myport=%lp" + +# OPTIONS FOR STORE ID # ----------------------------------------------------------------------------- -# TAG: cache -# A list of ACL elements which, if matched and denied, cause the request to -# not be satisfied from the cache and the reply to not be cached. -# In other words, use this to force certain objects to never be cached. +# TAG: store_id_program +# Specify the location of the executable StoreID helper to use. +# Since they can perform almost any function there isn't one included. # -# You must use the words 'allow' or 'deny' to indicate whether items -# matching the ACL should be allowed or denied into the cache. +# For each requested URL, the helper will receive one line with the format # -# Default is to allow all to be cached. +# [channel-ID ] URL [ extras] +# +# +# After processing the request the helper must reply using the following format: +# +# [channel-ID ] result [ kv-pairs] +# +# The result code can be: +# +# OK store-id="..." +# Use the StoreID supplied in 'store-id='. +# +# ERR +# The default is to use HTTP request URL as the store ID. +# +# BH +# An internal error occured in the helper, preventing +# a result being identified. +# +# In addition to the above kv-pairs Squid also understands the following +# optional kv-pairs received from URL rewriters: +# clt_conn_tag=TAG +# Associates a TAG with the client TCP connection. +# Please see url_rewrite_program related documentation for this +# kv-pair +# +# Helper programs should be prepared to receive and possibly ignore +# additional whitespace-separated tokens on each input line. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# NOTE: when using StoreID refresh_pattern will apply to the StoreID +# returned from the helper and not the URL. +# +# WARNING: Wrong StoreID value returned by a careless helper may result +# in the wrong cached response returned to the user. +# +# By default, a StoreID helper is not used. +#Default: +# none + +# TAG: store_id_extras +# Specifies a string to be append to request line format for the +# StoreId helper. "Quoted" format values may contain spaces and +# logformat %macros. In theory, any logformat %macro can be used. +# In practice, a %macro expands as a dash (-) if the helper request is +# sent before the required macro information is available to Squid. +#Default: +# store_id_extras "%>a/%>A %un %>rm myip=%la myport=%lp" + +# TAG: store_id_children +# The maximum number of StoreID helper processes to spawn. If you limit +# it too few Squid will have to wait for them to process a backlog of +# requests, slowing it down. If you allow too many they will use RAM +# and other system resources noticably. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup= +# +# Sets a minimum of how many processes are to be spawned when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few will cause an initial slowdown in traffic as Squid +# attempts to simultaneously spawn enough processes to cope. +# +# idle= +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# +# The number of requests each storeID helper can handle in +# parallel. Defaults to 0 which indicates the helper +# is a old-style single threaded program. +# +# When this directive is set to a value >= 1 then the protocol +# used to communicate with the helper is modified to include +# an ID in front of the request/response. The ID from the request +# must be echoed back with the response to that request. +#Default: +# store_id_children 20 startup=0 idle=1 concurrency=0 + +# TAG: store_id_access +# If defined, this access list specifies which requests are +# sent to the StoreID processes. By default all requests +# are sent. # # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow, unless rules exist in squid.conf. + +# TAG: store_id_bypass +# When this is 'on', a request will not go through the +# helper if all helpers are busy. If this is 'off' +# and the helper queue grows too large, Squid will exit +# with a FATAL error and ask you to increase the number of +# helpers. You should only enable this if the helperss +# are not critical to your caching system. If you use +# helpers for critical caching components, and you enable this +# option, users may not get objects from cache. +#Default: +# store_id_bypass on + +# OPTIONS FOR TUNING THE CACHE +# ----------------------------------------------------------------------------- + +# TAG: cache +# Requests denied by this directive will not be served from the cache +# and their responses will not be stored in the cache. This directive +# has no effect on other transactions and on already cached responses. +# +# This clause supports both fast and slow acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# This and the two other similar caching directives listed below are +# checked at different transaction processing stages, have different +# access to response information, affect different cache operations, +# and differ in slow ACLs support: +# +# * cache: Checked before Squid makes a hit/miss determination. +# No access to reply information! +# Denies both serving a hit and storing a miss. +# Supports both fast and slow ACLs. +# * send_hit: Checked after a hit was detected. +# Has access to reply (hit) information. +# Denies serving a hit only. +# Supports fast ACLs only. +# * store_miss: Checked before storing a cachable miss. +# Has access to reply (miss) information. +# Denies storing a miss only. +# Supports fast ACLs only. +# +# If you are not sure which of the three directives to use, apply the +# following decision logic: +# +# * If your ACL(s) are of slow type _and_ need response info, redesign. +# Squid does not support that particular combination at this time. +# Otherwise: +# * If your directive ACL(s) are of slow type, use "cache"; and/or +# * if your directive ACL(s) need no response info, use "cache". +# Otherwise: +# * If you do not want the response cached, use store_miss; and/or +# * if you do not want a hit on a cached response, use send_hit. +#Default: +# By default, this directive is unused and has no effect. + +# TAG: send_hit +# Responses denied by this directive will not be served from the cache +# (but may still be cached, see store_miss). This directive has no +# effect on the responses it allows and on the cached objects. +# +# Please see the "cache" directive for a summary of differences among +# store_miss, send_hit, and cache directives. +# +# Unlike the "cache" directive, send_hit only supports fast acl +# types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# For example: +# +# # apply custom Store ID mapping to some URLs +# acl MapMe dstdomain .c.example.com +# store_id_program ... +# store_id_access allow MapMe +# +# # but prevent caching of special responses +# # such as 302 redirects that cause StoreID loops +# acl Ordinary http_status 200-299 +# store_miss deny MapMe !Ordinary +# +# # and do not serve any previously stored special responses +# # from the cache (in case they were already cached before +# # the above store_miss rule was in effect). +# send_hit deny MapMe !Ordinary +#Default: +# By default, this directive is unused and has no effect. + +# TAG: store_miss +# Responses denied by this directive will not be cached (but may still +# be served from the cache, see send_hit). This directive has no +# effect on the responses it allows and on the already cached responses. +# +# Please see the "cache" directive for a summary of differences among +# store_miss, send_hit, and cache directives. See the +# send_hit directive for a usage example. +# +# Unlike the "cache" directive, store_miss only supports fast acl +# types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# By default, this directive is unused and has no effect. + +# TAG: max_stale time-units +# This option puts an upper limit on how stale content Squid +# will serve from the cache if cache validation fails. +# Can be overriden by the refresh_pattern max-stale option. +#Default: +# max_stale 1 week # TAG: refresh_pattern # usage: refresh_pattern [-i] regex min percent max [options] @@ -3028,12 +4776,13 @@ coredump_dir /var/spool/squid # override-lastmod # reload-into-ims # ignore-reload -# ignore-no-cache # ignore-no-store # ignore-must-revalidate # ignore-private # ignore-auth +# max-stale=NN # refresh-ims +# store-stale # # override-expire enforces min age even if the server # sent an explicit expiry time (e.g., with the @@ -3049,22 +4798,18 @@ coredump_dir /var/spool/squid # override-lastmod enforces min age even on objects # that were modified recently. # -# reload-into-ims changes client no-cache or ``reload'' -# to If-Modified-Since requests. Doing this VIOLATES the -# HTTP standard. Enabling this feature could make you -# liable for problems which it causes. +# reload-into-ims changes a client no-cache or ``reload'' +# request for a cached entry into a conditional request using +# If-Modified-Since and/or If-None-Match headers, provided the +# cached entry has a Last-Modified and/or a strong ETag header. +# Doing this VIOLATES the HTTP standard. Enabling this feature +# could make you liable for problems which it causes. # # ignore-reload ignores a client no-cache or ``reload'' # header. Doing this VIOLATES the HTTP standard. Enabling # this feature could make you liable for problems which # it causes. # -# ignore-no-cache ignores any ``Pragma: no-cache'' and -# ``Cache-control: no-cache'' headers received from a server. -# The HTTP RFC never allows the use of this (Pragma) header -# from a server, only a client, though plenty of servers -# send it anyway. -# # ignore-no-store ignores any ``Cache-control: no-store'' # headers received from a server. Doing this VIOLATES # the HTTP standard. Enabling this feature could make you @@ -3091,9 +4836,19 @@ coredump_dir /var/spool/squid # ensures that the client will receive an updated version # if one is available. # +# store-stale stores responses even if they don't have explicit +# freshness or a validator (i.e., Last-Modified or an ETag) +# present, or if they're already stale. By default, Squid will +# not cache such responses because they usually can't be +# reused. Note that such responses will be stale by default. +# +# max-stale=NN provide a maximum staleness factor. Squid won't +# serve objects more stale than this even if it failed to +# validate the object. Default: use the max_stale global limit. +# # Basically a cached object is: # -# FRESH if expires < now, else STALE +# FRESH if expire > now, else STALE # STALE if age > max # FRESH if lm-factor < percent, else STALE # FRESH if age < min @@ -3109,7 +4864,9 @@ coredump_dir /var/spool/squid # # +# # Add any of your own refresh_pattern entries above these. +# refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 @@ -3137,7 +4894,7 @@ refresh_pattern . 0 20% 4320 # downloads. # # When the user aborts a request, Squid will check the -# quick_abort values to the amount of data transfered until +# quick_abort values to the amount of data transferred until # then. # # If the transfer has less than 'quick_abort_min' KB remaining, @@ -3195,44 +4952,68 @@ refresh_pattern . 0 20% 4320 #Default: # negative_dns_ttl 1 minutes -# TAG: range_offset_limit (bytes) -# Sets a upper limit on how far into the the file a Range request -# may be to cause Squid to prefetch the whole file. If beyond this -# limit Squid forwards the Range request as it is and the result -# is NOT cached. -# +# TAG: range_offset_limit size [acl acl...] +# usage: (size) [units] [[!]aclname] +# +# Sets an upper limit on how far (number of bytes) into the file +# a Range request may be to cause Squid to prefetch the whole file. +# If beyond this limit, Squid forwards the Range request as it is and +# the result is NOT cached. +# # This is to stop a far ahead range request (lets say start at 17MB) # from making Squid fetch the whole object up to that point before # sending anything to the client. -# -# A value of 0 causes Squid to never fetch more than the +# +# Multiple range_offset_limit lines may be specified, and they will +# be searched from top to bottom on each request until a match is found. +# The first match found will be used. If no line matches a request, the +# default limit of 0 bytes will be used. +# +# 'size' is the limit specified as a number of units. +# +# 'units' specifies whether to use bytes, KB, MB, etc. +# If no units are specified bytes are assumed. +# +# A size of 0 causes Squid to never fetch more than the # client requested. (default) -# -# A value of -1 causes Squid to always fetch the object from the +# +# A size of 'none' causes Squid to always fetch the object from the # beginning so it may cache the result. (2.0 style) -# -# NP: Using -1 here will override any quick_abort settings that may -# otherwise apply to the range request. The range request will +# +# 'aclname' is the name of a defined ACL. +# +# NP: Using 'none' as the byte value here will override any quick_abort settings +# that may otherwise apply to the range request. The range request will # be fully fetched from start to finish regardless of the client # actions. This affects bandwidth usage. #Default: -# range_offset_limit 0 KB +# none # TAG: minimum_expiry_time (seconds) # The minimum caching time according to (Expires - Date) -# Headers Squid honors if the object can't be revalidated -# defaults to 60 seconds. In reverse proxy environments it -# might be desirable to honor shorter object lifetimes. It -# is most likely better to make your server return a -# meaningful Last-Modified header however. In ESI environments -# where page fragments often have short lifetimes, this will -# often be best set to 0. +# headers Squid honors if the object can't be revalidated. +# The default is 60 seconds. +# +# In reverse proxy environments it might be desirable to honor +# shorter object lifetimes. It is most likely better to make +# your server return a meaningful Last-Modified header however. +# +# In ESI environments where page fragments often have short +# lifetimes, this will often be best set to 0. #Default: # minimum_expiry_time 60 seconds -# TAG: store_avg_object_size (kbytes) +# TAG: store_avg_object_size (bytes) # Average object size, used to estimate number of objects your # cache can hold. The default is 13 KB. +# +# This is used to pre-seed the cache index memory allocation to +# reduce expensive reallocate operations while handling clients +# traffic. Too-large values may result in memory allocation during +# peak traffic, too-small values will result in wasted memory. +# +# Check the cache manager 'info' report metrics for the real +# object sizes seen by your Squid before tuning this. #Default: # store_avg_object_size 13 KB @@ -3271,8 +5052,11 @@ refresh_pattern . 0 20% 4320 # than this limit receives an "Invalid Request" error message. # If you set this parameter to a zero (the default), there will # be no limit imposed. +# +# See also client_request_buffer_max_size for an alternative +# limitation on client uploads which can be configured. #Default: -# request_body_max_size 0 KB +# No limit. # TAG: client_request_buffer_max_size (bytes) # This specifies the maximum buffer size of a client request. @@ -3281,29 +5065,6 @@ refresh_pattern . 0 20% 4320 #Default: # client_request_buffer_max_size 512 KB -# TAG: chunked_request_body_max_size (bytes) -# A broken or confused HTTP/1.1 client may send a chunked HTTP -# request to Squid. Squid does not have full support for that -# feature yet. To cope with such requests, Squid buffers the -# entire request and then dechunks request body to create a -# plain HTTP/1.0 request with a known content length. The plain -# request is then used by the rest of Squid code as usual. -# -# The option value specifies the maximum size of the buffer used -# to hold the request before the conversion. If the chunked -# request size exceeds the specified limit, the conversion -# fails, and the client receives an "unsupported request" error, -# as if dechunking was disabled. -# -# Dechunking is enabled by default. To disable conversion of -# chunked requests, set the maximum to zero. -# -# Request dechunking feature and this option in particular are a -# temporary hack. When chunking requests and responses are fully -# supported, there will be no need to buffer a chunked request. -#Default: -# chunked_request_body_max_size 64 KB - # TAG: broken_posts # A list of ACL elements which, if matched, causes Squid to send # an extra CRLF pair after the body of a PUT/POST request. @@ -3325,15 +5086,15 @@ refresh_pattern . 0 20% 4320 # acl buggy_server url_regex ^http://.... # broken_posts allow buggy_server #Default: -# none +# Obey RFC 2616. -# TAG: icap_uses_indirect_client on|off +# TAG: adaptation_uses_indirect_client on|off # Controls whether the indirect client IP address (instead of the direct # client IP address) is passed to adaptation services. # # See also: follow_x_forwarded_for adaptation_send_client_ip #Default: -# icap_uses_indirect_client on +# adaptation_uses_indirect_client on # TAG: via on|off # If set (default), Squid will include a Via header in requests and @@ -3395,64 +5156,62 @@ refresh_pattern . 0 20% 4320 # # This option replaces the old 'anonymize_headers' and the # older 'http_anonymizer' option with something that is much -# more configurable. This new method creates a list of ACLs -# for each header, allowing you very fine-tuned header -# mangling. -# -# This option only applies to request headers, i.e., from the -# client to the server. -# -# You can only specify known headers for the header name. -# Other headers are reclassified as 'Other'. You can also -# refer to all the headers with 'All'. +# more configurable. A list of ACLs for each header name allows +# removal of specific header fields under specific conditions. +# +# This option only applies to outgoing HTTP request headers (i.e., +# headers sent by Squid to the next HTTP hop such as a cache peer +# or an origin server). The option has no effect during cache hit +# detection. The equivalent adaptation vectoring point in ICAP +# terminology is post-cache REQMOD. +# +# The option is applied to individual outgoing request header +# fields. For each request header field F, Squid uses the first +# qualifying sets of request_header_access rules: +# +# 1. Rules with header_name equal to F's name. +# 2. Rules with header_name 'Other', provided F's name is not +# on the hard-coded list of commonly used HTTP header names. +# 3. Rules with header_name 'All'. +# +# Within that qualifying rule set, rule ACLs are checked as usual. +# If ACLs of an "allow" rule match, the header field is allowed to +# go through as is. If ACLs of a "deny" rule match, the header is +# removed and request_header_replace is then checked to identify +# if the removed header has a replacement. If no rules within the +# set have matching ACLs, the header field is left as is. # # For example, to achieve the same behavior as the old # 'http_anonymizer standard' option, you should use: # # request_header_access From deny all # request_header_access Referer deny all -# request_header_access Server deny all # request_header_access User-Agent deny all -# request_header_access WWW-Authenticate deny all -# request_header_access Link deny all # # Or, to reproduce the old 'http_anonymizer paranoid' feature # you should use: # -# request_header_access Allow allow all # request_header_access Authorization allow all -# request_header_access WWW-Authenticate allow all # request_header_access Proxy-Authorization allow all -# request_header_access Proxy-Authenticate allow all # request_header_access Cache-Control allow all -# request_header_access Content-Encoding allow all # request_header_access Content-Length allow all # request_header_access Content-Type allow all # request_header_access Date allow all -# request_header_access Expires allow all # request_header_access Host allow all # request_header_access If-Modified-Since allow all -# request_header_access Last-Modified allow all -# request_header_access Location allow all # request_header_access Pragma allow all # request_header_access Accept allow all # request_header_access Accept-Charset allow all # request_header_access Accept-Encoding allow all # request_header_access Accept-Language allow all -# request_header_access Content-Language allow all -# request_header_access Mime-Version allow all -# request_header_access Retry-After allow all -# request_header_access Title allow all # request_header_access Connection allow all # request_header_access All deny all # -# although many of those are HTTP reply headers, and so should be -# controlled with the reply_header_access directive. +# HTTP reply headers are controlled with the reply_header_access directive. # -# By default, all headers are allowed (no anonymizing is -# performed). +# By default, all headers are allowed (no anonymizing is performed). #Default: -# none +# No limits. # TAG: reply_header_access # Usage: reply_header_access header_name allow|deny [!]aclname ... @@ -3465,25 +5224,13 @@ refresh_pattern . 0 20% 4320 # server to the client. # # This is the same as request_header_access, but in the other -# direction. -# -# This option replaces the old 'anonymize_headers' and the -# older 'http_anonymizer' option with something that is much -# more configurable. This new method creates a list of ACLs -# for each header, allowing you very fine-tuned header -# mangling. -# -# You can only specify known headers for the header name. -# Other headers are reclassified as 'Other'. You can also -# refer to all the headers with 'All'. +# direction. Please see request_header_access for detailed +# documentation. # # For example, to achieve the same behavior as the old # 'http_anonymizer standard' option, you should use: # -# reply_header_access From deny all -# reply_header_access Referer deny all # reply_header_access Server deny all -# reply_header_access User-Agent deny all # reply_header_access WWW-Authenticate deny all # reply_header_access Link deny all # @@ -3491,9 +5238,7 @@ refresh_pattern . 0 20% 4320 # you should use: # # reply_header_access Allow allow all -# reply_header_access Authorization allow all # reply_header_access WWW-Authenticate allow all -# reply_header_access Proxy-Authorization allow all # reply_header_access Proxy-Authenticate allow all # reply_header_access Cache-Control allow all # reply_header_access Content-Encoding allow all @@ -3501,29 +5246,22 @@ refresh_pattern . 0 20% 4320 # reply_header_access Content-Type allow all # reply_header_access Date allow all # reply_header_access Expires allow all -# reply_header_access Host allow all -# reply_header_access If-Modified-Since allow all # reply_header_access Last-Modified allow all # reply_header_access Location allow all # reply_header_access Pragma allow all -# reply_header_access Accept allow all -# reply_header_access Accept-Charset allow all -# reply_header_access Accept-Encoding allow all -# reply_header_access Accept-Language allow all # reply_header_access Content-Language allow all -# reply_header_access Mime-Version allow all # reply_header_access Retry-After allow all # reply_header_access Title allow all +# reply_header_access Content-Disposition allow all # reply_header_access Connection allow all # reply_header_access All deny all # -# although the HTTP request headers won't be usefully controlled -# by this directive -- see request_header_access for details. +# HTTP request headers are controlled with the request_header_access directive. # # By default, all headers are allowed (no anonymizing is # performed). #Default: -# none +# No limits. # TAG: request_header_replace # Usage: request_header_replace header_name message @@ -3531,8 +5269,7 @@ refresh_pattern . 0 20% 4320 # # This option allows you to change the contents of headers # denied with request_header_access above, by replacing them -# with some fixed string. This replaces the old fake_user_agent -# option. +# with some fixed string. # # This only applies to request headers, not reply headers. # @@ -3554,6 +5291,57 @@ refresh_pattern . 0 20% 4320 #Default: # none +# TAG: request_header_add +# Usage: request_header_add field-name field-value acl1 [acl2] ... +# Example: request_header_add X-Client-CA "CA=%ssl::>cert_issuer" all +# +# This option adds header fields to outgoing HTTP requests (i.e., +# request headers sent by Squid to the next HTTP hop such as a +# cache peer or an origin server). The option has no effect during +# cache hit detection. The equivalent adaptation vectoring point +# in ICAP terminology is post-cache REQMOD. +# +# Field-name is a token specifying an HTTP header name. If a +# standard HTTP header name is used, Squid does not check whether +# the new header conflicts with any existing headers or violates +# HTTP rules. If the request to be modified already contains a +# field with the same name, the old field is preserved but the +# header field values are not merged. +# +# Field-value is either a token or a quoted string. If quoted +# string format is used, then the surrounding quotes are removed +# while escape sequences and %macros are processed. +# +# In theory, all of the logformat codes can be used as %macros. +# However, unlike logging (which happens at the very end of +# transaction lifetime), the transaction may not yet have enough +# information to expand a macro when the new header value is needed. +# And some information may already be available to Squid but not yet +# committed where the macro expansion code can access it (report +# such instances!). The macro will be expanded into a single dash +# ('-') in such cases. Not all macros have been tested. +# +# One or more Squid ACLs may be specified to restrict header +# injection to matching requests. As always in squid.conf, all +# ACLs in an option ACL list must be satisfied for the insertion +# to happen. The request_header_add option supports fast ACLs +# only. +#Default: +# none + +# TAG: note +# This option used to log custom information about the master +# transaction. For example, an admin may configure Squid to log +# which "user group" the transaction belongs to, where "user group" +# will be determined based on a set of ACLs and not [just] +# authentication information. +# Values of key/value pairs can be logged using %{key}note macros: +# +# note key value acl ... +# logformat myFormat ... %{key}note ... +#Default: +# none + # TAG: relaxed_header_parser on|off|warn # In the default "on" setting Squid accepts certain forms # of non-compliant HTTP messages where it is unambiguous @@ -3569,15 +5357,32 @@ refresh_pattern . 0 20% 4320 #Default: # relaxed_header_parser on -# TAG: ignore_expect_100 on|off -# This option makes Squid ignore any Expect: 100-continue header present -# in the request. RFC 2616 requires that Squid being unable to satisfy -# the response expectation MUST return a 417 error. -# -# Note: Enabling this is a HTTP protocol violation, but some clients may -# not handle it well.. -#Default: -# ignore_expect_100 off +# TAG: collapsed_forwarding (on|off) +# When enabled, instead of forwarding each concurrent request for +# the same URL, Squid just sends the first of them. The other, so +# called "collapsed" requests, wait for the response to the first +# request and, if it happens to be cachable, use that response. +# Here, "concurrent requests" means "received after the first +# request headers were parsed and before the corresponding response +# headers were parsed". +# +# This feature is disabled by default: enabling collapsed +# forwarding needlessly delays forwarding requests that look +# cachable (when they are collapsed) but then need to be forwarded +# individually anyway because they end up being for uncachable +# content. However, in some cases, such as acceleration of highly +# cachable content with periodic or grouped expiration times, the +# gains from collapsing [large volumes of simultaneous refresh +# requests] outweigh losses from such delays. +# +# Squid collapses two kinds of requests: regular client requests +# received on one of the listening ports and internal "cache +# revalidation" requests which are triggered by those regular +# requests hitting a stale cached object. Revalidation collapsing +# is currently disabled for Squid instances containing SMP-aware +# disk or memory caches and for Vary-controlled cached objects. +#Default: +# collapsed_forwarding off # TIMEOUTS # ----------------------------------------------------------------------------- @@ -3604,25 +5409,46 @@ refresh_pattern . 0 20% 4320 # peer_connect_timeout 30 seconds # TAG: read_timeout time-units -# The read_timeout is applied on server-side connections. After -# each successful read(), the timeout will be extended by this +# Applied on peer server connections. +# +# After each successful read(), the timeout will be extended by this # amount. If no data is read again after this amount of time, -# the request is aborted and logged with ERR_READ_TIMEOUT. The -# default is 15 minutes. +# the request is aborted and logged with ERR_READ_TIMEOUT. +# +# The default is 15 minutes. #Default: # read_timeout 15 minutes +# TAG: write_timeout time-units +# This timeout is tracked for all connections that have data +# available for writing and are waiting for the socket to become +# ready. After each successful write, the timeout is extended by +# the configured amount. If Squid has data to write but the +# connection is not ready for the configured duration, the +# transaction associated with the connection is terminated. The +# default is 15 minutes. +#Default: +# write_timeout 15 minutes + # TAG: request_timeout # How long to wait for complete HTTP request headers after initial # connection establishment. #Default: # request_timeout 5 minutes -# TAG: persistent_request_timeout +# TAG: client_idle_pconn_timeout # How long to wait for the next HTTP request on a persistent -# connection after the previous request completes. +# client connection after the previous request completes. +#Default: +# client_idle_pconn_timeout 2 minutes + +# TAG: ftp_client_idle_timeout +# How long to wait for an FTP request on a connection to Squid ftp_port. +# Many FTP clients do not deal with idle connection closures well, +# necessitating a longer default timeout than client_idle_pconn_timeout +# used for incoming HTTP requests. #Default: -# persistent_request_timeout 2 minutes +# ftp_client_idle_timeout 30 minutes # TAG: client_lifetime time-units # The maximum amount of time a client (browser) is allowed to @@ -3658,11 +5484,11 @@ refresh_pattern . 0 20% 4320 #Default: # half_closed_clients off -# TAG: pconn_timeout +# TAG: server_idle_pconn_timeout # Timeout for idle persistent connections to servers and other # proxies. #Default: -# pconn_timeout 1 minute +# server_idle_pconn_timeout 1 minute # TAG: ident_timeout # Maximum time to wait for IDENT lookups to complete. @@ -3687,15 +5513,15 @@ refresh_pattern . 0 20% 4320 # TAG: cache_mgr # Email-address of local cache manager who will receive -# mail if the cache dies. The default is "webmaster." +# mail if the cache dies. The default is "webmaster". #Default: # cache_mgr webmaster # TAG: mail_from # From: email-address for mail sent when the cache dies. -# The default is to use 'appname@unique_hostname'. -# Default appname value is "squid", can be changed into -# src/globals.h before building squid. +# The default is to use 'squid@unique_hostname'. +# +# See also: unique_hostname directive. #Default: # none @@ -3734,7 +5560,7 @@ refresh_pattern . 0 20% 4320 # Our preference is for administrators to configure a secure # user account for squid with UID/GID matching system policies. #Default: -# none +# Use system group memberships of the cache_effective_user account # TAG: httpd_suppress_version_string on|off # Suppress Squid version string info in HTTP headers and HTML error pages. @@ -3748,14 +5574,14 @@ refresh_pattern . 0 20% 4320 # get errors about IP-forwarding you must set them to have individual # names with this setting. #Default: -# visible_hostname localhost +# Automatically detect the system host name # TAG: unique_hostname # If you want to have multiple machines with the same # 'visible_hostname' you must give each machine a different # 'unique_hostname' so forwarding loops can be detected. #Default: -# none +# Copy the value from visible_hostname # TAG: hostname_aliases # A list of other DNS names your cache has. @@ -3794,33 +5620,32 @@ refresh_pattern . 0 20% 4320 # available on the Web at http://www.ircache.net/Cache/Tracker/. # TAG: announce_period -# This is how frequently to send cache announcements. The -# default is `0' which disables sending the announcement -# messages. +# This is how frequently to send cache announcements. # # To enable announcing your cache, just set an announce period. # # Example: # announce_period 1 day #Default: -# announce_period 0 +# Announcement messages disabled. # TAG: announce_host +# Set the hostname where announce registration messages will be sent. +# +# See also announce_port and announce_file #Default: # announce_host tracker.ircache.net # TAG: announce_file +# The contents of this file will be included in the announce +# registration messages. #Default: # none # TAG: announce_port -# announce_host and announce_port set the hostname and port -# number where the registration message will be sent. +# Set the port where announce registration messages will be sent. # -# Hostname will default to 'tracker.ircache.net' and port will -# default default to 3131. If the 'filename' argument is given, -# the contents of that file will be included in the announce -# message. +# See also announce_host and announce_file #Default: # announce_port 3131 @@ -3833,10 +5658,12 @@ refresh_pattern . 0 20% 4320 # a farm of surrogates may all perform the same tasks, they may share # an identification token. #Default: -# httpd_accel_surrogate_id unset-id +# visible_hostname is used if no specific ID is set. # TAG: http_accel_surrogate_remote on|off -# Remote surrogates (such as those in a CDN) honour Surrogate-Control: no-store-remote. +# Remote surrogates (such as those in a CDN) honour the header +# "Surrogate-Control: no-store-remote". +# # Set this to on to have squid behave as a remote surrogate. #Default: # http_accel_surrogate_remote off @@ -3855,6 +5682,9 @@ refresh_pattern . 0 20% 4320 # This represents the number of delay pools to be used. For example, # if you have one class 2 delay pool and one class 3 delays pool, you # have a total of 2 delay pools. +# +# See also delay_parameters, delay_class, delay_access for pool +# configuration details. #Default: # delay_pools 0 @@ -3907,6 +5737,11 @@ refresh_pattern . 0 20% 4320 # # NOTE-2: Due to the use of bitmasks in class 2,3,4 pools they only apply to # IPv4 traffic. Class 1 and 5 pools may be used with IPv6 traffic. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# See also delay_parameters and delay_access. #Default: # none @@ -3921,14 +5756,16 @@ refresh_pattern . 0 20% 4320 # For example, if you want some_big_clients in delay # pool 1 and lotsa_little_clients in delay pool 2: # -#Example: -# delay_access 1 allow some_big_clients -# delay_access 1 deny all -# delay_access 2 allow lotsa_little_clients -# delay_access 2 deny all -# delay_access 3 allow authenticated_clients +# delay_access 1 allow some_big_clients +# delay_access 1 deny all +# delay_access 2 allow lotsa_little_clients +# delay_access 2 deny all +# delay_access 3 allow authenticated_clients +# +# See also delay_parameters and delay_class. +# #Default: -# none +# Deny using the pool, unless allow rules exist in squid.conf for the pool. # TAG: delay_parameters # This defines the parameters for a delay pool. Each delay pool has @@ -3936,23 +5773,23 @@ refresh_pattern . 0 20% 4320 # description of delay_class. # # For a class 1 delay pool, the syntax is: -# delay_pools pool 1 +# delay_class pool 1 # delay_parameters pool aggregate # # For a class 2 delay pool: -# delay_pools pool 2 +# delay_class pool 2 # delay_parameters pool aggregate individual # # For a class 3 delay pool: -# delay_pools pool 3 +# delay_class pool 3 # delay_parameters pool aggregate network individual # # For a class 4 delay pool: -# delay_pools pool 4 +# delay_class pool 4 # delay_parameters pool aggregate network individual user # # For a class 5 delay pool: -# delay_pools pool 5 +# delay_class pool 5 # delay_parameters pool tagrate # # The option variables are: @@ -3988,11 +5825,11 @@ refresh_pattern . 0 20% 4320 # above example, and is being used to strictly limit each host to 64Kbit/sec # (plus overheads), with no overall limit, the line is: # -# delay_parameters 1 -1/-1 8000/8000 +# delay_parameters 1 none 8000/8000 # -# Note that 8 x 8000 KByte/sec -> 64Kbit/sec. +# Note that 8 x 8K Byte/sec -> 64K bit/sec. # -# Note that the figure -1 is used to represent "unlimited". +# Note that the word 'none' is used to represent no limit. # # # And, if delay pool number 2 is a class 3 delay pool as in the above @@ -4005,15 +5842,19 @@ refresh_pattern . 0 20% 4320 # # delay_parameters 2 32000/32000 8000/8000 600/8000 # -# Note that 8 x 32000 KByte/sec -> 256Kbit/sec. -# 8 x 8000 KByte/sec -> 64Kbit/sec. -# 8 x 600 Byte/sec -> 4800bit/sec. +# Note that 8 x 32K Byte/sec -> 256K bit/sec. +# 8 x 8K Byte/sec -> 64K bit/sec. +# 8 x 600 Byte/sec -> 4800 bit/sec. # # # Finally, for a class 4 delay pool as in the example - each user will # be limited to 128Kbits/sec no matter how many workstations they are logged into.: # # delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000 +# +# +# See also delay_class and delay_access. +# #Default: # none @@ -4026,6 +5867,94 @@ refresh_pattern . 0 20% 4320 #Default: # delay_initial_bucket_level 50 +# CLIENT DELAY POOL PARAMETERS +# ----------------------------------------------------------------------------- + +# TAG: client_delay_pools +# This option specifies the number of client delay pools used. It must +# preceed other client_delay_* options. +# +# Example: +# client_delay_pools 2 +# +# See also client_delay_parameters and client_delay_access. +#Default: +# client_delay_pools 0 + +# TAG: client_delay_initial_bucket_level (percent, 0-no_limit) +# This option determines the initial bucket size as a percentage of +# max_bucket_size from client_delay_parameters. Buckets are created +# at the time of the "first" connection from the matching IP. Idle +# buckets are periodically deleted up. +# +# You can specify more than 100 percent but note that such "oversized" +# buckets are not refilled until their size goes down to max_bucket_size +# from client_delay_parameters. +# +# Example: +# client_delay_initial_bucket_level 50 +#Default: +# client_delay_initial_bucket_level 50 + +# TAG: client_delay_parameters +# +# This option configures client-side bandwidth limits using the +# following format: +# +# client_delay_parameters pool speed_limit max_bucket_size +# +# pool is an integer ID used for client_delay_access matching. +# +# speed_limit is bytes added to the bucket per second. +# +# max_bucket_size is the maximum size of a bucket, enforced after any +# speed_limit additions. +# +# Please see the delay_parameters option for more information and +# examples. +# +# Example: +# client_delay_parameters 1 1024 2048 +# client_delay_parameters 2 51200 16384 +# +# See also client_delay_access. +# +#Default: +# none + +# TAG: client_delay_access +# This option determines the client-side delay pool for the +# request: +# +# client_delay_access pool_ID allow|deny acl_name +# +# All client_delay_access options are checked in their pool ID +# order, starting with pool 1. The first checked pool with allowed +# request is selected for the request. If no ACL matches or there +# are no client_delay_access options, the request bandwidth is not +# limited. +# +# The ACL-selected pool is then used to find the +# client_delay_parameters for the request. Client-side pools are +# not used to aggregate clients. Clients are always aggregated +# based on their source IP addresses (one bucket per source IP). +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# Additionally, only the client TCP connection details are available. +# ACLs testing HTTP properties will not work. +# +# Please see delay_access for more examples. +# +# Example: +# client_delay_access 1 allow low_rate_network +# client_delay_access 2 allow vips_network +# +# +# See also client_delay_parameters and client_delay_pools. +#Default: +# Deny use of the pool, unless allow rules exist in squid.conf for the pool. + # WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS # ----------------------------------------------------------------------------- @@ -4040,7 +5969,7 @@ refresh_pattern . 0 20% 4320 # only one of the two may be used at the same time and defines # which version of WCCP to use. #Default: -# wccp_router any_addr +# WCCP disabled. # TAG: wccp2_router # Use this option to define your WCCP ``home'' router for @@ -4053,7 +5982,7 @@ refresh_pattern . 0 20% 4320 # only one of the two may be used at the same time and defines # which version of WCCP to use. #Default: -# none +# WCCPv2 disabled. # TAG: wccp_version # This directive is only relevant if you need to set up WCCP(v1) @@ -4110,7 +6039,7 @@ refresh_pattern . 0 20% 4320 # Valid values are as follows: # # hash - Hash assignment -# mask - Mask assignment +# mask - Mask assignment # # As a general rule, cisco routers support the hash assignment method # and cisco switches support the mask assignment method. @@ -4138,7 +6067,7 @@ refresh_pattern . 0 20% 4320 # # fleshed out with subsequent options. # wccp2_service standard 0 password=foo #Default: -# wccp2_service standard 0 +# Use the 'web-cache' standard service. # TAG: wccp2_service_info # Dynamic WCCPv2 services require further information to define the @@ -4175,8 +6104,12 @@ refresh_pattern . 0 20% 4320 # wccp2_weight 10000 # TAG: wccp_address +# Use this option if you require WCCPv2 to use a specific +# interface address. +# +# The default behavior is to not bind to any specific address. #Default: -# wccp_address 0.0.0.0 +# Address selected by the operating system. # TAG: wccp2_address # Use this option if you require WCCP to use a specific @@ -4184,7 +6117,7 @@ refresh_pattern . 0 20% 4320 # # The default behavior is to not bind to any specific address. #Default: -# wccp2_address 0.0.0.0 +# Address selected by the operating system. # PERSISTENT CONNECTION HANDLING # ----------------------------------------------------------------------------- @@ -4192,14 +6125,16 @@ refresh_pattern . 0 20% 4320 # Also see "pconn_timeout" in the TIMEOUTS section # TAG: client_persistent_connections +# Persistent connection support for clients. +# Squid uses persistent connections (when allowed). You can use +# this option to disable persistent connections with clients. #Default: # client_persistent_connections on # TAG: server_persistent_connections -# Persistent connection support for clients and servers. By -# default, Squid uses persistent connections (when allowed) -# with its clients and servers. You can use these options to -# disable persistent connections with clients and/or servers. +# Persistent connection support for servers. +# Squid uses persistent connections (when allowed). You can use +# this option to disable persistent connections with servers. #Default: # server_persistent_connections on @@ -4275,7 +6210,7 @@ refresh_pattern . 0 20% 4320 # Example: # snmp_port 3401 #Default: -# snmp_port 0 +# SNMP disabled. # TAG: snmp_access # Allowing or denying access to the SNMP port. @@ -4287,26 +6222,29 @@ refresh_pattern . 0 20% 4320 # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# #Example: # snmp_access allow snmppublic localhost # snmp_access deny all #Default: -# snmp_access deny all +# Deny, unless rules exist in squid.conf. # TAG: snmp_incoming_address -#Default: -# snmp_incoming_address any_addr - -# TAG: snmp_outgoing_address # Just like 'udp_incoming_address', but for the SNMP port. # # snmp_incoming_address is used for the SNMP socket receiving # messages from SNMP agents. -# snmp_outgoing_address is used for SNMP packets returned to SNMP -# agents. # # The default snmp_incoming_address is to listen on all # available network interfaces. +#Default: +# Accept SNMP packets from all machine interfaces. + +# TAG: snmp_outgoing_address +# Just like 'udp_outgoing_address', but for the SNMP port. +# +# snmp_outgoing_address is used for SNMP packets returned to SNMP +# agents. # # If snmp_outgoing_address is not set it will use the same socket # as snmp_incoming_address. Only change this if you want to have @@ -4314,9 +6252,9 @@ refresh_pattern . 0 20% 4320 # listens for SNMP queries. # # NOTE, snmp_incoming_address and snmp_outgoing_address can not have -# the same value since they both use port 3401. +# the same value since they both use the same port. #Default: -# snmp_outgoing_address no_addr +# Use snmp_incoming_address or an address selected by the operating system. # ICP OPTIONS # ----------------------------------------------------------------------------- @@ -4324,22 +6262,21 @@ refresh_pattern . 0 20% 4320 # TAG: icp_port # The port number where Squid sends and receives ICP queries to # and from neighbor caches. The standard UDP port for ICP is 3130. -# Default is disabled (0). # # Example: # icp_port 3130 #Default: -# icp_port 0 +# ICP disabled. # TAG: htcp_port # The port number where Squid sends and receives HTCP queries to # and from neighbor caches. To turn it on you want to set it to -# 4827. By default it is set to "0" (disabled). +# 4827. # # Example: # htcp_port 4827 #Default: -# htcp_port 0 +# HTCP disabled. # TAG: log_icp_queries on|off # If set, ICP queries are logged to access.log. You may wish @@ -4365,7 +6302,7 @@ refresh_pattern . 0 20% 4320 # NOTE, udp_incoming_address and udp_outgoing_address can not # have the same value since they both use the same port. #Default: -# udp_incoming_address any_addr +# Accept packets from all machine interfaces. # TAG: udp_outgoing_address # udp_outgoing_address is used for UDP packets sent out to other @@ -4386,7 +6323,7 @@ refresh_pattern . 0 20% 4320 # NOTE, udp_incoming_address and udp_outgoing_address can not # have the same value since they both use the same port. #Default: -# udp_outgoing_address no_addr +# Use udp_incoming_address or an address selected by the operating system. # TAG: icp_hit_stale on|off # If you want to return ICP_HIT for stale cache objects, set this @@ -4405,21 +6342,33 @@ refresh_pattern . 0 20% 4320 #Default: # minimum_direct_hops 4 -# TAG: minimum_direct_rtt +# TAG: minimum_direct_rtt (msec) # If using the ICMP pinging stuff, do direct fetches for sites # which are no more than this many rtt milliseconds away. #Default: # minimum_direct_rtt 400 # TAG: netdb_low +# The low water mark for the ICMP measurement database. +# +# Note: high watermark controlled by netdb_high directive. +# +# These watermarks are counts, not percents. The defaults are +# (low) 900 and (high) 1000. When the high water mark is +# reached, database entries will be deleted until the low +# mark is reached. #Default: # netdb_low 900 # TAG: netdb_high -# The low and high water marks for the ICMP measurement -# database. These are counts, not percents. The defaults are -# 900 and 1000. When the high water mark is reached, database -# entries will be deleted until the low mark is reached. +# The high water mark for the ICMP measurement database. +# +# Note: low watermark controlled by netdb_low directive. +# +# These watermarks are counts, not percents. The defaults are +# (low) 900 and (high) 1000. When the high water mark is +# reached, database entries will be deleted until the low +# mark is reached. #Default: # netdb_high 1000 @@ -4462,7 +6411,7 @@ refresh_pattern . 0 20% 4320 # # icp_query_timeout 2000 #Default: -# icp_query_timeout 0 +# Dynamic detection. # TAG: maximum_icp_query_timeout (msec) # Normally the ICP query timeout is determined dynamically. But @@ -4528,7 +6477,7 @@ refresh_pattern . 0 20% 4320 # Do not enable this option unless you are are absolutely # certain you understand what you are doing. #Default: -# mcast_miss_addr no_addr +# disabled. # TAG: mcast_miss_ttl # Note: This option is only available if Squid is rebuilt with the @@ -4618,7 +6567,7 @@ refresh_pattern . 0 20% 4320 # The squid developers working on translations are happy to supply drop-in # translated error files in exchange for any new language contributions. #Default: -# none +# Send error pages in the clients preferred language # TAG: error_default_language # Set the default language which squid will send error pages in @@ -4632,7 +6581,7 @@ refresh_pattern . 0 20% 4320 # translations for any language see the squid wiki for details. # http://wiki.squid-cache.org/Translations #Default: -# none +# Generate English language pages. # TAG: error_log_languages # Log to cache.log what languages users are attempting to @@ -4687,17 +6636,47 @@ refresh_pattern . 0 20% 4320 # the first authentication related acl encountered # - When none of the http_access lines matches. It's then the last # acl processed on the last http_access line. +# - When the decision to deny access was made by an adaptation service, +# the acl name is the corresponding eCAP or ICAP service_name. # # NP: If providing your own custom error pages with error_directory # you may also specify them by your custom file name: # Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys # -# Alternatively you can specify an error URL. The browsers will -# get redirected (302 or 307) to the specified URL. %s in the redirection -# URL will be replaced by the requested URL. +# By defaut Squid will send "403 Forbidden". A different 4xx or 5xx +# may be specified by prefixing the file name with the code and a colon. +# e.g. 404:ERR_CUSTOM_ACCESS_DENIED # # Alternatively you can tell Squid to reset the TCP connection # by specifying TCP_RESET. +# +# Or you can specify an error URL or URL pattern. The browsers will +# get redirected to the specified URL after formatting tags have +# been replaced. Redirect will be done with 302 or 307 according to +# HTTP/1.1 specs. A different 3xx code may be specified by prefixing +# the URL. e.g. 303:http://example.com/ +# +# URL FORMAT TAGS: +# %a - username (if available. Password NOT included) +# %B - FTP path URL +# %e - Error number +# %E - Error description +# %h - Squid hostname +# %H - Request domain name +# %i - Client IP Address +# %M - Request Method +# %o - Message result from external ACL helper +# %p - Request Port number +# %P - Request Protocol name +# %R - Request URL path +# %T - Timestamp in RFC 1123 format +# %U - Full canonical URL from client +# (HTTPS URLs terminate with *) +# %u - Full canonical URL from client +# %w - Admin email from squid.conf +# %x - Error name +# %% - Literal percent (%) code +# #Default: # none @@ -4706,18 +6685,18 @@ refresh_pattern . 0 20% 4320 # TAG: nonhierarchical_direct # By default, Squid will send any non-hierarchical requests -# (matching hierarchy_stoplist or not cacheable request type) direct -# to origin servers. +# (not cacheable request type) direct to origin servers. # -# If you set this to off, Squid will prefer to send these +# When this is set to "off", Squid will prefer to send these # requests to parents. # # Note that in most configurations, by turning this off you will only # add latency to these request without any improvement in global hit # ratio. # -# If you are inside an firewall see never_direct instead of -# this directive. +# This option only sets a preference. If the parent is unavailable a +# direct connection to the origin server may still be attempted. To +# completely prevent direct connections use never_direct. #Default: # nonhierarchical_direct on @@ -4736,6 +6715,29 @@ refresh_pattern . 0 20% 4320 #Default: # prefer_direct off +# TAG: cache_miss_revalidate on|off +# RFC 7232 defines a conditional request mechanism to prevent +# response objects being unnecessarily transferred over the network. +# If that mechanism is used by the client and a cache MISS occurs +# it can prevent new cache entries being created. +# +# This option determines whether Squid on cache MISS will pass the +# client revalidation request to the server or tries to fetch new +# content for caching. It can be useful while the cache is mostly +# empty to more quickly have the cache populated by generating +# non-conditional GETs. +# +# When set to 'on' (default), Squid will pass all client If-* headers +# to the server. This permits server responses without a cacheable +# payload to be delivered and on MISS no new cache entry is created. +# +# When set to 'off' and if the request is cacheable, Squid will +# remove the clients If-Modified-Since and If-None-Match headers from +# the request sent to the server. This requests a 200 status response +# from the server to create a new cache entry with. +#Default: +# cache_miss_revalidate on + # TAG: always_direct # Usage: always_direct allow|deny [!]aclname ... # @@ -4776,7 +6778,7 @@ refresh_pattern . 0 20% 4320 # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Prevent any cache_peer being used for this request. # TAG: never_direct # Usage: never_direct allow|deny [!]aclname ... @@ -4805,37 +6807,52 @@ refresh_pattern . 0 20% 4320 # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow DNS results to be used for this request. # ADVANCED NETWORKING OPTIONS # ----------------------------------------------------------------------------- -# TAG: incoming_icp_average +# TAG: incoming_udp_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: -# incoming_icp_average 6 +# incoming_udp_average 6 -# TAG: incoming_http_average +# TAG: incoming_tcp_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: -# incoming_http_average 4 +# incoming_tcp_average 4 # TAG: incoming_dns_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: # incoming_dns_average 4 -# TAG: min_icp_poll_cnt +# TAG: min_udp_poll_cnt +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: -# min_icp_poll_cnt 8 +# min_udp_poll_cnt 8 # TAG: min_dns_poll_cnt +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: # min_dns_poll_cnt 8 -# TAG: min_http_poll_cnt +# TAG: min_tcp_poll_cnt # Heavy voodoo here. I can't even believe you are reading this. # Are you crazy? Don't even think about adjusting these unless # you understand the algorithms in comm_select.c first! #Default: -# min_http_poll_cnt 8 +# min_tcp_poll_cnt 8 # TAG: accept_filter # FreeBSD: @@ -4880,14 +6897,14 @@ refresh_pattern . 0 20% 4320 # WARNING: This may noticably slow down traffic received via external proxies # or NAT devices and cause them to rebound error messages back to their clients. #Default: -# client_ip_max_connections -1 +# No limit. # TAG: tcp_recv_bufsize (bytes) # Size of receive buffer to set for TCP sockets. Probably just -# as easy to change your kernel's default. Set to zero to use -# the default buffer size. +# as easy to change your kernel's default. +# Omit from squid.conf to use the default buffer size. #Default: -# tcp_recv_bufsize 0 bytes +# Use operating system TCP defaults. # ICAP OPTIONS # ----------------------------------------------------------------------------- @@ -4913,22 +6930,36 @@ refresh_pattern . 0 20% 4320 # an established, active ICAP connection before giving up and # either terminating the HTTP transaction or bypassing the # failure. -# -# The default is read_timeout. #Default: -# none +# Use read_timeout. -# TAG: icap_service_failure_limit +# TAG: icap_service_failure_limit limit [in memory-depth time-units] # The limit specifies the number of failures that Squid tolerates # when establishing a new TCP connection with an ICAP service. If # the number of failures exceeds the limit, the ICAP service is # not used for new ICAP requests until it is time to refresh its -# OPTIONS. The per-service failure counter is reset to zero each -# time Squid fetches new service OPTIONS. +# OPTIONS. # # A negative value disables the limit. Without the limit, an ICAP # service will not be considered down due to connectivity failures # between ICAP OPTIONS requests. +# +# Squid forgets ICAP service failures older than the specified +# value of memory-depth. The memory fading algorithm +# is approximate because Squid does not remember individual +# errors but groups them instead, splitting the option +# value into ten time slots of equal length. +# +# When memory-depth is 0 and by default this option has no +# effect on service failure expiration. +# +# Squid always forgets failures when updating service settings +# using an ICAP OPTIONS transaction, regardless of this option +# setting. +# +# For example, +# # suspend service usage after 10 failures in 5 seconds: +# icap_service_failure_limit 10 in 5 seconds #Default: # icap_service_failure_limit 10 @@ -4962,10 +6993,26 @@ refresh_pattern . 0 20% 4320 # TAG: icap_preview_size # The default size of preview data to be sent to the ICAP server. -# -1 means no preview. This value might be overwritten on a per server -# basis by OPTIONS requests. +# This value might be overwritten on a per server basis by OPTIONS requests. +#Default: +# No preview sent. + +# TAG: icap_206_enable on|off +# 206 (Partial Content) responses is an ICAP extension that allows the +# ICAP agents to optionally combine adapted and original HTTP message +# content. The decision to combine is postponed until the end of the +# ICAP response. Squid supports Partial Content extension by default. +# +# Activation of the Partial Content extension is negotiated with each +# ICAP service during OPTIONS exchange. Most ICAP servers should handle +# negotation correctly even if they do not support the extension, but +# some might fail. To disable Partial Content support for all ICAP +# services and to avoid any negotiation, set this option to "off". +# +# Example: +# icap_206_enable off #Default: -# icap_preview_size -1 +# icap_206_enable on # TAG: icap_default_options_ttl # The default TTL value for ICAP OPTIONS responses that don't have @@ -4979,25 +7026,27 @@ refresh_pattern . 0 20% 4320 #Default: # icap_persistent_connections on -# TAG: icap_send_client_ip on|off +# TAG: adaptation_send_client_ip on|off # If enabled, Squid shares HTTP client IP information with adaptation # services. For ICAP, Squid adds the X-Client-IP header to ICAP requests. # For eCAP, Squid sets the libecap::metaClientIp transaction option. # # See also: adaptation_uses_indirect_client #Default: -# icap_send_client_ip off +# adaptation_send_client_ip off -# TAG: icap_send_client_username on|off +# TAG: adaptation_send_username on|off # This sends authenticated HTTP client username (if available) to -# the ICAP service. The username value is encoded based on the +# the adaptation service. +# +# For ICAP, the username value is encoded based on the # icap_client_username_encode option and is sent using the header # specified by the icap_client_username_header option. #Default: -# icap_send_client_username off +# adaptation_send_username off # TAG: icap_client_username_header -# ICAP request header name to use for send_client_username. +# ICAP request header name to use for adaptation_send_username. #Default: # icap_client_username_header X-Client-Username @@ -5009,17 +7058,19 @@ refresh_pattern . 0 20% 4320 # TAG: icap_service # Defines a single ICAP service using the following format: # -# icap_service service_name vectoring_point [options] service_url +# icap_service id vectoring_point uri [option ...] # -# service_name: ID -# an opaque identifier which must be unique in squid.conf +# id: ID +# an opaque identifier or name which is used to direct traffic to +# this specific service. Must be unique among all adaptation +# services in squid.conf. # # vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache # This specifies at which point of transaction processing the # ICAP service should be activated. *_postcache vectoring points # are not yet supported. # -# service_url: icap://servername:port/servicepath +# uri: icap://servername:port/servicepath # ICAP server and service location. # # ICAP does not allow a single service to handle both REQMOD and RESPMOD @@ -5028,6 +7079,8 @@ refresh_pattern . 0 20% 4320 # can even specify multiple identical services as long as their # service_names differ. # +# To activate a service, use the adaptation_access directive. To group +# services, use adaptation_service_chain and adaptation_service_set. # # Service options are separated by white space. ICAP services support # the following name=value options: @@ -5049,11 +7102,12 @@ refresh_pattern . 0 20% 4320 # returning a chain of services to be used next. The services # are specified using the X-Next-Services ICAP response header # value, formatted as a comma-separated list of service names. -# Each named service should be configured in squid.conf and -# should have the same method and vectoring point as the current -# ICAP transaction. Services violating these rules are ignored. -# An empty X-Next-Services value results in an empty plan which -# ends the current adaptation. +# Each named service should be configured in squid.conf. Other +# services are ignored. An empty X-Next-Services value results +# in an empty plan which ends the current adaptation. +# +# Dynamic adaptation plan may cross or cover multiple supported +# vectoring points in their natural processing order. # # Routing is not allowed by default: the ICAP X-Next-Services # response header is ignored. @@ -5063,12 +7117,32 @@ refresh_pattern . 0 20% 4320 # is to use IPv4-only connections. When set to 'on' this option will # make Squid use IPv6-only connections to contact this ICAP service. # +# on-overload=block|bypass|wait|force +# If the service Max-Connections limit has been reached, do +# one of the following for each new ICAP transaction: +# * block: send an HTTP error response to the client +# * bypass: ignore the "over-connected" ICAP service +# * wait: wait (in a FIFO queue) for an ICAP connection slot +# * force: proceed, ignoring the Max-Connections limit +# +# In SMP mode with N workers, each worker assumes the service +# connection limit is Max-Connections/N, even though not all +# workers may use a given service. +# +# The default value is "bypass" if service is bypassable, +# otherwise it is set to "wait". +# +# +# max-conn=number +# Use the given number as the Max-Connections limit, regardless +# of the Max-Connections value given by the service, if any. +# # Older icap_service format without optional named parameters is # deprecated but supported for backward compatibility. # #Example: -#icap_service svcBlocker reqmod_precache bypass=0 icap://icap1.mydomain.net:1344/reqmod -#icap_service svcLogger reqmod_precache routing=on icap://icap2.mydomain.net:1344/respmod +#icap_service svcBlocker reqmod_precache icap://icap1.mydomain.net:1344/reqmod bypass=0 +#icap_service svcLogger reqmod_precache icap://icap2.mydomain.net:1344/respmod routing=on #Default: # none @@ -5094,38 +7168,65 @@ refresh_pattern . 0 20% 4320 # ----------------------------------------------------------------------------- # TAG: ecap_enable on|off -# Note: This option is only available if Squid is rebuilt with the -# --enable-ecap option -# # Controls whether eCAP support is enabled. #Default: # ecap_enable off # TAG: ecap_service -# Note: This option is only available if Squid is rebuilt with the -# --enable-ecap option -# # Defines a single eCAP service # -# ecap_service servicename vectoring_point bypass service_url +# ecap_service id vectoring_point uri [option ...] # -# vectoring_point = reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache +# id: ID +# an opaque identifier or name which is used to direct traffic to +# this specific service. Must be unique among all adaptation +# services in squid.conf. +# +# vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache # This specifies at which point of transaction processing the # eCAP service should be activated. *_postcache vectoring points # are not yet supported. -# bypass = 1|0 -# If set to 1, the eCAP service is treated as optional. If the -# service cannot be reached or malfunctions, Squid will try to -# ignore any errors and process the message as if the service +# +# uri: ecap://vendor/service_name?custom&cgi=style¶meters=optional +# Squid uses the eCAP service URI to match this configuration +# line with one of the dynamically loaded services. Each loaded +# eCAP service must have a unique URI. Obtain the right URI from +# the service provider. +# +# To activate a service, use the adaptation_access directive. To group +# services, use adaptation_service_chain and adaptation_service_set. +# +# Service options are separated by white space. eCAP services support +# the following name=value options: +# +# bypass=on|off|1|0 +# If set to 'on' or '1', the eCAP service is treated as optional. +# If the service cannot be reached or malfunctions, Squid will try +# to ignore any errors and process the message as if the service # was not enabled. No all eCAP errors can be bypassed. -# If set to 0, the eCAP service is treated as essential and all -# eCAP errors will result in an error page returned to the +# If set to 'off' or '0', the eCAP service is treated as essential +# and all eCAP errors will result in an error page returned to the # HTTP client. -# service_url = ecap://vendor/service_name?custom&cgi=style¶meters=optional +# +# Bypass is off by default: services are treated as essential. +# +# routing=on|off|1|0 +# If set to 'on' or '1', the eCAP service is allowed to +# dynamically change the current message adaptation plan by +# returning a chain of services to be used next. +# +# Dynamic adaptation plan may cross or cover multiple supported +# vectoring points in their natural processing order. +# +# Routing is not allowed by default. +# +# Older ecap_service format without optional named parameters is +# deprecated but supported for backward compatibility. +# # #Example: -#ecap_service service_1 reqmod_precache 0 ecap://filters-R-us/leakDetector?on_error=block -#ecap_service service_2 respmod_precache 1 icap://filters-R-us/virusFilter?config=/etc/vf.cfg +#ecap_service s1 reqmod_precache ecap://filters.R.us/leakDetector?on_error=block bypass=off +#ecap_service s2 respmod_precache ecap://filters.R.us/virusFilter config=/etc/vf.cfg bypass=on #Default: # none @@ -5247,7 +7348,7 @@ refresh_pattern . 0 20% 4320 #Example: #adaptation_access service_1 allow all #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: adaptation_service_iteration_limit # Limits the number of iterations allowed when applying adaptation @@ -5275,8 +7376,14 @@ refresh_pattern . 0 20% 4320 # # An ICAP REQMOD or RESPMOD transaction may set an entry in the # shared table by returning an ICAP header field with a name -# specified in adaptation_masterx_shared_names. Squid will store -# and forward that ICAP header field to subsequent ICAP +# specified in adaptation_masterx_shared_names. +# +# An eCAP REQMOD or RESPMOD transaction may set an entry in the +# shared table by implementing the libecap::visitEachOption() API +# to provide an option with a name specified in +# adaptation_masterx_shared_names. +# +# Squid will store and forward the set entry to subsequent adaptation # transactions within the same master transaction scope. # # Only one shared entry name is supported at this time. @@ -5287,6 +7394,43 @@ refresh_pattern . 0 20% 4320 #Default: # none +# TAG: adaptation_meta +# This option allows Squid administrator to add custom ICAP request +# headers or eCAP options to Squid ICAP requests or eCAP transactions. +# Use it to pass custom authentication tokens and other +# transaction-state related meta information to an ICAP/eCAP service. +# +# The addition of a meta header is ACL-driven: +# adaptation_meta name value [!]aclname ... +# +# Processing for a given header name stops after the first ACL list match. +# Thus, it is impossible to add two headers with the same name. If no ACL +# lists match for a given header name, no such header is added. For +# example: +# +# # do not debug transactions except for those that need debugging +# adaptation_meta X-Debug 1 needs_debugging +# +# # log all transactions except for those that must remain secret +# adaptation_meta X-Log 1 !keep_secret +# +# # mark transactions from users in the "G 1" group +# adaptation_meta X-Authenticated-Groups "G 1" authed_as_G1 +# +# The "value" parameter may be a regular squid.conf token or a "double +# quoted string". Within the quoted string, use backslash (\) to escape +# any character, which is currently only useful for escaping backslashes +# and double quotes. For example, +# "this string has one backslash (\\) and two \"quotes\"" +# +# Used adaptation_meta header values may be logged via %note +# logformat code. If multiple adaptation_meta headers with the same name +# are used during master transaction lifetime, the header values are +# logged in the order they were used and duplicate values are ignored +# (only the first repeated value will be logged). +#Default: +# none + # TAG: icap_retry # This ACL determines which retriable ICAP transactions are # retried. Transactions that received a complete ICAP response @@ -5303,8 +7447,7 @@ refresh_pattern . 0 20% 4320 # icap_retry deny all # TAG: icap_retry_limit -# Limits the number of retries allowed. When set to zero (default), -# no retries are allowed. +# Limits the number of retries allowed. # # Communication errors due to persistent connection race # conditions are unavoidable, automatically retried, and do not @@ -5312,7 +7455,7 @@ refresh_pattern . 0 20% 4320 # # See also: icap_retry #Default: -# icap_retry_limit 0 +# No retries are allowed. # DNS OPTIONS # ----------------------------------------------------------------------------- @@ -5332,31 +7475,9 @@ refresh_pattern . 0 20% 4320 #Default: # allow_underscore on -# TAG: cache_dns_program -# Note: This option is only available if Squid is rebuilt with the -# --disable-internal-dns option -# -# Specify the location of the executable for dnslookup process. -#Default: -# cache_dns_program /usr/lib/squid/dnsserver - -# TAG: dns_children -# Note: This option is only available if Squid is rebuilt with the -# --disable-internal-dns option -# -# The number of processes spawn to service DNS name lookups. -# For heavily loaded caches on large servers, you should -# probably increase this value to at least 10. The maximum -# is 32. The default is 5. -# -# You must have at least one dnsserver process. -#Default: -# dns_children 5 - # TAG: dns_retransmit_interval # Initial retransmit interval for DNS queries. The interval is # doubled each time all configured DNS servers have been tried. -# #Default: # dns_retransmit_interval 5 seconds @@ -5365,7 +7486,31 @@ refresh_pattern . 0 20% 4320 # within this time all DNS servers for the queried domain # are assumed to be unavailable. #Default: -# dns_timeout 2 minutes +# dns_timeout 30 seconds + +# TAG: dns_packet_max +# Maximum number of bytes packet size to advertise via EDNS. +# Set to "none" to disable EDNS large packet support. +# +# For legacy reasons DNS UDP replies will default to 512 bytes which +# is too small for many responses. EDNS provides a means for Squid to +# negotiate receiving larger responses back immediately without having +# to failover with repeat requests. Responses larger than this limit +# will retain the old behaviour of failover to TCP DNS. +# +# Squid has no real fixed limit internally, but allowing packet sizes +# over 1500 bytes requires network jumbogram support and is usually not +# necessary. +# +# WARNING: The RFC also indicates that some older resolvers will reply +# with failure of the whole request if the extension is added. Some +# resolvers have already been identified which will reply with mangled +# EDNS response on occasion. Usually in response to many-KB jumbogram +# sizes being advertised by Squid. +# Squid will currently treat these both as an unable-to-resolve domain +# even if it would be resolvable without EDNS. +#Default: +# EDNS disabled # TAG: dns_defnames on|off # Normally the RES_DEFNAMES resolver option is disabled @@ -5373,12 +7518,21 @@ refresh_pattern . 0 20% 4320 # from interpreting single-component hostnames locally. To allow # Squid to handle single-component names, enable this option. #Default: -# dns_defnames off +# Search for single-label domain names is disabled. + +# TAG: dns_multicast_local on|off +# When set to on, Squid sends multicast DNS lookups on the local +# network for domains ending in .local and .arpa. +# This enables local servers and devices to be contacted in an +# ad-hoc or zero-configuration network environment. +#Default: +# Search for .local and .arpa names is disabled. # TAG: dns_nameservers # Use this if you want to specify a list of DNS name servers # (IP addresses) to use instead of those given in your # /etc/resolv.conf file. +# # On Windows platforms, if no value is specified here or in # the /etc/resolv.conf file, the list of DNS name servers are # taken from the Windows registry, both static and dynamic DHCP @@ -5386,7 +7540,7 @@ refresh_pattern . 0 20% 4320 # # Example: dns_nameservers 10.0.0.1 192.172.0.4 #Default: -# none +# Use operating system definitions # TAG: hosts_file # Location of the host-local IP name-address associations @@ -5425,7 +7579,7 @@ refresh_pattern . 0 20% 4320 #Example: # append_domain .yourdomain.com #Default: -# none +# Use operating system definitions # TAG: ignore_unknown_nameservers # By default Squid checks that DNS responses are received @@ -5436,23 +7590,6 @@ refresh_pattern . 0 20% 4320 #Default: # ignore_unknown_nameservers on -# TAG: dns_v4_fallback -# Standard practice with DNS is to lookup either A or AAAA records -# and use the results if it succeeds. Only looking up the other if -# the first attempt fails or otherwise produces no results. -# -# That policy however will cause squid to produce error pages for some -# servers that advertise AAAA but are unreachable over IPv6. -# -# If this is ON squid will always lookup both AAAA and A, using both. -# If this is OFF squid will lookup AAAA and only try A if none found. -# -# WARNING: There are some possibly unwanted side-effects with this on: -# *) Doubles the load placed by squid on the DNS network. -# *) May negatively impact connection delay times. -#Default: -# dns_v4_fallback on - # TAG: dns_v4_first # With the IPv6 Internet being as fast or faster than IPv4 Internet # for most networks Squid prefers to contact websites over IPv6. @@ -5464,11 +7601,12 @@ refresh_pattern . 0 20% 4320 # WARNING: # This option will restrict the situations under which IPv6 # connectivity is used (and tested), potentially hiding network -# problem swhich would otherwise be detected and warned about. +# problems which would otherwise be detected and warned about. #Default: # dns_v4_first off # TAG: ipcache_size (number of entries) +# Maximum number of DNS IP cache entries. #Default: # ipcache_size 1024 @@ -5489,6 +7627,15 @@ refresh_pattern . 0 20% 4320 # MISCELLANEOUS # ----------------------------------------------------------------------------- +# TAG: configuration_includes_quoted_values on|off +# If set, Squid will recognize each "quoted string" after a configuration +# directive as a single parameter. The quotes are stripped before the +# parameter value is interpreted or used. +# See "Values with spaces, quotes, and other special characters" +# section for more details. +#Default: +# configuration_includes_quoted_values off + # TAG: memory_pools on|off # If set, Squid will keep pools of allocated (but unused) memory # available for future use. If memory is a premium on your @@ -5539,7 +7686,7 @@ refresh_pattern . 0 20% 4320 # X-Forwarded-For header. # # If set to "truncate", Squid will remove all existing -# X-Forwarded-For entries, and place itself as the sole entry. +# X-Forwarded-For entries, and place the client IP as the sole entry. #Default: # forwarded_for on @@ -5602,7 +7749,7 @@ refresh_pattern . 0 20% 4320 # cachemgr_passwd lesssssssecret info stats/objects # cachemgr_passwd disable all #Default: -# none +# No password. Actions which require password are denied. # TAG: client_db on|off # If you want to disable collecting per-client statistics, @@ -5633,19 +7780,22 @@ refresh_pattern . 0 20% 4320 #Default: # reload_into_ims off -# TAG: maximum_single_addr_tries -# This sets the maximum number of connection attempts for a -# host that only has one address (for multiple-address hosts, -# each address is tried once). +# TAG: connect_retries +# This sets the maximum number of connection attempts made for each +# TCP connection. The connect_retries attempts must all still +# complete within the connection timeout period. +# +# The default is not to re-try if the first connection attempt fails. +# The (not recommended) maximum is 10 tries. # -# The default value is one attempt, the (not recommended) -# maximum is 255 tries. A warning message will be generated -# if it is set to a value greater than ten. +# A warning message will be generated if it is set to a too-high +# value and the configured value will be over-ridden. # -# Note: This is in addition to the request re-forwarding which -# takes place if Squid fails to get a satisfying response. +# Note: These re-tries are in addition to forward_max_tries +# which limit how many different addresses may be tried to find +# a useful server. #Default: -# maximum_single_addr_tries 1 +# Do not retry failed connections. # TAG: retry_on_error # If set to ON Squid will automatically retry requests when @@ -5678,20 +7828,32 @@ refresh_pattern . 0 20% 4320 # URI. Options: # # strip: The whitespace characters are stripped out of the URL. -# This is the behavior recommended by RFC2396. +# This is the behavior recommended by RFC2396 and RFC3986 +# for tolerant handling of generic URI. +# NOTE: This is one difference between generic URI and HTTP URLs. +# # deny: The request is denied. The user receives an "Invalid # Request" message. +# This is the behaviour recommended by RFC2616 for safe +# handling of HTTP request URL. +# # allow: The request is allowed and the URI is not changed. The # whitespace characters remain in the URI. Note the # whitespace is passed to redirector processes if they # are in use. +# Note this may be considered a violation of RFC2616 +# request parsing where whitespace is prohibited in the +# URL field. +# # encode: The request is allowed and the whitespace characters are -# encoded according to RFC1738. This could be considered -# a violation of the HTTP/1.1 -# RFC because proxies are not allowed to rewrite URI's. +# encoded according to RFC1738. +# # chop: The request is allowed and the URI is chopped at the -# first whitespace. This might also be considered a -# violation. +# first whitespace. +# +# +# NOTE the current Squid implementation of encode and chop violates +# RFC2616 by not using a 301 redirect after altering the URL. #Default: # uri_whitespace strip @@ -5718,23 +7880,28 @@ refresh_pattern . 0 20% 4320 # balance_on_multiple_ip off # TAG: pipeline_prefetch -# To boost the performance of pipelined requests to closer -# match that of a non-proxied environment Squid can try to fetch -# up to two requests in parallel from a pipeline. -# -# Defaults to off for bandwidth management and access logging +# HTTP clients may send a pipeline of 1+N requests to Squid using a +# single connection, without waiting for Squid to respond to the first +# of those requests. This option limits the number of concurrent +# requests Squid will try to handle in parallel. If set to N, Squid +# will try to receive and process up to 1+N requests on the same +# connection concurrently. +# +# Defaults to 0 (off) for bandwidth management and access logging # reasons. # +# NOTE: pipelining requires persistent connections to clients. +# # WARNING: pipelining breaks NTLM and Negotiate/Kerberos authentication. #Default: -# pipeline_prefetch off +# Do not pre-parse pipelined requests. # TAG: high_response_time_warning (msec) # If the one-minute median response time exceeds this value, # Squid prints a WARNING with debug level 0 to get the # administrators attention. The value is in milliseconds. #Default: -# high_response_time_warning 0 +# disabled. # TAG: high_page_fault_warning # If the one-minute average page fault rate exceeds this @@ -5742,14 +7909,17 @@ refresh_pattern . 0 20% 4320 # the administrators attention. The value is in page faults # per second. #Default: -# high_page_fault_warning 0 +# disabled. # TAG: high_memory_warning -# If the memory usage (as determined by mallinfo) exceeds -# this amount, Squid prints a WARNING with debug level 0 to get +# Note: This option is only available if Squid is rebuilt with the +# GNU Malloc with mstats() +# +# If the memory usage (as determined by gnumalloc, if available and used) +# exceeds this amount, Squid prints a WARNING with debug level 0 to get # the administrators attention. #Default: -# high_memory_warning 0 KB +# disabled. # TAG: sleep_after_fork (microseconds) # When this is set to a non-zero value, the main Squid process @@ -5766,6 +7936,9 @@ refresh_pattern . 0 20% 4320 # sleep_after_fork 0 # TAG: windows_ipaddrchangemonitor on|off +# Note: This option is only available if Squid is rebuilt with the +# MS Windows +# # On Windows Squid by default will monitor IP address changes and will # reconfigure itself after any detected event. This is very useful for # proxies connected to internet with dial-up interfaces. @@ -5775,13 +7948,19 @@ refresh_pattern . 0 20% 4320 #Default: # windows_ipaddrchangemonitor on +# TAG: eui_lookup +# Whether to lookup the EUI or MAC address of a connected client. +#Default: +# eui_lookup on + # TAG: max_filedescriptors -# The maximum number of filedescriptors supported. +# Reduce the maximum number of filedescriptors supported below +# the usual operating system defaults. # -# The default "0" means Squid inherits the current ulimit setting. +# Remove from squid.conf to inherit the current ulimit setting. # # Note: Changing this requires a restart of Squid. Also -# not all comm loops supports large values. +# not all I/O types supports large values (eg on Windows). #Default: -# max_filedescriptors 0 +# Use operating system limits set by ulimit. diff --git a/hosts/profitbricks-build15-amd64/etc/squid/squid.conf b/hosts/profitbricks-build15-amd64/etc/squid/squid.conf index 34be0ec5..ad1cdc47 100644 --- a/hosts/profitbricks-build15-amd64/etc/squid/squid.conf +++ b/hosts/profitbricks-build15-amd64/etc/squid/squid.conf @@ -1,4 +1,4 @@ -# WELCOME TO SQUID 3.1.20 +# WELCOME TO SQUID 3.5.23 # ---------------------------- # # This is the documentation for the Squid configuration file. @@ -32,6 +32,188 @@ # This arbitrary restriction is to prevent recursive include references # from causing Squid entering an infinite loop whilst trying to load # configuration files. +# +# Values with byte units +# +# Squid accepts size units on some size related directives. All +# such directives are documented with a default value displaying +# a unit. +# +# Units accepted by Squid are: +# bytes - byte +# KB - Kilobyte (1024 bytes) +# MB - Megabyte +# GB - Gigabyte +# +# Values with spaces, quotes, and other special characters +# +# Squid supports directive parameters with spaces, quotes, and other +# special characters. Surround such parameters with "double quotes". Use +# the configuration_includes_quoted_values directive to enable or +# disable that support. +# +# Squid supports reading configuration option parameters from external +# files using the syntax: +# parameters("/path/filename") +# For example: +# acl whitelist dstdomain parameters("/etc/squid/whitelist.txt") +# +# Conditional configuration +# +# If-statements can be used to make configuration directives +# depend on conditions: +# +# if +# ... regular configuration directives ... +# [else +# ... regular configuration directives ...] +# endif +# +# The else part is optional. The keywords "if", "else", and "endif" +# must be typed on their own lines, as if they were regular +# configuration directives. +# +# NOTE: An else-if condition is not supported. +# +# These individual conditions types are supported: +# +# true +# Always evaluates to true. +# false +# Always evaluates to false. +# = +# Equality comparison of two integer numbers. +# +# +# SMP-Related Macros +# +# The following SMP-related preprocessor macros can be used. +# +# ${process_name} expands to the current Squid process "name" +# (e.g., squid1, squid2, or cache1). +# +# ${process_number} expands to the current Squid process +# identifier, which is an integer number (e.g., 1, 2, 3) unique +# across all Squid processes of the current service instance. +# +# ${service_name} expands into the current Squid service instance +# name identifier which is provided by -n on the command line. +# + +# TAG: broken_vary_encoding +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: cache_vary +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: error_map +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: external_refresh_check +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: location_rewrite_program +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: refresh_stale_hit +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: hierarchy_stoplist +# Remove this line. Use always_direct or cache_peer_access ACLs instead if you need to prevent cache_peer use. +#Default: +# none + +# TAG: log_access +# Remove this line. Use acls with access_log directives to control access logging +#Default: +# none + +# TAG: log_icap +# Remove this line. Use acls with icap_log directives to control icap logging +#Default: +# none + +# TAG: ignore_ims_on_miss +# Remove this line. The HTTP/1.1 feature is now configured by 'cache_miss_revalidate'. +#Default: +# none + +# TAG: chunked_request_body_max_size +# Remove this line. Squid is now HTTP/1.1 compliant. +#Default: +# none + +# TAG: dns_v4_fallback +# Remove this line. Squid performs a 'Happy Eyeballs' algorithm, the 'fallback' algorithm is no longer relevant. +#Default: +# none + +# TAG: emulate_httpd_log +# Replace this with an access_log directive using the format 'common' or 'combined'. +#Default: +# none + +# TAG: forward_log +# Use a regular access.log with ACL limiting it to MISS events. +#Default: +# none + +# TAG: ftp_list_width +# Remove this line. Configure FTP page display using the CSS controls in errorpages.css instead. +#Default: +# none + +# TAG: ignore_expect_100 +# Remove this line. The HTTP/1.1 feature is now fully supported by default. +#Default: +# none + +# TAG: log_fqdn +# Remove this option from your config. To log FQDN use %>A in the log format. +#Default: +# none + +# TAG: log_ip_on_direct +# Remove this option from your config. To log server or peer names use % -##auth_param negotiate children 5 +##auth_param negotiate children 20 startup=0 idle=1 ##auth_param negotiate keep_alive on ## -##auth_param ntlm program -##auth_param ntlm children 5 -##auth_param ntlm keep_alive on -## -##auth_param digest program -##auth_param digest children 5 +##auth_param digest program +##auth_param digest children 20 startup=0 idle=1 ##auth_param digest realm Squid proxy-caching web server ##auth_param digest nonce_garbage_interval 5 minutes ##auth_param digest nonce_max_duration 30 minutes ##auth_param digest nonce_max_count 50 ## +##auth_param ntlm program +##auth_param ntlm children 20 startup=0 idle=1 +##auth_param ntlm keep_alive on +## ##auth_param basic program -##auth_param basic children 5 +##auth_param basic children 5 startup=5 idle=1 ##auth_param basic realm Squid proxy-caching web server ##auth_param basic credentialsttl 2 hours #Default: @@ -343,7 +448,7 @@ # TAG: authenticate_cache_garbage_interval # The time period between garbage collection across the username cache. -# This is a tradeoff between memory utilization (long intervals - say +# This is a trade-off between memory utilization (long intervals - say # 2 days) and CPU (short intervals - say 1 minute). Only change if you # have good reason to. #Default: @@ -362,11 +467,11 @@ # this directive controls how long Squid remembers the IP # addresses associated with each user. Use a small value # (e.g., 60 seconds) if your users might change addresses -# quickly, as is the case with dialups. You might be safe +# quickly, as is the case with dialup. You might be safe # using a larger value (e.g., 2 hours) in a corporate LAN # environment with relatively static address assignments. #Default: -# authenticate_ip_ttl 0 seconds +# authenticate_ip_ttl 1 second # ACCESS CONTROLS # ----------------------------------------------------------------------------- @@ -381,31 +486,66 @@ # # ttl=n TTL in seconds for cached results (defaults to 3600 # for 1 hour) +# # negative_ttl=n # TTL for cached negative lookups (default same # as ttl) -# children=n Number of acl helper processes spawn to service +# +# grace=n Percentage remaining of TTL where a refresh of a +# cached entry should be initiated without needing to +# wait for a new reply. (default is for no grace period) +# +# cache=n The maximum number of entries in the result cache. The +# default limit is 262144 entries. Each cache entry usually +# consumes at least 256 bytes. Squid currently does not remove +# expired cache entries until the limit is reached, so a proxy +# will sooner or later reach the limit. The expanded FORMAT +# value is used as the cache key, so if the details in FORMAT +# are highly variable, a larger cache may be needed to produce +# reduction in helper load. +# +# children-max=n +# Maximum number of acl helper processes spawned to service # external acl lookups of this type. (default 5) +# +# children-startup=n +# Minimum number of acl helper processes to spawn during +# startup and reconfigure to service external acl lookups +# of this type. (default 0) +# +# children-idle=n +# Number of acl helper processes to keep ahead of traffic +# loads. Squid will spawn this many at once whenever load +# rises above the capabilities of existing processes. +# Up to the value of children-max. (default 1) +# # concurrency=n concurrency level per process. Only used with helpers # capable of processing more than one query at a time. -# cache=n result cache size, 0 is unbounded (default) -# grace=n Percentage remaining of TTL where a refresh of a -# cached entry should be initiated without needing to -# wait for a new reply. (default 0 for no grace period) -# protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers +# +# protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers. +# # ipv4 / ipv6 IP protocol used to communicate with this helper. # The default is to auto-detect IPv6 and use it when available. # +# # FORMAT specifications # # %LOGIN Authenticated user login name -# %EXT_USER Username from external acl +# %un A user name. Expands to the first available name +# from the following list of information sources: +# - authenticated user name, like %ul or %LOGIN +# - user name sent by an external ACL, like %EXT_USER +# - SSL client name, like %us in logformat +# - ident user name, like %ui in logformat +# %EXT_USER Username from previous external acl +# %EXT_LOG Log details from previous external acl +# %EXT_TAG Tag from previous external acl # %IDENT Ident user name # %SRC Client IP # %SRCPORT Client source port # %URI Requested URI # %DST Requested host -# %PROTO Requested protocol +# %PROTO Requested URL scheme # %PORT Requested port # %PATH Requested URL path # %METHOD Request method @@ -415,7 +555,10 @@ # %USER_CERT SSL User certificate in PEM format # %USER_CERTCHAIN SSL User certificate chain in PEM format # %USER_CERT_xx SSL User certificate subject attribute xx -# %USER_CA_xx SSL User certificate issuer attribute xx +# %USER_CA_CERT_xx SSL User certificate issuer attribute xx +# %ssl::>sni SSL client SNI sent to Squid +# %ssl::{Header} HTTP request header "Header" # %>{Hdr:member} @@ -433,43 +576,101 @@ # list separator. ; can be any non-alphanumeric # character. # +# %ACL The name of the ACL being tested. +# %DATA The ACL arguments. If not used then any arguments +# is automatically added at the end of the line +# sent to the helper. +# NOTE: this will encode the arguments as one token, +# whereas the default will pass each separately. +# # %% The percent sign. Useful for helpers which need # an unchanging input format. # -# In addition to the above, any string specified in the referencing -# acl will also be included in the helper request line, after the -# specified formats (see the "acl external" directive) # -# The helper receives lines per the above format specification, -# and returns lines starting with OK or ERR indicating the validity -# of the request and optionally followed by additional keywords with -# more details. +# General request syntax: +# +# [channel-ID] FORMAT-values [acl-values ...] +# +# +# FORMAT-values consists of transaction details expanded with +# whitespace separation per the config file FORMAT specification +# using the FORMAT macros listed above. +# +# acl-values consists of any string specified in the referencing +# config 'acl ... external' line. see the "acl external" directive. +# +# Request values sent to the helper are URL escaped to protect +# each value in requests against whitespaces. +# +# If using protocol=2.5 then the request sent to the helper is not +# URL escaped to protect against whitespace. +# +# NOTE: protocol=3.0 is deprecated as no longer necessary. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# +# The helper receives lines expanded per the above format specification +# and for each input line returns 1 line starting with OK/ERR/BH result +# code and optionally followed by additional keywords with more details. +# # # General result syntax: # -# OK/ERR keyword=value ... +# [channel-ID] result keyword=value ... +# +# Result consists of one of the codes: +# +# OK +# the ACL test produced a match. +# +# ERR +# the ACL test does not produce a match. +# +# BH +# An internal error occurred in the helper, preventing +# a result being identified. +# +# The meaning of 'a match' is determined by your squid.conf +# access control configuration. See the Squid wiki for details. # # Defined keywords: # # user= The users name (login) +# # password= The users password (for login= cache_peer option) -# message= Message describing the reason. Available as %o -# in error pages -# tag= Apply a tag to a request (for both ERR and OK results) -# Only sets a tag, does not alter existing tags. +# +# message= Message describing the reason for this response. +# Available as %o in error pages. +# Useful on (ERR and BH results). +# +# tag= Apply a tag to a request. Only sets a tag once, +# does not alter existing tags. +# # log= String to be logged in access.log. Available as -# %ea in logformat specifications +# %ea in logformat specifications. # -# If protocol=3.0 (the default) then URL escaping is used to protect -# each value in both requests and responses. +# clt_conn_tag= Associates a TAG with the client TCP connection. +# Please see url_rewrite_program related documentation +# for this kv-pair. # -# If using protocol=2.5 then all values need to be enclosed in quotes -# if they may contain whitespace, or the whitespace escaped using \. -# And quotes or \ characters within the keyword value must be \ escaped. +# Any keywords may be sent on any response whether OK, ERR or BH. # -# When using the concurrency= option the protocol is changed by -# introducing a query channel tag infront of the request/response. -# The query channel tag is a number between 0 and concurrency-1. +# All response keyword values need to be a single token with URL +# escaping, or enclosed in double quotes (") and escaped using \ on +# any double quotes or \ characters within the value. The wrapping +# double quotes are removed before the value is interpreted by Squid. +# \r and \n are also replace by CR and LF. +# +# Some example key values: +# +# user=John%20Smith +# user="John Smith" +# user="J. \"Bob\" Smith" #Default: # none @@ -485,9 +686,23 @@ # # When using "file", the file should contain one item per line. # -# By default, regular expressions are CASE-SENSITIVE. -# To make them case-insensitive, use the -i option. To return case-sensitive -# use the +i option between patterns, or make a new ACL line without -i. +# Some acl types supports options which changes their default behaviour. +# The available options are: +# +# -i,+i By default, regular expressions are CASE-SENSITIVE. To make them +# case-insensitive, use the -i option. To return case-sensitive +# use the +i option between patterns, or make a new ACL line +# without -i. +# +# -n Disable lookups and address type conversions. If lookup or +# conversion is required because the parameter type (IP or +# domain name) does not match the message address type (domain +# name or IP), then the ACL would immediately declare a mismatch +# without any warnings or lookups. +# +# -- Used to stop processing all options, in the case the first acl +# value has '-' character as first character (for example the '-' +# is a valid domain name) # # Some acl types require suspending the current request in order # to access some external data source. @@ -498,29 +713,31 @@ # # ***** ACL TYPES AVAILABLE ***** # -# acl aclname src ip-address/netmask ... # clients IP address [fast] -# acl aclname src addr1-addr2/netmask ... # range of addresses [fast] -# acl aclname dst ip-address/netmask ... # URL host's IP address [slow] -# acl aclname myip ip-address/netmask ... # local socket IP address [fast] +# acl aclname src ip-address/mask ... # clients IP address [fast] +# acl aclname src addr1-addr2/mask ... # range of addresses [fast] +# acl aclname dst [-n] ip-address/mask ... # URL host's IP address [slow] +# acl aclname localip ip-address/mask ... # IP address the client connected to [fast] # # acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation) -# # The arp ACL requires the special configure option --enable-arp-acl. -# # Furthermore, the ARP ACL code is not portable to all operating systems. -# # It works on Linux, Solaris, Windows, FreeBSD, and some -# # other *BSD variants. # # [fast] +# # The 'arp' ACL code is not portable to all operating systems. +# # It works on Linux, Solaris, Windows, FreeBSD, and some other +# # BSD variants. +# # +# # NOTE: Squid can only determine the MAC/EUI address for IPv4 +# # clients that are on the same subnet. If the client is on a +# # different subnet, then Squid cannot find out its address. # # -# # NOTE: Squid can only determine the MAC address for clients that are on -# # the same subnet. If the client is on a different subnet, -# # then Squid cannot find out its MAC address. +# # NOTE 2: IPv6 protocol does not contain ARP. MAC/EUI is either +# # encoded directly in the IPv6 address or not available. # # acl aclname srcdomain .foo.com ... # # reverse lookup, from client IP [slow] -# acl aclname dstdomain .foo.com ... +# acl aclname dstdomain [-n] .foo.com ... # # Destination server from URL [fast] # acl aclname srcdom_regex [-i] \.foo\.com ... # # regex matching client name [slow] -# acl aclname dstdom_regex [-i] \.foo\.com ... +# acl aclname dstdom_regex [-n] [-i] \.foo\.com ... # # regex matching server [fast] # # # # For dstdomain and dstdom_regex a reverse lookup is tried if a IP @@ -557,13 +774,17 @@ # # acl aclname url_regex [-i] ^http:// ... # # regex matching on whole URL [fast] +# acl aclname urllogin [-i] [^a-zA-Z0-9] ... +# # regex matching on URL login field # acl aclname urlpath_regex [-i] \.gif$ ... # # regex matching on URL path [fast] # # acl aclname port 80 70 21 0-1024... # destination TCP port [fast] # # ranges are alloed -# acl aclname myport 3128 ... # local socket TCP port [fast] -# acl aclname myportname 3128 ... # http(s)_port name [fast] +# acl aclname localport 3128 ... # TCP port the client connected to [fast] +# # NP: for interception mode this is usually '80' +# +# acl aclname myportname 3128 ... # *_port name [fast] # # acl aclname proto HTTP FTP ... # request protocol [fast] # @@ -632,6 +853,11 @@ # # clients may appear to come from multiple addresses if they are # # going through proxy farms, so a limit of 1 may cause user problems. # +# acl aclname random probability +# # Pseudo-randomly match requests. Based on the probability given. +# # Probability may be written as a decimal (0.333), fraction (1/3) +# # or ratio of matches:non-matches (3:5). +# # acl aclname req_mime_type [-i] mime-type ... # # regex match against the mime type of the request generated # # by the client. Can be used to detect file upload or some @@ -663,11 +889,11 @@ # # acl aclname user_cert attribute values... # # match against attributes in a user SSL certificate -# # attribute is one of DN/C/O/CN/L/ST [fast] +# # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast] # # acl aclname ca_cert attribute values... # # match against attributes a users issuing CA SSL certificate -# # attribute is one of DN/C/O/CN/L/ST [fast] +# # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast] # # acl aclname ext_user username ... # acl aclname ext_user_regex [-i] pattern ... @@ -675,7 +901,59 @@ # # use REQUIRED to accept any non-null user name. # # acl aclname tag tagvalue ... -# # string match on tag returned by external acl helper [slow] +# # string match on tag returned by external acl helper [fast] +# # DEPRECATED. Only the first tag will match with this ACL. +# # Use the 'note' ACL instead for handling multiple tag values. +# +# acl aclname hier_code codename ... +# # string match against squid hierarchy code(s); [fast] +# # e.g., DIRECT, PARENT_HIT, NONE, etc. +# # +# # NOTE: This has no effect in http_access rules. It only has +# # effect in rules that affect the reply data stream such as +# # http_reply_access. +# +# acl aclname note name [value ...] +# # match transaction annotation [fast] +# # Without values, matches any annotation with a given name. +# # With value(s), matches any annotation with a given name that +# # also has one of the given values. +# # Names and values are compared using a string equality test. +# # Annotation sources include note and adaptation_meta directives +# # as well as helper and eCAP responses. +# +# acl aclname adaptation_service service ... +# # Matches the name of any icap_service, ecap_service, +# # adaptation_service_set, or adaptation_service_chain that Squid +# # has used (or attempted to use) for the master transaction. +# # This ACL must be defined after the corresponding adaptation +# # service is named in squid.conf. This ACL is usable with +# # adaptation_meta because it starts matching immediately after +# # the service has been selected for adaptation. +# +# acl aclname any-of acl1 acl2 ... +# # match any one of the acls [fast or slow] +# # The first matching ACL stops further ACL evaluation. +# # +# # ACLs from multiple any-of lines with the same name are ORed. +# # For example, A = (a1 or a2) or (a3 or a4) can be written as +# # acl A any-of a1 a2 +# # acl A any-of a3 a4 +# # +# # This group ACL is fast if all evaluated ACLs in the group are fast +# # and slow otherwise. +# +# acl aclname all-of acl1 acl2 ... +# # match all of the acls [fast or slow] +# # The first mismatching ACL stops further ACL evaluation. +# # +# # ACLs from multiple all-of lines with the same name are ORed. +# # For example, B = (b1 and b2) or (b3 and b4) can be written as +# # acl B all-of b1 b2 +# # acl B all-of b3 b4 +# # +# # This group ACL is fast if all evaluated ACLs in the group are fast +# # and slow otherwise. # # Examples: # acl macaddress arp 09:00:2b:23:45:67 @@ -685,14 +963,11 @@ # acl javascript rep_mime_type -i ^application/x-javascript$ # #Default: -# acl all src all +# ACLs all, manager, localhost, and to_localhost are predefined. # # # Recommended minimum configuration: -# (now built-in) -#acl manager proto cache_object -#acl localhost src 127.0.0.1/32 ::1 -#acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1 +# # Example rule allowing access from your local networks. # Adapt to list your (internal) IP networks from where browsing @@ -716,39 +991,83 @@ acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT +# TAG: proxy_protocol_access +# Determine which client proxies can be trusted to provide correct +# information regarding real client IP address using PROXY protocol. +# +# Requests may pass through a chain of several other proxies +# before reaching us. The original source details may by sent in: +# * HTTP message Forwarded header, or +# * HTTP message X-Forwarded-For header, or +# * PROXY protocol connection header. +# +# This directive is solely for validating new PROXY protocol +# connections received from a port flagged with require-proxy-header. +# It is checked only once after TCP connection setup. +# +# A deny match results in TCP connection closure. +# +# An allow match is required for Squid to permit the corresponding +# TCP connection, before Squid even looks for HTTP request headers. +# If there is an allow match, Squid starts using PROXY header information +# to determine the source address of the connection for all future ACL +# checks, logging, etc. +# +# SECURITY CONSIDERATIONS: +# +# Any host from which we accept client IP details can place +# incorrect information in the relevant header, and Squid +# will use the incorrect information as if it were the +# source address of the request. This may enable remote +# hosts to bypass any access control restrictions that are +# based on the client's source addresses. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# all TCP connections to ports with require-proxy-header will be denied + # TAG: follow_x_forwarded_for -# Allowing or Denying the X-Forwarded-For header to be followed to -# find the original source of a request. +# Determine which client proxies can be trusted to provide correct +# information regarding real client IP address. # # Requests may pass through a chain of several other proxies -# before reaching us. The X-Forwarded-For header will contain a -# comma-separated list of the IP addresses in the chain, with the -# rightmost address being the most recent. +# before reaching us. The original source details may by sent in: +# * HTTP message Forwarded header, or +# * HTTP message X-Forwarded-For header, or +# * PROXY protocol connection header. +# +# PROXY protocol connections are controlled by the proxy_protocol_access +# directive which is checked before this. # # If a request reaches us from a source that is allowed by this -# configuration item, then we consult the X-Forwarded-For header -# to see where that host received the request from. If the -# X-Forwarded-For header contains multiple addresses, we continue -# backtracking until we reach an address for which we are not allowed -# to follow the X-Forwarded-For header, or until we reach the first -# address in the list. For the purpose of ACL used in the -# follow_x_forwarded_for directive the src ACL type always matches -# the address we are testing and srcdomain matches its rDNS. +# directive, then we trust the information it provides regarding +# the IP of the client it received from (if any). +# +# For the purpose of ACLs used in this directive the src ACL type always +# matches the address we are testing and srcdomain matches its rDNS. +# +# On each HTTP request Squid checks for X-Forwarded-For header fields. +# If found the header values are iterated in reverse order and an allow +# match is required for Squid to continue on to the next value. +# The verification ends when a value receives a deny match, cannot be +# tested, or there are no more values to test. +# NOTE: Squid does not yet follow the Forwarded HTTP header. # # The end result of this process is an IP address that we will # refer to as the indirect client address. This address may # be treated as the client address for access control, ICAP, delay # pools and logging, depending on the acl_uses_indirect_client, -# icap_uses_indirect_client, delay_pool_uses_indirect_client and -# log_uses_indirect_client options. +# icap_uses_indirect_client, delay_pool_uses_indirect_client, +# log_uses_indirect_client and tproxy_uses_indirect_client options. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # # SECURITY CONSIDERATIONS: # -# Any host for which we follow the X-Forwarded-For header -# can place incorrect information in the header, and Squid +# Any host from which we accept client IP details can place +# incorrect information in the relevant header, and Squid # will use the incorrect information as if it were the # source address of the request. This may enable remote # hosts to bypass any access control restrictions that are @@ -761,7 +1080,7 @@ acl CONNECT method CONNECT # follow_x_forwarded_for allow localhost # follow_x_forwarded_for allow my_other_proxy #Default: -# follow_x_forwarded_for deny all +# X-Forwarded-For header will be ignored. # TAG: acl_uses_indirect_client on|off # Controls whether the indirect client address @@ -787,10 +1106,41 @@ acl CONNECT method CONNECT #Default: # log_uses_indirect_client on +# TAG: tproxy_uses_indirect_client on|off +# Controls whether the indirect client address +# (see follow_x_forwarded_for) is used instead of the +# direct client address when spoofing the outgoing client. +# +# This has no effect on requests arriving in non-tproxy +# mode ports. +# +# SECURITY WARNING: Usage of this option is dangerous +# and should not be used trivially. Correct configuration +# of follow_x_forwarded_for with a limited set of trusted +# sources is required to prevent abuse of your proxy. +#Default: +# tproxy_uses_indirect_client off + +# TAG: spoof_client_ip +# Control client IP address spoofing of TPROXY traffic based on +# defined access lists. +# +# spoof_client_ip allow|deny [!]aclname ... +# +# If there are no "spoof_client_ip" lines present, the default +# is to "allow" spoofing of any suitable request. +# +# Note that the cache_peer "no-tproxy" option overrides this ACL. +# +# This clause supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Allow spoofing on all TPROXY traffic. + # TAG: http_access # Allowing or Denying access based on defined access lists # -# Access to the HTTP port: +# To allow or deny a message received on an HTTP, HTTPS, or FTP port: # http_access allow|deny [!]aclname ... # # NOTE on default values: @@ -809,22 +1159,22 @@ acl CONNECT method CONNECT # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # #Default: -# http_access deny all +# Deny, unless rules exist in squid.conf. # # # Recommended minimum Access Permission configuration: # -# Only allow cachemgr access from localhost -http_access allow manager localhost -http_access deny manager - # Deny requests to certain unsafe ports http_access deny !Safe_ports # Deny CONNECT to other than secure SSL ports http_access deny CONNECT !SSL_ports +# Only allow cachemgr access from localhost +http_access allow localhost manager +http_access deny manager + # We strongly recommend the following be uncommented to protect innocent # web applications running on the proxy server who think the only # one who can access services on "localhost" is a local user @@ -852,7 +1202,7 @@ http_access deny all # # If not set then only http_access is used. #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: http_reply_access # Allow replies to client requests. This is complementary to http_access. @@ -860,7 +1210,7 @@ http_access deny all # http_reply_access allow|deny [!] aclname ... # # NOTE: if there are no access lines present, the default is to allow -# all replies +# all replies. # # If none of the access lines cause a match the opposite of the # last line will apply. Thus it is good practice to end the rules @@ -869,7 +1219,7 @@ http_access deny all # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: icp_access # Allowing or Denying access to the ICP port based on defined @@ -877,7 +1227,9 @@ http_access deny all # # icp_access allow|deny [!]aclname ... # -# See http_access for details +# NOTE: The default if no icp_access lines are present is to +# deny all traffic. This default may cause problems with peers +# using ICP. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. @@ -886,7 +1238,7 @@ http_access deny all ##icp_access allow localnet ##icp_access deny all #Default: -# icp_access deny all +# Deny, unless rules exist in squid.conf. # TAG: htcp_access # Allowing or Denying access to the HTCP port based on defined @@ -894,11 +1246,12 @@ http_access deny all # # htcp_access allow|deny [!]aclname ... # -# See http_access for details +# See also htcp_clr_access for details on access control for +# cache purge (CLR) HTCP messages. # # NOTE: The default if no htcp_access lines are present is to # deny all traffic. This default may cause problems with peers -# using the htcp or htcp-oldsquid options. +# using the htcp option. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. @@ -907,48 +1260,47 @@ http_access deny all ##htcp_access allow localnet ##htcp_access deny all #Default: -# htcp_access deny all +# Deny, unless rules exist in squid.conf. # TAG: htcp_clr_access # Allowing or Denying access to purge content using HTCP based -# on defined access lists +# on defined access lists. +# See htcp_access for details on general HTCP access control. # # htcp_clr_access allow|deny [!]aclname ... # -# See http_access for details -# # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # ## Allow HTCP CLR requests from trusted peers -#acl htcp_clr_peer src 172.16.1.2 +#acl htcp_clr_peer src 192.0.2.2 2001:DB8::2 #htcp_clr_access allow htcp_clr_peer +#htcp_clr_access deny all #Default: -# htcp_clr_access deny all +# Deny, unless rules exist in squid.conf. # TAG: miss_access -# Determins whether network access is permitted when satisfying a request. +# Determines whether network access is permitted when satisfying a request. # # For example; # to force your neighbors to use you as a sibling instead of # a parent. # -# acl localclients src 172.16.0.0/16 -# miss_access allow localclients +# acl localclients src 192.0.2.0/24 2001:DB8::a:0/64 # miss_access deny !localclients +# miss_access allow all # # This means only your local clients are allowed to fetch relayed/MISS # replies from the network and all other clients can only fetch cached # objects (HITs). # -# # The default for this setting allows all clients who passed the # http_access rules to relay via this proxy. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# miss_access allow all +# Allow, unless rules exist in squid.conf. # TAG: ident_lookup_access # A list of ACL elements which, if matched, cause an ident @@ -972,7 +1324,7 @@ http_access deny all # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# ident_lookup_access deny all +# Unless rules exist in squid.conf, IDENT is not fetched. # TAG: reply_body_max_size size [acl acl...] # This option specifies the maximum size of a reply body. It can be @@ -1009,23 +1361,22 @@ http_access deny all # reply_body_max_size 10 MB # #Default: -# none +# No limit is applied. # NETWORK OPTIONS # ----------------------------------------------------------------------------- # TAG: http_port -# Usage: port [options] -# hostname:port [options] -# 1.2.3.4:port [options] +# Usage: port [mode] [options] +# hostname:port [mode] [options] +# 1.2.3.4:port [mode] [options] # # The socket addresses where Squid will listen for HTTP client # requests. You may specify multiple socket addresses. # There are three forms: port alone, hostname with port, and # IP address with port. If you specify a hostname or IP # address, Squid binds the socket to that specific -# address. This replaces the old 'tcp_incoming_address' -# option. Most likely, you do not need to bind to a specific +# address. Most likely, you do not need to bind to a specific # address, so you can use the port number alone. # # If you are running Squid in accelerator mode, you @@ -1037,48 +1388,184 @@ http_access deny all # # You may specify multiple socket addresses on multiple lines. # -# Options: +# Modes: # -# intercept Support for IP-Layer interception of -# outgoing requests without browser settings. -# NP: disables authentication and IPv6 on the port. +# intercept Support for IP-Layer NAT interception delivering +# traffic to this Squid port. +# NP: disables authentication on the port. # -# tproxy Support Linux TPROXY for spoofing outgoing -# connections using the client IP address. -# NP: disables authentication and maybe IPv6 on the port. +# tproxy Support Linux TPROXY (or BSD divert-to) with spoofing +# of outgoing connections using the client IP address. +# NP: disables authentication on the port. # -# accel Accelerator mode. Also needs at least one of -# vhost / vport / defaultsite. +# accel Accelerator / reverse proxy mode # -# allow-direct Allow direct forwarding in accelerator mode. Normally -# accelerated requests are denied direct forwarding as if -# never_direct was used. +# ssl-bump For each CONNECT request allowed by ssl_bump ACLs, +# establish secure connection with the client and with +# the server, decrypt HTTPS messages as they pass through +# Squid, and treat them as unencrypted HTTP messages, +# becoming the man-in-the-middle. # -# defaultsite=domainname -# What to use for the Host: header if it is not present -# in a request. Determines what site (not origin server) -# accelerators should consider the default. -# Implies accel. +# The ssl_bump option is required to fully enable +# bumping of CONNECT requests. +# +# Omitting the mode flag causes default forward proxy mode to be used. +# +# +# Accelerator Mode Options: +# +# defaultsite=domainname +# What to use for the Host: header if it is not present +# in a request. Determines what site (not origin server) +# accelerators should consider the default. # -# vhost Accelerator mode using Host header for virtual domain support. -# Also uses the port as specified in Host: header unless -# overridden by the vport option. Implies accel. +# no-vhost Disable using HTTP/1.1 Host header for virtual domain support. +# +# protocol= Protocol to reconstruct accelerated and intercepted +# requests with. Defaults to HTTP/1.1 for http_port and +# HTTPS/1.1 for https_port. +# When an unsupported value is configured Squid will +# produce a FATAL error. +# Values: HTTP or HTTP/1.1, HTTPS or HTTPS/1.1 # # vport Virtual host port support. Using the http_port number -# instead of the port passed on Host: headers. Implies accel. +# instead of the port passed on Host: headers. # # vport=NN Virtual host port support. Using the specified port # number instead of the port passed on Host: headers. -# Implies accel. # -# protocol= Protocol to reconstruct accelerated requests with. -# Defaults to http. +# act-as-origin +# Act as if this Squid is the origin server. +# This currently means generate new Date: and Expires: +# headers on HIT instead of adding Age:. # # ignore-cc Ignore request Cache-Control headers. # -# Warning: This option violates HTTP specifications if +# WARNING: This option violates HTTP specifications if # used in non-accelerator setups. # +# allow-direct Allow direct forwarding in accelerator mode. Normally +# accelerated requests are denied direct forwarding as if +# never_direct was used. +# +# WARNING: this option opens accelerator mode to security +# vulnerabilities usually only affecting in interception +# mode. Make sure to protect forwarding with suitable +# http_access rules when using this. +# +# +# SSL Bump Mode Options: +# In addition to these options ssl-bump requires TLS/SSL options. +# +# generate-host-certificates[=] +# Dynamically create SSL server certificates for the +# destination hosts of bumped CONNECT requests.When +# enabled, the cert and key options are used to sign +# generated certificates. Otherwise generated +# certificate will be selfsigned. +# If there is a CA certificate lifetime of the generated +# certificate equals lifetime of the CA certificate. If +# generated certificate is selfsigned lifetime is three +# years. +# This option is disabled by default. See the ssl-bump +# option above for more information. +# +# dynamic_cert_mem_cache_size=SIZE +# Approximate total RAM size spent on cached generated +# certificates. If set to zero, caching is disabled. +# +# TLS / SSL Options: +# +# cert= Path to SSL certificate (PEM format). +# +# key= Path to SSL private key file (PEM format) +# if not specified, the certificate file is +# assumed to be a combined certificate and +# key file. +# +# version= The version of SSL/TLS supported +# 1 automatic (default) +# 2 SSLv2 only +# 3 SSLv3 only +# 4 TLSv1.0 only +# 5 TLSv1.1 only +# 6 TLSv1.2 only +# +# cipher= Colon separated list of supported ciphers. +# NOTE: some ciphers such as EDH ciphers depend on +# additional settings. If those settings are +# omitted the ciphers may be silently ignored +# by the OpenSSL library. +# +# options= Various SSL implementation options. The most important +# being: +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# SINGLE_DH_USE Always create a new key when using +# temporary/ephemeral DH key exchanges +# NO_TICKET Disables TLS tickets extension +# +# SINGLE_ECDH_USE +# Enable ephemeral ECDH key exchange. +# The adopted curve should be specified +# using the tls-dh option. +# +# ALL Enable various bug workarounds +# suggested as "harmless" by OpenSSL +# Be warned that this reduces SSL/TLS +# strength to some attacks. +# See OpenSSL SSL_CTX_set_options documentation for a +# complete list of options. +# +# clientca= File containing the list of CAs to use when +# requesting a client certificate. +# +# cafile= File containing additional CA certificates to +# use when verifying client certificates. If unset +# clientca will be used. +# +# capath= Directory containing additional CA certificates +# and CRL lists to use when verifying client certificates. +# +# crlfile= File of additional CRL lists to use when verifying +# the client certificate, in addition to CRLs stored in +# the capath. Implies VERIFY_CRL flag below. +# +# tls-dh=[curve:]file +# File containing DH parameters for temporary/ephemeral DH key +# exchanges, optionally prefixed by a curve for ephemeral ECDH +# key exchanges. +# See OpenSSL documentation for details on how to create the +# DH parameter file. Supported curves for ECDH can be listed +# using the "openssl ecparam -list_curves" command. +# WARNING: EDH and EECDH ciphers will be silently disabled if +# this option is not set. +# +# sslflags= Various flags modifying the use of SSL: +# DELAYED_AUTH +# Don't request client certificates +# immediately, but wait until acl processing +# requires a certificate (not yet implemented). +# NO_DEFAULT_CA +# Don't use the default CA lists built in +# to OpenSSL. +# NO_SESSION_REUSE +# Don't allow for session reuse. Each connection +# will result in a new SSL session. +# VERIFY_CRL +# Verify CRL lists when accepting client +# certificates. +# VERIFY_CRL_ALL +# Verify CRL lists for all certificates in the +# client certificate chain. +# +# sslcontext= SSL session ID context identifier. +# +# Other Options: +# # connection-auth[=on|off] # use connection-auth=off to tell Squid to prevent # forwarding Microsoft connection oriented authentication @@ -1100,22 +1587,6 @@ http_access deny all # sporadically hang or never complete requests set # disable-pmtu-discovery option to 'transparent'. # -# ssl-bump Intercept each CONNECT request matching ssl_bump ACL, -# establish secure connection with the client and with -# the server, decrypt HTTP messages as they pass through -# Squid, and treat them as unencrypted HTTP messages, -# becoming the man-in-the-middle. -# -# When this option is enabled, additional options become -# available to specify SSL-related properties of the -# client-side connection: cert, key, version, cipher, -# options, clientca, cafile, capath, crlfile, dhparams, -# sslflags, and sslcontext. See the https_port directive -# for more information on these options. -# -# The ssl_bump option is required to fully enable -# the SslBump feature. -# # name= Specifies a internal name for the port. Defaults to # the port specification (port or addr:port) # @@ -1125,6 +1596,11 @@ http_access deny all # probing the connection, interval how often to probe, and # timeout the time before giving up. # +# require-proxy-header +# Require PROXY protocol version 1 or 2 connections. +# The proxy_protocol_access is required to whitelist +# downstream proxies which can be trusted. +# # If you run Squid on a dual-homed machine with an internal # and an external interface we recommend you to specify the # internal address:port in http_port. This way Squid will only be @@ -1137,35 +1613,49 @@ http_port 3128 # TAG: https_port # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # -# Usage: [ip:]port cert=certificate.pem [key=key.pem] [options...] +# Usage: [ip:]port cert=certificate.pem [key=key.pem] [mode] [options...] # -# The socket address where Squid will listen for HTTPS client -# requests. +# The socket address where Squid will listen for client requests made +# over TLS or SSL connections. Commonly referred to as HTTPS. # -# This is really only useful for situations where you are running -# squid in accelerator mode and you want to do the SSL work at the -# accelerator level. +# This is most useful for situations where you are running squid in +# accelerator mode and you want to do the SSL work at the accelerator level. # # You may specify multiple socket addresses on multiple lines, # each with their own SSL certificate and/or options. # -# Options: +# Modes: +# +# accel Accelerator / reverse proxy mode +# +# intercept Support for IP-Layer interception of +# outgoing requests without browser settings. +# NP: disables authentication and IPv6 on the port. +# +# tproxy Support Linux TPROXY for spoofing outgoing +# connections using the client IP address. +# NP: disables authentication and maybe IPv6 on the port. +# +# ssl-bump For each intercepted connection allowed by ssl_bump +# ACLs, establish a secure connection with the client and with +# the server, decrypt HTTPS messages as they pass through +# Squid, and treat them as unencrypted HTTP messages, +# becoming the man-in-the-middle. +# +# An "ssl_bump server-first" match is required to +# fully enable bumping of intercepted SSL connections. +# +# Requires tproxy or intercept. # -# accel Accelerator mode. Also needs at least one of -# defaultsite or vhost. +# Omitting the mode flag causes default forward proxy mode to be used. # -# defaultsite= The name of the https site presented on -# this port. Implies accel. # -# vhost Accelerator mode using Host header for virtual -# domain support. Requires a wildcard certificate -# or other certificate valid for more than one domain. -# Implies accel. +# See http_port for a list of generic options # -# protocol= Protocol to reconstruct accelerated requests with. -# Defaults to https. +# +# SSL Options: # # cert= Path to SSL certificate (PEM format). # @@ -1181,20 +1671,23 @@ http_port 3128 # 4 TLSv1 only # # cipher= Colon separated list of supported ciphers. -# NOTE: some ciphers such as EDH ciphers depend on -# additional settings. If those settings are -# omitted the ciphers may be silently ignored -# by the OpenSSL library. # # options= Various SSL engine options. The most important # being: # NO_SSLv2 Disallow the use of SSLv2 # NO_SSLv3 Disallow the use of SSLv3 # NO_TLSv1 Disallow the use of TLSv1 +# # SINGLE_DH_USE Always create a new key when using # temporary/ephemeral DH key exchanges -# See OpenSSL SSL_CTX_set_options documentation for a -# complete list of options. +# +# SINGLE_ECDH_USE +# Enable ephemeral ECDH key exchange. +# The adopted curve should be specified +# using the tls-dh option. +# +# See src/ssl_support.c or OpenSSL SSL_CTX_set_options +# documentation for a complete list of options. # # clientca= File containing the list of CAs to use when # requesting a client certificate. @@ -1210,11 +1703,10 @@ http_port 3128 # the client certificate, in addition to CRLs stored in # the capath. Implies VERIFY_CRL flag below. # -# dhparams= File containing DH parameters for temporary/ephemeral -# DH key exchanges. See OpenSSL documentation for details -# on how to create this file. -# WARNING: EDH ciphers will be silently disabled if this -# option is not set. +# tls-dh=[curve:]file +# File containing DH parameters for temporary/ephemeral DH key +# exchanges, optionally prefixed by a curve for ephemeral ECDH +# key exchanges. # # sslflags= Various flags modifying the use of SSL: # DELAYED_AUTH @@ -1238,38 +1730,89 @@ http_port 3128 # # generate-host-certificates[=] # Dynamically create SSL server certificates for the -# destination hosts of bumped CONNECT requests.When +# destination hosts of bumped SSL requests.When # enabled, the cert and key options are used to sign # generated certificates. Otherwise generated # certificate will be selfsigned. -# If there is CA certificate life time of generated +# If there is CA certificate life time of generated # certificate equals lifetime of CA certificate. If -# generated certificate is selfsigned lifetime is three +# generated certificate is selfsigned lifetime is three # years. -# This option is enabled by default when SslBump is used. -# See the sslBump option above for more information. -# +# This option is disabled by default. See the ssl-bump +# option above for more information. +# # dynamic_cert_mem_cache_size=SIZE # Approximate total RAM size spent on cached generated -# certificates. If set to zero, caching is disabled. The -# default value is 4MB. An average XXX-bit certificate -# consumes about XXX bytes of RAM. +# certificates. If set to zero, caching is disabled. # -# vport Accelerator with IP based virtual host support. +# See http_port for a list of available options. +#Default: +# none + +# TAG: ftp_port +# Enables Native FTP proxy by specifying the socket address where Squid +# listens for FTP client requests. See http_port directive for various +# ways to specify the listening address and mode. # -# vport=NN As above, but uses specified port number rather -# than the https_port number. Implies accel. +# Usage: ftp_port address [mode] [options] # -# name= Specifies a internal name for the port. Defaults to -# the port specification (port or addr:port) +# WARNING: This is a new, experimental, complex feature that has seen +# limited production exposure. Some Squid modules (e.g., caching) do not +# currently work with native FTP proxying, and many features have not +# even been tested for compatibility. Test well before deploying! +# +# Native FTP proxying differs substantially from proxying HTTP requests +# with ftp:// URIs because Squid works as an FTP server and receives +# actual FTP commands (rather than HTTP requests with FTP URLs). # +# Native FTP commands accepted at ftp_port are internally converted or +# wrapped into HTTP-like messages. The same happens to Native FTP +# responses received from FTP origin servers. Those HTTP-like messages +# are shoveled through regular access control and adaptation layers +# between the FTP client and the FTP origin server. This allows Squid to +# examine, adapt, block, and log FTP exchanges. Squid reuses most HTTP +# mechanisms when shoveling wrapped FTP messages. For example, +# http_access and adaptation_access directives are used. +# +# Modes: +# +# intercept Same as http_port intercept. The FTP origin address is +# determined based on the intended destination of the +# intercepted connection. +# +# tproxy Support Linux TPROXY for spoofing outgoing +# connections using the client IP address. +# NP: disables authentication and maybe IPv6 on the port. +# +# By default (i.e., without an explicit mode option), Squid extracts the +# FTP origin address from the login@origin parameter of the FTP USER +# command. Many popular FTP clients support such native FTP proxying. +# +# Options: +# +# name=token Specifies an internal name for the port. Defaults to +# the port address. Usable with myportname ACL. +# +# ftp-track-dirs +# Enables tracking of FTP directories by injecting extra +# PWD commands and adjusting Request-URI (in wrapping +# HTTP requests) to reflect the current FTP server +# directory. Tracking is disabled by default. +# +# protocol=FTP Protocol to reconstruct accelerated and intercepted +# requests with. Defaults to FTP. No other accepted +# values have been tested with. An unsupported value +# results in a FATAL error. Accepted values are FTP, +# HTTP (or HTTP/1.1), and HTTPS (or HTTPS/1.1). +# +# Other http_port modes and options that are not specific to HTTP and +# HTTPS may also work. #Default: # none # TAG: tcp_outgoing_tos -# Allows you to select a TOS/Diffserv value to mark outgoing -# connections with, based on the username or source address -# making the request. +# Allows you to select a TOS/Diffserv value for packets outgoing +# on the server side, based on an ACL. # # tcp_outgoing_tos ds-field [!]aclname ... # @@ -1286,41 +1829,116 @@ http_port 3128 # RFC2475, and RFC3260. # # The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or -# "default" to use whatever default your host has. Note that in -# practice often only multiples of 4 is usable as the two rightmost bits -# have been redefined for use by ECN (RFC 3168 section 23.1). +# "default" to use whatever default your host has. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. # # Processing proceeds in the order specified, and stops at first fully # matching line. # -# Note: The use of this directive using client dependent ACLs is -# incompatible with the use of server side persistent connections. To -# ensure correct results it is best to set server_persistent_connections -# to off when using this directive in such configurations. +# Only fast ACLs are supported. #Default: # none # TAG: clientside_tos -# Allows you to select a TOS/Diffserv value to mark client-side -# connections with, based on the username or source address -# making the request. +# Allows you to select a TOS/DSCP value for packets being transmitted +# on the client-side, based on an ACL. +# +# clientside_tos ds-field [!]aclname ... +# +# Example where normal_service_net uses the TOS value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# clientside_tos 0x00 normal_service_net +# clientside_tos 0x20 good_service_net +# +# Note: This feature is incompatible with qos_flows. Any TOS values set here +# will be overwritten by TOS values in qos_flows. +# +# The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or +# "default" to use whatever default your host has. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. +# +#Default: +# none + +# TAG: tcp_outgoing_mark +# Note: This option is only available if Squid is rebuilt with the +# Packet MARK (Linux) +# +# Allows you to apply a Netfilter mark value to outgoing packets +# on the server side, based on an ACL. +# +# tcp_outgoing_mark mark-value [!]aclname ... +# +# Example where normal_service_net uses the mark value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# tcp_outgoing_mark 0x00 normal_service_net +# tcp_outgoing_mark 0x20 good_service_net +# +# Only fast ACLs are supported. +#Default: +# none + +# TAG: clientside_mark +# Note: This option is only available if Squid is rebuilt with the +# Packet MARK (Linux) +# +# Allows you to apply a Netfilter mark value to packets being transmitted +# on the client-side, based on an ACL. +# +# clientside_mark mark-value [!]aclname ... +# +# Example where normal_service_net uses the mark value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# clientside_mark 0x00 normal_service_net +# clientside_mark 0x20 good_service_net +# +# Note: This feature is incompatible with qos_flows. Any mark values set here +# will be overwritten by mark values in qos_flows. #Default: # none # TAG: qos_flows # Allows you to select a TOS/DSCP value to mark outgoing -# connections with, based on where the reply was sourced. +# connections to the client, based on where the reply was sourced. +# For platforms using netfilter, allows you to set a netfilter mark +# value instead of, or in addition to, a TOS value. +# +# By default this functionality is disabled. To enable it with the default +# settings simply use "qos_flows mark" or "qos_flows tos". Default +# settings will result in the netfilter mark or TOS value being copied +# from the upstream connection to the client. Note that it is the connection +# CONNMARK value not the packet MARK value that is copied. +# +# It is not currently possible to copy the mark or TOS value from the +# client to the upstream connection request. # # TOS values really only have local significance - so you should # know what you're specifying. For more information, see RFC2474, # RFC2475, and RFC3260. # -# The TOS/DSCP byte must be exactly that - octet value 0x00-0xFF. -# Note that in practice often only values up to 0x3F are usable -# as the two highest bits have been redefined for use by ECN -# (RFC3168). +# The TOS/DSCP byte must be exactly that - a octet value 0 - 255. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. +# +# Mark values can be any unsigned 32-bit integer value. # -# This setting is configured by setting the source TOS values: +# This setting is configured by setting the following values: +# +# tos|mark Whether to set TOS or netfilter mark values # # local-hit=0xFF Value to mark local cache hits. # @@ -1328,23 +1946,37 @@ http_port 3128 # # parent-hit=0xFF Value to mark hits from parent peers. # +# miss=0xFF[/mask] Value to mark cache misses. Takes precedence +# over the preserve-miss feature (see below), unless +# mask is specified, in which case only the bits +# specified in the mask are written. # -# NOTE: 'miss' preserve feature is only possible on Linux at this time. -# -# For the following to work correctly, you will need to patch your -# linux kernel with the TOS preserving ZPH patch. -# The kernel patch can be downloaded from http://zph.bratcheda.org +# The TOS variant of the following features are only possible on Linux +# and require your kernel to be patched with the TOS preserving ZPH +# patch, available from http://zph.bratcheda.org +# No patch is needed to preserve the netfilter mark, which will work +# with all variants of netfilter. # # disable-preserve-miss -# By default, the existing TOS value of the response coming -# from the remote server will be retained and masked with -# miss-mark. This option disables that feature. +# This option disables the preservation of the TOS or netfilter +# mark. By default, the existing TOS or netfilter mark value of +# the response coming from the remote server will be retained +# and masked with miss-mark. +# NOTE: in the case of a netfilter mark, the mark must be set on +# the connection (using the CONNMARK target) not on the packet +# (MARK target). # # miss-mask=0xFF -# Allows you to mask certain bits in the TOS received from the -# remote server, before copying the value to the TOS sent -# towards clients. -# Default: 0xFF (TOS from server is not changed). +# Allows you to mask certain bits in the TOS or mark value +# received from the remote server, before copying the value to +# the TOS sent towards clients. +# Default for tos: 0xFF (TOS from server is not changed). +# Default for mark: 0xFFFFFFFF (mark from server is not changed). +# +# All of these features require the --enable-zph-qos compilation flag +# (enabled by default). Netfilter marking also requires the +# libnetfilter_conntrack libraries (--with-netfilter-conntrack) and +# libcap 2.09+ (--with-libcap). # #Default: # none @@ -1356,72 +1988,133 @@ http_port 3128 # # tcp_outgoing_address ipaddr [[!]aclname] ... # -# Example where requests from 10.0.0.0/24 will be forwarded -# with source address 10.1.0.1, 10.0.2.0/24 forwarded with -# source address 10.1.0.2 and the rest will be forwarded with -# source address 10.1.0.3. -# -# acl normal_service_net src 10.0.0.0/24 -# acl good_service_net src 10.0.2.0/24 -# tcp_outgoing_address 10.1.0.1 normal_service_net -# tcp_outgoing_address 10.1.0.2 good_service_net -# tcp_outgoing_address 10.1.0.3 -# -# Processing proceeds in the order specified, and stops at first fully -# matching line. -# -# Note: The use of this directive using client dependent ACLs is -# incompatible with the use of server side persistent connections. To -# ensure correct results it is best to set server_persistent_connections -# to off when using this directive in such configurations. -# +# For example; +# Forwarding clients with dedicated IPs for certain subnets. # -# IPv6 Magic: +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.2.0/24 # -# Squid is built with a capability of bridging the IPv4 and IPv6 -# internets. -# tcp_outgoing_address as exampled above breaks this bridging by forcing -# all outbound traffic through a certain IPv4 which may be on the wrong -# side of the IPv4/IPv6 boundary. +# tcp_outgoing_address 2001:db8::c001 good_service_net +# tcp_outgoing_address 10.1.0.2 good_service_net # -# To operate with tcp_outgoing_address and keep the bridging benefits -# an additional ACL needs to be used which ensures the IPv6-bound traffic -# is never forced or permitted out the IPv4 interface. +# tcp_outgoing_address 2001:db8::beef normal_service_net +# tcp_outgoing_address 10.1.0.1 normal_service_net # -# # IPv6 destination test along with a dummy access control to perform the required DNS -# # This MUST be place before any ALLOW rules. -# acl to_ipv6 dst ipv6 -# http_access deny ipv6 !all +# tcp_outgoing_address 2001:db8::1 +# tcp_outgoing_address 10.1.0.3 # -# tcp_outgoing_address 2001:db8::c001 good_service_net to_ipv6 -# tcp_outgoing_address 10.1.0.2 good_service_net !to_ipv6 +# Processing proceeds in the order specified, and stops at first fully +# matching line. # -# tcp_outgoing_address 2001:db8::beef normal_service_net to_ipv6 -# tcp_outgoing_address 10.1.0.1 normal_service_net !to_ipv6 +# Squid will add an implicit IP version test to each line. +# Requests going to IPv4 websites will use the outgoing 10.1.0.* addresses. +# Requests going to IPv6 websites will use the outgoing 2001:db8:* addresses. # -# tcp_outgoing_address 2001:db8::1 to_ipv6 -# tcp_outgoing_address 10.1.0.3 !to_ipv6 # -# WARNING: -# 'dst ipv6' bases its selection assuming DIRECT access. -# If peers are used the peername ACL are needed to select outgoing -# address which can link to the peer. +# NOTE: The use of this directive using client dependent ACLs is +# incompatible with the use of server side persistent connections. To +# ensure correct results it is best to set server_persistent_connections +# to off when using this directive in such configurations. # -# 'dst ipv6' is a slow ACL. It will only work here if 'dst' is used -# previously in the http_access rules to locate the destination IP. -# Some more magic may be needed for that: -# http_access allow to_ipv6 !all -# (meaning, allow if to IPv6 but not from anywhere ;) +# NOTE: The use of this directive to set a local IP on outgoing TCP links +# is incompatible with using TPROXY to set client IP out outbound TCP links. +# When needing to contact peers use the no-tproxy cache_peer option and the +# client_dst_passthru directive re-enable normal forwarding such as this. # #Default: -# none +# Address selection is performed by the operating system. + +# TAG: host_verify_strict +# Regardless of this option setting, when dealing with intercepted +# traffic, Squid always verifies that the destination IP address matches +# the Host header domain or IP (called 'authority form URL'). +# +# This enforcement is performed to satisfy a MUST-level requirement in +# RFC 2616 section 14.23: "The Host field value MUST represent the naming +# authority of the origin server or gateway given by the original URL". +# +# When set to ON: +# Squid always responds with an HTTP 409 (Conflict) error +# page and logs a security warning if there is no match. +# +# Squid verifies that the destination IP address matches +# the Host header for forward-proxy and reverse-proxy traffic +# as well. For those traffic types, Squid also enables the +# following checks, comparing the corresponding Host header +# and Request-URI components: +# +# * The host names (domain or IP) must be identical, +# but valueless or missing Host header disables all checks. +# For the two host names to match, both must be either IP +# or FQDN. +# +# * Port numbers must be identical, but if a port is missing +# the scheme-default port is assumed. +# +# +# When set to OFF (the default): +# Squid allows suspicious requests to continue but logs a +# security warning and blocks caching of the response. +# +# * Forward-proxy traffic is not checked at all. +# +# * Reverse-proxy traffic is not checked at all. +# +# * Intercepted traffic which passes verification is handled +# according to client_dst_passthru. +# +# * Intercepted requests which fail verification are sent +# to the client original destination instead of DIRECT. +# This overrides 'client_dst_passthru off'. +# +# For now suspicious intercepted CONNECT requests are always +# responded to with an HTTP 409 (Conflict) error page. +# +# +# SECURITY NOTE: +# +# As described in CVE-2009-0801 when the Host: header alone is used +# to determine the destination of a request it becomes trivial for +# malicious scripts on remote websites to bypass browser same-origin +# security policy and sandboxing protections. +# +# The cause of this is that such applets are allowed to perform their +# own HTTP stack, in which case the same-origin policy of the browser +# sandbox only verifies that the applet tries to contact the same IP +# as from where it was loaded at the IP level. The Host: header may +# be different from the connected IP and approved origin. +# +#Default: +# host_verify_strict off + +# TAG: client_dst_passthru +# With NAT or TPROXY intercepted traffic Squid may pass the request +# directly to the original client destination IP or seek a faster +# source using the HTTP Host header. +# +# Using Host to locate alternative servers can provide faster +# connectivity with a range of failure recovery options. +# But can also lead to connectivity trouble when the client and +# server are attempting stateful interactions unaware of the proxy. +# +# This option (on by default) prevents alternative DNS entries being +# located to send intercepted traffic DIRECT to an origin server. +# The clients original destination IP and port will be used instead. +# +# Regardless of this option setting, when dealing with intercepted +# traffic Squid will verify the Host: header and any traffic which +# fails Host verification will be treated as if this option were ON. +# +# see host_verify_strict for details on the verification process. +#Default: +# client_dst_passthru on # SSL OPTIONS # ----------------------------------------------------------------------------- # TAG: ssl_unclean_shutdown # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Some browsers (especially MSIE) bugs out on SSL shutdown # messages. @@ -1430,7 +2123,7 @@ http_port 3128 # TAG: ssl_engine # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # The OpenSSL engine to use. You will need to set this if you # would like to use hardware SSL acceleration for example. @@ -1439,7 +2132,7 @@ http_port 3128 # TAG: sslproxy_client_certificate # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Client SSL Certificate to use when proxying https:// URLs #Default: @@ -1447,7 +2140,7 @@ http_port 3128 # TAG: sslproxy_client_key # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Client SSL Key to use when proxying https:// URLs #Default: @@ -1455,36 +2148,60 @@ http_port 3128 # TAG: sslproxy_version # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # SSL version level to use when proxying https:// URLs +# +# The versions of SSL/TLS supported: +# +# 1 automatic (default) +# 2 SSLv2 only +# 3 SSLv3 only +# 4 TLSv1.0 only +# 5 TLSv1.1 only +# 6 TLSv1.2 only #Default: -# sslproxy_version 1 +# automatic SSL/TLS version negotiation # TAG: sslproxy_options # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # -# SSL engine options to use when proxying https:// URLs +# Colon (:) or comma (,) separated list of SSL implementation options +# to use when proxying https:// URLs # # The most important being: # -# NO_SSLv2 Disallow the use of SSLv2 -# NO_SSLv3 Disallow the use of SSLv3 -# NO_TLSv1 Disallow the use of TLSv1 -# SINGLE_DH_USE -# Always create a new key when using -# temporary/ephemeral DH key exchanges +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# +# SINGLE_DH_USE +# Always create a new key when using temporary/ephemeral +# DH key exchanges +# +# NO_TICKET +# Disable use of RFC5077 session tickets. Some servers +# may have problems understanding the TLS extension due +# to ambiguous specification in RFC4507. +# +# ALL Enable various bug workarounds suggested as "harmless" +# by OpenSSL. Be warned that this may reduce SSL/TLS +# strength to some attacks. # -# These options vary depending on your SSL engine. # See the OpenSSL SSL_CTX_set_options documentation for a # complete list of possible options. +# +# WARNING: This directive takes a single token. If a space is used +# the value(s) after that space are SILENTLY IGNORED. #Default: # none # TAG: sslproxy_cipher # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # SSL cipher list to use when proxying https:// URLs # @@ -1494,7 +2211,7 @@ http_port 3128 # TAG: sslproxy_cafile # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # file containing CA certificates to use when verifying server # certificates while proxying https:// URLs @@ -1503,45 +2220,151 @@ http_port 3128 # TAG: sslproxy_capath # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # directory containing CA certificates to use when verifying # server certificates while proxying https:// URLs #Default: # none -# TAG: ssl_bump +# TAG: sslproxy_session_ttl +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the timeout value for SSL sessions +#Default: +# sslproxy_session_ttl 300 + +# TAG: sslproxy_session_cache_size +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the cache size to use for ssl session +#Default: +# sslproxy_session_cache_size 2 MB + +# TAG: sslproxy_foreign_intermediate_certs # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # -# This ACL controls which CONNECT requests to an http_port -# marked with an sslBump flag are actually "bumped". Please -# see the sslBump flag of an http_port option for more details -# about decoding proxied SSL connections. +# Many origin servers fail to send their full server certificate +# chain for verification, assuming the client already has or can +# easily locate any missing intermediate certificates. # -# By default, no requests are bumped. +# Squid uses the certificates from the specified file to fill in +# these missing chains when trying to validate origin server +# certificate chains. +# +# The file is expected to contain zero or more PEM-encoded +# intermediate certificates. These certificates are not treated +# as trusted root certificates, and any self-signed certificate in +# this file will be ignored. +#Default: +# none + +# TAG: sslproxy_cert_sign_hash +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the hashing algorithm to use when signing generated certificates. +# Valid algorithm names depend on the OpenSSL library used. The following +# names are usually available: sha1, sha256, sha512, and md5. Please see +# your OpenSSL library manual for the available hashes. By default, Squids +# that support this option use sha256 hashes. +# +# Squid does not forcefully purge cached certificates that were generated +# with an algorithm other than the currently configured one. They remain +# in the cache, subject to the regular cache eviction policy, and become +# useful if the algorithm changes again. +#Default: +# none + +# TAG: ssl_bump +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# This option is consulted when a CONNECT request is received on +# an http_port (or a new connection is intercepted at an +# https_port), provided that port was configured with an ssl-bump +# flag. The subsequent data on the connection is either treated as +# HTTPS and decrypted OR tunneled at TCP level without decryption, +# depending on the first matching bumping "action". +# +# ssl_bump [!]acl ... +# +# The following bumping actions are currently supported: +# +# splice +# Become a TCP tunnel without decrypting proxied traffic. +# This is the default action. +# +# bump +# Establish a secure connection with the server and, using a +# mimicked server certificate, with the client. +# +# peek +# Receive client (step SslBump1) or server (step SslBump2) +# certificate while preserving the possibility of splicing the +# connection. Peeking at the server certificate (during step 2) +# usually precludes bumping of the connection at step 3. +# +# stare +# Receive client (step SslBump1) or server (step SslBump2) +# certificate while preserving the possibility of bumping the +# connection. Staring at the server certificate (during step 2) +# usually precludes splicing of the connection at step 3. +# +# terminate +# Close client and server connections. +# +# Backward compatibility actions available at step SslBump1: +# +# client-first +# Bump the connection. Establish a secure connection with the +# client first, then connect to the server. This old mode does +# not allow Squid to mimic server SSL certificate and does not +# work with intercepted SSL connections. +# +# server-first +# Bump the connection. Establish a secure connection with the +# server first, then establish a secure connection with the +# client, using a mimicked server certificate. Works with both +# CONNECT requests and intercepted SSL connections, but does +# not allow to make decisions based on SSL handshake info. +# +# peek-and-splice +# Decide whether to bump or splice the connection based on +# client-to-squid and server-to-squid SSL hello messages. +# XXX: Remove. +# +# none +# Same as the "splice" action. +# +# All ssl_bump rules are evaluated at each of the supported bumping +# steps. Rules with actions that are impossible at the current step are +# ignored. The first matching ssl_bump action wins and is applied at the +# end of the current step. If no rules match, the splice action is used. +# See the at_step ACL for a list of the supported SslBump steps. # -# See also: http_port ssl-bump -# # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # +# See also: http_port ssl-bump, https_port ssl-bump, and acl at_step. +# # -# # Example: Bump all requests except those originating from localhost and -# # those going to webax.com or example.com sites. +# # Example: Bump all TLS connections except those originating from +# # localhost or those going to example.com. # -# acl localhost src 127.0.0.1/32 -# acl broken_sites dstdomain .webax.com -# acl broken_sites dstdomain .example.com -# ssl_bump deny localhost -# ssl_bump deny broken_sites -# ssl_bump allow all +# acl broken_sites ssl::server_name .example.com +# ssl_bump splice localhost +# ssl_bump splice broken_sites +# ssl_bump bump all #Default: -# none +# Become a TCP tunnel without decrypting proxied traffic. # TAG: sslproxy_flags # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Various flags modifying the use of SSL while proxying https:// URLs: # DONT_VERIFY_PEER Accept certificates that fail verification. @@ -1553,16 +2376,16 @@ http_port 3128 # TAG: sslproxy_cert_error # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Use this ACL to bypass server certificate validation errors. # # For example, the following lines will bypass all validation errors -# when talking to servers located at 172.16.0.0/16. All other +# when talking to servers for example.com. All other # validation errors will result in ERR_SECURE_CONNECT_FAIL error. # -# acl BrokenServersAtTrustedIP dst 172.16.0.0/16 -# sslproxy_cert_error allow BrokenServersAtTrustedIP +# acl BrokenButTrustedServers dstdomain example.com +# sslproxy_cert_error allow BrokenButTrustedServers # sslproxy_cert_error deny all # # This clause only supports fast acl types. @@ -1570,19 +2393,107 @@ http_port 3128 # Using slow acl types may result in server crashes # # Without this option, all server certificate validation errors -# terminate the transaction. Bypassing validation errors is dangerous -# because an error usually implies that the server cannot be trusted and -# the connection may be insecure. +# terminate the transaction to protect Squid and the client. +# +# SQUID_X509_V_ERR_INFINITE_VALIDATION error cannot be bypassed +# but should not happen unless your OpenSSL library is buggy. +# +# SECURITY WARNING: +# Bypassing validation errors is dangerous because an +# error usually implies that the server cannot be trusted +# and the connection may be insecure. # # See also: sslproxy_flags and DONT_VERIFY_PEER. +#Default: +# Server certificate errors terminate the transaction. + +# TAG: sslproxy_cert_sign +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# # -# Default setting: sslproxy_cert_error deny all +# sslproxy_cert_sign acl ... +# +# The following certificate signing algorithms are supported: +# +# signTrusted +# Sign using the configured CA certificate which is usually +# placed in and trusted by end-user browsers. This is the +# default for trusted origin server certificates. +# +# signUntrusted +# Sign to guarantee an X509_V_ERR_CERT_UNTRUSTED browser error. +# This is the default for untrusted origin server certificates +# that are not self-signed (see ssl::certUntrusted). +# +# signSelf +# Sign using a self-signed certificate with the right CN to +# generate a X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT error in the +# browser. This is the default for self-signed origin server +# certificates (see ssl::certSelfSigned). +# +# This clause only supports fast acl types. +# +# When sslproxy_cert_sign acl(s) match, Squid uses the corresponding +# signing algorithm to generate the certificate and ignores all +# subsequent sslproxy_cert_sign options (the first match wins). If no +# acl(s) match, the default signing algorithm is determined by errors +# detected when obtaining and validating the origin server certificate. +# +# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can +# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a +# CONNECT request that carries a domain name. In all other cases (CONNECT +# to an IP address or an intercepted SSL connection), Squid cannot detect +# the domain mismatch at certificate generation time when +# bump-server-first is used. +#Default: +# none + +# TAG: sslproxy_cert_adapt +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# +# sslproxy_cert_adapt acl ... +# +# The following certificate adaptation algorithms are supported: +# +# setValidAfter +# Sets the "Not After" property to the "Not After" property of +# the CA certificate used to sign generated certificates. +# +# setValidBefore +# Sets the "Not Before" property to the "Not Before" property of +# the CA certificate used to sign generated certificates. +# +# setCommonName or setCommonName{CN} +# Sets Subject.CN property to the host name specified as a +# CN parameter or, if no explicit CN parameter was specified, +# extracted from the CONNECT request. It is a misconfiguration +# to use setCommonName without an explicit parameter for +# intercepted or tproxied SSL connections. +# +# This clause only supports fast acl types. +# +# Squid first groups sslproxy_cert_adapt options by adaptation algorithm. +# Within a group, when sslproxy_cert_adapt acl(s) match, Squid uses the +# corresponding adaptation algorithm to generate the certificate and +# ignores all subsequent sslproxy_cert_adapt options in that algorithm's +# group (i.e., the first match wins within each algorithm group). If no +# acl(s) match, the default mimicking action takes place. +# +# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can +# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a +# CONNECT request that carries a domain name. In all other cases (CONNECT +# to an IP address or an intercepted SSL connection), Squid cannot detect +# the domain mismatch at certificate generation time when +# bump-server-first is used. #Default: # none # TAG: sslpassword_program # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Specify a program used for entering SSL key passphrases # when using encrypted SSL certificate keys. If not specified @@ -1595,12 +2506,12 @@ http_port 3128 #Default: # none -#OPTIONS RELATING TO EXTERNAL SSL_CRTD -#----------------------------------------------------------------------------- +# OPTIONS RELATING TO EXTERNAL SSL_CRTD +# ----------------------------------------------------------------------------- # TAG: sslcrtd_program # Note: This option is only available if Squid is rebuilt with the -# -DUSE_SSL_CRTD define +# --enable-ssl-crtd # # Specify the location and options of the executable for ssl_crtd process. # /usr/lib/squid/ssl_crtd program requires -s and -M parameters @@ -1611,14 +2522,90 @@ http_port 3128 # TAG: sslcrtd_children # Note: This option is only available if Squid is rebuilt with the -# -DUSE_SSL_CRTD define +# --enable-ssl-crtd # # The maximum number of processes spawn to service ssl server. # The maximum this may be safely set to is 32. # +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup=N +# +# Sets the minimum number of processes to spawn when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few children temporary slows Squid under load while it +# tries to spawn enough additional processes to cope with traffic. +# +# idle=N +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# # You must have at least one ssl_crtd process. #Default: -# sslcrtd_children 5 +# sslcrtd_children 32 startup=5 idle=1 + +# TAG: sslcrtvalidator_program +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Specify the location and options of the executable for ssl_crt_validator +# process. +# +# Usage: sslcrtvalidator_program [ttl=n] [cache=n] path ... +# +# Options: +# ttl=n TTL in seconds for cached results. The default is 60 secs +# cache=n limit the result cache size. The default value is 2048 +#Default: +# none + +# TAG: sslcrtvalidator_children +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# The maximum number of processes spawn to service SSL server. +# The maximum this may be safely set to is 32. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup=N +# +# Sets the minimum number of processes to spawn when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few children temporary slows Squid under load while it +# tries to spawn enough additional processes to cope with traffic. +# +# idle=N +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# +# The number of requests each certificate validator helper can handle in +# parallel. A value of 0 indicates the certficate validator does not +# support concurrency. Defaults to 1. +# +# When this directive is set to a value >= 1 then the protocol +# used to communicate with the helper is modified to include +# a request ID in front of the request/response. The request +# ID from the request must be echoed back with the response +# to that request. +# +# You must have at least one ssl_crt_validator process. +#Default: +# sslcrtvalidator_children 32 startup=5 idle=1 concurrency=1 # OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM # ----------------------------------------------------------------------------- @@ -1680,22 +2667,23 @@ http_port 3128 # # htcp Send HTCP, instead of ICP, queries to the neighbor. # You probably also want to set the "icp-port" to 4827 -# instead of 3130. +# instead of 3130. This directive accepts a comma separated +# list of options described below. # -# htcp-oldsquid Send HTCP to old Squid versions. +# htcp=oldsquid Send HTCP to old Squid versions (2.5 or earlier). # -# htcp-no-clr Send HTCP to the neighbor but without +# htcp=no-clr Send HTCP to the neighbor but without # sending any CLR requests. This cannot be used with -# htcp-only-clr. +# only-clr. # -# htcp-only-clr Send HTCP to the neighbor but ONLY CLR requests. -# This cannot be used with htcp-no-clr. +# htcp=only-clr Send HTCP to the neighbor but ONLY CLR requests. +# This cannot be used with no-clr. # -# htcp-no-purge-clr +# htcp=no-purge-clr # Send HTCP to the neighbor including CLRs but only when # they do not result from PURGE requests. # -# htcp-forward-clr +# htcp=forward-clr # Forward any HTCP CLR requests this proxy receives to the peer. # # @@ -1768,6 +2756,14 @@ http_port 3128 # than the Squid default location. # # +# ==== CARP OPTIONS ==== +# +# carp-key=key-specification +# use a different key than the full URL to hash against the peer. +# the key-specification is a comma-separated list of the keywords +# scheme, host, port, path, params +# Order is not important. +# # ==== ACCELERATOR / REVERSE-PROXY OPTIONS ==== # # originserver Causes this parent to be contacted as an origin server. @@ -1795,20 +2791,23 @@ http_port 3128 # Note: The string can include URL escapes (i.e. %20 for # spaces). This also means % must be written as %%. # -# login=PROXYPASS +# login=PASSTHRU # Send login details received from client to this peer. -# Authentication is not required, nor changed. +# Both Proxy- and WWW-Authorization headers are passed +# without alteration to the peer. +# Authentication is not required by Squid for this to work. # # Note: This will pass any form of authentication but # only Basic auth will work through a proxy unless the # connection-auth options are also used. -# +# # login=PASS Send login details received from client to this peer. # Authentication is not required by this option. +# # If there are no client-provided authentication headers # to pass on, but username and password are available -# from either proxy login or an external ACL user= and -# password= result tags they may be sent instead. +# from an external ACL user= and password= result tags +# they may be sent instead. # # Note: To combine this with proxy_auth both proxies must # share the same user database as HTTP only allows for @@ -1826,6 +2825,27 @@ http_port 3128 # be used to identify this proxy to the peer, similar to # the login=username:password option above. # +# login=NEGOTIATE +# If this is a personal/workgroup proxy and your parent +# requires a secure proxy authentication. +# The first principal from the default keytab or defined by +# the environment variable KRB5_KTNAME will be used. +# +# WARNING: The connection may transmit requests from multiple +# clients. Negotiate often assumes end-to-end authentication +# and a single-client. Which is not strictly true here. +# +# login=NEGOTIATE:principal_name +# If this is a personal/workgroup proxy and your parent +# requires a secure proxy authentication. +# The principal principal_name from the default keytab or +# defined by the environment variable KRB5_KTNAME will be +# used. +# +# WARNING: The connection may transmit requests from multiple +# clients. Negotiate often assumes end-to-end authentication +# and a single-client. Which is not strictly true here. +# # connection-auth=on|off # Tell Squid that this peer does or not support Microsoft # connection oriented authentication, and any such @@ -1848,22 +2868,42 @@ http_port 3128 # reference a combined file containing both the # certificate and the key. # -# sslversion=1|2|3|4 +# sslversion=1|2|3|4|5|6 # The SSL version to use when connecting to this peer # 1 = automatic (default) # 2 = SSL v2 only # 3 = SSL v3 only -# 4 = TLS v1 only +# 4 = TLS v1.0 only +# 5 = TLS v1.1 only +# 6 = TLS v1.2 only # # sslcipher=... The list of valid SSL ciphers to use when connecting # to this peer. # -# ssloptions=... Specify various SSL engine options: -# NO_SSLv2 Disallow the use of SSLv2 -# NO_SSLv3 Disallow the use of SSLv3 -# NO_TLSv1 Disallow the use of TLSv1 -# See src/ssl_support.c or the OpenSSL documentation for -# a more complete list. +# ssloptions=... Specify various SSL implementation options: +# +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# +# SINGLE_DH_USE +# Always create a new key when using +# temporary/ephemeral DH key exchanges +# +# NO_TICKET +# Disable use of RFC5077 session tickets. Some servers +# may have problems understanding the TLS extension due +# to ambiguous specification in RFC4507. +# +# ALL Enable various bug workarounds +# suggested as "harmless" by OpenSSL +# Be warned that this reduces SSL/TLS +# strength to some attacks. +# +# See the OpenSSL SSL_CTX_set_options documentation for a +# more complete list. # # sslcafile=... A file containing additional CA certificates to use # when verifying the peer certificate. @@ -1907,29 +2947,74 @@ http_port 3128 # # connect-fail-limit=N # How many times connecting to a peer must fail before -# it is marked as down. Default is 10. +# it is marked as down. Standby connection failures +# count towards this limit. Default is 10. # # allow-miss Disable Squid's use of only-if-cached when forwarding # requests to siblings. This is primarily useful when -# icp_hit_stale is used by the sibling. To extensive use -# of this option may result in forwarding loops, and you -# should avoid having two-way peerings with this option. -# For example to deny peer usage on requests from peer -# by denying cache_peer_access if the source is a peer. +# icp_hit_stale is used by the sibling. Excessive use +# of this option may result in forwarding loops. One way +# to prevent peering loops when using this option, is to +# deny cache peer usage on requests from a peer: +# acl fromPeer ... +# cache_peer_access peerName deny fromPeer +# +# max-conn=N Limit the number of concurrent connections the Squid +# may open to this peer, including already opened idle +# and standby connections. There is no peer-specific +# connection limit by default. # -# max-conn=N Limit the amount of connections Squid may open to this -# peer. see also +# A peer exceeding the limit is not used for new +# requests unless a standby connection is available. +# +# max-conn currently works poorly with idle persistent +# connections: When a peer reaches its max-conn limit, +# and there are idle persistent connections to the peer, +# the peer may not be selected because the limiting code +# does not know whether Squid can reuse those idle +# connections. +# +# standby=N Maintain a pool of N "hot standby" connections to an +# UP peer, available for requests when no idle +# persistent connection is available (or safe) to use. +# By default and with zero N, no such pool is maintained. +# N must not exceed the max-conn limit (if any). +# +# At start or after reconfiguration, Squid opens new TCP +# standby connections until there are N connections +# available and then replenishes the standby pool as +# opened connections are used up for requests. A used +# connection never goes back to the standby pool, but +# may go to the regular idle persistent connection pool +# shared by all peers and origin servers. +# +# Squid never opens multiple new standby connections +# concurrently. This one-at-a-time approach minimizes +# flooding-like effect on peers. Furthermore, just a few +# standby connections should be sufficient in most cases +# to supply most new requests with a ready-to-use +# connection. +# +# Standby connections obey server_idle_pconn_timeout. +# For the feature to work as intended, the peer must be +# configured to accept and keep them open longer than +# the idle timeout at the connecting Squid, to minimize +# race conditions typical to idle used persistent +# connections. Default request_timeout and +# server_idle_pconn_timeout values ensure such a +# configuration. # # name=xxx Unique name for the peer. # Required if you have multiple peers on the same host # but different ports. # This name can be used in cache_peer_access and similar -# directives to dentify the peer. +# directives to identify the peer. # Can be used by outgoing access controls through the # peername ACL type. # # no-tproxy Do not use the client-spoof TPROXY support when forwarding # requests to this peer. Use normal address selection instead. +# This overrides the spoof_client_ip ACL. # # proxy-only objects fetched from the peer will not be stored locally. # @@ -1938,10 +3023,11 @@ http_port 3128 # TAG: cache_peer_domain # Use to limit the domains for which a neighbor cache will be -# queried. Usage: +# queried. # -# cache_peer_domain cache-host domain [domain ...] -# cache_peer_domain cache-host !domain +# Usage: +# cache_peer_domain cache-host domain [domain ...] +# cache_peer_domain cache-host !domain # # For example, specifying # @@ -1966,33 +3052,57 @@ http_port 3128 # none # TAG: cache_peer_access -# Similar to 'cache_peer_domain' but provides more flexibility by -# using ACL elements. +# Restricts usage of cache_peer proxies. # -# cache_peer_access cache-host allow|deny [!]aclname ... +# Usage: +# cache_peer_access peer-name allow|deny [!]aclname ... +# +# For the required peer-name parameter, use either the value of the +# cache_peer name=value parameter or, if name=value is missing, the +# cache_peer hostname parameter. +# +# This directive narrows down the selection of peering candidates, but +# does not determine the order in which the selected candidates are +# contacted. That order is determined by the peer selection algorithms +# (see PEER SELECTION sections in the cache_peer documentation). +# +# If a deny rule matches, the corresponding peer will not be contacted +# for the current transaction -- Squid will not send ICP queries and +# will not forward HTTP requests to that peer. An allow match leaves +# the corresponding peer in the selection. The first match for a given +# peer wins for that peer. +# +# The relative order of cache_peer_access directives for the same peer +# matters. The relative order of any two cache_peer_access directives +# for different peers does not matter. To ease interpretation, it is a +# good idea to group cache_peer_access directives for the same peer +# together. +# +# A single cache_peer_access directive may be evaluated multiple times +# for a given transaction because individual peer selection algorithms +# may check it independently from each other. These redundant checks +# may be optimized away in future Squid versions. # -# The syntax is identical to 'http_access' and the other lists of -# ACL elements. See the comments for 'http_access' below, or -# the Squid FAQ (http://wiki.squid-cache.org/SquidFaq/SquidAcl). +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# No peer usage restrictions. # TAG: neighbor_type_domain -# usage: neighbor_type_domain neighbor parent|sibling domain domain ... +# Modify the cache_peer neighbor type when passing requests +# about specific domains to the peer. # -# Modifying the neighbor type for specific domains is now -# possible. You can treat some domains differently than the the -# default neighbor type specified on the 'cache_peer' line. -# Normally it should only be necessary to list domains which -# should be treated differently because the default neighbor type -# applies for hostnames which do not match domains listed here. +# Usage: +# neighbor_type_domain neighbor parent|sibling domain domain ... # -#EXAMPLE: -# cache_peer cache.foo.org parent 3128 3130 -# neighbor_type_domain cache.foo.org sibling .com .net -# neighbor_type_domain cache.foo.org sibling .au .de +# For example: +# cache_peer foo.example.com parent 3128 3130 +# neighbor_type_domain foo.example.com sibling .au .de +# +# The above configuration treats all requests to foo.example.com as a +# parent proxy unless the request is for a .au or .de ccTLD domain name. #Default: -# none +# The peer type from cache_peer directive is used for all requests to that peer. # TAG: dead_peer_timeout (seconds) # This controls how long Squid waits to declare a peer cache @@ -2015,21 +3125,11 @@ http_port 3128 # TAG: forward_max_tries # Controls how many different forward paths Squid will try # before giving up. See also forward_timeout. +# +# NOTE: connect_retries (default: none) can make each of these +# possible forwarding paths be tried multiple times. #Default: -# forward_max_tries 10 - -# TAG: hierarchy_stoplist -# A list of words which, if found in a URL, cause the object to -# be handled directly by this cache. In other words, use this -# to not query neighbor caches for certain objects. You may -# list this option multiple times. -# -# Example: -# hierarchy_stoplist cgi-bin ? -# -# Note: never_direct overrides this option. -#Default: -# none +# forward_max_tries 25 # MEMORY CACHE OPTIONS # ----------------------------------------------------------------------------- @@ -2064,6 +3164,11 @@ http_port 3128 # decreases, blocks will be freed until the high-water mark is # reached. Thereafter, blocks will be used to store hot # objects. +# +# If shared memory caching is enabled, Squid does not use the shared +# cache space for in-transit objects, but they still consume as much +# local memory as they need. For more details about the shared memory +# cache, see memory_cache_shared. #Default: # cache_mem 256 MB @@ -2075,11 +3180,45 @@ http_port 3128 #Default: # maximum_object_size_in_memory 512 KB +# TAG: memory_cache_shared on|off +# Controls whether the memory cache is shared among SMP workers. +# +# The shared memory cache is meant to occupy cache_mem bytes and replace +# the non-shared memory cache, although some entities may still be +# cached locally by workers for now (e.g., internal and in-transit +# objects may be served from a local memory cache even if shared memory +# caching is enabled). +# +# By default, the memory cache is shared if and only if all of the +# following conditions are satisfied: Squid runs in SMP mode with +# multiple workers, cache_mem is positive, and Squid environment +# supports required IPC primitives (e.g., POSIX shared memory segments +# and GCC-style atomic operations). +# +# To avoid blocking locks, shared memory uses opportunistic algorithms +# that do not guarantee that every cachable entity that could have been +# shared among SMP workers will actually be shared. +#Default: +# "on" where supported if doing memory caching with multiple SMP workers. + +# TAG: memory_cache_mode +# Controls which objects to keep in the memory cache (cache_mem) +# +# always Keep most recently fetched objects in memory (default) +# +# disk Only disk cache hits are kept in memory, which means +# an object must first be cached on disk and then hit +# a second time before cached in memory. +# +# network Only objects fetched from network is kept in memory +#Default: +# Keep the most recently fetched objects in memory + # TAG: memory_replacement_policy # The memory replacement policy parameter determines which # objects are purged from memory when memory space is needed. # -# See cache_replacement_policy for details. +# See cache_replacement_policy for details on algorithms. #Default: # memory_replacement_policy lru @@ -2095,7 +3234,7 @@ http_port 3128 # heap LFUDA: Least Frequently Used with Dynamic Aging # heap LRU : LRU policy implemented using a heap # -# Applies to any cache_dir lines listed below this. +# Applies to any cache_dir lines listed below this directive. # # The LRU policies keeps recently referenced objects. # @@ -2114,7 +3253,7 @@ http_port 3128 # replacement policies. # # NOTE: if using the LFUDA replacement policy you should increase -# the value of maximum_object_size above its default of 4096 KB to +# the value of maximum_object_size above its default of 4 MB to # to maximize the potential byte hit rate improvement of LFUDA. # # For more information about the GDSF and LFUDA cache replacement @@ -2123,10 +3262,34 @@ http_port 3128 #Default: # cache_replacement_policy lru +# TAG: minimum_object_size (bytes) +# Objects smaller than this size will NOT be saved on disk. The +# value is specified in bytes, and the default is 0 KB, which +# means all responses can be stored. +#Default: +# no limit + +# TAG: maximum_object_size (bytes) +# Set the default value for max-size parameter on any cache_dir. +# The value is specified in bytes, and the default is 4 MB. +# +# If you wish to get a high BYTES hit ratio, you should probably +# increase this (one 32 MB object hit counts for 3200 10KB +# hits). +# +# If you wish to increase hit ratio more than you want to +# save bandwidth you should leave this low. +# +# NOTE: if using the LFUDA replacement policy you should increase +# this value to maximize the byte hit rate improvement of LFUDA! +# See cache_replacement_policy for a discussion of this policy. +#Default: +# maximum_object_size 4 MB +maximum_object_size 153600 KB + # TAG: cache_dir -# Usage: -# -# cache_dir Type Directory-Name Fs-specific-data [options] +# Format: +# cache_dir Type Directory-Name Fs-specific-data [options] # # You can specify multiple cache_dir lines to spread the # cache among different disk partitions. @@ -2141,12 +3304,18 @@ http_port 3128 # The directory must exist and be writable by the Squid # process. Squid will NOT create this directory for you. # -# The ufs store type: +# In SMP configurations, cache_dir must not precede the workers option +# and should use configuration macros or conditionals to give each +# worker interested in disk caching a dedicated cache directory. +# +# +# ==== The ufs store type ==== # # "ufs" is the old well-known Squid storage format that has always # been there. # -# cache_dir ufs Directory-Name Mbytes L1 L2 [options] +# Usage: +# cache_dir ufs Directory-Name Mbytes L1 L2 [options] # # 'Mbytes' is the amount of disk space (MB) to use under this # directory. The default is 100 MB. Change this to suit your @@ -2161,23 +3330,27 @@ http_port 3128 # will be created under each first-level directory. The default # is 256. # -# The aufs store type: +# +# ==== The aufs store type ==== # # "aufs" uses the same storage format as "ufs", utilizing # POSIX-threads to avoid blocking the main Squid process on # disk-I/O. This was formerly known in Squid as async-io. # -# cache_dir aufs Directory-Name Mbytes L1 L2 [options] +# Usage: +# cache_dir aufs Directory-Name Mbytes L1 L2 [options] # # see argument descriptions under ufs above # -# The diskd store type: +# +# ==== The diskd store type ==== # # "diskd" uses the same storage format as "ufs", utilizing a # separate process to avoid blocking the main Squid process on # disk-I/O. # -# cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n] +# Usage: +# cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n] # # see argument descriptions under ufs above # @@ -2185,55 +3358,149 @@ http_port 3128 # stops opening new files. If this many messages are in the queues, # Squid won't open new files. Default is 64 # -# Q2 specifies the number of unacknowledged messages when Squid -# starts blocking. If this many messages are in the queues, -# Squid blocks until it receives some replies. Default is 72 +# Q2 specifies the number of unacknowledged messages when Squid +# starts blocking. If this many messages are in the queues, +# Squid blocks until it receives some replies. Default is 72 +# +# When Q1 < Q2 (the default), the cache directory is optimized +# for lower response time at the expense of a decrease in hit +# ratio. If Q1 > Q2, the cache directory is optimized for +# higher hit ratio at the expense of an increase in response +# time. +# +# +# ==== The rock store type ==== +# +# Usage: +# cache_dir rock Directory-Name Mbytes [options] +# +# The Rock Store type is a database-style storage. All cached +# entries are stored in a "database" file, using fixed-size slots. +# A single entry occupies one or more slots. +# +# If possible, Squid using Rock Store creates a dedicated kid +# process called "disker" to avoid blocking Squid worker(s) on disk +# I/O. One disker kid is created for each rock cache_dir. Diskers +# are created only when Squid, running in daemon mode, has support +# for the IpcIo disk I/O module. +# +# swap-timeout=msec: Squid will not start writing a miss to or +# reading a hit from disk if it estimates that the swap operation +# will take more than the specified number of milliseconds. By +# default and when set to zero, disables the disk I/O time limit +# enforcement. Ignored when using blocking I/O module because +# blocking synchronous I/O does not allow Squid to estimate the +# expected swap wait time. +# +# max-swap-rate=swaps/sec: Artificially limits disk access using +# the specified I/O rate limit. Swap out requests that +# would cause the average I/O rate to exceed the limit are +# delayed. Individual swap in requests (i.e., hits or reads) are +# not delayed, but they do contribute to measured swap rate and +# since they are placed in the same FIFO queue as swap out +# requests, they may wait longer if max-swap-rate is smaller. +# This is necessary on file systems that buffer "too +# many" writes and then start blocking Squid and other processes +# while committing those writes to disk. Usually used together +# with swap-timeout to avoid excessive delays and queue overflows +# when disk demand exceeds available disk "bandwidth". By default +# and when set to zero, disables the disk I/O rate limit +# enforcement. Currently supported by IpcIo module only. +# +# slot-size=bytes: The size of a database "record" used for +# storing cached responses. A cached response occupies at least +# one slot and all database I/O is done using individual slots so +# increasing this parameter leads to more disk space waste while +# decreasing it leads to more disk I/O overheads. Should be a +# multiple of your operating system I/O page size. Defaults to +# 16KBytes. A housekeeping header is stored with each slot and +# smaller slot-sizes will be rejected. The header is smaller than +# 100 bytes. +# +# +# ==== COMMON OPTIONS ==== +# +# no-store no new objects should be stored to this cache_dir. +# +# min-size=n the minimum object size in bytes this cache_dir +# will accept. It's used to restrict a cache_dir +# to only store large objects (e.g. AUFS) while +# other stores are optimized for smaller objects +# (e.g. Rock). +# Defaults to 0. +# +# max-size=n the maximum object size in bytes this cache_dir +# supports. +# The value in maximum_object_size directive sets +# the default unless more specific details are +# available (ie a small store capacity). +# +# Note: To make optimal use of the max-size limits you should order +# the cache_dir lines with the smallest max-size value first. +# +#Default: +# No disk cache. Store cache ojects only in memory. +# + +# Uncomment and adjust the following to add a disk cache directory. +#cache_dir ufs /var/spool/squid 100 16 256 +cache_dir ufs /var/spool/squid 4096 16 1024 + +# TAG: store_dir_select_algorithm +# How Squid selects which cache_dir to use when the response +# object will fit into more than one. +# +# Regardless of which algorithm is used the cache_dir min-size +# and max-size parameters are obeyed. As such they can affect +# the selection algorithm by limiting the set of considered +# cache_dir. +# +# Algorithms: +# +# least-load +# +# This algorithm is suited to caches with similar cache_dir +# sizes and disk speeds. # -# When Q1 < Q2 (the default), the cache directory is optimized -# for lower response time at the expense of a decrease in hit -# ratio. If Q1 > Q2, the cache directory is optimized for -# higher hit ratio at the expense of an increase in response -# time. +# The disk with the least I/O pending is selected. +# When there are multiple disks with the same I/O load ranking +# the cache_dir with most available capacity is selected. # -# The coss store type: +# When a mix of cache_dir sizes are configured the faster disks +# have a naturally lower I/O loading and larger disks have more +# capacity. So space used to store objects and data throughput +# may be very unbalanced towards larger disks. # -# NP: COSS filesystem in Squid-3 has been deemed too unstable for -# production use and has thus been removed from this release. -# We hope that it can be made usable again soon. # -# block-size=n defines the "block size" for COSS cache_dir's. -# Squid uses file numbers as block numbers. Since file numbers -# are limited to 24 bits, the block size determines the maximum -# size of the COSS partition. The default is 512 bytes, which -# leads to a maximum cache_dir size of 512<<24, or 8 GB. Note -# you should not change the coss block size after Squid -# has written some objects to the cache_dir. +# round-robin # -# The coss file store has changed from 2.5. Now it uses a file -# called 'stripe' in the directory names in the config - and -# this will be created by squid -z. +# This algorithm is suited to caches with unequal cache_dir +# disk sizes. # -# Common options: +# Each cache_dir is selected in a rotation. The next suitable +# cache_dir is used. # -# no-store, no new objects should be stored to this cache_dir +# Available cache_dir capacity is only considered in relation +# to whether the object will fit and meets the min-size and +# max-size parameters. # -# max-size=n, refers to the max object size in bytes this cache_dir -# supports. It is used to select the cache_dir to store the object. -# Note: To make optimal use of the max-size limits you should order -# the cache_dir lines with the smallest max-size value first and the -# ones with no max-size specification last. +# Disk I/O loading is only considered to prevent overload on slow +# disks. This algorithm does not spread objects by size, so any +# I/O loading per-disk may appear very unbalanced and volatile. # -# Note for coss, max-size must be less than COSS_MEMBUF_SZ, -# which can be changed with the --with-coss-membuf-size=N configure -# option. +# If several cache_dirs use similar min-size, max-size, or other +# limits to to reject certain responses, then do not group such +# cache_dir lines together, to avoid round-robin selection bias +# towards the first cache_dir after the group. Instead, interleave +# cache_dir lines from different groups. For example: # - -# Uncomment and adjust the following to add a disk cache directory. -#cache_dir ufs /var/spool/squid 100 16 256 -cache_dir ufs /var/spool/squid 4096 16 1024 - -# TAG: store_dir_select_algorithm -# Set this to 'round-robin' as an alternative. +# store_dir_select_algorithm round-robin +# cache_dir rock /hdd1 ... min-size=100000 +# cache_dir rock /ssd1 ... max-size=99999 +# cache_dir rock /hdd2 ... min-size=100000 +# cache_dir rock /ssd2 ... max-size=99999 +# cache_dir rock /hdd3 ... min-size=100000 +# cache_dir rock /ssd3 ... max-size=99999 #Default: # store_dir_select_algorithm least-load @@ -2244,46 +3511,53 @@ cache_dir ufs /var/spool/squid 4096 16 1024 # # A value of 0 indicates no limit. #Default: -# max_open_disk_fds 0 - -# TAG: minimum_object_size (bytes) -# Objects smaller than this size will NOT be saved on disk. The -# value is specified in kilobytes, and the default is 0 KB, which -# means there is no minimum. -#Default: -# minimum_object_size 0 KB - -# TAG: maximum_object_size (bytes) -# Objects larger than this size will NOT be saved on disk. The -# value is specified in kilobytes, and the default is 4MB. If -# you wish to get a high BYTES hit ratio, you should probably -# increase this (one 32 MB object hit counts for 3200 10KB -# hits). If you wish to increase speed more than your want to -# save bandwidth you should leave this low. -# -# NOTE: if using the LFUDA replacement policy you should increase -# this value to maximize the byte hit rate improvement of LFUDA! -# See replacement_policy below for a discussion of this policy. -#Default: -# maximum_object_size 4096 KB -maximum_object_size 153600 KB +# no limit # TAG: cache_swap_low (percent, 0-100) +# The low-water mark for AUFS/UFS/diskd cache object eviction by +# the cache_replacement_policy algorithm. +# +# Removal begins when the swap (disk) usage of a cache_dir is +# above this low-water mark and attempts to maintain utilization +# near the low-water mark. +# +# As swap utilization increases towards the high-water mark set +# by cache_swap_high object eviction becomes more agressive. +# +# The value difference in percentages between low- and high-water +# marks represent an eviction rate of 300 objects per second and +# the rate continues to scale in agressiveness by multiples of +# this above the high-water mark. +# +# Defaults are 90% and 95%. If you have a large cache, 5% could be +# hundreds of MB. If this is the case you may wish to set these +# numbers closer together. +# +# See also cache_swap_high and cache_replacement_policy #Default: # cache_swap_low 90 # TAG: cache_swap_high (percent, 0-100) +# The high-water mark for AUFS/UFS/diskd cache object eviction by +# the cache_replacement_policy algorithm. # -# The low- and high-water marks for cache object replacement. -# Replacement begins when the swap (disk) usage is above the -# low-water mark and attempts to maintain utilization near the -# low-water mark. As swap utilization gets close to high-water -# mark object eviction becomes more aggressive. If utilization is -# close to the low-water mark less replacement is done each time. +# Removal begins when the swap (disk) usage of a cache_dir is +# above the low-water mark set by cache_swap_low and attempts to +# maintain utilization near the low-water mark. +# +# As swap utilization increases towards this high-water mark object +# eviction becomes more agressive. +# +# The value difference in percentages between low- and high-water +# marks represent an eviction rate of 300 objects per second and +# the rate continues to scale in agressiveness by multiples of +# this above the high-water mark. # # Defaults are 90% and 95%. If you have a large cache, 5% could be # hundreds of MB. If this is the case you may wish to set these # numbers closer together. +# +# See also cache_swap_low and cache_replacement_policy #Default: # cache_swap_high 95 @@ -2313,21 +3587,62 @@ maximum_object_size 153600 KB # ' output as-is # # - left aligned -# width field width. If starting with 0 the -# output is zero padded +# +# width minimum and/or maximum field width: +# [width_min][.width_max] +# When minimum starts with 0, the field is zero-padded. +# String values exceeding maximum width are truncated. +# # {arg} argument such as header name etc # # Format codes: # # % a literal % character +# sn Unique sequence number per log line entry +# err_code The ID of an error response served by Squid or +# a similar internal error identifier. +# err_detail Additional err_code-dependent error information. +# note The annotation specified by the argument. Also +# logs the adaptation meta headers set by the +# adaptation_meta configuration parameter. +# If no argument given all annotations logged. +# The argument may include a separator to use with +# annotation values: +# name[:separator] +# By default, multiple note values are separated with "," +# and multiple notes are separated with "\r\n". +# When logging named notes with %{name}note, the +# explicitly configured separator is used between note +# values. When logging all notes with %note, the +# explicitly configured separator is used between +# individual notes. There is currently no way to +# specify both value and notes separators when logging +# all notes with %note. +# +# Connection related format codes: +# # >a Client source IP address # >A Client FQDN # >p Client source port -# eui Client source EUI (MAC address, EUI-48 or EUI-64 identifier) +# >la Local IP address the client connected to +# >lp Local port number the client connected to +# >qos Client connection TOS/DSCP value set by Squid +# >nfmark Client connection netfilter mark set by Squid +# +# la Local listening IP address the client connection was connected to. +# lp Local listening port number the client connection was connected to. +# +# . format. +# Currently, Squid considers the master transaction +# started when a complete HTTP request header initiating +# the transaction is received from the client. This is +# the same value that Squid uses to calculate transaction +# response time when logging %tr to access.log. Currently, +# Squid uses millisecond resolution for %tS values, +# similar to the default access.log "current time" field +# (%ts.%03tu). +# +# Access Control related format codes: +# +# et Tag returned by external acl +# ea Log string returned by external acl +# un User name (any available) +# ul User name from authentication +# ue User name from external acl helper +# ui User name from ident +# un A user name. Expands to the first available name +# from the following list of information sources: +# - authenticated user name, like %ul +# - user name supplied by an external ACL, like %ue +# - SSL client name, like %us +# - ident user name, like %ui +# credentials Client credentials. The exact meaning depends on +# the authentication scheme: For Basic authentication, +# it is the password; for Digest, the realm sent by the +# client; for NTLM and Negotiate, the client challenge +# or client credentials prefixed with "YR " or "KK ". +# +# HTTP related format codes: +# +# REQUEST # -# HTTP cache related format codes: -# -# [http::]>h Original request header. Optional header name argument -# on the format header[:[separator]element] -# [http::]>ha The HTTP request headers after adaptation and redirection. +# [http::]rm Request method (GET/POST etc) +# [http::]>rm Request method from client +# [http::]ru Request URL from client +# [http::]rs Request URL scheme from client +# [http::]rd Request URL domain from client +# [http::]rP Request URL port from client +# [http::]rp Request URL path excluding hostname from client +# [http::]rv Request protocol version from client +# [http::]h Original received request header. +# Usually differs from the request header sent by +# Squid, although most fields are often preserved. +# Accepts optional header field name/value filter +# argument using name[:[separator]element] format. +# [http::]>ha Received request header after adaptation and +# redirection (pre-cache REQMOD vectoring point). +# Usually differs from the request header sent by +# Squid, although most fields are often preserved. # Optional header name argument as for >h +# +# +# RESPONSE +# +# [http::]Hs HTTP status code sent to the client +# # [http::]h -# [http::]un User name -# [http::]ul User name from authentication -# [http::]ui User name from ident -# [http::]us User name from SSL -# [http::]ue User name from external acl helper -# [http::]>Hs HTTP status code sent to the client -# [http::]st Received request size including HTTP headers. In the -# case of chunked requests the chunked encoding metadata -# are not included -# [http::]>sh Received HTTP request headers size -# [http::]st Total size of request received from client. +# Excluding chunked encoding bytes. +# [http::]sh Size of request headers received from client +# [http::]sni SSL client SNI sent to Squid. Available only +# after the peek, stare, or splice SSL bumping +# actions. +# +# If ICAP is enabled, the following code becomes available (as # well as ICAP log codes documented with the icap_log option): # # icap::tt Total ICAP processing time for the HTTP @@ -2386,14 +3793,13 @@ maximum_object_size 153600 KB # ACLs are checked and when ICAP # transaction is in progress. # -# icap::cert_subject The Subject field of the received client +# SSL certificate or a dash ('-') if Squid has +# received an invalid/malformed certificate or +# no certificate at all. Consider encoding the +# logged value because Subject often has spaces. +# +# %ssl::>cert_issuer The Issuer field of the received client +# SSL certificate or a dash ('-') if Squid has +# received an invalid/malformed certificate or +# no certificate at all. Consider encoding the +# logged value because Issuer often has spaces. +# # The default formats available (which do not need re-defining) are: # -#logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %a %Ss/%03>Hs %h] [%a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh +#logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh +#logformat referrer %ts.%03tu %>a %{Referer}>h %ru +#logformat useragent %>a [%tl] "%{User-Agent}>h" +# +# NOTE: When the log_mime_hdrs directive is set to ON. +# The squid, common and combined formats have a safely encoded copy +# of the mime headers appended to each line within a pair of brackets. +# +# NOTE: The common and combined formats are not quite true to the Apache definition. +# The logs from Squid contain an extra status and hierarchy code appended. +# #Default: -# none +# The format definitions squid, common, combined, referrer, useragent are built in. # TAG: access_log -# These files log client request activities. Has a line every HTTP or -# ICP request. The format is: -# access_log [ [acl acl ...]] -# access_log none [acl acl ...]] +# Configures whether and how Squid logs HTTP and ICP transactions. +# If access logging is enabled, a single line is logged for every +# matching HTTP or ICP request. The recommended directive formats are: # -# Will log to the specified file using the specified format (which -# must be defined in a logformat directive) those entries which match -# ALL the acl's specified (which must be defined in acl clauses). +# access_log : [option ...] [acl acl ...] +# access_log none [acl acl ...] # -# If no acl is specified, all requests will be logged to this file. +# The following directive format is accepted but may be deprecated: +# access_log : [ [acl acl ...]] # -# To disable logging of a request use the filepath "none", in which case -# a logformat name should not be specified. +# In most cases, the first ACL name must not contain the '=' character +# and should not be equal to an existing logformat name. You can always +# start with an 'all' ACL to work around those restrictions. +# +# Will log to the specified module:place using the specified format (which +# must be defined in a logformat directive) those entries which match +# ALL the acl's specified (which must be defined in acl clauses). +# If no acl is specified, all requests will be logged to this destination. +# +# ===== Available options for the recommended directive format ===== +# +# logformat=name Names log line format (either built-in or +# defined by a logformat directive). Defaults +# to 'squid'. +# +# buffer-size=64KB Defines approximate buffering limit for log +# records (see buffered_logs). Squid should not +# keep more than the specified size and, hence, +# should flush records before the buffer becomes +# full to avoid overflows under normal +# conditions (the exact flushing algorithm is +# module-dependent though). The on-error option +# controls overflow handling. +# +# on-error=die|drop Defines action on unrecoverable errors. The +# 'drop' action ignores (i.e., does not log) +# affected log records. The default 'die' action +# kills the affected worker. The drop action +# support has not been tested for modules other +# than tcp. +# +# ===== Modules Currently available ===== +# +# none Do not log any requests matching these ACL. +# Do not specify Place or logformat name. +# +# stdio Write each log line to disk immediately at the completion of +# each request. +# Place: the filename and path to be written. +# +# daemon Very similar to stdio. But instead of writing to disk the log +# line is passed to a daemon helper for asychronous handling instead. +# Place: varies depending on the daemon. +# +# log_file_daemon Place: the file name and path to be written. +# +# syslog To log each request via syslog facility. +# Place: The syslog facility and priority level for these entries. +# Place Format: facility.priority # -# To log the request via syslog specify a filepath of "syslog": +# where facility could be any of: +# authpriv, daemon, local0 ... local7 or user. # -# access_log syslog[:facility.priority] [format [acl1 [acl2 ....]]] -# where facility could be any of: -# authpriv, daemon, local0 .. local7 or user. +# And priority could be any of: +# err, warning, notice, info, debug. +# +# udp To send each log line as text data to a UDP receiver. +# Place: The destination host name or IP and port. +# Place Format: //host:port # -# And priority could be any of: -# err, warning, notice, info, debug. +# tcp To send each log line as text data to a TCP receiver. +# Lines may be accumulated before sending (see buffered_logs). +# Place: The destination host name or IP and port. +# Place Format: //host:port # # Default: -# access_log /var/log/squid/access.log squid +# access_log daemon:/var/log/squid/access.log squid #Default: -# access_log /var/log/squid/access.log squid +# access_log daemon:/var/log/squid/access.log squid # TAG: icap_log # ICAP log files record ICAP transaction summaries, one line per @@ -2472,13 +3953,35 @@ maximum_object_size 153600 KB # ICAP transaction log lines will correspond to a single access # log line. # -# ICAP log uses logformat codes that make sense for an ICAP -# transaction. Header-related codes are applied to the HTTP header -# embedded in an ICAP server response, with the following caveats: -# For REQMOD, there is no HTTP response header unless the ICAP -# server performed request satisfaction. For RESPMOD, the HTTP -# request header is the header sent to the ICAP server. For -# OPTIONS, there are no HTTP headers. +# ICAP log supports many access.log logformat %codes. In ICAP context, +# HTTP message-related %codes are applied to the HTTP message embedded +# in an ICAP message. Logformat "%http::>..." codes are used for HTTP +# messages embedded in ICAP requests while "%http::<..." codes are used +# for HTTP messages embedded in ICAP responses. For example: +# +# http::>h To-be-adapted HTTP message headers sent by Squid to +# the ICAP service. For REQMOD transactions, these are +# HTTP request headers. For RESPMOD, these are HTTP +# response headers, but Squid currently cannot log them +# (i.e., %http::>h will expand to "-" for RESPMOD). +# +# http::st Bytes sent to the ICAP server (TCP payload -# only; i.e., what Squid writes to the socket). +# icap::>st The total size of the ICAP request sent to the ICAP +# server (ICAP headers + ICAP body), including chunking +# metadata (if any). # -# icap::a %icap::to/%03icap::Hs %icap::A %icap::to/%03icap::Hs %icap::\n - logfile data +# R\n - rotate file +# T\n - truncate file +# O\n - reopen file +# F\n - flush file +# r\n - set rotate count to +# b\n - 1 = buffer output, 0 = don't buffer output +# +# No responses is expected. #Default: -# none +# logfile_daemon /usr/lib/squid/log_file_daemon -# TAG: log_icap -# This options allows you to control which requests get logged -# to icap.log. See the icap_log directive for ICAP log details. +# TAG: stats_collection allow|deny acl acl... +# This options allows you to control which requests gets accounted +# in performance counters. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow logging for all transactions. # TAG: cache_store_log # Logs the activities of the storage manager. Shows which # objects are ejected from the cache, and which objects are -# saved and for how long. To disable, enter "none" or remove the line. +# saved and for how long. # There are not really utilities to analyze this data, so you can safely -# disable it. -# +# disable it (the default). +# +# Store log uses modular logging outputs. See access_log for the list +# of modules supported. +# # Example: -# cache_store_log /var/log/squid/store.log +# cache_store_log stdio:/var/log/squid/store.log +# cache_store_log daemon:/var/log/squid/store.log #Default: # none @@ -2590,7 +4111,7 @@ maximum_object_size 153600 KB # them). We recommend you do NOT use this option. It is # better to keep these index files in each 'cache_dir' directory. #Default: -# none +# Store the journal inside its cache_dir # TAG: logfile_rotate # Specifies the number of logfile rotations to make when you @@ -2607,34 +4128,19 @@ maximum_object_size 153600 KB # in the habit of using 'squid -k rotate' instead of 'kill -USR1 # '. # -# Note, from Squid-3.1 this option has no effect on the cache.log, -# that log can be rotated separately by using debug_options +# Note, from Squid-3.1 this option is only a default for cache.log, +# that log can be rotated separately by using debug_options. # -# Note2, for Debian/Linux the default of logfile_rotate is -# zero, since it includes external logfile-rotation methods. +# Note2, for Debian/Linux the default of logfile_rotate is +# zero, since it includes external logfile-rotation methods. #Default: # logfile_rotate 0 -# TAG: emulate_httpd_log on|off -# The Cache can emulate the log file format which many 'httpd' -# programs use. To disable/enable this emulation, set -# emulate_httpd_log to 'off' or 'on'. The default -# is to use the native log format since it includes useful -# information Squid-specific log analyzers use. -#Default: -# emulate_httpd_log off - -# TAG: log_ip_on_direct on|off -# Log the destination IP address in the hierarchy log tag when going -# direct. Earlier Squid versions logged the hostname here. If you -# prefer the old way set this to off. -#Default: -# log_ip_on_direct on - # TAG: mime_table -# Pathname to Squid's MIME table. You shouldn't need to change -# this, but the default file contains examples and formatting -# information if you do. +# Path to Squid's icon configuration file. +# +# You shouldn't need to change this, but the default file contains +# examples and formatting information if you do. #Default: # mime_table /usr/share/squid/mime.conf @@ -2647,91 +4153,61 @@ maximum_object_size 153600 KB #Default: # log_mime_hdrs off -# TAG: useragent_log -# Note: This option is only available if Squid is rebuilt with the -# --enable-useragent-log option -# -# Squid will write the User-Agent field from HTTP requests -# to the filename specified here. By default useragent_log -# is disabled. -#Default: -# none - -# TAG: referer_log -# Note: This option is only available if Squid is rebuilt with the -# --enable-referer-log option -# -# Squid will write the Referer field from HTTP requests to the -# filename specified here. By default referer_log is disabled. -# Note that "referer" is actually a misspelling of "referrer" -# however the misspelt version has been accepted into the HTTP RFCs -# and we accept both. -#Default: -# none - # TAG: pid_filename # A filename to write the process-id to. To disable, enter "none". #Default: # pid_filename /var/run/squid.pid -# TAG: log_fqdn on|off -# Turn this on if you wish to log fully qualified domain names -# in the access.log. To do this Squid does a DNS lookup of all -# IP's connecting to it. This can (in some situations) increase -# latency, which makes your cache seem slower for interactive -# browsing. -#Default: -# log_fqdn off - # TAG: client_netmask # A netmask for client addresses in logfiles and cachemgr output. # Change this to protect the privacy of your cache clients. # A netmask of 255.255.255.0 will log all IP's in that range with # the last digit set to '0'. #Default: -# client_netmask no_addr - -# TAG: forward_log -# Note: This option is only available if Squid is rebuilt with the -# -DWIP_FWD_LOG define -# -# Logs the server-side requests. -# -# This is currently work in progress. -#Default: -# none +# Log full client IP address # TAG: strip_query_terms # By default, Squid strips query terms from requested URLs before -# logging. This protects your user's privacy. +# logging. This protects your user's privacy and reduces log size. +# +# When investigating HIT/MISS or other caching behaviour you +# will need to disable this to see the full URL used by Squid. #Default: # strip_query_terms on # TAG: buffered_logs on|off -# cache.log log file is written with stdio functions, and as such -# it can be buffered or unbuffered. By default it will be unbuffered. -# Buffering it can speed up the writing slightly (though you are -# unlikely to need to worry unless you run with tons of debugging -# enabled in which case performance will suffer badly anyway..). +# Whether to write/send access_log records ASAP or accumulate them and +# then write/send them in larger chunks. Buffering may improve +# performance because it decreases the number of I/Os. However, +# buffering increases the delay before log records become available to +# the final recipient (e.g., a disk file or logging daemon) and, +# hence, increases the risk of log records loss. +# +# Note that even when buffered_logs are off, Squid may have to buffer +# records if it cannot write/send them immediately due to pending I/Os +# (e.g., the I/O writing the previous log record) or connectivity loss. +# +# Currently honored by 'daemon' and 'tcp' access_log modules only. #Default: # buffered_logs off # TAG: netdb_filename -# Note: This option is only available if Squid is rebuilt with the -# --enable-icmp option +# Where Squid stores it's netdb journal. +# When enabled this journal preserves netdb state between restarts. # -# A filename where Squid stores it's netdb state between restarts. # To disable, enter "none". #Default: -# netdb_filename /var/log/squid/netdb.state +# netdb_filename stdio:/var/log/squid/netdb.state # OPTIONS FOR TROUBLESHOOTING # ----------------------------------------------------------------------------- # TAG: cache_log -# Cache logging file. This is where general information about -# your cache's behavior goes. You can increase the amount of data -# logged to this file and how often its rotated with "debug_options" +# Squid administrative logging file. +# +# This is where general information about Squid behavior goes. You can +# increase the amount of data logged to this file and how often it is +# rotated with "debug_options" #Default: # cache_log /var/log/squid/cache.log @@ -2742,14 +4218,14 @@ maximum_object_size 153600 KB # log file, so be careful. # # The magic word "ALL" sets debugging levels for all sections. -# We recommend normally running with "ALL,1". +# The default is to run with "ALL,1" to record important warnings. # # The rotate=N option can be used to keep more or less of these logs # than would otherwise be kept by logfile_rotate. # For most uses a single log should be enough to monitor current # events affecting Squid. #Default: -# debug_options ALL,1 +# Log all critical and important messages. # TAG: coredump_dir # By default Squid leaves core files in the directory from where @@ -2758,7 +4234,7 @@ maximum_object_size 153600 KB # and coredump files will be left there. # #Default: -# coredump_dir none +# Use the directory from where Squid was started. # # Leave coredumps in the first cache dir @@ -2769,24 +4245,17 @@ coredump_dir /var/spool/squid # TAG: ftp_user # If you want the anonymous login password to be more informative -# (and enable the use of picky ftp servers), set this to something +# (and enable the use of picky FTP servers), set this to something # reasonable for your domain, like wwwuser@somewhere.net # # The reason why this is domainless by default is the # request can be made on the behalf of a user in any domain, # depending on how the cache is used. -# Some ftp server also validate the email address is valid +# Some FTP server also validate the email address is valid # (for example perl.com). #Default: # ftp_user Squid@ -# TAG: ftp_list_width -# Sets the width of ftp listings. This should be set to fit in -# the width of a standard browser. Setting this too small -# can cut off long filenames when browsing ftp sites. -#Default: -# ftp_list_width 32 - # TAG: ftp_passive # If your firewall does not allow Squid to use passive # connections, turn off this option. @@ -2822,13 +4291,21 @@ coredump_dir /var/spool/squid # and therefore, translation of the data portion of the segments # will never be needed. # -# Turning this OFF will prevent EPSV being attempted. -# WARNING: Doing so will convert Squid back to the old behavior with all -# the related problems with external NAT devices/layers. +# EPSV is often required to interoperate with FTP servers on IPv6 +# networks. On the other hand, it may break some IPv4 servers. +# +# By default, EPSV may try EPSV with any FTP server. To fine tune +# that decision, you may restrict EPSV to certain clients or servers +# using ACLs: # +# ftp_epsv allow|deny al1 acl2 ... +# +# WARNING: Disabling EPSV may cause problems with external NAT and IPv6. +# +# Only fast ACLs are supported. # Requires ftp_passive to be ON (default) for any effect. #Default: -# ftp_epsv on +# none # TAG: ftp_eprt # FTP Protocol extensions permit the use of a special "EPRT" command. @@ -2889,22 +4366,16 @@ coredump_dir /var/spool/squid # unlinkd_program /usr/lib/squid/unlinkd # TAG: pinger_program -# Note: This option is only available if Squid is rebuilt with the -# --enable-icmp option -# # Specify the location of the executable for the pinger process. #Default: # pinger_program /usr/lib/squid/pinger # TAG: pinger_enable -# Note: This option is only available if Squid is rebuilt with the -# --enable-icmp option -# # Control whether the pinger is active at run-time. # Enables turning ICMP pinger on and off with a simple # squid -k reconfigure. #Default: -# pinger_enable off +# pinger_enable on # OPTIONS FOR URL REWRITING # ----------------------------------------------------------------------------- @@ -2915,68 +4386,137 @@ coredump_dir /var/spool/squid # # For each requested URL, the rewriter will receive on line with the format # -# URL client_ip "/" fqdn user method [ kvpairs] +# [channel-ID ] URL [ extras] +# +# See url_rewrite_extras on how to send "extras" with optional values to +# the helper. +# After processing the request the helper must reply using the following format: +# +# [channel-ID ] result [ kv-pairs] +# +# The result code can be: +# +# OK status=30N url="..." +# Redirect the URL to the one supplied in 'url='. +# 'status=' is optional and contains the status code to send +# the client in Squids HTTP response. It must be one of the +# HTTP redirect status codes: 301, 302, 303, 307, 308. +# When no status is given Squid will use 302. +# +# OK rewrite-url="..." +# Rewrite the URL to the one supplied in 'rewrite-url='. +# The new URL is fetched directly by Squid and returned to +# the client as the response to its request. # -# In the future, the rewriter interface will be extended with -# key=value pairs ("kvpairs" shown above). Rewriter programs -# should be prepared to receive and possibly ignore additional -# whitespace-separated tokens on each input line. +# OK +# When neither of url= and rewrite-url= are sent Squid does +# not change the URL. # -# And the rewriter may return a rewritten URL. The other components of -# the request line does not need to be returned (ignored if they are). +# ERR +# Do not change the URL. # -# The rewriter can also indicate that a client-side redirect should -# be performed to the new URL. This is done by prefixing the returned -# URL with "301:" (moved permanently) or 302: (moved temporarily), etc. +# BH +# An internal error occurred in the helper, preventing +# a result being identified. The 'message=' key name is +# reserved for delivering a log message. +# +# +# In addition to the above kv-pairs Squid also understands the following +# optional kv-pairs received from URL rewriters: +# clt_conn_tag=TAG +# Associates a TAG with the client TCP connection. +# The TAG is treated as a regular annotation but persists across +# future requests on the client connection rather than just the +# current request. A helper may update the TAG during subsequent +# requests be returning a new kv-pair. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# WARNING: URL re-writing ability should be avoided whenever possible. +# Use the URL redirect form of response instead. +# +# Re-write creates a difference in the state held by the client +# and server. Possibly causing confusion when the server response +# contains snippets of its view state. Embeded URLs, response +# and content Location headers, etc. are not re-written by this +# interface. # # By default, a URL rewriter is not used. #Default: # none # TAG: url_rewrite_children -# The number of redirector processes to spawn. If you start -# too few Squid will have to wait for them to process a backlog of -# URLs, slowing it down. If you start too many they will use RAM -# and other system resources. -#Default: -# url_rewrite_children 5 - -# TAG: url_rewrite_concurrency +# The maximum number of redirector processes to spawn. If you limit +# it too few Squid will have to wait for them to process a backlog of +# URLs, slowing it down. If you allow too many they will use RAM +# and other system resources noticably. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup= +# +# Sets a minimum of how many processes are to be spawned when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few will cause an initial slowdown in traffic as Squid +# attempts to simultaneously spawn enough processes to cope. +# +# idle= +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# # The number of requests each redirector helper can handle in # parallel. Defaults to 0 which indicates the redirector # is a old-style single threaded redirector. # # When this directive is set to a value >= 1 then the protocol # used to communicate with the helper is modified to include -# a request ID in front of the request/response. The request -# ID from the request must be echoed back with the response -# to that request. +# an ID in front of the request/response. The ID from the request +# must be echoed back with the response to that request. #Default: -# url_rewrite_concurrency 0 +# url_rewrite_children 20 startup=0 idle=1 concurrency=0 # TAG: url_rewrite_host_header -# By default Squid rewrites any Host: header in redirected -# requests. If you are running an accelerator this may -# not be a wanted effect of a redirector. -# +# To preserve same-origin security policies in browsers and +# prevent Host: header forgery by redirectors Squid rewrites +# any Host: header in redirected requests. +# +# If you are running an accelerator this may not be a wanted +# effect of a redirector. This directive enables you disable +# Host: alteration in reverse-proxy traffic. +# # WARNING: Entries are cached on the result of the URL rewriting # process, so be careful if you have domain-virtual hosts. +# +# WARNING: Squid and other software verifies the URL and Host +# are matching, so be careful not to relay through other proxies +# or inspecting firewalls with this disabled. #Default: # url_rewrite_host_header on # TAG: url_rewrite_access # If defined, this access list specifies which requests are -# sent to the redirector processes. By default all requests -# are sent. +# sent to the redirector processes. # # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: url_rewrite_bypass # When this is 'on', a request will not go through the -# redirector if all redirectors are busy. If this is 'off' +# redirector if all the helpers are busy. If this is 'off' # and the redirector queue grows too large, Squid will exit # with a FATAL error and ask you to increase the number of # redirectors. You should only enable this if the redirectors @@ -2987,23 +4527,231 @@ coredump_dir /var/spool/squid #Default: # url_rewrite_bypass off -# OPTIONS FOR TUNING THE CACHE +# TAG: url_rewrite_extras +# Specifies a string to be append to request line format for the +# rewriter helper. "Quoted" format values may contain spaces and +# logformat %macros. In theory, any logformat %macro can be used. +# In practice, a %macro expands as a dash (-) if the helper request is +# sent before the required macro information is available to Squid. +#Default: +# url_rewrite_extras "%>a/%>A %un %>rm myip=%la myport=%lp" + +# OPTIONS FOR STORE ID # ----------------------------------------------------------------------------- -# TAG: cache -# A list of ACL elements which, if matched and denied, cause the request to -# not be satisfied from the cache and the reply to not be cached. -# In other words, use this to force certain objects to never be cached. +# TAG: store_id_program +# Specify the location of the executable StoreID helper to use. +# Since they can perform almost any function there isn't one included. # -# You must use the words 'allow' or 'deny' to indicate whether items -# matching the ACL should be allowed or denied into the cache. +# For each requested URL, the helper will receive one line with the format # -# Default is to allow all to be cached. +# [channel-ID ] URL [ extras] +# +# +# After processing the request the helper must reply using the following format: +# +# [channel-ID ] result [ kv-pairs] +# +# The result code can be: +# +# OK store-id="..." +# Use the StoreID supplied in 'store-id='. +# +# ERR +# The default is to use HTTP request URL as the store ID. +# +# BH +# An internal error occured in the helper, preventing +# a result being identified. +# +# In addition to the above kv-pairs Squid also understands the following +# optional kv-pairs received from URL rewriters: +# clt_conn_tag=TAG +# Associates a TAG with the client TCP connection. +# Please see url_rewrite_program related documentation for this +# kv-pair +# +# Helper programs should be prepared to receive and possibly ignore +# additional whitespace-separated tokens on each input line. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# NOTE: when using StoreID refresh_pattern will apply to the StoreID +# returned from the helper and not the URL. +# +# WARNING: Wrong StoreID value returned by a careless helper may result +# in the wrong cached response returned to the user. +# +# By default, a StoreID helper is not used. +#Default: +# none + +# TAG: store_id_extras +# Specifies a string to be append to request line format for the +# StoreId helper. "Quoted" format values may contain spaces and +# logformat %macros. In theory, any logformat %macro can be used. +# In practice, a %macro expands as a dash (-) if the helper request is +# sent before the required macro information is available to Squid. +#Default: +# store_id_extras "%>a/%>A %un %>rm myip=%la myport=%lp" + +# TAG: store_id_children +# The maximum number of StoreID helper processes to spawn. If you limit +# it too few Squid will have to wait for them to process a backlog of +# requests, slowing it down. If you allow too many they will use RAM +# and other system resources noticably. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup= +# +# Sets a minimum of how many processes are to be spawned when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few will cause an initial slowdown in traffic as Squid +# attempts to simultaneously spawn enough processes to cope. +# +# idle= +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# +# The number of requests each storeID helper can handle in +# parallel. Defaults to 0 which indicates the helper +# is a old-style single threaded program. +# +# When this directive is set to a value >= 1 then the protocol +# used to communicate with the helper is modified to include +# an ID in front of the request/response. The ID from the request +# must be echoed back with the response to that request. +#Default: +# store_id_children 20 startup=0 idle=1 concurrency=0 + +# TAG: store_id_access +# If defined, this access list specifies which requests are +# sent to the StoreID processes. By default all requests +# are sent. # # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow, unless rules exist in squid.conf. + +# TAG: store_id_bypass +# When this is 'on', a request will not go through the +# helper if all helpers are busy. If this is 'off' +# and the helper queue grows too large, Squid will exit +# with a FATAL error and ask you to increase the number of +# helpers. You should only enable this if the helperss +# are not critical to your caching system. If you use +# helpers for critical caching components, and you enable this +# option, users may not get objects from cache. +#Default: +# store_id_bypass on + +# OPTIONS FOR TUNING THE CACHE +# ----------------------------------------------------------------------------- + +# TAG: cache +# Requests denied by this directive will not be served from the cache +# and their responses will not be stored in the cache. This directive +# has no effect on other transactions and on already cached responses. +# +# This clause supports both fast and slow acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# This and the two other similar caching directives listed below are +# checked at different transaction processing stages, have different +# access to response information, affect different cache operations, +# and differ in slow ACLs support: +# +# * cache: Checked before Squid makes a hit/miss determination. +# No access to reply information! +# Denies both serving a hit and storing a miss. +# Supports both fast and slow ACLs. +# * send_hit: Checked after a hit was detected. +# Has access to reply (hit) information. +# Denies serving a hit only. +# Supports fast ACLs only. +# * store_miss: Checked before storing a cachable miss. +# Has access to reply (miss) information. +# Denies storing a miss only. +# Supports fast ACLs only. +# +# If you are not sure which of the three directives to use, apply the +# following decision logic: +# +# * If your ACL(s) are of slow type _and_ need response info, redesign. +# Squid does not support that particular combination at this time. +# Otherwise: +# * If your directive ACL(s) are of slow type, use "cache"; and/or +# * if your directive ACL(s) need no response info, use "cache". +# Otherwise: +# * If you do not want the response cached, use store_miss; and/or +# * if you do not want a hit on a cached response, use send_hit. +#Default: +# By default, this directive is unused and has no effect. + +# TAG: send_hit +# Responses denied by this directive will not be served from the cache +# (but may still be cached, see store_miss). This directive has no +# effect on the responses it allows and on the cached objects. +# +# Please see the "cache" directive for a summary of differences among +# store_miss, send_hit, and cache directives. +# +# Unlike the "cache" directive, send_hit only supports fast acl +# types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# For example: +# +# # apply custom Store ID mapping to some URLs +# acl MapMe dstdomain .c.example.com +# store_id_program ... +# store_id_access allow MapMe +# +# # but prevent caching of special responses +# # such as 302 redirects that cause StoreID loops +# acl Ordinary http_status 200-299 +# store_miss deny MapMe !Ordinary +# +# # and do not serve any previously stored special responses +# # from the cache (in case they were already cached before +# # the above store_miss rule was in effect). +# send_hit deny MapMe !Ordinary +#Default: +# By default, this directive is unused and has no effect. + +# TAG: store_miss +# Responses denied by this directive will not be cached (but may still +# be served from the cache, see send_hit). This directive has no +# effect on the responses it allows and on the already cached responses. +# +# Please see the "cache" directive for a summary of differences among +# store_miss, send_hit, and cache directives. See the +# send_hit directive for a usage example. +# +# Unlike the "cache" directive, store_miss only supports fast acl +# types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# By default, this directive is unused and has no effect. + +# TAG: max_stale time-units +# This option puts an upper limit on how stale content Squid +# will serve from the cache if cache validation fails. +# Can be overriden by the refresh_pattern max-stale option. +#Default: +# max_stale 1 week # TAG: refresh_pattern # usage: refresh_pattern [-i] regex min percent max [options] @@ -3028,12 +4776,13 @@ coredump_dir /var/spool/squid # override-lastmod # reload-into-ims # ignore-reload -# ignore-no-cache # ignore-no-store # ignore-must-revalidate # ignore-private # ignore-auth +# max-stale=NN # refresh-ims +# store-stale # # override-expire enforces min age even if the server # sent an explicit expiry time (e.g., with the @@ -3049,22 +4798,18 @@ coredump_dir /var/spool/squid # override-lastmod enforces min age even on objects # that were modified recently. # -# reload-into-ims changes client no-cache or ``reload'' -# to If-Modified-Since requests. Doing this VIOLATES the -# HTTP standard. Enabling this feature could make you -# liable for problems which it causes. +# reload-into-ims changes a client no-cache or ``reload'' +# request for a cached entry into a conditional request using +# If-Modified-Since and/or If-None-Match headers, provided the +# cached entry has a Last-Modified and/or a strong ETag header. +# Doing this VIOLATES the HTTP standard. Enabling this feature +# could make you liable for problems which it causes. # # ignore-reload ignores a client no-cache or ``reload'' # header. Doing this VIOLATES the HTTP standard. Enabling # this feature could make you liable for problems which # it causes. # -# ignore-no-cache ignores any ``Pragma: no-cache'' and -# ``Cache-control: no-cache'' headers received from a server. -# The HTTP RFC never allows the use of this (Pragma) header -# from a server, only a client, though plenty of servers -# send it anyway. -# # ignore-no-store ignores any ``Cache-control: no-store'' # headers received from a server. Doing this VIOLATES # the HTTP standard. Enabling this feature could make you @@ -3091,9 +4836,19 @@ coredump_dir /var/spool/squid # ensures that the client will receive an updated version # if one is available. # +# store-stale stores responses even if they don't have explicit +# freshness or a validator (i.e., Last-Modified or an ETag) +# present, or if they're already stale. By default, Squid will +# not cache such responses because they usually can't be +# reused. Note that such responses will be stale by default. +# +# max-stale=NN provide a maximum staleness factor. Squid won't +# serve objects more stale than this even if it failed to +# validate the object. Default: use the max_stale global limit. +# # Basically a cached object is: # -# FRESH if expires < now, else STALE +# FRESH if expire > now, else STALE # STALE if age > max # FRESH if lm-factor < percent, else STALE # FRESH if age < min @@ -3109,7 +4864,9 @@ coredump_dir /var/spool/squid # # +# # Add any of your own refresh_pattern entries above these. +# refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 @@ -3137,7 +4894,7 @@ refresh_pattern . 0 20% 4320 # downloads. # # When the user aborts a request, Squid will check the -# quick_abort values to the amount of data transfered until +# quick_abort values to the amount of data transferred until # then. # # If the transfer has less than 'quick_abort_min' KB remaining, @@ -3195,44 +4952,68 @@ refresh_pattern . 0 20% 4320 #Default: # negative_dns_ttl 1 minutes -# TAG: range_offset_limit (bytes) -# Sets a upper limit on how far into the the file a Range request -# may be to cause Squid to prefetch the whole file. If beyond this -# limit Squid forwards the Range request as it is and the result -# is NOT cached. -# +# TAG: range_offset_limit size [acl acl...] +# usage: (size) [units] [[!]aclname] +# +# Sets an upper limit on how far (number of bytes) into the file +# a Range request may be to cause Squid to prefetch the whole file. +# If beyond this limit, Squid forwards the Range request as it is and +# the result is NOT cached. +# # This is to stop a far ahead range request (lets say start at 17MB) # from making Squid fetch the whole object up to that point before # sending anything to the client. -# -# A value of 0 causes Squid to never fetch more than the +# +# Multiple range_offset_limit lines may be specified, and they will +# be searched from top to bottom on each request until a match is found. +# The first match found will be used. If no line matches a request, the +# default limit of 0 bytes will be used. +# +# 'size' is the limit specified as a number of units. +# +# 'units' specifies whether to use bytes, KB, MB, etc. +# If no units are specified bytes are assumed. +# +# A size of 0 causes Squid to never fetch more than the # client requested. (default) -# -# A value of -1 causes Squid to always fetch the object from the +# +# A size of 'none' causes Squid to always fetch the object from the # beginning so it may cache the result. (2.0 style) -# -# NP: Using -1 here will override any quick_abort settings that may -# otherwise apply to the range request. The range request will +# +# 'aclname' is the name of a defined ACL. +# +# NP: Using 'none' as the byte value here will override any quick_abort settings +# that may otherwise apply to the range request. The range request will # be fully fetched from start to finish regardless of the client # actions. This affects bandwidth usage. #Default: -# range_offset_limit 0 KB +# none # TAG: minimum_expiry_time (seconds) # The minimum caching time according to (Expires - Date) -# Headers Squid honors if the object can't be revalidated -# defaults to 60 seconds. In reverse proxy environments it -# might be desirable to honor shorter object lifetimes. It -# is most likely better to make your server return a -# meaningful Last-Modified header however. In ESI environments -# where page fragments often have short lifetimes, this will -# often be best set to 0. +# headers Squid honors if the object can't be revalidated. +# The default is 60 seconds. +# +# In reverse proxy environments it might be desirable to honor +# shorter object lifetimes. It is most likely better to make +# your server return a meaningful Last-Modified header however. +# +# In ESI environments where page fragments often have short +# lifetimes, this will often be best set to 0. #Default: # minimum_expiry_time 60 seconds -# TAG: store_avg_object_size (kbytes) +# TAG: store_avg_object_size (bytes) # Average object size, used to estimate number of objects your # cache can hold. The default is 13 KB. +# +# This is used to pre-seed the cache index memory allocation to +# reduce expensive reallocate operations while handling clients +# traffic. Too-large values may result in memory allocation during +# peak traffic, too-small values will result in wasted memory. +# +# Check the cache manager 'info' report metrics for the real +# object sizes seen by your Squid before tuning this. #Default: # store_avg_object_size 13 KB @@ -3271,8 +5052,11 @@ refresh_pattern . 0 20% 4320 # than this limit receives an "Invalid Request" error message. # If you set this parameter to a zero (the default), there will # be no limit imposed. +# +# See also client_request_buffer_max_size for an alternative +# limitation on client uploads which can be configured. #Default: -# request_body_max_size 0 KB +# No limit. # TAG: client_request_buffer_max_size (bytes) # This specifies the maximum buffer size of a client request. @@ -3281,29 +5065,6 @@ refresh_pattern . 0 20% 4320 #Default: # client_request_buffer_max_size 512 KB -# TAG: chunked_request_body_max_size (bytes) -# A broken or confused HTTP/1.1 client may send a chunked HTTP -# request to Squid. Squid does not have full support for that -# feature yet. To cope with such requests, Squid buffers the -# entire request and then dechunks request body to create a -# plain HTTP/1.0 request with a known content length. The plain -# request is then used by the rest of Squid code as usual. -# -# The option value specifies the maximum size of the buffer used -# to hold the request before the conversion. If the chunked -# request size exceeds the specified limit, the conversion -# fails, and the client receives an "unsupported request" error, -# as if dechunking was disabled. -# -# Dechunking is enabled by default. To disable conversion of -# chunked requests, set the maximum to zero. -# -# Request dechunking feature and this option in particular are a -# temporary hack. When chunking requests and responses are fully -# supported, there will be no need to buffer a chunked request. -#Default: -# chunked_request_body_max_size 64 KB - # TAG: broken_posts # A list of ACL elements which, if matched, causes Squid to send # an extra CRLF pair after the body of a PUT/POST request. @@ -3325,15 +5086,15 @@ refresh_pattern . 0 20% 4320 # acl buggy_server url_regex ^http://.... # broken_posts allow buggy_server #Default: -# none +# Obey RFC 2616. -# TAG: icap_uses_indirect_client on|off +# TAG: adaptation_uses_indirect_client on|off # Controls whether the indirect client IP address (instead of the direct # client IP address) is passed to adaptation services. # # See also: follow_x_forwarded_for adaptation_send_client_ip #Default: -# icap_uses_indirect_client on +# adaptation_uses_indirect_client on # TAG: via on|off # If set (default), Squid will include a Via header in requests and @@ -3395,64 +5156,62 @@ refresh_pattern . 0 20% 4320 # # This option replaces the old 'anonymize_headers' and the # older 'http_anonymizer' option with something that is much -# more configurable. This new method creates a list of ACLs -# for each header, allowing you very fine-tuned header -# mangling. -# -# This option only applies to request headers, i.e., from the -# client to the server. -# -# You can only specify known headers for the header name. -# Other headers are reclassified as 'Other'. You can also -# refer to all the headers with 'All'. +# more configurable. A list of ACLs for each header name allows +# removal of specific header fields under specific conditions. +# +# This option only applies to outgoing HTTP request headers (i.e., +# headers sent by Squid to the next HTTP hop such as a cache peer +# or an origin server). The option has no effect during cache hit +# detection. The equivalent adaptation vectoring point in ICAP +# terminology is post-cache REQMOD. +# +# The option is applied to individual outgoing request header +# fields. For each request header field F, Squid uses the first +# qualifying sets of request_header_access rules: +# +# 1. Rules with header_name equal to F's name. +# 2. Rules with header_name 'Other', provided F's name is not +# on the hard-coded list of commonly used HTTP header names. +# 3. Rules with header_name 'All'. +# +# Within that qualifying rule set, rule ACLs are checked as usual. +# If ACLs of an "allow" rule match, the header field is allowed to +# go through as is. If ACLs of a "deny" rule match, the header is +# removed and request_header_replace is then checked to identify +# if the removed header has a replacement. If no rules within the +# set have matching ACLs, the header field is left as is. # # For example, to achieve the same behavior as the old # 'http_anonymizer standard' option, you should use: # # request_header_access From deny all # request_header_access Referer deny all -# request_header_access Server deny all # request_header_access User-Agent deny all -# request_header_access WWW-Authenticate deny all -# request_header_access Link deny all # # Or, to reproduce the old 'http_anonymizer paranoid' feature # you should use: # -# request_header_access Allow allow all # request_header_access Authorization allow all -# request_header_access WWW-Authenticate allow all # request_header_access Proxy-Authorization allow all -# request_header_access Proxy-Authenticate allow all # request_header_access Cache-Control allow all -# request_header_access Content-Encoding allow all # request_header_access Content-Length allow all # request_header_access Content-Type allow all # request_header_access Date allow all -# request_header_access Expires allow all # request_header_access Host allow all # request_header_access If-Modified-Since allow all -# request_header_access Last-Modified allow all -# request_header_access Location allow all # request_header_access Pragma allow all # request_header_access Accept allow all # request_header_access Accept-Charset allow all # request_header_access Accept-Encoding allow all # request_header_access Accept-Language allow all -# request_header_access Content-Language allow all -# request_header_access Mime-Version allow all -# request_header_access Retry-After allow all -# request_header_access Title allow all # request_header_access Connection allow all # request_header_access All deny all # -# although many of those are HTTP reply headers, and so should be -# controlled with the reply_header_access directive. +# HTTP reply headers are controlled with the reply_header_access directive. # -# By default, all headers are allowed (no anonymizing is -# performed). +# By default, all headers are allowed (no anonymizing is performed). #Default: -# none +# No limits. # TAG: reply_header_access # Usage: reply_header_access header_name allow|deny [!]aclname ... @@ -3465,25 +5224,13 @@ refresh_pattern . 0 20% 4320 # server to the client. # # This is the same as request_header_access, but in the other -# direction. -# -# This option replaces the old 'anonymize_headers' and the -# older 'http_anonymizer' option with something that is much -# more configurable. This new method creates a list of ACLs -# for each header, allowing you very fine-tuned header -# mangling. -# -# You can only specify known headers for the header name. -# Other headers are reclassified as 'Other'. You can also -# refer to all the headers with 'All'. +# direction. Please see request_header_access for detailed +# documentation. # # For example, to achieve the same behavior as the old # 'http_anonymizer standard' option, you should use: # -# reply_header_access From deny all -# reply_header_access Referer deny all # reply_header_access Server deny all -# reply_header_access User-Agent deny all # reply_header_access WWW-Authenticate deny all # reply_header_access Link deny all # @@ -3491,9 +5238,7 @@ refresh_pattern . 0 20% 4320 # you should use: # # reply_header_access Allow allow all -# reply_header_access Authorization allow all # reply_header_access WWW-Authenticate allow all -# reply_header_access Proxy-Authorization allow all # reply_header_access Proxy-Authenticate allow all # reply_header_access Cache-Control allow all # reply_header_access Content-Encoding allow all @@ -3501,29 +5246,22 @@ refresh_pattern . 0 20% 4320 # reply_header_access Content-Type allow all # reply_header_access Date allow all # reply_header_access Expires allow all -# reply_header_access Host allow all -# reply_header_access If-Modified-Since allow all # reply_header_access Last-Modified allow all # reply_header_access Location allow all # reply_header_access Pragma allow all -# reply_header_access Accept allow all -# reply_header_access Accept-Charset allow all -# reply_header_access Accept-Encoding allow all -# reply_header_access Accept-Language allow all # reply_header_access Content-Language allow all -# reply_header_access Mime-Version allow all # reply_header_access Retry-After allow all # reply_header_access Title allow all +# reply_header_access Content-Disposition allow all # reply_header_access Connection allow all # reply_header_access All deny all # -# although the HTTP request headers won't be usefully controlled -# by this directive -- see request_header_access for details. +# HTTP request headers are controlled with the request_header_access directive. # # By default, all headers are allowed (no anonymizing is # performed). #Default: -# none +# No limits. # TAG: request_header_replace # Usage: request_header_replace header_name message @@ -3531,8 +5269,7 @@ refresh_pattern . 0 20% 4320 # # This option allows you to change the contents of headers # denied with request_header_access above, by replacing them -# with some fixed string. This replaces the old fake_user_agent -# option. +# with some fixed string. # # This only applies to request headers, not reply headers. # @@ -3554,6 +5291,57 @@ refresh_pattern . 0 20% 4320 #Default: # none +# TAG: request_header_add +# Usage: request_header_add field-name field-value acl1 [acl2] ... +# Example: request_header_add X-Client-CA "CA=%ssl::>cert_issuer" all +# +# This option adds header fields to outgoing HTTP requests (i.e., +# request headers sent by Squid to the next HTTP hop such as a +# cache peer or an origin server). The option has no effect during +# cache hit detection. The equivalent adaptation vectoring point +# in ICAP terminology is post-cache REQMOD. +# +# Field-name is a token specifying an HTTP header name. If a +# standard HTTP header name is used, Squid does not check whether +# the new header conflicts with any existing headers or violates +# HTTP rules. If the request to be modified already contains a +# field with the same name, the old field is preserved but the +# header field values are not merged. +# +# Field-value is either a token or a quoted string. If quoted +# string format is used, then the surrounding quotes are removed +# while escape sequences and %macros are processed. +# +# In theory, all of the logformat codes can be used as %macros. +# However, unlike logging (which happens at the very end of +# transaction lifetime), the transaction may not yet have enough +# information to expand a macro when the new header value is needed. +# And some information may already be available to Squid but not yet +# committed where the macro expansion code can access it (report +# such instances!). The macro will be expanded into a single dash +# ('-') in such cases. Not all macros have been tested. +# +# One or more Squid ACLs may be specified to restrict header +# injection to matching requests. As always in squid.conf, all +# ACLs in an option ACL list must be satisfied for the insertion +# to happen. The request_header_add option supports fast ACLs +# only. +#Default: +# none + +# TAG: note +# This option used to log custom information about the master +# transaction. For example, an admin may configure Squid to log +# which "user group" the transaction belongs to, where "user group" +# will be determined based on a set of ACLs and not [just] +# authentication information. +# Values of key/value pairs can be logged using %{key}note macros: +# +# note key value acl ... +# logformat myFormat ... %{key}note ... +#Default: +# none + # TAG: relaxed_header_parser on|off|warn # In the default "on" setting Squid accepts certain forms # of non-compliant HTTP messages where it is unambiguous @@ -3569,15 +5357,32 @@ refresh_pattern . 0 20% 4320 #Default: # relaxed_header_parser on -# TAG: ignore_expect_100 on|off -# This option makes Squid ignore any Expect: 100-continue header present -# in the request. RFC 2616 requires that Squid being unable to satisfy -# the response expectation MUST return a 417 error. -# -# Note: Enabling this is a HTTP protocol violation, but some clients may -# not handle it well.. -#Default: -# ignore_expect_100 off +# TAG: collapsed_forwarding (on|off) +# When enabled, instead of forwarding each concurrent request for +# the same URL, Squid just sends the first of them. The other, so +# called "collapsed" requests, wait for the response to the first +# request and, if it happens to be cachable, use that response. +# Here, "concurrent requests" means "received after the first +# request headers were parsed and before the corresponding response +# headers were parsed". +# +# This feature is disabled by default: enabling collapsed +# forwarding needlessly delays forwarding requests that look +# cachable (when they are collapsed) but then need to be forwarded +# individually anyway because they end up being for uncachable +# content. However, in some cases, such as acceleration of highly +# cachable content with periodic or grouped expiration times, the +# gains from collapsing [large volumes of simultaneous refresh +# requests] outweigh losses from such delays. +# +# Squid collapses two kinds of requests: regular client requests +# received on one of the listening ports and internal "cache +# revalidation" requests which are triggered by those regular +# requests hitting a stale cached object. Revalidation collapsing +# is currently disabled for Squid instances containing SMP-aware +# disk or memory caches and for Vary-controlled cached objects. +#Default: +# collapsed_forwarding off # TIMEOUTS # ----------------------------------------------------------------------------- @@ -3604,25 +5409,46 @@ refresh_pattern . 0 20% 4320 # peer_connect_timeout 30 seconds # TAG: read_timeout time-units -# The read_timeout is applied on server-side connections. After -# each successful read(), the timeout will be extended by this +# Applied on peer server connections. +# +# After each successful read(), the timeout will be extended by this # amount. If no data is read again after this amount of time, -# the request is aborted and logged with ERR_READ_TIMEOUT. The -# default is 15 minutes. +# the request is aborted and logged with ERR_READ_TIMEOUT. +# +# The default is 15 minutes. #Default: # read_timeout 15 minutes +# TAG: write_timeout time-units +# This timeout is tracked for all connections that have data +# available for writing and are waiting for the socket to become +# ready. After each successful write, the timeout is extended by +# the configured amount. If Squid has data to write but the +# connection is not ready for the configured duration, the +# transaction associated with the connection is terminated. The +# default is 15 minutes. +#Default: +# write_timeout 15 minutes + # TAG: request_timeout # How long to wait for complete HTTP request headers after initial # connection establishment. #Default: # request_timeout 5 minutes -# TAG: persistent_request_timeout +# TAG: client_idle_pconn_timeout # How long to wait for the next HTTP request on a persistent -# connection after the previous request completes. +# client connection after the previous request completes. +#Default: +# client_idle_pconn_timeout 2 minutes + +# TAG: ftp_client_idle_timeout +# How long to wait for an FTP request on a connection to Squid ftp_port. +# Many FTP clients do not deal with idle connection closures well, +# necessitating a longer default timeout than client_idle_pconn_timeout +# used for incoming HTTP requests. #Default: -# persistent_request_timeout 2 minutes +# ftp_client_idle_timeout 30 minutes # TAG: client_lifetime time-units # The maximum amount of time a client (browser) is allowed to @@ -3658,11 +5484,11 @@ refresh_pattern . 0 20% 4320 #Default: # half_closed_clients off -# TAG: pconn_timeout +# TAG: server_idle_pconn_timeout # Timeout for idle persistent connections to servers and other # proxies. #Default: -# pconn_timeout 1 minute +# server_idle_pconn_timeout 1 minute # TAG: ident_timeout # Maximum time to wait for IDENT lookups to complete. @@ -3687,15 +5513,15 @@ refresh_pattern . 0 20% 4320 # TAG: cache_mgr # Email-address of local cache manager who will receive -# mail if the cache dies. The default is "webmaster." +# mail if the cache dies. The default is "webmaster". #Default: # cache_mgr webmaster # TAG: mail_from # From: email-address for mail sent when the cache dies. -# The default is to use 'appname@unique_hostname'. -# Default appname value is "squid", can be changed into -# src/globals.h before building squid. +# The default is to use 'squid@unique_hostname'. +# +# See also: unique_hostname directive. #Default: # none @@ -3734,7 +5560,7 @@ refresh_pattern . 0 20% 4320 # Our preference is for administrators to configure a secure # user account for squid with UID/GID matching system policies. #Default: -# none +# Use system group memberships of the cache_effective_user account # TAG: httpd_suppress_version_string on|off # Suppress Squid version string info in HTTP headers and HTML error pages. @@ -3748,14 +5574,14 @@ refresh_pattern . 0 20% 4320 # get errors about IP-forwarding you must set them to have individual # names with this setting. #Default: -# visible_hostname localhost +# Automatically detect the system host name # TAG: unique_hostname # If you want to have multiple machines with the same # 'visible_hostname' you must give each machine a different # 'unique_hostname' so forwarding loops can be detected. #Default: -# none +# Copy the value from visible_hostname # TAG: hostname_aliases # A list of other DNS names your cache has. @@ -3794,33 +5620,32 @@ refresh_pattern . 0 20% 4320 # available on the Web at http://www.ircache.net/Cache/Tracker/. # TAG: announce_period -# This is how frequently to send cache announcements. The -# default is `0' which disables sending the announcement -# messages. +# This is how frequently to send cache announcements. # # To enable announcing your cache, just set an announce period. # # Example: # announce_period 1 day #Default: -# announce_period 0 +# Announcement messages disabled. # TAG: announce_host +# Set the hostname where announce registration messages will be sent. +# +# See also announce_port and announce_file #Default: # announce_host tracker.ircache.net # TAG: announce_file +# The contents of this file will be included in the announce +# registration messages. #Default: # none # TAG: announce_port -# announce_host and announce_port set the hostname and port -# number where the registration message will be sent. +# Set the port where announce registration messages will be sent. # -# Hostname will default to 'tracker.ircache.net' and port will -# default default to 3131. If the 'filename' argument is given, -# the contents of that file will be included in the announce -# message. +# See also announce_host and announce_file #Default: # announce_port 3131 @@ -3833,10 +5658,12 @@ refresh_pattern . 0 20% 4320 # a farm of surrogates may all perform the same tasks, they may share # an identification token. #Default: -# httpd_accel_surrogate_id unset-id +# visible_hostname is used if no specific ID is set. # TAG: http_accel_surrogate_remote on|off -# Remote surrogates (such as those in a CDN) honour Surrogate-Control: no-store-remote. +# Remote surrogates (such as those in a CDN) honour the header +# "Surrogate-Control: no-store-remote". +# # Set this to on to have squid behave as a remote surrogate. #Default: # http_accel_surrogate_remote off @@ -3855,6 +5682,9 @@ refresh_pattern . 0 20% 4320 # This represents the number of delay pools to be used. For example, # if you have one class 2 delay pool and one class 3 delays pool, you # have a total of 2 delay pools. +# +# See also delay_parameters, delay_class, delay_access for pool +# configuration details. #Default: # delay_pools 0 @@ -3907,6 +5737,11 @@ refresh_pattern . 0 20% 4320 # # NOTE-2: Due to the use of bitmasks in class 2,3,4 pools they only apply to # IPv4 traffic. Class 1 and 5 pools may be used with IPv6 traffic. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# See also delay_parameters and delay_access. #Default: # none @@ -3921,14 +5756,16 @@ refresh_pattern . 0 20% 4320 # For example, if you want some_big_clients in delay # pool 1 and lotsa_little_clients in delay pool 2: # -#Example: -# delay_access 1 allow some_big_clients -# delay_access 1 deny all -# delay_access 2 allow lotsa_little_clients -# delay_access 2 deny all -# delay_access 3 allow authenticated_clients +# delay_access 1 allow some_big_clients +# delay_access 1 deny all +# delay_access 2 allow lotsa_little_clients +# delay_access 2 deny all +# delay_access 3 allow authenticated_clients +# +# See also delay_parameters and delay_class. +# #Default: -# none +# Deny using the pool, unless allow rules exist in squid.conf for the pool. # TAG: delay_parameters # This defines the parameters for a delay pool. Each delay pool has @@ -3936,23 +5773,23 @@ refresh_pattern . 0 20% 4320 # description of delay_class. # # For a class 1 delay pool, the syntax is: -# delay_pools pool 1 +# delay_class pool 1 # delay_parameters pool aggregate # # For a class 2 delay pool: -# delay_pools pool 2 +# delay_class pool 2 # delay_parameters pool aggregate individual # # For a class 3 delay pool: -# delay_pools pool 3 +# delay_class pool 3 # delay_parameters pool aggregate network individual # # For a class 4 delay pool: -# delay_pools pool 4 +# delay_class pool 4 # delay_parameters pool aggregate network individual user # # For a class 5 delay pool: -# delay_pools pool 5 +# delay_class pool 5 # delay_parameters pool tagrate # # The option variables are: @@ -3988,11 +5825,11 @@ refresh_pattern . 0 20% 4320 # above example, and is being used to strictly limit each host to 64Kbit/sec # (plus overheads), with no overall limit, the line is: # -# delay_parameters 1 -1/-1 8000/8000 +# delay_parameters 1 none 8000/8000 # -# Note that 8 x 8000 KByte/sec -> 64Kbit/sec. +# Note that 8 x 8K Byte/sec -> 64K bit/sec. # -# Note that the figure -1 is used to represent "unlimited". +# Note that the word 'none' is used to represent no limit. # # # And, if delay pool number 2 is a class 3 delay pool as in the above @@ -4005,15 +5842,19 @@ refresh_pattern . 0 20% 4320 # # delay_parameters 2 32000/32000 8000/8000 600/8000 # -# Note that 8 x 32000 KByte/sec -> 256Kbit/sec. -# 8 x 8000 KByte/sec -> 64Kbit/sec. -# 8 x 600 Byte/sec -> 4800bit/sec. +# Note that 8 x 32K Byte/sec -> 256K bit/sec. +# 8 x 8K Byte/sec -> 64K bit/sec. +# 8 x 600 Byte/sec -> 4800 bit/sec. # # # Finally, for a class 4 delay pool as in the example - each user will # be limited to 128Kbits/sec no matter how many workstations they are logged into.: # # delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000 +# +# +# See also delay_class and delay_access. +# #Default: # none @@ -4026,6 +5867,94 @@ refresh_pattern . 0 20% 4320 #Default: # delay_initial_bucket_level 50 +# CLIENT DELAY POOL PARAMETERS +# ----------------------------------------------------------------------------- + +# TAG: client_delay_pools +# This option specifies the number of client delay pools used. It must +# preceed other client_delay_* options. +# +# Example: +# client_delay_pools 2 +# +# See also client_delay_parameters and client_delay_access. +#Default: +# client_delay_pools 0 + +# TAG: client_delay_initial_bucket_level (percent, 0-no_limit) +# This option determines the initial bucket size as a percentage of +# max_bucket_size from client_delay_parameters. Buckets are created +# at the time of the "first" connection from the matching IP. Idle +# buckets are periodically deleted up. +# +# You can specify more than 100 percent but note that such "oversized" +# buckets are not refilled until their size goes down to max_bucket_size +# from client_delay_parameters. +# +# Example: +# client_delay_initial_bucket_level 50 +#Default: +# client_delay_initial_bucket_level 50 + +# TAG: client_delay_parameters +# +# This option configures client-side bandwidth limits using the +# following format: +# +# client_delay_parameters pool speed_limit max_bucket_size +# +# pool is an integer ID used for client_delay_access matching. +# +# speed_limit is bytes added to the bucket per second. +# +# max_bucket_size is the maximum size of a bucket, enforced after any +# speed_limit additions. +# +# Please see the delay_parameters option for more information and +# examples. +# +# Example: +# client_delay_parameters 1 1024 2048 +# client_delay_parameters 2 51200 16384 +# +# See also client_delay_access. +# +#Default: +# none + +# TAG: client_delay_access +# This option determines the client-side delay pool for the +# request: +# +# client_delay_access pool_ID allow|deny acl_name +# +# All client_delay_access options are checked in their pool ID +# order, starting with pool 1. The first checked pool with allowed +# request is selected for the request. If no ACL matches or there +# are no client_delay_access options, the request bandwidth is not +# limited. +# +# The ACL-selected pool is then used to find the +# client_delay_parameters for the request. Client-side pools are +# not used to aggregate clients. Clients are always aggregated +# based on their source IP addresses (one bucket per source IP). +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# Additionally, only the client TCP connection details are available. +# ACLs testing HTTP properties will not work. +# +# Please see delay_access for more examples. +# +# Example: +# client_delay_access 1 allow low_rate_network +# client_delay_access 2 allow vips_network +# +# +# See also client_delay_parameters and client_delay_pools. +#Default: +# Deny use of the pool, unless allow rules exist in squid.conf for the pool. + # WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS # ----------------------------------------------------------------------------- @@ -4040,7 +5969,7 @@ refresh_pattern . 0 20% 4320 # only one of the two may be used at the same time and defines # which version of WCCP to use. #Default: -# wccp_router any_addr +# WCCP disabled. # TAG: wccp2_router # Use this option to define your WCCP ``home'' router for @@ -4053,7 +5982,7 @@ refresh_pattern . 0 20% 4320 # only one of the two may be used at the same time and defines # which version of WCCP to use. #Default: -# none +# WCCPv2 disabled. # TAG: wccp_version # This directive is only relevant if you need to set up WCCP(v1) @@ -4110,7 +6039,7 @@ refresh_pattern . 0 20% 4320 # Valid values are as follows: # # hash - Hash assignment -# mask - Mask assignment +# mask - Mask assignment # # As a general rule, cisco routers support the hash assignment method # and cisco switches support the mask assignment method. @@ -4138,7 +6067,7 @@ refresh_pattern . 0 20% 4320 # # fleshed out with subsequent options. # wccp2_service standard 0 password=foo #Default: -# wccp2_service standard 0 +# Use the 'web-cache' standard service. # TAG: wccp2_service_info # Dynamic WCCPv2 services require further information to define the @@ -4175,8 +6104,12 @@ refresh_pattern . 0 20% 4320 # wccp2_weight 10000 # TAG: wccp_address +# Use this option if you require WCCPv2 to use a specific +# interface address. +# +# The default behavior is to not bind to any specific address. #Default: -# wccp_address 0.0.0.0 +# Address selected by the operating system. # TAG: wccp2_address # Use this option if you require WCCP to use a specific @@ -4184,7 +6117,7 @@ refresh_pattern . 0 20% 4320 # # The default behavior is to not bind to any specific address. #Default: -# wccp2_address 0.0.0.0 +# Address selected by the operating system. # PERSISTENT CONNECTION HANDLING # ----------------------------------------------------------------------------- @@ -4192,14 +6125,16 @@ refresh_pattern . 0 20% 4320 # Also see "pconn_timeout" in the TIMEOUTS section # TAG: client_persistent_connections +# Persistent connection support for clients. +# Squid uses persistent connections (when allowed). You can use +# this option to disable persistent connections with clients. #Default: # client_persistent_connections on # TAG: server_persistent_connections -# Persistent connection support for clients and servers. By -# default, Squid uses persistent connections (when allowed) -# with its clients and servers. You can use these options to -# disable persistent connections with clients and/or servers. +# Persistent connection support for servers. +# Squid uses persistent connections (when allowed). You can use +# this option to disable persistent connections with servers. #Default: # server_persistent_connections on @@ -4275,7 +6210,7 @@ refresh_pattern . 0 20% 4320 # Example: # snmp_port 3401 #Default: -# snmp_port 0 +# SNMP disabled. # TAG: snmp_access # Allowing or denying access to the SNMP port. @@ -4287,26 +6222,29 @@ refresh_pattern . 0 20% 4320 # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# #Example: # snmp_access allow snmppublic localhost # snmp_access deny all #Default: -# snmp_access deny all +# Deny, unless rules exist in squid.conf. # TAG: snmp_incoming_address -#Default: -# snmp_incoming_address any_addr - -# TAG: snmp_outgoing_address # Just like 'udp_incoming_address', but for the SNMP port. # # snmp_incoming_address is used for the SNMP socket receiving # messages from SNMP agents. -# snmp_outgoing_address is used for SNMP packets returned to SNMP -# agents. # # The default snmp_incoming_address is to listen on all # available network interfaces. +#Default: +# Accept SNMP packets from all machine interfaces. + +# TAG: snmp_outgoing_address +# Just like 'udp_outgoing_address', but for the SNMP port. +# +# snmp_outgoing_address is used for SNMP packets returned to SNMP +# agents. # # If snmp_outgoing_address is not set it will use the same socket # as snmp_incoming_address. Only change this if you want to have @@ -4314,9 +6252,9 @@ refresh_pattern . 0 20% 4320 # listens for SNMP queries. # # NOTE, snmp_incoming_address and snmp_outgoing_address can not have -# the same value since they both use port 3401. +# the same value since they both use the same port. #Default: -# snmp_outgoing_address no_addr +# Use snmp_incoming_address or an address selected by the operating system. # ICP OPTIONS # ----------------------------------------------------------------------------- @@ -4324,22 +6262,21 @@ refresh_pattern . 0 20% 4320 # TAG: icp_port # The port number where Squid sends and receives ICP queries to # and from neighbor caches. The standard UDP port for ICP is 3130. -# Default is disabled (0). # # Example: # icp_port 3130 #Default: -# icp_port 0 +# ICP disabled. # TAG: htcp_port # The port number where Squid sends and receives HTCP queries to # and from neighbor caches. To turn it on you want to set it to -# 4827. By default it is set to "0" (disabled). +# 4827. # # Example: # htcp_port 4827 #Default: -# htcp_port 0 +# HTCP disabled. # TAG: log_icp_queries on|off # If set, ICP queries are logged to access.log. You may wish @@ -4365,7 +6302,7 @@ refresh_pattern . 0 20% 4320 # NOTE, udp_incoming_address and udp_outgoing_address can not # have the same value since they both use the same port. #Default: -# udp_incoming_address any_addr +# Accept packets from all machine interfaces. # TAG: udp_outgoing_address # udp_outgoing_address is used for UDP packets sent out to other @@ -4386,7 +6323,7 @@ refresh_pattern . 0 20% 4320 # NOTE, udp_incoming_address and udp_outgoing_address can not # have the same value since they both use the same port. #Default: -# udp_outgoing_address no_addr +# Use udp_incoming_address or an address selected by the operating system. # TAG: icp_hit_stale on|off # If you want to return ICP_HIT for stale cache objects, set this @@ -4405,21 +6342,33 @@ refresh_pattern . 0 20% 4320 #Default: # minimum_direct_hops 4 -# TAG: minimum_direct_rtt +# TAG: minimum_direct_rtt (msec) # If using the ICMP pinging stuff, do direct fetches for sites # which are no more than this many rtt milliseconds away. #Default: # minimum_direct_rtt 400 # TAG: netdb_low +# The low water mark for the ICMP measurement database. +# +# Note: high watermark controlled by netdb_high directive. +# +# These watermarks are counts, not percents. The defaults are +# (low) 900 and (high) 1000. When the high water mark is +# reached, database entries will be deleted until the low +# mark is reached. #Default: # netdb_low 900 # TAG: netdb_high -# The low and high water marks for the ICMP measurement -# database. These are counts, not percents. The defaults are -# 900 and 1000. When the high water mark is reached, database -# entries will be deleted until the low mark is reached. +# The high water mark for the ICMP measurement database. +# +# Note: low watermark controlled by netdb_low directive. +# +# These watermarks are counts, not percents. The defaults are +# (low) 900 and (high) 1000. When the high water mark is +# reached, database entries will be deleted until the low +# mark is reached. #Default: # netdb_high 1000 @@ -4462,7 +6411,7 @@ refresh_pattern . 0 20% 4320 # # icp_query_timeout 2000 #Default: -# icp_query_timeout 0 +# Dynamic detection. # TAG: maximum_icp_query_timeout (msec) # Normally the ICP query timeout is determined dynamically. But @@ -4528,7 +6477,7 @@ refresh_pattern . 0 20% 4320 # Do not enable this option unless you are are absolutely # certain you understand what you are doing. #Default: -# mcast_miss_addr no_addr +# disabled. # TAG: mcast_miss_ttl # Note: This option is only available if Squid is rebuilt with the @@ -4618,7 +6567,7 @@ refresh_pattern . 0 20% 4320 # The squid developers working on translations are happy to supply drop-in # translated error files in exchange for any new language contributions. #Default: -# none +# Send error pages in the clients preferred language # TAG: error_default_language # Set the default language which squid will send error pages in @@ -4632,7 +6581,7 @@ refresh_pattern . 0 20% 4320 # translations for any language see the squid wiki for details. # http://wiki.squid-cache.org/Translations #Default: -# none +# Generate English language pages. # TAG: error_log_languages # Log to cache.log what languages users are attempting to @@ -4687,17 +6636,47 @@ refresh_pattern . 0 20% 4320 # the first authentication related acl encountered # - When none of the http_access lines matches. It's then the last # acl processed on the last http_access line. +# - When the decision to deny access was made by an adaptation service, +# the acl name is the corresponding eCAP or ICAP service_name. # # NP: If providing your own custom error pages with error_directory # you may also specify them by your custom file name: # Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys # -# Alternatively you can specify an error URL. The browsers will -# get redirected (302 or 307) to the specified URL. %s in the redirection -# URL will be replaced by the requested URL. +# By defaut Squid will send "403 Forbidden". A different 4xx or 5xx +# may be specified by prefixing the file name with the code and a colon. +# e.g. 404:ERR_CUSTOM_ACCESS_DENIED # # Alternatively you can tell Squid to reset the TCP connection # by specifying TCP_RESET. +# +# Or you can specify an error URL or URL pattern. The browsers will +# get redirected to the specified URL after formatting tags have +# been replaced. Redirect will be done with 302 or 307 according to +# HTTP/1.1 specs. A different 3xx code may be specified by prefixing +# the URL. e.g. 303:http://example.com/ +# +# URL FORMAT TAGS: +# %a - username (if available. Password NOT included) +# %B - FTP path URL +# %e - Error number +# %E - Error description +# %h - Squid hostname +# %H - Request domain name +# %i - Client IP Address +# %M - Request Method +# %o - Message result from external ACL helper +# %p - Request Port number +# %P - Request Protocol name +# %R - Request URL path +# %T - Timestamp in RFC 1123 format +# %U - Full canonical URL from client +# (HTTPS URLs terminate with *) +# %u - Full canonical URL from client +# %w - Admin email from squid.conf +# %x - Error name +# %% - Literal percent (%) code +# #Default: # none @@ -4706,18 +6685,18 @@ refresh_pattern . 0 20% 4320 # TAG: nonhierarchical_direct # By default, Squid will send any non-hierarchical requests -# (matching hierarchy_stoplist or not cacheable request type) direct -# to origin servers. +# (not cacheable request type) direct to origin servers. # -# If you set this to off, Squid will prefer to send these +# When this is set to "off", Squid will prefer to send these # requests to parents. # # Note that in most configurations, by turning this off you will only # add latency to these request without any improvement in global hit # ratio. # -# If you are inside an firewall see never_direct instead of -# this directive. +# This option only sets a preference. If the parent is unavailable a +# direct connection to the origin server may still be attempted. To +# completely prevent direct connections use never_direct. #Default: # nonhierarchical_direct on @@ -4736,6 +6715,29 @@ refresh_pattern . 0 20% 4320 #Default: # prefer_direct off +# TAG: cache_miss_revalidate on|off +# RFC 7232 defines a conditional request mechanism to prevent +# response objects being unnecessarily transferred over the network. +# If that mechanism is used by the client and a cache MISS occurs +# it can prevent new cache entries being created. +# +# This option determines whether Squid on cache MISS will pass the +# client revalidation request to the server or tries to fetch new +# content for caching. It can be useful while the cache is mostly +# empty to more quickly have the cache populated by generating +# non-conditional GETs. +# +# When set to 'on' (default), Squid will pass all client If-* headers +# to the server. This permits server responses without a cacheable +# payload to be delivered and on MISS no new cache entry is created. +# +# When set to 'off' and if the request is cacheable, Squid will +# remove the clients If-Modified-Since and If-None-Match headers from +# the request sent to the server. This requests a 200 status response +# from the server to create a new cache entry with. +#Default: +# cache_miss_revalidate on + # TAG: always_direct # Usage: always_direct allow|deny [!]aclname ... # @@ -4776,7 +6778,7 @@ refresh_pattern . 0 20% 4320 # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Prevent any cache_peer being used for this request. # TAG: never_direct # Usage: never_direct allow|deny [!]aclname ... @@ -4805,37 +6807,52 @@ refresh_pattern . 0 20% 4320 # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow DNS results to be used for this request. # ADVANCED NETWORKING OPTIONS # ----------------------------------------------------------------------------- -# TAG: incoming_icp_average +# TAG: incoming_udp_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: -# incoming_icp_average 6 +# incoming_udp_average 6 -# TAG: incoming_http_average +# TAG: incoming_tcp_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: -# incoming_http_average 4 +# incoming_tcp_average 4 # TAG: incoming_dns_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: # incoming_dns_average 4 -# TAG: min_icp_poll_cnt +# TAG: min_udp_poll_cnt +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: -# min_icp_poll_cnt 8 +# min_udp_poll_cnt 8 # TAG: min_dns_poll_cnt +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: # min_dns_poll_cnt 8 -# TAG: min_http_poll_cnt +# TAG: min_tcp_poll_cnt # Heavy voodoo here. I can't even believe you are reading this. # Are you crazy? Don't even think about adjusting these unless # you understand the algorithms in comm_select.c first! #Default: -# min_http_poll_cnt 8 +# min_tcp_poll_cnt 8 # TAG: accept_filter # FreeBSD: @@ -4880,14 +6897,14 @@ refresh_pattern . 0 20% 4320 # WARNING: This may noticably slow down traffic received via external proxies # or NAT devices and cause them to rebound error messages back to their clients. #Default: -# client_ip_max_connections -1 +# No limit. # TAG: tcp_recv_bufsize (bytes) # Size of receive buffer to set for TCP sockets. Probably just -# as easy to change your kernel's default. Set to zero to use -# the default buffer size. +# as easy to change your kernel's default. +# Omit from squid.conf to use the default buffer size. #Default: -# tcp_recv_bufsize 0 bytes +# Use operating system TCP defaults. # ICAP OPTIONS # ----------------------------------------------------------------------------- @@ -4913,22 +6930,36 @@ refresh_pattern . 0 20% 4320 # an established, active ICAP connection before giving up and # either terminating the HTTP transaction or bypassing the # failure. -# -# The default is read_timeout. #Default: -# none +# Use read_timeout. -# TAG: icap_service_failure_limit +# TAG: icap_service_failure_limit limit [in memory-depth time-units] # The limit specifies the number of failures that Squid tolerates # when establishing a new TCP connection with an ICAP service. If # the number of failures exceeds the limit, the ICAP service is # not used for new ICAP requests until it is time to refresh its -# OPTIONS. The per-service failure counter is reset to zero each -# time Squid fetches new service OPTIONS. +# OPTIONS. # # A negative value disables the limit. Without the limit, an ICAP # service will not be considered down due to connectivity failures # between ICAP OPTIONS requests. +# +# Squid forgets ICAP service failures older than the specified +# value of memory-depth. The memory fading algorithm +# is approximate because Squid does not remember individual +# errors but groups them instead, splitting the option +# value into ten time slots of equal length. +# +# When memory-depth is 0 and by default this option has no +# effect on service failure expiration. +# +# Squid always forgets failures when updating service settings +# using an ICAP OPTIONS transaction, regardless of this option +# setting. +# +# For example, +# # suspend service usage after 10 failures in 5 seconds: +# icap_service_failure_limit 10 in 5 seconds #Default: # icap_service_failure_limit 10 @@ -4962,10 +6993,26 @@ refresh_pattern . 0 20% 4320 # TAG: icap_preview_size # The default size of preview data to be sent to the ICAP server. -# -1 means no preview. This value might be overwritten on a per server -# basis by OPTIONS requests. +# This value might be overwritten on a per server basis by OPTIONS requests. +#Default: +# No preview sent. + +# TAG: icap_206_enable on|off +# 206 (Partial Content) responses is an ICAP extension that allows the +# ICAP agents to optionally combine adapted and original HTTP message +# content. The decision to combine is postponed until the end of the +# ICAP response. Squid supports Partial Content extension by default. +# +# Activation of the Partial Content extension is negotiated with each +# ICAP service during OPTIONS exchange. Most ICAP servers should handle +# negotation correctly even if they do not support the extension, but +# some might fail. To disable Partial Content support for all ICAP +# services and to avoid any negotiation, set this option to "off". +# +# Example: +# icap_206_enable off #Default: -# icap_preview_size -1 +# icap_206_enable on # TAG: icap_default_options_ttl # The default TTL value for ICAP OPTIONS responses that don't have @@ -4979,25 +7026,27 @@ refresh_pattern . 0 20% 4320 #Default: # icap_persistent_connections on -# TAG: icap_send_client_ip on|off +# TAG: adaptation_send_client_ip on|off # If enabled, Squid shares HTTP client IP information with adaptation # services. For ICAP, Squid adds the X-Client-IP header to ICAP requests. # For eCAP, Squid sets the libecap::metaClientIp transaction option. # # See also: adaptation_uses_indirect_client #Default: -# icap_send_client_ip off +# adaptation_send_client_ip off -# TAG: icap_send_client_username on|off +# TAG: adaptation_send_username on|off # This sends authenticated HTTP client username (if available) to -# the ICAP service. The username value is encoded based on the +# the adaptation service. +# +# For ICAP, the username value is encoded based on the # icap_client_username_encode option and is sent using the header # specified by the icap_client_username_header option. #Default: -# icap_send_client_username off +# adaptation_send_username off # TAG: icap_client_username_header -# ICAP request header name to use for send_client_username. +# ICAP request header name to use for adaptation_send_username. #Default: # icap_client_username_header X-Client-Username @@ -5009,17 +7058,19 @@ refresh_pattern . 0 20% 4320 # TAG: icap_service # Defines a single ICAP service using the following format: # -# icap_service service_name vectoring_point [options] service_url +# icap_service id vectoring_point uri [option ...] # -# service_name: ID -# an opaque identifier which must be unique in squid.conf +# id: ID +# an opaque identifier or name which is used to direct traffic to +# this specific service. Must be unique among all adaptation +# services in squid.conf. # # vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache # This specifies at which point of transaction processing the # ICAP service should be activated. *_postcache vectoring points # are not yet supported. # -# service_url: icap://servername:port/servicepath +# uri: icap://servername:port/servicepath # ICAP server and service location. # # ICAP does not allow a single service to handle both REQMOD and RESPMOD @@ -5028,6 +7079,8 @@ refresh_pattern . 0 20% 4320 # can even specify multiple identical services as long as their # service_names differ. # +# To activate a service, use the adaptation_access directive. To group +# services, use adaptation_service_chain and adaptation_service_set. # # Service options are separated by white space. ICAP services support # the following name=value options: @@ -5049,11 +7102,12 @@ refresh_pattern . 0 20% 4320 # returning a chain of services to be used next. The services # are specified using the X-Next-Services ICAP response header # value, formatted as a comma-separated list of service names. -# Each named service should be configured in squid.conf and -# should have the same method and vectoring point as the current -# ICAP transaction. Services violating these rules are ignored. -# An empty X-Next-Services value results in an empty plan which -# ends the current adaptation. +# Each named service should be configured in squid.conf. Other +# services are ignored. An empty X-Next-Services value results +# in an empty plan which ends the current adaptation. +# +# Dynamic adaptation plan may cross or cover multiple supported +# vectoring points in their natural processing order. # # Routing is not allowed by default: the ICAP X-Next-Services # response header is ignored. @@ -5063,12 +7117,32 @@ refresh_pattern . 0 20% 4320 # is to use IPv4-only connections. When set to 'on' this option will # make Squid use IPv6-only connections to contact this ICAP service. # +# on-overload=block|bypass|wait|force +# If the service Max-Connections limit has been reached, do +# one of the following for each new ICAP transaction: +# * block: send an HTTP error response to the client +# * bypass: ignore the "over-connected" ICAP service +# * wait: wait (in a FIFO queue) for an ICAP connection slot +# * force: proceed, ignoring the Max-Connections limit +# +# In SMP mode with N workers, each worker assumes the service +# connection limit is Max-Connections/N, even though not all +# workers may use a given service. +# +# The default value is "bypass" if service is bypassable, +# otherwise it is set to "wait". +# +# +# max-conn=number +# Use the given number as the Max-Connections limit, regardless +# of the Max-Connections value given by the service, if any. +# # Older icap_service format without optional named parameters is # deprecated but supported for backward compatibility. # #Example: -#icap_service svcBlocker reqmod_precache bypass=0 icap://icap1.mydomain.net:1344/reqmod -#icap_service svcLogger reqmod_precache routing=on icap://icap2.mydomain.net:1344/respmod +#icap_service svcBlocker reqmod_precache icap://icap1.mydomain.net:1344/reqmod bypass=0 +#icap_service svcLogger reqmod_precache icap://icap2.mydomain.net:1344/respmod routing=on #Default: # none @@ -5094,38 +7168,65 @@ refresh_pattern . 0 20% 4320 # ----------------------------------------------------------------------------- # TAG: ecap_enable on|off -# Note: This option is only available if Squid is rebuilt with the -# --enable-ecap option -# # Controls whether eCAP support is enabled. #Default: # ecap_enable off # TAG: ecap_service -# Note: This option is only available if Squid is rebuilt with the -# --enable-ecap option -# # Defines a single eCAP service # -# ecap_service servicename vectoring_point bypass service_url +# ecap_service id vectoring_point uri [option ...] # -# vectoring_point = reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache +# id: ID +# an opaque identifier or name which is used to direct traffic to +# this specific service. Must be unique among all adaptation +# services in squid.conf. +# +# vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache # This specifies at which point of transaction processing the # eCAP service should be activated. *_postcache vectoring points # are not yet supported. -# bypass = 1|0 -# If set to 1, the eCAP service is treated as optional. If the -# service cannot be reached or malfunctions, Squid will try to -# ignore any errors and process the message as if the service +# +# uri: ecap://vendor/service_name?custom&cgi=style¶meters=optional +# Squid uses the eCAP service URI to match this configuration +# line with one of the dynamically loaded services. Each loaded +# eCAP service must have a unique URI. Obtain the right URI from +# the service provider. +# +# To activate a service, use the adaptation_access directive. To group +# services, use adaptation_service_chain and adaptation_service_set. +# +# Service options are separated by white space. eCAP services support +# the following name=value options: +# +# bypass=on|off|1|0 +# If set to 'on' or '1', the eCAP service is treated as optional. +# If the service cannot be reached or malfunctions, Squid will try +# to ignore any errors and process the message as if the service # was not enabled. No all eCAP errors can be bypassed. -# If set to 0, the eCAP service is treated as essential and all -# eCAP errors will result in an error page returned to the +# If set to 'off' or '0', the eCAP service is treated as essential +# and all eCAP errors will result in an error page returned to the # HTTP client. -# service_url = ecap://vendor/service_name?custom&cgi=style¶meters=optional +# +# Bypass is off by default: services are treated as essential. +# +# routing=on|off|1|0 +# If set to 'on' or '1', the eCAP service is allowed to +# dynamically change the current message adaptation plan by +# returning a chain of services to be used next. +# +# Dynamic adaptation plan may cross or cover multiple supported +# vectoring points in their natural processing order. +# +# Routing is not allowed by default. +# +# Older ecap_service format without optional named parameters is +# deprecated but supported for backward compatibility. +# # #Example: -#ecap_service service_1 reqmod_precache 0 ecap://filters-R-us/leakDetector?on_error=block -#ecap_service service_2 respmod_precache 1 icap://filters-R-us/virusFilter?config=/etc/vf.cfg +#ecap_service s1 reqmod_precache ecap://filters.R.us/leakDetector?on_error=block bypass=off +#ecap_service s2 respmod_precache ecap://filters.R.us/virusFilter config=/etc/vf.cfg bypass=on #Default: # none @@ -5247,7 +7348,7 @@ refresh_pattern . 0 20% 4320 #Example: #adaptation_access service_1 allow all #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: adaptation_service_iteration_limit # Limits the number of iterations allowed when applying adaptation @@ -5275,8 +7376,14 @@ refresh_pattern . 0 20% 4320 # # An ICAP REQMOD or RESPMOD transaction may set an entry in the # shared table by returning an ICAP header field with a name -# specified in adaptation_masterx_shared_names. Squid will store -# and forward that ICAP header field to subsequent ICAP +# specified in adaptation_masterx_shared_names. +# +# An eCAP REQMOD or RESPMOD transaction may set an entry in the +# shared table by implementing the libecap::visitEachOption() API +# to provide an option with a name specified in +# adaptation_masterx_shared_names. +# +# Squid will store and forward the set entry to subsequent adaptation # transactions within the same master transaction scope. # # Only one shared entry name is supported at this time. @@ -5287,6 +7394,43 @@ refresh_pattern . 0 20% 4320 #Default: # none +# TAG: adaptation_meta +# This option allows Squid administrator to add custom ICAP request +# headers or eCAP options to Squid ICAP requests or eCAP transactions. +# Use it to pass custom authentication tokens and other +# transaction-state related meta information to an ICAP/eCAP service. +# +# The addition of a meta header is ACL-driven: +# adaptation_meta name value [!]aclname ... +# +# Processing for a given header name stops after the first ACL list match. +# Thus, it is impossible to add two headers with the same name. If no ACL +# lists match for a given header name, no such header is added. For +# example: +# +# # do not debug transactions except for those that need debugging +# adaptation_meta X-Debug 1 needs_debugging +# +# # log all transactions except for those that must remain secret +# adaptation_meta X-Log 1 !keep_secret +# +# # mark transactions from users in the "G 1" group +# adaptation_meta X-Authenticated-Groups "G 1" authed_as_G1 +# +# The "value" parameter may be a regular squid.conf token or a "double +# quoted string". Within the quoted string, use backslash (\) to escape +# any character, which is currently only useful for escaping backslashes +# and double quotes. For example, +# "this string has one backslash (\\) and two \"quotes\"" +# +# Used adaptation_meta header values may be logged via %note +# logformat code. If multiple adaptation_meta headers with the same name +# are used during master transaction lifetime, the header values are +# logged in the order they were used and duplicate values are ignored +# (only the first repeated value will be logged). +#Default: +# none + # TAG: icap_retry # This ACL determines which retriable ICAP transactions are # retried. Transactions that received a complete ICAP response @@ -5303,8 +7447,7 @@ refresh_pattern . 0 20% 4320 # icap_retry deny all # TAG: icap_retry_limit -# Limits the number of retries allowed. When set to zero (default), -# no retries are allowed. +# Limits the number of retries allowed. # # Communication errors due to persistent connection race # conditions are unavoidable, automatically retried, and do not @@ -5312,7 +7455,7 @@ refresh_pattern . 0 20% 4320 # # See also: icap_retry #Default: -# icap_retry_limit 0 +# No retries are allowed. # DNS OPTIONS # ----------------------------------------------------------------------------- @@ -5332,31 +7475,9 @@ refresh_pattern . 0 20% 4320 #Default: # allow_underscore on -# TAG: cache_dns_program -# Note: This option is only available if Squid is rebuilt with the -# --disable-internal-dns option -# -# Specify the location of the executable for dnslookup process. -#Default: -# cache_dns_program /usr/lib/squid/dnsserver - -# TAG: dns_children -# Note: This option is only available if Squid is rebuilt with the -# --disable-internal-dns option -# -# The number of processes spawn to service DNS name lookups. -# For heavily loaded caches on large servers, you should -# probably increase this value to at least 10. The maximum -# is 32. The default is 5. -# -# You must have at least one dnsserver process. -#Default: -# dns_children 5 - # TAG: dns_retransmit_interval # Initial retransmit interval for DNS queries. The interval is # doubled each time all configured DNS servers have been tried. -# #Default: # dns_retransmit_interval 5 seconds @@ -5365,7 +7486,31 @@ refresh_pattern . 0 20% 4320 # within this time all DNS servers for the queried domain # are assumed to be unavailable. #Default: -# dns_timeout 2 minutes +# dns_timeout 30 seconds + +# TAG: dns_packet_max +# Maximum number of bytes packet size to advertise via EDNS. +# Set to "none" to disable EDNS large packet support. +# +# For legacy reasons DNS UDP replies will default to 512 bytes which +# is too small for many responses. EDNS provides a means for Squid to +# negotiate receiving larger responses back immediately without having +# to failover with repeat requests. Responses larger than this limit +# will retain the old behaviour of failover to TCP DNS. +# +# Squid has no real fixed limit internally, but allowing packet sizes +# over 1500 bytes requires network jumbogram support and is usually not +# necessary. +# +# WARNING: The RFC also indicates that some older resolvers will reply +# with failure of the whole request if the extension is added. Some +# resolvers have already been identified which will reply with mangled +# EDNS response on occasion. Usually in response to many-KB jumbogram +# sizes being advertised by Squid. +# Squid will currently treat these both as an unable-to-resolve domain +# even if it would be resolvable without EDNS. +#Default: +# EDNS disabled # TAG: dns_defnames on|off # Normally the RES_DEFNAMES resolver option is disabled @@ -5373,12 +7518,21 @@ refresh_pattern . 0 20% 4320 # from interpreting single-component hostnames locally. To allow # Squid to handle single-component names, enable this option. #Default: -# dns_defnames off +# Search for single-label domain names is disabled. + +# TAG: dns_multicast_local on|off +# When set to on, Squid sends multicast DNS lookups on the local +# network for domains ending in .local and .arpa. +# This enables local servers and devices to be contacted in an +# ad-hoc or zero-configuration network environment. +#Default: +# Search for .local and .arpa names is disabled. # TAG: dns_nameservers # Use this if you want to specify a list of DNS name servers # (IP addresses) to use instead of those given in your # /etc/resolv.conf file. +# # On Windows platforms, if no value is specified here or in # the /etc/resolv.conf file, the list of DNS name servers are # taken from the Windows registry, both static and dynamic DHCP @@ -5386,7 +7540,7 @@ refresh_pattern . 0 20% 4320 # # Example: dns_nameservers 10.0.0.1 192.172.0.4 #Default: -# none +# Use operating system definitions # TAG: hosts_file # Location of the host-local IP name-address associations @@ -5425,7 +7579,7 @@ refresh_pattern . 0 20% 4320 #Example: # append_domain .yourdomain.com #Default: -# none +# Use operating system definitions # TAG: ignore_unknown_nameservers # By default Squid checks that DNS responses are received @@ -5436,23 +7590,6 @@ refresh_pattern . 0 20% 4320 #Default: # ignore_unknown_nameservers on -# TAG: dns_v4_fallback -# Standard practice with DNS is to lookup either A or AAAA records -# and use the results if it succeeds. Only looking up the other if -# the first attempt fails or otherwise produces no results. -# -# That policy however will cause squid to produce error pages for some -# servers that advertise AAAA but are unreachable over IPv6. -# -# If this is ON squid will always lookup both AAAA and A, using both. -# If this is OFF squid will lookup AAAA and only try A if none found. -# -# WARNING: There are some possibly unwanted side-effects with this on: -# *) Doubles the load placed by squid on the DNS network. -# *) May negatively impact connection delay times. -#Default: -# dns_v4_fallback on - # TAG: dns_v4_first # With the IPv6 Internet being as fast or faster than IPv4 Internet # for most networks Squid prefers to contact websites over IPv6. @@ -5464,11 +7601,12 @@ refresh_pattern . 0 20% 4320 # WARNING: # This option will restrict the situations under which IPv6 # connectivity is used (and tested), potentially hiding network -# problem swhich would otherwise be detected and warned about. +# problems which would otherwise be detected and warned about. #Default: # dns_v4_first off # TAG: ipcache_size (number of entries) +# Maximum number of DNS IP cache entries. #Default: # ipcache_size 1024 @@ -5489,6 +7627,15 @@ refresh_pattern . 0 20% 4320 # MISCELLANEOUS # ----------------------------------------------------------------------------- +# TAG: configuration_includes_quoted_values on|off +# If set, Squid will recognize each "quoted string" after a configuration +# directive as a single parameter. The quotes are stripped before the +# parameter value is interpreted or used. +# See "Values with spaces, quotes, and other special characters" +# section for more details. +#Default: +# configuration_includes_quoted_values off + # TAG: memory_pools on|off # If set, Squid will keep pools of allocated (but unused) memory # available for future use. If memory is a premium on your @@ -5539,7 +7686,7 @@ refresh_pattern . 0 20% 4320 # X-Forwarded-For header. # # If set to "truncate", Squid will remove all existing -# X-Forwarded-For entries, and place itself as the sole entry. +# X-Forwarded-For entries, and place the client IP as the sole entry. #Default: # forwarded_for on @@ -5602,7 +7749,7 @@ refresh_pattern . 0 20% 4320 # cachemgr_passwd lesssssssecret info stats/objects # cachemgr_passwd disable all #Default: -# none +# No password. Actions which require password are denied. # TAG: client_db on|off # If you want to disable collecting per-client statistics, @@ -5633,19 +7780,22 @@ refresh_pattern . 0 20% 4320 #Default: # reload_into_ims off -# TAG: maximum_single_addr_tries -# This sets the maximum number of connection attempts for a -# host that only has one address (for multiple-address hosts, -# each address is tried once). +# TAG: connect_retries +# This sets the maximum number of connection attempts made for each +# TCP connection. The connect_retries attempts must all still +# complete within the connection timeout period. +# +# The default is not to re-try if the first connection attempt fails. +# The (not recommended) maximum is 10 tries. # -# The default value is one attempt, the (not recommended) -# maximum is 255 tries. A warning message will be generated -# if it is set to a value greater than ten. +# A warning message will be generated if it is set to a too-high +# value and the configured value will be over-ridden. # -# Note: This is in addition to the request re-forwarding which -# takes place if Squid fails to get a satisfying response. +# Note: These re-tries are in addition to forward_max_tries +# which limit how many different addresses may be tried to find +# a useful server. #Default: -# maximum_single_addr_tries 1 +# Do not retry failed connections. # TAG: retry_on_error # If set to ON Squid will automatically retry requests when @@ -5678,20 +7828,32 @@ refresh_pattern . 0 20% 4320 # URI. Options: # # strip: The whitespace characters are stripped out of the URL. -# This is the behavior recommended by RFC2396. +# This is the behavior recommended by RFC2396 and RFC3986 +# for tolerant handling of generic URI. +# NOTE: This is one difference between generic URI and HTTP URLs. +# # deny: The request is denied. The user receives an "Invalid # Request" message. +# This is the behaviour recommended by RFC2616 for safe +# handling of HTTP request URL. +# # allow: The request is allowed and the URI is not changed. The # whitespace characters remain in the URI. Note the # whitespace is passed to redirector processes if they # are in use. +# Note this may be considered a violation of RFC2616 +# request parsing where whitespace is prohibited in the +# URL field. +# # encode: The request is allowed and the whitespace characters are -# encoded according to RFC1738. This could be considered -# a violation of the HTTP/1.1 -# RFC because proxies are not allowed to rewrite URI's. +# encoded according to RFC1738. +# # chop: The request is allowed and the URI is chopped at the -# first whitespace. This might also be considered a -# violation. +# first whitespace. +# +# +# NOTE the current Squid implementation of encode and chop violates +# RFC2616 by not using a 301 redirect after altering the URL. #Default: # uri_whitespace strip @@ -5718,23 +7880,28 @@ refresh_pattern . 0 20% 4320 # balance_on_multiple_ip off # TAG: pipeline_prefetch -# To boost the performance of pipelined requests to closer -# match that of a non-proxied environment Squid can try to fetch -# up to two requests in parallel from a pipeline. -# -# Defaults to off for bandwidth management and access logging +# HTTP clients may send a pipeline of 1+N requests to Squid using a +# single connection, without waiting for Squid to respond to the first +# of those requests. This option limits the number of concurrent +# requests Squid will try to handle in parallel. If set to N, Squid +# will try to receive and process up to 1+N requests on the same +# connection concurrently. +# +# Defaults to 0 (off) for bandwidth management and access logging # reasons. # +# NOTE: pipelining requires persistent connections to clients. +# # WARNING: pipelining breaks NTLM and Negotiate/Kerberos authentication. #Default: -# pipeline_prefetch off +# Do not pre-parse pipelined requests. # TAG: high_response_time_warning (msec) # If the one-minute median response time exceeds this value, # Squid prints a WARNING with debug level 0 to get the # administrators attention. The value is in milliseconds. #Default: -# high_response_time_warning 0 +# disabled. # TAG: high_page_fault_warning # If the one-minute average page fault rate exceeds this @@ -5742,14 +7909,17 @@ refresh_pattern . 0 20% 4320 # the administrators attention. The value is in page faults # per second. #Default: -# high_page_fault_warning 0 +# disabled. # TAG: high_memory_warning -# If the memory usage (as determined by mallinfo) exceeds -# this amount, Squid prints a WARNING with debug level 0 to get +# Note: This option is only available if Squid is rebuilt with the +# GNU Malloc with mstats() +# +# If the memory usage (as determined by gnumalloc, if available and used) +# exceeds this amount, Squid prints a WARNING with debug level 0 to get # the administrators attention. #Default: -# high_memory_warning 0 KB +# disabled. # TAG: sleep_after_fork (microseconds) # When this is set to a non-zero value, the main Squid process @@ -5766,6 +7936,9 @@ refresh_pattern . 0 20% 4320 # sleep_after_fork 0 # TAG: windows_ipaddrchangemonitor on|off +# Note: This option is only available if Squid is rebuilt with the +# MS Windows +# # On Windows Squid by default will monitor IP address changes and will # reconfigure itself after any detected event. This is very useful for # proxies connected to internet with dial-up interfaces. @@ -5775,13 +7948,19 @@ refresh_pattern . 0 20% 4320 #Default: # windows_ipaddrchangemonitor on +# TAG: eui_lookup +# Whether to lookup the EUI or MAC address of a connected client. +#Default: +# eui_lookup on + # TAG: max_filedescriptors -# The maximum number of filedescriptors supported. +# Reduce the maximum number of filedescriptors supported below +# the usual operating system defaults. # -# The default "0" means Squid inherits the current ulimit setting. +# Remove from squid.conf to inherit the current ulimit setting. # # Note: Changing this requires a restart of Squid. Also -# not all comm loops supports large values. +# not all I/O types supports large values (eg on Windows). #Default: -# max_filedescriptors 0 +# Use operating system limits set by ulimit. diff --git a/hosts/profitbricks-build16-i386/etc/squid/squid.conf b/hosts/profitbricks-build16-i386/etc/squid/squid.conf index 34be0ec5..ad1cdc47 100644 --- a/hosts/profitbricks-build16-i386/etc/squid/squid.conf +++ b/hosts/profitbricks-build16-i386/etc/squid/squid.conf @@ -1,4 +1,4 @@ -# WELCOME TO SQUID 3.1.20 +# WELCOME TO SQUID 3.5.23 # ---------------------------- # # This is the documentation for the Squid configuration file. @@ -32,6 +32,188 @@ # This arbitrary restriction is to prevent recursive include references # from causing Squid entering an infinite loop whilst trying to load # configuration files. +# +# Values with byte units +# +# Squid accepts size units on some size related directives. All +# such directives are documented with a default value displaying +# a unit. +# +# Units accepted by Squid are: +# bytes - byte +# KB - Kilobyte (1024 bytes) +# MB - Megabyte +# GB - Gigabyte +# +# Values with spaces, quotes, and other special characters +# +# Squid supports directive parameters with spaces, quotes, and other +# special characters. Surround such parameters with "double quotes". Use +# the configuration_includes_quoted_values directive to enable or +# disable that support. +# +# Squid supports reading configuration option parameters from external +# files using the syntax: +# parameters("/path/filename") +# For example: +# acl whitelist dstdomain parameters("/etc/squid/whitelist.txt") +# +# Conditional configuration +# +# If-statements can be used to make configuration directives +# depend on conditions: +# +# if +# ... regular configuration directives ... +# [else +# ... regular configuration directives ...] +# endif +# +# The else part is optional. The keywords "if", "else", and "endif" +# must be typed on their own lines, as if they were regular +# configuration directives. +# +# NOTE: An else-if condition is not supported. +# +# These individual conditions types are supported: +# +# true +# Always evaluates to true. +# false +# Always evaluates to false. +# = +# Equality comparison of two integer numbers. +# +# +# SMP-Related Macros +# +# The following SMP-related preprocessor macros can be used. +# +# ${process_name} expands to the current Squid process "name" +# (e.g., squid1, squid2, or cache1). +# +# ${process_number} expands to the current Squid process +# identifier, which is an integer number (e.g., 1, 2, 3) unique +# across all Squid processes of the current service instance. +# +# ${service_name} expands into the current Squid service instance +# name identifier which is provided by -n on the command line. +# + +# TAG: broken_vary_encoding +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: cache_vary +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: error_map +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: external_refresh_check +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: location_rewrite_program +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: refresh_stale_hit +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: hierarchy_stoplist +# Remove this line. Use always_direct or cache_peer_access ACLs instead if you need to prevent cache_peer use. +#Default: +# none + +# TAG: log_access +# Remove this line. Use acls with access_log directives to control access logging +#Default: +# none + +# TAG: log_icap +# Remove this line. Use acls with icap_log directives to control icap logging +#Default: +# none + +# TAG: ignore_ims_on_miss +# Remove this line. The HTTP/1.1 feature is now configured by 'cache_miss_revalidate'. +#Default: +# none + +# TAG: chunked_request_body_max_size +# Remove this line. Squid is now HTTP/1.1 compliant. +#Default: +# none + +# TAG: dns_v4_fallback +# Remove this line. Squid performs a 'Happy Eyeballs' algorithm, the 'fallback' algorithm is no longer relevant. +#Default: +# none + +# TAG: emulate_httpd_log +# Replace this with an access_log directive using the format 'common' or 'combined'. +#Default: +# none + +# TAG: forward_log +# Use a regular access.log with ACL limiting it to MISS events. +#Default: +# none + +# TAG: ftp_list_width +# Remove this line. Configure FTP page display using the CSS controls in errorpages.css instead. +#Default: +# none + +# TAG: ignore_expect_100 +# Remove this line. The HTTP/1.1 feature is now fully supported by default. +#Default: +# none + +# TAG: log_fqdn +# Remove this option from your config. To log FQDN use %>A in the log format. +#Default: +# none + +# TAG: log_ip_on_direct +# Remove this option from your config. To log server or peer names use % -##auth_param negotiate children 5 +##auth_param negotiate children 20 startup=0 idle=1 ##auth_param negotiate keep_alive on ## -##auth_param ntlm program -##auth_param ntlm children 5 -##auth_param ntlm keep_alive on -## -##auth_param digest program -##auth_param digest children 5 +##auth_param digest program +##auth_param digest children 20 startup=0 idle=1 ##auth_param digest realm Squid proxy-caching web server ##auth_param digest nonce_garbage_interval 5 minutes ##auth_param digest nonce_max_duration 30 minutes ##auth_param digest nonce_max_count 50 ## +##auth_param ntlm program +##auth_param ntlm children 20 startup=0 idle=1 +##auth_param ntlm keep_alive on +## ##auth_param basic program -##auth_param basic children 5 +##auth_param basic children 5 startup=5 idle=1 ##auth_param basic realm Squid proxy-caching web server ##auth_param basic credentialsttl 2 hours #Default: @@ -343,7 +448,7 @@ # TAG: authenticate_cache_garbage_interval # The time period between garbage collection across the username cache. -# This is a tradeoff between memory utilization (long intervals - say +# This is a trade-off between memory utilization (long intervals - say # 2 days) and CPU (short intervals - say 1 minute). Only change if you # have good reason to. #Default: @@ -362,11 +467,11 @@ # this directive controls how long Squid remembers the IP # addresses associated with each user. Use a small value # (e.g., 60 seconds) if your users might change addresses -# quickly, as is the case with dialups. You might be safe +# quickly, as is the case with dialup. You might be safe # using a larger value (e.g., 2 hours) in a corporate LAN # environment with relatively static address assignments. #Default: -# authenticate_ip_ttl 0 seconds +# authenticate_ip_ttl 1 second # ACCESS CONTROLS # ----------------------------------------------------------------------------- @@ -381,31 +486,66 @@ # # ttl=n TTL in seconds for cached results (defaults to 3600 # for 1 hour) +# # negative_ttl=n # TTL for cached negative lookups (default same # as ttl) -# children=n Number of acl helper processes spawn to service +# +# grace=n Percentage remaining of TTL where a refresh of a +# cached entry should be initiated without needing to +# wait for a new reply. (default is for no grace period) +# +# cache=n The maximum number of entries in the result cache. The +# default limit is 262144 entries. Each cache entry usually +# consumes at least 256 bytes. Squid currently does not remove +# expired cache entries until the limit is reached, so a proxy +# will sooner or later reach the limit. The expanded FORMAT +# value is used as the cache key, so if the details in FORMAT +# are highly variable, a larger cache may be needed to produce +# reduction in helper load. +# +# children-max=n +# Maximum number of acl helper processes spawned to service # external acl lookups of this type. (default 5) +# +# children-startup=n +# Minimum number of acl helper processes to spawn during +# startup and reconfigure to service external acl lookups +# of this type. (default 0) +# +# children-idle=n +# Number of acl helper processes to keep ahead of traffic +# loads. Squid will spawn this many at once whenever load +# rises above the capabilities of existing processes. +# Up to the value of children-max. (default 1) +# # concurrency=n concurrency level per process. Only used with helpers # capable of processing more than one query at a time. -# cache=n result cache size, 0 is unbounded (default) -# grace=n Percentage remaining of TTL where a refresh of a -# cached entry should be initiated without needing to -# wait for a new reply. (default 0 for no grace period) -# protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers +# +# protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers. +# # ipv4 / ipv6 IP protocol used to communicate with this helper. # The default is to auto-detect IPv6 and use it when available. # +# # FORMAT specifications # # %LOGIN Authenticated user login name -# %EXT_USER Username from external acl +# %un A user name. Expands to the first available name +# from the following list of information sources: +# - authenticated user name, like %ul or %LOGIN +# - user name sent by an external ACL, like %EXT_USER +# - SSL client name, like %us in logformat +# - ident user name, like %ui in logformat +# %EXT_USER Username from previous external acl +# %EXT_LOG Log details from previous external acl +# %EXT_TAG Tag from previous external acl # %IDENT Ident user name # %SRC Client IP # %SRCPORT Client source port # %URI Requested URI # %DST Requested host -# %PROTO Requested protocol +# %PROTO Requested URL scheme # %PORT Requested port # %PATH Requested URL path # %METHOD Request method @@ -415,7 +555,10 @@ # %USER_CERT SSL User certificate in PEM format # %USER_CERTCHAIN SSL User certificate chain in PEM format # %USER_CERT_xx SSL User certificate subject attribute xx -# %USER_CA_xx SSL User certificate issuer attribute xx +# %USER_CA_CERT_xx SSL User certificate issuer attribute xx +# %ssl::>sni SSL client SNI sent to Squid +# %ssl::{Header} HTTP request header "Header" # %>{Hdr:member} @@ -433,43 +576,101 @@ # list separator. ; can be any non-alphanumeric # character. # +# %ACL The name of the ACL being tested. +# %DATA The ACL arguments. If not used then any arguments +# is automatically added at the end of the line +# sent to the helper. +# NOTE: this will encode the arguments as one token, +# whereas the default will pass each separately. +# # %% The percent sign. Useful for helpers which need # an unchanging input format. # -# In addition to the above, any string specified in the referencing -# acl will also be included in the helper request line, after the -# specified formats (see the "acl external" directive) # -# The helper receives lines per the above format specification, -# and returns lines starting with OK or ERR indicating the validity -# of the request and optionally followed by additional keywords with -# more details. +# General request syntax: +# +# [channel-ID] FORMAT-values [acl-values ...] +# +# +# FORMAT-values consists of transaction details expanded with +# whitespace separation per the config file FORMAT specification +# using the FORMAT macros listed above. +# +# acl-values consists of any string specified in the referencing +# config 'acl ... external' line. see the "acl external" directive. +# +# Request values sent to the helper are URL escaped to protect +# each value in requests against whitespaces. +# +# If using protocol=2.5 then the request sent to the helper is not +# URL escaped to protect against whitespace. +# +# NOTE: protocol=3.0 is deprecated as no longer necessary. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# +# The helper receives lines expanded per the above format specification +# and for each input line returns 1 line starting with OK/ERR/BH result +# code and optionally followed by additional keywords with more details. +# # # General result syntax: # -# OK/ERR keyword=value ... +# [channel-ID] result keyword=value ... +# +# Result consists of one of the codes: +# +# OK +# the ACL test produced a match. +# +# ERR +# the ACL test does not produce a match. +# +# BH +# An internal error occurred in the helper, preventing +# a result being identified. +# +# The meaning of 'a match' is determined by your squid.conf +# access control configuration. See the Squid wiki for details. # # Defined keywords: # # user= The users name (login) +# # password= The users password (for login= cache_peer option) -# message= Message describing the reason. Available as %o -# in error pages -# tag= Apply a tag to a request (for both ERR and OK results) -# Only sets a tag, does not alter existing tags. +# +# message= Message describing the reason for this response. +# Available as %o in error pages. +# Useful on (ERR and BH results). +# +# tag= Apply a tag to a request. Only sets a tag once, +# does not alter existing tags. +# # log= String to be logged in access.log. Available as -# %ea in logformat specifications +# %ea in logformat specifications. # -# If protocol=3.0 (the default) then URL escaping is used to protect -# each value in both requests and responses. +# clt_conn_tag= Associates a TAG with the client TCP connection. +# Please see url_rewrite_program related documentation +# for this kv-pair. # -# If using protocol=2.5 then all values need to be enclosed in quotes -# if they may contain whitespace, or the whitespace escaped using \. -# And quotes or \ characters within the keyword value must be \ escaped. +# Any keywords may be sent on any response whether OK, ERR or BH. # -# When using the concurrency= option the protocol is changed by -# introducing a query channel tag infront of the request/response. -# The query channel tag is a number between 0 and concurrency-1. +# All response keyword values need to be a single token with URL +# escaping, or enclosed in double quotes (") and escaped using \ on +# any double quotes or \ characters within the value. The wrapping +# double quotes are removed before the value is interpreted by Squid. +# \r and \n are also replace by CR and LF. +# +# Some example key values: +# +# user=John%20Smith +# user="John Smith" +# user="J. \"Bob\" Smith" #Default: # none @@ -485,9 +686,23 @@ # # When using "file", the file should contain one item per line. # -# By default, regular expressions are CASE-SENSITIVE. -# To make them case-insensitive, use the -i option. To return case-sensitive -# use the +i option between patterns, or make a new ACL line without -i. +# Some acl types supports options which changes their default behaviour. +# The available options are: +# +# -i,+i By default, regular expressions are CASE-SENSITIVE. To make them +# case-insensitive, use the -i option. To return case-sensitive +# use the +i option between patterns, or make a new ACL line +# without -i. +# +# -n Disable lookups and address type conversions. If lookup or +# conversion is required because the parameter type (IP or +# domain name) does not match the message address type (domain +# name or IP), then the ACL would immediately declare a mismatch +# without any warnings or lookups. +# +# -- Used to stop processing all options, in the case the first acl +# value has '-' character as first character (for example the '-' +# is a valid domain name) # # Some acl types require suspending the current request in order # to access some external data source. @@ -498,29 +713,31 @@ # # ***** ACL TYPES AVAILABLE ***** # -# acl aclname src ip-address/netmask ... # clients IP address [fast] -# acl aclname src addr1-addr2/netmask ... # range of addresses [fast] -# acl aclname dst ip-address/netmask ... # URL host's IP address [slow] -# acl aclname myip ip-address/netmask ... # local socket IP address [fast] +# acl aclname src ip-address/mask ... # clients IP address [fast] +# acl aclname src addr1-addr2/mask ... # range of addresses [fast] +# acl aclname dst [-n] ip-address/mask ... # URL host's IP address [slow] +# acl aclname localip ip-address/mask ... # IP address the client connected to [fast] # # acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation) -# # The arp ACL requires the special configure option --enable-arp-acl. -# # Furthermore, the ARP ACL code is not portable to all operating systems. -# # It works on Linux, Solaris, Windows, FreeBSD, and some -# # other *BSD variants. # # [fast] +# # The 'arp' ACL code is not portable to all operating systems. +# # It works on Linux, Solaris, Windows, FreeBSD, and some other +# # BSD variants. +# # +# # NOTE: Squid can only determine the MAC/EUI address for IPv4 +# # clients that are on the same subnet. If the client is on a +# # different subnet, then Squid cannot find out its address. # # -# # NOTE: Squid can only determine the MAC address for clients that are on -# # the same subnet. If the client is on a different subnet, -# # then Squid cannot find out its MAC address. +# # NOTE 2: IPv6 protocol does not contain ARP. MAC/EUI is either +# # encoded directly in the IPv6 address or not available. # # acl aclname srcdomain .foo.com ... # # reverse lookup, from client IP [slow] -# acl aclname dstdomain .foo.com ... +# acl aclname dstdomain [-n] .foo.com ... # # Destination server from URL [fast] # acl aclname srcdom_regex [-i] \.foo\.com ... # # regex matching client name [slow] -# acl aclname dstdom_regex [-i] \.foo\.com ... +# acl aclname dstdom_regex [-n] [-i] \.foo\.com ... # # regex matching server [fast] # # # # For dstdomain and dstdom_regex a reverse lookup is tried if a IP @@ -557,13 +774,17 @@ # # acl aclname url_regex [-i] ^http:// ... # # regex matching on whole URL [fast] +# acl aclname urllogin [-i] [^a-zA-Z0-9] ... +# # regex matching on URL login field # acl aclname urlpath_regex [-i] \.gif$ ... # # regex matching on URL path [fast] # # acl aclname port 80 70 21 0-1024... # destination TCP port [fast] # # ranges are alloed -# acl aclname myport 3128 ... # local socket TCP port [fast] -# acl aclname myportname 3128 ... # http(s)_port name [fast] +# acl aclname localport 3128 ... # TCP port the client connected to [fast] +# # NP: for interception mode this is usually '80' +# +# acl aclname myportname 3128 ... # *_port name [fast] # # acl aclname proto HTTP FTP ... # request protocol [fast] # @@ -632,6 +853,11 @@ # # clients may appear to come from multiple addresses if they are # # going through proxy farms, so a limit of 1 may cause user problems. # +# acl aclname random probability +# # Pseudo-randomly match requests. Based on the probability given. +# # Probability may be written as a decimal (0.333), fraction (1/3) +# # or ratio of matches:non-matches (3:5). +# # acl aclname req_mime_type [-i] mime-type ... # # regex match against the mime type of the request generated # # by the client. Can be used to detect file upload or some @@ -663,11 +889,11 @@ # # acl aclname user_cert attribute values... # # match against attributes in a user SSL certificate -# # attribute is one of DN/C/O/CN/L/ST [fast] +# # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast] # # acl aclname ca_cert attribute values... # # match against attributes a users issuing CA SSL certificate -# # attribute is one of DN/C/O/CN/L/ST [fast] +# # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast] # # acl aclname ext_user username ... # acl aclname ext_user_regex [-i] pattern ... @@ -675,7 +901,59 @@ # # use REQUIRED to accept any non-null user name. # # acl aclname tag tagvalue ... -# # string match on tag returned by external acl helper [slow] +# # string match on tag returned by external acl helper [fast] +# # DEPRECATED. Only the first tag will match with this ACL. +# # Use the 'note' ACL instead for handling multiple tag values. +# +# acl aclname hier_code codename ... +# # string match against squid hierarchy code(s); [fast] +# # e.g., DIRECT, PARENT_HIT, NONE, etc. +# # +# # NOTE: This has no effect in http_access rules. It only has +# # effect in rules that affect the reply data stream such as +# # http_reply_access. +# +# acl aclname note name [value ...] +# # match transaction annotation [fast] +# # Without values, matches any annotation with a given name. +# # With value(s), matches any annotation with a given name that +# # also has one of the given values. +# # Names and values are compared using a string equality test. +# # Annotation sources include note and adaptation_meta directives +# # as well as helper and eCAP responses. +# +# acl aclname adaptation_service service ... +# # Matches the name of any icap_service, ecap_service, +# # adaptation_service_set, or adaptation_service_chain that Squid +# # has used (or attempted to use) for the master transaction. +# # This ACL must be defined after the corresponding adaptation +# # service is named in squid.conf. This ACL is usable with +# # adaptation_meta because it starts matching immediately after +# # the service has been selected for adaptation. +# +# acl aclname any-of acl1 acl2 ... +# # match any one of the acls [fast or slow] +# # The first matching ACL stops further ACL evaluation. +# # +# # ACLs from multiple any-of lines with the same name are ORed. +# # For example, A = (a1 or a2) or (a3 or a4) can be written as +# # acl A any-of a1 a2 +# # acl A any-of a3 a4 +# # +# # This group ACL is fast if all evaluated ACLs in the group are fast +# # and slow otherwise. +# +# acl aclname all-of acl1 acl2 ... +# # match all of the acls [fast or slow] +# # The first mismatching ACL stops further ACL evaluation. +# # +# # ACLs from multiple all-of lines with the same name are ORed. +# # For example, B = (b1 and b2) or (b3 and b4) can be written as +# # acl B all-of b1 b2 +# # acl B all-of b3 b4 +# # +# # This group ACL is fast if all evaluated ACLs in the group are fast +# # and slow otherwise. # # Examples: # acl macaddress arp 09:00:2b:23:45:67 @@ -685,14 +963,11 @@ # acl javascript rep_mime_type -i ^application/x-javascript$ # #Default: -# acl all src all +# ACLs all, manager, localhost, and to_localhost are predefined. # # # Recommended minimum configuration: -# (now built-in) -#acl manager proto cache_object -#acl localhost src 127.0.0.1/32 ::1 -#acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1 +# # Example rule allowing access from your local networks. # Adapt to list your (internal) IP networks from where browsing @@ -716,39 +991,83 @@ acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT +# TAG: proxy_protocol_access +# Determine which client proxies can be trusted to provide correct +# information regarding real client IP address using PROXY protocol. +# +# Requests may pass through a chain of several other proxies +# before reaching us. The original source details may by sent in: +# * HTTP message Forwarded header, or +# * HTTP message X-Forwarded-For header, or +# * PROXY protocol connection header. +# +# This directive is solely for validating new PROXY protocol +# connections received from a port flagged with require-proxy-header. +# It is checked only once after TCP connection setup. +# +# A deny match results in TCP connection closure. +# +# An allow match is required for Squid to permit the corresponding +# TCP connection, before Squid even looks for HTTP request headers. +# If there is an allow match, Squid starts using PROXY header information +# to determine the source address of the connection for all future ACL +# checks, logging, etc. +# +# SECURITY CONSIDERATIONS: +# +# Any host from which we accept client IP details can place +# incorrect information in the relevant header, and Squid +# will use the incorrect information as if it were the +# source address of the request. This may enable remote +# hosts to bypass any access control restrictions that are +# based on the client's source addresses. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# all TCP connections to ports with require-proxy-header will be denied + # TAG: follow_x_forwarded_for -# Allowing or Denying the X-Forwarded-For header to be followed to -# find the original source of a request. +# Determine which client proxies can be trusted to provide correct +# information regarding real client IP address. # # Requests may pass through a chain of several other proxies -# before reaching us. The X-Forwarded-For header will contain a -# comma-separated list of the IP addresses in the chain, with the -# rightmost address being the most recent. +# before reaching us. The original source details may by sent in: +# * HTTP message Forwarded header, or +# * HTTP message X-Forwarded-For header, or +# * PROXY protocol connection header. +# +# PROXY protocol connections are controlled by the proxy_protocol_access +# directive which is checked before this. # # If a request reaches us from a source that is allowed by this -# configuration item, then we consult the X-Forwarded-For header -# to see where that host received the request from. If the -# X-Forwarded-For header contains multiple addresses, we continue -# backtracking until we reach an address for which we are not allowed -# to follow the X-Forwarded-For header, or until we reach the first -# address in the list. For the purpose of ACL used in the -# follow_x_forwarded_for directive the src ACL type always matches -# the address we are testing and srcdomain matches its rDNS. +# directive, then we trust the information it provides regarding +# the IP of the client it received from (if any). +# +# For the purpose of ACLs used in this directive the src ACL type always +# matches the address we are testing and srcdomain matches its rDNS. +# +# On each HTTP request Squid checks for X-Forwarded-For header fields. +# If found the header values are iterated in reverse order and an allow +# match is required for Squid to continue on to the next value. +# The verification ends when a value receives a deny match, cannot be +# tested, or there are no more values to test. +# NOTE: Squid does not yet follow the Forwarded HTTP header. # # The end result of this process is an IP address that we will # refer to as the indirect client address. This address may # be treated as the client address for access control, ICAP, delay # pools and logging, depending on the acl_uses_indirect_client, -# icap_uses_indirect_client, delay_pool_uses_indirect_client and -# log_uses_indirect_client options. +# icap_uses_indirect_client, delay_pool_uses_indirect_client, +# log_uses_indirect_client and tproxy_uses_indirect_client options. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # # SECURITY CONSIDERATIONS: # -# Any host for which we follow the X-Forwarded-For header -# can place incorrect information in the header, and Squid +# Any host from which we accept client IP details can place +# incorrect information in the relevant header, and Squid # will use the incorrect information as if it were the # source address of the request. This may enable remote # hosts to bypass any access control restrictions that are @@ -761,7 +1080,7 @@ acl CONNECT method CONNECT # follow_x_forwarded_for allow localhost # follow_x_forwarded_for allow my_other_proxy #Default: -# follow_x_forwarded_for deny all +# X-Forwarded-For header will be ignored. # TAG: acl_uses_indirect_client on|off # Controls whether the indirect client address @@ -787,10 +1106,41 @@ acl CONNECT method CONNECT #Default: # log_uses_indirect_client on +# TAG: tproxy_uses_indirect_client on|off +# Controls whether the indirect client address +# (see follow_x_forwarded_for) is used instead of the +# direct client address when spoofing the outgoing client. +# +# This has no effect on requests arriving in non-tproxy +# mode ports. +# +# SECURITY WARNING: Usage of this option is dangerous +# and should not be used trivially. Correct configuration +# of follow_x_forwarded_for with a limited set of trusted +# sources is required to prevent abuse of your proxy. +#Default: +# tproxy_uses_indirect_client off + +# TAG: spoof_client_ip +# Control client IP address spoofing of TPROXY traffic based on +# defined access lists. +# +# spoof_client_ip allow|deny [!]aclname ... +# +# If there are no "spoof_client_ip" lines present, the default +# is to "allow" spoofing of any suitable request. +# +# Note that the cache_peer "no-tproxy" option overrides this ACL. +# +# This clause supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Allow spoofing on all TPROXY traffic. + # TAG: http_access # Allowing or Denying access based on defined access lists # -# Access to the HTTP port: +# To allow or deny a message received on an HTTP, HTTPS, or FTP port: # http_access allow|deny [!]aclname ... # # NOTE on default values: @@ -809,22 +1159,22 @@ acl CONNECT method CONNECT # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # #Default: -# http_access deny all +# Deny, unless rules exist in squid.conf. # # # Recommended minimum Access Permission configuration: # -# Only allow cachemgr access from localhost -http_access allow manager localhost -http_access deny manager - # Deny requests to certain unsafe ports http_access deny !Safe_ports # Deny CONNECT to other than secure SSL ports http_access deny CONNECT !SSL_ports +# Only allow cachemgr access from localhost +http_access allow localhost manager +http_access deny manager + # We strongly recommend the following be uncommented to protect innocent # web applications running on the proxy server who think the only # one who can access services on "localhost" is a local user @@ -852,7 +1202,7 @@ http_access deny all # # If not set then only http_access is used. #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: http_reply_access # Allow replies to client requests. This is complementary to http_access. @@ -860,7 +1210,7 @@ http_access deny all # http_reply_access allow|deny [!] aclname ... # # NOTE: if there are no access lines present, the default is to allow -# all replies +# all replies. # # If none of the access lines cause a match the opposite of the # last line will apply. Thus it is good practice to end the rules @@ -869,7 +1219,7 @@ http_access deny all # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: icp_access # Allowing or Denying access to the ICP port based on defined @@ -877,7 +1227,9 @@ http_access deny all # # icp_access allow|deny [!]aclname ... # -# See http_access for details +# NOTE: The default if no icp_access lines are present is to +# deny all traffic. This default may cause problems with peers +# using ICP. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. @@ -886,7 +1238,7 @@ http_access deny all ##icp_access allow localnet ##icp_access deny all #Default: -# icp_access deny all +# Deny, unless rules exist in squid.conf. # TAG: htcp_access # Allowing or Denying access to the HTCP port based on defined @@ -894,11 +1246,12 @@ http_access deny all # # htcp_access allow|deny [!]aclname ... # -# See http_access for details +# See also htcp_clr_access for details on access control for +# cache purge (CLR) HTCP messages. # # NOTE: The default if no htcp_access lines are present is to # deny all traffic. This default may cause problems with peers -# using the htcp or htcp-oldsquid options. +# using the htcp option. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. @@ -907,48 +1260,47 @@ http_access deny all ##htcp_access allow localnet ##htcp_access deny all #Default: -# htcp_access deny all +# Deny, unless rules exist in squid.conf. # TAG: htcp_clr_access # Allowing or Denying access to purge content using HTCP based -# on defined access lists +# on defined access lists. +# See htcp_access for details on general HTCP access control. # # htcp_clr_access allow|deny [!]aclname ... # -# See http_access for details -# # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # ## Allow HTCP CLR requests from trusted peers -#acl htcp_clr_peer src 172.16.1.2 +#acl htcp_clr_peer src 192.0.2.2 2001:DB8::2 #htcp_clr_access allow htcp_clr_peer +#htcp_clr_access deny all #Default: -# htcp_clr_access deny all +# Deny, unless rules exist in squid.conf. # TAG: miss_access -# Determins whether network access is permitted when satisfying a request. +# Determines whether network access is permitted when satisfying a request. # # For example; # to force your neighbors to use you as a sibling instead of # a parent. # -# acl localclients src 172.16.0.0/16 -# miss_access allow localclients +# acl localclients src 192.0.2.0/24 2001:DB8::a:0/64 # miss_access deny !localclients +# miss_access allow all # # This means only your local clients are allowed to fetch relayed/MISS # replies from the network and all other clients can only fetch cached # objects (HITs). # -# # The default for this setting allows all clients who passed the # http_access rules to relay via this proxy. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# miss_access allow all +# Allow, unless rules exist in squid.conf. # TAG: ident_lookup_access # A list of ACL elements which, if matched, cause an ident @@ -972,7 +1324,7 @@ http_access deny all # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# ident_lookup_access deny all +# Unless rules exist in squid.conf, IDENT is not fetched. # TAG: reply_body_max_size size [acl acl...] # This option specifies the maximum size of a reply body. It can be @@ -1009,23 +1361,22 @@ http_access deny all # reply_body_max_size 10 MB # #Default: -# none +# No limit is applied. # NETWORK OPTIONS # ----------------------------------------------------------------------------- # TAG: http_port -# Usage: port [options] -# hostname:port [options] -# 1.2.3.4:port [options] +# Usage: port [mode] [options] +# hostname:port [mode] [options] +# 1.2.3.4:port [mode] [options] # # The socket addresses where Squid will listen for HTTP client # requests. You may specify multiple socket addresses. # There are three forms: port alone, hostname with port, and # IP address with port. If you specify a hostname or IP # address, Squid binds the socket to that specific -# address. This replaces the old 'tcp_incoming_address' -# option. Most likely, you do not need to bind to a specific +# address. Most likely, you do not need to bind to a specific # address, so you can use the port number alone. # # If you are running Squid in accelerator mode, you @@ -1037,48 +1388,184 @@ http_access deny all # # You may specify multiple socket addresses on multiple lines. # -# Options: +# Modes: # -# intercept Support for IP-Layer interception of -# outgoing requests without browser settings. -# NP: disables authentication and IPv6 on the port. +# intercept Support for IP-Layer NAT interception delivering +# traffic to this Squid port. +# NP: disables authentication on the port. # -# tproxy Support Linux TPROXY for spoofing outgoing -# connections using the client IP address. -# NP: disables authentication and maybe IPv6 on the port. +# tproxy Support Linux TPROXY (or BSD divert-to) with spoofing +# of outgoing connections using the client IP address. +# NP: disables authentication on the port. # -# accel Accelerator mode. Also needs at least one of -# vhost / vport / defaultsite. +# accel Accelerator / reverse proxy mode # -# allow-direct Allow direct forwarding in accelerator mode. Normally -# accelerated requests are denied direct forwarding as if -# never_direct was used. +# ssl-bump For each CONNECT request allowed by ssl_bump ACLs, +# establish secure connection with the client and with +# the server, decrypt HTTPS messages as they pass through +# Squid, and treat them as unencrypted HTTP messages, +# becoming the man-in-the-middle. # -# defaultsite=domainname -# What to use for the Host: header if it is not present -# in a request. Determines what site (not origin server) -# accelerators should consider the default. -# Implies accel. +# The ssl_bump option is required to fully enable +# bumping of CONNECT requests. +# +# Omitting the mode flag causes default forward proxy mode to be used. +# +# +# Accelerator Mode Options: +# +# defaultsite=domainname +# What to use for the Host: header if it is not present +# in a request. Determines what site (not origin server) +# accelerators should consider the default. # -# vhost Accelerator mode using Host header for virtual domain support. -# Also uses the port as specified in Host: header unless -# overridden by the vport option. Implies accel. +# no-vhost Disable using HTTP/1.1 Host header for virtual domain support. +# +# protocol= Protocol to reconstruct accelerated and intercepted +# requests with. Defaults to HTTP/1.1 for http_port and +# HTTPS/1.1 for https_port. +# When an unsupported value is configured Squid will +# produce a FATAL error. +# Values: HTTP or HTTP/1.1, HTTPS or HTTPS/1.1 # # vport Virtual host port support. Using the http_port number -# instead of the port passed on Host: headers. Implies accel. +# instead of the port passed on Host: headers. # # vport=NN Virtual host port support. Using the specified port # number instead of the port passed on Host: headers. -# Implies accel. # -# protocol= Protocol to reconstruct accelerated requests with. -# Defaults to http. +# act-as-origin +# Act as if this Squid is the origin server. +# This currently means generate new Date: and Expires: +# headers on HIT instead of adding Age:. # # ignore-cc Ignore request Cache-Control headers. # -# Warning: This option violates HTTP specifications if +# WARNING: This option violates HTTP specifications if # used in non-accelerator setups. # +# allow-direct Allow direct forwarding in accelerator mode. Normally +# accelerated requests are denied direct forwarding as if +# never_direct was used. +# +# WARNING: this option opens accelerator mode to security +# vulnerabilities usually only affecting in interception +# mode. Make sure to protect forwarding with suitable +# http_access rules when using this. +# +# +# SSL Bump Mode Options: +# In addition to these options ssl-bump requires TLS/SSL options. +# +# generate-host-certificates[=] +# Dynamically create SSL server certificates for the +# destination hosts of bumped CONNECT requests.When +# enabled, the cert and key options are used to sign +# generated certificates. Otherwise generated +# certificate will be selfsigned. +# If there is a CA certificate lifetime of the generated +# certificate equals lifetime of the CA certificate. If +# generated certificate is selfsigned lifetime is three +# years. +# This option is disabled by default. See the ssl-bump +# option above for more information. +# +# dynamic_cert_mem_cache_size=SIZE +# Approximate total RAM size spent on cached generated +# certificates. If set to zero, caching is disabled. +# +# TLS / SSL Options: +# +# cert= Path to SSL certificate (PEM format). +# +# key= Path to SSL private key file (PEM format) +# if not specified, the certificate file is +# assumed to be a combined certificate and +# key file. +# +# version= The version of SSL/TLS supported +# 1 automatic (default) +# 2 SSLv2 only +# 3 SSLv3 only +# 4 TLSv1.0 only +# 5 TLSv1.1 only +# 6 TLSv1.2 only +# +# cipher= Colon separated list of supported ciphers. +# NOTE: some ciphers such as EDH ciphers depend on +# additional settings. If those settings are +# omitted the ciphers may be silently ignored +# by the OpenSSL library. +# +# options= Various SSL implementation options. The most important +# being: +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# SINGLE_DH_USE Always create a new key when using +# temporary/ephemeral DH key exchanges +# NO_TICKET Disables TLS tickets extension +# +# SINGLE_ECDH_USE +# Enable ephemeral ECDH key exchange. +# The adopted curve should be specified +# using the tls-dh option. +# +# ALL Enable various bug workarounds +# suggested as "harmless" by OpenSSL +# Be warned that this reduces SSL/TLS +# strength to some attacks. +# See OpenSSL SSL_CTX_set_options documentation for a +# complete list of options. +# +# clientca= File containing the list of CAs to use when +# requesting a client certificate. +# +# cafile= File containing additional CA certificates to +# use when verifying client certificates. If unset +# clientca will be used. +# +# capath= Directory containing additional CA certificates +# and CRL lists to use when verifying client certificates. +# +# crlfile= File of additional CRL lists to use when verifying +# the client certificate, in addition to CRLs stored in +# the capath. Implies VERIFY_CRL flag below. +# +# tls-dh=[curve:]file +# File containing DH parameters for temporary/ephemeral DH key +# exchanges, optionally prefixed by a curve for ephemeral ECDH +# key exchanges. +# See OpenSSL documentation for details on how to create the +# DH parameter file. Supported curves for ECDH can be listed +# using the "openssl ecparam -list_curves" command. +# WARNING: EDH and EECDH ciphers will be silently disabled if +# this option is not set. +# +# sslflags= Various flags modifying the use of SSL: +# DELAYED_AUTH +# Don't request client certificates +# immediately, but wait until acl processing +# requires a certificate (not yet implemented). +# NO_DEFAULT_CA +# Don't use the default CA lists built in +# to OpenSSL. +# NO_SESSION_REUSE +# Don't allow for session reuse. Each connection +# will result in a new SSL session. +# VERIFY_CRL +# Verify CRL lists when accepting client +# certificates. +# VERIFY_CRL_ALL +# Verify CRL lists for all certificates in the +# client certificate chain. +# +# sslcontext= SSL session ID context identifier. +# +# Other Options: +# # connection-auth[=on|off] # use connection-auth=off to tell Squid to prevent # forwarding Microsoft connection oriented authentication @@ -1100,22 +1587,6 @@ http_access deny all # sporadically hang or never complete requests set # disable-pmtu-discovery option to 'transparent'. # -# ssl-bump Intercept each CONNECT request matching ssl_bump ACL, -# establish secure connection with the client and with -# the server, decrypt HTTP messages as they pass through -# Squid, and treat them as unencrypted HTTP messages, -# becoming the man-in-the-middle. -# -# When this option is enabled, additional options become -# available to specify SSL-related properties of the -# client-side connection: cert, key, version, cipher, -# options, clientca, cafile, capath, crlfile, dhparams, -# sslflags, and sslcontext. See the https_port directive -# for more information on these options. -# -# The ssl_bump option is required to fully enable -# the SslBump feature. -# # name= Specifies a internal name for the port. Defaults to # the port specification (port or addr:port) # @@ -1125,6 +1596,11 @@ http_access deny all # probing the connection, interval how often to probe, and # timeout the time before giving up. # +# require-proxy-header +# Require PROXY protocol version 1 or 2 connections. +# The proxy_protocol_access is required to whitelist +# downstream proxies which can be trusted. +# # If you run Squid on a dual-homed machine with an internal # and an external interface we recommend you to specify the # internal address:port in http_port. This way Squid will only be @@ -1137,35 +1613,49 @@ http_port 3128 # TAG: https_port # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # -# Usage: [ip:]port cert=certificate.pem [key=key.pem] [options...] +# Usage: [ip:]port cert=certificate.pem [key=key.pem] [mode] [options...] # -# The socket address where Squid will listen for HTTPS client -# requests. +# The socket address where Squid will listen for client requests made +# over TLS or SSL connections. Commonly referred to as HTTPS. # -# This is really only useful for situations where you are running -# squid in accelerator mode and you want to do the SSL work at the -# accelerator level. +# This is most useful for situations where you are running squid in +# accelerator mode and you want to do the SSL work at the accelerator level. # # You may specify multiple socket addresses on multiple lines, # each with their own SSL certificate and/or options. # -# Options: +# Modes: +# +# accel Accelerator / reverse proxy mode +# +# intercept Support for IP-Layer interception of +# outgoing requests without browser settings. +# NP: disables authentication and IPv6 on the port. +# +# tproxy Support Linux TPROXY for spoofing outgoing +# connections using the client IP address. +# NP: disables authentication and maybe IPv6 on the port. +# +# ssl-bump For each intercepted connection allowed by ssl_bump +# ACLs, establish a secure connection with the client and with +# the server, decrypt HTTPS messages as they pass through +# Squid, and treat them as unencrypted HTTP messages, +# becoming the man-in-the-middle. +# +# An "ssl_bump server-first" match is required to +# fully enable bumping of intercepted SSL connections. +# +# Requires tproxy or intercept. # -# accel Accelerator mode. Also needs at least one of -# defaultsite or vhost. +# Omitting the mode flag causes default forward proxy mode to be used. # -# defaultsite= The name of the https site presented on -# this port. Implies accel. # -# vhost Accelerator mode using Host header for virtual -# domain support. Requires a wildcard certificate -# or other certificate valid for more than one domain. -# Implies accel. +# See http_port for a list of generic options # -# protocol= Protocol to reconstruct accelerated requests with. -# Defaults to https. +# +# SSL Options: # # cert= Path to SSL certificate (PEM format). # @@ -1181,20 +1671,23 @@ http_port 3128 # 4 TLSv1 only # # cipher= Colon separated list of supported ciphers. -# NOTE: some ciphers such as EDH ciphers depend on -# additional settings. If those settings are -# omitted the ciphers may be silently ignored -# by the OpenSSL library. # # options= Various SSL engine options. The most important # being: # NO_SSLv2 Disallow the use of SSLv2 # NO_SSLv3 Disallow the use of SSLv3 # NO_TLSv1 Disallow the use of TLSv1 +# # SINGLE_DH_USE Always create a new key when using # temporary/ephemeral DH key exchanges -# See OpenSSL SSL_CTX_set_options documentation for a -# complete list of options. +# +# SINGLE_ECDH_USE +# Enable ephemeral ECDH key exchange. +# The adopted curve should be specified +# using the tls-dh option. +# +# See src/ssl_support.c or OpenSSL SSL_CTX_set_options +# documentation for a complete list of options. # # clientca= File containing the list of CAs to use when # requesting a client certificate. @@ -1210,11 +1703,10 @@ http_port 3128 # the client certificate, in addition to CRLs stored in # the capath. Implies VERIFY_CRL flag below. # -# dhparams= File containing DH parameters for temporary/ephemeral -# DH key exchanges. See OpenSSL documentation for details -# on how to create this file. -# WARNING: EDH ciphers will be silently disabled if this -# option is not set. +# tls-dh=[curve:]file +# File containing DH parameters for temporary/ephemeral DH key +# exchanges, optionally prefixed by a curve for ephemeral ECDH +# key exchanges. # # sslflags= Various flags modifying the use of SSL: # DELAYED_AUTH @@ -1238,38 +1730,89 @@ http_port 3128 # # generate-host-certificates[=] # Dynamically create SSL server certificates for the -# destination hosts of bumped CONNECT requests.When +# destination hosts of bumped SSL requests.When # enabled, the cert and key options are used to sign # generated certificates. Otherwise generated # certificate will be selfsigned. -# If there is CA certificate life time of generated +# If there is CA certificate life time of generated # certificate equals lifetime of CA certificate. If -# generated certificate is selfsigned lifetime is three +# generated certificate is selfsigned lifetime is three # years. -# This option is enabled by default when SslBump is used. -# See the sslBump option above for more information. -# +# This option is disabled by default. See the ssl-bump +# option above for more information. +# # dynamic_cert_mem_cache_size=SIZE # Approximate total RAM size spent on cached generated -# certificates. If set to zero, caching is disabled. The -# default value is 4MB. An average XXX-bit certificate -# consumes about XXX bytes of RAM. +# certificates. If set to zero, caching is disabled. # -# vport Accelerator with IP based virtual host support. +# See http_port for a list of available options. +#Default: +# none + +# TAG: ftp_port +# Enables Native FTP proxy by specifying the socket address where Squid +# listens for FTP client requests. See http_port directive for various +# ways to specify the listening address and mode. # -# vport=NN As above, but uses specified port number rather -# than the https_port number. Implies accel. +# Usage: ftp_port address [mode] [options] # -# name= Specifies a internal name for the port. Defaults to -# the port specification (port or addr:port) +# WARNING: This is a new, experimental, complex feature that has seen +# limited production exposure. Some Squid modules (e.g., caching) do not +# currently work with native FTP proxying, and many features have not +# even been tested for compatibility. Test well before deploying! +# +# Native FTP proxying differs substantially from proxying HTTP requests +# with ftp:// URIs because Squid works as an FTP server and receives +# actual FTP commands (rather than HTTP requests with FTP URLs). # +# Native FTP commands accepted at ftp_port are internally converted or +# wrapped into HTTP-like messages. The same happens to Native FTP +# responses received from FTP origin servers. Those HTTP-like messages +# are shoveled through regular access control and adaptation layers +# between the FTP client and the FTP origin server. This allows Squid to +# examine, adapt, block, and log FTP exchanges. Squid reuses most HTTP +# mechanisms when shoveling wrapped FTP messages. For example, +# http_access and adaptation_access directives are used. +# +# Modes: +# +# intercept Same as http_port intercept. The FTP origin address is +# determined based on the intended destination of the +# intercepted connection. +# +# tproxy Support Linux TPROXY for spoofing outgoing +# connections using the client IP address. +# NP: disables authentication and maybe IPv6 on the port. +# +# By default (i.e., without an explicit mode option), Squid extracts the +# FTP origin address from the login@origin parameter of the FTP USER +# command. Many popular FTP clients support such native FTP proxying. +# +# Options: +# +# name=token Specifies an internal name for the port. Defaults to +# the port address. Usable with myportname ACL. +# +# ftp-track-dirs +# Enables tracking of FTP directories by injecting extra +# PWD commands and adjusting Request-URI (in wrapping +# HTTP requests) to reflect the current FTP server +# directory. Tracking is disabled by default. +# +# protocol=FTP Protocol to reconstruct accelerated and intercepted +# requests with. Defaults to FTP. No other accepted +# values have been tested with. An unsupported value +# results in a FATAL error. Accepted values are FTP, +# HTTP (or HTTP/1.1), and HTTPS (or HTTPS/1.1). +# +# Other http_port modes and options that are not specific to HTTP and +# HTTPS may also work. #Default: # none # TAG: tcp_outgoing_tos -# Allows you to select a TOS/Diffserv value to mark outgoing -# connections with, based on the username or source address -# making the request. +# Allows you to select a TOS/Diffserv value for packets outgoing +# on the server side, based on an ACL. # # tcp_outgoing_tos ds-field [!]aclname ... # @@ -1286,41 +1829,116 @@ http_port 3128 # RFC2475, and RFC3260. # # The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or -# "default" to use whatever default your host has. Note that in -# practice often only multiples of 4 is usable as the two rightmost bits -# have been redefined for use by ECN (RFC 3168 section 23.1). +# "default" to use whatever default your host has. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. # # Processing proceeds in the order specified, and stops at first fully # matching line. # -# Note: The use of this directive using client dependent ACLs is -# incompatible with the use of server side persistent connections. To -# ensure correct results it is best to set server_persistent_connections -# to off when using this directive in such configurations. +# Only fast ACLs are supported. #Default: # none # TAG: clientside_tos -# Allows you to select a TOS/Diffserv value to mark client-side -# connections with, based on the username or source address -# making the request. +# Allows you to select a TOS/DSCP value for packets being transmitted +# on the client-side, based on an ACL. +# +# clientside_tos ds-field [!]aclname ... +# +# Example where normal_service_net uses the TOS value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# clientside_tos 0x00 normal_service_net +# clientside_tos 0x20 good_service_net +# +# Note: This feature is incompatible with qos_flows. Any TOS values set here +# will be overwritten by TOS values in qos_flows. +# +# The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or +# "default" to use whatever default your host has. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. +# +#Default: +# none + +# TAG: tcp_outgoing_mark +# Note: This option is only available if Squid is rebuilt with the +# Packet MARK (Linux) +# +# Allows you to apply a Netfilter mark value to outgoing packets +# on the server side, based on an ACL. +# +# tcp_outgoing_mark mark-value [!]aclname ... +# +# Example where normal_service_net uses the mark value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# tcp_outgoing_mark 0x00 normal_service_net +# tcp_outgoing_mark 0x20 good_service_net +# +# Only fast ACLs are supported. +#Default: +# none + +# TAG: clientside_mark +# Note: This option is only available if Squid is rebuilt with the +# Packet MARK (Linux) +# +# Allows you to apply a Netfilter mark value to packets being transmitted +# on the client-side, based on an ACL. +# +# clientside_mark mark-value [!]aclname ... +# +# Example where normal_service_net uses the mark value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# clientside_mark 0x00 normal_service_net +# clientside_mark 0x20 good_service_net +# +# Note: This feature is incompatible with qos_flows. Any mark values set here +# will be overwritten by mark values in qos_flows. #Default: # none # TAG: qos_flows # Allows you to select a TOS/DSCP value to mark outgoing -# connections with, based on where the reply was sourced. +# connections to the client, based on where the reply was sourced. +# For platforms using netfilter, allows you to set a netfilter mark +# value instead of, or in addition to, a TOS value. +# +# By default this functionality is disabled. To enable it with the default +# settings simply use "qos_flows mark" or "qos_flows tos". Default +# settings will result in the netfilter mark or TOS value being copied +# from the upstream connection to the client. Note that it is the connection +# CONNMARK value not the packet MARK value that is copied. +# +# It is not currently possible to copy the mark or TOS value from the +# client to the upstream connection request. # # TOS values really only have local significance - so you should # know what you're specifying. For more information, see RFC2474, # RFC2475, and RFC3260. # -# The TOS/DSCP byte must be exactly that - octet value 0x00-0xFF. -# Note that in practice often only values up to 0x3F are usable -# as the two highest bits have been redefined for use by ECN -# (RFC3168). +# The TOS/DSCP byte must be exactly that - a octet value 0 - 255. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. +# +# Mark values can be any unsigned 32-bit integer value. # -# This setting is configured by setting the source TOS values: +# This setting is configured by setting the following values: +# +# tos|mark Whether to set TOS or netfilter mark values # # local-hit=0xFF Value to mark local cache hits. # @@ -1328,23 +1946,37 @@ http_port 3128 # # parent-hit=0xFF Value to mark hits from parent peers. # +# miss=0xFF[/mask] Value to mark cache misses. Takes precedence +# over the preserve-miss feature (see below), unless +# mask is specified, in which case only the bits +# specified in the mask are written. # -# NOTE: 'miss' preserve feature is only possible on Linux at this time. -# -# For the following to work correctly, you will need to patch your -# linux kernel with the TOS preserving ZPH patch. -# The kernel patch can be downloaded from http://zph.bratcheda.org +# The TOS variant of the following features are only possible on Linux +# and require your kernel to be patched with the TOS preserving ZPH +# patch, available from http://zph.bratcheda.org +# No patch is needed to preserve the netfilter mark, which will work +# with all variants of netfilter. # # disable-preserve-miss -# By default, the existing TOS value of the response coming -# from the remote server will be retained and masked with -# miss-mark. This option disables that feature. +# This option disables the preservation of the TOS or netfilter +# mark. By default, the existing TOS or netfilter mark value of +# the response coming from the remote server will be retained +# and masked with miss-mark. +# NOTE: in the case of a netfilter mark, the mark must be set on +# the connection (using the CONNMARK target) not on the packet +# (MARK target). # # miss-mask=0xFF -# Allows you to mask certain bits in the TOS received from the -# remote server, before copying the value to the TOS sent -# towards clients. -# Default: 0xFF (TOS from server is not changed). +# Allows you to mask certain bits in the TOS or mark value +# received from the remote server, before copying the value to +# the TOS sent towards clients. +# Default for tos: 0xFF (TOS from server is not changed). +# Default for mark: 0xFFFFFFFF (mark from server is not changed). +# +# All of these features require the --enable-zph-qos compilation flag +# (enabled by default). Netfilter marking also requires the +# libnetfilter_conntrack libraries (--with-netfilter-conntrack) and +# libcap 2.09+ (--with-libcap). # #Default: # none @@ -1356,72 +1988,133 @@ http_port 3128 # # tcp_outgoing_address ipaddr [[!]aclname] ... # -# Example where requests from 10.0.0.0/24 will be forwarded -# with source address 10.1.0.1, 10.0.2.0/24 forwarded with -# source address 10.1.0.2 and the rest will be forwarded with -# source address 10.1.0.3. -# -# acl normal_service_net src 10.0.0.0/24 -# acl good_service_net src 10.0.2.0/24 -# tcp_outgoing_address 10.1.0.1 normal_service_net -# tcp_outgoing_address 10.1.0.2 good_service_net -# tcp_outgoing_address 10.1.0.3 -# -# Processing proceeds in the order specified, and stops at first fully -# matching line. -# -# Note: The use of this directive using client dependent ACLs is -# incompatible with the use of server side persistent connections. To -# ensure correct results it is best to set server_persistent_connections -# to off when using this directive in such configurations. -# +# For example; +# Forwarding clients with dedicated IPs for certain subnets. # -# IPv6 Magic: +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.2.0/24 # -# Squid is built with a capability of bridging the IPv4 and IPv6 -# internets. -# tcp_outgoing_address as exampled above breaks this bridging by forcing -# all outbound traffic through a certain IPv4 which may be on the wrong -# side of the IPv4/IPv6 boundary. +# tcp_outgoing_address 2001:db8::c001 good_service_net +# tcp_outgoing_address 10.1.0.2 good_service_net # -# To operate with tcp_outgoing_address and keep the bridging benefits -# an additional ACL needs to be used which ensures the IPv6-bound traffic -# is never forced or permitted out the IPv4 interface. +# tcp_outgoing_address 2001:db8::beef normal_service_net +# tcp_outgoing_address 10.1.0.1 normal_service_net # -# # IPv6 destination test along with a dummy access control to perform the required DNS -# # This MUST be place before any ALLOW rules. -# acl to_ipv6 dst ipv6 -# http_access deny ipv6 !all +# tcp_outgoing_address 2001:db8::1 +# tcp_outgoing_address 10.1.0.3 # -# tcp_outgoing_address 2001:db8::c001 good_service_net to_ipv6 -# tcp_outgoing_address 10.1.0.2 good_service_net !to_ipv6 +# Processing proceeds in the order specified, and stops at first fully +# matching line. # -# tcp_outgoing_address 2001:db8::beef normal_service_net to_ipv6 -# tcp_outgoing_address 10.1.0.1 normal_service_net !to_ipv6 +# Squid will add an implicit IP version test to each line. +# Requests going to IPv4 websites will use the outgoing 10.1.0.* addresses. +# Requests going to IPv6 websites will use the outgoing 2001:db8:* addresses. # -# tcp_outgoing_address 2001:db8::1 to_ipv6 -# tcp_outgoing_address 10.1.0.3 !to_ipv6 # -# WARNING: -# 'dst ipv6' bases its selection assuming DIRECT access. -# If peers are used the peername ACL are needed to select outgoing -# address which can link to the peer. +# NOTE: The use of this directive using client dependent ACLs is +# incompatible with the use of server side persistent connections. To +# ensure correct results it is best to set server_persistent_connections +# to off when using this directive in such configurations. # -# 'dst ipv6' is a slow ACL. It will only work here if 'dst' is used -# previously in the http_access rules to locate the destination IP. -# Some more magic may be needed for that: -# http_access allow to_ipv6 !all -# (meaning, allow if to IPv6 but not from anywhere ;) +# NOTE: The use of this directive to set a local IP on outgoing TCP links +# is incompatible with using TPROXY to set client IP out outbound TCP links. +# When needing to contact peers use the no-tproxy cache_peer option and the +# client_dst_passthru directive re-enable normal forwarding such as this. # #Default: -# none +# Address selection is performed by the operating system. + +# TAG: host_verify_strict +# Regardless of this option setting, when dealing with intercepted +# traffic, Squid always verifies that the destination IP address matches +# the Host header domain or IP (called 'authority form URL'). +# +# This enforcement is performed to satisfy a MUST-level requirement in +# RFC 2616 section 14.23: "The Host field value MUST represent the naming +# authority of the origin server or gateway given by the original URL". +# +# When set to ON: +# Squid always responds with an HTTP 409 (Conflict) error +# page and logs a security warning if there is no match. +# +# Squid verifies that the destination IP address matches +# the Host header for forward-proxy and reverse-proxy traffic +# as well. For those traffic types, Squid also enables the +# following checks, comparing the corresponding Host header +# and Request-URI components: +# +# * The host names (domain or IP) must be identical, +# but valueless or missing Host header disables all checks. +# For the two host names to match, both must be either IP +# or FQDN. +# +# * Port numbers must be identical, but if a port is missing +# the scheme-default port is assumed. +# +# +# When set to OFF (the default): +# Squid allows suspicious requests to continue but logs a +# security warning and blocks caching of the response. +# +# * Forward-proxy traffic is not checked at all. +# +# * Reverse-proxy traffic is not checked at all. +# +# * Intercepted traffic which passes verification is handled +# according to client_dst_passthru. +# +# * Intercepted requests which fail verification are sent +# to the client original destination instead of DIRECT. +# This overrides 'client_dst_passthru off'. +# +# For now suspicious intercepted CONNECT requests are always +# responded to with an HTTP 409 (Conflict) error page. +# +# +# SECURITY NOTE: +# +# As described in CVE-2009-0801 when the Host: header alone is used +# to determine the destination of a request it becomes trivial for +# malicious scripts on remote websites to bypass browser same-origin +# security policy and sandboxing protections. +# +# The cause of this is that such applets are allowed to perform their +# own HTTP stack, in which case the same-origin policy of the browser +# sandbox only verifies that the applet tries to contact the same IP +# as from where it was loaded at the IP level. The Host: header may +# be different from the connected IP and approved origin. +# +#Default: +# host_verify_strict off + +# TAG: client_dst_passthru +# With NAT or TPROXY intercepted traffic Squid may pass the request +# directly to the original client destination IP or seek a faster +# source using the HTTP Host header. +# +# Using Host to locate alternative servers can provide faster +# connectivity with a range of failure recovery options. +# But can also lead to connectivity trouble when the client and +# server are attempting stateful interactions unaware of the proxy. +# +# This option (on by default) prevents alternative DNS entries being +# located to send intercepted traffic DIRECT to an origin server. +# The clients original destination IP and port will be used instead. +# +# Regardless of this option setting, when dealing with intercepted +# traffic Squid will verify the Host: header and any traffic which +# fails Host verification will be treated as if this option were ON. +# +# see host_verify_strict for details on the verification process. +#Default: +# client_dst_passthru on # SSL OPTIONS # ----------------------------------------------------------------------------- # TAG: ssl_unclean_shutdown # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Some browsers (especially MSIE) bugs out on SSL shutdown # messages. @@ -1430,7 +2123,7 @@ http_port 3128 # TAG: ssl_engine # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # The OpenSSL engine to use. You will need to set this if you # would like to use hardware SSL acceleration for example. @@ -1439,7 +2132,7 @@ http_port 3128 # TAG: sslproxy_client_certificate # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Client SSL Certificate to use when proxying https:// URLs #Default: @@ -1447,7 +2140,7 @@ http_port 3128 # TAG: sslproxy_client_key # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Client SSL Key to use when proxying https:// URLs #Default: @@ -1455,36 +2148,60 @@ http_port 3128 # TAG: sslproxy_version # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # SSL version level to use when proxying https:// URLs +# +# The versions of SSL/TLS supported: +# +# 1 automatic (default) +# 2 SSLv2 only +# 3 SSLv3 only +# 4 TLSv1.0 only +# 5 TLSv1.1 only +# 6 TLSv1.2 only #Default: -# sslproxy_version 1 +# automatic SSL/TLS version negotiation # TAG: sslproxy_options # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # -# SSL engine options to use when proxying https:// URLs +# Colon (:) or comma (,) separated list of SSL implementation options +# to use when proxying https:// URLs # # The most important being: # -# NO_SSLv2 Disallow the use of SSLv2 -# NO_SSLv3 Disallow the use of SSLv3 -# NO_TLSv1 Disallow the use of TLSv1 -# SINGLE_DH_USE -# Always create a new key when using -# temporary/ephemeral DH key exchanges +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# +# SINGLE_DH_USE +# Always create a new key when using temporary/ephemeral +# DH key exchanges +# +# NO_TICKET +# Disable use of RFC5077 session tickets. Some servers +# may have problems understanding the TLS extension due +# to ambiguous specification in RFC4507. +# +# ALL Enable various bug workarounds suggested as "harmless" +# by OpenSSL. Be warned that this may reduce SSL/TLS +# strength to some attacks. # -# These options vary depending on your SSL engine. # See the OpenSSL SSL_CTX_set_options documentation for a # complete list of possible options. +# +# WARNING: This directive takes a single token. If a space is used +# the value(s) after that space are SILENTLY IGNORED. #Default: # none # TAG: sslproxy_cipher # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # SSL cipher list to use when proxying https:// URLs # @@ -1494,7 +2211,7 @@ http_port 3128 # TAG: sslproxy_cafile # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # file containing CA certificates to use when verifying server # certificates while proxying https:// URLs @@ -1503,45 +2220,151 @@ http_port 3128 # TAG: sslproxy_capath # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # directory containing CA certificates to use when verifying # server certificates while proxying https:// URLs #Default: # none -# TAG: ssl_bump +# TAG: sslproxy_session_ttl +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the timeout value for SSL sessions +#Default: +# sslproxy_session_ttl 300 + +# TAG: sslproxy_session_cache_size +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the cache size to use for ssl session +#Default: +# sslproxy_session_cache_size 2 MB + +# TAG: sslproxy_foreign_intermediate_certs # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # -# This ACL controls which CONNECT requests to an http_port -# marked with an sslBump flag are actually "bumped". Please -# see the sslBump flag of an http_port option for more details -# about decoding proxied SSL connections. +# Many origin servers fail to send their full server certificate +# chain for verification, assuming the client already has or can +# easily locate any missing intermediate certificates. # -# By default, no requests are bumped. +# Squid uses the certificates from the specified file to fill in +# these missing chains when trying to validate origin server +# certificate chains. +# +# The file is expected to contain zero or more PEM-encoded +# intermediate certificates. These certificates are not treated +# as trusted root certificates, and any self-signed certificate in +# this file will be ignored. +#Default: +# none + +# TAG: sslproxy_cert_sign_hash +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the hashing algorithm to use when signing generated certificates. +# Valid algorithm names depend on the OpenSSL library used. The following +# names are usually available: sha1, sha256, sha512, and md5. Please see +# your OpenSSL library manual for the available hashes. By default, Squids +# that support this option use sha256 hashes. +# +# Squid does not forcefully purge cached certificates that were generated +# with an algorithm other than the currently configured one. They remain +# in the cache, subject to the regular cache eviction policy, and become +# useful if the algorithm changes again. +#Default: +# none + +# TAG: ssl_bump +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# This option is consulted when a CONNECT request is received on +# an http_port (or a new connection is intercepted at an +# https_port), provided that port was configured with an ssl-bump +# flag. The subsequent data on the connection is either treated as +# HTTPS and decrypted OR tunneled at TCP level without decryption, +# depending on the first matching bumping "action". +# +# ssl_bump [!]acl ... +# +# The following bumping actions are currently supported: +# +# splice +# Become a TCP tunnel without decrypting proxied traffic. +# This is the default action. +# +# bump +# Establish a secure connection with the server and, using a +# mimicked server certificate, with the client. +# +# peek +# Receive client (step SslBump1) or server (step SslBump2) +# certificate while preserving the possibility of splicing the +# connection. Peeking at the server certificate (during step 2) +# usually precludes bumping of the connection at step 3. +# +# stare +# Receive client (step SslBump1) or server (step SslBump2) +# certificate while preserving the possibility of bumping the +# connection. Staring at the server certificate (during step 2) +# usually precludes splicing of the connection at step 3. +# +# terminate +# Close client and server connections. +# +# Backward compatibility actions available at step SslBump1: +# +# client-first +# Bump the connection. Establish a secure connection with the +# client first, then connect to the server. This old mode does +# not allow Squid to mimic server SSL certificate and does not +# work with intercepted SSL connections. +# +# server-first +# Bump the connection. Establish a secure connection with the +# server first, then establish a secure connection with the +# client, using a mimicked server certificate. Works with both +# CONNECT requests and intercepted SSL connections, but does +# not allow to make decisions based on SSL handshake info. +# +# peek-and-splice +# Decide whether to bump or splice the connection based on +# client-to-squid and server-to-squid SSL hello messages. +# XXX: Remove. +# +# none +# Same as the "splice" action. +# +# All ssl_bump rules are evaluated at each of the supported bumping +# steps. Rules with actions that are impossible at the current step are +# ignored. The first matching ssl_bump action wins and is applied at the +# end of the current step. If no rules match, the splice action is used. +# See the at_step ACL for a list of the supported SslBump steps. # -# See also: http_port ssl-bump -# # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # +# See also: http_port ssl-bump, https_port ssl-bump, and acl at_step. +# # -# # Example: Bump all requests except those originating from localhost and -# # those going to webax.com or example.com sites. +# # Example: Bump all TLS connections except those originating from +# # localhost or those going to example.com. # -# acl localhost src 127.0.0.1/32 -# acl broken_sites dstdomain .webax.com -# acl broken_sites dstdomain .example.com -# ssl_bump deny localhost -# ssl_bump deny broken_sites -# ssl_bump allow all +# acl broken_sites ssl::server_name .example.com +# ssl_bump splice localhost +# ssl_bump splice broken_sites +# ssl_bump bump all #Default: -# none +# Become a TCP tunnel without decrypting proxied traffic. # TAG: sslproxy_flags # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Various flags modifying the use of SSL while proxying https:// URLs: # DONT_VERIFY_PEER Accept certificates that fail verification. @@ -1553,16 +2376,16 @@ http_port 3128 # TAG: sslproxy_cert_error # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Use this ACL to bypass server certificate validation errors. # # For example, the following lines will bypass all validation errors -# when talking to servers located at 172.16.0.0/16. All other +# when talking to servers for example.com. All other # validation errors will result in ERR_SECURE_CONNECT_FAIL error. # -# acl BrokenServersAtTrustedIP dst 172.16.0.0/16 -# sslproxy_cert_error allow BrokenServersAtTrustedIP +# acl BrokenButTrustedServers dstdomain example.com +# sslproxy_cert_error allow BrokenButTrustedServers # sslproxy_cert_error deny all # # This clause only supports fast acl types. @@ -1570,19 +2393,107 @@ http_port 3128 # Using slow acl types may result in server crashes # # Without this option, all server certificate validation errors -# terminate the transaction. Bypassing validation errors is dangerous -# because an error usually implies that the server cannot be trusted and -# the connection may be insecure. +# terminate the transaction to protect Squid and the client. +# +# SQUID_X509_V_ERR_INFINITE_VALIDATION error cannot be bypassed +# but should not happen unless your OpenSSL library is buggy. +# +# SECURITY WARNING: +# Bypassing validation errors is dangerous because an +# error usually implies that the server cannot be trusted +# and the connection may be insecure. # # See also: sslproxy_flags and DONT_VERIFY_PEER. +#Default: +# Server certificate errors terminate the transaction. + +# TAG: sslproxy_cert_sign +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# # -# Default setting: sslproxy_cert_error deny all +# sslproxy_cert_sign acl ... +# +# The following certificate signing algorithms are supported: +# +# signTrusted +# Sign using the configured CA certificate which is usually +# placed in and trusted by end-user browsers. This is the +# default for trusted origin server certificates. +# +# signUntrusted +# Sign to guarantee an X509_V_ERR_CERT_UNTRUSTED browser error. +# This is the default for untrusted origin server certificates +# that are not self-signed (see ssl::certUntrusted). +# +# signSelf +# Sign using a self-signed certificate with the right CN to +# generate a X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT error in the +# browser. This is the default for self-signed origin server +# certificates (see ssl::certSelfSigned). +# +# This clause only supports fast acl types. +# +# When sslproxy_cert_sign acl(s) match, Squid uses the corresponding +# signing algorithm to generate the certificate and ignores all +# subsequent sslproxy_cert_sign options (the first match wins). If no +# acl(s) match, the default signing algorithm is determined by errors +# detected when obtaining and validating the origin server certificate. +# +# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can +# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a +# CONNECT request that carries a domain name. In all other cases (CONNECT +# to an IP address or an intercepted SSL connection), Squid cannot detect +# the domain mismatch at certificate generation time when +# bump-server-first is used. +#Default: +# none + +# TAG: sslproxy_cert_adapt +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# +# sslproxy_cert_adapt acl ... +# +# The following certificate adaptation algorithms are supported: +# +# setValidAfter +# Sets the "Not After" property to the "Not After" property of +# the CA certificate used to sign generated certificates. +# +# setValidBefore +# Sets the "Not Before" property to the "Not Before" property of +# the CA certificate used to sign generated certificates. +# +# setCommonName or setCommonName{CN} +# Sets Subject.CN property to the host name specified as a +# CN parameter or, if no explicit CN parameter was specified, +# extracted from the CONNECT request. It is a misconfiguration +# to use setCommonName without an explicit parameter for +# intercepted or tproxied SSL connections. +# +# This clause only supports fast acl types. +# +# Squid first groups sslproxy_cert_adapt options by adaptation algorithm. +# Within a group, when sslproxy_cert_adapt acl(s) match, Squid uses the +# corresponding adaptation algorithm to generate the certificate and +# ignores all subsequent sslproxy_cert_adapt options in that algorithm's +# group (i.e., the first match wins within each algorithm group). If no +# acl(s) match, the default mimicking action takes place. +# +# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can +# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a +# CONNECT request that carries a domain name. In all other cases (CONNECT +# to an IP address or an intercepted SSL connection), Squid cannot detect +# the domain mismatch at certificate generation time when +# bump-server-first is used. #Default: # none # TAG: sslpassword_program # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Specify a program used for entering SSL key passphrases # when using encrypted SSL certificate keys. If not specified @@ -1595,12 +2506,12 @@ http_port 3128 #Default: # none -#OPTIONS RELATING TO EXTERNAL SSL_CRTD -#----------------------------------------------------------------------------- +# OPTIONS RELATING TO EXTERNAL SSL_CRTD +# ----------------------------------------------------------------------------- # TAG: sslcrtd_program # Note: This option is only available if Squid is rebuilt with the -# -DUSE_SSL_CRTD define +# --enable-ssl-crtd # # Specify the location and options of the executable for ssl_crtd process. # /usr/lib/squid/ssl_crtd program requires -s and -M parameters @@ -1611,14 +2522,90 @@ http_port 3128 # TAG: sslcrtd_children # Note: This option is only available if Squid is rebuilt with the -# -DUSE_SSL_CRTD define +# --enable-ssl-crtd # # The maximum number of processes spawn to service ssl server. # The maximum this may be safely set to is 32. # +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup=N +# +# Sets the minimum number of processes to spawn when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few children temporary slows Squid under load while it +# tries to spawn enough additional processes to cope with traffic. +# +# idle=N +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# # You must have at least one ssl_crtd process. #Default: -# sslcrtd_children 5 +# sslcrtd_children 32 startup=5 idle=1 + +# TAG: sslcrtvalidator_program +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Specify the location and options of the executable for ssl_crt_validator +# process. +# +# Usage: sslcrtvalidator_program [ttl=n] [cache=n] path ... +# +# Options: +# ttl=n TTL in seconds for cached results. The default is 60 secs +# cache=n limit the result cache size. The default value is 2048 +#Default: +# none + +# TAG: sslcrtvalidator_children +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# The maximum number of processes spawn to service SSL server. +# The maximum this may be safely set to is 32. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup=N +# +# Sets the minimum number of processes to spawn when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few children temporary slows Squid under load while it +# tries to spawn enough additional processes to cope with traffic. +# +# idle=N +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# +# The number of requests each certificate validator helper can handle in +# parallel. A value of 0 indicates the certficate validator does not +# support concurrency. Defaults to 1. +# +# When this directive is set to a value >= 1 then the protocol +# used to communicate with the helper is modified to include +# a request ID in front of the request/response. The request +# ID from the request must be echoed back with the response +# to that request. +# +# You must have at least one ssl_crt_validator process. +#Default: +# sslcrtvalidator_children 32 startup=5 idle=1 concurrency=1 # OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM # ----------------------------------------------------------------------------- @@ -1680,22 +2667,23 @@ http_port 3128 # # htcp Send HTCP, instead of ICP, queries to the neighbor. # You probably also want to set the "icp-port" to 4827 -# instead of 3130. +# instead of 3130. This directive accepts a comma separated +# list of options described below. # -# htcp-oldsquid Send HTCP to old Squid versions. +# htcp=oldsquid Send HTCP to old Squid versions (2.5 or earlier). # -# htcp-no-clr Send HTCP to the neighbor but without +# htcp=no-clr Send HTCP to the neighbor but without # sending any CLR requests. This cannot be used with -# htcp-only-clr. +# only-clr. # -# htcp-only-clr Send HTCP to the neighbor but ONLY CLR requests. -# This cannot be used with htcp-no-clr. +# htcp=only-clr Send HTCP to the neighbor but ONLY CLR requests. +# This cannot be used with no-clr. # -# htcp-no-purge-clr +# htcp=no-purge-clr # Send HTCP to the neighbor including CLRs but only when # they do not result from PURGE requests. # -# htcp-forward-clr +# htcp=forward-clr # Forward any HTCP CLR requests this proxy receives to the peer. # # @@ -1768,6 +2756,14 @@ http_port 3128 # than the Squid default location. # # +# ==== CARP OPTIONS ==== +# +# carp-key=key-specification +# use a different key than the full URL to hash against the peer. +# the key-specification is a comma-separated list of the keywords +# scheme, host, port, path, params +# Order is not important. +# # ==== ACCELERATOR / REVERSE-PROXY OPTIONS ==== # # originserver Causes this parent to be contacted as an origin server. @@ -1795,20 +2791,23 @@ http_port 3128 # Note: The string can include URL escapes (i.e. %20 for # spaces). This also means % must be written as %%. # -# login=PROXYPASS +# login=PASSTHRU # Send login details received from client to this peer. -# Authentication is not required, nor changed. +# Both Proxy- and WWW-Authorization headers are passed +# without alteration to the peer. +# Authentication is not required by Squid for this to work. # # Note: This will pass any form of authentication but # only Basic auth will work through a proxy unless the # connection-auth options are also used. -# +# # login=PASS Send login details received from client to this peer. # Authentication is not required by this option. +# # If there are no client-provided authentication headers # to pass on, but username and password are available -# from either proxy login or an external ACL user= and -# password= result tags they may be sent instead. +# from an external ACL user= and password= result tags +# they may be sent instead. # # Note: To combine this with proxy_auth both proxies must # share the same user database as HTTP only allows for @@ -1826,6 +2825,27 @@ http_port 3128 # be used to identify this proxy to the peer, similar to # the login=username:password option above. # +# login=NEGOTIATE +# If this is a personal/workgroup proxy and your parent +# requires a secure proxy authentication. +# The first principal from the default keytab or defined by +# the environment variable KRB5_KTNAME will be used. +# +# WARNING: The connection may transmit requests from multiple +# clients. Negotiate often assumes end-to-end authentication +# and a single-client. Which is not strictly true here. +# +# login=NEGOTIATE:principal_name +# If this is a personal/workgroup proxy and your parent +# requires a secure proxy authentication. +# The principal principal_name from the default keytab or +# defined by the environment variable KRB5_KTNAME will be +# used. +# +# WARNING: The connection may transmit requests from multiple +# clients. Negotiate often assumes end-to-end authentication +# and a single-client. Which is not strictly true here. +# # connection-auth=on|off # Tell Squid that this peer does or not support Microsoft # connection oriented authentication, and any such @@ -1848,22 +2868,42 @@ http_port 3128 # reference a combined file containing both the # certificate and the key. # -# sslversion=1|2|3|4 +# sslversion=1|2|3|4|5|6 # The SSL version to use when connecting to this peer # 1 = automatic (default) # 2 = SSL v2 only # 3 = SSL v3 only -# 4 = TLS v1 only +# 4 = TLS v1.0 only +# 5 = TLS v1.1 only +# 6 = TLS v1.2 only # # sslcipher=... The list of valid SSL ciphers to use when connecting # to this peer. # -# ssloptions=... Specify various SSL engine options: -# NO_SSLv2 Disallow the use of SSLv2 -# NO_SSLv3 Disallow the use of SSLv3 -# NO_TLSv1 Disallow the use of TLSv1 -# See src/ssl_support.c or the OpenSSL documentation for -# a more complete list. +# ssloptions=... Specify various SSL implementation options: +# +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# +# SINGLE_DH_USE +# Always create a new key when using +# temporary/ephemeral DH key exchanges +# +# NO_TICKET +# Disable use of RFC5077 session tickets. Some servers +# may have problems understanding the TLS extension due +# to ambiguous specification in RFC4507. +# +# ALL Enable various bug workarounds +# suggested as "harmless" by OpenSSL +# Be warned that this reduces SSL/TLS +# strength to some attacks. +# +# See the OpenSSL SSL_CTX_set_options documentation for a +# more complete list. # # sslcafile=... A file containing additional CA certificates to use # when verifying the peer certificate. @@ -1907,29 +2947,74 @@ http_port 3128 # # connect-fail-limit=N # How many times connecting to a peer must fail before -# it is marked as down. Default is 10. +# it is marked as down. Standby connection failures +# count towards this limit. Default is 10. # # allow-miss Disable Squid's use of only-if-cached when forwarding # requests to siblings. This is primarily useful when -# icp_hit_stale is used by the sibling. To extensive use -# of this option may result in forwarding loops, and you -# should avoid having two-way peerings with this option. -# For example to deny peer usage on requests from peer -# by denying cache_peer_access if the source is a peer. +# icp_hit_stale is used by the sibling. Excessive use +# of this option may result in forwarding loops. One way +# to prevent peering loops when using this option, is to +# deny cache peer usage on requests from a peer: +# acl fromPeer ... +# cache_peer_access peerName deny fromPeer +# +# max-conn=N Limit the number of concurrent connections the Squid +# may open to this peer, including already opened idle +# and standby connections. There is no peer-specific +# connection limit by default. # -# max-conn=N Limit the amount of connections Squid may open to this -# peer. see also +# A peer exceeding the limit is not used for new +# requests unless a standby connection is available. +# +# max-conn currently works poorly with idle persistent +# connections: When a peer reaches its max-conn limit, +# and there are idle persistent connections to the peer, +# the peer may not be selected because the limiting code +# does not know whether Squid can reuse those idle +# connections. +# +# standby=N Maintain a pool of N "hot standby" connections to an +# UP peer, available for requests when no idle +# persistent connection is available (or safe) to use. +# By default and with zero N, no such pool is maintained. +# N must not exceed the max-conn limit (if any). +# +# At start or after reconfiguration, Squid opens new TCP +# standby connections until there are N connections +# available and then replenishes the standby pool as +# opened connections are used up for requests. A used +# connection never goes back to the standby pool, but +# may go to the regular idle persistent connection pool +# shared by all peers and origin servers. +# +# Squid never opens multiple new standby connections +# concurrently. This one-at-a-time approach minimizes +# flooding-like effect on peers. Furthermore, just a few +# standby connections should be sufficient in most cases +# to supply most new requests with a ready-to-use +# connection. +# +# Standby connections obey server_idle_pconn_timeout. +# For the feature to work as intended, the peer must be +# configured to accept and keep them open longer than +# the idle timeout at the connecting Squid, to minimize +# race conditions typical to idle used persistent +# connections. Default request_timeout and +# server_idle_pconn_timeout values ensure such a +# configuration. # # name=xxx Unique name for the peer. # Required if you have multiple peers on the same host # but different ports. # This name can be used in cache_peer_access and similar -# directives to dentify the peer. +# directives to identify the peer. # Can be used by outgoing access controls through the # peername ACL type. # # no-tproxy Do not use the client-spoof TPROXY support when forwarding # requests to this peer. Use normal address selection instead. +# This overrides the spoof_client_ip ACL. # # proxy-only objects fetched from the peer will not be stored locally. # @@ -1938,10 +3023,11 @@ http_port 3128 # TAG: cache_peer_domain # Use to limit the domains for which a neighbor cache will be -# queried. Usage: +# queried. # -# cache_peer_domain cache-host domain [domain ...] -# cache_peer_domain cache-host !domain +# Usage: +# cache_peer_domain cache-host domain [domain ...] +# cache_peer_domain cache-host !domain # # For example, specifying # @@ -1966,33 +3052,57 @@ http_port 3128 # none # TAG: cache_peer_access -# Similar to 'cache_peer_domain' but provides more flexibility by -# using ACL elements. +# Restricts usage of cache_peer proxies. # -# cache_peer_access cache-host allow|deny [!]aclname ... +# Usage: +# cache_peer_access peer-name allow|deny [!]aclname ... +# +# For the required peer-name parameter, use either the value of the +# cache_peer name=value parameter or, if name=value is missing, the +# cache_peer hostname parameter. +# +# This directive narrows down the selection of peering candidates, but +# does not determine the order in which the selected candidates are +# contacted. That order is determined by the peer selection algorithms +# (see PEER SELECTION sections in the cache_peer documentation). +# +# If a deny rule matches, the corresponding peer will not be contacted +# for the current transaction -- Squid will not send ICP queries and +# will not forward HTTP requests to that peer. An allow match leaves +# the corresponding peer in the selection. The first match for a given +# peer wins for that peer. +# +# The relative order of cache_peer_access directives for the same peer +# matters. The relative order of any two cache_peer_access directives +# for different peers does not matter. To ease interpretation, it is a +# good idea to group cache_peer_access directives for the same peer +# together. +# +# A single cache_peer_access directive may be evaluated multiple times +# for a given transaction because individual peer selection algorithms +# may check it independently from each other. These redundant checks +# may be optimized away in future Squid versions. # -# The syntax is identical to 'http_access' and the other lists of -# ACL elements. See the comments for 'http_access' below, or -# the Squid FAQ (http://wiki.squid-cache.org/SquidFaq/SquidAcl). +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# No peer usage restrictions. # TAG: neighbor_type_domain -# usage: neighbor_type_domain neighbor parent|sibling domain domain ... +# Modify the cache_peer neighbor type when passing requests +# about specific domains to the peer. # -# Modifying the neighbor type for specific domains is now -# possible. You can treat some domains differently than the the -# default neighbor type specified on the 'cache_peer' line. -# Normally it should only be necessary to list domains which -# should be treated differently because the default neighbor type -# applies for hostnames which do not match domains listed here. +# Usage: +# neighbor_type_domain neighbor parent|sibling domain domain ... # -#EXAMPLE: -# cache_peer cache.foo.org parent 3128 3130 -# neighbor_type_domain cache.foo.org sibling .com .net -# neighbor_type_domain cache.foo.org sibling .au .de +# For example: +# cache_peer foo.example.com parent 3128 3130 +# neighbor_type_domain foo.example.com sibling .au .de +# +# The above configuration treats all requests to foo.example.com as a +# parent proxy unless the request is for a .au or .de ccTLD domain name. #Default: -# none +# The peer type from cache_peer directive is used for all requests to that peer. # TAG: dead_peer_timeout (seconds) # This controls how long Squid waits to declare a peer cache @@ -2015,21 +3125,11 @@ http_port 3128 # TAG: forward_max_tries # Controls how many different forward paths Squid will try # before giving up. See also forward_timeout. +# +# NOTE: connect_retries (default: none) can make each of these +# possible forwarding paths be tried multiple times. #Default: -# forward_max_tries 10 - -# TAG: hierarchy_stoplist -# A list of words which, if found in a URL, cause the object to -# be handled directly by this cache. In other words, use this -# to not query neighbor caches for certain objects. You may -# list this option multiple times. -# -# Example: -# hierarchy_stoplist cgi-bin ? -# -# Note: never_direct overrides this option. -#Default: -# none +# forward_max_tries 25 # MEMORY CACHE OPTIONS # ----------------------------------------------------------------------------- @@ -2064,6 +3164,11 @@ http_port 3128 # decreases, blocks will be freed until the high-water mark is # reached. Thereafter, blocks will be used to store hot # objects. +# +# If shared memory caching is enabled, Squid does not use the shared +# cache space for in-transit objects, but they still consume as much +# local memory as they need. For more details about the shared memory +# cache, see memory_cache_shared. #Default: # cache_mem 256 MB @@ -2075,11 +3180,45 @@ http_port 3128 #Default: # maximum_object_size_in_memory 512 KB +# TAG: memory_cache_shared on|off +# Controls whether the memory cache is shared among SMP workers. +# +# The shared memory cache is meant to occupy cache_mem bytes and replace +# the non-shared memory cache, although some entities may still be +# cached locally by workers for now (e.g., internal and in-transit +# objects may be served from a local memory cache even if shared memory +# caching is enabled). +# +# By default, the memory cache is shared if and only if all of the +# following conditions are satisfied: Squid runs in SMP mode with +# multiple workers, cache_mem is positive, and Squid environment +# supports required IPC primitives (e.g., POSIX shared memory segments +# and GCC-style atomic operations). +# +# To avoid blocking locks, shared memory uses opportunistic algorithms +# that do not guarantee that every cachable entity that could have been +# shared among SMP workers will actually be shared. +#Default: +# "on" where supported if doing memory caching with multiple SMP workers. + +# TAG: memory_cache_mode +# Controls which objects to keep in the memory cache (cache_mem) +# +# always Keep most recently fetched objects in memory (default) +# +# disk Only disk cache hits are kept in memory, which means +# an object must first be cached on disk and then hit +# a second time before cached in memory. +# +# network Only objects fetched from network is kept in memory +#Default: +# Keep the most recently fetched objects in memory + # TAG: memory_replacement_policy # The memory replacement policy parameter determines which # objects are purged from memory when memory space is needed. # -# See cache_replacement_policy for details. +# See cache_replacement_policy for details on algorithms. #Default: # memory_replacement_policy lru @@ -2095,7 +3234,7 @@ http_port 3128 # heap LFUDA: Least Frequently Used with Dynamic Aging # heap LRU : LRU policy implemented using a heap # -# Applies to any cache_dir lines listed below this. +# Applies to any cache_dir lines listed below this directive. # # The LRU policies keeps recently referenced objects. # @@ -2114,7 +3253,7 @@ http_port 3128 # replacement policies. # # NOTE: if using the LFUDA replacement policy you should increase -# the value of maximum_object_size above its default of 4096 KB to +# the value of maximum_object_size above its default of 4 MB to # to maximize the potential byte hit rate improvement of LFUDA. # # For more information about the GDSF and LFUDA cache replacement @@ -2123,10 +3262,34 @@ http_port 3128 #Default: # cache_replacement_policy lru +# TAG: minimum_object_size (bytes) +# Objects smaller than this size will NOT be saved on disk. The +# value is specified in bytes, and the default is 0 KB, which +# means all responses can be stored. +#Default: +# no limit + +# TAG: maximum_object_size (bytes) +# Set the default value for max-size parameter on any cache_dir. +# The value is specified in bytes, and the default is 4 MB. +# +# If you wish to get a high BYTES hit ratio, you should probably +# increase this (one 32 MB object hit counts for 3200 10KB +# hits). +# +# If you wish to increase hit ratio more than you want to +# save bandwidth you should leave this low. +# +# NOTE: if using the LFUDA replacement policy you should increase +# this value to maximize the byte hit rate improvement of LFUDA! +# See cache_replacement_policy for a discussion of this policy. +#Default: +# maximum_object_size 4 MB +maximum_object_size 153600 KB + # TAG: cache_dir -# Usage: -# -# cache_dir Type Directory-Name Fs-specific-data [options] +# Format: +# cache_dir Type Directory-Name Fs-specific-data [options] # # You can specify multiple cache_dir lines to spread the # cache among different disk partitions. @@ -2141,12 +3304,18 @@ http_port 3128 # The directory must exist and be writable by the Squid # process. Squid will NOT create this directory for you. # -# The ufs store type: +# In SMP configurations, cache_dir must not precede the workers option +# and should use configuration macros or conditionals to give each +# worker interested in disk caching a dedicated cache directory. +# +# +# ==== The ufs store type ==== # # "ufs" is the old well-known Squid storage format that has always # been there. # -# cache_dir ufs Directory-Name Mbytes L1 L2 [options] +# Usage: +# cache_dir ufs Directory-Name Mbytes L1 L2 [options] # # 'Mbytes' is the amount of disk space (MB) to use under this # directory. The default is 100 MB. Change this to suit your @@ -2161,23 +3330,27 @@ http_port 3128 # will be created under each first-level directory. The default # is 256. # -# The aufs store type: +# +# ==== The aufs store type ==== # # "aufs" uses the same storage format as "ufs", utilizing # POSIX-threads to avoid blocking the main Squid process on # disk-I/O. This was formerly known in Squid as async-io. # -# cache_dir aufs Directory-Name Mbytes L1 L2 [options] +# Usage: +# cache_dir aufs Directory-Name Mbytes L1 L2 [options] # # see argument descriptions under ufs above # -# The diskd store type: +# +# ==== The diskd store type ==== # # "diskd" uses the same storage format as "ufs", utilizing a # separate process to avoid blocking the main Squid process on # disk-I/O. # -# cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n] +# Usage: +# cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n] # # see argument descriptions under ufs above # @@ -2185,55 +3358,149 @@ http_port 3128 # stops opening new files. If this many messages are in the queues, # Squid won't open new files. Default is 64 # -# Q2 specifies the number of unacknowledged messages when Squid -# starts blocking. If this many messages are in the queues, -# Squid blocks until it receives some replies. Default is 72 +# Q2 specifies the number of unacknowledged messages when Squid +# starts blocking. If this many messages are in the queues, +# Squid blocks until it receives some replies. Default is 72 +# +# When Q1 < Q2 (the default), the cache directory is optimized +# for lower response time at the expense of a decrease in hit +# ratio. If Q1 > Q2, the cache directory is optimized for +# higher hit ratio at the expense of an increase in response +# time. +# +# +# ==== The rock store type ==== +# +# Usage: +# cache_dir rock Directory-Name Mbytes [options] +# +# The Rock Store type is a database-style storage. All cached +# entries are stored in a "database" file, using fixed-size slots. +# A single entry occupies one or more slots. +# +# If possible, Squid using Rock Store creates a dedicated kid +# process called "disker" to avoid blocking Squid worker(s) on disk +# I/O. One disker kid is created for each rock cache_dir. Diskers +# are created only when Squid, running in daemon mode, has support +# for the IpcIo disk I/O module. +# +# swap-timeout=msec: Squid will not start writing a miss to or +# reading a hit from disk if it estimates that the swap operation +# will take more than the specified number of milliseconds. By +# default and when set to zero, disables the disk I/O time limit +# enforcement. Ignored when using blocking I/O module because +# blocking synchronous I/O does not allow Squid to estimate the +# expected swap wait time. +# +# max-swap-rate=swaps/sec: Artificially limits disk access using +# the specified I/O rate limit. Swap out requests that +# would cause the average I/O rate to exceed the limit are +# delayed. Individual swap in requests (i.e., hits or reads) are +# not delayed, but they do contribute to measured swap rate and +# since they are placed in the same FIFO queue as swap out +# requests, they may wait longer if max-swap-rate is smaller. +# This is necessary on file systems that buffer "too +# many" writes and then start blocking Squid and other processes +# while committing those writes to disk. Usually used together +# with swap-timeout to avoid excessive delays and queue overflows +# when disk demand exceeds available disk "bandwidth". By default +# and when set to zero, disables the disk I/O rate limit +# enforcement. Currently supported by IpcIo module only. +# +# slot-size=bytes: The size of a database "record" used for +# storing cached responses. A cached response occupies at least +# one slot and all database I/O is done using individual slots so +# increasing this parameter leads to more disk space waste while +# decreasing it leads to more disk I/O overheads. Should be a +# multiple of your operating system I/O page size. Defaults to +# 16KBytes. A housekeeping header is stored with each slot and +# smaller slot-sizes will be rejected. The header is smaller than +# 100 bytes. +# +# +# ==== COMMON OPTIONS ==== +# +# no-store no new objects should be stored to this cache_dir. +# +# min-size=n the minimum object size in bytes this cache_dir +# will accept. It's used to restrict a cache_dir +# to only store large objects (e.g. AUFS) while +# other stores are optimized for smaller objects +# (e.g. Rock). +# Defaults to 0. +# +# max-size=n the maximum object size in bytes this cache_dir +# supports. +# The value in maximum_object_size directive sets +# the default unless more specific details are +# available (ie a small store capacity). +# +# Note: To make optimal use of the max-size limits you should order +# the cache_dir lines with the smallest max-size value first. +# +#Default: +# No disk cache. Store cache ojects only in memory. +# + +# Uncomment and adjust the following to add a disk cache directory. +#cache_dir ufs /var/spool/squid 100 16 256 +cache_dir ufs /var/spool/squid 4096 16 1024 + +# TAG: store_dir_select_algorithm +# How Squid selects which cache_dir to use when the response +# object will fit into more than one. +# +# Regardless of which algorithm is used the cache_dir min-size +# and max-size parameters are obeyed. As such they can affect +# the selection algorithm by limiting the set of considered +# cache_dir. +# +# Algorithms: +# +# least-load +# +# This algorithm is suited to caches with similar cache_dir +# sizes and disk speeds. # -# When Q1 < Q2 (the default), the cache directory is optimized -# for lower response time at the expense of a decrease in hit -# ratio. If Q1 > Q2, the cache directory is optimized for -# higher hit ratio at the expense of an increase in response -# time. +# The disk with the least I/O pending is selected. +# When there are multiple disks with the same I/O load ranking +# the cache_dir with most available capacity is selected. # -# The coss store type: +# When a mix of cache_dir sizes are configured the faster disks +# have a naturally lower I/O loading and larger disks have more +# capacity. So space used to store objects and data throughput +# may be very unbalanced towards larger disks. # -# NP: COSS filesystem in Squid-3 has been deemed too unstable for -# production use and has thus been removed from this release. -# We hope that it can be made usable again soon. # -# block-size=n defines the "block size" for COSS cache_dir's. -# Squid uses file numbers as block numbers. Since file numbers -# are limited to 24 bits, the block size determines the maximum -# size of the COSS partition. The default is 512 bytes, which -# leads to a maximum cache_dir size of 512<<24, or 8 GB. Note -# you should not change the coss block size after Squid -# has written some objects to the cache_dir. +# round-robin # -# The coss file store has changed from 2.5. Now it uses a file -# called 'stripe' in the directory names in the config - and -# this will be created by squid -z. +# This algorithm is suited to caches with unequal cache_dir +# disk sizes. # -# Common options: +# Each cache_dir is selected in a rotation. The next suitable +# cache_dir is used. # -# no-store, no new objects should be stored to this cache_dir +# Available cache_dir capacity is only considered in relation +# to whether the object will fit and meets the min-size and +# max-size parameters. # -# max-size=n, refers to the max object size in bytes this cache_dir -# supports. It is used to select the cache_dir to store the object. -# Note: To make optimal use of the max-size limits you should order -# the cache_dir lines with the smallest max-size value first and the -# ones with no max-size specification last. +# Disk I/O loading is only considered to prevent overload on slow +# disks. This algorithm does not spread objects by size, so any +# I/O loading per-disk may appear very unbalanced and volatile. # -# Note for coss, max-size must be less than COSS_MEMBUF_SZ, -# which can be changed with the --with-coss-membuf-size=N configure -# option. +# If several cache_dirs use similar min-size, max-size, or other +# limits to to reject certain responses, then do not group such +# cache_dir lines together, to avoid round-robin selection bias +# towards the first cache_dir after the group. Instead, interleave +# cache_dir lines from different groups. For example: # - -# Uncomment and adjust the following to add a disk cache directory. -#cache_dir ufs /var/spool/squid 100 16 256 -cache_dir ufs /var/spool/squid 4096 16 1024 - -# TAG: store_dir_select_algorithm -# Set this to 'round-robin' as an alternative. +# store_dir_select_algorithm round-robin +# cache_dir rock /hdd1 ... min-size=100000 +# cache_dir rock /ssd1 ... max-size=99999 +# cache_dir rock /hdd2 ... min-size=100000 +# cache_dir rock /ssd2 ... max-size=99999 +# cache_dir rock /hdd3 ... min-size=100000 +# cache_dir rock /ssd3 ... max-size=99999 #Default: # store_dir_select_algorithm least-load @@ -2244,46 +3511,53 @@ cache_dir ufs /var/spool/squid 4096 16 1024 # # A value of 0 indicates no limit. #Default: -# max_open_disk_fds 0 - -# TAG: minimum_object_size (bytes) -# Objects smaller than this size will NOT be saved on disk. The -# value is specified in kilobytes, and the default is 0 KB, which -# means there is no minimum. -#Default: -# minimum_object_size 0 KB - -# TAG: maximum_object_size (bytes) -# Objects larger than this size will NOT be saved on disk. The -# value is specified in kilobytes, and the default is 4MB. If -# you wish to get a high BYTES hit ratio, you should probably -# increase this (one 32 MB object hit counts for 3200 10KB -# hits). If you wish to increase speed more than your want to -# save bandwidth you should leave this low. -# -# NOTE: if using the LFUDA replacement policy you should increase -# this value to maximize the byte hit rate improvement of LFUDA! -# See replacement_policy below for a discussion of this policy. -#Default: -# maximum_object_size 4096 KB -maximum_object_size 153600 KB +# no limit # TAG: cache_swap_low (percent, 0-100) +# The low-water mark for AUFS/UFS/diskd cache object eviction by +# the cache_replacement_policy algorithm. +# +# Removal begins when the swap (disk) usage of a cache_dir is +# above this low-water mark and attempts to maintain utilization +# near the low-water mark. +# +# As swap utilization increases towards the high-water mark set +# by cache_swap_high object eviction becomes more agressive. +# +# The value difference in percentages between low- and high-water +# marks represent an eviction rate of 300 objects per second and +# the rate continues to scale in agressiveness by multiples of +# this above the high-water mark. +# +# Defaults are 90% and 95%. If you have a large cache, 5% could be +# hundreds of MB. If this is the case you may wish to set these +# numbers closer together. +# +# See also cache_swap_high and cache_replacement_policy #Default: # cache_swap_low 90 # TAG: cache_swap_high (percent, 0-100) +# The high-water mark for AUFS/UFS/diskd cache object eviction by +# the cache_replacement_policy algorithm. # -# The low- and high-water marks for cache object replacement. -# Replacement begins when the swap (disk) usage is above the -# low-water mark and attempts to maintain utilization near the -# low-water mark. As swap utilization gets close to high-water -# mark object eviction becomes more aggressive. If utilization is -# close to the low-water mark less replacement is done each time. +# Removal begins when the swap (disk) usage of a cache_dir is +# above the low-water mark set by cache_swap_low and attempts to +# maintain utilization near the low-water mark. +# +# As swap utilization increases towards this high-water mark object +# eviction becomes more agressive. +# +# The value difference in percentages between low- and high-water +# marks represent an eviction rate of 300 objects per second and +# the rate continues to scale in agressiveness by multiples of +# this above the high-water mark. # # Defaults are 90% and 95%. If you have a large cache, 5% could be # hundreds of MB. If this is the case you may wish to set these # numbers closer together. +# +# See also cache_swap_low and cache_replacement_policy #Default: # cache_swap_high 95 @@ -2313,21 +3587,62 @@ maximum_object_size 153600 KB # ' output as-is # # - left aligned -# width field width. If starting with 0 the -# output is zero padded +# +# width minimum and/or maximum field width: +# [width_min][.width_max] +# When minimum starts with 0, the field is zero-padded. +# String values exceeding maximum width are truncated. +# # {arg} argument such as header name etc # # Format codes: # # % a literal % character +# sn Unique sequence number per log line entry +# err_code The ID of an error response served by Squid or +# a similar internal error identifier. +# err_detail Additional err_code-dependent error information. +# note The annotation specified by the argument. Also +# logs the adaptation meta headers set by the +# adaptation_meta configuration parameter. +# If no argument given all annotations logged. +# The argument may include a separator to use with +# annotation values: +# name[:separator] +# By default, multiple note values are separated with "," +# and multiple notes are separated with "\r\n". +# When logging named notes with %{name}note, the +# explicitly configured separator is used between note +# values. When logging all notes with %note, the +# explicitly configured separator is used between +# individual notes. There is currently no way to +# specify both value and notes separators when logging +# all notes with %note. +# +# Connection related format codes: +# # >a Client source IP address # >A Client FQDN # >p Client source port -# eui Client source EUI (MAC address, EUI-48 or EUI-64 identifier) +# >la Local IP address the client connected to +# >lp Local port number the client connected to +# >qos Client connection TOS/DSCP value set by Squid +# >nfmark Client connection netfilter mark set by Squid +# +# la Local listening IP address the client connection was connected to. +# lp Local listening port number the client connection was connected to. +# +# . format. +# Currently, Squid considers the master transaction +# started when a complete HTTP request header initiating +# the transaction is received from the client. This is +# the same value that Squid uses to calculate transaction +# response time when logging %tr to access.log. Currently, +# Squid uses millisecond resolution for %tS values, +# similar to the default access.log "current time" field +# (%ts.%03tu). +# +# Access Control related format codes: +# +# et Tag returned by external acl +# ea Log string returned by external acl +# un User name (any available) +# ul User name from authentication +# ue User name from external acl helper +# ui User name from ident +# un A user name. Expands to the first available name +# from the following list of information sources: +# - authenticated user name, like %ul +# - user name supplied by an external ACL, like %ue +# - SSL client name, like %us +# - ident user name, like %ui +# credentials Client credentials. The exact meaning depends on +# the authentication scheme: For Basic authentication, +# it is the password; for Digest, the realm sent by the +# client; for NTLM and Negotiate, the client challenge +# or client credentials prefixed with "YR " or "KK ". +# +# HTTP related format codes: +# +# REQUEST # -# HTTP cache related format codes: -# -# [http::]>h Original request header. Optional header name argument -# on the format header[:[separator]element] -# [http::]>ha The HTTP request headers after adaptation and redirection. +# [http::]rm Request method (GET/POST etc) +# [http::]>rm Request method from client +# [http::]ru Request URL from client +# [http::]rs Request URL scheme from client +# [http::]rd Request URL domain from client +# [http::]rP Request URL port from client +# [http::]rp Request URL path excluding hostname from client +# [http::]rv Request protocol version from client +# [http::]h Original received request header. +# Usually differs from the request header sent by +# Squid, although most fields are often preserved. +# Accepts optional header field name/value filter +# argument using name[:[separator]element] format. +# [http::]>ha Received request header after adaptation and +# redirection (pre-cache REQMOD vectoring point). +# Usually differs from the request header sent by +# Squid, although most fields are often preserved. # Optional header name argument as for >h +# +# +# RESPONSE +# +# [http::]Hs HTTP status code sent to the client +# # [http::]h -# [http::]un User name -# [http::]ul User name from authentication -# [http::]ui User name from ident -# [http::]us User name from SSL -# [http::]ue User name from external acl helper -# [http::]>Hs HTTP status code sent to the client -# [http::]st Received request size including HTTP headers. In the -# case of chunked requests the chunked encoding metadata -# are not included -# [http::]>sh Received HTTP request headers size -# [http::]st Total size of request received from client. +# Excluding chunked encoding bytes. +# [http::]sh Size of request headers received from client +# [http::]sni SSL client SNI sent to Squid. Available only +# after the peek, stare, or splice SSL bumping +# actions. +# +# If ICAP is enabled, the following code becomes available (as # well as ICAP log codes documented with the icap_log option): # # icap::tt Total ICAP processing time for the HTTP @@ -2386,14 +3793,13 @@ maximum_object_size 153600 KB # ACLs are checked and when ICAP # transaction is in progress. # -# icap::cert_subject The Subject field of the received client +# SSL certificate or a dash ('-') if Squid has +# received an invalid/malformed certificate or +# no certificate at all. Consider encoding the +# logged value because Subject often has spaces. +# +# %ssl::>cert_issuer The Issuer field of the received client +# SSL certificate or a dash ('-') if Squid has +# received an invalid/malformed certificate or +# no certificate at all. Consider encoding the +# logged value because Issuer often has spaces. +# # The default formats available (which do not need re-defining) are: # -#logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %a %Ss/%03>Hs %h] [%a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh +#logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh +#logformat referrer %ts.%03tu %>a %{Referer}>h %ru +#logformat useragent %>a [%tl] "%{User-Agent}>h" +# +# NOTE: When the log_mime_hdrs directive is set to ON. +# The squid, common and combined formats have a safely encoded copy +# of the mime headers appended to each line within a pair of brackets. +# +# NOTE: The common and combined formats are not quite true to the Apache definition. +# The logs from Squid contain an extra status and hierarchy code appended. +# #Default: -# none +# The format definitions squid, common, combined, referrer, useragent are built in. # TAG: access_log -# These files log client request activities. Has a line every HTTP or -# ICP request. The format is: -# access_log [ [acl acl ...]] -# access_log none [acl acl ...]] +# Configures whether and how Squid logs HTTP and ICP transactions. +# If access logging is enabled, a single line is logged for every +# matching HTTP or ICP request. The recommended directive formats are: # -# Will log to the specified file using the specified format (which -# must be defined in a logformat directive) those entries which match -# ALL the acl's specified (which must be defined in acl clauses). +# access_log : [option ...] [acl acl ...] +# access_log none [acl acl ...] # -# If no acl is specified, all requests will be logged to this file. +# The following directive format is accepted but may be deprecated: +# access_log : [ [acl acl ...]] # -# To disable logging of a request use the filepath "none", in which case -# a logformat name should not be specified. +# In most cases, the first ACL name must not contain the '=' character +# and should not be equal to an existing logformat name. You can always +# start with an 'all' ACL to work around those restrictions. +# +# Will log to the specified module:place using the specified format (which +# must be defined in a logformat directive) those entries which match +# ALL the acl's specified (which must be defined in acl clauses). +# If no acl is specified, all requests will be logged to this destination. +# +# ===== Available options for the recommended directive format ===== +# +# logformat=name Names log line format (either built-in or +# defined by a logformat directive). Defaults +# to 'squid'. +# +# buffer-size=64KB Defines approximate buffering limit for log +# records (see buffered_logs). Squid should not +# keep more than the specified size and, hence, +# should flush records before the buffer becomes +# full to avoid overflows under normal +# conditions (the exact flushing algorithm is +# module-dependent though). The on-error option +# controls overflow handling. +# +# on-error=die|drop Defines action on unrecoverable errors. The +# 'drop' action ignores (i.e., does not log) +# affected log records. The default 'die' action +# kills the affected worker. The drop action +# support has not been tested for modules other +# than tcp. +# +# ===== Modules Currently available ===== +# +# none Do not log any requests matching these ACL. +# Do not specify Place or logformat name. +# +# stdio Write each log line to disk immediately at the completion of +# each request. +# Place: the filename and path to be written. +# +# daemon Very similar to stdio. But instead of writing to disk the log +# line is passed to a daemon helper for asychronous handling instead. +# Place: varies depending on the daemon. +# +# log_file_daemon Place: the file name and path to be written. +# +# syslog To log each request via syslog facility. +# Place: The syslog facility and priority level for these entries. +# Place Format: facility.priority # -# To log the request via syslog specify a filepath of "syslog": +# where facility could be any of: +# authpriv, daemon, local0 ... local7 or user. # -# access_log syslog[:facility.priority] [format [acl1 [acl2 ....]]] -# where facility could be any of: -# authpriv, daemon, local0 .. local7 or user. +# And priority could be any of: +# err, warning, notice, info, debug. +# +# udp To send each log line as text data to a UDP receiver. +# Place: The destination host name or IP and port. +# Place Format: //host:port # -# And priority could be any of: -# err, warning, notice, info, debug. +# tcp To send each log line as text data to a TCP receiver. +# Lines may be accumulated before sending (see buffered_logs). +# Place: The destination host name or IP and port. +# Place Format: //host:port # # Default: -# access_log /var/log/squid/access.log squid +# access_log daemon:/var/log/squid/access.log squid #Default: -# access_log /var/log/squid/access.log squid +# access_log daemon:/var/log/squid/access.log squid # TAG: icap_log # ICAP log files record ICAP transaction summaries, one line per @@ -2472,13 +3953,35 @@ maximum_object_size 153600 KB # ICAP transaction log lines will correspond to a single access # log line. # -# ICAP log uses logformat codes that make sense for an ICAP -# transaction. Header-related codes are applied to the HTTP header -# embedded in an ICAP server response, with the following caveats: -# For REQMOD, there is no HTTP response header unless the ICAP -# server performed request satisfaction. For RESPMOD, the HTTP -# request header is the header sent to the ICAP server. For -# OPTIONS, there are no HTTP headers. +# ICAP log supports many access.log logformat %codes. In ICAP context, +# HTTP message-related %codes are applied to the HTTP message embedded +# in an ICAP message. Logformat "%http::>..." codes are used for HTTP +# messages embedded in ICAP requests while "%http::<..." codes are used +# for HTTP messages embedded in ICAP responses. For example: +# +# http::>h To-be-adapted HTTP message headers sent by Squid to +# the ICAP service. For REQMOD transactions, these are +# HTTP request headers. For RESPMOD, these are HTTP +# response headers, but Squid currently cannot log them +# (i.e., %http::>h will expand to "-" for RESPMOD). +# +# http::st Bytes sent to the ICAP server (TCP payload -# only; i.e., what Squid writes to the socket). +# icap::>st The total size of the ICAP request sent to the ICAP +# server (ICAP headers + ICAP body), including chunking +# metadata (if any). # -# icap::a %icap::to/%03icap::Hs %icap::A %icap::to/%03icap::Hs %icap::\n - logfile data +# R\n - rotate file +# T\n - truncate file +# O\n - reopen file +# F\n - flush file +# r\n - set rotate count to +# b\n - 1 = buffer output, 0 = don't buffer output +# +# No responses is expected. #Default: -# none +# logfile_daemon /usr/lib/squid/log_file_daemon -# TAG: log_icap -# This options allows you to control which requests get logged -# to icap.log. See the icap_log directive for ICAP log details. +# TAG: stats_collection allow|deny acl acl... +# This options allows you to control which requests gets accounted +# in performance counters. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow logging for all transactions. # TAG: cache_store_log # Logs the activities of the storage manager. Shows which # objects are ejected from the cache, and which objects are -# saved and for how long. To disable, enter "none" or remove the line. +# saved and for how long. # There are not really utilities to analyze this data, so you can safely -# disable it. -# +# disable it (the default). +# +# Store log uses modular logging outputs. See access_log for the list +# of modules supported. +# # Example: -# cache_store_log /var/log/squid/store.log +# cache_store_log stdio:/var/log/squid/store.log +# cache_store_log daemon:/var/log/squid/store.log #Default: # none @@ -2590,7 +4111,7 @@ maximum_object_size 153600 KB # them). We recommend you do NOT use this option. It is # better to keep these index files in each 'cache_dir' directory. #Default: -# none +# Store the journal inside its cache_dir # TAG: logfile_rotate # Specifies the number of logfile rotations to make when you @@ -2607,34 +4128,19 @@ maximum_object_size 153600 KB # in the habit of using 'squid -k rotate' instead of 'kill -USR1 # '. # -# Note, from Squid-3.1 this option has no effect on the cache.log, -# that log can be rotated separately by using debug_options +# Note, from Squid-3.1 this option is only a default for cache.log, +# that log can be rotated separately by using debug_options. # -# Note2, for Debian/Linux the default of logfile_rotate is -# zero, since it includes external logfile-rotation methods. +# Note2, for Debian/Linux the default of logfile_rotate is +# zero, since it includes external logfile-rotation methods. #Default: # logfile_rotate 0 -# TAG: emulate_httpd_log on|off -# The Cache can emulate the log file format which many 'httpd' -# programs use. To disable/enable this emulation, set -# emulate_httpd_log to 'off' or 'on'. The default -# is to use the native log format since it includes useful -# information Squid-specific log analyzers use. -#Default: -# emulate_httpd_log off - -# TAG: log_ip_on_direct on|off -# Log the destination IP address in the hierarchy log tag when going -# direct. Earlier Squid versions logged the hostname here. If you -# prefer the old way set this to off. -#Default: -# log_ip_on_direct on - # TAG: mime_table -# Pathname to Squid's MIME table. You shouldn't need to change -# this, but the default file contains examples and formatting -# information if you do. +# Path to Squid's icon configuration file. +# +# You shouldn't need to change this, but the default file contains +# examples and formatting information if you do. #Default: # mime_table /usr/share/squid/mime.conf @@ -2647,91 +4153,61 @@ maximum_object_size 153600 KB #Default: # log_mime_hdrs off -# TAG: useragent_log -# Note: This option is only available if Squid is rebuilt with the -# --enable-useragent-log option -# -# Squid will write the User-Agent field from HTTP requests -# to the filename specified here. By default useragent_log -# is disabled. -#Default: -# none - -# TAG: referer_log -# Note: This option is only available if Squid is rebuilt with the -# --enable-referer-log option -# -# Squid will write the Referer field from HTTP requests to the -# filename specified here. By default referer_log is disabled. -# Note that "referer" is actually a misspelling of "referrer" -# however the misspelt version has been accepted into the HTTP RFCs -# and we accept both. -#Default: -# none - # TAG: pid_filename # A filename to write the process-id to. To disable, enter "none". #Default: # pid_filename /var/run/squid.pid -# TAG: log_fqdn on|off -# Turn this on if you wish to log fully qualified domain names -# in the access.log. To do this Squid does a DNS lookup of all -# IP's connecting to it. This can (in some situations) increase -# latency, which makes your cache seem slower for interactive -# browsing. -#Default: -# log_fqdn off - # TAG: client_netmask # A netmask for client addresses in logfiles and cachemgr output. # Change this to protect the privacy of your cache clients. # A netmask of 255.255.255.0 will log all IP's in that range with # the last digit set to '0'. #Default: -# client_netmask no_addr - -# TAG: forward_log -# Note: This option is only available if Squid is rebuilt with the -# -DWIP_FWD_LOG define -# -# Logs the server-side requests. -# -# This is currently work in progress. -#Default: -# none +# Log full client IP address # TAG: strip_query_terms # By default, Squid strips query terms from requested URLs before -# logging. This protects your user's privacy. +# logging. This protects your user's privacy and reduces log size. +# +# When investigating HIT/MISS or other caching behaviour you +# will need to disable this to see the full URL used by Squid. #Default: # strip_query_terms on # TAG: buffered_logs on|off -# cache.log log file is written with stdio functions, and as such -# it can be buffered or unbuffered. By default it will be unbuffered. -# Buffering it can speed up the writing slightly (though you are -# unlikely to need to worry unless you run with tons of debugging -# enabled in which case performance will suffer badly anyway..). +# Whether to write/send access_log records ASAP or accumulate them and +# then write/send them in larger chunks. Buffering may improve +# performance because it decreases the number of I/Os. However, +# buffering increases the delay before log records become available to +# the final recipient (e.g., a disk file or logging daemon) and, +# hence, increases the risk of log records loss. +# +# Note that even when buffered_logs are off, Squid may have to buffer +# records if it cannot write/send them immediately due to pending I/Os +# (e.g., the I/O writing the previous log record) or connectivity loss. +# +# Currently honored by 'daemon' and 'tcp' access_log modules only. #Default: # buffered_logs off # TAG: netdb_filename -# Note: This option is only available if Squid is rebuilt with the -# --enable-icmp option +# Where Squid stores it's netdb journal. +# When enabled this journal preserves netdb state between restarts. # -# A filename where Squid stores it's netdb state between restarts. # To disable, enter "none". #Default: -# netdb_filename /var/log/squid/netdb.state +# netdb_filename stdio:/var/log/squid/netdb.state # OPTIONS FOR TROUBLESHOOTING # ----------------------------------------------------------------------------- # TAG: cache_log -# Cache logging file. This is where general information about -# your cache's behavior goes. You can increase the amount of data -# logged to this file and how often its rotated with "debug_options" +# Squid administrative logging file. +# +# This is where general information about Squid behavior goes. You can +# increase the amount of data logged to this file and how often it is +# rotated with "debug_options" #Default: # cache_log /var/log/squid/cache.log @@ -2742,14 +4218,14 @@ maximum_object_size 153600 KB # log file, so be careful. # # The magic word "ALL" sets debugging levels for all sections. -# We recommend normally running with "ALL,1". +# The default is to run with "ALL,1" to record important warnings. # # The rotate=N option can be used to keep more or less of these logs # than would otherwise be kept by logfile_rotate. # For most uses a single log should be enough to monitor current # events affecting Squid. #Default: -# debug_options ALL,1 +# Log all critical and important messages. # TAG: coredump_dir # By default Squid leaves core files in the directory from where @@ -2758,7 +4234,7 @@ maximum_object_size 153600 KB # and coredump files will be left there. # #Default: -# coredump_dir none +# Use the directory from where Squid was started. # # Leave coredumps in the first cache dir @@ -2769,24 +4245,17 @@ coredump_dir /var/spool/squid # TAG: ftp_user # If you want the anonymous login password to be more informative -# (and enable the use of picky ftp servers), set this to something +# (and enable the use of picky FTP servers), set this to something # reasonable for your domain, like wwwuser@somewhere.net # # The reason why this is domainless by default is the # request can be made on the behalf of a user in any domain, # depending on how the cache is used. -# Some ftp server also validate the email address is valid +# Some FTP server also validate the email address is valid # (for example perl.com). #Default: # ftp_user Squid@ -# TAG: ftp_list_width -# Sets the width of ftp listings. This should be set to fit in -# the width of a standard browser. Setting this too small -# can cut off long filenames when browsing ftp sites. -#Default: -# ftp_list_width 32 - # TAG: ftp_passive # If your firewall does not allow Squid to use passive # connections, turn off this option. @@ -2822,13 +4291,21 @@ coredump_dir /var/spool/squid # and therefore, translation of the data portion of the segments # will never be needed. # -# Turning this OFF will prevent EPSV being attempted. -# WARNING: Doing so will convert Squid back to the old behavior with all -# the related problems with external NAT devices/layers. +# EPSV is often required to interoperate with FTP servers on IPv6 +# networks. On the other hand, it may break some IPv4 servers. +# +# By default, EPSV may try EPSV with any FTP server. To fine tune +# that decision, you may restrict EPSV to certain clients or servers +# using ACLs: # +# ftp_epsv allow|deny al1 acl2 ... +# +# WARNING: Disabling EPSV may cause problems with external NAT and IPv6. +# +# Only fast ACLs are supported. # Requires ftp_passive to be ON (default) for any effect. #Default: -# ftp_epsv on +# none # TAG: ftp_eprt # FTP Protocol extensions permit the use of a special "EPRT" command. @@ -2889,22 +4366,16 @@ coredump_dir /var/spool/squid # unlinkd_program /usr/lib/squid/unlinkd # TAG: pinger_program -# Note: This option is only available if Squid is rebuilt with the -# --enable-icmp option -# # Specify the location of the executable for the pinger process. #Default: # pinger_program /usr/lib/squid/pinger # TAG: pinger_enable -# Note: This option is only available if Squid is rebuilt with the -# --enable-icmp option -# # Control whether the pinger is active at run-time. # Enables turning ICMP pinger on and off with a simple # squid -k reconfigure. #Default: -# pinger_enable off +# pinger_enable on # OPTIONS FOR URL REWRITING # ----------------------------------------------------------------------------- @@ -2915,68 +4386,137 @@ coredump_dir /var/spool/squid # # For each requested URL, the rewriter will receive on line with the format # -# URL client_ip "/" fqdn user method [ kvpairs] +# [channel-ID ] URL [ extras] +# +# See url_rewrite_extras on how to send "extras" with optional values to +# the helper. +# After processing the request the helper must reply using the following format: +# +# [channel-ID ] result [ kv-pairs] +# +# The result code can be: +# +# OK status=30N url="..." +# Redirect the URL to the one supplied in 'url='. +# 'status=' is optional and contains the status code to send +# the client in Squids HTTP response. It must be one of the +# HTTP redirect status codes: 301, 302, 303, 307, 308. +# When no status is given Squid will use 302. +# +# OK rewrite-url="..." +# Rewrite the URL to the one supplied in 'rewrite-url='. +# The new URL is fetched directly by Squid and returned to +# the client as the response to its request. # -# In the future, the rewriter interface will be extended with -# key=value pairs ("kvpairs" shown above). Rewriter programs -# should be prepared to receive and possibly ignore additional -# whitespace-separated tokens on each input line. +# OK +# When neither of url= and rewrite-url= are sent Squid does +# not change the URL. # -# And the rewriter may return a rewritten URL. The other components of -# the request line does not need to be returned (ignored if they are). +# ERR +# Do not change the URL. # -# The rewriter can also indicate that a client-side redirect should -# be performed to the new URL. This is done by prefixing the returned -# URL with "301:" (moved permanently) or 302: (moved temporarily), etc. +# BH +# An internal error occurred in the helper, preventing +# a result being identified. The 'message=' key name is +# reserved for delivering a log message. +# +# +# In addition to the above kv-pairs Squid also understands the following +# optional kv-pairs received from URL rewriters: +# clt_conn_tag=TAG +# Associates a TAG with the client TCP connection. +# The TAG is treated as a regular annotation but persists across +# future requests on the client connection rather than just the +# current request. A helper may update the TAG during subsequent +# requests be returning a new kv-pair. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# WARNING: URL re-writing ability should be avoided whenever possible. +# Use the URL redirect form of response instead. +# +# Re-write creates a difference in the state held by the client +# and server. Possibly causing confusion when the server response +# contains snippets of its view state. Embeded URLs, response +# and content Location headers, etc. are not re-written by this +# interface. # # By default, a URL rewriter is not used. #Default: # none # TAG: url_rewrite_children -# The number of redirector processes to spawn. If you start -# too few Squid will have to wait for them to process a backlog of -# URLs, slowing it down. If you start too many they will use RAM -# and other system resources. -#Default: -# url_rewrite_children 5 - -# TAG: url_rewrite_concurrency +# The maximum number of redirector processes to spawn. If you limit +# it too few Squid will have to wait for them to process a backlog of +# URLs, slowing it down. If you allow too many they will use RAM +# and other system resources noticably. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup= +# +# Sets a minimum of how many processes are to be spawned when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few will cause an initial slowdown in traffic as Squid +# attempts to simultaneously spawn enough processes to cope. +# +# idle= +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# # The number of requests each redirector helper can handle in # parallel. Defaults to 0 which indicates the redirector # is a old-style single threaded redirector. # # When this directive is set to a value >= 1 then the protocol # used to communicate with the helper is modified to include -# a request ID in front of the request/response. The request -# ID from the request must be echoed back with the response -# to that request. +# an ID in front of the request/response. The ID from the request +# must be echoed back with the response to that request. #Default: -# url_rewrite_concurrency 0 +# url_rewrite_children 20 startup=0 idle=1 concurrency=0 # TAG: url_rewrite_host_header -# By default Squid rewrites any Host: header in redirected -# requests. If you are running an accelerator this may -# not be a wanted effect of a redirector. -# +# To preserve same-origin security policies in browsers and +# prevent Host: header forgery by redirectors Squid rewrites +# any Host: header in redirected requests. +# +# If you are running an accelerator this may not be a wanted +# effect of a redirector. This directive enables you disable +# Host: alteration in reverse-proxy traffic. +# # WARNING: Entries are cached on the result of the URL rewriting # process, so be careful if you have domain-virtual hosts. +# +# WARNING: Squid and other software verifies the URL and Host +# are matching, so be careful not to relay through other proxies +# or inspecting firewalls with this disabled. #Default: # url_rewrite_host_header on # TAG: url_rewrite_access # If defined, this access list specifies which requests are -# sent to the redirector processes. By default all requests -# are sent. +# sent to the redirector processes. # # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: url_rewrite_bypass # When this is 'on', a request will not go through the -# redirector if all redirectors are busy. If this is 'off' +# redirector if all the helpers are busy. If this is 'off' # and the redirector queue grows too large, Squid will exit # with a FATAL error and ask you to increase the number of # redirectors. You should only enable this if the redirectors @@ -2987,23 +4527,231 @@ coredump_dir /var/spool/squid #Default: # url_rewrite_bypass off -# OPTIONS FOR TUNING THE CACHE +# TAG: url_rewrite_extras +# Specifies a string to be append to request line format for the +# rewriter helper. "Quoted" format values may contain spaces and +# logformat %macros. In theory, any logformat %macro can be used. +# In practice, a %macro expands as a dash (-) if the helper request is +# sent before the required macro information is available to Squid. +#Default: +# url_rewrite_extras "%>a/%>A %un %>rm myip=%la myport=%lp" + +# OPTIONS FOR STORE ID # ----------------------------------------------------------------------------- -# TAG: cache -# A list of ACL elements which, if matched and denied, cause the request to -# not be satisfied from the cache and the reply to not be cached. -# In other words, use this to force certain objects to never be cached. +# TAG: store_id_program +# Specify the location of the executable StoreID helper to use. +# Since they can perform almost any function there isn't one included. # -# You must use the words 'allow' or 'deny' to indicate whether items -# matching the ACL should be allowed or denied into the cache. +# For each requested URL, the helper will receive one line with the format # -# Default is to allow all to be cached. +# [channel-ID ] URL [ extras] +# +# +# After processing the request the helper must reply using the following format: +# +# [channel-ID ] result [ kv-pairs] +# +# The result code can be: +# +# OK store-id="..." +# Use the StoreID supplied in 'store-id='. +# +# ERR +# The default is to use HTTP request URL as the store ID. +# +# BH +# An internal error occured in the helper, preventing +# a result being identified. +# +# In addition to the above kv-pairs Squid also understands the following +# optional kv-pairs received from URL rewriters: +# clt_conn_tag=TAG +# Associates a TAG with the client TCP connection. +# Please see url_rewrite_program related documentation for this +# kv-pair +# +# Helper programs should be prepared to receive and possibly ignore +# additional whitespace-separated tokens on each input line. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# NOTE: when using StoreID refresh_pattern will apply to the StoreID +# returned from the helper and not the URL. +# +# WARNING: Wrong StoreID value returned by a careless helper may result +# in the wrong cached response returned to the user. +# +# By default, a StoreID helper is not used. +#Default: +# none + +# TAG: store_id_extras +# Specifies a string to be append to request line format for the +# StoreId helper. "Quoted" format values may contain spaces and +# logformat %macros. In theory, any logformat %macro can be used. +# In practice, a %macro expands as a dash (-) if the helper request is +# sent before the required macro information is available to Squid. +#Default: +# store_id_extras "%>a/%>A %un %>rm myip=%la myport=%lp" + +# TAG: store_id_children +# The maximum number of StoreID helper processes to spawn. If you limit +# it too few Squid will have to wait for them to process a backlog of +# requests, slowing it down. If you allow too many they will use RAM +# and other system resources noticably. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup= +# +# Sets a minimum of how many processes are to be spawned when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few will cause an initial slowdown in traffic as Squid +# attempts to simultaneously spawn enough processes to cope. +# +# idle= +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# +# The number of requests each storeID helper can handle in +# parallel. Defaults to 0 which indicates the helper +# is a old-style single threaded program. +# +# When this directive is set to a value >= 1 then the protocol +# used to communicate with the helper is modified to include +# an ID in front of the request/response. The ID from the request +# must be echoed back with the response to that request. +#Default: +# store_id_children 20 startup=0 idle=1 concurrency=0 + +# TAG: store_id_access +# If defined, this access list specifies which requests are +# sent to the StoreID processes. By default all requests +# are sent. # # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow, unless rules exist in squid.conf. + +# TAG: store_id_bypass +# When this is 'on', a request will not go through the +# helper if all helpers are busy. If this is 'off' +# and the helper queue grows too large, Squid will exit +# with a FATAL error and ask you to increase the number of +# helpers. You should only enable this if the helperss +# are not critical to your caching system. If you use +# helpers for critical caching components, and you enable this +# option, users may not get objects from cache. +#Default: +# store_id_bypass on + +# OPTIONS FOR TUNING THE CACHE +# ----------------------------------------------------------------------------- + +# TAG: cache +# Requests denied by this directive will not be served from the cache +# and their responses will not be stored in the cache. This directive +# has no effect on other transactions and on already cached responses. +# +# This clause supports both fast and slow acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# This and the two other similar caching directives listed below are +# checked at different transaction processing stages, have different +# access to response information, affect different cache operations, +# and differ in slow ACLs support: +# +# * cache: Checked before Squid makes a hit/miss determination. +# No access to reply information! +# Denies both serving a hit and storing a miss. +# Supports both fast and slow ACLs. +# * send_hit: Checked after a hit was detected. +# Has access to reply (hit) information. +# Denies serving a hit only. +# Supports fast ACLs only. +# * store_miss: Checked before storing a cachable miss. +# Has access to reply (miss) information. +# Denies storing a miss only. +# Supports fast ACLs only. +# +# If you are not sure which of the three directives to use, apply the +# following decision logic: +# +# * If your ACL(s) are of slow type _and_ need response info, redesign. +# Squid does not support that particular combination at this time. +# Otherwise: +# * If your directive ACL(s) are of slow type, use "cache"; and/or +# * if your directive ACL(s) need no response info, use "cache". +# Otherwise: +# * If you do not want the response cached, use store_miss; and/or +# * if you do not want a hit on a cached response, use send_hit. +#Default: +# By default, this directive is unused and has no effect. + +# TAG: send_hit +# Responses denied by this directive will not be served from the cache +# (but may still be cached, see store_miss). This directive has no +# effect on the responses it allows and on the cached objects. +# +# Please see the "cache" directive for a summary of differences among +# store_miss, send_hit, and cache directives. +# +# Unlike the "cache" directive, send_hit only supports fast acl +# types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# For example: +# +# # apply custom Store ID mapping to some URLs +# acl MapMe dstdomain .c.example.com +# store_id_program ... +# store_id_access allow MapMe +# +# # but prevent caching of special responses +# # such as 302 redirects that cause StoreID loops +# acl Ordinary http_status 200-299 +# store_miss deny MapMe !Ordinary +# +# # and do not serve any previously stored special responses +# # from the cache (in case they were already cached before +# # the above store_miss rule was in effect). +# send_hit deny MapMe !Ordinary +#Default: +# By default, this directive is unused and has no effect. + +# TAG: store_miss +# Responses denied by this directive will not be cached (but may still +# be served from the cache, see send_hit). This directive has no +# effect on the responses it allows and on the already cached responses. +# +# Please see the "cache" directive for a summary of differences among +# store_miss, send_hit, and cache directives. See the +# send_hit directive for a usage example. +# +# Unlike the "cache" directive, store_miss only supports fast acl +# types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# By default, this directive is unused and has no effect. + +# TAG: max_stale time-units +# This option puts an upper limit on how stale content Squid +# will serve from the cache if cache validation fails. +# Can be overriden by the refresh_pattern max-stale option. +#Default: +# max_stale 1 week # TAG: refresh_pattern # usage: refresh_pattern [-i] regex min percent max [options] @@ -3028,12 +4776,13 @@ coredump_dir /var/spool/squid # override-lastmod # reload-into-ims # ignore-reload -# ignore-no-cache # ignore-no-store # ignore-must-revalidate # ignore-private # ignore-auth +# max-stale=NN # refresh-ims +# store-stale # # override-expire enforces min age even if the server # sent an explicit expiry time (e.g., with the @@ -3049,22 +4798,18 @@ coredump_dir /var/spool/squid # override-lastmod enforces min age even on objects # that were modified recently. # -# reload-into-ims changes client no-cache or ``reload'' -# to If-Modified-Since requests. Doing this VIOLATES the -# HTTP standard. Enabling this feature could make you -# liable for problems which it causes. +# reload-into-ims changes a client no-cache or ``reload'' +# request for a cached entry into a conditional request using +# If-Modified-Since and/or If-None-Match headers, provided the +# cached entry has a Last-Modified and/or a strong ETag header. +# Doing this VIOLATES the HTTP standard. Enabling this feature +# could make you liable for problems which it causes. # # ignore-reload ignores a client no-cache or ``reload'' # header. Doing this VIOLATES the HTTP standard. Enabling # this feature could make you liable for problems which # it causes. # -# ignore-no-cache ignores any ``Pragma: no-cache'' and -# ``Cache-control: no-cache'' headers received from a server. -# The HTTP RFC never allows the use of this (Pragma) header -# from a server, only a client, though plenty of servers -# send it anyway. -# # ignore-no-store ignores any ``Cache-control: no-store'' # headers received from a server. Doing this VIOLATES # the HTTP standard. Enabling this feature could make you @@ -3091,9 +4836,19 @@ coredump_dir /var/spool/squid # ensures that the client will receive an updated version # if one is available. # +# store-stale stores responses even if they don't have explicit +# freshness or a validator (i.e., Last-Modified or an ETag) +# present, or if they're already stale. By default, Squid will +# not cache such responses because they usually can't be +# reused. Note that such responses will be stale by default. +# +# max-stale=NN provide a maximum staleness factor. Squid won't +# serve objects more stale than this even if it failed to +# validate the object. Default: use the max_stale global limit. +# # Basically a cached object is: # -# FRESH if expires < now, else STALE +# FRESH if expire > now, else STALE # STALE if age > max # FRESH if lm-factor < percent, else STALE # FRESH if age < min @@ -3109,7 +4864,9 @@ coredump_dir /var/spool/squid # # +# # Add any of your own refresh_pattern entries above these. +# refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 @@ -3137,7 +4894,7 @@ refresh_pattern . 0 20% 4320 # downloads. # # When the user aborts a request, Squid will check the -# quick_abort values to the amount of data transfered until +# quick_abort values to the amount of data transferred until # then. # # If the transfer has less than 'quick_abort_min' KB remaining, @@ -3195,44 +4952,68 @@ refresh_pattern . 0 20% 4320 #Default: # negative_dns_ttl 1 minutes -# TAG: range_offset_limit (bytes) -# Sets a upper limit on how far into the the file a Range request -# may be to cause Squid to prefetch the whole file. If beyond this -# limit Squid forwards the Range request as it is and the result -# is NOT cached. -# +# TAG: range_offset_limit size [acl acl...] +# usage: (size) [units] [[!]aclname] +# +# Sets an upper limit on how far (number of bytes) into the file +# a Range request may be to cause Squid to prefetch the whole file. +# If beyond this limit, Squid forwards the Range request as it is and +# the result is NOT cached. +# # This is to stop a far ahead range request (lets say start at 17MB) # from making Squid fetch the whole object up to that point before # sending anything to the client. -# -# A value of 0 causes Squid to never fetch more than the +# +# Multiple range_offset_limit lines may be specified, and they will +# be searched from top to bottom on each request until a match is found. +# The first match found will be used. If no line matches a request, the +# default limit of 0 bytes will be used. +# +# 'size' is the limit specified as a number of units. +# +# 'units' specifies whether to use bytes, KB, MB, etc. +# If no units are specified bytes are assumed. +# +# A size of 0 causes Squid to never fetch more than the # client requested. (default) -# -# A value of -1 causes Squid to always fetch the object from the +# +# A size of 'none' causes Squid to always fetch the object from the # beginning so it may cache the result. (2.0 style) -# -# NP: Using -1 here will override any quick_abort settings that may -# otherwise apply to the range request. The range request will +# +# 'aclname' is the name of a defined ACL. +# +# NP: Using 'none' as the byte value here will override any quick_abort settings +# that may otherwise apply to the range request. The range request will # be fully fetched from start to finish regardless of the client # actions. This affects bandwidth usage. #Default: -# range_offset_limit 0 KB +# none # TAG: minimum_expiry_time (seconds) # The minimum caching time according to (Expires - Date) -# Headers Squid honors if the object can't be revalidated -# defaults to 60 seconds. In reverse proxy environments it -# might be desirable to honor shorter object lifetimes. It -# is most likely better to make your server return a -# meaningful Last-Modified header however. In ESI environments -# where page fragments often have short lifetimes, this will -# often be best set to 0. +# headers Squid honors if the object can't be revalidated. +# The default is 60 seconds. +# +# In reverse proxy environments it might be desirable to honor +# shorter object lifetimes. It is most likely better to make +# your server return a meaningful Last-Modified header however. +# +# In ESI environments where page fragments often have short +# lifetimes, this will often be best set to 0. #Default: # minimum_expiry_time 60 seconds -# TAG: store_avg_object_size (kbytes) +# TAG: store_avg_object_size (bytes) # Average object size, used to estimate number of objects your # cache can hold. The default is 13 KB. +# +# This is used to pre-seed the cache index memory allocation to +# reduce expensive reallocate operations while handling clients +# traffic. Too-large values may result in memory allocation during +# peak traffic, too-small values will result in wasted memory. +# +# Check the cache manager 'info' report metrics for the real +# object sizes seen by your Squid before tuning this. #Default: # store_avg_object_size 13 KB @@ -3271,8 +5052,11 @@ refresh_pattern . 0 20% 4320 # than this limit receives an "Invalid Request" error message. # If you set this parameter to a zero (the default), there will # be no limit imposed. +# +# See also client_request_buffer_max_size for an alternative +# limitation on client uploads which can be configured. #Default: -# request_body_max_size 0 KB +# No limit. # TAG: client_request_buffer_max_size (bytes) # This specifies the maximum buffer size of a client request. @@ -3281,29 +5065,6 @@ refresh_pattern . 0 20% 4320 #Default: # client_request_buffer_max_size 512 KB -# TAG: chunked_request_body_max_size (bytes) -# A broken or confused HTTP/1.1 client may send a chunked HTTP -# request to Squid. Squid does not have full support for that -# feature yet. To cope with such requests, Squid buffers the -# entire request and then dechunks request body to create a -# plain HTTP/1.0 request with a known content length. The plain -# request is then used by the rest of Squid code as usual. -# -# The option value specifies the maximum size of the buffer used -# to hold the request before the conversion. If the chunked -# request size exceeds the specified limit, the conversion -# fails, and the client receives an "unsupported request" error, -# as if dechunking was disabled. -# -# Dechunking is enabled by default. To disable conversion of -# chunked requests, set the maximum to zero. -# -# Request dechunking feature and this option in particular are a -# temporary hack. When chunking requests and responses are fully -# supported, there will be no need to buffer a chunked request. -#Default: -# chunked_request_body_max_size 64 KB - # TAG: broken_posts # A list of ACL elements which, if matched, causes Squid to send # an extra CRLF pair after the body of a PUT/POST request. @@ -3325,15 +5086,15 @@ refresh_pattern . 0 20% 4320 # acl buggy_server url_regex ^http://.... # broken_posts allow buggy_server #Default: -# none +# Obey RFC 2616. -# TAG: icap_uses_indirect_client on|off +# TAG: adaptation_uses_indirect_client on|off # Controls whether the indirect client IP address (instead of the direct # client IP address) is passed to adaptation services. # # See also: follow_x_forwarded_for adaptation_send_client_ip #Default: -# icap_uses_indirect_client on +# adaptation_uses_indirect_client on # TAG: via on|off # If set (default), Squid will include a Via header in requests and @@ -3395,64 +5156,62 @@ refresh_pattern . 0 20% 4320 # # This option replaces the old 'anonymize_headers' and the # older 'http_anonymizer' option with something that is much -# more configurable. This new method creates a list of ACLs -# for each header, allowing you very fine-tuned header -# mangling. -# -# This option only applies to request headers, i.e., from the -# client to the server. -# -# You can only specify known headers for the header name. -# Other headers are reclassified as 'Other'. You can also -# refer to all the headers with 'All'. +# more configurable. A list of ACLs for each header name allows +# removal of specific header fields under specific conditions. +# +# This option only applies to outgoing HTTP request headers (i.e., +# headers sent by Squid to the next HTTP hop such as a cache peer +# or an origin server). The option has no effect during cache hit +# detection. The equivalent adaptation vectoring point in ICAP +# terminology is post-cache REQMOD. +# +# The option is applied to individual outgoing request header +# fields. For each request header field F, Squid uses the first +# qualifying sets of request_header_access rules: +# +# 1. Rules with header_name equal to F's name. +# 2. Rules with header_name 'Other', provided F's name is not +# on the hard-coded list of commonly used HTTP header names. +# 3. Rules with header_name 'All'. +# +# Within that qualifying rule set, rule ACLs are checked as usual. +# If ACLs of an "allow" rule match, the header field is allowed to +# go through as is. If ACLs of a "deny" rule match, the header is +# removed and request_header_replace is then checked to identify +# if the removed header has a replacement. If no rules within the +# set have matching ACLs, the header field is left as is. # # For example, to achieve the same behavior as the old # 'http_anonymizer standard' option, you should use: # # request_header_access From deny all # request_header_access Referer deny all -# request_header_access Server deny all # request_header_access User-Agent deny all -# request_header_access WWW-Authenticate deny all -# request_header_access Link deny all # # Or, to reproduce the old 'http_anonymizer paranoid' feature # you should use: # -# request_header_access Allow allow all # request_header_access Authorization allow all -# request_header_access WWW-Authenticate allow all # request_header_access Proxy-Authorization allow all -# request_header_access Proxy-Authenticate allow all # request_header_access Cache-Control allow all -# request_header_access Content-Encoding allow all # request_header_access Content-Length allow all # request_header_access Content-Type allow all # request_header_access Date allow all -# request_header_access Expires allow all # request_header_access Host allow all # request_header_access If-Modified-Since allow all -# request_header_access Last-Modified allow all -# request_header_access Location allow all # request_header_access Pragma allow all # request_header_access Accept allow all # request_header_access Accept-Charset allow all # request_header_access Accept-Encoding allow all # request_header_access Accept-Language allow all -# request_header_access Content-Language allow all -# request_header_access Mime-Version allow all -# request_header_access Retry-After allow all -# request_header_access Title allow all # request_header_access Connection allow all # request_header_access All deny all # -# although many of those are HTTP reply headers, and so should be -# controlled with the reply_header_access directive. +# HTTP reply headers are controlled with the reply_header_access directive. # -# By default, all headers are allowed (no anonymizing is -# performed). +# By default, all headers are allowed (no anonymizing is performed). #Default: -# none +# No limits. # TAG: reply_header_access # Usage: reply_header_access header_name allow|deny [!]aclname ... @@ -3465,25 +5224,13 @@ refresh_pattern . 0 20% 4320 # server to the client. # # This is the same as request_header_access, but in the other -# direction. -# -# This option replaces the old 'anonymize_headers' and the -# older 'http_anonymizer' option with something that is much -# more configurable. This new method creates a list of ACLs -# for each header, allowing you very fine-tuned header -# mangling. -# -# You can only specify known headers for the header name. -# Other headers are reclassified as 'Other'. You can also -# refer to all the headers with 'All'. +# direction. Please see request_header_access for detailed +# documentation. # # For example, to achieve the same behavior as the old # 'http_anonymizer standard' option, you should use: # -# reply_header_access From deny all -# reply_header_access Referer deny all # reply_header_access Server deny all -# reply_header_access User-Agent deny all # reply_header_access WWW-Authenticate deny all # reply_header_access Link deny all # @@ -3491,9 +5238,7 @@ refresh_pattern . 0 20% 4320 # you should use: # # reply_header_access Allow allow all -# reply_header_access Authorization allow all # reply_header_access WWW-Authenticate allow all -# reply_header_access Proxy-Authorization allow all # reply_header_access Proxy-Authenticate allow all # reply_header_access Cache-Control allow all # reply_header_access Content-Encoding allow all @@ -3501,29 +5246,22 @@ refresh_pattern . 0 20% 4320 # reply_header_access Content-Type allow all # reply_header_access Date allow all # reply_header_access Expires allow all -# reply_header_access Host allow all -# reply_header_access If-Modified-Since allow all # reply_header_access Last-Modified allow all # reply_header_access Location allow all # reply_header_access Pragma allow all -# reply_header_access Accept allow all -# reply_header_access Accept-Charset allow all -# reply_header_access Accept-Encoding allow all -# reply_header_access Accept-Language allow all # reply_header_access Content-Language allow all -# reply_header_access Mime-Version allow all # reply_header_access Retry-After allow all # reply_header_access Title allow all +# reply_header_access Content-Disposition allow all # reply_header_access Connection allow all # reply_header_access All deny all # -# although the HTTP request headers won't be usefully controlled -# by this directive -- see request_header_access for details. +# HTTP request headers are controlled with the request_header_access directive. # # By default, all headers are allowed (no anonymizing is # performed). #Default: -# none +# No limits. # TAG: request_header_replace # Usage: request_header_replace header_name message @@ -3531,8 +5269,7 @@ refresh_pattern . 0 20% 4320 # # This option allows you to change the contents of headers # denied with request_header_access above, by replacing them -# with some fixed string. This replaces the old fake_user_agent -# option. +# with some fixed string. # # This only applies to request headers, not reply headers. # @@ -3554,6 +5291,57 @@ refresh_pattern . 0 20% 4320 #Default: # none +# TAG: request_header_add +# Usage: request_header_add field-name field-value acl1 [acl2] ... +# Example: request_header_add X-Client-CA "CA=%ssl::>cert_issuer" all +# +# This option adds header fields to outgoing HTTP requests (i.e., +# request headers sent by Squid to the next HTTP hop such as a +# cache peer or an origin server). The option has no effect during +# cache hit detection. The equivalent adaptation vectoring point +# in ICAP terminology is post-cache REQMOD. +# +# Field-name is a token specifying an HTTP header name. If a +# standard HTTP header name is used, Squid does not check whether +# the new header conflicts with any existing headers or violates +# HTTP rules. If the request to be modified already contains a +# field with the same name, the old field is preserved but the +# header field values are not merged. +# +# Field-value is either a token or a quoted string. If quoted +# string format is used, then the surrounding quotes are removed +# while escape sequences and %macros are processed. +# +# In theory, all of the logformat codes can be used as %macros. +# However, unlike logging (which happens at the very end of +# transaction lifetime), the transaction may not yet have enough +# information to expand a macro when the new header value is needed. +# And some information may already be available to Squid but not yet +# committed where the macro expansion code can access it (report +# such instances!). The macro will be expanded into a single dash +# ('-') in such cases. Not all macros have been tested. +# +# One or more Squid ACLs may be specified to restrict header +# injection to matching requests. As always in squid.conf, all +# ACLs in an option ACL list must be satisfied for the insertion +# to happen. The request_header_add option supports fast ACLs +# only. +#Default: +# none + +# TAG: note +# This option used to log custom information about the master +# transaction. For example, an admin may configure Squid to log +# which "user group" the transaction belongs to, where "user group" +# will be determined based on a set of ACLs and not [just] +# authentication information. +# Values of key/value pairs can be logged using %{key}note macros: +# +# note key value acl ... +# logformat myFormat ... %{key}note ... +#Default: +# none + # TAG: relaxed_header_parser on|off|warn # In the default "on" setting Squid accepts certain forms # of non-compliant HTTP messages where it is unambiguous @@ -3569,15 +5357,32 @@ refresh_pattern . 0 20% 4320 #Default: # relaxed_header_parser on -# TAG: ignore_expect_100 on|off -# This option makes Squid ignore any Expect: 100-continue header present -# in the request. RFC 2616 requires that Squid being unable to satisfy -# the response expectation MUST return a 417 error. -# -# Note: Enabling this is a HTTP protocol violation, but some clients may -# not handle it well.. -#Default: -# ignore_expect_100 off +# TAG: collapsed_forwarding (on|off) +# When enabled, instead of forwarding each concurrent request for +# the same URL, Squid just sends the first of them. The other, so +# called "collapsed" requests, wait for the response to the first +# request and, if it happens to be cachable, use that response. +# Here, "concurrent requests" means "received after the first +# request headers were parsed and before the corresponding response +# headers were parsed". +# +# This feature is disabled by default: enabling collapsed +# forwarding needlessly delays forwarding requests that look +# cachable (when they are collapsed) but then need to be forwarded +# individually anyway because they end up being for uncachable +# content. However, in some cases, such as acceleration of highly +# cachable content with periodic or grouped expiration times, the +# gains from collapsing [large volumes of simultaneous refresh +# requests] outweigh losses from such delays. +# +# Squid collapses two kinds of requests: regular client requests +# received on one of the listening ports and internal "cache +# revalidation" requests which are triggered by those regular +# requests hitting a stale cached object. Revalidation collapsing +# is currently disabled for Squid instances containing SMP-aware +# disk or memory caches and for Vary-controlled cached objects. +#Default: +# collapsed_forwarding off # TIMEOUTS # ----------------------------------------------------------------------------- @@ -3604,25 +5409,46 @@ refresh_pattern . 0 20% 4320 # peer_connect_timeout 30 seconds # TAG: read_timeout time-units -# The read_timeout is applied on server-side connections. After -# each successful read(), the timeout will be extended by this +# Applied on peer server connections. +# +# After each successful read(), the timeout will be extended by this # amount. If no data is read again after this amount of time, -# the request is aborted and logged with ERR_READ_TIMEOUT. The -# default is 15 minutes. +# the request is aborted and logged with ERR_READ_TIMEOUT. +# +# The default is 15 minutes. #Default: # read_timeout 15 minutes +# TAG: write_timeout time-units +# This timeout is tracked for all connections that have data +# available for writing and are waiting for the socket to become +# ready. After each successful write, the timeout is extended by +# the configured amount. If Squid has data to write but the +# connection is not ready for the configured duration, the +# transaction associated with the connection is terminated. The +# default is 15 minutes. +#Default: +# write_timeout 15 minutes + # TAG: request_timeout # How long to wait for complete HTTP request headers after initial # connection establishment. #Default: # request_timeout 5 minutes -# TAG: persistent_request_timeout +# TAG: client_idle_pconn_timeout # How long to wait for the next HTTP request on a persistent -# connection after the previous request completes. +# client connection after the previous request completes. +#Default: +# client_idle_pconn_timeout 2 minutes + +# TAG: ftp_client_idle_timeout +# How long to wait for an FTP request on a connection to Squid ftp_port. +# Many FTP clients do not deal with idle connection closures well, +# necessitating a longer default timeout than client_idle_pconn_timeout +# used for incoming HTTP requests. #Default: -# persistent_request_timeout 2 minutes +# ftp_client_idle_timeout 30 minutes # TAG: client_lifetime time-units # The maximum amount of time a client (browser) is allowed to @@ -3658,11 +5484,11 @@ refresh_pattern . 0 20% 4320 #Default: # half_closed_clients off -# TAG: pconn_timeout +# TAG: server_idle_pconn_timeout # Timeout for idle persistent connections to servers and other # proxies. #Default: -# pconn_timeout 1 minute +# server_idle_pconn_timeout 1 minute # TAG: ident_timeout # Maximum time to wait for IDENT lookups to complete. @@ -3687,15 +5513,15 @@ refresh_pattern . 0 20% 4320 # TAG: cache_mgr # Email-address of local cache manager who will receive -# mail if the cache dies. The default is "webmaster." +# mail if the cache dies. The default is "webmaster". #Default: # cache_mgr webmaster # TAG: mail_from # From: email-address for mail sent when the cache dies. -# The default is to use 'appname@unique_hostname'. -# Default appname value is "squid", can be changed into -# src/globals.h before building squid. +# The default is to use 'squid@unique_hostname'. +# +# See also: unique_hostname directive. #Default: # none @@ -3734,7 +5560,7 @@ refresh_pattern . 0 20% 4320 # Our preference is for administrators to configure a secure # user account for squid with UID/GID matching system policies. #Default: -# none +# Use system group memberships of the cache_effective_user account # TAG: httpd_suppress_version_string on|off # Suppress Squid version string info in HTTP headers and HTML error pages. @@ -3748,14 +5574,14 @@ refresh_pattern . 0 20% 4320 # get errors about IP-forwarding you must set them to have individual # names with this setting. #Default: -# visible_hostname localhost +# Automatically detect the system host name # TAG: unique_hostname # If you want to have multiple machines with the same # 'visible_hostname' you must give each machine a different # 'unique_hostname' so forwarding loops can be detected. #Default: -# none +# Copy the value from visible_hostname # TAG: hostname_aliases # A list of other DNS names your cache has. @@ -3794,33 +5620,32 @@ refresh_pattern . 0 20% 4320 # available on the Web at http://www.ircache.net/Cache/Tracker/. # TAG: announce_period -# This is how frequently to send cache announcements. The -# default is `0' which disables sending the announcement -# messages. +# This is how frequently to send cache announcements. # # To enable announcing your cache, just set an announce period. # # Example: # announce_period 1 day #Default: -# announce_period 0 +# Announcement messages disabled. # TAG: announce_host +# Set the hostname where announce registration messages will be sent. +# +# See also announce_port and announce_file #Default: # announce_host tracker.ircache.net # TAG: announce_file +# The contents of this file will be included in the announce +# registration messages. #Default: # none # TAG: announce_port -# announce_host and announce_port set the hostname and port -# number where the registration message will be sent. +# Set the port where announce registration messages will be sent. # -# Hostname will default to 'tracker.ircache.net' and port will -# default default to 3131. If the 'filename' argument is given, -# the contents of that file will be included in the announce -# message. +# See also announce_host and announce_file #Default: # announce_port 3131 @@ -3833,10 +5658,12 @@ refresh_pattern . 0 20% 4320 # a farm of surrogates may all perform the same tasks, they may share # an identification token. #Default: -# httpd_accel_surrogate_id unset-id +# visible_hostname is used if no specific ID is set. # TAG: http_accel_surrogate_remote on|off -# Remote surrogates (such as those in a CDN) honour Surrogate-Control: no-store-remote. +# Remote surrogates (such as those in a CDN) honour the header +# "Surrogate-Control: no-store-remote". +# # Set this to on to have squid behave as a remote surrogate. #Default: # http_accel_surrogate_remote off @@ -3855,6 +5682,9 @@ refresh_pattern . 0 20% 4320 # This represents the number of delay pools to be used. For example, # if you have one class 2 delay pool and one class 3 delays pool, you # have a total of 2 delay pools. +# +# See also delay_parameters, delay_class, delay_access for pool +# configuration details. #Default: # delay_pools 0 @@ -3907,6 +5737,11 @@ refresh_pattern . 0 20% 4320 # # NOTE-2: Due to the use of bitmasks in class 2,3,4 pools they only apply to # IPv4 traffic. Class 1 and 5 pools may be used with IPv6 traffic. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# See also delay_parameters and delay_access. #Default: # none @@ -3921,14 +5756,16 @@ refresh_pattern . 0 20% 4320 # For example, if you want some_big_clients in delay # pool 1 and lotsa_little_clients in delay pool 2: # -#Example: -# delay_access 1 allow some_big_clients -# delay_access 1 deny all -# delay_access 2 allow lotsa_little_clients -# delay_access 2 deny all -# delay_access 3 allow authenticated_clients +# delay_access 1 allow some_big_clients +# delay_access 1 deny all +# delay_access 2 allow lotsa_little_clients +# delay_access 2 deny all +# delay_access 3 allow authenticated_clients +# +# See also delay_parameters and delay_class. +# #Default: -# none +# Deny using the pool, unless allow rules exist in squid.conf for the pool. # TAG: delay_parameters # This defines the parameters for a delay pool. Each delay pool has @@ -3936,23 +5773,23 @@ refresh_pattern . 0 20% 4320 # description of delay_class. # # For a class 1 delay pool, the syntax is: -# delay_pools pool 1 +# delay_class pool 1 # delay_parameters pool aggregate # # For a class 2 delay pool: -# delay_pools pool 2 +# delay_class pool 2 # delay_parameters pool aggregate individual # # For a class 3 delay pool: -# delay_pools pool 3 +# delay_class pool 3 # delay_parameters pool aggregate network individual # # For a class 4 delay pool: -# delay_pools pool 4 +# delay_class pool 4 # delay_parameters pool aggregate network individual user # # For a class 5 delay pool: -# delay_pools pool 5 +# delay_class pool 5 # delay_parameters pool tagrate # # The option variables are: @@ -3988,11 +5825,11 @@ refresh_pattern . 0 20% 4320 # above example, and is being used to strictly limit each host to 64Kbit/sec # (plus overheads), with no overall limit, the line is: # -# delay_parameters 1 -1/-1 8000/8000 +# delay_parameters 1 none 8000/8000 # -# Note that 8 x 8000 KByte/sec -> 64Kbit/sec. +# Note that 8 x 8K Byte/sec -> 64K bit/sec. # -# Note that the figure -1 is used to represent "unlimited". +# Note that the word 'none' is used to represent no limit. # # # And, if delay pool number 2 is a class 3 delay pool as in the above @@ -4005,15 +5842,19 @@ refresh_pattern . 0 20% 4320 # # delay_parameters 2 32000/32000 8000/8000 600/8000 # -# Note that 8 x 32000 KByte/sec -> 256Kbit/sec. -# 8 x 8000 KByte/sec -> 64Kbit/sec. -# 8 x 600 Byte/sec -> 4800bit/sec. +# Note that 8 x 32K Byte/sec -> 256K bit/sec. +# 8 x 8K Byte/sec -> 64K bit/sec. +# 8 x 600 Byte/sec -> 4800 bit/sec. # # # Finally, for a class 4 delay pool as in the example - each user will # be limited to 128Kbits/sec no matter how many workstations they are logged into.: # # delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000 +# +# +# See also delay_class and delay_access. +# #Default: # none @@ -4026,6 +5867,94 @@ refresh_pattern . 0 20% 4320 #Default: # delay_initial_bucket_level 50 +# CLIENT DELAY POOL PARAMETERS +# ----------------------------------------------------------------------------- + +# TAG: client_delay_pools +# This option specifies the number of client delay pools used. It must +# preceed other client_delay_* options. +# +# Example: +# client_delay_pools 2 +# +# See also client_delay_parameters and client_delay_access. +#Default: +# client_delay_pools 0 + +# TAG: client_delay_initial_bucket_level (percent, 0-no_limit) +# This option determines the initial bucket size as a percentage of +# max_bucket_size from client_delay_parameters. Buckets are created +# at the time of the "first" connection from the matching IP. Idle +# buckets are periodically deleted up. +# +# You can specify more than 100 percent but note that such "oversized" +# buckets are not refilled until their size goes down to max_bucket_size +# from client_delay_parameters. +# +# Example: +# client_delay_initial_bucket_level 50 +#Default: +# client_delay_initial_bucket_level 50 + +# TAG: client_delay_parameters +# +# This option configures client-side bandwidth limits using the +# following format: +# +# client_delay_parameters pool speed_limit max_bucket_size +# +# pool is an integer ID used for client_delay_access matching. +# +# speed_limit is bytes added to the bucket per second. +# +# max_bucket_size is the maximum size of a bucket, enforced after any +# speed_limit additions. +# +# Please see the delay_parameters option for more information and +# examples. +# +# Example: +# client_delay_parameters 1 1024 2048 +# client_delay_parameters 2 51200 16384 +# +# See also client_delay_access. +# +#Default: +# none + +# TAG: client_delay_access +# This option determines the client-side delay pool for the +# request: +# +# client_delay_access pool_ID allow|deny acl_name +# +# All client_delay_access options are checked in their pool ID +# order, starting with pool 1. The first checked pool with allowed +# request is selected for the request. If no ACL matches or there +# are no client_delay_access options, the request bandwidth is not +# limited. +# +# The ACL-selected pool is then used to find the +# client_delay_parameters for the request. Client-side pools are +# not used to aggregate clients. Clients are always aggregated +# based on their source IP addresses (one bucket per source IP). +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# Additionally, only the client TCP connection details are available. +# ACLs testing HTTP properties will not work. +# +# Please see delay_access for more examples. +# +# Example: +# client_delay_access 1 allow low_rate_network +# client_delay_access 2 allow vips_network +# +# +# See also client_delay_parameters and client_delay_pools. +#Default: +# Deny use of the pool, unless allow rules exist in squid.conf for the pool. + # WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS # ----------------------------------------------------------------------------- @@ -4040,7 +5969,7 @@ refresh_pattern . 0 20% 4320 # only one of the two may be used at the same time and defines # which version of WCCP to use. #Default: -# wccp_router any_addr +# WCCP disabled. # TAG: wccp2_router # Use this option to define your WCCP ``home'' router for @@ -4053,7 +5982,7 @@ refresh_pattern . 0 20% 4320 # only one of the two may be used at the same time and defines # which version of WCCP to use. #Default: -# none +# WCCPv2 disabled. # TAG: wccp_version # This directive is only relevant if you need to set up WCCP(v1) @@ -4110,7 +6039,7 @@ refresh_pattern . 0 20% 4320 # Valid values are as follows: # # hash - Hash assignment -# mask - Mask assignment +# mask - Mask assignment # # As a general rule, cisco routers support the hash assignment method # and cisco switches support the mask assignment method. @@ -4138,7 +6067,7 @@ refresh_pattern . 0 20% 4320 # # fleshed out with subsequent options. # wccp2_service standard 0 password=foo #Default: -# wccp2_service standard 0 +# Use the 'web-cache' standard service. # TAG: wccp2_service_info # Dynamic WCCPv2 services require further information to define the @@ -4175,8 +6104,12 @@ refresh_pattern . 0 20% 4320 # wccp2_weight 10000 # TAG: wccp_address +# Use this option if you require WCCPv2 to use a specific +# interface address. +# +# The default behavior is to not bind to any specific address. #Default: -# wccp_address 0.0.0.0 +# Address selected by the operating system. # TAG: wccp2_address # Use this option if you require WCCP to use a specific @@ -4184,7 +6117,7 @@ refresh_pattern . 0 20% 4320 # # The default behavior is to not bind to any specific address. #Default: -# wccp2_address 0.0.0.0 +# Address selected by the operating system. # PERSISTENT CONNECTION HANDLING # ----------------------------------------------------------------------------- @@ -4192,14 +6125,16 @@ refresh_pattern . 0 20% 4320 # Also see "pconn_timeout" in the TIMEOUTS section # TAG: client_persistent_connections +# Persistent connection support for clients. +# Squid uses persistent connections (when allowed). You can use +# this option to disable persistent connections with clients. #Default: # client_persistent_connections on # TAG: server_persistent_connections -# Persistent connection support for clients and servers. By -# default, Squid uses persistent connections (when allowed) -# with its clients and servers. You can use these options to -# disable persistent connections with clients and/or servers. +# Persistent connection support for servers. +# Squid uses persistent connections (when allowed). You can use +# this option to disable persistent connections with servers. #Default: # server_persistent_connections on @@ -4275,7 +6210,7 @@ refresh_pattern . 0 20% 4320 # Example: # snmp_port 3401 #Default: -# snmp_port 0 +# SNMP disabled. # TAG: snmp_access # Allowing or denying access to the SNMP port. @@ -4287,26 +6222,29 @@ refresh_pattern . 0 20% 4320 # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# #Example: # snmp_access allow snmppublic localhost # snmp_access deny all #Default: -# snmp_access deny all +# Deny, unless rules exist in squid.conf. # TAG: snmp_incoming_address -#Default: -# snmp_incoming_address any_addr - -# TAG: snmp_outgoing_address # Just like 'udp_incoming_address', but for the SNMP port. # # snmp_incoming_address is used for the SNMP socket receiving # messages from SNMP agents. -# snmp_outgoing_address is used for SNMP packets returned to SNMP -# agents. # # The default snmp_incoming_address is to listen on all # available network interfaces. +#Default: +# Accept SNMP packets from all machine interfaces. + +# TAG: snmp_outgoing_address +# Just like 'udp_outgoing_address', but for the SNMP port. +# +# snmp_outgoing_address is used for SNMP packets returned to SNMP +# agents. # # If snmp_outgoing_address is not set it will use the same socket # as snmp_incoming_address. Only change this if you want to have @@ -4314,9 +6252,9 @@ refresh_pattern . 0 20% 4320 # listens for SNMP queries. # # NOTE, snmp_incoming_address and snmp_outgoing_address can not have -# the same value since they both use port 3401. +# the same value since they both use the same port. #Default: -# snmp_outgoing_address no_addr +# Use snmp_incoming_address or an address selected by the operating system. # ICP OPTIONS # ----------------------------------------------------------------------------- @@ -4324,22 +6262,21 @@ refresh_pattern . 0 20% 4320 # TAG: icp_port # The port number where Squid sends and receives ICP queries to # and from neighbor caches. The standard UDP port for ICP is 3130. -# Default is disabled (0). # # Example: # icp_port 3130 #Default: -# icp_port 0 +# ICP disabled. # TAG: htcp_port # The port number where Squid sends and receives HTCP queries to # and from neighbor caches. To turn it on you want to set it to -# 4827. By default it is set to "0" (disabled). +# 4827. # # Example: # htcp_port 4827 #Default: -# htcp_port 0 +# HTCP disabled. # TAG: log_icp_queries on|off # If set, ICP queries are logged to access.log. You may wish @@ -4365,7 +6302,7 @@ refresh_pattern . 0 20% 4320 # NOTE, udp_incoming_address and udp_outgoing_address can not # have the same value since they both use the same port. #Default: -# udp_incoming_address any_addr +# Accept packets from all machine interfaces. # TAG: udp_outgoing_address # udp_outgoing_address is used for UDP packets sent out to other @@ -4386,7 +6323,7 @@ refresh_pattern . 0 20% 4320 # NOTE, udp_incoming_address and udp_outgoing_address can not # have the same value since they both use the same port. #Default: -# udp_outgoing_address no_addr +# Use udp_incoming_address or an address selected by the operating system. # TAG: icp_hit_stale on|off # If you want to return ICP_HIT for stale cache objects, set this @@ -4405,21 +6342,33 @@ refresh_pattern . 0 20% 4320 #Default: # minimum_direct_hops 4 -# TAG: minimum_direct_rtt +# TAG: minimum_direct_rtt (msec) # If using the ICMP pinging stuff, do direct fetches for sites # which are no more than this many rtt milliseconds away. #Default: # minimum_direct_rtt 400 # TAG: netdb_low +# The low water mark for the ICMP measurement database. +# +# Note: high watermark controlled by netdb_high directive. +# +# These watermarks are counts, not percents. The defaults are +# (low) 900 and (high) 1000. When the high water mark is +# reached, database entries will be deleted until the low +# mark is reached. #Default: # netdb_low 900 # TAG: netdb_high -# The low and high water marks for the ICMP measurement -# database. These are counts, not percents. The defaults are -# 900 and 1000. When the high water mark is reached, database -# entries will be deleted until the low mark is reached. +# The high water mark for the ICMP measurement database. +# +# Note: low watermark controlled by netdb_low directive. +# +# These watermarks are counts, not percents. The defaults are +# (low) 900 and (high) 1000. When the high water mark is +# reached, database entries will be deleted until the low +# mark is reached. #Default: # netdb_high 1000 @@ -4462,7 +6411,7 @@ refresh_pattern . 0 20% 4320 # # icp_query_timeout 2000 #Default: -# icp_query_timeout 0 +# Dynamic detection. # TAG: maximum_icp_query_timeout (msec) # Normally the ICP query timeout is determined dynamically. But @@ -4528,7 +6477,7 @@ refresh_pattern . 0 20% 4320 # Do not enable this option unless you are are absolutely # certain you understand what you are doing. #Default: -# mcast_miss_addr no_addr +# disabled. # TAG: mcast_miss_ttl # Note: This option is only available if Squid is rebuilt with the @@ -4618,7 +6567,7 @@ refresh_pattern . 0 20% 4320 # The squid developers working on translations are happy to supply drop-in # translated error files in exchange for any new language contributions. #Default: -# none +# Send error pages in the clients preferred language # TAG: error_default_language # Set the default language which squid will send error pages in @@ -4632,7 +6581,7 @@ refresh_pattern . 0 20% 4320 # translations for any language see the squid wiki for details. # http://wiki.squid-cache.org/Translations #Default: -# none +# Generate English language pages. # TAG: error_log_languages # Log to cache.log what languages users are attempting to @@ -4687,17 +6636,47 @@ refresh_pattern . 0 20% 4320 # the first authentication related acl encountered # - When none of the http_access lines matches. It's then the last # acl processed on the last http_access line. +# - When the decision to deny access was made by an adaptation service, +# the acl name is the corresponding eCAP or ICAP service_name. # # NP: If providing your own custom error pages with error_directory # you may also specify them by your custom file name: # Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys # -# Alternatively you can specify an error URL. The browsers will -# get redirected (302 or 307) to the specified URL. %s in the redirection -# URL will be replaced by the requested URL. +# By defaut Squid will send "403 Forbidden". A different 4xx or 5xx +# may be specified by prefixing the file name with the code and a colon. +# e.g. 404:ERR_CUSTOM_ACCESS_DENIED # # Alternatively you can tell Squid to reset the TCP connection # by specifying TCP_RESET. +# +# Or you can specify an error URL or URL pattern. The browsers will +# get redirected to the specified URL after formatting tags have +# been replaced. Redirect will be done with 302 or 307 according to +# HTTP/1.1 specs. A different 3xx code may be specified by prefixing +# the URL. e.g. 303:http://example.com/ +# +# URL FORMAT TAGS: +# %a - username (if available. Password NOT included) +# %B - FTP path URL +# %e - Error number +# %E - Error description +# %h - Squid hostname +# %H - Request domain name +# %i - Client IP Address +# %M - Request Method +# %o - Message result from external ACL helper +# %p - Request Port number +# %P - Request Protocol name +# %R - Request URL path +# %T - Timestamp in RFC 1123 format +# %U - Full canonical URL from client +# (HTTPS URLs terminate with *) +# %u - Full canonical URL from client +# %w - Admin email from squid.conf +# %x - Error name +# %% - Literal percent (%) code +# #Default: # none @@ -4706,18 +6685,18 @@ refresh_pattern . 0 20% 4320 # TAG: nonhierarchical_direct # By default, Squid will send any non-hierarchical requests -# (matching hierarchy_stoplist or not cacheable request type) direct -# to origin servers. +# (not cacheable request type) direct to origin servers. # -# If you set this to off, Squid will prefer to send these +# When this is set to "off", Squid will prefer to send these # requests to parents. # # Note that in most configurations, by turning this off you will only # add latency to these request without any improvement in global hit # ratio. # -# If you are inside an firewall see never_direct instead of -# this directive. +# This option only sets a preference. If the parent is unavailable a +# direct connection to the origin server may still be attempted. To +# completely prevent direct connections use never_direct. #Default: # nonhierarchical_direct on @@ -4736,6 +6715,29 @@ refresh_pattern . 0 20% 4320 #Default: # prefer_direct off +# TAG: cache_miss_revalidate on|off +# RFC 7232 defines a conditional request mechanism to prevent +# response objects being unnecessarily transferred over the network. +# If that mechanism is used by the client and a cache MISS occurs +# it can prevent new cache entries being created. +# +# This option determines whether Squid on cache MISS will pass the +# client revalidation request to the server or tries to fetch new +# content for caching. It can be useful while the cache is mostly +# empty to more quickly have the cache populated by generating +# non-conditional GETs. +# +# When set to 'on' (default), Squid will pass all client If-* headers +# to the server. This permits server responses without a cacheable +# payload to be delivered and on MISS no new cache entry is created. +# +# When set to 'off' and if the request is cacheable, Squid will +# remove the clients If-Modified-Since and If-None-Match headers from +# the request sent to the server. This requests a 200 status response +# from the server to create a new cache entry with. +#Default: +# cache_miss_revalidate on + # TAG: always_direct # Usage: always_direct allow|deny [!]aclname ... # @@ -4776,7 +6778,7 @@ refresh_pattern . 0 20% 4320 # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Prevent any cache_peer being used for this request. # TAG: never_direct # Usage: never_direct allow|deny [!]aclname ... @@ -4805,37 +6807,52 @@ refresh_pattern . 0 20% 4320 # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow DNS results to be used for this request. # ADVANCED NETWORKING OPTIONS # ----------------------------------------------------------------------------- -# TAG: incoming_icp_average +# TAG: incoming_udp_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: -# incoming_icp_average 6 +# incoming_udp_average 6 -# TAG: incoming_http_average +# TAG: incoming_tcp_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: -# incoming_http_average 4 +# incoming_tcp_average 4 # TAG: incoming_dns_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: # incoming_dns_average 4 -# TAG: min_icp_poll_cnt +# TAG: min_udp_poll_cnt +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: -# min_icp_poll_cnt 8 +# min_udp_poll_cnt 8 # TAG: min_dns_poll_cnt +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: # min_dns_poll_cnt 8 -# TAG: min_http_poll_cnt +# TAG: min_tcp_poll_cnt # Heavy voodoo here. I can't even believe you are reading this. # Are you crazy? Don't even think about adjusting these unless # you understand the algorithms in comm_select.c first! #Default: -# min_http_poll_cnt 8 +# min_tcp_poll_cnt 8 # TAG: accept_filter # FreeBSD: @@ -4880,14 +6897,14 @@ refresh_pattern . 0 20% 4320 # WARNING: This may noticably slow down traffic received via external proxies # or NAT devices and cause them to rebound error messages back to their clients. #Default: -# client_ip_max_connections -1 +# No limit. # TAG: tcp_recv_bufsize (bytes) # Size of receive buffer to set for TCP sockets. Probably just -# as easy to change your kernel's default. Set to zero to use -# the default buffer size. +# as easy to change your kernel's default. +# Omit from squid.conf to use the default buffer size. #Default: -# tcp_recv_bufsize 0 bytes +# Use operating system TCP defaults. # ICAP OPTIONS # ----------------------------------------------------------------------------- @@ -4913,22 +6930,36 @@ refresh_pattern . 0 20% 4320 # an established, active ICAP connection before giving up and # either terminating the HTTP transaction or bypassing the # failure. -# -# The default is read_timeout. #Default: -# none +# Use read_timeout. -# TAG: icap_service_failure_limit +# TAG: icap_service_failure_limit limit [in memory-depth time-units] # The limit specifies the number of failures that Squid tolerates # when establishing a new TCP connection with an ICAP service. If # the number of failures exceeds the limit, the ICAP service is # not used for new ICAP requests until it is time to refresh its -# OPTIONS. The per-service failure counter is reset to zero each -# time Squid fetches new service OPTIONS. +# OPTIONS. # # A negative value disables the limit. Without the limit, an ICAP # service will not be considered down due to connectivity failures # between ICAP OPTIONS requests. +# +# Squid forgets ICAP service failures older than the specified +# value of memory-depth. The memory fading algorithm +# is approximate because Squid does not remember individual +# errors but groups them instead, splitting the option +# value into ten time slots of equal length. +# +# When memory-depth is 0 and by default this option has no +# effect on service failure expiration. +# +# Squid always forgets failures when updating service settings +# using an ICAP OPTIONS transaction, regardless of this option +# setting. +# +# For example, +# # suspend service usage after 10 failures in 5 seconds: +# icap_service_failure_limit 10 in 5 seconds #Default: # icap_service_failure_limit 10 @@ -4962,10 +6993,26 @@ refresh_pattern . 0 20% 4320 # TAG: icap_preview_size # The default size of preview data to be sent to the ICAP server. -# -1 means no preview. This value might be overwritten on a per server -# basis by OPTIONS requests. +# This value might be overwritten on a per server basis by OPTIONS requests. +#Default: +# No preview sent. + +# TAG: icap_206_enable on|off +# 206 (Partial Content) responses is an ICAP extension that allows the +# ICAP agents to optionally combine adapted and original HTTP message +# content. The decision to combine is postponed until the end of the +# ICAP response. Squid supports Partial Content extension by default. +# +# Activation of the Partial Content extension is negotiated with each +# ICAP service during OPTIONS exchange. Most ICAP servers should handle +# negotation correctly even if they do not support the extension, but +# some might fail. To disable Partial Content support for all ICAP +# services and to avoid any negotiation, set this option to "off". +# +# Example: +# icap_206_enable off #Default: -# icap_preview_size -1 +# icap_206_enable on # TAG: icap_default_options_ttl # The default TTL value for ICAP OPTIONS responses that don't have @@ -4979,25 +7026,27 @@ refresh_pattern . 0 20% 4320 #Default: # icap_persistent_connections on -# TAG: icap_send_client_ip on|off +# TAG: adaptation_send_client_ip on|off # If enabled, Squid shares HTTP client IP information with adaptation # services. For ICAP, Squid adds the X-Client-IP header to ICAP requests. # For eCAP, Squid sets the libecap::metaClientIp transaction option. # # See also: adaptation_uses_indirect_client #Default: -# icap_send_client_ip off +# adaptation_send_client_ip off -# TAG: icap_send_client_username on|off +# TAG: adaptation_send_username on|off # This sends authenticated HTTP client username (if available) to -# the ICAP service. The username value is encoded based on the +# the adaptation service. +# +# For ICAP, the username value is encoded based on the # icap_client_username_encode option and is sent using the header # specified by the icap_client_username_header option. #Default: -# icap_send_client_username off +# adaptation_send_username off # TAG: icap_client_username_header -# ICAP request header name to use for send_client_username. +# ICAP request header name to use for adaptation_send_username. #Default: # icap_client_username_header X-Client-Username @@ -5009,17 +7058,19 @@ refresh_pattern . 0 20% 4320 # TAG: icap_service # Defines a single ICAP service using the following format: # -# icap_service service_name vectoring_point [options] service_url +# icap_service id vectoring_point uri [option ...] # -# service_name: ID -# an opaque identifier which must be unique in squid.conf +# id: ID +# an opaque identifier or name which is used to direct traffic to +# this specific service. Must be unique among all adaptation +# services in squid.conf. # # vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache # This specifies at which point of transaction processing the # ICAP service should be activated. *_postcache vectoring points # are not yet supported. # -# service_url: icap://servername:port/servicepath +# uri: icap://servername:port/servicepath # ICAP server and service location. # # ICAP does not allow a single service to handle both REQMOD and RESPMOD @@ -5028,6 +7079,8 @@ refresh_pattern . 0 20% 4320 # can even specify multiple identical services as long as their # service_names differ. # +# To activate a service, use the adaptation_access directive. To group +# services, use adaptation_service_chain and adaptation_service_set. # # Service options are separated by white space. ICAP services support # the following name=value options: @@ -5049,11 +7102,12 @@ refresh_pattern . 0 20% 4320 # returning a chain of services to be used next. The services # are specified using the X-Next-Services ICAP response header # value, formatted as a comma-separated list of service names. -# Each named service should be configured in squid.conf and -# should have the same method and vectoring point as the current -# ICAP transaction. Services violating these rules are ignored. -# An empty X-Next-Services value results in an empty plan which -# ends the current adaptation. +# Each named service should be configured in squid.conf. Other +# services are ignored. An empty X-Next-Services value results +# in an empty plan which ends the current adaptation. +# +# Dynamic adaptation plan may cross or cover multiple supported +# vectoring points in their natural processing order. # # Routing is not allowed by default: the ICAP X-Next-Services # response header is ignored. @@ -5063,12 +7117,32 @@ refresh_pattern . 0 20% 4320 # is to use IPv4-only connections. When set to 'on' this option will # make Squid use IPv6-only connections to contact this ICAP service. # +# on-overload=block|bypass|wait|force +# If the service Max-Connections limit has been reached, do +# one of the following for each new ICAP transaction: +# * block: send an HTTP error response to the client +# * bypass: ignore the "over-connected" ICAP service +# * wait: wait (in a FIFO queue) for an ICAP connection slot +# * force: proceed, ignoring the Max-Connections limit +# +# In SMP mode with N workers, each worker assumes the service +# connection limit is Max-Connections/N, even though not all +# workers may use a given service. +# +# The default value is "bypass" if service is bypassable, +# otherwise it is set to "wait". +# +# +# max-conn=number +# Use the given number as the Max-Connections limit, regardless +# of the Max-Connections value given by the service, if any. +# # Older icap_service format without optional named parameters is # deprecated but supported for backward compatibility. # #Example: -#icap_service svcBlocker reqmod_precache bypass=0 icap://icap1.mydomain.net:1344/reqmod -#icap_service svcLogger reqmod_precache routing=on icap://icap2.mydomain.net:1344/respmod +#icap_service svcBlocker reqmod_precache icap://icap1.mydomain.net:1344/reqmod bypass=0 +#icap_service svcLogger reqmod_precache icap://icap2.mydomain.net:1344/respmod routing=on #Default: # none @@ -5094,38 +7168,65 @@ refresh_pattern . 0 20% 4320 # ----------------------------------------------------------------------------- # TAG: ecap_enable on|off -# Note: This option is only available if Squid is rebuilt with the -# --enable-ecap option -# # Controls whether eCAP support is enabled. #Default: # ecap_enable off # TAG: ecap_service -# Note: This option is only available if Squid is rebuilt with the -# --enable-ecap option -# # Defines a single eCAP service # -# ecap_service servicename vectoring_point bypass service_url +# ecap_service id vectoring_point uri [option ...] # -# vectoring_point = reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache +# id: ID +# an opaque identifier or name which is used to direct traffic to +# this specific service. Must be unique among all adaptation +# services in squid.conf. +# +# vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache # This specifies at which point of transaction processing the # eCAP service should be activated. *_postcache vectoring points # are not yet supported. -# bypass = 1|0 -# If set to 1, the eCAP service is treated as optional. If the -# service cannot be reached or malfunctions, Squid will try to -# ignore any errors and process the message as if the service +# +# uri: ecap://vendor/service_name?custom&cgi=style¶meters=optional +# Squid uses the eCAP service URI to match this configuration +# line with one of the dynamically loaded services. Each loaded +# eCAP service must have a unique URI. Obtain the right URI from +# the service provider. +# +# To activate a service, use the adaptation_access directive. To group +# services, use adaptation_service_chain and adaptation_service_set. +# +# Service options are separated by white space. eCAP services support +# the following name=value options: +# +# bypass=on|off|1|0 +# If set to 'on' or '1', the eCAP service is treated as optional. +# If the service cannot be reached or malfunctions, Squid will try +# to ignore any errors and process the message as if the service # was not enabled. No all eCAP errors can be bypassed. -# If set to 0, the eCAP service is treated as essential and all -# eCAP errors will result in an error page returned to the +# If set to 'off' or '0', the eCAP service is treated as essential +# and all eCAP errors will result in an error page returned to the # HTTP client. -# service_url = ecap://vendor/service_name?custom&cgi=style¶meters=optional +# +# Bypass is off by default: services are treated as essential. +# +# routing=on|off|1|0 +# If set to 'on' or '1', the eCAP service is allowed to +# dynamically change the current message adaptation plan by +# returning a chain of services to be used next. +# +# Dynamic adaptation plan may cross or cover multiple supported +# vectoring points in their natural processing order. +# +# Routing is not allowed by default. +# +# Older ecap_service format without optional named parameters is +# deprecated but supported for backward compatibility. +# # #Example: -#ecap_service service_1 reqmod_precache 0 ecap://filters-R-us/leakDetector?on_error=block -#ecap_service service_2 respmod_precache 1 icap://filters-R-us/virusFilter?config=/etc/vf.cfg +#ecap_service s1 reqmod_precache ecap://filters.R.us/leakDetector?on_error=block bypass=off +#ecap_service s2 respmod_precache ecap://filters.R.us/virusFilter config=/etc/vf.cfg bypass=on #Default: # none @@ -5247,7 +7348,7 @@ refresh_pattern . 0 20% 4320 #Example: #adaptation_access service_1 allow all #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: adaptation_service_iteration_limit # Limits the number of iterations allowed when applying adaptation @@ -5275,8 +7376,14 @@ refresh_pattern . 0 20% 4320 # # An ICAP REQMOD or RESPMOD transaction may set an entry in the # shared table by returning an ICAP header field with a name -# specified in adaptation_masterx_shared_names. Squid will store -# and forward that ICAP header field to subsequent ICAP +# specified in adaptation_masterx_shared_names. +# +# An eCAP REQMOD or RESPMOD transaction may set an entry in the +# shared table by implementing the libecap::visitEachOption() API +# to provide an option with a name specified in +# adaptation_masterx_shared_names. +# +# Squid will store and forward the set entry to subsequent adaptation # transactions within the same master transaction scope. # # Only one shared entry name is supported at this time. @@ -5287,6 +7394,43 @@ refresh_pattern . 0 20% 4320 #Default: # none +# TAG: adaptation_meta +# This option allows Squid administrator to add custom ICAP request +# headers or eCAP options to Squid ICAP requests or eCAP transactions. +# Use it to pass custom authentication tokens and other +# transaction-state related meta information to an ICAP/eCAP service. +# +# The addition of a meta header is ACL-driven: +# adaptation_meta name value [!]aclname ... +# +# Processing for a given header name stops after the first ACL list match. +# Thus, it is impossible to add two headers with the same name. If no ACL +# lists match for a given header name, no such header is added. For +# example: +# +# # do not debug transactions except for those that need debugging +# adaptation_meta X-Debug 1 needs_debugging +# +# # log all transactions except for those that must remain secret +# adaptation_meta X-Log 1 !keep_secret +# +# # mark transactions from users in the "G 1" group +# adaptation_meta X-Authenticated-Groups "G 1" authed_as_G1 +# +# The "value" parameter may be a regular squid.conf token or a "double +# quoted string". Within the quoted string, use backslash (\) to escape +# any character, which is currently only useful for escaping backslashes +# and double quotes. For example, +# "this string has one backslash (\\) and two \"quotes\"" +# +# Used adaptation_meta header values may be logged via %note +# logformat code. If multiple adaptation_meta headers with the same name +# are used during master transaction lifetime, the header values are +# logged in the order they were used and duplicate values are ignored +# (only the first repeated value will be logged). +#Default: +# none + # TAG: icap_retry # This ACL determines which retriable ICAP transactions are # retried. Transactions that received a complete ICAP response @@ -5303,8 +7447,7 @@ refresh_pattern . 0 20% 4320 # icap_retry deny all # TAG: icap_retry_limit -# Limits the number of retries allowed. When set to zero (default), -# no retries are allowed. +# Limits the number of retries allowed. # # Communication errors due to persistent connection race # conditions are unavoidable, automatically retried, and do not @@ -5312,7 +7455,7 @@ refresh_pattern . 0 20% 4320 # # See also: icap_retry #Default: -# icap_retry_limit 0 +# No retries are allowed. # DNS OPTIONS # ----------------------------------------------------------------------------- @@ -5332,31 +7475,9 @@ refresh_pattern . 0 20% 4320 #Default: # allow_underscore on -# TAG: cache_dns_program -# Note: This option is only available if Squid is rebuilt with the -# --disable-internal-dns option -# -# Specify the location of the executable for dnslookup process. -#Default: -# cache_dns_program /usr/lib/squid/dnsserver - -# TAG: dns_children -# Note: This option is only available if Squid is rebuilt with the -# --disable-internal-dns option -# -# The number of processes spawn to service DNS name lookups. -# For heavily loaded caches on large servers, you should -# probably increase this value to at least 10. The maximum -# is 32. The default is 5. -# -# You must have at least one dnsserver process. -#Default: -# dns_children 5 - # TAG: dns_retransmit_interval # Initial retransmit interval for DNS queries. The interval is # doubled each time all configured DNS servers have been tried. -# #Default: # dns_retransmit_interval 5 seconds @@ -5365,7 +7486,31 @@ refresh_pattern . 0 20% 4320 # within this time all DNS servers for the queried domain # are assumed to be unavailable. #Default: -# dns_timeout 2 minutes +# dns_timeout 30 seconds + +# TAG: dns_packet_max +# Maximum number of bytes packet size to advertise via EDNS. +# Set to "none" to disable EDNS large packet support. +# +# For legacy reasons DNS UDP replies will default to 512 bytes which +# is too small for many responses. EDNS provides a means for Squid to +# negotiate receiving larger responses back immediately without having +# to failover with repeat requests. Responses larger than this limit +# will retain the old behaviour of failover to TCP DNS. +# +# Squid has no real fixed limit internally, but allowing packet sizes +# over 1500 bytes requires network jumbogram support and is usually not +# necessary. +# +# WARNING: The RFC also indicates that some older resolvers will reply +# with failure of the whole request if the extension is added. Some +# resolvers have already been identified which will reply with mangled +# EDNS response on occasion. Usually in response to many-KB jumbogram +# sizes being advertised by Squid. +# Squid will currently treat these both as an unable-to-resolve domain +# even if it would be resolvable without EDNS. +#Default: +# EDNS disabled # TAG: dns_defnames on|off # Normally the RES_DEFNAMES resolver option is disabled @@ -5373,12 +7518,21 @@ refresh_pattern . 0 20% 4320 # from interpreting single-component hostnames locally. To allow # Squid to handle single-component names, enable this option. #Default: -# dns_defnames off +# Search for single-label domain names is disabled. + +# TAG: dns_multicast_local on|off +# When set to on, Squid sends multicast DNS lookups on the local +# network for domains ending in .local and .arpa. +# This enables local servers and devices to be contacted in an +# ad-hoc or zero-configuration network environment. +#Default: +# Search for .local and .arpa names is disabled. # TAG: dns_nameservers # Use this if you want to specify a list of DNS name servers # (IP addresses) to use instead of those given in your # /etc/resolv.conf file. +# # On Windows platforms, if no value is specified here or in # the /etc/resolv.conf file, the list of DNS name servers are # taken from the Windows registry, both static and dynamic DHCP @@ -5386,7 +7540,7 @@ refresh_pattern . 0 20% 4320 # # Example: dns_nameservers 10.0.0.1 192.172.0.4 #Default: -# none +# Use operating system definitions # TAG: hosts_file # Location of the host-local IP name-address associations @@ -5425,7 +7579,7 @@ refresh_pattern . 0 20% 4320 #Example: # append_domain .yourdomain.com #Default: -# none +# Use operating system definitions # TAG: ignore_unknown_nameservers # By default Squid checks that DNS responses are received @@ -5436,23 +7590,6 @@ refresh_pattern . 0 20% 4320 #Default: # ignore_unknown_nameservers on -# TAG: dns_v4_fallback -# Standard practice with DNS is to lookup either A or AAAA records -# and use the results if it succeeds. Only looking up the other if -# the first attempt fails or otherwise produces no results. -# -# That policy however will cause squid to produce error pages for some -# servers that advertise AAAA but are unreachable over IPv6. -# -# If this is ON squid will always lookup both AAAA and A, using both. -# If this is OFF squid will lookup AAAA and only try A if none found. -# -# WARNING: There are some possibly unwanted side-effects with this on: -# *) Doubles the load placed by squid on the DNS network. -# *) May negatively impact connection delay times. -#Default: -# dns_v4_fallback on - # TAG: dns_v4_first # With the IPv6 Internet being as fast or faster than IPv4 Internet # for most networks Squid prefers to contact websites over IPv6. @@ -5464,11 +7601,12 @@ refresh_pattern . 0 20% 4320 # WARNING: # This option will restrict the situations under which IPv6 # connectivity is used (and tested), potentially hiding network -# problem swhich would otherwise be detected and warned about. +# problems which would otherwise be detected and warned about. #Default: # dns_v4_first off # TAG: ipcache_size (number of entries) +# Maximum number of DNS IP cache entries. #Default: # ipcache_size 1024 @@ -5489,6 +7627,15 @@ refresh_pattern . 0 20% 4320 # MISCELLANEOUS # ----------------------------------------------------------------------------- +# TAG: configuration_includes_quoted_values on|off +# If set, Squid will recognize each "quoted string" after a configuration +# directive as a single parameter. The quotes are stripped before the +# parameter value is interpreted or used. +# See "Values with spaces, quotes, and other special characters" +# section for more details. +#Default: +# configuration_includes_quoted_values off + # TAG: memory_pools on|off # If set, Squid will keep pools of allocated (but unused) memory # available for future use. If memory is a premium on your @@ -5539,7 +7686,7 @@ refresh_pattern . 0 20% 4320 # X-Forwarded-For header. # # If set to "truncate", Squid will remove all existing -# X-Forwarded-For entries, and place itself as the sole entry. +# X-Forwarded-For entries, and place the client IP as the sole entry. #Default: # forwarded_for on @@ -5602,7 +7749,7 @@ refresh_pattern . 0 20% 4320 # cachemgr_passwd lesssssssecret info stats/objects # cachemgr_passwd disable all #Default: -# none +# No password. Actions which require password are denied. # TAG: client_db on|off # If you want to disable collecting per-client statistics, @@ -5633,19 +7780,22 @@ refresh_pattern . 0 20% 4320 #Default: # reload_into_ims off -# TAG: maximum_single_addr_tries -# This sets the maximum number of connection attempts for a -# host that only has one address (for multiple-address hosts, -# each address is tried once). +# TAG: connect_retries +# This sets the maximum number of connection attempts made for each +# TCP connection. The connect_retries attempts must all still +# complete within the connection timeout period. +# +# The default is not to re-try if the first connection attempt fails. +# The (not recommended) maximum is 10 tries. # -# The default value is one attempt, the (not recommended) -# maximum is 255 tries. A warning message will be generated -# if it is set to a value greater than ten. +# A warning message will be generated if it is set to a too-high +# value and the configured value will be over-ridden. # -# Note: This is in addition to the request re-forwarding which -# takes place if Squid fails to get a satisfying response. +# Note: These re-tries are in addition to forward_max_tries +# which limit how many different addresses may be tried to find +# a useful server. #Default: -# maximum_single_addr_tries 1 +# Do not retry failed connections. # TAG: retry_on_error # If set to ON Squid will automatically retry requests when @@ -5678,20 +7828,32 @@ refresh_pattern . 0 20% 4320 # URI. Options: # # strip: The whitespace characters are stripped out of the URL. -# This is the behavior recommended by RFC2396. +# This is the behavior recommended by RFC2396 and RFC3986 +# for tolerant handling of generic URI. +# NOTE: This is one difference between generic URI and HTTP URLs. +# # deny: The request is denied. The user receives an "Invalid # Request" message. +# This is the behaviour recommended by RFC2616 for safe +# handling of HTTP request URL. +# # allow: The request is allowed and the URI is not changed. The # whitespace characters remain in the URI. Note the # whitespace is passed to redirector processes if they # are in use. +# Note this may be considered a violation of RFC2616 +# request parsing where whitespace is prohibited in the +# URL field. +# # encode: The request is allowed and the whitespace characters are -# encoded according to RFC1738. This could be considered -# a violation of the HTTP/1.1 -# RFC because proxies are not allowed to rewrite URI's. +# encoded according to RFC1738. +# # chop: The request is allowed and the URI is chopped at the -# first whitespace. This might also be considered a -# violation. +# first whitespace. +# +# +# NOTE the current Squid implementation of encode and chop violates +# RFC2616 by not using a 301 redirect after altering the URL. #Default: # uri_whitespace strip @@ -5718,23 +7880,28 @@ refresh_pattern . 0 20% 4320 # balance_on_multiple_ip off # TAG: pipeline_prefetch -# To boost the performance of pipelined requests to closer -# match that of a non-proxied environment Squid can try to fetch -# up to two requests in parallel from a pipeline. -# -# Defaults to off for bandwidth management and access logging +# HTTP clients may send a pipeline of 1+N requests to Squid using a +# single connection, without waiting for Squid to respond to the first +# of those requests. This option limits the number of concurrent +# requests Squid will try to handle in parallel. If set to N, Squid +# will try to receive and process up to 1+N requests on the same +# connection concurrently. +# +# Defaults to 0 (off) for bandwidth management and access logging # reasons. # +# NOTE: pipelining requires persistent connections to clients. +# # WARNING: pipelining breaks NTLM and Negotiate/Kerberos authentication. #Default: -# pipeline_prefetch off +# Do not pre-parse pipelined requests. # TAG: high_response_time_warning (msec) # If the one-minute median response time exceeds this value, # Squid prints a WARNING with debug level 0 to get the # administrators attention. The value is in milliseconds. #Default: -# high_response_time_warning 0 +# disabled. # TAG: high_page_fault_warning # If the one-minute average page fault rate exceeds this @@ -5742,14 +7909,17 @@ refresh_pattern . 0 20% 4320 # the administrators attention. The value is in page faults # per second. #Default: -# high_page_fault_warning 0 +# disabled. # TAG: high_memory_warning -# If the memory usage (as determined by mallinfo) exceeds -# this amount, Squid prints a WARNING with debug level 0 to get +# Note: This option is only available if Squid is rebuilt with the +# GNU Malloc with mstats() +# +# If the memory usage (as determined by gnumalloc, if available and used) +# exceeds this amount, Squid prints a WARNING with debug level 0 to get # the administrators attention. #Default: -# high_memory_warning 0 KB +# disabled. # TAG: sleep_after_fork (microseconds) # When this is set to a non-zero value, the main Squid process @@ -5766,6 +7936,9 @@ refresh_pattern . 0 20% 4320 # sleep_after_fork 0 # TAG: windows_ipaddrchangemonitor on|off +# Note: This option is only available if Squid is rebuilt with the +# MS Windows +# # On Windows Squid by default will monitor IP address changes and will # reconfigure itself after any detected event. This is very useful for # proxies connected to internet with dial-up interfaces. @@ -5775,13 +7948,19 @@ refresh_pattern . 0 20% 4320 #Default: # windows_ipaddrchangemonitor on +# TAG: eui_lookup +# Whether to lookup the EUI or MAC address of a connected client. +#Default: +# eui_lookup on + # TAG: max_filedescriptors -# The maximum number of filedescriptors supported. +# Reduce the maximum number of filedescriptors supported below +# the usual operating system defaults. # -# The default "0" means Squid inherits the current ulimit setting. +# Remove from squid.conf to inherit the current ulimit setting. # # Note: Changing this requires a restart of Squid. Also -# not all comm loops supports large values. +# not all I/O types supports large values (eg on Windows). #Default: -# max_filedescriptors 0 +# Use operating system limits set by ulimit. diff --git a/hosts/profitbricks-build2-i386/etc/squid/squid.conf b/hosts/profitbricks-build2-i386/etc/squid/squid.conf index 34be0ec5..ad1cdc47 100644 --- a/hosts/profitbricks-build2-i386/etc/squid/squid.conf +++ b/hosts/profitbricks-build2-i386/etc/squid/squid.conf @@ -1,4 +1,4 @@ -# WELCOME TO SQUID 3.1.20 +# WELCOME TO SQUID 3.5.23 # ---------------------------- # # This is the documentation for the Squid configuration file. @@ -32,6 +32,188 @@ # This arbitrary restriction is to prevent recursive include references # from causing Squid entering an infinite loop whilst trying to load # configuration files. +# +# Values with byte units +# +# Squid accepts size units on some size related directives. All +# such directives are documented with a default value displaying +# a unit. +# +# Units accepted by Squid are: +# bytes - byte +# KB - Kilobyte (1024 bytes) +# MB - Megabyte +# GB - Gigabyte +# +# Values with spaces, quotes, and other special characters +# +# Squid supports directive parameters with spaces, quotes, and other +# special characters. Surround such parameters with "double quotes". Use +# the configuration_includes_quoted_values directive to enable or +# disable that support. +# +# Squid supports reading configuration option parameters from external +# files using the syntax: +# parameters("/path/filename") +# For example: +# acl whitelist dstdomain parameters("/etc/squid/whitelist.txt") +# +# Conditional configuration +# +# If-statements can be used to make configuration directives +# depend on conditions: +# +# if +# ... regular configuration directives ... +# [else +# ... regular configuration directives ...] +# endif +# +# The else part is optional. The keywords "if", "else", and "endif" +# must be typed on their own lines, as if they were regular +# configuration directives. +# +# NOTE: An else-if condition is not supported. +# +# These individual conditions types are supported: +# +# true +# Always evaluates to true. +# false +# Always evaluates to false. +# = +# Equality comparison of two integer numbers. +# +# +# SMP-Related Macros +# +# The following SMP-related preprocessor macros can be used. +# +# ${process_name} expands to the current Squid process "name" +# (e.g., squid1, squid2, or cache1). +# +# ${process_number} expands to the current Squid process +# identifier, which is an integer number (e.g., 1, 2, 3) unique +# across all Squid processes of the current service instance. +# +# ${service_name} expands into the current Squid service instance +# name identifier which is provided by -n on the command line. +# + +# TAG: broken_vary_encoding +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: cache_vary +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: error_map +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: external_refresh_check +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: location_rewrite_program +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: refresh_stale_hit +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: hierarchy_stoplist +# Remove this line. Use always_direct or cache_peer_access ACLs instead if you need to prevent cache_peer use. +#Default: +# none + +# TAG: log_access +# Remove this line. Use acls with access_log directives to control access logging +#Default: +# none + +# TAG: log_icap +# Remove this line. Use acls with icap_log directives to control icap logging +#Default: +# none + +# TAG: ignore_ims_on_miss +# Remove this line. The HTTP/1.1 feature is now configured by 'cache_miss_revalidate'. +#Default: +# none + +# TAG: chunked_request_body_max_size +# Remove this line. Squid is now HTTP/1.1 compliant. +#Default: +# none + +# TAG: dns_v4_fallback +# Remove this line. Squid performs a 'Happy Eyeballs' algorithm, the 'fallback' algorithm is no longer relevant. +#Default: +# none + +# TAG: emulate_httpd_log +# Replace this with an access_log directive using the format 'common' or 'combined'. +#Default: +# none + +# TAG: forward_log +# Use a regular access.log with ACL limiting it to MISS events. +#Default: +# none + +# TAG: ftp_list_width +# Remove this line. Configure FTP page display using the CSS controls in errorpages.css instead. +#Default: +# none + +# TAG: ignore_expect_100 +# Remove this line. The HTTP/1.1 feature is now fully supported by default. +#Default: +# none + +# TAG: log_fqdn +# Remove this option from your config. To log FQDN use %>A in the log format. +#Default: +# none + +# TAG: log_ip_on_direct +# Remove this option from your config. To log server or peer names use % -##auth_param negotiate children 5 +##auth_param negotiate children 20 startup=0 idle=1 ##auth_param negotiate keep_alive on ## -##auth_param ntlm program -##auth_param ntlm children 5 -##auth_param ntlm keep_alive on -## -##auth_param digest program -##auth_param digest children 5 +##auth_param digest program +##auth_param digest children 20 startup=0 idle=1 ##auth_param digest realm Squid proxy-caching web server ##auth_param digest nonce_garbage_interval 5 minutes ##auth_param digest nonce_max_duration 30 minutes ##auth_param digest nonce_max_count 50 ## +##auth_param ntlm program +##auth_param ntlm children 20 startup=0 idle=1 +##auth_param ntlm keep_alive on +## ##auth_param basic program -##auth_param basic children 5 +##auth_param basic children 5 startup=5 idle=1 ##auth_param basic realm Squid proxy-caching web server ##auth_param basic credentialsttl 2 hours #Default: @@ -343,7 +448,7 @@ # TAG: authenticate_cache_garbage_interval # The time period between garbage collection across the username cache. -# This is a tradeoff between memory utilization (long intervals - say +# This is a trade-off between memory utilization (long intervals - say # 2 days) and CPU (short intervals - say 1 minute). Only change if you # have good reason to. #Default: @@ -362,11 +467,11 @@ # this directive controls how long Squid remembers the IP # addresses associated with each user. Use a small value # (e.g., 60 seconds) if your users might change addresses -# quickly, as is the case with dialups. You might be safe +# quickly, as is the case with dialup. You might be safe # using a larger value (e.g., 2 hours) in a corporate LAN # environment with relatively static address assignments. #Default: -# authenticate_ip_ttl 0 seconds +# authenticate_ip_ttl 1 second # ACCESS CONTROLS # ----------------------------------------------------------------------------- @@ -381,31 +486,66 @@ # # ttl=n TTL in seconds for cached results (defaults to 3600 # for 1 hour) +# # negative_ttl=n # TTL for cached negative lookups (default same # as ttl) -# children=n Number of acl helper processes spawn to service +# +# grace=n Percentage remaining of TTL where a refresh of a +# cached entry should be initiated without needing to +# wait for a new reply. (default is for no grace period) +# +# cache=n The maximum number of entries in the result cache. The +# default limit is 262144 entries. Each cache entry usually +# consumes at least 256 bytes. Squid currently does not remove +# expired cache entries until the limit is reached, so a proxy +# will sooner or later reach the limit. The expanded FORMAT +# value is used as the cache key, so if the details in FORMAT +# are highly variable, a larger cache may be needed to produce +# reduction in helper load. +# +# children-max=n +# Maximum number of acl helper processes spawned to service # external acl lookups of this type. (default 5) +# +# children-startup=n +# Minimum number of acl helper processes to spawn during +# startup and reconfigure to service external acl lookups +# of this type. (default 0) +# +# children-idle=n +# Number of acl helper processes to keep ahead of traffic +# loads. Squid will spawn this many at once whenever load +# rises above the capabilities of existing processes. +# Up to the value of children-max. (default 1) +# # concurrency=n concurrency level per process. Only used with helpers # capable of processing more than one query at a time. -# cache=n result cache size, 0 is unbounded (default) -# grace=n Percentage remaining of TTL where a refresh of a -# cached entry should be initiated without needing to -# wait for a new reply. (default 0 for no grace period) -# protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers +# +# protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers. +# # ipv4 / ipv6 IP protocol used to communicate with this helper. # The default is to auto-detect IPv6 and use it when available. # +# # FORMAT specifications # # %LOGIN Authenticated user login name -# %EXT_USER Username from external acl +# %un A user name. Expands to the first available name +# from the following list of information sources: +# - authenticated user name, like %ul or %LOGIN +# - user name sent by an external ACL, like %EXT_USER +# - SSL client name, like %us in logformat +# - ident user name, like %ui in logformat +# %EXT_USER Username from previous external acl +# %EXT_LOG Log details from previous external acl +# %EXT_TAG Tag from previous external acl # %IDENT Ident user name # %SRC Client IP # %SRCPORT Client source port # %URI Requested URI # %DST Requested host -# %PROTO Requested protocol +# %PROTO Requested URL scheme # %PORT Requested port # %PATH Requested URL path # %METHOD Request method @@ -415,7 +555,10 @@ # %USER_CERT SSL User certificate in PEM format # %USER_CERTCHAIN SSL User certificate chain in PEM format # %USER_CERT_xx SSL User certificate subject attribute xx -# %USER_CA_xx SSL User certificate issuer attribute xx +# %USER_CA_CERT_xx SSL User certificate issuer attribute xx +# %ssl::>sni SSL client SNI sent to Squid +# %ssl::{Header} HTTP request header "Header" # %>{Hdr:member} @@ -433,43 +576,101 @@ # list separator. ; can be any non-alphanumeric # character. # +# %ACL The name of the ACL being tested. +# %DATA The ACL arguments. If not used then any arguments +# is automatically added at the end of the line +# sent to the helper. +# NOTE: this will encode the arguments as one token, +# whereas the default will pass each separately. +# # %% The percent sign. Useful for helpers which need # an unchanging input format. # -# In addition to the above, any string specified in the referencing -# acl will also be included in the helper request line, after the -# specified formats (see the "acl external" directive) # -# The helper receives lines per the above format specification, -# and returns lines starting with OK or ERR indicating the validity -# of the request and optionally followed by additional keywords with -# more details. +# General request syntax: +# +# [channel-ID] FORMAT-values [acl-values ...] +# +# +# FORMAT-values consists of transaction details expanded with +# whitespace separation per the config file FORMAT specification +# using the FORMAT macros listed above. +# +# acl-values consists of any string specified in the referencing +# config 'acl ... external' line. see the "acl external" directive. +# +# Request values sent to the helper are URL escaped to protect +# each value in requests against whitespaces. +# +# If using protocol=2.5 then the request sent to the helper is not +# URL escaped to protect against whitespace. +# +# NOTE: protocol=3.0 is deprecated as no longer necessary. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# +# The helper receives lines expanded per the above format specification +# and for each input line returns 1 line starting with OK/ERR/BH result +# code and optionally followed by additional keywords with more details. +# # # General result syntax: # -# OK/ERR keyword=value ... +# [channel-ID] result keyword=value ... +# +# Result consists of one of the codes: +# +# OK +# the ACL test produced a match. +# +# ERR +# the ACL test does not produce a match. +# +# BH +# An internal error occurred in the helper, preventing +# a result being identified. +# +# The meaning of 'a match' is determined by your squid.conf +# access control configuration. See the Squid wiki for details. # # Defined keywords: # # user= The users name (login) +# # password= The users password (for login= cache_peer option) -# message= Message describing the reason. Available as %o -# in error pages -# tag= Apply a tag to a request (for both ERR and OK results) -# Only sets a tag, does not alter existing tags. +# +# message= Message describing the reason for this response. +# Available as %o in error pages. +# Useful on (ERR and BH results). +# +# tag= Apply a tag to a request. Only sets a tag once, +# does not alter existing tags. +# # log= String to be logged in access.log. Available as -# %ea in logformat specifications +# %ea in logformat specifications. # -# If protocol=3.0 (the default) then URL escaping is used to protect -# each value in both requests and responses. +# clt_conn_tag= Associates a TAG with the client TCP connection. +# Please see url_rewrite_program related documentation +# for this kv-pair. # -# If using protocol=2.5 then all values need to be enclosed in quotes -# if they may contain whitespace, or the whitespace escaped using \. -# And quotes or \ characters within the keyword value must be \ escaped. +# Any keywords may be sent on any response whether OK, ERR or BH. # -# When using the concurrency= option the protocol is changed by -# introducing a query channel tag infront of the request/response. -# The query channel tag is a number between 0 and concurrency-1. +# All response keyword values need to be a single token with URL +# escaping, or enclosed in double quotes (") and escaped using \ on +# any double quotes or \ characters within the value. The wrapping +# double quotes are removed before the value is interpreted by Squid. +# \r and \n are also replace by CR and LF. +# +# Some example key values: +# +# user=John%20Smith +# user="John Smith" +# user="J. \"Bob\" Smith" #Default: # none @@ -485,9 +686,23 @@ # # When using "file", the file should contain one item per line. # -# By default, regular expressions are CASE-SENSITIVE. -# To make them case-insensitive, use the -i option. To return case-sensitive -# use the +i option between patterns, or make a new ACL line without -i. +# Some acl types supports options which changes their default behaviour. +# The available options are: +# +# -i,+i By default, regular expressions are CASE-SENSITIVE. To make them +# case-insensitive, use the -i option. To return case-sensitive +# use the +i option between patterns, or make a new ACL line +# without -i. +# +# -n Disable lookups and address type conversions. If lookup or +# conversion is required because the parameter type (IP or +# domain name) does not match the message address type (domain +# name or IP), then the ACL would immediately declare a mismatch +# without any warnings or lookups. +# +# -- Used to stop processing all options, in the case the first acl +# value has '-' character as first character (for example the '-' +# is a valid domain name) # # Some acl types require suspending the current request in order # to access some external data source. @@ -498,29 +713,31 @@ # # ***** ACL TYPES AVAILABLE ***** # -# acl aclname src ip-address/netmask ... # clients IP address [fast] -# acl aclname src addr1-addr2/netmask ... # range of addresses [fast] -# acl aclname dst ip-address/netmask ... # URL host's IP address [slow] -# acl aclname myip ip-address/netmask ... # local socket IP address [fast] +# acl aclname src ip-address/mask ... # clients IP address [fast] +# acl aclname src addr1-addr2/mask ... # range of addresses [fast] +# acl aclname dst [-n] ip-address/mask ... # URL host's IP address [slow] +# acl aclname localip ip-address/mask ... # IP address the client connected to [fast] # # acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation) -# # The arp ACL requires the special configure option --enable-arp-acl. -# # Furthermore, the ARP ACL code is not portable to all operating systems. -# # It works on Linux, Solaris, Windows, FreeBSD, and some -# # other *BSD variants. # # [fast] +# # The 'arp' ACL code is not portable to all operating systems. +# # It works on Linux, Solaris, Windows, FreeBSD, and some other +# # BSD variants. +# # +# # NOTE: Squid can only determine the MAC/EUI address for IPv4 +# # clients that are on the same subnet. If the client is on a +# # different subnet, then Squid cannot find out its address. # # -# # NOTE: Squid can only determine the MAC address for clients that are on -# # the same subnet. If the client is on a different subnet, -# # then Squid cannot find out its MAC address. +# # NOTE 2: IPv6 protocol does not contain ARP. MAC/EUI is either +# # encoded directly in the IPv6 address or not available. # # acl aclname srcdomain .foo.com ... # # reverse lookup, from client IP [slow] -# acl aclname dstdomain .foo.com ... +# acl aclname dstdomain [-n] .foo.com ... # # Destination server from URL [fast] # acl aclname srcdom_regex [-i] \.foo\.com ... # # regex matching client name [slow] -# acl aclname dstdom_regex [-i] \.foo\.com ... +# acl aclname dstdom_regex [-n] [-i] \.foo\.com ... # # regex matching server [fast] # # # # For dstdomain and dstdom_regex a reverse lookup is tried if a IP @@ -557,13 +774,17 @@ # # acl aclname url_regex [-i] ^http:// ... # # regex matching on whole URL [fast] +# acl aclname urllogin [-i] [^a-zA-Z0-9] ... +# # regex matching on URL login field # acl aclname urlpath_regex [-i] \.gif$ ... # # regex matching on URL path [fast] # # acl aclname port 80 70 21 0-1024... # destination TCP port [fast] # # ranges are alloed -# acl aclname myport 3128 ... # local socket TCP port [fast] -# acl aclname myportname 3128 ... # http(s)_port name [fast] +# acl aclname localport 3128 ... # TCP port the client connected to [fast] +# # NP: for interception mode this is usually '80' +# +# acl aclname myportname 3128 ... # *_port name [fast] # # acl aclname proto HTTP FTP ... # request protocol [fast] # @@ -632,6 +853,11 @@ # # clients may appear to come from multiple addresses if they are # # going through proxy farms, so a limit of 1 may cause user problems. # +# acl aclname random probability +# # Pseudo-randomly match requests. Based on the probability given. +# # Probability may be written as a decimal (0.333), fraction (1/3) +# # or ratio of matches:non-matches (3:5). +# # acl aclname req_mime_type [-i] mime-type ... # # regex match against the mime type of the request generated # # by the client. Can be used to detect file upload or some @@ -663,11 +889,11 @@ # # acl aclname user_cert attribute values... # # match against attributes in a user SSL certificate -# # attribute is one of DN/C/O/CN/L/ST [fast] +# # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast] # # acl aclname ca_cert attribute values... # # match against attributes a users issuing CA SSL certificate -# # attribute is one of DN/C/O/CN/L/ST [fast] +# # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast] # # acl aclname ext_user username ... # acl aclname ext_user_regex [-i] pattern ... @@ -675,7 +901,59 @@ # # use REQUIRED to accept any non-null user name. # # acl aclname tag tagvalue ... -# # string match on tag returned by external acl helper [slow] +# # string match on tag returned by external acl helper [fast] +# # DEPRECATED. Only the first tag will match with this ACL. +# # Use the 'note' ACL instead for handling multiple tag values. +# +# acl aclname hier_code codename ... +# # string match against squid hierarchy code(s); [fast] +# # e.g., DIRECT, PARENT_HIT, NONE, etc. +# # +# # NOTE: This has no effect in http_access rules. It only has +# # effect in rules that affect the reply data stream such as +# # http_reply_access. +# +# acl aclname note name [value ...] +# # match transaction annotation [fast] +# # Without values, matches any annotation with a given name. +# # With value(s), matches any annotation with a given name that +# # also has one of the given values. +# # Names and values are compared using a string equality test. +# # Annotation sources include note and adaptation_meta directives +# # as well as helper and eCAP responses. +# +# acl aclname adaptation_service service ... +# # Matches the name of any icap_service, ecap_service, +# # adaptation_service_set, or adaptation_service_chain that Squid +# # has used (or attempted to use) for the master transaction. +# # This ACL must be defined after the corresponding adaptation +# # service is named in squid.conf. This ACL is usable with +# # adaptation_meta because it starts matching immediately after +# # the service has been selected for adaptation. +# +# acl aclname any-of acl1 acl2 ... +# # match any one of the acls [fast or slow] +# # The first matching ACL stops further ACL evaluation. +# # +# # ACLs from multiple any-of lines with the same name are ORed. +# # For example, A = (a1 or a2) or (a3 or a4) can be written as +# # acl A any-of a1 a2 +# # acl A any-of a3 a4 +# # +# # This group ACL is fast if all evaluated ACLs in the group are fast +# # and slow otherwise. +# +# acl aclname all-of acl1 acl2 ... +# # match all of the acls [fast or slow] +# # The first mismatching ACL stops further ACL evaluation. +# # +# # ACLs from multiple all-of lines with the same name are ORed. +# # For example, B = (b1 and b2) or (b3 and b4) can be written as +# # acl B all-of b1 b2 +# # acl B all-of b3 b4 +# # +# # This group ACL is fast if all evaluated ACLs in the group are fast +# # and slow otherwise. # # Examples: # acl macaddress arp 09:00:2b:23:45:67 @@ -685,14 +963,11 @@ # acl javascript rep_mime_type -i ^application/x-javascript$ # #Default: -# acl all src all +# ACLs all, manager, localhost, and to_localhost are predefined. # # # Recommended minimum configuration: -# (now built-in) -#acl manager proto cache_object -#acl localhost src 127.0.0.1/32 ::1 -#acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1 +# # Example rule allowing access from your local networks. # Adapt to list your (internal) IP networks from where browsing @@ -716,39 +991,83 @@ acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT +# TAG: proxy_protocol_access +# Determine which client proxies can be trusted to provide correct +# information regarding real client IP address using PROXY protocol. +# +# Requests may pass through a chain of several other proxies +# before reaching us. The original source details may by sent in: +# * HTTP message Forwarded header, or +# * HTTP message X-Forwarded-For header, or +# * PROXY protocol connection header. +# +# This directive is solely for validating new PROXY protocol +# connections received from a port flagged with require-proxy-header. +# It is checked only once after TCP connection setup. +# +# A deny match results in TCP connection closure. +# +# An allow match is required for Squid to permit the corresponding +# TCP connection, before Squid even looks for HTTP request headers. +# If there is an allow match, Squid starts using PROXY header information +# to determine the source address of the connection for all future ACL +# checks, logging, etc. +# +# SECURITY CONSIDERATIONS: +# +# Any host from which we accept client IP details can place +# incorrect information in the relevant header, and Squid +# will use the incorrect information as if it were the +# source address of the request. This may enable remote +# hosts to bypass any access control restrictions that are +# based on the client's source addresses. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# all TCP connections to ports with require-proxy-header will be denied + # TAG: follow_x_forwarded_for -# Allowing or Denying the X-Forwarded-For header to be followed to -# find the original source of a request. +# Determine which client proxies can be trusted to provide correct +# information regarding real client IP address. # # Requests may pass through a chain of several other proxies -# before reaching us. The X-Forwarded-For header will contain a -# comma-separated list of the IP addresses in the chain, with the -# rightmost address being the most recent. +# before reaching us. The original source details may by sent in: +# * HTTP message Forwarded header, or +# * HTTP message X-Forwarded-For header, or +# * PROXY protocol connection header. +# +# PROXY protocol connections are controlled by the proxy_protocol_access +# directive which is checked before this. # # If a request reaches us from a source that is allowed by this -# configuration item, then we consult the X-Forwarded-For header -# to see where that host received the request from. If the -# X-Forwarded-For header contains multiple addresses, we continue -# backtracking until we reach an address for which we are not allowed -# to follow the X-Forwarded-For header, or until we reach the first -# address in the list. For the purpose of ACL used in the -# follow_x_forwarded_for directive the src ACL type always matches -# the address we are testing and srcdomain matches its rDNS. +# directive, then we trust the information it provides regarding +# the IP of the client it received from (if any). +# +# For the purpose of ACLs used in this directive the src ACL type always +# matches the address we are testing and srcdomain matches its rDNS. +# +# On each HTTP request Squid checks for X-Forwarded-For header fields. +# If found the header values are iterated in reverse order and an allow +# match is required for Squid to continue on to the next value. +# The verification ends when a value receives a deny match, cannot be +# tested, or there are no more values to test. +# NOTE: Squid does not yet follow the Forwarded HTTP header. # # The end result of this process is an IP address that we will # refer to as the indirect client address. This address may # be treated as the client address for access control, ICAP, delay # pools and logging, depending on the acl_uses_indirect_client, -# icap_uses_indirect_client, delay_pool_uses_indirect_client and -# log_uses_indirect_client options. +# icap_uses_indirect_client, delay_pool_uses_indirect_client, +# log_uses_indirect_client and tproxy_uses_indirect_client options. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # # SECURITY CONSIDERATIONS: # -# Any host for which we follow the X-Forwarded-For header -# can place incorrect information in the header, and Squid +# Any host from which we accept client IP details can place +# incorrect information in the relevant header, and Squid # will use the incorrect information as if it were the # source address of the request. This may enable remote # hosts to bypass any access control restrictions that are @@ -761,7 +1080,7 @@ acl CONNECT method CONNECT # follow_x_forwarded_for allow localhost # follow_x_forwarded_for allow my_other_proxy #Default: -# follow_x_forwarded_for deny all +# X-Forwarded-For header will be ignored. # TAG: acl_uses_indirect_client on|off # Controls whether the indirect client address @@ -787,10 +1106,41 @@ acl CONNECT method CONNECT #Default: # log_uses_indirect_client on +# TAG: tproxy_uses_indirect_client on|off +# Controls whether the indirect client address +# (see follow_x_forwarded_for) is used instead of the +# direct client address when spoofing the outgoing client. +# +# This has no effect on requests arriving in non-tproxy +# mode ports. +# +# SECURITY WARNING: Usage of this option is dangerous +# and should not be used trivially. Correct configuration +# of follow_x_forwarded_for with a limited set of trusted +# sources is required to prevent abuse of your proxy. +#Default: +# tproxy_uses_indirect_client off + +# TAG: spoof_client_ip +# Control client IP address spoofing of TPROXY traffic based on +# defined access lists. +# +# spoof_client_ip allow|deny [!]aclname ... +# +# If there are no "spoof_client_ip" lines present, the default +# is to "allow" spoofing of any suitable request. +# +# Note that the cache_peer "no-tproxy" option overrides this ACL. +# +# This clause supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Allow spoofing on all TPROXY traffic. + # TAG: http_access # Allowing or Denying access based on defined access lists # -# Access to the HTTP port: +# To allow or deny a message received on an HTTP, HTTPS, or FTP port: # http_access allow|deny [!]aclname ... # # NOTE on default values: @@ -809,22 +1159,22 @@ acl CONNECT method CONNECT # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # #Default: -# http_access deny all +# Deny, unless rules exist in squid.conf. # # # Recommended minimum Access Permission configuration: # -# Only allow cachemgr access from localhost -http_access allow manager localhost -http_access deny manager - # Deny requests to certain unsafe ports http_access deny !Safe_ports # Deny CONNECT to other than secure SSL ports http_access deny CONNECT !SSL_ports +# Only allow cachemgr access from localhost +http_access allow localhost manager +http_access deny manager + # We strongly recommend the following be uncommented to protect innocent # web applications running on the proxy server who think the only # one who can access services on "localhost" is a local user @@ -852,7 +1202,7 @@ http_access deny all # # If not set then only http_access is used. #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: http_reply_access # Allow replies to client requests. This is complementary to http_access. @@ -860,7 +1210,7 @@ http_access deny all # http_reply_access allow|deny [!] aclname ... # # NOTE: if there are no access lines present, the default is to allow -# all replies +# all replies. # # If none of the access lines cause a match the opposite of the # last line will apply. Thus it is good practice to end the rules @@ -869,7 +1219,7 @@ http_access deny all # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: icp_access # Allowing or Denying access to the ICP port based on defined @@ -877,7 +1227,9 @@ http_access deny all # # icp_access allow|deny [!]aclname ... # -# See http_access for details +# NOTE: The default if no icp_access lines are present is to +# deny all traffic. This default may cause problems with peers +# using ICP. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. @@ -886,7 +1238,7 @@ http_access deny all ##icp_access allow localnet ##icp_access deny all #Default: -# icp_access deny all +# Deny, unless rules exist in squid.conf. # TAG: htcp_access # Allowing or Denying access to the HTCP port based on defined @@ -894,11 +1246,12 @@ http_access deny all # # htcp_access allow|deny [!]aclname ... # -# See http_access for details +# See also htcp_clr_access for details on access control for +# cache purge (CLR) HTCP messages. # # NOTE: The default if no htcp_access lines are present is to # deny all traffic. This default may cause problems with peers -# using the htcp or htcp-oldsquid options. +# using the htcp option. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. @@ -907,48 +1260,47 @@ http_access deny all ##htcp_access allow localnet ##htcp_access deny all #Default: -# htcp_access deny all +# Deny, unless rules exist in squid.conf. # TAG: htcp_clr_access # Allowing or Denying access to purge content using HTCP based -# on defined access lists +# on defined access lists. +# See htcp_access for details on general HTCP access control. # # htcp_clr_access allow|deny [!]aclname ... # -# See http_access for details -# # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # ## Allow HTCP CLR requests from trusted peers -#acl htcp_clr_peer src 172.16.1.2 +#acl htcp_clr_peer src 192.0.2.2 2001:DB8::2 #htcp_clr_access allow htcp_clr_peer +#htcp_clr_access deny all #Default: -# htcp_clr_access deny all +# Deny, unless rules exist in squid.conf. # TAG: miss_access -# Determins whether network access is permitted when satisfying a request. +# Determines whether network access is permitted when satisfying a request. # # For example; # to force your neighbors to use you as a sibling instead of # a parent. # -# acl localclients src 172.16.0.0/16 -# miss_access allow localclients +# acl localclients src 192.0.2.0/24 2001:DB8::a:0/64 # miss_access deny !localclients +# miss_access allow all # # This means only your local clients are allowed to fetch relayed/MISS # replies from the network and all other clients can only fetch cached # objects (HITs). # -# # The default for this setting allows all clients who passed the # http_access rules to relay via this proxy. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# miss_access allow all +# Allow, unless rules exist in squid.conf. # TAG: ident_lookup_access # A list of ACL elements which, if matched, cause an ident @@ -972,7 +1324,7 @@ http_access deny all # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# ident_lookup_access deny all +# Unless rules exist in squid.conf, IDENT is not fetched. # TAG: reply_body_max_size size [acl acl...] # This option specifies the maximum size of a reply body. It can be @@ -1009,23 +1361,22 @@ http_access deny all # reply_body_max_size 10 MB # #Default: -# none +# No limit is applied. # NETWORK OPTIONS # ----------------------------------------------------------------------------- # TAG: http_port -# Usage: port [options] -# hostname:port [options] -# 1.2.3.4:port [options] +# Usage: port [mode] [options] +# hostname:port [mode] [options] +# 1.2.3.4:port [mode] [options] # # The socket addresses where Squid will listen for HTTP client # requests. You may specify multiple socket addresses. # There are three forms: port alone, hostname with port, and # IP address with port. If you specify a hostname or IP # address, Squid binds the socket to that specific -# address. This replaces the old 'tcp_incoming_address' -# option. Most likely, you do not need to bind to a specific +# address. Most likely, you do not need to bind to a specific # address, so you can use the port number alone. # # If you are running Squid in accelerator mode, you @@ -1037,48 +1388,184 @@ http_access deny all # # You may specify multiple socket addresses on multiple lines. # -# Options: +# Modes: # -# intercept Support for IP-Layer interception of -# outgoing requests without browser settings. -# NP: disables authentication and IPv6 on the port. +# intercept Support for IP-Layer NAT interception delivering +# traffic to this Squid port. +# NP: disables authentication on the port. # -# tproxy Support Linux TPROXY for spoofing outgoing -# connections using the client IP address. -# NP: disables authentication and maybe IPv6 on the port. +# tproxy Support Linux TPROXY (or BSD divert-to) with spoofing +# of outgoing connections using the client IP address. +# NP: disables authentication on the port. # -# accel Accelerator mode. Also needs at least one of -# vhost / vport / defaultsite. +# accel Accelerator / reverse proxy mode # -# allow-direct Allow direct forwarding in accelerator mode. Normally -# accelerated requests are denied direct forwarding as if -# never_direct was used. +# ssl-bump For each CONNECT request allowed by ssl_bump ACLs, +# establish secure connection with the client and with +# the server, decrypt HTTPS messages as they pass through +# Squid, and treat them as unencrypted HTTP messages, +# becoming the man-in-the-middle. # -# defaultsite=domainname -# What to use for the Host: header if it is not present -# in a request. Determines what site (not origin server) -# accelerators should consider the default. -# Implies accel. +# The ssl_bump option is required to fully enable +# bumping of CONNECT requests. +# +# Omitting the mode flag causes default forward proxy mode to be used. +# +# +# Accelerator Mode Options: +# +# defaultsite=domainname +# What to use for the Host: header if it is not present +# in a request. Determines what site (not origin server) +# accelerators should consider the default. # -# vhost Accelerator mode using Host header for virtual domain support. -# Also uses the port as specified in Host: header unless -# overridden by the vport option. Implies accel. +# no-vhost Disable using HTTP/1.1 Host header for virtual domain support. +# +# protocol= Protocol to reconstruct accelerated and intercepted +# requests with. Defaults to HTTP/1.1 for http_port and +# HTTPS/1.1 for https_port. +# When an unsupported value is configured Squid will +# produce a FATAL error. +# Values: HTTP or HTTP/1.1, HTTPS or HTTPS/1.1 # # vport Virtual host port support. Using the http_port number -# instead of the port passed on Host: headers. Implies accel. +# instead of the port passed on Host: headers. # # vport=NN Virtual host port support. Using the specified port # number instead of the port passed on Host: headers. -# Implies accel. # -# protocol= Protocol to reconstruct accelerated requests with. -# Defaults to http. +# act-as-origin +# Act as if this Squid is the origin server. +# This currently means generate new Date: and Expires: +# headers on HIT instead of adding Age:. # # ignore-cc Ignore request Cache-Control headers. # -# Warning: This option violates HTTP specifications if +# WARNING: This option violates HTTP specifications if # used in non-accelerator setups. # +# allow-direct Allow direct forwarding in accelerator mode. Normally +# accelerated requests are denied direct forwarding as if +# never_direct was used. +# +# WARNING: this option opens accelerator mode to security +# vulnerabilities usually only affecting in interception +# mode. Make sure to protect forwarding with suitable +# http_access rules when using this. +# +# +# SSL Bump Mode Options: +# In addition to these options ssl-bump requires TLS/SSL options. +# +# generate-host-certificates[=] +# Dynamically create SSL server certificates for the +# destination hosts of bumped CONNECT requests.When +# enabled, the cert and key options are used to sign +# generated certificates. Otherwise generated +# certificate will be selfsigned. +# If there is a CA certificate lifetime of the generated +# certificate equals lifetime of the CA certificate. If +# generated certificate is selfsigned lifetime is three +# years. +# This option is disabled by default. See the ssl-bump +# option above for more information. +# +# dynamic_cert_mem_cache_size=SIZE +# Approximate total RAM size spent on cached generated +# certificates. If set to zero, caching is disabled. +# +# TLS / SSL Options: +# +# cert= Path to SSL certificate (PEM format). +# +# key= Path to SSL private key file (PEM format) +# if not specified, the certificate file is +# assumed to be a combined certificate and +# key file. +# +# version= The version of SSL/TLS supported +# 1 automatic (default) +# 2 SSLv2 only +# 3 SSLv3 only +# 4 TLSv1.0 only +# 5 TLSv1.1 only +# 6 TLSv1.2 only +# +# cipher= Colon separated list of supported ciphers. +# NOTE: some ciphers such as EDH ciphers depend on +# additional settings. If those settings are +# omitted the ciphers may be silently ignored +# by the OpenSSL library. +# +# options= Various SSL implementation options. The most important +# being: +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# SINGLE_DH_USE Always create a new key when using +# temporary/ephemeral DH key exchanges +# NO_TICKET Disables TLS tickets extension +# +# SINGLE_ECDH_USE +# Enable ephemeral ECDH key exchange. +# The adopted curve should be specified +# using the tls-dh option. +# +# ALL Enable various bug workarounds +# suggested as "harmless" by OpenSSL +# Be warned that this reduces SSL/TLS +# strength to some attacks. +# See OpenSSL SSL_CTX_set_options documentation for a +# complete list of options. +# +# clientca= File containing the list of CAs to use when +# requesting a client certificate. +# +# cafile= File containing additional CA certificates to +# use when verifying client certificates. If unset +# clientca will be used. +# +# capath= Directory containing additional CA certificates +# and CRL lists to use when verifying client certificates. +# +# crlfile= File of additional CRL lists to use when verifying +# the client certificate, in addition to CRLs stored in +# the capath. Implies VERIFY_CRL flag below. +# +# tls-dh=[curve:]file +# File containing DH parameters for temporary/ephemeral DH key +# exchanges, optionally prefixed by a curve for ephemeral ECDH +# key exchanges. +# See OpenSSL documentation for details on how to create the +# DH parameter file. Supported curves for ECDH can be listed +# using the "openssl ecparam -list_curves" command. +# WARNING: EDH and EECDH ciphers will be silently disabled if +# this option is not set. +# +# sslflags= Various flags modifying the use of SSL: +# DELAYED_AUTH +# Don't request client certificates +# immediately, but wait until acl processing +# requires a certificate (not yet implemented). +# NO_DEFAULT_CA +# Don't use the default CA lists built in +# to OpenSSL. +# NO_SESSION_REUSE +# Don't allow for session reuse. Each connection +# will result in a new SSL session. +# VERIFY_CRL +# Verify CRL lists when accepting client +# certificates. +# VERIFY_CRL_ALL +# Verify CRL lists for all certificates in the +# client certificate chain. +# +# sslcontext= SSL session ID context identifier. +# +# Other Options: +# # connection-auth[=on|off] # use connection-auth=off to tell Squid to prevent # forwarding Microsoft connection oriented authentication @@ -1100,22 +1587,6 @@ http_access deny all # sporadically hang or never complete requests set # disable-pmtu-discovery option to 'transparent'. # -# ssl-bump Intercept each CONNECT request matching ssl_bump ACL, -# establish secure connection with the client and with -# the server, decrypt HTTP messages as they pass through -# Squid, and treat them as unencrypted HTTP messages, -# becoming the man-in-the-middle. -# -# When this option is enabled, additional options become -# available to specify SSL-related properties of the -# client-side connection: cert, key, version, cipher, -# options, clientca, cafile, capath, crlfile, dhparams, -# sslflags, and sslcontext. See the https_port directive -# for more information on these options. -# -# The ssl_bump option is required to fully enable -# the SslBump feature. -# # name= Specifies a internal name for the port. Defaults to # the port specification (port or addr:port) # @@ -1125,6 +1596,11 @@ http_access deny all # probing the connection, interval how often to probe, and # timeout the time before giving up. # +# require-proxy-header +# Require PROXY protocol version 1 or 2 connections. +# The proxy_protocol_access is required to whitelist +# downstream proxies which can be trusted. +# # If you run Squid on a dual-homed machine with an internal # and an external interface we recommend you to specify the # internal address:port in http_port. This way Squid will only be @@ -1137,35 +1613,49 @@ http_port 3128 # TAG: https_port # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # -# Usage: [ip:]port cert=certificate.pem [key=key.pem] [options...] +# Usage: [ip:]port cert=certificate.pem [key=key.pem] [mode] [options...] # -# The socket address where Squid will listen for HTTPS client -# requests. +# The socket address where Squid will listen for client requests made +# over TLS or SSL connections. Commonly referred to as HTTPS. # -# This is really only useful for situations where you are running -# squid in accelerator mode and you want to do the SSL work at the -# accelerator level. +# This is most useful for situations where you are running squid in +# accelerator mode and you want to do the SSL work at the accelerator level. # # You may specify multiple socket addresses on multiple lines, # each with their own SSL certificate and/or options. # -# Options: +# Modes: +# +# accel Accelerator / reverse proxy mode +# +# intercept Support for IP-Layer interception of +# outgoing requests without browser settings. +# NP: disables authentication and IPv6 on the port. +# +# tproxy Support Linux TPROXY for spoofing outgoing +# connections using the client IP address. +# NP: disables authentication and maybe IPv6 on the port. +# +# ssl-bump For each intercepted connection allowed by ssl_bump +# ACLs, establish a secure connection with the client and with +# the server, decrypt HTTPS messages as they pass through +# Squid, and treat them as unencrypted HTTP messages, +# becoming the man-in-the-middle. +# +# An "ssl_bump server-first" match is required to +# fully enable bumping of intercepted SSL connections. +# +# Requires tproxy or intercept. # -# accel Accelerator mode. Also needs at least one of -# defaultsite or vhost. +# Omitting the mode flag causes default forward proxy mode to be used. # -# defaultsite= The name of the https site presented on -# this port. Implies accel. # -# vhost Accelerator mode using Host header for virtual -# domain support. Requires a wildcard certificate -# or other certificate valid for more than one domain. -# Implies accel. +# See http_port for a list of generic options # -# protocol= Protocol to reconstruct accelerated requests with. -# Defaults to https. +# +# SSL Options: # # cert= Path to SSL certificate (PEM format). # @@ -1181,20 +1671,23 @@ http_port 3128 # 4 TLSv1 only # # cipher= Colon separated list of supported ciphers. -# NOTE: some ciphers such as EDH ciphers depend on -# additional settings. If those settings are -# omitted the ciphers may be silently ignored -# by the OpenSSL library. # # options= Various SSL engine options. The most important # being: # NO_SSLv2 Disallow the use of SSLv2 # NO_SSLv3 Disallow the use of SSLv3 # NO_TLSv1 Disallow the use of TLSv1 +# # SINGLE_DH_USE Always create a new key when using # temporary/ephemeral DH key exchanges -# See OpenSSL SSL_CTX_set_options documentation for a -# complete list of options. +# +# SINGLE_ECDH_USE +# Enable ephemeral ECDH key exchange. +# The adopted curve should be specified +# using the tls-dh option. +# +# See src/ssl_support.c or OpenSSL SSL_CTX_set_options +# documentation for a complete list of options. # # clientca= File containing the list of CAs to use when # requesting a client certificate. @@ -1210,11 +1703,10 @@ http_port 3128 # the client certificate, in addition to CRLs stored in # the capath. Implies VERIFY_CRL flag below. # -# dhparams= File containing DH parameters for temporary/ephemeral -# DH key exchanges. See OpenSSL documentation for details -# on how to create this file. -# WARNING: EDH ciphers will be silently disabled if this -# option is not set. +# tls-dh=[curve:]file +# File containing DH parameters for temporary/ephemeral DH key +# exchanges, optionally prefixed by a curve for ephemeral ECDH +# key exchanges. # # sslflags= Various flags modifying the use of SSL: # DELAYED_AUTH @@ -1238,38 +1730,89 @@ http_port 3128 # # generate-host-certificates[=] # Dynamically create SSL server certificates for the -# destination hosts of bumped CONNECT requests.When +# destination hosts of bumped SSL requests.When # enabled, the cert and key options are used to sign # generated certificates. Otherwise generated # certificate will be selfsigned. -# If there is CA certificate life time of generated +# If there is CA certificate life time of generated # certificate equals lifetime of CA certificate. If -# generated certificate is selfsigned lifetime is three +# generated certificate is selfsigned lifetime is three # years. -# This option is enabled by default when SslBump is used. -# See the sslBump option above for more information. -# +# This option is disabled by default. See the ssl-bump +# option above for more information. +# # dynamic_cert_mem_cache_size=SIZE # Approximate total RAM size spent on cached generated -# certificates. If set to zero, caching is disabled. The -# default value is 4MB. An average XXX-bit certificate -# consumes about XXX bytes of RAM. +# certificates. If set to zero, caching is disabled. # -# vport Accelerator with IP based virtual host support. +# See http_port for a list of available options. +#Default: +# none + +# TAG: ftp_port +# Enables Native FTP proxy by specifying the socket address where Squid +# listens for FTP client requests. See http_port directive for various +# ways to specify the listening address and mode. # -# vport=NN As above, but uses specified port number rather -# than the https_port number. Implies accel. +# Usage: ftp_port address [mode] [options] # -# name= Specifies a internal name for the port. Defaults to -# the port specification (port or addr:port) +# WARNING: This is a new, experimental, complex feature that has seen +# limited production exposure. Some Squid modules (e.g., caching) do not +# currently work with native FTP proxying, and many features have not +# even been tested for compatibility. Test well before deploying! +# +# Native FTP proxying differs substantially from proxying HTTP requests +# with ftp:// URIs because Squid works as an FTP server and receives +# actual FTP commands (rather than HTTP requests with FTP URLs). # +# Native FTP commands accepted at ftp_port are internally converted or +# wrapped into HTTP-like messages. The same happens to Native FTP +# responses received from FTP origin servers. Those HTTP-like messages +# are shoveled through regular access control and adaptation layers +# between the FTP client and the FTP origin server. This allows Squid to +# examine, adapt, block, and log FTP exchanges. Squid reuses most HTTP +# mechanisms when shoveling wrapped FTP messages. For example, +# http_access and adaptation_access directives are used. +# +# Modes: +# +# intercept Same as http_port intercept. The FTP origin address is +# determined based on the intended destination of the +# intercepted connection. +# +# tproxy Support Linux TPROXY for spoofing outgoing +# connections using the client IP address. +# NP: disables authentication and maybe IPv6 on the port. +# +# By default (i.e., without an explicit mode option), Squid extracts the +# FTP origin address from the login@origin parameter of the FTP USER +# command. Many popular FTP clients support such native FTP proxying. +# +# Options: +# +# name=token Specifies an internal name for the port. Defaults to +# the port address. Usable with myportname ACL. +# +# ftp-track-dirs +# Enables tracking of FTP directories by injecting extra +# PWD commands and adjusting Request-URI (in wrapping +# HTTP requests) to reflect the current FTP server +# directory. Tracking is disabled by default. +# +# protocol=FTP Protocol to reconstruct accelerated and intercepted +# requests with. Defaults to FTP. No other accepted +# values have been tested with. An unsupported value +# results in a FATAL error. Accepted values are FTP, +# HTTP (or HTTP/1.1), and HTTPS (or HTTPS/1.1). +# +# Other http_port modes and options that are not specific to HTTP and +# HTTPS may also work. #Default: # none # TAG: tcp_outgoing_tos -# Allows you to select a TOS/Diffserv value to mark outgoing -# connections with, based on the username or source address -# making the request. +# Allows you to select a TOS/Diffserv value for packets outgoing +# on the server side, based on an ACL. # # tcp_outgoing_tos ds-field [!]aclname ... # @@ -1286,41 +1829,116 @@ http_port 3128 # RFC2475, and RFC3260. # # The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or -# "default" to use whatever default your host has. Note that in -# practice often only multiples of 4 is usable as the two rightmost bits -# have been redefined for use by ECN (RFC 3168 section 23.1). +# "default" to use whatever default your host has. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. # # Processing proceeds in the order specified, and stops at first fully # matching line. # -# Note: The use of this directive using client dependent ACLs is -# incompatible with the use of server side persistent connections. To -# ensure correct results it is best to set server_persistent_connections -# to off when using this directive in such configurations. +# Only fast ACLs are supported. #Default: # none # TAG: clientside_tos -# Allows you to select a TOS/Diffserv value to mark client-side -# connections with, based on the username or source address -# making the request. +# Allows you to select a TOS/DSCP value for packets being transmitted +# on the client-side, based on an ACL. +# +# clientside_tos ds-field [!]aclname ... +# +# Example where normal_service_net uses the TOS value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# clientside_tos 0x00 normal_service_net +# clientside_tos 0x20 good_service_net +# +# Note: This feature is incompatible with qos_flows. Any TOS values set here +# will be overwritten by TOS values in qos_flows. +# +# The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or +# "default" to use whatever default your host has. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. +# +#Default: +# none + +# TAG: tcp_outgoing_mark +# Note: This option is only available if Squid is rebuilt with the +# Packet MARK (Linux) +# +# Allows you to apply a Netfilter mark value to outgoing packets +# on the server side, based on an ACL. +# +# tcp_outgoing_mark mark-value [!]aclname ... +# +# Example where normal_service_net uses the mark value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# tcp_outgoing_mark 0x00 normal_service_net +# tcp_outgoing_mark 0x20 good_service_net +# +# Only fast ACLs are supported. +#Default: +# none + +# TAG: clientside_mark +# Note: This option is only available if Squid is rebuilt with the +# Packet MARK (Linux) +# +# Allows you to apply a Netfilter mark value to packets being transmitted +# on the client-side, based on an ACL. +# +# clientside_mark mark-value [!]aclname ... +# +# Example where normal_service_net uses the mark value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# clientside_mark 0x00 normal_service_net +# clientside_mark 0x20 good_service_net +# +# Note: This feature is incompatible with qos_flows. Any mark values set here +# will be overwritten by mark values in qos_flows. #Default: # none # TAG: qos_flows # Allows you to select a TOS/DSCP value to mark outgoing -# connections with, based on where the reply was sourced. +# connections to the client, based on where the reply was sourced. +# For platforms using netfilter, allows you to set a netfilter mark +# value instead of, or in addition to, a TOS value. +# +# By default this functionality is disabled. To enable it with the default +# settings simply use "qos_flows mark" or "qos_flows tos". Default +# settings will result in the netfilter mark or TOS value being copied +# from the upstream connection to the client. Note that it is the connection +# CONNMARK value not the packet MARK value that is copied. +# +# It is not currently possible to copy the mark or TOS value from the +# client to the upstream connection request. # # TOS values really only have local significance - so you should # know what you're specifying. For more information, see RFC2474, # RFC2475, and RFC3260. # -# The TOS/DSCP byte must be exactly that - octet value 0x00-0xFF. -# Note that in practice often only values up to 0x3F are usable -# as the two highest bits have been redefined for use by ECN -# (RFC3168). +# The TOS/DSCP byte must be exactly that - a octet value 0 - 255. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. +# +# Mark values can be any unsigned 32-bit integer value. # -# This setting is configured by setting the source TOS values: +# This setting is configured by setting the following values: +# +# tos|mark Whether to set TOS or netfilter mark values # # local-hit=0xFF Value to mark local cache hits. # @@ -1328,23 +1946,37 @@ http_port 3128 # # parent-hit=0xFF Value to mark hits from parent peers. # +# miss=0xFF[/mask] Value to mark cache misses. Takes precedence +# over the preserve-miss feature (see below), unless +# mask is specified, in which case only the bits +# specified in the mask are written. # -# NOTE: 'miss' preserve feature is only possible on Linux at this time. -# -# For the following to work correctly, you will need to patch your -# linux kernel with the TOS preserving ZPH patch. -# The kernel patch can be downloaded from http://zph.bratcheda.org +# The TOS variant of the following features are only possible on Linux +# and require your kernel to be patched with the TOS preserving ZPH +# patch, available from http://zph.bratcheda.org +# No patch is needed to preserve the netfilter mark, which will work +# with all variants of netfilter. # # disable-preserve-miss -# By default, the existing TOS value of the response coming -# from the remote server will be retained and masked with -# miss-mark. This option disables that feature. +# This option disables the preservation of the TOS or netfilter +# mark. By default, the existing TOS or netfilter mark value of +# the response coming from the remote server will be retained +# and masked with miss-mark. +# NOTE: in the case of a netfilter mark, the mark must be set on +# the connection (using the CONNMARK target) not on the packet +# (MARK target). # # miss-mask=0xFF -# Allows you to mask certain bits in the TOS received from the -# remote server, before copying the value to the TOS sent -# towards clients. -# Default: 0xFF (TOS from server is not changed). +# Allows you to mask certain bits in the TOS or mark value +# received from the remote server, before copying the value to +# the TOS sent towards clients. +# Default for tos: 0xFF (TOS from server is not changed). +# Default for mark: 0xFFFFFFFF (mark from server is not changed). +# +# All of these features require the --enable-zph-qos compilation flag +# (enabled by default). Netfilter marking also requires the +# libnetfilter_conntrack libraries (--with-netfilter-conntrack) and +# libcap 2.09+ (--with-libcap). # #Default: # none @@ -1356,72 +1988,133 @@ http_port 3128 # # tcp_outgoing_address ipaddr [[!]aclname] ... # -# Example where requests from 10.0.0.0/24 will be forwarded -# with source address 10.1.0.1, 10.0.2.0/24 forwarded with -# source address 10.1.0.2 and the rest will be forwarded with -# source address 10.1.0.3. -# -# acl normal_service_net src 10.0.0.0/24 -# acl good_service_net src 10.0.2.0/24 -# tcp_outgoing_address 10.1.0.1 normal_service_net -# tcp_outgoing_address 10.1.0.2 good_service_net -# tcp_outgoing_address 10.1.0.3 -# -# Processing proceeds in the order specified, and stops at first fully -# matching line. -# -# Note: The use of this directive using client dependent ACLs is -# incompatible with the use of server side persistent connections. To -# ensure correct results it is best to set server_persistent_connections -# to off when using this directive in such configurations. -# +# For example; +# Forwarding clients with dedicated IPs for certain subnets. # -# IPv6 Magic: +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.2.0/24 # -# Squid is built with a capability of bridging the IPv4 and IPv6 -# internets. -# tcp_outgoing_address as exampled above breaks this bridging by forcing -# all outbound traffic through a certain IPv4 which may be on the wrong -# side of the IPv4/IPv6 boundary. +# tcp_outgoing_address 2001:db8::c001 good_service_net +# tcp_outgoing_address 10.1.0.2 good_service_net # -# To operate with tcp_outgoing_address and keep the bridging benefits -# an additional ACL needs to be used which ensures the IPv6-bound traffic -# is never forced or permitted out the IPv4 interface. +# tcp_outgoing_address 2001:db8::beef normal_service_net +# tcp_outgoing_address 10.1.0.1 normal_service_net # -# # IPv6 destination test along with a dummy access control to perform the required DNS -# # This MUST be place before any ALLOW rules. -# acl to_ipv6 dst ipv6 -# http_access deny ipv6 !all +# tcp_outgoing_address 2001:db8::1 +# tcp_outgoing_address 10.1.0.3 # -# tcp_outgoing_address 2001:db8::c001 good_service_net to_ipv6 -# tcp_outgoing_address 10.1.0.2 good_service_net !to_ipv6 +# Processing proceeds in the order specified, and stops at first fully +# matching line. # -# tcp_outgoing_address 2001:db8::beef normal_service_net to_ipv6 -# tcp_outgoing_address 10.1.0.1 normal_service_net !to_ipv6 +# Squid will add an implicit IP version test to each line. +# Requests going to IPv4 websites will use the outgoing 10.1.0.* addresses. +# Requests going to IPv6 websites will use the outgoing 2001:db8:* addresses. # -# tcp_outgoing_address 2001:db8::1 to_ipv6 -# tcp_outgoing_address 10.1.0.3 !to_ipv6 # -# WARNING: -# 'dst ipv6' bases its selection assuming DIRECT access. -# If peers are used the peername ACL are needed to select outgoing -# address which can link to the peer. +# NOTE: The use of this directive using client dependent ACLs is +# incompatible with the use of server side persistent connections. To +# ensure correct results it is best to set server_persistent_connections +# to off when using this directive in such configurations. # -# 'dst ipv6' is a slow ACL. It will only work here if 'dst' is used -# previously in the http_access rules to locate the destination IP. -# Some more magic may be needed for that: -# http_access allow to_ipv6 !all -# (meaning, allow if to IPv6 but not from anywhere ;) +# NOTE: The use of this directive to set a local IP on outgoing TCP links +# is incompatible with using TPROXY to set client IP out outbound TCP links. +# When needing to contact peers use the no-tproxy cache_peer option and the +# client_dst_passthru directive re-enable normal forwarding such as this. # #Default: -# none +# Address selection is performed by the operating system. + +# TAG: host_verify_strict +# Regardless of this option setting, when dealing with intercepted +# traffic, Squid always verifies that the destination IP address matches +# the Host header domain or IP (called 'authority form URL'). +# +# This enforcement is performed to satisfy a MUST-level requirement in +# RFC 2616 section 14.23: "The Host field value MUST represent the naming +# authority of the origin server or gateway given by the original URL". +# +# When set to ON: +# Squid always responds with an HTTP 409 (Conflict) error +# page and logs a security warning if there is no match. +# +# Squid verifies that the destination IP address matches +# the Host header for forward-proxy and reverse-proxy traffic +# as well. For those traffic types, Squid also enables the +# following checks, comparing the corresponding Host header +# and Request-URI components: +# +# * The host names (domain or IP) must be identical, +# but valueless or missing Host header disables all checks. +# For the two host names to match, both must be either IP +# or FQDN. +# +# * Port numbers must be identical, but if a port is missing +# the scheme-default port is assumed. +# +# +# When set to OFF (the default): +# Squid allows suspicious requests to continue but logs a +# security warning and blocks caching of the response. +# +# * Forward-proxy traffic is not checked at all. +# +# * Reverse-proxy traffic is not checked at all. +# +# * Intercepted traffic which passes verification is handled +# according to client_dst_passthru. +# +# * Intercepted requests which fail verification are sent +# to the client original destination instead of DIRECT. +# This overrides 'client_dst_passthru off'. +# +# For now suspicious intercepted CONNECT requests are always +# responded to with an HTTP 409 (Conflict) error page. +# +# +# SECURITY NOTE: +# +# As described in CVE-2009-0801 when the Host: header alone is used +# to determine the destination of a request it becomes trivial for +# malicious scripts on remote websites to bypass browser same-origin +# security policy and sandboxing protections. +# +# The cause of this is that such applets are allowed to perform their +# own HTTP stack, in which case the same-origin policy of the browser +# sandbox only verifies that the applet tries to contact the same IP +# as from where it was loaded at the IP level. The Host: header may +# be different from the connected IP and approved origin. +# +#Default: +# host_verify_strict off + +# TAG: client_dst_passthru +# With NAT or TPROXY intercepted traffic Squid may pass the request +# directly to the original client destination IP or seek a faster +# source using the HTTP Host header. +# +# Using Host to locate alternative servers can provide faster +# connectivity with a range of failure recovery options. +# But can also lead to connectivity trouble when the client and +# server are attempting stateful interactions unaware of the proxy. +# +# This option (on by default) prevents alternative DNS entries being +# located to send intercepted traffic DIRECT to an origin server. +# The clients original destination IP and port will be used instead. +# +# Regardless of this option setting, when dealing with intercepted +# traffic Squid will verify the Host: header and any traffic which +# fails Host verification will be treated as if this option were ON. +# +# see host_verify_strict for details on the verification process. +#Default: +# client_dst_passthru on # SSL OPTIONS # ----------------------------------------------------------------------------- # TAG: ssl_unclean_shutdown # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Some browsers (especially MSIE) bugs out on SSL shutdown # messages. @@ -1430,7 +2123,7 @@ http_port 3128 # TAG: ssl_engine # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # The OpenSSL engine to use. You will need to set this if you # would like to use hardware SSL acceleration for example. @@ -1439,7 +2132,7 @@ http_port 3128 # TAG: sslproxy_client_certificate # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Client SSL Certificate to use when proxying https:// URLs #Default: @@ -1447,7 +2140,7 @@ http_port 3128 # TAG: sslproxy_client_key # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Client SSL Key to use when proxying https:// URLs #Default: @@ -1455,36 +2148,60 @@ http_port 3128 # TAG: sslproxy_version # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # SSL version level to use when proxying https:// URLs +# +# The versions of SSL/TLS supported: +# +# 1 automatic (default) +# 2 SSLv2 only +# 3 SSLv3 only +# 4 TLSv1.0 only +# 5 TLSv1.1 only +# 6 TLSv1.2 only #Default: -# sslproxy_version 1 +# automatic SSL/TLS version negotiation # TAG: sslproxy_options # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # -# SSL engine options to use when proxying https:// URLs +# Colon (:) or comma (,) separated list of SSL implementation options +# to use when proxying https:// URLs # # The most important being: # -# NO_SSLv2 Disallow the use of SSLv2 -# NO_SSLv3 Disallow the use of SSLv3 -# NO_TLSv1 Disallow the use of TLSv1 -# SINGLE_DH_USE -# Always create a new key when using -# temporary/ephemeral DH key exchanges +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# +# SINGLE_DH_USE +# Always create a new key when using temporary/ephemeral +# DH key exchanges +# +# NO_TICKET +# Disable use of RFC5077 session tickets. Some servers +# may have problems understanding the TLS extension due +# to ambiguous specification in RFC4507. +# +# ALL Enable various bug workarounds suggested as "harmless" +# by OpenSSL. Be warned that this may reduce SSL/TLS +# strength to some attacks. # -# These options vary depending on your SSL engine. # See the OpenSSL SSL_CTX_set_options documentation for a # complete list of possible options. +# +# WARNING: This directive takes a single token. If a space is used +# the value(s) after that space are SILENTLY IGNORED. #Default: # none # TAG: sslproxy_cipher # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # SSL cipher list to use when proxying https:// URLs # @@ -1494,7 +2211,7 @@ http_port 3128 # TAG: sslproxy_cafile # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # file containing CA certificates to use when verifying server # certificates while proxying https:// URLs @@ -1503,45 +2220,151 @@ http_port 3128 # TAG: sslproxy_capath # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # directory containing CA certificates to use when verifying # server certificates while proxying https:// URLs #Default: # none -# TAG: ssl_bump +# TAG: sslproxy_session_ttl +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the timeout value for SSL sessions +#Default: +# sslproxy_session_ttl 300 + +# TAG: sslproxy_session_cache_size +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the cache size to use for ssl session +#Default: +# sslproxy_session_cache_size 2 MB + +# TAG: sslproxy_foreign_intermediate_certs # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # -# This ACL controls which CONNECT requests to an http_port -# marked with an sslBump flag are actually "bumped". Please -# see the sslBump flag of an http_port option for more details -# about decoding proxied SSL connections. +# Many origin servers fail to send their full server certificate +# chain for verification, assuming the client already has or can +# easily locate any missing intermediate certificates. # -# By default, no requests are bumped. +# Squid uses the certificates from the specified file to fill in +# these missing chains when trying to validate origin server +# certificate chains. +# +# The file is expected to contain zero or more PEM-encoded +# intermediate certificates. These certificates are not treated +# as trusted root certificates, and any self-signed certificate in +# this file will be ignored. +#Default: +# none + +# TAG: sslproxy_cert_sign_hash +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the hashing algorithm to use when signing generated certificates. +# Valid algorithm names depend on the OpenSSL library used. The following +# names are usually available: sha1, sha256, sha512, and md5. Please see +# your OpenSSL library manual for the available hashes. By default, Squids +# that support this option use sha256 hashes. +# +# Squid does not forcefully purge cached certificates that were generated +# with an algorithm other than the currently configured one. They remain +# in the cache, subject to the regular cache eviction policy, and become +# useful if the algorithm changes again. +#Default: +# none + +# TAG: ssl_bump +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# This option is consulted when a CONNECT request is received on +# an http_port (or a new connection is intercepted at an +# https_port), provided that port was configured with an ssl-bump +# flag. The subsequent data on the connection is either treated as +# HTTPS and decrypted OR tunneled at TCP level without decryption, +# depending on the first matching bumping "action". +# +# ssl_bump [!]acl ... +# +# The following bumping actions are currently supported: +# +# splice +# Become a TCP tunnel without decrypting proxied traffic. +# This is the default action. +# +# bump +# Establish a secure connection with the server and, using a +# mimicked server certificate, with the client. +# +# peek +# Receive client (step SslBump1) or server (step SslBump2) +# certificate while preserving the possibility of splicing the +# connection. Peeking at the server certificate (during step 2) +# usually precludes bumping of the connection at step 3. +# +# stare +# Receive client (step SslBump1) or server (step SslBump2) +# certificate while preserving the possibility of bumping the +# connection. Staring at the server certificate (during step 2) +# usually precludes splicing of the connection at step 3. +# +# terminate +# Close client and server connections. +# +# Backward compatibility actions available at step SslBump1: +# +# client-first +# Bump the connection. Establish a secure connection with the +# client first, then connect to the server. This old mode does +# not allow Squid to mimic server SSL certificate and does not +# work with intercepted SSL connections. +# +# server-first +# Bump the connection. Establish a secure connection with the +# server first, then establish a secure connection with the +# client, using a mimicked server certificate. Works with both +# CONNECT requests and intercepted SSL connections, but does +# not allow to make decisions based on SSL handshake info. +# +# peek-and-splice +# Decide whether to bump or splice the connection based on +# client-to-squid and server-to-squid SSL hello messages. +# XXX: Remove. +# +# none +# Same as the "splice" action. +# +# All ssl_bump rules are evaluated at each of the supported bumping +# steps. Rules with actions that are impossible at the current step are +# ignored. The first matching ssl_bump action wins and is applied at the +# end of the current step. If no rules match, the splice action is used. +# See the at_step ACL for a list of the supported SslBump steps. # -# See also: http_port ssl-bump -# # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # +# See also: http_port ssl-bump, https_port ssl-bump, and acl at_step. +# # -# # Example: Bump all requests except those originating from localhost and -# # those going to webax.com or example.com sites. +# # Example: Bump all TLS connections except those originating from +# # localhost or those going to example.com. # -# acl localhost src 127.0.0.1/32 -# acl broken_sites dstdomain .webax.com -# acl broken_sites dstdomain .example.com -# ssl_bump deny localhost -# ssl_bump deny broken_sites -# ssl_bump allow all +# acl broken_sites ssl::server_name .example.com +# ssl_bump splice localhost +# ssl_bump splice broken_sites +# ssl_bump bump all #Default: -# none +# Become a TCP tunnel without decrypting proxied traffic. # TAG: sslproxy_flags # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Various flags modifying the use of SSL while proxying https:// URLs: # DONT_VERIFY_PEER Accept certificates that fail verification. @@ -1553,16 +2376,16 @@ http_port 3128 # TAG: sslproxy_cert_error # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Use this ACL to bypass server certificate validation errors. # # For example, the following lines will bypass all validation errors -# when talking to servers located at 172.16.0.0/16. All other +# when talking to servers for example.com. All other # validation errors will result in ERR_SECURE_CONNECT_FAIL error. # -# acl BrokenServersAtTrustedIP dst 172.16.0.0/16 -# sslproxy_cert_error allow BrokenServersAtTrustedIP +# acl BrokenButTrustedServers dstdomain example.com +# sslproxy_cert_error allow BrokenButTrustedServers # sslproxy_cert_error deny all # # This clause only supports fast acl types. @@ -1570,19 +2393,107 @@ http_port 3128 # Using slow acl types may result in server crashes # # Without this option, all server certificate validation errors -# terminate the transaction. Bypassing validation errors is dangerous -# because an error usually implies that the server cannot be trusted and -# the connection may be insecure. +# terminate the transaction to protect Squid and the client. +# +# SQUID_X509_V_ERR_INFINITE_VALIDATION error cannot be bypassed +# but should not happen unless your OpenSSL library is buggy. +# +# SECURITY WARNING: +# Bypassing validation errors is dangerous because an +# error usually implies that the server cannot be trusted +# and the connection may be insecure. # # See also: sslproxy_flags and DONT_VERIFY_PEER. +#Default: +# Server certificate errors terminate the transaction. + +# TAG: sslproxy_cert_sign +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# # -# Default setting: sslproxy_cert_error deny all +# sslproxy_cert_sign acl ... +# +# The following certificate signing algorithms are supported: +# +# signTrusted +# Sign using the configured CA certificate which is usually +# placed in and trusted by end-user browsers. This is the +# default for trusted origin server certificates. +# +# signUntrusted +# Sign to guarantee an X509_V_ERR_CERT_UNTRUSTED browser error. +# This is the default for untrusted origin server certificates +# that are not self-signed (see ssl::certUntrusted). +# +# signSelf +# Sign using a self-signed certificate with the right CN to +# generate a X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT error in the +# browser. This is the default for self-signed origin server +# certificates (see ssl::certSelfSigned). +# +# This clause only supports fast acl types. +# +# When sslproxy_cert_sign acl(s) match, Squid uses the corresponding +# signing algorithm to generate the certificate and ignores all +# subsequent sslproxy_cert_sign options (the first match wins). If no +# acl(s) match, the default signing algorithm is determined by errors +# detected when obtaining and validating the origin server certificate. +# +# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can +# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a +# CONNECT request that carries a domain name. In all other cases (CONNECT +# to an IP address or an intercepted SSL connection), Squid cannot detect +# the domain mismatch at certificate generation time when +# bump-server-first is used. +#Default: +# none + +# TAG: sslproxy_cert_adapt +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# +# sslproxy_cert_adapt acl ... +# +# The following certificate adaptation algorithms are supported: +# +# setValidAfter +# Sets the "Not After" property to the "Not After" property of +# the CA certificate used to sign generated certificates. +# +# setValidBefore +# Sets the "Not Before" property to the "Not Before" property of +# the CA certificate used to sign generated certificates. +# +# setCommonName or setCommonName{CN} +# Sets Subject.CN property to the host name specified as a +# CN parameter or, if no explicit CN parameter was specified, +# extracted from the CONNECT request. It is a misconfiguration +# to use setCommonName without an explicit parameter for +# intercepted or tproxied SSL connections. +# +# This clause only supports fast acl types. +# +# Squid first groups sslproxy_cert_adapt options by adaptation algorithm. +# Within a group, when sslproxy_cert_adapt acl(s) match, Squid uses the +# corresponding adaptation algorithm to generate the certificate and +# ignores all subsequent sslproxy_cert_adapt options in that algorithm's +# group (i.e., the first match wins within each algorithm group). If no +# acl(s) match, the default mimicking action takes place. +# +# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can +# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a +# CONNECT request that carries a domain name. In all other cases (CONNECT +# to an IP address or an intercepted SSL connection), Squid cannot detect +# the domain mismatch at certificate generation time when +# bump-server-first is used. #Default: # none # TAG: sslpassword_program # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Specify a program used for entering SSL key passphrases # when using encrypted SSL certificate keys. If not specified @@ -1595,12 +2506,12 @@ http_port 3128 #Default: # none -#OPTIONS RELATING TO EXTERNAL SSL_CRTD -#----------------------------------------------------------------------------- +# OPTIONS RELATING TO EXTERNAL SSL_CRTD +# ----------------------------------------------------------------------------- # TAG: sslcrtd_program # Note: This option is only available if Squid is rebuilt with the -# -DUSE_SSL_CRTD define +# --enable-ssl-crtd # # Specify the location and options of the executable for ssl_crtd process. # /usr/lib/squid/ssl_crtd program requires -s and -M parameters @@ -1611,14 +2522,90 @@ http_port 3128 # TAG: sslcrtd_children # Note: This option is only available if Squid is rebuilt with the -# -DUSE_SSL_CRTD define +# --enable-ssl-crtd # # The maximum number of processes spawn to service ssl server. # The maximum this may be safely set to is 32. # +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup=N +# +# Sets the minimum number of processes to spawn when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few children temporary slows Squid under load while it +# tries to spawn enough additional processes to cope with traffic. +# +# idle=N +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# # You must have at least one ssl_crtd process. #Default: -# sslcrtd_children 5 +# sslcrtd_children 32 startup=5 idle=1 + +# TAG: sslcrtvalidator_program +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Specify the location and options of the executable for ssl_crt_validator +# process. +# +# Usage: sslcrtvalidator_program [ttl=n] [cache=n] path ... +# +# Options: +# ttl=n TTL in seconds for cached results. The default is 60 secs +# cache=n limit the result cache size. The default value is 2048 +#Default: +# none + +# TAG: sslcrtvalidator_children +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# The maximum number of processes spawn to service SSL server. +# The maximum this may be safely set to is 32. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup=N +# +# Sets the minimum number of processes to spawn when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few children temporary slows Squid under load while it +# tries to spawn enough additional processes to cope with traffic. +# +# idle=N +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# +# The number of requests each certificate validator helper can handle in +# parallel. A value of 0 indicates the certficate validator does not +# support concurrency. Defaults to 1. +# +# When this directive is set to a value >= 1 then the protocol +# used to communicate with the helper is modified to include +# a request ID in front of the request/response. The request +# ID from the request must be echoed back with the response +# to that request. +# +# You must have at least one ssl_crt_validator process. +#Default: +# sslcrtvalidator_children 32 startup=5 idle=1 concurrency=1 # OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM # ----------------------------------------------------------------------------- @@ -1680,22 +2667,23 @@ http_port 3128 # # htcp Send HTCP, instead of ICP, queries to the neighbor. # You probably also want to set the "icp-port" to 4827 -# instead of 3130. +# instead of 3130. This directive accepts a comma separated +# list of options described below. # -# htcp-oldsquid Send HTCP to old Squid versions. +# htcp=oldsquid Send HTCP to old Squid versions (2.5 or earlier). # -# htcp-no-clr Send HTCP to the neighbor but without +# htcp=no-clr Send HTCP to the neighbor but without # sending any CLR requests. This cannot be used with -# htcp-only-clr. +# only-clr. # -# htcp-only-clr Send HTCP to the neighbor but ONLY CLR requests. -# This cannot be used with htcp-no-clr. +# htcp=only-clr Send HTCP to the neighbor but ONLY CLR requests. +# This cannot be used with no-clr. # -# htcp-no-purge-clr +# htcp=no-purge-clr # Send HTCP to the neighbor including CLRs but only when # they do not result from PURGE requests. # -# htcp-forward-clr +# htcp=forward-clr # Forward any HTCP CLR requests this proxy receives to the peer. # # @@ -1768,6 +2756,14 @@ http_port 3128 # than the Squid default location. # # +# ==== CARP OPTIONS ==== +# +# carp-key=key-specification +# use a different key than the full URL to hash against the peer. +# the key-specification is a comma-separated list of the keywords +# scheme, host, port, path, params +# Order is not important. +# # ==== ACCELERATOR / REVERSE-PROXY OPTIONS ==== # # originserver Causes this parent to be contacted as an origin server. @@ -1795,20 +2791,23 @@ http_port 3128 # Note: The string can include URL escapes (i.e. %20 for # spaces). This also means % must be written as %%. # -# login=PROXYPASS +# login=PASSTHRU # Send login details received from client to this peer. -# Authentication is not required, nor changed. +# Both Proxy- and WWW-Authorization headers are passed +# without alteration to the peer. +# Authentication is not required by Squid for this to work. # # Note: This will pass any form of authentication but # only Basic auth will work through a proxy unless the # connection-auth options are also used. -# +# # login=PASS Send login details received from client to this peer. # Authentication is not required by this option. +# # If there are no client-provided authentication headers # to pass on, but username and password are available -# from either proxy login or an external ACL user= and -# password= result tags they may be sent instead. +# from an external ACL user= and password= result tags +# they may be sent instead. # # Note: To combine this with proxy_auth both proxies must # share the same user database as HTTP only allows for @@ -1826,6 +2825,27 @@ http_port 3128 # be used to identify this proxy to the peer, similar to # the login=username:password option above. # +# login=NEGOTIATE +# If this is a personal/workgroup proxy and your parent +# requires a secure proxy authentication. +# The first principal from the default keytab or defined by +# the environment variable KRB5_KTNAME will be used. +# +# WARNING: The connection may transmit requests from multiple +# clients. Negotiate often assumes end-to-end authentication +# and a single-client. Which is not strictly true here. +# +# login=NEGOTIATE:principal_name +# If this is a personal/workgroup proxy and your parent +# requires a secure proxy authentication. +# The principal principal_name from the default keytab or +# defined by the environment variable KRB5_KTNAME will be +# used. +# +# WARNING: The connection may transmit requests from multiple +# clients. Negotiate often assumes end-to-end authentication +# and a single-client. Which is not strictly true here. +# # connection-auth=on|off # Tell Squid that this peer does or not support Microsoft # connection oriented authentication, and any such @@ -1848,22 +2868,42 @@ http_port 3128 # reference a combined file containing both the # certificate and the key. # -# sslversion=1|2|3|4 +# sslversion=1|2|3|4|5|6 # The SSL version to use when connecting to this peer # 1 = automatic (default) # 2 = SSL v2 only # 3 = SSL v3 only -# 4 = TLS v1 only +# 4 = TLS v1.0 only +# 5 = TLS v1.1 only +# 6 = TLS v1.2 only # # sslcipher=... The list of valid SSL ciphers to use when connecting # to this peer. # -# ssloptions=... Specify various SSL engine options: -# NO_SSLv2 Disallow the use of SSLv2 -# NO_SSLv3 Disallow the use of SSLv3 -# NO_TLSv1 Disallow the use of TLSv1 -# See src/ssl_support.c or the OpenSSL documentation for -# a more complete list. +# ssloptions=... Specify various SSL implementation options: +# +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# +# SINGLE_DH_USE +# Always create a new key when using +# temporary/ephemeral DH key exchanges +# +# NO_TICKET +# Disable use of RFC5077 session tickets. Some servers +# may have problems understanding the TLS extension due +# to ambiguous specification in RFC4507. +# +# ALL Enable various bug workarounds +# suggested as "harmless" by OpenSSL +# Be warned that this reduces SSL/TLS +# strength to some attacks. +# +# See the OpenSSL SSL_CTX_set_options documentation for a +# more complete list. # # sslcafile=... A file containing additional CA certificates to use # when verifying the peer certificate. @@ -1907,29 +2947,74 @@ http_port 3128 # # connect-fail-limit=N # How many times connecting to a peer must fail before -# it is marked as down. Default is 10. +# it is marked as down. Standby connection failures +# count towards this limit. Default is 10. # # allow-miss Disable Squid's use of only-if-cached when forwarding # requests to siblings. This is primarily useful when -# icp_hit_stale is used by the sibling. To extensive use -# of this option may result in forwarding loops, and you -# should avoid having two-way peerings with this option. -# For example to deny peer usage on requests from peer -# by denying cache_peer_access if the source is a peer. +# icp_hit_stale is used by the sibling. Excessive use +# of this option may result in forwarding loops. One way +# to prevent peering loops when using this option, is to +# deny cache peer usage on requests from a peer: +# acl fromPeer ... +# cache_peer_access peerName deny fromPeer +# +# max-conn=N Limit the number of concurrent connections the Squid +# may open to this peer, including already opened idle +# and standby connections. There is no peer-specific +# connection limit by default. # -# max-conn=N Limit the amount of connections Squid may open to this -# peer. see also +# A peer exceeding the limit is not used for new +# requests unless a standby connection is available. +# +# max-conn currently works poorly with idle persistent +# connections: When a peer reaches its max-conn limit, +# and there are idle persistent connections to the peer, +# the peer may not be selected because the limiting code +# does not know whether Squid can reuse those idle +# connections. +# +# standby=N Maintain a pool of N "hot standby" connections to an +# UP peer, available for requests when no idle +# persistent connection is available (or safe) to use. +# By default and with zero N, no such pool is maintained. +# N must not exceed the max-conn limit (if any). +# +# At start or after reconfiguration, Squid opens new TCP +# standby connections until there are N connections +# available and then replenishes the standby pool as +# opened connections are used up for requests. A used +# connection never goes back to the standby pool, but +# may go to the regular idle persistent connection pool +# shared by all peers and origin servers. +# +# Squid never opens multiple new standby connections +# concurrently. This one-at-a-time approach minimizes +# flooding-like effect on peers. Furthermore, just a few +# standby connections should be sufficient in most cases +# to supply most new requests with a ready-to-use +# connection. +# +# Standby connections obey server_idle_pconn_timeout. +# For the feature to work as intended, the peer must be +# configured to accept and keep them open longer than +# the idle timeout at the connecting Squid, to minimize +# race conditions typical to idle used persistent +# connections. Default request_timeout and +# server_idle_pconn_timeout values ensure such a +# configuration. # # name=xxx Unique name for the peer. # Required if you have multiple peers on the same host # but different ports. # This name can be used in cache_peer_access and similar -# directives to dentify the peer. +# directives to identify the peer. # Can be used by outgoing access controls through the # peername ACL type. # # no-tproxy Do not use the client-spoof TPROXY support when forwarding # requests to this peer. Use normal address selection instead. +# This overrides the spoof_client_ip ACL. # # proxy-only objects fetched from the peer will not be stored locally. # @@ -1938,10 +3023,11 @@ http_port 3128 # TAG: cache_peer_domain # Use to limit the domains for which a neighbor cache will be -# queried. Usage: +# queried. # -# cache_peer_domain cache-host domain [domain ...] -# cache_peer_domain cache-host !domain +# Usage: +# cache_peer_domain cache-host domain [domain ...] +# cache_peer_domain cache-host !domain # # For example, specifying # @@ -1966,33 +3052,57 @@ http_port 3128 # none # TAG: cache_peer_access -# Similar to 'cache_peer_domain' but provides more flexibility by -# using ACL elements. +# Restricts usage of cache_peer proxies. # -# cache_peer_access cache-host allow|deny [!]aclname ... +# Usage: +# cache_peer_access peer-name allow|deny [!]aclname ... +# +# For the required peer-name parameter, use either the value of the +# cache_peer name=value parameter or, if name=value is missing, the +# cache_peer hostname parameter. +# +# This directive narrows down the selection of peering candidates, but +# does not determine the order in which the selected candidates are +# contacted. That order is determined by the peer selection algorithms +# (see PEER SELECTION sections in the cache_peer documentation). +# +# If a deny rule matches, the corresponding peer will not be contacted +# for the current transaction -- Squid will not send ICP queries and +# will not forward HTTP requests to that peer. An allow match leaves +# the corresponding peer in the selection. The first match for a given +# peer wins for that peer. +# +# The relative order of cache_peer_access directives for the same peer +# matters. The relative order of any two cache_peer_access directives +# for different peers does not matter. To ease interpretation, it is a +# good idea to group cache_peer_access directives for the same peer +# together. +# +# A single cache_peer_access directive may be evaluated multiple times +# for a given transaction because individual peer selection algorithms +# may check it independently from each other. These redundant checks +# may be optimized away in future Squid versions. # -# The syntax is identical to 'http_access' and the other lists of -# ACL elements. See the comments for 'http_access' below, or -# the Squid FAQ (http://wiki.squid-cache.org/SquidFaq/SquidAcl). +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# No peer usage restrictions. # TAG: neighbor_type_domain -# usage: neighbor_type_domain neighbor parent|sibling domain domain ... +# Modify the cache_peer neighbor type when passing requests +# about specific domains to the peer. # -# Modifying the neighbor type for specific domains is now -# possible. You can treat some domains differently than the the -# default neighbor type specified on the 'cache_peer' line. -# Normally it should only be necessary to list domains which -# should be treated differently because the default neighbor type -# applies for hostnames which do not match domains listed here. +# Usage: +# neighbor_type_domain neighbor parent|sibling domain domain ... # -#EXAMPLE: -# cache_peer cache.foo.org parent 3128 3130 -# neighbor_type_domain cache.foo.org sibling .com .net -# neighbor_type_domain cache.foo.org sibling .au .de +# For example: +# cache_peer foo.example.com parent 3128 3130 +# neighbor_type_domain foo.example.com sibling .au .de +# +# The above configuration treats all requests to foo.example.com as a +# parent proxy unless the request is for a .au or .de ccTLD domain name. #Default: -# none +# The peer type from cache_peer directive is used for all requests to that peer. # TAG: dead_peer_timeout (seconds) # This controls how long Squid waits to declare a peer cache @@ -2015,21 +3125,11 @@ http_port 3128 # TAG: forward_max_tries # Controls how many different forward paths Squid will try # before giving up. See also forward_timeout. +# +# NOTE: connect_retries (default: none) can make each of these +# possible forwarding paths be tried multiple times. #Default: -# forward_max_tries 10 - -# TAG: hierarchy_stoplist -# A list of words which, if found in a URL, cause the object to -# be handled directly by this cache. In other words, use this -# to not query neighbor caches for certain objects. You may -# list this option multiple times. -# -# Example: -# hierarchy_stoplist cgi-bin ? -# -# Note: never_direct overrides this option. -#Default: -# none +# forward_max_tries 25 # MEMORY CACHE OPTIONS # ----------------------------------------------------------------------------- @@ -2064,6 +3164,11 @@ http_port 3128 # decreases, blocks will be freed until the high-water mark is # reached. Thereafter, blocks will be used to store hot # objects. +# +# If shared memory caching is enabled, Squid does not use the shared +# cache space for in-transit objects, but they still consume as much +# local memory as they need. For more details about the shared memory +# cache, see memory_cache_shared. #Default: # cache_mem 256 MB @@ -2075,11 +3180,45 @@ http_port 3128 #Default: # maximum_object_size_in_memory 512 KB +# TAG: memory_cache_shared on|off +# Controls whether the memory cache is shared among SMP workers. +# +# The shared memory cache is meant to occupy cache_mem bytes and replace +# the non-shared memory cache, although some entities may still be +# cached locally by workers for now (e.g., internal and in-transit +# objects may be served from a local memory cache even if shared memory +# caching is enabled). +# +# By default, the memory cache is shared if and only if all of the +# following conditions are satisfied: Squid runs in SMP mode with +# multiple workers, cache_mem is positive, and Squid environment +# supports required IPC primitives (e.g., POSIX shared memory segments +# and GCC-style atomic operations). +# +# To avoid blocking locks, shared memory uses opportunistic algorithms +# that do not guarantee that every cachable entity that could have been +# shared among SMP workers will actually be shared. +#Default: +# "on" where supported if doing memory caching with multiple SMP workers. + +# TAG: memory_cache_mode +# Controls which objects to keep in the memory cache (cache_mem) +# +# always Keep most recently fetched objects in memory (default) +# +# disk Only disk cache hits are kept in memory, which means +# an object must first be cached on disk and then hit +# a second time before cached in memory. +# +# network Only objects fetched from network is kept in memory +#Default: +# Keep the most recently fetched objects in memory + # TAG: memory_replacement_policy # The memory replacement policy parameter determines which # objects are purged from memory when memory space is needed. # -# See cache_replacement_policy for details. +# See cache_replacement_policy for details on algorithms. #Default: # memory_replacement_policy lru @@ -2095,7 +3234,7 @@ http_port 3128 # heap LFUDA: Least Frequently Used with Dynamic Aging # heap LRU : LRU policy implemented using a heap # -# Applies to any cache_dir lines listed below this. +# Applies to any cache_dir lines listed below this directive. # # The LRU policies keeps recently referenced objects. # @@ -2114,7 +3253,7 @@ http_port 3128 # replacement policies. # # NOTE: if using the LFUDA replacement policy you should increase -# the value of maximum_object_size above its default of 4096 KB to +# the value of maximum_object_size above its default of 4 MB to # to maximize the potential byte hit rate improvement of LFUDA. # # For more information about the GDSF and LFUDA cache replacement @@ -2123,10 +3262,34 @@ http_port 3128 #Default: # cache_replacement_policy lru +# TAG: minimum_object_size (bytes) +# Objects smaller than this size will NOT be saved on disk. The +# value is specified in bytes, and the default is 0 KB, which +# means all responses can be stored. +#Default: +# no limit + +# TAG: maximum_object_size (bytes) +# Set the default value for max-size parameter on any cache_dir. +# The value is specified in bytes, and the default is 4 MB. +# +# If you wish to get a high BYTES hit ratio, you should probably +# increase this (one 32 MB object hit counts for 3200 10KB +# hits). +# +# If you wish to increase hit ratio more than you want to +# save bandwidth you should leave this low. +# +# NOTE: if using the LFUDA replacement policy you should increase +# this value to maximize the byte hit rate improvement of LFUDA! +# See cache_replacement_policy for a discussion of this policy. +#Default: +# maximum_object_size 4 MB +maximum_object_size 153600 KB + # TAG: cache_dir -# Usage: -# -# cache_dir Type Directory-Name Fs-specific-data [options] +# Format: +# cache_dir Type Directory-Name Fs-specific-data [options] # # You can specify multiple cache_dir lines to spread the # cache among different disk partitions. @@ -2141,12 +3304,18 @@ http_port 3128 # The directory must exist and be writable by the Squid # process. Squid will NOT create this directory for you. # -# The ufs store type: +# In SMP configurations, cache_dir must not precede the workers option +# and should use configuration macros or conditionals to give each +# worker interested in disk caching a dedicated cache directory. +# +# +# ==== The ufs store type ==== # # "ufs" is the old well-known Squid storage format that has always # been there. # -# cache_dir ufs Directory-Name Mbytes L1 L2 [options] +# Usage: +# cache_dir ufs Directory-Name Mbytes L1 L2 [options] # # 'Mbytes' is the amount of disk space (MB) to use under this # directory. The default is 100 MB. Change this to suit your @@ -2161,23 +3330,27 @@ http_port 3128 # will be created under each first-level directory. The default # is 256. # -# The aufs store type: +# +# ==== The aufs store type ==== # # "aufs" uses the same storage format as "ufs", utilizing # POSIX-threads to avoid blocking the main Squid process on # disk-I/O. This was formerly known in Squid as async-io. # -# cache_dir aufs Directory-Name Mbytes L1 L2 [options] +# Usage: +# cache_dir aufs Directory-Name Mbytes L1 L2 [options] # # see argument descriptions under ufs above # -# The diskd store type: +# +# ==== The diskd store type ==== # # "diskd" uses the same storage format as "ufs", utilizing a # separate process to avoid blocking the main Squid process on # disk-I/O. # -# cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n] +# Usage: +# cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n] # # see argument descriptions under ufs above # @@ -2185,55 +3358,149 @@ http_port 3128 # stops opening new files. If this many messages are in the queues, # Squid won't open new files. Default is 64 # -# Q2 specifies the number of unacknowledged messages when Squid -# starts blocking. If this many messages are in the queues, -# Squid blocks until it receives some replies. Default is 72 +# Q2 specifies the number of unacknowledged messages when Squid +# starts blocking. If this many messages are in the queues, +# Squid blocks until it receives some replies. Default is 72 +# +# When Q1 < Q2 (the default), the cache directory is optimized +# for lower response time at the expense of a decrease in hit +# ratio. If Q1 > Q2, the cache directory is optimized for +# higher hit ratio at the expense of an increase in response +# time. +# +# +# ==== The rock store type ==== +# +# Usage: +# cache_dir rock Directory-Name Mbytes [options] +# +# The Rock Store type is a database-style storage. All cached +# entries are stored in a "database" file, using fixed-size slots. +# A single entry occupies one or more slots. +# +# If possible, Squid using Rock Store creates a dedicated kid +# process called "disker" to avoid blocking Squid worker(s) on disk +# I/O. One disker kid is created for each rock cache_dir. Diskers +# are created only when Squid, running in daemon mode, has support +# for the IpcIo disk I/O module. +# +# swap-timeout=msec: Squid will not start writing a miss to or +# reading a hit from disk if it estimates that the swap operation +# will take more than the specified number of milliseconds. By +# default and when set to zero, disables the disk I/O time limit +# enforcement. Ignored when using blocking I/O module because +# blocking synchronous I/O does not allow Squid to estimate the +# expected swap wait time. +# +# max-swap-rate=swaps/sec: Artificially limits disk access using +# the specified I/O rate limit. Swap out requests that +# would cause the average I/O rate to exceed the limit are +# delayed. Individual swap in requests (i.e., hits or reads) are +# not delayed, but they do contribute to measured swap rate and +# since they are placed in the same FIFO queue as swap out +# requests, they may wait longer if max-swap-rate is smaller. +# This is necessary on file systems that buffer "too +# many" writes and then start blocking Squid and other processes +# while committing those writes to disk. Usually used together +# with swap-timeout to avoid excessive delays and queue overflows +# when disk demand exceeds available disk "bandwidth". By default +# and when set to zero, disables the disk I/O rate limit +# enforcement. Currently supported by IpcIo module only. +# +# slot-size=bytes: The size of a database "record" used for +# storing cached responses. A cached response occupies at least +# one slot and all database I/O is done using individual slots so +# increasing this parameter leads to more disk space waste while +# decreasing it leads to more disk I/O overheads. Should be a +# multiple of your operating system I/O page size. Defaults to +# 16KBytes. A housekeeping header is stored with each slot and +# smaller slot-sizes will be rejected. The header is smaller than +# 100 bytes. +# +# +# ==== COMMON OPTIONS ==== +# +# no-store no new objects should be stored to this cache_dir. +# +# min-size=n the minimum object size in bytes this cache_dir +# will accept. It's used to restrict a cache_dir +# to only store large objects (e.g. AUFS) while +# other stores are optimized for smaller objects +# (e.g. Rock). +# Defaults to 0. +# +# max-size=n the maximum object size in bytes this cache_dir +# supports. +# The value in maximum_object_size directive sets +# the default unless more specific details are +# available (ie a small store capacity). +# +# Note: To make optimal use of the max-size limits you should order +# the cache_dir lines with the smallest max-size value first. +# +#Default: +# No disk cache. Store cache ojects only in memory. +# + +# Uncomment and adjust the following to add a disk cache directory. +#cache_dir ufs /var/spool/squid 100 16 256 +cache_dir ufs /var/spool/squid 4096 16 1024 + +# TAG: store_dir_select_algorithm +# How Squid selects which cache_dir to use when the response +# object will fit into more than one. +# +# Regardless of which algorithm is used the cache_dir min-size +# and max-size parameters are obeyed. As such they can affect +# the selection algorithm by limiting the set of considered +# cache_dir. +# +# Algorithms: +# +# least-load +# +# This algorithm is suited to caches with similar cache_dir +# sizes and disk speeds. # -# When Q1 < Q2 (the default), the cache directory is optimized -# for lower response time at the expense of a decrease in hit -# ratio. If Q1 > Q2, the cache directory is optimized for -# higher hit ratio at the expense of an increase in response -# time. +# The disk with the least I/O pending is selected. +# When there are multiple disks with the same I/O load ranking +# the cache_dir with most available capacity is selected. # -# The coss store type: +# When a mix of cache_dir sizes are configured the faster disks +# have a naturally lower I/O loading and larger disks have more +# capacity. So space used to store objects and data throughput +# may be very unbalanced towards larger disks. # -# NP: COSS filesystem in Squid-3 has been deemed too unstable for -# production use and has thus been removed from this release. -# We hope that it can be made usable again soon. # -# block-size=n defines the "block size" for COSS cache_dir's. -# Squid uses file numbers as block numbers. Since file numbers -# are limited to 24 bits, the block size determines the maximum -# size of the COSS partition. The default is 512 bytes, which -# leads to a maximum cache_dir size of 512<<24, or 8 GB. Note -# you should not change the coss block size after Squid -# has written some objects to the cache_dir. +# round-robin # -# The coss file store has changed from 2.5. Now it uses a file -# called 'stripe' in the directory names in the config - and -# this will be created by squid -z. +# This algorithm is suited to caches with unequal cache_dir +# disk sizes. # -# Common options: +# Each cache_dir is selected in a rotation. The next suitable +# cache_dir is used. # -# no-store, no new objects should be stored to this cache_dir +# Available cache_dir capacity is only considered in relation +# to whether the object will fit and meets the min-size and +# max-size parameters. # -# max-size=n, refers to the max object size in bytes this cache_dir -# supports. It is used to select the cache_dir to store the object. -# Note: To make optimal use of the max-size limits you should order -# the cache_dir lines with the smallest max-size value first and the -# ones with no max-size specification last. +# Disk I/O loading is only considered to prevent overload on slow +# disks. This algorithm does not spread objects by size, so any +# I/O loading per-disk may appear very unbalanced and volatile. # -# Note for coss, max-size must be less than COSS_MEMBUF_SZ, -# which can be changed with the --with-coss-membuf-size=N configure -# option. +# If several cache_dirs use similar min-size, max-size, or other +# limits to to reject certain responses, then do not group such +# cache_dir lines together, to avoid round-robin selection bias +# towards the first cache_dir after the group. Instead, interleave +# cache_dir lines from different groups. For example: # - -# Uncomment and adjust the following to add a disk cache directory. -#cache_dir ufs /var/spool/squid 100 16 256 -cache_dir ufs /var/spool/squid 4096 16 1024 - -# TAG: store_dir_select_algorithm -# Set this to 'round-robin' as an alternative. +# store_dir_select_algorithm round-robin +# cache_dir rock /hdd1 ... min-size=100000 +# cache_dir rock /ssd1 ... max-size=99999 +# cache_dir rock /hdd2 ... min-size=100000 +# cache_dir rock /ssd2 ... max-size=99999 +# cache_dir rock /hdd3 ... min-size=100000 +# cache_dir rock /ssd3 ... max-size=99999 #Default: # store_dir_select_algorithm least-load @@ -2244,46 +3511,53 @@ cache_dir ufs /var/spool/squid 4096 16 1024 # # A value of 0 indicates no limit. #Default: -# max_open_disk_fds 0 - -# TAG: minimum_object_size (bytes) -# Objects smaller than this size will NOT be saved on disk. The -# value is specified in kilobytes, and the default is 0 KB, which -# means there is no minimum. -#Default: -# minimum_object_size 0 KB - -# TAG: maximum_object_size (bytes) -# Objects larger than this size will NOT be saved on disk. The -# value is specified in kilobytes, and the default is 4MB. If -# you wish to get a high BYTES hit ratio, you should probably -# increase this (one 32 MB object hit counts for 3200 10KB -# hits). If you wish to increase speed more than your want to -# save bandwidth you should leave this low. -# -# NOTE: if using the LFUDA replacement policy you should increase -# this value to maximize the byte hit rate improvement of LFUDA! -# See replacement_policy below for a discussion of this policy. -#Default: -# maximum_object_size 4096 KB -maximum_object_size 153600 KB +# no limit # TAG: cache_swap_low (percent, 0-100) +# The low-water mark for AUFS/UFS/diskd cache object eviction by +# the cache_replacement_policy algorithm. +# +# Removal begins when the swap (disk) usage of a cache_dir is +# above this low-water mark and attempts to maintain utilization +# near the low-water mark. +# +# As swap utilization increases towards the high-water mark set +# by cache_swap_high object eviction becomes more agressive. +# +# The value difference in percentages between low- and high-water +# marks represent an eviction rate of 300 objects per second and +# the rate continues to scale in agressiveness by multiples of +# this above the high-water mark. +# +# Defaults are 90% and 95%. If you have a large cache, 5% could be +# hundreds of MB. If this is the case you may wish to set these +# numbers closer together. +# +# See also cache_swap_high and cache_replacement_policy #Default: # cache_swap_low 90 # TAG: cache_swap_high (percent, 0-100) +# The high-water mark for AUFS/UFS/diskd cache object eviction by +# the cache_replacement_policy algorithm. # -# The low- and high-water marks for cache object replacement. -# Replacement begins when the swap (disk) usage is above the -# low-water mark and attempts to maintain utilization near the -# low-water mark. As swap utilization gets close to high-water -# mark object eviction becomes more aggressive. If utilization is -# close to the low-water mark less replacement is done each time. +# Removal begins when the swap (disk) usage of a cache_dir is +# above the low-water mark set by cache_swap_low and attempts to +# maintain utilization near the low-water mark. +# +# As swap utilization increases towards this high-water mark object +# eviction becomes more agressive. +# +# The value difference in percentages between low- and high-water +# marks represent an eviction rate of 300 objects per second and +# the rate continues to scale in agressiveness by multiples of +# this above the high-water mark. # # Defaults are 90% and 95%. If you have a large cache, 5% could be # hundreds of MB. If this is the case you may wish to set these # numbers closer together. +# +# See also cache_swap_low and cache_replacement_policy #Default: # cache_swap_high 95 @@ -2313,21 +3587,62 @@ maximum_object_size 153600 KB # ' output as-is # # - left aligned -# width field width. If starting with 0 the -# output is zero padded +# +# width minimum and/or maximum field width: +# [width_min][.width_max] +# When minimum starts with 0, the field is zero-padded. +# String values exceeding maximum width are truncated. +# # {arg} argument such as header name etc # # Format codes: # # % a literal % character +# sn Unique sequence number per log line entry +# err_code The ID of an error response served by Squid or +# a similar internal error identifier. +# err_detail Additional err_code-dependent error information. +# note The annotation specified by the argument. Also +# logs the adaptation meta headers set by the +# adaptation_meta configuration parameter. +# If no argument given all annotations logged. +# The argument may include a separator to use with +# annotation values: +# name[:separator] +# By default, multiple note values are separated with "," +# and multiple notes are separated with "\r\n". +# When logging named notes with %{name}note, the +# explicitly configured separator is used between note +# values. When logging all notes with %note, the +# explicitly configured separator is used between +# individual notes. There is currently no way to +# specify both value and notes separators when logging +# all notes with %note. +# +# Connection related format codes: +# # >a Client source IP address # >A Client FQDN # >p Client source port -# eui Client source EUI (MAC address, EUI-48 or EUI-64 identifier) +# >la Local IP address the client connected to +# >lp Local port number the client connected to +# >qos Client connection TOS/DSCP value set by Squid +# >nfmark Client connection netfilter mark set by Squid +# +# la Local listening IP address the client connection was connected to. +# lp Local listening port number the client connection was connected to. +# +# . format. +# Currently, Squid considers the master transaction +# started when a complete HTTP request header initiating +# the transaction is received from the client. This is +# the same value that Squid uses to calculate transaction +# response time when logging %tr to access.log. Currently, +# Squid uses millisecond resolution for %tS values, +# similar to the default access.log "current time" field +# (%ts.%03tu). +# +# Access Control related format codes: +# +# et Tag returned by external acl +# ea Log string returned by external acl +# un User name (any available) +# ul User name from authentication +# ue User name from external acl helper +# ui User name from ident +# un A user name. Expands to the first available name +# from the following list of information sources: +# - authenticated user name, like %ul +# - user name supplied by an external ACL, like %ue +# - SSL client name, like %us +# - ident user name, like %ui +# credentials Client credentials. The exact meaning depends on +# the authentication scheme: For Basic authentication, +# it is the password; for Digest, the realm sent by the +# client; for NTLM and Negotiate, the client challenge +# or client credentials prefixed with "YR " or "KK ". +# +# HTTP related format codes: +# +# REQUEST # -# HTTP cache related format codes: -# -# [http::]>h Original request header. Optional header name argument -# on the format header[:[separator]element] -# [http::]>ha The HTTP request headers after adaptation and redirection. +# [http::]rm Request method (GET/POST etc) +# [http::]>rm Request method from client +# [http::]ru Request URL from client +# [http::]rs Request URL scheme from client +# [http::]rd Request URL domain from client +# [http::]rP Request URL port from client +# [http::]rp Request URL path excluding hostname from client +# [http::]rv Request protocol version from client +# [http::]h Original received request header. +# Usually differs from the request header sent by +# Squid, although most fields are often preserved. +# Accepts optional header field name/value filter +# argument using name[:[separator]element] format. +# [http::]>ha Received request header after adaptation and +# redirection (pre-cache REQMOD vectoring point). +# Usually differs from the request header sent by +# Squid, although most fields are often preserved. # Optional header name argument as for >h +# +# +# RESPONSE +# +# [http::]Hs HTTP status code sent to the client +# # [http::]h -# [http::]un User name -# [http::]ul User name from authentication -# [http::]ui User name from ident -# [http::]us User name from SSL -# [http::]ue User name from external acl helper -# [http::]>Hs HTTP status code sent to the client -# [http::]st Received request size including HTTP headers. In the -# case of chunked requests the chunked encoding metadata -# are not included -# [http::]>sh Received HTTP request headers size -# [http::]st Total size of request received from client. +# Excluding chunked encoding bytes. +# [http::]sh Size of request headers received from client +# [http::]sni SSL client SNI sent to Squid. Available only +# after the peek, stare, or splice SSL bumping +# actions. +# +# If ICAP is enabled, the following code becomes available (as # well as ICAP log codes documented with the icap_log option): # # icap::tt Total ICAP processing time for the HTTP @@ -2386,14 +3793,13 @@ maximum_object_size 153600 KB # ACLs are checked and when ICAP # transaction is in progress. # -# icap::cert_subject The Subject field of the received client +# SSL certificate or a dash ('-') if Squid has +# received an invalid/malformed certificate or +# no certificate at all. Consider encoding the +# logged value because Subject often has spaces. +# +# %ssl::>cert_issuer The Issuer field of the received client +# SSL certificate or a dash ('-') if Squid has +# received an invalid/malformed certificate or +# no certificate at all. Consider encoding the +# logged value because Issuer often has spaces. +# # The default formats available (which do not need re-defining) are: # -#logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %a %Ss/%03>Hs %h] [%a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh +#logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh +#logformat referrer %ts.%03tu %>a %{Referer}>h %ru +#logformat useragent %>a [%tl] "%{User-Agent}>h" +# +# NOTE: When the log_mime_hdrs directive is set to ON. +# The squid, common and combined formats have a safely encoded copy +# of the mime headers appended to each line within a pair of brackets. +# +# NOTE: The common and combined formats are not quite true to the Apache definition. +# The logs from Squid contain an extra status and hierarchy code appended. +# #Default: -# none +# The format definitions squid, common, combined, referrer, useragent are built in. # TAG: access_log -# These files log client request activities. Has a line every HTTP or -# ICP request. The format is: -# access_log [ [acl acl ...]] -# access_log none [acl acl ...]] +# Configures whether and how Squid logs HTTP and ICP transactions. +# If access logging is enabled, a single line is logged for every +# matching HTTP or ICP request. The recommended directive formats are: # -# Will log to the specified file using the specified format (which -# must be defined in a logformat directive) those entries which match -# ALL the acl's specified (which must be defined in acl clauses). +# access_log : [option ...] [acl acl ...] +# access_log none [acl acl ...] # -# If no acl is specified, all requests will be logged to this file. +# The following directive format is accepted but may be deprecated: +# access_log : [ [acl acl ...]] # -# To disable logging of a request use the filepath "none", in which case -# a logformat name should not be specified. +# In most cases, the first ACL name must not contain the '=' character +# and should not be equal to an existing logformat name. You can always +# start with an 'all' ACL to work around those restrictions. +# +# Will log to the specified module:place using the specified format (which +# must be defined in a logformat directive) those entries which match +# ALL the acl's specified (which must be defined in acl clauses). +# If no acl is specified, all requests will be logged to this destination. +# +# ===== Available options for the recommended directive format ===== +# +# logformat=name Names log line format (either built-in or +# defined by a logformat directive). Defaults +# to 'squid'. +# +# buffer-size=64KB Defines approximate buffering limit for log +# records (see buffered_logs). Squid should not +# keep more than the specified size and, hence, +# should flush records before the buffer becomes +# full to avoid overflows under normal +# conditions (the exact flushing algorithm is +# module-dependent though). The on-error option +# controls overflow handling. +# +# on-error=die|drop Defines action on unrecoverable errors. The +# 'drop' action ignores (i.e., does not log) +# affected log records. The default 'die' action +# kills the affected worker. The drop action +# support has not been tested for modules other +# than tcp. +# +# ===== Modules Currently available ===== +# +# none Do not log any requests matching these ACL. +# Do not specify Place or logformat name. +# +# stdio Write each log line to disk immediately at the completion of +# each request. +# Place: the filename and path to be written. +# +# daemon Very similar to stdio. But instead of writing to disk the log +# line is passed to a daemon helper for asychronous handling instead. +# Place: varies depending on the daemon. +# +# log_file_daemon Place: the file name and path to be written. +# +# syslog To log each request via syslog facility. +# Place: The syslog facility and priority level for these entries. +# Place Format: facility.priority # -# To log the request via syslog specify a filepath of "syslog": +# where facility could be any of: +# authpriv, daemon, local0 ... local7 or user. # -# access_log syslog[:facility.priority] [format [acl1 [acl2 ....]]] -# where facility could be any of: -# authpriv, daemon, local0 .. local7 or user. +# And priority could be any of: +# err, warning, notice, info, debug. +# +# udp To send each log line as text data to a UDP receiver. +# Place: The destination host name or IP and port. +# Place Format: //host:port # -# And priority could be any of: -# err, warning, notice, info, debug. +# tcp To send each log line as text data to a TCP receiver. +# Lines may be accumulated before sending (see buffered_logs). +# Place: The destination host name or IP and port. +# Place Format: //host:port # # Default: -# access_log /var/log/squid/access.log squid +# access_log daemon:/var/log/squid/access.log squid #Default: -# access_log /var/log/squid/access.log squid +# access_log daemon:/var/log/squid/access.log squid # TAG: icap_log # ICAP log files record ICAP transaction summaries, one line per @@ -2472,13 +3953,35 @@ maximum_object_size 153600 KB # ICAP transaction log lines will correspond to a single access # log line. # -# ICAP log uses logformat codes that make sense for an ICAP -# transaction. Header-related codes are applied to the HTTP header -# embedded in an ICAP server response, with the following caveats: -# For REQMOD, there is no HTTP response header unless the ICAP -# server performed request satisfaction. For RESPMOD, the HTTP -# request header is the header sent to the ICAP server. For -# OPTIONS, there are no HTTP headers. +# ICAP log supports many access.log logformat %codes. In ICAP context, +# HTTP message-related %codes are applied to the HTTP message embedded +# in an ICAP message. Logformat "%http::>..." codes are used for HTTP +# messages embedded in ICAP requests while "%http::<..." codes are used +# for HTTP messages embedded in ICAP responses. For example: +# +# http::>h To-be-adapted HTTP message headers sent by Squid to +# the ICAP service. For REQMOD transactions, these are +# HTTP request headers. For RESPMOD, these are HTTP +# response headers, but Squid currently cannot log them +# (i.e., %http::>h will expand to "-" for RESPMOD). +# +# http::st Bytes sent to the ICAP server (TCP payload -# only; i.e., what Squid writes to the socket). +# icap::>st The total size of the ICAP request sent to the ICAP +# server (ICAP headers + ICAP body), including chunking +# metadata (if any). # -# icap::a %icap::to/%03icap::Hs %icap::A %icap::to/%03icap::Hs %icap::\n - logfile data +# R\n - rotate file +# T\n - truncate file +# O\n - reopen file +# F\n - flush file +# r\n - set rotate count to +# b\n - 1 = buffer output, 0 = don't buffer output +# +# No responses is expected. #Default: -# none +# logfile_daemon /usr/lib/squid/log_file_daemon -# TAG: log_icap -# This options allows you to control which requests get logged -# to icap.log. See the icap_log directive for ICAP log details. +# TAG: stats_collection allow|deny acl acl... +# This options allows you to control which requests gets accounted +# in performance counters. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow logging for all transactions. # TAG: cache_store_log # Logs the activities of the storage manager. Shows which # objects are ejected from the cache, and which objects are -# saved and for how long. To disable, enter "none" or remove the line. +# saved and for how long. # There are not really utilities to analyze this data, so you can safely -# disable it. -# +# disable it (the default). +# +# Store log uses modular logging outputs. See access_log for the list +# of modules supported. +# # Example: -# cache_store_log /var/log/squid/store.log +# cache_store_log stdio:/var/log/squid/store.log +# cache_store_log daemon:/var/log/squid/store.log #Default: # none @@ -2590,7 +4111,7 @@ maximum_object_size 153600 KB # them). We recommend you do NOT use this option. It is # better to keep these index files in each 'cache_dir' directory. #Default: -# none +# Store the journal inside its cache_dir # TAG: logfile_rotate # Specifies the number of logfile rotations to make when you @@ -2607,34 +4128,19 @@ maximum_object_size 153600 KB # in the habit of using 'squid -k rotate' instead of 'kill -USR1 # '. # -# Note, from Squid-3.1 this option has no effect on the cache.log, -# that log can be rotated separately by using debug_options +# Note, from Squid-3.1 this option is only a default for cache.log, +# that log can be rotated separately by using debug_options. # -# Note2, for Debian/Linux the default of logfile_rotate is -# zero, since it includes external logfile-rotation methods. +# Note2, for Debian/Linux the default of logfile_rotate is +# zero, since it includes external logfile-rotation methods. #Default: # logfile_rotate 0 -# TAG: emulate_httpd_log on|off -# The Cache can emulate the log file format which many 'httpd' -# programs use. To disable/enable this emulation, set -# emulate_httpd_log to 'off' or 'on'. The default -# is to use the native log format since it includes useful -# information Squid-specific log analyzers use. -#Default: -# emulate_httpd_log off - -# TAG: log_ip_on_direct on|off -# Log the destination IP address in the hierarchy log tag when going -# direct. Earlier Squid versions logged the hostname here. If you -# prefer the old way set this to off. -#Default: -# log_ip_on_direct on - # TAG: mime_table -# Pathname to Squid's MIME table. You shouldn't need to change -# this, but the default file contains examples and formatting -# information if you do. +# Path to Squid's icon configuration file. +# +# You shouldn't need to change this, but the default file contains +# examples and formatting information if you do. #Default: # mime_table /usr/share/squid/mime.conf @@ -2647,91 +4153,61 @@ maximum_object_size 153600 KB #Default: # log_mime_hdrs off -# TAG: useragent_log -# Note: This option is only available if Squid is rebuilt with the -# --enable-useragent-log option -# -# Squid will write the User-Agent field from HTTP requests -# to the filename specified here. By default useragent_log -# is disabled. -#Default: -# none - -# TAG: referer_log -# Note: This option is only available if Squid is rebuilt with the -# --enable-referer-log option -# -# Squid will write the Referer field from HTTP requests to the -# filename specified here. By default referer_log is disabled. -# Note that "referer" is actually a misspelling of "referrer" -# however the misspelt version has been accepted into the HTTP RFCs -# and we accept both. -#Default: -# none - # TAG: pid_filename # A filename to write the process-id to. To disable, enter "none". #Default: # pid_filename /var/run/squid.pid -# TAG: log_fqdn on|off -# Turn this on if you wish to log fully qualified domain names -# in the access.log. To do this Squid does a DNS lookup of all -# IP's connecting to it. This can (in some situations) increase -# latency, which makes your cache seem slower for interactive -# browsing. -#Default: -# log_fqdn off - # TAG: client_netmask # A netmask for client addresses in logfiles and cachemgr output. # Change this to protect the privacy of your cache clients. # A netmask of 255.255.255.0 will log all IP's in that range with # the last digit set to '0'. #Default: -# client_netmask no_addr - -# TAG: forward_log -# Note: This option is only available if Squid is rebuilt with the -# -DWIP_FWD_LOG define -# -# Logs the server-side requests. -# -# This is currently work in progress. -#Default: -# none +# Log full client IP address # TAG: strip_query_terms # By default, Squid strips query terms from requested URLs before -# logging. This protects your user's privacy. +# logging. This protects your user's privacy and reduces log size. +# +# When investigating HIT/MISS or other caching behaviour you +# will need to disable this to see the full URL used by Squid. #Default: # strip_query_terms on # TAG: buffered_logs on|off -# cache.log log file is written with stdio functions, and as such -# it can be buffered or unbuffered. By default it will be unbuffered. -# Buffering it can speed up the writing slightly (though you are -# unlikely to need to worry unless you run with tons of debugging -# enabled in which case performance will suffer badly anyway..). +# Whether to write/send access_log records ASAP or accumulate them and +# then write/send them in larger chunks. Buffering may improve +# performance because it decreases the number of I/Os. However, +# buffering increases the delay before log records become available to +# the final recipient (e.g., a disk file or logging daemon) and, +# hence, increases the risk of log records loss. +# +# Note that even when buffered_logs are off, Squid may have to buffer +# records if it cannot write/send them immediately due to pending I/Os +# (e.g., the I/O writing the previous log record) or connectivity loss. +# +# Currently honored by 'daemon' and 'tcp' access_log modules only. #Default: # buffered_logs off # TAG: netdb_filename -# Note: This option is only available if Squid is rebuilt with the -# --enable-icmp option +# Where Squid stores it's netdb journal. +# When enabled this journal preserves netdb state between restarts. # -# A filename where Squid stores it's netdb state between restarts. # To disable, enter "none". #Default: -# netdb_filename /var/log/squid/netdb.state +# netdb_filename stdio:/var/log/squid/netdb.state # OPTIONS FOR TROUBLESHOOTING # ----------------------------------------------------------------------------- # TAG: cache_log -# Cache logging file. This is where general information about -# your cache's behavior goes. You can increase the amount of data -# logged to this file and how often its rotated with "debug_options" +# Squid administrative logging file. +# +# This is where general information about Squid behavior goes. You can +# increase the amount of data logged to this file and how often it is +# rotated with "debug_options" #Default: # cache_log /var/log/squid/cache.log @@ -2742,14 +4218,14 @@ maximum_object_size 153600 KB # log file, so be careful. # # The magic word "ALL" sets debugging levels for all sections. -# We recommend normally running with "ALL,1". +# The default is to run with "ALL,1" to record important warnings. # # The rotate=N option can be used to keep more or less of these logs # than would otherwise be kept by logfile_rotate. # For most uses a single log should be enough to monitor current # events affecting Squid. #Default: -# debug_options ALL,1 +# Log all critical and important messages. # TAG: coredump_dir # By default Squid leaves core files in the directory from where @@ -2758,7 +4234,7 @@ maximum_object_size 153600 KB # and coredump files will be left there. # #Default: -# coredump_dir none +# Use the directory from where Squid was started. # # Leave coredumps in the first cache dir @@ -2769,24 +4245,17 @@ coredump_dir /var/spool/squid # TAG: ftp_user # If you want the anonymous login password to be more informative -# (and enable the use of picky ftp servers), set this to something +# (and enable the use of picky FTP servers), set this to something # reasonable for your domain, like wwwuser@somewhere.net # # The reason why this is domainless by default is the # request can be made on the behalf of a user in any domain, # depending on how the cache is used. -# Some ftp server also validate the email address is valid +# Some FTP server also validate the email address is valid # (for example perl.com). #Default: # ftp_user Squid@ -# TAG: ftp_list_width -# Sets the width of ftp listings. This should be set to fit in -# the width of a standard browser. Setting this too small -# can cut off long filenames when browsing ftp sites. -#Default: -# ftp_list_width 32 - # TAG: ftp_passive # If your firewall does not allow Squid to use passive # connections, turn off this option. @@ -2822,13 +4291,21 @@ coredump_dir /var/spool/squid # and therefore, translation of the data portion of the segments # will never be needed. # -# Turning this OFF will prevent EPSV being attempted. -# WARNING: Doing so will convert Squid back to the old behavior with all -# the related problems with external NAT devices/layers. +# EPSV is often required to interoperate with FTP servers on IPv6 +# networks. On the other hand, it may break some IPv4 servers. +# +# By default, EPSV may try EPSV with any FTP server. To fine tune +# that decision, you may restrict EPSV to certain clients or servers +# using ACLs: # +# ftp_epsv allow|deny al1 acl2 ... +# +# WARNING: Disabling EPSV may cause problems with external NAT and IPv6. +# +# Only fast ACLs are supported. # Requires ftp_passive to be ON (default) for any effect. #Default: -# ftp_epsv on +# none # TAG: ftp_eprt # FTP Protocol extensions permit the use of a special "EPRT" command. @@ -2889,22 +4366,16 @@ coredump_dir /var/spool/squid # unlinkd_program /usr/lib/squid/unlinkd # TAG: pinger_program -# Note: This option is only available if Squid is rebuilt with the -# --enable-icmp option -# # Specify the location of the executable for the pinger process. #Default: # pinger_program /usr/lib/squid/pinger # TAG: pinger_enable -# Note: This option is only available if Squid is rebuilt with the -# --enable-icmp option -# # Control whether the pinger is active at run-time. # Enables turning ICMP pinger on and off with a simple # squid -k reconfigure. #Default: -# pinger_enable off +# pinger_enable on # OPTIONS FOR URL REWRITING # ----------------------------------------------------------------------------- @@ -2915,68 +4386,137 @@ coredump_dir /var/spool/squid # # For each requested URL, the rewriter will receive on line with the format # -# URL client_ip "/" fqdn user method [ kvpairs] +# [channel-ID ] URL [ extras] +# +# See url_rewrite_extras on how to send "extras" with optional values to +# the helper. +# After processing the request the helper must reply using the following format: +# +# [channel-ID ] result [ kv-pairs] +# +# The result code can be: +# +# OK status=30N url="..." +# Redirect the URL to the one supplied in 'url='. +# 'status=' is optional and contains the status code to send +# the client in Squids HTTP response. It must be one of the +# HTTP redirect status codes: 301, 302, 303, 307, 308. +# When no status is given Squid will use 302. +# +# OK rewrite-url="..." +# Rewrite the URL to the one supplied in 'rewrite-url='. +# The new URL is fetched directly by Squid and returned to +# the client as the response to its request. # -# In the future, the rewriter interface will be extended with -# key=value pairs ("kvpairs" shown above). Rewriter programs -# should be prepared to receive and possibly ignore additional -# whitespace-separated tokens on each input line. +# OK +# When neither of url= and rewrite-url= are sent Squid does +# not change the URL. # -# And the rewriter may return a rewritten URL. The other components of -# the request line does not need to be returned (ignored if they are). +# ERR +# Do not change the URL. # -# The rewriter can also indicate that a client-side redirect should -# be performed to the new URL. This is done by prefixing the returned -# URL with "301:" (moved permanently) or 302: (moved temporarily), etc. +# BH +# An internal error occurred in the helper, preventing +# a result being identified. The 'message=' key name is +# reserved for delivering a log message. +# +# +# In addition to the above kv-pairs Squid also understands the following +# optional kv-pairs received from URL rewriters: +# clt_conn_tag=TAG +# Associates a TAG with the client TCP connection. +# The TAG is treated as a regular annotation but persists across +# future requests on the client connection rather than just the +# current request. A helper may update the TAG during subsequent +# requests be returning a new kv-pair. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# WARNING: URL re-writing ability should be avoided whenever possible. +# Use the URL redirect form of response instead. +# +# Re-write creates a difference in the state held by the client +# and server. Possibly causing confusion when the server response +# contains snippets of its view state. Embeded URLs, response +# and content Location headers, etc. are not re-written by this +# interface. # # By default, a URL rewriter is not used. #Default: # none # TAG: url_rewrite_children -# The number of redirector processes to spawn. If you start -# too few Squid will have to wait for them to process a backlog of -# URLs, slowing it down. If you start too many they will use RAM -# and other system resources. -#Default: -# url_rewrite_children 5 - -# TAG: url_rewrite_concurrency +# The maximum number of redirector processes to spawn. If you limit +# it too few Squid will have to wait for them to process a backlog of +# URLs, slowing it down. If you allow too many they will use RAM +# and other system resources noticably. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup= +# +# Sets a minimum of how many processes are to be spawned when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few will cause an initial slowdown in traffic as Squid +# attempts to simultaneously spawn enough processes to cope. +# +# idle= +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# # The number of requests each redirector helper can handle in # parallel. Defaults to 0 which indicates the redirector # is a old-style single threaded redirector. # # When this directive is set to a value >= 1 then the protocol # used to communicate with the helper is modified to include -# a request ID in front of the request/response. The request -# ID from the request must be echoed back with the response -# to that request. +# an ID in front of the request/response. The ID from the request +# must be echoed back with the response to that request. #Default: -# url_rewrite_concurrency 0 +# url_rewrite_children 20 startup=0 idle=1 concurrency=0 # TAG: url_rewrite_host_header -# By default Squid rewrites any Host: header in redirected -# requests. If you are running an accelerator this may -# not be a wanted effect of a redirector. -# +# To preserve same-origin security policies in browsers and +# prevent Host: header forgery by redirectors Squid rewrites +# any Host: header in redirected requests. +# +# If you are running an accelerator this may not be a wanted +# effect of a redirector. This directive enables you disable +# Host: alteration in reverse-proxy traffic. +# # WARNING: Entries are cached on the result of the URL rewriting # process, so be careful if you have domain-virtual hosts. +# +# WARNING: Squid and other software verifies the URL and Host +# are matching, so be careful not to relay through other proxies +# or inspecting firewalls with this disabled. #Default: # url_rewrite_host_header on # TAG: url_rewrite_access # If defined, this access list specifies which requests are -# sent to the redirector processes. By default all requests -# are sent. +# sent to the redirector processes. # # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: url_rewrite_bypass # When this is 'on', a request will not go through the -# redirector if all redirectors are busy. If this is 'off' +# redirector if all the helpers are busy. If this is 'off' # and the redirector queue grows too large, Squid will exit # with a FATAL error and ask you to increase the number of # redirectors. You should only enable this if the redirectors @@ -2987,23 +4527,231 @@ coredump_dir /var/spool/squid #Default: # url_rewrite_bypass off -# OPTIONS FOR TUNING THE CACHE +# TAG: url_rewrite_extras +# Specifies a string to be append to request line format for the +# rewriter helper. "Quoted" format values may contain spaces and +# logformat %macros. In theory, any logformat %macro can be used. +# In practice, a %macro expands as a dash (-) if the helper request is +# sent before the required macro information is available to Squid. +#Default: +# url_rewrite_extras "%>a/%>A %un %>rm myip=%la myport=%lp" + +# OPTIONS FOR STORE ID # ----------------------------------------------------------------------------- -# TAG: cache -# A list of ACL elements which, if matched and denied, cause the request to -# not be satisfied from the cache and the reply to not be cached. -# In other words, use this to force certain objects to never be cached. +# TAG: store_id_program +# Specify the location of the executable StoreID helper to use. +# Since they can perform almost any function there isn't one included. # -# You must use the words 'allow' or 'deny' to indicate whether items -# matching the ACL should be allowed or denied into the cache. +# For each requested URL, the helper will receive one line with the format # -# Default is to allow all to be cached. +# [channel-ID ] URL [ extras] +# +# +# After processing the request the helper must reply using the following format: +# +# [channel-ID ] result [ kv-pairs] +# +# The result code can be: +# +# OK store-id="..." +# Use the StoreID supplied in 'store-id='. +# +# ERR +# The default is to use HTTP request URL as the store ID. +# +# BH +# An internal error occured in the helper, preventing +# a result being identified. +# +# In addition to the above kv-pairs Squid also understands the following +# optional kv-pairs received from URL rewriters: +# clt_conn_tag=TAG +# Associates a TAG with the client TCP connection. +# Please see url_rewrite_program related documentation for this +# kv-pair +# +# Helper programs should be prepared to receive and possibly ignore +# additional whitespace-separated tokens on each input line. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# NOTE: when using StoreID refresh_pattern will apply to the StoreID +# returned from the helper and not the URL. +# +# WARNING: Wrong StoreID value returned by a careless helper may result +# in the wrong cached response returned to the user. +# +# By default, a StoreID helper is not used. +#Default: +# none + +# TAG: store_id_extras +# Specifies a string to be append to request line format for the +# StoreId helper. "Quoted" format values may contain spaces and +# logformat %macros. In theory, any logformat %macro can be used. +# In practice, a %macro expands as a dash (-) if the helper request is +# sent before the required macro information is available to Squid. +#Default: +# store_id_extras "%>a/%>A %un %>rm myip=%la myport=%lp" + +# TAG: store_id_children +# The maximum number of StoreID helper processes to spawn. If you limit +# it too few Squid will have to wait for them to process a backlog of +# requests, slowing it down. If you allow too many they will use RAM +# and other system resources noticably. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup= +# +# Sets a minimum of how many processes are to be spawned when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few will cause an initial slowdown in traffic as Squid +# attempts to simultaneously spawn enough processes to cope. +# +# idle= +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# +# The number of requests each storeID helper can handle in +# parallel. Defaults to 0 which indicates the helper +# is a old-style single threaded program. +# +# When this directive is set to a value >= 1 then the protocol +# used to communicate with the helper is modified to include +# an ID in front of the request/response. The ID from the request +# must be echoed back with the response to that request. +#Default: +# store_id_children 20 startup=0 idle=1 concurrency=0 + +# TAG: store_id_access +# If defined, this access list specifies which requests are +# sent to the StoreID processes. By default all requests +# are sent. # # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow, unless rules exist in squid.conf. + +# TAG: store_id_bypass +# When this is 'on', a request will not go through the +# helper if all helpers are busy. If this is 'off' +# and the helper queue grows too large, Squid will exit +# with a FATAL error and ask you to increase the number of +# helpers. You should only enable this if the helperss +# are not critical to your caching system. If you use +# helpers for critical caching components, and you enable this +# option, users may not get objects from cache. +#Default: +# store_id_bypass on + +# OPTIONS FOR TUNING THE CACHE +# ----------------------------------------------------------------------------- + +# TAG: cache +# Requests denied by this directive will not be served from the cache +# and their responses will not be stored in the cache. This directive +# has no effect on other transactions and on already cached responses. +# +# This clause supports both fast and slow acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# This and the two other similar caching directives listed below are +# checked at different transaction processing stages, have different +# access to response information, affect different cache operations, +# and differ in slow ACLs support: +# +# * cache: Checked before Squid makes a hit/miss determination. +# No access to reply information! +# Denies both serving a hit and storing a miss. +# Supports both fast and slow ACLs. +# * send_hit: Checked after a hit was detected. +# Has access to reply (hit) information. +# Denies serving a hit only. +# Supports fast ACLs only. +# * store_miss: Checked before storing a cachable miss. +# Has access to reply (miss) information. +# Denies storing a miss only. +# Supports fast ACLs only. +# +# If you are not sure which of the three directives to use, apply the +# following decision logic: +# +# * If your ACL(s) are of slow type _and_ need response info, redesign. +# Squid does not support that particular combination at this time. +# Otherwise: +# * If your directive ACL(s) are of slow type, use "cache"; and/or +# * if your directive ACL(s) need no response info, use "cache". +# Otherwise: +# * If you do not want the response cached, use store_miss; and/or +# * if you do not want a hit on a cached response, use send_hit. +#Default: +# By default, this directive is unused and has no effect. + +# TAG: send_hit +# Responses denied by this directive will not be served from the cache +# (but may still be cached, see store_miss). This directive has no +# effect on the responses it allows and on the cached objects. +# +# Please see the "cache" directive for a summary of differences among +# store_miss, send_hit, and cache directives. +# +# Unlike the "cache" directive, send_hit only supports fast acl +# types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# For example: +# +# # apply custom Store ID mapping to some URLs +# acl MapMe dstdomain .c.example.com +# store_id_program ... +# store_id_access allow MapMe +# +# # but prevent caching of special responses +# # such as 302 redirects that cause StoreID loops +# acl Ordinary http_status 200-299 +# store_miss deny MapMe !Ordinary +# +# # and do not serve any previously stored special responses +# # from the cache (in case they were already cached before +# # the above store_miss rule was in effect). +# send_hit deny MapMe !Ordinary +#Default: +# By default, this directive is unused and has no effect. + +# TAG: store_miss +# Responses denied by this directive will not be cached (but may still +# be served from the cache, see send_hit). This directive has no +# effect on the responses it allows and on the already cached responses. +# +# Please see the "cache" directive for a summary of differences among +# store_miss, send_hit, and cache directives. See the +# send_hit directive for a usage example. +# +# Unlike the "cache" directive, store_miss only supports fast acl +# types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# By default, this directive is unused and has no effect. + +# TAG: max_stale time-units +# This option puts an upper limit on how stale content Squid +# will serve from the cache if cache validation fails. +# Can be overriden by the refresh_pattern max-stale option. +#Default: +# max_stale 1 week # TAG: refresh_pattern # usage: refresh_pattern [-i] regex min percent max [options] @@ -3028,12 +4776,13 @@ coredump_dir /var/spool/squid # override-lastmod # reload-into-ims # ignore-reload -# ignore-no-cache # ignore-no-store # ignore-must-revalidate # ignore-private # ignore-auth +# max-stale=NN # refresh-ims +# store-stale # # override-expire enforces min age even if the server # sent an explicit expiry time (e.g., with the @@ -3049,22 +4798,18 @@ coredump_dir /var/spool/squid # override-lastmod enforces min age even on objects # that were modified recently. # -# reload-into-ims changes client no-cache or ``reload'' -# to If-Modified-Since requests. Doing this VIOLATES the -# HTTP standard. Enabling this feature could make you -# liable for problems which it causes. +# reload-into-ims changes a client no-cache or ``reload'' +# request for a cached entry into a conditional request using +# If-Modified-Since and/or If-None-Match headers, provided the +# cached entry has a Last-Modified and/or a strong ETag header. +# Doing this VIOLATES the HTTP standard. Enabling this feature +# could make you liable for problems which it causes. # # ignore-reload ignores a client no-cache or ``reload'' # header. Doing this VIOLATES the HTTP standard. Enabling # this feature could make you liable for problems which # it causes. # -# ignore-no-cache ignores any ``Pragma: no-cache'' and -# ``Cache-control: no-cache'' headers received from a server. -# The HTTP RFC never allows the use of this (Pragma) header -# from a server, only a client, though plenty of servers -# send it anyway. -# # ignore-no-store ignores any ``Cache-control: no-store'' # headers received from a server. Doing this VIOLATES # the HTTP standard. Enabling this feature could make you @@ -3091,9 +4836,19 @@ coredump_dir /var/spool/squid # ensures that the client will receive an updated version # if one is available. # +# store-stale stores responses even if they don't have explicit +# freshness or a validator (i.e., Last-Modified or an ETag) +# present, or if they're already stale. By default, Squid will +# not cache such responses because they usually can't be +# reused. Note that such responses will be stale by default. +# +# max-stale=NN provide a maximum staleness factor. Squid won't +# serve objects more stale than this even if it failed to +# validate the object. Default: use the max_stale global limit. +# # Basically a cached object is: # -# FRESH if expires < now, else STALE +# FRESH if expire > now, else STALE # STALE if age > max # FRESH if lm-factor < percent, else STALE # FRESH if age < min @@ -3109,7 +4864,9 @@ coredump_dir /var/spool/squid # # +# # Add any of your own refresh_pattern entries above these. +# refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 @@ -3137,7 +4894,7 @@ refresh_pattern . 0 20% 4320 # downloads. # # When the user aborts a request, Squid will check the -# quick_abort values to the amount of data transfered until +# quick_abort values to the amount of data transferred until # then. # # If the transfer has less than 'quick_abort_min' KB remaining, @@ -3195,44 +4952,68 @@ refresh_pattern . 0 20% 4320 #Default: # negative_dns_ttl 1 minutes -# TAG: range_offset_limit (bytes) -# Sets a upper limit on how far into the the file a Range request -# may be to cause Squid to prefetch the whole file. If beyond this -# limit Squid forwards the Range request as it is and the result -# is NOT cached. -# +# TAG: range_offset_limit size [acl acl...] +# usage: (size) [units] [[!]aclname] +# +# Sets an upper limit on how far (number of bytes) into the file +# a Range request may be to cause Squid to prefetch the whole file. +# If beyond this limit, Squid forwards the Range request as it is and +# the result is NOT cached. +# # This is to stop a far ahead range request (lets say start at 17MB) # from making Squid fetch the whole object up to that point before # sending anything to the client. -# -# A value of 0 causes Squid to never fetch more than the +# +# Multiple range_offset_limit lines may be specified, and they will +# be searched from top to bottom on each request until a match is found. +# The first match found will be used. If no line matches a request, the +# default limit of 0 bytes will be used. +# +# 'size' is the limit specified as a number of units. +# +# 'units' specifies whether to use bytes, KB, MB, etc. +# If no units are specified bytes are assumed. +# +# A size of 0 causes Squid to never fetch more than the # client requested. (default) -# -# A value of -1 causes Squid to always fetch the object from the +# +# A size of 'none' causes Squid to always fetch the object from the # beginning so it may cache the result. (2.0 style) -# -# NP: Using -1 here will override any quick_abort settings that may -# otherwise apply to the range request. The range request will +# +# 'aclname' is the name of a defined ACL. +# +# NP: Using 'none' as the byte value here will override any quick_abort settings +# that may otherwise apply to the range request. The range request will # be fully fetched from start to finish regardless of the client # actions. This affects bandwidth usage. #Default: -# range_offset_limit 0 KB +# none # TAG: minimum_expiry_time (seconds) # The minimum caching time according to (Expires - Date) -# Headers Squid honors if the object can't be revalidated -# defaults to 60 seconds. In reverse proxy environments it -# might be desirable to honor shorter object lifetimes. It -# is most likely better to make your server return a -# meaningful Last-Modified header however. In ESI environments -# where page fragments often have short lifetimes, this will -# often be best set to 0. +# headers Squid honors if the object can't be revalidated. +# The default is 60 seconds. +# +# In reverse proxy environments it might be desirable to honor +# shorter object lifetimes. It is most likely better to make +# your server return a meaningful Last-Modified header however. +# +# In ESI environments where page fragments often have short +# lifetimes, this will often be best set to 0. #Default: # minimum_expiry_time 60 seconds -# TAG: store_avg_object_size (kbytes) +# TAG: store_avg_object_size (bytes) # Average object size, used to estimate number of objects your # cache can hold. The default is 13 KB. +# +# This is used to pre-seed the cache index memory allocation to +# reduce expensive reallocate operations while handling clients +# traffic. Too-large values may result in memory allocation during +# peak traffic, too-small values will result in wasted memory. +# +# Check the cache manager 'info' report metrics for the real +# object sizes seen by your Squid before tuning this. #Default: # store_avg_object_size 13 KB @@ -3271,8 +5052,11 @@ refresh_pattern . 0 20% 4320 # than this limit receives an "Invalid Request" error message. # If you set this parameter to a zero (the default), there will # be no limit imposed. +# +# See also client_request_buffer_max_size for an alternative +# limitation on client uploads which can be configured. #Default: -# request_body_max_size 0 KB +# No limit. # TAG: client_request_buffer_max_size (bytes) # This specifies the maximum buffer size of a client request. @@ -3281,29 +5065,6 @@ refresh_pattern . 0 20% 4320 #Default: # client_request_buffer_max_size 512 KB -# TAG: chunked_request_body_max_size (bytes) -# A broken or confused HTTP/1.1 client may send a chunked HTTP -# request to Squid. Squid does not have full support for that -# feature yet. To cope with such requests, Squid buffers the -# entire request and then dechunks request body to create a -# plain HTTP/1.0 request with a known content length. The plain -# request is then used by the rest of Squid code as usual. -# -# The option value specifies the maximum size of the buffer used -# to hold the request before the conversion. If the chunked -# request size exceeds the specified limit, the conversion -# fails, and the client receives an "unsupported request" error, -# as if dechunking was disabled. -# -# Dechunking is enabled by default. To disable conversion of -# chunked requests, set the maximum to zero. -# -# Request dechunking feature and this option in particular are a -# temporary hack. When chunking requests and responses are fully -# supported, there will be no need to buffer a chunked request. -#Default: -# chunked_request_body_max_size 64 KB - # TAG: broken_posts # A list of ACL elements which, if matched, causes Squid to send # an extra CRLF pair after the body of a PUT/POST request. @@ -3325,15 +5086,15 @@ refresh_pattern . 0 20% 4320 # acl buggy_server url_regex ^http://.... # broken_posts allow buggy_server #Default: -# none +# Obey RFC 2616. -# TAG: icap_uses_indirect_client on|off +# TAG: adaptation_uses_indirect_client on|off # Controls whether the indirect client IP address (instead of the direct # client IP address) is passed to adaptation services. # # See also: follow_x_forwarded_for adaptation_send_client_ip #Default: -# icap_uses_indirect_client on +# adaptation_uses_indirect_client on # TAG: via on|off # If set (default), Squid will include a Via header in requests and @@ -3395,64 +5156,62 @@ refresh_pattern . 0 20% 4320 # # This option replaces the old 'anonymize_headers' and the # older 'http_anonymizer' option with something that is much -# more configurable. This new method creates a list of ACLs -# for each header, allowing you very fine-tuned header -# mangling. -# -# This option only applies to request headers, i.e., from the -# client to the server. -# -# You can only specify known headers for the header name. -# Other headers are reclassified as 'Other'. You can also -# refer to all the headers with 'All'. +# more configurable. A list of ACLs for each header name allows +# removal of specific header fields under specific conditions. +# +# This option only applies to outgoing HTTP request headers (i.e., +# headers sent by Squid to the next HTTP hop such as a cache peer +# or an origin server). The option has no effect during cache hit +# detection. The equivalent adaptation vectoring point in ICAP +# terminology is post-cache REQMOD. +# +# The option is applied to individual outgoing request header +# fields. For each request header field F, Squid uses the first +# qualifying sets of request_header_access rules: +# +# 1. Rules with header_name equal to F's name. +# 2. Rules with header_name 'Other', provided F's name is not +# on the hard-coded list of commonly used HTTP header names. +# 3. Rules with header_name 'All'. +# +# Within that qualifying rule set, rule ACLs are checked as usual. +# If ACLs of an "allow" rule match, the header field is allowed to +# go through as is. If ACLs of a "deny" rule match, the header is +# removed and request_header_replace is then checked to identify +# if the removed header has a replacement. If no rules within the +# set have matching ACLs, the header field is left as is. # # For example, to achieve the same behavior as the old # 'http_anonymizer standard' option, you should use: # # request_header_access From deny all # request_header_access Referer deny all -# request_header_access Server deny all # request_header_access User-Agent deny all -# request_header_access WWW-Authenticate deny all -# request_header_access Link deny all # # Or, to reproduce the old 'http_anonymizer paranoid' feature # you should use: # -# request_header_access Allow allow all # request_header_access Authorization allow all -# request_header_access WWW-Authenticate allow all # request_header_access Proxy-Authorization allow all -# request_header_access Proxy-Authenticate allow all # request_header_access Cache-Control allow all -# request_header_access Content-Encoding allow all # request_header_access Content-Length allow all # request_header_access Content-Type allow all # request_header_access Date allow all -# request_header_access Expires allow all # request_header_access Host allow all # request_header_access If-Modified-Since allow all -# request_header_access Last-Modified allow all -# request_header_access Location allow all # request_header_access Pragma allow all # request_header_access Accept allow all # request_header_access Accept-Charset allow all # request_header_access Accept-Encoding allow all # request_header_access Accept-Language allow all -# request_header_access Content-Language allow all -# request_header_access Mime-Version allow all -# request_header_access Retry-After allow all -# request_header_access Title allow all # request_header_access Connection allow all # request_header_access All deny all # -# although many of those are HTTP reply headers, and so should be -# controlled with the reply_header_access directive. +# HTTP reply headers are controlled with the reply_header_access directive. # -# By default, all headers are allowed (no anonymizing is -# performed). +# By default, all headers are allowed (no anonymizing is performed). #Default: -# none +# No limits. # TAG: reply_header_access # Usage: reply_header_access header_name allow|deny [!]aclname ... @@ -3465,25 +5224,13 @@ refresh_pattern . 0 20% 4320 # server to the client. # # This is the same as request_header_access, but in the other -# direction. -# -# This option replaces the old 'anonymize_headers' and the -# older 'http_anonymizer' option with something that is much -# more configurable. This new method creates a list of ACLs -# for each header, allowing you very fine-tuned header -# mangling. -# -# You can only specify known headers for the header name. -# Other headers are reclassified as 'Other'. You can also -# refer to all the headers with 'All'. +# direction. Please see request_header_access for detailed +# documentation. # # For example, to achieve the same behavior as the old # 'http_anonymizer standard' option, you should use: # -# reply_header_access From deny all -# reply_header_access Referer deny all # reply_header_access Server deny all -# reply_header_access User-Agent deny all # reply_header_access WWW-Authenticate deny all # reply_header_access Link deny all # @@ -3491,9 +5238,7 @@ refresh_pattern . 0 20% 4320 # you should use: # # reply_header_access Allow allow all -# reply_header_access Authorization allow all # reply_header_access WWW-Authenticate allow all -# reply_header_access Proxy-Authorization allow all # reply_header_access Proxy-Authenticate allow all # reply_header_access Cache-Control allow all # reply_header_access Content-Encoding allow all @@ -3501,29 +5246,22 @@ refresh_pattern . 0 20% 4320 # reply_header_access Content-Type allow all # reply_header_access Date allow all # reply_header_access Expires allow all -# reply_header_access Host allow all -# reply_header_access If-Modified-Since allow all # reply_header_access Last-Modified allow all # reply_header_access Location allow all # reply_header_access Pragma allow all -# reply_header_access Accept allow all -# reply_header_access Accept-Charset allow all -# reply_header_access Accept-Encoding allow all -# reply_header_access Accept-Language allow all # reply_header_access Content-Language allow all -# reply_header_access Mime-Version allow all # reply_header_access Retry-After allow all # reply_header_access Title allow all +# reply_header_access Content-Disposition allow all # reply_header_access Connection allow all # reply_header_access All deny all # -# although the HTTP request headers won't be usefully controlled -# by this directive -- see request_header_access for details. +# HTTP request headers are controlled with the request_header_access directive. # # By default, all headers are allowed (no anonymizing is # performed). #Default: -# none +# No limits. # TAG: request_header_replace # Usage: request_header_replace header_name message @@ -3531,8 +5269,7 @@ refresh_pattern . 0 20% 4320 # # This option allows you to change the contents of headers # denied with request_header_access above, by replacing them -# with some fixed string. This replaces the old fake_user_agent -# option. +# with some fixed string. # # This only applies to request headers, not reply headers. # @@ -3554,6 +5291,57 @@ refresh_pattern . 0 20% 4320 #Default: # none +# TAG: request_header_add +# Usage: request_header_add field-name field-value acl1 [acl2] ... +# Example: request_header_add X-Client-CA "CA=%ssl::>cert_issuer" all +# +# This option adds header fields to outgoing HTTP requests (i.e., +# request headers sent by Squid to the next HTTP hop such as a +# cache peer or an origin server). The option has no effect during +# cache hit detection. The equivalent adaptation vectoring point +# in ICAP terminology is post-cache REQMOD. +# +# Field-name is a token specifying an HTTP header name. If a +# standard HTTP header name is used, Squid does not check whether +# the new header conflicts with any existing headers or violates +# HTTP rules. If the request to be modified already contains a +# field with the same name, the old field is preserved but the +# header field values are not merged. +# +# Field-value is either a token or a quoted string. If quoted +# string format is used, then the surrounding quotes are removed +# while escape sequences and %macros are processed. +# +# In theory, all of the logformat codes can be used as %macros. +# However, unlike logging (which happens at the very end of +# transaction lifetime), the transaction may not yet have enough +# information to expand a macro when the new header value is needed. +# And some information may already be available to Squid but not yet +# committed where the macro expansion code can access it (report +# such instances!). The macro will be expanded into a single dash +# ('-') in such cases. Not all macros have been tested. +# +# One or more Squid ACLs may be specified to restrict header +# injection to matching requests. As always in squid.conf, all +# ACLs in an option ACL list must be satisfied for the insertion +# to happen. The request_header_add option supports fast ACLs +# only. +#Default: +# none + +# TAG: note +# This option used to log custom information about the master +# transaction. For example, an admin may configure Squid to log +# which "user group" the transaction belongs to, where "user group" +# will be determined based on a set of ACLs and not [just] +# authentication information. +# Values of key/value pairs can be logged using %{key}note macros: +# +# note key value acl ... +# logformat myFormat ... %{key}note ... +#Default: +# none + # TAG: relaxed_header_parser on|off|warn # In the default "on" setting Squid accepts certain forms # of non-compliant HTTP messages where it is unambiguous @@ -3569,15 +5357,32 @@ refresh_pattern . 0 20% 4320 #Default: # relaxed_header_parser on -# TAG: ignore_expect_100 on|off -# This option makes Squid ignore any Expect: 100-continue header present -# in the request. RFC 2616 requires that Squid being unable to satisfy -# the response expectation MUST return a 417 error. -# -# Note: Enabling this is a HTTP protocol violation, but some clients may -# not handle it well.. -#Default: -# ignore_expect_100 off +# TAG: collapsed_forwarding (on|off) +# When enabled, instead of forwarding each concurrent request for +# the same URL, Squid just sends the first of them. The other, so +# called "collapsed" requests, wait for the response to the first +# request and, if it happens to be cachable, use that response. +# Here, "concurrent requests" means "received after the first +# request headers were parsed and before the corresponding response +# headers were parsed". +# +# This feature is disabled by default: enabling collapsed +# forwarding needlessly delays forwarding requests that look +# cachable (when they are collapsed) but then need to be forwarded +# individually anyway because they end up being for uncachable +# content. However, in some cases, such as acceleration of highly +# cachable content with periodic or grouped expiration times, the +# gains from collapsing [large volumes of simultaneous refresh +# requests] outweigh losses from such delays. +# +# Squid collapses two kinds of requests: regular client requests +# received on one of the listening ports and internal "cache +# revalidation" requests which are triggered by those regular +# requests hitting a stale cached object. Revalidation collapsing +# is currently disabled for Squid instances containing SMP-aware +# disk or memory caches and for Vary-controlled cached objects. +#Default: +# collapsed_forwarding off # TIMEOUTS # ----------------------------------------------------------------------------- @@ -3604,25 +5409,46 @@ refresh_pattern . 0 20% 4320 # peer_connect_timeout 30 seconds # TAG: read_timeout time-units -# The read_timeout is applied on server-side connections. After -# each successful read(), the timeout will be extended by this +# Applied on peer server connections. +# +# After each successful read(), the timeout will be extended by this # amount. If no data is read again after this amount of time, -# the request is aborted and logged with ERR_READ_TIMEOUT. The -# default is 15 minutes. +# the request is aborted and logged with ERR_READ_TIMEOUT. +# +# The default is 15 minutes. #Default: # read_timeout 15 minutes +# TAG: write_timeout time-units +# This timeout is tracked for all connections that have data +# available for writing and are waiting for the socket to become +# ready. After each successful write, the timeout is extended by +# the configured amount. If Squid has data to write but the +# connection is not ready for the configured duration, the +# transaction associated with the connection is terminated. The +# default is 15 minutes. +#Default: +# write_timeout 15 minutes + # TAG: request_timeout # How long to wait for complete HTTP request headers after initial # connection establishment. #Default: # request_timeout 5 minutes -# TAG: persistent_request_timeout +# TAG: client_idle_pconn_timeout # How long to wait for the next HTTP request on a persistent -# connection after the previous request completes. +# client connection after the previous request completes. +#Default: +# client_idle_pconn_timeout 2 minutes + +# TAG: ftp_client_idle_timeout +# How long to wait for an FTP request on a connection to Squid ftp_port. +# Many FTP clients do not deal with idle connection closures well, +# necessitating a longer default timeout than client_idle_pconn_timeout +# used for incoming HTTP requests. #Default: -# persistent_request_timeout 2 minutes +# ftp_client_idle_timeout 30 minutes # TAG: client_lifetime time-units # The maximum amount of time a client (browser) is allowed to @@ -3658,11 +5484,11 @@ refresh_pattern . 0 20% 4320 #Default: # half_closed_clients off -# TAG: pconn_timeout +# TAG: server_idle_pconn_timeout # Timeout for idle persistent connections to servers and other # proxies. #Default: -# pconn_timeout 1 minute +# server_idle_pconn_timeout 1 minute # TAG: ident_timeout # Maximum time to wait for IDENT lookups to complete. @@ -3687,15 +5513,15 @@ refresh_pattern . 0 20% 4320 # TAG: cache_mgr # Email-address of local cache manager who will receive -# mail if the cache dies. The default is "webmaster." +# mail if the cache dies. The default is "webmaster". #Default: # cache_mgr webmaster # TAG: mail_from # From: email-address for mail sent when the cache dies. -# The default is to use 'appname@unique_hostname'. -# Default appname value is "squid", can be changed into -# src/globals.h before building squid. +# The default is to use 'squid@unique_hostname'. +# +# See also: unique_hostname directive. #Default: # none @@ -3734,7 +5560,7 @@ refresh_pattern . 0 20% 4320 # Our preference is for administrators to configure a secure # user account for squid with UID/GID matching system policies. #Default: -# none +# Use system group memberships of the cache_effective_user account # TAG: httpd_suppress_version_string on|off # Suppress Squid version string info in HTTP headers and HTML error pages. @@ -3748,14 +5574,14 @@ refresh_pattern . 0 20% 4320 # get errors about IP-forwarding you must set them to have individual # names with this setting. #Default: -# visible_hostname localhost +# Automatically detect the system host name # TAG: unique_hostname # If you want to have multiple machines with the same # 'visible_hostname' you must give each machine a different # 'unique_hostname' so forwarding loops can be detected. #Default: -# none +# Copy the value from visible_hostname # TAG: hostname_aliases # A list of other DNS names your cache has. @@ -3794,33 +5620,32 @@ refresh_pattern . 0 20% 4320 # available on the Web at http://www.ircache.net/Cache/Tracker/. # TAG: announce_period -# This is how frequently to send cache announcements. The -# default is `0' which disables sending the announcement -# messages. +# This is how frequently to send cache announcements. # # To enable announcing your cache, just set an announce period. # # Example: # announce_period 1 day #Default: -# announce_period 0 +# Announcement messages disabled. # TAG: announce_host +# Set the hostname where announce registration messages will be sent. +# +# See also announce_port and announce_file #Default: # announce_host tracker.ircache.net # TAG: announce_file +# The contents of this file will be included in the announce +# registration messages. #Default: # none # TAG: announce_port -# announce_host and announce_port set the hostname and port -# number where the registration message will be sent. +# Set the port where announce registration messages will be sent. # -# Hostname will default to 'tracker.ircache.net' and port will -# default default to 3131. If the 'filename' argument is given, -# the contents of that file will be included in the announce -# message. +# See also announce_host and announce_file #Default: # announce_port 3131 @@ -3833,10 +5658,12 @@ refresh_pattern . 0 20% 4320 # a farm of surrogates may all perform the same tasks, they may share # an identification token. #Default: -# httpd_accel_surrogate_id unset-id +# visible_hostname is used if no specific ID is set. # TAG: http_accel_surrogate_remote on|off -# Remote surrogates (such as those in a CDN) honour Surrogate-Control: no-store-remote. +# Remote surrogates (such as those in a CDN) honour the header +# "Surrogate-Control: no-store-remote". +# # Set this to on to have squid behave as a remote surrogate. #Default: # http_accel_surrogate_remote off @@ -3855,6 +5682,9 @@ refresh_pattern . 0 20% 4320 # This represents the number of delay pools to be used. For example, # if you have one class 2 delay pool and one class 3 delays pool, you # have a total of 2 delay pools. +# +# See also delay_parameters, delay_class, delay_access for pool +# configuration details. #Default: # delay_pools 0 @@ -3907,6 +5737,11 @@ refresh_pattern . 0 20% 4320 # # NOTE-2: Due to the use of bitmasks in class 2,3,4 pools they only apply to # IPv4 traffic. Class 1 and 5 pools may be used with IPv6 traffic. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# See also delay_parameters and delay_access. #Default: # none @@ -3921,14 +5756,16 @@ refresh_pattern . 0 20% 4320 # For example, if you want some_big_clients in delay # pool 1 and lotsa_little_clients in delay pool 2: # -#Example: -# delay_access 1 allow some_big_clients -# delay_access 1 deny all -# delay_access 2 allow lotsa_little_clients -# delay_access 2 deny all -# delay_access 3 allow authenticated_clients +# delay_access 1 allow some_big_clients +# delay_access 1 deny all +# delay_access 2 allow lotsa_little_clients +# delay_access 2 deny all +# delay_access 3 allow authenticated_clients +# +# See also delay_parameters and delay_class. +# #Default: -# none +# Deny using the pool, unless allow rules exist in squid.conf for the pool. # TAG: delay_parameters # This defines the parameters for a delay pool. Each delay pool has @@ -3936,23 +5773,23 @@ refresh_pattern . 0 20% 4320 # description of delay_class. # # For a class 1 delay pool, the syntax is: -# delay_pools pool 1 +# delay_class pool 1 # delay_parameters pool aggregate # # For a class 2 delay pool: -# delay_pools pool 2 +# delay_class pool 2 # delay_parameters pool aggregate individual # # For a class 3 delay pool: -# delay_pools pool 3 +# delay_class pool 3 # delay_parameters pool aggregate network individual # # For a class 4 delay pool: -# delay_pools pool 4 +# delay_class pool 4 # delay_parameters pool aggregate network individual user # # For a class 5 delay pool: -# delay_pools pool 5 +# delay_class pool 5 # delay_parameters pool tagrate # # The option variables are: @@ -3988,11 +5825,11 @@ refresh_pattern . 0 20% 4320 # above example, and is being used to strictly limit each host to 64Kbit/sec # (plus overheads), with no overall limit, the line is: # -# delay_parameters 1 -1/-1 8000/8000 +# delay_parameters 1 none 8000/8000 # -# Note that 8 x 8000 KByte/sec -> 64Kbit/sec. +# Note that 8 x 8K Byte/sec -> 64K bit/sec. # -# Note that the figure -1 is used to represent "unlimited". +# Note that the word 'none' is used to represent no limit. # # # And, if delay pool number 2 is a class 3 delay pool as in the above @@ -4005,15 +5842,19 @@ refresh_pattern . 0 20% 4320 # # delay_parameters 2 32000/32000 8000/8000 600/8000 # -# Note that 8 x 32000 KByte/sec -> 256Kbit/sec. -# 8 x 8000 KByte/sec -> 64Kbit/sec. -# 8 x 600 Byte/sec -> 4800bit/sec. +# Note that 8 x 32K Byte/sec -> 256K bit/sec. +# 8 x 8K Byte/sec -> 64K bit/sec. +# 8 x 600 Byte/sec -> 4800 bit/sec. # # # Finally, for a class 4 delay pool as in the example - each user will # be limited to 128Kbits/sec no matter how many workstations they are logged into.: # # delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000 +# +# +# See also delay_class and delay_access. +# #Default: # none @@ -4026,6 +5867,94 @@ refresh_pattern . 0 20% 4320 #Default: # delay_initial_bucket_level 50 +# CLIENT DELAY POOL PARAMETERS +# ----------------------------------------------------------------------------- + +# TAG: client_delay_pools +# This option specifies the number of client delay pools used. It must +# preceed other client_delay_* options. +# +# Example: +# client_delay_pools 2 +# +# See also client_delay_parameters and client_delay_access. +#Default: +# client_delay_pools 0 + +# TAG: client_delay_initial_bucket_level (percent, 0-no_limit) +# This option determines the initial bucket size as a percentage of +# max_bucket_size from client_delay_parameters. Buckets are created +# at the time of the "first" connection from the matching IP. Idle +# buckets are periodically deleted up. +# +# You can specify more than 100 percent but note that such "oversized" +# buckets are not refilled until their size goes down to max_bucket_size +# from client_delay_parameters. +# +# Example: +# client_delay_initial_bucket_level 50 +#Default: +# client_delay_initial_bucket_level 50 + +# TAG: client_delay_parameters +# +# This option configures client-side bandwidth limits using the +# following format: +# +# client_delay_parameters pool speed_limit max_bucket_size +# +# pool is an integer ID used for client_delay_access matching. +# +# speed_limit is bytes added to the bucket per second. +# +# max_bucket_size is the maximum size of a bucket, enforced after any +# speed_limit additions. +# +# Please see the delay_parameters option for more information and +# examples. +# +# Example: +# client_delay_parameters 1 1024 2048 +# client_delay_parameters 2 51200 16384 +# +# See also client_delay_access. +# +#Default: +# none + +# TAG: client_delay_access +# This option determines the client-side delay pool for the +# request: +# +# client_delay_access pool_ID allow|deny acl_name +# +# All client_delay_access options are checked in their pool ID +# order, starting with pool 1. The first checked pool with allowed +# request is selected for the request. If no ACL matches or there +# are no client_delay_access options, the request bandwidth is not +# limited. +# +# The ACL-selected pool is then used to find the +# client_delay_parameters for the request. Client-side pools are +# not used to aggregate clients. Clients are always aggregated +# based on their source IP addresses (one bucket per source IP). +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# Additionally, only the client TCP connection details are available. +# ACLs testing HTTP properties will not work. +# +# Please see delay_access for more examples. +# +# Example: +# client_delay_access 1 allow low_rate_network +# client_delay_access 2 allow vips_network +# +# +# See also client_delay_parameters and client_delay_pools. +#Default: +# Deny use of the pool, unless allow rules exist in squid.conf for the pool. + # WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS # ----------------------------------------------------------------------------- @@ -4040,7 +5969,7 @@ refresh_pattern . 0 20% 4320 # only one of the two may be used at the same time and defines # which version of WCCP to use. #Default: -# wccp_router any_addr +# WCCP disabled. # TAG: wccp2_router # Use this option to define your WCCP ``home'' router for @@ -4053,7 +5982,7 @@ refresh_pattern . 0 20% 4320 # only one of the two may be used at the same time and defines # which version of WCCP to use. #Default: -# none +# WCCPv2 disabled. # TAG: wccp_version # This directive is only relevant if you need to set up WCCP(v1) @@ -4110,7 +6039,7 @@ refresh_pattern . 0 20% 4320 # Valid values are as follows: # # hash - Hash assignment -# mask - Mask assignment +# mask - Mask assignment # # As a general rule, cisco routers support the hash assignment method # and cisco switches support the mask assignment method. @@ -4138,7 +6067,7 @@ refresh_pattern . 0 20% 4320 # # fleshed out with subsequent options. # wccp2_service standard 0 password=foo #Default: -# wccp2_service standard 0 +# Use the 'web-cache' standard service. # TAG: wccp2_service_info # Dynamic WCCPv2 services require further information to define the @@ -4175,8 +6104,12 @@ refresh_pattern . 0 20% 4320 # wccp2_weight 10000 # TAG: wccp_address +# Use this option if you require WCCPv2 to use a specific +# interface address. +# +# The default behavior is to not bind to any specific address. #Default: -# wccp_address 0.0.0.0 +# Address selected by the operating system. # TAG: wccp2_address # Use this option if you require WCCP to use a specific @@ -4184,7 +6117,7 @@ refresh_pattern . 0 20% 4320 # # The default behavior is to not bind to any specific address. #Default: -# wccp2_address 0.0.0.0 +# Address selected by the operating system. # PERSISTENT CONNECTION HANDLING # ----------------------------------------------------------------------------- @@ -4192,14 +6125,16 @@ refresh_pattern . 0 20% 4320 # Also see "pconn_timeout" in the TIMEOUTS section # TAG: client_persistent_connections +# Persistent connection support for clients. +# Squid uses persistent connections (when allowed). You can use +# this option to disable persistent connections with clients. #Default: # client_persistent_connections on # TAG: server_persistent_connections -# Persistent connection support for clients and servers. By -# default, Squid uses persistent connections (when allowed) -# with its clients and servers. You can use these options to -# disable persistent connections with clients and/or servers. +# Persistent connection support for servers. +# Squid uses persistent connections (when allowed). You can use +# this option to disable persistent connections with servers. #Default: # server_persistent_connections on @@ -4275,7 +6210,7 @@ refresh_pattern . 0 20% 4320 # Example: # snmp_port 3401 #Default: -# snmp_port 0 +# SNMP disabled. # TAG: snmp_access # Allowing or denying access to the SNMP port. @@ -4287,26 +6222,29 @@ refresh_pattern . 0 20% 4320 # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# #Example: # snmp_access allow snmppublic localhost # snmp_access deny all #Default: -# snmp_access deny all +# Deny, unless rules exist in squid.conf. # TAG: snmp_incoming_address -#Default: -# snmp_incoming_address any_addr - -# TAG: snmp_outgoing_address # Just like 'udp_incoming_address', but for the SNMP port. # # snmp_incoming_address is used for the SNMP socket receiving # messages from SNMP agents. -# snmp_outgoing_address is used for SNMP packets returned to SNMP -# agents. # # The default snmp_incoming_address is to listen on all # available network interfaces. +#Default: +# Accept SNMP packets from all machine interfaces. + +# TAG: snmp_outgoing_address +# Just like 'udp_outgoing_address', but for the SNMP port. +# +# snmp_outgoing_address is used for SNMP packets returned to SNMP +# agents. # # If snmp_outgoing_address is not set it will use the same socket # as snmp_incoming_address. Only change this if you want to have @@ -4314,9 +6252,9 @@ refresh_pattern . 0 20% 4320 # listens for SNMP queries. # # NOTE, snmp_incoming_address and snmp_outgoing_address can not have -# the same value since they both use port 3401. +# the same value since they both use the same port. #Default: -# snmp_outgoing_address no_addr +# Use snmp_incoming_address or an address selected by the operating system. # ICP OPTIONS # ----------------------------------------------------------------------------- @@ -4324,22 +6262,21 @@ refresh_pattern . 0 20% 4320 # TAG: icp_port # The port number where Squid sends and receives ICP queries to # and from neighbor caches. The standard UDP port for ICP is 3130. -# Default is disabled (0). # # Example: # icp_port 3130 #Default: -# icp_port 0 +# ICP disabled. # TAG: htcp_port # The port number where Squid sends and receives HTCP queries to # and from neighbor caches. To turn it on you want to set it to -# 4827. By default it is set to "0" (disabled). +# 4827. # # Example: # htcp_port 4827 #Default: -# htcp_port 0 +# HTCP disabled. # TAG: log_icp_queries on|off # If set, ICP queries are logged to access.log. You may wish @@ -4365,7 +6302,7 @@ refresh_pattern . 0 20% 4320 # NOTE, udp_incoming_address and udp_outgoing_address can not # have the same value since they both use the same port. #Default: -# udp_incoming_address any_addr +# Accept packets from all machine interfaces. # TAG: udp_outgoing_address # udp_outgoing_address is used for UDP packets sent out to other @@ -4386,7 +6323,7 @@ refresh_pattern . 0 20% 4320 # NOTE, udp_incoming_address and udp_outgoing_address can not # have the same value since they both use the same port. #Default: -# udp_outgoing_address no_addr +# Use udp_incoming_address or an address selected by the operating system. # TAG: icp_hit_stale on|off # If you want to return ICP_HIT for stale cache objects, set this @@ -4405,21 +6342,33 @@ refresh_pattern . 0 20% 4320 #Default: # minimum_direct_hops 4 -# TAG: minimum_direct_rtt +# TAG: minimum_direct_rtt (msec) # If using the ICMP pinging stuff, do direct fetches for sites # which are no more than this many rtt milliseconds away. #Default: # minimum_direct_rtt 400 # TAG: netdb_low +# The low water mark for the ICMP measurement database. +# +# Note: high watermark controlled by netdb_high directive. +# +# These watermarks are counts, not percents. The defaults are +# (low) 900 and (high) 1000. When the high water mark is +# reached, database entries will be deleted until the low +# mark is reached. #Default: # netdb_low 900 # TAG: netdb_high -# The low and high water marks for the ICMP measurement -# database. These are counts, not percents. The defaults are -# 900 and 1000. When the high water mark is reached, database -# entries will be deleted until the low mark is reached. +# The high water mark for the ICMP measurement database. +# +# Note: low watermark controlled by netdb_low directive. +# +# These watermarks are counts, not percents. The defaults are +# (low) 900 and (high) 1000. When the high water mark is +# reached, database entries will be deleted until the low +# mark is reached. #Default: # netdb_high 1000 @@ -4462,7 +6411,7 @@ refresh_pattern . 0 20% 4320 # # icp_query_timeout 2000 #Default: -# icp_query_timeout 0 +# Dynamic detection. # TAG: maximum_icp_query_timeout (msec) # Normally the ICP query timeout is determined dynamically. But @@ -4528,7 +6477,7 @@ refresh_pattern . 0 20% 4320 # Do not enable this option unless you are are absolutely # certain you understand what you are doing. #Default: -# mcast_miss_addr no_addr +# disabled. # TAG: mcast_miss_ttl # Note: This option is only available if Squid is rebuilt with the @@ -4618,7 +6567,7 @@ refresh_pattern . 0 20% 4320 # The squid developers working on translations are happy to supply drop-in # translated error files in exchange for any new language contributions. #Default: -# none +# Send error pages in the clients preferred language # TAG: error_default_language # Set the default language which squid will send error pages in @@ -4632,7 +6581,7 @@ refresh_pattern . 0 20% 4320 # translations for any language see the squid wiki for details. # http://wiki.squid-cache.org/Translations #Default: -# none +# Generate English language pages. # TAG: error_log_languages # Log to cache.log what languages users are attempting to @@ -4687,17 +6636,47 @@ refresh_pattern . 0 20% 4320 # the first authentication related acl encountered # - When none of the http_access lines matches. It's then the last # acl processed on the last http_access line. +# - When the decision to deny access was made by an adaptation service, +# the acl name is the corresponding eCAP or ICAP service_name. # # NP: If providing your own custom error pages with error_directory # you may also specify them by your custom file name: # Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys # -# Alternatively you can specify an error URL. The browsers will -# get redirected (302 or 307) to the specified URL. %s in the redirection -# URL will be replaced by the requested URL. +# By defaut Squid will send "403 Forbidden". A different 4xx or 5xx +# may be specified by prefixing the file name with the code and a colon. +# e.g. 404:ERR_CUSTOM_ACCESS_DENIED # # Alternatively you can tell Squid to reset the TCP connection # by specifying TCP_RESET. +# +# Or you can specify an error URL or URL pattern. The browsers will +# get redirected to the specified URL after formatting tags have +# been replaced. Redirect will be done with 302 or 307 according to +# HTTP/1.1 specs. A different 3xx code may be specified by prefixing +# the URL. e.g. 303:http://example.com/ +# +# URL FORMAT TAGS: +# %a - username (if available. Password NOT included) +# %B - FTP path URL +# %e - Error number +# %E - Error description +# %h - Squid hostname +# %H - Request domain name +# %i - Client IP Address +# %M - Request Method +# %o - Message result from external ACL helper +# %p - Request Port number +# %P - Request Protocol name +# %R - Request URL path +# %T - Timestamp in RFC 1123 format +# %U - Full canonical URL from client +# (HTTPS URLs terminate with *) +# %u - Full canonical URL from client +# %w - Admin email from squid.conf +# %x - Error name +# %% - Literal percent (%) code +# #Default: # none @@ -4706,18 +6685,18 @@ refresh_pattern . 0 20% 4320 # TAG: nonhierarchical_direct # By default, Squid will send any non-hierarchical requests -# (matching hierarchy_stoplist or not cacheable request type) direct -# to origin servers. +# (not cacheable request type) direct to origin servers. # -# If you set this to off, Squid will prefer to send these +# When this is set to "off", Squid will prefer to send these # requests to parents. # # Note that in most configurations, by turning this off you will only # add latency to these request without any improvement in global hit # ratio. # -# If you are inside an firewall see never_direct instead of -# this directive. +# This option only sets a preference. If the parent is unavailable a +# direct connection to the origin server may still be attempted. To +# completely prevent direct connections use never_direct. #Default: # nonhierarchical_direct on @@ -4736,6 +6715,29 @@ refresh_pattern . 0 20% 4320 #Default: # prefer_direct off +# TAG: cache_miss_revalidate on|off +# RFC 7232 defines a conditional request mechanism to prevent +# response objects being unnecessarily transferred over the network. +# If that mechanism is used by the client and a cache MISS occurs +# it can prevent new cache entries being created. +# +# This option determines whether Squid on cache MISS will pass the +# client revalidation request to the server or tries to fetch new +# content for caching. It can be useful while the cache is mostly +# empty to more quickly have the cache populated by generating +# non-conditional GETs. +# +# When set to 'on' (default), Squid will pass all client If-* headers +# to the server. This permits server responses without a cacheable +# payload to be delivered and on MISS no new cache entry is created. +# +# When set to 'off' and if the request is cacheable, Squid will +# remove the clients If-Modified-Since and If-None-Match headers from +# the request sent to the server. This requests a 200 status response +# from the server to create a new cache entry with. +#Default: +# cache_miss_revalidate on + # TAG: always_direct # Usage: always_direct allow|deny [!]aclname ... # @@ -4776,7 +6778,7 @@ refresh_pattern . 0 20% 4320 # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Prevent any cache_peer being used for this request. # TAG: never_direct # Usage: never_direct allow|deny [!]aclname ... @@ -4805,37 +6807,52 @@ refresh_pattern . 0 20% 4320 # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow DNS results to be used for this request. # ADVANCED NETWORKING OPTIONS # ----------------------------------------------------------------------------- -# TAG: incoming_icp_average +# TAG: incoming_udp_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: -# incoming_icp_average 6 +# incoming_udp_average 6 -# TAG: incoming_http_average +# TAG: incoming_tcp_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: -# incoming_http_average 4 +# incoming_tcp_average 4 # TAG: incoming_dns_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: # incoming_dns_average 4 -# TAG: min_icp_poll_cnt +# TAG: min_udp_poll_cnt +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: -# min_icp_poll_cnt 8 +# min_udp_poll_cnt 8 # TAG: min_dns_poll_cnt +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: # min_dns_poll_cnt 8 -# TAG: min_http_poll_cnt +# TAG: min_tcp_poll_cnt # Heavy voodoo here. I can't even believe you are reading this. # Are you crazy? Don't even think about adjusting these unless # you understand the algorithms in comm_select.c first! #Default: -# min_http_poll_cnt 8 +# min_tcp_poll_cnt 8 # TAG: accept_filter # FreeBSD: @@ -4880,14 +6897,14 @@ refresh_pattern . 0 20% 4320 # WARNING: This may noticably slow down traffic received via external proxies # or NAT devices and cause them to rebound error messages back to their clients. #Default: -# client_ip_max_connections -1 +# No limit. # TAG: tcp_recv_bufsize (bytes) # Size of receive buffer to set for TCP sockets. Probably just -# as easy to change your kernel's default. Set to zero to use -# the default buffer size. +# as easy to change your kernel's default. +# Omit from squid.conf to use the default buffer size. #Default: -# tcp_recv_bufsize 0 bytes +# Use operating system TCP defaults. # ICAP OPTIONS # ----------------------------------------------------------------------------- @@ -4913,22 +6930,36 @@ refresh_pattern . 0 20% 4320 # an established, active ICAP connection before giving up and # either terminating the HTTP transaction or bypassing the # failure. -# -# The default is read_timeout. #Default: -# none +# Use read_timeout. -# TAG: icap_service_failure_limit +# TAG: icap_service_failure_limit limit [in memory-depth time-units] # The limit specifies the number of failures that Squid tolerates # when establishing a new TCP connection with an ICAP service. If # the number of failures exceeds the limit, the ICAP service is # not used for new ICAP requests until it is time to refresh its -# OPTIONS. The per-service failure counter is reset to zero each -# time Squid fetches new service OPTIONS. +# OPTIONS. # # A negative value disables the limit. Without the limit, an ICAP # service will not be considered down due to connectivity failures # between ICAP OPTIONS requests. +# +# Squid forgets ICAP service failures older than the specified +# value of memory-depth. The memory fading algorithm +# is approximate because Squid does not remember individual +# errors but groups them instead, splitting the option +# value into ten time slots of equal length. +# +# When memory-depth is 0 and by default this option has no +# effect on service failure expiration. +# +# Squid always forgets failures when updating service settings +# using an ICAP OPTIONS transaction, regardless of this option +# setting. +# +# For example, +# # suspend service usage after 10 failures in 5 seconds: +# icap_service_failure_limit 10 in 5 seconds #Default: # icap_service_failure_limit 10 @@ -4962,10 +6993,26 @@ refresh_pattern . 0 20% 4320 # TAG: icap_preview_size # The default size of preview data to be sent to the ICAP server. -# -1 means no preview. This value might be overwritten on a per server -# basis by OPTIONS requests. +# This value might be overwritten on a per server basis by OPTIONS requests. +#Default: +# No preview sent. + +# TAG: icap_206_enable on|off +# 206 (Partial Content) responses is an ICAP extension that allows the +# ICAP agents to optionally combine adapted and original HTTP message +# content. The decision to combine is postponed until the end of the +# ICAP response. Squid supports Partial Content extension by default. +# +# Activation of the Partial Content extension is negotiated with each +# ICAP service during OPTIONS exchange. Most ICAP servers should handle +# negotation correctly even if they do not support the extension, but +# some might fail. To disable Partial Content support for all ICAP +# services and to avoid any negotiation, set this option to "off". +# +# Example: +# icap_206_enable off #Default: -# icap_preview_size -1 +# icap_206_enable on # TAG: icap_default_options_ttl # The default TTL value for ICAP OPTIONS responses that don't have @@ -4979,25 +7026,27 @@ refresh_pattern . 0 20% 4320 #Default: # icap_persistent_connections on -# TAG: icap_send_client_ip on|off +# TAG: adaptation_send_client_ip on|off # If enabled, Squid shares HTTP client IP information with adaptation # services. For ICAP, Squid adds the X-Client-IP header to ICAP requests. # For eCAP, Squid sets the libecap::metaClientIp transaction option. # # See also: adaptation_uses_indirect_client #Default: -# icap_send_client_ip off +# adaptation_send_client_ip off -# TAG: icap_send_client_username on|off +# TAG: adaptation_send_username on|off # This sends authenticated HTTP client username (if available) to -# the ICAP service. The username value is encoded based on the +# the adaptation service. +# +# For ICAP, the username value is encoded based on the # icap_client_username_encode option and is sent using the header # specified by the icap_client_username_header option. #Default: -# icap_send_client_username off +# adaptation_send_username off # TAG: icap_client_username_header -# ICAP request header name to use for send_client_username. +# ICAP request header name to use for adaptation_send_username. #Default: # icap_client_username_header X-Client-Username @@ -5009,17 +7058,19 @@ refresh_pattern . 0 20% 4320 # TAG: icap_service # Defines a single ICAP service using the following format: # -# icap_service service_name vectoring_point [options] service_url +# icap_service id vectoring_point uri [option ...] # -# service_name: ID -# an opaque identifier which must be unique in squid.conf +# id: ID +# an opaque identifier or name which is used to direct traffic to +# this specific service. Must be unique among all adaptation +# services in squid.conf. # # vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache # This specifies at which point of transaction processing the # ICAP service should be activated. *_postcache vectoring points # are not yet supported. # -# service_url: icap://servername:port/servicepath +# uri: icap://servername:port/servicepath # ICAP server and service location. # # ICAP does not allow a single service to handle both REQMOD and RESPMOD @@ -5028,6 +7079,8 @@ refresh_pattern . 0 20% 4320 # can even specify multiple identical services as long as their # service_names differ. # +# To activate a service, use the adaptation_access directive. To group +# services, use adaptation_service_chain and adaptation_service_set. # # Service options are separated by white space. ICAP services support # the following name=value options: @@ -5049,11 +7102,12 @@ refresh_pattern . 0 20% 4320 # returning a chain of services to be used next. The services # are specified using the X-Next-Services ICAP response header # value, formatted as a comma-separated list of service names. -# Each named service should be configured in squid.conf and -# should have the same method and vectoring point as the current -# ICAP transaction. Services violating these rules are ignored. -# An empty X-Next-Services value results in an empty plan which -# ends the current adaptation. +# Each named service should be configured in squid.conf. Other +# services are ignored. An empty X-Next-Services value results +# in an empty plan which ends the current adaptation. +# +# Dynamic adaptation plan may cross or cover multiple supported +# vectoring points in their natural processing order. # # Routing is not allowed by default: the ICAP X-Next-Services # response header is ignored. @@ -5063,12 +7117,32 @@ refresh_pattern . 0 20% 4320 # is to use IPv4-only connections. When set to 'on' this option will # make Squid use IPv6-only connections to contact this ICAP service. # +# on-overload=block|bypass|wait|force +# If the service Max-Connections limit has been reached, do +# one of the following for each new ICAP transaction: +# * block: send an HTTP error response to the client +# * bypass: ignore the "over-connected" ICAP service +# * wait: wait (in a FIFO queue) for an ICAP connection slot +# * force: proceed, ignoring the Max-Connections limit +# +# In SMP mode with N workers, each worker assumes the service +# connection limit is Max-Connections/N, even though not all +# workers may use a given service. +# +# The default value is "bypass" if service is bypassable, +# otherwise it is set to "wait". +# +# +# max-conn=number +# Use the given number as the Max-Connections limit, regardless +# of the Max-Connections value given by the service, if any. +# # Older icap_service format without optional named parameters is # deprecated but supported for backward compatibility. # #Example: -#icap_service svcBlocker reqmod_precache bypass=0 icap://icap1.mydomain.net:1344/reqmod -#icap_service svcLogger reqmod_precache routing=on icap://icap2.mydomain.net:1344/respmod +#icap_service svcBlocker reqmod_precache icap://icap1.mydomain.net:1344/reqmod bypass=0 +#icap_service svcLogger reqmod_precache icap://icap2.mydomain.net:1344/respmod routing=on #Default: # none @@ -5094,38 +7168,65 @@ refresh_pattern . 0 20% 4320 # ----------------------------------------------------------------------------- # TAG: ecap_enable on|off -# Note: This option is only available if Squid is rebuilt with the -# --enable-ecap option -# # Controls whether eCAP support is enabled. #Default: # ecap_enable off # TAG: ecap_service -# Note: This option is only available if Squid is rebuilt with the -# --enable-ecap option -# # Defines a single eCAP service # -# ecap_service servicename vectoring_point bypass service_url +# ecap_service id vectoring_point uri [option ...] # -# vectoring_point = reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache +# id: ID +# an opaque identifier or name which is used to direct traffic to +# this specific service. Must be unique among all adaptation +# services in squid.conf. +# +# vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache # This specifies at which point of transaction processing the # eCAP service should be activated. *_postcache vectoring points # are not yet supported. -# bypass = 1|0 -# If set to 1, the eCAP service is treated as optional. If the -# service cannot be reached or malfunctions, Squid will try to -# ignore any errors and process the message as if the service +# +# uri: ecap://vendor/service_name?custom&cgi=style¶meters=optional +# Squid uses the eCAP service URI to match this configuration +# line with one of the dynamically loaded services. Each loaded +# eCAP service must have a unique URI. Obtain the right URI from +# the service provider. +# +# To activate a service, use the adaptation_access directive. To group +# services, use adaptation_service_chain and adaptation_service_set. +# +# Service options are separated by white space. eCAP services support +# the following name=value options: +# +# bypass=on|off|1|0 +# If set to 'on' or '1', the eCAP service is treated as optional. +# If the service cannot be reached or malfunctions, Squid will try +# to ignore any errors and process the message as if the service # was not enabled. No all eCAP errors can be bypassed. -# If set to 0, the eCAP service is treated as essential and all -# eCAP errors will result in an error page returned to the +# If set to 'off' or '0', the eCAP service is treated as essential +# and all eCAP errors will result in an error page returned to the # HTTP client. -# service_url = ecap://vendor/service_name?custom&cgi=style¶meters=optional +# +# Bypass is off by default: services are treated as essential. +# +# routing=on|off|1|0 +# If set to 'on' or '1', the eCAP service is allowed to +# dynamically change the current message adaptation plan by +# returning a chain of services to be used next. +# +# Dynamic adaptation plan may cross or cover multiple supported +# vectoring points in their natural processing order. +# +# Routing is not allowed by default. +# +# Older ecap_service format without optional named parameters is +# deprecated but supported for backward compatibility. +# # #Example: -#ecap_service service_1 reqmod_precache 0 ecap://filters-R-us/leakDetector?on_error=block -#ecap_service service_2 respmod_precache 1 icap://filters-R-us/virusFilter?config=/etc/vf.cfg +#ecap_service s1 reqmod_precache ecap://filters.R.us/leakDetector?on_error=block bypass=off +#ecap_service s2 respmod_precache ecap://filters.R.us/virusFilter config=/etc/vf.cfg bypass=on #Default: # none @@ -5247,7 +7348,7 @@ refresh_pattern . 0 20% 4320 #Example: #adaptation_access service_1 allow all #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: adaptation_service_iteration_limit # Limits the number of iterations allowed when applying adaptation @@ -5275,8 +7376,14 @@ refresh_pattern . 0 20% 4320 # # An ICAP REQMOD or RESPMOD transaction may set an entry in the # shared table by returning an ICAP header field with a name -# specified in adaptation_masterx_shared_names. Squid will store -# and forward that ICAP header field to subsequent ICAP +# specified in adaptation_masterx_shared_names. +# +# An eCAP REQMOD or RESPMOD transaction may set an entry in the +# shared table by implementing the libecap::visitEachOption() API +# to provide an option with a name specified in +# adaptation_masterx_shared_names. +# +# Squid will store and forward the set entry to subsequent adaptation # transactions within the same master transaction scope. # # Only one shared entry name is supported at this time. @@ -5287,6 +7394,43 @@ refresh_pattern . 0 20% 4320 #Default: # none +# TAG: adaptation_meta +# This option allows Squid administrator to add custom ICAP request +# headers or eCAP options to Squid ICAP requests or eCAP transactions. +# Use it to pass custom authentication tokens and other +# transaction-state related meta information to an ICAP/eCAP service. +# +# The addition of a meta header is ACL-driven: +# adaptation_meta name value [!]aclname ... +# +# Processing for a given header name stops after the first ACL list match. +# Thus, it is impossible to add two headers with the same name. If no ACL +# lists match for a given header name, no such header is added. For +# example: +# +# # do not debug transactions except for those that need debugging +# adaptation_meta X-Debug 1 needs_debugging +# +# # log all transactions except for those that must remain secret +# adaptation_meta X-Log 1 !keep_secret +# +# # mark transactions from users in the "G 1" group +# adaptation_meta X-Authenticated-Groups "G 1" authed_as_G1 +# +# The "value" parameter may be a regular squid.conf token or a "double +# quoted string". Within the quoted string, use backslash (\) to escape +# any character, which is currently only useful for escaping backslashes +# and double quotes. For example, +# "this string has one backslash (\\) and two \"quotes\"" +# +# Used adaptation_meta header values may be logged via %note +# logformat code. If multiple adaptation_meta headers with the same name +# are used during master transaction lifetime, the header values are +# logged in the order they were used and duplicate values are ignored +# (only the first repeated value will be logged). +#Default: +# none + # TAG: icap_retry # This ACL determines which retriable ICAP transactions are # retried. Transactions that received a complete ICAP response @@ -5303,8 +7447,7 @@ refresh_pattern . 0 20% 4320 # icap_retry deny all # TAG: icap_retry_limit -# Limits the number of retries allowed. When set to zero (default), -# no retries are allowed. +# Limits the number of retries allowed. # # Communication errors due to persistent connection race # conditions are unavoidable, automatically retried, and do not @@ -5312,7 +7455,7 @@ refresh_pattern . 0 20% 4320 # # See also: icap_retry #Default: -# icap_retry_limit 0 +# No retries are allowed. # DNS OPTIONS # ----------------------------------------------------------------------------- @@ -5332,31 +7475,9 @@ refresh_pattern . 0 20% 4320 #Default: # allow_underscore on -# TAG: cache_dns_program -# Note: This option is only available if Squid is rebuilt with the -# --disable-internal-dns option -# -# Specify the location of the executable for dnslookup process. -#Default: -# cache_dns_program /usr/lib/squid/dnsserver - -# TAG: dns_children -# Note: This option is only available if Squid is rebuilt with the -# --disable-internal-dns option -# -# The number of processes spawn to service DNS name lookups. -# For heavily loaded caches on large servers, you should -# probably increase this value to at least 10. The maximum -# is 32. The default is 5. -# -# You must have at least one dnsserver process. -#Default: -# dns_children 5 - # TAG: dns_retransmit_interval # Initial retransmit interval for DNS queries. The interval is # doubled each time all configured DNS servers have been tried. -# #Default: # dns_retransmit_interval 5 seconds @@ -5365,7 +7486,31 @@ refresh_pattern . 0 20% 4320 # within this time all DNS servers for the queried domain # are assumed to be unavailable. #Default: -# dns_timeout 2 minutes +# dns_timeout 30 seconds + +# TAG: dns_packet_max +# Maximum number of bytes packet size to advertise via EDNS. +# Set to "none" to disable EDNS large packet support. +# +# For legacy reasons DNS UDP replies will default to 512 bytes which +# is too small for many responses. EDNS provides a means for Squid to +# negotiate receiving larger responses back immediately without having +# to failover with repeat requests. Responses larger than this limit +# will retain the old behaviour of failover to TCP DNS. +# +# Squid has no real fixed limit internally, but allowing packet sizes +# over 1500 bytes requires network jumbogram support and is usually not +# necessary. +# +# WARNING: The RFC also indicates that some older resolvers will reply +# with failure of the whole request if the extension is added. Some +# resolvers have already been identified which will reply with mangled +# EDNS response on occasion. Usually in response to many-KB jumbogram +# sizes being advertised by Squid. +# Squid will currently treat these both as an unable-to-resolve domain +# even if it would be resolvable without EDNS. +#Default: +# EDNS disabled # TAG: dns_defnames on|off # Normally the RES_DEFNAMES resolver option is disabled @@ -5373,12 +7518,21 @@ refresh_pattern . 0 20% 4320 # from interpreting single-component hostnames locally. To allow # Squid to handle single-component names, enable this option. #Default: -# dns_defnames off +# Search for single-label domain names is disabled. + +# TAG: dns_multicast_local on|off +# When set to on, Squid sends multicast DNS lookups on the local +# network for domains ending in .local and .arpa. +# This enables local servers and devices to be contacted in an +# ad-hoc or zero-configuration network environment. +#Default: +# Search for .local and .arpa names is disabled. # TAG: dns_nameservers # Use this if you want to specify a list of DNS name servers # (IP addresses) to use instead of those given in your # /etc/resolv.conf file. +# # On Windows platforms, if no value is specified here or in # the /etc/resolv.conf file, the list of DNS name servers are # taken from the Windows registry, both static and dynamic DHCP @@ -5386,7 +7540,7 @@ refresh_pattern . 0 20% 4320 # # Example: dns_nameservers 10.0.0.1 192.172.0.4 #Default: -# none +# Use operating system definitions # TAG: hosts_file # Location of the host-local IP name-address associations @@ -5425,7 +7579,7 @@ refresh_pattern . 0 20% 4320 #Example: # append_domain .yourdomain.com #Default: -# none +# Use operating system definitions # TAG: ignore_unknown_nameservers # By default Squid checks that DNS responses are received @@ -5436,23 +7590,6 @@ refresh_pattern . 0 20% 4320 #Default: # ignore_unknown_nameservers on -# TAG: dns_v4_fallback -# Standard practice with DNS is to lookup either A or AAAA records -# and use the results if it succeeds. Only looking up the other if -# the first attempt fails or otherwise produces no results. -# -# That policy however will cause squid to produce error pages for some -# servers that advertise AAAA but are unreachable over IPv6. -# -# If this is ON squid will always lookup both AAAA and A, using both. -# If this is OFF squid will lookup AAAA and only try A if none found. -# -# WARNING: There are some possibly unwanted side-effects with this on: -# *) Doubles the load placed by squid on the DNS network. -# *) May negatively impact connection delay times. -#Default: -# dns_v4_fallback on - # TAG: dns_v4_first # With the IPv6 Internet being as fast or faster than IPv4 Internet # for most networks Squid prefers to contact websites over IPv6. @@ -5464,11 +7601,12 @@ refresh_pattern . 0 20% 4320 # WARNING: # This option will restrict the situations under which IPv6 # connectivity is used (and tested), potentially hiding network -# problem swhich would otherwise be detected and warned about. +# problems which would otherwise be detected and warned about. #Default: # dns_v4_first off # TAG: ipcache_size (number of entries) +# Maximum number of DNS IP cache entries. #Default: # ipcache_size 1024 @@ -5489,6 +7627,15 @@ refresh_pattern . 0 20% 4320 # MISCELLANEOUS # ----------------------------------------------------------------------------- +# TAG: configuration_includes_quoted_values on|off +# If set, Squid will recognize each "quoted string" after a configuration +# directive as a single parameter. The quotes are stripped before the +# parameter value is interpreted or used. +# See "Values with spaces, quotes, and other special characters" +# section for more details. +#Default: +# configuration_includes_quoted_values off + # TAG: memory_pools on|off # If set, Squid will keep pools of allocated (but unused) memory # available for future use. If memory is a premium on your @@ -5539,7 +7686,7 @@ refresh_pattern . 0 20% 4320 # X-Forwarded-For header. # # If set to "truncate", Squid will remove all existing -# X-Forwarded-For entries, and place itself as the sole entry. +# X-Forwarded-For entries, and place the client IP as the sole entry. #Default: # forwarded_for on @@ -5602,7 +7749,7 @@ refresh_pattern . 0 20% 4320 # cachemgr_passwd lesssssssecret info stats/objects # cachemgr_passwd disable all #Default: -# none +# No password. Actions which require password are denied. # TAG: client_db on|off # If you want to disable collecting per-client statistics, @@ -5633,19 +7780,22 @@ refresh_pattern . 0 20% 4320 #Default: # reload_into_ims off -# TAG: maximum_single_addr_tries -# This sets the maximum number of connection attempts for a -# host that only has one address (for multiple-address hosts, -# each address is tried once). +# TAG: connect_retries +# This sets the maximum number of connection attempts made for each +# TCP connection. The connect_retries attempts must all still +# complete within the connection timeout period. +# +# The default is not to re-try if the first connection attempt fails. +# The (not recommended) maximum is 10 tries. # -# The default value is one attempt, the (not recommended) -# maximum is 255 tries. A warning message will be generated -# if it is set to a value greater than ten. +# A warning message will be generated if it is set to a too-high +# value and the configured value will be over-ridden. # -# Note: This is in addition to the request re-forwarding which -# takes place if Squid fails to get a satisfying response. +# Note: These re-tries are in addition to forward_max_tries +# which limit how many different addresses may be tried to find +# a useful server. #Default: -# maximum_single_addr_tries 1 +# Do not retry failed connections. # TAG: retry_on_error # If set to ON Squid will automatically retry requests when @@ -5678,20 +7828,32 @@ refresh_pattern . 0 20% 4320 # URI. Options: # # strip: The whitespace characters are stripped out of the URL. -# This is the behavior recommended by RFC2396. +# This is the behavior recommended by RFC2396 and RFC3986 +# for tolerant handling of generic URI. +# NOTE: This is one difference between generic URI and HTTP URLs. +# # deny: The request is denied. The user receives an "Invalid # Request" message. +# This is the behaviour recommended by RFC2616 for safe +# handling of HTTP request URL. +# # allow: The request is allowed and the URI is not changed. The # whitespace characters remain in the URI. Note the # whitespace is passed to redirector processes if they # are in use. +# Note this may be considered a violation of RFC2616 +# request parsing where whitespace is prohibited in the +# URL field. +# # encode: The request is allowed and the whitespace characters are -# encoded according to RFC1738. This could be considered -# a violation of the HTTP/1.1 -# RFC because proxies are not allowed to rewrite URI's. +# encoded according to RFC1738. +# # chop: The request is allowed and the URI is chopped at the -# first whitespace. This might also be considered a -# violation. +# first whitespace. +# +# +# NOTE the current Squid implementation of encode and chop violates +# RFC2616 by not using a 301 redirect after altering the URL. #Default: # uri_whitespace strip @@ -5718,23 +7880,28 @@ refresh_pattern . 0 20% 4320 # balance_on_multiple_ip off # TAG: pipeline_prefetch -# To boost the performance of pipelined requests to closer -# match that of a non-proxied environment Squid can try to fetch -# up to two requests in parallel from a pipeline. -# -# Defaults to off for bandwidth management and access logging +# HTTP clients may send a pipeline of 1+N requests to Squid using a +# single connection, without waiting for Squid to respond to the first +# of those requests. This option limits the number of concurrent +# requests Squid will try to handle in parallel. If set to N, Squid +# will try to receive and process up to 1+N requests on the same +# connection concurrently. +# +# Defaults to 0 (off) for bandwidth management and access logging # reasons. # +# NOTE: pipelining requires persistent connections to clients. +# # WARNING: pipelining breaks NTLM and Negotiate/Kerberos authentication. #Default: -# pipeline_prefetch off +# Do not pre-parse pipelined requests. # TAG: high_response_time_warning (msec) # If the one-minute median response time exceeds this value, # Squid prints a WARNING with debug level 0 to get the # administrators attention. The value is in milliseconds. #Default: -# high_response_time_warning 0 +# disabled. # TAG: high_page_fault_warning # If the one-minute average page fault rate exceeds this @@ -5742,14 +7909,17 @@ refresh_pattern . 0 20% 4320 # the administrators attention. The value is in page faults # per second. #Default: -# high_page_fault_warning 0 +# disabled. # TAG: high_memory_warning -# If the memory usage (as determined by mallinfo) exceeds -# this amount, Squid prints a WARNING with debug level 0 to get +# Note: This option is only available if Squid is rebuilt with the +# GNU Malloc with mstats() +# +# If the memory usage (as determined by gnumalloc, if available and used) +# exceeds this amount, Squid prints a WARNING with debug level 0 to get # the administrators attention. #Default: -# high_memory_warning 0 KB +# disabled. # TAG: sleep_after_fork (microseconds) # When this is set to a non-zero value, the main Squid process @@ -5766,6 +7936,9 @@ refresh_pattern . 0 20% 4320 # sleep_after_fork 0 # TAG: windows_ipaddrchangemonitor on|off +# Note: This option is only available if Squid is rebuilt with the +# MS Windows +# # On Windows Squid by default will monitor IP address changes and will # reconfigure itself after any detected event. This is very useful for # proxies connected to internet with dial-up interfaces. @@ -5775,13 +7948,19 @@ refresh_pattern . 0 20% 4320 #Default: # windows_ipaddrchangemonitor on +# TAG: eui_lookup +# Whether to lookup the EUI or MAC address of a connected client. +#Default: +# eui_lookup on + # TAG: max_filedescriptors -# The maximum number of filedescriptors supported. +# Reduce the maximum number of filedescriptors supported below +# the usual operating system defaults. # -# The default "0" means Squid inherits the current ulimit setting. +# Remove from squid.conf to inherit the current ulimit setting. # # Note: Changing this requires a restart of Squid. Also -# not all comm loops supports large values. +# not all I/O types supports large values (eg on Windows). #Default: -# max_filedescriptors 0 +# Use operating system limits set by ulimit. diff --git a/hosts/profitbricks-build3-amd64/etc/squid/squid.conf b/hosts/profitbricks-build3-amd64/etc/squid/squid.conf index 34be0ec5..ad1cdc47 100644 --- a/hosts/profitbricks-build3-amd64/etc/squid/squid.conf +++ b/hosts/profitbricks-build3-amd64/etc/squid/squid.conf @@ -1,4 +1,4 @@ -# WELCOME TO SQUID 3.1.20 +# WELCOME TO SQUID 3.5.23 # ---------------------------- # # This is the documentation for the Squid configuration file. @@ -32,6 +32,188 @@ # This arbitrary restriction is to prevent recursive include references # from causing Squid entering an infinite loop whilst trying to load # configuration files. +# +# Values with byte units +# +# Squid accepts size units on some size related directives. All +# such directives are documented with a default value displaying +# a unit. +# +# Units accepted by Squid are: +# bytes - byte +# KB - Kilobyte (1024 bytes) +# MB - Megabyte +# GB - Gigabyte +# +# Values with spaces, quotes, and other special characters +# +# Squid supports directive parameters with spaces, quotes, and other +# special characters. Surround such parameters with "double quotes". Use +# the configuration_includes_quoted_values directive to enable or +# disable that support. +# +# Squid supports reading configuration option parameters from external +# files using the syntax: +# parameters("/path/filename") +# For example: +# acl whitelist dstdomain parameters("/etc/squid/whitelist.txt") +# +# Conditional configuration +# +# If-statements can be used to make configuration directives +# depend on conditions: +# +# if +# ... regular configuration directives ... +# [else +# ... regular configuration directives ...] +# endif +# +# The else part is optional. The keywords "if", "else", and "endif" +# must be typed on their own lines, as if they were regular +# configuration directives. +# +# NOTE: An else-if condition is not supported. +# +# These individual conditions types are supported: +# +# true +# Always evaluates to true. +# false +# Always evaluates to false. +# = +# Equality comparison of two integer numbers. +# +# +# SMP-Related Macros +# +# The following SMP-related preprocessor macros can be used. +# +# ${process_name} expands to the current Squid process "name" +# (e.g., squid1, squid2, or cache1). +# +# ${process_number} expands to the current Squid process +# identifier, which is an integer number (e.g., 1, 2, 3) unique +# across all Squid processes of the current service instance. +# +# ${service_name} expands into the current Squid service instance +# name identifier which is provided by -n on the command line. +# + +# TAG: broken_vary_encoding +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: cache_vary +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: error_map +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: external_refresh_check +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: location_rewrite_program +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: refresh_stale_hit +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: hierarchy_stoplist +# Remove this line. Use always_direct or cache_peer_access ACLs instead if you need to prevent cache_peer use. +#Default: +# none + +# TAG: log_access +# Remove this line. Use acls with access_log directives to control access logging +#Default: +# none + +# TAG: log_icap +# Remove this line. Use acls with icap_log directives to control icap logging +#Default: +# none + +# TAG: ignore_ims_on_miss +# Remove this line. The HTTP/1.1 feature is now configured by 'cache_miss_revalidate'. +#Default: +# none + +# TAG: chunked_request_body_max_size +# Remove this line. Squid is now HTTP/1.1 compliant. +#Default: +# none + +# TAG: dns_v4_fallback +# Remove this line. Squid performs a 'Happy Eyeballs' algorithm, the 'fallback' algorithm is no longer relevant. +#Default: +# none + +# TAG: emulate_httpd_log +# Replace this with an access_log directive using the format 'common' or 'combined'. +#Default: +# none + +# TAG: forward_log +# Use a regular access.log with ACL limiting it to MISS events. +#Default: +# none + +# TAG: ftp_list_width +# Remove this line. Configure FTP page display using the CSS controls in errorpages.css instead. +#Default: +# none + +# TAG: ignore_expect_100 +# Remove this line. The HTTP/1.1 feature is now fully supported by default. +#Default: +# none + +# TAG: log_fqdn +# Remove this option from your config. To log FQDN use %>A in the log format. +#Default: +# none + +# TAG: log_ip_on_direct +# Remove this option from your config. To log server or peer names use % -##auth_param negotiate children 5 +##auth_param negotiate children 20 startup=0 idle=1 ##auth_param negotiate keep_alive on ## -##auth_param ntlm program -##auth_param ntlm children 5 -##auth_param ntlm keep_alive on -## -##auth_param digest program -##auth_param digest children 5 +##auth_param digest program +##auth_param digest children 20 startup=0 idle=1 ##auth_param digest realm Squid proxy-caching web server ##auth_param digest nonce_garbage_interval 5 minutes ##auth_param digest nonce_max_duration 30 minutes ##auth_param digest nonce_max_count 50 ## +##auth_param ntlm program +##auth_param ntlm children 20 startup=0 idle=1 +##auth_param ntlm keep_alive on +## ##auth_param basic program -##auth_param basic children 5 +##auth_param basic children 5 startup=5 idle=1 ##auth_param basic realm Squid proxy-caching web server ##auth_param basic credentialsttl 2 hours #Default: @@ -343,7 +448,7 @@ # TAG: authenticate_cache_garbage_interval # The time period between garbage collection across the username cache. -# This is a tradeoff between memory utilization (long intervals - say +# This is a trade-off between memory utilization (long intervals - say # 2 days) and CPU (short intervals - say 1 minute). Only change if you # have good reason to. #Default: @@ -362,11 +467,11 @@ # this directive controls how long Squid remembers the IP # addresses associated with each user. Use a small value # (e.g., 60 seconds) if your users might change addresses -# quickly, as is the case with dialups. You might be safe +# quickly, as is the case with dialup. You might be safe # using a larger value (e.g., 2 hours) in a corporate LAN # environment with relatively static address assignments. #Default: -# authenticate_ip_ttl 0 seconds +# authenticate_ip_ttl 1 second # ACCESS CONTROLS # ----------------------------------------------------------------------------- @@ -381,31 +486,66 @@ # # ttl=n TTL in seconds for cached results (defaults to 3600 # for 1 hour) +# # negative_ttl=n # TTL for cached negative lookups (default same # as ttl) -# children=n Number of acl helper processes spawn to service +# +# grace=n Percentage remaining of TTL where a refresh of a +# cached entry should be initiated without needing to +# wait for a new reply. (default is for no grace period) +# +# cache=n The maximum number of entries in the result cache. The +# default limit is 262144 entries. Each cache entry usually +# consumes at least 256 bytes. Squid currently does not remove +# expired cache entries until the limit is reached, so a proxy +# will sooner or later reach the limit. The expanded FORMAT +# value is used as the cache key, so if the details in FORMAT +# are highly variable, a larger cache may be needed to produce +# reduction in helper load. +# +# children-max=n +# Maximum number of acl helper processes spawned to service # external acl lookups of this type. (default 5) +# +# children-startup=n +# Minimum number of acl helper processes to spawn during +# startup and reconfigure to service external acl lookups +# of this type. (default 0) +# +# children-idle=n +# Number of acl helper processes to keep ahead of traffic +# loads. Squid will spawn this many at once whenever load +# rises above the capabilities of existing processes. +# Up to the value of children-max. (default 1) +# # concurrency=n concurrency level per process. Only used with helpers # capable of processing more than one query at a time. -# cache=n result cache size, 0 is unbounded (default) -# grace=n Percentage remaining of TTL where a refresh of a -# cached entry should be initiated without needing to -# wait for a new reply. (default 0 for no grace period) -# protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers +# +# protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers. +# # ipv4 / ipv6 IP protocol used to communicate with this helper. # The default is to auto-detect IPv6 and use it when available. # +# # FORMAT specifications # # %LOGIN Authenticated user login name -# %EXT_USER Username from external acl +# %un A user name. Expands to the first available name +# from the following list of information sources: +# - authenticated user name, like %ul or %LOGIN +# - user name sent by an external ACL, like %EXT_USER +# - SSL client name, like %us in logformat +# - ident user name, like %ui in logformat +# %EXT_USER Username from previous external acl +# %EXT_LOG Log details from previous external acl +# %EXT_TAG Tag from previous external acl # %IDENT Ident user name # %SRC Client IP # %SRCPORT Client source port # %URI Requested URI # %DST Requested host -# %PROTO Requested protocol +# %PROTO Requested URL scheme # %PORT Requested port # %PATH Requested URL path # %METHOD Request method @@ -415,7 +555,10 @@ # %USER_CERT SSL User certificate in PEM format # %USER_CERTCHAIN SSL User certificate chain in PEM format # %USER_CERT_xx SSL User certificate subject attribute xx -# %USER_CA_xx SSL User certificate issuer attribute xx +# %USER_CA_CERT_xx SSL User certificate issuer attribute xx +# %ssl::>sni SSL client SNI sent to Squid +# %ssl::{Header} HTTP request header "Header" # %>{Hdr:member} @@ -433,43 +576,101 @@ # list separator. ; can be any non-alphanumeric # character. # +# %ACL The name of the ACL being tested. +# %DATA The ACL arguments. If not used then any arguments +# is automatically added at the end of the line +# sent to the helper. +# NOTE: this will encode the arguments as one token, +# whereas the default will pass each separately. +# # %% The percent sign. Useful for helpers which need # an unchanging input format. # -# In addition to the above, any string specified in the referencing -# acl will also be included in the helper request line, after the -# specified formats (see the "acl external" directive) # -# The helper receives lines per the above format specification, -# and returns lines starting with OK or ERR indicating the validity -# of the request and optionally followed by additional keywords with -# more details. +# General request syntax: +# +# [channel-ID] FORMAT-values [acl-values ...] +# +# +# FORMAT-values consists of transaction details expanded with +# whitespace separation per the config file FORMAT specification +# using the FORMAT macros listed above. +# +# acl-values consists of any string specified in the referencing +# config 'acl ... external' line. see the "acl external" directive. +# +# Request values sent to the helper are URL escaped to protect +# each value in requests against whitespaces. +# +# If using protocol=2.5 then the request sent to the helper is not +# URL escaped to protect against whitespace. +# +# NOTE: protocol=3.0 is deprecated as no longer necessary. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# +# The helper receives lines expanded per the above format specification +# and for each input line returns 1 line starting with OK/ERR/BH result +# code and optionally followed by additional keywords with more details. +# # # General result syntax: # -# OK/ERR keyword=value ... +# [channel-ID] result keyword=value ... +# +# Result consists of one of the codes: +# +# OK +# the ACL test produced a match. +# +# ERR +# the ACL test does not produce a match. +# +# BH +# An internal error occurred in the helper, preventing +# a result being identified. +# +# The meaning of 'a match' is determined by your squid.conf +# access control configuration. See the Squid wiki for details. # # Defined keywords: # # user= The users name (login) +# # password= The users password (for login= cache_peer option) -# message= Message describing the reason. Available as %o -# in error pages -# tag= Apply a tag to a request (for both ERR and OK results) -# Only sets a tag, does not alter existing tags. +# +# message= Message describing the reason for this response. +# Available as %o in error pages. +# Useful on (ERR and BH results). +# +# tag= Apply a tag to a request. Only sets a tag once, +# does not alter existing tags. +# # log= String to be logged in access.log. Available as -# %ea in logformat specifications +# %ea in logformat specifications. # -# If protocol=3.0 (the default) then URL escaping is used to protect -# each value in both requests and responses. +# clt_conn_tag= Associates a TAG with the client TCP connection. +# Please see url_rewrite_program related documentation +# for this kv-pair. # -# If using protocol=2.5 then all values need to be enclosed in quotes -# if they may contain whitespace, or the whitespace escaped using \. -# And quotes or \ characters within the keyword value must be \ escaped. +# Any keywords may be sent on any response whether OK, ERR or BH. # -# When using the concurrency= option the protocol is changed by -# introducing a query channel tag infront of the request/response. -# The query channel tag is a number between 0 and concurrency-1. +# All response keyword values need to be a single token with URL +# escaping, or enclosed in double quotes (") and escaped using \ on +# any double quotes or \ characters within the value. The wrapping +# double quotes are removed before the value is interpreted by Squid. +# \r and \n are also replace by CR and LF. +# +# Some example key values: +# +# user=John%20Smith +# user="John Smith" +# user="J. \"Bob\" Smith" #Default: # none @@ -485,9 +686,23 @@ # # When using "file", the file should contain one item per line. # -# By default, regular expressions are CASE-SENSITIVE. -# To make them case-insensitive, use the -i option. To return case-sensitive -# use the +i option between patterns, or make a new ACL line without -i. +# Some acl types supports options which changes their default behaviour. +# The available options are: +# +# -i,+i By default, regular expressions are CASE-SENSITIVE. To make them +# case-insensitive, use the -i option. To return case-sensitive +# use the +i option between patterns, or make a new ACL line +# without -i. +# +# -n Disable lookups and address type conversions. If lookup or +# conversion is required because the parameter type (IP or +# domain name) does not match the message address type (domain +# name or IP), then the ACL would immediately declare a mismatch +# without any warnings or lookups. +# +# -- Used to stop processing all options, in the case the first acl +# value has '-' character as first character (for example the '-' +# is a valid domain name) # # Some acl types require suspending the current request in order # to access some external data source. @@ -498,29 +713,31 @@ # # ***** ACL TYPES AVAILABLE ***** # -# acl aclname src ip-address/netmask ... # clients IP address [fast] -# acl aclname src addr1-addr2/netmask ... # range of addresses [fast] -# acl aclname dst ip-address/netmask ... # URL host's IP address [slow] -# acl aclname myip ip-address/netmask ... # local socket IP address [fast] +# acl aclname src ip-address/mask ... # clients IP address [fast] +# acl aclname src addr1-addr2/mask ... # range of addresses [fast] +# acl aclname dst [-n] ip-address/mask ... # URL host's IP address [slow] +# acl aclname localip ip-address/mask ... # IP address the client connected to [fast] # # acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation) -# # The arp ACL requires the special configure option --enable-arp-acl. -# # Furthermore, the ARP ACL code is not portable to all operating systems. -# # It works on Linux, Solaris, Windows, FreeBSD, and some -# # other *BSD variants. # # [fast] +# # The 'arp' ACL code is not portable to all operating systems. +# # It works on Linux, Solaris, Windows, FreeBSD, and some other +# # BSD variants. +# # +# # NOTE: Squid can only determine the MAC/EUI address for IPv4 +# # clients that are on the same subnet. If the client is on a +# # different subnet, then Squid cannot find out its address. # # -# # NOTE: Squid can only determine the MAC address for clients that are on -# # the same subnet. If the client is on a different subnet, -# # then Squid cannot find out its MAC address. +# # NOTE 2: IPv6 protocol does not contain ARP. MAC/EUI is either +# # encoded directly in the IPv6 address or not available. # # acl aclname srcdomain .foo.com ... # # reverse lookup, from client IP [slow] -# acl aclname dstdomain .foo.com ... +# acl aclname dstdomain [-n] .foo.com ... # # Destination server from URL [fast] # acl aclname srcdom_regex [-i] \.foo\.com ... # # regex matching client name [slow] -# acl aclname dstdom_regex [-i] \.foo\.com ... +# acl aclname dstdom_regex [-n] [-i] \.foo\.com ... # # regex matching server [fast] # # # # For dstdomain and dstdom_regex a reverse lookup is tried if a IP @@ -557,13 +774,17 @@ # # acl aclname url_regex [-i] ^http:// ... # # regex matching on whole URL [fast] +# acl aclname urllogin [-i] [^a-zA-Z0-9] ... +# # regex matching on URL login field # acl aclname urlpath_regex [-i] \.gif$ ... # # regex matching on URL path [fast] # # acl aclname port 80 70 21 0-1024... # destination TCP port [fast] # # ranges are alloed -# acl aclname myport 3128 ... # local socket TCP port [fast] -# acl aclname myportname 3128 ... # http(s)_port name [fast] +# acl aclname localport 3128 ... # TCP port the client connected to [fast] +# # NP: for interception mode this is usually '80' +# +# acl aclname myportname 3128 ... # *_port name [fast] # # acl aclname proto HTTP FTP ... # request protocol [fast] # @@ -632,6 +853,11 @@ # # clients may appear to come from multiple addresses if they are # # going through proxy farms, so a limit of 1 may cause user problems. # +# acl aclname random probability +# # Pseudo-randomly match requests. Based on the probability given. +# # Probability may be written as a decimal (0.333), fraction (1/3) +# # or ratio of matches:non-matches (3:5). +# # acl aclname req_mime_type [-i] mime-type ... # # regex match against the mime type of the request generated # # by the client. Can be used to detect file upload or some @@ -663,11 +889,11 @@ # # acl aclname user_cert attribute values... # # match against attributes in a user SSL certificate -# # attribute is one of DN/C/O/CN/L/ST [fast] +# # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast] # # acl aclname ca_cert attribute values... # # match against attributes a users issuing CA SSL certificate -# # attribute is one of DN/C/O/CN/L/ST [fast] +# # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast] # # acl aclname ext_user username ... # acl aclname ext_user_regex [-i] pattern ... @@ -675,7 +901,59 @@ # # use REQUIRED to accept any non-null user name. # # acl aclname tag tagvalue ... -# # string match on tag returned by external acl helper [slow] +# # string match on tag returned by external acl helper [fast] +# # DEPRECATED. Only the first tag will match with this ACL. +# # Use the 'note' ACL instead for handling multiple tag values. +# +# acl aclname hier_code codename ... +# # string match against squid hierarchy code(s); [fast] +# # e.g., DIRECT, PARENT_HIT, NONE, etc. +# # +# # NOTE: This has no effect in http_access rules. It only has +# # effect in rules that affect the reply data stream such as +# # http_reply_access. +# +# acl aclname note name [value ...] +# # match transaction annotation [fast] +# # Without values, matches any annotation with a given name. +# # With value(s), matches any annotation with a given name that +# # also has one of the given values. +# # Names and values are compared using a string equality test. +# # Annotation sources include note and adaptation_meta directives +# # as well as helper and eCAP responses. +# +# acl aclname adaptation_service service ... +# # Matches the name of any icap_service, ecap_service, +# # adaptation_service_set, or adaptation_service_chain that Squid +# # has used (or attempted to use) for the master transaction. +# # This ACL must be defined after the corresponding adaptation +# # service is named in squid.conf. This ACL is usable with +# # adaptation_meta because it starts matching immediately after +# # the service has been selected for adaptation. +# +# acl aclname any-of acl1 acl2 ... +# # match any one of the acls [fast or slow] +# # The first matching ACL stops further ACL evaluation. +# # +# # ACLs from multiple any-of lines with the same name are ORed. +# # For example, A = (a1 or a2) or (a3 or a4) can be written as +# # acl A any-of a1 a2 +# # acl A any-of a3 a4 +# # +# # This group ACL is fast if all evaluated ACLs in the group are fast +# # and slow otherwise. +# +# acl aclname all-of acl1 acl2 ... +# # match all of the acls [fast or slow] +# # The first mismatching ACL stops further ACL evaluation. +# # +# # ACLs from multiple all-of lines with the same name are ORed. +# # For example, B = (b1 and b2) or (b3 and b4) can be written as +# # acl B all-of b1 b2 +# # acl B all-of b3 b4 +# # +# # This group ACL is fast if all evaluated ACLs in the group are fast +# # and slow otherwise. # # Examples: # acl macaddress arp 09:00:2b:23:45:67 @@ -685,14 +963,11 @@ # acl javascript rep_mime_type -i ^application/x-javascript$ # #Default: -# acl all src all +# ACLs all, manager, localhost, and to_localhost are predefined. # # # Recommended minimum configuration: -# (now built-in) -#acl manager proto cache_object -#acl localhost src 127.0.0.1/32 ::1 -#acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1 +# # Example rule allowing access from your local networks. # Adapt to list your (internal) IP networks from where browsing @@ -716,39 +991,83 @@ acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT +# TAG: proxy_protocol_access +# Determine which client proxies can be trusted to provide correct +# information regarding real client IP address using PROXY protocol. +# +# Requests may pass through a chain of several other proxies +# before reaching us. The original source details may by sent in: +# * HTTP message Forwarded header, or +# * HTTP message X-Forwarded-For header, or +# * PROXY protocol connection header. +# +# This directive is solely for validating new PROXY protocol +# connections received from a port flagged with require-proxy-header. +# It is checked only once after TCP connection setup. +# +# A deny match results in TCP connection closure. +# +# An allow match is required for Squid to permit the corresponding +# TCP connection, before Squid even looks for HTTP request headers. +# If there is an allow match, Squid starts using PROXY header information +# to determine the source address of the connection for all future ACL +# checks, logging, etc. +# +# SECURITY CONSIDERATIONS: +# +# Any host from which we accept client IP details can place +# incorrect information in the relevant header, and Squid +# will use the incorrect information as if it were the +# source address of the request. This may enable remote +# hosts to bypass any access control restrictions that are +# based on the client's source addresses. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# all TCP connections to ports with require-proxy-header will be denied + # TAG: follow_x_forwarded_for -# Allowing or Denying the X-Forwarded-For header to be followed to -# find the original source of a request. +# Determine which client proxies can be trusted to provide correct +# information regarding real client IP address. # # Requests may pass through a chain of several other proxies -# before reaching us. The X-Forwarded-For header will contain a -# comma-separated list of the IP addresses in the chain, with the -# rightmost address being the most recent. +# before reaching us. The original source details may by sent in: +# * HTTP message Forwarded header, or +# * HTTP message X-Forwarded-For header, or +# * PROXY protocol connection header. +# +# PROXY protocol connections are controlled by the proxy_protocol_access +# directive which is checked before this. # # If a request reaches us from a source that is allowed by this -# configuration item, then we consult the X-Forwarded-For header -# to see where that host received the request from. If the -# X-Forwarded-For header contains multiple addresses, we continue -# backtracking until we reach an address for which we are not allowed -# to follow the X-Forwarded-For header, or until we reach the first -# address in the list. For the purpose of ACL used in the -# follow_x_forwarded_for directive the src ACL type always matches -# the address we are testing and srcdomain matches its rDNS. +# directive, then we trust the information it provides regarding +# the IP of the client it received from (if any). +# +# For the purpose of ACLs used in this directive the src ACL type always +# matches the address we are testing and srcdomain matches its rDNS. +# +# On each HTTP request Squid checks for X-Forwarded-For header fields. +# If found the header values are iterated in reverse order and an allow +# match is required for Squid to continue on to the next value. +# The verification ends when a value receives a deny match, cannot be +# tested, or there are no more values to test. +# NOTE: Squid does not yet follow the Forwarded HTTP header. # # The end result of this process is an IP address that we will # refer to as the indirect client address. This address may # be treated as the client address for access control, ICAP, delay # pools and logging, depending on the acl_uses_indirect_client, -# icap_uses_indirect_client, delay_pool_uses_indirect_client and -# log_uses_indirect_client options. +# icap_uses_indirect_client, delay_pool_uses_indirect_client, +# log_uses_indirect_client and tproxy_uses_indirect_client options. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # # SECURITY CONSIDERATIONS: # -# Any host for which we follow the X-Forwarded-For header -# can place incorrect information in the header, and Squid +# Any host from which we accept client IP details can place +# incorrect information in the relevant header, and Squid # will use the incorrect information as if it were the # source address of the request. This may enable remote # hosts to bypass any access control restrictions that are @@ -761,7 +1080,7 @@ acl CONNECT method CONNECT # follow_x_forwarded_for allow localhost # follow_x_forwarded_for allow my_other_proxy #Default: -# follow_x_forwarded_for deny all +# X-Forwarded-For header will be ignored. # TAG: acl_uses_indirect_client on|off # Controls whether the indirect client address @@ -787,10 +1106,41 @@ acl CONNECT method CONNECT #Default: # log_uses_indirect_client on +# TAG: tproxy_uses_indirect_client on|off +# Controls whether the indirect client address +# (see follow_x_forwarded_for) is used instead of the +# direct client address when spoofing the outgoing client. +# +# This has no effect on requests arriving in non-tproxy +# mode ports. +# +# SECURITY WARNING: Usage of this option is dangerous +# and should not be used trivially. Correct configuration +# of follow_x_forwarded_for with a limited set of trusted +# sources is required to prevent abuse of your proxy. +#Default: +# tproxy_uses_indirect_client off + +# TAG: spoof_client_ip +# Control client IP address spoofing of TPROXY traffic based on +# defined access lists. +# +# spoof_client_ip allow|deny [!]aclname ... +# +# If there are no "spoof_client_ip" lines present, the default +# is to "allow" spoofing of any suitable request. +# +# Note that the cache_peer "no-tproxy" option overrides this ACL. +# +# This clause supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Allow spoofing on all TPROXY traffic. + # TAG: http_access # Allowing or Denying access based on defined access lists # -# Access to the HTTP port: +# To allow or deny a message received on an HTTP, HTTPS, or FTP port: # http_access allow|deny [!]aclname ... # # NOTE on default values: @@ -809,22 +1159,22 @@ acl CONNECT method CONNECT # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # #Default: -# http_access deny all +# Deny, unless rules exist in squid.conf. # # # Recommended minimum Access Permission configuration: # -# Only allow cachemgr access from localhost -http_access allow manager localhost -http_access deny manager - # Deny requests to certain unsafe ports http_access deny !Safe_ports # Deny CONNECT to other than secure SSL ports http_access deny CONNECT !SSL_ports +# Only allow cachemgr access from localhost +http_access allow localhost manager +http_access deny manager + # We strongly recommend the following be uncommented to protect innocent # web applications running on the proxy server who think the only # one who can access services on "localhost" is a local user @@ -852,7 +1202,7 @@ http_access deny all # # If not set then only http_access is used. #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: http_reply_access # Allow replies to client requests. This is complementary to http_access. @@ -860,7 +1210,7 @@ http_access deny all # http_reply_access allow|deny [!] aclname ... # # NOTE: if there are no access lines present, the default is to allow -# all replies +# all replies. # # If none of the access lines cause a match the opposite of the # last line will apply. Thus it is good practice to end the rules @@ -869,7 +1219,7 @@ http_access deny all # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: icp_access # Allowing or Denying access to the ICP port based on defined @@ -877,7 +1227,9 @@ http_access deny all # # icp_access allow|deny [!]aclname ... # -# See http_access for details +# NOTE: The default if no icp_access lines are present is to +# deny all traffic. This default may cause problems with peers +# using ICP. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. @@ -886,7 +1238,7 @@ http_access deny all ##icp_access allow localnet ##icp_access deny all #Default: -# icp_access deny all +# Deny, unless rules exist in squid.conf. # TAG: htcp_access # Allowing or Denying access to the HTCP port based on defined @@ -894,11 +1246,12 @@ http_access deny all # # htcp_access allow|deny [!]aclname ... # -# See http_access for details +# See also htcp_clr_access for details on access control for +# cache purge (CLR) HTCP messages. # # NOTE: The default if no htcp_access lines are present is to # deny all traffic. This default may cause problems with peers -# using the htcp or htcp-oldsquid options. +# using the htcp option. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. @@ -907,48 +1260,47 @@ http_access deny all ##htcp_access allow localnet ##htcp_access deny all #Default: -# htcp_access deny all +# Deny, unless rules exist in squid.conf. # TAG: htcp_clr_access # Allowing or Denying access to purge content using HTCP based -# on defined access lists +# on defined access lists. +# See htcp_access for details on general HTCP access control. # # htcp_clr_access allow|deny [!]aclname ... # -# See http_access for details -# # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # ## Allow HTCP CLR requests from trusted peers -#acl htcp_clr_peer src 172.16.1.2 +#acl htcp_clr_peer src 192.0.2.2 2001:DB8::2 #htcp_clr_access allow htcp_clr_peer +#htcp_clr_access deny all #Default: -# htcp_clr_access deny all +# Deny, unless rules exist in squid.conf. # TAG: miss_access -# Determins whether network access is permitted when satisfying a request. +# Determines whether network access is permitted when satisfying a request. # # For example; # to force your neighbors to use you as a sibling instead of # a parent. # -# acl localclients src 172.16.0.0/16 -# miss_access allow localclients +# acl localclients src 192.0.2.0/24 2001:DB8::a:0/64 # miss_access deny !localclients +# miss_access allow all # # This means only your local clients are allowed to fetch relayed/MISS # replies from the network and all other clients can only fetch cached # objects (HITs). # -# # The default for this setting allows all clients who passed the # http_access rules to relay via this proxy. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# miss_access allow all +# Allow, unless rules exist in squid.conf. # TAG: ident_lookup_access # A list of ACL elements which, if matched, cause an ident @@ -972,7 +1324,7 @@ http_access deny all # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# ident_lookup_access deny all +# Unless rules exist in squid.conf, IDENT is not fetched. # TAG: reply_body_max_size size [acl acl...] # This option specifies the maximum size of a reply body. It can be @@ -1009,23 +1361,22 @@ http_access deny all # reply_body_max_size 10 MB # #Default: -# none +# No limit is applied. # NETWORK OPTIONS # ----------------------------------------------------------------------------- # TAG: http_port -# Usage: port [options] -# hostname:port [options] -# 1.2.3.4:port [options] +# Usage: port [mode] [options] +# hostname:port [mode] [options] +# 1.2.3.4:port [mode] [options] # # The socket addresses where Squid will listen for HTTP client # requests. You may specify multiple socket addresses. # There are three forms: port alone, hostname with port, and # IP address with port. If you specify a hostname or IP # address, Squid binds the socket to that specific -# address. This replaces the old 'tcp_incoming_address' -# option. Most likely, you do not need to bind to a specific +# address. Most likely, you do not need to bind to a specific # address, so you can use the port number alone. # # If you are running Squid in accelerator mode, you @@ -1037,48 +1388,184 @@ http_access deny all # # You may specify multiple socket addresses on multiple lines. # -# Options: +# Modes: # -# intercept Support for IP-Layer interception of -# outgoing requests without browser settings. -# NP: disables authentication and IPv6 on the port. +# intercept Support for IP-Layer NAT interception delivering +# traffic to this Squid port. +# NP: disables authentication on the port. # -# tproxy Support Linux TPROXY for spoofing outgoing -# connections using the client IP address. -# NP: disables authentication and maybe IPv6 on the port. +# tproxy Support Linux TPROXY (or BSD divert-to) with spoofing +# of outgoing connections using the client IP address. +# NP: disables authentication on the port. # -# accel Accelerator mode. Also needs at least one of -# vhost / vport / defaultsite. +# accel Accelerator / reverse proxy mode # -# allow-direct Allow direct forwarding in accelerator mode. Normally -# accelerated requests are denied direct forwarding as if -# never_direct was used. +# ssl-bump For each CONNECT request allowed by ssl_bump ACLs, +# establish secure connection with the client and with +# the server, decrypt HTTPS messages as they pass through +# Squid, and treat them as unencrypted HTTP messages, +# becoming the man-in-the-middle. # -# defaultsite=domainname -# What to use for the Host: header if it is not present -# in a request. Determines what site (not origin server) -# accelerators should consider the default. -# Implies accel. +# The ssl_bump option is required to fully enable +# bumping of CONNECT requests. +# +# Omitting the mode flag causes default forward proxy mode to be used. +# +# +# Accelerator Mode Options: +# +# defaultsite=domainname +# What to use for the Host: header if it is not present +# in a request. Determines what site (not origin server) +# accelerators should consider the default. # -# vhost Accelerator mode using Host header for virtual domain support. -# Also uses the port as specified in Host: header unless -# overridden by the vport option. Implies accel. +# no-vhost Disable using HTTP/1.1 Host header for virtual domain support. +# +# protocol= Protocol to reconstruct accelerated and intercepted +# requests with. Defaults to HTTP/1.1 for http_port and +# HTTPS/1.1 for https_port. +# When an unsupported value is configured Squid will +# produce a FATAL error. +# Values: HTTP or HTTP/1.1, HTTPS or HTTPS/1.1 # # vport Virtual host port support. Using the http_port number -# instead of the port passed on Host: headers. Implies accel. +# instead of the port passed on Host: headers. # # vport=NN Virtual host port support. Using the specified port # number instead of the port passed on Host: headers. -# Implies accel. # -# protocol= Protocol to reconstruct accelerated requests with. -# Defaults to http. +# act-as-origin +# Act as if this Squid is the origin server. +# This currently means generate new Date: and Expires: +# headers on HIT instead of adding Age:. # # ignore-cc Ignore request Cache-Control headers. # -# Warning: This option violates HTTP specifications if +# WARNING: This option violates HTTP specifications if # used in non-accelerator setups. # +# allow-direct Allow direct forwarding in accelerator mode. Normally +# accelerated requests are denied direct forwarding as if +# never_direct was used. +# +# WARNING: this option opens accelerator mode to security +# vulnerabilities usually only affecting in interception +# mode. Make sure to protect forwarding with suitable +# http_access rules when using this. +# +# +# SSL Bump Mode Options: +# In addition to these options ssl-bump requires TLS/SSL options. +# +# generate-host-certificates[=] +# Dynamically create SSL server certificates for the +# destination hosts of bumped CONNECT requests.When +# enabled, the cert and key options are used to sign +# generated certificates. Otherwise generated +# certificate will be selfsigned. +# If there is a CA certificate lifetime of the generated +# certificate equals lifetime of the CA certificate. If +# generated certificate is selfsigned lifetime is three +# years. +# This option is disabled by default. See the ssl-bump +# option above for more information. +# +# dynamic_cert_mem_cache_size=SIZE +# Approximate total RAM size spent on cached generated +# certificates. If set to zero, caching is disabled. +# +# TLS / SSL Options: +# +# cert= Path to SSL certificate (PEM format). +# +# key= Path to SSL private key file (PEM format) +# if not specified, the certificate file is +# assumed to be a combined certificate and +# key file. +# +# version= The version of SSL/TLS supported +# 1 automatic (default) +# 2 SSLv2 only +# 3 SSLv3 only +# 4 TLSv1.0 only +# 5 TLSv1.1 only +# 6 TLSv1.2 only +# +# cipher= Colon separated list of supported ciphers. +# NOTE: some ciphers such as EDH ciphers depend on +# additional settings. If those settings are +# omitted the ciphers may be silently ignored +# by the OpenSSL library. +# +# options= Various SSL implementation options. The most important +# being: +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# SINGLE_DH_USE Always create a new key when using +# temporary/ephemeral DH key exchanges +# NO_TICKET Disables TLS tickets extension +# +# SINGLE_ECDH_USE +# Enable ephemeral ECDH key exchange. +# The adopted curve should be specified +# using the tls-dh option. +# +# ALL Enable various bug workarounds +# suggested as "harmless" by OpenSSL +# Be warned that this reduces SSL/TLS +# strength to some attacks. +# See OpenSSL SSL_CTX_set_options documentation for a +# complete list of options. +# +# clientca= File containing the list of CAs to use when +# requesting a client certificate. +# +# cafile= File containing additional CA certificates to +# use when verifying client certificates. If unset +# clientca will be used. +# +# capath= Directory containing additional CA certificates +# and CRL lists to use when verifying client certificates. +# +# crlfile= File of additional CRL lists to use when verifying +# the client certificate, in addition to CRLs stored in +# the capath. Implies VERIFY_CRL flag below. +# +# tls-dh=[curve:]file +# File containing DH parameters for temporary/ephemeral DH key +# exchanges, optionally prefixed by a curve for ephemeral ECDH +# key exchanges. +# See OpenSSL documentation for details on how to create the +# DH parameter file. Supported curves for ECDH can be listed +# using the "openssl ecparam -list_curves" command. +# WARNING: EDH and EECDH ciphers will be silently disabled if +# this option is not set. +# +# sslflags= Various flags modifying the use of SSL: +# DELAYED_AUTH +# Don't request client certificates +# immediately, but wait until acl processing +# requires a certificate (not yet implemented). +# NO_DEFAULT_CA +# Don't use the default CA lists built in +# to OpenSSL. +# NO_SESSION_REUSE +# Don't allow for session reuse. Each connection +# will result in a new SSL session. +# VERIFY_CRL +# Verify CRL lists when accepting client +# certificates. +# VERIFY_CRL_ALL +# Verify CRL lists for all certificates in the +# client certificate chain. +# +# sslcontext= SSL session ID context identifier. +# +# Other Options: +# # connection-auth[=on|off] # use connection-auth=off to tell Squid to prevent # forwarding Microsoft connection oriented authentication @@ -1100,22 +1587,6 @@ http_access deny all # sporadically hang or never complete requests set # disable-pmtu-discovery option to 'transparent'. # -# ssl-bump Intercept each CONNECT request matching ssl_bump ACL, -# establish secure connection with the client and with -# the server, decrypt HTTP messages as they pass through -# Squid, and treat them as unencrypted HTTP messages, -# becoming the man-in-the-middle. -# -# When this option is enabled, additional options become -# available to specify SSL-related properties of the -# client-side connection: cert, key, version, cipher, -# options, clientca, cafile, capath, crlfile, dhparams, -# sslflags, and sslcontext. See the https_port directive -# for more information on these options. -# -# The ssl_bump option is required to fully enable -# the SslBump feature. -# # name= Specifies a internal name for the port. Defaults to # the port specification (port or addr:port) # @@ -1125,6 +1596,11 @@ http_access deny all # probing the connection, interval how often to probe, and # timeout the time before giving up. # +# require-proxy-header +# Require PROXY protocol version 1 or 2 connections. +# The proxy_protocol_access is required to whitelist +# downstream proxies which can be trusted. +# # If you run Squid on a dual-homed machine with an internal # and an external interface we recommend you to specify the # internal address:port in http_port. This way Squid will only be @@ -1137,35 +1613,49 @@ http_port 3128 # TAG: https_port # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # -# Usage: [ip:]port cert=certificate.pem [key=key.pem] [options...] +# Usage: [ip:]port cert=certificate.pem [key=key.pem] [mode] [options...] # -# The socket address where Squid will listen for HTTPS client -# requests. +# The socket address where Squid will listen for client requests made +# over TLS or SSL connections. Commonly referred to as HTTPS. # -# This is really only useful for situations where you are running -# squid in accelerator mode and you want to do the SSL work at the -# accelerator level. +# This is most useful for situations where you are running squid in +# accelerator mode and you want to do the SSL work at the accelerator level. # # You may specify multiple socket addresses on multiple lines, # each with their own SSL certificate and/or options. # -# Options: +# Modes: +# +# accel Accelerator / reverse proxy mode +# +# intercept Support for IP-Layer interception of +# outgoing requests without browser settings. +# NP: disables authentication and IPv6 on the port. +# +# tproxy Support Linux TPROXY for spoofing outgoing +# connections using the client IP address. +# NP: disables authentication and maybe IPv6 on the port. +# +# ssl-bump For each intercepted connection allowed by ssl_bump +# ACLs, establish a secure connection with the client and with +# the server, decrypt HTTPS messages as they pass through +# Squid, and treat them as unencrypted HTTP messages, +# becoming the man-in-the-middle. +# +# An "ssl_bump server-first" match is required to +# fully enable bumping of intercepted SSL connections. +# +# Requires tproxy or intercept. # -# accel Accelerator mode. Also needs at least one of -# defaultsite or vhost. +# Omitting the mode flag causes default forward proxy mode to be used. # -# defaultsite= The name of the https site presented on -# this port. Implies accel. # -# vhost Accelerator mode using Host header for virtual -# domain support. Requires a wildcard certificate -# or other certificate valid for more than one domain. -# Implies accel. +# See http_port for a list of generic options # -# protocol= Protocol to reconstruct accelerated requests with. -# Defaults to https. +# +# SSL Options: # # cert= Path to SSL certificate (PEM format). # @@ -1181,20 +1671,23 @@ http_port 3128 # 4 TLSv1 only # # cipher= Colon separated list of supported ciphers. -# NOTE: some ciphers such as EDH ciphers depend on -# additional settings. If those settings are -# omitted the ciphers may be silently ignored -# by the OpenSSL library. # # options= Various SSL engine options. The most important # being: # NO_SSLv2 Disallow the use of SSLv2 # NO_SSLv3 Disallow the use of SSLv3 # NO_TLSv1 Disallow the use of TLSv1 +# # SINGLE_DH_USE Always create a new key when using # temporary/ephemeral DH key exchanges -# See OpenSSL SSL_CTX_set_options documentation for a -# complete list of options. +# +# SINGLE_ECDH_USE +# Enable ephemeral ECDH key exchange. +# The adopted curve should be specified +# using the tls-dh option. +# +# See src/ssl_support.c or OpenSSL SSL_CTX_set_options +# documentation for a complete list of options. # # clientca= File containing the list of CAs to use when # requesting a client certificate. @@ -1210,11 +1703,10 @@ http_port 3128 # the client certificate, in addition to CRLs stored in # the capath. Implies VERIFY_CRL flag below. # -# dhparams= File containing DH parameters for temporary/ephemeral -# DH key exchanges. See OpenSSL documentation for details -# on how to create this file. -# WARNING: EDH ciphers will be silently disabled if this -# option is not set. +# tls-dh=[curve:]file +# File containing DH parameters for temporary/ephemeral DH key +# exchanges, optionally prefixed by a curve for ephemeral ECDH +# key exchanges. # # sslflags= Various flags modifying the use of SSL: # DELAYED_AUTH @@ -1238,38 +1730,89 @@ http_port 3128 # # generate-host-certificates[=] # Dynamically create SSL server certificates for the -# destination hosts of bumped CONNECT requests.When +# destination hosts of bumped SSL requests.When # enabled, the cert and key options are used to sign # generated certificates. Otherwise generated # certificate will be selfsigned. -# If there is CA certificate life time of generated +# If there is CA certificate life time of generated # certificate equals lifetime of CA certificate. If -# generated certificate is selfsigned lifetime is three +# generated certificate is selfsigned lifetime is three # years. -# This option is enabled by default when SslBump is used. -# See the sslBump option above for more information. -# +# This option is disabled by default. See the ssl-bump +# option above for more information. +# # dynamic_cert_mem_cache_size=SIZE # Approximate total RAM size spent on cached generated -# certificates. If set to zero, caching is disabled. The -# default value is 4MB. An average XXX-bit certificate -# consumes about XXX bytes of RAM. +# certificates. If set to zero, caching is disabled. # -# vport Accelerator with IP based virtual host support. +# See http_port for a list of available options. +#Default: +# none + +# TAG: ftp_port +# Enables Native FTP proxy by specifying the socket address where Squid +# listens for FTP client requests. See http_port directive for various +# ways to specify the listening address and mode. # -# vport=NN As above, but uses specified port number rather -# than the https_port number. Implies accel. +# Usage: ftp_port address [mode] [options] # -# name= Specifies a internal name for the port. Defaults to -# the port specification (port or addr:port) +# WARNING: This is a new, experimental, complex feature that has seen +# limited production exposure. Some Squid modules (e.g., caching) do not +# currently work with native FTP proxying, and many features have not +# even been tested for compatibility. Test well before deploying! +# +# Native FTP proxying differs substantially from proxying HTTP requests +# with ftp:// URIs because Squid works as an FTP server and receives +# actual FTP commands (rather than HTTP requests with FTP URLs). # +# Native FTP commands accepted at ftp_port are internally converted or +# wrapped into HTTP-like messages. The same happens to Native FTP +# responses received from FTP origin servers. Those HTTP-like messages +# are shoveled through regular access control and adaptation layers +# between the FTP client and the FTP origin server. This allows Squid to +# examine, adapt, block, and log FTP exchanges. Squid reuses most HTTP +# mechanisms when shoveling wrapped FTP messages. For example, +# http_access and adaptation_access directives are used. +# +# Modes: +# +# intercept Same as http_port intercept. The FTP origin address is +# determined based on the intended destination of the +# intercepted connection. +# +# tproxy Support Linux TPROXY for spoofing outgoing +# connections using the client IP address. +# NP: disables authentication and maybe IPv6 on the port. +# +# By default (i.e., without an explicit mode option), Squid extracts the +# FTP origin address from the login@origin parameter of the FTP USER +# command. Many popular FTP clients support such native FTP proxying. +# +# Options: +# +# name=token Specifies an internal name for the port. Defaults to +# the port address. Usable with myportname ACL. +# +# ftp-track-dirs +# Enables tracking of FTP directories by injecting extra +# PWD commands and adjusting Request-URI (in wrapping +# HTTP requests) to reflect the current FTP server +# directory. Tracking is disabled by default. +# +# protocol=FTP Protocol to reconstruct accelerated and intercepted +# requests with. Defaults to FTP. No other accepted +# values have been tested with. An unsupported value +# results in a FATAL error. Accepted values are FTP, +# HTTP (or HTTP/1.1), and HTTPS (or HTTPS/1.1). +# +# Other http_port modes and options that are not specific to HTTP and +# HTTPS may also work. #Default: # none # TAG: tcp_outgoing_tos -# Allows you to select a TOS/Diffserv value to mark outgoing -# connections with, based on the username or source address -# making the request. +# Allows you to select a TOS/Diffserv value for packets outgoing +# on the server side, based on an ACL. # # tcp_outgoing_tos ds-field [!]aclname ... # @@ -1286,41 +1829,116 @@ http_port 3128 # RFC2475, and RFC3260. # # The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or -# "default" to use whatever default your host has. Note that in -# practice often only multiples of 4 is usable as the two rightmost bits -# have been redefined for use by ECN (RFC 3168 section 23.1). +# "default" to use whatever default your host has. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. # # Processing proceeds in the order specified, and stops at first fully # matching line. # -# Note: The use of this directive using client dependent ACLs is -# incompatible with the use of server side persistent connections. To -# ensure correct results it is best to set server_persistent_connections -# to off when using this directive in such configurations. +# Only fast ACLs are supported. #Default: # none # TAG: clientside_tos -# Allows you to select a TOS/Diffserv value to mark client-side -# connections with, based on the username or source address -# making the request. +# Allows you to select a TOS/DSCP value for packets being transmitted +# on the client-side, based on an ACL. +# +# clientside_tos ds-field [!]aclname ... +# +# Example where normal_service_net uses the TOS value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# clientside_tos 0x00 normal_service_net +# clientside_tos 0x20 good_service_net +# +# Note: This feature is incompatible with qos_flows. Any TOS values set here +# will be overwritten by TOS values in qos_flows. +# +# The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or +# "default" to use whatever default your host has. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. +# +#Default: +# none + +# TAG: tcp_outgoing_mark +# Note: This option is only available if Squid is rebuilt with the +# Packet MARK (Linux) +# +# Allows you to apply a Netfilter mark value to outgoing packets +# on the server side, based on an ACL. +# +# tcp_outgoing_mark mark-value [!]aclname ... +# +# Example where normal_service_net uses the mark value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# tcp_outgoing_mark 0x00 normal_service_net +# tcp_outgoing_mark 0x20 good_service_net +# +# Only fast ACLs are supported. +#Default: +# none + +# TAG: clientside_mark +# Note: This option is only available if Squid is rebuilt with the +# Packet MARK (Linux) +# +# Allows you to apply a Netfilter mark value to packets being transmitted +# on the client-side, based on an ACL. +# +# clientside_mark mark-value [!]aclname ... +# +# Example where normal_service_net uses the mark value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# clientside_mark 0x00 normal_service_net +# clientside_mark 0x20 good_service_net +# +# Note: This feature is incompatible with qos_flows. Any mark values set here +# will be overwritten by mark values in qos_flows. #Default: # none # TAG: qos_flows # Allows you to select a TOS/DSCP value to mark outgoing -# connections with, based on where the reply was sourced. +# connections to the client, based on where the reply was sourced. +# For platforms using netfilter, allows you to set a netfilter mark +# value instead of, or in addition to, a TOS value. +# +# By default this functionality is disabled. To enable it with the default +# settings simply use "qos_flows mark" or "qos_flows tos". Default +# settings will result in the netfilter mark or TOS value being copied +# from the upstream connection to the client. Note that it is the connection +# CONNMARK value not the packet MARK value that is copied. +# +# It is not currently possible to copy the mark or TOS value from the +# client to the upstream connection request. # # TOS values really only have local significance - so you should # know what you're specifying. For more information, see RFC2474, # RFC2475, and RFC3260. # -# The TOS/DSCP byte must be exactly that - octet value 0x00-0xFF. -# Note that in practice often only values up to 0x3F are usable -# as the two highest bits have been redefined for use by ECN -# (RFC3168). +# The TOS/DSCP byte must be exactly that - a octet value 0 - 255. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. +# +# Mark values can be any unsigned 32-bit integer value. # -# This setting is configured by setting the source TOS values: +# This setting is configured by setting the following values: +# +# tos|mark Whether to set TOS or netfilter mark values # # local-hit=0xFF Value to mark local cache hits. # @@ -1328,23 +1946,37 @@ http_port 3128 # # parent-hit=0xFF Value to mark hits from parent peers. # +# miss=0xFF[/mask] Value to mark cache misses. Takes precedence +# over the preserve-miss feature (see below), unless +# mask is specified, in which case only the bits +# specified in the mask are written. # -# NOTE: 'miss' preserve feature is only possible on Linux at this time. -# -# For the following to work correctly, you will need to patch your -# linux kernel with the TOS preserving ZPH patch. -# The kernel patch can be downloaded from http://zph.bratcheda.org +# The TOS variant of the following features are only possible on Linux +# and require your kernel to be patched with the TOS preserving ZPH +# patch, available from http://zph.bratcheda.org +# No patch is needed to preserve the netfilter mark, which will work +# with all variants of netfilter. # # disable-preserve-miss -# By default, the existing TOS value of the response coming -# from the remote server will be retained and masked with -# miss-mark. This option disables that feature. +# This option disables the preservation of the TOS or netfilter +# mark. By default, the existing TOS or netfilter mark value of +# the response coming from the remote server will be retained +# and masked with miss-mark. +# NOTE: in the case of a netfilter mark, the mark must be set on +# the connection (using the CONNMARK target) not on the packet +# (MARK target). # # miss-mask=0xFF -# Allows you to mask certain bits in the TOS received from the -# remote server, before copying the value to the TOS sent -# towards clients. -# Default: 0xFF (TOS from server is not changed). +# Allows you to mask certain bits in the TOS or mark value +# received from the remote server, before copying the value to +# the TOS sent towards clients. +# Default for tos: 0xFF (TOS from server is not changed). +# Default for mark: 0xFFFFFFFF (mark from server is not changed). +# +# All of these features require the --enable-zph-qos compilation flag +# (enabled by default). Netfilter marking also requires the +# libnetfilter_conntrack libraries (--with-netfilter-conntrack) and +# libcap 2.09+ (--with-libcap). # #Default: # none @@ -1356,72 +1988,133 @@ http_port 3128 # # tcp_outgoing_address ipaddr [[!]aclname] ... # -# Example where requests from 10.0.0.0/24 will be forwarded -# with source address 10.1.0.1, 10.0.2.0/24 forwarded with -# source address 10.1.0.2 and the rest will be forwarded with -# source address 10.1.0.3. -# -# acl normal_service_net src 10.0.0.0/24 -# acl good_service_net src 10.0.2.0/24 -# tcp_outgoing_address 10.1.0.1 normal_service_net -# tcp_outgoing_address 10.1.0.2 good_service_net -# tcp_outgoing_address 10.1.0.3 -# -# Processing proceeds in the order specified, and stops at first fully -# matching line. -# -# Note: The use of this directive using client dependent ACLs is -# incompatible with the use of server side persistent connections. To -# ensure correct results it is best to set server_persistent_connections -# to off when using this directive in such configurations. -# +# For example; +# Forwarding clients with dedicated IPs for certain subnets. # -# IPv6 Magic: +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.2.0/24 # -# Squid is built with a capability of bridging the IPv4 and IPv6 -# internets. -# tcp_outgoing_address as exampled above breaks this bridging by forcing -# all outbound traffic through a certain IPv4 which may be on the wrong -# side of the IPv4/IPv6 boundary. +# tcp_outgoing_address 2001:db8::c001 good_service_net +# tcp_outgoing_address 10.1.0.2 good_service_net # -# To operate with tcp_outgoing_address and keep the bridging benefits -# an additional ACL needs to be used which ensures the IPv6-bound traffic -# is never forced or permitted out the IPv4 interface. +# tcp_outgoing_address 2001:db8::beef normal_service_net +# tcp_outgoing_address 10.1.0.1 normal_service_net # -# # IPv6 destination test along with a dummy access control to perform the required DNS -# # This MUST be place before any ALLOW rules. -# acl to_ipv6 dst ipv6 -# http_access deny ipv6 !all +# tcp_outgoing_address 2001:db8::1 +# tcp_outgoing_address 10.1.0.3 # -# tcp_outgoing_address 2001:db8::c001 good_service_net to_ipv6 -# tcp_outgoing_address 10.1.0.2 good_service_net !to_ipv6 +# Processing proceeds in the order specified, and stops at first fully +# matching line. # -# tcp_outgoing_address 2001:db8::beef normal_service_net to_ipv6 -# tcp_outgoing_address 10.1.0.1 normal_service_net !to_ipv6 +# Squid will add an implicit IP version test to each line. +# Requests going to IPv4 websites will use the outgoing 10.1.0.* addresses. +# Requests going to IPv6 websites will use the outgoing 2001:db8:* addresses. # -# tcp_outgoing_address 2001:db8::1 to_ipv6 -# tcp_outgoing_address 10.1.0.3 !to_ipv6 # -# WARNING: -# 'dst ipv6' bases its selection assuming DIRECT access. -# If peers are used the peername ACL are needed to select outgoing -# address which can link to the peer. +# NOTE: The use of this directive using client dependent ACLs is +# incompatible with the use of server side persistent connections. To +# ensure correct results it is best to set server_persistent_connections +# to off when using this directive in such configurations. # -# 'dst ipv6' is a slow ACL. It will only work here if 'dst' is used -# previously in the http_access rules to locate the destination IP. -# Some more magic may be needed for that: -# http_access allow to_ipv6 !all -# (meaning, allow if to IPv6 but not from anywhere ;) +# NOTE: The use of this directive to set a local IP on outgoing TCP links +# is incompatible with using TPROXY to set client IP out outbound TCP links. +# When needing to contact peers use the no-tproxy cache_peer option and the +# client_dst_passthru directive re-enable normal forwarding such as this. # #Default: -# none +# Address selection is performed by the operating system. + +# TAG: host_verify_strict +# Regardless of this option setting, when dealing with intercepted +# traffic, Squid always verifies that the destination IP address matches +# the Host header domain or IP (called 'authority form URL'). +# +# This enforcement is performed to satisfy a MUST-level requirement in +# RFC 2616 section 14.23: "The Host field value MUST represent the naming +# authority of the origin server or gateway given by the original URL". +# +# When set to ON: +# Squid always responds with an HTTP 409 (Conflict) error +# page and logs a security warning if there is no match. +# +# Squid verifies that the destination IP address matches +# the Host header for forward-proxy and reverse-proxy traffic +# as well. For those traffic types, Squid also enables the +# following checks, comparing the corresponding Host header +# and Request-URI components: +# +# * The host names (domain or IP) must be identical, +# but valueless or missing Host header disables all checks. +# For the two host names to match, both must be either IP +# or FQDN. +# +# * Port numbers must be identical, but if a port is missing +# the scheme-default port is assumed. +# +# +# When set to OFF (the default): +# Squid allows suspicious requests to continue but logs a +# security warning and blocks caching of the response. +# +# * Forward-proxy traffic is not checked at all. +# +# * Reverse-proxy traffic is not checked at all. +# +# * Intercepted traffic which passes verification is handled +# according to client_dst_passthru. +# +# * Intercepted requests which fail verification are sent +# to the client original destination instead of DIRECT. +# This overrides 'client_dst_passthru off'. +# +# For now suspicious intercepted CONNECT requests are always +# responded to with an HTTP 409 (Conflict) error page. +# +# +# SECURITY NOTE: +# +# As described in CVE-2009-0801 when the Host: header alone is used +# to determine the destination of a request it becomes trivial for +# malicious scripts on remote websites to bypass browser same-origin +# security policy and sandboxing protections. +# +# The cause of this is that such applets are allowed to perform their +# own HTTP stack, in which case the same-origin policy of the browser +# sandbox only verifies that the applet tries to contact the same IP +# as from where it was loaded at the IP level. The Host: header may +# be different from the connected IP and approved origin. +# +#Default: +# host_verify_strict off + +# TAG: client_dst_passthru +# With NAT or TPROXY intercepted traffic Squid may pass the request +# directly to the original client destination IP or seek a faster +# source using the HTTP Host header. +# +# Using Host to locate alternative servers can provide faster +# connectivity with a range of failure recovery options. +# But can also lead to connectivity trouble when the client and +# server are attempting stateful interactions unaware of the proxy. +# +# This option (on by default) prevents alternative DNS entries being +# located to send intercepted traffic DIRECT to an origin server. +# The clients original destination IP and port will be used instead. +# +# Regardless of this option setting, when dealing with intercepted +# traffic Squid will verify the Host: header and any traffic which +# fails Host verification will be treated as if this option were ON. +# +# see host_verify_strict for details on the verification process. +#Default: +# client_dst_passthru on # SSL OPTIONS # ----------------------------------------------------------------------------- # TAG: ssl_unclean_shutdown # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Some browsers (especially MSIE) bugs out on SSL shutdown # messages. @@ -1430,7 +2123,7 @@ http_port 3128 # TAG: ssl_engine # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # The OpenSSL engine to use. You will need to set this if you # would like to use hardware SSL acceleration for example. @@ -1439,7 +2132,7 @@ http_port 3128 # TAG: sslproxy_client_certificate # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Client SSL Certificate to use when proxying https:// URLs #Default: @@ -1447,7 +2140,7 @@ http_port 3128 # TAG: sslproxy_client_key # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Client SSL Key to use when proxying https:// URLs #Default: @@ -1455,36 +2148,60 @@ http_port 3128 # TAG: sslproxy_version # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # SSL version level to use when proxying https:// URLs +# +# The versions of SSL/TLS supported: +# +# 1 automatic (default) +# 2 SSLv2 only +# 3 SSLv3 only +# 4 TLSv1.0 only +# 5 TLSv1.1 only +# 6 TLSv1.2 only #Default: -# sslproxy_version 1 +# automatic SSL/TLS version negotiation # TAG: sslproxy_options # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # -# SSL engine options to use when proxying https:// URLs +# Colon (:) or comma (,) separated list of SSL implementation options +# to use when proxying https:// URLs # # The most important being: # -# NO_SSLv2 Disallow the use of SSLv2 -# NO_SSLv3 Disallow the use of SSLv3 -# NO_TLSv1 Disallow the use of TLSv1 -# SINGLE_DH_USE -# Always create a new key when using -# temporary/ephemeral DH key exchanges +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# +# SINGLE_DH_USE +# Always create a new key when using temporary/ephemeral +# DH key exchanges +# +# NO_TICKET +# Disable use of RFC5077 session tickets. Some servers +# may have problems understanding the TLS extension due +# to ambiguous specification in RFC4507. +# +# ALL Enable various bug workarounds suggested as "harmless" +# by OpenSSL. Be warned that this may reduce SSL/TLS +# strength to some attacks. # -# These options vary depending on your SSL engine. # See the OpenSSL SSL_CTX_set_options documentation for a # complete list of possible options. +# +# WARNING: This directive takes a single token. If a space is used +# the value(s) after that space are SILENTLY IGNORED. #Default: # none # TAG: sslproxy_cipher # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # SSL cipher list to use when proxying https:// URLs # @@ -1494,7 +2211,7 @@ http_port 3128 # TAG: sslproxy_cafile # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # file containing CA certificates to use when verifying server # certificates while proxying https:// URLs @@ -1503,45 +2220,151 @@ http_port 3128 # TAG: sslproxy_capath # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # directory containing CA certificates to use when verifying # server certificates while proxying https:// URLs #Default: # none -# TAG: ssl_bump +# TAG: sslproxy_session_ttl +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the timeout value for SSL sessions +#Default: +# sslproxy_session_ttl 300 + +# TAG: sslproxy_session_cache_size +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the cache size to use for ssl session +#Default: +# sslproxy_session_cache_size 2 MB + +# TAG: sslproxy_foreign_intermediate_certs # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # -# This ACL controls which CONNECT requests to an http_port -# marked with an sslBump flag are actually "bumped". Please -# see the sslBump flag of an http_port option for more details -# about decoding proxied SSL connections. +# Many origin servers fail to send their full server certificate +# chain for verification, assuming the client already has or can +# easily locate any missing intermediate certificates. # -# By default, no requests are bumped. +# Squid uses the certificates from the specified file to fill in +# these missing chains when trying to validate origin server +# certificate chains. +# +# The file is expected to contain zero or more PEM-encoded +# intermediate certificates. These certificates are not treated +# as trusted root certificates, and any self-signed certificate in +# this file will be ignored. +#Default: +# none + +# TAG: sslproxy_cert_sign_hash +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the hashing algorithm to use when signing generated certificates. +# Valid algorithm names depend on the OpenSSL library used. The following +# names are usually available: sha1, sha256, sha512, and md5. Please see +# your OpenSSL library manual for the available hashes. By default, Squids +# that support this option use sha256 hashes. +# +# Squid does not forcefully purge cached certificates that were generated +# with an algorithm other than the currently configured one. They remain +# in the cache, subject to the regular cache eviction policy, and become +# useful if the algorithm changes again. +#Default: +# none + +# TAG: ssl_bump +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# This option is consulted when a CONNECT request is received on +# an http_port (or a new connection is intercepted at an +# https_port), provided that port was configured with an ssl-bump +# flag. The subsequent data on the connection is either treated as +# HTTPS and decrypted OR tunneled at TCP level without decryption, +# depending on the first matching bumping "action". +# +# ssl_bump [!]acl ... +# +# The following bumping actions are currently supported: +# +# splice +# Become a TCP tunnel without decrypting proxied traffic. +# This is the default action. +# +# bump +# Establish a secure connection with the server and, using a +# mimicked server certificate, with the client. +# +# peek +# Receive client (step SslBump1) or server (step SslBump2) +# certificate while preserving the possibility of splicing the +# connection. Peeking at the server certificate (during step 2) +# usually precludes bumping of the connection at step 3. +# +# stare +# Receive client (step SslBump1) or server (step SslBump2) +# certificate while preserving the possibility of bumping the +# connection. Staring at the server certificate (during step 2) +# usually precludes splicing of the connection at step 3. +# +# terminate +# Close client and server connections. +# +# Backward compatibility actions available at step SslBump1: +# +# client-first +# Bump the connection. Establish a secure connection with the +# client first, then connect to the server. This old mode does +# not allow Squid to mimic server SSL certificate and does not +# work with intercepted SSL connections. +# +# server-first +# Bump the connection. Establish a secure connection with the +# server first, then establish a secure connection with the +# client, using a mimicked server certificate. Works with both +# CONNECT requests and intercepted SSL connections, but does +# not allow to make decisions based on SSL handshake info. +# +# peek-and-splice +# Decide whether to bump or splice the connection based on +# client-to-squid and server-to-squid SSL hello messages. +# XXX: Remove. +# +# none +# Same as the "splice" action. +# +# All ssl_bump rules are evaluated at each of the supported bumping +# steps. Rules with actions that are impossible at the current step are +# ignored. The first matching ssl_bump action wins and is applied at the +# end of the current step. If no rules match, the splice action is used. +# See the at_step ACL for a list of the supported SslBump steps. # -# See also: http_port ssl-bump -# # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # +# See also: http_port ssl-bump, https_port ssl-bump, and acl at_step. +# # -# # Example: Bump all requests except those originating from localhost and -# # those going to webax.com or example.com sites. +# # Example: Bump all TLS connections except those originating from +# # localhost or those going to example.com. # -# acl localhost src 127.0.0.1/32 -# acl broken_sites dstdomain .webax.com -# acl broken_sites dstdomain .example.com -# ssl_bump deny localhost -# ssl_bump deny broken_sites -# ssl_bump allow all +# acl broken_sites ssl::server_name .example.com +# ssl_bump splice localhost +# ssl_bump splice broken_sites +# ssl_bump bump all #Default: -# none +# Become a TCP tunnel without decrypting proxied traffic. # TAG: sslproxy_flags # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Various flags modifying the use of SSL while proxying https:// URLs: # DONT_VERIFY_PEER Accept certificates that fail verification. @@ -1553,16 +2376,16 @@ http_port 3128 # TAG: sslproxy_cert_error # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Use this ACL to bypass server certificate validation errors. # # For example, the following lines will bypass all validation errors -# when talking to servers located at 172.16.0.0/16. All other +# when talking to servers for example.com. All other # validation errors will result in ERR_SECURE_CONNECT_FAIL error. # -# acl BrokenServersAtTrustedIP dst 172.16.0.0/16 -# sslproxy_cert_error allow BrokenServersAtTrustedIP +# acl BrokenButTrustedServers dstdomain example.com +# sslproxy_cert_error allow BrokenButTrustedServers # sslproxy_cert_error deny all # # This clause only supports fast acl types. @@ -1570,19 +2393,107 @@ http_port 3128 # Using slow acl types may result in server crashes # # Without this option, all server certificate validation errors -# terminate the transaction. Bypassing validation errors is dangerous -# because an error usually implies that the server cannot be trusted and -# the connection may be insecure. +# terminate the transaction to protect Squid and the client. +# +# SQUID_X509_V_ERR_INFINITE_VALIDATION error cannot be bypassed +# but should not happen unless your OpenSSL library is buggy. +# +# SECURITY WARNING: +# Bypassing validation errors is dangerous because an +# error usually implies that the server cannot be trusted +# and the connection may be insecure. # # See also: sslproxy_flags and DONT_VERIFY_PEER. +#Default: +# Server certificate errors terminate the transaction. + +# TAG: sslproxy_cert_sign +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# # -# Default setting: sslproxy_cert_error deny all +# sslproxy_cert_sign acl ... +# +# The following certificate signing algorithms are supported: +# +# signTrusted +# Sign using the configured CA certificate which is usually +# placed in and trusted by end-user browsers. This is the +# default for trusted origin server certificates. +# +# signUntrusted +# Sign to guarantee an X509_V_ERR_CERT_UNTRUSTED browser error. +# This is the default for untrusted origin server certificates +# that are not self-signed (see ssl::certUntrusted). +# +# signSelf +# Sign using a self-signed certificate with the right CN to +# generate a X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT error in the +# browser. This is the default for self-signed origin server +# certificates (see ssl::certSelfSigned). +# +# This clause only supports fast acl types. +# +# When sslproxy_cert_sign acl(s) match, Squid uses the corresponding +# signing algorithm to generate the certificate and ignores all +# subsequent sslproxy_cert_sign options (the first match wins). If no +# acl(s) match, the default signing algorithm is determined by errors +# detected when obtaining and validating the origin server certificate. +# +# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can +# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a +# CONNECT request that carries a domain name. In all other cases (CONNECT +# to an IP address or an intercepted SSL connection), Squid cannot detect +# the domain mismatch at certificate generation time when +# bump-server-first is used. +#Default: +# none + +# TAG: sslproxy_cert_adapt +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# +# sslproxy_cert_adapt acl ... +# +# The following certificate adaptation algorithms are supported: +# +# setValidAfter +# Sets the "Not After" property to the "Not After" property of +# the CA certificate used to sign generated certificates. +# +# setValidBefore +# Sets the "Not Before" property to the "Not Before" property of +# the CA certificate used to sign generated certificates. +# +# setCommonName or setCommonName{CN} +# Sets Subject.CN property to the host name specified as a +# CN parameter or, if no explicit CN parameter was specified, +# extracted from the CONNECT request. It is a misconfiguration +# to use setCommonName without an explicit parameter for +# intercepted or tproxied SSL connections. +# +# This clause only supports fast acl types. +# +# Squid first groups sslproxy_cert_adapt options by adaptation algorithm. +# Within a group, when sslproxy_cert_adapt acl(s) match, Squid uses the +# corresponding adaptation algorithm to generate the certificate and +# ignores all subsequent sslproxy_cert_adapt options in that algorithm's +# group (i.e., the first match wins within each algorithm group). If no +# acl(s) match, the default mimicking action takes place. +# +# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can +# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a +# CONNECT request that carries a domain name. In all other cases (CONNECT +# to an IP address or an intercepted SSL connection), Squid cannot detect +# the domain mismatch at certificate generation time when +# bump-server-first is used. #Default: # none # TAG: sslpassword_program # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Specify a program used for entering SSL key passphrases # when using encrypted SSL certificate keys. If not specified @@ -1595,12 +2506,12 @@ http_port 3128 #Default: # none -#OPTIONS RELATING TO EXTERNAL SSL_CRTD -#----------------------------------------------------------------------------- +# OPTIONS RELATING TO EXTERNAL SSL_CRTD +# ----------------------------------------------------------------------------- # TAG: sslcrtd_program # Note: This option is only available if Squid is rebuilt with the -# -DUSE_SSL_CRTD define +# --enable-ssl-crtd # # Specify the location and options of the executable for ssl_crtd process. # /usr/lib/squid/ssl_crtd program requires -s and -M parameters @@ -1611,14 +2522,90 @@ http_port 3128 # TAG: sslcrtd_children # Note: This option is only available if Squid is rebuilt with the -# -DUSE_SSL_CRTD define +# --enable-ssl-crtd # # The maximum number of processes spawn to service ssl server. # The maximum this may be safely set to is 32. # +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup=N +# +# Sets the minimum number of processes to spawn when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few children temporary slows Squid under load while it +# tries to spawn enough additional processes to cope with traffic. +# +# idle=N +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# # You must have at least one ssl_crtd process. #Default: -# sslcrtd_children 5 +# sslcrtd_children 32 startup=5 idle=1 + +# TAG: sslcrtvalidator_program +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Specify the location and options of the executable for ssl_crt_validator +# process. +# +# Usage: sslcrtvalidator_program [ttl=n] [cache=n] path ... +# +# Options: +# ttl=n TTL in seconds for cached results. The default is 60 secs +# cache=n limit the result cache size. The default value is 2048 +#Default: +# none + +# TAG: sslcrtvalidator_children +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# The maximum number of processes spawn to service SSL server. +# The maximum this may be safely set to is 32. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup=N +# +# Sets the minimum number of processes to spawn when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few children temporary slows Squid under load while it +# tries to spawn enough additional processes to cope with traffic. +# +# idle=N +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# +# The number of requests each certificate validator helper can handle in +# parallel. A value of 0 indicates the certficate validator does not +# support concurrency. Defaults to 1. +# +# When this directive is set to a value >= 1 then the protocol +# used to communicate with the helper is modified to include +# a request ID in front of the request/response. The request +# ID from the request must be echoed back with the response +# to that request. +# +# You must have at least one ssl_crt_validator process. +#Default: +# sslcrtvalidator_children 32 startup=5 idle=1 concurrency=1 # OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM # ----------------------------------------------------------------------------- @@ -1680,22 +2667,23 @@ http_port 3128 # # htcp Send HTCP, instead of ICP, queries to the neighbor. # You probably also want to set the "icp-port" to 4827 -# instead of 3130. +# instead of 3130. This directive accepts a comma separated +# list of options described below. # -# htcp-oldsquid Send HTCP to old Squid versions. +# htcp=oldsquid Send HTCP to old Squid versions (2.5 or earlier). # -# htcp-no-clr Send HTCP to the neighbor but without +# htcp=no-clr Send HTCP to the neighbor but without # sending any CLR requests. This cannot be used with -# htcp-only-clr. +# only-clr. # -# htcp-only-clr Send HTCP to the neighbor but ONLY CLR requests. -# This cannot be used with htcp-no-clr. +# htcp=only-clr Send HTCP to the neighbor but ONLY CLR requests. +# This cannot be used with no-clr. # -# htcp-no-purge-clr +# htcp=no-purge-clr # Send HTCP to the neighbor including CLRs but only when # they do not result from PURGE requests. # -# htcp-forward-clr +# htcp=forward-clr # Forward any HTCP CLR requests this proxy receives to the peer. # # @@ -1768,6 +2756,14 @@ http_port 3128 # than the Squid default location. # # +# ==== CARP OPTIONS ==== +# +# carp-key=key-specification +# use a different key than the full URL to hash against the peer. +# the key-specification is a comma-separated list of the keywords +# scheme, host, port, path, params +# Order is not important. +# # ==== ACCELERATOR / REVERSE-PROXY OPTIONS ==== # # originserver Causes this parent to be contacted as an origin server. @@ -1795,20 +2791,23 @@ http_port 3128 # Note: The string can include URL escapes (i.e. %20 for # spaces). This also means % must be written as %%. # -# login=PROXYPASS +# login=PASSTHRU # Send login details received from client to this peer. -# Authentication is not required, nor changed. +# Both Proxy- and WWW-Authorization headers are passed +# without alteration to the peer. +# Authentication is not required by Squid for this to work. # # Note: This will pass any form of authentication but # only Basic auth will work through a proxy unless the # connection-auth options are also used. -# +# # login=PASS Send login details received from client to this peer. # Authentication is not required by this option. +# # If there are no client-provided authentication headers # to pass on, but username and password are available -# from either proxy login or an external ACL user= and -# password= result tags they may be sent instead. +# from an external ACL user= and password= result tags +# they may be sent instead. # # Note: To combine this with proxy_auth both proxies must # share the same user database as HTTP only allows for @@ -1826,6 +2825,27 @@ http_port 3128 # be used to identify this proxy to the peer, similar to # the login=username:password option above. # +# login=NEGOTIATE +# If this is a personal/workgroup proxy and your parent +# requires a secure proxy authentication. +# The first principal from the default keytab or defined by +# the environment variable KRB5_KTNAME will be used. +# +# WARNING: The connection may transmit requests from multiple +# clients. Negotiate often assumes end-to-end authentication +# and a single-client. Which is not strictly true here. +# +# login=NEGOTIATE:principal_name +# If this is a personal/workgroup proxy and your parent +# requires a secure proxy authentication. +# The principal principal_name from the default keytab or +# defined by the environment variable KRB5_KTNAME will be +# used. +# +# WARNING: The connection may transmit requests from multiple +# clients. Negotiate often assumes end-to-end authentication +# and a single-client. Which is not strictly true here. +# # connection-auth=on|off # Tell Squid that this peer does or not support Microsoft # connection oriented authentication, and any such @@ -1848,22 +2868,42 @@ http_port 3128 # reference a combined file containing both the # certificate and the key. # -# sslversion=1|2|3|4 +# sslversion=1|2|3|4|5|6 # The SSL version to use when connecting to this peer # 1 = automatic (default) # 2 = SSL v2 only # 3 = SSL v3 only -# 4 = TLS v1 only +# 4 = TLS v1.0 only +# 5 = TLS v1.1 only +# 6 = TLS v1.2 only # # sslcipher=... The list of valid SSL ciphers to use when connecting # to this peer. # -# ssloptions=... Specify various SSL engine options: -# NO_SSLv2 Disallow the use of SSLv2 -# NO_SSLv3 Disallow the use of SSLv3 -# NO_TLSv1 Disallow the use of TLSv1 -# See src/ssl_support.c or the OpenSSL documentation for -# a more complete list. +# ssloptions=... Specify various SSL implementation options: +# +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# +# SINGLE_DH_USE +# Always create a new key when using +# temporary/ephemeral DH key exchanges +# +# NO_TICKET +# Disable use of RFC5077 session tickets. Some servers +# may have problems understanding the TLS extension due +# to ambiguous specification in RFC4507. +# +# ALL Enable various bug workarounds +# suggested as "harmless" by OpenSSL +# Be warned that this reduces SSL/TLS +# strength to some attacks. +# +# See the OpenSSL SSL_CTX_set_options documentation for a +# more complete list. # # sslcafile=... A file containing additional CA certificates to use # when verifying the peer certificate. @@ -1907,29 +2947,74 @@ http_port 3128 # # connect-fail-limit=N # How many times connecting to a peer must fail before -# it is marked as down. Default is 10. +# it is marked as down. Standby connection failures +# count towards this limit. Default is 10. # # allow-miss Disable Squid's use of only-if-cached when forwarding # requests to siblings. This is primarily useful when -# icp_hit_stale is used by the sibling. To extensive use -# of this option may result in forwarding loops, and you -# should avoid having two-way peerings with this option. -# For example to deny peer usage on requests from peer -# by denying cache_peer_access if the source is a peer. +# icp_hit_stale is used by the sibling. Excessive use +# of this option may result in forwarding loops. One way +# to prevent peering loops when using this option, is to +# deny cache peer usage on requests from a peer: +# acl fromPeer ... +# cache_peer_access peerName deny fromPeer +# +# max-conn=N Limit the number of concurrent connections the Squid +# may open to this peer, including already opened idle +# and standby connections. There is no peer-specific +# connection limit by default. # -# max-conn=N Limit the amount of connections Squid may open to this -# peer. see also +# A peer exceeding the limit is not used for new +# requests unless a standby connection is available. +# +# max-conn currently works poorly with idle persistent +# connections: When a peer reaches its max-conn limit, +# and there are idle persistent connections to the peer, +# the peer may not be selected because the limiting code +# does not know whether Squid can reuse those idle +# connections. +# +# standby=N Maintain a pool of N "hot standby" connections to an +# UP peer, available for requests when no idle +# persistent connection is available (or safe) to use. +# By default and with zero N, no such pool is maintained. +# N must not exceed the max-conn limit (if any). +# +# At start or after reconfiguration, Squid opens new TCP +# standby connections until there are N connections +# available and then replenishes the standby pool as +# opened connections are used up for requests. A used +# connection never goes back to the standby pool, but +# may go to the regular idle persistent connection pool +# shared by all peers and origin servers. +# +# Squid never opens multiple new standby connections +# concurrently. This one-at-a-time approach minimizes +# flooding-like effect on peers. Furthermore, just a few +# standby connections should be sufficient in most cases +# to supply most new requests with a ready-to-use +# connection. +# +# Standby connections obey server_idle_pconn_timeout. +# For the feature to work as intended, the peer must be +# configured to accept and keep them open longer than +# the idle timeout at the connecting Squid, to minimize +# race conditions typical to idle used persistent +# connections. Default request_timeout and +# server_idle_pconn_timeout values ensure such a +# configuration. # # name=xxx Unique name for the peer. # Required if you have multiple peers on the same host # but different ports. # This name can be used in cache_peer_access and similar -# directives to dentify the peer. +# directives to identify the peer. # Can be used by outgoing access controls through the # peername ACL type. # # no-tproxy Do not use the client-spoof TPROXY support when forwarding # requests to this peer. Use normal address selection instead. +# This overrides the spoof_client_ip ACL. # # proxy-only objects fetched from the peer will not be stored locally. # @@ -1938,10 +3023,11 @@ http_port 3128 # TAG: cache_peer_domain # Use to limit the domains for which a neighbor cache will be -# queried. Usage: +# queried. # -# cache_peer_domain cache-host domain [domain ...] -# cache_peer_domain cache-host !domain +# Usage: +# cache_peer_domain cache-host domain [domain ...] +# cache_peer_domain cache-host !domain # # For example, specifying # @@ -1966,33 +3052,57 @@ http_port 3128 # none # TAG: cache_peer_access -# Similar to 'cache_peer_domain' but provides more flexibility by -# using ACL elements. +# Restricts usage of cache_peer proxies. # -# cache_peer_access cache-host allow|deny [!]aclname ... +# Usage: +# cache_peer_access peer-name allow|deny [!]aclname ... +# +# For the required peer-name parameter, use either the value of the +# cache_peer name=value parameter or, if name=value is missing, the +# cache_peer hostname parameter. +# +# This directive narrows down the selection of peering candidates, but +# does not determine the order in which the selected candidates are +# contacted. That order is determined by the peer selection algorithms +# (see PEER SELECTION sections in the cache_peer documentation). +# +# If a deny rule matches, the corresponding peer will not be contacted +# for the current transaction -- Squid will not send ICP queries and +# will not forward HTTP requests to that peer. An allow match leaves +# the corresponding peer in the selection. The first match for a given +# peer wins for that peer. +# +# The relative order of cache_peer_access directives for the same peer +# matters. The relative order of any two cache_peer_access directives +# for different peers does not matter. To ease interpretation, it is a +# good idea to group cache_peer_access directives for the same peer +# together. +# +# A single cache_peer_access directive may be evaluated multiple times +# for a given transaction because individual peer selection algorithms +# may check it independently from each other. These redundant checks +# may be optimized away in future Squid versions. # -# The syntax is identical to 'http_access' and the other lists of -# ACL elements. See the comments for 'http_access' below, or -# the Squid FAQ (http://wiki.squid-cache.org/SquidFaq/SquidAcl). +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# No peer usage restrictions. # TAG: neighbor_type_domain -# usage: neighbor_type_domain neighbor parent|sibling domain domain ... +# Modify the cache_peer neighbor type when passing requests +# about specific domains to the peer. # -# Modifying the neighbor type for specific domains is now -# possible. You can treat some domains differently than the the -# default neighbor type specified on the 'cache_peer' line. -# Normally it should only be necessary to list domains which -# should be treated differently because the default neighbor type -# applies for hostnames which do not match domains listed here. +# Usage: +# neighbor_type_domain neighbor parent|sibling domain domain ... # -#EXAMPLE: -# cache_peer cache.foo.org parent 3128 3130 -# neighbor_type_domain cache.foo.org sibling .com .net -# neighbor_type_domain cache.foo.org sibling .au .de +# For example: +# cache_peer foo.example.com parent 3128 3130 +# neighbor_type_domain foo.example.com sibling .au .de +# +# The above configuration treats all requests to foo.example.com as a +# parent proxy unless the request is for a .au or .de ccTLD domain name. #Default: -# none +# The peer type from cache_peer directive is used for all requests to that peer. # TAG: dead_peer_timeout (seconds) # This controls how long Squid waits to declare a peer cache @@ -2015,21 +3125,11 @@ http_port 3128 # TAG: forward_max_tries # Controls how many different forward paths Squid will try # before giving up. See also forward_timeout. +# +# NOTE: connect_retries (default: none) can make each of these +# possible forwarding paths be tried multiple times. #Default: -# forward_max_tries 10 - -# TAG: hierarchy_stoplist -# A list of words which, if found in a URL, cause the object to -# be handled directly by this cache. In other words, use this -# to not query neighbor caches for certain objects. You may -# list this option multiple times. -# -# Example: -# hierarchy_stoplist cgi-bin ? -# -# Note: never_direct overrides this option. -#Default: -# none +# forward_max_tries 25 # MEMORY CACHE OPTIONS # ----------------------------------------------------------------------------- @@ -2064,6 +3164,11 @@ http_port 3128 # decreases, blocks will be freed until the high-water mark is # reached. Thereafter, blocks will be used to store hot # objects. +# +# If shared memory caching is enabled, Squid does not use the shared +# cache space for in-transit objects, but they still consume as much +# local memory as they need. For more details about the shared memory +# cache, see memory_cache_shared. #Default: # cache_mem 256 MB @@ -2075,11 +3180,45 @@ http_port 3128 #Default: # maximum_object_size_in_memory 512 KB +# TAG: memory_cache_shared on|off +# Controls whether the memory cache is shared among SMP workers. +# +# The shared memory cache is meant to occupy cache_mem bytes and replace +# the non-shared memory cache, although some entities may still be +# cached locally by workers for now (e.g., internal and in-transit +# objects may be served from a local memory cache even if shared memory +# caching is enabled). +# +# By default, the memory cache is shared if and only if all of the +# following conditions are satisfied: Squid runs in SMP mode with +# multiple workers, cache_mem is positive, and Squid environment +# supports required IPC primitives (e.g., POSIX shared memory segments +# and GCC-style atomic operations). +# +# To avoid blocking locks, shared memory uses opportunistic algorithms +# that do not guarantee that every cachable entity that could have been +# shared among SMP workers will actually be shared. +#Default: +# "on" where supported if doing memory caching with multiple SMP workers. + +# TAG: memory_cache_mode +# Controls which objects to keep in the memory cache (cache_mem) +# +# always Keep most recently fetched objects in memory (default) +# +# disk Only disk cache hits are kept in memory, which means +# an object must first be cached on disk and then hit +# a second time before cached in memory. +# +# network Only objects fetched from network is kept in memory +#Default: +# Keep the most recently fetched objects in memory + # TAG: memory_replacement_policy # The memory replacement policy parameter determines which # objects are purged from memory when memory space is needed. # -# See cache_replacement_policy for details. +# See cache_replacement_policy for details on algorithms. #Default: # memory_replacement_policy lru @@ -2095,7 +3234,7 @@ http_port 3128 # heap LFUDA: Least Frequently Used with Dynamic Aging # heap LRU : LRU policy implemented using a heap # -# Applies to any cache_dir lines listed below this. +# Applies to any cache_dir lines listed below this directive. # # The LRU policies keeps recently referenced objects. # @@ -2114,7 +3253,7 @@ http_port 3128 # replacement policies. # # NOTE: if using the LFUDA replacement policy you should increase -# the value of maximum_object_size above its default of 4096 KB to +# the value of maximum_object_size above its default of 4 MB to # to maximize the potential byte hit rate improvement of LFUDA. # # For more information about the GDSF and LFUDA cache replacement @@ -2123,10 +3262,34 @@ http_port 3128 #Default: # cache_replacement_policy lru +# TAG: minimum_object_size (bytes) +# Objects smaller than this size will NOT be saved on disk. The +# value is specified in bytes, and the default is 0 KB, which +# means all responses can be stored. +#Default: +# no limit + +# TAG: maximum_object_size (bytes) +# Set the default value for max-size parameter on any cache_dir. +# The value is specified in bytes, and the default is 4 MB. +# +# If you wish to get a high BYTES hit ratio, you should probably +# increase this (one 32 MB object hit counts for 3200 10KB +# hits). +# +# If you wish to increase hit ratio more than you want to +# save bandwidth you should leave this low. +# +# NOTE: if using the LFUDA replacement policy you should increase +# this value to maximize the byte hit rate improvement of LFUDA! +# See cache_replacement_policy for a discussion of this policy. +#Default: +# maximum_object_size 4 MB +maximum_object_size 153600 KB + # TAG: cache_dir -# Usage: -# -# cache_dir Type Directory-Name Fs-specific-data [options] +# Format: +# cache_dir Type Directory-Name Fs-specific-data [options] # # You can specify multiple cache_dir lines to spread the # cache among different disk partitions. @@ -2141,12 +3304,18 @@ http_port 3128 # The directory must exist and be writable by the Squid # process. Squid will NOT create this directory for you. # -# The ufs store type: +# In SMP configurations, cache_dir must not precede the workers option +# and should use configuration macros or conditionals to give each +# worker interested in disk caching a dedicated cache directory. +# +# +# ==== The ufs store type ==== # # "ufs" is the old well-known Squid storage format that has always # been there. # -# cache_dir ufs Directory-Name Mbytes L1 L2 [options] +# Usage: +# cache_dir ufs Directory-Name Mbytes L1 L2 [options] # # 'Mbytes' is the amount of disk space (MB) to use under this # directory. The default is 100 MB. Change this to suit your @@ -2161,23 +3330,27 @@ http_port 3128 # will be created under each first-level directory. The default # is 256. # -# The aufs store type: +# +# ==== The aufs store type ==== # # "aufs" uses the same storage format as "ufs", utilizing # POSIX-threads to avoid blocking the main Squid process on # disk-I/O. This was formerly known in Squid as async-io. # -# cache_dir aufs Directory-Name Mbytes L1 L2 [options] +# Usage: +# cache_dir aufs Directory-Name Mbytes L1 L2 [options] # # see argument descriptions under ufs above # -# The diskd store type: +# +# ==== The diskd store type ==== # # "diskd" uses the same storage format as "ufs", utilizing a # separate process to avoid blocking the main Squid process on # disk-I/O. # -# cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n] +# Usage: +# cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n] # # see argument descriptions under ufs above # @@ -2185,55 +3358,149 @@ http_port 3128 # stops opening new files. If this many messages are in the queues, # Squid won't open new files. Default is 64 # -# Q2 specifies the number of unacknowledged messages when Squid -# starts blocking. If this many messages are in the queues, -# Squid blocks until it receives some replies. Default is 72 +# Q2 specifies the number of unacknowledged messages when Squid +# starts blocking. If this many messages are in the queues, +# Squid blocks until it receives some replies. Default is 72 +# +# When Q1 < Q2 (the default), the cache directory is optimized +# for lower response time at the expense of a decrease in hit +# ratio. If Q1 > Q2, the cache directory is optimized for +# higher hit ratio at the expense of an increase in response +# time. +# +# +# ==== The rock store type ==== +# +# Usage: +# cache_dir rock Directory-Name Mbytes [options] +# +# The Rock Store type is a database-style storage. All cached +# entries are stored in a "database" file, using fixed-size slots. +# A single entry occupies one or more slots. +# +# If possible, Squid using Rock Store creates a dedicated kid +# process called "disker" to avoid blocking Squid worker(s) on disk +# I/O. One disker kid is created for each rock cache_dir. Diskers +# are created only when Squid, running in daemon mode, has support +# for the IpcIo disk I/O module. +# +# swap-timeout=msec: Squid will not start writing a miss to or +# reading a hit from disk if it estimates that the swap operation +# will take more than the specified number of milliseconds. By +# default and when set to zero, disables the disk I/O time limit +# enforcement. Ignored when using blocking I/O module because +# blocking synchronous I/O does not allow Squid to estimate the +# expected swap wait time. +# +# max-swap-rate=swaps/sec: Artificially limits disk access using +# the specified I/O rate limit. Swap out requests that +# would cause the average I/O rate to exceed the limit are +# delayed. Individual swap in requests (i.e., hits or reads) are +# not delayed, but they do contribute to measured swap rate and +# since they are placed in the same FIFO queue as swap out +# requests, they may wait longer if max-swap-rate is smaller. +# This is necessary on file systems that buffer "too +# many" writes and then start blocking Squid and other processes +# while committing those writes to disk. Usually used together +# with swap-timeout to avoid excessive delays and queue overflows +# when disk demand exceeds available disk "bandwidth". By default +# and when set to zero, disables the disk I/O rate limit +# enforcement. Currently supported by IpcIo module only. +# +# slot-size=bytes: The size of a database "record" used for +# storing cached responses. A cached response occupies at least +# one slot and all database I/O is done using individual slots so +# increasing this parameter leads to more disk space waste while +# decreasing it leads to more disk I/O overheads. Should be a +# multiple of your operating system I/O page size. Defaults to +# 16KBytes. A housekeeping header is stored with each slot and +# smaller slot-sizes will be rejected. The header is smaller than +# 100 bytes. +# +# +# ==== COMMON OPTIONS ==== +# +# no-store no new objects should be stored to this cache_dir. +# +# min-size=n the minimum object size in bytes this cache_dir +# will accept. It's used to restrict a cache_dir +# to only store large objects (e.g. AUFS) while +# other stores are optimized for smaller objects +# (e.g. Rock). +# Defaults to 0. +# +# max-size=n the maximum object size in bytes this cache_dir +# supports. +# The value in maximum_object_size directive sets +# the default unless more specific details are +# available (ie a small store capacity). +# +# Note: To make optimal use of the max-size limits you should order +# the cache_dir lines with the smallest max-size value first. +# +#Default: +# No disk cache. Store cache ojects only in memory. +# + +# Uncomment and adjust the following to add a disk cache directory. +#cache_dir ufs /var/spool/squid 100 16 256 +cache_dir ufs /var/spool/squid 4096 16 1024 + +# TAG: store_dir_select_algorithm +# How Squid selects which cache_dir to use when the response +# object will fit into more than one. +# +# Regardless of which algorithm is used the cache_dir min-size +# and max-size parameters are obeyed. As such they can affect +# the selection algorithm by limiting the set of considered +# cache_dir. +# +# Algorithms: +# +# least-load +# +# This algorithm is suited to caches with similar cache_dir +# sizes and disk speeds. # -# When Q1 < Q2 (the default), the cache directory is optimized -# for lower response time at the expense of a decrease in hit -# ratio. If Q1 > Q2, the cache directory is optimized for -# higher hit ratio at the expense of an increase in response -# time. +# The disk with the least I/O pending is selected. +# When there are multiple disks with the same I/O load ranking +# the cache_dir with most available capacity is selected. # -# The coss store type: +# When a mix of cache_dir sizes are configured the faster disks +# have a naturally lower I/O loading and larger disks have more +# capacity. So space used to store objects and data throughput +# may be very unbalanced towards larger disks. # -# NP: COSS filesystem in Squid-3 has been deemed too unstable for -# production use and has thus been removed from this release. -# We hope that it can be made usable again soon. # -# block-size=n defines the "block size" for COSS cache_dir's. -# Squid uses file numbers as block numbers. Since file numbers -# are limited to 24 bits, the block size determines the maximum -# size of the COSS partition. The default is 512 bytes, which -# leads to a maximum cache_dir size of 512<<24, or 8 GB. Note -# you should not change the coss block size after Squid -# has written some objects to the cache_dir. +# round-robin # -# The coss file store has changed from 2.5. Now it uses a file -# called 'stripe' in the directory names in the config - and -# this will be created by squid -z. +# This algorithm is suited to caches with unequal cache_dir +# disk sizes. # -# Common options: +# Each cache_dir is selected in a rotation. The next suitable +# cache_dir is used. # -# no-store, no new objects should be stored to this cache_dir +# Available cache_dir capacity is only considered in relation +# to whether the object will fit and meets the min-size and +# max-size parameters. # -# max-size=n, refers to the max object size in bytes this cache_dir -# supports. It is used to select the cache_dir to store the object. -# Note: To make optimal use of the max-size limits you should order -# the cache_dir lines with the smallest max-size value first and the -# ones with no max-size specification last. +# Disk I/O loading is only considered to prevent overload on slow +# disks. This algorithm does not spread objects by size, so any +# I/O loading per-disk may appear very unbalanced and volatile. # -# Note for coss, max-size must be less than COSS_MEMBUF_SZ, -# which can be changed with the --with-coss-membuf-size=N configure -# option. +# If several cache_dirs use similar min-size, max-size, or other +# limits to to reject certain responses, then do not group such +# cache_dir lines together, to avoid round-robin selection bias +# towards the first cache_dir after the group. Instead, interleave +# cache_dir lines from different groups. For example: # - -# Uncomment and adjust the following to add a disk cache directory. -#cache_dir ufs /var/spool/squid 100 16 256 -cache_dir ufs /var/spool/squid 4096 16 1024 - -# TAG: store_dir_select_algorithm -# Set this to 'round-robin' as an alternative. +# store_dir_select_algorithm round-robin +# cache_dir rock /hdd1 ... min-size=100000 +# cache_dir rock /ssd1 ... max-size=99999 +# cache_dir rock /hdd2 ... min-size=100000 +# cache_dir rock /ssd2 ... max-size=99999 +# cache_dir rock /hdd3 ... min-size=100000 +# cache_dir rock /ssd3 ... max-size=99999 #Default: # store_dir_select_algorithm least-load @@ -2244,46 +3511,53 @@ cache_dir ufs /var/spool/squid 4096 16 1024 # # A value of 0 indicates no limit. #Default: -# max_open_disk_fds 0 - -# TAG: minimum_object_size (bytes) -# Objects smaller than this size will NOT be saved on disk. The -# value is specified in kilobytes, and the default is 0 KB, which -# means there is no minimum. -#Default: -# minimum_object_size 0 KB - -# TAG: maximum_object_size (bytes) -# Objects larger than this size will NOT be saved on disk. The -# value is specified in kilobytes, and the default is 4MB. If -# you wish to get a high BYTES hit ratio, you should probably -# increase this (one 32 MB object hit counts for 3200 10KB -# hits). If you wish to increase speed more than your want to -# save bandwidth you should leave this low. -# -# NOTE: if using the LFUDA replacement policy you should increase -# this value to maximize the byte hit rate improvement of LFUDA! -# See replacement_policy below for a discussion of this policy. -#Default: -# maximum_object_size 4096 KB -maximum_object_size 153600 KB +# no limit # TAG: cache_swap_low (percent, 0-100) +# The low-water mark for AUFS/UFS/diskd cache object eviction by +# the cache_replacement_policy algorithm. +# +# Removal begins when the swap (disk) usage of a cache_dir is +# above this low-water mark and attempts to maintain utilization +# near the low-water mark. +# +# As swap utilization increases towards the high-water mark set +# by cache_swap_high object eviction becomes more agressive. +# +# The value difference in percentages between low- and high-water +# marks represent an eviction rate of 300 objects per second and +# the rate continues to scale in agressiveness by multiples of +# this above the high-water mark. +# +# Defaults are 90% and 95%. If you have a large cache, 5% could be +# hundreds of MB. If this is the case you may wish to set these +# numbers closer together. +# +# See also cache_swap_high and cache_replacement_policy #Default: # cache_swap_low 90 # TAG: cache_swap_high (percent, 0-100) +# The high-water mark for AUFS/UFS/diskd cache object eviction by +# the cache_replacement_policy algorithm. # -# The low- and high-water marks for cache object replacement. -# Replacement begins when the swap (disk) usage is above the -# low-water mark and attempts to maintain utilization near the -# low-water mark. As swap utilization gets close to high-water -# mark object eviction becomes more aggressive. If utilization is -# close to the low-water mark less replacement is done each time. +# Removal begins when the swap (disk) usage of a cache_dir is +# above the low-water mark set by cache_swap_low and attempts to +# maintain utilization near the low-water mark. +# +# As swap utilization increases towards this high-water mark object +# eviction becomes more agressive. +# +# The value difference in percentages between low- and high-water +# marks represent an eviction rate of 300 objects per second and +# the rate continues to scale in agressiveness by multiples of +# this above the high-water mark. # # Defaults are 90% and 95%. If you have a large cache, 5% could be # hundreds of MB. If this is the case you may wish to set these # numbers closer together. +# +# See also cache_swap_low and cache_replacement_policy #Default: # cache_swap_high 95 @@ -2313,21 +3587,62 @@ maximum_object_size 153600 KB # ' output as-is # # - left aligned -# width field width. If starting with 0 the -# output is zero padded +# +# width minimum and/or maximum field width: +# [width_min][.width_max] +# When minimum starts with 0, the field is zero-padded. +# String values exceeding maximum width are truncated. +# # {arg} argument such as header name etc # # Format codes: # # % a literal % character +# sn Unique sequence number per log line entry +# err_code The ID of an error response served by Squid or +# a similar internal error identifier. +# err_detail Additional err_code-dependent error information. +# note The annotation specified by the argument. Also +# logs the adaptation meta headers set by the +# adaptation_meta configuration parameter. +# If no argument given all annotations logged. +# The argument may include a separator to use with +# annotation values: +# name[:separator] +# By default, multiple note values are separated with "," +# and multiple notes are separated with "\r\n". +# When logging named notes with %{name}note, the +# explicitly configured separator is used between note +# values. When logging all notes with %note, the +# explicitly configured separator is used between +# individual notes. There is currently no way to +# specify both value and notes separators when logging +# all notes with %note. +# +# Connection related format codes: +# # >a Client source IP address # >A Client FQDN # >p Client source port -# eui Client source EUI (MAC address, EUI-48 or EUI-64 identifier) +# >la Local IP address the client connected to +# >lp Local port number the client connected to +# >qos Client connection TOS/DSCP value set by Squid +# >nfmark Client connection netfilter mark set by Squid +# +# la Local listening IP address the client connection was connected to. +# lp Local listening port number the client connection was connected to. +# +# . format. +# Currently, Squid considers the master transaction +# started when a complete HTTP request header initiating +# the transaction is received from the client. This is +# the same value that Squid uses to calculate transaction +# response time when logging %tr to access.log. Currently, +# Squid uses millisecond resolution for %tS values, +# similar to the default access.log "current time" field +# (%ts.%03tu). +# +# Access Control related format codes: +# +# et Tag returned by external acl +# ea Log string returned by external acl +# un User name (any available) +# ul User name from authentication +# ue User name from external acl helper +# ui User name from ident +# un A user name. Expands to the first available name +# from the following list of information sources: +# - authenticated user name, like %ul +# - user name supplied by an external ACL, like %ue +# - SSL client name, like %us +# - ident user name, like %ui +# credentials Client credentials. The exact meaning depends on +# the authentication scheme: For Basic authentication, +# it is the password; for Digest, the realm sent by the +# client; for NTLM and Negotiate, the client challenge +# or client credentials prefixed with "YR " or "KK ". +# +# HTTP related format codes: +# +# REQUEST # -# HTTP cache related format codes: -# -# [http::]>h Original request header. Optional header name argument -# on the format header[:[separator]element] -# [http::]>ha The HTTP request headers after adaptation and redirection. +# [http::]rm Request method (GET/POST etc) +# [http::]>rm Request method from client +# [http::]ru Request URL from client +# [http::]rs Request URL scheme from client +# [http::]rd Request URL domain from client +# [http::]rP Request URL port from client +# [http::]rp Request URL path excluding hostname from client +# [http::]rv Request protocol version from client +# [http::]h Original received request header. +# Usually differs from the request header sent by +# Squid, although most fields are often preserved. +# Accepts optional header field name/value filter +# argument using name[:[separator]element] format. +# [http::]>ha Received request header after adaptation and +# redirection (pre-cache REQMOD vectoring point). +# Usually differs from the request header sent by +# Squid, although most fields are often preserved. # Optional header name argument as for >h +# +# +# RESPONSE +# +# [http::]Hs HTTP status code sent to the client +# # [http::]h -# [http::]un User name -# [http::]ul User name from authentication -# [http::]ui User name from ident -# [http::]us User name from SSL -# [http::]ue User name from external acl helper -# [http::]>Hs HTTP status code sent to the client -# [http::]st Received request size including HTTP headers. In the -# case of chunked requests the chunked encoding metadata -# are not included -# [http::]>sh Received HTTP request headers size -# [http::]st Total size of request received from client. +# Excluding chunked encoding bytes. +# [http::]sh Size of request headers received from client +# [http::]sni SSL client SNI sent to Squid. Available only +# after the peek, stare, or splice SSL bumping +# actions. +# +# If ICAP is enabled, the following code becomes available (as # well as ICAP log codes documented with the icap_log option): # # icap::tt Total ICAP processing time for the HTTP @@ -2386,14 +3793,13 @@ maximum_object_size 153600 KB # ACLs are checked and when ICAP # transaction is in progress. # -# icap::cert_subject The Subject field of the received client +# SSL certificate or a dash ('-') if Squid has +# received an invalid/malformed certificate or +# no certificate at all. Consider encoding the +# logged value because Subject often has spaces. +# +# %ssl::>cert_issuer The Issuer field of the received client +# SSL certificate or a dash ('-') if Squid has +# received an invalid/malformed certificate or +# no certificate at all. Consider encoding the +# logged value because Issuer often has spaces. +# # The default formats available (which do not need re-defining) are: # -#logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %a %Ss/%03>Hs %h] [%a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh +#logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh +#logformat referrer %ts.%03tu %>a %{Referer}>h %ru +#logformat useragent %>a [%tl] "%{User-Agent}>h" +# +# NOTE: When the log_mime_hdrs directive is set to ON. +# The squid, common and combined formats have a safely encoded copy +# of the mime headers appended to each line within a pair of brackets. +# +# NOTE: The common and combined formats are not quite true to the Apache definition. +# The logs from Squid contain an extra status and hierarchy code appended. +# #Default: -# none +# The format definitions squid, common, combined, referrer, useragent are built in. # TAG: access_log -# These files log client request activities. Has a line every HTTP or -# ICP request. The format is: -# access_log [ [acl acl ...]] -# access_log none [acl acl ...]] +# Configures whether and how Squid logs HTTP and ICP transactions. +# If access logging is enabled, a single line is logged for every +# matching HTTP or ICP request. The recommended directive formats are: # -# Will log to the specified file using the specified format (which -# must be defined in a logformat directive) those entries which match -# ALL the acl's specified (which must be defined in acl clauses). +# access_log : [option ...] [acl acl ...] +# access_log none [acl acl ...] # -# If no acl is specified, all requests will be logged to this file. +# The following directive format is accepted but may be deprecated: +# access_log : [ [acl acl ...]] # -# To disable logging of a request use the filepath "none", in which case -# a logformat name should not be specified. +# In most cases, the first ACL name must not contain the '=' character +# and should not be equal to an existing logformat name. You can always +# start with an 'all' ACL to work around those restrictions. +# +# Will log to the specified module:place using the specified format (which +# must be defined in a logformat directive) those entries which match +# ALL the acl's specified (which must be defined in acl clauses). +# If no acl is specified, all requests will be logged to this destination. +# +# ===== Available options for the recommended directive format ===== +# +# logformat=name Names log line format (either built-in or +# defined by a logformat directive). Defaults +# to 'squid'. +# +# buffer-size=64KB Defines approximate buffering limit for log +# records (see buffered_logs). Squid should not +# keep more than the specified size and, hence, +# should flush records before the buffer becomes +# full to avoid overflows under normal +# conditions (the exact flushing algorithm is +# module-dependent though). The on-error option +# controls overflow handling. +# +# on-error=die|drop Defines action on unrecoverable errors. The +# 'drop' action ignores (i.e., does not log) +# affected log records. The default 'die' action +# kills the affected worker. The drop action +# support has not been tested for modules other +# than tcp. +# +# ===== Modules Currently available ===== +# +# none Do not log any requests matching these ACL. +# Do not specify Place or logformat name. +# +# stdio Write each log line to disk immediately at the completion of +# each request. +# Place: the filename and path to be written. +# +# daemon Very similar to stdio. But instead of writing to disk the log +# line is passed to a daemon helper for asychronous handling instead. +# Place: varies depending on the daemon. +# +# log_file_daemon Place: the file name and path to be written. +# +# syslog To log each request via syslog facility. +# Place: The syslog facility and priority level for these entries. +# Place Format: facility.priority # -# To log the request via syslog specify a filepath of "syslog": +# where facility could be any of: +# authpriv, daemon, local0 ... local7 or user. # -# access_log syslog[:facility.priority] [format [acl1 [acl2 ....]]] -# where facility could be any of: -# authpriv, daemon, local0 .. local7 or user. +# And priority could be any of: +# err, warning, notice, info, debug. +# +# udp To send each log line as text data to a UDP receiver. +# Place: The destination host name or IP and port. +# Place Format: //host:port # -# And priority could be any of: -# err, warning, notice, info, debug. +# tcp To send each log line as text data to a TCP receiver. +# Lines may be accumulated before sending (see buffered_logs). +# Place: The destination host name or IP and port. +# Place Format: //host:port # # Default: -# access_log /var/log/squid/access.log squid +# access_log daemon:/var/log/squid/access.log squid #Default: -# access_log /var/log/squid/access.log squid +# access_log daemon:/var/log/squid/access.log squid # TAG: icap_log # ICAP log files record ICAP transaction summaries, one line per @@ -2472,13 +3953,35 @@ maximum_object_size 153600 KB # ICAP transaction log lines will correspond to a single access # log line. # -# ICAP log uses logformat codes that make sense for an ICAP -# transaction. Header-related codes are applied to the HTTP header -# embedded in an ICAP server response, with the following caveats: -# For REQMOD, there is no HTTP response header unless the ICAP -# server performed request satisfaction. For RESPMOD, the HTTP -# request header is the header sent to the ICAP server. For -# OPTIONS, there are no HTTP headers. +# ICAP log supports many access.log logformat %codes. In ICAP context, +# HTTP message-related %codes are applied to the HTTP message embedded +# in an ICAP message. Logformat "%http::>..." codes are used for HTTP +# messages embedded in ICAP requests while "%http::<..." codes are used +# for HTTP messages embedded in ICAP responses. For example: +# +# http::>h To-be-adapted HTTP message headers sent by Squid to +# the ICAP service. For REQMOD transactions, these are +# HTTP request headers. For RESPMOD, these are HTTP +# response headers, but Squid currently cannot log them +# (i.e., %http::>h will expand to "-" for RESPMOD). +# +# http::st Bytes sent to the ICAP server (TCP payload -# only; i.e., what Squid writes to the socket). +# icap::>st The total size of the ICAP request sent to the ICAP +# server (ICAP headers + ICAP body), including chunking +# metadata (if any). # -# icap::a %icap::to/%03icap::Hs %icap::A %icap::to/%03icap::Hs %icap::\n - logfile data +# R\n - rotate file +# T\n - truncate file +# O\n - reopen file +# F\n - flush file +# r\n - set rotate count to +# b\n - 1 = buffer output, 0 = don't buffer output +# +# No responses is expected. #Default: -# none +# logfile_daemon /usr/lib/squid/log_file_daemon -# TAG: log_icap -# This options allows you to control which requests get logged -# to icap.log. See the icap_log directive for ICAP log details. +# TAG: stats_collection allow|deny acl acl... +# This options allows you to control which requests gets accounted +# in performance counters. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow logging for all transactions. # TAG: cache_store_log # Logs the activities of the storage manager. Shows which # objects are ejected from the cache, and which objects are -# saved and for how long. To disable, enter "none" or remove the line. +# saved and for how long. # There are not really utilities to analyze this data, so you can safely -# disable it. -# +# disable it (the default). +# +# Store log uses modular logging outputs. See access_log for the list +# of modules supported. +# # Example: -# cache_store_log /var/log/squid/store.log +# cache_store_log stdio:/var/log/squid/store.log +# cache_store_log daemon:/var/log/squid/store.log #Default: # none @@ -2590,7 +4111,7 @@ maximum_object_size 153600 KB # them). We recommend you do NOT use this option. It is # better to keep these index files in each 'cache_dir' directory. #Default: -# none +# Store the journal inside its cache_dir # TAG: logfile_rotate # Specifies the number of logfile rotations to make when you @@ -2607,34 +4128,19 @@ maximum_object_size 153600 KB # in the habit of using 'squid -k rotate' instead of 'kill -USR1 # '. # -# Note, from Squid-3.1 this option has no effect on the cache.log, -# that log can be rotated separately by using debug_options +# Note, from Squid-3.1 this option is only a default for cache.log, +# that log can be rotated separately by using debug_options. # -# Note2, for Debian/Linux the default of logfile_rotate is -# zero, since it includes external logfile-rotation methods. +# Note2, for Debian/Linux the default of logfile_rotate is +# zero, since it includes external logfile-rotation methods. #Default: # logfile_rotate 0 -# TAG: emulate_httpd_log on|off -# The Cache can emulate the log file format which many 'httpd' -# programs use. To disable/enable this emulation, set -# emulate_httpd_log to 'off' or 'on'. The default -# is to use the native log format since it includes useful -# information Squid-specific log analyzers use. -#Default: -# emulate_httpd_log off - -# TAG: log_ip_on_direct on|off -# Log the destination IP address in the hierarchy log tag when going -# direct. Earlier Squid versions logged the hostname here. If you -# prefer the old way set this to off. -#Default: -# log_ip_on_direct on - # TAG: mime_table -# Pathname to Squid's MIME table. You shouldn't need to change -# this, but the default file contains examples and formatting -# information if you do. +# Path to Squid's icon configuration file. +# +# You shouldn't need to change this, but the default file contains +# examples and formatting information if you do. #Default: # mime_table /usr/share/squid/mime.conf @@ -2647,91 +4153,61 @@ maximum_object_size 153600 KB #Default: # log_mime_hdrs off -# TAG: useragent_log -# Note: This option is only available if Squid is rebuilt with the -# --enable-useragent-log option -# -# Squid will write the User-Agent field from HTTP requests -# to the filename specified here. By default useragent_log -# is disabled. -#Default: -# none - -# TAG: referer_log -# Note: This option is only available if Squid is rebuilt with the -# --enable-referer-log option -# -# Squid will write the Referer field from HTTP requests to the -# filename specified here. By default referer_log is disabled. -# Note that "referer" is actually a misspelling of "referrer" -# however the misspelt version has been accepted into the HTTP RFCs -# and we accept both. -#Default: -# none - # TAG: pid_filename # A filename to write the process-id to. To disable, enter "none". #Default: # pid_filename /var/run/squid.pid -# TAG: log_fqdn on|off -# Turn this on if you wish to log fully qualified domain names -# in the access.log. To do this Squid does a DNS lookup of all -# IP's connecting to it. This can (in some situations) increase -# latency, which makes your cache seem slower for interactive -# browsing. -#Default: -# log_fqdn off - # TAG: client_netmask # A netmask for client addresses in logfiles and cachemgr output. # Change this to protect the privacy of your cache clients. # A netmask of 255.255.255.0 will log all IP's in that range with # the last digit set to '0'. #Default: -# client_netmask no_addr - -# TAG: forward_log -# Note: This option is only available if Squid is rebuilt with the -# -DWIP_FWD_LOG define -# -# Logs the server-side requests. -# -# This is currently work in progress. -#Default: -# none +# Log full client IP address # TAG: strip_query_terms # By default, Squid strips query terms from requested URLs before -# logging. This protects your user's privacy. +# logging. This protects your user's privacy and reduces log size. +# +# When investigating HIT/MISS or other caching behaviour you +# will need to disable this to see the full URL used by Squid. #Default: # strip_query_terms on # TAG: buffered_logs on|off -# cache.log log file is written with stdio functions, and as such -# it can be buffered or unbuffered. By default it will be unbuffered. -# Buffering it can speed up the writing slightly (though you are -# unlikely to need to worry unless you run with tons of debugging -# enabled in which case performance will suffer badly anyway..). +# Whether to write/send access_log records ASAP or accumulate them and +# then write/send them in larger chunks. Buffering may improve +# performance because it decreases the number of I/Os. However, +# buffering increases the delay before log records become available to +# the final recipient (e.g., a disk file or logging daemon) and, +# hence, increases the risk of log records loss. +# +# Note that even when buffered_logs are off, Squid may have to buffer +# records if it cannot write/send them immediately due to pending I/Os +# (e.g., the I/O writing the previous log record) or connectivity loss. +# +# Currently honored by 'daemon' and 'tcp' access_log modules only. #Default: # buffered_logs off # TAG: netdb_filename -# Note: This option is only available if Squid is rebuilt with the -# --enable-icmp option +# Where Squid stores it's netdb journal. +# When enabled this journal preserves netdb state between restarts. # -# A filename where Squid stores it's netdb state between restarts. # To disable, enter "none". #Default: -# netdb_filename /var/log/squid/netdb.state +# netdb_filename stdio:/var/log/squid/netdb.state # OPTIONS FOR TROUBLESHOOTING # ----------------------------------------------------------------------------- # TAG: cache_log -# Cache logging file. This is where general information about -# your cache's behavior goes. You can increase the amount of data -# logged to this file and how often its rotated with "debug_options" +# Squid administrative logging file. +# +# This is where general information about Squid behavior goes. You can +# increase the amount of data logged to this file and how often it is +# rotated with "debug_options" #Default: # cache_log /var/log/squid/cache.log @@ -2742,14 +4218,14 @@ maximum_object_size 153600 KB # log file, so be careful. # # The magic word "ALL" sets debugging levels for all sections. -# We recommend normally running with "ALL,1". +# The default is to run with "ALL,1" to record important warnings. # # The rotate=N option can be used to keep more or less of these logs # than would otherwise be kept by logfile_rotate. # For most uses a single log should be enough to monitor current # events affecting Squid. #Default: -# debug_options ALL,1 +# Log all critical and important messages. # TAG: coredump_dir # By default Squid leaves core files in the directory from where @@ -2758,7 +4234,7 @@ maximum_object_size 153600 KB # and coredump files will be left there. # #Default: -# coredump_dir none +# Use the directory from where Squid was started. # # Leave coredumps in the first cache dir @@ -2769,24 +4245,17 @@ coredump_dir /var/spool/squid # TAG: ftp_user # If you want the anonymous login password to be more informative -# (and enable the use of picky ftp servers), set this to something +# (and enable the use of picky FTP servers), set this to something # reasonable for your domain, like wwwuser@somewhere.net # # The reason why this is domainless by default is the # request can be made on the behalf of a user in any domain, # depending on how the cache is used. -# Some ftp server also validate the email address is valid +# Some FTP server also validate the email address is valid # (for example perl.com). #Default: # ftp_user Squid@ -# TAG: ftp_list_width -# Sets the width of ftp listings. This should be set to fit in -# the width of a standard browser. Setting this too small -# can cut off long filenames when browsing ftp sites. -#Default: -# ftp_list_width 32 - # TAG: ftp_passive # If your firewall does not allow Squid to use passive # connections, turn off this option. @@ -2822,13 +4291,21 @@ coredump_dir /var/spool/squid # and therefore, translation of the data portion of the segments # will never be needed. # -# Turning this OFF will prevent EPSV being attempted. -# WARNING: Doing so will convert Squid back to the old behavior with all -# the related problems with external NAT devices/layers. +# EPSV is often required to interoperate with FTP servers on IPv6 +# networks. On the other hand, it may break some IPv4 servers. +# +# By default, EPSV may try EPSV with any FTP server. To fine tune +# that decision, you may restrict EPSV to certain clients or servers +# using ACLs: # +# ftp_epsv allow|deny al1 acl2 ... +# +# WARNING: Disabling EPSV may cause problems with external NAT and IPv6. +# +# Only fast ACLs are supported. # Requires ftp_passive to be ON (default) for any effect. #Default: -# ftp_epsv on +# none # TAG: ftp_eprt # FTP Protocol extensions permit the use of a special "EPRT" command. @@ -2889,22 +4366,16 @@ coredump_dir /var/spool/squid # unlinkd_program /usr/lib/squid/unlinkd # TAG: pinger_program -# Note: This option is only available if Squid is rebuilt with the -# --enable-icmp option -# # Specify the location of the executable for the pinger process. #Default: # pinger_program /usr/lib/squid/pinger # TAG: pinger_enable -# Note: This option is only available if Squid is rebuilt with the -# --enable-icmp option -# # Control whether the pinger is active at run-time. # Enables turning ICMP pinger on and off with a simple # squid -k reconfigure. #Default: -# pinger_enable off +# pinger_enable on # OPTIONS FOR URL REWRITING # ----------------------------------------------------------------------------- @@ -2915,68 +4386,137 @@ coredump_dir /var/spool/squid # # For each requested URL, the rewriter will receive on line with the format # -# URL client_ip "/" fqdn user method [ kvpairs] +# [channel-ID ] URL [ extras] +# +# See url_rewrite_extras on how to send "extras" with optional values to +# the helper. +# After processing the request the helper must reply using the following format: +# +# [channel-ID ] result [ kv-pairs] +# +# The result code can be: +# +# OK status=30N url="..." +# Redirect the URL to the one supplied in 'url='. +# 'status=' is optional and contains the status code to send +# the client in Squids HTTP response. It must be one of the +# HTTP redirect status codes: 301, 302, 303, 307, 308. +# When no status is given Squid will use 302. +# +# OK rewrite-url="..." +# Rewrite the URL to the one supplied in 'rewrite-url='. +# The new URL is fetched directly by Squid and returned to +# the client as the response to its request. # -# In the future, the rewriter interface will be extended with -# key=value pairs ("kvpairs" shown above). Rewriter programs -# should be prepared to receive and possibly ignore additional -# whitespace-separated tokens on each input line. +# OK +# When neither of url= and rewrite-url= are sent Squid does +# not change the URL. # -# And the rewriter may return a rewritten URL. The other components of -# the request line does not need to be returned (ignored if they are). +# ERR +# Do not change the URL. # -# The rewriter can also indicate that a client-side redirect should -# be performed to the new URL. This is done by prefixing the returned -# URL with "301:" (moved permanently) or 302: (moved temporarily), etc. +# BH +# An internal error occurred in the helper, preventing +# a result being identified. The 'message=' key name is +# reserved for delivering a log message. +# +# +# In addition to the above kv-pairs Squid also understands the following +# optional kv-pairs received from URL rewriters: +# clt_conn_tag=TAG +# Associates a TAG with the client TCP connection. +# The TAG is treated as a regular annotation but persists across +# future requests on the client connection rather than just the +# current request. A helper may update the TAG during subsequent +# requests be returning a new kv-pair. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# WARNING: URL re-writing ability should be avoided whenever possible. +# Use the URL redirect form of response instead. +# +# Re-write creates a difference in the state held by the client +# and server. Possibly causing confusion when the server response +# contains snippets of its view state. Embeded URLs, response +# and content Location headers, etc. are not re-written by this +# interface. # # By default, a URL rewriter is not used. #Default: # none # TAG: url_rewrite_children -# The number of redirector processes to spawn. If you start -# too few Squid will have to wait for them to process a backlog of -# URLs, slowing it down. If you start too many they will use RAM -# and other system resources. -#Default: -# url_rewrite_children 5 - -# TAG: url_rewrite_concurrency +# The maximum number of redirector processes to spawn. If you limit +# it too few Squid will have to wait for them to process a backlog of +# URLs, slowing it down. If you allow too many they will use RAM +# and other system resources noticably. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup= +# +# Sets a minimum of how many processes are to be spawned when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few will cause an initial slowdown in traffic as Squid +# attempts to simultaneously spawn enough processes to cope. +# +# idle= +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# # The number of requests each redirector helper can handle in # parallel. Defaults to 0 which indicates the redirector # is a old-style single threaded redirector. # # When this directive is set to a value >= 1 then the protocol # used to communicate with the helper is modified to include -# a request ID in front of the request/response. The request -# ID from the request must be echoed back with the response -# to that request. +# an ID in front of the request/response. The ID from the request +# must be echoed back with the response to that request. #Default: -# url_rewrite_concurrency 0 +# url_rewrite_children 20 startup=0 idle=1 concurrency=0 # TAG: url_rewrite_host_header -# By default Squid rewrites any Host: header in redirected -# requests. If you are running an accelerator this may -# not be a wanted effect of a redirector. -# +# To preserve same-origin security policies in browsers and +# prevent Host: header forgery by redirectors Squid rewrites +# any Host: header in redirected requests. +# +# If you are running an accelerator this may not be a wanted +# effect of a redirector. This directive enables you disable +# Host: alteration in reverse-proxy traffic. +# # WARNING: Entries are cached on the result of the URL rewriting # process, so be careful if you have domain-virtual hosts. +# +# WARNING: Squid and other software verifies the URL and Host +# are matching, so be careful not to relay through other proxies +# or inspecting firewalls with this disabled. #Default: # url_rewrite_host_header on # TAG: url_rewrite_access # If defined, this access list specifies which requests are -# sent to the redirector processes. By default all requests -# are sent. +# sent to the redirector processes. # # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: url_rewrite_bypass # When this is 'on', a request will not go through the -# redirector if all redirectors are busy. If this is 'off' +# redirector if all the helpers are busy. If this is 'off' # and the redirector queue grows too large, Squid will exit # with a FATAL error and ask you to increase the number of # redirectors. You should only enable this if the redirectors @@ -2987,23 +4527,231 @@ coredump_dir /var/spool/squid #Default: # url_rewrite_bypass off -# OPTIONS FOR TUNING THE CACHE +# TAG: url_rewrite_extras +# Specifies a string to be append to request line format for the +# rewriter helper. "Quoted" format values may contain spaces and +# logformat %macros. In theory, any logformat %macro can be used. +# In practice, a %macro expands as a dash (-) if the helper request is +# sent before the required macro information is available to Squid. +#Default: +# url_rewrite_extras "%>a/%>A %un %>rm myip=%la myport=%lp" + +# OPTIONS FOR STORE ID # ----------------------------------------------------------------------------- -# TAG: cache -# A list of ACL elements which, if matched and denied, cause the request to -# not be satisfied from the cache and the reply to not be cached. -# In other words, use this to force certain objects to never be cached. +# TAG: store_id_program +# Specify the location of the executable StoreID helper to use. +# Since they can perform almost any function there isn't one included. # -# You must use the words 'allow' or 'deny' to indicate whether items -# matching the ACL should be allowed or denied into the cache. +# For each requested URL, the helper will receive one line with the format # -# Default is to allow all to be cached. +# [channel-ID ] URL [ extras] +# +# +# After processing the request the helper must reply using the following format: +# +# [channel-ID ] result [ kv-pairs] +# +# The result code can be: +# +# OK store-id="..." +# Use the StoreID supplied in 'store-id='. +# +# ERR +# The default is to use HTTP request URL as the store ID. +# +# BH +# An internal error occured in the helper, preventing +# a result being identified. +# +# In addition to the above kv-pairs Squid also understands the following +# optional kv-pairs received from URL rewriters: +# clt_conn_tag=TAG +# Associates a TAG with the client TCP connection. +# Please see url_rewrite_program related documentation for this +# kv-pair +# +# Helper programs should be prepared to receive and possibly ignore +# additional whitespace-separated tokens on each input line. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# NOTE: when using StoreID refresh_pattern will apply to the StoreID +# returned from the helper and not the URL. +# +# WARNING: Wrong StoreID value returned by a careless helper may result +# in the wrong cached response returned to the user. +# +# By default, a StoreID helper is not used. +#Default: +# none + +# TAG: store_id_extras +# Specifies a string to be append to request line format for the +# StoreId helper. "Quoted" format values may contain spaces and +# logformat %macros. In theory, any logformat %macro can be used. +# In practice, a %macro expands as a dash (-) if the helper request is +# sent before the required macro information is available to Squid. +#Default: +# store_id_extras "%>a/%>A %un %>rm myip=%la myport=%lp" + +# TAG: store_id_children +# The maximum number of StoreID helper processes to spawn. If you limit +# it too few Squid will have to wait for them to process a backlog of +# requests, slowing it down. If you allow too many they will use RAM +# and other system resources noticably. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup= +# +# Sets a minimum of how many processes are to be spawned when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few will cause an initial slowdown in traffic as Squid +# attempts to simultaneously spawn enough processes to cope. +# +# idle= +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# +# The number of requests each storeID helper can handle in +# parallel. Defaults to 0 which indicates the helper +# is a old-style single threaded program. +# +# When this directive is set to a value >= 1 then the protocol +# used to communicate with the helper is modified to include +# an ID in front of the request/response. The ID from the request +# must be echoed back with the response to that request. +#Default: +# store_id_children 20 startup=0 idle=1 concurrency=0 + +# TAG: store_id_access +# If defined, this access list specifies which requests are +# sent to the StoreID processes. By default all requests +# are sent. # # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow, unless rules exist in squid.conf. + +# TAG: store_id_bypass +# When this is 'on', a request will not go through the +# helper if all helpers are busy. If this is 'off' +# and the helper queue grows too large, Squid will exit +# with a FATAL error and ask you to increase the number of +# helpers. You should only enable this if the helperss +# are not critical to your caching system. If you use +# helpers for critical caching components, and you enable this +# option, users may not get objects from cache. +#Default: +# store_id_bypass on + +# OPTIONS FOR TUNING THE CACHE +# ----------------------------------------------------------------------------- + +# TAG: cache +# Requests denied by this directive will not be served from the cache +# and their responses will not be stored in the cache. This directive +# has no effect on other transactions and on already cached responses. +# +# This clause supports both fast and slow acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# This and the two other similar caching directives listed below are +# checked at different transaction processing stages, have different +# access to response information, affect different cache operations, +# and differ in slow ACLs support: +# +# * cache: Checked before Squid makes a hit/miss determination. +# No access to reply information! +# Denies both serving a hit and storing a miss. +# Supports both fast and slow ACLs. +# * send_hit: Checked after a hit was detected. +# Has access to reply (hit) information. +# Denies serving a hit only. +# Supports fast ACLs only. +# * store_miss: Checked before storing a cachable miss. +# Has access to reply (miss) information. +# Denies storing a miss only. +# Supports fast ACLs only. +# +# If you are not sure which of the three directives to use, apply the +# following decision logic: +# +# * If your ACL(s) are of slow type _and_ need response info, redesign. +# Squid does not support that particular combination at this time. +# Otherwise: +# * If your directive ACL(s) are of slow type, use "cache"; and/or +# * if your directive ACL(s) need no response info, use "cache". +# Otherwise: +# * If you do not want the response cached, use store_miss; and/or +# * if you do not want a hit on a cached response, use send_hit. +#Default: +# By default, this directive is unused and has no effect. + +# TAG: send_hit +# Responses denied by this directive will not be served from the cache +# (but may still be cached, see store_miss). This directive has no +# effect on the responses it allows and on the cached objects. +# +# Please see the "cache" directive for a summary of differences among +# store_miss, send_hit, and cache directives. +# +# Unlike the "cache" directive, send_hit only supports fast acl +# types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# For example: +# +# # apply custom Store ID mapping to some URLs +# acl MapMe dstdomain .c.example.com +# store_id_program ... +# store_id_access allow MapMe +# +# # but prevent caching of special responses +# # such as 302 redirects that cause StoreID loops +# acl Ordinary http_status 200-299 +# store_miss deny MapMe !Ordinary +# +# # and do not serve any previously stored special responses +# # from the cache (in case they were already cached before +# # the above store_miss rule was in effect). +# send_hit deny MapMe !Ordinary +#Default: +# By default, this directive is unused and has no effect. + +# TAG: store_miss +# Responses denied by this directive will not be cached (but may still +# be served from the cache, see send_hit). This directive has no +# effect on the responses it allows and on the already cached responses. +# +# Please see the "cache" directive for a summary of differences among +# store_miss, send_hit, and cache directives. See the +# send_hit directive for a usage example. +# +# Unlike the "cache" directive, store_miss only supports fast acl +# types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# By default, this directive is unused and has no effect. + +# TAG: max_stale time-units +# This option puts an upper limit on how stale content Squid +# will serve from the cache if cache validation fails. +# Can be overriden by the refresh_pattern max-stale option. +#Default: +# max_stale 1 week # TAG: refresh_pattern # usage: refresh_pattern [-i] regex min percent max [options] @@ -3028,12 +4776,13 @@ coredump_dir /var/spool/squid # override-lastmod # reload-into-ims # ignore-reload -# ignore-no-cache # ignore-no-store # ignore-must-revalidate # ignore-private # ignore-auth +# max-stale=NN # refresh-ims +# store-stale # # override-expire enforces min age even if the server # sent an explicit expiry time (e.g., with the @@ -3049,22 +4798,18 @@ coredump_dir /var/spool/squid # override-lastmod enforces min age even on objects # that were modified recently. # -# reload-into-ims changes client no-cache or ``reload'' -# to If-Modified-Since requests. Doing this VIOLATES the -# HTTP standard. Enabling this feature could make you -# liable for problems which it causes. +# reload-into-ims changes a client no-cache or ``reload'' +# request for a cached entry into a conditional request using +# If-Modified-Since and/or If-None-Match headers, provided the +# cached entry has a Last-Modified and/or a strong ETag header. +# Doing this VIOLATES the HTTP standard. Enabling this feature +# could make you liable for problems which it causes. # # ignore-reload ignores a client no-cache or ``reload'' # header. Doing this VIOLATES the HTTP standard. Enabling # this feature could make you liable for problems which # it causes. # -# ignore-no-cache ignores any ``Pragma: no-cache'' and -# ``Cache-control: no-cache'' headers received from a server. -# The HTTP RFC never allows the use of this (Pragma) header -# from a server, only a client, though plenty of servers -# send it anyway. -# # ignore-no-store ignores any ``Cache-control: no-store'' # headers received from a server. Doing this VIOLATES # the HTTP standard. Enabling this feature could make you @@ -3091,9 +4836,19 @@ coredump_dir /var/spool/squid # ensures that the client will receive an updated version # if one is available. # +# store-stale stores responses even if they don't have explicit +# freshness or a validator (i.e., Last-Modified or an ETag) +# present, or if they're already stale. By default, Squid will +# not cache such responses because they usually can't be +# reused. Note that such responses will be stale by default. +# +# max-stale=NN provide a maximum staleness factor. Squid won't +# serve objects more stale than this even if it failed to +# validate the object. Default: use the max_stale global limit. +# # Basically a cached object is: # -# FRESH if expires < now, else STALE +# FRESH if expire > now, else STALE # STALE if age > max # FRESH if lm-factor < percent, else STALE # FRESH if age < min @@ -3109,7 +4864,9 @@ coredump_dir /var/spool/squid # # +# # Add any of your own refresh_pattern entries above these. +# refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 @@ -3137,7 +4894,7 @@ refresh_pattern . 0 20% 4320 # downloads. # # When the user aborts a request, Squid will check the -# quick_abort values to the amount of data transfered until +# quick_abort values to the amount of data transferred until # then. # # If the transfer has less than 'quick_abort_min' KB remaining, @@ -3195,44 +4952,68 @@ refresh_pattern . 0 20% 4320 #Default: # negative_dns_ttl 1 minutes -# TAG: range_offset_limit (bytes) -# Sets a upper limit on how far into the the file a Range request -# may be to cause Squid to prefetch the whole file. If beyond this -# limit Squid forwards the Range request as it is and the result -# is NOT cached. -# +# TAG: range_offset_limit size [acl acl...] +# usage: (size) [units] [[!]aclname] +# +# Sets an upper limit on how far (number of bytes) into the file +# a Range request may be to cause Squid to prefetch the whole file. +# If beyond this limit, Squid forwards the Range request as it is and +# the result is NOT cached. +# # This is to stop a far ahead range request (lets say start at 17MB) # from making Squid fetch the whole object up to that point before # sending anything to the client. -# -# A value of 0 causes Squid to never fetch more than the +# +# Multiple range_offset_limit lines may be specified, and they will +# be searched from top to bottom on each request until a match is found. +# The first match found will be used. If no line matches a request, the +# default limit of 0 bytes will be used. +# +# 'size' is the limit specified as a number of units. +# +# 'units' specifies whether to use bytes, KB, MB, etc. +# If no units are specified bytes are assumed. +# +# A size of 0 causes Squid to never fetch more than the # client requested. (default) -# -# A value of -1 causes Squid to always fetch the object from the +# +# A size of 'none' causes Squid to always fetch the object from the # beginning so it may cache the result. (2.0 style) -# -# NP: Using -1 here will override any quick_abort settings that may -# otherwise apply to the range request. The range request will +# +# 'aclname' is the name of a defined ACL. +# +# NP: Using 'none' as the byte value here will override any quick_abort settings +# that may otherwise apply to the range request. The range request will # be fully fetched from start to finish regardless of the client # actions. This affects bandwidth usage. #Default: -# range_offset_limit 0 KB +# none # TAG: minimum_expiry_time (seconds) # The minimum caching time according to (Expires - Date) -# Headers Squid honors if the object can't be revalidated -# defaults to 60 seconds. In reverse proxy environments it -# might be desirable to honor shorter object lifetimes. It -# is most likely better to make your server return a -# meaningful Last-Modified header however. In ESI environments -# where page fragments often have short lifetimes, this will -# often be best set to 0. +# headers Squid honors if the object can't be revalidated. +# The default is 60 seconds. +# +# In reverse proxy environments it might be desirable to honor +# shorter object lifetimes. It is most likely better to make +# your server return a meaningful Last-Modified header however. +# +# In ESI environments where page fragments often have short +# lifetimes, this will often be best set to 0. #Default: # minimum_expiry_time 60 seconds -# TAG: store_avg_object_size (kbytes) +# TAG: store_avg_object_size (bytes) # Average object size, used to estimate number of objects your # cache can hold. The default is 13 KB. +# +# This is used to pre-seed the cache index memory allocation to +# reduce expensive reallocate operations while handling clients +# traffic. Too-large values may result in memory allocation during +# peak traffic, too-small values will result in wasted memory. +# +# Check the cache manager 'info' report metrics for the real +# object sizes seen by your Squid before tuning this. #Default: # store_avg_object_size 13 KB @@ -3271,8 +5052,11 @@ refresh_pattern . 0 20% 4320 # than this limit receives an "Invalid Request" error message. # If you set this parameter to a zero (the default), there will # be no limit imposed. +# +# See also client_request_buffer_max_size for an alternative +# limitation on client uploads which can be configured. #Default: -# request_body_max_size 0 KB +# No limit. # TAG: client_request_buffer_max_size (bytes) # This specifies the maximum buffer size of a client request. @@ -3281,29 +5065,6 @@ refresh_pattern . 0 20% 4320 #Default: # client_request_buffer_max_size 512 KB -# TAG: chunked_request_body_max_size (bytes) -# A broken or confused HTTP/1.1 client may send a chunked HTTP -# request to Squid. Squid does not have full support for that -# feature yet. To cope with such requests, Squid buffers the -# entire request and then dechunks request body to create a -# plain HTTP/1.0 request with a known content length. The plain -# request is then used by the rest of Squid code as usual. -# -# The option value specifies the maximum size of the buffer used -# to hold the request before the conversion. If the chunked -# request size exceeds the specified limit, the conversion -# fails, and the client receives an "unsupported request" error, -# as if dechunking was disabled. -# -# Dechunking is enabled by default. To disable conversion of -# chunked requests, set the maximum to zero. -# -# Request dechunking feature and this option in particular are a -# temporary hack. When chunking requests and responses are fully -# supported, there will be no need to buffer a chunked request. -#Default: -# chunked_request_body_max_size 64 KB - # TAG: broken_posts # A list of ACL elements which, if matched, causes Squid to send # an extra CRLF pair after the body of a PUT/POST request. @@ -3325,15 +5086,15 @@ refresh_pattern . 0 20% 4320 # acl buggy_server url_regex ^http://.... # broken_posts allow buggy_server #Default: -# none +# Obey RFC 2616. -# TAG: icap_uses_indirect_client on|off +# TAG: adaptation_uses_indirect_client on|off # Controls whether the indirect client IP address (instead of the direct # client IP address) is passed to adaptation services. # # See also: follow_x_forwarded_for adaptation_send_client_ip #Default: -# icap_uses_indirect_client on +# adaptation_uses_indirect_client on # TAG: via on|off # If set (default), Squid will include a Via header in requests and @@ -3395,64 +5156,62 @@ refresh_pattern . 0 20% 4320 # # This option replaces the old 'anonymize_headers' and the # older 'http_anonymizer' option with something that is much -# more configurable. This new method creates a list of ACLs -# for each header, allowing you very fine-tuned header -# mangling. -# -# This option only applies to request headers, i.e., from the -# client to the server. -# -# You can only specify known headers for the header name. -# Other headers are reclassified as 'Other'. You can also -# refer to all the headers with 'All'. +# more configurable. A list of ACLs for each header name allows +# removal of specific header fields under specific conditions. +# +# This option only applies to outgoing HTTP request headers (i.e., +# headers sent by Squid to the next HTTP hop such as a cache peer +# or an origin server). The option has no effect during cache hit +# detection. The equivalent adaptation vectoring point in ICAP +# terminology is post-cache REQMOD. +# +# The option is applied to individual outgoing request header +# fields. For each request header field F, Squid uses the first +# qualifying sets of request_header_access rules: +# +# 1. Rules with header_name equal to F's name. +# 2. Rules with header_name 'Other', provided F's name is not +# on the hard-coded list of commonly used HTTP header names. +# 3. Rules with header_name 'All'. +# +# Within that qualifying rule set, rule ACLs are checked as usual. +# If ACLs of an "allow" rule match, the header field is allowed to +# go through as is. If ACLs of a "deny" rule match, the header is +# removed and request_header_replace is then checked to identify +# if the removed header has a replacement. If no rules within the +# set have matching ACLs, the header field is left as is. # # For example, to achieve the same behavior as the old # 'http_anonymizer standard' option, you should use: # # request_header_access From deny all # request_header_access Referer deny all -# request_header_access Server deny all # request_header_access User-Agent deny all -# request_header_access WWW-Authenticate deny all -# request_header_access Link deny all # # Or, to reproduce the old 'http_anonymizer paranoid' feature # you should use: # -# request_header_access Allow allow all # request_header_access Authorization allow all -# request_header_access WWW-Authenticate allow all # request_header_access Proxy-Authorization allow all -# request_header_access Proxy-Authenticate allow all # request_header_access Cache-Control allow all -# request_header_access Content-Encoding allow all # request_header_access Content-Length allow all # request_header_access Content-Type allow all # request_header_access Date allow all -# request_header_access Expires allow all # request_header_access Host allow all # request_header_access If-Modified-Since allow all -# request_header_access Last-Modified allow all -# request_header_access Location allow all # request_header_access Pragma allow all # request_header_access Accept allow all # request_header_access Accept-Charset allow all # request_header_access Accept-Encoding allow all # request_header_access Accept-Language allow all -# request_header_access Content-Language allow all -# request_header_access Mime-Version allow all -# request_header_access Retry-After allow all -# request_header_access Title allow all # request_header_access Connection allow all # request_header_access All deny all # -# although many of those are HTTP reply headers, and so should be -# controlled with the reply_header_access directive. +# HTTP reply headers are controlled with the reply_header_access directive. # -# By default, all headers are allowed (no anonymizing is -# performed). +# By default, all headers are allowed (no anonymizing is performed). #Default: -# none +# No limits. # TAG: reply_header_access # Usage: reply_header_access header_name allow|deny [!]aclname ... @@ -3465,25 +5224,13 @@ refresh_pattern . 0 20% 4320 # server to the client. # # This is the same as request_header_access, but in the other -# direction. -# -# This option replaces the old 'anonymize_headers' and the -# older 'http_anonymizer' option with something that is much -# more configurable. This new method creates a list of ACLs -# for each header, allowing you very fine-tuned header -# mangling. -# -# You can only specify known headers for the header name. -# Other headers are reclassified as 'Other'. You can also -# refer to all the headers with 'All'. +# direction. Please see request_header_access for detailed +# documentation. # # For example, to achieve the same behavior as the old # 'http_anonymizer standard' option, you should use: # -# reply_header_access From deny all -# reply_header_access Referer deny all # reply_header_access Server deny all -# reply_header_access User-Agent deny all # reply_header_access WWW-Authenticate deny all # reply_header_access Link deny all # @@ -3491,9 +5238,7 @@ refresh_pattern . 0 20% 4320 # you should use: # # reply_header_access Allow allow all -# reply_header_access Authorization allow all # reply_header_access WWW-Authenticate allow all -# reply_header_access Proxy-Authorization allow all # reply_header_access Proxy-Authenticate allow all # reply_header_access Cache-Control allow all # reply_header_access Content-Encoding allow all @@ -3501,29 +5246,22 @@ refresh_pattern . 0 20% 4320 # reply_header_access Content-Type allow all # reply_header_access Date allow all # reply_header_access Expires allow all -# reply_header_access Host allow all -# reply_header_access If-Modified-Since allow all # reply_header_access Last-Modified allow all # reply_header_access Location allow all # reply_header_access Pragma allow all -# reply_header_access Accept allow all -# reply_header_access Accept-Charset allow all -# reply_header_access Accept-Encoding allow all -# reply_header_access Accept-Language allow all # reply_header_access Content-Language allow all -# reply_header_access Mime-Version allow all # reply_header_access Retry-After allow all # reply_header_access Title allow all +# reply_header_access Content-Disposition allow all # reply_header_access Connection allow all # reply_header_access All deny all # -# although the HTTP request headers won't be usefully controlled -# by this directive -- see request_header_access for details. +# HTTP request headers are controlled with the request_header_access directive. # # By default, all headers are allowed (no anonymizing is # performed). #Default: -# none +# No limits. # TAG: request_header_replace # Usage: request_header_replace header_name message @@ -3531,8 +5269,7 @@ refresh_pattern . 0 20% 4320 # # This option allows you to change the contents of headers # denied with request_header_access above, by replacing them -# with some fixed string. This replaces the old fake_user_agent -# option. +# with some fixed string. # # This only applies to request headers, not reply headers. # @@ -3554,6 +5291,57 @@ refresh_pattern . 0 20% 4320 #Default: # none +# TAG: request_header_add +# Usage: request_header_add field-name field-value acl1 [acl2] ... +# Example: request_header_add X-Client-CA "CA=%ssl::>cert_issuer" all +# +# This option adds header fields to outgoing HTTP requests (i.e., +# request headers sent by Squid to the next HTTP hop such as a +# cache peer or an origin server). The option has no effect during +# cache hit detection. The equivalent adaptation vectoring point +# in ICAP terminology is post-cache REQMOD. +# +# Field-name is a token specifying an HTTP header name. If a +# standard HTTP header name is used, Squid does not check whether +# the new header conflicts with any existing headers or violates +# HTTP rules. If the request to be modified already contains a +# field with the same name, the old field is preserved but the +# header field values are not merged. +# +# Field-value is either a token or a quoted string. If quoted +# string format is used, then the surrounding quotes are removed +# while escape sequences and %macros are processed. +# +# In theory, all of the logformat codes can be used as %macros. +# However, unlike logging (which happens at the very end of +# transaction lifetime), the transaction may not yet have enough +# information to expand a macro when the new header value is needed. +# And some information may already be available to Squid but not yet +# committed where the macro expansion code can access it (report +# such instances!). The macro will be expanded into a single dash +# ('-') in such cases. Not all macros have been tested. +# +# One or more Squid ACLs may be specified to restrict header +# injection to matching requests. As always in squid.conf, all +# ACLs in an option ACL list must be satisfied for the insertion +# to happen. The request_header_add option supports fast ACLs +# only. +#Default: +# none + +# TAG: note +# This option used to log custom information about the master +# transaction. For example, an admin may configure Squid to log +# which "user group" the transaction belongs to, where "user group" +# will be determined based on a set of ACLs and not [just] +# authentication information. +# Values of key/value pairs can be logged using %{key}note macros: +# +# note key value acl ... +# logformat myFormat ... %{key}note ... +#Default: +# none + # TAG: relaxed_header_parser on|off|warn # In the default "on" setting Squid accepts certain forms # of non-compliant HTTP messages where it is unambiguous @@ -3569,15 +5357,32 @@ refresh_pattern . 0 20% 4320 #Default: # relaxed_header_parser on -# TAG: ignore_expect_100 on|off -# This option makes Squid ignore any Expect: 100-continue header present -# in the request. RFC 2616 requires that Squid being unable to satisfy -# the response expectation MUST return a 417 error. -# -# Note: Enabling this is a HTTP protocol violation, but some clients may -# not handle it well.. -#Default: -# ignore_expect_100 off +# TAG: collapsed_forwarding (on|off) +# When enabled, instead of forwarding each concurrent request for +# the same URL, Squid just sends the first of them. The other, so +# called "collapsed" requests, wait for the response to the first +# request and, if it happens to be cachable, use that response. +# Here, "concurrent requests" means "received after the first +# request headers were parsed and before the corresponding response +# headers were parsed". +# +# This feature is disabled by default: enabling collapsed +# forwarding needlessly delays forwarding requests that look +# cachable (when they are collapsed) but then need to be forwarded +# individually anyway because they end up being for uncachable +# content. However, in some cases, such as acceleration of highly +# cachable content with periodic or grouped expiration times, the +# gains from collapsing [large volumes of simultaneous refresh +# requests] outweigh losses from such delays. +# +# Squid collapses two kinds of requests: regular client requests +# received on one of the listening ports and internal "cache +# revalidation" requests which are triggered by those regular +# requests hitting a stale cached object. Revalidation collapsing +# is currently disabled for Squid instances containing SMP-aware +# disk or memory caches and for Vary-controlled cached objects. +#Default: +# collapsed_forwarding off # TIMEOUTS # ----------------------------------------------------------------------------- @@ -3604,25 +5409,46 @@ refresh_pattern . 0 20% 4320 # peer_connect_timeout 30 seconds # TAG: read_timeout time-units -# The read_timeout is applied on server-side connections. After -# each successful read(), the timeout will be extended by this +# Applied on peer server connections. +# +# After each successful read(), the timeout will be extended by this # amount. If no data is read again after this amount of time, -# the request is aborted and logged with ERR_READ_TIMEOUT. The -# default is 15 minutes. +# the request is aborted and logged with ERR_READ_TIMEOUT. +# +# The default is 15 minutes. #Default: # read_timeout 15 minutes +# TAG: write_timeout time-units +# This timeout is tracked for all connections that have data +# available for writing and are waiting for the socket to become +# ready. After each successful write, the timeout is extended by +# the configured amount. If Squid has data to write but the +# connection is not ready for the configured duration, the +# transaction associated with the connection is terminated. The +# default is 15 minutes. +#Default: +# write_timeout 15 minutes + # TAG: request_timeout # How long to wait for complete HTTP request headers after initial # connection establishment. #Default: # request_timeout 5 minutes -# TAG: persistent_request_timeout +# TAG: client_idle_pconn_timeout # How long to wait for the next HTTP request on a persistent -# connection after the previous request completes. +# client connection after the previous request completes. +#Default: +# client_idle_pconn_timeout 2 minutes + +# TAG: ftp_client_idle_timeout +# How long to wait for an FTP request on a connection to Squid ftp_port. +# Many FTP clients do not deal with idle connection closures well, +# necessitating a longer default timeout than client_idle_pconn_timeout +# used for incoming HTTP requests. #Default: -# persistent_request_timeout 2 minutes +# ftp_client_idle_timeout 30 minutes # TAG: client_lifetime time-units # The maximum amount of time a client (browser) is allowed to @@ -3658,11 +5484,11 @@ refresh_pattern . 0 20% 4320 #Default: # half_closed_clients off -# TAG: pconn_timeout +# TAG: server_idle_pconn_timeout # Timeout for idle persistent connections to servers and other # proxies. #Default: -# pconn_timeout 1 minute +# server_idle_pconn_timeout 1 minute # TAG: ident_timeout # Maximum time to wait for IDENT lookups to complete. @@ -3687,15 +5513,15 @@ refresh_pattern . 0 20% 4320 # TAG: cache_mgr # Email-address of local cache manager who will receive -# mail if the cache dies. The default is "webmaster." +# mail if the cache dies. The default is "webmaster". #Default: # cache_mgr webmaster # TAG: mail_from # From: email-address for mail sent when the cache dies. -# The default is to use 'appname@unique_hostname'. -# Default appname value is "squid", can be changed into -# src/globals.h before building squid. +# The default is to use 'squid@unique_hostname'. +# +# See also: unique_hostname directive. #Default: # none @@ -3734,7 +5560,7 @@ refresh_pattern . 0 20% 4320 # Our preference is for administrators to configure a secure # user account for squid with UID/GID matching system policies. #Default: -# none +# Use system group memberships of the cache_effective_user account # TAG: httpd_suppress_version_string on|off # Suppress Squid version string info in HTTP headers and HTML error pages. @@ -3748,14 +5574,14 @@ refresh_pattern . 0 20% 4320 # get errors about IP-forwarding you must set them to have individual # names with this setting. #Default: -# visible_hostname localhost +# Automatically detect the system host name # TAG: unique_hostname # If you want to have multiple machines with the same # 'visible_hostname' you must give each machine a different # 'unique_hostname' so forwarding loops can be detected. #Default: -# none +# Copy the value from visible_hostname # TAG: hostname_aliases # A list of other DNS names your cache has. @@ -3794,33 +5620,32 @@ refresh_pattern . 0 20% 4320 # available on the Web at http://www.ircache.net/Cache/Tracker/. # TAG: announce_period -# This is how frequently to send cache announcements. The -# default is `0' which disables sending the announcement -# messages. +# This is how frequently to send cache announcements. # # To enable announcing your cache, just set an announce period. # # Example: # announce_period 1 day #Default: -# announce_period 0 +# Announcement messages disabled. # TAG: announce_host +# Set the hostname where announce registration messages will be sent. +# +# See also announce_port and announce_file #Default: # announce_host tracker.ircache.net # TAG: announce_file +# The contents of this file will be included in the announce +# registration messages. #Default: # none # TAG: announce_port -# announce_host and announce_port set the hostname and port -# number where the registration message will be sent. +# Set the port where announce registration messages will be sent. # -# Hostname will default to 'tracker.ircache.net' and port will -# default default to 3131. If the 'filename' argument is given, -# the contents of that file will be included in the announce -# message. +# See also announce_host and announce_file #Default: # announce_port 3131 @@ -3833,10 +5658,12 @@ refresh_pattern . 0 20% 4320 # a farm of surrogates may all perform the same tasks, they may share # an identification token. #Default: -# httpd_accel_surrogate_id unset-id +# visible_hostname is used if no specific ID is set. # TAG: http_accel_surrogate_remote on|off -# Remote surrogates (such as those in a CDN) honour Surrogate-Control: no-store-remote. +# Remote surrogates (such as those in a CDN) honour the header +# "Surrogate-Control: no-store-remote". +# # Set this to on to have squid behave as a remote surrogate. #Default: # http_accel_surrogate_remote off @@ -3855,6 +5682,9 @@ refresh_pattern . 0 20% 4320 # This represents the number of delay pools to be used. For example, # if you have one class 2 delay pool and one class 3 delays pool, you # have a total of 2 delay pools. +# +# See also delay_parameters, delay_class, delay_access for pool +# configuration details. #Default: # delay_pools 0 @@ -3907,6 +5737,11 @@ refresh_pattern . 0 20% 4320 # # NOTE-2: Due to the use of bitmasks in class 2,3,4 pools they only apply to # IPv4 traffic. Class 1 and 5 pools may be used with IPv6 traffic. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# See also delay_parameters and delay_access. #Default: # none @@ -3921,14 +5756,16 @@ refresh_pattern . 0 20% 4320 # For example, if you want some_big_clients in delay # pool 1 and lotsa_little_clients in delay pool 2: # -#Example: -# delay_access 1 allow some_big_clients -# delay_access 1 deny all -# delay_access 2 allow lotsa_little_clients -# delay_access 2 deny all -# delay_access 3 allow authenticated_clients +# delay_access 1 allow some_big_clients +# delay_access 1 deny all +# delay_access 2 allow lotsa_little_clients +# delay_access 2 deny all +# delay_access 3 allow authenticated_clients +# +# See also delay_parameters and delay_class. +# #Default: -# none +# Deny using the pool, unless allow rules exist in squid.conf for the pool. # TAG: delay_parameters # This defines the parameters for a delay pool. Each delay pool has @@ -3936,23 +5773,23 @@ refresh_pattern . 0 20% 4320 # description of delay_class. # # For a class 1 delay pool, the syntax is: -# delay_pools pool 1 +# delay_class pool 1 # delay_parameters pool aggregate # # For a class 2 delay pool: -# delay_pools pool 2 +# delay_class pool 2 # delay_parameters pool aggregate individual # # For a class 3 delay pool: -# delay_pools pool 3 +# delay_class pool 3 # delay_parameters pool aggregate network individual # # For a class 4 delay pool: -# delay_pools pool 4 +# delay_class pool 4 # delay_parameters pool aggregate network individual user # # For a class 5 delay pool: -# delay_pools pool 5 +# delay_class pool 5 # delay_parameters pool tagrate # # The option variables are: @@ -3988,11 +5825,11 @@ refresh_pattern . 0 20% 4320 # above example, and is being used to strictly limit each host to 64Kbit/sec # (plus overheads), with no overall limit, the line is: # -# delay_parameters 1 -1/-1 8000/8000 +# delay_parameters 1 none 8000/8000 # -# Note that 8 x 8000 KByte/sec -> 64Kbit/sec. +# Note that 8 x 8K Byte/sec -> 64K bit/sec. # -# Note that the figure -1 is used to represent "unlimited". +# Note that the word 'none' is used to represent no limit. # # # And, if delay pool number 2 is a class 3 delay pool as in the above @@ -4005,15 +5842,19 @@ refresh_pattern . 0 20% 4320 # # delay_parameters 2 32000/32000 8000/8000 600/8000 # -# Note that 8 x 32000 KByte/sec -> 256Kbit/sec. -# 8 x 8000 KByte/sec -> 64Kbit/sec. -# 8 x 600 Byte/sec -> 4800bit/sec. +# Note that 8 x 32K Byte/sec -> 256K bit/sec. +# 8 x 8K Byte/sec -> 64K bit/sec. +# 8 x 600 Byte/sec -> 4800 bit/sec. # # # Finally, for a class 4 delay pool as in the example - each user will # be limited to 128Kbits/sec no matter how many workstations they are logged into.: # # delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000 +# +# +# See also delay_class and delay_access. +# #Default: # none @@ -4026,6 +5867,94 @@ refresh_pattern . 0 20% 4320 #Default: # delay_initial_bucket_level 50 +# CLIENT DELAY POOL PARAMETERS +# ----------------------------------------------------------------------------- + +# TAG: client_delay_pools +# This option specifies the number of client delay pools used. It must +# preceed other client_delay_* options. +# +# Example: +# client_delay_pools 2 +# +# See also client_delay_parameters and client_delay_access. +#Default: +# client_delay_pools 0 + +# TAG: client_delay_initial_bucket_level (percent, 0-no_limit) +# This option determines the initial bucket size as a percentage of +# max_bucket_size from client_delay_parameters. Buckets are created +# at the time of the "first" connection from the matching IP. Idle +# buckets are periodically deleted up. +# +# You can specify more than 100 percent but note that such "oversized" +# buckets are not refilled until their size goes down to max_bucket_size +# from client_delay_parameters. +# +# Example: +# client_delay_initial_bucket_level 50 +#Default: +# client_delay_initial_bucket_level 50 + +# TAG: client_delay_parameters +# +# This option configures client-side bandwidth limits using the +# following format: +# +# client_delay_parameters pool speed_limit max_bucket_size +# +# pool is an integer ID used for client_delay_access matching. +# +# speed_limit is bytes added to the bucket per second. +# +# max_bucket_size is the maximum size of a bucket, enforced after any +# speed_limit additions. +# +# Please see the delay_parameters option for more information and +# examples. +# +# Example: +# client_delay_parameters 1 1024 2048 +# client_delay_parameters 2 51200 16384 +# +# See also client_delay_access. +# +#Default: +# none + +# TAG: client_delay_access +# This option determines the client-side delay pool for the +# request: +# +# client_delay_access pool_ID allow|deny acl_name +# +# All client_delay_access options are checked in their pool ID +# order, starting with pool 1. The first checked pool with allowed +# request is selected for the request. If no ACL matches or there +# are no client_delay_access options, the request bandwidth is not +# limited. +# +# The ACL-selected pool is then used to find the +# client_delay_parameters for the request. Client-side pools are +# not used to aggregate clients. Clients are always aggregated +# based on their source IP addresses (one bucket per source IP). +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# Additionally, only the client TCP connection details are available. +# ACLs testing HTTP properties will not work. +# +# Please see delay_access for more examples. +# +# Example: +# client_delay_access 1 allow low_rate_network +# client_delay_access 2 allow vips_network +# +# +# See also client_delay_parameters and client_delay_pools. +#Default: +# Deny use of the pool, unless allow rules exist in squid.conf for the pool. + # WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS # ----------------------------------------------------------------------------- @@ -4040,7 +5969,7 @@ refresh_pattern . 0 20% 4320 # only one of the two may be used at the same time and defines # which version of WCCP to use. #Default: -# wccp_router any_addr +# WCCP disabled. # TAG: wccp2_router # Use this option to define your WCCP ``home'' router for @@ -4053,7 +5982,7 @@ refresh_pattern . 0 20% 4320 # only one of the two may be used at the same time and defines # which version of WCCP to use. #Default: -# none +# WCCPv2 disabled. # TAG: wccp_version # This directive is only relevant if you need to set up WCCP(v1) @@ -4110,7 +6039,7 @@ refresh_pattern . 0 20% 4320 # Valid values are as follows: # # hash - Hash assignment -# mask - Mask assignment +# mask - Mask assignment # # As a general rule, cisco routers support the hash assignment method # and cisco switches support the mask assignment method. @@ -4138,7 +6067,7 @@ refresh_pattern . 0 20% 4320 # # fleshed out with subsequent options. # wccp2_service standard 0 password=foo #Default: -# wccp2_service standard 0 +# Use the 'web-cache' standard service. # TAG: wccp2_service_info # Dynamic WCCPv2 services require further information to define the @@ -4175,8 +6104,12 @@ refresh_pattern . 0 20% 4320 # wccp2_weight 10000 # TAG: wccp_address +# Use this option if you require WCCPv2 to use a specific +# interface address. +# +# The default behavior is to not bind to any specific address. #Default: -# wccp_address 0.0.0.0 +# Address selected by the operating system. # TAG: wccp2_address # Use this option if you require WCCP to use a specific @@ -4184,7 +6117,7 @@ refresh_pattern . 0 20% 4320 # # The default behavior is to not bind to any specific address. #Default: -# wccp2_address 0.0.0.0 +# Address selected by the operating system. # PERSISTENT CONNECTION HANDLING # ----------------------------------------------------------------------------- @@ -4192,14 +6125,16 @@ refresh_pattern . 0 20% 4320 # Also see "pconn_timeout" in the TIMEOUTS section # TAG: client_persistent_connections +# Persistent connection support for clients. +# Squid uses persistent connections (when allowed). You can use +# this option to disable persistent connections with clients. #Default: # client_persistent_connections on # TAG: server_persistent_connections -# Persistent connection support for clients and servers. By -# default, Squid uses persistent connections (when allowed) -# with its clients and servers. You can use these options to -# disable persistent connections with clients and/or servers. +# Persistent connection support for servers. +# Squid uses persistent connections (when allowed). You can use +# this option to disable persistent connections with servers. #Default: # server_persistent_connections on @@ -4275,7 +6210,7 @@ refresh_pattern . 0 20% 4320 # Example: # snmp_port 3401 #Default: -# snmp_port 0 +# SNMP disabled. # TAG: snmp_access # Allowing or denying access to the SNMP port. @@ -4287,26 +6222,29 @@ refresh_pattern . 0 20% 4320 # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# #Example: # snmp_access allow snmppublic localhost # snmp_access deny all #Default: -# snmp_access deny all +# Deny, unless rules exist in squid.conf. # TAG: snmp_incoming_address -#Default: -# snmp_incoming_address any_addr - -# TAG: snmp_outgoing_address # Just like 'udp_incoming_address', but for the SNMP port. # # snmp_incoming_address is used for the SNMP socket receiving # messages from SNMP agents. -# snmp_outgoing_address is used for SNMP packets returned to SNMP -# agents. # # The default snmp_incoming_address is to listen on all # available network interfaces. +#Default: +# Accept SNMP packets from all machine interfaces. + +# TAG: snmp_outgoing_address +# Just like 'udp_outgoing_address', but for the SNMP port. +# +# snmp_outgoing_address is used for SNMP packets returned to SNMP +# agents. # # If snmp_outgoing_address is not set it will use the same socket # as snmp_incoming_address. Only change this if you want to have @@ -4314,9 +6252,9 @@ refresh_pattern . 0 20% 4320 # listens for SNMP queries. # # NOTE, snmp_incoming_address and snmp_outgoing_address can not have -# the same value since they both use port 3401. +# the same value since they both use the same port. #Default: -# snmp_outgoing_address no_addr +# Use snmp_incoming_address or an address selected by the operating system. # ICP OPTIONS # ----------------------------------------------------------------------------- @@ -4324,22 +6262,21 @@ refresh_pattern . 0 20% 4320 # TAG: icp_port # The port number where Squid sends and receives ICP queries to # and from neighbor caches. The standard UDP port for ICP is 3130. -# Default is disabled (0). # # Example: # icp_port 3130 #Default: -# icp_port 0 +# ICP disabled. # TAG: htcp_port # The port number where Squid sends and receives HTCP queries to # and from neighbor caches. To turn it on you want to set it to -# 4827. By default it is set to "0" (disabled). +# 4827. # # Example: # htcp_port 4827 #Default: -# htcp_port 0 +# HTCP disabled. # TAG: log_icp_queries on|off # If set, ICP queries are logged to access.log. You may wish @@ -4365,7 +6302,7 @@ refresh_pattern . 0 20% 4320 # NOTE, udp_incoming_address and udp_outgoing_address can not # have the same value since they both use the same port. #Default: -# udp_incoming_address any_addr +# Accept packets from all machine interfaces. # TAG: udp_outgoing_address # udp_outgoing_address is used for UDP packets sent out to other @@ -4386,7 +6323,7 @@ refresh_pattern . 0 20% 4320 # NOTE, udp_incoming_address and udp_outgoing_address can not # have the same value since they both use the same port. #Default: -# udp_outgoing_address no_addr +# Use udp_incoming_address or an address selected by the operating system. # TAG: icp_hit_stale on|off # If you want to return ICP_HIT for stale cache objects, set this @@ -4405,21 +6342,33 @@ refresh_pattern . 0 20% 4320 #Default: # minimum_direct_hops 4 -# TAG: minimum_direct_rtt +# TAG: minimum_direct_rtt (msec) # If using the ICMP pinging stuff, do direct fetches for sites # which are no more than this many rtt milliseconds away. #Default: # minimum_direct_rtt 400 # TAG: netdb_low +# The low water mark for the ICMP measurement database. +# +# Note: high watermark controlled by netdb_high directive. +# +# These watermarks are counts, not percents. The defaults are +# (low) 900 and (high) 1000. When the high water mark is +# reached, database entries will be deleted until the low +# mark is reached. #Default: # netdb_low 900 # TAG: netdb_high -# The low and high water marks for the ICMP measurement -# database. These are counts, not percents. The defaults are -# 900 and 1000. When the high water mark is reached, database -# entries will be deleted until the low mark is reached. +# The high water mark for the ICMP measurement database. +# +# Note: low watermark controlled by netdb_low directive. +# +# These watermarks are counts, not percents. The defaults are +# (low) 900 and (high) 1000. When the high water mark is +# reached, database entries will be deleted until the low +# mark is reached. #Default: # netdb_high 1000 @@ -4462,7 +6411,7 @@ refresh_pattern . 0 20% 4320 # # icp_query_timeout 2000 #Default: -# icp_query_timeout 0 +# Dynamic detection. # TAG: maximum_icp_query_timeout (msec) # Normally the ICP query timeout is determined dynamically. But @@ -4528,7 +6477,7 @@ refresh_pattern . 0 20% 4320 # Do not enable this option unless you are are absolutely # certain you understand what you are doing. #Default: -# mcast_miss_addr no_addr +# disabled. # TAG: mcast_miss_ttl # Note: This option is only available if Squid is rebuilt with the @@ -4618,7 +6567,7 @@ refresh_pattern . 0 20% 4320 # The squid developers working on translations are happy to supply drop-in # translated error files in exchange for any new language contributions. #Default: -# none +# Send error pages in the clients preferred language # TAG: error_default_language # Set the default language which squid will send error pages in @@ -4632,7 +6581,7 @@ refresh_pattern . 0 20% 4320 # translations for any language see the squid wiki for details. # http://wiki.squid-cache.org/Translations #Default: -# none +# Generate English language pages. # TAG: error_log_languages # Log to cache.log what languages users are attempting to @@ -4687,17 +6636,47 @@ refresh_pattern . 0 20% 4320 # the first authentication related acl encountered # - When none of the http_access lines matches. It's then the last # acl processed on the last http_access line. +# - When the decision to deny access was made by an adaptation service, +# the acl name is the corresponding eCAP or ICAP service_name. # # NP: If providing your own custom error pages with error_directory # you may also specify them by your custom file name: # Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys # -# Alternatively you can specify an error URL. The browsers will -# get redirected (302 or 307) to the specified URL. %s in the redirection -# URL will be replaced by the requested URL. +# By defaut Squid will send "403 Forbidden". A different 4xx or 5xx +# may be specified by prefixing the file name with the code and a colon. +# e.g. 404:ERR_CUSTOM_ACCESS_DENIED # # Alternatively you can tell Squid to reset the TCP connection # by specifying TCP_RESET. +# +# Or you can specify an error URL or URL pattern. The browsers will +# get redirected to the specified URL after formatting tags have +# been replaced. Redirect will be done with 302 or 307 according to +# HTTP/1.1 specs. A different 3xx code may be specified by prefixing +# the URL. e.g. 303:http://example.com/ +# +# URL FORMAT TAGS: +# %a - username (if available. Password NOT included) +# %B - FTP path URL +# %e - Error number +# %E - Error description +# %h - Squid hostname +# %H - Request domain name +# %i - Client IP Address +# %M - Request Method +# %o - Message result from external ACL helper +# %p - Request Port number +# %P - Request Protocol name +# %R - Request URL path +# %T - Timestamp in RFC 1123 format +# %U - Full canonical URL from client +# (HTTPS URLs terminate with *) +# %u - Full canonical URL from client +# %w - Admin email from squid.conf +# %x - Error name +# %% - Literal percent (%) code +# #Default: # none @@ -4706,18 +6685,18 @@ refresh_pattern . 0 20% 4320 # TAG: nonhierarchical_direct # By default, Squid will send any non-hierarchical requests -# (matching hierarchy_stoplist or not cacheable request type) direct -# to origin servers. +# (not cacheable request type) direct to origin servers. # -# If you set this to off, Squid will prefer to send these +# When this is set to "off", Squid will prefer to send these # requests to parents. # # Note that in most configurations, by turning this off you will only # add latency to these request without any improvement in global hit # ratio. # -# If you are inside an firewall see never_direct instead of -# this directive. +# This option only sets a preference. If the parent is unavailable a +# direct connection to the origin server may still be attempted. To +# completely prevent direct connections use never_direct. #Default: # nonhierarchical_direct on @@ -4736,6 +6715,29 @@ refresh_pattern . 0 20% 4320 #Default: # prefer_direct off +# TAG: cache_miss_revalidate on|off +# RFC 7232 defines a conditional request mechanism to prevent +# response objects being unnecessarily transferred over the network. +# If that mechanism is used by the client and a cache MISS occurs +# it can prevent new cache entries being created. +# +# This option determines whether Squid on cache MISS will pass the +# client revalidation request to the server or tries to fetch new +# content for caching. It can be useful while the cache is mostly +# empty to more quickly have the cache populated by generating +# non-conditional GETs. +# +# When set to 'on' (default), Squid will pass all client If-* headers +# to the server. This permits server responses without a cacheable +# payload to be delivered and on MISS no new cache entry is created. +# +# When set to 'off' and if the request is cacheable, Squid will +# remove the clients If-Modified-Since and If-None-Match headers from +# the request sent to the server. This requests a 200 status response +# from the server to create a new cache entry with. +#Default: +# cache_miss_revalidate on + # TAG: always_direct # Usage: always_direct allow|deny [!]aclname ... # @@ -4776,7 +6778,7 @@ refresh_pattern . 0 20% 4320 # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Prevent any cache_peer being used for this request. # TAG: never_direct # Usage: never_direct allow|deny [!]aclname ... @@ -4805,37 +6807,52 @@ refresh_pattern . 0 20% 4320 # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow DNS results to be used for this request. # ADVANCED NETWORKING OPTIONS # ----------------------------------------------------------------------------- -# TAG: incoming_icp_average +# TAG: incoming_udp_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: -# incoming_icp_average 6 +# incoming_udp_average 6 -# TAG: incoming_http_average +# TAG: incoming_tcp_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: -# incoming_http_average 4 +# incoming_tcp_average 4 # TAG: incoming_dns_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: # incoming_dns_average 4 -# TAG: min_icp_poll_cnt +# TAG: min_udp_poll_cnt +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: -# min_icp_poll_cnt 8 +# min_udp_poll_cnt 8 # TAG: min_dns_poll_cnt +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: # min_dns_poll_cnt 8 -# TAG: min_http_poll_cnt +# TAG: min_tcp_poll_cnt # Heavy voodoo here. I can't even believe you are reading this. # Are you crazy? Don't even think about adjusting these unless # you understand the algorithms in comm_select.c first! #Default: -# min_http_poll_cnt 8 +# min_tcp_poll_cnt 8 # TAG: accept_filter # FreeBSD: @@ -4880,14 +6897,14 @@ refresh_pattern . 0 20% 4320 # WARNING: This may noticably slow down traffic received via external proxies # or NAT devices and cause them to rebound error messages back to their clients. #Default: -# client_ip_max_connections -1 +# No limit. # TAG: tcp_recv_bufsize (bytes) # Size of receive buffer to set for TCP sockets. Probably just -# as easy to change your kernel's default. Set to zero to use -# the default buffer size. +# as easy to change your kernel's default. +# Omit from squid.conf to use the default buffer size. #Default: -# tcp_recv_bufsize 0 bytes +# Use operating system TCP defaults. # ICAP OPTIONS # ----------------------------------------------------------------------------- @@ -4913,22 +6930,36 @@ refresh_pattern . 0 20% 4320 # an established, active ICAP connection before giving up and # either terminating the HTTP transaction or bypassing the # failure. -# -# The default is read_timeout. #Default: -# none +# Use read_timeout. -# TAG: icap_service_failure_limit +# TAG: icap_service_failure_limit limit [in memory-depth time-units] # The limit specifies the number of failures that Squid tolerates # when establishing a new TCP connection with an ICAP service. If # the number of failures exceeds the limit, the ICAP service is # not used for new ICAP requests until it is time to refresh its -# OPTIONS. The per-service failure counter is reset to zero each -# time Squid fetches new service OPTIONS. +# OPTIONS. # # A negative value disables the limit. Without the limit, an ICAP # service will not be considered down due to connectivity failures # between ICAP OPTIONS requests. +# +# Squid forgets ICAP service failures older than the specified +# value of memory-depth. The memory fading algorithm +# is approximate because Squid does not remember individual +# errors but groups them instead, splitting the option +# value into ten time slots of equal length. +# +# When memory-depth is 0 and by default this option has no +# effect on service failure expiration. +# +# Squid always forgets failures when updating service settings +# using an ICAP OPTIONS transaction, regardless of this option +# setting. +# +# For example, +# # suspend service usage after 10 failures in 5 seconds: +# icap_service_failure_limit 10 in 5 seconds #Default: # icap_service_failure_limit 10 @@ -4962,10 +6993,26 @@ refresh_pattern . 0 20% 4320 # TAG: icap_preview_size # The default size of preview data to be sent to the ICAP server. -# -1 means no preview. This value might be overwritten on a per server -# basis by OPTIONS requests. +# This value might be overwritten on a per server basis by OPTIONS requests. +#Default: +# No preview sent. + +# TAG: icap_206_enable on|off +# 206 (Partial Content) responses is an ICAP extension that allows the +# ICAP agents to optionally combine adapted and original HTTP message +# content. The decision to combine is postponed until the end of the +# ICAP response. Squid supports Partial Content extension by default. +# +# Activation of the Partial Content extension is negotiated with each +# ICAP service during OPTIONS exchange. Most ICAP servers should handle +# negotation correctly even if they do not support the extension, but +# some might fail. To disable Partial Content support for all ICAP +# services and to avoid any negotiation, set this option to "off". +# +# Example: +# icap_206_enable off #Default: -# icap_preview_size -1 +# icap_206_enable on # TAG: icap_default_options_ttl # The default TTL value for ICAP OPTIONS responses that don't have @@ -4979,25 +7026,27 @@ refresh_pattern . 0 20% 4320 #Default: # icap_persistent_connections on -# TAG: icap_send_client_ip on|off +# TAG: adaptation_send_client_ip on|off # If enabled, Squid shares HTTP client IP information with adaptation # services. For ICAP, Squid adds the X-Client-IP header to ICAP requests. # For eCAP, Squid sets the libecap::metaClientIp transaction option. # # See also: adaptation_uses_indirect_client #Default: -# icap_send_client_ip off +# adaptation_send_client_ip off -# TAG: icap_send_client_username on|off +# TAG: adaptation_send_username on|off # This sends authenticated HTTP client username (if available) to -# the ICAP service. The username value is encoded based on the +# the adaptation service. +# +# For ICAP, the username value is encoded based on the # icap_client_username_encode option and is sent using the header # specified by the icap_client_username_header option. #Default: -# icap_send_client_username off +# adaptation_send_username off # TAG: icap_client_username_header -# ICAP request header name to use for send_client_username. +# ICAP request header name to use for adaptation_send_username. #Default: # icap_client_username_header X-Client-Username @@ -5009,17 +7058,19 @@ refresh_pattern . 0 20% 4320 # TAG: icap_service # Defines a single ICAP service using the following format: # -# icap_service service_name vectoring_point [options] service_url +# icap_service id vectoring_point uri [option ...] # -# service_name: ID -# an opaque identifier which must be unique in squid.conf +# id: ID +# an opaque identifier or name which is used to direct traffic to +# this specific service. Must be unique among all adaptation +# services in squid.conf. # # vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache # This specifies at which point of transaction processing the # ICAP service should be activated. *_postcache vectoring points # are not yet supported. # -# service_url: icap://servername:port/servicepath +# uri: icap://servername:port/servicepath # ICAP server and service location. # # ICAP does not allow a single service to handle both REQMOD and RESPMOD @@ -5028,6 +7079,8 @@ refresh_pattern . 0 20% 4320 # can even specify multiple identical services as long as their # service_names differ. # +# To activate a service, use the adaptation_access directive. To group +# services, use adaptation_service_chain and adaptation_service_set. # # Service options are separated by white space. ICAP services support # the following name=value options: @@ -5049,11 +7102,12 @@ refresh_pattern . 0 20% 4320 # returning a chain of services to be used next. The services # are specified using the X-Next-Services ICAP response header # value, formatted as a comma-separated list of service names. -# Each named service should be configured in squid.conf and -# should have the same method and vectoring point as the current -# ICAP transaction. Services violating these rules are ignored. -# An empty X-Next-Services value results in an empty plan which -# ends the current adaptation. +# Each named service should be configured in squid.conf. Other +# services are ignored. An empty X-Next-Services value results +# in an empty plan which ends the current adaptation. +# +# Dynamic adaptation plan may cross or cover multiple supported +# vectoring points in their natural processing order. # # Routing is not allowed by default: the ICAP X-Next-Services # response header is ignored. @@ -5063,12 +7117,32 @@ refresh_pattern . 0 20% 4320 # is to use IPv4-only connections. When set to 'on' this option will # make Squid use IPv6-only connections to contact this ICAP service. # +# on-overload=block|bypass|wait|force +# If the service Max-Connections limit has been reached, do +# one of the following for each new ICAP transaction: +# * block: send an HTTP error response to the client +# * bypass: ignore the "over-connected" ICAP service +# * wait: wait (in a FIFO queue) for an ICAP connection slot +# * force: proceed, ignoring the Max-Connections limit +# +# In SMP mode with N workers, each worker assumes the service +# connection limit is Max-Connections/N, even though not all +# workers may use a given service. +# +# The default value is "bypass" if service is bypassable, +# otherwise it is set to "wait". +# +# +# max-conn=number +# Use the given number as the Max-Connections limit, regardless +# of the Max-Connections value given by the service, if any. +# # Older icap_service format without optional named parameters is # deprecated but supported for backward compatibility. # #Example: -#icap_service svcBlocker reqmod_precache bypass=0 icap://icap1.mydomain.net:1344/reqmod -#icap_service svcLogger reqmod_precache routing=on icap://icap2.mydomain.net:1344/respmod +#icap_service svcBlocker reqmod_precache icap://icap1.mydomain.net:1344/reqmod bypass=0 +#icap_service svcLogger reqmod_precache icap://icap2.mydomain.net:1344/respmod routing=on #Default: # none @@ -5094,38 +7168,65 @@ refresh_pattern . 0 20% 4320 # ----------------------------------------------------------------------------- # TAG: ecap_enable on|off -# Note: This option is only available if Squid is rebuilt with the -# --enable-ecap option -# # Controls whether eCAP support is enabled. #Default: # ecap_enable off # TAG: ecap_service -# Note: This option is only available if Squid is rebuilt with the -# --enable-ecap option -# # Defines a single eCAP service # -# ecap_service servicename vectoring_point bypass service_url +# ecap_service id vectoring_point uri [option ...] # -# vectoring_point = reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache +# id: ID +# an opaque identifier or name which is used to direct traffic to +# this specific service. Must be unique among all adaptation +# services in squid.conf. +# +# vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache # This specifies at which point of transaction processing the # eCAP service should be activated. *_postcache vectoring points # are not yet supported. -# bypass = 1|0 -# If set to 1, the eCAP service is treated as optional. If the -# service cannot be reached or malfunctions, Squid will try to -# ignore any errors and process the message as if the service +# +# uri: ecap://vendor/service_name?custom&cgi=style¶meters=optional +# Squid uses the eCAP service URI to match this configuration +# line with one of the dynamically loaded services. Each loaded +# eCAP service must have a unique URI. Obtain the right URI from +# the service provider. +# +# To activate a service, use the adaptation_access directive. To group +# services, use adaptation_service_chain and adaptation_service_set. +# +# Service options are separated by white space. eCAP services support +# the following name=value options: +# +# bypass=on|off|1|0 +# If set to 'on' or '1', the eCAP service is treated as optional. +# If the service cannot be reached or malfunctions, Squid will try +# to ignore any errors and process the message as if the service # was not enabled. No all eCAP errors can be bypassed. -# If set to 0, the eCAP service is treated as essential and all -# eCAP errors will result in an error page returned to the +# If set to 'off' or '0', the eCAP service is treated as essential +# and all eCAP errors will result in an error page returned to the # HTTP client. -# service_url = ecap://vendor/service_name?custom&cgi=style¶meters=optional +# +# Bypass is off by default: services are treated as essential. +# +# routing=on|off|1|0 +# If set to 'on' or '1', the eCAP service is allowed to +# dynamically change the current message adaptation plan by +# returning a chain of services to be used next. +# +# Dynamic adaptation plan may cross or cover multiple supported +# vectoring points in their natural processing order. +# +# Routing is not allowed by default. +# +# Older ecap_service format without optional named parameters is +# deprecated but supported for backward compatibility. +# # #Example: -#ecap_service service_1 reqmod_precache 0 ecap://filters-R-us/leakDetector?on_error=block -#ecap_service service_2 respmod_precache 1 icap://filters-R-us/virusFilter?config=/etc/vf.cfg +#ecap_service s1 reqmod_precache ecap://filters.R.us/leakDetector?on_error=block bypass=off +#ecap_service s2 respmod_precache ecap://filters.R.us/virusFilter config=/etc/vf.cfg bypass=on #Default: # none @@ -5247,7 +7348,7 @@ refresh_pattern . 0 20% 4320 #Example: #adaptation_access service_1 allow all #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: adaptation_service_iteration_limit # Limits the number of iterations allowed when applying adaptation @@ -5275,8 +7376,14 @@ refresh_pattern . 0 20% 4320 # # An ICAP REQMOD or RESPMOD transaction may set an entry in the # shared table by returning an ICAP header field with a name -# specified in adaptation_masterx_shared_names. Squid will store -# and forward that ICAP header field to subsequent ICAP +# specified in adaptation_masterx_shared_names. +# +# An eCAP REQMOD or RESPMOD transaction may set an entry in the +# shared table by implementing the libecap::visitEachOption() API +# to provide an option with a name specified in +# adaptation_masterx_shared_names. +# +# Squid will store and forward the set entry to subsequent adaptation # transactions within the same master transaction scope. # # Only one shared entry name is supported at this time. @@ -5287,6 +7394,43 @@ refresh_pattern . 0 20% 4320 #Default: # none +# TAG: adaptation_meta +# This option allows Squid administrator to add custom ICAP request +# headers or eCAP options to Squid ICAP requests or eCAP transactions. +# Use it to pass custom authentication tokens and other +# transaction-state related meta information to an ICAP/eCAP service. +# +# The addition of a meta header is ACL-driven: +# adaptation_meta name value [!]aclname ... +# +# Processing for a given header name stops after the first ACL list match. +# Thus, it is impossible to add two headers with the same name. If no ACL +# lists match for a given header name, no such header is added. For +# example: +# +# # do not debug transactions except for those that need debugging +# adaptation_meta X-Debug 1 needs_debugging +# +# # log all transactions except for those that must remain secret +# adaptation_meta X-Log 1 !keep_secret +# +# # mark transactions from users in the "G 1" group +# adaptation_meta X-Authenticated-Groups "G 1" authed_as_G1 +# +# The "value" parameter may be a regular squid.conf token or a "double +# quoted string". Within the quoted string, use backslash (\) to escape +# any character, which is currently only useful for escaping backslashes +# and double quotes. For example, +# "this string has one backslash (\\) and two \"quotes\"" +# +# Used adaptation_meta header values may be logged via %note +# logformat code. If multiple adaptation_meta headers with the same name +# are used during master transaction lifetime, the header values are +# logged in the order they were used and duplicate values are ignored +# (only the first repeated value will be logged). +#Default: +# none + # TAG: icap_retry # This ACL determines which retriable ICAP transactions are # retried. Transactions that received a complete ICAP response @@ -5303,8 +7447,7 @@ refresh_pattern . 0 20% 4320 # icap_retry deny all # TAG: icap_retry_limit -# Limits the number of retries allowed. When set to zero (default), -# no retries are allowed. +# Limits the number of retries allowed. # # Communication errors due to persistent connection race # conditions are unavoidable, automatically retried, and do not @@ -5312,7 +7455,7 @@ refresh_pattern . 0 20% 4320 # # See also: icap_retry #Default: -# icap_retry_limit 0 +# No retries are allowed. # DNS OPTIONS # ----------------------------------------------------------------------------- @@ -5332,31 +7475,9 @@ refresh_pattern . 0 20% 4320 #Default: # allow_underscore on -# TAG: cache_dns_program -# Note: This option is only available if Squid is rebuilt with the -# --disable-internal-dns option -# -# Specify the location of the executable for dnslookup process. -#Default: -# cache_dns_program /usr/lib/squid/dnsserver - -# TAG: dns_children -# Note: This option is only available if Squid is rebuilt with the -# --disable-internal-dns option -# -# The number of processes spawn to service DNS name lookups. -# For heavily loaded caches on large servers, you should -# probably increase this value to at least 10. The maximum -# is 32. The default is 5. -# -# You must have at least one dnsserver process. -#Default: -# dns_children 5 - # TAG: dns_retransmit_interval # Initial retransmit interval for DNS queries. The interval is # doubled each time all configured DNS servers have been tried. -# #Default: # dns_retransmit_interval 5 seconds @@ -5365,7 +7486,31 @@ refresh_pattern . 0 20% 4320 # within this time all DNS servers for the queried domain # are assumed to be unavailable. #Default: -# dns_timeout 2 minutes +# dns_timeout 30 seconds + +# TAG: dns_packet_max +# Maximum number of bytes packet size to advertise via EDNS. +# Set to "none" to disable EDNS large packet support. +# +# For legacy reasons DNS UDP replies will default to 512 bytes which +# is too small for many responses. EDNS provides a means for Squid to +# negotiate receiving larger responses back immediately without having +# to failover with repeat requests. Responses larger than this limit +# will retain the old behaviour of failover to TCP DNS. +# +# Squid has no real fixed limit internally, but allowing packet sizes +# over 1500 bytes requires network jumbogram support and is usually not +# necessary. +# +# WARNING: The RFC also indicates that some older resolvers will reply +# with failure of the whole request if the extension is added. Some +# resolvers have already been identified which will reply with mangled +# EDNS response on occasion. Usually in response to many-KB jumbogram +# sizes being advertised by Squid. +# Squid will currently treat these both as an unable-to-resolve domain +# even if it would be resolvable without EDNS. +#Default: +# EDNS disabled # TAG: dns_defnames on|off # Normally the RES_DEFNAMES resolver option is disabled @@ -5373,12 +7518,21 @@ refresh_pattern . 0 20% 4320 # from interpreting single-component hostnames locally. To allow # Squid to handle single-component names, enable this option. #Default: -# dns_defnames off +# Search for single-label domain names is disabled. + +# TAG: dns_multicast_local on|off +# When set to on, Squid sends multicast DNS lookups on the local +# network for domains ending in .local and .arpa. +# This enables local servers and devices to be contacted in an +# ad-hoc or zero-configuration network environment. +#Default: +# Search for .local and .arpa names is disabled. # TAG: dns_nameservers # Use this if you want to specify a list of DNS name servers # (IP addresses) to use instead of those given in your # /etc/resolv.conf file. +# # On Windows platforms, if no value is specified here or in # the /etc/resolv.conf file, the list of DNS name servers are # taken from the Windows registry, both static and dynamic DHCP @@ -5386,7 +7540,7 @@ refresh_pattern . 0 20% 4320 # # Example: dns_nameservers 10.0.0.1 192.172.0.4 #Default: -# none +# Use operating system definitions # TAG: hosts_file # Location of the host-local IP name-address associations @@ -5425,7 +7579,7 @@ refresh_pattern . 0 20% 4320 #Example: # append_domain .yourdomain.com #Default: -# none +# Use operating system definitions # TAG: ignore_unknown_nameservers # By default Squid checks that DNS responses are received @@ -5436,23 +7590,6 @@ refresh_pattern . 0 20% 4320 #Default: # ignore_unknown_nameservers on -# TAG: dns_v4_fallback -# Standard practice with DNS is to lookup either A or AAAA records -# and use the results if it succeeds. Only looking up the other if -# the first attempt fails or otherwise produces no results. -# -# That policy however will cause squid to produce error pages for some -# servers that advertise AAAA but are unreachable over IPv6. -# -# If this is ON squid will always lookup both AAAA and A, using both. -# If this is OFF squid will lookup AAAA and only try A if none found. -# -# WARNING: There are some possibly unwanted side-effects with this on: -# *) Doubles the load placed by squid on the DNS network. -# *) May negatively impact connection delay times. -#Default: -# dns_v4_fallback on - # TAG: dns_v4_first # With the IPv6 Internet being as fast or faster than IPv4 Internet # for most networks Squid prefers to contact websites over IPv6. @@ -5464,11 +7601,12 @@ refresh_pattern . 0 20% 4320 # WARNING: # This option will restrict the situations under which IPv6 # connectivity is used (and tested), potentially hiding network -# problem swhich would otherwise be detected and warned about. +# problems which would otherwise be detected and warned about. #Default: # dns_v4_first off # TAG: ipcache_size (number of entries) +# Maximum number of DNS IP cache entries. #Default: # ipcache_size 1024 @@ -5489,6 +7627,15 @@ refresh_pattern . 0 20% 4320 # MISCELLANEOUS # ----------------------------------------------------------------------------- +# TAG: configuration_includes_quoted_values on|off +# If set, Squid will recognize each "quoted string" after a configuration +# directive as a single parameter. The quotes are stripped before the +# parameter value is interpreted or used. +# See "Values with spaces, quotes, and other special characters" +# section for more details. +#Default: +# configuration_includes_quoted_values off + # TAG: memory_pools on|off # If set, Squid will keep pools of allocated (but unused) memory # available for future use. If memory is a premium on your @@ -5539,7 +7686,7 @@ refresh_pattern . 0 20% 4320 # X-Forwarded-For header. # # If set to "truncate", Squid will remove all existing -# X-Forwarded-For entries, and place itself as the sole entry. +# X-Forwarded-For entries, and place the client IP as the sole entry. #Default: # forwarded_for on @@ -5602,7 +7749,7 @@ refresh_pattern . 0 20% 4320 # cachemgr_passwd lesssssssecret info stats/objects # cachemgr_passwd disable all #Default: -# none +# No password. Actions which require password are denied. # TAG: client_db on|off # If you want to disable collecting per-client statistics, @@ -5633,19 +7780,22 @@ refresh_pattern . 0 20% 4320 #Default: # reload_into_ims off -# TAG: maximum_single_addr_tries -# This sets the maximum number of connection attempts for a -# host that only has one address (for multiple-address hosts, -# each address is tried once). +# TAG: connect_retries +# This sets the maximum number of connection attempts made for each +# TCP connection. The connect_retries attempts must all still +# complete within the connection timeout period. +# +# The default is not to re-try if the first connection attempt fails. +# The (not recommended) maximum is 10 tries. # -# The default value is one attempt, the (not recommended) -# maximum is 255 tries. A warning message will be generated -# if it is set to a value greater than ten. +# A warning message will be generated if it is set to a too-high +# value and the configured value will be over-ridden. # -# Note: This is in addition to the request re-forwarding which -# takes place if Squid fails to get a satisfying response. +# Note: These re-tries are in addition to forward_max_tries +# which limit how many different addresses may be tried to find +# a useful server. #Default: -# maximum_single_addr_tries 1 +# Do not retry failed connections. # TAG: retry_on_error # If set to ON Squid will automatically retry requests when @@ -5678,20 +7828,32 @@ refresh_pattern . 0 20% 4320 # URI. Options: # # strip: The whitespace characters are stripped out of the URL. -# This is the behavior recommended by RFC2396. +# This is the behavior recommended by RFC2396 and RFC3986 +# for tolerant handling of generic URI. +# NOTE: This is one difference between generic URI and HTTP URLs. +# # deny: The request is denied. The user receives an "Invalid # Request" message. +# This is the behaviour recommended by RFC2616 for safe +# handling of HTTP request URL. +# # allow: The request is allowed and the URI is not changed. The # whitespace characters remain in the URI. Note the # whitespace is passed to redirector processes if they # are in use. +# Note this may be considered a violation of RFC2616 +# request parsing where whitespace is prohibited in the +# URL field. +# # encode: The request is allowed and the whitespace characters are -# encoded according to RFC1738. This could be considered -# a violation of the HTTP/1.1 -# RFC because proxies are not allowed to rewrite URI's. +# encoded according to RFC1738. +# # chop: The request is allowed and the URI is chopped at the -# first whitespace. This might also be considered a -# violation. +# first whitespace. +# +# +# NOTE the current Squid implementation of encode and chop violates +# RFC2616 by not using a 301 redirect after altering the URL. #Default: # uri_whitespace strip @@ -5718,23 +7880,28 @@ refresh_pattern . 0 20% 4320 # balance_on_multiple_ip off # TAG: pipeline_prefetch -# To boost the performance of pipelined requests to closer -# match that of a non-proxied environment Squid can try to fetch -# up to two requests in parallel from a pipeline. -# -# Defaults to off for bandwidth management and access logging +# HTTP clients may send a pipeline of 1+N requests to Squid using a +# single connection, without waiting for Squid to respond to the first +# of those requests. This option limits the number of concurrent +# requests Squid will try to handle in parallel. If set to N, Squid +# will try to receive and process up to 1+N requests on the same +# connection concurrently. +# +# Defaults to 0 (off) for bandwidth management and access logging # reasons. # +# NOTE: pipelining requires persistent connections to clients. +# # WARNING: pipelining breaks NTLM and Negotiate/Kerberos authentication. #Default: -# pipeline_prefetch off +# Do not pre-parse pipelined requests. # TAG: high_response_time_warning (msec) # If the one-minute median response time exceeds this value, # Squid prints a WARNING with debug level 0 to get the # administrators attention. The value is in milliseconds. #Default: -# high_response_time_warning 0 +# disabled. # TAG: high_page_fault_warning # If the one-minute average page fault rate exceeds this @@ -5742,14 +7909,17 @@ refresh_pattern . 0 20% 4320 # the administrators attention. The value is in page faults # per second. #Default: -# high_page_fault_warning 0 +# disabled. # TAG: high_memory_warning -# If the memory usage (as determined by mallinfo) exceeds -# this amount, Squid prints a WARNING with debug level 0 to get +# Note: This option is only available if Squid is rebuilt with the +# GNU Malloc with mstats() +# +# If the memory usage (as determined by gnumalloc, if available and used) +# exceeds this amount, Squid prints a WARNING with debug level 0 to get # the administrators attention. #Default: -# high_memory_warning 0 KB +# disabled. # TAG: sleep_after_fork (microseconds) # When this is set to a non-zero value, the main Squid process @@ -5766,6 +7936,9 @@ refresh_pattern . 0 20% 4320 # sleep_after_fork 0 # TAG: windows_ipaddrchangemonitor on|off +# Note: This option is only available if Squid is rebuilt with the +# MS Windows +# # On Windows Squid by default will monitor IP address changes and will # reconfigure itself after any detected event. This is very useful for # proxies connected to internet with dial-up interfaces. @@ -5775,13 +7948,19 @@ refresh_pattern . 0 20% 4320 #Default: # windows_ipaddrchangemonitor on +# TAG: eui_lookup +# Whether to lookup the EUI or MAC address of a connected client. +#Default: +# eui_lookup on + # TAG: max_filedescriptors -# The maximum number of filedescriptors supported. +# Reduce the maximum number of filedescriptors supported below +# the usual operating system defaults. # -# The default "0" means Squid inherits the current ulimit setting. +# Remove from squid.conf to inherit the current ulimit setting. # # Note: Changing this requires a restart of Squid. Also -# not all comm loops supports large values. +# not all I/O types supports large values (eg on Windows). #Default: -# max_filedescriptors 0 +# Use operating system limits set by ulimit. diff --git a/hosts/profitbricks-build4-amd64/etc/squid/squid.conf b/hosts/profitbricks-build4-amd64/etc/squid/squid.conf index 34be0ec5..ad1cdc47 100644 --- a/hosts/profitbricks-build4-amd64/etc/squid/squid.conf +++ b/hosts/profitbricks-build4-amd64/etc/squid/squid.conf @@ -1,4 +1,4 @@ -# WELCOME TO SQUID 3.1.20 +# WELCOME TO SQUID 3.5.23 # ---------------------------- # # This is the documentation for the Squid configuration file. @@ -32,6 +32,188 @@ # This arbitrary restriction is to prevent recursive include references # from causing Squid entering an infinite loop whilst trying to load # configuration files. +# +# Values with byte units +# +# Squid accepts size units on some size related directives. All +# such directives are documented with a default value displaying +# a unit. +# +# Units accepted by Squid are: +# bytes - byte +# KB - Kilobyte (1024 bytes) +# MB - Megabyte +# GB - Gigabyte +# +# Values with spaces, quotes, and other special characters +# +# Squid supports directive parameters with spaces, quotes, and other +# special characters. Surround such parameters with "double quotes". Use +# the configuration_includes_quoted_values directive to enable or +# disable that support. +# +# Squid supports reading configuration option parameters from external +# files using the syntax: +# parameters("/path/filename") +# For example: +# acl whitelist dstdomain parameters("/etc/squid/whitelist.txt") +# +# Conditional configuration +# +# If-statements can be used to make configuration directives +# depend on conditions: +# +# if +# ... regular configuration directives ... +# [else +# ... regular configuration directives ...] +# endif +# +# The else part is optional. The keywords "if", "else", and "endif" +# must be typed on their own lines, as if they were regular +# configuration directives. +# +# NOTE: An else-if condition is not supported. +# +# These individual conditions types are supported: +# +# true +# Always evaluates to true. +# false +# Always evaluates to false. +# = +# Equality comparison of two integer numbers. +# +# +# SMP-Related Macros +# +# The following SMP-related preprocessor macros can be used. +# +# ${process_name} expands to the current Squid process "name" +# (e.g., squid1, squid2, or cache1). +# +# ${process_number} expands to the current Squid process +# identifier, which is an integer number (e.g., 1, 2, 3) unique +# across all Squid processes of the current service instance. +# +# ${service_name} expands into the current Squid service instance +# name identifier which is provided by -n on the command line. +# + +# TAG: broken_vary_encoding +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: cache_vary +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: error_map +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: external_refresh_check +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: location_rewrite_program +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: refresh_stale_hit +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: hierarchy_stoplist +# Remove this line. Use always_direct or cache_peer_access ACLs instead if you need to prevent cache_peer use. +#Default: +# none + +# TAG: log_access +# Remove this line. Use acls with access_log directives to control access logging +#Default: +# none + +# TAG: log_icap +# Remove this line. Use acls with icap_log directives to control icap logging +#Default: +# none + +# TAG: ignore_ims_on_miss +# Remove this line. The HTTP/1.1 feature is now configured by 'cache_miss_revalidate'. +#Default: +# none + +# TAG: chunked_request_body_max_size +# Remove this line. Squid is now HTTP/1.1 compliant. +#Default: +# none + +# TAG: dns_v4_fallback +# Remove this line. Squid performs a 'Happy Eyeballs' algorithm, the 'fallback' algorithm is no longer relevant. +#Default: +# none + +# TAG: emulate_httpd_log +# Replace this with an access_log directive using the format 'common' or 'combined'. +#Default: +# none + +# TAG: forward_log +# Use a regular access.log with ACL limiting it to MISS events. +#Default: +# none + +# TAG: ftp_list_width +# Remove this line. Configure FTP page display using the CSS controls in errorpages.css instead. +#Default: +# none + +# TAG: ignore_expect_100 +# Remove this line. The HTTP/1.1 feature is now fully supported by default. +#Default: +# none + +# TAG: log_fqdn +# Remove this option from your config. To log FQDN use %>A in the log format. +#Default: +# none + +# TAG: log_ip_on_direct +# Remove this option from your config. To log server or peer names use % -##auth_param negotiate children 5 +##auth_param negotiate children 20 startup=0 idle=1 ##auth_param negotiate keep_alive on ## -##auth_param ntlm program -##auth_param ntlm children 5 -##auth_param ntlm keep_alive on -## -##auth_param digest program -##auth_param digest children 5 +##auth_param digest program +##auth_param digest children 20 startup=0 idle=1 ##auth_param digest realm Squid proxy-caching web server ##auth_param digest nonce_garbage_interval 5 minutes ##auth_param digest nonce_max_duration 30 minutes ##auth_param digest nonce_max_count 50 ## +##auth_param ntlm program +##auth_param ntlm children 20 startup=0 idle=1 +##auth_param ntlm keep_alive on +## ##auth_param basic program -##auth_param basic children 5 +##auth_param basic children 5 startup=5 idle=1 ##auth_param basic realm Squid proxy-caching web server ##auth_param basic credentialsttl 2 hours #Default: @@ -343,7 +448,7 @@ # TAG: authenticate_cache_garbage_interval # The time period between garbage collection across the username cache. -# This is a tradeoff between memory utilization (long intervals - say +# This is a trade-off between memory utilization (long intervals - say # 2 days) and CPU (short intervals - say 1 minute). Only change if you # have good reason to. #Default: @@ -362,11 +467,11 @@ # this directive controls how long Squid remembers the IP # addresses associated with each user. Use a small value # (e.g., 60 seconds) if your users might change addresses -# quickly, as is the case with dialups. You might be safe +# quickly, as is the case with dialup. You might be safe # using a larger value (e.g., 2 hours) in a corporate LAN # environment with relatively static address assignments. #Default: -# authenticate_ip_ttl 0 seconds +# authenticate_ip_ttl 1 second # ACCESS CONTROLS # ----------------------------------------------------------------------------- @@ -381,31 +486,66 @@ # # ttl=n TTL in seconds for cached results (defaults to 3600 # for 1 hour) +# # negative_ttl=n # TTL for cached negative lookups (default same # as ttl) -# children=n Number of acl helper processes spawn to service +# +# grace=n Percentage remaining of TTL where a refresh of a +# cached entry should be initiated without needing to +# wait for a new reply. (default is for no grace period) +# +# cache=n The maximum number of entries in the result cache. The +# default limit is 262144 entries. Each cache entry usually +# consumes at least 256 bytes. Squid currently does not remove +# expired cache entries until the limit is reached, so a proxy +# will sooner or later reach the limit. The expanded FORMAT +# value is used as the cache key, so if the details in FORMAT +# are highly variable, a larger cache may be needed to produce +# reduction in helper load. +# +# children-max=n +# Maximum number of acl helper processes spawned to service # external acl lookups of this type. (default 5) +# +# children-startup=n +# Minimum number of acl helper processes to spawn during +# startup and reconfigure to service external acl lookups +# of this type. (default 0) +# +# children-idle=n +# Number of acl helper processes to keep ahead of traffic +# loads. Squid will spawn this many at once whenever load +# rises above the capabilities of existing processes. +# Up to the value of children-max. (default 1) +# # concurrency=n concurrency level per process. Only used with helpers # capable of processing more than one query at a time. -# cache=n result cache size, 0 is unbounded (default) -# grace=n Percentage remaining of TTL where a refresh of a -# cached entry should be initiated without needing to -# wait for a new reply. (default 0 for no grace period) -# protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers +# +# protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers. +# # ipv4 / ipv6 IP protocol used to communicate with this helper. # The default is to auto-detect IPv6 and use it when available. # +# # FORMAT specifications # # %LOGIN Authenticated user login name -# %EXT_USER Username from external acl +# %un A user name. Expands to the first available name +# from the following list of information sources: +# - authenticated user name, like %ul or %LOGIN +# - user name sent by an external ACL, like %EXT_USER +# - SSL client name, like %us in logformat +# - ident user name, like %ui in logformat +# %EXT_USER Username from previous external acl +# %EXT_LOG Log details from previous external acl +# %EXT_TAG Tag from previous external acl # %IDENT Ident user name # %SRC Client IP # %SRCPORT Client source port # %URI Requested URI # %DST Requested host -# %PROTO Requested protocol +# %PROTO Requested URL scheme # %PORT Requested port # %PATH Requested URL path # %METHOD Request method @@ -415,7 +555,10 @@ # %USER_CERT SSL User certificate in PEM format # %USER_CERTCHAIN SSL User certificate chain in PEM format # %USER_CERT_xx SSL User certificate subject attribute xx -# %USER_CA_xx SSL User certificate issuer attribute xx +# %USER_CA_CERT_xx SSL User certificate issuer attribute xx +# %ssl::>sni SSL client SNI sent to Squid +# %ssl::{Header} HTTP request header "Header" # %>{Hdr:member} @@ -433,43 +576,101 @@ # list separator. ; can be any non-alphanumeric # character. # +# %ACL The name of the ACL being tested. +# %DATA The ACL arguments. If not used then any arguments +# is automatically added at the end of the line +# sent to the helper. +# NOTE: this will encode the arguments as one token, +# whereas the default will pass each separately. +# # %% The percent sign. Useful for helpers which need # an unchanging input format. # -# In addition to the above, any string specified in the referencing -# acl will also be included in the helper request line, after the -# specified formats (see the "acl external" directive) # -# The helper receives lines per the above format specification, -# and returns lines starting with OK or ERR indicating the validity -# of the request and optionally followed by additional keywords with -# more details. +# General request syntax: +# +# [channel-ID] FORMAT-values [acl-values ...] +# +# +# FORMAT-values consists of transaction details expanded with +# whitespace separation per the config file FORMAT specification +# using the FORMAT macros listed above. +# +# acl-values consists of any string specified in the referencing +# config 'acl ... external' line. see the "acl external" directive. +# +# Request values sent to the helper are URL escaped to protect +# each value in requests against whitespaces. +# +# If using protocol=2.5 then the request sent to the helper is not +# URL escaped to protect against whitespace. +# +# NOTE: protocol=3.0 is deprecated as no longer necessary. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# +# The helper receives lines expanded per the above format specification +# and for each input line returns 1 line starting with OK/ERR/BH result +# code and optionally followed by additional keywords with more details. +# # # General result syntax: # -# OK/ERR keyword=value ... +# [channel-ID] result keyword=value ... +# +# Result consists of one of the codes: +# +# OK +# the ACL test produced a match. +# +# ERR +# the ACL test does not produce a match. +# +# BH +# An internal error occurred in the helper, preventing +# a result being identified. +# +# The meaning of 'a match' is determined by your squid.conf +# access control configuration. See the Squid wiki for details. # # Defined keywords: # # user= The users name (login) +# # password= The users password (for login= cache_peer option) -# message= Message describing the reason. Available as %o -# in error pages -# tag= Apply a tag to a request (for both ERR and OK results) -# Only sets a tag, does not alter existing tags. +# +# message= Message describing the reason for this response. +# Available as %o in error pages. +# Useful on (ERR and BH results). +# +# tag= Apply a tag to a request. Only sets a tag once, +# does not alter existing tags. +# # log= String to be logged in access.log. Available as -# %ea in logformat specifications +# %ea in logformat specifications. # -# If protocol=3.0 (the default) then URL escaping is used to protect -# each value in both requests and responses. +# clt_conn_tag= Associates a TAG with the client TCP connection. +# Please see url_rewrite_program related documentation +# for this kv-pair. # -# If using protocol=2.5 then all values need to be enclosed in quotes -# if they may contain whitespace, or the whitespace escaped using \. -# And quotes or \ characters within the keyword value must be \ escaped. +# Any keywords may be sent on any response whether OK, ERR or BH. # -# When using the concurrency= option the protocol is changed by -# introducing a query channel tag infront of the request/response. -# The query channel tag is a number between 0 and concurrency-1. +# All response keyword values need to be a single token with URL +# escaping, or enclosed in double quotes (") and escaped using \ on +# any double quotes or \ characters within the value. The wrapping +# double quotes are removed before the value is interpreted by Squid. +# \r and \n are also replace by CR and LF. +# +# Some example key values: +# +# user=John%20Smith +# user="John Smith" +# user="J. \"Bob\" Smith" #Default: # none @@ -485,9 +686,23 @@ # # When using "file", the file should contain one item per line. # -# By default, regular expressions are CASE-SENSITIVE. -# To make them case-insensitive, use the -i option. To return case-sensitive -# use the +i option between patterns, or make a new ACL line without -i. +# Some acl types supports options which changes their default behaviour. +# The available options are: +# +# -i,+i By default, regular expressions are CASE-SENSITIVE. To make them +# case-insensitive, use the -i option. To return case-sensitive +# use the +i option between patterns, or make a new ACL line +# without -i. +# +# -n Disable lookups and address type conversions. If lookup or +# conversion is required because the parameter type (IP or +# domain name) does not match the message address type (domain +# name or IP), then the ACL would immediately declare a mismatch +# without any warnings or lookups. +# +# -- Used to stop processing all options, in the case the first acl +# value has '-' character as first character (for example the '-' +# is a valid domain name) # # Some acl types require suspending the current request in order # to access some external data source. @@ -498,29 +713,31 @@ # # ***** ACL TYPES AVAILABLE ***** # -# acl aclname src ip-address/netmask ... # clients IP address [fast] -# acl aclname src addr1-addr2/netmask ... # range of addresses [fast] -# acl aclname dst ip-address/netmask ... # URL host's IP address [slow] -# acl aclname myip ip-address/netmask ... # local socket IP address [fast] +# acl aclname src ip-address/mask ... # clients IP address [fast] +# acl aclname src addr1-addr2/mask ... # range of addresses [fast] +# acl aclname dst [-n] ip-address/mask ... # URL host's IP address [slow] +# acl aclname localip ip-address/mask ... # IP address the client connected to [fast] # # acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation) -# # The arp ACL requires the special configure option --enable-arp-acl. -# # Furthermore, the ARP ACL code is not portable to all operating systems. -# # It works on Linux, Solaris, Windows, FreeBSD, and some -# # other *BSD variants. # # [fast] +# # The 'arp' ACL code is not portable to all operating systems. +# # It works on Linux, Solaris, Windows, FreeBSD, and some other +# # BSD variants. +# # +# # NOTE: Squid can only determine the MAC/EUI address for IPv4 +# # clients that are on the same subnet. If the client is on a +# # different subnet, then Squid cannot find out its address. # # -# # NOTE: Squid can only determine the MAC address for clients that are on -# # the same subnet. If the client is on a different subnet, -# # then Squid cannot find out its MAC address. +# # NOTE 2: IPv6 protocol does not contain ARP. MAC/EUI is either +# # encoded directly in the IPv6 address or not available. # # acl aclname srcdomain .foo.com ... # # reverse lookup, from client IP [slow] -# acl aclname dstdomain .foo.com ... +# acl aclname dstdomain [-n] .foo.com ... # # Destination server from URL [fast] # acl aclname srcdom_regex [-i] \.foo\.com ... # # regex matching client name [slow] -# acl aclname dstdom_regex [-i] \.foo\.com ... +# acl aclname dstdom_regex [-n] [-i] \.foo\.com ... # # regex matching server [fast] # # # # For dstdomain and dstdom_regex a reverse lookup is tried if a IP @@ -557,13 +774,17 @@ # # acl aclname url_regex [-i] ^http:// ... # # regex matching on whole URL [fast] +# acl aclname urllogin [-i] [^a-zA-Z0-9] ... +# # regex matching on URL login field # acl aclname urlpath_regex [-i] \.gif$ ... # # regex matching on URL path [fast] # # acl aclname port 80 70 21 0-1024... # destination TCP port [fast] # # ranges are alloed -# acl aclname myport 3128 ... # local socket TCP port [fast] -# acl aclname myportname 3128 ... # http(s)_port name [fast] +# acl aclname localport 3128 ... # TCP port the client connected to [fast] +# # NP: for interception mode this is usually '80' +# +# acl aclname myportname 3128 ... # *_port name [fast] # # acl aclname proto HTTP FTP ... # request protocol [fast] # @@ -632,6 +853,11 @@ # # clients may appear to come from multiple addresses if they are # # going through proxy farms, so a limit of 1 may cause user problems. # +# acl aclname random probability +# # Pseudo-randomly match requests. Based on the probability given. +# # Probability may be written as a decimal (0.333), fraction (1/3) +# # or ratio of matches:non-matches (3:5). +# # acl aclname req_mime_type [-i] mime-type ... # # regex match against the mime type of the request generated # # by the client. Can be used to detect file upload or some @@ -663,11 +889,11 @@ # # acl aclname user_cert attribute values... # # match against attributes in a user SSL certificate -# # attribute is one of DN/C/O/CN/L/ST [fast] +# # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast] # # acl aclname ca_cert attribute values... # # match against attributes a users issuing CA SSL certificate -# # attribute is one of DN/C/O/CN/L/ST [fast] +# # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast] # # acl aclname ext_user username ... # acl aclname ext_user_regex [-i] pattern ... @@ -675,7 +901,59 @@ # # use REQUIRED to accept any non-null user name. # # acl aclname tag tagvalue ... -# # string match on tag returned by external acl helper [slow] +# # string match on tag returned by external acl helper [fast] +# # DEPRECATED. Only the first tag will match with this ACL. +# # Use the 'note' ACL instead for handling multiple tag values. +# +# acl aclname hier_code codename ... +# # string match against squid hierarchy code(s); [fast] +# # e.g., DIRECT, PARENT_HIT, NONE, etc. +# # +# # NOTE: This has no effect in http_access rules. It only has +# # effect in rules that affect the reply data stream such as +# # http_reply_access. +# +# acl aclname note name [value ...] +# # match transaction annotation [fast] +# # Without values, matches any annotation with a given name. +# # With value(s), matches any annotation with a given name that +# # also has one of the given values. +# # Names and values are compared using a string equality test. +# # Annotation sources include note and adaptation_meta directives +# # as well as helper and eCAP responses. +# +# acl aclname adaptation_service service ... +# # Matches the name of any icap_service, ecap_service, +# # adaptation_service_set, or adaptation_service_chain that Squid +# # has used (or attempted to use) for the master transaction. +# # This ACL must be defined after the corresponding adaptation +# # service is named in squid.conf. This ACL is usable with +# # adaptation_meta because it starts matching immediately after +# # the service has been selected for adaptation. +# +# acl aclname any-of acl1 acl2 ... +# # match any one of the acls [fast or slow] +# # The first matching ACL stops further ACL evaluation. +# # +# # ACLs from multiple any-of lines with the same name are ORed. +# # For example, A = (a1 or a2) or (a3 or a4) can be written as +# # acl A any-of a1 a2 +# # acl A any-of a3 a4 +# # +# # This group ACL is fast if all evaluated ACLs in the group are fast +# # and slow otherwise. +# +# acl aclname all-of acl1 acl2 ... +# # match all of the acls [fast or slow] +# # The first mismatching ACL stops further ACL evaluation. +# # +# # ACLs from multiple all-of lines with the same name are ORed. +# # For example, B = (b1 and b2) or (b3 and b4) can be written as +# # acl B all-of b1 b2 +# # acl B all-of b3 b4 +# # +# # This group ACL is fast if all evaluated ACLs in the group are fast +# # and slow otherwise. # # Examples: # acl macaddress arp 09:00:2b:23:45:67 @@ -685,14 +963,11 @@ # acl javascript rep_mime_type -i ^application/x-javascript$ # #Default: -# acl all src all +# ACLs all, manager, localhost, and to_localhost are predefined. # # # Recommended minimum configuration: -# (now built-in) -#acl manager proto cache_object -#acl localhost src 127.0.0.1/32 ::1 -#acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1 +# # Example rule allowing access from your local networks. # Adapt to list your (internal) IP networks from where browsing @@ -716,39 +991,83 @@ acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT +# TAG: proxy_protocol_access +# Determine which client proxies can be trusted to provide correct +# information regarding real client IP address using PROXY protocol. +# +# Requests may pass through a chain of several other proxies +# before reaching us. The original source details may by sent in: +# * HTTP message Forwarded header, or +# * HTTP message X-Forwarded-For header, or +# * PROXY protocol connection header. +# +# This directive is solely for validating new PROXY protocol +# connections received from a port flagged with require-proxy-header. +# It is checked only once after TCP connection setup. +# +# A deny match results in TCP connection closure. +# +# An allow match is required for Squid to permit the corresponding +# TCP connection, before Squid even looks for HTTP request headers. +# If there is an allow match, Squid starts using PROXY header information +# to determine the source address of the connection for all future ACL +# checks, logging, etc. +# +# SECURITY CONSIDERATIONS: +# +# Any host from which we accept client IP details can place +# incorrect information in the relevant header, and Squid +# will use the incorrect information as if it were the +# source address of the request. This may enable remote +# hosts to bypass any access control restrictions that are +# based on the client's source addresses. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# all TCP connections to ports with require-proxy-header will be denied + # TAG: follow_x_forwarded_for -# Allowing or Denying the X-Forwarded-For header to be followed to -# find the original source of a request. +# Determine which client proxies can be trusted to provide correct +# information regarding real client IP address. # # Requests may pass through a chain of several other proxies -# before reaching us. The X-Forwarded-For header will contain a -# comma-separated list of the IP addresses in the chain, with the -# rightmost address being the most recent. +# before reaching us. The original source details may by sent in: +# * HTTP message Forwarded header, or +# * HTTP message X-Forwarded-For header, or +# * PROXY protocol connection header. +# +# PROXY protocol connections are controlled by the proxy_protocol_access +# directive which is checked before this. # # If a request reaches us from a source that is allowed by this -# configuration item, then we consult the X-Forwarded-For header -# to see where that host received the request from. If the -# X-Forwarded-For header contains multiple addresses, we continue -# backtracking until we reach an address for which we are not allowed -# to follow the X-Forwarded-For header, or until we reach the first -# address in the list. For the purpose of ACL used in the -# follow_x_forwarded_for directive the src ACL type always matches -# the address we are testing and srcdomain matches its rDNS. +# directive, then we trust the information it provides regarding +# the IP of the client it received from (if any). +# +# For the purpose of ACLs used in this directive the src ACL type always +# matches the address we are testing and srcdomain matches its rDNS. +# +# On each HTTP request Squid checks for X-Forwarded-For header fields. +# If found the header values are iterated in reverse order and an allow +# match is required for Squid to continue on to the next value. +# The verification ends when a value receives a deny match, cannot be +# tested, or there are no more values to test. +# NOTE: Squid does not yet follow the Forwarded HTTP header. # # The end result of this process is an IP address that we will # refer to as the indirect client address. This address may # be treated as the client address for access control, ICAP, delay # pools and logging, depending on the acl_uses_indirect_client, -# icap_uses_indirect_client, delay_pool_uses_indirect_client and -# log_uses_indirect_client options. +# icap_uses_indirect_client, delay_pool_uses_indirect_client, +# log_uses_indirect_client and tproxy_uses_indirect_client options. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # # SECURITY CONSIDERATIONS: # -# Any host for which we follow the X-Forwarded-For header -# can place incorrect information in the header, and Squid +# Any host from which we accept client IP details can place +# incorrect information in the relevant header, and Squid # will use the incorrect information as if it were the # source address of the request. This may enable remote # hosts to bypass any access control restrictions that are @@ -761,7 +1080,7 @@ acl CONNECT method CONNECT # follow_x_forwarded_for allow localhost # follow_x_forwarded_for allow my_other_proxy #Default: -# follow_x_forwarded_for deny all +# X-Forwarded-For header will be ignored. # TAG: acl_uses_indirect_client on|off # Controls whether the indirect client address @@ -787,10 +1106,41 @@ acl CONNECT method CONNECT #Default: # log_uses_indirect_client on +# TAG: tproxy_uses_indirect_client on|off +# Controls whether the indirect client address +# (see follow_x_forwarded_for) is used instead of the +# direct client address when spoofing the outgoing client. +# +# This has no effect on requests arriving in non-tproxy +# mode ports. +# +# SECURITY WARNING: Usage of this option is dangerous +# and should not be used trivially. Correct configuration +# of follow_x_forwarded_for with a limited set of trusted +# sources is required to prevent abuse of your proxy. +#Default: +# tproxy_uses_indirect_client off + +# TAG: spoof_client_ip +# Control client IP address spoofing of TPROXY traffic based on +# defined access lists. +# +# spoof_client_ip allow|deny [!]aclname ... +# +# If there are no "spoof_client_ip" lines present, the default +# is to "allow" spoofing of any suitable request. +# +# Note that the cache_peer "no-tproxy" option overrides this ACL. +# +# This clause supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Allow spoofing on all TPROXY traffic. + # TAG: http_access # Allowing or Denying access based on defined access lists # -# Access to the HTTP port: +# To allow or deny a message received on an HTTP, HTTPS, or FTP port: # http_access allow|deny [!]aclname ... # # NOTE on default values: @@ -809,22 +1159,22 @@ acl CONNECT method CONNECT # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # #Default: -# http_access deny all +# Deny, unless rules exist in squid.conf. # # # Recommended minimum Access Permission configuration: # -# Only allow cachemgr access from localhost -http_access allow manager localhost -http_access deny manager - # Deny requests to certain unsafe ports http_access deny !Safe_ports # Deny CONNECT to other than secure SSL ports http_access deny CONNECT !SSL_ports +# Only allow cachemgr access from localhost +http_access allow localhost manager +http_access deny manager + # We strongly recommend the following be uncommented to protect innocent # web applications running on the proxy server who think the only # one who can access services on "localhost" is a local user @@ -852,7 +1202,7 @@ http_access deny all # # If not set then only http_access is used. #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: http_reply_access # Allow replies to client requests. This is complementary to http_access. @@ -860,7 +1210,7 @@ http_access deny all # http_reply_access allow|deny [!] aclname ... # # NOTE: if there are no access lines present, the default is to allow -# all replies +# all replies. # # If none of the access lines cause a match the opposite of the # last line will apply. Thus it is good practice to end the rules @@ -869,7 +1219,7 @@ http_access deny all # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: icp_access # Allowing or Denying access to the ICP port based on defined @@ -877,7 +1227,9 @@ http_access deny all # # icp_access allow|deny [!]aclname ... # -# See http_access for details +# NOTE: The default if no icp_access lines are present is to +# deny all traffic. This default may cause problems with peers +# using ICP. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. @@ -886,7 +1238,7 @@ http_access deny all ##icp_access allow localnet ##icp_access deny all #Default: -# icp_access deny all +# Deny, unless rules exist in squid.conf. # TAG: htcp_access # Allowing or Denying access to the HTCP port based on defined @@ -894,11 +1246,12 @@ http_access deny all # # htcp_access allow|deny [!]aclname ... # -# See http_access for details +# See also htcp_clr_access for details on access control for +# cache purge (CLR) HTCP messages. # # NOTE: The default if no htcp_access lines are present is to # deny all traffic. This default may cause problems with peers -# using the htcp or htcp-oldsquid options. +# using the htcp option. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. @@ -907,48 +1260,47 @@ http_access deny all ##htcp_access allow localnet ##htcp_access deny all #Default: -# htcp_access deny all +# Deny, unless rules exist in squid.conf. # TAG: htcp_clr_access # Allowing or Denying access to purge content using HTCP based -# on defined access lists +# on defined access lists. +# See htcp_access for details on general HTCP access control. # # htcp_clr_access allow|deny [!]aclname ... # -# See http_access for details -# # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # ## Allow HTCP CLR requests from trusted peers -#acl htcp_clr_peer src 172.16.1.2 +#acl htcp_clr_peer src 192.0.2.2 2001:DB8::2 #htcp_clr_access allow htcp_clr_peer +#htcp_clr_access deny all #Default: -# htcp_clr_access deny all +# Deny, unless rules exist in squid.conf. # TAG: miss_access -# Determins whether network access is permitted when satisfying a request. +# Determines whether network access is permitted when satisfying a request. # # For example; # to force your neighbors to use you as a sibling instead of # a parent. # -# acl localclients src 172.16.0.0/16 -# miss_access allow localclients +# acl localclients src 192.0.2.0/24 2001:DB8::a:0/64 # miss_access deny !localclients +# miss_access allow all # # This means only your local clients are allowed to fetch relayed/MISS # replies from the network and all other clients can only fetch cached # objects (HITs). # -# # The default for this setting allows all clients who passed the # http_access rules to relay via this proxy. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# miss_access allow all +# Allow, unless rules exist in squid.conf. # TAG: ident_lookup_access # A list of ACL elements which, if matched, cause an ident @@ -972,7 +1324,7 @@ http_access deny all # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# ident_lookup_access deny all +# Unless rules exist in squid.conf, IDENT is not fetched. # TAG: reply_body_max_size size [acl acl...] # This option specifies the maximum size of a reply body. It can be @@ -1009,23 +1361,22 @@ http_access deny all # reply_body_max_size 10 MB # #Default: -# none +# No limit is applied. # NETWORK OPTIONS # ----------------------------------------------------------------------------- # TAG: http_port -# Usage: port [options] -# hostname:port [options] -# 1.2.3.4:port [options] +# Usage: port [mode] [options] +# hostname:port [mode] [options] +# 1.2.3.4:port [mode] [options] # # The socket addresses where Squid will listen for HTTP client # requests. You may specify multiple socket addresses. # There are three forms: port alone, hostname with port, and # IP address with port. If you specify a hostname or IP # address, Squid binds the socket to that specific -# address. This replaces the old 'tcp_incoming_address' -# option. Most likely, you do not need to bind to a specific +# address. Most likely, you do not need to bind to a specific # address, so you can use the port number alone. # # If you are running Squid in accelerator mode, you @@ -1037,48 +1388,184 @@ http_access deny all # # You may specify multiple socket addresses on multiple lines. # -# Options: +# Modes: # -# intercept Support for IP-Layer interception of -# outgoing requests without browser settings. -# NP: disables authentication and IPv6 on the port. +# intercept Support for IP-Layer NAT interception delivering +# traffic to this Squid port. +# NP: disables authentication on the port. # -# tproxy Support Linux TPROXY for spoofing outgoing -# connections using the client IP address. -# NP: disables authentication and maybe IPv6 on the port. +# tproxy Support Linux TPROXY (or BSD divert-to) with spoofing +# of outgoing connections using the client IP address. +# NP: disables authentication on the port. # -# accel Accelerator mode. Also needs at least one of -# vhost / vport / defaultsite. +# accel Accelerator / reverse proxy mode # -# allow-direct Allow direct forwarding in accelerator mode. Normally -# accelerated requests are denied direct forwarding as if -# never_direct was used. +# ssl-bump For each CONNECT request allowed by ssl_bump ACLs, +# establish secure connection with the client and with +# the server, decrypt HTTPS messages as they pass through +# Squid, and treat them as unencrypted HTTP messages, +# becoming the man-in-the-middle. # -# defaultsite=domainname -# What to use for the Host: header if it is not present -# in a request. Determines what site (not origin server) -# accelerators should consider the default. -# Implies accel. +# The ssl_bump option is required to fully enable +# bumping of CONNECT requests. +# +# Omitting the mode flag causes default forward proxy mode to be used. +# +# +# Accelerator Mode Options: +# +# defaultsite=domainname +# What to use for the Host: header if it is not present +# in a request. Determines what site (not origin server) +# accelerators should consider the default. # -# vhost Accelerator mode using Host header for virtual domain support. -# Also uses the port as specified in Host: header unless -# overridden by the vport option. Implies accel. +# no-vhost Disable using HTTP/1.1 Host header for virtual domain support. +# +# protocol= Protocol to reconstruct accelerated and intercepted +# requests with. Defaults to HTTP/1.1 for http_port and +# HTTPS/1.1 for https_port. +# When an unsupported value is configured Squid will +# produce a FATAL error. +# Values: HTTP or HTTP/1.1, HTTPS or HTTPS/1.1 # # vport Virtual host port support. Using the http_port number -# instead of the port passed on Host: headers. Implies accel. +# instead of the port passed on Host: headers. # # vport=NN Virtual host port support. Using the specified port # number instead of the port passed on Host: headers. -# Implies accel. # -# protocol= Protocol to reconstruct accelerated requests with. -# Defaults to http. +# act-as-origin +# Act as if this Squid is the origin server. +# This currently means generate new Date: and Expires: +# headers on HIT instead of adding Age:. # # ignore-cc Ignore request Cache-Control headers. # -# Warning: This option violates HTTP specifications if +# WARNING: This option violates HTTP specifications if # used in non-accelerator setups. # +# allow-direct Allow direct forwarding in accelerator mode. Normally +# accelerated requests are denied direct forwarding as if +# never_direct was used. +# +# WARNING: this option opens accelerator mode to security +# vulnerabilities usually only affecting in interception +# mode. Make sure to protect forwarding with suitable +# http_access rules when using this. +# +# +# SSL Bump Mode Options: +# In addition to these options ssl-bump requires TLS/SSL options. +# +# generate-host-certificates[=] +# Dynamically create SSL server certificates for the +# destination hosts of bumped CONNECT requests.When +# enabled, the cert and key options are used to sign +# generated certificates. Otherwise generated +# certificate will be selfsigned. +# If there is a CA certificate lifetime of the generated +# certificate equals lifetime of the CA certificate. If +# generated certificate is selfsigned lifetime is three +# years. +# This option is disabled by default. See the ssl-bump +# option above for more information. +# +# dynamic_cert_mem_cache_size=SIZE +# Approximate total RAM size spent on cached generated +# certificates. If set to zero, caching is disabled. +# +# TLS / SSL Options: +# +# cert= Path to SSL certificate (PEM format). +# +# key= Path to SSL private key file (PEM format) +# if not specified, the certificate file is +# assumed to be a combined certificate and +# key file. +# +# version= The version of SSL/TLS supported +# 1 automatic (default) +# 2 SSLv2 only +# 3 SSLv3 only +# 4 TLSv1.0 only +# 5 TLSv1.1 only +# 6 TLSv1.2 only +# +# cipher= Colon separated list of supported ciphers. +# NOTE: some ciphers such as EDH ciphers depend on +# additional settings. If those settings are +# omitted the ciphers may be silently ignored +# by the OpenSSL library. +# +# options= Various SSL implementation options. The most important +# being: +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# SINGLE_DH_USE Always create a new key when using +# temporary/ephemeral DH key exchanges +# NO_TICKET Disables TLS tickets extension +# +# SINGLE_ECDH_USE +# Enable ephemeral ECDH key exchange. +# The adopted curve should be specified +# using the tls-dh option. +# +# ALL Enable various bug workarounds +# suggested as "harmless" by OpenSSL +# Be warned that this reduces SSL/TLS +# strength to some attacks. +# See OpenSSL SSL_CTX_set_options documentation for a +# complete list of options. +# +# clientca= File containing the list of CAs to use when +# requesting a client certificate. +# +# cafile= File containing additional CA certificates to +# use when verifying client certificates. If unset +# clientca will be used. +# +# capath= Directory containing additional CA certificates +# and CRL lists to use when verifying client certificates. +# +# crlfile= File of additional CRL lists to use when verifying +# the client certificate, in addition to CRLs stored in +# the capath. Implies VERIFY_CRL flag below. +# +# tls-dh=[curve:]file +# File containing DH parameters for temporary/ephemeral DH key +# exchanges, optionally prefixed by a curve for ephemeral ECDH +# key exchanges. +# See OpenSSL documentation for details on how to create the +# DH parameter file. Supported curves for ECDH can be listed +# using the "openssl ecparam -list_curves" command. +# WARNING: EDH and EECDH ciphers will be silently disabled if +# this option is not set. +# +# sslflags= Various flags modifying the use of SSL: +# DELAYED_AUTH +# Don't request client certificates +# immediately, but wait until acl processing +# requires a certificate (not yet implemented). +# NO_DEFAULT_CA +# Don't use the default CA lists built in +# to OpenSSL. +# NO_SESSION_REUSE +# Don't allow for session reuse. Each connection +# will result in a new SSL session. +# VERIFY_CRL +# Verify CRL lists when accepting client +# certificates. +# VERIFY_CRL_ALL +# Verify CRL lists for all certificates in the +# client certificate chain. +# +# sslcontext= SSL session ID context identifier. +# +# Other Options: +# # connection-auth[=on|off] # use connection-auth=off to tell Squid to prevent # forwarding Microsoft connection oriented authentication @@ -1100,22 +1587,6 @@ http_access deny all # sporadically hang or never complete requests set # disable-pmtu-discovery option to 'transparent'. # -# ssl-bump Intercept each CONNECT request matching ssl_bump ACL, -# establish secure connection with the client and with -# the server, decrypt HTTP messages as they pass through -# Squid, and treat them as unencrypted HTTP messages, -# becoming the man-in-the-middle. -# -# When this option is enabled, additional options become -# available to specify SSL-related properties of the -# client-side connection: cert, key, version, cipher, -# options, clientca, cafile, capath, crlfile, dhparams, -# sslflags, and sslcontext. See the https_port directive -# for more information on these options. -# -# The ssl_bump option is required to fully enable -# the SslBump feature. -# # name= Specifies a internal name for the port. Defaults to # the port specification (port or addr:port) # @@ -1125,6 +1596,11 @@ http_access deny all # probing the connection, interval how often to probe, and # timeout the time before giving up. # +# require-proxy-header +# Require PROXY protocol version 1 or 2 connections. +# The proxy_protocol_access is required to whitelist +# downstream proxies which can be trusted. +# # If you run Squid on a dual-homed machine with an internal # and an external interface we recommend you to specify the # internal address:port in http_port. This way Squid will only be @@ -1137,35 +1613,49 @@ http_port 3128 # TAG: https_port # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # -# Usage: [ip:]port cert=certificate.pem [key=key.pem] [options...] +# Usage: [ip:]port cert=certificate.pem [key=key.pem] [mode] [options...] # -# The socket address where Squid will listen for HTTPS client -# requests. +# The socket address where Squid will listen for client requests made +# over TLS or SSL connections. Commonly referred to as HTTPS. # -# This is really only useful for situations where you are running -# squid in accelerator mode and you want to do the SSL work at the -# accelerator level. +# This is most useful for situations where you are running squid in +# accelerator mode and you want to do the SSL work at the accelerator level. # # You may specify multiple socket addresses on multiple lines, # each with their own SSL certificate and/or options. # -# Options: +# Modes: +# +# accel Accelerator / reverse proxy mode +# +# intercept Support for IP-Layer interception of +# outgoing requests without browser settings. +# NP: disables authentication and IPv6 on the port. +# +# tproxy Support Linux TPROXY for spoofing outgoing +# connections using the client IP address. +# NP: disables authentication and maybe IPv6 on the port. +# +# ssl-bump For each intercepted connection allowed by ssl_bump +# ACLs, establish a secure connection with the client and with +# the server, decrypt HTTPS messages as they pass through +# Squid, and treat them as unencrypted HTTP messages, +# becoming the man-in-the-middle. +# +# An "ssl_bump server-first" match is required to +# fully enable bumping of intercepted SSL connections. +# +# Requires tproxy or intercept. # -# accel Accelerator mode. Also needs at least one of -# defaultsite or vhost. +# Omitting the mode flag causes default forward proxy mode to be used. # -# defaultsite= The name of the https site presented on -# this port. Implies accel. # -# vhost Accelerator mode using Host header for virtual -# domain support. Requires a wildcard certificate -# or other certificate valid for more than one domain. -# Implies accel. +# See http_port for a list of generic options # -# protocol= Protocol to reconstruct accelerated requests with. -# Defaults to https. +# +# SSL Options: # # cert= Path to SSL certificate (PEM format). # @@ -1181,20 +1671,23 @@ http_port 3128 # 4 TLSv1 only # # cipher= Colon separated list of supported ciphers. -# NOTE: some ciphers such as EDH ciphers depend on -# additional settings. If those settings are -# omitted the ciphers may be silently ignored -# by the OpenSSL library. # # options= Various SSL engine options. The most important # being: # NO_SSLv2 Disallow the use of SSLv2 # NO_SSLv3 Disallow the use of SSLv3 # NO_TLSv1 Disallow the use of TLSv1 +# # SINGLE_DH_USE Always create a new key when using # temporary/ephemeral DH key exchanges -# See OpenSSL SSL_CTX_set_options documentation for a -# complete list of options. +# +# SINGLE_ECDH_USE +# Enable ephemeral ECDH key exchange. +# The adopted curve should be specified +# using the tls-dh option. +# +# See src/ssl_support.c or OpenSSL SSL_CTX_set_options +# documentation for a complete list of options. # # clientca= File containing the list of CAs to use when # requesting a client certificate. @@ -1210,11 +1703,10 @@ http_port 3128 # the client certificate, in addition to CRLs stored in # the capath. Implies VERIFY_CRL flag below. # -# dhparams= File containing DH parameters for temporary/ephemeral -# DH key exchanges. See OpenSSL documentation for details -# on how to create this file. -# WARNING: EDH ciphers will be silently disabled if this -# option is not set. +# tls-dh=[curve:]file +# File containing DH parameters for temporary/ephemeral DH key +# exchanges, optionally prefixed by a curve for ephemeral ECDH +# key exchanges. # # sslflags= Various flags modifying the use of SSL: # DELAYED_AUTH @@ -1238,38 +1730,89 @@ http_port 3128 # # generate-host-certificates[=] # Dynamically create SSL server certificates for the -# destination hosts of bumped CONNECT requests.When +# destination hosts of bumped SSL requests.When # enabled, the cert and key options are used to sign # generated certificates. Otherwise generated # certificate will be selfsigned. -# If there is CA certificate life time of generated +# If there is CA certificate life time of generated # certificate equals lifetime of CA certificate. If -# generated certificate is selfsigned lifetime is three +# generated certificate is selfsigned lifetime is three # years. -# This option is enabled by default when SslBump is used. -# See the sslBump option above for more information. -# +# This option is disabled by default. See the ssl-bump +# option above for more information. +# # dynamic_cert_mem_cache_size=SIZE # Approximate total RAM size spent on cached generated -# certificates. If set to zero, caching is disabled. The -# default value is 4MB. An average XXX-bit certificate -# consumes about XXX bytes of RAM. +# certificates. If set to zero, caching is disabled. # -# vport Accelerator with IP based virtual host support. +# See http_port for a list of available options. +#Default: +# none + +# TAG: ftp_port +# Enables Native FTP proxy by specifying the socket address where Squid +# listens for FTP client requests. See http_port directive for various +# ways to specify the listening address and mode. # -# vport=NN As above, but uses specified port number rather -# than the https_port number. Implies accel. +# Usage: ftp_port address [mode] [options] # -# name= Specifies a internal name for the port. Defaults to -# the port specification (port or addr:port) +# WARNING: This is a new, experimental, complex feature that has seen +# limited production exposure. Some Squid modules (e.g., caching) do not +# currently work with native FTP proxying, and many features have not +# even been tested for compatibility. Test well before deploying! +# +# Native FTP proxying differs substantially from proxying HTTP requests +# with ftp:// URIs because Squid works as an FTP server and receives +# actual FTP commands (rather than HTTP requests with FTP URLs). # +# Native FTP commands accepted at ftp_port are internally converted or +# wrapped into HTTP-like messages. The same happens to Native FTP +# responses received from FTP origin servers. Those HTTP-like messages +# are shoveled through regular access control and adaptation layers +# between the FTP client and the FTP origin server. This allows Squid to +# examine, adapt, block, and log FTP exchanges. Squid reuses most HTTP +# mechanisms when shoveling wrapped FTP messages. For example, +# http_access and adaptation_access directives are used. +# +# Modes: +# +# intercept Same as http_port intercept. The FTP origin address is +# determined based on the intended destination of the +# intercepted connection. +# +# tproxy Support Linux TPROXY for spoofing outgoing +# connections using the client IP address. +# NP: disables authentication and maybe IPv6 on the port. +# +# By default (i.e., without an explicit mode option), Squid extracts the +# FTP origin address from the login@origin parameter of the FTP USER +# command. Many popular FTP clients support such native FTP proxying. +# +# Options: +# +# name=token Specifies an internal name for the port. Defaults to +# the port address. Usable with myportname ACL. +# +# ftp-track-dirs +# Enables tracking of FTP directories by injecting extra +# PWD commands and adjusting Request-URI (in wrapping +# HTTP requests) to reflect the current FTP server +# directory. Tracking is disabled by default. +# +# protocol=FTP Protocol to reconstruct accelerated and intercepted +# requests with. Defaults to FTP. No other accepted +# values have been tested with. An unsupported value +# results in a FATAL error. Accepted values are FTP, +# HTTP (or HTTP/1.1), and HTTPS (or HTTPS/1.1). +# +# Other http_port modes and options that are not specific to HTTP and +# HTTPS may also work. #Default: # none # TAG: tcp_outgoing_tos -# Allows you to select a TOS/Diffserv value to mark outgoing -# connections with, based on the username or source address -# making the request. +# Allows you to select a TOS/Diffserv value for packets outgoing +# on the server side, based on an ACL. # # tcp_outgoing_tos ds-field [!]aclname ... # @@ -1286,41 +1829,116 @@ http_port 3128 # RFC2475, and RFC3260. # # The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or -# "default" to use whatever default your host has. Note that in -# practice often only multiples of 4 is usable as the two rightmost bits -# have been redefined for use by ECN (RFC 3168 section 23.1). +# "default" to use whatever default your host has. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. # # Processing proceeds in the order specified, and stops at first fully # matching line. # -# Note: The use of this directive using client dependent ACLs is -# incompatible with the use of server side persistent connections. To -# ensure correct results it is best to set server_persistent_connections -# to off when using this directive in such configurations. +# Only fast ACLs are supported. #Default: # none # TAG: clientside_tos -# Allows you to select a TOS/Diffserv value to mark client-side -# connections with, based on the username or source address -# making the request. +# Allows you to select a TOS/DSCP value for packets being transmitted +# on the client-side, based on an ACL. +# +# clientside_tos ds-field [!]aclname ... +# +# Example where normal_service_net uses the TOS value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# clientside_tos 0x00 normal_service_net +# clientside_tos 0x20 good_service_net +# +# Note: This feature is incompatible with qos_flows. Any TOS values set here +# will be overwritten by TOS values in qos_flows. +# +# The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or +# "default" to use whatever default your host has. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. +# +#Default: +# none + +# TAG: tcp_outgoing_mark +# Note: This option is only available if Squid is rebuilt with the +# Packet MARK (Linux) +# +# Allows you to apply a Netfilter mark value to outgoing packets +# on the server side, based on an ACL. +# +# tcp_outgoing_mark mark-value [!]aclname ... +# +# Example where normal_service_net uses the mark value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# tcp_outgoing_mark 0x00 normal_service_net +# tcp_outgoing_mark 0x20 good_service_net +# +# Only fast ACLs are supported. +#Default: +# none + +# TAG: clientside_mark +# Note: This option is only available if Squid is rebuilt with the +# Packet MARK (Linux) +# +# Allows you to apply a Netfilter mark value to packets being transmitted +# on the client-side, based on an ACL. +# +# clientside_mark mark-value [!]aclname ... +# +# Example where normal_service_net uses the mark value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# clientside_mark 0x00 normal_service_net +# clientside_mark 0x20 good_service_net +# +# Note: This feature is incompatible with qos_flows. Any mark values set here +# will be overwritten by mark values in qos_flows. #Default: # none # TAG: qos_flows # Allows you to select a TOS/DSCP value to mark outgoing -# connections with, based on where the reply was sourced. +# connections to the client, based on where the reply was sourced. +# For platforms using netfilter, allows you to set a netfilter mark +# value instead of, or in addition to, a TOS value. +# +# By default this functionality is disabled. To enable it with the default +# settings simply use "qos_flows mark" or "qos_flows tos". Default +# settings will result in the netfilter mark or TOS value being copied +# from the upstream connection to the client. Note that it is the connection +# CONNMARK value not the packet MARK value that is copied. +# +# It is not currently possible to copy the mark or TOS value from the +# client to the upstream connection request. # # TOS values really only have local significance - so you should # know what you're specifying. For more information, see RFC2474, # RFC2475, and RFC3260. # -# The TOS/DSCP byte must be exactly that - octet value 0x00-0xFF. -# Note that in practice often only values up to 0x3F are usable -# as the two highest bits have been redefined for use by ECN -# (RFC3168). +# The TOS/DSCP byte must be exactly that - a octet value 0 - 255. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. +# +# Mark values can be any unsigned 32-bit integer value. # -# This setting is configured by setting the source TOS values: +# This setting is configured by setting the following values: +# +# tos|mark Whether to set TOS or netfilter mark values # # local-hit=0xFF Value to mark local cache hits. # @@ -1328,23 +1946,37 @@ http_port 3128 # # parent-hit=0xFF Value to mark hits from parent peers. # +# miss=0xFF[/mask] Value to mark cache misses. Takes precedence +# over the preserve-miss feature (see below), unless +# mask is specified, in which case only the bits +# specified in the mask are written. # -# NOTE: 'miss' preserve feature is only possible on Linux at this time. -# -# For the following to work correctly, you will need to patch your -# linux kernel with the TOS preserving ZPH patch. -# The kernel patch can be downloaded from http://zph.bratcheda.org +# The TOS variant of the following features are only possible on Linux +# and require your kernel to be patched with the TOS preserving ZPH +# patch, available from http://zph.bratcheda.org +# No patch is needed to preserve the netfilter mark, which will work +# with all variants of netfilter. # # disable-preserve-miss -# By default, the existing TOS value of the response coming -# from the remote server will be retained and masked with -# miss-mark. This option disables that feature. +# This option disables the preservation of the TOS or netfilter +# mark. By default, the existing TOS or netfilter mark value of +# the response coming from the remote server will be retained +# and masked with miss-mark. +# NOTE: in the case of a netfilter mark, the mark must be set on +# the connection (using the CONNMARK target) not on the packet +# (MARK target). # # miss-mask=0xFF -# Allows you to mask certain bits in the TOS received from the -# remote server, before copying the value to the TOS sent -# towards clients. -# Default: 0xFF (TOS from server is not changed). +# Allows you to mask certain bits in the TOS or mark value +# received from the remote server, before copying the value to +# the TOS sent towards clients. +# Default for tos: 0xFF (TOS from server is not changed). +# Default for mark: 0xFFFFFFFF (mark from server is not changed). +# +# All of these features require the --enable-zph-qos compilation flag +# (enabled by default). Netfilter marking also requires the +# libnetfilter_conntrack libraries (--with-netfilter-conntrack) and +# libcap 2.09+ (--with-libcap). # #Default: # none @@ -1356,72 +1988,133 @@ http_port 3128 # # tcp_outgoing_address ipaddr [[!]aclname] ... # -# Example where requests from 10.0.0.0/24 will be forwarded -# with source address 10.1.0.1, 10.0.2.0/24 forwarded with -# source address 10.1.0.2 and the rest will be forwarded with -# source address 10.1.0.3. -# -# acl normal_service_net src 10.0.0.0/24 -# acl good_service_net src 10.0.2.0/24 -# tcp_outgoing_address 10.1.0.1 normal_service_net -# tcp_outgoing_address 10.1.0.2 good_service_net -# tcp_outgoing_address 10.1.0.3 -# -# Processing proceeds in the order specified, and stops at first fully -# matching line. -# -# Note: The use of this directive using client dependent ACLs is -# incompatible with the use of server side persistent connections. To -# ensure correct results it is best to set server_persistent_connections -# to off when using this directive in such configurations. -# +# For example; +# Forwarding clients with dedicated IPs for certain subnets. # -# IPv6 Magic: +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.2.0/24 # -# Squid is built with a capability of bridging the IPv4 and IPv6 -# internets. -# tcp_outgoing_address as exampled above breaks this bridging by forcing -# all outbound traffic through a certain IPv4 which may be on the wrong -# side of the IPv4/IPv6 boundary. +# tcp_outgoing_address 2001:db8::c001 good_service_net +# tcp_outgoing_address 10.1.0.2 good_service_net # -# To operate with tcp_outgoing_address and keep the bridging benefits -# an additional ACL needs to be used which ensures the IPv6-bound traffic -# is never forced or permitted out the IPv4 interface. +# tcp_outgoing_address 2001:db8::beef normal_service_net +# tcp_outgoing_address 10.1.0.1 normal_service_net # -# # IPv6 destination test along with a dummy access control to perform the required DNS -# # This MUST be place before any ALLOW rules. -# acl to_ipv6 dst ipv6 -# http_access deny ipv6 !all +# tcp_outgoing_address 2001:db8::1 +# tcp_outgoing_address 10.1.0.3 # -# tcp_outgoing_address 2001:db8::c001 good_service_net to_ipv6 -# tcp_outgoing_address 10.1.0.2 good_service_net !to_ipv6 +# Processing proceeds in the order specified, and stops at first fully +# matching line. # -# tcp_outgoing_address 2001:db8::beef normal_service_net to_ipv6 -# tcp_outgoing_address 10.1.0.1 normal_service_net !to_ipv6 +# Squid will add an implicit IP version test to each line. +# Requests going to IPv4 websites will use the outgoing 10.1.0.* addresses. +# Requests going to IPv6 websites will use the outgoing 2001:db8:* addresses. # -# tcp_outgoing_address 2001:db8::1 to_ipv6 -# tcp_outgoing_address 10.1.0.3 !to_ipv6 # -# WARNING: -# 'dst ipv6' bases its selection assuming DIRECT access. -# If peers are used the peername ACL are needed to select outgoing -# address which can link to the peer. +# NOTE: The use of this directive using client dependent ACLs is +# incompatible with the use of server side persistent connections. To +# ensure correct results it is best to set server_persistent_connections +# to off when using this directive in such configurations. # -# 'dst ipv6' is a slow ACL. It will only work here if 'dst' is used -# previously in the http_access rules to locate the destination IP. -# Some more magic may be needed for that: -# http_access allow to_ipv6 !all -# (meaning, allow if to IPv6 but not from anywhere ;) +# NOTE: The use of this directive to set a local IP on outgoing TCP links +# is incompatible with using TPROXY to set client IP out outbound TCP links. +# When needing to contact peers use the no-tproxy cache_peer option and the +# client_dst_passthru directive re-enable normal forwarding such as this. # #Default: -# none +# Address selection is performed by the operating system. + +# TAG: host_verify_strict +# Regardless of this option setting, when dealing with intercepted +# traffic, Squid always verifies that the destination IP address matches +# the Host header domain or IP (called 'authority form URL'). +# +# This enforcement is performed to satisfy a MUST-level requirement in +# RFC 2616 section 14.23: "The Host field value MUST represent the naming +# authority of the origin server or gateway given by the original URL". +# +# When set to ON: +# Squid always responds with an HTTP 409 (Conflict) error +# page and logs a security warning if there is no match. +# +# Squid verifies that the destination IP address matches +# the Host header for forward-proxy and reverse-proxy traffic +# as well. For those traffic types, Squid also enables the +# following checks, comparing the corresponding Host header +# and Request-URI components: +# +# * The host names (domain or IP) must be identical, +# but valueless or missing Host header disables all checks. +# For the two host names to match, both must be either IP +# or FQDN. +# +# * Port numbers must be identical, but if a port is missing +# the scheme-default port is assumed. +# +# +# When set to OFF (the default): +# Squid allows suspicious requests to continue but logs a +# security warning and blocks caching of the response. +# +# * Forward-proxy traffic is not checked at all. +# +# * Reverse-proxy traffic is not checked at all. +# +# * Intercepted traffic which passes verification is handled +# according to client_dst_passthru. +# +# * Intercepted requests which fail verification are sent +# to the client original destination instead of DIRECT. +# This overrides 'client_dst_passthru off'. +# +# For now suspicious intercepted CONNECT requests are always +# responded to with an HTTP 409 (Conflict) error page. +# +# +# SECURITY NOTE: +# +# As described in CVE-2009-0801 when the Host: header alone is used +# to determine the destination of a request it becomes trivial for +# malicious scripts on remote websites to bypass browser same-origin +# security policy and sandboxing protections. +# +# The cause of this is that such applets are allowed to perform their +# own HTTP stack, in which case the same-origin policy of the browser +# sandbox only verifies that the applet tries to contact the same IP +# as from where it was loaded at the IP level. The Host: header may +# be different from the connected IP and approved origin. +# +#Default: +# host_verify_strict off + +# TAG: client_dst_passthru +# With NAT or TPROXY intercepted traffic Squid may pass the request +# directly to the original client destination IP or seek a faster +# source using the HTTP Host header. +# +# Using Host to locate alternative servers can provide faster +# connectivity with a range of failure recovery options. +# But can also lead to connectivity trouble when the client and +# server are attempting stateful interactions unaware of the proxy. +# +# This option (on by default) prevents alternative DNS entries being +# located to send intercepted traffic DIRECT to an origin server. +# The clients original destination IP and port will be used instead. +# +# Regardless of this option setting, when dealing with intercepted +# traffic Squid will verify the Host: header and any traffic which +# fails Host verification will be treated as if this option were ON. +# +# see host_verify_strict for details on the verification process. +#Default: +# client_dst_passthru on # SSL OPTIONS # ----------------------------------------------------------------------------- # TAG: ssl_unclean_shutdown # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Some browsers (especially MSIE) bugs out on SSL shutdown # messages. @@ -1430,7 +2123,7 @@ http_port 3128 # TAG: ssl_engine # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # The OpenSSL engine to use. You will need to set this if you # would like to use hardware SSL acceleration for example. @@ -1439,7 +2132,7 @@ http_port 3128 # TAG: sslproxy_client_certificate # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Client SSL Certificate to use when proxying https:// URLs #Default: @@ -1447,7 +2140,7 @@ http_port 3128 # TAG: sslproxy_client_key # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Client SSL Key to use when proxying https:// URLs #Default: @@ -1455,36 +2148,60 @@ http_port 3128 # TAG: sslproxy_version # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # SSL version level to use when proxying https:// URLs +# +# The versions of SSL/TLS supported: +# +# 1 automatic (default) +# 2 SSLv2 only +# 3 SSLv3 only +# 4 TLSv1.0 only +# 5 TLSv1.1 only +# 6 TLSv1.2 only #Default: -# sslproxy_version 1 +# automatic SSL/TLS version negotiation # TAG: sslproxy_options # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # -# SSL engine options to use when proxying https:// URLs +# Colon (:) or comma (,) separated list of SSL implementation options +# to use when proxying https:// URLs # # The most important being: # -# NO_SSLv2 Disallow the use of SSLv2 -# NO_SSLv3 Disallow the use of SSLv3 -# NO_TLSv1 Disallow the use of TLSv1 -# SINGLE_DH_USE -# Always create a new key when using -# temporary/ephemeral DH key exchanges +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# +# SINGLE_DH_USE +# Always create a new key when using temporary/ephemeral +# DH key exchanges +# +# NO_TICKET +# Disable use of RFC5077 session tickets. Some servers +# may have problems understanding the TLS extension due +# to ambiguous specification in RFC4507. +# +# ALL Enable various bug workarounds suggested as "harmless" +# by OpenSSL. Be warned that this may reduce SSL/TLS +# strength to some attacks. # -# These options vary depending on your SSL engine. # See the OpenSSL SSL_CTX_set_options documentation for a # complete list of possible options. +# +# WARNING: This directive takes a single token. If a space is used +# the value(s) after that space are SILENTLY IGNORED. #Default: # none # TAG: sslproxy_cipher # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # SSL cipher list to use when proxying https:// URLs # @@ -1494,7 +2211,7 @@ http_port 3128 # TAG: sslproxy_cafile # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # file containing CA certificates to use when verifying server # certificates while proxying https:// URLs @@ -1503,45 +2220,151 @@ http_port 3128 # TAG: sslproxy_capath # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # directory containing CA certificates to use when verifying # server certificates while proxying https:// URLs #Default: # none -# TAG: ssl_bump +# TAG: sslproxy_session_ttl +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the timeout value for SSL sessions +#Default: +# sslproxy_session_ttl 300 + +# TAG: sslproxy_session_cache_size +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the cache size to use for ssl session +#Default: +# sslproxy_session_cache_size 2 MB + +# TAG: sslproxy_foreign_intermediate_certs # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # -# This ACL controls which CONNECT requests to an http_port -# marked with an sslBump flag are actually "bumped". Please -# see the sslBump flag of an http_port option for more details -# about decoding proxied SSL connections. +# Many origin servers fail to send their full server certificate +# chain for verification, assuming the client already has or can +# easily locate any missing intermediate certificates. # -# By default, no requests are bumped. +# Squid uses the certificates from the specified file to fill in +# these missing chains when trying to validate origin server +# certificate chains. +# +# The file is expected to contain zero or more PEM-encoded +# intermediate certificates. These certificates are not treated +# as trusted root certificates, and any self-signed certificate in +# this file will be ignored. +#Default: +# none + +# TAG: sslproxy_cert_sign_hash +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the hashing algorithm to use when signing generated certificates. +# Valid algorithm names depend on the OpenSSL library used. The following +# names are usually available: sha1, sha256, sha512, and md5. Please see +# your OpenSSL library manual for the available hashes. By default, Squids +# that support this option use sha256 hashes. +# +# Squid does not forcefully purge cached certificates that were generated +# with an algorithm other than the currently configured one. They remain +# in the cache, subject to the regular cache eviction policy, and become +# useful if the algorithm changes again. +#Default: +# none + +# TAG: ssl_bump +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# This option is consulted when a CONNECT request is received on +# an http_port (or a new connection is intercepted at an +# https_port), provided that port was configured with an ssl-bump +# flag. The subsequent data on the connection is either treated as +# HTTPS and decrypted OR tunneled at TCP level without decryption, +# depending on the first matching bumping "action". +# +# ssl_bump [!]acl ... +# +# The following bumping actions are currently supported: +# +# splice +# Become a TCP tunnel without decrypting proxied traffic. +# This is the default action. +# +# bump +# Establish a secure connection with the server and, using a +# mimicked server certificate, with the client. +# +# peek +# Receive client (step SslBump1) or server (step SslBump2) +# certificate while preserving the possibility of splicing the +# connection. Peeking at the server certificate (during step 2) +# usually precludes bumping of the connection at step 3. +# +# stare +# Receive client (step SslBump1) or server (step SslBump2) +# certificate while preserving the possibility of bumping the +# connection. Staring at the server certificate (during step 2) +# usually precludes splicing of the connection at step 3. +# +# terminate +# Close client and server connections. +# +# Backward compatibility actions available at step SslBump1: +# +# client-first +# Bump the connection. Establish a secure connection with the +# client first, then connect to the server. This old mode does +# not allow Squid to mimic server SSL certificate and does not +# work with intercepted SSL connections. +# +# server-first +# Bump the connection. Establish a secure connection with the +# server first, then establish a secure connection with the +# client, using a mimicked server certificate. Works with both +# CONNECT requests and intercepted SSL connections, but does +# not allow to make decisions based on SSL handshake info. +# +# peek-and-splice +# Decide whether to bump or splice the connection based on +# client-to-squid and server-to-squid SSL hello messages. +# XXX: Remove. +# +# none +# Same as the "splice" action. +# +# All ssl_bump rules are evaluated at each of the supported bumping +# steps. Rules with actions that are impossible at the current step are +# ignored. The first matching ssl_bump action wins and is applied at the +# end of the current step. If no rules match, the splice action is used. +# See the at_step ACL for a list of the supported SslBump steps. # -# See also: http_port ssl-bump -# # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # +# See also: http_port ssl-bump, https_port ssl-bump, and acl at_step. +# # -# # Example: Bump all requests except those originating from localhost and -# # those going to webax.com or example.com sites. +# # Example: Bump all TLS connections except those originating from +# # localhost or those going to example.com. # -# acl localhost src 127.0.0.1/32 -# acl broken_sites dstdomain .webax.com -# acl broken_sites dstdomain .example.com -# ssl_bump deny localhost -# ssl_bump deny broken_sites -# ssl_bump allow all +# acl broken_sites ssl::server_name .example.com +# ssl_bump splice localhost +# ssl_bump splice broken_sites +# ssl_bump bump all #Default: -# none +# Become a TCP tunnel without decrypting proxied traffic. # TAG: sslproxy_flags # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Various flags modifying the use of SSL while proxying https:// URLs: # DONT_VERIFY_PEER Accept certificates that fail verification. @@ -1553,16 +2376,16 @@ http_port 3128 # TAG: sslproxy_cert_error # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Use this ACL to bypass server certificate validation errors. # # For example, the following lines will bypass all validation errors -# when talking to servers located at 172.16.0.0/16. All other +# when talking to servers for example.com. All other # validation errors will result in ERR_SECURE_CONNECT_FAIL error. # -# acl BrokenServersAtTrustedIP dst 172.16.0.0/16 -# sslproxy_cert_error allow BrokenServersAtTrustedIP +# acl BrokenButTrustedServers dstdomain example.com +# sslproxy_cert_error allow BrokenButTrustedServers # sslproxy_cert_error deny all # # This clause only supports fast acl types. @@ -1570,19 +2393,107 @@ http_port 3128 # Using slow acl types may result in server crashes # # Without this option, all server certificate validation errors -# terminate the transaction. Bypassing validation errors is dangerous -# because an error usually implies that the server cannot be trusted and -# the connection may be insecure. +# terminate the transaction to protect Squid and the client. +# +# SQUID_X509_V_ERR_INFINITE_VALIDATION error cannot be bypassed +# but should not happen unless your OpenSSL library is buggy. +# +# SECURITY WARNING: +# Bypassing validation errors is dangerous because an +# error usually implies that the server cannot be trusted +# and the connection may be insecure. # # See also: sslproxy_flags and DONT_VERIFY_PEER. +#Default: +# Server certificate errors terminate the transaction. + +# TAG: sslproxy_cert_sign +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# # -# Default setting: sslproxy_cert_error deny all +# sslproxy_cert_sign acl ... +# +# The following certificate signing algorithms are supported: +# +# signTrusted +# Sign using the configured CA certificate which is usually +# placed in and trusted by end-user browsers. This is the +# default for trusted origin server certificates. +# +# signUntrusted +# Sign to guarantee an X509_V_ERR_CERT_UNTRUSTED browser error. +# This is the default for untrusted origin server certificates +# that are not self-signed (see ssl::certUntrusted). +# +# signSelf +# Sign using a self-signed certificate with the right CN to +# generate a X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT error in the +# browser. This is the default for self-signed origin server +# certificates (see ssl::certSelfSigned). +# +# This clause only supports fast acl types. +# +# When sslproxy_cert_sign acl(s) match, Squid uses the corresponding +# signing algorithm to generate the certificate and ignores all +# subsequent sslproxy_cert_sign options (the first match wins). If no +# acl(s) match, the default signing algorithm is determined by errors +# detected when obtaining and validating the origin server certificate. +# +# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can +# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a +# CONNECT request that carries a domain name. In all other cases (CONNECT +# to an IP address or an intercepted SSL connection), Squid cannot detect +# the domain mismatch at certificate generation time when +# bump-server-first is used. +#Default: +# none + +# TAG: sslproxy_cert_adapt +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# +# sslproxy_cert_adapt acl ... +# +# The following certificate adaptation algorithms are supported: +# +# setValidAfter +# Sets the "Not After" property to the "Not After" property of +# the CA certificate used to sign generated certificates. +# +# setValidBefore +# Sets the "Not Before" property to the "Not Before" property of +# the CA certificate used to sign generated certificates. +# +# setCommonName or setCommonName{CN} +# Sets Subject.CN property to the host name specified as a +# CN parameter or, if no explicit CN parameter was specified, +# extracted from the CONNECT request. It is a misconfiguration +# to use setCommonName without an explicit parameter for +# intercepted or tproxied SSL connections. +# +# This clause only supports fast acl types. +# +# Squid first groups sslproxy_cert_adapt options by adaptation algorithm. +# Within a group, when sslproxy_cert_adapt acl(s) match, Squid uses the +# corresponding adaptation algorithm to generate the certificate and +# ignores all subsequent sslproxy_cert_adapt options in that algorithm's +# group (i.e., the first match wins within each algorithm group). If no +# acl(s) match, the default mimicking action takes place. +# +# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can +# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a +# CONNECT request that carries a domain name. In all other cases (CONNECT +# to an IP address or an intercepted SSL connection), Squid cannot detect +# the domain mismatch at certificate generation time when +# bump-server-first is used. #Default: # none # TAG: sslpassword_program # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Specify a program used for entering SSL key passphrases # when using encrypted SSL certificate keys. If not specified @@ -1595,12 +2506,12 @@ http_port 3128 #Default: # none -#OPTIONS RELATING TO EXTERNAL SSL_CRTD -#----------------------------------------------------------------------------- +# OPTIONS RELATING TO EXTERNAL SSL_CRTD +# ----------------------------------------------------------------------------- # TAG: sslcrtd_program # Note: This option is only available if Squid is rebuilt with the -# -DUSE_SSL_CRTD define +# --enable-ssl-crtd # # Specify the location and options of the executable for ssl_crtd process. # /usr/lib/squid/ssl_crtd program requires -s and -M parameters @@ -1611,14 +2522,90 @@ http_port 3128 # TAG: sslcrtd_children # Note: This option is only available if Squid is rebuilt with the -# -DUSE_SSL_CRTD define +# --enable-ssl-crtd # # The maximum number of processes spawn to service ssl server. # The maximum this may be safely set to is 32. # +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup=N +# +# Sets the minimum number of processes to spawn when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few children temporary slows Squid under load while it +# tries to spawn enough additional processes to cope with traffic. +# +# idle=N +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# # You must have at least one ssl_crtd process. #Default: -# sslcrtd_children 5 +# sslcrtd_children 32 startup=5 idle=1 + +# TAG: sslcrtvalidator_program +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Specify the location and options of the executable for ssl_crt_validator +# process. +# +# Usage: sslcrtvalidator_program [ttl=n] [cache=n] path ... +# +# Options: +# ttl=n TTL in seconds for cached results. The default is 60 secs +# cache=n limit the result cache size. The default value is 2048 +#Default: +# none + +# TAG: sslcrtvalidator_children +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# The maximum number of processes spawn to service SSL server. +# The maximum this may be safely set to is 32. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup=N +# +# Sets the minimum number of processes to spawn when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few children temporary slows Squid under load while it +# tries to spawn enough additional processes to cope with traffic. +# +# idle=N +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# +# The number of requests each certificate validator helper can handle in +# parallel. A value of 0 indicates the certficate validator does not +# support concurrency. Defaults to 1. +# +# When this directive is set to a value >= 1 then the protocol +# used to communicate with the helper is modified to include +# a request ID in front of the request/response. The request +# ID from the request must be echoed back with the response +# to that request. +# +# You must have at least one ssl_crt_validator process. +#Default: +# sslcrtvalidator_children 32 startup=5 idle=1 concurrency=1 # OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM # ----------------------------------------------------------------------------- @@ -1680,22 +2667,23 @@ http_port 3128 # # htcp Send HTCP, instead of ICP, queries to the neighbor. # You probably also want to set the "icp-port" to 4827 -# instead of 3130. +# instead of 3130. This directive accepts a comma separated +# list of options described below. # -# htcp-oldsquid Send HTCP to old Squid versions. +# htcp=oldsquid Send HTCP to old Squid versions (2.5 or earlier). # -# htcp-no-clr Send HTCP to the neighbor but without +# htcp=no-clr Send HTCP to the neighbor but without # sending any CLR requests. This cannot be used with -# htcp-only-clr. +# only-clr. # -# htcp-only-clr Send HTCP to the neighbor but ONLY CLR requests. -# This cannot be used with htcp-no-clr. +# htcp=only-clr Send HTCP to the neighbor but ONLY CLR requests. +# This cannot be used with no-clr. # -# htcp-no-purge-clr +# htcp=no-purge-clr # Send HTCP to the neighbor including CLRs but only when # they do not result from PURGE requests. # -# htcp-forward-clr +# htcp=forward-clr # Forward any HTCP CLR requests this proxy receives to the peer. # # @@ -1768,6 +2756,14 @@ http_port 3128 # than the Squid default location. # # +# ==== CARP OPTIONS ==== +# +# carp-key=key-specification +# use a different key than the full URL to hash against the peer. +# the key-specification is a comma-separated list of the keywords +# scheme, host, port, path, params +# Order is not important. +# # ==== ACCELERATOR / REVERSE-PROXY OPTIONS ==== # # originserver Causes this parent to be contacted as an origin server. @@ -1795,20 +2791,23 @@ http_port 3128 # Note: The string can include URL escapes (i.e. %20 for # spaces). This also means % must be written as %%. # -# login=PROXYPASS +# login=PASSTHRU # Send login details received from client to this peer. -# Authentication is not required, nor changed. +# Both Proxy- and WWW-Authorization headers are passed +# without alteration to the peer. +# Authentication is not required by Squid for this to work. # # Note: This will pass any form of authentication but # only Basic auth will work through a proxy unless the # connection-auth options are also used. -# +# # login=PASS Send login details received from client to this peer. # Authentication is not required by this option. +# # If there are no client-provided authentication headers # to pass on, but username and password are available -# from either proxy login or an external ACL user= and -# password= result tags they may be sent instead. +# from an external ACL user= and password= result tags +# they may be sent instead. # # Note: To combine this with proxy_auth both proxies must # share the same user database as HTTP only allows for @@ -1826,6 +2825,27 @@ http_port 3128 # be used to identify this proxy to the peer, similar to # the login=username:password option above. # +# login=NEGOTIATE +# If this is a personal/workgroup proxy and your parent +# requires a secure proxy authentication. +# The first principal from the default keytab or defined by +# the environment variable KRB5_KTNAME will be used. +# +# WARNING: The connection may transmit requests from multiple +# clients. Negotiate often assumes end-to-end authentication +# and a single-client. Which is not strictly true here. +# +# login=NEGOTIATE:principal_name +# If this is a personal/workgroup proxy and your parent +# requires a secure proxy authentication. +# The principal principal_name from the default keytab or +# defined by the environment variable KRB5_KTNAME will be +# used. +# +# WARNING: The connection may transmit requests from multiple +# clients. Negotiate often assumes end-to-end authentication +# and a single-client. Which is not strictly true here. +# # connection-auth=on|off # Tell Squid that this peer does or not support Microsoft # connection oriented authentication, and any such @@ -1848,22 +2868,42 @@ http_port 3128 # reference a combined file containing both the # certificate and the key. # -# sslversion=1|2|3|4 +# sslversion=1|2|3|4|5|6 # The SSL version to use when connecting to this peer # 1 = automatic (default) # 2 = SSL v2 only # 3 = SSL v3 only -# 4 = TLS v1 only +# 4 = TLS v1.0 only +# 5 = TLS v1.1 only +# 6 = TLS v1.2 only # # sslcipher=... The list of valid SSL ciphers to use when connecting # to this peer. # -# ssloptions=... Specify various SSL engine options: -# NO_SSLv2 Disallow the use of SSLv2 -# NO_SSLv3 Disallow the use of SSLv3 -# NO_TLSv1 Disallow the use of TLSv1 -# See src/ssl_support.c or the OpenSSL documentation for -# a more complete list. +# ssloptions=... Specify various SSL implementation options: +# +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# +# SINGLE_DH_USE +# Always create a new key when using +# temporary/ephemeral DH key exchanges +# +# NO_TICKET +# Disable use of RFC5077 session tickets. Some servers +# may have problems understanding the TLS extension due +# to ambiguous specification in RFC4507. +# +# ALL Enable various bug workarounds +# suggested as "harmless" by OpenSSL +# Be warned that this reduces SSL/TLS +# strength to some attacks. +# +# See the OpenSSL SSL_CTX_set_options documentation for a +# more complete list. # # sslcafile=... A file containing additional CA certificates to use # when verifying the peer certificate. @@ -1907,29 +2947,74 @@ http_port 3128 # # connect-fail-limit=N # How many times connecting to a peer must fail before -# it is marked as down. Default is 10. +# it is marked as down. Standby connection failures +# count towards this limit. Default is 10. # # allow-miss Disable Squid's use of only-if-cached when forwarding # requests to siblings. This is primarily useful when -# icp_hit_stale is used by the sibling. To extensive use -# of this option may result in forwarding loops, and you -# should avoid having two-way peerings with this option. -# For example to deny peer usage on requests from peer -# by denying cache_peer_access if the source is a peer. +# icp_hit_stale is used by the sibling. Excessive use +# of this option may result in forwarding loops. One way +# to prevent peering loops when using this option, is to +# deny cache peer usage on requests from a peer: +# acl fromPeer ... +# cache_peer_access peerName deny fromPeer +# +# max-conn=N Limit the number of concurrent connections the Squid +# may open to this peer, including already opened idle +# and standby connections. There is no peer-specific +# connection limit by default. # -# max-conn=N Limit the amount of connections Squid may open to this -# peer. see also +# A peer exceeding the limit is not used for new +# requests unless a standby connection is available. +# +# max-conn currently works poorly with idle persistent +# connections: When a peer reaches its max-conn limit, +# and there are idle persistent connections to the peer, +# the peer may not be selected because the limiting code +# does not know whether Squid can reuse those idle +# connections. +# +# standby=N Maintain a pool of N "hot standby" connections to an +# UP peer, available for requests when no idle +# persistent connection is available (or safe) to use. +# By default and with zero N, no such pool is maintained. +# N must not exceed the max-conn limit (if any). +# +# At start or after reconfiguration, Squid opens new TCP +# standby connections until there are N connections +# available and then replenishes the standby pool as +# opened connections are used up for requests. A used +# connection never goes back to the standby pool, but +# may go to the regular idle persistent connection pool +# shared by all peers and origin servers. +# +# Squid never opens multiple new standby connections +# concurrently. This one-at-a-time approach minimizes +# flooding-like effect on peers. Furthermore, just a few +# standby connections should be sufficient in most cases +# to supply most new requests with a ready-to-use +# connection. +# +# Standby connections obey server_idle_pconn_timeout. +# For the feature to work as intended, the peer must be +# configured to accept and keep them open longer than +# the idle timeout at the connecting Squid, to minimize +# race conditions typical to idle used persistent +# connections. Default request_timeout and +# server_idle_pconn_timeout values ensure such a +# configuration. # # name=xxx Unique name for the peer. # Required if you have multiple peers on the same host # but different ports. # This name can be used in cache_peer_access and similar -# directives to dentify the peer. +# directives to identify the peer. # Can be used by outgoing access controls through the # peername ACL type. # # no-tproxy Do not use the client-spoof TPROXY support when forwarding # requests to this peer. Use normal address selection instead. +# This overrides the spoof_client_ip ACL. # # proxy-only objects fetched from the peer will not be stored locally. # @@ -1938,10 +3023,11 @@ http_port 3128 # TAG: cache_peer_domain # Use to limit the domains for which a neighbor cache will be -# queried. Usage: +# queried. # -# cache_peer_domain cache-host domain [domain ...] -# cache_peer_domain cache-host !domain +# Usage: +# cache_peer_domain cache-host domain [domain ...] +# cache_peer_domain cache-host !domain # # For example, specifying # @@ -1966,33 +3052,57 @@ http_port 3128 # none # TAG: cache_peer_access -# Similar to 'cache_peer_domain' but provides more flexibility by -# using ACL elements. +# Restricts usage of cache_peer proxies. # -# cache_peer_access cache-host allow|deny [!]aclname ... +# Usage: +# cache_peer_access peer-name allow|deny [!]aclname ... +# +# For the required peer-name parameter, use either the value of the +# cache_peer name=value parameter or, if name=value is missing, the +# cache_peer hostname parameter. +# +# This directive narrows down the selection of peering candidates, but +# does not determine the order in which the selected candidates are +# contacted. That order is determined by the peer selection algorithms +# (see PEER SELECTION sections in the cache_peer documentation). +# +# If a deny rule matches, the corresponding peer will not be contacted +# for the current transaction -- Squid will not send ICP queries and +# will not forward HTTP requests to that peer. An allow match leaves +# the corresponding peer in the selection. The first match for a given +# peer wins for that peer. +# +# The relative order of cache_peer_access directives for the same peer +# matters. The relative order of any two cache_peer_access directives +# for different peers does not matter. To ease interpretation, it is a +# good idea to group cache_peer_access directives for the same peer +# together. +# +# A single cache_peer_access directive may be evaluated multiple times +# for a given transaction because individual peer selection algorithms +# may check it independently from each other. These redundant checks +# may be optimized away in future Squid versions. # -# The syntax is identical to 'http_access' and the other lists of -# ACL elements. See the comments for 'http_access' below, or -# the Squid FAQ (http://wiki.squid-cache.org/SquidFaq/SquidAcl). +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# No peer usage restrictions. # TAG: neighbor_type_domain -# usage: neighbor_type_domain neighbor parent|sibling domain domain ... +# Modify the cache_peer neighbor type when passing requests +# about specific domains to the peer. # -# Modifying the neighbor type for specific domains is now -# possible. You can treat some domains differently than the the -# default neighbor type specified on the 'cache_peer' line. -# Normally it should only be necessary to list domains which -# should be treated differently because the default neighbor type -# applies for hostnames which do not match domains listed here. +# Usage: +# neighbor_type_domain neighbor parent|sibling domain domain ... # -#EXAMPLE: -# cache_peer cache.foo.org parent 3128 3130 -# neighbor_type_domain cache.foo.org sibling .com .net -# neighbor_type_domain cache.foo.org sibling .au .de +# For example: +# cache_peer foo.example.com parent 3128 3130 +# neighbor_type_domain foo.example.com sibling .au .de +# +# The above configuration treats all requests to foo.example.com as a +# parent proxy unless the request is for a .au or .de ccTLD domain name. #Default: -# none +# The peer type from cache_peer directive is used for all requests to that peer. # TAG: dead_peer_timeout (seconds) # This controls how long Squid waits to declare a peer cache @@ -2015,21 +3125,11 @@ http_port 3128 # TAG: forward_max_tries # Controls how many different forward paths Squid will try # before giving up. See also forward_timeout. +# +# NOTE: connect_retries (default: none) can make each of these +# possible forwarding paths be tried multiple times. #Default: -# forward_max_tries 10 - -# TAG: hierarchy_stoplist -# A list of words which, if found in a URL, cause the object to -# be handled directly by this cache. In other words, use this -# to not query neighbor caches for certain objects. You may -# list this option multiple times. -# -# Example: -# hierarchy_stoplist cgi-bin ? -# -# Note: never_direct overrides this option. -#Default: -# none +# forward_max_tries 25 # MEMORY CACHE OPTIONS # ----------------------------------------------------------------------------- @@ -2064,6 +3164,11 @@ http_port 3128 # decreases, blocks will be freed until the high-water mark is # reached. Thereafter, blocks will be used to store hot # objects. +# +# If shared memory caching is enabled, Squid does not use the shared +# cache space for in-transit objects, but they still consume as much +# local memory as they need. For more details about the shared memory +# cache, see memory_cache_shared. #Default: # cache_mem 256 MB @@ -2075,11 +3180,45 @@ http_port 3128 #Default: # maximum_object_size_in_memory 512 KB +# TAG: memory_cache_shared on|off +# Controls whether the memory cache is shared among SMP workers. +# +# The shared memory cache is meant to occupy cache_mem bytes and replace +# the non-shared memory cache, although some entities may still be +# cached locally by workers for now (e.g., internal and in-transit +# objects may be served from a local memory cache even if shared memory +# caching is enabled). +# +# By default, the memory cache is shared if and only if all of the +# following conditions are satisfied: Squid runs in SMP mode with +# multiple workers, cache_mem is positive, and Squid environment +# supports required IPC primitives (e.g., POSIX shared memory segments +# and GCC-style atomic operations). +# +# To avoid blocking locks, shared memory uses opportunistic algorithms +# that do not guarantee that every cachable entity that could have been +# shared among SMP workers will actually be shared. +#Default: +# "on" where supported if doing memory caching with multiple SMP workers. + +# TAG: memory_cache_mode +# Controls which objects to keep in the memory cache (cache_mem) +# +# always Keep most recently fetched objects in memory (default) +# +# disk Only disk cache hits are kept in memory, which means +# an object must first be cached on disk and then hit +# a second time before cached in memory. +# +# network Only objects fetched from network is kept in memory +#Default: +# Keep the most recently fetched objects in memory + # TAG: memory_replacement_policy # The memory replacement policy parameter determines which # objects are purged from memory when memory space is needed. # -# See cache_replacement_policy for details. +# See cache_replacement_policy for details on algorithms. #Default: # memory_replacement_policy lru @@ -2095,7 +3234,7 @@ http_port 3128 # heap LFUDA: Least Frequently Used with Dynamic Aging # heap LRU : LRU policy implemented using a heap # -# Applies to any cache_dir lines listed below this. +# Applies to any cache_dir lines listed below this directive. # # The LRU policies keeps recently referenced objects. # @@ -2114,7 +3253,7 @@ http_port 3128 # replacement policies. # # NOTE: if using the LFUDA replacement policy you should increase -# the value of maximum_object_size above its default of 4096 KB to +# the value of maximum_object_size above its default of 4 MB to # to maximize the potential byte hit rate improvement of LFUDA. # # For more information about the GDSF and LFUDA cache replacement @@ -2123,10 +3262,34 @@ http_port 3128 #Default: # cache_replacement_policy lru +# TAG: minimum_object_size (bytes) +# Objects smaller than this size will NOT be saved on disk. The +# value is specified in bytes, and the default is 0 KB, which +# means all responses can be stored. +#Default: +# no limit + +# TAG: maximum_object_size (bytes) +# Set the default value for max-size parameter on any cache_dir. +# The value is specified in bytes, and the default is 4 MB. +# +# If you wish to get a high BYTES hit ratio, you should probably +# increase this (one 32 MB object hit counts for 3200 10KB +# hits). +# +# If you wish to increase hit ratio more than you want to +# save bandwidth you should leave this low. +# +# NOTE: if using the LFUDA replacement policy you should increase +# this value to maximize the byte hit rate improvement of LFUDA! +# See cache_replacement_policy for a discussion of this policy. +#Default: +# maximum_object_size 4 MB +maximum_object_size 153600 KB + # TAG: cache_dir -# Usage: -# -# cache_dir Type Directory-Name Fs-specific-data [options] +# Format: +# cache_dir Type Directory-Name Fs-specific-data [options] # # You can specify multiple cache_dir lines to spread the # cache among different disk partitions. @@ -2141,12 +3304,18 @@ http_port 3128 # The directory must exist and be writable by the Squid # process. Squid will NOT create this directory for you. # -# The ufs store type: +# In SMP configurations, cache_dir must not precede the workers option +# and should use configuration macros or conditionals to give each +# worker interested in disk caching a dedicated cache directory. +# +# +# ==== The ufs store type ==== # # "ufs" is the old well-known Squid storage format that has always # been there. # -# cache_dir ufs Directory-Name Mbytes L1 L2 [options] +# Usage: +# cache_dir ufs Directory-Name Mbytes L1 L2 [options] # # 'Mbytes' is the amount of disk space (MB) to use under this # directory. The default is 100 MB. Change this to suit your @@ -2161,23 +3330,27 @@ http_port 3128 # will be created under each first-level directory. The default # is 256. # -# The aufs store type: +# +# ==== The aufs store type ==== # # "aufs" uses the same storage format as "ufs", utilizing # POSIX-threads to avoid blocking the main Squid process on # disk-I/O. This was formerly known in Squid as async-io. # -# cache_dir aufs Directory-Name Mbytes L1 L2 [options] +# Usage: +# cache_dir aufs Directory-Name Mbytes L1 L2 [options] # # see argument descriptions under ufs above # -# The diskd store type: +# +# ==== The diskd store type ==== # # "diskd" uses the same storage format as "ufs", utilizing a # separate process to avoid blocking the main Squid process on # disk-I/O. # -# cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n] +# Usage: +# cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n] # # see argument descriptions under ufs above # @@ -2185,55 +3358,149 @@ http_port 3128 # stops opening new files. If this many messages are in the queues, # Squid won't open new files. Default is 64 # -# Q2 specifies the number of unacknowledged messages when Squid -# starts blocking. If this many messages are in the queues, -# Squid blocks until it receives some replies. Default is 72 +# Q2 specifies the number of unacknowledged messages when Squid +# starts blocking. If this many messages are in the queues, +# Squid blocks until it receives some replies. Default is 72 +# +# When Q1 < Q2 (the default), the cache directory is optimized +# for lower response time at the expense of a decrease in hit +# ratio. If Q1 > Q2, the cache directory is optimized for +# higher hit ratio at the expense of an increase in response +# time. +# +# +# ==== The rock store type ==== +# +# Usage: +# cache_dir rock Directory-Name Mbytes [options] +# +# The Rock Store type is a database-style storage. All cached +# entries are stored in a "database" file, using fixed-size slots. +# A single entry occupies one or more slots. +# +# If possible, Squid using Rock Store creates a dedicated kid +# process called "disker" to avoid blocking Squid worker(s) on disk +# I/O. One disker kid is created for each rock cache_dir. Diskers +# are created only when Squid, running in daemon mode, has support +# for the IpcIo disk I/O module. +# +# swap-timeout=msec: Squid will not start writing a miss to or +# reading a hit from disk if it estimates that the swap operation +# will take more than the specified number of milliseconds. By +# default and when set to zero, disables the disk I/O time limit +# enforcement. Ignored when using blocking I/O module because +# blocking synchronous I/O does not allow Squid to estimate the +# expected swap wait time. +# +# max-swap-rate=swaps/sec: Artificially limits disk access using +# the specified I/O rate limit. Swap out requests that +# would cause the average I/O rate to exceed the limit are +# delayed. Individual swap in requests (i.e., hits or reads) are +# not delayed, but they do contribute to measured swap rate and +# since they are placed in the same FIFO queue as swap out +# requests, they may wait longer if max-swap-rate is smaller. +# This is necessary on file systems that buffer "too +# many" writes and then start blocking Squid and other processes +# while committing those writes to disk. Usually used together +# with swap-timeout to avoid excessive delays and queue overflows +# when disk demand exceeds available disk "bandwidth". By default +# and when set to zero, disables the disk I/O rate limit +# enforcement. Currently supported by IpcIo module only. +# +# slot-size=bytes: The size of a database "record" used for +# storing cached responses. A cached response occupies at least +# one slot and all database I/O is done using individual slots so +# increasing this parameter leads to more disk space waste while +# decreasing it leads to more disk I/O overheads. Should be a +# multiple of your operating system I/O page size. Defaults to +# 16KBytes. A housekeeping header is stored with each slot and +# smaller slot-sizes will be rejected. The header is smaller than +# 100 bytes. +# +# +# ==== COMMON OPTIONS ==== +# +# no-store no new objects should be stored to this cache_dir. +# +# min-size=n the minimum object size in bytes this cache_dir +# will accept. It's used to restrict a cache_dir +# to only store large objects (e.g. AUFS) while +# other stores are optimized for smaller objects +# (e.g. Rock). +# Defaults to 0. +# +# max-size=n the maximum object size in bytes this cache_dir +# supports. +# The value in maximum_object_size directive sets +# the default unless more specific details are +# available (ie a small store capacity). +# +# Note: To make optimal use of the max-size limits you should order +# the cache_dir lines with the smallest max-size value first. +# +#Default: +# No disk cache. Store cache ojects only in memory. +# + +# Uncomment and adjust the following to add a disk cache directory. +#cache_dir ufs /var/spool/squid 100 16 256 +cache_dir ufs /var/spool/squid 4096 16 1024 + +# TAG: store_dir_select_algorithm +# How Squid selects which cache_dir to use when the response +# object will fit into more than one. +# +# Regardless of which algorithm is used the cache_dir min-size +# and max-size parameters are obeyed. As such they can affect +# the selection algorithm by limiting the set of considered +# cache_dir. +# +# Algorithms: +# +# least-load +# +# This algorithm is suited to caches with similar cache_dir +# sizes and disk speeds. # -# When Q1 < Q2 (the default), the cache directory is optimized -# for lower response time at the expense of a decrease in hit -# ratio. If Q1 > Q2, the cache directory is optimized for -# higher hit ratio at the expense of an increase in response -# time. +# The disk with the least I/O pending is selected. +# When there are multiple disks with the same I/O load ranking +# the cache_dir with most available capacity is selected. # -# The coss store type: +# When a mix of cache_dir sizes are configured the faster disks +# have a naturally lower I/O loading and larger disks have more +# capacity. So space used to store objects and data throughput +# may be very unbalanced towards larger disks. # -# NP: COSS filesystem in Squid-3 has been deemed too unstable for -# production use and has thus been removed from this release. -# We hope that it can be made usable again soon. # -# block-size=n defines the "block size" for COSS cache_dir's. -# Squid uses file numbers as block numbers. Since file numbers -# are limited to 24 bits, the block size determines the maximum -# size of the COSS partition. The default is 512 bytes, which -# leads to a maximum cache_dir size of 512<<24, or 8 GB. Note -# you should not change the coss block size after Squid -# has written some objects to the cache_dir. +# round-robin # -# The coss file store has changed from 2.5. Now it uses a file -# called 'stripe' in the directory names in the config - and -# this will be created by squid -z. +# This algorithm is suited to caches with unequal cache_dir +# disk sizes. # -# Common options: +# Each cache_dir is selected in a rotation. The next suitable +# cache_dir is used. # -# no-store, no new objects should be stored to this cache_dir +# Available cache_dir capacity is only considered in relation +# to whether the object will fit and meets the min-size and +# max-size parameters. # -# max-size=n, refers to the max object size in bytes this cache_dir -# supports. It is used to select the cache_dir to store the object. -# Note: To make optimal use of the max-size limits you should order -# the cache_dir lines with the smallest max-size value first and the -# ones with no max-size specification last. +# Disk I/O loading is only considered to prevent overload on slow +# disks. This algorithm does not spread objects by size, so any +# I/O loading per-disk may appear very unbalanced and volatile. # -# Note for coss, max-size must be less than COSS_MEMBUF_SZ, -# which can be changed with the --with-coss-membuf-size=N configure -# option. +# If several cache_dirs use similar min-size, max-size, or other +# limits to to reject certain responses, then do not group such +# cache_dir lines together, to avoid round-robin selection bias +# towards the first cache_dir after the group. Instead, interleave +# cache_dir lines from different groups. For example: # - -# Uncomment and adjust the following to add a disk cache directory. -#cache_dir ufs /var/spool/squid 100 16 256 -cache_dir ufs /var/spool/squid 4096 16 1024 - -# TAG: store_dir_select_algorithm -# Set this to 'round-robin' as an alternative. +# store_dir_select_algorithm round-robin +# cache_dir rock /hdd1 ... min-size=100000 +# cache_dir rock /ssd1 ... max-size=99999 +# cache_dir rock /hdd2 ... min-size=100000 +# cache_dir rock /ssd2 ... max-size=99999 +# cache_dir rock /hdd3 ... min-size=100000 +# cache_dir rock /ssd3 ... max-size=99999 #Default: # store_dir_select_algorithm least-load @@ -2244,46 +3511,53 @@ cache_dir ufs /var/spool/squid 4096 16 1024 # # A value of 0 indicates no limit. #Default: -# max_open_disk_fds 0 - -# TAG: minimum_object_size (bytes) -# Objects smaller than this size will NOT be saved on disk. The -# value is specified in kilobytes, and the default is 0 KB, which -# means there is no minimum. -#Default: -# minimum_object_size 0 KB - -# TAG: maximum_object_size (bytes) -# Objects larger than this size will NOT be saved on disk. The -# value is specified in kilobytes, and the default is 4MB. If -# you wish to get a high BYTES hit ratio, you should probably -# increase this (one 32 MB object hit counts for 3200 10KB -# hits). If you wish to increase speed more than your want to -# save bandwidth you should leave this low. -# -# NOTE: if using the LFUDA replacement policy you should increase -# this value to maximize the byte hit rate improvement of LFUDA! -# See replacement_policy below for a discussion of this policy. -#Default: -# maximum_object_size 4096 KB -maximum_object_size 153600 KB +# no limit # TAG: cache_swap_low (percent, 0-100) +# The low-water mark for AUFS/UFS/diskd cache object eviction by +# the cache_replacement_policy algorithm. +# +# Removal begins when the swap (disk) usage of a cache_dir is +# above this low-water mark and attempts to maintain utilization +# near the low-water mark. +# +# As swap utilization increases towards the high-water mark set +# by cache_swap_high object eviction becomes more agressive. +# +# The value difference in percentages between low- and high-water +# marks represent an eviction rate of 300 objects per second and +# the rate continues to scale in agressiveness by multiples of +# this above the high-water mark. +# +# Defaults are 90% and 95%. If you have a large cache, 5% could be +# hundreds of MB. If this is the case you may wish to set these +# numbers closer together. +# +# See also cache_swap_high and cache_replacement_policy #Default: # cache_swap_low 90 # TAG: cache_swap_high (percent, 0-100) +# The high-water mark for AUFS/UFS/diskd cache object eviction by +# the cache_replacement_policy algorithm. # -# The low- and high-water marks for cache object replacement. -# Replacement begins when the swap (disk) usage is above the -# low-water mark and attempts to maintain utilization near the -# low-water mark. As swap utilization gets close to high-water -# mark object eviction becomes more aggressive. If utilization is -# close to the low-water mark less replacement is done each time. +# Removal begins when the swap (disk) usage of a cache_dir is +# above the low-water mark set by cache_swap_low and attempts to +# maintain utilization near the low-water mark. +# +# As swap utilization increases towards this high-water mark object +# eviction becomes more agressive. +# +# The value difference in percentages between low- and high-water +# marks represent an eviction rate of 300 objects per second and +# the rate continues to scale in agressiveness by multiples of +# this above the high-water mark. # # Defaults are 90% and 95%. If you have a large cache, 5% could be # hundreds of MB. If this is the case you may wish to set these # numbers closer together. +# +# See also cache_swap_low and cache_replacement_policy #Default: # cache_swap_high 95 @@ -2313,21 +3587,62 @@ maximum_object_size 153600 KB # ' output as-is # # - left aligned -# width field width. If starting with 0 the -# output is zero padded +# +# width minimum and/or maximum field width: +# [width_min][.width_max] +# When minimum starts with 0, the field is zero-padded. +# String values exceeding maximum width are truncated. +# # {arg} argument such as header name etc # # Format codes: # # % a literal % character +# sn Unique sequence number per log line entry +# err_code The ID of an error response served by Squid or +# a similar internal error identifier. +# err_detail Additional err_code-dependent error information. +# note The annotation specified by the argument. Also +# logs the adaptation meta headers set by the +# adaptation_meta configuration parameter. +# If no argument given all annotations logged. +# The argument may include a separator to use with +# annotation values: +# name[:separator] +# By default, multiple note values are separated with "," +# and multiple notes are separated with "\r\n". +# When logging named notes with %{name}note, the +# explicitly configured separator is used between note +# values. When logging all notes with %note, the +# explicitly configured separator is used between +# individual notes. There is currently no way to +# specify both value and notes separators when logging +# all notes with %note. +# +# Connection related format codes: +# # >a Client source IP address # >A Client FQDN # >p Client source port -# eui Client source EUI (MAC address, EUI-48 or EUI-64 identifier) +# >la Local IP address the client connected to +# >lp Local port number the client connected to +# >qos Client connection TOS/DSCP value set by Squid +# >nfmark Client connection netfilter mark set by Squid +# +# la Local listening IP address the client connection was connected to. +# lp Local listening port number the client connection was connected to. +# +# . format. +# Currently, Squid considers the master transaction +# started when a complete HTTP request header initiating +# the transaction is received from the client. This is +# the same value that Squid uses to calculate transaction +# response time when logging %tr to access.log. Currently, +# Squid uses millisecond resolution for %tS values, +# similar to the default access.log "current time" field +# (%ts.%03tu). +# +# Access Control related format codes: +# +# et Tag returned by external acl +# ea Log string returned by external acl +# un User name (any available) +# ul User name from authentication +# ue User name from external acl helper +# ui User name from ident +# un A user name. Expands to the first available name +# from the following list of information sources: +# - authenticated user name, like %ul +# - user name supplied by an external ACL, like %ue +# - SSL client name, like %us +# - ident user name, like %ui +# credentials Client credentials. The exact meaning depends on +# the authentication scheme: For Basic authentication, +# it is the password; for Digest, the realm sent by the +# client; for NTLM and Negotiate, the client challenge +# or client credentials prefixed with "YR " or "KK ". +# +# HTTP related format codes: +# +# REQUEST # -# HTTP cache related format codes: -# -# [http::]>h Original request header. Optional header name argument -# on the format header[:[separator]element] -# [http::]>ha The HTTP request headers after adaptation and redirection. +# [http::]rm Request method (GET/POST etc) +# [http::]>rm Request method from client +# [http::]ru Request URL from client +# [http::]rs Request URL scheme from client +# [http::]rd Request URL domain from client +# [http::]rP Request URL port from client +# [http::]rp Request URL path excluding hostname from client +# [http::]rv Request protocol version from client +# [http::]h Original received request header. +# Usually differs from the request header sent by +# Squid, although most fields are often preserved. +# Accepts optional header field name/value filter +# argument using name[:[separator]element] format. +# [http::]>ha Received request header after adaptation and +# redirection (pre-cache REQMOD vectoring point). +# Usually differs from the request header sent by +# Squid, although most fields are often preserved. # Optional header name argument as for >h +# +# +# RESPONSE +# +# [http::]Hs HTTP status code sent to the client +# # [http::]h -# [http::]un User name -# [http::]ul User name from authentication -# [http::]ui User name from ident -# [http::]us User name from SSL -# [http::]ue User name from external acl helper -# [http::]>Hs HTTP status code sent to the client -# [http::]st Received request size including HTTP headers. In the -# case of chunked requests the chunked encoding metadata -# are not included -# [http::]>sh Received HTTP request headers size -# [http::]st Total size of request received from client. +# Excluding chunked encoding bytes. +# [http::]sh Size of request headers received from client +# [http::]sni SSL client SNI sent to Squid. Available only +# after the peek, stare, or splice SSL bumping +# actions. +# +# If ICAP is enabled, the following code becomes available (as # well as ICAP log codes documented with the icap_log option): # # icap::tt Total ICAP processing time for the HTTP @@ -2386,14 +3793,13 @@ maximum_object_size 153600 KB # ACLs are checked and when ICAP # transaction is in progress. # -# icap::cert_subject The Subject field of the received client +# SSL certificate or a dash ('-') if Squid has +# received an invalid/malformed certificate or +# no certificate at all. Consider encoding the +# logged value because Subject often has spaces. +# +# %ssl::>cert_issuer The Issuer field of the received client +# SSL certificate or a dash ('-') if Squid has +# received an invalid/malformed certificate or +# no certificate at all. Consider encoding the +# logged value because Issuer often has spaces. +# # The default formats available (which do not need re-defining) are: # -#logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %a %Ss/%03>Hs %h] [%a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh +#logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh +#logformat referrer %ts.%03tu %>a %{Referer}>h %ru +#logformat useragent %>a [%tl] "%{User-Agent}>h" +# +# NOTE: When the log_mime_hdrs directive is set to ON. +# The squid, common and combined formats have a safely encoded copy +# of the mime headers appended to each line within a pair of brackets. +# +# NOTE: The common and combined formats are not quite true to the Apache definition. +# The logs from Squid contain an extra status and hierarchy code appended. +# #Default: -# none +# The format definitions squid, common, combined, referrer, useragent are built in. # TAG: access_log -# These files log client request activities. Has a line every HTTP or -# ICP request. The format is: -# access_log [ [acl acl ...]] -# access_log none [acl acl ...]] +# Configures whether and how Squid logs HTTP and ICP transactions. +# If access logging is enabled, a single line is logged for every +# matching HTTP or ICP request. The recommended directive formats are: # -# Will log to the specified file using the specified format (which -# must be defined in a logformat directive) those entries which match -# ALL the acl's specified (which must be defined in acl clauses). +# access_log : [option ...] [acl acl ...] +# access_log none [acl acl ...] # -# If no acl is specified, all requests will be logged to this file. +# The following directive format is accepted but may be deprecated: +# access_log : [ [acl acl ...]] # -# To disable logging of a request use the filepath "none", in which case -# a logformat name should not be specified. +# In most cases, the first ACL name must not contain the '=' character +# and should not be equal to an existing logformat name. You can always +# start with an 'all' ACL to work around those restrictions. +# +# Will log to the specified module:place using the specified format (which +# must be defined in a logformat directive) those entries which match +# ALL the acl's specified (which must be defined in acl clauses). +# If no acl is specified, all requests will be logged to this destination. +# +# ===== Available options for the recommended directive format ===== +# +# logformat=name Names log line format (either built-in or +# defined by a logformat directive). Defaults +# to 'squid'. +# +# buffer-size=64KB Defines approximate buffering limit for log +# records (see buffered_logs). Squid should not +# keep more than the specified size and, hence, +# should flush records before the buffer becomes +# full to avoid overflows under normal +# conditions (the exact flushing algorithm is +# module-dependent though). The on-error option +# controls overflow handling. +# +# on-error=die|drop Defines action on unrecoverable errors. The +# 'drop' action ignores (i.e., does not log) +# affected log records. The default 'die' action +# kills the affected worker. The drop action +# support has not been tested for modules other +# than tcp. +# +# ===== Modules Currently available ===== +# +# none Do not log any requests matching these ACL. +# Do not specify Place or logformat name. +# +# stdio Write each log line to disk immediately at the completion of +# each request. +# Place: the filename and path to be written. +# +# daemon Very similar to stdio. But instead of writing to disk the log +# line is passed to a daemon helper for asychronous handling instead. +# Place: varies depending on the daemon. +# +# log_file_daemon Place: the file name and path to be written. +# +# syslog To log each request via syslog facility. +# Place: The syslog facility and priority level for these entries. +# Place Format: facility.priority # -# To log the request via syslog specify a filepath of "syslog": +# where facility could be any of: +# authpriv, daemon, local0 ... local7 or user. # -# access_log syslog[:facility.priority] [format [acl1 [acl2 ....]]] -# where facility could be any of: -# authpriv, daemon, local0 .. local7 or user. +# And priority could be any of: +# err, warning, notice, info, debug. +# +# udp To send each log line as text data to a UDP receiver. +# Place: The destination host name or IP and port. +# Place Format: //host:port # -# And priority could be any of: -# err, warning, notice, info, debug. +# tcp To send each log line as text data to a TCP receiver. +# Lines may be accumulated before sending (see buffered_logs). +# Place: The destination host name or IP and port. +# Place Format: //host:port # # Default: -# access_log /var/log/squid/access.log squid +# access_log daemon:/var/log/squid/access.log squid #Default: -# access_log /var/log/squid/access.log squid +# access_log daemon:/var/log/squid/access.log squid # TAG: icap_log # ICAP log files record ICAP transaction summaries, one line per @@ -2472,13 +3953,35 @@ maximum_object_size 153600 KB # ICAP transaction log lines will correspond to a single access # log line. # -# ICAP log uses logformat codes that make sense for an ICAP -# transaction. Header-related codes are applied to the HTTP header -# embedded in an ICAP server response, with the following caveats: -# For REQMOD, there is no HTTP response header unless the ICAP -# server performed request satisfaction. For RESPMOD, the HTTP -# request header is the header sent to the ICAP server. For -# OPTIONS, there are no HTTP headers. +# ICAP log supports many access.log logformat %codes. In ICAP context, +# HTTP message-related %codes are applied to the HTTP message embedded +# in an ICAP message. Logformat "%http::>..." codes are used for HTTP +# messages embedded in ICAP requests while "%http::<..." codes are used +# for HTTP messages embedded in ICAP responses. For example: +# +# http::>h To-be-adapted HTTP message headers sent by Squid to +# the ICAP service. For REQMOD transactions, these are +# HTTP request headers. For RESPMOD, these are HTTP +# response headers, but Squid currently cannot log them +# (i.e., %http::>h will expand to "-" for RESPMOD). +# +# http::st Bytes sent to the ICAP server (TCP payload -# only; i.e., what Squid writes to the socket). +# icap::>st The total size of the ICAP request sent to the ICAP +# server (ICAP headers + ICAP body), including chunking +# metadata (if any). # -# icap::a %icap::to/%03icap::Hs %icap::A %icap::to/%03icap::Hs %icap::\n - logfile data +# R\n - rotate file +# T\n - truncate file +# O\n - reopen file +# F\n - flush file +# r\n - set rotate count to +# b\n - 1 = buffer output, 0 = don't buffer output +# +# No responses is expected. #Default: -# none +# logfile_daemon /usr/lib/squid/log_file_daemon -# TAG: log_icap -# This options allows you to control which requests get logged -# to icap.log. See the icap_log directive for ICAP log details. +# TAG: stats_collection allow|deny acl acl... +# This options allows you to control which requests gets accounted +# in performance counters. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow logging for all transactions. # TAG: cache_store_log # Logs the activities of the storage manager. Shows which # objects are ejected from the cache, and which objects are -# saved and for how long. To disable, enter "none" or remove the line. +# saved and for how long. # There are not really utilities to analyze this data, so you can safely -# disable it. -# +# disable it (the default). +# +# Store log uses modular logging outputs. See access_log for the list +# of modules supported. +# # Example: -# cache_store_log /var/log/squid/store.log +# cache_store_log stdio:/var/log/squid/store.log +# cache_store_log daemon:/var/log/squid/store.log #Default: # none @@ -2590,7 +4111,7 @@ maximum_object_size 153600 KB # them). We recommend you do NOT use this option. It is # better to keep these index files in each 'cache_dir' directory. #Default: -# none +# Store the journal inside its cache_dir # TAG: logfile_rotate # Specifies the number of logfile rotations to make when you @@ -2607,34 +4128,19 @@ maximum_object_size 153600 KB # in the habit of using 'squid -k rotate' instead of 'kill -USR1 # '. # -# Note, from Squid-3.1 this option has no effect on the cache.log, -# that log can be rotated separately by using debug_options +# Note, from Squid-3.1 this option is only a default for cache.log, +# that log can be rotated separately by using debug_options. # -# Note2, for Debian/Linux the default of logfile_rotate is -# zero, since it includes external logfile-rotation methods. +# Note2, for Debian/Linux the default of logfile_rotate is +# zero, since it includes external logfile-rotation methods. #Default: # logfile_rotate 0 -# TAG: emulate_httpd_log on|off -# The Cache can emulate the log file format which many 'httpd' -# programs use. To disable/enable this emulation, set -# emulate_httpd_log to 'off' or 'on'. The default -# is to use the native log format since it includes useful -# information Squid-specific log analyzers use. -#Default: -# emulate_httpd_log off - -# TAG: log_ip_on_direct on|off -# Log the destination IP address in the hierarchy log tag when going -# direct. Earlier Squid versions logged the hostname here. If you -# prefer the old way set this to off. -#Default: -# log_ip_on_direct on - # TAG: mime_table -# Pathname to Squid's MIME table. You shouldn't need to change -# this, but the default file contains examples and formatting -# information if you do. +# Path to Squid's icon configuration file. +# +# You shouldn't need to change this, but the default file contains +# examples and formatting information if you do. #Default: # mime_table /usr/share/squid/mime.conf @@ -2647,91 +4153,61 @@ maximum_object_size 153600 KB #Default: # log_mime_hdrs off -# TAG: useragent_log -# Note: This option is only available if Squid is rebuilt with the -# --enable-useragent-log option -# -# Squid will write the User-Agent field from HTTP requests -# to the filename specified here. By default useragent_log -# is disabled. -#Default: -# none - -# TAG: referer_log -# Note: This option is only available if Squid is rebuilt with the -# --enable-referer-log option -# -# Squid will write the Referer field from HTTP requests to the -# filename specified here. By default referer_log is disabled. -# Note that "referer" is actually a misspelling of "referrer" -# however the misspelt version has been accepted into the HTTP RFCs -# and we accept both. -#Default: -# none - # TAG: pid_filename # A filename to write the process-id to. To disable, enter "none". #Default: # pid_filename /var/run/squid.pid -# TAG: log_fqdn on|off -# Turn this on if you wish to log fully qualified domain names -# in the access.log. To do this Squid does a DNS lookup of all -# IP's connecting to it. This can (in some situations) increase -# latency, which makes your cache seem slower for interactive -# browsing. -#Default: -# log_fqdn off - # TAG: client_netmask # A netmask for client addresses in logfiles and cachemgr output. # Change this to protect the privacy of your cache clients. # A netmask of 255.255.255.0 will log all IP's in that range with # the last digit set to '0'. #Default: -# client_netmask no_addr - -# TAG: forward_log -# Note: This option is only available if Squid is rebuilt with the -# -DWIP_FWD_LOG define -# -# Logs the server-side requests. -# -# This is currently work in progress. -#Default: -# none +# Log full client IP address # TAG: strip_query_terms # By default, Squid strips query terms from requested URLs before -# logging. This protects your user's privacy. +# logging. This protects your user's privacy and reduces log size. +# +# When investigating HIT/MISS or other caching behaviour you +# will need to disable this to see the full URL used by Squid. #Default: # strip_query_terms on # TAG: buffered_logs on|off -# cache.log log file is written with stdio functions, and as such -# it can be buffered or unbuffered. By default it will be unbuffered. -# Buffering it can speed up the writing slightly (though you are -# unlikely to need to worry unless you run with tons of debugging -# enabled in which case performance will suffer badly anyway..). +# Whether to write/send access_log records ASAP or accumulate them and +# then write/send them in larger chunks. Buffering may improve +# performance because it decreases the number of I/Os. However, +# buffering increases the delay before log records become available to +# the final recipient (e.g., a disk file or logging daemon) and, +# hence, increases the risk of log records loss. +# +# Note that even when buffered_logs are off, Squid may have to buffer +# records if it cannot write/send them immediately due to pending I/Os +# (e.g., the I/O writing the previous log record) or connectivity loss. +# +# Currently honored by 'daemon' and 'tcp' access_log modules only. #Default: # buffered_logs off # TAG: netdb_filename -# Note: This option is only available if Squid is rebuilt with the -# --enable-icmp option +# Where Squid stores it's netdb journal. +# When enabled this journal preserves netdb state between restarts. # -# A filename where Squid stores it's netdb state between restarts. # To disable, enter "none". #Default: -# netdb_filename /var/log/squid/netdb.state +# netdb_filename stdio:/var/log/squid/netdb.state # OPTIONS FOR TROUBLESHOOTING # ----------------------------------------------------------------------------- # TAG: cache_log -# Cache logging file. This is where general information about -# your cache's behavior goes. You can increase the amount of data -# logged to this file and how often its rotated with "debug_options" +# Squid administrative logging file. +# +# This is where general information about Squid behavior goes. You can +# increase the amount of data logged to this file and how often it is +# rotated with "debug_options" #Default: # cache_log /var/log/squid/cache.log @@ -2742,14 +4218,14 @@ maximum_object_size 153600 KB # log file, so be careful. # # The magic word "ALL" sets debugging levels for all sections. -# We recommend normally running with "ALL,1". +# The default is to run with "ALL,1" to record important warnings. # # The rotate=N option can be used to keep more or less of these logs # than would otherwise be kept by logfile_rotate. # For most uses a single log should be enough to monitor current # events affecting Squid. #Default: -# debug_options ALL,1 +# Log all critical and important messages. # TAG: coredump_dir # By default Squid leaves core files in the directory from where @@ -2758,7 +4234,7 @@ maximum_object_size 153600 KB # and coredump files will be left there. # #Default: -# coredump_dir none +# Use the directory from where Squid was started. # # Leave coredumps in the first cache dir @@ -2769,24 +4245,17 @@ coredump_dir /var/spool/squid # TAG: ftp_user # If you want the anonymous login password to be more informative -# (and enable the use of picky ftp servers), set this to something +# (and enable the use of picky FTP servers), set this to something # reasonable for your domain, like wwwuser@somewhere.net # # The reason why this is domainless by default is the # request can be made on the behalf of a user in any domain, # depending on how the cache is used. -# Some ftp server also validate the email address is valid +# Some FTP server also validate the email address is valid # (for example perl.com). #Default: # ftp_user Squid@ -# TAG: ftp_list_width -# Sets the width of ftp listings. This should be set to fit in -# the width of a standard browser. Setting this too small -# can cut off long filenames when browsing ftp sites. -#Default: -# ftp_list_width 32 - # TAG: ftp_passive # If your firewall does not allow Squid to use passive # connections, turn off this option. @@ -2822,13 +4291,21 @@ coredump_dir /var/spool/squid # and therefore, translation of the data portion of the segments # will never be needed. # -# Turning this OFF will prevent EPSV being attempted. -# WARNING: Doing so will convert Squid back to the old behavior with all -# the related problems with external NAT devices/layers. +# EPSV is often required to interoperate with FTP servers on IPv6 +# networks. On the other hand, it may break some IPv4 servers. +# +# By default, EPSV may try EPSV with any FTP server. To fine tune +# that decision, you may restrict EPSV to certain clients or servers +# using ACLs: # +# ftp_epsv allow|deny al1 acl2 ... +# +# WARNING: Disabling EPSV may cause problems with external NAT and IPv6. +# +# Only fast ACLs are supported. # Requires ftp_passive to be ON (default) for any effect. #Default: -# ftp_epsv on +# none # TAG: ftp_eprt # FTP Protocol extensions permit the use of a special "EPRT" command. @@ -2889,22 +4366,16 @@ coredump_dir /var/spool/squid # unlinkd_program /usr/lib/squid/unlinkd # TAG: pinger_program -# Note: This option is only available if Squid is rebuilt with the -# --enable-icmp option -# # Specify the location of the executable for the pinger process. #Default: # pinger_program /usr/lib/squid/pinger # TAG: pinger_enable -# Note: This option is only available if Squid is rebuilt with the -# --enable-icmp option -# # Control whether the pinger is active at run-time. # Enables turning ICMP pinger on and off with a simple # squid -k reconfigure. #Default: -# pinger_enable off +# pinger_enable on # OPTIONS FOR URL REWRITING # ----------------------------------------------------------------------------- @@ -2915,68 +4386,137 @@ coredump_dir /var/spool/squid # # For each requested URL, the rewriter will receive on line with the format # -# URL client_ip "/" fqdn user method [ kvpairs] +# [channel-ID ] URL [ extras] +# +# See url_rewrite_extras on how to send "extras" with optional values to +# the helper. +# After processing the request the helper must reply using the following format: +# +# [channel-ID ] result [ kv-pairs] +# +# The result code can be: +# +# OK status=30N url="..." +# Redirect the URL to the one supplied in 'url='. +# 'status=' is optional and contains the status code to send +# the client in Squids HTTP response. It must be one of the +# HTTP redirect status codes: 301, 302, 303, 307, 308. +# When no status is given Squid will use 302. +# +# OK rewrite-url="..." +# Rewrite the URL to the one supplied in 'rewrite-url='. +# The new URL is fetched directly by Squid and returned to +# the client as the response to its request. # -# In the future, the rewriter interface will be extended with -# key=value pairs ("kvpairs" shown above). Rewriter programs -# should be prepared to receive and possibly ignore additional -# whitespace-separated tokens on each input line. +# OK +# When neither of url= and rewrite-url= are sent Squid does +# not change the URL. # -# And the rewriter may return a rewritten URL. The other components of -# the request line does not need to be returned (ignored if they are). +# ERR +# Do not change the URL. # -# The rewriter can also indicate that a client-side redirect should -# be performed to the new URL. This is done by prefixing the returned -# URL with "301:" (moved permanently) or 302: (moved temporarily), etc. +# BH +# An internal error occurred in the helper, preventing +# a result being identified. The 'message=' key name is +# reserved for delivering a log message. +# +# +# In addition to the above kv-pairs Squid also understands the following +# optional kv-pairs received from URL rewriters: +# clt_conn_tag=TAG +# Associates a TAG with the client TCP connection. +# The TAG is treated as a regular annotation but persists across +# future requests on the client connection rather than just the +# current request. A helper may update the TAG during subsequent +# requests be returning a new kv-pair. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# WARNING: URL re-writing ability should be avoided whenever possible. +# Use the URL redirect form of response instead. +# +# Re-write creates a difference in the state held by the client +# and server. Possibly causing confusion when the server response +# contains snippets of its view state. Embeded URLs, response +# and content Location headers, etc. are not re-written by this +# interface. # # By default, a URL rewriter is not used. #Default: # none # TAG: url_rewrite_children -# The number of redirector processes to spawn. If you start -# too few Squid will have to wait for them to process a backlog of -# URLs, slowing it down. If you start too many they will use RAM -# and other system resources. -#Default: -# url_rewrite_children 5 - -# TAG: url_rewrite_concurrency +# The maximum number of redirector processes to spawn. If you limit +# it too few Squid will have to wait for them to process a backlog of +# URLs, slowing it down. If you allow too many they will use RAM +# and other system resources noticably. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup= +# +# Sets a minimum of how many processes are to be spawned when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few will cause an initial slowdown in traffic as Squid +# attempts to simultaneously spawn enough processes to cope. +# +# idle= +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# # The number of requests each redirector helper can handle in # parallel. Defaults to 0 which indicates the redirector # is a old-style single threaded redirector. # # When this directive is set to a value >= 1 then the protocol # used to communicate with the helper is modified to include -# a request ID in front of the request/response. The request -# ID from the request must be echoed back with the response -# to that request. +# an ID in front of the request/response. The ID from the request +# must be echoed back with the response to that request. #Default: -# url_rewrite_concurrency 0 +# url_rewrite_children 20 startup=0 idle=1 concurrency=0 # TAG: url_rewrite_host_header -# By default Squid rewrites any Host: header in redirected -# requests. If you are running an accelerator this may -# not be a wanted effect of a redirector. -# +# To preserve same-origin security policies in browsers and +# prevent Host: header forgery by redirectors Squid rewrites +# any Host: header in redirected requests. +# +# If you are running an accelerator this may not be a wanted +# effect of a redirector. This directive enables you disable +# Host: alteration in reverse-proxy traffic. +# # WARNING: Entries are cached on the result of the URL rewriting # process, so be careful if you have domain-virtual hosts. +# +# WARNING: Squid and other software verifies the URL and Host +# are matching, so be careful not to relay through other proxies +# or inspecting firewalls with this disabled. #Default: # url_rewrite_host_header on # TAG: url_rewrite_access # If defined, this access list specifies which requests are -# sent to the redirector processes. By default all requests -# are sent. +# sent to the redirector processes. # # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: url_rewrite_bypass # When this is 'on', a request will not go through the -# redirector if all redirectors are busy. If this is 'off' +# redirector if all the helpers are busy. If this is 'off' # and the redirector queue grows too large, Squid will exit # with a FATAL error and ask you to increase the number of # redirectors. You should only enable this if the redirectors @@ -2987,23 +4527,231 @@ coredump_dir /var/spool/squid #Default: # url_rewrite_bypass off -# OPTIONS FOR TUNING THE CACHE +# TAG: url_rewrite_extras +# Specifies a string to be append to request line format for the +# rewriter helper. "Quoted" format values may contain spaces and +# logformat %macros. In theory, any logformat %macro can be used. +# In practice, a %macro expands as a dash (-) if the helper request is +# sent before the required macro information is available to Squid. +#Default: +# url_rewrite_extras "%>a/%>A %un %>rm myip=%la myport=%lp" + +# OPTIONS FOR STORE ID # ----------------------------------------------------------------------------- -# TAG: cache -# A list of ACL elements which, if matched and denied, cause the request to -# not be satisfied from the cache and the reply to not be cached. -# In other words, use this to force certain objects to never be cached. +# TAG: store_id_program +# Specify the location of the executable StoreID helper to use. +# Since they can perform almost any function there isn't one included. # -# You must use the words 'allow' or 'deny' to indicate whether items -# matching the ACL should be allowed or denied into the cache. +# For each requested URL, the helper will receive one line with the format # -# Default is to allow all to be cached. +# [channel-ID ] URL [ extras] +# +# +# After processing the request the helper must reply using the following format: +# +# [channel-ID ] result [ kv-pairs] +# +# The result code can be: +# +# OK store-id="..." +# Use the StoreID supplied in 'store-id='. +# +# ERR +# The default is to use HTTP request URL as the store ID. +# +# BH +# An internal error occured in the helper, preventing +# a result being identified. +# +# In addition to the above kv-pairs Squid also understands the following +# optional kv-pairs received from URL rewriters: +# clt_conn_tag=TAG +# Associates a TAG with the client TCP connection. +# Please see url_rewrite_program related documentation for this +# kv-pair +# +# Helper programs should be prepared to receive and possibly ignore +# additional whitespace-separated tokens on each input line. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# NOTE: when using StoreID refresh_pattern will apply to the StoreID +# returned from the helper and not the URL. +# +# WARNING: Wrong StoreID value returned by a careless helper may result +# in the wrong cached response returned to the user. +# +# By default, a StoreID helper is not used. +#Default: +# none + +# TAG: store_id_extras +# Specifies a string to be append to request line format for the +# StoreId helper. "Quoted" format values may contain spaces and +# logformat %macros. In theory, any logformat %macro can be used. +# In practice, a %macro expands as a dash (-) if the helper request is +# sent before the required macro information is available to Squid. +#Default: +# store_id_extras "%>a/%>A %un %>rm myip=%la myport=%lp" + +# TAG: store_id_children +# The maximum number of StoreID helper processes to spawn. If you limit +# it too few Squid will have to wait for them to process a backlog of +# requests, slowing it down. If you allow too many they will use RAM +# and other system resources noticably. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup= +# +# Sets a minimum of how many processes are to be spawned when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few will cause an initial slowdown in traffic as Squid +# attempts to simultaneously spawn enough processes to cope. +# +# idle= +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# +# The number of requests each storeID helper can handle in +# parallel. Defaults to 0 which indicates the helper +# is a old-style single threaded program. +# +# When this directive is set to a value >= 1 then the protocol +# used to communicate with the helper is modified to include +# an ID in front of the request/response. The ID from the request +# must be echoed back with the response to that request. +#Default: +# store_id_children 20 startup=0 idle=1 concurrency=0 + +# TAG: store_id_access +# If defined, this access list specifies which requests are +# sent to the StoreID processes. By default all requests +# are sent. # # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow, unless rules exist in squid.conf. + +# TAG: store_id_bypass +# When this is 'on', a request will not go through the +# helper if all helpers are busy. If this is 'off' +# and the helper queue grows too large, Squid will exit +# with a FATAL error and ask you to increase the number of +# helpers. You should only enable this if the helperss +# are not critical to your caching system. If you use +# helpers for critical caching components, and you enable this +# option, users may not get objects from cache. +#Default: +# store_id_bypass on + +# OPTIONS FOR TUNING THE CACHE +# ----------------------------------------------------------------------------- + +# TAG: cache +# Requests denied by this directive will not be served from the cache +# and their responses will not be stored in the cache. This directive +# has no effect on other transactions and on already cached responses. +# +# This clause supports both fast and slow acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# This and the two other similar caching directives listed below are +# checked at different transaction processing stages, have different +# access to response information, affect different cache operations, +# and differ in slow ACLs support: +# +# * cache: Checked before Squid makes a hit/miss determination. +# No access to reply information! +# Denies both serving a hit and storing a miss. +# Supports both fast and slow ACLs. +# * send_hit: Checked after a hit was detected. +# Has access to reply (hit) information. +# Denies serving a hit only. +# Supports fast ACLs only. +# * store_miss: Checked before storing a cachable miss. +# Has access to reply (miss) information. +# Denies storing a miss only. +# Supports fast ACLs only. +# +# If you are not sure which of the three directives to use, apply the +# following decision logic: +# +# * If your ACL(s) are of slow type _and_ need response info, redesign. +# Squid does not support that particular combination at this time. +# Otherwise: +# * If your directive ACL(s) are of slow type, use "cache"; and/or +# * if your directive ACL(s) need no response info, use "cache". +# Otherwise: +# * If you do not want the response cached, use store_miss; and/or +# * if you do not want a hit on a cached response, use send_hit. +#Default: +# By default, this directive is unused and has no effect. + +# TAG: send_hit +# Responses denied by this directive will not be served from the cache +# (but may still be cached, see store_miss). This directive has no +# effect on the responses it allows and on the cached objects. +# +# Please see the "cache" directive for a summary of differences among +# store_miss, send_hit, and cache directives. +# +# Unlike the "cache" directive, send_hit only supports fast acl +# types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# For example: +# +# # apply custom Store ID mapping to some URLs +# acl MapMe dstdomain .c.example.com +# store_id_program ... +# store_id_access allow MapMe +# +# # but prevent caching of special responses +# # such as 302 redirects that cause StoreID loops +# acl Ordinary http_status 200-299 +# store_miss deny MapMe !Ordinary +# +# # and do not serve any previously stored special responses +# # from the cache (in case they were already cached before +# # the above store_miss rule was in effect). +# send_hit deny MapMe !Ordinary +#Default: +# By default, this directive is unused and has no effect. + +# TAG: store_miss +# Responses denied by this directive will not be cached (but may still +# be served from the cache, see send_hit). This directive has no +# effect on the responses it allows and on the already cached responses. +# +# Please see the "cache" directive for a summary of differences among +# store_miss, send_hit, and cache directives. See the +# send_hit directive for a usage example. +# +# Unlike the "cache" directive, store_miss only supports fast acl +# types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# By default, this directive is unused and has no effect. + +# TAG: max_stale time-units +# This option puts an upper limit on how stale content Squid +# will serve from the cache if cache validation fails. +# Can be overriden by the refresh_pattern max-stale option. +#Default: +# max_stale 1 week # TAG: refresh_pattern # usage: refresh_pattern [-i] regex min percent max [options] @@ -3028,12 +4776,13 @@ coredump_dir /var/spool/squid # override-lastmod # reload-into-ims # ignore-reload -# ignore-no-cache # ignore-no-store # ignore-must-revalidate # ignore-private # ignore-auth +# max-stale=NN # refresh-ims +# store-stale # # override-expire enforces min age even if the server # sent an explicit expiry time (e.g., with the @@ -3049,22 +4798,18 @@ coredump_dir /var/spool/squid # override-lastmod enforces min age even on objects # that were modified recently. # -# reload-into-ims changes client no-cache or ``reload'' -# to If-Modified-Since requests. Doing this VIOLATES the -# HTTP standard. Enabling this feature could make you -# liable for problems which it causes. +# reload-into-ims changes a client no-cache or ``reload'' +# request for a cached entry into a conditional request using +# If-Modified-Since and/or If-None-Match headers, provided the +# cached entry has a Last-Modified and/or a strong ETag header. +# Doing this VIOLATES the HTTP standard. Enabling this feature +# could make you liable for problems which it causes. # # ignore-reload ignores a client no-cache or ``reload'' # header. Doing this VIOLATES the HTTP standard. Enabling # this feature could make you liable for problems which # it causes. # -# ignore-no-cache ignores any ``Pragma: no-cache'' and -# ``Cache-control: no-cache'' headers received from a server. -# The HTTP RFC never allows the use of this (Pragma) header -# from a server, only a client, though plenty of servers -# send it anyway. -# # ignore-no-store ignores any ``Cache-control: no-store'' # headers received from a server. Doing this VIOLATES # the HTTP standard. Enabling this feature could make you @@ -3091,9 +4836,19 @@ coredump_dir /var/spool/squid # ensures that the client will receive an updated version # if one is available. # +# store-stale stores responses even if they don't have explicit +# freshness or a validator (i.e., Last-Modified or an ETag) +# present, or if they're already stale. By default, Squid will +# not cache such responses because they usually can't be +# reused. Note that such responses will be stale by default. +# +# max-stale=NN provide a maximum staleness factor. Squid won't +# serve objects more stale than this even if it failed to +# validate the object. Default: use the max_stale global limit. +# # Basically a cached object is: # -# FRESH if expires < now, else STALE +# FRESH if expire > now, else STALE # STALE if age > max # FRESH if lm-factor < percent, else STALE # FRESH if age < min @@ -3109,7 +4864,9 @@ coredump_dir /var/spool/squid # # +# # Add any of your own refresh_pattern entries above these. +# refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 @@ -3137,7 +4894,7 @@ refresh_pattern . 0 20% 4320 # downloads. # # When the user aborts a request, Squid will check the -# quick_abort values to the amount of data transfered until +# quick_abort values to the amount of data transferred until # then. # # If the transfer has less than 'quick_abort_min' KB remaining, @@ -3195,44 +4952,68 @@ refresh_pattern . 0 20% 4320 #Default: # negative_dns_ttl 1 minutes -# TAG: range_offset_limit (bytes) -# Sets a upper limit on how far into the the file a Range request -# may be to cause Squid to prefetch the whole file. If beyond this -# limit Squid forwards the Range request as it is and the result -# is NOT cached. -# +# TAG: range_offset_limit size [acl acl...] +# usage: (size) [units] [[!]aclname] +# +# Sets an upper limit on how far (number of bytes) into the file +# a Range request may be to cause Squid to prefetch the whole file. +# If beyond this limit, Squid forwards the Range request as it is and +# the result is NOT cached. +# # This is to stop a far ahead range request (lets say start at 17MB) # from making Squid fetch the whole object up to that point before # sending anything to the client. -# -# A value of 0 causes Squid to never fetch more than the +# +# Multiple range_offset_limit lines may be specified, and they will +# be searched from top to bottom on each request until a match is found. +# The first match found will be used. If no line matches a request, the +# default limit of 0 bytes will be used. +# +# 'size' is the limit specified as a number of units. +# +# 'units' specifies whether to use bytes, KB, MB, etc. +# If no units are specified bytes are assumed. +# +# A size of 0 causes Squid to never fetch more than the # client requested. (default) -# -# A value of -1 causes Squid to always fetch the object from the +# +# A size of 'none' causes Squid to always fetch the object from the # beginning so it may cache the result. (2.0 style) -# -# NP: Using -1 here will override any quick_abort settings that may -# otherwise apply to the range request. The range request will +# +# 'aclname' is the name of a defined ACL. +# +# NP: Using 'none' as the byte value here will override any quick_abort settings +# that may otherwise apply to the range request. The range request will # be fully fetched from start to finish regardless of the client # actions. This affects bandwidth usage. #Default: -# range_offset_limit 0 KB +# none # TAG: minimum_expiry_time (seconds) # The minimum caching time according to (Expires - Date) -# Headers Squid honors if the object can't be revalidated -# defaults to 60 seconds. In reverse proxy environments it -# might be desirable to honor shorter object lifetimes. It -# is most likely better to make your server return a -# meaningful Last-Modified header however. In ESI environments -# where page fragments often have short lifetimes, this will -# often be best set to 0. +# headers Squid honors if the object can't be revalidated. +# The default is 60 seconds. +# +# In reverse proxy environments it might be desirable to honor +# shorter object lifetimes. It is most likely better to make +# your server return a meaningful Last-Modified header however. +# +# In ESI environments where page fragments often have short +# lifetimes, this will often be best set to 0. #Default: # minimum_expiry_time 60 seconds -# TAG: store_avg_object_size (kbytes) +# TAG: store_avg_object_size (bytes) # Average object size, used to estimate number of objects your # cache can hold. The default is 13 KB. +# +# This is used to pre-seed the cache index memory allocation to +# reduce expensive reallocate operations while handling clients +# traffic. Too-large values may result in memory allocation during +# peak traffic, too-small values will result in wasted memory. +# +# Check the cache manager 'info' report metrics for the real +# object sizes seen by your Squid before tuning this. #Default: # store_avg_object_size 13 KB @@ -3271,8 +5052,11 @@ refresh_pattern . 0 20% 4320 # than this limit receives an "Invalid Request" error message. # If you set this parameter to a zero (the default), there will # be no limit imposed. +# +# See also client_request_buffer_max_size for an alternative +# limitation on client uploads which can be configured. #Default: -# request_body_max_size 0 KB +# No limit. # TAG: client_request_buffer_max_size (bytes) # This specifies the maximum buffer size of a client request. @@ -3281,29 +5065,6 @@ refresh_pattern . 0 20% 4320 #Default: # client_request_buffer_max_size 512 KB -# TAG: chunked_request_body_max_size (bytes) -# A broken or confused HTTP/1.1 client may send a chunked HTTP -# request to Squid. Squid does not have full support for that -# feature yet. To cope with such requests, Squid buffers the -# entire request and then dechunks request body to create a -# plain HTTP/1.0 request with a known content length. The plain -# request is then used by the rest of Squid code as usual. -# -# The option value specifies the maximum size of the buffer used -# to hold the request before the conversion. If the chunked -# request size exceeds the specified limit, the conversion -# fails, and the client receives an "unsupported request" error, -# as if dechunking was disabled. -# -# Dechunking is enabled by default. To disable conversion of -# chunked requests, set the maximum to zero. -# -# Request dechunking feature and this option in particular are a -# temporary hack. When chunking requests and responses are fully -# supported, there will be no need to buffer a chunked request. -#Default: -# chunked_request_body_max_size 64 KB - # TAG: broken_posts # A list of ACL elements which, if matched, causes Squid to send # an extra CRLF pair after the body of a PUT/POST request. @@ -3325,15 +5086,15 @@ refresh_pattern . 0 20% 4320 # acl buggy_server url_regex ^http://.... # broken_posts allow buggy_server #Default: -# none +# Obey RFC 2616. -# TAG: icap_uses_indirect_client on|off +# TAG: adaptation_uses_indirect_client on|off # Controls whether the indirect client IP address (instead of the direct # client IP address) is passed to adaptation services. # # See also: follow_x_forwarded_for adaptation_send_client_ip #Default: -# icap_uses_indirect_client on +# adaptation_uses_indirect_client on # TAG: via on|off # If set (default), Squid will include a Via header in requests and @@ -3395,64 +5156,62 @@ refresh_pattern . 0 20% 4320 # # This option replaces the old 'anonymize_headers' and the # older 'http_anonymizer' option with something that is much -# more configurable. This new method creates a list of ACLs -# for each header, allowing you very fine-tuned header -# mangling. -# -# This option only applies to request headers, i.e., from the -# client to the server. -# -# You can only specify known headers for the header name. -# Other headers are reclassified as 'Other'. You can also -# refer to all the headers with 'All'. +# more configurable. A list of ACLs for each header name allows +# removal of specific header fields under specific conditions. +# +# This option only applies to outgoing HTTP request headers (i.e., +# headers sent by Squid to the next HTTP hop such as a cache peer +# or an origin server). The option has no effect during cache hit +# detection. The equivalent adaptation vectoring point in ICAP +# terminology is post-cache REQMOD. +# +# The option is applied to individual outgoing request header +# fields. For each request header field F, Squid uses the first +# qualifying sets of request_header_access rules: +# +# 1. Rules with header_name equal to F's name. +# 2. Rules with header_name 'Other', provided F's name is not +# on the hard-coded list of commonly used HTTP header names. +# 3. Rules with header_name 'All'. +# +# Within that qualifying rule set, rule ACLs are checked as usual. +# If ACLs of an "allow" rule match, the header field is allowed to +# go through as is. If ACLs of a "deny" rule match, the header is +# removed and request_header_replace is then checked to identify +# if the removed header has a replacement. If no rules within the +# set have matching ACLs, the header field is left as is. # # For example, to achieve the same behavior as the old # 'http_anonymizer standard' option, you should use: # # request_header_access From deny all # request_header_access Referer deny all -# request_header_access Server deny all # request_header_access User-Agent deny all -# request_header_access WWW-Authenticate deny all -# request_header_access Link deny all # # Or, to reproduce the old 'http_anonymizer paranoid' feature # you should use: # -# request_header_access Allow allow all # request_header_access Authorization allow all -# request_header_access WWW-Authenticate allow all # request_header_access Proxy-Authorization allow all -# request_header_access Proxy-Authenticate allow all # request_header_access Cache-Control allow all -# request_header_access Content-Encoding allow all # request_header_access Content-Length allow all # request_header_access Content-Type allow all # request_header_access Date allow all -# request_header_access Expires allow all # request_header_access Host allow all # request_header_access If-Modified-Since allow all -# request_header_access Last-Modified allow all -# request_header_access Location allow all # request_header_access Pragma allow all # request_header_access Accept allow all # request_header_access Accept-Charset allow all # request_header_access Accept-Encoding allow all # request_header_access Accept-Language allow all -# request_header_access Content-Language allow all -# request_header_access Mime-Version allow all -# request_header_access Retry-After allow all -# request_header_access Title allow all # request_header_access Connection allow all # request_header_access All deny all # -# although many of those are HTTP reply headers, and so should be -# controlled with the reply_header_access directive. +# HTTP reply headers are controlled with the reply_header_access directive. # -# By default, all headers are allowed (no anonymizing is -# performed). +# By default, all headers are allowed (no anonymizing is performed). #Default: -# none +# No limits. # TAG: reply_header_access # Usage: reply_header_access header_name allow|deny [!]aclname ... @@ -3465,25 +5224,13 @@ refresh_pattern . 0 20% 4320 # server to the client. # # This is the same as request_header_access, but in the other -# direction. -# -# This option replaces the old 'anonymize_headers' and the -# older 'http_anonymizer' option with something that is much -# more configurable. This new method creates a list of ACLs -# for each header, allowing you very fine-tuned header -# mangling. -# -# You can only specify known headers for the header name. -# Other headers are reclassified as 'Other'. You can also -# refer to all the headers with 'All'. +# direction. Please see request_header_access for detailed +# documentation. # # For example, to achieve the same behavior as the old # 'http_anonymizer standard' option, you should use: # -# reply_header_access From deny all -# reply_header_access Referer deny all # reply_header_access Server deny all -# reply_header_access User-Agent deny all # reply_header_access WWW-Authenticate deny all # reply_header_access Link deny all # @@ -3491,9 +5238,7 @@ refresh_pattern . 0 20% 4320 # you should use: # # reply_header_access Allow allow all -# reply_header_access Authorization allow all # reply_header_access WWW-Authenticate allow all -# reply_header_access Proxy-Authorization allow all # reply_header_access Proxy-Authenticate allow all # reply_header_access Cache-Control allow all # reply_header_access Content-Encoding allow all @@ -3501,29 +5246,22 @@ refresh_pattern . 0 20% 4320 # reply_header_access Content-Type allow all # reply_header_access Date allow all # reply_header_access Expires allow all -# reply_header_access Host allow all -# reply_header_access If-Modified-Since allow all # reply_header_access Last-Modified allow all # reply_header_access Location allow all # reply_header_access Pragma allow all -# reply_header_access Accept allow all -# reply_header_access Accept-Charset allow all -# reply_header_access Accept-Encoding allow all -# reply_header_access Accept-Language allow all # reply_header_access Content-Language allow all -# reply_header_access Mime-Version allow all # reply_header_access Retry-After allow all # reply_header_access Title allow all +# reply_header_access Content-Disposition allow all # reply_header_access Connection allow all # reply_header_access All deny all # -# although the HTTP request headers won't be usefully controlled -# by this directive -- see request_header_access for details. +# HTTP request headers are controlled with the request_header_access directive. # # By default, all headers are allowed (no anonymizing is # performed). #Default: -# none +# No limits. # TAG: request_header_replace # Usage: request_header_replace header_name message @@ -3531,8 +5269,7 @@ refresh_pattern . 0 20% 4320 # # This option allows you to change the contents of headers # denied with request_header_access above, by replacing them -# with some fixed string. This replaces the old fake_user_agent -# option. +# with some fixed string. # # This only applies to request headers, not reply headers. # @@ -3554,6 +5291,57 @@ refresh_pattern . 0 20% 4320 #Default: # none +# TAG: request_header_add +# Usage: request_header_add field-name field-value acl1 [acl2] ... +# Example: request_header_add X-Client-CA "CA=%ssl::>cert_issuer" all +# +# This option adds header fields to outgoing HTTP requests (i.e., +# request headers sent by Squid to the next HTTP hop such as a +# cache peer or an origin server). The option has no effect during +# cache hit detection. The equivalent adaptation vectoring point +# in ICAP terminology is post-cache REQMOD. +# +# Field-name is a token specifying an HTTP header name. If a +# standard HTTP header name is used, Squid does not check whether +# the new header conflicts with any existing headers or violates +# HTTP rules. If the request to be modified already contains a +# field with the same name, the old field is preserved but the +# header field values are not merged. +# +# Field-value is either a token or a quoted string. If quoted +# string format is used, then the surrounding quotes are removed +# while escape sequences and %macros are processed. +# +# In theory, all of the logformat codes can be used as %macros. +# However, unlike logging (which happens at the very end of +# transaction lifetime), the transaction may not yet have enough +# information to expand a macro when the new header value is needed. +# And some information may already be available to Squid but not yet +# committed where the macro expansion code can access it (report +# such instances!). The macro will be expanded into a single dash +# ('-') in such cases. Not all macros have been tested. +# +# One or more Squid ACLs may be specified to restrict header +# injection to matching requests. As always in squid.conf, all +# ACLs in an option ACL list must be satisfied for the insertion +# to happen. The request_header_add option supports fast ACLs +# only. +#Default: +# none + +# TAG: note +# This option used to log custom information about the master +# transaction. For example, an admin may configure Squid to log +# which "user group" the transaction belongs to, where "user group" +# will be determined based on a set of ACLs and not [just] +# authentication information. +# Values of key/value pairs can be logged using %{key}note macros: +# +# note key value acl ... +# logformat myFormat ... %{key}note ... +#Default: +# none + # TAG: relaxed_header_parser on|off|warn # In the default "on" setting Squid accepts certain forms # of non-compliant HTTP messages where it is unambiguous @@ -3569,15 +5357,32 @@ refresh_pattern . 0 20% 4320 #Default: # relaxed_header_parser on -# TAG: ignore_expect_100 on|off -# This option makes Squid ignore any Expect: 100-continue header present -# in the request. RFC 2616 requires that Squid being unable to satisfy -# the response expectation MUST return a 417 error. -# -# Note: Enabling this is a HTTP protocol violation, but some clients may -# not handle it well.. -#Default: -# ignore_expect_100 off +# TAG: collapsed_forwarding (on|off) +# When enabled, instead of forwarding each concurrent request for +# the same URL, Squid just sends the first of them. The other, so +# called "collapsed" requests, wait for the response to the first +# request and, if it happens to be cachable, use that response. +# Here, "concurrent requests" means "received after the first +# request headers were parsed and before the corresponding response +# headers were parsed". +# +# This feature is disabled by default: enabling collapsed +# forwarding needlessly delays forwarding requests that look +# cachable (when they are collapsed) but then need to be forwarded +# individually anyway because they end up being for uncachable +# content. However, in some cases, such as acceleration of highly +# cachable content with periodic or grouped expiration times, the +# gains from collapsing [large volumes of simultaneous refresh +# requests] outweigh losses from such delays. +# +# Squid collapses two kinds of requests: regular client requests +# received on one of the listening ports and internal "cache +# revalidation" requests which are triggered by those regular +# requests hitting a stale cached object. Revalidation collapsing +# is currently disabled for Squid instances containing SMP-aware +# disk or memory caches and for Vary-controlled cached objects. +#Default: +# collapsed_forwarding off # TIMEOUTS # ----------------------------------------------------------------------------- @@ -3604,25 +5409,46 @@ refresh_pattern . 0 20% 4320 # peer_connect_timeout 30 seconds # TAG: read_timeout time-units -# The read_timeout is applied on server-side connections. After -# each successful read(), the timeout will be extended by this +# Applied on peer server connections. +# +# After each successful read(), the timeout will be extended by this # amount. If no data is read again after this amount of time, -# the request is aborted and logged with ERR_READ_TIMEOUT. The -# default is 15 minutes. +# the request is aborted and logged with ERR_READ_TIMEOUT. +# +# The default is 15 minutes. #Default: # read_timeout 15 minutes +# TAG: write_timeout time-units +# This timeout is tracked for all connections that have data +# available for writing and are waiting for the socket to become +# ready. After each successful write, the timeout is extended by +# the configured amount. If Squid has data to write but the +# connection is not ready for the configured duration, the +# transaction associated with the connection is terminated. The +# default is 15 minutes. +#Default: +# write_timeout 15 minutes + # TAG: request_timeout # How long to wait for complete HTTP request headers after initial # connection establishment. #Default: # request_timeout 5 minutes -# TAG: persistent_request_timeout +# TAG: client_idle_pconn_timeout # How long to wait for the next HTTP request on a persistent -# connection after the previous request completes. +# client connection after the previous request completes. +#Default: +# client_idle_pconn_timeout 2 minutes + +# TAG: ftp_client_idle_timeout +# How long to wait for an FTP request on a connection to Squid ftp_port. +# Many FTP clients do not deal with idle connection closures well, +# necessitating a longer default timeout than client_idle_pconn_timeout +# used for incoming HTTP requests. #Default: -# persistent_request_timeout 2 minutes +# ftp_client_idle_timeout 30 minutes # TAG: client_lifetime time-units # The maximum amount of time a client (browser) is allowed to @@ -3658,11 +5484,11 @@ refresh_pattern . 0 20% 4320 #Default: # half_closed_clients off -# TAG: pconn_timeout +# TAG: server_idle_pconn_timeout # Timeout for idle persistent connections to servers and other # proxies. #Default: -# pconn_timeout 1 minute +# server_idle_pconn_timeout 1 minute # TAG: ident_timeout # Maximum time to wait for IDENT lookups to complete. @@ -3687,15 +5513,15 @@ refresh_pattern . 0 20% 4320 # TAG: cache_mgr # Email-address of local cache manager who will receive -# mail if the cache dies. The default is "webmaster." +# mail if the cache dies. The default is "webmaster". #Default: # cache_mgr webmaster # TAG: mail_from # From: email-address for mail sent when the cache dies. -# The default is to use 'appname@unique_hostname'. -# Default appname value is "squid", can be changed into -# src/globals.h before building squid. +# The default is to use 'squid@unique_hostname'. +# +# See also: unique_hostname directive. #Default: # none @@ -3734,7 +5560,7 @@ refresh_pattern . 0 20% 4320 # Our preference is for administrators to configure a secure # user account for squid with UID/GID matching system policies. #Default: -# none +# Use system group memberships of the cache_effective_user account # TAG: httpd_suppress_version_string on|off # Suppress Squid version string info in HTTP headers and HTML error pages. @@ -3748,14 +5574,14 @@ refresh_pattern . 0 20% 4320 # get errors about IP-forwarding you must set them to have individual # names with this setting. #Default: -# visible_hostname localhost +# Automatically detect the system host name # TAG: unique_hostname # If you want to have multiple machines with the same # 'visible_hostname' you must give each machine a different # 'unique_hostname' so forwarding loops can be detected. #Default: -# none +# Copy the value from visible_hostname # TAG: hostname_aliases # A list of other DNS names your cache has. @@ -3794,33 +5620,32 @@ refresh_pattern . 0 20% 4320 # available on the Web at http://www.ircache.net/Cache/Tracker/. # TAG: announce_period -# This is how frequently to send cache announcements. The -# default is `0' which disables sending the announcement -# messages. +# This is how frequently to send cache announcements. # # To enable announcing your cache, just set an announce period. # # Example: # announce_period 1 day #Default: -# announce_period 0 +# Announcement messages disabled. # TAG: announce_host +# Set the hostname where announce registration messages will be sent. +# +# See also announce_port and announce_file #Default: # announce_host tracker.ircache.net # TAG: announce_file +# The contents of this file will be included in the announce +# registration messages. #Default: # none # TAG: announce_port -# announce_host and announce_port set the hostname and port -# number where the registration message will be sent. +# Set the port where announce registration messages will be sent. # -# Hostname will default to 'tracker.ircache.net' and port will -# default default to 3131. If the 'filename' argument is given, -# the contents of that file will be included in the announce -# message. +# See also announce_host and announce_file #Default: # announce_port 3131 @@ -3833,10 +5658,12 @@ refresh_pattern . 0 20% 4320 # a farm of surrogates may all perform the same tasks, they may share # an identification token. #Default: -# httpd_accel_surrogate_id unset-id +# visible_hostname is used if no specific ID is set. # TAG: http_accel_surrogate_remote on|off -# Remote surrogates (such as those in a CDN) honour Surrogate-Control: no-store-remote. +# Remote surrogates (such as those in a CDN) honour the header +# "Surrogate-Control: no-store-remote". +# # Set this to on to have squid behave as a remote surrogate. #Default: # http_accel_surrogate_remote off @@ -3855,6 +5682,9 @@ refresh_pattern . 0 20% 4320 # This represents the number of delay pools to be used. For example, # if you have one class 2 delay pool and one class 3 delays pool, you # have a total of 2 delay pools. +# +# See also delay_parameters, delay_class, delay_access for pool +# configuration details. #Default: # delay_pools 0 @@ -3907,6 +5737,11 @@ refresh_pattern . 0 20% 4320 # # NOTE-2: Due to the use of bitmasks in class 2,3,4 pools they only apply to # IPv4 traffic. Class 1 and 5 pools may be used with IPv6 traffic. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# See also delay_parameters and delay_access. #Default: # none @@ -3921,14 +5756,16 @@ refresh_pattern . 0 20% 4320 # For example, if you want some_big_clients in delay # pool 1 and lotsa_little_clients in delay pool 2: # -#Example: -# delay_access 1 allow some_big_clients -# delay_access 1 deny all -# delay_access 2 allow lotsa_little_clients -# delay_access 2 deny all -# delay_access 3 allow authenticated_clients +# delay_access 1 allow some_big_clients +# delay_access 1 deny all +# delay_access 2 allow lotsa_little_clients +# delay_access 2 deny all +# delay_access 3 allow authenticated_clients +# +# See also delay_parameters and delay_class. +# #Default: -# none +# Deny using the pool, unless allow rules exist in squid.conf for the pool. # TAG: delay_parameters # This defines the parameters for a delay pool. Each delay pool has @@ -3936,23 +5773,23 @@ refresh_pattern . 0 20% 4320 # description of delay_class. # # For a class 1 delay pool, the syntax is: -# delay_pools pool 1 +# delay_class pool 1 # delay_parameters pool aggregate # # For a class 2 delay pool: -# delay_pools pool 2 +# delay_class pool 2 # delay_parameters pool aggregate individual # # For a class 3 delay pool: -# delay_pools pool 3 +# delay_class pool 3 # delay_parameters pool aggregate network individual # # For a class 4 delay pool: -# delay_pools pool 4 +# delay_class pool 4 # delay_parameters pool aggregate network individual user # # For a class 5 delay pool: -# delay_pools pool 5 +# delay_class pool 5 # delay_parameters pool tagrate # # The option variables are: @@ -3988,11 +5825,11 @@ refresh_pattern . 0 20% 4320 # above example, and is being used to strictly limit each host to 64Kbit/sec # (plus overheads), with no overall limit, the line is: # -# delay_parameters 1 -1/-1 8000/8000 +# delay_parameters 1 none 8000/8000 # -# Note that 8 x 8000 KByte/sec -> 64Kbit/sec. +# Note that 8 x 8K Byte/sec -> 64K bit/sec. # -# Note that the figure -1 is used to represent "unlimited". +# Note that the word 'none' is used to represent no limit. # # # And, if delay pool number 2 is a class 3 delay pool as in the above @@ -4005,15 +5842,19 @@ refresh_pattern . 0 20% 4320 # # delay_parameters 2 32000/32000 8000/8000 600/8000 # -# Note that 8 x 32000 KByte/sec -> 256Kbit/sec. -# 8 x 8000 KByte/sec -> 64Kbit/sec. -# 8 x 600 Byte/sec -> 4800bit/sec. +# Note that 8 x 32K Byte/sec -> 256K bit/sec. +# 8 x 8K Byte/sec -> 64K bit/sec. +# 8 x 600 Byte/sec -> 4800 bit/sec. # # # Finally, for a class 4 delay pool as in the example - each user will # be limited to 128Kbits/sec no matter how many workstations they are logged into.: # # delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000 +# +# +# See also delay_class and delay_access. +# #Default: # none @@ -4026,6 +5867,94 @@ refresh_pattern . 0 20% 4320 #Default: # delay_initial_bucket_level 50 +# CLIENT DELAY POOL PARAMETERS +# ----------------------------------------------------------------------------- + +# TAG: client_delay_pools +# This option specifies the number of client delay pools used. It must +# preceed other client_delay_* options. +# +# Example: +# client_delay_pools 2 +# +# See also client_delay_parameters and client_delay_access. +#Default: +# client_delay_pools 0 + +# TAG: client_delay_initial_bucket_level (percent, 0-no_limit) +# This option determines the initial bucket size as a percentage of +# max_bucket_size from client_delay_parameters. Buckets are created +# at the time of the "first" connection from the matching IP. Idle +# buckets are periodically deleted up. +# +# You can specify more than 100 percent but note that such "oversized" +# buckets are not refilled until their size goes down to max_bucket_size +# from client_delay_parameters. +# +# Example: +# client_delay_initial_bucket_level 50 +#Default: +# client_delay_initial_bucket_level 50 + +# TAG: client_delay_parameters +# +# This option configures client-side bandwidth limits using the +# following format: +# +# client_delay_parameters pool speed_limit max_bucket_size +# +# pool is an integer ID used for client_delay_access matching. +# +# speed_limit is bytes added to the bucket per second. +# +# max_bucket_size is the maximum size of a bucket, enforced after any +# speed_limit additions. +# +# Please see the delay_parameters option for more information and +# examples. +# +# Example: +# client_delay_parameters 1 1024 2048 +# client_delay_parameters 2 51200 16384 +# +# See also client_delay_access. +# +#Default: +# none + +# TAG: client_delay_access +# This option determines the client-side delay pool for the +# request: +# +# client_delay_access pool_ID allow|deny acl_name +# +# All client_delay_access options are checked in their pool ID +# order, starting with pool 1. The first checked pool with allowed +# request is selected for the request. If no ACL matches or there +# are no client_delay_access options, the request bandwidth is not +# limited. +# +# The ACL-selected pool is then used to find the +# client_delay_parameters for the request. Client-side pools are +# not used to aggregate clients. Clients are always aggregated +# based on their source IP addresses (one bucket per source IP). +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# Additionally, only the client TCP connection details are available. +# ACLs testing HTTP properties will not work. +# +# Please see delay_access for more examples. +# +# Example: +# client_delay_access 1 allow low_rate_network +# client_delay_access 2 allow vips_network +# +# +# See also client_delay_parameters and client_delay_pools. +#Default: +# Deny use of the pool, unless allow rules exist in squid.conf for the pool. + # WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS # ----------------------------------------------------------------------------- @@ -4040,7 +5969,7 @@ refresh_pattern . 0 20% 4320 # only one of the two may be used at the same time and defines # which version of WCCP to use. #Default: -# wccp_router any_addr +# WCCP disabled. # TAG: wccp2_router # Use this option to define your WCCP ``home'' router for @@ -4053,7 +5982,7 @@ refresh_pattern . 0 20% 4320 # only one of the two may be used at the same time and defines # which version of WCCP to use. #Default: -# none +# WCCPv2 disabled. # TAG: wccp_version # This directive is only relevant if you need to set up WCCP(v1) @@ -4110,7 +6039,7 @@ refresh_pattern . 0 20% 4320 # Valid values are as follows: # # hash - Hash assignment -# mask - Mask assignment +# mask - Mask assignment # # As a general rule, cisco routers support the hash assignment method # and cisco switches support the mask assignment method. @@ -4138,7 +6067,7 @@ refresh_pattern . 0 20% 4320 # # fleshed out with subsequent options. # wccp2_service standard 0 password=foo #Default: -# wccp2_service standard 0 +# Use the 'web-cache' standard service. # TAG: wccp2_service_info # Dynamic WCCPv2 services require further information to define the @@ -4175,8 +6104,12 @@ refresh_pattern . 0 20% 4320 # wccp2_weight 10000 # TAG: wccp_address +# Use this option if you require WCCPv2 to use a specific +# interface address. +# +# The default behavior is to not bind to any specific address. #Default: -# wccp_address 0.0.0.0 +# Address selected by the operating system. # TAG: wccp2_address # Use this option if you require WCCP to use a specific @@ -4184,7 +6117,7 @@ refresh_pattern . 0 20% 4320 # # The default behavior is to not bind to any specific address. #Default: -# wccp2_address 0.0.0.0 +# Address selected by the operating system. # PERSISTENT CONNECTION HANDLING # ----------------------------------------------------------------------------- @@ -4192,14 +6125,16 @@ refresh_pattern . 0 20% 4320 # Also see "pconn_timeout" in the TIMEOUTS section # TAG: client_persistent_connections +# Persistent connection support for clients. +# Squid uses persistent connections (when allowed). You can use +# this option to disable persistent connections with clients. #Default: # client_persistent_connections on # TAG: server_persistent_connections -# Persistent connection support for clients and servers. By -# default, Squid uses persistent connections (when allowed) -# with its clients and servers. You can use these options to -# disable persistent connections with clients and/or servers. +# Persistent connection support for servers. +# Squid uses persistent connections (when allowed). You can use +# this option to disable persistent connections with servers. #Default: # server_persistent_connections on @@ -4275,7 +6210,7 @@ refresh_pattern . 0 20% 4320 # Example: # snmp_port 3401 #Default: -# snmp_port 0 +# SNMP disabled. # TAG: snmp_access # Allowing or denying access to the SNMP port. @@ -4287,26 +6222,29 @@ refresh_pattern . 0 20% 4320 # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# #Example: # snmp_access allow snmppublic localhost # snmp_access deny all #Default: -# snmp_access deny all +# Deny, unless rules exist in squid.conf. # TAG: snmp_incoming_address -#Default: -# snmp_incoming_address any_addr - -# TAG: snmp_outgoing_address # Just like 'udp_incoming_address', but for the SNMP port. # # snmp_incoming_address is used for the SNMP socket receiving # messages from SNMP agents. -# snmp_outgoing_address is used for SNMP packets returned to SNMP -# agents. # # The default snmp_incoming_address is to listen on all # available network interfaces. +#Default: +# Accept SNMP packets from all machine interfaces. + +# TAG: snmp_outgoing_address +# Just like 'udp_outgoing_address', but for the SNMP port. +# +# snmp_outgoing_address is used for SNMP packets returned to SNMP +# agents. # # If snmp_outgoing_address is not set it will use the same socket # as snmp_incoming_address. Only change this if you want to have @@ -4314,9 +6252,9 @@ refresh_pattern . 0 20% 4320 # listens for SNMP queries. # # NOTE, snmp_incoming_address and snmp_outgoing_address can not have -# the same value since they both use port 3401. +# the same value since they both use the same port. #Default: -# snmp_outgoing_address no_addr +# Use snmp_incoming_address or an address selected by the operating system. # ICP OPTIONS # ----------------------------------------------------------------------------- @@ -4324,22 +6262,21 @@ refresh_pattern . 0 20% 4320 # TAG: icp_port # The port number where Squid sends and receives ICP queries to # and from neighbor caches. The standard UDP port for ICP is 3130. -# Default is disabled (0). # # Example: # icp_port 3130 #Default: -# icp_port 0 +# ICP disabled. # TAG: htcp_port # The port number where Squid sends and receives HTCP queries to # and from neighbor caches. To turn it on you want to set it to -# 4827. By default it is set to "0" (disabled). +# 4827. # # Example: # htcp_port 4827 #Default: -# htcp_port 0 +# HTCP disabled. # TAG: log_icp_queries on|off # If set, ICP queries are logged to access.log. You may wish @@ -4365,7 +6302,7 @@ refresh_pattern . 0 20% 4320 # NOTE, udp_incoming_address and udp_outgoing_address can not # have the same value since they both use the same port. #Default: -# udp_incoming_address any_addr +# Accept packets from all machine interfaces. # TAG: udp_outgoing_address # udp_outgoing_address is used for UDP packets sent out to other @@ -4386,7 +6323,7 @@ refresh_pattern . 0 20% 4320 # NOTE, udp_incoming_address and udp_outgoing_address can not # have the same value since they both use the same port. #Default: -# udp_outgoing_address no_addr +# Use udp_incoming_address or an address selected by the operating system. # TAG: icp_hit_stale on|off # If you want to return ICP_HIT for stale cache objects, set this @@ -4405,21 +6342,33 @@ refresh_pattern . 0 20% 4320 #Default: # minimum_direct_hops 4 -# TAG: minimum_direct_rtt +# TAG: minimum_direct_rtt (msec) # If using the ICMP pinging stuff, do direct fetches for sites # which are no more than this many rtt milliseconds away. #Default: # minimum_direct_rtt 400 # TAG: netdb_low +# The low water mark for the ICMP measurement database. +# +# Note: high watermark controlled by netdb_high directive. +# +# These watermarks are counts, not percents. The defaults are +# (low) 900 and (high) 1000. When the high water mark is +# reached, database entries will be deleted until the low +# mark is reached. #Default: # netdb_low 900 # TAG: netdb_high -# The low and high water marks for the ICMP measurement -# database. These are counts, not percents. The defaults are -# 900 and 1000. When the high water mark is reached, database -# entries will be deleted until the low mark is reached. +# The high water mark for the ICMP measurement database. +# +# Note: low watermark controlled by netdb_low directive. +# +# These watermarks are counts, not percents. The defaults are +# (low) 900 and (high) 1000. When the high water mark is +# reached, database entries will be deleted until the low +# mark is reached. #Default: # netdb_high 1000 @@ -4462,7 +6411,7 @@ refresh_pattern . 0 20% 4320 # # icp_query_timeout 2000 #Default: -# icp_query_timeout 0 +# Dynamic detection. # TAG: maximum_icp_query_timeout (msec) # Normally the ICP query timeout is determined dynamically. But @@ -4528,7 +6477,7 @@ refresh_pattern . 0 20% 4320 # Do not enable this option unless you are are absolutely # certain you understand what you are doing. #Default: -# mcast_miss_addr no_addr +# disabled. # TAG: mcast_miss_ttl # Note: This option is only available if Squid is rebuilt with the @@ -4618,7 +6567,7 @@ refresh_pattern . 0 20% 4320 # The squid developers working on translations are happy to supply drop-in # translated error files in exchange for any new language contributions. #Default: -# none +# Send error pages in the clients preferred language # TAG: error_default_language # Set the default language which squid will send error pages in @@ -4632,7 +6581,7 @@ refresh_pattern . 0 20% 4320 # translations for any language see the squid wiki for details. # http://wiki.squid-cache.org/Translations #Default: -# none +# Generate English language pages. # TAG: error_log_languages # Log to cache.log what languages users are attempting to @@ -4687,17 +6636,47 @@ refresh_pattern . 0 20% 4320 # the first authentication related acl encountered # - When none of the http_access lines matches. It's then the last # acl processed on the last http_access line. +# - When the decision to deny access was made by an adaptation service, +# the acl name is the corresponding eCAP or ICAP service_name. # # NP: If providing your own custom error pages with error_directory # you may also specify them by your custom file name: # Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys # -# Alternatively you can specify an error URL. The browsers will -# get redirected (302 or 307) to the specified URL. %s in the redirection -# URL will be replaced by the requested URL. +# By defaut Squid will send "403 Forbidden". A different 4xx or 5xx +# may be specified by prefixing the file name with the code and a colon. +# e.g. 404:ERR_CUSTOM_ACCESS_DENIED # # Alternatively you can tell Squid to reset the TCP connection # by specifying TCP_RESET. +# +# Or you can specify an error URL or URL pattern. The browsers will +# get redirected to the specified URL after formatting tags have +# been replaced. Redirect will be done with 302 or 307 according to +# HTTP/1.1 specs. A different 3xx code may be specified by prefixing +# the URL. e.g. 303:http://example.com/ +# +# URL FORMAT TAGS: +# %a - username (if available. Password NOT included) +# %B - FTP path URL +# %e - Error number +# %E - Error description +# %h - Squid hostname +# %H - Request domain name +# %i - Client IP Address +# %M - Request Method +# %o - Message result from external ACL helper +# %p - Request Port number +# %P - Request Protocol name +# %R - Request URL path +# %T - Timestamp in RFC 1123 format +# %U - Full canonical URL from client +# (HTTPS URLs terminate with *) +# %u - Full canonical URL from client +# %w - Admin email from squid.conf +# %x - Error name +# %% - Literal percent (%) code +# #Default: # none @@ -4706,18 +6685,18 @@ refresh_pattern . 0 20% 4320 # TAG: nonhierarchical_direct # By default, Squid will send any non-hierarchical requests -# (matching hierarchy_stoplist or not cacheable request type) direct -# to origin servers. +# (not cacheable request type) direct to origin servers. # -# If you set this to off, Squid will prefer to send these +# When this is set to "off", Squid will prefer to send these # requests to parents. # # Note that in most configurations, by turning this off you will only # add latency to these request without any improvement in global hit # ratio. # -# If you are inside an firewall see never_direct instead of -# this directive. +# This option only sets a preference. If the parent is unavailable a +# direct connection to the origin server may still be attempted. To +# completely prevent direct connections use never_direct. #Default: # nonhierarchical_direct on @@ -4736,6 +6715,29 @@ refresh_pattern . 0 20% 4320 #Default: # prefer_direct off +# TAG: cache_miss_revalidate on|off +# RFC 7232 defines a conditional request mechanism to prevent +# response objects being unnecessarily transferred over the network. +# If that mechanism is used by the client and a cache MISS occurs +# it can prevent new cache entries being created. +# +# This option determines whether Squid on cache MISS will pass the +# client revalidation request to the server or tries to fetch new +# content for caching. It can be useful while the cache is mostly +# empty to more quickly have the cache populated by generating +# non-conditional GETs. +# +# When set to 'on' (default), Squid will pass all client If-* headers +# to the server. This permits server responses without a cacheable +# payload to be delivered and on MISS no new cache entry is created. +# +# When set to 'off' and if the request is cacheable, Squid will +# remove the clients If-Modified-Since and If-None-Match headers from +# the request sent to the server. This requests a 200 status response +# from the server to create a new cache entry with. +#Default: +# cache_miss_revalidate on + # TAG: always_direct # Usage: always_direct allow|deny [!]aclname ... # @@ -4776,7 +6778,7 @@ refresh_pattern . 0 20% 4320 # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Prevent any cache_peer being used for this request. # TAG: never_direct # Usage: never_direct allow|deny [!]aclname ... @@ -4805,37 +6807,52 @@ refresh_pattern . 0 20% 4320 # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow DNS results to be used for this request. # ADVANCED NETWORKING OPTIONS # ----------------------------------------------------------------------------- -# TAG: incoming_icp_average +# TAG: incoming_udp_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: -# incoming_icp_average 6 +# incoming_udp_average 6 -# TAG: incoming_http_average +# TAG: incoming_tcp_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: -# incoming_http_average 4 +# incoming_tcp_average 4 # TAG: incoming_dns_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: # incoming_dns_average 4 -# TAG: min_icp_poll_cnt +# TAG: min_udp_poll_cnt +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: -# min_icp_poll_cnt 8 +# min_udp_poll_cnt 8 # TAG: min_dns_poll_cnt +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: # min_dns_poll_cnt 8 -# TAG: min_http_poll_cnt +# TAG: min_tcp_poll_cnt # Heavy voodoo here. I can't even believe you are reading this. # Are you crazy? Don't even think about adjusting these unless # you understand the algorithms in comm_select.c first! #Default: -# min_http_poll_cnt 8 +# min_tcp_poll_cnt 8 # TAG: accept_filter # FreeBSD: @@ -4880,14 +6897,14 @@ refresh_pattern . 0 20% 4320 # WARNING: This may noticably slow down traffic received via external proxies # or NAT devices and cause them to rebound error messages back to their clients. #Default: -# client_ip_max_connections -1 +# No limit. # TAG: tcp_recv_bufsize (bytes) # Size of receive buffer to set for TCP sockets. Probably just -# as easy to change your kernel's default. Set to zero to use -# the default buffer size. +# as easy to change your kernel's default. +# Omit from squid.conf to use the default buffer size. #Default: -# tcp_recv_bufsize 0 bytes +# Use operating system TCP defaults. # ICAP OPTIONS # ----------------------------------------------------------------------------- @@ -4913,22 +6930,36 @@ refresh_pattern . 0 20% 4320 # an established, active ICAP connection before giving up and # either terminating the HTTP transaction or bypassing the # failure. -# -# The default is read_timeout. #Default: -# none +# Use read_timeout. -# TAG: icap_service_failure_limit +# TAG: icap_service_failure_limit limit [in memory-depth time-units] # The limit specifies the number of failures that Squid tolerates # when establishing a new TCP connection with an ICAP service. If # the number of failures exceeds the limit, the ICAP service is # not used for new ICAP requests until it is time to refresh its -# OPTIONS. The per-service failure counter is reset to zero each -# time Squid fetches new service OPTIONS. +# OPTIONS. # # A negative value disables the limit. Without the limit, an ICAP # service will not be considered down due to connectivity failures # between ICAP OPTIONS requests. +# +# Squid forgets ICAP service failures older than the specified +# value of memory-depth. The memory fading algorithm +# is approximate because Squid does not remember individual +# errors but groups them instead, splitting the option +# value into ten time slots of equal length. +# +# When memory-depth is 0 and by default this option has no +# effect on service failure expiration. +# +# Squid always forgets failures when updating service settings +# using an ICAP OPTIONS transaction, regardless of this option +# setting. +# +# For example, +# # suspend service usage after 10 failures in 5 seconds: +# icap_service_failure_limit 10 in 5 seconds #Default: # icap_service_failure_limit 10 @@ -4962,10 +6993,26 @@ refresh_pattern . 0 20% 4320 # TAG: icap_preview_size # The default size of preview data to be sent to the ICAP server. -# -1 means no preview. This value might be overwritten on a per server -# basis by OPTIONS requests. +# This value might be overwritten on a per server basis by OPTIONS requests. +#Default: +# No preview sent. + +# TAG: icap_206_enable on|off +# 206 (Partial Content) responses is an ICAP extension that allows the +# ICAP agents to optionally combine adapted and original HTTP message +# content. The decision to combine is postponed until the end of the +# ICAP response. Squid supports Partial Content extension by default. +# +# Activation of the Partial Content extension is negotiated with each +# ICAP service during OPTIONS exchange. Most ICAP servers should handle +# negotation correctly even if they do not support the extension, but +# some might fail. To disable Partial Content support for all ICAP +# services and to avoid any negotiation, set this option to "off". +# +# Example: +# icap_206_enable off #Default: -# icap_preview_size -1 +# icap_206_enable on # TAG: icap_default_options_ttl # The default TTL value for ICAP OPTIONS responses that don't have @@ -4979,25 +7026,27 @@ refresh_pattern . 0 20% 4320 #Default: # icap_persistent_connections on -# TAG: icap_send_client_ip on|off +# TAG: adaptation_send_client_ip on|off # If enabled, Squid shares HTTP client IP information with adaptation # services. For ICAP, Squid adds the X-Client-IP header to ICAP requests. # For eCAP, Squid sets the libecap::metaClientIp transaction option. # # See also: adaptation_uses_indirect_client #Default: -# icap_send_client_ip off +# adaptation_send_client_ip off -# TAG: icap_send_client_username on|off +# TAG: adaptation_send_username on|off # This sends authenticated HTTP client username (if available) to -# the ICAP service. The username value is encoded based on the +# the adaptation service. +# +# For ICAP, the username value is encoded based on the # icap_client_username_encode option and is sent using the header # specified by the icap_client_username_header option. #Default: -# icap_send_client_username off +# adaptation_send_username off # TAG: icap_client_username_header -# ICAP request header name to use for send_client_username. +# ICAP request header name to use for adaptation_send_username. #Default: # icap_client_username_header X-Client-Username @@ -5009,17 +7058,19 @@ refresh_pattern . 0 20% 4320 # TAG: icap_service # Defines a single ICAP service using the following format: # -# icap_service service_name vectoring_point [options] service_url +# icap_service id vectoring_point uri [option ...] # -# service_name: ID -# an opaque identifier which must be unique in squid.conf +# id: ID +# an opaque identifier or name which is used to direct traffic to +# this specific service. Must be unique among all adaptation +# services in squid.conf. # # vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache # This specifies at which point of transaction processing the # ICAP service should be activated. *_postcache vectoring points # are not yet supported. # -# service_url: icap://servername:port/servicepath +# uri: icap://servername:port/servicepath # ICAP server and service location. # # ICAP does not allow a single service to handle both REQMOD and RESPMOD @@ -5028,6 +7079,8 @@ refresh_pattern . 0 20% 4320 # can even specify multiple identical services as long as their # service_names differ. # +# To activate a service, use the adaptation_access directive. To group +# services, use adaptation_service_chain and adaptation_service_set. # # Service options are separated by white space. ICAP services support # the following name=value options: @@ -5049,11 +7102,12 @@ refresh_pattern . 0 20% 4320 # returning a chain of services to be used next. The services # are specified using the X-Next-Services ICAP response header # value, formatted as a comma-separated list of service names. -# Each named service should be configured in squid.conf and -# should have the same method and vectoring point as the current -# ICAP transaction. Services violating these rules are ignored. -# An empty X-Next-Services value results in an empty plan which -# ends the current adaptation. +# Each named service should be configured in squid.conf. Other +# services are ignored. An empty X-Next-Services value results +# in an empty plan which ends the current adaptation. +# +# Dynamic adaptation plan may cross or cover multiple supported +# vectoring points in their natural processing order. # # Routing is not allowed by default: the ICAP X-Next-Services # response header is ignored. @@ -5063,12 +7117,32 @@ refresh_pattern . 0 20% 4320 # is to use IPv4-only connections. When set to 'on' this option will # make Squid use IPv6-only connections to contact this ICAP service. # +# on-overload=block|bypass|wait|force +# If the service Max-Connections limit has been reached, do +# one of the following for each new ICAP transaction: +# * block: send an HTTP error response to the client +# * bypass: ignore the "over-connected" ICAP service +# * wait: wait (in a FIFO queue) for an ICAP connection slot +# * force: proceed, ignoring the Max-Connections limit +# +# In SMP mode with N workers, each worker assumes the service +# connection limit is Max-Connections/N, even though not all +# workers may use a given service. +# +# The default value is "bypass" if service is bypassable, +# otherwise it is set to "wait". +# +# +# max-conn=number +# Use the given number as the Max-Connections limit, regardless +# of the Max-Connections value given by the service, if any. +# # Older icap_service format without optional named parameters is # deprecated but supported for backward compatibility. # #Example: -#icap_service svcBlocker reqmod_precache bypass=0 icap://icap1.mydomain.net:1344/reqmod -#icap_service svcLogger reqmod_precache routing=on icap://icap2.mydomain.net:1344/respmod +#icap_service svcBlocker reqmod_precache icap://icap1.mydomain.net:1344/reqmod bypass=0 +#icap_service svcLogger reqmod_precache icap://icap2.mydomain.net:1344/respmod routing=on #Default: # none @@ -5094,38 +7168,65 @@ refresh_pattern . 0 20% 4320 # ----------------------------------------------------------------------------- # TAG: ecap_enable on|off -# Note: This option is only available if Squid is rebuilt with the -# --enable-ecap option -# # Controls whether eCAP support is enabled. #Default: # ecap_enable off # TAG: ecap_service -# Note: This option is only available if Squid is rebuilt with the -# --enable-ecap option -# # Defines a single eCAP service # -# ecap_service servicename vectoring_point bypass service_url +# ecap_service id vectoring_point uri [option ...] # -# vectoring_point = reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache +# id: ID +# an opaque identifier or name which is used to direct traffic to +# this specific service. Must be unique among all adaptation +# services in squid.conf. +# +# vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache # This specifies at which point of transaction processing the # eCAP service should be activated. *_postcache vectoring points # are not yet supported. -# bypass = 1|0 -# If set to 1, the eCAP service is treated as optional. If the -# service cannot be reached or malfunctions, Squid will try to -# ignore any errors and process the message as if the service +# +# uri: ecap://vendor/service_name?custom&cgi=style¶meters=optional +# Squid uses the eCAP service URI to match this configuration +# line with one of the dynamically loaded services. Each loaded +# eCAP service must have a unique URI. Obtain the right URI from +# the service provider. +# +# To activate a service, use the adaptation_access directive. To group +# services, use adaptation_service_chain and adaptation_service_set. +# +# Service options are separated by white space. eCAP services support +# the following name=value options: +# +# bypass=on|off|1|0 +# If set to 'on' or '1', the eCAP service is treated as optional. +# If the service cannot be reached or malfunctions, Squid will try +# to ignore any errors and process the message as if the service # was not enabled. No all eCAP errors can be bypassed. -# If set to 0, the eCAP service is treated as essential and all -# eCAP errors will result in an error page returned to the +# If set to 'off' or '0', the eCAP service is treated as essential +# and all eCAP errors will result in an error page returned to the # HTTP client. -# service_url = ecap://vendor/service_name?custom&cgi=style¶meters=optional +# +# Bypass is off by default: services are treated as essential. +# +# routing=on|off|1|0 +# If set to 'on' or '1', the eCAP service is allowed to +# dynamically change the current message adaptation plan by +# returning a chain of services to be used next. +# +# Dynamic adaptation plan may cross or cover multiple supported +# vectoring points in their natural processing order. +# +# Routing is not allowed by default. +# +# Older ecap_service format without optional named parameters is +# deprecated but supported for backward compatibility. +# # #Example: -#ecap_service service_1 reqmod_precache 0 ecap://filters-R-us/leakDetector?on_error=block -#ecap_service service_2 respmod_precache 1 icap://filters-R-us/virusFilter?config=/etc/vf.cfg +#ecap_service s1 reqmod_precache ecap://filters.R.us/leakDetector?on_error=block bypass=off +#ecap_service s2 respmod_precache ecap://filters.R.us/virusFilter config=/etc/vf.cfg bypass=on #Default: # none @@ -5247,7 +7348,7 @@ refresh_pattern . 0 20% 4320 #Example: #adaptation_access service_1 allow all #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: adaptation_service_iteration_limit # Limits the number of iterations allowed when applying adaptation @@ -5275,8 +7376,14 @@ refresh_pattern . 0 20% 4320 # # An ICAP REQMOD or RESPMOD transaction may set an entry in the # shared table by returning an ICAP header field with a name -# specified in adaptation_masterx_shared_names. Squid will store -# and forward that ICAP header field to subsequent ICAP +# specified in adaptation_masterx_shared_names. +# +# An eCAP REQMOD or RESPMOD transaction may set an entry in the +# shared table by implementing the libecap::visitEachOption() API +# to provide an option with a name specified in +# adaptation_masterx_shared_names. +# +# Squid will store and forward the set entry to subsequent adaptation # transactions within the same master transaction scope. # # Only one shared entry name is supported at this time. @@ -5287,6 +7394,43 @@ refresh_pattern . 0 20% 4320 #Default: # none +# TAG: adaptation_meta +# This option allows Squid administrator to add custom ICAP request +# headers or eCAP options to Squid ICAP requests or eCAP transactions. +# Use it to pass custom authentication tokens and other +# transaction-state related meta information to an ICAP/eCAP service. +# +# The addition of a meta header is ACL-driven: +# adaptation_meta name value [!]aclname ... +# +# Processing for a given header name stops after the first ACL list match. +# Thus, it is impossible to add two headers with the same name. If no ACL +# lists match for a given header name, no such header is added. For +# example: +# +# # do not debug transactions except for those that need debugging +# adaptation_meta X-Debug 1 needs_debugging +# +# # log all transactions except for those that must remain secret +# adaptation_meta X-Log 1 !keep_secret +# +# # mark transactions from users in the "G 1" group +# adaptation_meta X-Authenticated-Groups "G 1" authed_as_G1 +# +# The "value" parameter may be a regular squid.conf token or a "double +# quoted string". Within the quoted string, use backslash (\) to escape +# any character, which is currently only useful for escaping backslashes +# and double quotes. For example, +# "this string has one backslash (\\) and two \"quotes\"" +# +# Used adaptation_meta header values may be logged via %note +# logformat code. If multiple adaptation_meta headers with the same name +# are used during master transaction lifetime, the header values are +# logged in the order they were used and duplicate values are ignored +# (only the first repeated value will be logged). +#Default: +# none + # TAG: icap_retry # This ACL determines which retriable ICAP transactions are # retried. Transactions that received a complete ICAP response @@ -5303,8 +7447,7 @@ refresh_pattern . 0 20% 4320 # icap_retry deny all # TAG: icap_retry_limit -# Limits the number of retries allowed. When set to zero (default), -# no retries are allowed. +# Limits the number of retries allowed. # # Communication errors due to persistent connection race # conditions are unavoidable, automatically retried, and do not @@ -5312,7 +7455,7 @@ refresh_pattern . 0 20% 4320 # # See also: icap_retry #Default: -# icap_retry_limit 0 +# No retries are allowed. # DNS OPTIONS # ----------------------------------------------------------------------------- @@ -5332,31 +7475,9 @@ refresh_pattern . 0 20% 4320 #Default: # allow_underscore on -# TAG: cache_dns_program -# Note: This option is only available if Squid is rebuilt with the -# --disable-internal-dns option -# -# Specify the location of the executable for dnslookup process. -#Default: -# cache_dns_program /usr/lib/squid/dnsserver - -# TAG: dns_children -# Note: This option is only available if Squid is rebuilt with the -# --disable-internal-dns option -# -# The number of processes spawn to service DNS name lookups. -# For heavily loaded caches on large servers, you should -# probably increase this value to at least 10. The maximum -# is 32. The default is 5. -# -# You must have at least one dnsserver process. -#Default: -# dns_children 5 - # TAG: dns_retransmit_interval # Initial retransmit interval for DNS queries. The interval is # doubled each time all configured DNS servers have been tried. -# #Default: # dns_retransmit_interval 5 seconds @@ -5365,7 +7486,31 @@ refresh_pattern . 0 20% 4320 # within this time all DNS servers for the queried domain # are assumed to be unavailable. #Default: -# dns_timeout 2 minutes +# dns_timeout 30 seconds + +# TAG: dns_packet_max +# Maximum number of bytes packet size to advertise via EDNS. +# Set to "none" to disable EDNS large packet support. +# +# For legacy reasons DNS UDP replies will default to 512 bytes which +# is too small for many responses. EDNS provides a means for Squid to +# negotiate receiving larger responses back immediately without having +# to failover with repeat requests. Responses larger than this limit +# will retain the old behaviour of failover to TCP DNS. +# +# Squid has no real fixed limit internally, but allowing packet sizes +# over 1500 bytes requires network jumbogram support and is usually not +# necessary. +# +# WARNING: The RFC also indicates that some older resolvers will reply +# with failure of the whole request if the extension is added. Some +# resolvers have already been identified which will reply with mangled +# EDNS response on occasion. Usually in response to many-KB jumbogram +# sizes being advertised by Squid. +# Squid will currently treat these both as an unable-to-resolve domain +# even if it would be resolvable without EDNS. +#Default: +# EDNS disabled # TAG: dns_defnames on|off # Normally the RES_DEFNAMES resolver option is disabled @@ -5373,12 +7518,21 @@ refresh_pattern . 0 20% 4320 # from interpreting single-component hostnames locally. To allow # Squid to handle single-component names, enable this option. #Default: -# dns_defnames off +# Search for single-label domain names is disabled. + +# TAG: dns_multicast_local on|off +# When set to on, Squid sends multicast DNS lookups on the local +# network for domains ending in .local and .arpa. +# This enables local servers and devices to be contacted in an +# ad-hoc or zero-configuration network environment. +#Default: +# Search for .local and .arpa names is disabled. # TAG: dns_nameservers # Use this if you want to specify a list of DNS name servers # (IP addresses) to use instead of those given in your # /etc/resolv.conf file. +# # On Windows platforms, if no value is specified here or in # the /etc/resolv.conf file, the list of DNS name servers are # taken from the Windows registry, both static and dynamic DHCP @@ -5386,7 +7540,7 @@ refresh_pattern . 0 20% 4320 # # Example: dns_nameservers 10.0.0.1 192.172.0.4 #Default: -# none +# Use operating system definitions # TAG: hosts_file # Location of the host-local IP name-address associations @@ -5425,7 +7579,7 @@ refresh_pattern . 0 20% 4320 #Example: # append_domain .yourdomain.com #Default: -# none +# Use operating system definitions # TAG: ignore_unknown_nameservers # By default Squid checks that DNS responses are received @@ -5436,23 +7590,6 @@ refresh_pattern . 0 20% 4320 #Default: # ignore_unknown_nameservers on -# TAG: dns_v4_fallback -# Standard practice with DNS is to lookup either A or AAAA records -# and use the results if it succeeds. Only looking up the other if -# the first attempt fails or otherwise produces no results. -# -# That policy however will cause squid to produce error pages for some -# servers that advertise AAAA but are unreachable over IPv6. -# -# If this is ON squid will always lookup both AAAA and A, using both. -# If this is OFF squid will lookup AAAA and only try A if none found. -# -# WARNING: There are some possibly unwanted side-effects with this on: -# *) Doubles the load placed by squid on the DNS network. -# *) May negatively impact connection delay times. -#Default: -# dns_v4_fallback on - # TAG: dns_v4_first # With the IPv6 Internet being as fast or faster than IPv4 Internet # for most networks Squid prefers to contact websites over IPv6. @@ -5464,11 +7601,12 @@ refresh_pattern . 0 20% 4320 # WARNING: # This option will restrict the situations under which IPv6 # connectivity is used (and tested), potentially hiding network -# problem swhich would otherwise be detected and warned about. +# problems which would otherwise be detected and warned about. #Default: # dns_v4_first off # TAG: ipcache_size (number of entries) +# Maximum number of DNS IP cache entries. #Default: # ipcache_size 1024 @@ -5489,6 +7627,15 @@ refresh_pattern . 0 20% 4320 # MISCELLANEOUS # ----------------------------------------------------------------------------- +# TAG: configuration_includes_quoted_values on|off +# If set, Squid will recognize each "quoted string" after a configuration +# directive as a single parameter. The quotes are stripped before the +# parameter value is interpreted or used. +# See "Values with spaces, quotes, and other special characters" +# section for more details. +#Default: +# configuration_includes_quoted_values off + # TAG: memory_pools on|off # If set, Squid will keep pools of allocated (but unused) memory # available for future use. If memory is a premium on your @@ -5539,7 +7686,7 @@ refresh_pattern . 0 20% 4320 # X-Forwarded-For header. # # If set to "truncate", Squid will remove all existing -# X-Forwarded-For entries, and place itself as the sole entry. +# X-Forwarded-For entries, and place the client IP as the sole entry. #Default: # forwarded_for on @@ -5602,7 +7749,7 @@ refresh_pattern . 0 20% 4320 # cachemgr_passwd lesssssssecret info stats/objects # cachemgr_passwd disable all #Default: -# none +# No password. Actions which require password are denied. # TAG: client_db on|off # If you want to disable collecting per-client statistics, @@ -5633,19 +7780,22 @@ refresh_pattern . 0 20% 4320 #Default: # reload_into_ims off -# TAG: maximum_single_addr_tries -# This sets the maximum number of connection attempts for a -# host that only has one address (for multiple-address hosts, -# each address is tried once). +# TAG: connect_retries +# This sets the maximum number of connection attempts made for each +# TCP connection. The connect_retries attempts must all still +# complete within the connection timeout period. +# +# The default is not to re-try if the first connection attempt fails. +# The (not recommended) maximum is 10 tries. # -# The default value is one attempt, the (not recommended) -# maximum is 255 tries. A warning message will be generated -# if it is set to a value greater than ten. +# A warning message will be generated if it is set to a too-high +# value and the configured value will be over-ridden. # -# Note: This is in addition to the request re-forwarding which -# takes place if Squid fails to get a satisfying response. +# Note: These re-tries are in addition to forward_max_tries +# which limit how many different addresses may be tried to find +# a useful server. #Default: -# maximum_single_addr_tries 1 +# Do not retry failed connections. # TAG: retry_on_error # If set to ON Squid will automatically retry requests when @@ -5678,20 +7828,32 @@ refresh_pattern . 0 20% 4320 # URI. Options: # # strip: The whitespace characters are stripped out of the URL. -# This is the behavior recommended by RFC2396. +# This is the behavior recommended by RFC2396 and RFC3986 +# for tolerant handling of generic URI. +# NOTE: This is one difference between generic URI and HTTP URLs. +# # deny: The request is denied. The user receives an "Invalid # Request" message. +# This is the behaviour recommended by RFC2616 for safe +# handling of HTTP request URL. +# # allow: The request is allowed and the URI is not changed. The # whitespace characters remain in the URI. Note the # whitespace is passed to redirector processes if they # are in use. +# Note this may be considered a violation of RFC2616 +# request parsing where whitespace is prohibited in the +# URL field. +# # encode: The request is allowed and the whitespace characters are -# encoded according to RFC1738. This could be considered -# a violation of the HTTP/1.1 -# RFC because proxies are not allowed to rewrite URI's. +# encoded according to RFC1738. +# # chop: The request is allowed and the URI is chopped at the -# first whitespace. This might also be considered a -# violation. +# first whitespace. +# +# +# NOTE the current Squid implementation of encode and chop violates +# RFC2616 by not using a 301 redirect after altering the URL. #Default: # uri_whitespace strip @@ -5718,23 +7880,28 @@ refresh_pattern . 0 20% 4320 # balance_on_multiple_ip off # TAG: pipeline_prefetch -# To boost the performance of pipelined requests to closer -# match that of a non-proxied environment Squid can try to fetch -# up to two requests in parallel from a pipeline. -# -# Defaults to off for bandwidth management and access logging +# HTTP clients may send a pipeline of 1+N requests to Squid using a +# single connection, without waiting for Squid to respond to the first +# of those requests. This option limits the number of concurrent +# requests Squid will try to handle in parallel. If set to N, Squid +# will try to receive and process up to 1+N requests on the same +# connection concurrently. +# +# Defaults to 0 (off) for bandwidth management and access logging # reasons. # +# NOTE: pipelining requires persistent connections to clients. +# # WARNING: pipelining breaks NTLM and Negotiate/Kerberos authentication. #Default: -# pipeline_prefetch off +# Do not pre-parse pipelined requests. # TAG: high_response_time_warning (msec) # If the one-minute median response time exceeds this value, # Squid prints a WARNING with debug level 0 to get the # administrators attention. The value is in milliseconds. #Default: -# high_response_time_warning 0 +# disabled. # TAG: high_page_fault_warning # If the one-minute average page fault rate exceeds this @@ -5742,14 +7909,17 @@ refresh_pattern . 0 20% 4320 # the administrators attention. The value is in page faults # per second. #Default: -# high_page_fault_warning 0 +# disabled. # TAG: high_memory_warning -# If the memory usage (as determined by mallinfo) exceeds -# this amount, Squid prints a WARNING with debug level 0 to get +# Note: This option is only available if Squid is rebuilt with the +# GNU Malloc with mstats() +# +# If the memory usage (as determined by gnumalloc, if available and used) +# exceeds this amount, Squid prints a WARNING with debug level 0 to get # the administrators attention. #Default: -# high_memory_warning 0 KB +# disabled. # TAG: sleep_after_fork (microseconds) # When this is set to a non-zero value, the main Squid process @@ -5766,6 +7936,9 @@ refresh_pattern . 0 20% 4320 # sleep_after_fork 0 # TAG: windows_ipaddrchangemonitor on|off +# Note: This option is only available if Squid is rebuilt with the +# MS Windows +# # On Windows Squid by default will monitor IP address changes and will # reconfigure itself after any detected event. This is very useful for # proxies connected to internet with dial-up interfaces. @@ -5775,13 +7948,19 @@ refresh_pattern . 0 20% 4320 #Default: # windows_ipaddrchangemonitor on +# TAG: eui_lookup +# Whether to lookup the EUI or MAC address of a connected client. +#Default: +# eui_lookup on + # TAG: max_filedescriptors -# The maximum number of filedescriptors supported. +# Reduce the maximum number of filedescriptors supported below +# the usual operating system defaults. # -# The default "0" means Squid inherits the current ulimit setting. +# Remove from squid.conf to inherit the current ulimit setting. # # Note: Changing this requires a restart of Squid. Also -# not all comm loops supports large values. +# not all I/O types supports large values (eg on Windows). #Default: -# max_filedescriptors 0 +# Use operating system limits set by ulimit. diff --git a/hosts/profitbricks-build5-amd64/etc/squid/squid.conf b/hosts/profitbricks-build5-amd64/etc/squid/squid.conf index 34be0ec5..ad1cdc47 100644 --- a/hosts/profitbricks-build5-amd64/etc/squid/squid.conf +++ b/hosts/profitbricks-build5-amd64/etc/squid/squid.conf @@ -1,4 +1,4 @@ -# WELCOME TO SQUID 3.1.20 +# WELCOME TO SQUID 3.5.23 # ---------------------------- # # This is the documentation for the Squid configuration file. @@ -32,6 +32,188 @@ # This arbitrary restriction is to prevent recursive include references # from causing Squid entering an infinite loop whilst trying to load # configuration files. +# +# Values with byte units +# +# Squid accepts size units on some size related directives. All +# such directives are documented with a default value displaying +# a unit. +# +# Units accepted by Squid are: +# bytes - byte +# KB - Kilobyte (1024 bytes) +# MB - Megabyte +# GB - Gigabyte +# +# Values with spaces, quotes, and other special characters +# +# Squid supports directive parameters with spaces, quotes, and other +# special characters. Surround such parameters with "double quotes". Use +# the configuration_includes_quoted_values directive to enable or +# disable that support. +# +# Squid supports reading configuration option parameters from external +# files using the syntax: +# parameters("/path/filename") +# For example: +# acl whitelist dstdomain parameters("/etc/squid/whitelist.txt") +# +# Conditional configuration +# +# If-statements can be used to make configuration directives +# depend on conditions: +# +# if +# ... regular configuration directives ... +# [else +# ... regular configuration directives ...] +# endif +# +# The else part is optional. The keywords "if", "else", and "endif" +# must be typed on their own lines, as if they were regular +# configuration directives. +# +# NOTE: An else-if condition is not supported. +# +# These individual conditions types are supported: +# +# true +# Always evaluates to true. +# false +# Always evaluates to false. +# = +# Equality comparison of two integer numbers. +# +# +# SMP-Related Macros +# +# The following SMP-related preprocessor macros can be used. +# +# ${process_name} expands to the current Squid process "name" +# (e.g., squid1, squid2, or cache1). +# +# ${process_number} expands to the current Squid process +# identifier, which is an integer number (e.g., 1, 2, 3) unique +# across all Squid processes of the current service instance. +# +# ${service_name} expands into the current Squid service instance +# name identifier which is provided by -n on the command line. +# + +# TAG: broken_vary_encoding +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: cache_vary +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: error_map +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: external_refresh_check +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: location_rewrite_program +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: refresh_stale_hit +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: hierarchy_stoplist +# Remove this line. Use always_direct or cache_peer_access ACLs instead if you need to prevent cache_peer use. +#Default: +# none + +# TAG: log_access +# Remove this line. Use acls with access_log directives to control access logging +#Default: +# none + +# TAG: log_icap +# Remove this line. Use acls with icap_log directives to control icap logging +#Default: +# none + +# TAG: ignore_ims_on_miss +# Remove this line. The HTTP/1.1 feature is now configured by 'cache_miss_revalidate'. +#Default: +# none + +# TAG: chunked_request_body_max_size +# Remove this line. Squid is now HTTP/1.1 compliant. +#Default: +# none + +# TAG: dns_v4_fallback +# Remove this line. Squid performs a 'Happy Eyeballs' algorithm, the 'fallback' algorithm is no longer relevant. +#Default: +# none + +# TAG: emulate_httpd_log +# Replace this with an access_log directive using the format 'common' or 'combined'. +#Default: +# none + +# TAG: forward_log +# Use a regular access.log with ACL limiting it to MISS events. +#Default: +# none + +# TAG: ftp_list_width +# Remove this line. Configure FTP page display using the CSS controls in errorpages.css instead. +#Default: +# none + +# TAG: ignore_expect_100 +# Remove this line. The HTTP/1.1 feature is now fully supported by default. +#Default: +# none + +# TAG: log_fqdn +# Remove this option from your config. To log FQDN use %>A in the log format. +#Default: +# none + +# TAG: log_ip_on_direct +# Remove this option from your config. To log server or peer names use % -##auth_param negotiate children 5 +##auth_param negotiate children 20 startup=0 idle=1 ##auth_param negotiate keep_alive on ## -##auth_param ntlm program -##auth_param ntlm children 5 -##auth_param ntlm keep_alive on -## -##auth_param digest program -##auth_param digest children 5 +##auth_param digest program +##auth_param digest children 20 startup=0 idle=1 ##auth_param digest realm Squid proxy-caching web server ##auth_param digest nonce_garbage_interval 5 minutes ##auth_param digest nonce_max_duration 30 minutes ##auth_param digest nonce_max_count 50 ## +##auth_param ntlm program +##auth_param ntlm children 20 startup=0 idle=1 +##auth_param ntlm keep_alive on +## ##auth_param basic program -##auth_param basic children 5 +##auth_param basic children 5 startup=5 idle=1 ##auth_param basic realm Squid proxy-caching web server ##auth_param basic credentialsttl 2 hours #Default: @@ -343,7 +448,7 @@ # TAG: authenticate_cache_garbage_interval # The time period between garbage collection across the username cache. -# This is a tradeoff between memory utilization (long intervals - say +# This is a trade-off between memory utilization (long intervals - say # 2 days) and CPU (short intervals - say 1 minute). Only change if you # have good reason to. #Default: @@ -362,11 +467,11 @@ # this directive controls how long Squid remembers the IP # addresses associated with each user. Use a small value # (e.g., 60 seconds) if your users might change addresses -# quickly, as is the case with dialups. You might be safe +# quickly, as is the case with dialup. You might be safe # using a larger value (e.g., 2 hours) in a corporate LAN # environment with relatively static address assignments. #Default: -# authenticate_ip_ttl 0 seconds +# authenticate_ip_ttl 1 second # ACCESS CONTROLS # ----------------------------------------------------------------------------- @@ -381,31 +486,66 @@ # # ttl=n TTL in seconds for cached results (defaults to 3600 # for 1 hour) +# # negative_ttl=n # TTL for cached negative lookups (default same # as ttl) -# children=n Number of acl helper processes spawn to service +# +# grace=n Percentage remaining of TTL where a refresh of a +# cached entry should be initiated without needing to +# wait for a new reply. (default is for no grace period) +# +# cache=n The maximum number of entries in the result cache. The +# default limit is 262144 entries. Each cache entry usually +# consumes at least 256 bytes. Squid currently does not remove +# expired cache entries until the limit is reached, so a proxy +# will sooner or later reach the limit. The expanded FORMAT +# value is used as the cache key, so if the details in FORMAT +# are highly variable, a larger cache may be needed to produce +# reduction in helper load. +# +# children-max=n +# Maximum number of acl helper processes spawned to service # external acl lookups of this type. (default 5) +# +# children-startup=n +# Minimum number of acl helper processes to spawn during +# startup and reconfigure to service external acl lookups +# of this type. (default 0) +# +# children-idle=n +# Number of acl helper processes to keep ahead of traffic +# loads. Squid will spawn this many at once whenever load +# rises above the capabilities of existing processes. +# Up to the value of children-max. (default 1) +# # concurrency=n concurrency level per process. Only used with helpers # capable of processing more than one query at a time. -# cache=n result cache size, 0 is unbounded (default) -# grace=n Percentage remaining of TTL where a refresh of a -# cached entry should be initiated without needing to -# wait for a new reply. (default 0 for no grace period) -# protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers +# +# protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers. +# # ipv4 / ipv6 IP protocol used to communicate with this helper. # The default is to auto-detect IPv6 and use it when available. # +# # FORMAT specifications # # %LOGIN Authenticated user login name -# %EXT_USER Username from external acl +# %un A user name. Expands to the first available name +# from the following list of information sources: +# - authenticated user name, like %ul or %LOGIN +# - user name sent by an external ACL, like %EXT_USER +# - SSL client name, like %us in logformat +# - ident user name, like %ui in logformat +# %EXT_USER Username from previous external acl +# %EXT_LOG Log details from previous external acl +# %EXT_TAG Tag from previous external acl # %IDENT Ident user name # %SRC Client IP # %SRCPORT Client source port # %URI Requested URI # %DST Requested host -# %PROTO Requested protocol +# %PROTO Requested URL scheme # %PORT Requested port # %PATH Requested URL path # %METHOD Request method @@ -415,7 +555,10 @@ # %USER_CERT SSL User certificate in PEM format # %USER_CERTCHAIN SSL User certificate chain in PEM format # %USER_CERT_xx SSL User certificate subject attribute xx -# %USER_CA_xx SSL User certificate issuer attribute xx +# %USER_CA_CERT_xx SSL User certificate issuer attribute xx +# %ssl::>sni SSL client SNI sent to Squid +# %ssl::{Header} HTTP request header "Header" # %>{Hdr:member} @@ -433,43 +576,101 @@ # list separator. ; can be any non-alphanumeric # character. # +# %ACL The name of the ACL being tested. +# %DATA The ACL arguments. If not used then any arguments +# is automatically added at the end of the line +# sent to the helper. +# NOTE: this will encode the arguments as one token, +# whereas the default will pass each separately. +# # %% The percent sign. Useful for helpers which need # an unchanging input format. # -# In addition to the above, any string specified in the referencing -# acl will also be included in the helper request line, after the -# specified formats (see the "acl external" directive) # -# The helper receives lines per the above format specification, -# and returns lines starting with OK or ERR indicating the validity -# of the request and optionally followed by additional keywords with -# more details. +# General request syntax: +# +# [channel-ID] FORMAT-values [acl-values ...] +# +# +# FORMAT-values consists of transaction details expanded with +# whitespace separation per the config file FORMAT specification +# using the FORMAT macros listed above. +# +# acl-values consists of any string specified in the referencing +# config 'acl ... external' line. see the "acl external" directive. +# +# Request values sent to the helper are URL escaped to protect +# each value in requests against whitespaces. +# +# If using protocol=2.5 then the request sent to the helper is not +# URL escaped to protect against whitespace. +# +# NOTE: protocol=3.0 is deprecated as no longer necessary. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# +# The helper receives lines expanded per the above format specification +# and for each input line returns 1 line starting with OK/ERR/BH result +# code and optionally followed by additional keywords with more details. +# # # General result syntax: # -# OK/ERR keyword=value ... +# [channel-ID] result keyword=value ... +# +# Result consists of one of the codes: +# +# OK +# the ACL test produced a match. +# +# ERR +# the ACL test does not produce a match. +# +# BH +# An internal error occurred in the helper, preventing +# a result being identified. +# +# The meaning of 'a match' is determined by your squid.conf +# access control configuration. See the Squid wiki for details. # # Defined keywords: # # user= The users name (login) +# # password= The users password (for login= cache_peer option) -# message= Message describing the reason. Available as %o -# in error pages -# tag= Apply a tag to a request (for both ERR and OK results) -# Only sets a tag, does not alter existing tags. +# +# message= Message describing the reason for this response. +# Available as %o in error pages. +# Useful on (ERR and BH results). +# +# tag= Apply a tag to a request. Only sets a tag once, +# does not alter existing tags. +# # log= String to be logged in access.log. Available as -# %ea in logformat specifications +# %ea in logformat specifications. # -# If protocol=3.0 (the default) then URL escaping is used to protect -# each value in both requests and responses. +# clt_conn_tag= Associates a TAG with the client TCP connection. +# Please see url_rewrite_program related documentation +# for this kv-pair. # -# If using protocol=2.5 then all values need to be enclosed in quotes -# if they may contain whitespace, or the whitespace escaped using \. -# And quotes or \ characters within the keyword value must be \ escaped. +# Any keywords may be sent on any response whether OK, ERR or BH. # -# When using the concurrency= option the protocol is changed by -# introducing a query channel tag infront of the request/response. -# The query channel tag is a number between 0 and concurrency-1. +# All response keyword values need to be a single token with URL +# escaping, or enclosed in double quotes (") and escaped using \ on +# any double quotes or \ characters within the value. The wrapping +# double quotes are removed before the value is interpreted by Squid. +# \r and \n are also replace by CR and LF. +# +# Some example key values: +# +# user=John%20Smith +# user="John Smith" +# user="J. \"Bob\" Smith" #Default: # none @@ -485,9 +686,23 @@ # # When using "file", the file should contain one item per line. # -# By default, regular expressions are CASE-SENSITIVE. -# To make them case-insensitive, use the -i option. To return case-sensitive -# use the +i option between patterns, or make a new ACL line without -i. +# Some acl types supports options which changes their default behaviour. +# The available options are: +# +# -i,+i By default, regular expressions are CASE-SENSITIVE. To make them +# case-insensitive, use the -i option. To return case-sensitive +# use the +i option between patterns, or make a new ACL line +# without -i. +# +# -n Disable lookups and address type conversions. If lookup or +# conversion is required because the parameter type (IP or +# domain name) does not match the message address type (domain +# name or IP), then the ACL would immediately declare a mismatch +# without any warnings or lookups. +# +# -- Used to stop processing all options, in the case the first acl +# value has '-' character as first character (for example the '-' +# is a valid domain name) # # Some acl types require suspending the current request in order # to access some external data source. @@ -498,29 +713,31 @@ # # ***** ACL TYPES AVAILABLE ***** # -# acl aclname src ip-address/netmask ... # clients IP address [fast] -# acl aclname src addr1-addr2/netmask ... # range of addresses [fast] -# acl aclname dst ip-address/netmask ... # URL host's IP address [slow] -# acl aclname myip ip-address/netmask ... # local socket IP address [fast] +# acl aclname src ip-address/mask ... # clients IP address [fast] +# acl aclname src addr1-addr2/mask ... # range of addresses [fast] +# acl aclname dst [-n] ip-address/mask ... # URL host's IP address [slow] +# acl aclname localip ip-address/mask ... # IP address the client connected to [fast] # # acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation) -# # The arp ACL requires the special configure option --enable-arp-acl. -# # Furthermore, the ARP ACL code is not portable to all operating systems. -# # It works on Linux, Solaris, Windows, FreeBSD, and some -# # other *BSD variants. # # [fast] +# # The 'arp' ACL code is not portable to all operating systems. +# # It works on Linux, Solaris, Windows, FreeBSD, and some other +# # BSD variants. +# # +# # NOTE: Squid can only determine the MAC/EUI address for IPv4 +# # clients that are on the same subnet. If the client is on a +# # different subnet, then Squid cannot find out its address. # # -# # NOTE: Squid can only determine the MAC address for clients that are on -# # the same subnet. If the client is on a different subnet, -# # then Squid cannot find out its MAC address. +# # NOTE 2: IPv6 protocol does not contain ARP. MAC/EUI is either +# # encoded directly in the IPv6 address or not available. # # acl aclname srcdomain .foo.com ... # # reverse lookup, from client IP [slow] -# acl aclname dstdomain .foo.com ... +# acl aclname dstdomain [-n] .foo.com ... # # Destination server from URL [fast] # acl aclname srcdom_regex [-i] \.foo\.com ... # # regex matching client name [slow] -# acl aclname dstdom_regex [-i] \.foo\.com ... +# acl aclname dstdom_regex [-n] [-i] \.foo\.com ... # # regex matching server [fast] # # # # For dstdomain and dstdom_regex a reverse lookup is tried if a IP @@ -557,13 +774,17 @@ # # acl aclname url_regex [-i] ^http:// ... # # regex matching on whole URL [fast] +# acl aclname urllogin [-i] [^a-zA-Z0-9] ... +# # regex matching on URL login field # acl aclname urlpath_regex [-i] \.gif$ ... # # regex matching on URL path [fast] # # acl aclname port 80 70 21 0-1024... # destination TCP port [fast] # # ranges are alloed -# acl aclname myport 3128 ... # local socket TCP port [fast] -# acl aclname myportname 3128 ... # http(s)_port name [fast] +# acl aclname localport 3128 ... # TCP port the client connected to [fast] +# # NP: for interception mode this is usually '80' +# +# acl aclname myportname 3128 ... # *_port name [fast] # # acl aclname proto HTTP FTP ... # request protocol [fast] # @@ -632,6 +853,11 @@ # # clients may appear to come from multiple addresses if they are # # going through proxy farms, so a limit of 1 may cause user problems. # +# acl aclname random probability +# # Pseudo-randomly match requests. Based on the probability given. +# # Probability may be written as a decimal (0.333), fraction (1/3) +# # or ratio of matches:non-matches (3:5). +# # acl aclname req_mime_type [-i] mime-type ... # # regex match against the mime type of the request generated # # by the client. Can be used to detect file upload or some @@ -663,11 +889,11 @@ # # acl aclname user_cert attribute values... # # match against attributes in a user SSL certificate -# # attribute is one of DN/C/O/CN/L/ST [fast] +# # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast] # # acl aclname ca_cert attribute values... # # match against attributes a users issuing CA SSL certificate -# # attribute is one of DN/C/O/CN/L/ST [fast] +# # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast] # # acl aclname ext_user username ... # acl aclname ext_user_regex [-i] pattern ... @@ -675,7 +901,59 @@ # # use REQUIRED to accept any non-null user name. # # acl aclname tag tagvalue ... -# # string match on tag returned by external acl helper [slow] +# # string match on tag returned by external acl helper [fast] +# # DEPRECATED. Only the first tag will match with this ACL. +# # Use the 'note' ACL instead for handling multiple tag values. +# +# acl aclname hier_code codename ... +# # string match against squid hierarchy code(s); [fast] +# # e.g., DIRECT, PARENT_HIT, NONE, etc. +# # +# # NOTE: This has no effect in http_access rules. It only has +# # effect in rules that affect the reply data stream such as +# # http_reply_access. +# +# acl aclname note name [value ...] +# # match transaction annotation [fast] +# # Without values, matches any annotation with a given name. +# # With value(s), matches any annotation with a given name that +# # also has one of the given values. +# # Names and values are compared using a string equality test. +# # Annotation sources include note and adaptation_meta directives +# # as well as helper and eCAP responses. +# +# acl aclname adaptation_service service ... +# # Matches the name of any icap_service, ecap_service, +# # adaptation_service_set, or adaptation_service_chain that Squid +# # has used (or attempted to use) for the master transaction. +# # This ACL must be defined after the corresponding adaptation +# # service is named in squid.conf. This ACL is usable with +# # adaptation_meta because it starts matching immediately after +# # the service has been selected for adaptation. +# +# acl aclname any-of acl1 acl2 ... +# # match any one of the acls [fast or slow] +# # The first matching ACL stops further ACL evaluation. +# # +# # ACLs from multiple any-of lines with the same name are ORed. +# # For example, A = (a1 or a2) or (a3 or a4) can be written as +# # acl A any-of a1 a2 +# # acl A any-of a3 a4 +# # +# # This group ACL is fast if all evaluated ACLs in the group are fast +# # and slow otherwise. +# +# acl aclname all-of acl1 acl2 ... +# # match all of the acls [fast or slow] +# # The first mismatching ACL stops further ACL evaluation. +# # +# # ACLs from multiple all-of lines with the same name are ORed. +# # For example, B = (b1 and b2) or (b3 and b4) can be written as +# # acl B all-of b1 b2 +# # acl B all-of b3 b4 +# # +# # This group ACL is fast if all evaluated ACLs in the group are fast +# # and slow otherwise. # # Examples: # acl macaddress arp 09:00:2b:23:45:67 @@ -685,14 +963,11 @@ # acl javascript rep_mime_type -i ^application/x-javascript$ # #Default: -# acl all src all +# ACLs all, manager, localhost, and to_localhost are predefined. # # # Recommended minimum configuration: -# (now built-in) -#acl manager proto cache_object -#acl localhost src 127.0.0.1/32 ::1 -#acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1 +# # Example rule allowing access from your local networks. # Adapt to list your (internal) IP networks from where browsing @@ -716,39 +991,83 @@ acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT +# TAG: proxy_protocol_access +# Determine which client proxies can be trusted to provide correct +# information regarding real client IP address using PROXY protocol. +# +# Requests may pass through a chain of several other proxies +# before reaching us. The original source details may by sent in: +# * HTTP message Forwarded header, or +# * HTTP message X-Forwarded-For header, or +# * PROXY protocol connection header. +# +# This directive is solely for validating new PROXY protocol +# connections received from a port flagged with require-proxy-header. +# It is checked only once after TCP connection setup. +# +# A deny match results in TCP connection closure. +# +# An allow match is required for Squid to permit the corresponding +# TCP connection, before Squid even looks for HTTP request headers. +# If there is an allow match, Squid starts using PROXY header information +# to determine the source address of the connection for all future ACL +# checks, logging, etc. +# +# SECURITY CONSIDERATIONS: +# +# Any host from which we accept client IP details can place +# incorrect information in the relevant header, and Squid +# will use the incorrect information as if it were the +# source address of the request. This may enable remote +# hosts to bypass any access control restrictions that are +# based on the client's source addresses. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# all TCP connections to ports with require-proxy-header will be denied + # TAG: follow_x_forwarded_for -# Allowing or Denying the X-Forwarded-For header to be followed to -# find the original source of a request. +# Determine which client proxies can be trusted to provide correct +# information regarding real client IP address. # # Requests may pass through a chain of several other proxies -# before reaching us. The X-Forwarded-For header will contain a -# comma-separated list of the IP addresses in the chain, with the -# rightmost address being the most recent. +# before reaching us. The original source details may by sent in: +# * HTTP message Forwarded header, or +# * HTTP message X-Forwarded-For header, or +# * PROXY protocol connection header. +# +# PROXY protocol connections are controlled by the proxy_protocol_access +# directive which is checked before this. # # If a request reaches us from a source that is allowed by this -# configuration item, then we consult the X-Forwarded-For header -# to see where that host received the request from. If the -# X-Forwarded-For header contains multiple addresses, we continue -# backtracking until we reach an address for which we are not allowed -# to follow the X-Forwarded-For header, or until we reach the first -# address in the list. For the purpose of ACL used in the -# follow_x_forwarded_for directive the src ACL type always matches -# the address we are testing and srcdomain matches its rDNS. +# directive, then we trust the information it provides regarding +# the IP of the client it received from (if any). +# +# For the purpose of ACLs used in this directive the src ACL type always +# matches the address we are testing and srcdomain matches its rDNS. +# +# On each HTTP request Squid checks for X-Forwarded-For header fields. +# If found the header values are iterated in reverse order and an allow +# match is required for Squid to continue on to the next value. +# The verification ends when a value receives a deny match, cannot be +# tested, or there are no more values to test. +# NOTE: Squid does not yet follow the Forwarded HTTP header. # # The end result of this process is an IP address that we will # refer to as the indirect client address. This address may # be treated as the client address for access control, ICAP, delay # pools and logging, depending on the acl_uses_indirect_client, -# icap_uses_indirect_client, delay_pool_uses_indirect_client and -# log_uses_indirect_client options. +# icap_uses_indirect_client, delay_pool_uses_indirect_client, +# log_uses_indirect_client and tproxy_uses_indirect_client options. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # # SECURITY CONSIDERATIONS: # -# Any host for which we follow the X-Forwarded-For header -# can place incorrect information in the header, and Squid +# Any host from which we accept client IP details can place +# incorrect information in the relevant header, and Squid # will use the incorrect information as if it were the # source address of the request. This may enable remote # hosts to bypass any access control restrictions that are @@ -761,7 +1080,7 @@ acl CONNECT method CONNECT # follow_x_forwarded_for allow localhost # follow_x_forwarded_for allow my_other_proxy #Default: -# follow_x_forwarded_for deny all +# X-Forwarded-For header will be ignored. # TAG: acl_uses_indirect_client on|off # Controls whether the indirect client address @@ -787,10 +1106,41 @@ acl CONNECT method CONNECT #Default: # log_uses_indirect_client on +# TAG: tproxy_uses_indirect_client on|off +# Controls whether the indirect client address +# (see follow_x_forwarded_for) is used instead of the +# direct client address when spoofing the outgoing client. +# +# This has no effect on requests arriving in non-tproxy +# mode ports. +# +# SECURITY WARNING: Usage of this option is dangerous +# and should not be used trivially. Correct configuration +# of follow_x_forwarded_for with a limited set of trusted +# sources is required to prevent abuse of your proxy. +#Default: +# tproxy_uses_indirect_client off + +# TAG: spoof_client_ip +# Control client IP address spoofing of TPROXY traffic based on +# defined access lists. +# +# spoof_client_ip allow|deny [!]aclname ... +# +# If there are no "spoof_client_ip" lines present, the default +# is to "allow" spoofing of any suitable request. +# +# Note that the cache_peer "no-tproxy" option overrides this ACL. +# +# This clause supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Allow spoofing on all TPROXY traffic. + # TAG: http_access # Allowing or Denying access based on defined access lists # -# Access to the HTTP port: +# To allow or deny a message received on an HTTP, HTTPS, or FTP port: # http_access allow|deny [!]aclname ... # # NOTE on default values: @@ -809,22 +1159,22 @@ acl CONNECT method CONNECT # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # #Default: -# http_access deny all +# Deny, unless rules exist in squid.conf. # # # Recommended minimum Access Permission configuration: # -# Only allow cachemgr access from localhost -http_access allow manager localhost -http_access deny manager - # Deny requests to certain unsafe ports http_access deny !Safe_ports # Deny CONNECT to other than secure SSL ports http_access deny CONNECT !SSL_ports +# Only allow cachemgr access from localhost +http_access allow localhost manager +http_access deny manager + # We strongly recommend the following be uncommented to protect innocent # web applications running on the proxy server who think the only # one who can access services on "localhost" is a local user @@ -852,7 +1202,7 @@ http_access deny all # # If not set then only http_access is used. #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: http_reply_access # Allow replies to client requests. This is complementary to http_access. @@ -860,7 +1210,7 @@ http_access deny all # http_reply_access allow|deny [!] aclname ... # # NOTE: if there are no access lines present, the default is to allow -# all replies +# all replies. # # If none of the access lines cause a match the opposite of the # last line will apply. Thus it is good practice to end the rules @@ -869,7 +1219,7 @@ http_access deny all # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: icp_access # Allowing or Denying access to the ICP port based on defined @@ -877,7 +1227,9 @@ http_access deny all # # icp_access allow|deny [!]aclname ... # -# See http_access for details +# NOTE: The default if no icp_access lines are present is to +# deny all traffic. This default may cause problems with peers +# using ICP. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. @@ -886,7 +1238,7 @@ http_access deny all ##icp_access allow localnet ##icp_access deny all #Default: -# icp_access deny all +# Deny, unless rules exist in squid.conf. # TAG: htcp_access # Allowing or Denying access to the HTCP port based on defined @@ -894,11 +1246,12 @@ http_access deny all # # htcp_access allow|deny [!]aclname ... # -# See http_access for details +# See also htcp_clr_access for details on access control for +# cache purge (CLR) HTCP messages. # # NOTE: The default if no htcp_access lines are present is to # deny all traffic. This default may cause problems with peers -# using the htcp or htcp-oldsquid options. +# using the htcp option. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. @@ -907,48 +1260,47 @@ http_access deny all ##htcp_access allow localnet ##htcp_access deny all #Default: -# htcp_access deny all +# Deny, unless rules exist in squid.conf. # TAG: htcp_clr_access # Allowing or Denying access to purge content using HTCP based -# on defined access lists +# on defined access lists. +# See htcp_access for details on general HTCP access control. # # htcp_clr_access allow|deny [!]aclname ... # -# See http_access for details -# # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # ## Allow HTCP CLR requests from trusted peers -#acl htcp_clr_peer src 172.16.1.2 +#acl htcp_clr_peer src 192.0.2.2 2001:DB8::2 #htcp_clr_access allow htcp_clr_peer +#htcp_clr_access deny all #Default: -# htcp_clr_access deny all +# Deny, unless rules exist in squid.conf. # TAG: miss_access -# Determins whether network access is permitted when satisfying a request. +# Determines whether network access is permitted when satisfying a request. # # For example; # to force your neighbors to use you as a sibling instead of # a parent. # -# acl localclients src 172.16.0.0/16 -# miss_access allow localclients +# acl localclients src 192.0.2.0/24 2001:DB8::a:0/64 # miss_access deny !localclients +# miss_access allow all # # This means only your local clients are allowed to fetch relayed/MISS # replies from the network and all other clients can only fetch cached # objects (HITs). # -# # The default for this setting allows all clients who passed the # http_access rules to relay via this proxy. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# miss_access allow all +# Allow, unless rules exist in squid.conf. # TAG: ident_lookup_access # A list of ACL elements which, if matched, cause an ident @@ -972,7 +1324,7 @@ http_access deny all # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# ident_lookup_access deny all +# Unless rules exist in squid.conf, IDENT is not fetched. # TAG: reply_body_max_size size [acl acl...] # This option specifies the maximum size of a reply body. It can be @@ -1009,23 +1361,22 @@ http_access deny all # reply_body_max_size 10 MB # #Default: -# none +# No limit is applied. # NETWORK OPTIONS # ----------------------------------------------------------------------------- # TAG: http_port -# Usage: port [options] -# hostname:port [options] -# 1.2.3.4:port [options] +# Usage: port [mode] [options] +# hostname:port [mode] [options] +# 1.2.3.4:port [mode] [options] # # The socket addresses where Squid will listen for HTTP client # requests. You may specify multiple socket addresses. # There are three forms: port alone, hostname with port, and # IP address with port. If you specify a hostname or IP # address, Squid binds the socket to that specific -# address. This replaces the old 'tcp_incoming_address' -# option. Most likely, you do not need to bind to a specific +# address. Most likely, you do not need to bind to a specific # address, so you can use the port number alone. # # If you are running Squid in accelerator mode, you @@ -1037,48 +1388,184 @@ http_access deny all # # You may specify multiple socket addresses on multiple lines. # -# Options: +# Modes: # -# intercept Support for IP-Layer interception of -# outgoing requests without browser settings. -# NP: disables authentication and IPv6 on the port. +# intercept Support for IP-Layer NAT interception delivering +# traffic to this Squid port. +# NP: disables authentication on the port. # -# tproxy Support Linux TPROXY for spoofing outgoing -# connections using the client IP address. -# NP: disables authentication and maybe IPv6 on the port. +# tproxy Support Linux TPROXY (or BSD divert-to) with spoofing +# of outgoing connections using the client IP address. +# NP: disables authentication on the port. # -# accel Accelerator mode. Also needs at least one of -# vhost / vport / defaultsite. +# accel Accelerator / reverse proxy mode # -# allow-direct Allow direct forwarding in accelerator mode. Normally -# accelerated requests are denied direct forwarding as if -# never_direct was used. +# ssl-bump For each CONNECT request allowed by ssl_bump ACLs, +# establish secure connection with the client and with +# the server, decrypt HTTPS messages as they pass through +# Squid, and treat them as unencrypted HTTP messages, +# becoming the man-in-the-middle. # -# defaultsite=domainname -# What to use for the Host: header if it is not present -# in a request. Determines what site (not origin server) -# accelerators should consider the default. -# Implies accel. +# The ssl_bump option is required to fully enable +# bumping of CONNECT requests. +# +# Omitting the mode flag causes default forward proxy mode to be used. +# +# +# Accelerator Mode Options: +# +# defaultsite=domainname +# What to use for the Host: header if it is not present +# in a request. Determines what site (not origin server) +# accelerators should consider the default. # -# vhost Accelerator mode using Host header for virtual domain support. -# Also uses the port as specified in Host: header unless -# overridden by the vport option. Implies accel. +# no-vhost Disable using HTTP/1.1 Host header for virtual domain support. +# +# protocol= Protocol to reconstruct accelerated and intercepted +# requests with. Defaults to HTTP/1.1 for http_port and +# HTTPS/1.1 for https_port. +# When an unsupported value is configured Squid will +# produce a FATAL error. +# Values: HTTP or HTTP/1.1, HTTPS or HTTPS/1.1 # # vport Virtual host port support. Using the http_port number -# instead of the port passed on Host: headers. Implies accel. +# instead of the port passed on Host: headers. # # vport=NN Virtual host port support. Using the specified port # number instead of the port passed on Host: headers. -# Implies accel. # -# protocol= Protocol to reconstruct accelerated requests with. -# Defaults to http. +# act-as-origin +# Act as if this Squid is the origin server. +# This currently means generate new Date: and Expires: +# headers on HIT instead of adding Age:. # # ignore-cc Ignore request Cache-Control headers. # -# Warning: This option violates HTTP specifications if +# WARNING: This option violates HTTP specifications if # used in non-accelerator setups. # +# allow-direct Allow direct forwarding in accelerator mode. Normally +# accelerated requests are denied direct forwarding as if +# never_direct was used. +# +# WARNING: this option opens accelerator mode to security +# vulnerabilities usually only affecting in interception +# mode. Make sure to protect forwarding with suitable +# http_access rules when using this. +# +# +# SSL Bump Mode Options: +# In addition to these options ssl-bump requires TLS/SSL options. +# +# generate-host-certificates[=] +# Dynamically create SSL server certificates for the +# destination hosts of bumped CONNECT requests.When +# enabled, the cert and key options are used to sign +# generated certificates. Otherwise generated +# certificate will be selfsigned. +# If there is a CA certificate lifetime of the generated +# certificate equals lifetime of the CA certificate. If +# generated certificate is selfsigned lifetime is three +# years. +# This option is disabled by default. See the ssl-bump +# option above for more information. +# +# dynamic_cert_mem_cache_size=SIZE +# Approximate total RAM size spent on cached generated +# certificates. If set to zero, caching is disabled. +# +# TLS / SSL Options: +# +# cert= Path to SSL certificate (PEM format). +# +# key= Path to SSL private key file (PEM format) +# if not specified, the certificate file is +# assumed to be a combined certificate and +# key file. +# +# version= The version of SSL/TLS supported +# 1 automatic (default) +# 2 SSLv2 only +# 3 SSLv3 only +# 4 TLSv1.0 only +# 5 TLSv1.1 only +# 6 TLSv1.2 only +# +# cipher= Colon separated list of supported ciphers. +# NOTE: some ciphers such as EDH ciphers depend on +# additional settings. If those settings are +# omitted the ciphers may be silently ignored +# by the OpenSSL library. +# +# options= Various SSL implementation options. The most important +# being: +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# SINGLE_DH_USE Always create a new key when using +# temporary/ephemeral DH key exchanges +# NO_TICKET Disables TLS tickets extension +# +# SINGLE_ECDH_USE +# Enable ephemeral ECDH key exchange. +# The adopted curve should be specified +# using the tls-dh option. +# +# ALL Enable various bug workarounds +# suggested as "harmless" by OpenSSL +# Be warned that this reduces SSL/TLS +# strength to some attacks. +# See OpenSSL SSL_CTX_set_options documentation for a +# complete list of options. +# +# clientca= File containing the list of CAs to use when +# requesting a client certificate. +# +# cafile= File containing additional CA certificates to +# use when verifying client certificates. If unset +# clientca will be used. +# +# capath= Directory containing additional CA certificates +# and CRL lists to use when verifying client certificates. +# +# crlfile= File of additional CRL lists to use when verifying +# the client certificate, in addition to CRLs stored in +# the capath. Implies VERIFY_CRL flag below. +# +# tls-dh=[curve:]file +# File containing DH parameters for temporary/ephemeral DH key +# exchanges, optionally prefixed by a curve for ephemeral ECDH +# key exchanges. +# See OpenSSL documentation for details on how to create the +# DH parameter file. Supported curves for ECDH can be listed +# using the "openssl ecparam -list_curves" command. +# WARNING: EDH and EECDH ciphers will be silently disabled if +# this option is not set. +# +# sslflags= Various flags modifying the use of SSL: +# DELAYED_AUTH +# Don't request client certificates +# immediately, but wait until acl processing +# requires a certificate (not yet implemented). +# NO_DEFAULT_CA +# Don't use the default CA lists built in +# to OpenSSL. +# NO_SESSION_REUSE +# Don't allow for session reuse. Each connection +# will result in a new SSL session. +# VERIFY_CRL +# Verify CRL lists when accepting client +# certificates. +# VERIFY_CRL_ALL +# Verify CRL lists for all certificates in the +# client certificate chain. +# +# sslcontext= SSL session ID context identifier. +# +# Other Options: +# # connection-auth[=on|off] # use connection-auth=off to tell Squid to prevent # forwarding Microsoft connection oriented authentication @@ -1100,22 +1587,6 @@ http_access deny all # sporadically hang or never complete requests set # disable-pmtu-discovery option to 'transparent'. # -# ssl-bump Intercept each CONNECT request matching ssl_bump ACL, -# establish secure connection with the client and with -# the server, decrypt HTTP messages as they pass through -# Squid, and treat them as unencrypted HTTP messages, -# becoming the man-in-the-middle. -# -# When this option is enabled, additional options become -# available to specify SSL-related properties of the -# client-side connection: cert, key, version, cipher, -# options, clientca, cafile, capath, crlfile, dhparams, -# sslflags, and sslcontext. See the https_port directive -# for more information on these options. -# -# The ssl_bump option is required to fully enable -# the SslBump feature. -# # name= Specifies a internal name for the port. Defaults to # the port specification (port or addr:port) # @@ -1125,6 +1596,11 @@ http_access deny all # probing the connection, interval how often to probe, and # timeout the time before giving up. # +# require-proxy-header +# Require PROXY protocol version 1 or 2 connections. +# The proxy_protocol_access is required to whitelist +# downstream proxies which can be trusted. +# # If you run Squid on a dual-homed machine with an internal # and an external interface we recommend you to specify the # internal address:port in http_port. This way Squid will only be @@ -1137,35 +1613,49 @@ http_port 3128 # TAG: https_port # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # -# Usage: [ip:]port cert=certificate.pem [key=key.pem] [options...] +# Usage: [ip:]port cert=certificate.pem [key=key.pem] [mode] [options...] # -# The socket address where Squid will listen for HTTPS client -# requests. +# The socket address where Squid will listen for client requests made +# over TLS or SSL connections. Commonly referred to as HTTPS. # -# This is really only useful for situations where you are running -# squid in accelerator mode and you want to do the SSL work at the -# accelerator level. +# This is most useful for situations where you are running squid in +# accelerator mode and you want to do the SSL work at the accelerator level. # # You may specify multiple socket addresses on multiple lines, # each with their own SSL certificate and/or options. # -# Options: +# Modes: +# +# accel Accelerator / reverse proxy mode +# +# intercept Support for IP-Layer interception of +# outgoing requests without browser settings. +# NP: disables authentication and IPv6 on the port. +# +# tproxy Support Linux TPROXY for spoofing outgoing +# connections using the client IP address. +# NP: disables authentication and maybe IPv6 on the port. +# +# ssl-bump For each intercepted connection allowed by ssl_bump +# ACLs, establish a secure connection with the client and with +# the server, decrypt HTTPS messages as they pass through +# Squid, and treat them as unencrypted HTTP messages, +# becoming the man-in-the-middle. +# +# An "ssl_bump server-first" match is required to +# fully enable bumping of intercepted SSL connections. +# +# Requires tproxy or intercept. # -# accel Accelerator mode. Also needs at least one of -# defaultsite or vhost. +# Omitting the mode flag causes default forward proxy mode to be used. # -# defaultsite= The name of the https site presented on -# this port. Implies accel. # -# vhost Accelerator mode using Host header for virtual -# domain support. Requires a wildcard certificate -# or other certificate valid for more than one domain. -# Implies accel. +# See http_port for a list of generic options # -# protocol= Protocol to reconstruct accelerated requests with. -# Defaults to https. +# +# SSL Options: # # cert= Path to SSL certificate (PEM format). # @@ -1181,20 +1671,23 @@ http_port 3128 # 4 TLSv1 only # # cipher= Colon separated list of supported ciphers. -# NOTE: some ciphers such as EDH ciphers depend on -# additional settings. If those settings are -# omitted the ciphers may be silently ignored -# by the OpenSSL library. # # options= Various SSL engine options. The most important # being: # NO_SSLv2 Disallow the use of SSLv2 # NO_SSLv3 Disallow the use of SSLv3 # NO_TLSv1 Disallow the use of TLSv1 +# # SINGLE_DH_USE Always create a new key when using # temporary/ephemeral DH key exchanges -# See OpenSSL SSL_CTX_set_options documentation for a -# complete list of options. +# +# SINGLE_ECDH_USE +# Enable ephemeral ECDH key exchange. +# The adopted curve should be specified +# using the tls-dh option. +# +# See src/ssl_support.c or OpenSSL SSL_CTX_set_options +# documentation for a complete list of options. # # clientca= File containing the list of CAs to use when # requesting a client certificate. @@ -1210,11 +1703,10 @@ http_port 3128 # the client certificate, in addition to CRLs stored in # the capath. Implies VERIFY_CRL flag below. # -# dhparams= File containing DH parameters for temporary/ephemeral -# DH key exchanges. See OpenSSL documentation for details -# on how to create this file. -# WARNING: EDH ciphers will be silently disabled if this -# option is not set. +# tls-dh=[curve:]file +# File containing DH parameters for temporary/ephemeral DH key +# exchanges, optionally prefixed by a curve for ephemeral ECDH +# key exchanges. # # sslflags= Various flags modifying the use of SSL: # DELAYED_AUTH @@ -1238,38 +1730,89 @@ http_port 3128 # # generate-host-certificates[=] # Dynamically create SSL server certificates for the -# destination hosts of bumped CONNECT requests.When +# destination hosts of bumped SSL requests.When # enabled, the cert and key options are used to sign # generated certificates. Otherwise generated # certificate will be selfsigned. -# If there is CA certificate life time of generated +# If there is CA certificate life time of generated # certificate equals lifetime of CA certificate. If -# generated certificate is selfsigned lifetime is three +# generated certificate is selfsigned lifetime is three # years. -# This option is enabled by default when SslBump is used. -# See the sslBump option above for more information. -# +# This option is disabled by default. See the ssl-bump +# option above for more information. +# # dynamic_cert_mem_cache_size=SIZE # Approximate total RAM size spent on cached generated -# certificates. If set to zero, caching is disabled. The -# default value is 4MB. An average XXX-bit certificate -# consumes about XXX bytes of RAM. +# certificates. If set to zero, caching is disabled. # -# vport Accelerator with IP based virtual host support. +# See http_port for a list of available options. +#Default: +# none + +# TAG: ftp_port +# Enables Native FTP proxy by specifying the socket address where Squid +# listens for FTP client requests. See http_port directive for various +# ways to specify the listening address and mode. # -# vport=NN As above, but uses specified port number rather -# than the https_port number. Implies accel. +# Usage: ftp_port address [mode] [options] # -# name= Specifies a internal name for the port. Defaults to -# the port specification (port or addr:port) +# WARNING: This is a new, experimental, complex feature that has seen +# limited production exposure. Some Squid modules (e.g., caching) do not +# currently work with native FTP proxying, and many features have not +# even been tested for compatibility. Test well before deploying! +# +# Native FTP proxying differs substantially from proxying HTTP requests +# with ftp:// URIs because Squid works as an FTP server and receives +# actual FTP commands (rather than HTTP requests with FTP URLs). # +# Native FTP commands accepted at ftp_port are internally converted or +# wrapped into HTTP-like messages. The same happens to Native FTP +# responses received from FTP origin servers. Those HTTP-like messages +# are shoveled through regular access control and adaptation layers +# between the FTP client and the FTP origin server. This allows Squid to +# examine, adapt, block, and log FTP exchanges. Squid reuses most HTTP +# mechanisms when shoveling wrapped FTP messages. For example, +# http_access and adaptation_access directives are used. +# +# Modes: +# +# intercept Same as http_port intercept. The FTP origin address is +# determined based on the intended destination of the +# intercepted connection. +# +# tproxy Support Linux TPROXY for spoofing outgoing +# connections using the client IP address. +# NP: disables authentication and maybe IPv6 on the port. +# +# By default (i.e., without an explicit mode option), Squid extracts the +# FTP origin address from the login@origin parameter of the FTP USER +# command. Many popular FTP clients support such native FTP proxying. +# +# Options: +# +# name=token Specifies an internal name for the port. Defaults to +# the port address. Usable with myportname ACL. +# +# ftp-track-dirs +# Enables tracking of FTP directories by injecting extra +# PWD commands and adjusting Request-URI (in wrapping +# HTTP requests) to reflect the current FTP server +# directory. Tracking is disabled by default. +# +# protocol=FTP Protocol to reconstruct accelerated and intercepted +# requests with. Defaults to FTP. No other accepted +# values have been tested with. An unsupported value +# results in a FATAL error. Accepted values are FTP, +# HTTP (or HTTP/1.1), and HTTPS (or HTTPS/1.1). +# +# Other http_port modes and options that are not specific to HTTP and +# HTTPS may also work. #Default: # none # TAG: tcp_outgoing_tos -# Allows you to select a TOS/Diffserv value to mark outgoing -# connections with, based on the username or source address -# making the request. +# Allows you to select a TOS/Diffserv value for packets outgoing +# on the server side, based on an ACL. # # tcp_outgoing_tos ds-field [!]aclname ... # @@ -1286,41 +1829,116 @@ http_port 3128 # RFC2475, and RFC3260. # # The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or -# "default" to use whatever default your host has. Note that in -# practice often only multiples of 4 is usable as the two rightmost bits -# have been redefined for use by ECN (RFC 3168 section 23.1). +# "default" to use whatever default your host has. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. # # Processing proceeds in the order specified, and stops at first fully # matching line. # -# Note: The use of this directive using client dependent ACLs is -# incompatible with the use of server side persistent connections. To -# ensure correct results it is best to set server_persistent_connections -# to off when using this directive in such configurations. +# Only fast ACLs are supported. #Default: # none # TAG: clientside_tos -# Allows you to select a TOS/Diffserv value to mark client-side -# connections with, based on the username or source address -# making the request. +# Allows you to select a TOS/DSCP value for packets being transmitted +# on the client-side, based on an ACL. +# +# clientside_tos ds-field [!]aclname ... +# +# Example where normal_service_net uses the TOS value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# clientside_tos 0x00 normal_service_net +# clientside_tos 0x20 good_service_net +# +# Note: This feature is incompatible with qos_flows. Any TOS values set here +# will be overwritten by TOS values in qos_flows. +# +# The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or +# "default" to use whatever default your host has. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. +# +#Default: +# none + +# TAG: tcp_outgoing_mark +# Note: This option is only available if Squid is rebuilt with the +# Packet MARK (Linux) +# +# Allows you to apply a Netfilter mark value to outgoing packets +# on the server side, based on an ACL. +# +# tcp_outgoing_mark mark-value [!]aclname ... +# +# Example where normal_service_net uses the mark value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# tcp_outgoing_mark 0x00 normal_service_net +# tcp_outgoing_mark 0x20 good_service_net +# +# Only fast ACLs are supported. +#Default: +# none + +# TAG: clientside_mark +# Note: This option is only available if Squid is rebuilt with the +# Packet MARK (Linux) +# +# Allows you to apply a Netfilter mark value to packets being transmitted +# on the client-side, based on an ACL. +# +# clientside_mark mark-value [!]aclname ... +# +# Example where normal_service_net uses the mark value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# clientside_mark 0x00 normal_service_net +# clientside_mark 0x20 good_service_net +# +# Note: This feature is incompatible with qos_flows. Any mark values set here +# will be overwritten by mark values in qos_flows. #Default: # none # TAG: qos_flows # Allows you to select a TOS/DSCP value to mark outgoing -# connections with, based on where the reply was sourced. +# connections to the client, based on where the reply was sourced. +# For platforms using netfilter, allows you to set a netfilter mark +# value instead of, or in addition to, a TOS value. +# +# By default this functionality is disabled. To enable it with the default +# settings simply use "qos_flows mark" or "qos_flows tos". Default +# settings will result in the netfilter mark or TOS value being copied +# from the upstream connection to the client. Note that it is the connection +# CONNMARK value not the packet MARK value that is copied. +# +# It is not currently possible to copy the mark or TOS value from the +# client to the upstream connection request. # # TOS values really only have local significance - so you should # know what you're specifying. For more information, see RFC2474, # RFC2475, and RFC3260. # -# The TOS/DSCP byte must be exactly that - octet value 0x00-0xFF. -# Note that in practice often only values up to 0x3F are usable -# as the two highest bits have been redefined for use by ECN -# (RFC3168). +# The TOS/DSCP byte must be exactly that - a octet value 0 - 255. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. +# +# Mark values can be any unsigned 32-bit integer value. # -# This setting is configured by setting the source TOS values: +# This setting is configured by setting the following values: +# +# tos|mark Whether to set TOS or netfilter mark values # # local-hit=0xFF Value to mark local cache hits. # @@ -1328,23 +1946,37 @@ http_port 3128 # # parent-hit=0xFF Value to mark hits from parent peers. # +# miss=0xFF[/mask] Value to mark cache misses. Takes precedence +# over the preserve-miss feature (see below), unless +# mask is specified, in which case only the bits +# specified in the mask are written. # -# NOTE: 'miss' preserve feature is only possible on Linux at this time. -# -# For the following to work correctly, you will need to patch your -# linux kernel with the TOS preserving ZPH patch. -# The kernel patch can be downloaded from http://zph.bratcheda.org +# The TOS variant of the following features are only possible on Linux +# and require your kernel to be patched with the TOS preserving ZPH +# patch, available from http://zph.bratcheda.org +# No patch is needed to preserve the netfilter mark, which will work +# with all variants of netfilter. # # disable-preserve-miss -# By default, the existing TOS value of the response coming -# from the remote server will be retained and masked with -# miss-mark. This option disables that feature. +# This option disables the preservation of the TOS or netfilter +# mark. By default, the existing TOS or netfilter mark value of +# the response coming from the remote server will be retained +# and masked with miss-mark. +# NOTE: in the case of a netfilter mark, the mark must be set on +# the connection (using the CONNMARK target) not on the packet +# (MARK target). # # miss-mask=0xFF -# Allows you to mask certain bits in the TOS received from the -# remote server, before copying the value to the TOS sent -# towards clients. -# Default: 0xFF (TOS from server is not changed). +# Allows you to mask certain bits in the TOS or mark value +# received from the remote server, before copying the value to +# the TOS sent towards clients. +# Default for tos: 0xFF (TOS from server is not changed). +# Default for mark: 0xFFFFFFFF (mark from server is not changed). +# +# All of these features require the --enable-zph-qos compilation flag +# (enabled by default). Netfilter marking also requires the +# libnetfilter_conntrack libraries (--with-netfilter-conntrack) and +# libcap 2.09+ (--with-libcap). # #Default: # none @@ -1356,72 +1988,133 @@ http_port 3128 # # tcp_outgoing_address ipaddr [[!]aclname] ... # -# Example where requests from 10.0.0.0/24 will be forwarded -# with source address 10.1.0.1, 10.0.2.0/24 forwarded with -# source address 10.1.0.2 and the rest will be forwarded with -# source address 10.1.0.3. -# -# acl normal_service_net src 10.0.0.0/24 -# acl good_service_net src 10.0.2.0/24 -# tcp_outgoing_address 10.1.0.1 normal_service_net -# tcp_outgoing_address 10.1.0.2 good_service_net -# tcp_outgoing_address 10.1.0.3 -# -# Processing proceeds in the order specified, and stops at first fully -# matching line. -# -# Note: The use of this directive using client dependent ACLs is -# incompatible with the use of server side persistent connections. To -# ensure correct results it is best to set server_persistent_connections -# to off when using this directive in such configurations. -# +# For example; +# Forwarding clients with dedicated IPs for certain subnets. # -# IPv6 Magic: +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.2.0/24 # -# Squid is built with a capability of bridging the IPv4 and IPv6 -# internets. -# tcp_outgoing_address as exampled above breaks this bridging by forcing -# all outbound traffic through a certain IPv4 which may be on the wrong -# side of the IPv4/IPv6 boundary. +# tcp_outgoing_address 2001:db8::c001 good_service_net +# tcp_outgoing_address 10.1.0.2 good_service_net # -# To operate with tcp_outgoing_address and keep the bridging benefits -# an additional ACL needs to be used which ensures the IPv6-bound traffic -# is never forced or permitted out the IPv4 interface. +# tcp_outgoing_address 2001:db8::beef normal_service_net +# tcp_outgoing_address 10.1.0.1 normal_service_net # -# # IPv6 destination test along with a dummy access control to perform the required DNS -# # This MUST be place before any ALLOW rules. -# acl to_ipv6 dst ipv6 -# http_access deny ipv6 !all +# tcp_outgoing_address 2001:db8::1 +# tcp_outgoing_address 10.1.0.3 # -# tcp_outgoing_address 2001:db8::c001 good_service_net to_ipv6 -# tcp_outgoing_address 10.1.0.2 good_service_net !to_ipv6 +# Processing proceeds in the order specified, and stops at first fully +# matching line. # -# tcp_outgoing_address 2001:db8::beef normal_service_net to_ipv6 -# tcp_outgoing_address 10.1.0.1 normal_service_net !to_ipv6 +# Squid will add an implicit IP version test to each line. +# Requests going to IPv4 websites will use the outgoing 10.1.0.* addresses. +# Requests going to IPv6 websites will use the outgoing 2001:db8:* addresses. # -# tcp_outgoing_address 2001:db8::1 to_ipv6 -# tcp_outgoing_address 10.1.0.3 !to_ipv6 # -# WARNING: -# 'dst ipv6' bases its selection assuming DIRECT access. -# If peers are used the peername ACL are needed to select outgoing -# address which can link to the peer. +# NOTE: The use of this directive using client dependent ACLs is +# incompatible with the use of server side persistent connections. To +# ensure correct results it is best to set server_persistent_connections +# to off when using this directive in such configurations. # -# 'dst ipv6' is a slow ACL. It will only work here if 'dst' is used -# previously in the http_access rules to locate the destination IP. -# Some more magic may be needed for that: -# http_access allow to_ipv6 !all -# (meaning, allow if to IPv6 but not from anywhere ;) +# NOTE: The use of this directive to set a local IP on outgoing TCP links +# is incompatible with using TPROXY to set client IP out outbound TCP links. +# When needing to contact peers use the no-tproxy cache_peer option and the +# client_dst_passthru directive re-enable normal forwarding such as this. # #Default: -# none +# Address selection is performed by the operating system. + +# TAG: host_verify_strict +# Regardless of this option setting, when dealing with intercepted +# traffic, Squid always verifies that the destination IP address matches +# the Host header domain or IP (called 'authority form URL'). +# +# This enforcement is performed to satisfy a MUST-level requirement in +# RFC 2616 section 14.23: "The Host field value MUST represent the naming +# authority of the origin server or gateway given by the original URL". +# +# When set to ON: +# Squid always responds with an HTTP 409 (Conflict) error +# page and logs a security warning if there is no match. +# +# Squid verifies that the destination IP address matches +# the Host header for forward-proxy and reverse-proxy traffic +# as well. For those traffic types, Squid also enables the +# following checks, comparing the corresponding Host header +# and Request-URI components: +# +# * The host names (domain or IP) must be identical, +# but valueless or missing Host header disables all checks. +# For the two host names to match, both must be either IP +# or FQDN. +# +# * Port numbers must be identical, but if a port is missing +# the scheme-default port is assumed. +# +# +# When set to OFF (the default): +# Squid allows suspicious requests to continue but logs a +# security warning and blocks caching of the response. +# +# * Forward-proxy traffic is not checked at all. +# +# * Reverse-proxy traffic is not checked at all. +# +# * Intercepted traffic which passes verification is handled +# according to client_dst_passthru. +# +# * Intercepted requests which fail verification are sent +# to the client original destination instead of DIRECT. +# This overrides 'client_dst_passthru off'. +# +# For now suspicious intercepted CONNECT requests are always +# responded to with an HTTP 409 (Conflict) error page. +# +# +# SECURITY NOTE: +# +# As described in CVE-2009-0801 when the Host: header alone is used +# to determine the destination of a request it becomes trivial for +# malicious scripts on remote websites to bypass browser same-origin +# security policy and sandboxing protections. +# +# The cause of this is that such applets are allowed to perform their +# own HTTP stack, in which case the same-origin policy of the browser +# sandbox only verifies that the applet tries to contact the same IP +# as from where it was loaded at the IP level. The Host: header may +# be different from the connected IP and approved origin. +# +#Default: +# host_verify_strict off + +# TAG: client_dst_passthru +# With NAT or TPROXY intercepted traffic Squid may pass the request +# directly to the original client destination IP or seek a faster +# source using the HTTP Host header. +# +# Using Host to locate alternative servers can provide faster +# connectivity with a range of failure recovery options. +# But can also lead to connectivity trouble when the client and +# server are attempting stateful interactions unaware of the proxy. +# +# This option (on by default) prevents alternative DNS entries being +# located to send intercepted traffic DIRECT to an origin server. +# The clients original destination IP and port will be used instead. +# +# Regardless of this option setting, when dealing with intercepted +# traffic Squid will verify the Host: header and any traffic which +# fails Host verification will be treated as if this option were ON. +# +# see host_verify_strict for details on the verification process. +#Default: +# client_dst_passthru on # SSL OPTIONS # ----------------------------------------------------------------------------- # TAG: ssl_unclean_shutdown # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Some browsers (especially MSIE) bugs out on SSL shutdown # messages. @@ -1430,7 +2123,7 @@ http_port 3128 # TAG: ssl_engine # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # The OpenSSL engine to use. You will need to set this if you # would like to use hardware SSL acceleration for example. @@ -1439,7 +2132,7 @@ http_port 3128 # TAG: sslproxy_client_certificate # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Client SSL Certificate to use when proxying https:// URLs #Default: @@ -1447,7 +2140,7 @@ http_port 3128 # TAG: sslproxy_client_key # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Client SSL Key to use when proxying https:// URLs #Default: @@ -1455,36 +2148,60 @@ http_port 3128 # TAG: sslproxy_version # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # SSL version level to use when proxying https:// URLs +# +# The versions of SSL/TLS supported: +# +# 1 automatic (default) +# 2 SSLv2 only +# 3 SSLv3 only +# 4 TLSv1.0 only +# 5 TLSv1.1 only +# 6 TLSv1.2 only #Default: -# sslproxy_version 1 +# automatic SSL/TLS version negotiation # TAG: sslproxy_options # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # -# SSL engine options to use when proxying https:// URLs +# Colon (:) or comma (,) separated list of SSL implementation options +# to use when proxying https:// URLs # # The most important being: # -# NO_SSLv2 Disallow the use of SSLv2 -# NO_SSLv3 Disallow the use of SSLv3 -# NO_TLSv1 Disallow the use of TLSv1 -# SINGLE_DH_USE -# Always create a new key when using -# temporary/ephemeral DH key exchanges +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# +# SINGLE_DH_USE +# Always create a new key when using temporary/ephemeral +# DH key exchanges +# +# NO_TICKET +# Disable use of RFC5077 session tickets. Some servers +# may have problems understanding the TLS extension due +# to ambiguous specification in RFC4507. +# +# ALL Enable various bug workarounds suggested as "harmless" +# by OpenSSL. Be warned that this may reduce SSL/TLS +# strength to some attacks. # -# These options vary depending on your SSL engine. # See the OpenSSL SSL_CTX_set_options documentation for a # complete list of possible options. +# +# WARNING: This directive takes a single token. If a space is used +# the value(s) after that space are SILENTLY IGNORED. #Default: # none # TAG: sslproxy_cipher # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # SSL cipher list to use when proxying https:// URLs # @@ -1494,7 +2211,7 @@ http_port 3128 # TAG: sslproxy_cafile # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # file containing CA certificates to use when verifying server # certificates while proxying https:// URLs @@ -1503,45 +2220,151 @@ http_port 3128 # TAG: sslproxy_capath # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # directory containing CA certificates to use when verifying # server certificates while proxying https:// URLs #Default: # none -# TAG: ssl_bump +# TAG: sslproxy_session_ttl +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the timeout value for SSL sessions +#Default: +# sslproxy_session_ttl 300 + +# TAG: sslproxy_session_cache_size +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the cache size to use for ssl session +#Default: +# sslproxy_session_cache_size 2 MB + +# TAG: sslproxy_foreign_intermediate_certs # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # -# This ACL controls which CONNECT requests to an http_port -# marked with an sslBump flag are actually "bumped". Please -# see the sslBump flag of an http_port option for more details -# about decoding proxied SSL connections. +# Many origin servers fail to send their full server certificate +# chain for verification, assuming the client already has or can +# easily locate any missing intermediate certificates. # -# By default, no requests are bumped. +# Squid uses the certificates from the specified file to fill in +# these missing chains when trying to validate origin server +# certificate chains. +# +# The file is expected to contain zero or more PEM-encoded +# intermediate certificates. These certificates are not treated +# as trusted root certificates, and any self-signed certificate in +# this file will be ignored. +#Default: +# none + +# TAG: sslproxy_cert_sign_hash +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the hashing algorithm to use when signing generated certificates. +# Valid algorithm names depend on the OpenSSL library used. The following +# names are usually available: sha1, sha256, sha512, and md5. Please see +# your OpenSSL library manual for the available hashes. By default, Squids +# that support this option use sha256 hashes. +# +# Squid does not forcefully purge cached certificates that were generated +# with an algorithm other than the currently configured one. They remain +# in the cache, subject to the regular cache eviction policy, and become +# useful if the algorithm changes again. +#Default: +# none + +# TAG: ssl_bump +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# This option is consulted when a CONNECT request is received on +# an http_port (or a new connection is intercepted at an +# https_port), provided that port was configured with an ssl-bump +# flag. The subsequent data on the connection is either treated as +# HTTPS and decrypted OR tunneled at TCP level without decryption, +# depending on the first matching bumping "action". +# +# ssl_bump [!]acl ... +# +# The following bumping actions are currently supported: +# +# splice +# Become a TCP tunnel without decrypting proxied traffic. +# This is the default action. +# +# bump +# Establish a secure connection with the server and, using a +# mimicked server certificate, with the client. +# +# peek +# Receive client (step SslBump1) or server (step SslBump2) +# certificate while preserving the possibility of splicing the +# connection. Peeking at the server certificate (during step 2) +# usually precludes bumping of the connection at step 3. +# +# stare +# Receive client (step SslBump1) or server (step SslBump2) +# certificate while preserving the possibility of bumping the +# connection. Staring at the server certificate (during step 2) +# usually precludes splicing of the connection at step 3. +# +# terminate +# Close client and server connections. +# +# Backward compatibility actions available at step SslBump1: +# +# client-first +# Bump the connection. Establish a secure connection with the +# client first, then connect to the server. This old mode does +# not allow Squid to mimic server SSL certificate and does not +# work with intercepted SSL connections. +# +# server-first +# Bump the connection. Establish a secure connection with the +# server first, then establish a secure connection with the +# client, using a mimicked server certificate. Works with both +# CONNECT requests and intercepted SSL connections, but does +# not allow to make decisions based on SSL handshake info. +# +# peek-and-splice +# Decide whether to bump or splice the connection based on +# client-to-squid and server-to-squid SSL hello messages. +# XXX: Remove. +# +# none +# Same as the "splice" action. +# +# All ssl_bump rules are evaluated at each of the supported bumping +# steps. Rules with actions that are impossible at the current step are +# ignored. The first matching ssl_bump action wins and is applied at the +# end of the current step. If no rules match, the splice action is used. +# See the at_step ACL for a list of the supported SslBump steps. # -# See also: http_port ssl-bump -# # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # +# See also: http_port ssl-bump, https_port ssl-bump, and acl at_step. +# # -# # Example: Bump all requests except those originating from localhost and -# # those going to webax.com or example.com sites. +# # Example: Bump all TLS connections except those originating from +# # localhost or those going to example.com. # -# acl localhost src 127.0.0.1/32 -# acl broken_sites dstdomain .webax.com -# acl broken_sites dstdomain .example.com -# ssl_bump deny localhost -# ssl_bump deny broken_sites -# ssl_bump allow all +# acl broken_sites ssl::server_name .example.com +# ssl_bump splice localhost +# ssl_bump splice broken_sites +# ssl_bump bump all #Default: -# none +# Become a TCP tunnel without decrypting proxied traffic. # TAG: sslproxy_flags # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Various flags modifying the use of SSL while proxying https:// URLs: # DONT_VERIFY_PEER Accept certificates that fail verification. @@ -1553,16 +2376,16 @@ http_port 3128 # TAG: sslproxy_cert_error # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Use this ACL to bypass server certificate validation errors. # # For example, the following lines will bypass all validation errors -# when talking to servers located at 172.16.0.0/16. All other +# when talking to servers for example.com. All other # validation errors will result in ERR_SECURE_CONNECT_FAIL error. # -# acl BrokenServersAtTrustedIP dst 172.16.0.0/16 -# sslproxy_cert_error allow BrokenServersAtTrustedIP +# acl BrokenButTrustedServers dstdomain example.com +# sslproxy_cert_error allow BrokenButTrustedServers # sslproxy_cert_error deny all # # This clause only supports fast acl types. @@ -1570,19 +2393,107 @@ http_port 3128 # Using slow acl types may result in server crashes # # Without this option, all server certificate validation errors -# terminate the transaction. Bypassing validation errors is dangerous -# because an error usually implies that the server cannot be trusted and -# the connection may be insecure. +# terminate the transaction to protect Squid and the client. +# +# SQUID_X509_V_ERR_INFINITE_VALIDATION error cannot be bypassed +# but should not happen unless your OpenSSL library is buggy. +# +# SECURITY WARNING: +# Bypassing validation errors is dangerous because an +# error usually implies that the server cannot be trusted +# and the connection may be insecure. # # See also: sslproxy_flags and DONT_VERIFY_PEER. +#Default: +# Server certificate errors terminate the transaction. + +# TAG: sslproxy_cert_sign +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# # -# Default setting: sslproxy_cert_error deny all +# sslproxy_cert_sign acl ... +# +# The following certificate signing algorithms are supported: +# +# signTrusted +# Sign using the configured CA certificate which is usually +# placed in and trusted by end-user browsers. This is the +# default for trusted origin server certificates. +# +# signUntrusted +# Sign to guarantee an X509_V_ERR_CERT_UNTRUSTED browser error. +# This is the default for untrusted origin server certificates +# that are not self-signed (see ssl::certUntrusted). +# +# signSelf +# Sign using a self-signed certificate with the right CN to +# generate a X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT error in the +# browser. This is the default for self-signed origin server +# certificates (see ssl::certSelfSigned). +# +# This clause only supports fast acl types. +# +# When sslproxy_cert_sign acl(s) match, Squid uses the corresponding +# signing algorithm to generate the certificate and ignores all +# subsequent sslproxy_cert_sign options (the first match wins). If no +# acl(s) match, the default signing algorithm is determined by errors +# detected when obtaining and validating the origin server certificate. +# +# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can +# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a +# CONNECT request that carries a domain name. In all other cases (CONNECT +# to an IP address or an intercepted SSL connection), Squid cannot detect +# the domain mismatch at certificate generation time when +# bump-server-first is used. +#Default: +# none + +# TAG: sslproxy_cert_adapt +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# +# sslproxy_cert_adapt acl ... +# +# The following certificate adaptation algorithms are supported: +# +# setValidAfter +# Sets the "Not After" property to the "Not After" property of +# the CA certificate used to sign generated certificates. +# +# setValidBefore +# Sets the "Not Before" property to the "Not Before" property of +# the CA certificate used to sign generated certificates. +# +# setCommonName or setCommonName{CN} +# Sets Subject.CN property to the host name specified as a +# CN parameter or, if no explicit CN parameter was specified, +# extracted from the CONNECT request. It is a misconfiguration +# to use setCommonName without an explicit parameter for +# intercepted or tproxied SSL connections. +# +# This clause only supports fast acl types. +# +# Squid first groups sslproxy_cert_adapt options by adaptation algorithm. +# Within a group, when sslproxy_cert_adapt acl(s) match, Squid uses the +# corresponding adaptation algorithm to generate the certificate and +# ignores all subsequent sslproxy_cert_adapt options in that algorithm's +# group (i.e., the first match wins within each algorithm group). If no +# acl(s) match, the default mimicking action takes place. +# +# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can +# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a +# CONNECT request that carries a domain name. In all other cases (CONNECT +# to an IP address or an intercepted SSL connection), Squid cannot detect +# the domain mismatch at certificate generation time when +# bump-server-first is used. #Default: # none # TAG: sslpassword_program # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Specify a program used for entering SSL key passphrases # when using encrypted SSL certificate keys. If not specified @@ -1595,12 +2506,12 @@ http_port 3128 #Default: # none -#OPTIONS RELATING TO EXTERNAL SSL_CRTD -#----------------------------------------------------------------------------- +# OPTIONS RELATING TO EXTERNAL SSL_CRTD +# ----------------------------------------------------------------------------- # TAG: sslcrtd_program # Note: This option is only available if Squid is rebuilt with the -# -DUSE_SSL_CRTD define +# --enable-ssl-crtd # # Specify the location and options of the executable for ssl_crtd process. # /usr/lib/squid/ssl_crtd program requires -s and -M parameters @@ -1611,14 +2522,90 @@ http_port 3128 # TAG: sslcrtd_children # Note: This option is only available if Squid is rebuilt with the -# -DUSE_SSL_CRTD define +# --enable-ssl-crtd # # The maximum number of processes spawn to service ssl server. # The maximum this may be safely set to is 32. # +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup=N +# +# Sets the minimum number of processes to spawn when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few children temporary slows Squid under load while it +# tries to spawn enough additional processes to cope with traffic. +# +# idle=N +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# # You must have at least one ssl_crtd process. #Default: -# sslcrtd_children 5 +# sslcrtd_children 32 startup=5 idle=1 + +# TAG: sslcrtvalidator_program +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Specify the location and options of the executable for ssl_crt_validator +# process. +# +# Usage: sslcrtvalidator_program [ttl=n] [cache=n] path ... +# +# Options: +# ttl=n TTL in seconds for cached results. The default is 60 secs +# cache=n limit the result cache size. The default value is 2048 +#Default: +# none + +# TAG: sslcrtvalidator_children +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# The maximum number of processes spawn to service SSL server. +# The maximum this may be safely set to is 32. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup=N +# +# Sets the minimum number of processes to spawn when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few children temporary slows Squid under load while it +# tries to spawn enough additional processes to cope with traffic. +# +# idle=N +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# +# The number of requests each certificate validator helper can handle in +# parallel. A value of 0 indicates the certficate validator does not +# support concurrency. Defaults to 1. +# +# When this directive is set to a value >= 1 then the protocol +# used to communicate with the helper is modified to include +# a request ID in front of the request/response. The request +# ID from the request must be echoed back with the response +# to that request. +# +# You must have at least one ssl_crt_validator process. +#Default: +# sslcrtvalidator_children 32 startup=5 idle=1 concurrency=1 # OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM # ----------------------------------------------------------------------------- @@ -1680,22 +2667,23 @@ http_port 3128 # # htcp Send HTCP, instead of ICP, queries to the neighbor. # You probably also want to set the "icp-port" to 4827 -# instead of 3130. +# instead of 3130. This directive accepts a comma separated +# list of options described below. # -# htcp-oldsquid Send HTCP to old Squid versions. +# htcp=oldsquid Send HTCP to old Squid versions (2.5 or earlier). # -# htcp-no-clr Send HTCP to the neighbor but without +# htcp=no-clr Send HTCP to the neighbor but without # sending any CLR requests. This cannot be used with -# htcp-only-clr. +# only-clr. # -# htcp-only-clr Send HTCP to the neighbor but ONLY CLR requests. -# This cannot be used with htcp-no-clr. +# htcp=only-clr Send HTCP to the neighbor but ONLY CLR requests. +# This cannot be used with no-clr. # -# htcp-no-purge-clr +# htcp=no-purge-clr # Send HTCP to the neighbor including CLRs but only when # they do not result from PURGE requests. # -# htcp-forward-clr +# htcp=forward-clr # Forward any HTCP CLR requests this proxy receives to the peer. # # @@ -1768,6 +2756,14 @@ http_port 3128 # than the Squid default location. # # +# ==== CARP OPTIONS ==== +# +# carp-key=key-specification +# use a different key than the full URL to hash against the peer. +# the key-specification is a comma-separated list of the keywords +# scheme, host, port, path, params +# Order is not important. +# # ==== ACCELERATOR / REVERSE-PROXY OPTIONS ==== # # originserver Causes this parent to be contacted as an origin server. @@ -1795,20 +2791,23 @@ http_port 3128 # Note: The string can include URL escapes (i.e. %20 for # spaces). This also means % must be written as %%. # -# login=PROXYPASS +# login=PASSTHRU # Send login details received from client to this peer. -# Authentication is not required, nor changed. +# Both Proxy- and WWW-Authorization headers are passed +# without alteration to the peer. +# Authentication is not required by Squid for this to work. # # Note: This will pass any form of authentication but # only Basic auth will work through a proxy unless the # connection-auth options are also used. -# +# # login=PASS Send login details received from client to this peer. # Authentication is not required by this option. +# # If there are no client-provided authentication headers # to pass on, but username and password are available -# from either proxy login or an external ACL user= and -# password= result tags they may be sent instead. +# from an external ACL user= and password= result tags +# they may be sent instead. # # Note: To combine this with proxy_auth both proxies must # share the same user database as HTTP only allows for @@ -1826,6 +2825,27 @@ http_port 3128 # be used to identify this proxy to the peer, similar to # the login=username:password option above. # +# login=NEGOTIATE +# If this is a personal/workgroup proxy and your parent +# requires a secure proxy authentication. +# The first principal from the default keytab or defined by +# the environment variable KRB5_KTNAME will be used. +# +# WARNING: The connection may transmit requests from multiple +# clients. Negotiate often assumes end-to-end authentication +# and a single-client. Which is not strictly true here. +# +# login=NEGOTIATE:principal_name +# If this is a personal/workgroup proxy and your parent +# requires a secure proxy authentication. +# The principal principal_name from the default keytab or +# defined by the environment variable KRB5_KTNAME will be +# used. +# +# WARNING: The connection may transmit requests from multiple +# clients. Negotiate often assumes end-to-end authentication +# and a single-client. Which is not strictly true here. +# # connection-auth=on|off # Tell Squid that this peer does or not support Microsoft # connection oriented authentication, and any such @@ -1848,22 +2868,42 @@ http_port 3128 # reference a combined file containing both the # certificate and the key. # -# sslversion=1|2|3|4 +# sslversion=1|2|3|4|5|6 # The SSL version to use when connecting to this peer # 1 = automatic (default) # 2 = SSL v2 only # 3 = SSL v3 only -# 4 = TLS v1 only +# 4 = TLS v1.0 only +# 5 = TLS v1.1 only +# 6 = TLS v1.2 only # # sslcipher=... The list of valid SSL ciphers to use when connecting # to this peer. # -# ssloptions=... Specify various SSL engine options: -# NO_SSLv2 Disallow the use of SSLv2 -# NO_SSLv3 Disallow the use of SSLv3 -# NO_TLSv1 Disallow the use of TLSv1 -# See src/ssl_support.c or the OpenSSL documentation for -# a more complete list. +# ssloptions=... Specify various SSL implementation options: +# +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# +# SINGLE_DH_USE +# Always create a new key when using +# temporary/ephemeral DH key exchanges +# +# NO_TICKET +# Disable use of RFC5077 session tickets. Some servers +# may have problems understanding the TLS extension due +# to ambiguous specification in RFC4507. +# +# ALL Enable various bug workarounds +# suggested as "harmless" by OpenSSL +# Be warned that this reduces SSL/TLS +# strength to some attacks. +# +# See the OpenSSL SSL_CTX_set_options documentation for a +# more complete list. # # sslcafile=... A file containing additional CA certificates to use # when verifying the peer certificate. @@ -1907,29 +2947,74 @@ http_port 3128 # # connect-fail-limit=N # How many times connecting to a peer must fail before -# it is marked as down. Default is 10. +# it is marked as down. Standby connection failures +# count towards this limit. Default is 10. # # allow-miss Disable Squid's use of only-if-cached when forwarding # requests to siblings. This is primarily useful when -# icp_hit_stale is used by the sibling. To extensive use -# of this option may result in forwarding loops, and you -# should avoid having two-way peerings with this option. -# For example to deny peer usage on requests from peer -# by denying cache_peer_access if the source is a peer. +# icp_hit_stale is used by the sibling. Excessive use +# of this option may result in forwarding loops. One way +# to prevent peering loops when using this option, is to +# deny cache peer usage on requests from a peer: +# acl fromPeer ... +# cache_peer_access peerName deny fromPeer +# +# max-conn=N Limit the number of concurrent connections the Squid +# may open to this peer, including already opened idle +# and standby connections. There is no peer-specific +# connection limit by default. # -# max-conn=N Limit the amount of connections Squid may open to this -# peer. see also +# A peer exceeding the limit is not used for new +# requests unless a standby connection is available. +# +# max-conn currently works poorly with idle persistent +# connections: When a peer reaches its max-conn limit, +# and there are idle persistent connections to the peer, +# the peer may not be selected because the limiting code +# does not know whether Squid can reuse those idle +# connections. +# +# standby=N Maintain a pool of N "hot standby" connections to an +# UP peer, available for requests when no idle +# persistent connection is available (or safe) to use. +# By default and with zero N, no such pool is maintained. +# N must not exceed the max-conn limit (if any). +# +# At start or after reconfiguration, Squid opens new TCP +# standby connections until there are N connections +# available and then replenishes the standby pool as +# opened connections are used up for requests. A used +# connection never goes back to the standby pool, but +# may go to the regular idle persistent connection pool +# shared by all peers and origin servers. +# +# Squid never opens multiple new standby connections +# concurrently. This one-at-a-time approach minimizes +# flooding-like effect on peers. Furthermore, just a few +# standby connections should be sufficient in most cases +# to supply most new requests with a ready-to-use +# connection. +# +# Standby connections obey server_idle_pconn_timeout. +# For the feature to work as intended, the peer must be +# configured to accept and keep them open longer than +# the idle timeout at the connecting Squid, to minimize +# race conditions typical to idle used persistent +# connections. Default request_timeout and +# server_idle_pconn_timeout values ensure such a +# configuration. # # name=xxx Unique name for the peer. # Required if you have multiple peers on the same host # but different ports. # This name can be used in cache_peer_access and similar -# directives to dentify the peer. +# directives to identify the peer. # Can be used by outgoing access controls through the # peername ACL type. # # no-tproxy Do not use the client-spoof TPROXY support when forwarding # requests to this peer. Use normal address selection instead. +# This overrides the spoof_client_ip ACL. # # proxy-only objects fetched from the peer will not be stored locally. # @@ -1938,10 +3023,11 @@ http_port 3128 # TAG: cache_peer_domain # Use to limit the domains for which a neighbor cache will be -# queried. Usage: +# queried. # -# cache_peer_domain cache-host domain [domain ...] -# cache_peer_domain cache-host !domain +# Usage: +# cache_peer_domain cache-host domain [domain ...] +# cache_peer_domain cache-host !domain # # For example, specifying # @@ -1966,33 +3052,57 @@ http_port 3128 # none # TAG: cache_peer_access -# Similar to 'cache_peer_domain' but provides more flexibility by -# using ACL elements. +# Restricts usage of cache_peer proxies. # -# cache_peer_access cache-host allow|deny [!]aclname ... +# Usage: +# cache_peer_access peer-name allow|deny [!]aclname ... +# +# For the required peer-name parameter, use either the value of the +# cache_peer name=value parameter or, if name=value is missing, the +# cache_peer hostname parameter. +# +# This directive narrows down the selection of peering candidates, but +# does not determine the order in which the selected candidates are +# contacted. That order is determined by the peer selection algorithms +# (see PEER SELECTION sections in the cache_peer documentation). +# +# If a deny rule matches, the corresponding peer will not be contacted +# for the current transaction -- Squid will not send ICP queries and +# will not forward HTTP requests to that peer. An allow match leaves +# the corresponding peer in the selection. The first match for a given +# peer wins for that peer. +# +# The relative order of cache_peer_access directives for the same peer +# matters. The relative order of any two cache_peer_access directives +# for different peers does not matter. To ease interpretation, it is a +# good idea to group cache_peer_access directives for the same peer +# together. +# +# A single cache_peer_access directive may be evaluated multiple times +# for a given transaction because individual peer selection algorithms +# may check it independently from each other. These redundant checks +# may be optimized away in future Squid versions. # -# The syntax is identical to 'http_access' and the other lists of -# ACL elements. See the comments for 'http_access' below, or -# the Squid FAQ (http://wiki.squid-cache.org/SquidFaq/SquidAcl). +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# No peer usage restrictions. # TAG: neighbor_type_domain -# usage: neighbor_type_domain neighbor parent|sibling domain domain ... +# Modify the cache_peer neighbor type when passing requests +# about specific domains to the peer. # -# Modifying the neighbor type for specific domains is now -# possible. You can treat some domains differently than the the -# default neighbor type specified on the 'cache_peer' line. -# Normally it should only be necessary to list domains which -# should be treated differently because the default neighbor type -# applies for hostnames which do not match domains listed here. +# Usage: +# neighbor_type_domain neighbor parent|sibling domain domain ... # -#EXAMPLE: -# cache_peer cache.foo.org parent 3128 3130 -# neighbor_type_domain cache.foo.org sibling .com .net -# neighbor_type_domain cache.foo.org sibling .au .de +# For example: +# cache_peer foo.example.com parent 3128 3130 +# neighbor_type_domain foo.example.com sibling .au .de +# +# The above configuration treats all requests to foo.example.com as a +# parent proxy unless the request is for a .au or .de ccTLD domain name. #Default: -# none +# The peer type from cache_peer directive is used for all requests to that peer. # TAG: dead_peer_timeout (seconds) # This controls how long Squid waits to declare a peer cache @@ -2015,21 +3125,11 @@ http_port 3128 # TAG: forward_max_tries # Controls how many different forward paths Squid will try # before giving up. See also forward_timeout. +# +# NOTE: connect_retries (default: none) can make each of these +# possible forwarding paths be tried multiple times. #Default: -# forward_max_tries 10 - -# TAG: hierarchy_stoplist -# A list of words which, if found in a URL, cause the object to -# be handled directly by this cache. In other words, use this -# to not query neighbor caches for certain objects. You may -# list this option multiple times. -# -# Example: -# hierarchy_stoplist cgi-bin ? -# -# Note: never_direct overrides this option. -#Default: -# none +# forward_max_tries 25 # MEMORY CACHE OPTIONS # ----------------------------------------------------------------------------- @@ -2064,6 +3164,11 @@ http_port 3128 # decreases, blocks will be freed until the high-water mark is # reached. Thereafter, blocks will be used to store hot # objects. +# +# If shared memory caching is enabled, Squid does not use the shared +# cache space for in-transit objects, but they still consume as much +# local memory as they need. For more details about the shared memory +# cache, see memory_cache_shared. #Default: # cache_mem 256 MB @@ -2075,11 +3180,45 @@ http_port 3128 #Default: # maximum_object_size_in_memory 512 KB +# TAG: memory_cache_shared on|off +# Controls whether the memory cache is shared among SMP workers. +# +# The shared memory cache is meant to occupy cache_mem bytes and replace +# the non-shared memory cache, although some entities may still be +# cached locally by workers for now (e.g., internal and in-transit +# objects may be served from a local memory cache even if shared memory +# caching is enabled). +# +# By default, the memory cache is shared if and only if all of the +# following conditions are satisfied: Squid runs in SMP mode with +# multiple workers, cache_mem is positive, and Squid environment +# supports required IPC primitives (e.g., POSIX shared memory segments +# and GCC-style atomic operations). +# +# To avoid blocking locks, shared memory uses opportunistic algorithms +# that do not guarantee that every cachable entity that could have been +# shared among SMP workers will actually be shared. +#Default: +# "on" where supported if doing memory caching with multiple SMP workers. + +# TAG: memory_cache_mode +# Controls which objects to keep in the memory cache (cache_mem) +# +# always Keep most recently fetched objects in memory (default) +# +# disk Only disk cache hits are kept in memory, which means +# an object must first be cached on disk and then hit +# a second time before cached in memory. +# +# network Only objects fetched from network is kept in memory +#Default: +# Keep the most recently fetched objects in memory + # TAG: memory_replacement_policy # The memory replacement policy parameter determines which # objects are purged from memory when memory space is needed. # -# See cache_replacement_policy for details. +# See cache_replacement_policy for details on algorithms. #Default: # memory_replacement_policy lru @@ -2095,7 +3234,7 @@ http_port 3128 # heap LFUDA: Least Frequently Used with Dynamic Aging # heap LRU : LRU policy implemented using a heap # -# Applies to any cache_dir lines listed below this. +# Applies to any cache_dir lines listed below this directive. # # The LRU policies keeps recently referenced objects. # @@ -2114,7 +3253,7 @@ http_port 3128 # replacement policies. # # NOTE: if using the LFUDA replacement policy you should increase -# the value of maximum_object_size above its default of 4096 KB to +# the value of maximum_object_size above its default of 4 MB to # to maximize the potential byte hit rate improvement of LFUDA. # # For more information about the GDSF and LFUDA cache replacement @@ -2123,10 +3262,34 @@ http_port 3128 #Default: # cache_replacement_policy lru +# TAG: minimum_object_size (bytes) +# Objects smaller than this size will NOT be saved on disk. The +# value is specified in bytes, and the default is 0 KB, which +# means all responses can be stored. +#Default: +# no limit + +# TAG: maximum_object_size (bytes) +# Set the default value for max-size parameter on any cache_dir. +# The value is specified in bytes, and the default is 4 MB. +# +# If you wish to get a high BYTES hit ratio, you should probably +# increase this (one 32 MB object hit counts for 3200 10KB +# hits). +# +# If you wish to increase hit ratio more than you want to +# save bandwidth you should leave this low. +# +# NOTE: if using the LFUDA replacement policy you should increase +# this value to maximize the byte hit rate improvement of LFUDA! +# See cache_replacement_policy for a discussion of this policy. +#Default: +# maximum_object_size 4 MB +maximum_object_size 153600 KB + # TAG: cache_dir -# Usage: -# -# cache_dir Type Directory-Name Fs-specific-data [options] +# Format: +# cache_dir Type Directory-Name Fs-specific-data [options] # # You can specify multiple cache_dir lines to spread the # cache among different disk partitions. @@ -2141,12 +3304,18 @@ http_port 3128 # The directory must exist and be writable by the Squid # process. Squid will NOT create this directory for you. # -# The ufs store type: +# In SMP configurations, cache_dir must not precede the workers option +# and should use configuration macros or conditionals to give each +# worker interested in disk caching a dedicated cache directory. +# +# +# ==== The ufs store type ==== # # "ufs" is the old well-known Squid storage format that has always # been there. # -# cache_dir ufs Directory-Name Mbytes L1 L2 [options] +# Usage: +# cache_dir ufs Directory-Name Mbytes L1 L2 [options] # # 'Mbytes' is the amount of disk space (MB) to use under this # directory. The default is 100 MB. Change this to suit your @@ -2161,23 +3330,27 @@ http_port 3128 # will be created under each first-level directory. The default # is 256. # -# The aufs store type: +# +# ==== The aufs store type ==== # # "aufs" uses the same storage format as "ufs", utilizing # POSIX-threads to avoid blocking the main Squid process on # disk-I/O. This was formerly known in Squid as async-io. # -# cache_dir aufs Directory-Name Mbytes L1 L2 [options] +# Usage: +# cache_dir aufs Directory-Name Mbytes L1 L2 [options] # # see argument descriptions under ufs above # -# The diskd store type: +# +# ==== The diskd store type ==== # # "diskd" uses the same storage format as "ufs", utilizing a # separate process to avoid blocking the main Squid process on # disk-I/O. # -# cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n] +# Usage: +# cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n] # # see argument descriptions under ufs above # @@ -2185,55 +3358,149 @@ http_port 3128 # stops opening new files. If this many messages are in the queues, # Squid won't open new files. Default is 64 # -# Q2 specifies the number of unacknowledged messages when Squid -# starts blocking. If this many messages are in the queues, -# Squid blocks until it receives some replies. Default is 72 +# Q2 specifies the number of unacknowledged messages when Squid +# starts blocking. If this many messages are in the queues, +# Squid blocks until it receives some replies. Default is 72 +# +# When Q1 < Q2 (the default), the cache directory is optimized +# for lower response time at the expense of a decrease in hit +# ratio. If Q1 > Q2, the cache directory is optimized for +# higher hit ratio at the expense of an increase in response +# time. +# +# +# ==== The rock store type ==== +# +# Usage: +# cache_dir rock Directory-Name Mbytes [options] +# +# The Rock Store type is a database-style storage. All cached +# entries are stored in a "database" file, using fixed-size slots. +# A single entry occupies one or more slots. +# +# If possible, Squid using Rock Store creates a dedicated kid +# process called "disker" to avoid blocking Squid worker(s) on disk +# I/O. One disker kid is created for each rock cache_dir. Diskers +# are created only when Squid, running in daemon mode, has support +# for the IpcIo disk I/O module. +# +# swap-timeout=msec: Squid will not start writing a miss to or +# reading a hit from disk if it estimates that the swap operation +# will take more than the specified number of milliseconds. By +# default and when set to zero, disables the disk I/O time limit +# enforcement. Ignored when using blocking I/O module because +# blocking synchronous I/O does not allow Squid to estimate the +# expected swap wait time. +# +# max-swap-rate=swaps/sec: Artificially limits disk access using +# the specified I/O rate limit. Swap out requests that +# would cause the average I/O rate to exceed the limit are +# delayed. Individual swap in requests (i.e., hits or reads) are +# not delayed, but they do contribute to measured swap rate and +# since they are placed in the same FIFO queue as swap out +# requests, they may wait longer if max-swap-rate is smaller. +# This is necessary on file systems that buffer "too +# many" writes and then start blocking Squid and other processes +# while committing those writes to disk. Usually used together +# with swap-timeout to avoid excessive delays and queue overflows +# when disk demand exceeds available disk "bandwidth". By default +# and when set to zero, disables the disk I/O rate limit +# enforcement. Currently supported by IpcIo module only. +# +# slot-size=bytes: The size of a database "record" used for +# storing cached responses. A cached response occupies at least +# one slot and all database I/O is done using individual slots so +# increasing this parameter leads to more disk space waste while +# decreasing it leads to more disk I/O overheads. Should be a +# multiple of your operating system I/O page size. Defaults to +# 16KBytes. A housekeeping header is stored with each slot and +# smaller slot-sizes will be rejected. The header is smaller than +# 100 bytes. +# +# +# ==== COMMON OPTIONS ==== +# +# no-store no new objects should be stored to this cache_dir. +# +# min-size=n the minimum object size in bytes this cache_dir +# will accept. It's used to restrict a cache_dir +# to only store large objects (e.g. AUFS) while +# other stores are optimized for smaller objects +# (e.g. Rock). +# Defaults to 0. +# +# max-size=n the maximum object size in bytes this cache_dir +# supports. +# The value in maximum_object_size directive sets +# the default unless more specific details are +# available (ie a small store capacity). +# +# Note: To make optimal use of the max-size limits you should order +# the cache_dir lines with the smallest max-size value first. +# +#Default: +# No disk cache. Store cache ojects only in memory. +# + +# Uncomment and adjust the following to add a disk cache directory. +#cache_dir ufs /var/spool/squid 100 16 256 +cache_dir ufs /var/spool/squid 4096 16 1024 + +# TAG: store_dir_select_algorithm +# How Squid selects which cache_dir to use when the response +# object will fit into more than one. +# +# Regardless of which algorithm is used the cache_dir min-size +# and max-size parameters are obeyed. As such they can affect +# the selection algorithm by limiting the set of considered +# cache_dir. +# +# Algorithms: +# +# least-load +# +# This algorithm is suited to caches with similar cache_dir +# sizes and disk speeds. # -# When Q1 < Q2 (the default), the cache directory is optimized -# for lower response time at the expense of a decrease in hit -# ratio. If Q1 > Q2, the cache directory is optimized for -# higher hit ratio at the expense of an increase in response -# time. +# The disk with the least I/O pending is selected. +# When there are multiple disks with the same I/O load ranking +# the cache_dir with most available capacity is selected. # -# The coss store type: +# When a mix of cache_dir sizes are configured the faster disks +# have a naturally lower I/O loading and larger disks have more +# capacity. So space used to store objects and data throughput +# may be very unbalanced towards larger disks. # -# NP: COSS filesystem in Squid-3 has been deemed too unstable for -# production use and has thus been removed from this release. -# We hope that it can be made usable again soon. # -# block-size=n defines the "block size" for COSS cache_dir's. -# Squid uses file numbers as block numbers. Since file numbers -# are limited to 24 bits, the block size determines the maximum -# size of the COSS partition. The default is 512 bytes, which -# leads to a maximum cache_dir size of 512<<24, or 8 GB. Note -# you should not change the coss block size after Squid -# has written some objects to the cache_dir. +# round-robin # -# The coss file store has changed from 2.5. Now it uses a file -# called 'stripe' in the directory names in the config - and -# this will be created by squid -z. +# This algorithm is suited to caches with unequal cache_dir +# disk sizes. # -# Common options: +# Each cache_dir is selected in a rotation. The next suitable +# cache_dir is used. # -# no-store, no new objects should be stored to this cache_dir +# Available cache_dir capacity is only considered in relation +# to whether the object will fit and meets the min-size and +# max-size parameters. # -# max-size=n, refers to the max object size in bytes this cache_dir -# supports. It is used to select the cache_dir to store the object. -# Note: To make optimal use of the max-size limits you should order -# the cache_dir lines with the smallest max-size value first and the -# ones with no max-size specification last. +# Disk I/O loading is only considered to prevent overload on slow +# disks. This algorithm does not spread objects by size, so any +# I/O loading per-disk may appear very unbalanced and volatile. # -# Note for coss, max-size must be less than COSS_MEMBUF_SZ, -# which can be changed with the --with-coss-membuf-size=N configure -# option. +# If several cache_dirs use similar min-size, max-size, or other +# limits to to reject certain responses, then do not group such +# cache_dir lines together, to avoid round-robin selection bias +# towards the first cache_dir after the group. Instead, interleave +# cache_dir lines from different groups. For example: # - -# Uncomment and adjust the following to add a disk cache directory. -#cache_dir ufs /var/spool/squid 100 16 256 -cache_dir ufs /var/spool/squid 4096 16 1024 - -# TAG: store_dir_select_algorithm -# Set this to 'round-robin' as an alternative. +# store_dir_select_algorithm round-robin +# cache_dir rock /hdd1 ... min-size=100000 +# cache_dir rock /ssd1 ... max-size=99999 +# cache_dir rock /hdd2 ... min-size=100000 +# cache_dir rock /ssd2 ... max-size=99999 +# cache_dir rock /hdd3 ... min-size=100000 +# cache_dir rock /ssd3 ... max-size=99999 #Default: # store_dir_select_algorithm least-load @@ -2244,46 +3511,53 @@ cache_dir ufs /var/spool/squid 4096 16 1024 # # A value of 0 indicates no limit. #Default: -# max_open_disk_fds 0 - -# TAG: minimum_object_size (bytes) -# Objects smaller than this size will NOT be saved on disk. The -# value is specified in kilobytes, and the default is 0 KB, which -# means there is no minimum. -#Default: -# minimum_object_size 0 KB - -# TAG: maximum_object_size (bytes) -# Objects larger than this size will NOT be saved on disk. The -# value is specified in kilobytes, and the default is 4MB. If -# you wish to get a high BYTES hit ratio, you should probably -# increase this (one 32 MB object hit counts for 3200 10KB -# hits). If you wish to increase speed more than your want to -# save bandwidth you should leave this low. -# -# NOTE: if using the LFUDA replacement policy you should increase -# this value to maximize the byte hit rate improvement of LFUDA! -# See replacement_policy below for a discussion of this policy. -#Default: -# maximum_object_size 4096 KB -maximum_object_size 153600 KB +# no limit # TAG: cache_swap_low (percent, 0-100) +# The low-water mark for AUFS/UFS/diskd cache object eviction by +# the cache_replacement_policy algorithm. +# +# Removal begins when the swap (disk) usage of a cache_dir is +# above this low-water mark and attempts to maintain utilization +# near the low-water mark. +# +# As swap utilization increases towards the high-water mark set +# by cache_swap_high object eviction becomes more agressive. +# +# The value difference in percentages between low- and high-water +# marks represent an eviction rate of 300 objects per second and +# the rate continues to scale in agressiveness by multiples of +# this above the high-water mark. +# +# Defaults are 90% and 95%. If you have a large cache, 5% could be +# hundreds of MB. If this is the case you may wish to set these +# numbers closer together. +# +# See also cache_swap_high and cache_replacement_policy #Default: # cache_swap_low 90 # TAG: cache_swap_high (percent, 0-100) +# The high-water mark for AUFS/UFS/diskd cache object eviction by +# the cache_replacement_policy algorithm. # -# The low- and high-water marks for cache object replacement. -# Replacement begins when the swap (disk) usage is above the -# low-water mark and attempts to maintain utilization near the -# low-water mark. As swap utilization gets close to high-water -# mark object eviction becomes more aggressive. If utilization is -# close to the low-water mark less replacement is done each time. +# Removal begins when the swap (disk) usage of a cache_dir is +# above the low-water mark set by cache_swap_low and attempts to +# maintain utilization near the low-water mark. +# +# As swap utilization increases towards this high-water mark object +# eviction becomes more agressive. +# +# The value difference in percentages between low- and high-water +# marks represent an eviction rate of 300 objects per second and +# the rate continues to scale in agressiveness by multiples of +# this above the high-water mark. # # Defaults are 90% and 95%. If you have a large cache, 5% could be # hundreds of MB. If this is the case you may wish to set these # numbers closer together. +# +# See also cache_swap_low and cache_replacement_policy #Default: # cache_swap_high 95 @@ -2313,21 +3587,62 @@ maximum_object_size 153600 KB # ' output as-is # # - left aligned -# width field width. If starting with 0 the -# output is zero padded +# +# width minimum and/or maximum field width: +# [width_min][.width_max] +# When minimum starts with 0, the field is zero-padded. +# String values exceeding maximum width are truncated. +# # {arg} argument such as header name etc # # Format codes: # # % a literal % character +# sn Unique sequence number per log line entry +# err_code The ID of an error response served by Squid or +# a similar internal error identifier. +# err_detail Additional err_code-dependent error information. +# note The annotation specified by the argument. Also +# logs the adaptation meta headers set by the +# adaptation_meta configuration parameter. +# If no argument given all annotations logged. +# The argument may include a separator to use with +# annotation values: +# name[:separator] +# By default, multiple note values are separated with "," +# and multiple notes are separated with "\r\n". +# When logging named notes with %{name}note, the +# explicitly configured separator is used between note +# values. When logging all notes with %note, the +# explicitly configured separator is used between +# individual notes. There is currently no way to +# specify both value and notes separators when logging +# all notes with %note. +# +# Connection related format codes: +# # >a Client source IP address # >A Client FQDN # >p Client source port -# eui Client source EUI (MAC address, EUI-48 or EUI-64 identifier) +# >la Local IP address the client connected to +# >lp Local port number the client connected to +# >qos Client connection TOS/DSCP value set by Squid +# >nfmark Client connection netfilter mark set by Squid +# +# la Local listening IP address the client connection was connected to. +# lp Local listening port number the client connection was connected to. +# +# . format. +# Currently, Squid considers the master transaction +# started when a complete HTTP request header initiating +# the transaction is received from the client. This is +# the same value that Squid uses to calculate transaction +# response time when logging %tr to access.log. Currently, +# Squid uses millisecond resolution for %tS values, +# similar to the default access.log "current time" field +# (%ts.%03tu). +# +# Access Control related format codes: +# +# et Tag returned by external acl +# ea Log string returned by external acl +# un User name (any available) +# ul User name from authentication +# ue User name from external acl helper +# ui User name from ident +# un A user name. Expands to the first available name +# from the following list of information sources: +# - authenticated user name, like %ul +# - user name supplied by an external ACL, like %ue +# - SSL client name, like %us +# - ident user name, like %ui +# credentials Client credentials. The exact meaning depends on +# the authentication scheme: For Basic authentication, +# it is the password; for Digest, the realm sent by the +# client; for NTLM and Negotiate, the client challenge +# or client credentials prefixed with "YR " or "KK ". +# +# HTTP related format codes: +# +# REQUEST # -# HTTP cache related format codes: -# -# [http::]>h Original request header. Optional header name argument -# on the format header[:[separator]element] -# [http::]>ha The HTTP request headers after adaptation and redirection. +# [http::]rm Request method (GET/POST etc) +# [http::]>rm Request method from client +# [http::]ru Request URL from client +# [http::]rs Request URL scheme from client +# [http::]rd Request URL domain from client +# [http::]rP Request URL port from client +# [http::]rp Request URL path excluding hostname from client +# [http::]rv Request protocol version from client +# [http::]h Original received request header. +# Usually differs from the request header sent by +# Squid, although most fields are often preserved. +# Accepts optional header field name/value filter +# argument using name[:[separator]element] format. +# [http::]>ha Received request header after adaptation and +# redirection (pre-cache REQMOD vectoring point). +# Usually differs from the request header sent by +# Squid, although most fields are often preserved. # Optional header name argument as for >h +# +# +# RESPONSE +# +# [http::]Hs HTTP status code sent to the client +# # [http::]h -# [http::]un User name -# [http::]ul User name from authentication -# [http::]ui User name from ident -# [http::]us User name from SSL -# [http::]ue User name from external acl helper -# [http::]>Hs HTTP status code sent to the client -# [http::]st Received request size including HTTP headers. In the -# case of chunked requests the chunked encoding metadata -# are not included -# [http::]>sh Received HTTP request headers size -# [http::]st Total size of request received from client. +# Excluding chunked encoding bytes. +# [http::]sh Size of request headers received from client +# [http::]sni SSL client SNI sent to Squid. Available only +# after the peek, stare, or splice SSL bumping +# actions. +# +# If ICAP is enabled, the following code becomes available (as # well as ICAP log codes documented with the icap_log option): # # icap::tt Total ICAP processing time for the HTTP @@ -2386,14 +3793,13 @@ maximum_object_size 153600 KB # ACLs are checked and when ICAP # transaction is in progress. # -# icap::cert_subject The Subject field of the received client +# SSL certificate or a dash ('-') if Squid has +# received an invalid/malformed certificate or +# no certificate at all. Consider encoding the +# logged value because Subject often has spaces. +# +# %ssl::>cert_issuer The Issuer field of the received client +# SSL certificate or a dash ('-') if Squid has +# received an invalid/malformed certificate or +# no certificate at all. Consider encoding the +# logged value because Issuer often has spaces. +# # The default formats available (which do not need re-defining) are: # -#logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %a %Ss/%03>Hs %h] [%a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh +#logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh +#logformat referrer %ts.%03tu %>a %{Referer}>h %ru +#logformat useragent %>a [%tl] "%{User-Agent}>h" +# +# NOTE: When the log_mime_hdrs directive is set to ON. +# The squid, common and combined formats have a safely encoded copy +# of the mime headers appended to each line within a pair of brackets. +# +# NOTE: The common and combined formats are not quite true to the Apache definition. +# The logs from Squid contain an extra status and hierarchy code appended. +# #Default: -# none +# The format definitions squid, common, combined, referrer, useragent are built in. # TAG: access_log -# These files log client request activities. Has a line every HTTP or -# ICP request. The format is: -# access_log [ [acl acl ...]] -# access_log none [acl acl ...]] +# Configures whether and how Squid logs HTTP and ICP transactions. +# If access logging is enabled, a single line is logged for every +# matching HTTP or ICP request. The recommended directive formats are: # -# Will log to the specified file using the specified format (which -# must be defined in a logformat directive) those entries which match -# ALL the acl's specified (which must be defined in acl clauses). +# access_log : [option ...] [acl acl ...] +# access_log none [acl acl ...] # -# If no acl is specified, all requests will be logged to this file. +# The following directive format is accepted but may be deprecated: +# access_log : [ [acl acl ...]] # -# To disable logging of a request use the filepath "none", in which case -# a logformat name should not be specified. +# In most cases, the first ACL name must not contain the '=' character +# and should not be equal to an existing logformat name. You can always +# start with an 'all' ACL to work around those restrictions. +# +# Will log to the specified module:place using the specified format (which +# must be defined in a logformat directive) those entries which match +# ALL the acl's specified (which must be defined in acl clauses). +# If no acl is specified, all requests will be logged to this destination. +# +# ===== Available options for the recommended directive format ===== +# +# logformat=name Names log line format (either built-in or +# defined by a logformat directive). Defaults +# to 'squid'. +# +# buffer-size=64KB Defines approximate buffering limit for log +# records (see buffered_logs). Squid should not +# keep more than the specified size and, hence, +# should flush records before the buffer becomes +# full to avoid overflows under normal +# conditions (the exact flushing algorithm is +# module-dependent though). The on-error option +# controls overflow handling. +# +# on-error=die|drop Defines action on unrecoverable errors. The +# 'drop' action ignores (i.e., does not log) +# affected log records. The default 'die' action +# kills the affected worker. The drop action +# support has not been tested for modules other +# than tcp. +# +# ===== Modules Currently available ===== +# +# none Do not log any requests matching these ACL. +# Do not specify Place or logformat name. +# +# stdio Write each log line to disk immediately at the completion of +# each request. +# Place: the filename and path to be written. +# +# daemon Very similar to stdio. But instead of writing to disk the log +# line is passed to a daemon helper for asychronous handling instead. +# Place: varies depending on the daemon. +# +# log_file_daemon Place: the file name and path to be written. +# +# syslog To log each request via syslog facility. +# Place: The syslog facility and priority level for these entries. +# Place Format: facility.priority # -# To log the request via syslog specify a filepath of "syslog": +# where facility could be any of: +# authpriv, daemon, local0 ... local7 or user. # -# access_log syslog[:facility.priority] [format [acl1 [acl2 ....]]] -# where facility could be any of: -# authpriv, daemon, local0 .. local7 or user. +# And priority could be any of: +# err, warning, notice, info, debug. +# +# udp To send each log line as text data to a UDP receiver. +# Place: The destination host name or IP and port. +# Place Format: //host:port # -# And priority could be any of: -# err, warning, notice, info, debug. +# tcp To send each log line as text data to a TCP receiver. +# Lines may be accumulated before sending (see buffered_logs). +# Place: The destination host name or IP and port. +# Place Format: //host:port # # Default: -# access_log /var/log/squid/access.log squid +# access_log daemon:/var/log/squid/access.log squid #Default: -# access_log /var/log/squid/access.log squid +# access_log daemon:/var/log/squid/access.log squid # TAG: icap_log # ICAP log files record ICAP transaction summaries, one line per @@ -2472,13 +3953,35 @@ maximum_object_size 153600 KB # ICAP transaction log lines will correspond to a single access # log line. # -# ICAP log uses logformat codes that make sense for an ICAP -# transaction. Header-related codes are applied to the HTTP header -# embedded in an ICAP server response, with the following caveats: -# For REQMOD, there is no HTTP response header unless the ICAP -# server performed request satisfaction. For RESPMOD, the HTTP -# request header is the header sent to the ICAP server. For -# OPTIONS, there are no HTTP headers. +# ICAP log supports many access.log logformat %codes. In ICAP context, +# HTTP message-related %codes are applied to the HTTP message embedded +# in an ICAP message. Logformat "%http::>..." codes are used for HTTP +# messages embedded in ICAP requests while "%http::<..." codes are used +# for HTTP messages embedded in ICAP responses. For example: +# +# http::>h To-be-adapted HTTP message headers sent by Squid to +# the ICAP service. For REQMOD transactions, these are +# HTTP request headers. For RESPMOD, these are HTTP +# response headers, but Squid currently cannot log them +# (i.e., %http::>h will expand to "-" for RESPMOD). +# +# http::st Bytes sent to the ICAP server (TCP payload -# only; i.e., what Squid writes to the socket). +# icap::>st The total size of the ICAP request sent to the ICAP +# server (ICAP headers + ICAP body), including chunking +# metadata (if any). # -# icap::a %icap::to/%03icap::Hs %icap::A %icap::to/%03icap::Hs %icap::\n - logfile data +# R\n - rotate file +# T\n - truncate file +# O\n - reopen file +# F\n - flush file +# r\n - set rotate count to +# b\n - 1 = buffer output, 0 = don't buffer output +# +# No responses is expected. #Default: -# none +# logfile_daemon /usr/lib/squid/log_file_daemon -# TAG: log_icap -# This options allows you to control which requests get logged -# to icap.log. See the icap_log directive for ICAP log details. +# TAG: stats_collection allow|deny acl acl... +# This options allows you to control which requests gets accounted +# in performance counters. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow logging for all transactions. # TAG: cache_store_log # Logs the activities of the storage manager. Shows which # objects are ejected from the cache, and which objects are -# saved and for how long. To disable, enter "none" or remove the line. +# saved and for how long. # There are not really utilities to analyze this data, so you can safely -# disable it. -# +# disable it (the default). +# +# Store log uses modular logging outputs. See access_log for the list +# of modules supported. +# # Example: -# cache_store_log /var/log/squid/store.log +# cache_store_log stdio:/var/log/squid/store.log +# cache_store_log daemon:/var/log/squid/store.log #Default: # none @@ -2590,7 +4111,7 @@ maximum_object_size 153600 KB # them). We recommend you do NOT use this option. It is # better to keep these index files in each 'cache_dir' directory. #Default: -# none +# Store the journal inside its cache_dir # TAG: logfile_rotate # Specifies the number of logfile rotations to make when you @@ -2607,34 +4128,19 @@ maximum_object_size 153600 KB # in the habit of using 'squid -k rotate' instead of 'kill -USR1 # '. # -# Note, from Squid-3.1 this option has no effect on the cache.log, -# that log can be rotated separately by using debug_options +# Note, from Squid-3.1 this option is only a default for cache.log, +# that log can be rotated separately by using debug_options. # -# Note2, for Debian/Linux the default of logfile_rotate is -# zero, since it includes external logfile-rotation methods. +# Note2, for Debian/Linux the default of logfile_rotate is +# zero, since it includes external logfile-rotation methods. #Default: # logfile_rotate 0 -# TAG: emulate_httpd_log on|off -# The Cache can emulate the log file format which many 'httpd' -# programs use. To disable/enable this emulation, set -# emulate_httpd_log to 'off' or 'on'. The default -# is to use the native log format since it includes useful -# information Squid-specific log analyzers use. -#Default: -# emulate_httpd_log off - -# TAG: log_ip_on_direct on|off -# Log the destination IP address in the hierarchy log tag when going -# direct. Earlier Squid versions logged the hostname here. If you -# prefer the old way set this to off. -#Default: -# log_ip_on_direct on - # TAG: mime_table -# Pathname to Squid's MIME table. You shouldn't need to change -# this, but the default file contains examples and formatting -# information if you do. +# Path to Squid's icon configuration file. +# +# You shouldn't need to change this, but the default file contains +# examples and formatting information if you do. #Default: # mime_table /usr/share/squid/mime.conf @@ -2647,91 +4153,61 @@ maximum_object_size 153600 KB #Default: # log_mime_hdrs off -# TAG: useragent_log -# Note: This option is only available if Squid is rebuilt with the -# --enable-useragent-log option -# -# Squid will write the User-Agent field from HTTP requests -# to the filename specified here. By default useragent_log -# is disabled. -#Default: -# none - -# TAG: referer_log -# Note: This option is only available if Squid is rebuilt with the -# --enable-referer-log option -# -# Squid will write the Referer field from HTTP requests to the -# filename specified here. By default referer_log is disabled. -# Note that "referer" is actually a misspelling of "referrer" -# however the misspelt version has been accepted into the HTTP RFCs -# and we accept both. -#Default: -# none - # TAG: pid_filename # A filename to write the process-id to. To disable, enter "none". #Default: # pid_filename /var/run/squid.pid -# TAG: log_fqdn on|off -# Turn this on if you wish to log fully qualified domain names -# in the access.log. To do this Squid does a DNS lookup of all -# IP's connecting to it. This can (in some situations) increase -# latency, which makes your cache seem slower for interactive -# browsing. -#Default: -# log_fqdn off - # TAG: client_netmask # A netmask for client addresses in logfiles and cachemgr output. # Change this to protect the privacy of your cache clients. # A netmask of 255.255.255.0 will log all IP's in that range with # the last digit set to '0'. #Default: -# client_netmask no_addr - -# TAG: forward_log -# Note: This option is only available if Squid is rebuilt with the -# -DWIP_FWD_LOG define -# -# Logs the server-side requests. -# -# This is currently work in progress. -#Default: -# none +# Log full client IP address # TAG: strip_query_terms # By default, Squid strips query terms from requested URLs before -# logging. This protects your user's privacy. +# logging. This protects your user's privacy and reduces log size. +# +# When investigating HIT/MISS or other caching behaviour you +# will need to disable this to see the full URL used by Squid. #Default: # strip_query_terms on # TAG: buffered_logs on|off -# cache.log log file is written with stdio functions, and as such -# it can be buffered or unbuffered. By default it will be unbuffered. -# Buffering it can speed up the writing slightly (though you are -# unlikely to need to worry unless you run with tons of debugging -# enabled in which case performance will suffer badly anyway..). +# Whether to write/send access_log records ASAP or accumulate them and +# then write/send them in larger chunks. Buffering may improve +# performance because it decreases the number of I/Os. However, +# buffering increases the delay before log records become available to +# the final recipient (e.g., a disk file or logging daemon) and, +# hence, increases the risk of log records loss. +# +# Note that even when buffered_logs are off, Squid may have to buffer +# records if it cannot write/send them immediately due to pending I/Os +# (e.g., the I/O writing the previous log record) or connectivity loss. +# +# Currently honored by 'daemon' and 'tcp' access_log modules only. #Default: # buffered_logs off # TAG: netdb_filename -# Note: This option is only available if Squid is rebuilt with the -# --enable-icmp option +# Where Squid stores it's netdb journal. +# When enabled this journal preserves netdb state between restarts. # -# A filename where Squid stores it's netdb state between restarts. # To disable, enter "none". #Default: -# netdb_filename /var/log/squid/netdb.state +# netdb_filename stdio:/var/log/squid/netdb.state # OPTIONS FOR TROUBLESHOOTING # ----------------------------------------------------------------------------- # TAG: cache_log -# Cache logging file. This is where general information about -# your cache's behavior goes. You can increase the amount of data -# logged to this file and how often its rotated with "debug_options" +# Squid administrative logging file. +# +# This is where general information about Squid behavior goes. You can +# increase the amount of data logged to this file and how often it is +# rotated with "debug_options" #Default: # cache_log /var/log/squid/cache.log @@ -2742,14 +4218,14 @@ maximum_object_size 153600 KB # log file, so be careful. # # The magic word "ALL" sets debugging levels for all sections. -# We recommend normally running with "ALL,1". +# The default is to run with "ALL,1" to record important warnings. # # The rotate=N option can be used to keep more or less of these logs # than would otherwise be kept by logfile_rotate. # For most uses a single log should be enough to monitor current # events affecting Squid. #Default: -# debug_options ALL,1 +# Log all critical and important messages. # TAG: coredump_dir # By default Squid leaves core files in the directory from where @@ -2758,7 +4234,7 @@ maximum_object_size 153600 KB # and coredump files will be left there. # #Default: -# coredump_dir none +# Use the directory from where Squid was started. # # Leave coredumps in the first cache dir @@ -2769,24 +4245,17 @@ coredump_dir /var/spool/squid # TAG: ftp_user # If you want the anonymous login password to be more informative -# (and enable the use of picky ftp servers), set this to something +# (and enable the use of picky FTP servers), set this to something # reasonable for your domain, like wwwuser@somewhere.net # # The reason why this is domainless by default is the # request can be made on the behalf of a user in any domain, # depending on how the cache is used. -# Some ftp server also validate the email address is valid +# Some FTP server also validate the email address is valid # (for example perl.com). #Default: # ftp_user Squid@ -# TAG: ftp_list_width -# Sets the width of ftp listings. This should be set to fit in -# the width of a standard browser. Setting this too small -# can cut off long filenames when browsing ftp sites. -#Default: -# ftp_list_width 32 - # TAG: ftp_passive # If your firewall does not allow Squid to use passive # connections, turn off this option. @@ -2822,13 +4291,21 @@ coredump_dir /var/spool/squid # and therefore, translation of the data portion of the segments # will never be needed. # -# Turning this OFF will prevent EPSV being attempted. -# WARNING: Doing so will convert Squid back to the old behavior with all -# the related problems with external NAT devices/layers. +# EPSV is often required to interoperate with FTP servers on IPv6 +# networks. On the other hand, it may break some IPv4 servers. +# +# By default, EPSV may try EPSV with any FTP server. To fine tune +# that decision, you may restrict EPSV to certain clients or servers +# using ACLs: # +# ftp_epsv allow|deny al1 acl2 ... +# +# WARNING: Disabling EPSV may cause problems with external NAT and IPv6. +# +# Only fast ACLs are supported. # Requires ftp_passive to be ON (default) for any effect. #Default: -# ftp_epsv on +# none # TAG: ftp_eprt # FTP Protocol extensions permit the use of a special "EPRT" command. @@ -2889,22 +4366,16 @@ coredump_dir /var/spool/squid # unlinkd_program /usr/lib/squid/unlinkd # TAG: pinger_program -# Note: This option is only available if Squid is rebuilt with the -# --enable-icmp option -# # Specify the location of the executable for the pinger process. #Default: # pinger_program /usr/lib/squid/pinger # TAG: pinger_enable -# Note: This option is only available if Squid is rebuilt with the -# --enable-icmp option -# # Control whether the pinger is active at run-time. # Enables turning ICMP pinger on and off with a simple # squid -k reconfigure. #Default: -# pinger_enable off +# pinger_enable on # OPTIONS FOR URL REWRITING # ----------------------------------------------------------------------------- @@ -2915,68 +4386,137 @@ coredump_dir /var/spool/squid # # For each requested URL, the rewriter will receive on line with the format # -# URL client_ip "/" fqdn user method [ kvpairs] +# [channel-ID ] URL [ extras] +# +# See url_rewrite_extras on how to send "extras" with optional values to +# the helper. +# After processing the request the helper must reply using the following format: +# +# [channel-ID ] result [ kv-pairs] +# +# The result code can be: +# +# OK status=30N url="..." +# Redirect the URL to the one supplied in 'url='. +# 'status=' is optional and contains the status code to send +# the client in Squids HTTP response. It must be one of the +# HTTP redirect status codes: 301, 302, 303, 307, 308. +# When no status is given Squid will use 302. +# +# OK rewrite-url="..." +# Rewrite the URL to the one supplied in 'rewrite-url='. +# The new URL is fetched directly by Squid and returned to +# the client as the response to its request. # -# In the future, the rewriter interface will be extended with -# key=value pairs ("kvpairs" shown above). Rewriter programs -# should be prepared to receive and possibly ignore additional -# whitespace-separated tokens on each input line. +# OK +# When neither of url= and rewrite-url= are sent Squid does +# not change the URL. # -# And the rewriter may return a rewritten URL. The other components of -# the request line does not need to be returned (ignored if they are). +# ERR +# Do not change the URL. # -# The rewriter can also indicate that a client-side redirect should -# be performed to the new URL. This is done by prefixing the returned -# URL with "301:" (moved permanently) or 302: (moved temporarily), etc. +# BH +# An internal error occurred in the helper, preventing +# a result being identified. The 'message=' key name is +# reserved for delivering a log message. +# +# +# In addition to the above kv-pairs Squid also understands the following +# optional kv-pairs received from URL rewriters: +# clt_conn_tag=TAG +# Associates a TAG with the client TCP connection. +# The TAG is treated as a regular annotation but persists across +# future requests on the client connection rather than just the +# current request. A helper may update the TAG during subsequent +# requests be returning a new kv-pair. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# WARNING: URL re-writing ability should be avoided whenever possible. +# Use the URL redirect form of response instead. +# +# Re-write creates a difference in the state held by the client +# and server. Possibly causing confusion when the server response +# contains snippets of its view state. Embeded URLs, response +# and content Location headers, etc. are not re-written by this +# interface. # # By default, a URL rewriter is not used. #Default: # none # TAG: url_rewrite_children -# The number of redirector processes to spawn. If you start -# too few Squid will have to wait for them to process a backlog of -# URLs, slowing it down. If you start too many they will use RAM -# and other system resources. -#Default: -# url_rewrite_children 5 - -# TAG: url_rewrite_concurrency +# The maximum number of redirector processes to spawn. If you limit +# it too few Squid will have to wait for them to process a backlog of +# URLs, slowing it down. If you allow too many they will use RAM +# and other system resources noticably. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup= +# +# Sets a minimum of how many processes are to be spawned when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few will cause an initial slowdown in traffic as Squid +# attempts to simultaneously spawn enough processes to cope. +# +# idle= +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# # The number of requests each redirector helper can handle in # parallel. Defaults to 0 which indicates the redirector # is a old-style single threaded redirector. # # When this directive is set to a value >= 1 then the protocol # used to communicate with the helper is modified to include -# a request ID in front of the request/response. The request -# ID from the request must be echoed back with the response -# to that request. +# an ID in front of the request/response. The ID from the request +# must be echoed back with the response to that request. #Default: -# url_rewrite_concurrency 0 +# url_rewrite_children 20 startup=0 idle=1 concurrency=0 # TAG: url_rewrite_host_header -# By default Squid rewrites any Host: header in redirected -# requests. If you are running an accelerator this may -# not be a wanted effect of a redirector. -# +# To preserve same-origin security policies in browsers and +# prevent Host: header forgery by redirectors Squid rewrites +# any Host: header in redirected requests. +# +# If you are running an accelerator this may not be a wanted +# effect of a redirector. This directive enables you disable +# Host: alteration in reverse-proxy traffic. +# # WARNING: Entries are cached on the result of the URL rewriting # process, so be careful if you have domain-virtual hosts. +# +# WARNING: Squid and other software verifies the URL and Host +# are matching, so be careful not to relay through other proxies +# or inspecting firewalls with this disabled. #Default: # url_rewrite_host_header on # TAG: url_rewrite_access # If defined, this access list specifies which requests are -# sent to the redirector processes. By default all requests -# are sent. +# sent to the redirector processes. # # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: url_rewrite_bypass # When this is 'on', a request will not go through the -# redirector if all redirectors are busy. If this is 'off' +# redirector if all the helpers are busy. If this is 'off' # and the redirector queue grows too large, Squid will exit # with a FATAL error and ask you to increase the number of # redirectors. You should only enable this if the redirectors @@ -2987,23 +4527,231 @@ coredump_dir /var/spool/squid #Default: # url_rewrite_bypass off -# OPTIONS FOR TUNING THE CACHE +# TAG: url_rewrite_extras +# Specifies a string to be append to request line format for the +# rewriter helper. "Quoted" format values may contain spaces and +# logformat %macros. In theory, any logformat %macro can be used. +# In practice, a %macro expands as a dash (-) if the helper request is +# sent before the required macro information is available to Squid. +#Default: +# url_rewrite_extras "%>a/%>A %un %>rm myip=%la myport=%lp" + +# OPTIONS FOR STORE ID # ----------------------------------------------------------------------------- -# TAG: cache -# A list of ACL elements which, if matched and denied, cause the request to -# not be satisfied from the cache and the reply to not be cached. -# In other words, use this to force certain objects to never be cached. +# TAG: store_id_program +# Specify the location of the executable StoreID helper to use. +# Since they can perform almost any function there isn't one included. # -# You must use the words 'allow' or 'deny' to indicate whether items -# matching the ACL should be allowed or denied into the cache. +# For each requested URL, the helper will receive one line with the format # -# Default is to allow all to be cached. +# [channel-ID ] URL [ extras] +# +# +# After processing the request the helper must reply using the following format: +# +# [channel-ID ] result [ kv-pairs] +# +# The result code can be: +# +# OK store-id="..." +# Use the StoreID supplied in 'store-id='. +# +# ERR +# The default is to use HTTP request URL as the store ID. +# +# BH +# An internal error occured in the helper, preventing +# a result being identified. +# +# In addition to the above kv-pairs Squid also understands the following +# optional kv-pairs received from URL rewriters: +# clt_conn_tag=TAG +# Associates a TAG with the client TCP connection. +# Please see url_rewrite_program related documentation for this +# kv-pair +# +# Helper programs should be prepared to receive and possibly ignore +# additional whitespace-separated tokens on each input line. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# NOTE: when using StoreID refresh_pattern will apply to the StoreID +# returned from the helper and not the URL. +# +# WARNING: Wrong StoreID value returned by a careless helper may result +# in the wrong cached response returned to the user. +# +# By default, a StoreID helper is not used. +#Default: +# none + +# TAG: store_id_extras +# Specifies a string to be append to request line format for the +# StoreId helper. "Quoted" format values may contain spaces and +# logformat %macros. In theory, any logformat %macro can be used. +# In practice, a %macro expands as a dash (-) if the helper request is +# sent before the required macro information is available to Squid. +#Default: +# store_id_extras "%>a/%>A %un %>rm myip=%la myport=%lp" + +# TAG: store_id_children +# The maximum number of StoreID helper processes to spawn. If you limit +# it too few Squid will have to wait for them to process a backlog of +# requests, slowing it down. If you allow too many they will use RAM +# and other system resources noticably. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup= +# +# Sets a minimum of how many processes are to be spawned when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few will cause an initial slowdown in traffic as Squid +# attempts to simultaneously spawn enough processes to cope. +# +# idle= +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# +# The number of requests each storeID helper can handle in +# parallel. Defaults to 0 which indicates the helper +# is a old-style single threaded program. +# +# When this directive is set to a value >= 1 then the protocol +# used to communicate with the helper is modified to include +# an ID in front of the request/response. The ID from the request +# must be echoed back with the response to that request. +#Default: +# store_id_children 20 startup=0 idle=1 concurrency=0 + +# TAG: store_id_access +# If defined, this access list specifies which requests are +# sent to the StoreID processes. By default all requests +# are sent. # # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow, unless rules exist in squid.conf. + +# TAG: store_id_bypass +# When this is 'on', a request will not go through the +# helper if all helpers are busy. If this is 'off' +# and the helper queue grows too large, Squid will exit +# with a FATAL error and ask you to increase the number of +# helpers. You should only enable this if the helperss +# are not critical to your caching system. If you use +# helpers for critical caching components, and you enable this +# option, users may not get objects from cache. +#Default: +# store_id_bypass on + +# OPTIONS FOR TUNING THE CACHE +# ----------------------------------------------------------------------------- + +# TAG: cache +# Requests denied by this directive will not be served from the cache +# and their responses will not be stored in the cache. This directive +# has no effect on other transactions and on already cached responses. +# +# This clause supports both fast and slow acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# This and the two other similar caching directives listed below are +# checked at different transaction processing stages, have different +# access to response information, affect different cache operations, +# and differ in slow ACLs support: +# +# * cache: Checked before Squid makes a hit/miss determination. +# No access to reply information! +# Denies both serving a hit and storing a miss. +# Supports both fast and slow ACLs. +# * send_hit: Checked after a hit was detected. +# Has access to reply (hit) information. +# Denies serving a hit only. +# Supports fast ACLs only. +# * store_miss: Checked before storing a cachable miss. +# Has access to reply (miss) information. +# Denies storing a miss only. +# Supports fast ACLs only. +# +# If you are not sure which of the three directives to use, apply the +# following decision logic: +# +# * If your ACL(s) are of slow type _and_ need response info, redesign. +# Squid does not support that particular combination at this time. +# Otherwise: +# * If your directive ACL(s) are of slow type, use "cache"; and/or +# * if your directive ACL(s) need no response info, use "cache". +# Otherwise: +# * If you do not want the response cached, use store_miss; and/or +# * if you do not want a hit on a cached response, use send_hit. +#Default: +# By default, this directive is unused and has no effect. + +# TAG: send_hit +# Responses denied by this directive will not be served from the cache +# (but may still be cached, see store_miss). This directive has no +# effect on the responses it allows and on the cached objects. +# +# Please see the "cache" directive for a summary of differences among +# store_miss, send_hit, and cache directives. +# +# Unlike the "cache" directive, send_hit only supports fast acl +# types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# For example: +# +# # apply custom Store ID mapping to some URLs +# acl MapMe dstdomain .c.example.com +# store_id_program ... +# store_id_access allow MapMe +# +# # but prevent caching of special responses +# # such as 302 redirects that cause StoreID loops +# acl Ordinary http_status 200-299 +# store_miss deny MapMe !Ordinary +# +# # and do not serve any previously stored special responses +# # from the cache (in case they were already cached before +# # the above store_miss rule was in effect). +# send_hit deny MapMe !Ordinary +#Default: +# By default, this directive is unused and has no effect. + +# TAG: store_miss +# Responses denied by this directive will not be cached (but may still +# be served from the cache, see send_hit). This directive has no +# effect on the responses it allows and on the already cached responses. +# +# Please see the "cache" directive for a summary of differences among +# store_miss, send_hit, and cache directives. See the +# send_hit directive for a usage example. +# +# Unlike the "cache" directive, store_miss only supports fast acl +# types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# By default, this directive is unused and has no effect. + +# TAG: max_stale time-units +# This option puts an upper limit on how stale content Squid +# will serve from the cache if cache validation fails. +# Can be overriden by the refresh_pattern max-stale option. +#Default: +# max_stale 1 week # TAG: refresh_pattern # usage: refresh_pattern [-i] regex min percent max [options] @@ -3028,12 +4776,13 @@ coredump_dir /var/spool/squid # override-lastmod # reload-into-ims # ignore-reload -# ignore-no-cache # ignore-no-store # ignore-must-revalidate # ignore-private # ignore-auth +# max-stale=NN # refresh-ims +# store-stale # # override-expire enforces min age even if the server # sent an explicit expiry time (e.g., with the @@ -3049,22 +4798,18 @@ coredump_dir /var/spool/squid # override-lastmod enforces min age even on objects # that were modified recently. # -# reload-into-ims changes client no-cache or ``reload'' -# to If-Modified-Since requests. Doing this VIOLATES the -# HTTP standard. Enabling this feature could make you -# liable for problems which it causes. +# reload-into-ims changes a client no-cache or ``reload'' +# request for a cached entry into a conditional request using +# If-Modified-Since and/or If-None-Match headers, provided the +# cached entry has a Last-Modified and/or a strong ETag header. +# Doing this VIOLATES the HTTP standard. Enabling this feature +# could make you liable for problems which it causes. # # ignore-reload ignores a client no-cache or ``reload'' # header. Doing this VIOLATES the HTTP standard. Enabling # this feature could make you liable for problems which # it causes. # -# ignore-no-cache ignores any ``Pragma: no-cache'' and -# ``Cache-control: no-cache'' headers received from a server. -# The HTTP RFC never allows the use of this (Pragma) header -# from a server, only a client, though plenty of servers -# send it anyway. -# # ignore-no-store ignores any ``Cache-control: no-store'' # headers received from a server. Doing this VIOLATES # the HTTP standard. Enabling this feature could make you @@ -3091,9 +4836,19 @@ coredump_dir /var/spool/squid # ensures that the client will receive an updated version # if one is available. # +# store-stale stores responses even if they don't have explicit +# freshness or a validator (i.e., Last-Modified or an ETag) +# present, or if they're already stale. By default, Squid will +# not cache such responses because they usually can't be +# reused. Note that such responses will be stale by default. +# +# max-stale=NN provide a maximum staleness factor. Squid won't +# serve objects more stale than this even if it failed to +# validate the object. Default: use the max_stale global limit. +# # Basically a cached object is: # -# FRESH if expires < now, else STALE +# FRESH if expire > now, else STALE # STALE if age > max # FRESH if lm-factor < percent, else STALE # FRESH if age < min @@ -3109,7 +4864,9 @@ coredump_dir /var/spool/squid # # +# # Add any of your own refresh_pattern entries above these. +# refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 @@ -3137,7 +4894,7 @@ refresh_pattern . 0 20% 4320 # downloads. # # When the user aborts a request, Squid will check the -# quick_abort values to the amount of data transfered until +# quick_abort values to the amount of data transferred until # then. # # If the transfer has less than 'quick_abort_min' KB remaining, @@ -3195,44 +4952,68 @@ refresh_pattern . 0 20% 4320 #Default: # negative_dns_ttl 1 minutes -# TAG: range_offset_limit (bytes) -# Sets a upper limit on how far into the the file a Range request -# may be to cause Squid to prefetch the whole file. If beyond this -# limit Squid forwards the Range request as it is and the result -# is NOT cached. -# +# TAG: range_offset_limit size [acl acl...] +# usage: (size) [units] [[!]aclname] +# +# Sets an upper limit on how far (number of bytes) into the file +# a Range request may be to cause Squid to prefetch the whole file. +# If beyond this limit, Squid forwards the Range request as it is and +# the result is NOT cached. +# # This is to stop a far ahead range request (lets say start at 17MB) # from making Squid fetch the whole object up to that point before # sending anything to the client. -# -# A value of 0 causes Squid to never fetch more than the +# +# Multiple range_offset_limit lines may be specified, and they will +# be searched from top to bottom on each request until a match is found. +# The first match found will be used. If no line matches a request, the +# default limit of 0 bytes will be used. +# +# 'size' is the limit specified as a number of units. +# +# 'units' specifies whether to use bytes, KB, MB, etc. +# If no units are specified bytes are assumed. +# +# A size of 0 causes Squid to never fetch more than the # client requested. (default) -# -# A value of -1 causes Squid to always fetch the object from the +# +# A size of 'none' causes Squid to always fetch the object from the # beginning so it may cache the result. (2.0 style) -# -# NP: Using -1 here will override any quick_abort settings that may -# otherwise apply to the range request. The range request will +# +# 'aclname' is the name of a defined ACL. +# +# NP: Using 'none' as the byte value here will override any quick_abort settings +# that may otherwise apply to the range request. The range request will # be fully fetched from start to finish regardless of the client # actions. This affects bandwidth usage. #Default: -# range_offset_limit 0 KB +# none # TAG: minimum_expiry_time (seconds) # The minimum caching time according to (Expires - Date) -# Headers Squid honors if the object can't be revalidated -# defaults to 60 seconds. In reverse proxy environments it -# might be desirable to honor shorter object lifetimes. It -# is most likely better to make your server return a -# meaningful Last-Modified header however. In ESI environments -# where page fragments often have short lifetimes, this will -# often be best set to 0. +# headers Squid honors if the object can't be revalidated. +# The default is 60 seconds. +# +# In reverse proxy environments it might be desirable to honor +# shorter object lifetimes. It is most likely better to make +# your server return a meaningful Last-Modified header however. +# +# In ESI environments where page fragments often have short +# lifetimes, this will often be best set to 0. #Default: # minimum_expiry_time 60 seconds -# TAG: store_avg_object_size (kbytes) +# TAG: store_avg_object_size (bytes) # Average object size, used to estimate number of objects your # cache can hold. The default is 13 KB. +# +# This is used to pre-seed the cache index memory allocation to +# reduce expensive reallocate operations while handling clients +# traffic. Too-large values may result in memory allocation during +# peak traffic, too-small values will result in wasted memory. +# +# Check the cache manager 'info' report metrics for the real +# object sizes seen by your Squid before tuning this. #Default: # store_avg_object_size 13 KB @@ -3271,8 +5052,11 @@ refresh_pattern . 0 20% 4320 # than this limit receives an "Invalid Request" error message. # If you set this parameter to a zero (the default), there will # be no limit imposed. +# +# See also client_request_buffer_max_size for an alternative +# limitation on client uploads which can be configured. #Default: -# request_body_max_size 0 KB +# No limit. # TAG: client_request_buffer_max_size (bytes) # This specifies the maximum buffer size of a client request. @@ -3281,29 +5065,6 @@ refresh_pattern . 0 20% 4320 #Default: # client_request_buffer_max_size 512 KB -# TAG: chunked_request_body_max_size (bytes) -# A broken or confused HTTP/1.1 client may send a chunked HTTP -# request to Squid. Squid does not have full support for that -# feature yet. To cope with such requests, Squid buffers the -# entire request and then dechunks request body to create a -# plain HTTP/1.0 request with a known content length. The plain -# request is then used by the rest of Squid code as usual. -# -# The option value specifies the maximum size of the buffer used -# to hold the request before the conversion. If the chunked -# request size exceeds the specified limit, the conversion -# fails, and the client receives an "unsupported request" error, -# as if dechunking was disabled. -# -# Dechunking is enabled by default. To disable conversion of -# chunked requests, set the maximum to zero. -# -# Request dechunking feature and this option in particular are a -# temporary hack. When chunking requests and responses are fully -# supported, there will be no need to buffer a chunked request. -#Default: -# chunked_request_body_max_size 64 KB - # TAG: broken_posts # A list of ACL elements which, if matched, causes Squid to send # an extra CRLF pair after the body of a PUT/POST request. @@ -3325,15 +5086,15 @@ refresh_pattern . 0 20% 4320 # acl buggy_server url_regex ^http://.... # broken_posts allow buggy_server #Default: -# none +# Obey RFC 2616. -# TAG: icap_uses_indirect_client on|off +# TAG: adaptation_uses_indirect_client on|off # Controls whether the indirect client IP address (instead of the direct # client IP address) is passed to adaptation services. # # See also: follow_x_forwarded_for adaptation_send_client_ip #Default: -# icap_uses_indirect_client on +# adaptation_uses_indirect_client on # TAG: via on|off # If set (default), Squid will include a Via header in requests and @@ -3395,64 +5156,62 @@ refresh_pattern . 0 20% 4320 # # This option replaces the old 'anonymize_headers' and the # older 'http_anonymizer' option with something that is much -# more configurable. This new method creates a list of ACLs -# for each header, allowing you very fine-tuned header -# mangling. -# -# This option only applies to request headers, i.e., from the -# client to the server. -# -# You can only specify known headers for the header name. -# Other headers are reclassified as 'Other'. You can also -# refer to all the headers with 'All'. +# more configurable. A list of ACLs for each header name allows +# removal of specific header fields under specific conditions. +# +# This option only applies to outgoing HTTP request headers (i.e., +# headers sent by Squid to the next HTTP hop such as a cache peer +# or an origin server). The option has no effect during cache hit +# detection. The equivalent adaptation vectoring point in ICAP +# terminology is post-cache REQMOD. +# +# The option is applied to individual outgoing request header +# fields. For each request header field F, Squid uses the first +# qualifying sets of request_header_access rules: +# +# 1. Rules with header_name equal to F's name. +# 2. Rules with header_name 'Other', provided F's name is not +# on the hard-coded list of commonly used HTTP header names. +# 3. Rules with header_name 'All'. +# +# Within that qualifying rule set, rule ACLs are checked as usual. +# If ACLs of an "allow" rule match, the header field is allowed to +# go through as is. If ACLs of a "deny" rule match, the header is +# removed and request_header_replace is then checked to identify +# if the removed header has a replacement. If no rules within the +# set have matching ACLs, the header field is left as is. # # For example, to achieve the same behavior as the old # 'http_anonymizer standard' option, you should use: # # request_header_access From deny all # request_header_access Referer deny all -# request_header_access Server deny all # request_header_access User-Agent deny all -# request_header_access WWW-Authenticate deny all -# request_header_access Link deny all # # Or, to reproduce the old 'http_anonymizer paranoid' feature # you should use: # -# request_header_access Allow allow all # request_header_access Authorization allow all -# request_header_access WWW-Authenticate allow all # request_header_access Proxy-Authorization allow all -# request_header_access Proxy-Authenticate allow all # request_header_access Cache-Control allow all -# request_header_access Content-Encoding allow all # request_header_access Content-Length allow all # request_header_access Content-Type allow all # request_header_access Date allow all -# request_header_access Expires allow all # request_header_access Host allow all # request_header_access If-Modified-Since allow all -# request_header_access Last-Modified allow all -# request_header_access Location allow all # request_header_access Pragma allow all # request_header_access Accept allow all # request_header_access Accept-Charset allow all # request_header_access Accept-Encoding allow all # request_header_access Accept-Language allow all -# request_header_access Content-Language allow all -# request_header_access Mime-Version allow all -# request_header_access Retry-After allow all -# request_header_access Title allow all # request_header_access Connection allow all # request_header_access All deny all # -# although many of those are HTTP reply headers, and so should be -# controlled with the reply_header_access directive. +# HTTP reply headers are controlled with the reply_header_access directive. # -# By default, all headers are allowed (no anonymizing is -# performed). +# By default, all headers are allowed (no anonymizing is performed). #Default: -# none +# No limits. # TAG: reply_header_access # Usage: reply_header_access header_name allow|deny [!]aclname ... @@ -3465,25 +5224,13 @@ refresh_pattern . 0 20% 4320 # server to the client. # # This is the same as request_header_access, but in the other -# direction. -# -# This option replaces the old 'anonymize_headers' and the -# older 'http_anonymizer' option with something that is much -# more configurable. This new method creates a list of ACLs -# for each header, allowing you very fine-tuned header -# mangling. -# -# You can only specify known headers for the header name. -# Other headers are reclassified as 'Other'. You can also -# refer to all the headers with 'All'. +# direction. Please see request_header_access for detailed +# documentation. # # For example, to achieve the same behavior as the old # 'http_anonymizer standard' option, you should use: # -# reply_header_access From deny all -# reply_header_access Referer deny all # reply_header_access Server deny all -# reply_header_access User-Agent deny all # reply_header_access WWW-Authenticate deny all # reply_header_access Link deny all # @@ -3491,9 +5238,7 @@ refresh_pattern . 0 20% 4320 # you should use: # # reply_header_access Allow allow all -# reply_header_access Authorization allow all # reply_header_access WWW-Authenticate allow all -# reply_header_access Proxy-Authorization allow all # reply_header_access Proxy-Authenticate allow all # reply_header_access Cache-Control allow all # reply_header_access Content-Encoding allow all @@ -3501,29 +5246,22 @@ refresh_pattern . 0 20% 4320 # reply_header_access Content-Type allow all # reply_header_access Date allow all # reply_header_access Expires allow all -# reply_header_access Host allow all -# reply_header_access If-Modified-Since allow all # reply_header_access Last-Modified allow all # reply_header_access Location allow all # reply_header_access Pragma allow all -# reply_header_access Accept allow all -# reply_header_access Accept-Charset allow all -# reply_header_access Accept-Encoding allow all -# reply_header_access Accept-Language allow all # reply_header_access Content-Language allow all -# reply_header_access Mime-Version allow all # reply_header_access Retry-After allow all # reply_header_access Title allow all +# reply_header_access Content-Disposition allow all # reply_header_access Connection allow all # reply_header_access All deny all # -# although the HTTP request headers won't be usefully controlled -# by this directive -- see request_header_access for details. +# HTTP request headers are controlled with the request_header_access directive. # # By default, all headers are allowed (no anonymizing is # performed). #Default: -# none +# No limits. # TAG: request_header_replace # Usage: request_header_replace header_name message @@ -3531,8 +5269,7 @@ refresh_pattern . 0 20% 4320 # # This option allows you to change the contents of headers # denied with request_header_access above, by replacing them -# with some fixed string. This replaces the old fake_user_agent -# option. +# with some fixed string. # # This only applies to request headers, not reply headers. # @@ -3554,6 +5291,57 @@ refresh_pattern . 0 20% 4320 #Default: # none +# TAG: request_header_add +# Usage: request_header_add field-name field-value acl1 [acl2] ... +# Example: request_header_add X-Client-CA "CA=%ssl::>cert_issuer" all +# +# This option adds header fields to outgoing HTTP requests (i.e., +# request headers sent by Squid to the next HTTP hop such as a +# cache peer or an origin server). The option has no effect during +# cache hit detection. The equivalent adaptation vectoring point +# in ICAP terminology is post-cache REQMOD. +# +# Field-name is a token specifying an HTTP header name. If a +# standard HTTP header name is used, Squid does not check whether +# the new header conflicts with any existing headers or violates +# HTTP rules. If the request to be modified already contains a +# field with the same name, the old field is preserved but the +# header field values are not merged. +# +# Field-value is either a token or a quoted string. If quoted +# string format is used, then the surrounding quotes are removed +# while escape sequences and %macros are processed. +# +# In theory, all of the logformat codes can be used as %macros. +# However, unlike logging (which happens at the very end of +# transaction lifetime), the transaction may not yet have enough +# information to expand a macro when the new header value is needed. +# And some information may already be available to Squid but not yet +# committed where the macro expansion code can access it (report +# such instances!). The macro will be expanded into a single dash +# ('-') in such cases. Not all macros have been tested. +# +# One or more Squid ACLs may be specified to restrict header +# injection to matching requests. As always in squid.conf, all +# ACLs in an option ACL list must be satisfied for the insertion +# to happen. The request_header_add option supports fast ACLs +# only. +#Default: +# none + +# TAG: note +# This option used to log custom information about the master +# transaction. For example, an admin may configure Squid to log +# which "user group" the transaction belongs to, where "user group" +# will be determined based on a set of ACLs and not [just] +# authentication information. +# Values of key/value pairs can be logged using %{key}note macros: +# +# note key value acl ... +# logformat myFormat ... %{key}note ... +#Default: +# none + # TAG: relaxed_header_parser on|off|warn # In the default "on" setting Squid accepts certain forms # of non-compliant HTTP messages where it is unambiguous @@ -3569,15 +5357,32 @@ refresh_pattern . 0 20% 4320 #Default: # relaxed_header_parser on -# TAG: ignore_expect_100 on|off -# This option makes Squid ignore any Expect: 100-continue header present -# in the request. RFC 2616 requires that Squid being unable to satisfy -# the response expectation MUST return a 417 error. -# -# Note: Enabling this is a HTTP protocol violation, but some clients may -# not handle it well.. -#Default: -# ignore_expect_100 off +# TAG: collapsed_forwarding (on|off) +# When enabled, instead of forwarding each concurrent request for +# the same URL, Squid just sends the first of them. The other, so +# called "collapsed" requests, wait for the response to the first +# request and, if it happens to be cachable, use that response. +# Here, "concurrent requests" means "received after the first +# request headers were parsed and before the corresponding response +# headers were parsed". +# +# This feature is disabled by default: enabling collapsed +# forwarding needlessly delays forwarding requests that look +# cachable (when they are collapsed) but then need to be forwarded +# individually anyway because they end up being for uncachable +# content. However, in some cases, such as acceleration of highly +# cachable content with periodic or grouped expiration times, the +# gains from collapsing [large volumes of simultaneous refresh +# requests] outweigh losses from such delays. +# +# Squid collapses two kinds of requests: regular client requests +# received on one of the listening ports and internal "cache +# revalidation" requests which are triggered by those regular +# requests hitting a stale cached object. Revalidation collapsing +# is currently disabled for Squid instances containing SMP-aware +# disk or memory caches and for Vary-controlled cached objects. +#Default: +# collapsed_forwarding off # TIMEOUTS # ----------------------------------------------------------------------------- @@ -3604,25 +5409,46 @@ refresh_pattern . 0 20% 4320 # peer_connect_timeout 30 seconds # TAG: read_timeout time-units -# The read_timeout is applied on server-side connections. After -# each successful read(), the timeout will be extended by this +# Applied on peer server connections. +# +# After each successful read(), the timeout will be extended by this # amount. If no data is read again after this amount of time, -# the request is aborted and logged with ERR_READ_TIMEOUT. The -# default is 15 minutes. +# the request is aborted and logged with ERR_READ_TIMEOUT. +# +# The default is 15 minutes. #Default: # read_timeout 15 minutes +# TAG: write_timeout time-units +# This timeout is tracked for all connections that have data +# available for writing and are waiting for the socket to become +# ready. After each successful write, the timeout is extended by +# the configured amount. If Squid has data to write but the +# connection is not ready for the configured duration, the +# transaction associated with the connection is terminated. The +# default is 15 minutes. +#Default: +# write_timeout 15 minutes + # TAG: request_timeout # How long to wait for complete HTTP request headers after initial # connection establishment. #Default: # request_timeout 5 minutes -# TAG: persistent_request_timeout +# TAG: client_idle_pconn_timeout # How long to wait for the next HTTP request on a persistent -# connection after the previous request completes. +# client connection after the previous request completes. +#Default: +# client_idle_pconn_timeout 2 minutes + +# TAG: ftp_client_idle_timeout +# How long to wait for an FTP request on a connection to Squid ftp_port. +# Many FTP clients do not deal with idle connection closures well, +# necessitating a longer default timeout than client_idle_pconn_timeout +# used for incoming HTTP requests. #Default: -# persistent_request_timeout 2 minutes +# ftp_client_idle_timeout 30 minutes # TAG: client_lifetime time-units # The maximum amount of time a client (browser) is allowed to @@ -3658,11 +5484,11 @@ refresh_pattern . 0 20% 4320 #Default: # half_closed_clients off -# TAG: pconn_timeout +# TAG: server_idle_pconn_timeout # Timeout for idle persistent connections to servers and other # proxies. #Default: -# pconn_timeout 1 minute +# server_idle_pconn_timeout 1 minute # TAG: ident_timeout # Maximum time to wait for IDENT lookups to complete. @@ -3687,15 +5513,15 @@ refresh_pattern . 0 20% 4320 # TAG: cache_mgr # Email-address of local cache manager who will receive -# mail if the cache dies. The default is "webmaster." +# mail if the cache dies. The default is "webmaster". #Default: # cache_mgr webmaster # TAG: mail_from # From: email-address for mail sent when the cache dies. -# The default is to use 'appname@unique_hostname'. -# Default appname value is "squid", can be changed into -# src/globals.h before building squid. +# The default is to use 'squid@unique_hostname'. +# +# See also: unique_hostname directive. #Default: # none @@ -3734,7 +5560,7 @@ refresh_pattern . 0 20% 4320 # Our preference is for administrators to configure a secure # user account for squid with UID/GID matching system policies. #Default: -# none +# Use system group memberships of the cache_effective_user account # TAG: httpd_suppress_version_string on|off # Suppress Squid version string info in HTTP headers and HTML error pages. @@ -3748,14 +5574,14 @@ refresh_pattern . 0 20% 4320 # get errors about IP-forwarding you must set them to have individual # names with this setting. #Default: -# visible_hostname localhost +# Automatically detect the system host name # TAG: unique_hostname # If you want to have multiple machines with the same # 'visible_hostname' you must give each machine a different # 'unique_hostname' so forwarding loops can be detected. #Default: -# none +# Copy the value from visible_hostname # TAG: hostname_aliases # A list of other DNS names your cache has. @@ -3794,33 +5620,32 @@ refresh_pattern . 0 20% 4320 # available on the Web at http://www.ircache.net/Cache/Tracker/. # TAG: announce_period -# This is how frequently to send cache announcements. The -# default is `0' which disables sending the announcement -# messages. +# This is how frequently to send cache announcements. # # To enable announcing your cache, just set an announce period. # # Example: # announce_period 1 day #Default: -# announce_period 0 +# Announcement messages disabled. # TAG: announce_host +# Set the hostname where announce registration messages will be sent. +# +# See also announce_port and announce_file #Default: # announce_host tracker.ircache.net # TAG: announce_file +# The contents of this file will be included in the announce +# registration messages. #Default: # none # TAG: announce_port -# announce_host and announce_port set the hostname and port -# number where the registration message will be sent. +# Set the port where announce registration messages will be sent. # -# Hostname will default to 'tracker.ircache.net' and port will -# default default to 3131. If the 'filename' argument is given, -# the contents of that file will be included in the announce -# message. +# See also announce_host and announce_file #Default: # announce_port 3131 @@ -3833,10 +5658,12 @@ refresh_pattern . 0 20% 4320 # a farm of surrogates may all perform the same tasks, they may share # an identification token. #Default: -# httpd_accel_surrogate_id unset-id +# visible_hostname is used if no specific ID is set. # TAG: http_accel_surrogate_remote on|off -# Remote surrogates (such as those in a CDN) honour Surrogate-Control: no-store-remote. +# Remote surrogates (such as those in a CDN) honour the header +# "Surrogate-Control: no-store-remote". +# # Set this to on to have squid behave as a remote surrogate. #Default: # http_accel_surrogate_remote off @@ -3855,6 +5682,9 @@ refresh_pattern . 0 20% 4320 # This represents the number of delay pools to be used. For example, # if you have one class 2 delay pool and one class 3 delays pool, you # have a total of 2 delay pools. +# +# See also delay_parameters, delay_class, delay_access for pool +# configuration details. #Default: # delay_pools 0 @@ -3907,6 +5737,11 @@ refresh_pattern . 0 20% 4320 # # NOTE-2: Due to the use of bitmasks in class 2,3,4 pools they only apply to # IPv4 traffic. Class 1 and 5 pools may be used with IPv6 traffic. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# See also delay_parameters and delay_access. #Default: # none @@ -3921,14 +5756,16 @@ refresh_pattern . 0 20% 4320 # For example, if you want some_big_clients in delay # pool 1 and lotsa_little_clients in delay pool 2: # -#Example: -# delay_access 1 allow some_big_clients -# delay_access 1 deny all -# delay_access 2 allow lotsa_little_clients -# delay_access 2 deny all -# delay_access 3 allow authenticated_clients +# delay_access 1 allow some_big_clients +# delay_access 1 deny all +# delay_access 2 allow lotsa_little_clients +# delay_access 2 deny all +# delay_access 3 allow authenticated_clients +# +# See also delay_parameters and delay_class. +# #Default: -# none +# Deny using the pool, unless allow rules exist in squid.conf for the pool. # TAG: delay_parameters # This defines the parameters for a delay pool. Each delay pool has @@ -3936,23 +5773,23 @@ refresh_pattern . 0 20% 4320 # description of delay_class. # # For a class 1 delay pool, the syntax is: -# delay_pools pool 1 +# delay_class pool 1 # delay_parameters pool aggregate # # For a class 2 delay pool: -# delay_pools pool 2 +# delay_class pool 2 # delay_parameters pool aggregate individual # # For a class 3 delay pool: -# delay_pools pool 3 +# delay_class pool 3 # delay_parameters pool aggregate network individual # # For a class 4 delay pool: -# delay_pools pool 4 +# delay_class pool 4 # delay_parameters pool aggregate network individual user # # For a class 5 delay pool: -# delay_pools pool 5 +# delay_class pool 5 # delay_parameters pool tagrate # # The option variables are: @@ -3988,11 +5825,11 @@ refresh_pattern . 0 20% 4320 # above example, and is being used to strictly limit each host to 64Kbit/sec # (plus overheads), with no overall limit, the line is: # -# delay_parameters 1 -1/-1 8000/8000 +# delay_parameters 1 none 8000/8000 # -# Note that 8 x 8000 KByte/sec -> 64Kbit/sec. +# Note that 8 x 8K Byte/sec -> 64K bit/sec. # -# Note that the figure -1 is used to represent "unlimited". +# Note that the word 'none' is used to represent no limit. # # # And, if delay pool number 2 is a class 3 delay pool as in the above @@ -4005,15 +5842,19 @@ refresh_pattern . 0 20% 4320 # # delay_parameters 2 32000/32000 8000/8000 600/8000 # -# Note that 8 x 32000 KByte/sec -> 256Kbit/sec. -# 8 x 8000 KByte/sec -> 64Kbit/sec. -# 8 x 600 Byte/sec -> 4800bit/sec. +# Note that 8 x 32K Byte/sec -> 256K bit/sec. +# 8 x 8K Byte/sec -> 64K bit/sec. +# 8 x 600 Byte/sec -> 4800 bit/sec. # # # Finally, for a class 4 delay pool as in the example - each user will # be limited to 128Kbits/sec no matter how many workstations they are logged into.: # # delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000 +# +# +# See also delay_class and delay_access. +# #Default: # none @@ -4026,6 +5867,94 @@ refresh_pattern . 0 20% 4320 #Default: # delay_initial_bucket_level 50 +# CLIENT DELAY POOL PARAMETERS +# ----------------------------------------------------------------------------- + +# TAG: client_delay_pools +# This option specifies the number of client delay pools used. It must +# preceed other client_delay_* options. +# +# Example: +# client_delay_pools 2 +# +# See also client_delay_parameters and client_delay_access. +#Default: +# client_delay_pools 0 + +# TAG: client_delay_initial_bucket_level (percent, 0-no_limit) +# This option determines the initial bucket size as a percentage of +# max_bucket_size from client_delay_parameters. Buckets are created +# at the time of the "first" connection from the matching IP. Idle +# buckets are periodically deleted up. +# +# You can specify more than 100 percent but note that such "oversized" +# buckets are not refilled until their size goes down to max_bucket_size +# from client_delay_parameters. +# +# Example: +# client_delay_initial_bucket_level 50 +#Default: +# client_delay_initial_bucket_level 50 + +# TAG: client_delay_parameters +# +# This option configures client-side bandwidth limits using the +# following format: +# +# client_delay_parameters pool speed_limit max_bucket_size +# +# pool is an integer ID used for client_delay_access matching. +# +# speed_limit is bytes added to the bucket per second. +# +# max_bucket_size is the maximum size of a bucket, enforced after any +# speed_limit additions. +# +# Please see the delay_parameters option for more information and +# examples. +# +# Example: +# client_delay_parameters 1 1024 2048 +# client_delay_parameters 2 51200 16384 +# +# See also client_delay_access. +# +#Default: +# none + +# TAG: client_delay_access +# This option determines the client-side delay pool for the +# request: +# +# client_delay_access pool_ID allow|deny acl_name +# +# All client_delay_access options are checked in their pool ID +# order, starting with pool 1. The first checked pool with allowed +# request is selected for the request. If no ACL matches or there +# are no client_delay_access options, the request bandwidth is not +# limited. +# +# The ACL-selected pool is then used to find the +# client_delay_parameters for the request. Client-side pools are +# not used to aggregate clients. Clients are always aggregated +# based on their source IP addresses (one bucket per source IP). +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# Additionally, only the client TCP connection details are available. +# ACLs testing HTTP properties will not work. +# +# Please see delay_access for more examples. +# +# Example: +# client_delay_access 1 allow low_rate_network +# client_delay_access 2 allow vips_network +# +# +# See also client_delay_parameters and client_delay_pools. +#Default: +# Deny use of the pool, unless allow rules exist in squid.conf for the pool. + # WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS # ----------------------------------------------------------------------------- @@ -4040,7 +5969,7 @@ refresh_pattern . 0 20% 4320 # only one of the two may be used at the same time and defines # which version of WCCP to use. #Default: -# wccp_router any_addr +# WCCP disabled. # TAG: wccp2_router # Use this option to define your WCCP ``home'' router for @@ -4053,7 +5982,7 @@ refresh_pattern . 0 20% 4320 # only one of the two may be used at the same time and defines # which version of WCCP to use. #Default: -# none +# WCCPv2 disabled. # TAG: wccp_version # This directive is only relevant if you need to set up WCCP(v1) @@ -4110,7 +6039,7 @@ refresh_pattern . 0 20% 4320 # Valid values are as follows: # # hash - Hash assignment -# mask - Mask assignment +# mask - Mask assignment # # As a general rule, cisco routers support the hash assignment method # and cisco switches support the mask assignment method. @@ -4138,7 +6067,7 @@ refresh_pattern . 0 20% 4320 # # fleshed out with subsequent options. # wccp2_service standard 0 password=foo #Default: -# wccp2_service standard 0 +# Use the 'web-cache' standard service. # TAG: wccp2_service_info # Dynamic WCCPv2 services require further information to define the @@ -4175,8 +6104,12 @@ refresh_pattern . 0 20% 4320 # wccp2_weight 10000 # TAG: wccp_address +# Use this option if you require WCCPv2 to use a specific +# interface address. +# +# The default behavior is to not bind to any specific address. #Default: -# wccp_address 0.0.0.0 +# Address selected by the operating system. # TAG: wccp2_address # Use this option if you require WCCP to use a specific @@ -4184,7 +6117,7 @@ refresh_pattern . 0 20% 4320 # # The default behavior is to not bind to any specific address. #Default: -# wccp2_address 0.0.0.0 +# Address selected by the operating system. # PERSISTENT CONNECTION HANDLING # ----------------------------------------------------------------------------- @@ -4192,14 +6125,16 @@ refresh_pattern . 0 20% 4320 # Also see "pconn_timeout" in the TIMEOUTS section # TAG: client_persistent_connections +# Persistent connection support for clients. +# Squid uses persistent connections (when allowed). You can use +# this option to disable persistent connections with clients. #Default: # client_persistent_connections on # TAG: server_persistent_connections -# Persistent connection support for clients and servers. By -# default, Squid uses persistent connections (when allowed) -# with its clients and servers. You can use these options to -# disable persistent connections with clients and/or servers. +# Persistent connection support for servers. +# Squid uses persistent connections (when allowed). You can use +# this option to disable persistent connections with servers. #Default: # server_persistent_connections on @@ -4275,7 +6210,7 @@ refresh_pattern . 0 20% 4320 # Example: # snmp_port 3401 #Default: -# snmp_port 0 +# SNMP disabled. # TAG: snmp_access # Allowing or denying access to the SNMP port. @@ -4287,26 +6222,29 @@ refresh_pattern . 0 20% 4320 # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# #Example: # snmp_access allow snmppublic localhost # snmp_access deny all #Default: -# snmp_access deny all +# Deny, unless rules exist in squid.conf. # TAG: snmp_incoming_address -#Default: -# snmp_incoming_address any_addr - -# TAG: snmp_outgoing_address # Just like 'udp_incoming_address', but for the SNMP port. # # snmp_incoming_address is used for the SNMP socket receiving # messages from SNMP agents. -# snmp_outgoing_address is used for SNMP packets returned to SNMP -# agents. # # The default snmp_incoming_address is to listen on all # available network interfaces. +#Default: +# Accept SNMP packets from all machine interfaces. + +# TAG: snmp_outgoing_address +# Just like 'udp_outgoing_address', but for the SNMP port. +# +# snmp_outgoing_address is used for SNMP packets returned to SNMP +# agents. # # If snmp_outgoing_address is not set it will use the same socket # as snmp_incoming_address. Only change this if you want to have @@ -4314,9 +6252,9 @@ refresh_pattern . 0 20% 4320 # listens for SNMP queries. # # NOTE, snmp_incoming_address and snmp_outgoing_address can not have -# the same value since they both use port 3401. +# the same value since they both use the same port. #Default: -# snmp_outgoing_address no_addr +# Use snmp_incoming_address or an address selected by the operating system. # ICP OPTIONS # ----------------------------------------------------------------------------- @@ -4324,22 +6262,21 @@ refresh_pattern . 0 20% 4320 # TAG: icp_port # The port number where Squid sends and receives ICP queries to # and from neighbor caches. The standard UDP port for ICP is 3130. -# Default is disabled (0). # # Example: # icp_port 3130 #Default: -# icp_port 0 +# ICP disabled. # TAG: htcp_port # The port number where Squid sends and receives HTCP queries to # and from neighbor caches. To turn it on you want to set it to -# 4827. By default it is set to "0" (disabled). +# 4827. # # Example: # htcp_port 4827 #Default: -# htcp_port 0 +# HTCP disabled. # TAG: log_icp_queries on|off # If set, ICP queries are logged to access.log. You may wish @@ -4365,7 +6302,7 @@ refresh_pattern . 0 20% 4320 # NOTE, udp_incoming_address and udp_outgoing_address can not # have the same value since they both use the same port. #Default: -# udp_incoming_address any_addr +# Accept packets from all machine interfaces. # TAG: udp_outgoing_address # udp_outgoing_address is used for UDP packets sent out to other @@ -4386,7 +6323,7 @@ refresh_pattern . 0 20% 4320 # NOTE, udp_incoming_address and udp_outgoing_address can not # have the same value since they both use the same port. #Default: -# udp_outgoing_address no_addr +# Use udp_incoming_address or an address selected by the operating system. # TAG: icp_hit_stale on|off # If you want to return ICP_HIT for stale cache objects, set this @@ -4405,21 +6342,33 @@ refresh_pattern . 0 20% 4320 #Default: # minimum_direct_hops 4 -# TAG: minimum_direct_rtt +# TAG: minimum_direct_rtt (msec) # If using the ICMP pinging stuff, do direct fetches for sites # which are no more than this many rtt milliseconds away. #Default: # minimum_direct_rtt 400 # TAG: netdb_low +# The low water mark for the ICMP measurement database. +# +# Note: high watermark controlled by netdb_high directive. +# +# These watermarks are counts, not percents. The defaults are +# (low) 900 and (high) 1000. When the high water mark is +# reached, database entries will be deleted until the low +# mark is reached. #Default: # netdb_low 900 # TAG: netdb_high -# The low and high water marks for the ICMP measurement -# database. These are counts, not percents. The defaults are -# 900 and 1000. When the high water mark is reached, database -# entries will be deleted until the low mark is reached. +# The high water mark for the ICMP measurement database. +# +# Note: low watermark controlled by netdb_low directive. +# +# These watermarks are counts, not percents. The defaults are +# (low) 900 and (high) 1000. When the high water mark is +# reached, database entries will be deleted until the low +# mark is reached. #Default: # netdb_high 1000 @@ -4462,7 +6411,7 @@ refresh_pattern . 0 20% 4320 # # icp_query_timeout 2000 #Default: -# icp_query_timeout 0 +# Dynamic detection. # TAG: maximum_icp_query_timeout (msec) # Normally the ICP query timeout is determined dynamically. But @@ -4528,7 +6477,7 @@ refresh_pattern . 0 20% 4320 # Do not enable this option unless you are are absolutely # certain you understand what you are doing. #Default: -# mcast_miss_addr no_addr +# disabled. # TAG: mcast_miss_ttl # Note: This option is only available if Squid is rebuilt with the @@ -4618,7 +6567,7 @@ refresh_pattern . 0 20% 4320 # The squid developers working on translations are happy to supply drop-in # translated error files in exchange for any new language contributions. #Default: -# none +# Send error pages in the clients preferred language # TAG: error_default_language # Set the default language which squid will send error pages in @@ -4632,7 +6581,7 @@ refresh_pattern . 0 20% 4320 # translations for any language see the squid wiki for details. # http://wiki.squid-cache.org/Translations #Default: -# none +# Generate English language pages. # TAG: error_log_languages # Log to cache.log what languages users are attempting to @@ -4687,17 +6636,47 @@ refresh_pattern . 0 20% 4320 # the first authentication related acl encountered # - When none of the http_access lines matches. It's then the last # acl processed on the last http_access line. +# - When the decision to deny access was made by an adaptation service, +# the acl name is the corresponding eCAP or ICAP service_name. # # NP: If providing your own custom error pages with error_directory # you may also specify them by your custom file name: # Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys # -# Alternatively you can specify an error URL. The browsers will -# get redirected (302 or 307) to the specified URL. %s in the redirection -# URL will be replaced by the requested URL. +# By defaut Squid will send "403 Forbidden". A different 4xx or 5xx +# may be specified by prefixing the file name with the code and a colon. +# e.g. 404:ERR_CUSTOM_ACCESS_DENIED # # Alternatively you can tell Squid to reset the TCP connection # by specifying TCP_RESET. +# +# Or you can specify an error URL or URL pattern. The browsers will +# get redirected to the specified URL after formatting tags have +# been replaced. Redirect will be done with 302 or 307 according to +# HTTP/1.1 specs. A different 3xx code may be specified by prefixing +# the URL. e.g. 303:http://example.com/ +# +# URL FORMAT TAGS: +# %a - username (if available. Password NOT included) +# %B - FTP path URL +# %e - Error number +# %E - Error description +# %h - Squid hostname +# %H - Request domain name +# %i - Client IP Address +# %M - Request Method +# %o - Message result from external ACL helper +# %p - Request Port number +# %P - Request Protocol name +# %R - Request URL path +# %T - Timestamp in RFC 1123 format +# %U - Full canonical URL from client +# (HTTPS URLs terminate with *) +# %u - Full canonical URL from client +# %w - Admin email from squid.conf +# %x - Error name +# %% - Literal percent (%) code +# #Default: # none @@ -4706,18 +6685,18 @@ refresh_pattern . 0 20% 4320 # TAG: nonhierarchical_direct # By default, Squid will send any non-hierarchical requests -# (matching hierarchy_stoplist or not cacheable request type) direct -# to origin servers. +# (not cacheable request type) direct to origin servers. # -# If you set this to off, Squid will prefer to send these +# When this is set to "off", Squid will prefer to send these # requests to parents. # # Note that in most configurations, by turning this off you will only # add latency to these request without any improvement in global hit # ratio. # -# If you are inside an firewall see never_direct instead of -# this directive. +# This option only sets a preference. If the parent is unavailable a +# direct connection to the origin server may still be attempted. To +# completely prevent direct connections use never_direct. #Default: # nonhierarchical_direct on @@ -4736,6 +6715,29 @@ refresh_pattern . 0 20% 4320 #Default: # prefer_direct off +# TAG: cache_miss_revalidate on|off +# RFC 7232 defines a conditional request mechanism to prevent +# response objects being unnecessarily transferred over the network. +# If that mechanism is used by the client and a cache MISS occurs +# it can prevent new cache entries being created. +# +# This option determines whether Squid on cache MISS will pass the +# client revalidation request to the server or tries to fetch new +# content for caching. It can be useful while the cache is mostly +# empty to more quickly have the cache populated by generating +# non-conditional GETs. +# +# When set to 'on' (default), Squid will pass all client If-* headers +# to the server. This permits server responses without a cacheable +# payload to be delivered and on MISS no new cache entry is created. +# +# When set to 'off' and if the request is cacheable, Squid will +# remove the clients If-Modified-Since and If-None-Match headers from +# the request sent to the server. This requests a 200 status response +# from the server to create a new cache entry with. +#Default: +# cache_miss_revalidate on + # TAG: always_direct # Usage: always_direct allow|deny [!]aclname ... # @@ -4776,7 +6778,7 @@ refresh_pattern . 0 20% 4320 # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Prevent any cache_peer being used for this request. # TAG: never_direct # Usage: never_direct allow|deny [!]aclname ... @@ -4805,37 +6807,52 @@ refresh_pattern . 0 20% 4320 # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow DNS results to be used for this request. # ADVANCED NETWORKING OPTIONS # ----------------------------------------------------------------------------- -# TAG: incoming_icp_average +# TAG: incoming_udp_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: -# incoming_icp_average 6 +# incoming_udp_average 6 -# TAG: incoming_http_average +# TAG: incoming_tcp_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: -# incoming_http_average 4 +# incoming_tcp_average 4 # TAG: incoming_dns_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: # incoming_dns_average 4 -# TAG: min_icp_poll_cnt +# TAG: min_udp_poll_cnt +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: -# min_icp_poll_cnt 8 +# min_udp_poll_cnt 8 # TAG: min_dns_poll_cnt +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: # min_dns_poll_cnt 8 -# TAG: min_http_poll_cnt +# TAG: min_tcp_poll_cnt # Heavy voodoo here. I can't even believe you are reading this. # Are you crazy? Don't even think about adjusting these unless # you understand the algorithms in comm_select.c first! #Default: -# min_http_poll_cnt 8 +# min_tcp_poll_cnt 8 # TAG: accept_filter # FreeBSD: @@ -4880,14 +6897,14 @@ refresh_pattern . 0 20% 4320 # WARNING: This may noticably slow down traffic received via external proxies # or NAT devices and cause them to rebound error messages back to their clients. #Default: -# client_ip_max_connections -1 +# No limit. # TAG: tcp_recv_bufsize (bytes) # Size of receive buffer to set for TCP sockets. Probably just -# as easy to change your kernel's default. Set to zero to use -# the default buffer size. +# as easy to change your kernel's default. +# Omit from squid.conf to use the default buffer size. #Default: -# tcp_recv_bufsize 0 bytes +# Use operating system TCP defaults. # ICAP OPTIONS # ----------------------------------------------------------------------------- @@ -4913,22 +6930,36 @@ refresh_pattern . 0 20% 4320 # an established, active ICAP connection before giving up and # either terminating the HTTP transaction or bypassing the # failure. -# -# The default is read_timeout. #Default: -# none +# Use read_timeout. -# TAG: icap_service_failure_limit +# TAG: icap_service_failure_limit limit [in memory-depth time-units] # The limit specifies the number of failures that Squid tolerates # when establishing a new TCP connection with an ICAP service. If # the number of failures exceeds the limit, the ICAP service is # not used for new ICAP requests until it is time to refresh its -# OPTIONS. The per-service failure counter is reset to zero each -# time Squid fetches new service OPTIONS. +# OPTIONS. # # A negative value disables the limit. Without the limit, an ICAP # service will not be considered down due to connectivity failures # between ICAP OPTIONS requests. +# +# Squid forgets ICAP service failures older than the specified +# value of memory-depth. The memory fading algorithm +# is approximate because Squid does not remember individual +# errors but groups them instead, splitting the option +# value into ten time slots of equal length. +# +# When memory-depth is 0 and by default this option has no +# effect on service failure expiration. +# +# Squid always forgets failures when updating service settings +# using an ICAP OPTIONS transaction, regardless of this option +# setting. +# +# For example, +# # suspend service usage after 10 failures in 5 seconds: +# icap_service_failure_limit 10 in 5 seconds #Default: # icap_service_failure_limit 10 @@ -4962,10 +6993,26 @@ refresh_pattern . 0 20% 4320 # TAG: icap_preview_size # The default size of preview data to be sent to the ICAP server. -# -1 means no preview. This value might be overwritten on a per server -# basis by OPTIONS requests. +# This value might be overwritten on a per server basis by OPTIONS requests. +#Default: +# No preview sent. + +# TAG: icap_206_enable on|off +# 206 (Partial Content) responses is an ICAP extension that allows the +# ICAP agents to optionally combine adapted and original HTTP message +# content. The decision to combine is postponed until the end of the +# ICAP response. Squid supports Partial Content extension by default. +# +# Activation of the Partial Content extension is negotiated with each +# ICAP service during OPTIONS exchange. Most ICAP servers should handle +# negotation correctly even if they do not support the extension, but +# some might fail. To disable Partial Content support for all ICAP +# services and to avoid any negotiation, set this option to "off". +# +# Example: +# icap_206_enable off #Default: -# icap_preview_size -1 +# icap_206_enable on # TAG: icap_default_options_ttl # The default TTL value for ICAP OPTIONS responses that don't have @@ -4979,25 +7026,27 @@ refresh_pattern . 0 20% 4320 #Default: # icap_persistent_connections on -# TAG: icap_send_client_ip on|off +# TAG: adaptation_send_client_ip on|off # If enabled, Squid shares HTTP client IP information with adaptation # services. For ICAP, Squid adds the X-Client-IP header to ICAP requests. # For eCAP, Squid sets the libecap::metaClientIp transaction option. # # See also: adaptation_uses_indirect_client #Default: -# icap_send_client_ip off +# adaptation_send_client_ip off -# TAG: icap_send_client_username on|off +# TAG: adaptation_send_username on|off # This sends authenticated HTTP client username (if available) to -# the ICAP service. The username value is encoded based on the +# the adaptation service. +# +# For ICAP, the username value is encoded based on the # icap_client_username_encode option and is sent using the header # specified by the icap_client_username_header option. #Default: -# icap_send_client_username off +# adaptation_send_username off # TAG: icap_client_username_header -# ICAP request header name to use for send_client_username. +# ICAP request header name to use for adaptation_send_username. #Default: # icap_client_username_header X-Client-Username @@ -5009,17 +7058,19 @@ refresh_pattern . 0 20% 4320 # TAG: icap_service # Defines a single ICAP service using the following format: # -# icap_service service_name vectoring_point [options] service_url +# icap_service id vectoring_point uri [option ...] # -# service_name: ID -# an opaque identifier which must be unique in squid.conf +# id: ID +# an opaque identifier or name which is used to direct traffic to +# this specific service. Must be unique among all adaptation +# services in squid.conf. # # vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache # This specifies at which point of transaction processing the # ICAP service should be activated. *_postcache vectoring points # are not yet supported. # -# service_url: icap://servername:port/servicepath +# uri: icap://servername:port/servicepath # ICAP server and service location. # # ICAP does not allow a single service to handle both REQMOD and RESPMOD @@ -5028,6 +7079,8 @@ refresh_pattern . 0 20% 4320 # can even specify multiple identical services as long as their # service_names differ. # +# To activate a service, use the adaptation_access directive. To group +# services, use adaptation_service_chain and adaptation_service_set. # # Service options are separated by white space. ICAP services support # the following name=value options: @@ -5049,11 +7102,12 @@ refresh_pattern . 0 20% 4320 # returning a chain of services to be used next. The services # are specified using the X-Next-Services ICAP response header # value, formatted as a comma-separated list of service names. -# Each named service should be configured in squid.conf and -# should have the same method and vectoring point as the current -# ICAP transaction. Services violating these rules are ignored. -# An empty X-Next-Services value results in an empty plan which -# ends the current adaptation. +# Each named service should be configured in squid.conf. Other +# services are ignored. An empty X-Next-Services value results +# in an empty plan which ends the current adaptation. +# +# Dynamic adaptation plan may cross or cover multiple supported +# vectoring points in their natural processing order. # # Routing is not allowed by default: the ICAP X-Next-Services # response header is ignored. @@ -5063,12 +7117,32 @@ refresh_pattern . 0 20% 4320 # is to use IPv4-only connections. When set to 'on' this option will # make Squid use IPv6-only connections to contact this ICAP service. # +# on-overload=block|bypass|wait|force +# If the service Max-Connections limit has been reached, do +# one of the following for each new ICAP transaction: +# * block: send an HTTP error response to the client +# * bypass: ignore the "over-connected" ICAP service +# * wait: wait (in a FIFO queue) for an ICAP connection slot +# * force: proceed, ignoring the Max-Connections limit +# +# In SMP mode with N workers, each worker assumes the service +# connection limit is Max-Connections/N, even though not all +# workers may use a given service. +# +# The default value is "bypass" if service is bypassable, +# otherwise it is set to "wait". +# +# +# max-conn=number +# Use the given number as the Max-Connections limit, regardless +# of the Max-Connections value given by the service, if any. +# # Older icap_service format without optional named parameters is # deprecated but supported for backward compatibility. # #Example: -#icap_service svcBlocker reqmod_precache bypass=0 icap://icap1.mydomain.net:1344/reqmod -#icap_service svcLogger reqmod_precache routing=on icap://icap2.mydomain.net:1344/respmod +#icap_service svcBlocker reqmod_precache icap://icap1.mydomain.net:1344/reqmod bypass=0 +#icap_service svcLogger reqmod_precache icap://icap2.mydomain.net:1344/respmod routing=on #Default: # none @@ -5094,38 +7168,65 @@ refresh_pattern . 0 20% 4320 # ----------------------------------------------------------------------------- # TAG: ecap_enable on|off -# Note: This option is only available if Squid is rebuilt with the -# --enable-ecap option -# # Controls whether eCAP support is enabled. #Default: # ecap_enable off # TAG: ecap_service -# Note: This option is only available if Squid is rebuilt with the -# --enable-ecap option -# # Defines a single eCAP service # -# ecap_service servicename vectoring_point bypass service_url +# ecap_service id vectoring_point uri [option ...] # -# vectoring_point = reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache +# id: ID +# an opaque identifier or name which is used to direct traffic to +# this specific service. Must be unique among all adaptation +# services in squid.conf. +# +# vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache # This specifies at which point of transaction processing the # eCAP service should be activated. *_postcache vectoring points # are not yet supported. -# bypass = 1|0 -# If set to 1, the eCAP service is treated as optional. If the -# service cannot be reached or malfunctions, Squid will try to -# ignore any errors and process the message as if the service +# +# uri: ecap://vendor/service_name?custom&cgi=style¶meters=optional +# Squid uses the eCAP service URI to match this configuration +# line with one of the dynamically loaded services. Each loaded +# eCAP service must have a unique URI. Obtain the right URI from +# the service provider. +# +# To activate a service, use the adaptation_access directive. To group +# services, use adaptation_service_chain and adaptation_service_set. +# +# Service options are separated by white space. eCAP services support +# the following name=value options: +# +# bypass=on|off|1|0 +# If set to 'on' or '1', the eCAP service is treated as optional. +# If the service cannot be reached or malfunctions, Squid will try +# to ignore any errors and process the message as if the service # was not enabled. No all eCAP errors can be bypassed. -# If set to 0, the eCAP service is treated as essential and all -# eCAP errors will result in an error page returned to the +# If set to 'off' or '0', the eCAP service is treated as essential +# and all eCAP errors will result in an error page returned to the # HTTP client. -# service_url = ecap://vendor/service_name?custom&cgi=style¶meters=optional +# +# Bypass is off by default: services are treated as essential. +# +# routing=on|off|1|0 +# If set to 'on' or '1', the eCAP service is allowed to +# dynamically change the current message adaptation plan by +# returning a chain of services to be used next. +# +# Dynamic adaptation plan may cross or cover multiple supported +# vectoring points in their natural processing order. +# +# Routing is not allowed by default. +# +# Older ecap_service format without optional named parameters is +# deprecated but supported for backward compatibility. +# # #Example: -#ecap_service service_1 reqmod_precache 0 ecap://filters-R-us/leakDetector?on_error=block -#ecap_service service_2 respmod_precache 1 icap://filters-R-us/virusFilter?config=/etc/vf.cfg +#ecap_service s1 reqmod_precache ecap://filters.R.us/leakDetector?on_error=block bypass=off +#ecap_service s2 respmod_precache ecap://filters.R.us/virusFilter config=/etc/vf.cfg bypass=on #Default: # none @@ -5247,7 +7348,7 @@ refresh_pattern . 0 20% 4320 #Example: #adaptation_access service_1 allow all #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: adaptation_service_iteration_limit # Limits the number of iterations allowed when applying adaptation @@ -5275,8 +7376,14 @@ refresh_pattern . 0 20% 4320 # # An ICAP REQMOD or RESPMOD transaction may set an entry in the # shared table by returning an ICAP header field with a name -# specified in adaptation_masterx_shared_names. Squid will store -# and forward that ICAP header field to subsequent ICAP +# specified in adaptation_masterx_shared_names. +# +# An eCAP REQMOD or RESPMOD transaction may set an entry in the +# shared table by implementing the libecap::visitEachOption() API +# to provide an option with a name specified in +# adaptation_masterx_shared_names. +# +# Squid will store and forward the set entry to subsequent adaptation # transactions within the same master transaction scope. # # Only one shared entry name is supported at this time. @@ -5287,6 +7394,43 @@ refresh_pattern . 0 20% 4320 #Default: # none +# TAG: adaptation_meta +# This option allows Squid administrator to add custom ICAP request +# headers or eCAP options to Squid ICAP requests or eCAP transactions. +# Use it to pass custom authentication tokens and other +# transaction-state related meta information to an ICAP/eCAP service. +# +# The addition of a meta header is ACL-driven: +# adaptation_meta name value [!]aclname ... +# +# Processing for a given header name stops after the first ACL list match. +# Thus, it is impossible to add two headers with the same name. If no ACL +# lists match for a given header name, no such header is added. For +# example: +# +# # do not debug transactions except for those that need debugging +# adaptation_meta X-Debug 1 needs_debugging +# +# # log all transactions except for those that must remain secret +# adaptation_meta X-Log 1 !keep_secret +# +# # mark transactions from users in the "G 1" group +# adaptation_meta X-Authenticated-Groups "G 1" authed_as_G1 +# +# The "value" parameter may be a regular squid.conf token or a "double +# quoted string". Within the quoted string, use backslash (\) to escape +# any character, which is currently only useful for escaping backslashes +# and double quotes. For example, +# "this string has one backslash (\\) and two \"quotes\"" +# +# Used adaptation_meta header values may be logged via %note +# logformat code. If multiple adaptation_meta headers with the same name +# are used during master transaction lifetime, the header values are +# logged in the order they were used and duplicate values are ignored +# (only the first repeated value will be logged). +#Default: +# none + # TAG: icap_retry # This ACL determines which retriable ICAP transactions are # retried. Transactions that received a complete ICAP response @@ -5303,8 +7447,7 @@ refresh_pattern . 0 20% 4320 # icap_retry deny all # TAG: icap_retry_limit -# Limits the number of retries allowed. When set to zero (default), -# no retries are allowed. +# Limits the number of retries allowed. # # Communication errors due to persistent connection race # conditions are unavoidable, automatically retried, and do not @@ -5312,7 +7455,7 @@ refresh_pattern . 0 20% 4320 # # See also: icap_retry #Default: -# icap_retry_limit 0 +# No retries are allowed. # DNS OPTIONS # ----------------------------------------------------------------------------- @@ -5332,31 +7475,9 @@ refresh_pattern . 0 20% 4320 #Default: # allow_underscore on -# TAG: cache_dns_program -# Note: This option is only available if Squid is rebuilt with the -# --disable-internal-dns option -# -# Specify the location of the executable for dnslookup process. -#Default: -# cache_dns_program /usr/lib/squid/dnsserver - -# TAG: dns_children -# Note: This option is only available if Squid is rebuilt with the -# --disable-internal-dns option -# -# The number of processes spawn to service DNS name lookups. -# For heavily loaded caches on large servers, you should -# probably increase this value to at least 10. The maximum -# is 32. The default is 5. -# -# You must have at least one dnsserver process. -#Default: -# dns_children 5 - # TAG: dns_retransmit_interval # Initial retransmit interval for DNS queries. The interval is # doubled each time all configured DNS servers have been tried. -# #Default: # dns_retransmit_interval 5 seconds @@ -5365,7 +7486,31 @@ refresh_pattern . 0 20% 4320 # within this time all DNS servers for the queried domain # are assumed to be unavailable. #Default: -# dns_timeout 2 minutes +# dns_timeout 30 seconds + +# TAG: dns_packet_max +# Maximum number of bytes packet size to advertise via EDNS. +# Set to "none" to disable EDNS large packet support. +# +# For legacy reasons DNS UDP replies will default to 512 bytes which +# is too small for many responses. EDNS provides a means for Squid to +# negotiate receiving larger responses back immediately without having +# to failover with repeat requests. Responses larger than this limit +# will retain the old behaviour of failover to TCP DNS. +# +# Squid has no real fixed limit internally, but allowing packet sizes +# over 1500 bytes requires network jumbogram support and is usually not +# necessary. +# +# WARNING: The RFC also indicates that some older resolvers will reply +# with failure of the whole request if the extension is added. Some +# resolvers have already been identified which will reply with mangled +# EDNS response on occasion. Usually in response to many-KB jumbogram +# sizes being advertised by Squid. +# Squid will currently treat these both as an unable-to-resolve domain +# even if it would be resolvable without EDNS. +#Default: +# EDNS disabled # TAG: dns_defnames on|off # Normally the RES_DEFNAMES resolver option is disabled @@ -5373,12 +7518,21 @@ refresh_pattern . 0 20% 4320 # from interpreting single-component hostnames locally. To allow # Squid to handle single-component names, enable this option. #Default: -# dns_defnames off +# Search for single-label domain names is disabled. + +# TAG: dns_multicast_local on|off +# When set to on, Squid sends multicast DNS lookups on the local +# network for domains ending in .local and .arpa. +# This enables local servers and devices to be contacted in an +# ad-hoc or zero-configuration network environment. +#Default: +# Search for .local and .arpa names is disabled. # TAG: dns_nameservers # Use this if you want to specify a list of DNS name servers # (IP addresses) to use instead of those given in your # /etc/resolv.conf file. +# # On Windows platforms, if no value is specified here or in # the /etc/resolv.conf file, the list of DNS name servers are # taken from the Windows registry, both static and dynamic DHCP @@ -5386,7 +7540,7 @@ refresh_pattern . 0 20% 4320 # # Example: dns_nameservers 10.0.0.1 192.172.0.4 #Default: -# none +# Use operating system definitions # TAG: hosts_file # Location of the host-local IP name-address associations @@ -5425,7 +7579,7 @@ refresh_pattern . 0 20% 4320 #Example: # append_domain .yourdomain.com #Default: -# none +# Use operating system definitions # TAG: ignore_unknown_nameservers # By default Squid checks that DNS responses are received @@ -5436,23 +7590,6 @@ refresh_pattern . 0 20% 4320 #Default: # ignore_unknown_nameservers on -# TAG: dns_v4_fallback -# Standard practice with DNS is to lookup either A or AAAA records -# and use the results if it succeeds. Only looking up the other if -# the first attempt fails or otherwise produces no results. -# -# That policy however will cause squid to produce error pages for some -# servers that advertise AAAA but are unreachable over IPv6. -# -# If this is ON squid will always lookup both AAAA and A, using both. -# If this is OFF squid will lookup AAAA and only try A if none found. -# -# WARNING: There are some possibly unwanted side-effects with this on: -# *) Doubles the load placed by squid on the DNS network. -# *) May negatively impact connection delay times. -#Default: -# dns_v4_fallback on - # TAG: dns_v4_first # With the IPv6 Internet being as fast or faster than IPv4 Internet # for most networks Squid prefers to contact websites over IPv6. @@ -5464,11 +7601,12 @@ refresh_pattern . 0 20% 4320 # WARNING: # This option will restrict the situations under which IPv6 # connectivity is used (and tested), potentially hiding network -# problem swhich would otherwise be detected and warned about. +# problems which would otherwise be detected and warned about. #Default: # dns_v4_first off # TAG: ipcache_size (number of entries) +# Maximum number of DNS IP cache entries. #Default: # ipcache_size 1024 @@ -5489,6 +7627,15 @@ refresh_pattern . 0 20% 4320 # MISCELLANEOUS # ----------------------------------------------------------------------------- +# TAG: configuration_includes_quoted_values on|off +# If set, Squid will recognize each "quoted string" after a configuration +# directive as a single parameter. The quotes are stripped before the +# parameter value is interpreted or used. +# See "Values with spaces, quotes, and other special characters" +# section for more details. +#Default: +# configuration_includes_quoted_values off + # TAG: memory_pools on|off # If set, Squid will keep pools of allocated (but unused) memory # available for future use. If memory is a premium on your @@ -5539,7 +7686,7 @@ refresh_pattern . 0 20% 4320 # X-Forwarded-For header. # # If set to "truncate", Squid will remove all existing -# X-Forwarded-For entries, and place itself as the sole entry. +# X-Forwarded-For entries, and place the client IP as the sole entry. #Default: # forwarded_for on @@ -5602,7 +7749,7 @@ refresh_pattern . 0 20% 4320 # cachemgr_passwd lesssssssecret info stats/objects # cachemgr_passwd disable all #Default: -# none +# No password. Actions which require password are denied. # TAG: client_db on|off # If you want to disable collecting per-client statistics, @@ -5633,19 +7780,22 @@ refresh_pattern . 0 20% 4320 #Default: # reload_into_ims off -# TAG: maximum_single_addr_tries -# This sets the maximum number of connection attempts for a -# host that only has one address (for multiple-address hosts, -# each address is tried once). +# TAG: connect_retries +# This sets the maximum number of connection attempts made for each +# TCP connection. The connect_retries attempts must all still +# complete within the connection timeout period. +# +# The default is not to re-try if the first connection attempt fails. +# The (not recommended) maximum is 10 tries. # -# The default value is one attempt, the (not recommended) -# maximum is 255 tries. A warning message will be generated -# if it is set to a value greater than ten. +# A warning message will be generated if it is set to a too-high +# value and the configured value will be over-ridden. # -# Note: This is in addition to the request re-forwarding which -# takes place if Squid fails to get a satisfying response. +# Note: These re-tries are in addition to forward_max_tries +# which limit how many different addresses may be tried to find +# a useful server. #Default: -# maximum_single_addr_tries 1 +# Do not retry failed connections. # TAG: retry_on_error # If set to ON Squid will automatically retry requests when @@ -5678,20 +7828,32 @@ refresh_pattern . 0 20% 4320 # URI. Options: # # strip: The whitespace characters are stripped out of the URL. -# This is the behavior recommended by RFC2396. +# This is the behavior recommended by RFC2396 and RFC3986 +# for tolerant handling of generic URI. +# NOTE: This is one difference between generic URI and HTTP URLs. +# # deny: The request is denied. The user receives an "Invalid # Request" message. +# This is the behaviour recommended by RFC2616 for safe +# handling of HTTP request URL. +# # allow: The request is allowed and the URI is not changed. The # whitespace characters remain in the URI. Note the # whitespace is passed to redirector processes if they # are in use. +# Note this may be considered a violation of RFC2616 +# request parsing where whitespace is prohibited in the +# URL field. +# # encode: The request is allowed and the whitespace characters are -# encoded according to RFC1738. This could be considered -# a violation of the HTTP/1.1 -# RFC because proxies are not allowed to rewrite URI's. +# encoded according to RFC1738. +# # chop: The request is allowed and the URI is chopped at the -# first whitespace. This might also be considered a -# violation. +# first whitespace. +# +# +# NOTE the current Squid implementation of encode and chop violates +# RFC2616 by not using a 301 redirect after altering the URL. #Default: # uri_whitespace strip @@ -5718,23 +7880,28 @@ refresh_pattern . 0 20% 4320 # balance_on_multiple_ip off # TAG: pipeline_prefetch -# To boost the performance of pipelined requests to closer -# match that of a non-proxied environment Squid can try to fetch -# up to two requests in parallel from a pipeline. -# -# Defaults to off for bandwidth management and access logging +# HTTP clients may send a pipeline of 1+N requests to Squid using a +# single connection, without waiting for Squid to respond to the first +# of those requests. This option limits the number of concurrent +# requests Squid will try to handle in parallel. If set to N, Squid +# will try to receive and process up to 1+N requests on the same +# connection concurrently. +# +# Defaults to 0 (off) for bandwidth management and access logging # reasons. # +# NOTE: pipelining requires persistent connections to clients. +# # WARNING: pipelining breaks NTLM and Negotiate/Kerberos authentication. #Default: -# pipeline_prefetch off +# Do not pre-parse pipelined requests. # TAG: high_response_time_warning (msec) # If the one-minute median response time exceeds this value, # Squid prints a WARNING with debug level 0 to get the # administrators attention. The value is in milliseconds. #Default: -# high_response_time_warning 0 +# disabled. # TAG: high_page_fault_warning # If the one-minute average page fault rate exceeds this @@ -5742,14 +7909,17 @@ refresh_pattern . 0 20% 4320 # the administrators attention. The value is in page faults # per second. #Default: -# high_page_fault_warning 0 +# disabled. # TAG: high_memory_warning -# If the memory usage (as determined by mallinfo) exceeds -# this amount, Squid prints a WARNING with debug level 0 to get +# Note: This option is only available if Squid is rebuilt with the +# GNU Malloc with mstats() +# +# If the memory usage (as determined by gnumalloc, if available and used) +# exceeds this amount, Squid prints a WARNING with debug level 0 to get # the administrators attention. #Default: -# high_memory_warning 0 KB +# disabled. # TAG: sleep_after_fork (microseconds) # When this is set to a non-zero value, the main Squid process @@ -5766,6 +7936,9 @@ refresh_pattern . 0 20% 4320 # sleep_after_fork 0 # TAG: windows_ipaddrchangemonitor on|off +# Note: This option is only available if Squid is rebuilt with the +# MS Windows +# # On Windows Squid by default will monitor IP address changes and will # reconfigure itself after any detected event. This is very useful for # proxies connected to internet with dial-up interfaces. @@ -5775,13 +7948,19 @@ refresh_pattern . 0 20% 4320 #Default: # windows_ipaddrchangemonitor on +# TAG: eui_lookup +# Whether to lookup the EUI or MAC address of a connected client. +#Default: +# eui_lookup on + # TAG: max_filedescriptors -# The maximum number of filedescriptors supported. +# Reduce the maximum number of filedescriptors supported below +# the usual operating system defaults. # -# The default "0" means Squid inherits the current ulimit setting. +# Remove from squid.conf to inherit the current ulimit setting. # # Note: Changing this requires a restart of Squid. Also -# not all comm loops supports large values. +# not all I/O types supports large values (eg on Windows). #Default: -# max_filedescriptors 0 +# Use operating system limits set by ulimit. diff --git a/hosts/profitbricks-build6-i386/etc/squid/squid.conf b/hosts/profitbricks-build6-i386/etc/squid/squid.conf index 34be0ec5..ad1cdc47 100644 --- a/hosts/profitbricks-build6-i386/etc/squid/squid.conf +++ b/hosts/profitbricks-build6-i386/etc/squid/squid.conf @@ -1,4 +1,4 @@ -# WELCOME TO SQUID 3.1.20 +# WELCOME TO SQUID 3.5.23 # ---------------------------- # # This is the documentation for the Squid configuration file. @@ -32,6 +32,188 @@ # This arbitrary restriction is to prevent recursive include references # from causing Squid entering an infinite loop whilst trying to load # configuration files. +# +# Values with byte units +# +# Squid accepts size units on some size related directives. All +# such directives are documented with a default value displaying +# a unit. +# +# Units accepted by Squid are: +# bytes - byte +# KB - Kilobyte (1024 bytes) +# MB - Megabyte +# GB - Gigabyte +# +# Values with spaces, quotes, and other special characters +# +# Squid supports directive parameters with spaces, quotes, and other +# special characters. Surround such parameters with "double quotes". Use +# the configuration_includes_quoted_values directive to enable or +# disable that support. +# +# Squid supports reading configuration option parameters from external +# files using the syntax: +# parameters("/path/filename") +# For example: +# acl whitelist dstdomain parameters("/etc/squid/whitelist.txt") +# +# Conditional configuration +# +# If-statements can be used to make configuration directives +# depend on conditions: +# +# if +# ... regular configuration directives ... +# [else +# ... regular configuration directives ...] +# endif +# +# The else part is optional. The keywords "if", "else", and "endif" +# must be typed on their own lines, as if they were regular +# configuration directives. +# +# NOTE: An else-if condition is not supported. +# +# These individual conditions types are supported: +# +# true +# Always evaluates to true. +# false +# Always evaluates to false. +# = +# Equality comparison of two integer numbers. +# +# +# SMP-Related Macros +# +# The following SMP-related preprocessor macros can be used. +# +# ${process_name} expands to the current Squid process "name" +# (e.g., squid1, squid2, or cache1). +# +# ${process_number} expands to the current Squid process +# identifier, which is an integer number (e.g., 1, 2, 3) unique +# across all Squid processes of the current service instance. +# +# ${service_name} expands into the current Squid service instance +# name identifier which is provided by -n on the command line. +# + +# TAG: broken_vary_encoding +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: cache_vary +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: error_map +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: external_refresh_check +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: location_rewrite_program +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: refresh_stale_hit +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: hierarchy_stoplist +# Remove this line. Use always_direct or cache_peer_access ACLs instead if you need to prevent cache_peer use. +#Default: +# none + +# TAG: log_access +# Remove this line. Use acls with access_log directives to control access logging +#Default: +# none + +# TAG: log_icap +# Remove this line. Use acls with icap_log directives to control icap logging +#Default: +# none + +# TAG: ignore_ims_on_miss +# Remove this line. The HTTP/1.1 feature is now configured by 'cache_miss_revalidate'. +#Default: +# none + +# TAG: chunked_request_body_max_size +# Remove this line. Squid is now HTTP/1.1 compliant. +#Default: +# none + +# TAG: dns_v4_fallback +# Remove this line. Squid performs a 'Happy Eyeballs' algorithm, the 'fallback' algorithm is no longer relevant. +#Default: +# none + +# TAG: emulate_httpd_log +# Replace this with an access_log directive using the format 'common' or 'combined'. +#Default: +# none + +# TAG: forward_log +# Use a regular access.log with ACL limiting it to MISS events. +#Default: +# none + +# TAG: ftp_list_width +# Remove this line. Configure FTP page display using the CSS controls in errorpages.css instead. +#Default: +# none + +# TAG: ignore_expect_100 +# Remove this line. The HTTP/1.1 feature is now fully supported by default. +#Default: +# none + +# TAG: log_fqdn +# Remove this option from your config. To log FQDN use %>A in the log format. +#Default: +# none + +# TAG: log_ip_on_direct +# Remove this option from your config. To log server or peer names use % -##auth_param negotiate children 5 +##auth_param negotiate children 20 startup=0 idle=1 ##auth_param negotiate keep_alive on ## -##auth_param ntlm program -##auth_param ntlm children 5 -##auth_param ntlm keep_alive on -## -##auth_param digest program -##auth_param digest children 5 +##auth_param digest program +##auth_param digest children 20 startup=0 idle=1 ##auth_param digest realm Squid proxy-caching web server ##auth_param digest nonce_garbage_interval 5 minutes ##auth_param digest nonce_max_duration 30 minutes ##auth_param digest nonce_max_count 50 ## +##auth_param ntlm program +##auth_param ntlm children 20 startup=0 idle=1 +##auth_param ntlm keep_alive on +## ##auth_param basic program -##auth_param basic children 5 +##auth_param basic children 5 startup=5 idle=1 ##auth_param basic realm Squid proxy-caching web server ##auth_param basic credentialsttl 2 hours #Default: @@ -343,7 +448,7 @@ # TAG: authenticate_cache_garbage_interval # The time period between garbage collection across the username cache. -# This is a tradeoff between memory utilization (long intervals - say +# This is a trade-off between memory utilization (long intervals - say # 2 days) and CPU (short intervals - say 1 minute). Only change if you # have good reason to. #Default: @@ -362,11 +467,11 @@ # this directive controls how long Squid remembers the IP # addresses associated with each user. Use a small value # (e.g., 60 seconds) if your users might change addresses -# quickly, as is the case with dialups. You might be safe +# quickly, as is the case with dialup. You might be safe # using a larger value (e.g., 2 hours) in a corporate LAN # environment with relatively static address assignments. #Default: -# authenticate_ip_ttl 0 seconds +# authenticate_ip_ttl 1 second # ACCESS CONTROLS # ----------------------------------------------------------------------------- @@ -381,31 +486,66 @@ # # ttl=n TTL in seconds for cached results (defaults to 3600 # for 1 hour) +# # negative_ttl=n # TTL for cached negative lookups (default same # as ttl) -# children=n Number of acl helper processes spawn to service +# +# grace=n Percentage remaining of TTL where a refresh of a +# cached entry should be initiated without needing to +# wait for a new reply. (default is for no grace period) +# +# cache=n The maximum number of entries in the result cache. The +# default limit is 262144 entries. Each cache entry usually +# consumes at least 256 bytes. Squid currently does not remove +# expired cache entries until the limit is reached, so a proxy +# will sooner or later reach the limit. The expanded FORMAT +# value is used as the cache key, so if the details in FORMAT +# are highly variable, a larger cache may be needed to produce +# reduction in helper load. +# +# children-max=n +# Maximum number of acl helper processes spawned to service # external acl lookups of this type. (default 5) +# +# children-startup=n +# Minimum number of acl helper processes to spawn during +# startup and reconfigure to service external acl lookups +# of this type. (default 0) +# +# children-idle=n +# Number of acl helper processes to keep ahead of traffic +# loads. Squid will spawn this many at once whenever load +# rises above the capabilities of existing processes. +# Up to the value of children-max. (default 1) +# # concurrency=n concurrency level per process. Only used with helpers # capable of processing more than one query at a time. -# cache=n result cache size, 0 is unbounded (default) -# grace=n Percentage remaining of TTL where a refresh of a -# cached entry should be initiated without needing to -# wait for a new reply. (default 0 for no grace period) -# protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers +# +# protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers. +# # ipv4 / ipv6 IP protocol used to communicate with this helper. # The default is to auto-detect IPv6 and use it when available. # +# # FORMAT specifications # # %LOGIN Authenticated user login name -# %EXT_USER Username from external acl +# %un A user name. Expands to the first available name +# from the following list of information sources: +# - authenticated user name, like %ul or %LOGIN +# - user name sent by an external ACL, like %EXT_USER +# - SSL client name, like %us in logformat +# - ident user name, like %ui in logformat +# %EXT_USER Username from previous external acl +# %EXT_LOG Log details from previous external acl +# %EXT_TAG Tag from previous external acl # %IDENT Ident user name # %SRC Client IP # %SRCPORT Client source port # %URI Requested URI # %DST Requested host -# %PROTO Requested protocol +# %PROTO Requested URL scheme # %PORT Requested port # %PATH Requested URL path # %METHOD Request method @@ -415,7 +555,10 @@ # %USER_CERT SSL User certificate in PEM format # %USER_CERTCHAIN SSL User certificate chain in PEM format # %USER_CERT_xx SSL User certificate subject attribute xx -# %USER_CA_xx SSL User certificate issuer attribute xx +# %USER_CA_CERT_xx SSL User certificate issuer attribute xx +# %ssl::>sni SSL client SNI sent to Squid +# %ssl::{Header} HTTP request header "Header" # %>{Hdr:member} @@ -433,43 +576,101 @@ # list separator. ; can be any non-alphanumeric # character. # +# %ACL The name of the ACL being tested. +# %DATA The ACL arguments. If not used then any arguments +# is automatically added at the end of the line +# sent to the helper. +# NOTE: this will encode the arguments as one token, +# whereas the default will pass each separately. +# # %% The percent sign. Useful for helpers which need # an unchanging input format. # -# In addition to the above, any string specified in the referencing -# acl will also be included in the helper request line, after the -# specified formats (see the "acl external" directive) # -# The helper receives lines per the above format specification, -# and returns lines starting with OK or ERR indicating the validity -# of the request and optionally followed by additional keywords with -# more details. +# General request syntax: +# +# [channel-ID] FORMAT-values [acl-values ...] +# +# +# FORMAT-values consists of transaction details expanded with +# whitespace separation per the config file FORMAT specification +# using the FORMAT macros listed above. +# +# acl-values consists of any string specified in the referencing +# config 'acl ... external' line. see the "acl external" directive. +# +# Request values sent to the helper are URL escaped to protect +# each value in requests against whitespaces. +# +# If using protocol=2.5 then the request sent to the helper is not +# URL escaped to protect against whitespace. +# +# NOTE: protocol=3.0 is deprecated as no longer necessary. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# +# The helper receives lines expanded per the above format specification +# and for each input line returns 1 line starting with OK/ERR/BH result +# code and optionally followed by additional keywords with more details. +# # # General result syntax: # -# OK/ERR keyword=value ... +# [channel-ID] result keyword=value ... +# +# Result consists of one of the codes: +# +# OK +# the ACL test produced a match. +# +# ERR +# the ACL test does not produce a match. +# +# BH +# An internal error occurred in the helper, preventing +# a result being identified. +# +# The meaning of 'a match' is determined by your squid.conf +# access control configuration. See the Squid wiki for details. # # Defined keywords: # # user= The users name (login) +# # password= The users password (for login= cache_peer option) -# message= Message describing the reason. Available as %o -# in error pages -# tag= Apply a tag to a request (for both ERR and OK results) -# Only sets a tag, does not alter existing tags. +# +# message= Message describing the reason for this response. +# Available as %o in error pages. +# Useful on (ERR and BH results). +# +# tag= Apply a tag to a request. Only sets a tag once, +# does not alter existing tags. +# # log= String to be logged in access.log. Available as -# %ea in logformat specifications +# %ea in logformat specifications. # -# If protocol=3.0 (the default) then URL escaping is used to protect -# each value in both requests and responses. +# clt_conn_tag= Associates a TAG with the client TCP connection. +# Please see url_rewrite_program related documentation +# for this kv-pair. # -# If using protocol=2.5 then all values need to be enclosed in quotes -# if they may contain whitespace, or the whitespace escaped using \. -# And quotes or \ characters within the keyword value must be \ escaped. +# Any keywords may be sent on any response whether OK, ERR or BH. # -# When using the concurrency= option the protocol is changed by -# introducing a query channel tag infront of the request/response. -# The query channel tag is a number between 0 and concurrency-1. +# All response keyword values need to be a single token with URL +# escaping, or enclosed in double quotes (") and escaped using \ on +# any double quotes or \ characters within the value. The wrapping +# double quotes are removed before the value is interpreted by Squid. +# \r and \n are also replace by CR and LF. +# +# Some example key values: +# +# user=John%20Smith +# user="John Smith" +# user="J. \"Bob\" Smith" #Default: # none @@ -485,9 +686,23 @@ # # When using "file", the file should contain one item per line. # -# By default, regular expressions are CASE-SENSITIVE. -# To make them case-insensitive, use the -i option. To return case-sensitive -# use the +i option between patterns, or make a new ACL line without -i. +# Some acl types supports options which changes their default behaviour. +# The available options are: +# +# -i,+i By default, regular expressions are CASE-SENSITIVE. To make them +# case-insensitive, use the -i option. To return case-sensitive +# use the +i option between patterns, or make a new ACL line +# without -i. +# +# -n Disable lookups and address type conversions. If lookup or +# conversion is required because the parameter type (IP or +# domain name) does not match the message address type (domain +# name or IP), then the ACL would immediately declare a mismatch +# without any warnings or lookups. +# +# -- Used to stop processing all options, in the case the first acl +# value has '-' character as first character (for example the '-' +# is a valid domain name) # # Some acl types require suspending the current request in order # to access some external data source. @@ -498,29 +713,31 @@ # # ***** ACL TYPES AVAILABLE ***** # -# acl aclname src ip-address/netmask ... # clients IP address [fast] -# acl aclname src addr1-addr2/netmask ... # range of addresses [fast] -# acl aclname dst ip-address/netmask ... # URL host's IP address [slow] -# acl aclname myip ip-address/netmask ... # local socket IP address [fast] +# acl aclname src ip-address/mask ... # clients IP address [fast] +# acl aclname src addr1-addr2/mask ... # range of addresses [fast] +# acl aclname dst [-n] ip-address/mask ... # URL host's IP address [slow] +# acl aclname localip ip-address/mask ... # IP address the client connected to [fast] # # acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation) -# # The arp ACL requires the special configure option --enable-arp-acl. -# # Furthermore, the ARP ACL code is not portable to all operating systems. -# # It works on Linux, Solaris, Windows, FreeBSD, and some -# # other *BSD variants. # # [fast] +# # The 'arp' ACL code is not portable to all operating systems. +# # It works on Linux, Solaris, Windows, FreeBSD, and some other +# # BSD variants. +# # +# # NOTE: Squid can only determine the MAC/EUI address for IPv4 +# # clients that are on the same subnet. If the client is on a +# # different subnet, then Squid cannot find out its address. # # -# # NOTE: Squid can only determine the MAC address for clients that are on -# # the same subnet. If the client is on a different subnet, -# # then Squid cannot find out its MAC address. +# # NOTE 2: IPv6 protocol does not contain ARP. MAC/EUI is either +# # encoded directly in the IPv6 address or not available. # # acl aclname srcdomain .foo.com ... # # reverse lookup, from client IP [slow] -# acl aclname dstdomain .foo.com ... +# acl aclname dstdomain [-n] .foo.com ... # # Destination server from URL [fast] # acl aclname srcdom_regex [-i] \.foo\.com ... # # regex matching client name [slow] -# acl aclname dstdom_regex [-i] \.foo\.com ... +# acl aclname dstdom_regex [-n] [-i] \.foo\.com ... # # regex matching server [fast] # # # # For dstdomain and dstdom_regex a reverse lookup is tried if a IP @@ -557,13 +774,17 @@ # # acl aclname url_regex [-i] ^http:// ... # # regex matching on whole URL [fast] +# acl aclname urllogin [-i] [^a-zA-Z0-9] ... +# # regex matching on URL login field # acl aclname urlpath_regex [-i] \.gif$ ... # # regex matching on URL path [fast] # # acl aclname port 80 70 21 0-1024... # destination TCP port [fast] # # ranges are alloed -# acl aclname myport 3128 ... # local socket TCP port [fast] -# acl aclname myportname 3128 ... # http(s)_port name [fast] +# acl aclname localport 3128 ... # TCP port the client connected to [fast] +# # NP: for interception mode this is usually '80' +# +# acl aclname myportname 3128 ... # *_port name [fast] # # acl aclname proto HTTP FTP ... # request protocol [fast] # @@ -632,6 +853,11 @@ # # clients may appear to come from multiple addresses if they are # # going through proxy farms, so a limit of 1 may cause user problems. # +# acl aclname random probability +# # Pseudo-randomly match requests. Based on the probability given. +# # Probability may be written as a decimal (0.333), fraction (1/3) +# # or ratio of matches:non-matches (3:5). +# # acl aclname req_mime_type [-i] mime-type ... # # regex match against the mime type of the request generated # # by the client. Can be used to detect file upload or some @@ -663,11 +889,11 @@ # # acl aclname user_cert attribute values... # # match against attributes in a user SSL certificate -# # attribute is one of DN/C/O/CN/L/ST [fast] +# # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast] # # acl aclname ca_cert attribute values... # # match against attributes a users issuing CA SSL certificate -# # attribute is one of DN/C/O/CN/L/ST [fast] +# # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast] # # acl aclname ext_user username ... # acl aclname ext_user_regex [-i] pattern ... @@ -675,7 +901,59 @@ # # use REQUIRED to accept any non-null user name. # # acl aclname tag tagvalue ... -# # string match on tag returned by external acl helper [slow] +# # string match on tag returned by external acl helper [fast] +# # DEPRECATED. Only the first tag will match with this ACL. +# # Use the 'note' ACL instead for handling multiple tag values. +# +# acl aclname hier_code codename ... +# # string match against squid hierarchy code(s); [fast] +# # e.g., DIRECT, PARENT_HIT, NONE, etc. +# # +# # NOTE: This has no effect in http_access rules. It only has +# # effect in rules that affect the reply data stream such as +# # http_reply_access. +# +# acl aclname note name [value ...] +# # match transaction annotation [fast] +# # Without values, matches any annotation with a given name. +# # With value(s), matches any annotation with a given name that +# # also has one of the given values. +# # Names and values are compared using a string equality test. +# # Annotation sources include note and adaptation_meta directives +# # as well as helper and eCAP responses. +# +# acl aclname adaptation_service service ... +# # Matches the name of any icap_service, ecap_service, +# # adaptation_service_set, or adaptation_service_chain that Squid +# # has used (or attempted to use) for the master transaction. +# # This ACL must be defined after the corresponding adaptation +# # service is named in squid.conf. This ACL is usable with +# # adaptation_meta because it starts matching immediately after +# # the service has been selected for adaptation. +# +# acl aclname any-of acl1 acl2 ... +# # match any one of the acls [fast or slow] +# # The first matching ACL stops further ACL evaluation. +# # +# # ACLs from multiple any-of lines with the same name are ORed. +# # For example, A = (a1 or a2) or (a3 or a4) can be written as +# # acl A any-of a1 a2 +# # acl A any-of a3 a4 +# # +# # This group ACL is fast if all evaluated ACLs in the group are fast +# # and slow otherwise. +# +# acl aclname all-of acl1 acl2 ... +# # match all of the acls [fast or slow] +# # The first mismatching ACL stops further ACL evaluation. +# # +# # ACLs from multiple all-of lines with the same name are ORed. +# # For example, B = (b1 and b2) or (b3 and b4) can be written as +# # acl B all-of b1 b2 +# # acl B all-of b3 b4 +# # +# # This group ACL is fast if all evaluated ACLs in the group are fast +# # and slow otherwise. # # Examples: # acl macaddress arp 09:00:2b:23:45:67 @@ -685,14 +963,11 @@ # acl javascript rep_mime_type -i ^application/x-javascript$ # #Default: -# acl all src all +# ACLs all, manager, localhost, and to_localhost are predefined. # # # Recommended minimum configuration: -# (now built-in) -#acl manager proto cache_object -#acl localhost src 127.0.0.1/32 ::1 -#acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1 +# # Example rule allowing access from your local networks. # Adapt to list your (internal) IP networks from where browsing @@ -716,39 +991,83 @@ acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT +# TAG: proxy_protocol_access +# Determine which client proxies can be trusted to provide correct +# information regarding real client IP address using PROXY protocol. +# +# Requests may pass through a chain of several other proxies +# before reaching us. The original source details may by sent in: +# * HTTP message Forwarded header, or +# * HTTP message X-Forwarded-For header, or +# * PROXY protocol connection header. +# +# This directive is solely for validating new PROXY protocol +# connections received from a port flagged with require-proxy-header. +# It is checked only once after TCP connection setup. +# +# A deny match results in TCP connection closure. +# +# An allow match is required for Squid to permit the corresponding +# TCP connection, before Squid even looks for HTTP request headers. +# If there is an allow match, Squid starts using PROXY header information +# to determine the source address of the connection for all future ACL +# checks, logging, etc. +# +# SECURITY CONSIDERATIONS: +# +# Any host from which we accept client IP details can place +# incorrect information in the relevant header, and Squid +# will use the incorrect information as if it were the +# source address of the request. This may enable remote +# hosts to bypass any access control restrictions that are +# based on the client's source addresses. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# all TCP connections to ports with require-proxy-header will be denied + # TAG: follow_x_forwarded_for -# Allowing or Denying the X-Forwarded-For header to be followed to -# find the original source of a request. +# Determine which client proxies can be trusted to provide correct +# information regarding real client IP address. # # Requests may pass through a chain of several other proxies -# before reaching us. The X-Forwarded-For header will contain a -# comma-separated list of the IP addresses in the chain, with the -# rightmost address being the most recent. +# before reaching us. The original source details may by sent in: +# * HTTP message Forwarded header, or +# * HTTP message X-Forwarded-For header, or +# * PROXY protocol connection header. +# +# PROXY protocol connections are controlled by the proxy_protocol_access +# directive which is checked before this. # # If a request reaches us from a source that is allowed by this -# configuration item, then we consult the X-Forwarded-For header -# to see where that host received the request from. If the -# X-Forwarded-For header contains multiple addresses, we continue -# backtracking until we reach an address for which we are not allowed -# to follow the X-Forwarded-For header, or until we reach the first -# address in the list. For the purpose of ACL used in the -# follow_x_forwarded_for directive the src ACL type always matches -# the address we are testing and srcdomain matches its rDNS. +# directive, then we trust the information it provides regarding +# the IP of the client it received from (if any). +# +# For the purpose of ACLs used in this directive the src ACL type always +# matches the address we are testing and srcdomain matches its rDNS. +# +# On each HTTP request Squid checks for X-Forwarded-For header fields. +# If found the header values are iterated in reverse order and an allow +# match is required for Squid to continue on to the next value. +# The verification ends when a value receives a deny match, cannot be +# tested, or there are no more values to test. +# NOTE: Squid does not yet follow the Forwarded HTTP header. # # The end result of this process is an IP address that we will # refer to as the indirect client address. This address may # be treated as the client address for access control, ICAP, delay # pools and logging, depending on the acl_uses_indirect_client, -# icap_uses_indirect_client, delay_pool_uses_indirect_client and -# log_uses_indirect_client options. +# icap_uses_indirect_client, delay_pool_uses_indirect_client, +# log_uses_indirect_client and tproxy_uses_indirect_client options. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # # SECURITY CONSIDERATIONS: # -# Any host for which we follow the X-Forwarded-For header -# can place incorrect information in the header, and Squid +# Any host from which we accept client IP details can place +# incorrect information in the relevant header, and Squid # will use the incorrect information as if it were the # source address of the request. This may enable remote # hosts to bypass any access control restrictions that are @@ -761,7 +1080,7 @@ acl CONNECT method CONNECT # follow_x_forwarded_for allow localhost # follow_x_forwarded_for allow my_other_proxy #Default: -# follow_x_forwarded_for deny all +# X-Forwarded-For header will be ignored. # TAG: acl_uses_indirect_client on|off # Controls whether the indirect client address @@ -787,10 +1106,41 @@ acl CONNECT method CONNECT #Default: # log_uses_indirect_client on +# TAG: tproxy_uses_indirect_client on|off +# Controls whether the indirect client address +# (see follow_x_forwarded_for) is used instead of the +# direct client address when spoofing the outgoing client. +# +# This has no effect on requests arriving in non-tproxy +# mode ports. +# +# SECURITY WARNING: Usage of this option is dangerous +# and should not be used trivially. Correct configuration +# of follow_x_forwarded_for with a limited set of trusted +# sources is required to prevent abuse of your proxy. +#Default: +# tproxy_uses_indirect_client off + +# TAG: spoof_client_ip +# Control client IP address spoofing of TPROXY traffic based on +# defined access lists. +# +# spoof_client_ip allow|deny [!]aclname ... +# +# If there are no "spoof_client_ip" lines present, the default +# is to "allow" spoofing of any suitable request. +# +# Note that the cache_peer "no-tproxy" option overrides this ACL. +# +# This clause supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Allow spoofing on all TPROXY traffic. + # TAG: http_access # Allowing or Denying access based on defined access lists # -# Access to the HTTP port: +# To allow or deny a message received on an HTTP, HTTPS, or FTP port: # http_access allow|deny [!]aclname ... # # NOTE on default values: @@ -809,22 +1159,22 @@ acl CONNECT method CONNECT # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # #Default: -# http_access deny all +# Deny, unless rules exist in squid.conf. # # # Recommended minimum Access Permission configuration: # -# Only allow cachemgr access from localhost -http_access allow manager localhost -http_access deny manager - # Deny requests to certain unsafe ports http_access deny !Safe_ports # Deny CONNECT to other than secure SSL ports http_access deny CONNECT !SSL_ports +# Only allow cachemgr access from localhost +http_access allow localhost manager +http_access deny manager + # We strongly recommend the following be uncommented to protect innocent # web applications running on the proxy server who think the only # one who can access services on "localhost" is a local user @@ -852,7 +1202,7 @@ http_access deny all # # If not set then only http_access is used. #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: http_reply_access # Allow replies to client requests. This is complementary to http_access. @@ -860,7 +1210,7 @@ http_access deny all # http_reply_access allow|deny [!] aclname ... # # NOTE: if there are no access lines present, the default is to allow -# all replies +# all replies. # # If none of the access lines cause a match the opposite of the # last line will apply. Thus it is good practice to end the rules @@ -869,7 +1219,7 @@ http_access deny all # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: icp_access # Allowing or Denying access to the ICP port based on defined @@ -877,7 +1227,9 @@ http_access deny all # # icp_access allow|deny [!]aclname ... # -# See http_access for details +# NOTE: The default if no icp_access lines are present is to +# deny all traffic. This default may cause problems with peers +# using ICP. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. @@ -886,7 +1238,7 @@ http_access deny all ##icp_access allow localnet ##icp_access deny all #Default: -# icp_access deny all +# Deny, unless rules exist in squid.conf. # TAG: htcp_access # Allowing or Denying access to the HTCP port based on defined @@ -894,11 +1246,12 @@ http_access deny all # # htcp_access allow|deny [!]aclname ... # -# See http_access for details +# See also htcp_clr_access for details on access control for +# cache purge (CLR) HTCP messages. # # NOTE: The default if no htcp_access lines are present is to # deny all traffic. This default may cause problems with peers -# using the htcp or htcp-oldsquid options. +# using the htcp option. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. @@ -907,48 +1260,47 @@ http_access deny all ##htcp_access allow localnet ##htcp_access deny all #Default: -# htcp_access deny all +# Deny, unless rules exist in squid.conf. # TAG: htcp_clr_access # Allowing or Denying access to purge content using HTCP based -# on defined access lists +# on defined access lists. +# See htcp_access for details on general HTCP access control. # # htcp_clr_access allow|deny [!]aclname ... # -# See http_access for details -# # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # ## Allow HTCP CLR requests from trusted peers -#acl htcp_clr_peer src 172.16.1.2 +#acl htcp_clr_peer src 192.0.2.2 2001:DB8::2 #htcp_clr_access allow htcp_clr_peer +#htcp_clr_access deny all #Default: -# htcp_clr_access deny all +# Deny, unless rules exist in squid.conf. # TAG: miss_access -# Determins whether network access is permitted when satisfying a request. +# Determines whether network access is permitted when satisfying a request. # # For example; # to force your neighbors to use you as a sibling instead of # a parent. # -# acl localclients src 172.16.0.0/16 -# miss_access allow localclients +# acl localclients src 192.0.2.0/24 2001:DB8::a:0/64 # miss_access deny !localclients +# miss_access allow all # # This means only your local clients are allowed to fetch relayed/MISS # replies from the network and all other clients can only fetch cached # objects (HITs). # -# # The default for this setting allows all clients who passed the # http_access rules to relay via this proxy. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# miss_access allow all +# Allow, unless rules exist in squid.conf. # TAG: ident_lookup_access # A list of ACL elements which, if matched, cause an ident @@ -972,7 +1324,7 @@ http_access deny all # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# ident_lookup_access deny all +# Unless rules exist in squid.conf, IDENT is not fetched. # TAG: reply_body_max_size size [acl acl...] # This option specifies the maximum size of a reply body. It can be @@ -1009,23 +1361,22 @@ http_access deny all # reply_body_max_size 10 MB # #Default: -# none +# No limit is applied. # NETWORK OPTIONS # ----------------------------------------------------------------------------- # TAG: http_port -# Usage: port [options] -# hostname:port [options] -# 1.2.3.4:port [options] +# Usage: port [mode] [options] +# hostname:port [mode] [options] +# 1.2.3.4:port [mode] [options] # # The socket addresses where Squid will listen for HTTP client # requests. You may specify multiple socket addresses. # There are three forms: port alone, hostname with port, and # IP address with port. If you specify a hostname or IP # address, Squid binds the socket to that specific -# address. This replaces the old 'tcp_incoming_address' -# option. Most likely, you do not need to bind to a specific +# address. Most likely, you do not need to bind to a specific # address, so you can use the port number alone. # # If you are running Squid in accelerator mode, you @@ -1037,48 +1388,184 @@ http_access deny all # # You may specify multiple socket addresses on multiple lines. # -# Options: +# Modes: # -# intercept Support for IP-Layer interception of -# outgoing requests without browser settings. -# NP: disables authentication and IPv6 on the port. +# intercept Support for IP-Layer NAT interception delivering +# traffic to this Squid port. +# NP: disables authentication on the port. # -# tproxy Support Linux TPROXY for spoofing outgoing -# connections using the client IP address. -# NP: disables authentication and maybe IPv6 on the port. +# tproxy Support Linux TPROXY (or BSD divert-to) with spoofing +# of outgoing connections using the client IP address. +# NP: disables authentication on the port. # -# accel Accelerator mode. Also needs at least one of -# vhost / vport / defaultsite. +# accel Accelerator / reverse proxy mode # -# allow-direct Allow direct forwarding in accelerator mode. Normally -# accelerated requests are denied direct forwarding as if -# never_direct was used. +# ssl-bump For each CONNECT request allowed by ssl_bump ACLs, +# establish secure connection with the client and with +# the server, decrypt HTTPS messages as they pass through +# Squid, and treat them as unencrypted HTTP messages, +# becoming the man-in-the-middle. # -# defaultsite=domainname -# What to use for the Host: header if it is not present -# in a request. Determines what site (not origin server) -# accelerators should consider the default. -# Implies accel. +# The ssl_bump option is required to fully enable +# bumping of CONNECT requests. +# +# Omitting the mode flag causes default forward proxy mode to be used. +# +# +# Accelerator Mode Options: +# +# defaultsite=domainname +# What to use for the Host: header if it is not present +# in a request. Determines what site (not origin server) +# accelerators should consider the default. # -# vhost Accelerator mode using Host header for virtual domain support. -# Also uses the port as specified in Host: header unless -# overridden by the vport option. Implies accel. +# no-vhost Disable using HTTP/1.1 Host header for virtual domain support. +# +# protocol= Protocol to reconstruct accelerated and intercepted +# requests with. Defaults to HTTP/1.1 for http_port and +# HTTPS/1.1 for https_port. +# When an unsupported value is configured Squid will +# produce a FATAL error. +# Values: HTTP or HTTP/1.1, HTTPS or HTTPS/1.1 # # vport Virtual host port support. Using the http_port number -# instead of the port passed on Host: headers. Implies accel. +# instead of the port passed on Host: headers. # # vport=NN Virtual host port support. Using the specified port # number instead of the port passed on Host: headers. -# Implies accel. # -# protocol= Protocol to reconstruct accelerated requests with. -# Defaults to http. +# act-as-origin +# Act as if this Squid is the origin server. +# This currently means generate new Date: and Expires: +# headers on HIT instead of adding Age:. # # ignore-cc Ignore request Cache-Control headers. # -# Warning: This option violates HTTP specifications if +# WARNING: This option violates HTTP specifications if # used in non-accelerator setups. # +# allow-direct Allow direct forwarding in accelerator mode. Normally +# accelerated requests are denied direct forwarding as if +# never_direct was used. +# +# WARNING: this option opens accelerator mode to security +# vulnerabilities usually only affecting in interception +# mode. Make sure to protect forwarding with suitable +# http_access rules when using this. +# +# +# SSL Bump Mode Options: +# In addition to these options ssl-bump requires TLS/SSL options. +# +# generate-host-certificates[=] +# Dynamically create SSL server certificates for the +# destination hosts of bumped CONNECT requests.When +# enabled, the cert and key options are used to sign +# generated certificates. Otherwise generated +# certificate will be selfsigned. +# If there is a CA certificate lifetime of the generated +# certificate equals lifetime of the CA certificate. If +# generated certificate is selfsigned lifetime is three +# years. +# This option is disabled by default. See the ssl-bump +# option above for more information. +# +# dynamic_cert_mem_cache_size=SIZE +# Approximate total RAM size spent on cached generated +# certificates. If set to zero, caching is disabled. +# +# TLS / SSL Options: +# +# cert= Path to SSL certificate (PEM format). +# +# key= Path to SSL private key file (PEM format) +# if not specified, the certificate file is +# assumed to be a combined certificate and +# key file. +# +# version= The version of SSL/TLS supported +# 1 automatic (default) +# 2 SSLv2 only +# 3 SSLv3 only +# 4 TLSv1.0 only +# 5 TLSv1.1 only +# 6 TLSv1.2 only +# +# cipher= Colon separated list of supported ciphers. +# NOTE: some ciphers such as EDH ciphers depend on +# additional settings. If those settings are +# omitted the ciphers may be silently ignored +# by the OpenSSL library. +# +# options= Various SSL implementation options. The most important +# being: +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# SINGLE_DH_USE Always create a new key when using +# temporary/ephemeral DH key exchanges +# NO_TICKET Disables TLS tickets extension +# +# SINGLE_ECDH_USE +# Enable ephemeral ECDH key exchange. +# The adopted curve should be specified +# using the tls-dh option. +# +# ALL Enable various bug workarounds +# suggested as "harmless" by OpenSSL +# Be warned that this reduces SSL/TLS +# strength to some attacks. +# See OpenSSL SSL_CTX_set_options documentation for a +# complete list of options. +# +# clientca= File containing the list of CAs to use when +# requesting a client certificate. +# +# cafile= File containing additional CA certificates to +# use when verifying client certificates. If unset +# clientca will be used. +# +# capath= Directory containing additional CA certificates +# and CRL lists to use when verifying client certificates. +# +# crlfile= File of additional CRL lists to use when verifying +# the client certificate, in addition to CRLs stored in +# the capath. Implies VERIFY_CRL flag below. +# +# tls-dh=[curve:]file +# File containing DH parameters for temporary/ephemeral DH key +# exchanges, optionally prefixed by a curve for ephemeral ECDH +# key exchanges. +# See OpenSSL documentation for details on how to create the +# DH parameter file. Supported curves for ECDH can be listed +# using the "openssl ecparam -list_curves" command. +# WARNING: EDH and EECDH ciphers will be silently disabled if +# this option is not set. +# +# sslflags= Various flags modifying the use of SSL: +# DELAYED_AUTH +# Don't request client certificates +# immediately, but wait until acl processing +# requires a certificate (not yet implemented). +# NO_DEFAULT_CA +# Don't use the default CA lists built in +# to OpenSSL. +# NO_SESSION_REUSE +# Don't allow for session reuse. Each connection +# will result in a new SSL session. +# VERIFY_CRL +# Verify CRL lists when accepting client +# certificates. +# VERIFY_CRL_ALL +# Verify CRL lists for all certificates in the +# client certificate chain. +# +# sslcontext= SSL session ID context identifier. +# +# Other Options: +# # connection-auth[=on|off] # use connection-auth=off to tell Squid to prevent # forwarding Microsoft connection oriented authentication @@ -1100,22 +1587,6 @@ http_access deny all # sporadically hang or never complete requests set # disable-pmtu-discovery option to 'transparent'. # -# ssl-bump Intercept each CONNECT request matching ssl_bump ACL, -# establish secure connection with the client and with -# the server, decrypt HTTP messages as they pass through -# Squid, and treat them as unencrypted HTTP messages, -# becoming the man-in-the-middle. -# -# When this option is enabled, additional options become -# available to specify SSL-related properties of the -# client-side connection: cert, key, version, cipher, -# options, clientca, cafile, capath, crlfile, dhparams, -# sslflags, and sslcontext. See the https_port directive -# for more information on these options. -# -# The ssl_bump option is required to fully enable -# the SslBump feature. -# # name= Specifies a internal name for the port. Defaults to # the port specification (port or addr:port) # @@ -1125,6 +1596,11 @@ http_access deny all # probing the connection, interval how often to probe, and # timeout the time before giving up. # +# require-proxy-header +# Require PROXY protocol version 1 or 2 connections. +# The proxy_protocol_access is required to whitelist +# downstream proxies which can be trusted. +# # If you run Squid on a dual-homed machine with an internal # and an external interface we recommend you to specify the # internal address:port in http_port. This way Squid will only be @@ -1137,35 +1613,49 @@ http_port 3128 # TAG: https_port # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # -# Usage: [ip:]port cert=certificate.pem [key=key.pem] [options...] +# Usage: [ip:]port cert=certificate.pem [key=key.pem] [mode] [options...] # -# The socket address where Squid will listen for HTTPS client -# requests. +# The socket address where Squid will listen for client requests made +# over TLS or SSL connections. Commonly referred to as HTTPS. # -# This is really only useful for situations where you are running -# squid in accelerator mode and you want to do the SSL work at the -# accelerator level. +# This is most useful for situations where you are running squid in +# accelerator mode and you want to do the SSL work at the accelerator level. # # You may specify multiple socket addresses on multiple lines, # each with their own SSL certificate and/or options. # -# Options: +# Modes: +# +# accel Accelerator / reverse proxy mode +# +# intercept Support for IP-Layer interception of +# outgoing requests without browser settings. +# NP: disables authentication and IPv6 on the port. +# +# tproxy Support Linux TPROXY for spoofing outgoing +# connections using the client IP address. +# NP: disables authentication and maybe IPv6 on the port. +# +# ssl-bump For each intercepted connection allowed by ssl_bump +# ACLs, establish a secure connection with the client and with +# the server, decrypt HTTPS messages as they pass through +# Squid, and treat them as unencrypted HTTP messages, +# becoming the man-in-the-middle. +# +# An "ssl_bump server-first" match is required to +# fully enable bumping of intercepted SSL connections. +# +# Requires tproxy or intercept. # -# accel Accelerator mode. Also needs at least one of -# defaultsite or vhost. +# Omitting the mode flag causes default forward proxy mode to be used. # -# defaultsite= The name of the https site presented on -# this port. Implies accel. # -# vhost Accelerator mode using Host header for virtual -# domain support. Requires a wildcard certificate -# or other certificate valid for more than one domain. -# Implies accel. +# See http_port for a list of generic options # -# protocol= Protocol to reconstruct accelerated requests with. -# Defaults to https. +# +# SSL Options: # # cert= Path to SSL certificate (PEM format). # @@ -1181,20 +1671,23 @@ http_port 3128 # 4 TLSv1 only # # cipher= Colon separated list of supported ciphers. -# NOTE: some ciphers such as EDH ciphers depend on -# additional settings. If those settings are -# omitted the ciphers may be silently ignored -# by the OpenSSL library. # # options= Various SSL engine options. The most important # being: # NO_SSLv2 Disallow the use of SSLv2 # NO_SSLv3 Disallow the use of SSLv3 # NO_TLSv1 Disallow the use of TLSv1 +# # SINGLE_DH_USE Always create a new key when using # temporary/ephemeral DH key exchanges -# See OpenSSL SSL_CTX_set_options documentation for a -# complete list of options. +# +# SINGLE_ECDH_USE +# Enable ephemeral ECDH key exchange. +# The adopted curve should be specified +# using the tls-dh option. +# +# See src/ssl_support.c or OpenSSL SSL_CTX_set_options +# documentation for a complete list of options. # # clientca= File containing the list of CAs to use when # requesting a client certificate. @@ -1210,11 +1703,10 @@ http_port 3128 # the client certificate, in addition to CRLs stored in # the capath. Implies VERIFY_CRL flag below. # -# dhparams= File containing DH parameters for temporary/ephemeral -# DH key exchanges. See OpenSSL documentation for details -# on how to create this file. -# WARNING: EDH ciphers will be silently disabled if this -# option is not set. +# tls-dh=[curve:]file +# File containing DH parameters for temporary/ephemeral DH key +# exchanges, optionally prefixed by a curve for ephemeral ECDH +# key exchanges. # # sslflags= Various flags modifying the use of SSL: # DELAYED_AUTH @@ -1238,38 +1730,89 @@ http_port 3128 # # generate-host-certificates[=] # Dynamically create SSL server certificates for the -# destination hosts of bumped CONNECT requests.When +# destination hosts of bumped SSL requests.When # enabled, the cert and key options are used to sign # generated certificates. Otherwise generated # certificate will be selfsigned. -# If there is CA certificate life time of generated +# If there is CA certificate life time of generated # certificate equals lifetime of CA certificate. If -# generated certificate is selfsigned lifetime is three +# generated certificate is selfsigned lifetime is three # years. -# This option is enabled by default when SslBump is used. -# See the sslBump option above for more information. -# +# This option is disabled by default. See the ssl-bump +# option above for more information. +# # dynamic_cert_mem_cache_size=SIZE # Approximate total RAM size spent on cached generated -# certificates. If set to zero, caching is disabled. The -# default value is 4MB. An average XXX-bit certificate -# consumes about XXX bytes of RAM. +# certificates. If set to zero, caching is disabled. # -# vport Accelerator with IP based virtual host support. +# See http_port for a list of available options. +#Default: +# none + +# TAG: ftp_port +# Enables Native FTP proxy by specifying the socket address where Squid +# listens for FTP client requests. See http_port directive for various +# ways to specify the listening address and mode. # -# vport=NN As above, but uses specified port number rather -# than the https_port number. Implies accel. +# Usage: ftp_port address [mode] [options] # -# name= Specifies a internal name for the port. Defaults to -# the port specification (port or addr:port) +# WARNING: This is a new, experimental, complex feature that has seen +# limited production exposure. Some Squid modules (e.g., caching) do not +# currently work with native FTP proxying, and many features have not +# even been tested for compatibility. Test well before deploying! +# +# Native FTP proxying differs substantially from proxying HTTP requests +# with ftp:// URIs because Squid works as an FTP server and receives +# actual FTP commands (rather than HTTP requests with FTP URLs). # +# Native FTP commands accepted at ftp_port are internally converted or +# wrapped into HTTP-like messages. The same happens to Native FTP +# responses received from FTP origin servers. Those HTTP-like messages +# are shoveled through regular access control and adaptation layers +# between the FTP client and the FTP origin server. This allows Squid to +# examine, adapt, block, and log FTP exchanges. Squid reuses most HTTP +# mechanisms when shoveling wrapped FTP messages. For example, +# http_access and adaptation_access directives are used. +# +# Modes: +# +# intercept Same as http_port intercept. The FTP origin address is +# determined based on the intended destination of the +# intercepted connection. +# +# tproxy Support Linux TPROXY for spoofing outgoing +# connections using the client IP address. +# NP: disables authentication and maybe IPv6 on the port. +# +# By default (i.e., without an explicit mode option), Squid extracts the +# FTP origin address from the login@origin parameter of the FTP USER +# command. Many popular FTP clients support such native FTP proxying. +# +# Options: +# +# name=token Specifies an internal name for the port. Defaults to +# the port address. Usable with myportname ACL. +# +# ftp-track-dirs +# Enables tracking of FTP directories by injecting extra +# PWD commands and adjusting Request-URI (in wrapping +# HTTP requests) to reflect the current FTP server +# directory. Tracking is disabled by default. +# +# protocol=FTP Protocol to reconstruct accelerated and intercepted +# requests with. Defaults to FTP. No other accepted +# values have been tested with. An unsupported value +# results in a FATAL error. Accepted values are FTP, +# HTTP (or HTTP/1.1), and HTTPS (or HTTPS/1.1). +# +# Other http_port modes and options that are not specific to HTTP and +# HTTPS may also work. #Default: # none # TAG: tcp_outgoing_tos -# Allows you to select a TOS/Diffserv value to mark outgoing -# connections with, based on the username or source address -# making the request. +# Allows you to select a TOS/Diffserv value for packets outgoing +# on the server side, based on an ACL. # # tcp_outgoing_tos ds-field [!]aclname ... # @@ -1286,41 +1829,116 @@ http_port 3128 # RFC2475, and RFC3260. # # The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or -# "default" to use whatever default your host has. Note that in -# practice often only multiples of 4 is usable as the two rightmost bits -# have been redefined for use by ECN (RFC 3168 section 23.1). +# "default" to use whatever default your host has. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. # # Processing proceeds in the order specified, and stops at first fully # matching line. # -# Note: The use of this directive using client dependent ACLs is -# incompatible with the use of server side persistent connections. To -# ensure correct results it is best to set server_persistent_connections -# to off when using this directive in such configurations. +# Only fast ACLs are supported. #Default: # none # TAG: clientside_tos -# Allows you to select a TOS/Diffserv value to mark client-side -# connections with, based on the username or source address -# making the request. +# Allows you to select a TOS/DSCP value for packets being transmitted +# on the client-side, based on an ACL. +# +# clientside_tos ds-field [!]aclname ... +# +# Example where normal_service_net uses the TOS value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# clientside_tos 0x00 normal_service_net +# clientside_tos 0x20 good_service_net +# +# Note: This feature is incompatible with qos_flows. Any TOS values set here +# will be overwritten by TOS values in qos_flows. +# +# The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or +# "default" to use whatever default your host has. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. +# +#Default: +# none + +# TAG: tcp_outgoing_mark +# Note: This option is only available if Squid is rebuilt with the +# Packet MARK (Linux) +# +# Allows you to apply a Netfilter mark value to outgoing packets +# on the server side, based on an ACL. +# +# tcp_outgoing_mark mark-value [!]aclname ... +# +# Example where normal_service_net uses the mark value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# tcp_outgoing_mark 0x00 normal_service_net +# tcp_outgoing_mark 0x20 good_service_net +# +# Only fast ACLs are supported. +#Default: +# none + +# TAG: clientside_mark +# Note: This option is only available if Squid is rebuilt with the +# Packet MARK (Linux) +# +# Allows you to apply a Netfilter mark value to packets being transmitted +# on the client-side, based on an ACL. +# +# clientside_mark mark-value [!]aclname ... +# +# Example where normal_service_net uses the mark value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# clientside_mark 0x00 normal_service_net +# clientside_mark 0x20 good_service_net +# +# Note: This feature is incompatible with qos_flows. Any mark values set here +# will be overwritten by mark values in qos_flows. #Default: # none # TAG: qos_flows # Allows you to select a TOS/DSCP value to mark outgoing -# connections with, based on where the reply was sourced. +# connections to the client, based on where the reply was sourced. +# For platforms using netfilter, allows you to set a netfilter mark +# value instead of, or in addition to, a TOS value. +# +# By default this functionality is disabled. To enable it with the default +# settings simply use "qos_flows mark" or "qos_flows tos". Default +# settings will result in the netfilter mark or TOS value being copied +# from the upstream connection to the client. Note that it is the connection +# CONNMARK value not the packet MARK value that is copied. +# +# It is not currently possible to copy the mark or TOS value from the +# client to the upstream connection request. # # TOS values really only have local significance - so you should # know what you're specifying. For more information, see RFC2474, # RFC2475, and RFC3260. # -# The TOS/DSCP byte must be exactly that - octet value 0x00-0xFF. -# Note that in practice often only values up to 0x3F are usable -# as the two highest bits have been redefined for use by ECN -# (RFC3168). +# The TOS/DSCP byte must be exactly that - a octet value 0 - 255. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. +# +# Mark values can be any unsigned 32-bit integer value. # -# This setting is configured by setting the source TOS values: +# This setting is configured by setting the following values: +# +# tos|mark Whether to set TOS or netfilter mark values # # local-hit=0xFF Value to mark local cache hits. # @@ -1328,23 +1946,37 @@ http_port 3128 # # parent-hit=0xFF Value to mark hits from parent peers. # +# miss=0xFF[/mask] Value to mark cache misses. Takes precedence +# over the preserve-miss feature (see below), unless +# mask is specified, in which case only the bits +# specified in the mask are written. # -# NOTE: 'miss' preserve feature is only possible on Linux at this time. -# -# For the following to work correctly, you will need to patch your -# linux kernel with the TOS preserving ZPH patch. -# The kernel patch can be downloaded from http://zph.bratcheda.org +# The TOS variant of the following features are only possible on Linux +# and require your kernel to be patched with the TOS preserving ZPH +# patch, available from http://zph.bratcheda.org +# No patch is needed to preserve the netfilter mark, which will work +# with all variants of netfilter. # # disable-preserve-miss -# By default, the existing TOS value of the response coming -# from the remote server will be retained and masked with -# miss-mark. This option disables that feature. +# This option disables the preservation of the TOS or netfilter +# mark. By default, the existing TOS or netfilter mark value of +# the response coming from the remote server will be retained +# and masked with miss-mark. +# NOTE: in the case of a netfilter mark, the mark must be set on +# the connection (using the CONNMARK target) not on the packet +# (MARK target). # # miss-mask=0xFF -# Allows you to mask certain bits in the TOS received from the -# remote server, before copying the value to the TOS sent -# towards clients. -# Default: 0xFF (TOS from server is not changed). +# Allows you to mask certain bits in the TOS or mark value +# received from the remote server, before copying the value to +# the TOS sent towards clients. +# Default for tos: 0xFF (TOS from server is not changed). +# Default for mark: 0xFFFFFFFF (mark from server is not changed). +# +# All of these features require the --enable-zph-qos compilation flag +# (enabled by default). Netfilter marking also requires the +# libnetfilter_conntrack libraries (--with-netfilter-conntrack) and +# libcap 2.09+ (--with-libcap). # #Default: # none @@ -1356,72 +1988,133 @@ http_port 3128 # # tcp_outgoing_address ipaddr [[!]aclname] ... # -# Example where requests from 10.0.0.0/24 will be forwarded -# with source address 10.1.0.1, 10.0.2.0/24 forwarded with -# source address 10.1.0.2 and the rest will be forwarded with -# source address 10.1.0.3. -# -# acl normal_service_net src 10.0.0.0/24 -# acl good_service_net src 10.0.2.0/24 -# tcp_outgoing_address 10.1.0.1 normal_service_net -# tcp_outgoing_address 10.1.0.2 good_service_net -# tcp_outgoing_address 10.1.0.3 -# -# Processing proceeds in the order specified, and stops at first fully -# matching line. -# -# Note: The use of this directive using client dependent ACLs is -# incompatible with the use of server side persistent connections. To -# ensure correct results it is best to set server_persistent_connections -# to off when using this directive in such configurations. -# +# For example; +# Forwarding clients with dedicated IPs for certain subnets. # -# IPv6 Magic: +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.2.0/24 # -# Squid is built with a capability of bridging the IPv4 and IPv6 -# internets. -# tcp_outgoing_address as exampled above breaks this bridging by forcing -# all outbound traffic through a certain IPv4 which may be on the wrong -# side of the IPv4/IPv6 boundary. +# tcp_outgoing_address 2001:db8::c001 good_service_net +# tcp_outgoing_address 10.1.0.2 good_service_net # -# To operate with tcp_outgoing_address and keep the bridging benefits -# an additional ACL needs to be used which ensures the IPv6-bound traffic -# is never forced or permitted out the IPv4 interface. +# tcp_outgoing_address 2001:db8::beef normal_service_net +# tcp_outgoing_address 10.1.0.1 normal_service_net # -# # IPv6 destination test along with a dummy access control to perform the required DNS -# # This MUST be place before any ALLOW rules. -# acl to_ipv6 dst ipv6 -# http_access deny ipv6 !all +# tcp_outgoing_address 2001:db8::1 +# tcp_outgoing_address 10.1.0.3 # -# tcp_outgoing_address 2001:db8::c001 good_service_net to_ipv6 -# tcp_outgoing_address 10.1.0.2 good_service_net !to_ipv6 +# Processing proceeds in the order specified, and stops at first fully +# matching line. # -# tcp_outgoing_address 2001:db8::beef normal_service_net to_ipv6 -# tcp_outgoing_address 10.1.0.1 normal_service_net !to_ipv6 +# Squid will add an implicit IP version test to each line. +# Requests going to IPv4 websites will use the outgoing 10.1.0.* addresses. +# Requests going to IPv6 websites will use the outgoing 2001:db8:* addresses. # -# tcp_outgoing_address 2001:db8::1 to_ipv6 -# tcp_outgoing_address 10.1.0.3 !to_ipv6 # -# WARNING: -# 'dst ipv6' bases its selection assuming DIRECT access. -# If peers are used the peername ACL are needed to select outgoing -# address which can link to the peer. +# NOTE: The use of this directive using client dependent ACLs is +# incompatible with the use of server side persistent connections. To +# ensure correct results it is best to set server_persistent_connections +# to off when using this directive in such configurations. # -# 'dst ipv6' is a slow ACL. It will only work here if 'dst' is used -# previously in the http_access rules to locate the destination IP. -# Some more magic may be needed for that: -# http_access allow to_ipv6 !all -# (meaning, allow if to IPv6 but not from anywhere ;) +# NOTE: The use of this directive to set a local IP on outgoing TCP links +# is incompatible with using TPROXY to set client IP out outbound TCP links. +# When needing to contact peers use the no-tproxy cache_peer option and the +# client_dst_passthru directive re-enable normal forwarding such as this. # #Default: -# none +# Address selection is performed by the operating system. + +# TAG: host_verify_strict +# Regardless of this option setting, when dealing with intercepted +# traffic, Squid always verifies that the destination IP address matches +# the Host header domain or IP (called 'authority form URL'). +# +# This enforcement is performed to satisfy a MUST-level requirement in +# RFC 2616 section 14.23: "The Host field value MUST represent the naming +# authority of the origin server or gateway given by the original URL". +# +# When set to ON: +# Squid always responds with an HTTP 409 (Conflict) error +# page and logs a security warning if there is no match. +# +# Squid verifies that the destination IP address matches +# the Host header for forward-proxy and reverse-proxy traffic +# as well. For those traffic types, Squid also enables the +# following checks, comparing the corresponding Host header +# and Request-URI components: +# +# * The host names (domain or IP) must be identical, +# but valueless or missing Host header disables all checks. +# For the two host names to match, both must be either IP +# or FQDN. +# +# * Port numbers must be identical, but if a port is missing +# the scheme-default port is assumed. +# +# +# When set to OFF (the default): +# Squid allows suspicious requests to continue but logs a +# security warning and blocks caching of the response. +# +# * Forward-proxy traffic is not checked at all. +# +# * Reverse-proxy traffic is not checked at all. +# +# * Intercepted traffic which passes verification is handled +# according to client_dst_passthru. +# +# * Intercepted requests which fail verification are sent +# to the client original destination instead of DIRECT. +# This overrides 'client_dst_passthru off'. +# +# For now suspicious intercepted CONNECT requests are always +# responded to with an HTTP 409 (Conflict) error page. +# +# +# SECURITY NOTE: +# +# As described in CVE-2009-0801 when the Host: header alone is used +# to determine the destination of a request it becomes trivial for +# malicious scripts on remote websites to bypass browser same-origin +# security policy and sandboxing protections. +# +# The cause of this is that such applets are allowed to perform their +# own HTTP stack, in which case the same-origin policy of the browser +# sandbox only verifies that the applet tries to contact the same IP +# as from where it was loaded at the IP level. The Host: header may +# be different from the connected IP and approved origin. +# +#Default: +# host_verify_strict off + +# TAG: client_dst_passthru +# With NAT or TPROXY intercepted traffic Squid may pass the request +# directly to the original client destination IP or seek a faster +# source using the HTTP Host header. +# +# Using Host to locate alternative servers can provide faster +# connectivity with a range of failure recovery options. +# But can also lead to connectivity trouble when the client and +# server are attempting stateful interactions unaware of the proxy. +# +# This option (on by default) prevents alternative DNS entries being +# located to send intercepted traffic DIRECT to an origin server. +# The clients original destination IP and port will be used instead. +# +# Regardless of this option setting, when dealing with intercepted +# traffic Squid will verify the Host: header and any traffic which +# fails Host verification will be treated as if this option were ON. +# +# see host_verify_strict for details on the verification process. +#Default: +# client_dst_passthru on # SSL OPTIONS # ----------------------------------------------------------------------------- # TAG: ssl_unclean_shutdown # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Some browsers (especially MSIE) bugs out on SSL shutdown # messages. @@ -1430,7 +2123,7 @@ http_port 3128 # TAG: ssl_engine # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # The OpenSSL engine to use. You will need to set this if you # would like to use hardware SSL acceleration for example. @@ -1439,7 +2132,7 @@ http_port 3128 # TAG: sslproxy_client_certificate # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Client SSL Certificate to use when proxying https:// URLs #Default: @@ -1447,7 +2140,7 @@ http_port 3128 # TAG: sslproxy_client_key # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Client SSL Key to use when proxying https:// URLs #Default: @@ -1455,36 +2148,60 @@ http_port 3128 # TAG: sslproxy_version # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # SSL version level to use when proxying https:// URLs +# +# The versions of SSL/TLS supported: +# +# 1 automatic (default) +# 2 SSLv2 only +# 3 SSLv3 only +# 4 TLSv1.0 only +# 5 TLSv1.1 only +# 6 TLSv1.2 only #Default: -# sslproxy_version 1 +# automatic SSL/TLS version negotiation # TAG: sslproxy_options # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # -# SSL engine options to use when proxying https:// URLs +# Colon (:) or comma (,) separated list of SSL implementation options +# to use when proxying https:// URLs # # The most important being: # -# NO_SSLv2 Disallow the use of SSLv2 -# NO_SSLv3 Disallow the use of SSLv3 -# NO_TLSv1 Disallow the use of TLSv1 -# SINGLE_DH_USE -# Always create a new key when using -# temporary/ephemeral DH key exchanges +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# +# SINGLE_DH_USE +# Always create a new key when using temporary/ephemeral +# DH key exchanges +# +# NO_TICKET +# Disable use of RFC5077 session tickets. Some servers +# may have problems understanding the TLS extension due +# to ambiguous specification in RFC4507. +# +# ALL Enable various bug workarounds suggested as "harmless" +# by OpenSSL. Be warned that this may reduce SSL/TLS +# strength to some attacks. # -# These options vary depending on your SSL engine. # See the OpenSSL SSL_CTX_set_options documentation for a # complete list of possible options. +# +# WARNING: This directive takes a single token. If a space is used +# the value(s) after that space are SILENTLY IGNORED. #Default: # none # TAG: sslproxy_cipher # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # SSL cipher list to use when proxying https:// URLs # @@ -1494,7 +2211,7 @@ http_port 3128 # TAG: sslproxy_cafile # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # file containing CA certificates to use when verifying server # certificates while proxying https:// URLs @@ -1503,45 +2220,151 @@ http_port 3128 # TAG: sslproxy_capath # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # directory containing CA certificates to use when verifying # server certificates while proxying https:// URLs #Default: # none -# TAG: ssl_bump +# TAG: sslproxy_session_ttl +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the timeout value for SSL sessions +#Default: +# sslproxy_session_ttl 300 + +# TAG: sslproxy_session_cache_size +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the cache size to use for ssl session +#Default: +# sslproxy_session_cache_size 2 MB + +# TAG: sslproxy_foreign_intermediate_certs # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # -# This ACL controls which CONNECT requests to an http_port -# marked with an sslBump flag are actually "bumped". Please -# see the sslBump flag of an http_port option for more details -# about decoding proxied SSL connections. +# Many origin servers fail to send their full server certificate +# chain for verification, assuming the client already has or can +# easily locate any missing intermediate certificates. # -# By default, no requests are bumped. +# Squid uses the certificates from the specified file to fill in +# these missing chains when trying to validate origin server +# certificate chains. +# +# The file is expected to contain zero or more PEM-encoded +# intermediate certificates. These certificates are not treated +# as trusted root certificates, and any self-signed certificate in +# this file will be ignored. +#Default: +# none + +# TAG: sslproxy_cert_sign_hash +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the hashing algorithm to use when signing generated certificates. +# Valid algorithm names depend on the OpenSSL library used. The following +# names are usually available: sha1, sha256, sha512, and md5. Please see +# your OpenSSL library manual for the available hashes. By default, Squids +# that support this option use sha256 hashes. +# +# Squid does not forcefully purge cached certificates that were generated +# with an algorithm other than the currently configured one. They remain +# in the cache, subject to the regular cache eviction policy, and become +# useful if the algorithm changes again. +#Default: +# none + +# TAG: ssl_bump +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# This option is consulted when a CONNECT request is received on +# an http_port (or a new connection is intercepted at an +# https_port), provided that port was configured with an ssl-bump +# flag. The subsequent data on the connection is either treated as +# HTTPS and decrypted OR tunneled at TCP level without decryption, +# depending on the first matching bumping "action". +# +# ssl_bump [!]acl ... +# +# The following bumping actions are currently supported: +# +# splice +# Become a TCP tunnel without decrypting proxied traffic. +# This is the default action. +# +# bump +# Establish a secure connection with the server and, using a +# mimicked server certificate, with the client. +# +# peek +# Receive client (step SslBump1) or server (step SslBump2) +# certificate while preserving the possibility of splicing the +# connection. Peeking at the server certificate (during step 2) +# usually precludes bumping of the connection at step 3. +# +# stare +# Receive client (step SslBump1) or server (step SslBump2) +# certificate while preserving the possibility of bumping the +# connection. Staring at the server certificate (during step 2) +# usually precludes splicing of the connection at step 3. +# +# terminate +# Close client and server connections. +# +# Backward compatibility actions available at step SslBump1: +# +# client-first +# Bump the connection. Establish a secure connection with the +# client first, then connect to the server. This old mode does +# not allow Squid to mimic server SSL certificate and does not +# work with intercepted SSL connections. +# +# server-first +# Bump the connection. Establish a secure connection with the +# server first, then establish a secure connection with the +# client, using a mimicked server certificate. Works with both +# CONNECT requests and intercepted SSL connections, but does +# not allow to make decisions based on SSL handshake info. +# +# peek-and-splice +# Decide whether to bump or splice the connection based on +# client-to-squid and server-to-squid SSL hello messages. +# XXX: Remove. +# +# none +# Same as the "splice" action. +# +# All ssl_bump rules are evaluated at each of the supported bumping +# steps. Rules with actions that are impossible at the current step are +# ignored. The first matching ssl_bump action wins and is applied at the +# end of the current step. If no rules match, the splice action is used. +# See the at_step ACL for a list of the supported SslBump steps. # -# See also: http_port ssl-bump -# # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # +# See also: http_port ssl-bump, https_port ssl-bump, and acl at_step. +# # -# # Example: Bump all requests except those originating from localhost and -# # those going to webax.com or example.com sites. +# # Example: Bump all TLS connections except those originating from +# # localhost or those going to example.com. # -# acl localhost src 127.0.0.1/32 -# acl broken_sites dstdomain .webax.com -# acl broken_sites dstdomain .example.com -# ssl_bump deny localhost -# ssl_bump deny broken_sites -# ssl_bump allow all +# acl broken_sites ssl::server_name .example.com +# ssl_bump splice localhost +# ssl_bump splice broken_sites +# ssl_bump bump all #Default: -# none +# Become a TCP tunnel without decrypting proxied traffic. # TAG: sslproxy_flags # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Various flags modifying the use of SSL while proxying https:// URLs: # DONT_VERIFY_PEER Accept certificates that fail verification. @@ -1553,16 +2376,16 @@ http_port 3128 # TAG: sslproxy_cert_error # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Use this ACL to bypass server certificate validation errors. # # For example, the following lines will bypass all validation errors -# when talking to servers located at 172.16.0.0/16. All other +# when talking to servers for example.com. All other # validation errors will result in ERR_SECURE_CONNECT_FAIL error. # -# acl BrokenServersAtTrustedIP dst 172.16.0.0/16 -# sslproxy_cert_error allow BrokenServersAtTrustedIP +# acl BrokenButTrustedServers dstdomain example.com +# sslproxy_cert_error allow BrokenButTrustedServers # sslproxy_cert_error deny all # # This clause only supports fast acl types. @@ -1570,19 +2393,107 @@ http_port 3128 # Using slow acl types may result in server crashes # # Without this option, all server certificate validation errors -# terminate the transaction. Bypassing validation errors is dangerous -# because an error usually implies that the server cannot be trusted and -# the connection may be insecure. +# terminate the transaction to protect Squid and the client. +# +# SQUID_X509_V_ERR_INFINITE_VALIDATION error cannot be bypassed +# but should not happen unless your OpenSSL library is buggy. +# +# SECURITY WARNING: +# Bypassing validation errors is dangerous because an +# error usually implies that the server cannot be trusted +# and the connection may be insecure. # # See also: sslproxy_flags and DONT_VERIFY_PEER. +#Default: +# Server certificate errors terminate the transaction. + +# TAG: sslproxy_cert_sign +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# # -# Default setting: sslproxy_cert_error deny all +# sslproxy_cert_sign acl ... +# +# The following certificate signing algorithms are supported: +# +# signTrusted +# Sign using the configured CA certificate which is usually +# placed in and trusted by end-user browsers. This is the +# default for trusted origin server certificates. +# +# signUntrusted +# Sign to guarantee an X509_V_ERR_CERT_UNTRUSTED browser error. +# This is the default for untrusted origin server certificates +# that are not self-signed (see ssl::certUntrusted). +# +# signSelf +# Sign using a self-signed certificate with the right CN to +# generate a X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT error in the +# browser. This is the default for self-signed origin server +# certificates (see ssl::certSelfSigned). +# +# This clause only supports fast acl types. +# +# When sslproxy_cert_sign acl(s) match, Squid uses the corresponding +# signing algorithm to generate the certificate and ignores all +# subsequent sslproxy_cert_sign options (the first match wins). If no +# acl(s) match, the default signing algorithm is determined by errors +# detected when obtaining and validating the origin server certificate. +# +# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can +# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a +# CONNECT request that carries a domain name. In all other cases (CONNECT +# to an IP address or an intercepted SSL connection), Squid cannot detect +# the domain mismatch at certificate generation time when +# bump-server-first is used. +#Default: +# none + +# TAG: sslproxy_cert_adapt +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# +# sslproxy_cert_adapt acl ... +# +# The following certificate adaptation algorithms are supported: +# +# setValidAfter +# Sets the "Not After" property to the "Not After" property of +# the CA certificate used to sign generated certificates. +# +# setValidBefore +# Sets the "Not Before" property to the "Not Before" property of +# the CA certificate used to sign generated certificates. +# +# setCommonName or setCommonName{CN} +# Sets Subject.CN property to the host name specified as a +# CN parameter or, if no explicit CN parameter was specified, +# extracted from the CONNECT request. It is a misconfiguration +# to use setCommonName without an explicit parameter for +# intercepted or tproxied SSL connections. +# +# This clause only supports fast acl types. +# +# Squid first groups sslproxy_cert_adapt options by adaptation algorithm. +# Within a group, when sslproxy_cert_adapt acl(s) match, Squid uses the +# corresponding adaptation algorithm to generate the certificate and +# ignores all subsequent sslproxy_cert_adapt options in that algorithm's +# group (i.e., the first match wins within each algorithm group). If no +# acl(s) match, the default mimicking action takes place. +# +# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can +# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a +# CONNECT request that carries a domain name. In all other cases (CONNECT +# to an IP address or an intercepted SSL connection), Squid cannot detect +# the domain mismatch at certificate generation time when +# bump-server-first is used. #Default: # none # TAG: sslpassword_program # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Specify a program used for entering SSL key passphrases # when using encrypted SSL certificate keys. If not specified @@ -1595,12 +2506,12 @@ http_port 3128 #Default: # none -#OPTIONS RELATING TO EXTERNAL SSL_CRTD -#----------------------------------------------------------------------------- +# OPTIONS RELATING TO EXTERNAL SSL_CRTD +# ----------------------------------------------------------------------------- # TAG: sslcrtd_program # Note: This option is only available if Squid is rebuilt with the -# -DUSE_SSL_CRTD define +# --enable-ssl-crtd # # Specify the location and options of the executable for ssl_crtd process. # /usr/lib/squid/ssl_crtd program requires -s and -M parameters @@ -1611,14 +2522,90 @@ http_port 3128 # TAG: sslcrtd_children # Note: This option is only available if Squid is rebuilt with the -# -DUSE_SSL_CRTD define +# --enable-ssl-crtd # # The maximum number of processes spawn to service ssl server. # The maximum this may be safely set to is 32. # +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup=N +# +# Sets the minimum number of processes to spawn when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few children temporary slows Squid under load while it +# tries to spawn enough additional processes to cope with traffic. +# +# idle=N +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# # You must have at least one ssl_crtd process. #Default: -# sslcrtd_children 5 +# sslcrtd_children 32 startup=5 idle=1 + +# TAG: sslcrtvalidator_program +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Specify the location and options of the executable for ssl_crt_validator +# process. +# +# Usage: sslcrtvalidator_program [ttl=n] [cache=n] path ... +# +# Options: +# ttl=n TTL in seconds for cached results. The default is 60 secs +# cache=n limit the result cache size. The default value is 2048 +#Default: +# none + +# TAG: sslcrtvalidator_children +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# The maximum number of processes spawn to service SSL server. +# The maximum this may be safely set to is 32. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup=N +# +# Sets the minimum number of processes to spawn when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few children temporary slows Squid under load while it +# tries to spawn enough additional processes to cope with traffic. +# +# idle=N +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# +# The number of requests each certificate validator helper can handle in +# parallel. A value of 0 indicates the certficate validator does not +# support concurrency. Defaults to 1. +# +# When this directive is set to a value >= 1 then the protocol +# used to communicate with the helper is modified to include +# a request ID in front of the request/response. The request +# ID from the request must be echoed back with the response +# to that request. +# +# You must have at least one ssl_crt_validator process. +#Default: +# sslcrtvalidator_children 32 startup=5 idle=1 concurrency=1 # OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM # ----------------------------------------------------------------------------- @@ -1680,22 +2667,23 @@ http_port 3128 # # htcp Send HTCP, instead of ICP, queries to the neighbor. # You probably also want to set the "icp-port" to 4827 -# instead of 3130. +# instead of 3130. This directive accepts a comma separated +# list of options described below. # -# htcp-oldsquid Send HTCP to old Squid versions. +# htcp=oldsquid Send HTCP to old Squid versions (2.5 or earlier). # -# htcp-no-clr Send HTCP to the neighbor but without +# htcp=no-clr Send HTCP to the neighbor but without # sending any CLR requests. This cannot be used with -# htcp-only-clr. +# only-clr. # -# htcp-only-clr Send HTCP to the neighbor but ONLY CLR requests. -# This cannot be used with htcp-no-clr. +# htcp=only-clr Send HTCP to the neighbor but ONLY CLR requests. +# This cannot be used with no-clr. # -# htcp-no-purge-clr +# htcp=no-purge-clr # Send HTCP to the neighbor including CLRs but only when # they do not result from PURGE requests. # -# htcp-forward-clr +# htcp=forward-clr # Forward any HTCP CLR requests this proxy receives to the peer. # # @@ -1768,6 +2756,14 @@ http_port 3128 # than the Squid default location. # # +# ==== CARP OPTIONS ==== +# +# carp-key=key-specification +# use a different key than the full URL to hash against the peer. +# the key-specification is a comma-separated list of the keywords +# scheme, host, port, path, params +# Order is not important. +# # ==== ACCELERATOR / REVERSE-PROXY OPTIONS ==== # # originserver Causes this parent to be contacted as an origin server. @@ -1795,20 +2791,23 @@ http_port 3128 # Note: The string can include URL escapes (i.e. %20 for # spaces). This also means % must be written as %%. # -# login=PROXYPASS +# login=PASSTHRU # Send login details received from client to this peer. -# Authentication is not required, nor changed. +# Both Proxy- and WWW-Authorization headers are passed +# without alteration to the peer. +# Authentication is not required by Squid for this to work. # # Note: This will pass any form of authentication but # only Basic auth will work through a proxy unless the # connection-auth options are also used. -# +# # login=PASS Send login details received from client to this peer. # Authentication is not required by this option. +# # If there are no client-provided authentication headers # to pass on, but username and password are available -# from either proxy login or an external ACL user= and -# password= result tags they may be sent instead. +# from an external ACL user= and password= result tags +# they may be sent instead. # # Note: To combine this with proxy_auth both proxies must # share the same user database as HTTP only allows for @@ -1826,6 +2825,27 @@ http_port 3128 # be used to identify this proxy to the peer, similar to # the login=username:password option above. # +# login=NEGOTIATE +# If this is a personal/workgroup proxy and your parent +# requires a secure proxy authentication. +# The first principal from the default keytab or defined by +# the environment variable KRB5_KTNAME will be used. +# +# WARNING: The connection may transmit requests from multiple +# clients. Negotiate often assumes end-to-end authentication +# and a single-client. Which is not strictly true here. +# +# login=NEGOTIATE:principal_name +# If this is a personal/workgroup proxy and your parent +# requires a secure proxy authentication. +# The principal principal_name from the default keytab or +# defined by the environment variable KRB5_KTNAME will be +# used. +# +# WARNING: The connection may transmit requests from multiple +# clients. Negotiate often assumes end-to-end authentication +# and a single-client. Which is not strictly true here. +# # connection-auth=on|off # Tell Squid that this peer does or not support Microsoft # connection oriented authentication, and any such @@ -1848,22 +2868,42 @@ http_port 3128 # reference a combined file containing both the # certificate and the key. # -# sslversion=1|2|3|4 +# sslversion=1|2|3|4|5|6 # The SSL version to use when connecting to this peer # 1 = automatic (default) # 2 = SSL v2 only # 3 = SSL v3 only -# 4 = TLS v1 only +# 4 = TLS v1.0 only +# 5 = TLS v1.1 only +# 6 = TLS v1.2 only # # sslcipher=... The list of valid SSL ciphers to use when connecting # to this peer. # -# ssloptions=... Specify various SSL engine options: -# NO_SSLv2 Disallow the use of SSLv2 -# NO_SSLv3 Disallow the use of SSLv3 -# NO_TLSv1 Disallow the use of TLSv1 -# See src/ssl_support.c or the OpenSSL documentation for -# a more complete list. +# ssloptions=... Specify various SSL implementation options: +# +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# +# SINGLE_DH_USE +# Always create a new key when using +# temporary/ephemeral DH key exchanges +# +# NO_TICKET +# Disable use of RFC5077 session tickets. Some servers +# may have problems understanding the TLS extension due +# to ambiguous specification in RFC4507. +# +# ALL Enable various bug workarounds +# suggested as "harmless" by OpenSSL +# Be warned that this reduces SSL/TLS +# strength to some attacks. +# +# See the OpenSSL SSL_CTX_set_options documentation for a +# more complete list. # # sslcafile=... A file containing additional CA certificates to use # when verifying the peer certificate. @@ -1907,29 +2947,74 @@ http_port 3128 # # connect-fail-limit=N # How many times connecting to a peer must fail before -# it is marked as down. Default is 10. +# it is marked as down. Standby connection failures +# count towards this limit. Default is 10. # # allow-miss Disable Squid's use of only-if-cached when forwarding # requests to siblings. This is primarily useful when -# icp_hit_stale is used by the sibling. To extensive use -# of this option may result in forwarding loops, and you -# should avoid having two-way peerings with this option. -# For example to deny peer usage on requests from peer -# by denying cache_peer_access if the source is a peer. +# icp_hit_stale is used by the sibling. Excessive use +# of this option may result in forwarding loops. One way +# to prevent peering loops when using this option, is to +# deny cache peer usage on requests from a peer: +# acl fromPeer ... +# cache_peer_access peerName deny fromPeer +# +# max-conn=N Limit the number of concurrent connections the Squid +# may open to this peer, including already opened idle +# and standby connections. There is no peer-specific +# connection limit by default. # -# max-conn=N Limit the amount of connections Squid may open to this -# peer. see also +# A peer exceeding the limit is not used for new +# requests unless a standby connection is available. +# +# max-conn currently works poorly with idle persistent +# connections: When a peer reaches its max-conn limit, +# and there are idle persistent connections to the peer, +# the peer may not be selected because the limiting code +# does not know whether Squid can reuse those idle +# connections. +# +# standby=N Maintain a pool of N "hot standby" connections to an +# UP peer, available for requests when no idle +# persistent connection is available (or safe) to use. +# By default and with zero N, no such pool is maintained. +# N must not exceed the max-conn limit (if any). +# +# At start or after reconfiguration, Squid opens new TCP +# standby connections until there are N connections +# available and then replenishes the standby pool as +# opened connections are used up for requests. A used +# connection never goes back to the standby pool, but +# may go to the regular idle persistent connection pool +# shared by all peers and origin servers. +# +# Squid never opens multiple new standby connections +# concurrently. This one-at-a-time approach minimizes +# flooding-like effect on peers. Furthermore, just a few +# standby connections should be sufficient in most cases +# to supply most new requests with a ready-to-use +# connection. +# +# Standby connections obey server_idle_pconn_timeout. +# For the feature to work as intended, the peer must be +# configured to accept and keep them open longer than +# the idle timeout at the connecting Squid, to minimize +# race conditions typical to idle used persistent +# connections. Default request_timeout and +# server_idle_pconn_timeout values ensure such a +# configuration. # # name=xxx Unique name for the peer. # Required if you have multiple peers on the same host # but different ports. # This name can be used in cache_peer_access and similar -# directives to dentify the peer. +# directives to identify the peer. # Can be used by outgoing access controls through the # peername ACL type. # # no-tproxy Do not use the client-spoof TPROXY support when forwarding # requests to this peer. Use normal address selection instead. +# This overrides the spoof_client_ip ACL. # # proxy-only objects fetched from the peer will not be stored locally. # @@ -1938,10 +3023,11 @@ http_port 3128 # TAG: cache_peer_domain # Use to limit the domains for which a neighbor cache will be -# queried. Usage: +# queried. # -# cache_peer_domain cache-host domain [domain ...] -# cache_peer_domain cache-host !domain +# Usage: +# cache_peer_domain cache-host domain [domain ...] +# cache_peer_domain cache-host !domain # # For example, specifying # @@ -1966,33 +3052,57 @@ http_port 3128 # none # TAG: cache_peer_access -# Similar to 'cache_peer_domain' but provides more flexibility by -# using ACL elements. +# Restricts usage of cache_peer proxies. # -# cache_peer_access cache-host allow|deny [!]aclname ... +# Usage: +# cache_peer_access peer-name allow|deny [!]aclname ... +# +# For the required peer-name parameter, use either the value of the +# cache_peer name=value parameter or, if name=value is missing, the +# cache_peer hostname parameter. +# +# This directive narrows down the selection of peering candidates, but +# does not determine the order in which the selected candidates are +# contacted. That order is determined by the peer selection algorithms +# (see PEER SELECTION sections in the cache_peer documentation). +# +# If a deny rule matches, the corresponding peer will not be contacted +# for the current transaction -- Squid will not send ICP queries and +# will not forward HTTP requests to that peer. An allow match leaves +# the corresponding peer in the selection. The first match for a given +# peer wins for that peer. +# +# The relative order of cache_peer_access directives for the same peer +# matters. The relative order of any two cache_peer_access directives +# for different peers does not matter. To ease interpretation, it is a +# good idea to group cache_peer_access directives for the same peer +# together. +# +# A single cache_peer_access directive may be evaluated multiple times +# for a given transaction because individual peer selection algorithms +# may check it independently from each other. These redundant checks +# may be optimized away in future Squid versions. # -# The syntax is identical to 'http_access' and the other lists of -# ACL elements. See the comments for 'http_access' below, or -# the Squid FAQ (http://wiki.squid-cache.org/SquidFaq/SquidAcl). +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# No peer usage restrictions. # TAG: neighbor_type_domain -# usage: neighbor_type_domain neighbor parent|sibling domain domain ... +# Modify the cache_peer neighbor type when passing requests +# about specific domains to the peer. # -# Modifying the neighbor type for specific domains is now -# possible. You can treat some domains differently than the the -# default neighbor type specified on the 'cache_peer' line. -# Normally it should only be necessary to list domains which -# should be treated differently because the default neighbor type -# applies for hostnames which do not match domains listed here. +# Usage: +# neighbor_type_domain neighbor parent|sibling domain domain ... # -#EXAMPLE: -# cache_peer cache.foo.org parent 3128 3130 -# neighbor_type_domain cache.foo.org sibling .com .net -# neighbor_type_domain cache.foo.org sibling .au .de +# For example: +# cache_peer foo.example.com parent 3128 3130 +# neighbor_type_domain foo.example.com sibling .au .de +# +# The above configuration treats all requests to foo.example.com as a +# parent proxy unless the request is for a .au or .de ccTLD domain name. #Default: -# none +# The peer type from cache_peer directive is used for all requests to that peer. # TAG: dead_peer_timeout (seconds) # This controls how long Squid waits to declare a peer cache @@ -2015,21 +3125,11 @@ http_port 3128 # TAG: forward_max_tries # Controls how many different forward paths Squid will try # before giving up. See also forward_timeout. +# +# NOTE: connect_retries (default: none) can make each of these +# possible forwarding paths be tried multiple times. #Default: -# forward_max_tries 10 - -# TAG: hierarchy_stoplist -# A list of words which, if found in a URL, cause the object to -# be handled directly by this cache. In other words, use this -# to not query neighbor caches for certain objects. You may -# list this option multiple times. -# -# Example: -# hierarchy_stoplist cgi-bin ? -# -# Note: never_direct overrides this option. -#Default: -# none +# forward_max_tries 25 # MEMORY CACHE OPTIONS # ----------------------------------------------------------------------------- @@ -2064,6 +3164,11 @@ http_port 3128 # decreases, blocks will be freed until the high-water mark is # reached. Thereafter, blocks will be used to store hot # objects. +# +# If shared memory caching is enabled, Squid does not use the shared +# cache space for in-transit objects, but they still consume as much +# local memory as they need. For more details about the shared memory +# cache, see memory_cache_shared. #Default: # cache_mem 256 MB @@ -2075,11 +3180,45 @@ http_port 3128 #Default: # maximum_object_size_in_memory 512 KB +# TAG: memory_cache_shared on|off +# Controls whether the memory cache is shared among SMP workers. +# +# The shared memory cache is meant to occupy cache_mem bytes and replace +# the non-shared memory cache, although some entities may still be +# cached locally by workers for now (e.g., internal and in-transit +# objects may be served from a local memory cache even if shared memory +# caching is enabled). +# +# By default, the memory cache is shared if and only if all of the +# following conditions are satisfied: Squid runs in SMP mode with +# multiple workers, cache_mem is positive, and Squid environment +# supports required IPC primitives (e.g., POSIX shared memory segments +# and GCC-style atomic operations). +# +# To avoid blocking locks, shared memory uses opportunistic algorithms +# that do not guarantee that every cachable entity that could have been +# shared among SMP workers will actually be shared. +#Default: +# "on" where supported if doing memory caching with multiple SMP workers. + +# TAG: memory_cache_mode +# Controls which objects to keep in the memory cache (cache_mem) +# +# always Keep most recently fetched objects in memory (default) +# +# disk Only disk cache hits are kept in memory, which means +# an object must first be cached on disk and then hit +# a second time before cached in memory. +# +# network Only objects fetched from network is kept in memory +#Default: +# Keep the most recently fetched objects in memory + # TAG: memory_replacement_policy # The memory replacement policy parameter determines which # objects are purged from memory when memory space is needed. # -# See cache_replacement_policy for details. +# See cache_replacement_policy for details on algorithms. #Default: # memory_replacement_policy lru @@ -2095,7 +3234,7 @@ http_port 3128 # heap LFUDA: Least Frequently Used with Dynamic Aging # heap LRU : LRU policy implemented using a heap # -# Applies to any cache_dir lines listed below this. +# Applies to any cache_dir lines listed below this directive. # # The LRU policies keeps recently referenced objects. # @@ -2114,7 +3253,7 @@ http_port 3128 # replacement policies. # # NOTE: if using the LFUDA replacement policy you should increase -# the value of maximum_object_size above its default of 4096 KB to +# the value of maximum_object_size above its default of 4 MB to # to maximize the potential byte hit rate improvement of LFUDA. # # For more information about the GDSF and LFUDA cache replacement @@ -2123,10 +3262,34 @@ http_port 3128 #Default: # cache_replacement_policy lru +# TAG: minimum_object_size (bytes) +# Objects smaller than this size will NOT be saved on disk. The +# value is specified in bytes, and the default is 0 KB, which +# means all responses can be stored. +#Default: +# no limit + +# TAG: maximum_object_size (bytes) +# Set the default value for max-size parameter on any cache_dir. +# The value is specified in bytes, and the default is 4 MB. +# +# If you wish to get a high BYTES hit ratio, you should probably +# increase this (one 32 MB object hit counts for 3200 10KB +# hits). +# +# If you wish to increase hit ratio more than you want to +# save bandwidth you should leave this low. +# +# NOTE: if using the LFUDA replacement policy you should increase +# this value to maximize the byte hit rate improvement of LFUDA! +# See cache_replacement_policy for a discussion of this policy. +#Default: +# maximum_object_size 4 MB +maximum_object_size 153600 KB + # TAG: cache_dir -# Usage: -# -# cache_dir Type Directory-Name Fs-specific-data [options] +# Format: +# cache_dir Type Directory-Name Fs-specific-data [options] # # You can specify multiple cache_dir lines to spread the # cache among different disk partitions. @@ -2141,12 +3304,18 @@ http_port 3128 # The directory must exist and be writable by the Squid # process. Squid will NOT create this directory for you. # -# The ufs store type: +# In SMP configurations, cache_dir must not precede the workers option +# and should use configuration macros or conditionals to give each +# worker interested in disk caching a dedicated cache directory. +# +# +# ==== The ufs store type ==== # # "ufs" is the old well-known Squid storage format that has always # been there. # -# cache_dir ufs Directory-Name Mbytes L1 L2 [options] +# Usage: +# cache_dir ufs Directory-Name Mbytes L1 L2 [options] # # 'Mbytes' is the amount of disk space (MB) to use under this # directory. The default is 100 MB. Change this to suit your @@ -2161,23 +3330,27 @@ http_port 3128 # will be created under each first-level directory. The default # is 256. # -# The aufs store type: +# +# ==== The aufs store type ==== # # "aufs" uses the same storage format as "ufs", utilizing # POSIX-threads to avoid blocking the main Squid process on # disk-I/O. This was formerly known in Squid as async-io. # -# cache_dir aufs Directory-Name Mbytes L1 L2 [options] +# Usage: +# cache_dir aufs Directory-Name Mbytes L1 L2 [options] # # see argument descriptions under ufs above # -# The diskd store type: +# +# ==== The diskd store type ==== # # "diskd" uses the same storage format as "ufs", utilizing a # separate process to avoid blocking the main Squid process on # disk-I/O. # -# cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n] +# Usage: +# cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n] # # see argument descriptions under ufs above # @@ -2185,55 +3358,149 @@ http_port 3128 # stops opening new files. If this many messages are in the queues, # Squid won't open new files. Default is 64 # -# Q2 specifies the number of unacknowledged messages when Squid -# starts blocking. If this many messages are in the queues, -# Squid blocks until it receives some replies. Default is 72 +# Q2 specifies the number of unacknowledged messages when Squid +# starts blocking. If this many messages are in the queues, +# Squid blocks until it receives some replies. Default is 72 +# +# When Q1 < Q2 (the default), the cache directory is optimized +# for lower response time at the expense of a decrease in hit +# ratio. If Q1 > Q2, the cache directory is optimized for +# higher hit ratio at the expense of an increase in response +# time. +# +# +# ==== The rock store type ==== +# +# Usage: +# cache_dir rock Directory-Name Mbytes [options] +# +# The Rock Store type is a database-style storage. All cached +# entries are stored in a "database" file, using fixed-size slots. +# A single entry occupies one or more slots. +# +# If possible, Squid using Rock Store creates a dedicated kid +# process called "disker" to avoid blocking Squid worker(s) on disk +# I/O. One disker kid is created for each rock cache_dir. Diskers +# are created only when Squid, running in daemon mode, has support +# for the IpcIo disk I/O module. +# +# swap-timeout=msec: Squid will not start writing a miss to or +# reading a hit from disk if it estimates that the swap operation +# will take more than the specified number of milliseconds. By +# default and when set to zero, disables the disk I/O time limit +# enforcement. Ignored when using blocking I/O module because +# blocking synchronous I/O does not allow Squid to estimate the +# expected swap wait time. +# +# max-swap-rate=swaps/sec: Artificially limits disk access using +# the specified I/O rate limit. Swap out requests that +# would cause the average I/O rate to exceed the limit are +# delayed. Individual swap in requests (i.e., hits or reads) are +# not delayed, but they do contribute to measured swap rate and +# since they are placed in the same FIFO queue as swap out +# requests, they may wait longer if max-swap-rate is smaller. +# This is necessary on file systems that buffer "too +# many" writes and then start blocking Squid and other processes +# while committing those writes to disk. Usually used together +# with swap-timeout to avoid excessive delays and queue overflows +# when disk demand exceeds available disk "bandwidth". By default +# and when set to zero, disables the disk I/O rate limit +# enforcement. Currently supported by IpcIo module only. +# +# slot-size=bytes: The size of a database "record" used for +# storing cached responses. A cached response occupies at least +# one slot and all database I/O is done using individual slots so +# increasing this parameter leads to more disk space waste while +# decreasing it leads to more disk I/O overheads. Should be a +# multiple of your operating system I/O page size. Defaults to +# 16KBytes. A housekeeping header is stored with each slot and +# smaller slot-sizes will be rejected. The header is smaller than +# 100 bytes. +# +# +# ==== COMMON OPTIONS ==== +# +# no-store no new objects should be stored to this cache_dir. +# +# min-size=n the minimum object size in bytes this cache_dir +# will accept. It's used to restrict a cache_dir +# to only store large objects (e.g. AUFS) while +# other stores are optimized for smaller objects +# (e.g. Rock). +# Defaults to 0. +# +# max-size=n the maximum object size in bytes this cache_dir +# supports. +# The value in maximum_object_size directive sets +# the default unless more specific details are +# available (ie a small store capacity). +# +# Note: To make optimal use of the max-size limits you should order +# the cache_dir lines with the smallest max-size value first. +# +#Default: +# No disk cache. Store cache ojects only in memory. +# + +# Uncomment and adjust the following to add a disk cache directory. +#cache_dir ufs /var/spool/squid 100 16 256 +cache_dir ufs /var/spool/squid 4096 16 1024 + +# TAG: store_dir_select_algorithm +# How Squid selects which cache_dir to use when the response +# object will fit into more than one. +# +# Regardless of which algorithm is used the cache_dir min-size +# and max-size parameters are obeyed. As such they can affect +# the selection algorithm by limiting the set of considered +# cache_dir. +# +# Algorithms: +# +# least-load +# +# This algorithm is suited to caches with similar cache_dir +# sizes and disk speeds. # -# When Q1 < Q2 (the default), the cache directory is optimized -# for lower response time at the expense of a decrease in hit -# ratio. If Q1 > Q2, the cache directory is optimized for -# higher hit ratio at the expense of an increase in response -# time. +# The disk with the least I/O pending is selected. +# When there are multiple disks with the same I/O load ranking +# the cache_dir with most available capacity is selected. # -# The coss store type: +# When a mix of cache_dir sizes are configured the faster disks +# have a naturally lower I/O loading and larger disks have more +# capacity. So space used to store objects and data throughput +# may be very unbalanced towards larger disks. # -# NP: COSS filesystem in Squid-3 has been deemed too unstable for -# production use and has thus been removed from this release. -# We hope that it can be made usable again soon. # -# block-size=n defines the "block size" for COSS cache_dir's. -# Squid uses file numbers as block numbers. Since file numbers -# are limited to 24 bits, the block size determines the maximum -# size of the COSS partition. The default is 512 bytes, which -# leads to a maximum cache_dir size of 512<<24, or 8 GB. Note -# you should not change the coss block size after Squid -# has written some objects to the cache_dir. +# round-robin # -# The coss file store has changed from 2.5. Now it uses a file -# called 'stripe' in the directory names in the config - and -# this will be created by squid -z. +# This algorithm is suited to caches with unequal cache_dir +# disk sizes. # -# Common options: +# Each cache_dir is selected in a rotation. The next suitable +# cache_dir is used. # -# no-store, no new objects should be stored to this cache_dir +# Available cache_dir capacity is only considered in relation +# to whether the object will fit and meets the min-size and +# max-size parameters. # -# max-size=n, refers to the max object size in bytes this cache_dir -# supports. It is used to select the cache_dir to store the object. -# Note: To make optimal use of the max-size limits you should order -# the cache_dir lines with the smallest max-size value first and the -# ones with no max-size specification last. +# Disk I/O loading is only considered to prevent overload on slow +# disks. This algorithm does not spread objects by size, so any +# I/O loading per-disk may appear very unbalanced and volatile. # -# Note for coss, max-size must be less than COSS_MEMBUF_SZ, -# which can be changed with the --with-coss-membuf-size=N configure -# option. +# If several cache_dirs use similar min-size, max-size, or other +# limits to to reject certain responses, then do not group such +# cache_dir lines together, to avoid round-robin selection bias +# towards the first cache_dir after the group. Instead, interleave +# cache_dir lines from different groups. For example: # - -# Uncomment and adjust the following to add a disk cache directory. -#cache_dir ufs /var/spool/squid 100 16 256 -cache_dir ufs /var/spool/squid 4096 16 1024 - -# TAG: store_dir_select_algorithm -# Set this to 'round-robin' as an alternative. +# store_dir_select_algorithm round-robin +# cache_dir rock /hdd1 ... min-size=100000 +# cache_dir rock /ssd1 ... max-size=99999 +# cache_dir rock /hdd2 ... min-size=100000 +# cache_dir rock /ssd2 ... max-size=99999 +# cache_dir rock /hdd3 ... min-size=100000 +# cache_dir rock /ssd3 ... max-size=99999 #Default: # store_dir_select_algorithm least-load @@ -2244,46 +3511,53 @@ cache_dir ufs /var/spool/squid 4096 16 1024 # # A value of 0 indicates no limit. #Default: -# max_open_disk_fds 0 - -# TAG: minimum_object_size (bytes) -# Objects smaller than this size will NOT be saved on disk. The -# value is specified in kilobytes, and the default is 0 KB, which -# means there is no minimum. -#Default: -# minimum_object_size 0 KB - -# TAG: maximum_object_size (bytes) -# Objects larger than this size will NOT be saved on disk. The -# value is specified in kilobytes, and the default is 4MB. If -# you wish to get a high BYTES hit ratio, you should probably -# increase this (one 32 MB object hit counts for 3200 10KB -# hits). If you wish to increase speed more than your want to -# save bandwidth you should leave this low. -# -# NOTE: if using the LFUDA replacement policy you should increase -# this value to maximize the byte hit rate improvement of LFUDA! -# See replacement_policy below for a discussion of this policy. -#Default: -# maximum_object_size 4096 KB -maximum_object_size 153600 KB +# no limit # TAG: cache_swap_low (percent, 0-100) +# The low-water mark for AUFS/UFS/diskd cache object eviction by +# the cache_replacement_policy algorithm. +# +# Removal begins when the swap (disk) usage of a cache_dir is +# above this low-water mark and attempts to maintain utilization +# near the low-water mark. +# +# As swap utilization increases towards the high-water mark set +# by cache_swap_high object eviction becomes more agressive. +# +# The value difference in percentages between low- and high-water +# marks represent an eviction rate of 300 objects per second and +# the rate continues to scale in agressiveness by multiples of +# this above the high-water mark. +# +# Defaults are 90% and 95%. If you have a large cache, 5% could be +# hundreds of MB. If this is the case you may wish to set these +# numbers closer together. +# +# See also cache_swap_high and cache_replacement_policy #Default: # cache_swap_low 90 # TAG: cache_swap_high (percent, 0-100) +# The high-water mark for AUFS/UFS/diskd cache object eviction by +# the cache_replacement_policy algorithm. # -# The low- and high-water marks for cache object replacement. -# Replacement begins when the swap (disk) usage is above the -# low-water mark and attempts to maintain utilization near the -# low-water mark. As swap utilization gets close to high-water -# mark object eviction becomes more aggressive. If utilization is -# close to the low-water mark less replacement is done each time. +# Removal begins when the swap (disk) usage of a cache_dir is +# above the low-water mark set by cache_swap_low and attempts to +# maintain utilization near the low-water mark. +# +# As swap utilization increases towards this high-water mark object +# eviction becomes more agressive. +# +# The value difference in percentages between low- and high-water +# marks represent an eviction rate of 300 objects per second and +# the rate continues to scale in agressiveness by multiples of +# this above the high-water mark. # # Defaults are 90% and 95%. If you have a large cache, 5% could be # hundreds of MB. If this is the case you may wish to set these # numbers closer together. +# +# See also cache_swap_low and cache_replacement_policy #Default: # cache_swap_high 95 @@ -2313,21 +3587,62 @@ maximum_object_size 153600 KB # ' output as-is # # - left aligned -# width field width. If starting with 0 the -# output is zero padded +# +# width minimum and/or maximum field width: +# [width_min][.width_max] +# When minimum starts with 0, the field is zero-padded. +# String values exceeding maximum width are truncated. +# # {arg} argument such as header name etc # # Format codes: # # % a literal % character +# sn Unique sequence number per log line entry +# err_code The ID of an error response served by Squid or +# a similar internal error identifier. +# err_detail Additional err_code-dependent error information. +# note The annotation specified by the argument. Also +# logs the adaptation meta headers set by the +# adaptation_meta configuration parameter. +# If no argument given all annotations logged. +# The argument may include a separator to use with +# annotation values: +# name[:separator] +# By default, multiple note values are separated with "," +# and multiple notes are separated with "\r\n". +# When logging named notes with %{name}note, the +# explicitly configured separator is used between note +# values. When logging all notes with %note, the +# explicitly configured separator is used between +# individual notes. There is currently no way to +# specify both value and notes separators when logging +# all notes with %note. +# +# Connection related format codes: +# # >a Client source IP address # >A Client FQDN # >p Client source port -# eui Client source EUI (MAC address, EUI-48 or EUI-64 identifier) +# >la Local IP address the client connected to +# >lp Local port number the client connected to +# >qos Client connection TOS/DSCP value set by Squid +# >nfmark Client connection netfilter mark set by Squid +# +# la Local listening IP address the client connection was connected to. +# lp Local listening port number the client connection was connected to. +# +# . format. +# Currently, Squid considers the master transaction +# started when a complete HTTP request header initiating +# the transaction is received from the client. This is +# the same value that Squid uses to calculate transaction +# response time when logging %tr to access.log. Currently, +# Squid uses millisecond resolution for %tS values, +# similar to the default access.log "current time" field +# (%ts.%03tu). +# +# Access Control related format codes: +# +# et Tag returned by external acl +# ea Log string returned by external acl +# un User name (any available) +# ul User name from authentication +# ue User name from external acl helper +# ui User name from ident +# un A user name. Expands to the first available name +# from the following list of information sources: +# - authenticated user name, like %ul +# - user name supplied by an external ACL, like %ue +# - SSL client name, like %us +# - ident user name, like %ui +# credentials Client credentials. The exact meaning depends on +# the authentication scheme: For Basic authentication, +# it is the password; for Digest, the realm sent by the +# client; for NTLM and Negotiate, the client challenge +# or client credentials prefixed with "YR " or "KK ". +# +# HTTP related format codes: +# +# REQUEST # -# HTTP cache related format codes: -# -# [http::]>h Original request header. Optional header name argument -# on the format header[:[separator]element] -# [http::]>ha The HTTP request headers after adaptation and redirection. +# [http::]rm Request method (GET/POST etc) +# [http::]>rm Request method from client +# [http::]ru Request URL from client +# [http::]rs Request URL scheme from client +# [http::]rd Request URL domain from client +# [http::]rP Request URL port from client +# [http::]rp Request URL path excluding hostname from client +# [http::]rv Request protocol version from client +# [http::]h Original received request header. +# Usually differs from the request header sent by +# Squid, although most fields are often preserved. +# Accepts optional header field name/value filter +# argument using name[:[separator]element] format. +# [http::]>ha Received request header after adaptation and +# redirection (pre-cache REQMOD vectoring point). +# Usually differs from the request header sent by +# Squid, although most fields are often preserved. # Optional header name argument as for >h +# +# +# RESPONSE +# +# [http::]Hs HTTP status code sent to the client +# # [http::]h -# [http::]un User name -# [http::]ul User name from authentication -# [http::]ui User name from ident -# [http::]us User name from SSL -# [http::]ue User name from external acl helper -# [http::]>Hs HTTP status code sent to the client -# [http::]st Received request size including HTTP headers. In the -# case of chunked requests the chunked encoding metadata -# are not included -# [http::]>sh Received HTTP request headers size -# [http::]st Total size of request received from client. +# Excluding chunked encoding bytes. +# [http::]sh Size of request headers received from client +# [http::]sni SSL client SNI sent to Squid. Available only +# after the peek, stare, or splice SSL bumping +# actions. +# +# If ICAP is enabled, the following code becomes available (as # well as ICAP log codes documented with the icap_log option): # # icap::tt Total ICAP processing time for the HTTP @@ -2386,14 +3793,13 @@ maximum_object_size 153600 KB # ACLs are checked and when ICAP # transaction is in progress. # -# icap::cert_subject The Subject field of the received client +# SSL certificate or a dash ('-') if Squid has +# received an invalid/malformed certificate or +# no certificate at all. Consider encoding the +# logged value because Subject often has spaces. +# +# %ssl::>cert_issuer The Issuer field of the received client +# SSL certificate or a dash ('-') if Squid has +# received an invalid/malformed certificate or +# no certificate at all. Consider encoding the +# logged value because Issuer often has spaces. +# # The default formats available (which do not need re-defining) are: # -#logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %a %Ss/%03>Hs %h] [%a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh +#logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh +#logformat referrer %ts.%03tu %>a %{Referer}>h %ru +#logformat useragent %>a [%tl] "%{User-Agent}>h" +# +# NOTE: When the log_mime_hdrs directive is set to ON. +# The squid, common and combined formats have a safely encoded copy +# of the mime headers appended to each line within a pair of brackets. +# +# NOTE: The common and combined formats are not quite true to the Apache definition. +# The logs from Squid contain an extra status and hierarchy code appended. +# #Default: -# none +# The format definitions squid, common, combined, referrer, useragent are built in. # TAG: access_log -# These files log client request activities. Has a line every HTTP or -# ICP request. The format is: -# access_log [ [acl acl ...]] -# access_log none [acl acl ...]] +# Configures whether and how Squid logs HTTP and ICP transactions. +# If access logging is enabled, a single line is logged for every +# matching HTTP or ICP request. The recommended directive formats are: # -# Will log to the specified file using the specified format (which -# must be defined in a logformat directive) those entries which match -# ALL the acl's specified (which must be defined in acl clauses). +# access_log : [option ...] [acl acl ...] +# access_log none [acl acl ...] # -# If no acl is specified, all requests will be logged to this file. +# The following directive format is accepted but may be deprecated: +# access_log : [ [acl acl ...]] # -# To disable logging of a request use the filepath "none", in which case -# a logformat name should not be specified. +# In most cases, the first ACL name must not contain the '=' character +# and should not be equal to an existing logformat name. You can always +# start with an 'all' ACL to work around those restrictions. +# +# Will log to the specified module:place using the specified format (which +# must be defined in a logformat directive) those entries which match +# ALL the acl's specified (which must be defined in acl clauses). +# If no acl is specified, all requests will be logged to this destination. +# +# ===== Available options for the recommended directive format ===== +# +# logformat=name Names log line format (either built-in or +# defined by a logformat directive). Defaults +# to 'squid'. +# +# buffer-size=64KB Defines approximate buffering limit for log +# records (see buffered_logs). Squid should not +# keep more than the specified size and, hence, +# should flush records before the buffer becomes +# full to avoid overflows under normal +# conditions (the exact flushing algorithm is +# module-dependent though). The on-error option +# controls overflow handling. +# +# on-error=die|drop Defines action on unrecoverable errors. The +# 'drop' action ignores (i.e., does not log) +# affected log records. The default 'die' action +# kills the affected worker. The drop action +# support has not been tested for modules other +# than tcp. +# +# ===== Modules Currently available ===== +# +# none Do not log any requests matching these ACL. +# Do not specify Place or logformat name. +# +# stdio Write each log line to disk immediately at the completion of +# each request. +# Place: the filename and path to be written. +# +# daemon Very similar to stdio. But instead of writing to disk the log +# line is passed to a daemon helper for asychronous handling instead. +# Place: varies depending on the daemon. +# +# log_file_daemon Place: the file name and path to be written. +# +# syslog To log each request via syslog facility. +# Place: The syslog facility and priority level for these entries. +# Place Format: facility.priority # -# To log the request via syslog specify a filepath of "syslog": +# where facility could be any of: +# authpriv, daemon, local0 ... local7 or user. # -# access_log syslog[:facility.priority] [format [acl1 [acl2 ....]]] -# where facility could be any of: -# authpriv, daemon, local0 .. local7 or user. +# And priority could be any of: +# err, warning, notice, info, debug. +# +# udp To send each log line as text data to a UDP receiver. +# Place: The destination host name or IP and port. +# Place Format: //host:port # -# And priority could be any of: -# err, warning, notice, info, debug. +# tcp To send each log line as text data to a TCP receiver. +# Lines may be accumulated before sending (see buffered_logs). +# Place: The destination host name or IP and port. +# Place Format: //host:port # # Default: -# access_log /var/log/squid/access.log squid +# access_log daemon:/var/log/squid/access.log squid #Default: -# access_log /var/log/squid/access.log squid +# access_log daemon:/var/log/squid/access.log squid # TAG: icap_log # ICAP log files record ICAP transaction summaries, one line per @@ -2472,13 +3953,35 @@ maximum_object_size 153600 KB # ICAP transaction log lines will correspond to a single access # log line. # -# ICAP log uses logformat codes that make sense for an ICAP -# transaction. Header-related codes are applied to the HTTP header -# embedded in an ICAP server response, with the following caveats: -# For REQMOD, there is no HTTP response header unless the ICAP -# server performed request satisfaction. For RESPMOD, the HTTP -# request header is the header sent to the ICAP server. For -# OPTIONS, there are no HTTP headers. +# ICAP log supports many access.log logformat %codes. In ICAP context, +# HTTP message-related %codes are applied to the HTTP message embedded +# in an ICAP message. Logformat "%http::>..." codes are used for HTTP +# messages embedded in ICAP requests while "%http::<..." codes are used +# for HTTP messages embedded in ICAP responses. For example: +# +# http::>h To-be-adapted HTTP message headers sent by Squid to +# the ICAP service. For REQMOD transactions, these are +# HTTP request headers. For RESPMOD, these are HTTP +# response headers, but Squid currently cannot log them +# (i.e., %http::>h will expand to "-" for RESPMOD). +# +# http::st Bytes sent to the ICAP server (TCP payload -# only; i.e., what Squid writes to the socket). +# icap::>st The total size of the ICAP request sent to the ICAP +# server (ICAP headers + ICAP body), including chunking +# metadata (if any). # -# icap::a %icap::to/%03icap::Hs %icap::A %icap::to/%03icap::Hs %icap::\n - logfile data +# R\n - rotate file +# T\n - truncate file +# O\n - reopen file +# F\n - flush file +# r\n - set rotate count to +# b\n - 1 = buffer output, 0 = don't buffer output +# +# No responses is expected. #Default: -# none +# logfile_daemon /usr/lib/squid/log_file_daemon -# TAG: log_icap -# This options allows you to control which requests get logged -# to icap.log. See the icap_log directive for ICAP log details. +# TAG: stats_collection allow|deny acl acl... +# This options allows you to control which requests gets accounted +# in performance counters. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow logging for all transactions. # TAG: cache_store_log # Logs the activities of the storage manager. Shows which # objects are ejected from the cache, and which objects are -# saved and for how long. To disable, enter "none" or remove the line. +# saved and for how long. # There are not really utilities to analyze this data, so you can safely -# disable it. -# +# disable it (the default). +# +# Store log uses modular logging outputs. See access_log for the list +# of modules supported. +# # Example: -# cache_store_log /var/log/squid/store.log +# cache_store_log stdio:/var/log/squid/store.log +# cache_store_log daemon:/var/log/squid/store.log #Default: # none @@ -2590,7 +4111,7 @@ maximum_object_size 153600 KB # them). We recommend you do NOT use this option. It is # better to keep these index files in each 'cache_dir' directory. #Default: -# none +# Store the journal inside its cache_dir # TAG: logfile_rotate # Specifies the number of logfile rotations to make when you @@ -2607,34 +4128,19 @@ maximum_object_size 153600 KB # in the habit of using 'squid -k rotate' instead of 'kill -USR1 # '. # -# Note, from Squid-3.1 this option has no effect on the cache.log, -# that log can be rotated separately by using debug_options +# Note, from Squid-3.1 this option is only a default for cache.log, +# that log can be rotated separately by using debug_options. # -# Note2, for Debian/Linux the default of logfile_rotate is -# zero, since it includes external logfile-rotation methods. +# Note2, for Debian/Linux the default of logfile_rotate is +# zero, since it includes external logfile-rotation methods. #Default: # logfile_rotate 0 -# TAG: emulate_httpd_log on|off -# The Cache can emulate the log file format which many 'httpd' -# programs use. To disable/enable this emulation, set -# emulate_httpd_log to 'off' or 'on'. The default -# is to use the native log format since it includes useful -# information Squid-specific log analyzers use. -#Default: -# emulate_httpd_log off - -# TAG: log_ip_on_direct on|off -# Log the destination IP address in the hierarchy log tag when going -# direct. Earlier Squid versions logged the hostname here. If you -# prefer the old way set this to off. -#Default: -# log_ip_on_direct on - # TAG: mime_table -# Pathname to Squid's MIME table. You shouldn't need to change -# this, but the default file contains examples and formatting -# information if you do. +# Path to Squid's icon configuration file. +# +# You shouldn't need to change this, but the default file contains +# examples and formatting information if you do. #Default: # mime_table /usr/share/squid/mime.conf @@ -2647,91 +4153,61 @@ maximum_object_size 153600 KB #Default: # log_mime_hdrs off -# TAG: useragent_log -# Note: This option is only available if Squid is rebuilt with the -# --enable-useragent-log option -# -# Squid will write the User-Agent field from HTTP requests -# to the filename specified here. By default useragent_log -# is disabled. -#Default: -# none - -# TAG: referer_log -# Note: This option is only available if Squid is rebuilt with the -# --enable-referer-log option -# -# Squid will write the Referer field from HTTP requests to the -# filename specified here. By default referer_log is disabled. -# Note that "referer" is actually a misspelling of "referrer" -# however the misspelt version has been accepted into the HTTP RFCs -# and we accept both. -#Default: -# none - # TAG: pid_filename # A filename to write the process-id to. To disable, enter "none". #Default: # pid_filename /var/run/squid.pid -# TAG: log_fqdn on|off -# Turn this on if you wish to log fully qualified domain names -# in the access.log. To do this Squid does a DNS lookup of all -# IP's connecting to it. This can (in some situations) increase -# latency, which makes your cache seem slower for interactive -# browsing. -#Default: -# log_fqdn off - # TAG: client_netmask # A netmask for client addresses in logfiles and cachemgr output. # Change this to protect the privacy of your cache clients. # A netmask of 255.255.255.0 will log all IP's in that range with # the last digit set to '0'. #Default: -# client_netmask no_addr - -# TAG: forward_log -# Note: This option is only available if Squid is rebuilt with the -# -DWIP_FWD_LOG define -# -# Logs the server-side requests. -# -# This is currently work in progress. -#Default: -# none +# Log full client IP address # TAG: strip_query_terms # By default, Squid strips query terms from requested URLs before -# logging. This protects your user's privacy. +# logging. This protects your user's privacy and reduces log size. +# +# When investigating HIT/MISS or other caching behaviour you +# will need to disable this to see the full URL used by Squid. #Default: # strip_query_terms on # TAG: buffered_logs on|off -# cache.log log file is written with stdio functions, and as such -# it can be buffered or unbuffered. By default it will be unbuffered. -# Buffering it can speed up the writing slightly (though you are -# unlikely to need to worry unless you run with tons of debugging -# enabled in which case performance will suffer badly anyway..). +# Whether to write/send access_log records ASAP or accumulate them and +# then write/send them in larger chunks. Buffering may improve +# performance because it decreases the number of I/Os. However, +# buffering increases the delay before log records become available to +# the final recipient (e.g., a disk file or logging daemon) and, +# hence, increases the risk of log records loss. +# +# Note that even when buffered_logs are off, Squid may have to buffer +# records if it cannot write/send them immediately due to pending I/Os +# (e.g., the I/O writing the previous log record) or connectivity loss. +# +# Currently honored by 'daemon' and 'tcp' access_log modules only. #Default: # buffered_logs off # TAG: netdb_filename -# Note: This option is only available if Squid is rebuilt with the -# --enable-icmp option +# Where Squid stores it's netdb journal. +# When enabled this journal preserves netdb state between restarts. # -# A filename where Squid stores it's netdb state between restarts. # To disable, enter "none". #Default: -# netdb_filename /var/log/squid/netdb.state +# netdb_filename stdio:/var/log/squid/netdb.state # OPTIONS FOR TROUBLESHOOTING # ----------------------------------------------------------------------------- # TAG: cache_log -# Cache logging file. This is where general information about -# your cache's behavior goes. You can increase the amount of data -# logged to this file and how often its rotated with "debug_options" +# Squid administrative logging file. +# +# This is where general information about Squid behavior goes. You can +# increase the amount of data logged to this file and how often it is +# rotated with "debug_options" #Default: # cache_log /var/log/squid/cache.log @@ -2742,14 +4218,14 @@ maximum_object_size 153600 KB # log file, so be careful. # # The magic word "ALL" sets debugging levels for all sections. -# We recommend normally running with "ALL,1". +# The default is to run with "ALL,1" to record important warnings. # # The rotate=N option can be used to keep more or less of these logs # than would otherwise be kept by logfile_rotate. # For most uses a single log should be enough to monitor current # events affecting Squid. #Default: -# debug_options ALL,1 +# Log all critical and important messages. # TAG: coredump_dir # By default Squid leaves core files in the directory from where @@ -2758,7 +4234,7 @@ maximum_object_size 153600 KB # and coredump files will be left there. # #Default: -# coredump_dir none +# Use the directory from where Squid was started. # # Leave coredumps in the first cache dir @@ -2769,24 +4245,17 @@ coredump_dir /var/spool/squid # TAG: ftp_user # If you want the anonymous login password to be more informative -# (and enable the use of picky ftp servers), set this to something +# (and enable the use of picky FTP servers), set this to something # reasonable for your domain, like wwwuser@somewhere.net # # The reason why this is domainless by default is the # request can be made on the behalf of a user in any domain, # depending on how the cache is used. -# Some ftp server also validate the email address is valid +# Some FTP server also validate the email address is valid # (for example perl.com). #Default: # ftp_user Squid@ -# TAG: ftp_list_width -# Sets the width of ftp listings. This should be set to fit in -# the width of a standard browser. Setting this too small -# can cut off long filenames when browsing ftp sites. -#Default: -# ftp_list_width 32 - # TAG: ftp_passive # If your firewall does not allow Squid to use passive # connections, turn off this option. @@ -2822,13 +4291,21 @@ coredump_dir /var/spool/squid # and therefore, translation of the data portion of the segments # will never be needed. # -# Turning this OFF will prevent EPSV being attempted. -# WARNING: Doing so will convert Squid back to the old behavior with all -# the related problems with external NAT devices/layers. +# EPSV is often required to interoperate with FTP servers on IPv6 +# networks. On the other hand, it may break some IPv4 servers. +# +# By default, EPSV may try EPSV with any FTP server. To fine tune +# that decision, you may restrict EPSV to certain clients or servers +# using ACLs: # +# ftp_epsv allow|deny al1 acl2 ... +# +# WARNING: Disabling EPSV may cause problems with external NAT and IPv6. +# +# Only fast ACLs are supported. # Requires ftp_passive to be ON (default) for any effect. #Default: -# ftp_epsv on +# none # TAG: ftp_eprt # FTP Protocol extensions permit the use of a special "EPRT" command. @@ -2889,22 +4366,16 @@ coredump_dir /var/spool/squid # unlinkd_program /usr/lib/squid/unlinkd # TAG: pinger_program -# Note: This option is only available if Squid is rebuilt with the -# --enable-icmp option -# # Specify the location of the executable for the pinger process. #Default: # pinger_program /usr/lib/squid/pinger # TAG: pinger_enable -# Note: This option is only available if Squid is rebuilt with the -# --enable-icmp option -# # Control whether the pinger is active at run-time. # Enables turning ICMP pinger on and off with a simple # squid -k reconfigure. #Default: -# pinger_enable off +# pinger_enable on # OPTIONS FOR URL REWRITING # ----------------------------------------------------------------------------- @@ -2915,68 +4386,137 @@ coredump_dir /var/spool/squid # # For each requested URL, the rewriter will receive on line with the format # -# URL client_ip "/" fqdn user method [ kvpairs] +# [channel-ID ] URL [ extras] +# +# See url_rewrite_extras on how to send "extras" with optional values to +# the helper. +# After processing the request the helper must reply using the following format: +# +# [channel-ID ] result [ kv-pairs] +# +# The result code can be: +# +# OK status=30N url="..." +# Redirect the URL to the one supplied in 'url='. +# 'status=' is optional and contains the status code to send +# the client in Squids HTTP response. It must be one of the +# HTTP redirect status codes: 301, 302, 303, 307, 308. +# When no status is given Squid will use 302. +# +# OK rewrite-url="..." +# Rewrite the URL to the one supplied in 'rewrite-url='. +# The new URL is fetched directly by Squid and returned to +# the client as the response to its request. # -# In the future, the rewriter interface will be extended with -# key=value pairs ("kvpairs" shown above). Rewriter programs -# should be prepared to receive and possibly ignore additional -# whitespace-separated tokens on each input line. +# OK +# When neither of url= and rewrite-url= are sent Squid does +# not change the URL. # -# And the rewriter may return a rewritten URL. The other components of -# the request line does not need to be returned (ignored if they are). +# ERR +# Do not change the URL. # -# The rewriter can also indicate that a client-side redirect should -# be performed to the new URL. This is done by prefixing the returned -# URL with "301:" (moved permanently) or 302: (moved temporarily), etc. +# BH +# An internal error occurred in the helper, preventing +# a result being identified. The 'message=' key name is +# reserved for delivering a log message. +# +# +# In addition to the above kv-pairs Squid also understands the following +# optional kv-pairs received from URL rewriters: +# clt_conn_tag=TAG +# Associates a TAG with the client TCP connection. +# The TAG is treated as a regular annotation but persists across +# future requests on the client connection rather than just the +# current request. A helper may update the TAG during subsequent +# requests be returning a new kv-pair. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# WARNING: URL re-writing ability should be avoided whenever possible. +# Use the URL redirect form of response instead. +# +# Re-write creates a difference in the state held by the client +# and server. Possibly causing confusion when the server response +# contains snippets of its view state. Embeded URLs, response +# and content Location headers, etc. are not re-written by this +# interface. # # By default, a URL rewriter is not used. #Default: # none # TAG: url_rewrite_children -# The number of redirector processes to spawn. If you start -# too few Squid will have to wait for them to process a backlog of -# URLs, slowing it down. If you start too many they will use RAM -# and other system resources. -#Default: -# url_rewrite_children 5 - -# TAG: url_rewrite_concurrency +# The maximum number of redirector processes to spawn. If you limit +# it too few Squid will have to wait for them to process a backlog of +# URLs, slowing it down. If you allow too many they will use RAM +# and other system resources noticably. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup= +# +# Sets a minimum of how many processes are to be spawned when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few will cause an initial slowdown in traffic as Squid +# attempts to simultaneously spawn enough processes to cope. +# +# idle= +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# # The number of requests each redirector helper can handle in # parallel. Defaults to 0 which indicates the redirector # is a old-style single threaded redirector. # # When this directive is set to a value >= 1 then the protocol # used to communicate with the helper is modified to include -# a request ID in front of the request/response. The request -# ID from the request must be echoed back with the response -# to that request. +# an ID in front of the request/response. The ID from the request +# must be echoed back with the response to that request. #Default: -# url_rewrite_concurrency 0 +# url_rewrite_children 20 startup=0 idle=1 concurrency=0 # TAG: url_rewrite_host_header -# By default Squid rewrites any Host: header in redirected -# requests. If you are running an accelerator this may -# not be a wanted effect of a redirector. -# +# To preserve same-origin security policies in browsers and +# prevent Host: header forgery by redirectors Squid rewrites +# any Host: header in redirected requests. +# +# If you are running an accelerator this may not be a wanted +# effect of a redirector. This directive enables you disable +# Host: alteration in reverse-proxy traffic. +# # WARNING: Entries are cached on the result of the URL rewriting # process, so be careful if you have domain-virtual hosts. +# +# WARNING: Squid and other software verifies the URL and Host +# are matching, so be careful not to relay through other proxies +# or inspecting firewalls with this disabled. #Default: # url_rewrite_host_header on # TAG: url_rewrite_access # If defined, this access list specifies which requests are -# sent to the redirector processes. By default all requests -# are sent. +# sent to the redirector processes. # # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: url_rewrite_bypass # When this is 'on', a request will not go through the -# redirector if all redirectors are busy. If this is 'off' +# redirector if all the helpers are busy. If this is 'off' # and the redirector queue grows too large, Squid will exit # with a FATAL error and ask you to increase the number of # redirectors. You should only enable this if the redirectors @@ -2987,23 +4527,231 @@ coredump_dir /var/spool/squid #Default: # url_rewrite_bypass off -# OPTIONS FOR TUNING THE CACHE +# TAG: url_rewrite_extras +# Specifies a string to be append to request line format for the +# rewriter helper. "Quoted" format values may contain spaces and +# logformat %macros. In theory, any logformat %macro can be used. +# In practice, a %macro expands as a dash (-) if the helper request is +# sent before the required macro information is available to Squid. +#Default: +# url_rewrite_extras "%>a/%>A %un %>rm myip=%la myport=%lp" + +# OPTIONS FOR STORE ID # ----------------------------------------------------------------------------- -# TAG: cache -# A list of ACL elements which, if matched and denied, cause the request to -# not be satisfied from the cache and the reply to not be cached. -# In other words, use this to force certain objects to never be cached. +# TAG: store_id_program +# Specify the location of the executable StoreID helper to use. +# Since they can perform almost any function there isn't one included. # -# You must use the words 'allow' or 'deny' to indicate whether items -# matching the ACL should be allowed or denied into the cache. +# For each requested URL, the helper will receive one line with the format # -# Default is to allow all to be cached. +# [channel-ID ] URL [ extras] +# +# +# After processing the request the helper must reply using the following format: +# +# [channel-ID ] result [ kv-pairs] +# +# The result code can be: +# +# OK store-id="..." +# Use the StoreID supplied in 'store-id='. +# +# ERR +# The default is to use HTTP request URL as the store ID. +# +# BH +# An internal error occured in the helper, preventing +# a result being identified. +# +# In addition to the above kv-pairs Squid also understands the following +# optional kv-pairs received from URL rewriters: +# clt_conn_tag=TAG +# Associates a TAG with the client TCP connection. +# Please see url_rewrite_program related documentation for this +# kv-pair +# +# Helper programs should be prepared to receive and possibly ignore +# additional whitespace-separated tokens on each input line. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# NOTE: when using StoreID refresh_pattern will apply to the StoreID +# returned from the helper and not the URL. +# +# WARNING: Wrong StoreID value returned by a careless helper may result +# in the wrong cached response returned to the user. +# +# By default, a StoreID helper is not used. +#Default: +# none + +# TAG: store_id_extras +# Specifies a string to be append to request line format for the +# StoreId helper. "Quoted" format values may contain spaces and +# logformat %macros. In theory, any logformat %macro can be used. +# In practice, a %macro expands as a dash (-) if the helper request is +# sent before the required macro information is available to Squid. +#Default: +# store_id_extras "%>a/%>A %un %>rm myip=%la myport=%lp" + +# TAG: store_id_children +# The maximum number of StoreID helper processes to spawn. If you limit +# it too few Squid will have to wait for them to process a backlog of +# requests, slowing it down. If you allow too many they will use RAM +# and other system resources noticably. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup= +# +# Sets a minimum of how many processes are to be spawned when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few will cause an initial slowdown in traffic as Squid +# attempts to simultaneously spawn enough processes to cope. +# +# idle= +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# +# The number of requests each storeID helper can handle in +# parallel. Defaults to 0 which indicates the helper +# is a old-style single threaded program. +# +# When this directive is set to a value >= 1 then the protocol +# used to communicate with the helper is modified to include +# an ID in front of the request/response. The ID from the request +# must be echoed back with the response to that request. +#Default: +# store_id_children 20 startup=0 idle=1 concurrency=0 + +# TAG: store_id_access +# If defined, this access list specifies which requests are +# sent to the StoreID processes. By default all requests +# are sent. # # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow, unless rules exist in squid.conf. + +# TAG: store_id_bypass +# When this is 'on', a request will not go through the +# helper if all helpers are busy. If this is 'off' +# and the helper queue grows too large, Squid will exit +# with a FATAL error and ask you to increase the number of +# helpers. You should only enable this if the helperss +# are not critical to your caching system. If you use +# helpers for critical caching components, and you enable this +# option, users may not get objects from cache. +#Default: +# store_id_bypass on + +# OPTIONS FOR TUNING THE CACHE +# ----------------------------------------------------------------------------- + +# TAG: cache +# Requests denied by this directive will not be served from the cache +# and their responses will not be stored in the cache. This directive +# has no effect on other transactions and on already cached responses. +# +# This clause supports both fast and slow acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# This and the two other similar caching directives listed below are +# checked at different transaction processing stages, have different +# access to response information, affect different cache operations, +# and differ in slow ACLs support: +# +# * cache: Checked before Squid makes a hit/miss determination. +# No access to reply information! +# Denies both serving a hit and storing a miss. +# Supports both fast and slow ACLs. +# * send_hit: Checked after a hit was detected. +# Has access to reply (hit) information. +# Denies serving a hit only. +# Supports fast ACLs only. +# * store_miss: Checked before storing a cachable miss. +# Has access to reply (miss) information. +# Denies storing a miss only. +# Supports fast ACLs only. +# +# If you are not sure which of the three directives to use, apply the +# following decision logic: +# +# * If your ACL(s) are of slow type _and_ need response info, redesign. +# Squid does not support that particular combination at this time. +# Otherwise: +# * If your directive ACL(s) are of slow type, use "cache"; and/or +# * if your directive ACL(s) need no response info, use "cache". +# Otherwise: +# * If you do not want the response cached, use store_miss; and/or +# * if you do not want a hit on a cached response, use send_hit. +#Default: +# By default, this directive is unused and has no effect. + +# TAG: send_hit +# Responses denied by this directive will not be served from the cache +# (but may still be cached, see store_miss). This directive has no +# effect on the responses it allows and on the cached objects. +# +# Please see the "cache" directive for a summary of differences among +# store_miss, send_hit, and cache directives. +# +# Unlike the "cache" directive, send_hit only supports fast acl +# types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# For example: +# +# # apply custom Store ID mapping to some URLs +# acl MapMe dstdomain .c.example.com +# store_id_program ... +# store_id_access allow MapMe +# +# # but prevent caching of special responses +# # such as 302 redirects that cause StoreID loops +# acl Ordinary http_status 200-299 +# store_miss deny MapMe !Ordinary +# +# # and do not serve any previously stored special responses +# # from the cache (in case they were already cached before +# # the above store_miss rule was in effect). +# send_hit deny MapMe !Ordinary +#Default: +# By default, this directive is unused and has no effect. + +# TAG: store_miss +# Responses denied by this directive will not be cached (but may still +# be served from the cache, see send_hit). This directive has no +# effect on the responses it allows and on the already cached responses. +# +# Please see the "cache" directive for a summary of differences among +# store_miss, send_hit, and cache directives. See the +# send_hit directive for a usage example. +# +# Unlike the "cache" directive, store_miss only supports fast acl +# types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# By default, this directive is unused and has no effect. + +# TAG: max_stale time-units +# This option puts an upper limit on how stale content Squid +# will serve from the cache if cache validation fails. +# Can be overriden by the refresh_pattern max-stale option. +#Default: +# max_stale 1 week # TAG: refresh_pattern # usage: refresh_pattern [-i] regex min percent max [options] @@ -3028,12 +4776,13 @@ coredump_dir /var/spool/squid # override-lastmod # reload-into-ims # ignore-reload -# ignore-no-cache # ignore-no-store # ignore-must-revalidate # ignore-private # ignore-auth +# max-stale=NN # refresh-ims +# store-stale # # override-expire enforces min age even if the server # sent an explicit expiry time (e.g., with the @@ -3049,22 +4798,18 @@ coredump_dir /var/spool/squid # override-lastmod enforces min age even on objects # that were modified recently. # -# reload-into-ims changes client no-cache or ``reload'' -# to If-Modified-Since requests. Doing this VIOLATES the -# HTTP standard. Enabling this feature could make you -# liable for problems which it causes. +# reload-into-ims changes a client no-cache or ``reload'' +# request for a cached entry into a conditional request using +# If-Modified-Since and/or If-None-Match headers, provided the +# cached entry has a Last-Modified and/or a strong ETag header. +# Doing this VIOLATES the HTTP standard. Enabling this feature +# could make you liable for problems which it causes. # # ignore-reload ignores a client no-cache or ``reload'' # header. Doing this VIOLATES the HTTP standard. Enabling # this feature could make you liable for problems which # it causes. # -# ignore-no-cache ignores any ``Pragma: no-cache'' and -# ``Cache-control: no-cache'' headers received from a server. -# The HTTP RFC never allows the use of this (Pragma) header -# from a server, only a client, though plenty of servers -# send it anyway. -# # ignore-no-store ignores any ``Cache-control: no-store'' # headers received from a server. Doing this VIOLATES # the HTTP standard. Enabling this feature could make you @@ -3091,9 +4836,19 @@ coredump_dir /var/spool/squid # ensures that the client will receive an updated version # if one is available. # +# store-stale stores responses even if they don't have explicit +# freshness or a validator (i.e., Last-Modified or an ETag) +# present, or if they're already stale. By default, Squid will +# not cache such responses because they usually can't be +# reused. Note that such responses will be stale by default. +# +# max-stale=NN provide a maximum staleness factor. Squid won't +# serve objects more stale than this even if it failed to +# validate the object. Default: use the max_stale global limit. +# # Basically a cached object is: # -# FRESH if expires < now, else STALE +# FRESH if expire > now, else STALE # STALE if age > max # FRESH if lm-factor < percent, else STALE # FRESH if age < min @@ -3109,7 +4864,9 @@ coredump_dir /var/spool/squid # # +# # Add any of your own refresh_pattern entries above these. +# refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 @@ -3137,7 +4894,7 @@ refresh_pattern . 0 20% 4320 # downloads. # # When the user aborts a request, Squid will check the -# quick_abort values to the amount of data transfered until +# quick_abort values to the amount of data transferred until # then. # # If the transfer has less than 'quick_abort_min' KB remaining, @@ -3195,44 +4952,68 @@ refresh_pattern . 0 20% 4320 #Default: # negative_dns_ttl 1 minutes -# TAG: range_offset_limit (bytes) -# Sets a upper limit on how far into the the file a Range request -# may be to cause Squid to prefetch the whole file. If beyond this -# limit Squid forwards the Range request as it is and the result -# is NOT cached. -# +# TAG: range_offset_limit size [acl acl...] +# usage: (size) [units] [[!]aclname] +# +# Sets an upper limit on how far (number of bytes) into the file +# a Range request may be to cause Squid to prefetch the whole file. +# If beyond this limit, Squid forwards the Range request as it is and +# the result is NOT cached. +# # This is to stop a far ahead range request (lets say start at 17MB) # from making Squid fetch the whole object up to that point before # sending anything to the client. -# -# A value of 0 causes Squid to never fetch more than the +# +# Multiple range_offset_limit lines may be specified, and they will +# be searched from top to bottom on each request until a match is found. +# The first match found will be used. If no line matches a request, the +# default limit of 0 bytes will be used. +# +# 'size' is the limit specified as a number of units. +# +# 'units' specifies whether to use bytes, KB, MB, etc. +# If no units are specified bytes are assumed. +# +# A size of 0 causes Squid to never fetch more than the # client requested. (default) -# -# A value of -1 causes Squid to always fetch the object from the +# +# A size of 'none' causes Squid to always fetch the object from the # beginning so it may cache the result. (2.0 style) -# -# NP: Using -1 here will override any quick_abort settings that may -# otherwise apply to the range request. The range request will +# +# 'aclname' is the name of a defined ACL. +# +# NP: Using 'none' as the byte value here will override any quick_abort settings +# that may otherwise apply to the range request. The range request will # be fully fetched from start to finish regardless of the client # actions. This affects bandwidth usage. #Default: -# range_offset_limit 0 KB +# none # TAG: minimum_expiry_time (seconds) # The minimum caching time according to (Expires - Date) -# Headers Squid honors if the object can't be revalidated -# defaults to 60 seconds. In reverse proxy environments it -# might be desirable to honor shorter object lifetimes. It -# is most likely better to make your server return a -# meaningful Last-Modified header however. In ESI environments -# where page fragments often have short lifetimes, this will -# often be best set to 0. +# headers Squid honors if the object can't be revalidated. +# The default is 60 seconds. +# +# In reverse proxy environments it might be desirable to honor +# shorter object lifetimes. It is most likely better to make +# your server return a meaningful Last-Modified header however. +# +# In ESI environments where page fragments often have short +# lifetimes, this will often be best set to 0. #Default: # minimum_expiry_time 60 seconds -# TAG: store_avg_object_size (kbytes) +# TAG: store_avg_object_size (bytes) # Average object size, used to estimate number of objects your # cache can hold. The default is 13 KB. +# +# This is used to pre-seed the cache index memory allocation to +# reduce expensive reallocate operations while handling clients +# traffic. Too-large values may result in memory allocation during +# peak traffic, too-small values will result in wasted memory. +# +# Check the cache manager 'info' report metrics for the real +# object sizes seen by your Squid before tuning this. #Default: # store_avg_object_size 13 KB @@ -3271,8 +5052,11 @@ refresh_pattern . 0 20% 4320 # than this limit receives an "Invalid Request" error message. # If you set this parameter to a zero (the default), there will # be no limit imposed. +# +# See also client_request_buffer_max_size for an alternative +# limitation on client uploads which can be configured. #Default: -# request_body_max_size 0 KB +# No limit. # TAG: client_request_buffer_max_size (bytes) # This specifies the maximum buffer size of a client request. @@ -3281,29 +5065,6 @@ refresh_pattern . 0 20% 4320 #Default: # client_request_buffer_max_size 512 KB -# TAG: chunked_request_body_max_size (bytes) -# A broken or confused HTTP/1.1 client may send a chunked HTTP -# request to Squid. Squid does not have full support for that -# feature yet. To cope with such requests, Squid buffers the -# entire request and then dechunks request body to create a -# plain HTTP/1.0 request with a known content length. The plain -# request is then used by the rest of Squid code as usual. -# -# The option value specifies the maximum size of the buffer used -# to hold the request before the conversion. If the chunked -# request size exceeds the specified limit, the conversion -# fails, and the client receives an "unsupported request" error, -# as if dechunking was disabled. -# -# Dechunking is enabled by default. To disable conversion of -# chunked requests, set the maximum to zero. -# -# Request dechunking feature and this option in particular are a -# temporary hack. When chunking requests and responses are fully -# supported, there will be no need to buffer a chunked request. -#Default: -# chunked_request_body_max_size 64 KB - # TAG: broken_posts # A list of ACL elements which, if matched, causes Squid to send # an extra CRLF pair after the body of a PUT/POST request. @@ -3325,15 +5086,15 @@ refresh_pattern . 0 20% 4320 # acl buggy_server url_regex ^http://.... # broken_posts allow buggy_server #Default: -# none +# Obey RFC 2616. -# TAG: icap_uses_indirect_client on|off +# TAG: adaptation_uses_indirect_client on|off # Controls whether the indirect client IP address (instead of the direct # client IP address) is passed to adaptation services. # # See also: follow_x_forwarded_for adaptation_send_client_ip #Default: -# icap_uses_indirect_client on +# adaptation_uses_indirect_client on # TAG: via on|off # If set (default), Squid will include a Via header in requests and @@ -3395,64 +5156,62 @@ refresh_pattern . 0 20% 4320 # # This option replaces the old 'anonymize_headers' and the # older 'http_anonymizer' option with something that is much -# more configurable. This new method creates a list of ACLs -# for each header, allowing you very fine-tuned header -# mangling. -# -# This option only applies to request headers, i.e., from the -# client to the server. -# -# You can only specify known headers for the header name. -# Other headers are reclassified as 'Other'. You can also -# refer to all the headers with 'All'. +# more configurable. A list of ACLs for each header name allows +# removal of specific header fields under specific conditions. +# +# This option only applies to outgoing HTTP request headers (i.e., +# headers sent by Squid to the next HTTP hop such as a cache peer +# or an origin server). The option has no effect during cache hit +# detection. The equivalent adaptation vectoring point in ICAP +# terminology is post-cache REQMOD. +# +# The option is applied to individual outgoing request header +# fields. For each request header field F, Squid uses the first +# qualifying sets of request_header_access rules: +# +# 1. Rules with header_name equal to F's name. +# 2. Rules with header_name 'Other', provided F's name is not +# on the hard-coded list of commonly used HTTP header names. +# 3. Rules with header_name 'All'. +# +# Within that qualifying rule set, rule ACLs are checked as usual. +# If ACLs of an "allow" rule match, the header field is allowed to +# go through as is. If ACLs of a "deny" rule match, the header is +# removed and request_header_replace is then checked to identify +# if the removed header has a replacement. If no rules within the +# set have matching ACLs, the header field is left as is. # # For example, to achieve the same behavior as the old # 'http_anonymizer standard' option, you should use: # # request_header_access From deny all # request_header_access Referer deny all -# request_header_access Server deny all # request_header_access User-Agent deny all -# request_header_access WWW-Authenticate deny all -# request_header_access Link deny all # # Or, to reproduce the old 'http_anonymizer paranoid' feature # you should use: # -# request_header_access Allow allow all # request_header_access Authorization allow all -# request_header_access WWW-Authenticate allow all # request_header_access Proxy-Authorization allow all -# request_header_access Proxy-Authenticate allow all # request_header_access Cache-Control allow all -# request_header_access Content-Encoding allow all # request_header_access Content-Length allow all # request_header_access Content-Type allow all # request_header_access Date allow all -# request_header_access Expires allow all # request_header_access Host allow all # request_header_access If-Modified-Since allow all -# request_header_access Last-Modified allow all -# request_header_access Location allow all # request_header_access Pragma allow all # request_header_access Accept allow all # request_header_access Accept-Charset allow all # request_header_access Accept-Encoding allow all # request_header_access Accept-Language allow all -# request_header_access Content-Language allow all -# request_header_access Mime-Version allow all -# request_header_access Retry-After allow all -# request_header_access Title allow all # request_header_access Connection allow all # request_header_access All deny all # -# although many of those are HTTP reply headers, and so should be -# controlled with the reply_header_access directive. +# HTTP reply headers are controlled with the reply_header_access directive. # -# By default, all headers are allowed (no anonymizing is -# performed). +# By default, all headers are allowed (no anonymizing is performed). #Default: -# none +# No limits. # TAG: reply_header_access # Usage: reply_header_access header_name allow|deny [!]aclname ... @@ -3465,25 +5224,13 @@ refresh_pattern . 0 20% 4320 # server to the client. # # This is the same as request_header_access, but in the other -# direction. -# -# This option replaces the old 'anonymize_headers' and the -# older 'http_anonymizer' option with something that is much -# more configurable. This new method creates a list of ACLs -# for each header, allowing you very fine-tuned header -# mangling. -# -# You can only specify known headers for the header name. -# Other headers are reclassified as 'Other'. You can also -# refer to all the headers with 'All'. +# direction. Please see request_header_access for detailed +# documentation. # # For example, to achieve the same behavior as the old # 'http_anonymizer standard' option, you should use: # -# reply_header_access From deny all -# reply_header_access Referer deny all # reply_header_access Server deny all -# reply_header_access User-Agent deny all # reply_header_access WWW-Authenticate deny all # reply_header_access Link deny all # @@ -3491,9 +5238,7 @@ refresh_pattern . 0 20% 4320 # you should use: # # reply_header_access Allow allow all -# reply_header_access Authorization allow all # reply_header_access WWW-Authenticate allow all -# reply_header_access Proxy-Authorization allow all # reply_header_access Proxy-Authenticate allow all # reply_header_access Cache-Control allow all # reply_header_access Content-Encoding allow all @@ -3501,29 +5246,22 @@ refresh_pattern . 0 20% 4320 # reply_header_access Content-Type allow all # reply_header_access Date allow all # reply_header_access Expires allow all -# reply_header_access Host allow all -# reply_header_access If-Modified-Since allow all # reply_header_access Last-Modified allow all # reply_header_access Location allow all # reply_header_access Pragma allow all -# reply_header_access Accept allow all -# reply_header_access Accept-Charset allow all -# reply_header_access Accept-Encoding allow all -# reply_header_access Accept-Language allow all # reply_header_access Content-Language allow all -# reply_header_access Mime-Version allow all # reply_header_access Retry-After allow all # reply_header_access Title allow all +# reply_header_access Content-Disposition allow all # reply_header_access Connection allow all # reply_header_access All deny all # -# although the HTTP request headers won't be usefully controlled -# by this directive -- see request_header_access for details. +# HTTP request headers are controlled with the request_header_access directive. # # By default, all headers are allowed (no anonymizing is # performed). #Default: -# none +# No limits. # TAG: request_header_replace # Usage: request_header_replace header_name message @@ -3531,8 +5269,7 @@ refresh_pattern . 0 20% 4320 # # This option allows you to change the contents of headers # denied with request_header_access above, by replacing them -# with some fixed string. This replaces the old fake_user_agent -# option. +# with some fixed string. # # This only applies to request headers, not reply headers. # @@ -3554,6 +5291,57 @@ refresh_pattern . 0 20% 4320 #Default: # none +# TAG: request_header_add +# Usage: request_header_add field-name field-value acl1 [acl2] ... +# Example: request_header_add X-Client-CA "CA=%ssl::>cert_issuer" all +# +# This option adds header fields to outgoing HTTP requests (i.e., +# request headers sent by Squid to the next HTTP hop such as a +# cache peer or an origin server). The option has no effect during +# cache hit detection. The equivalent adaptation vectoring point +# in ICAP terminology is post-cache REQMOD. +# +# Field-name is a token specifying an HTTP header name. If a +# standard HTTP header name is used, Squid does not check whether +# the new header conflicts with any existing headers or violates +# HTTP rules. If the request to be modified already contains a +# field with the same name, the old field is preserved but the +# header field values are not merged. +# +# Field-value is either a token or a quoted string. If quoted +# string format is used, then the surrounding quotes are removed +# while escape sequences and %macros are processed. +# +# In theory, all of the logformat codes can be used as %macros. +# However, unlike logging (which happens at the very end of +# transaction lifetime), the transaction may not yet have enough +# information to expand a macro when the new header value is needed. +# And some information may already be available to Squid but not yet +# committed where the macro expansion code can access it (report +# such instances!). The macro will be expanded into a single dash +# ('-') in such cases. Not all macros have been tested. +# +# One or more Squid ACLs may be specified to restrict header +# injection to matching requests. As always in squid.conf, all +# ACLs in an option ACL list must be satisfied for the insertion +# to happen. The request_header_add option supports fast ACLs +# only. +#Default: +# none + +# TAG: note +# This option used to log custom information about the master +# transaction. For example, an admin may configure Squid to log +# which "user group" the transaction belongs to, where "user group" +# will be determined based on a set of ACLs and not [just] +# authentication information. +# Values of key/value pairs can be logged using %{key}note macros: +# +# note key value acl ... +# logformat myFormat ... %{key}note ... +#Default: +# none + # TAG: relaxed_header_parser on|off|warn # In the default "on" setting Squid accepts certain forms # of non-compliant HTTP messages where it is unambiguous @@ -3569,15 +5357,32 @@ refresh_pattern . 0 20% 4320 #Default: # relaxed_header_parser on -# TAG: ignore_expect_100 on|off -# This option makes Squid ignore any Expect: 100-continue header present -# in the request. RFC 2616 requires that Squid being unable to satisfy -# the response expectation MUST return a 417 error. -# -# Note: Enabling this is a HTTP protocol violation, but some clients may -# not handle it well.. -#Default: -# ignore_expect_100 off +# TAG: collapsed_forwarding (on|off) +# When enabled, instead of forwarding each concurrent request for +# the same URL, Squid just sends the first of them. The other, so +# called "collapsed" requests, wait for the response to the first +# request and, if it happens to be cachable, use that response. +# Here, "concurrent requests" means "received after the first +# request headers were parsed and before the corresponding response +# headers were parsed". +# +# This feature is disabled by default: enabling collapsed +# forwarding needlessly delays forwarding requests that look +# cachable (when they are collapsed) but then need to be forwarded +# individually anyway because they end up being for uncachable +# content. However, in some cases, such as acceleration of highly +# cachable content with periodic or grouped expiration times, the +# gains from collapsing [large volumes of simultaneous refresh +# requests] outweigh losses from such delays. +# +# Squid collapses two kinds of requests: regular client requests +# received on one of the listening ports and internal "cache +# revalidation" requests which are triggered by those regular +# requests hitting a stale cached object. Revalidation collapsing +# is currently disabled for Squid instances containing SMP-aware +# disk or memory caches and for Vary-controlled cached objects. +#Default: +# collapsed_forwarding off # TIMEOUTS # ----------------------------------------------------------------------------- @@ -3604,25 +5409,46 @@ refresh_pattern . 0 20% 4320 # peer_connect_timeout 30 seconds # TAG: read_timeout time-units -# The read_timeout is applied on server-side connections. After -# each successful read(), the timeout will be extended by this +# Applied on peer server connections. +# +# After each successful read(), the timeout will be extended by this # amount. If no data is read again after this amount of time, -# the request is aborted and logged with ERR_READ_TIMEOUT. The -# default is 15 minutes. +# the request is aborted and logged with ERR_READ_TIMEOUT. +# +# The default is 15 minutes. #Default: # read_timeout 15 minutes +# TAG: write_timeout time-units +# This timeout is tracked for all connections that have data +# available for writing and are waiting for the socket to become +# ready. After each successful write, the timeout is extended by +# the configured amount. If Squid has data to write but the +# connection is not ready for the configured duration, the +# transaction associated with the connection is terminated. The +# default is 15 minutes. +#Default: +# write_timeout 15 minutes + # TAG: request_timeout # How long to wait for complete HTTP request headers after initial # connection establishment. #Default: # request_timeout 5 minutes -# TAG: persistent_request_timeout +# TAG: client_idle_pconn_timeout # How long to wait for the next HTTP request on a persistent -# connection after the previous request completes. +# client connection after the previous request completes. +#Default: +# client_idle_pconn_timeout 2 minutes + +# TAG: ftp_client_idle_timeout +# How long to wait for an FTP request on a connection to Squid ftp_port. +# Many FTP clients do not deal with idle connection closures well, +# necessitating a longer default timeout than client_idle_pconn_timeout +# used for incoming HTTP requests. #Default: -# persistent_request_timeout 2 minutes +# ftp_client_idle_timeout 30 minutes # TAG: client_lifetime time-units # The maximum amount of time a client (browser) is allowed to @@ -3658,11 +5484,11 @@ refresh_pattern . 0 20% 4320 #Default: # half_closed_clients off -# TAG: pconn_timeout +# TAG: server_idle_pconn_timeout # Timeout for idle persistent connections to servers and other # proxies. #Default: -# pconn_timeout 1 minute +# server_idle_pconn_timeout 1 minute # TAG: ident_timeout # Maximum time to wait for IDENT lookups to complete. @@ -3687,15 +5513,15 @@ refresh_pattern . 0 20% 4320 # TAG: cache_mgr # Email-address of local cache manager who will receive -# mail if the cache dies. The default is "webmaster." +# mail if the cache dies. The default is "webmaster". #Default: # cache_mgr webmaster # TAG: mail_from # From: email-address for mail sent when the cache dies. -# The default is to use 'appname@unique_hostname'. -# Default appname value is "squid", can be changed into -# src/globals.h before building squid. +# The default is to use 'squid@unique_hostname'. +# +# See also: unique_hostname directive. #Default: # none @@ -3734,7 +5560,7 @@ refresh_pattern . 0 20% 4320 # Our preference is for administrators to configure a secure # user account for squid with UID/GID matching system policies. #Default: -# none +# Use system group memberships of the cache_effective_user account # TAG: httpd_suppress_version_string on|off # Suppress Squid version string info in HTTP headers and HTML error pages. @@ -3748,14 +5574,14 @@ refresh_pattern . 0 20% 4320 # get errors about IP-forwarding you must set them to have individual # names with this setting. #Default: -# visible_hostname localhost +# Automatically detect the system host name # TAG: unique_hostname # If you want to have multiple machines with the same # 'visible_hostname' you must give each machine a different # 'unique_hostname' so forwarding loops can be detected. #Default: -# none +# Copy the value from visible_hostname # TAG: hostname_aliases # A list of other DNS names your cache has. @@ -3794,33 +5620,32 @@ refresh_pattern . 0 20% 4320 # available on the Web at http://www.ircache.net/Cache/Tracker/. # TAG: announce_period -# This is how frequently to send cache announcements. The -# default is `0' which disables sending the announcement -# messages. +# This is how frequently to send cache announcements. # # To enable announcing your cache, just set an announce period. # # Example: # announce_period 1 day #Default: -# announce_period 0 +# Announcement messages disabled. # TAG: announce_host +# Set the hostname where announce registration messages will be sent. +# +# See also announce_port and announce_file #Default: # announce_host tracker.ircache.net # TAG: announce_file +# The contents of this file will be included in the announce +# registration messages. #Default: # none # TAG: announce_port -# announce_host and announce_port set the hostname and port -# number where the registration message will be sent. +# Set the port where announce registration messages will be sent. # -# Hostname will default to 'tracker.ircache.net' and port will -# default default to 3131. If the 'filename' argument is given, -# the contents of that file will be included in the announce -# message. +# See also announce_host and announce_file #Default: # announce_port 3131 @@ -3833,10 +5658,12 @@ refresh_pattern . 0 20% 4320 # a farm of surrogates may all perform the same tasks, they may share # an identification token. #Default: -# httpd_accel_surrogate_id unset-id +# visible_hostname is used if no specific ID is set. # TAG: http_accel_surrogate_remote on|off -# Remote surrogates (such as those in a CDN) honour Surrogate-Control: no-store-remote. +# Remote surrogates (such as those in a CDN) honour the header +# "Surrogate-Control: no-store-remote". +# # Set this to on to have squid behave as a remote surrogate. #Default: # http_accel_surrogate_remote off @@ -3855,6 +5682,9 @@ refresh_pattern . 0 20% 4320 # This represents the number of delay pools to be used. For example, # if you have one class 2 delay pool and one class 3 delays pool, you # have a total of 2 delay pools. +# +# See also delay_parameters, delay_class, delay_access for pool +# configuration details. #Default: # delay_pools 0 @@ -3907,6 +5737,11 @@ refresh_pattern . 0 20% 4320 # # NOTE-2: Due to the use of bitmasks in class 2,3,4 pools they only apply to # IPv4 traffic. Class 1 and 5 pools may be used with IPv6 traffic. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# See also delay_parameters and delay_access. #Default: # none @@ -3921,14 +5756,16 @@ refresh_pattern . 0 20% 4320 # For example, if you want some_big_clients in delay # pool 1 and lotsa_little_clients in delay pool 2: # -#Example: -# delay_access 1 allow some_big_clients -# delay_access 1 deny all -# delay_access 2 allow lotsa_little_clients -# delay_access 2 deny all -# delay_access 3 allow authenticated_clients +# delay_access 1 allow some_big_clients +# delay_access 1 deny all +# delay_access 2 allow lotsa_little_clients +# delay_access 2 deny all +# delay_access 3 allow authenticated_clients +# +# See also delay_parameters and delay_class. +# #Default: -# none +# Deny using the pool, unless allow rules exist in squid.conf for the pool. # TAG: delay_parameters # This defines the parameters for a delay pool. Each delay pool has @@ -3936,23 +5773,23 @@ refresh_pattern . 0 20% 4320 # description of delay_class. # # For a class 1 delay pool, the syntax is: -# delay_pools pool 1 +# delay_class pool 1 # delay_parameters pool aggregate # # For a class 2 delay pool: -# delay_pools pool 2 +# delay_class pool 2 # delay_parameters pool aggregate individual # # For a class 3 delay pool: -# delay_pools pool 3 +# delay_class pool 3 # delay_parameters pool aggregate network individual # # For a class 4 delay pool: -# delay_pools pool 4 +# delay_class pool 4 # delay_parameters pool aggregate network individual user # # For a class 5 delay pool: -# delay_pools pool 5 +# delay_class pool 5 # delay_parameters pool tagrate # # The option variables are: @@ -3988,11 +5825,11 @@ refresh_pattern . 0 20% 4320 # above example, and is being used to strictly limit each host to 64Kbit/sec # (plus overheads), with no overall limit, the line is: # -# delay_parameters 1 -1/-1 8000/8000 +# delay_parameters 1 none 8000/8000 # -# Note that 8 x 8000 KByte/sec -> 64Kbit/sec. +# Note that 8 x 8K Byte/sec -> 64K bit/sec. # -# Note that the figure -1 is used to represent "unlimited". +# Note that the word 'none' is used to represent no limit. # # # And, if delay pool number 2 is a class 3 delay pool as in the above @@ -4005,15 +5842,19 @@ refresh_pattern . 0 20% 4320 # # delay_parameters 2 32000/32000 8000/8000 600/8000 # -# Note that 8 x 32000 KByte/sec -> 256Kbit/sec. -# 8 x 8000 KByte/sec -> 64Kbit/sec. -# 8 x 600 Byte/sec -> 4800bit/sec. +# Note that 8 x 32K Byte/sec -> 256K bit/sec. +# 8 x 8K Byte/sec -> 64K bit/sec. +# 8 x 600 Byte/sec -> 4800 bit/sec. # # # Finally, for a class 4 delay pool as in the example - each user will # be limited to 128Kbits/sec no matter how many workstations they are logged into.: # # delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000 +# +# +# See also delay_class and delay_access. +# #Default: # none @@ -4026,6 +5867,94 @@ refresh_pattern . 0 20% 4320 #Default: # delay_initial_bucket_level 50 +# CLIENT DELAY POOL PARAMETERS +# ----------------------------------------------------------------------------- + +# TAG: client_delay_pools +# This option specifies the number of client delay pools used. It must +# preceed other client_delay_* options. +# +# Example: +# client_delay_pools 2 +# +# See also client_delay_parameters and client_delay_access. +#Default: +# client_delay_pools 0 + +# TAG: client_delay_initial_bucket_level (percent, 0-no_limit) +# This option determines the initial bucket size as a percentage of +# max_bucket_size from client_delay_parameters. Buckets are created +# at the time of the "first" connection from the matching IP. Idle +# buckets are periodically deleted up. +# +# You can specify more than 100 percent but note that such "oversized" +# buckets are not refilled until their size goes down to max_bucket_size +# from client_delay_parameters. +# +# Example: +# client_delay_initial_bucket_level 50 +#Default: +# client_delay_initial_bucket_level 50 + +# TAG: client_delay_parameters +# +# This option configures client-side bandwidth limits using the +# following format: +# +# client_delay_parameters pool speed_limit max_bucket_size +# +# pool is an integer ID used for client_delay_access matching. +# +# speed_limit is bytes added to the bucket per second. +# +# max_bucket_size is the maximum size of a bucket, enforced after any +# speed_limit additions. +# +# Please see the delay_parameters option for more information and +# examples. +# +# Example: +# client_delay_parameters 1 1024 2048 +# client_delay_parameters 2 51200 16384 +# +# See also client_delay_access. +# +#Default: +# none + +# TAG: client_delay_access +# This option determines the client-side delay pool for the +# request: +# +# client_delay_access pool_ID allow|deny acl_name +# +# All client_delay_access options are checked in their pool ID +# order, starting with pool 1. The first checked pool with allowed +# request is selected for the request. If no ACL matches or there +# are no client_delay_access options, the request bandwidth is not +# limited. +# +# The ACL-selected pool is then used to find the +# client_delay_parameters for the request. Client-side pools are +# not used to aggregate clients. Clients are always aggregated +# based on their source IP addresses (one bucket per source IP). +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# Additionally, only the client TCP connection details are available. +# ACLs testing HTTP properties will not work. +# +# Please see delay_access for more examples. +# +# Example: +# client_delay_access 1 allow low_rate_network +# client_delay_access 2 allow vips_network +# +# +# See also client_delay_parameters and client_delay_pools. +#Default: +# Deny use of the pool, unless allow rules exist in squid.conf for the pool. + # WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS # ----------------------------------------------------------------------------- @@ -4040,7 +5969,7 @@ refresh_pattern . 0 20% 4320 # only one of the two may be used at the same time and defines # which version of WCCP to use. #Default: -# wccp_router any_addr +# WCCP disabled. # TAG: wccp2_router # Use this option to define your WCCP ``home'' router for @@ -4053,7 +5982,7 @@ refresh_pattern . 0 20% 4320 # only one of the two may be used at the same time and defines # which version of WCCP to use. #Default: -# none +# WCCPv2 disabled. # TAG: wccp_version # This directive is only relevant if you need to set up WCCP(v1) @@ -4110,7 +6039,7 @@ refresh_pattern . 0 20% 4320 # Valid values are as follows: # # hash - Hash assignment -# mask - Mask assignment +# mask - Mask assignment # # As a general rule, cisco routers support the hash assignment method # and cisco switches support the mask assignment method. @@ -4138,7 +6067,7 @@ refresh_pattern . 0 20% 4320 # # fleshed out with subsequent options. # wccp2_service standard 0 password=foo #Default: -# wccp2_service standard 0 +# Use the 'web-cache' standard service. # TAG: wccp2_service_info # Dynamic WCCPv2 services require further information to define the @@ -4175,8 +6104,12 @@ refresh_pattern . 0 20% 4320 # wccp2_weight 10000 # TAG: wccp_address +# Use this option if you require WCCPv2 to use a specific +# interface address. +# +# The default behavior is to not bind to any specific address. #Default: -# wccp_address 0.0.0.0 +# Address selected by the operating system. # TAG: wccp2_address # Use this option if you require WCCP to use a specific @@ -4184,7 +6117,7 @@ refresh_pattern . 0 20% 4320 # # The default behavior is to not bind to any specific address. #Default: -# wccp2_address 0.0.0.0 +# Address selected by the operating system. # PERSISTENT CONNECTION HANDLING # ----------------------------------------------------------------------------- @@ -4192,14 +6125,16 @@ refresh_pattern . 0 20% 4320 # Also see "pconn_timeout" in the TIMEOUTS section # TAG: client_persistent_connections +# Persistent connection support for clients. +# Squid uses persistent connections (when allowed). You can use +# this option to disable persistent connections with clients. #Default: # client_persistent_connections on # TAG: server_persistent_connections -# Persistent connection support for clients and servers. By -# default, Squid uses persistent connections (when allowed) -# with its clients and servers. You can use these options to -# disable persistent connections with clients and/or servers. +# Persistent connection support for servers. +# Squid uses persistent connections (when allowed). You can use +# this option to disable persistent connections with servers. #Default: # server_persistent_connections on @@ -4275,7 +6210,7 @@ refresh_pattern . 0 20% 4320 # Example: # snmp_port 3401 #Default: -# snmp_port 0 +# SNMP disabled. # TAG: snmp_access # Allowing or denying access to the SNMP port. @@ -4287,26 +6222,29 @@ refresh_pattern . 0 20% 4320 # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# #Example: # snmp_access allow snmppublic localhost # snmp_access deny all #Default: -# snmp_access deny all +# Deny, unless rules exist in squid.conf. # TAG: snmp_incoming_address -#Default: -# snmp_incoming_address any_addr - -# TAG: snmp_outgoing_address # Just like 'udp_incoming_address', but for the SNMP port. # # snmp_incoming_address is used for the SNMP socket receiving # messages from SNMP agents. -# snmp_outgoing_address is used for SNMP packets returned to SNMP -# agents. # # The default snmp_incoming_address is to listen on all # available network interfaces. +#Default: +# Accept SNMP packets from all machine interfaces. + +# TAG: snmp_outgoing_address +# Just like 'udp_outgoing_address', but for the SNMP port. +# +# snmp_outgoing_address is used for SNMP packets returned to SNMP +# agents. # # If snmp_outgoing_address is not set it will use the same socket # as snmp_incoming_address. Only change this if you want to have @@ -4314,9 +6252,9 @@ refresh_pattern . 0 20% 4320 # listens for SNMP queries. # # NOTE, snmp_incoming_address and snmp_outgoing_address can not have -# the same value since they both use port 3401. +# the same value since they both use the same port. #Default: -# snmp_outgoing_address no_addr +# Use snmp_incoming_address or an address selected by the operating system. # ICP OPTIONS # ----------------------------------------------------------------------------- @@ -4324,22 +6262,21 @@ refresh_pattern . 0 20% 4320 # TAG: icp_port # The port number where Squid sends and receives ICP queries to # and from neighbor caches. The standard UDP port for ICP is 3130. -# Default is disabled (0). # # Example: # icp_port 3130 #Default: -# icp_port 0 +# ICP disabled. # TAG: htcp_port # The port number where Squid sends and receives HTCP queries to # and from neighbor caches. To turn it on you want to set it to -# 4827. By default it is set to "0" (disabled). +# 4827. # # Example: # htcp_port 4827 #Default: -# htcp_port 0 +# HTCP disabled. # TAG: log_icp_queries on|off # If set, ICP queries are logged to access.log. You may wish @@ -4365,7 +6302,7 @@ refresh_pattern . 0 20% 4320 # NOTE, udp_incoming_address and udp_outgoing_address can not # have the same value since they both use the same port. #Default: -# udp_incoming_address any_addr +# Accept packets from all machine interfaces. # TAG: udp_outgoing_address # udp_outgoing_address is used for UDP packets sent out to other @@ -4386,7 +6323,7 @@ refresh_pattern . 0 20% 4320 # NOTE, udp_incoming_address and udp_outgoing_address can not # have the same value since they both use the same port. #Default: -# udp_outgoing_address no_addr +# Use udp_incoming_address or an address selected by the operating system. # TAG: icp_hit_stale on|off # If you want to return ICP_HIT for stale cache objects, set this @@ -4405,21 +6342,33 @@ refresh_pattern . 0 20% 4320 #Default: # minimum_direct_hops 4 -# TAG: minimum_direct_rtt +# TAG: minimum_direct_rtt (msec) # If using the ICMP pinging stuff, do direct fetches for sites # which are no more than this many rtt milliseconds away. #Default: # minimum_direct_rtt 400 # TAG: netdb_low +# The low water mark for the ICMP measurement database. +# +# Note: high watermark controlled by netdb_high directive. +# +# These watermarks are counts, not percents. The defaults are +# (low) 900 and (high) 1000. When the high water mark is +# reached, database entries will be deleted until the low +# mark is reached. #Default: # netdb_low 900 # TAG: netdb_high -# The low and high water marks for the ICMP measurement -# database. These are counts, not percents. The defaults are -# 900 and 1000. When the high water mark is reached, database -# entries will be deleted until the low mark is reached. +# The high water mark for the ICMP measurement database. +# +# Note: low watermark controlled by netdb_low directive. +# +# These watermarks are counts, not percents. The defaults are +# (low) 900 and (high) 1000. When the high water mark is +# reached, database entries will be deleted until the low +# mark is reached. #Default: # netdb_high 1000 @@ -4462,7 +6411,7 @@ refresh_pattern . 0 20% 4320 # # icp_query_timeout 2000 #Default: -# icp_query_timeout 0 +# Dynamic detection. # TAG: maximum_icp_query_timeout (msec) # Normally the ICP query timeout is determined dynamically. But @@ -4528,7 +6477,7 @@ refresh_pattern . 0 20% 4320 # Do not enable this option unless you are are absolutely # certain you understand what you are doing. #Default: -# mcast_miss_addr no_addr +# disabled. # TAG: mcast_miss_ttl # Note: This option is only available if Squid is rebuilt with the @@ -4618,7 +6567,7 @@ refresh_pattern . 0 20% 4320 # The squid developers working on translations are happy to supply drop-in # translated error files in exchange for any new language contributions. #Default: -# none +# Send error pages in the clients preferred language # TAG: error_default_language # Set the default language which squid will send error pages in @@ -4632,7 +6581,7 @@ refresh_pattern . 0 20% 4320 # translations for any language see the squid wiki for details. # http://wiki.squid-cache.org/Translations #Default: -# none +# Generate English language pages. # TAG: error_log_languages # Log to cache.log what languages users are attempting to @@ -4687,17 +6636,47 @@ refresh_pattern . 0 20% 4320 # the first authentication related acl encountered # - When none of the http_access lines matches. It's then the last # acl processed on the last http_access line. +# - When the decision to deny access was made by an adaptation service, +# the acl name is the corresponding eCAP or ICAP service_name. # # NP: If providing your own custom error pages with error_directory # you may also specify them by your custom file name: # Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys # -# Alternatively you can specify an error URL. The browsers will -# get redirected (302 or 307) to the specified URL. %s in the redirection -# URL will be replaced by the requested URL. +# By defaut Squid will send "403 Forbidden". A different 4xx or 5xx +# may be specified by prefixing the file name with the code and a colon. +# e.g. 404:ERR_CUSTOM_ACCESS_DENIED # # Alternatively you can tell Squid to reset the TCP connection # by specifying TCP_RESET. +# +# Or you can specify an error URL or URL pattern. The browsers will +# get redirected to the specified URL after formatting tags have +# been replaced. Redirect will be done with 302 or 307 according to +# HTTP/1.1 specs. A different 3xx code may be specified by prefixing +# the URL. e.g. 303:http://example.com/ +# +# URL FORMAT TAGS: +# %a - username (if available. Password NOT included) +# %B - FTP path URL +# %e - Error number +# %E - Error description +# %h - Squid hostname +# %H - Request domain name +# %i - Client IP Address +# %M - Request Method +# %o - Message result from external ACL helper +# %p - Request Port number +# %P - Request Protocol name +# %R - Request URL path +# %T - Timestamp in RFC 1123 format +# %U - Full canonical URL from client +# (HTTPS URLs terminate with *) +# %u - Full canonical URL from client +# %w - Admin email from squid.conf +# %x - Error name +# %% - Literal percent (%) code +# #Default: # none @@ -4706,18 +6685,18 @@ refresh_pattern . 0 20% 4320 # TAG: nonhierarchical_direct # By default, Squid will send any non-hierarchical requests -# (matching hierarchy_stoplist or not cacheable request type) direct -# to origin servers. +# (not cacheable request type) direct to origin servers. # -# If you set this to off, Squid will prefer to send these +# When this is set to "off", Squid will prefer to send these # requests to parents. # # Note that in most configurations, by turning this off you will only # add latency to these request without any improvement in global hit # ratio. # -# If you are inside an firewall see never_direct instead of -# this directive. +# This option only sets a preference. If the parent is unavailable a +# direct connection to the origin server may still be attempted. To +# completely prevent direct connections use never_direct. #Default: # nonhierarchical_direct on @@ -4736,6 +6715,29 @@ refresh_pattern . 0 20% 4320 #Default: # prefer_direct off +# TAG: cache_miss_revalidate on|off +# RFC 7232 defines a conditional request mechanism to prevent +# response objects being unnecessarily transferred over the network. +# If that mechanism is used by the client and a cache MISS occurs +# it can prevent new cache entries being created. +# +# This option determines whether Squid on cache MISS will pass the +# client revalidation request to the server or tries to fetch new +# content for caching. It can be useful while the cache is mostly +# empty to more quickly have the cache populated by generating +# non-conditional GETs. +# +# When set to 'on' (default), Squid will pass all client If-* headers +# to the server. This permits server responses without a cacheable +# payload to be delivered and on MISS no new cache entry is created. +# +# When set to 'off' and if the request is cacheable, Squid will +# remove the clients If-Modified-Since and If-None-Match headers from +# the request sent to the server. This requests a 200 status response +# from the server to create a new cache entry with. +#Default: +# cache_miss_revalidate on + # TAG: always_direct # Usage: always_direct allow|deny [!]aclname ... # @@ -4776,7 +6778,7 @@ refresh_pattern . 0 20% 4320 # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Prevent any cache_peer being used for this request. # TAG: never_direct # Usage: never_direct allow|deny [!]aclname ... @@ -4805,37 +6807,52 @@ refresh_pattern . 0 20% 4320 # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow DNS results to be used for this request. # ADVANCED NETWORKING OPTIONS # ----------------------------------------------------------------------------- -# TAG: incoming_icp_average +# TAG: incoming_udp_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: -# incoming_icp_average 6 +# incoming_udp_average 6 -# TAG: incoming_http_average +# TAG: incoming_tcp_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: -# incoming_http_average 4 +# incoming_tcp_average 4 # TAG: incoming_dns_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: # incoming_dns_average 4 -# TAG: min_icp_poll_cnt +# TAG: min_udp_poll_cnt +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: -# min_icp_poll_cnt 8 +# min_udp_poll_cnt 8 # TAG: min_dns_poll_cnt +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: # min_dns_poll_cnt 8 -# TAG: min_http_poll_cnt +# TAG: min_tcp_poll_cnt # Heavy voodoo here. I can't even believe you are reading this. # Are you crazy? Don't even think about adjusting these unless # you understand the algorithms in comm_select.c first! #Default: -# min_http_poll_cnt 8 +# min_tcp_poll_cnt 8 # TAG: accept_filter # FreeBSD: @@ -4880,14 +6897,14 @@ refresh_pattern . 0 20% 4320 # WARNING: This may noticably slow down traffic received via external proxies # or NAT devices and cause them to rebound error messages back to their clients. #Default: -# client_ip_max_connections -1 +# No limit. # TAG: tcp_recv_bufsize (bytes) # Size of receive buffer to set for TCP sockets. Probably just -# as easy to change your kernel's default. Set to zero to use -# the default buffer size. +# as easy to change your kernel's default. +# Omit from squid.conf to use the default buffer size. #Default: -# tcp_recv_bufsize 0 bytes +# Use operating system TCP defaults. # ICAP OPTIONS # ----------------------------------------------------------------------------- @@ -4913,22 +6930,36 @@ refresh_pattern . 0 20% 4320 # an established, active ICAP connection before giving up and # either terminating the HTTP transaction or bypassing the # failure. -# -# The default is read_timeout. #Default: -# none +# Use read_timeout. -# TAG: icap_service_failure_limit +# TAG: icap_service_failure_limit limit [in memory-depth time-units] # The limit specifies the number of failures that Squid tolerates # when establishing a new TCP connection with an ICAP service. If # the number of failures exceeds the limit, the ICAP service is # not used for new ICAP requests until it is time to refresh its -# OPTIONS. The per-service failure counter is reset to zero each -# time Squid fetches new service OPTIONS. +# OPTIONS. # # A negative value disables the limit. Without the limit, an ICAP # service will not be considered down due to connectivity failures # between ICAP OPTIONS requests. +# +# Squid forgets ICAP service failures older than the specified +# value of memory-depth. The memory fading algorithm +# is approximate because Squid does not remember individual +# errors but groups them instead, splitting the option +# value into ten time slots of equal length. +# +# When memory-depth is 0 and by default this option has no +# effect on service failure expiration. +# +# Squid always forgets failures when updating service settings +# using an ICAP OPTIONS transaction, regardless of this option +# setting. +# +# For example, +# # suspend service usage after 10 failures in 5 seconds: +# icap_service_failure_limit 10 in 5 seconds #Default: # icap_service_failure_limit 10 @@ -4962,10 +6993,26 @@ refresh_pattern . 0 20% 4320 # TAG: icap_preview_size # The default size of preview data to be sent to the ICAP server. -# -1 means no preview. This value might be overwritten on a per server -# basis by OPTIONS requests. +# This value might be overwritten on a per server basis by OPTIONS requests. +#Default: +# No preview sent. + +# TAG: icap_206_enable on|off +# 206 (Partial Content) responses is an ICAP extension that allows the +# ICAP agents to optionally combine adapted and original HTTP message +# content. The decision to combine is postponed until the end of the +# ICAP response. Squid supports Partial Content extension by default. +# +# Activation of the Partial Content extension is negotiated with each +# ICAP service during OPTIONS exchange. Most ICAP servers should handle +# negotation correctly even if they do not support the extension, but +# some might fail. To disable Partial Content support for all ICAP +# services and to avoid any negotiation, set this option to "off". +# +# Example: +# icap_206_enable off #Default: -# icap_preview_size -1 +# icap_206_enable on # TAG: icap_default_options_ttl # The default TTL value for ICAP OPTIONS responses that don't have @@ -4979,25 +7026,27 @@ refresh_pattern . 0 20% 4320 #Default: # icap_persistent_connections on -# TAG: icap_send_client_ip on|off +# TAG: adaptation_send_client_ip on|off # If enabled, Squid shares HTTP client IP information with adaptation # services. For ICAP, Squid adds the X-Client-IP header to ICAP requests. # For eCAP, Squid sets the libecap::metaClientIp transaction option. # # See also: adaptation_uses_indirect_client #Default: -# icap_send_client_ip off +# adaptation_send_client_ip off -# TAG: icap_send_client_username on|off +# TAG: adaptation_send_username on|off # This sends authenticated HTTP client username (if available) to -# the ICAP service. The username value is encoded based on the +# the adaptation service. +# +# For ICAP, the username value is encoded based on the # icap_client_username_encode option and is sent using the header # specified by the icap_client_username_header option. #Default: -# icap_send_client_username off +# adaptation_send_username off # TAG: icap_client_username_header -# ICAP request header name to use for send_client_username. +# ICAP request header name to use for adaptation_send_username. #Default: # icap_client_username_header X-Client-Username @@ -5009,17 +7058,19 @@ refresh_pattern . 0 20% 4320 # TAG: icap_service # Defines a single ICAP service using the following format: # -# icap_service service_name vectoring_point [options] service_url +# icap_service id vectoring_point uri [option ...] # -# service_name: ID -# an opaque identifier which must be unique in squid.conf +# id: ID +# an opaque identifier or name which is used to direct traffic to +# this specific service. Must be unique among all adaptation +# services in squid.conf. # # vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache # This specifies at which point of transaction processing the # ICAP service should be activated. *_postcache vectoring points # are not yet supported. # -# service_url: icap://servername:port/servicepath +# uri: icap://servername:port/servicepath # ICAP server and service location. # # ICAP does not allow a single service to handle both REQMOD and RESPMOD @@ -5028,6 +7079,8 @@ refresh_pattern . 0 20% 4320 # can even specify multiple identical services as long as their # service_names differ. # +# To activate a service, use the adaptation_access directive. To group +# services, use adaptation_service_chain and adaptation_service_set. # # Service options are separated by white space. ICAP services support # the following name=value options: @@ -5049,11 +7102,12 @@ refresh_pattern . 0 20% 4320 # returning a chain of services to be used next. The services # are specified using the X-Next-Services ICAP response header # value, formatted as a comma-separated list of service names. -# Each named service should be configured in squid.conf and -# should have the same method and vectoring point as the current -# ICAP transaction. Services violating these rules are ignored. -# An empty X-Next-Services value results in an empty plan which -# ends the current adaptation. +# Each named service should be configured in squid.conf. Other +# services are ignored. An empty X-Next-Services value results +# in an empty plan which ends the current adaptation. +# +# Dynamic adaptation plan may cross or cover multiple supported +# vectoring points in their natural processing order. # # Routing is not allowed by default: the ICAP X-Next-Services # response header is ignored. @@ -5063,12 +7117,32 @@ refresh_pattern . 0 20% 4320 # is to use IPv4-only connections. When set to 'on' this option will # make Squid use IPv6-only connections to contact this ICAP service. # +# on-overload=block|bypass|wait|force +# If the service Max-Connections limit has been reached, do +# one of the following for each new ICAP transaction: +# * block: send an HTTP error response to the client +# * bypass: ignore the "over-connected" ICAP service +# * wait: wait (in a FIFO queue) for an ICAP connection slot +# * force: proceed, ignoring the Max-Connections limit +# +# In SMP mode with N workers, each worker assumes the service +# connection limit is Max-Connections/N, even though not all +# workers may use a given service. +# +# The default value is "bypass" if service is bypassable, +# otherwise it is set to "wait". +# +# +# max-conn=number +# Use the given number as the Max-Connections limit, regardless +# of the Max-Connections value given by the service, if any. +# # Older icap_service format without optional named parameters is # deprecated but supported for backward compatibility. # #Example: -#icap_service svcBlocker reqmod_precache bypass=0 icap://icap1.mydomain.net:1344/reqmod -#icap_service svcLogger reqmod_precache routing=on icap://icap2.mydomain.net:1344/respmod +#icap_service svcBlocker reqmod_precache icap://icap1.mydomain.net:1344/reqmod bypass=0 +#icap_service svcLogger reqmod_precache icap://icap2.mydomain.net:1344/respmod routing=on #Default: # none @@ -5094,38 +7168,65 @@ refresh_pattern . 0 20% 4320 # ----------------------------------------------------------------------------- # TAG: ecap_enable on|off -# Note: This option is only available if Squid is rebuilt with the -# --enable-ecap option -# # Controls whether eCAP support is enabled. #Default: # ecap_enable off # TAG: ecap_service -# Note: This option is only available if Squid is rebuilt with the -# --enable-ecap option -# # Defines a single eCAP service # -# ecap_service servicename vectoring_point bypass service_url +# ecap_service id vectoring_point uri [option ...] # -# vectoring_point = reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache +# id: ID +# an opaque identifier or name which is used to direct traffic to +# this specific service. Must be unique among all adaptation +# services in squid.conf. +# +# vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache # This specifies at which point of transaction processing the # eCAP service should be activated. *_postcache vectoring points # are not yet supported. -# bypass = 1|0 -# If set to 1, the eCAP service is treated as optional. If the -# service cannot be reached or malfunctions, Squid will try to -# ignore any errors and process the message as if the service +# +# uri: ecap://vendor/service_name?custom&cgi=style¶meters=optional +# Squid uses the eCAP service URI to match this configuration +# line with one of the dynamically loaded services. Each loaded +# eCAP service must have a unique URI. Obtain the right URI from +# the service provider. +# +# To activate a service, use the adaptation_access directive. To group +# services, use adaptation_service_chain and adaptation_service_set. +# +# Service options are separated by white space. eCAP services support +# the following name=value options: +# +# bypass=on|off|1|0 +# If set to 'on' or '1', the eCAP service is treated as optional. +# If the service cannot be reached or malfunctions, Squid will try +# to ignore any errors and process the message as if the service # was not enabled. No all eCAP errors can be bypassed. -# If set to 0, the eCAP service is treated as essential and all -# eCAP errors will result in an error page returned to the +# If set to 'off' or '0', the eCAP service is treated as essential +# and all eCAP errors will result in an error page returned to the # HTTP client. -# service_url = ecap://vendor/service_name?custom&cgi=style¶meters=optional +# +# Bypass is off by default: services are treated as essential. +# +# routing=on|off|1|0 +# If set to 'on' or '1', the eCAP service is allowed to +# dynamically change the current message adaptation plan by +# returning a chain of services to be used next. +# +# Dynamic adaptation plan may cross or cover multiple supported +# vectoring points in their natural processing order. +# +# Routing is not allowed by default. +# +# Older ecap_service format without optional named parameters is +# deprecated but supported for backward compatibility. +# # #Example: -#ecap_service service_1 reqmod_precache 0 ecap://filters-R-us/leakDetector?on_error=block -#ecap_service service_2 respmod_precache 1 icap://filters-R-us/virusFilter?config=/etc/vf.cfg +#ecap_service s1 reqmod_precache ecap://filters.R.us/leakDetector?on_error=block bypass=off +#ecap_service s2 respmod_precache ecap://filters.R.us/virusFilter config=/etc/vf.cfg bypass=on #Default: # none @@ -5247,7 +7348,7 @@ refresh_pattern . 0 20% 4320 #Example: #adaptation_access service_1 allow all #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: adaptation_service_iteration_limit # Limits the number of iterations allowed when applying adaptation @@ -5275,8 +7376,14 @@ refresh_pattern . 0 20% 4320 # # An ICAP REQMOD or RESPMOD transaction may set an entry in the # shared table by returning an ICAP header field with a name -# specified in adaptation_masterx_shared_names. Squid will store -# and forward that ICAP header field to subsequent ICAP +# specified in adaptation_masterx_shared_names. +# +# An eCAP REQMOD or RESPMOD transaction may set an entry in the +# shared table by implementing the libecap::visitEachOption() API +# to provide an option with a name specified in +# adaptation_masterx_shared_names. +# +# Squid will store and forward the set entry to subsequent adaptation # transactions within the same master transaction scope. # # Only one shared entry name is supported at this time. @@ -5287,6 +7394,43 @@ refresh_pattern . 0 20% 4320 #Default: # none +# TAG: adaptation_meta +# This option allows Squid administrator to add custom ICAP request +# headers or eCAP options to Squid ICAP requests or eCAP transactions. +# Use it to pass custom authentication tokens and other +# transaction-state related meta information to an ICAP/eCAP service. +# +# The addition of a meta header is ACL-driven: +# adaptation_meta name value [!]aclname ... +# +# Processing for a given header name stops after the first ACL list match. +# Thus, it is impossible to add two headers with the same name. If no ACL +# lists match for a given header name, no such header is added. For +# example: +# +# # do not debug transactions except for those that need debugging +# adaptation_meta X-Debug 1 needs_debugging +# +# # log all transactions except for those that must remain secret +# adaptation_meta X-Log 1 !keep_secret +# +# # mark transactions from users in the "G 1" group +# adaptation_meta X-Authenticated-Groups "G 1" authed_as_G1 +# +# The "value" parameter may be a regular squid.conf token or a "double +# quoted string". Within the quoted string, use backslash (\) to escape +# any character, which is currently only useful for escaping backslashes +# and double quotes. For example, +# "this string has one backslash (\\) and two \"quotes\"" +# +# Used adaptation_meta header values may be logged via %note +# logformat code. If multiple adaptation_meta headers with the same name +# are used during master transaction lifetime, the header values are +# logged in the order they were used and duplicate values are ignored +# (only the first repeated value will be logged). +#Default: +# none + # TAG: icap_retry # This ACL determines which retriable ICAP transactions are # retried. Transactions that received a complete ICAP response @@ -5303,8 +7447,7 @@ refresh_pattern . 0 20% 4320 # icap_retry deny all # TAG: icap_retry_limit -# Limits the number of retries allowed. When set to zero (default), -# no retries are allowed. +# Limits the number of retries allowed. # # Communication errors due to persistent connection race # conditions are unavoidable, automatically retried, and do not @@ -5312,7 +7455,7 @@ refresh_pattern . 0 20% 4320 # # See also: icap_retry #Default: -# icap_retry_limit 0 +# No retries are allowed. # DNS OPTIONS # ----------------------------------------------------------------------------- @@ -5332,31 +7475,9 @@ refresh_pattern . 0 20% 4320 #Default: # allow_underscore on -# TAG: cache_dns_program -# Note: This option is only available if Squid is rebuilt with the -# --disable-internal-dns option -# -# Specify the location of the executable for dnslookup process. -#Default: -# cache_dns_program /usr/lib/squid/dnsserver - -# TAG: dns_children -# Note: This option is only available if Squid is rebuilt with the -# --disable-internal-dns option -# -# The number of processes spawn to service DNS name lookups. -# For heavily loaded caches on large servers, you should -# probably increase this value to at least 10. The maximum -# is 32. The default is 5. -# -# You must have at least one dnsserver process. -#Default: -# dns_children 5 - # TAG: dns_retransmit_interval # Initial retransmit interval for DNS queries. The interval is # doubled each time all configured DNS servers have been tried. -# #Default: # dns_retransmit_interval 5 seconds @@ -5365,7 +7486,31 @@ refresh_pattern . 0 20% 4320 # within this time all DNS servers for the queried domain # are assumed to be unavailable. #Default: -# dns_timeout 2 minutes +# dns_timeout 30 seconds + +# TAG: dns_packet_max +# Maximum number of bytes packet size to advertise via EDNS. +# Set to "none" to disable EDNS large packet support. +# +# For legacy reasons DNS UDP replies will default to 512 bytes which +# is too small for many responses. EDNS provides a means for Squid to +# negotiate receiving larger responses back immediately without having +# to failover with repeat requests. Responses larger than this limit +# will retain the old behaviour of failover to TCP DNS. +# +# Squid has no real fixed limit internally, but allowing packet sizes +# over 1500 bytes requires network jumbogram support and is usually not +# necessary. +# +# WARNING: The RFC also indicates that some older resolvers will reply +# with failure of the whole request if the extension is added. Some +# resolvers have already been identified which will reply with mangled +# EDNS response on occasion. Usually in response to many-KB jumbogram +# sizes being advertised by Squid. +# Squid will currently treat these both as an unable-to-resolve domain +# even if it would be resolvable without EDNS. +#Default: +# EDNS disabled # TAG: dns_defnames on|off # Normally the RES_DEFNAMES resolver option is disabled @@ -5373,12 +7518,21 @@ refresh_pattern . 0 20% 4320 # from interpreting single-component hostnames locally. To allow # Squid to handle single-component names, enable this option. #Default: -# dns_defnames off +# Search for single-label domain names is disabled. + +# TAG: dns_multicast_local on|off +# When set to on, Squid sends multicast DNS lookups on the local +# network for domains ending in .local and .arpa. +# This enables local servers and devices to be contacted in an +# ad-hoc or zero-configuration network environment. +#Default: +# Search for .local and .arpa names is disabled. # TAG: dns_nameservers # Use this if you want to specify a list of DNS name servers # (IP addresses) to use instead of those given in your # /etc/resolv.conf file. +# # On Windows platforms, if no value is specified here or in # the /etc/resolv.conf file, the list of DNS name servers are # taken from the Windows registry, both static and dynamic DHCP @@ -5386,7 +7540,7 @@ refresh_pattern . 0 20% 4320 # # Example: dns_nameservers 10.0.0.1 192.172.0.4 #Default: -# none +# Use operating system definitions # TAG: hosts_file # Location of the host-local IP name-address associations @@ -5425,7 +7579,7 @@ refresh_pattern . 0 20% 4320 #Example: # append_domain .yourdomain.com #Default: -# none +# Use operating system definitions # TAG: ignore_unknown_nameservers # By default Squid checks that DNS responses are received @@ -5436,23 +7590,6 @@ refresh_pattern . 0 20% 4320 #Default: # ignore_unknown_nameservers on -# TAG: dns_v4_fallback -# Standard practice with DNS is to lookup either A or AAAA records -# and use the results if it succeeds. Only looking up the other if -# the first attempt fails or otherwise produces no results. -# -# That policy however will cause squid to produce error pages for some -# servers that advertise AAAA but are unreachable over IPv6. -# -# If this is ON squid will always lookup both AAAA and A, using both. -# If this is OFF squid will lookup AAAA and only try A if none found. -# -# WARNING: There are some possibly unwanted side-effects with this on: -# *) Doubles the load placed by squid on the DNS network. -# *) May negatively impact connection delay times. -#Default: -# dns_v4_fallback on - # TAG: dns_v4_first # With the IPv6 Internet being as fast or faster than IPv4 Internet # for most networks Squid prefers to contact websites over IPv6. @@ -5464,11 +7601,12 @@ refresh_pattern . 0 20% 4320 # WARNING: # This option will restrict the situations under which IPv6 # connectivity is used (and tested), potentially hiding network -# problem swhich would otherwise be detected and warned about. +# problems which would otherwise be detected and warned about. #Default: # dns_v4_first off # TAG: ipcache_size (number of entries) +# Maximum number of DNS IP cache entries. #Default: # ipcache_size 1024 @@ -5489,6 +7627,15 @@ refresh_pattern . 0 20% 4320 # MISCELLANEOUS # ----------------------------------------------------------------------------- +# TAG: configuration_includes_quoted_values on|off +# If set, Squid will recognize each "quoted string" after a configuration +# directive as a single parameter. The quotes are stripped before the +# parameter value is interpreted or used. +# See "Values with spaces, quotes, and other special characters" +# section for more details. +#Default: +# configuration_includes_quoted_values off + # TAG: memory_pools on|off # If set, Squid will keep pools of allocated (but unused) memory # available for future use. If memory is a premium on your @@ -5539,7 +7686,7 @@ refresh_pattern . 0 20% 4320 # X-Forwarded-For header. # # If set to "truncate", Squid will remove all existing -# X-Forwarded-For entries, and place itself as the sole entry. +# X-Forwarded-For entries, and place the client IP as the sole entry. #Default: # forwarded_for on @@ -5602,7 +7749,7 @@ refresh_pattern . 0 20% 4320 # cachemgr_passwd lesssssssecret info stats/objects # cachemgr_passwd disable all #Default: -# none +# No password. Actions which require password are denied. # TAG: client_db on|off # If you want to disable collecting per-client statistics, @@ -5633,19 +7780,22 @@ refresh_pattern . 0 20% 4320 #Default: # reload_into_ims off -# TAG: maximum_single_addr_tries -# This sets the maximum number of connection attempts for a -# host that only has one address (for multiple-address hosts, -# each address is tried once). +# TAG: connect_retries +# This sets the maximum number of connection attempts made for each +# TCP connection. The connect_retries attempts must all still +# complete within the connection timeout period. +# +# The default is not to re-try if the first connection attempt fails. +# The (not recommended) maximum is 10 tries. # -# The default value is one attempt, the (not recommended) -# maximum is 255 tries. A warning message will be generated -# if it is set to a value greater than ten. +# A warning message will be generated if it is set to a too-high +# value and the configured value will be over-ridden. # -# Note: This is in addition to the request re-forwarding which -# takes place if Squid fails to get a satisfying response. +# Note: These re-tries are in addition to forward_max_tries +# which limit how many different addresses may be tried to find +# a useful server. #Default: -# maximum_single_addr_tries 1 +# Do not retry failed connections. # TAG: retry_on_error # If set to ON Squid will automatically retry requests when @@ -5678,20 +7828,32 @@ refresh_pattern . 0 20% 4320 # URI. Options: # # strip: The whitespace characters are stripped out of the URL. -# This is the behavior recommended by RFC2396. +# This is the behavior recommended by RFC2396 and RFC3986 +# for tolerant handling of generic URI. +# NOTE: This is one difference between generic URI and HTTP URLs. +# # deny: The request is denied. The user receives an "Invalid # Request" message. +# This is the behaviour recommended by RFC2616 for safe +# handling of HTTP request URL. +# # allow: The request is allowed and the URI is not changed. The # whitespace characters remain in the URI. Note the # whitespace is passed to redirector processes if they # are in use. +# Note this may be considered a violation of RFC2616 +# request parsing where whitespace is prohibited in the +# URL field. +# # encode: The request is allowed and the whitespace characters are -# encoded according to RFC1738. This could be considered -# a violation of the HTTP/1.1 -# RFC because proxies are not allowed to rewrite URI's. +# encoded according to RFC1738. +# # chop: The request is allowed and the URI is chopped at the -# first whitespace. This might also be considered a -# violation. +# first whitespace. +# +# +# NOTE the current Squid implementation of encode and chop violates +# RFC2616 by not using a 301 redirect after altering the URL. #Default: # uri_whitespace strip @@ -5718,23 +7880,28 @@ refresh_pattern . 0 20% 4320 # balance_on_multiple_ip off # TAG: pipeline_prefetch -# To boost the performance of pipelined requests to closer -# match that of a non-proxied environment Squid can try to fetch -# up to two requests in parallel from a pipeline. -# -# Defaults to off for bandwidth management and access logging +# HTTP clients may send a pipeline of 1+N requests to Squid using a +# single connection, without waiting for Squid to respond to the first +# of those requests. This option limits the number of concurrent +# requests Squid will try to handle in parallel. If set to N, Squid +# will try to receive and process up to 1+N requests on the same +# connection concurrently. +# +# Defaults to 0 (off) for bandwidth management and access logging # reasons. # +# NOTE: pipelining requires persistent connections to clients. +# # WARNING: pipelining breaks NTLM and Negotiate/Kerberos authentication. #Default: -# pipeline_prefetch off +# Do not pre-parse pipelined requests. # TAG: high_response_time_warning (msec) # If the one-minute median response time exceeds this value, # Squid prints a WARNING with debug level 0 to get the # administrators attention. The value is in milliseconds. #Default: -# high_response_time_warning 0 +# disabled. # TAG: high_page_fault_warning # If the one-minute average page fault rate exceeds this @@ -5742,14 +7909,17 @@ refresh_pattern . 0 20% 4320 # the administrators attention. The value is in page faults # per second. #Default: -# high_page_fault_warning 0 +# disabled. # TAG: high_memory_warning -# If the memory usage (as determined by mallinfo) exceeds -# this amount, Squid prints a WARNING with debug level 0 to get +# Note: This option is only available if Squid is rebuilt with the +# GNU Malloc with mstats() +# +# If the memory usage (as determined by gnumalloc, if available and used) +# exceeds this amount, Squid prints a WARNING with debug level 0 to get # the administrators attention. #Default: -# high_memory_warning 0 KB +# disabled. # TAG: sleep_after_fork (microseconds) # When this is set to a non-zero value, the main Squid process @@ -5766,6 +7936,9 @@ refresh_pattern . 0 20% 4320 # sleep_after_fork 0 # TAG: windows_ipaddrchangemonitor on|off +# Note: This option is only available if Squid is rebuilt with the +# MS Windows +# # On Windows Squid by default will monitor IP address changes and will # reconfigure itself after any detected event. This is very useful for # proxies connected to internet with dial-up interfaces. @@ -5775,13 +7948,19 @@ refresh_pattern . 0 20% 4320 #Default: # windows_ipaddrchangemonitor on +# TAG: eui_lookup +# Whether to lookup the EUI or MAC address of a connected client. +#Default: +# eui_lookup on + # TAG: max_filedescriptors -# The maximum number of filedescriptors supported. +# Reduce the maximum number of filedescriptors supported below +# the usual operating system defaults. # -# The default "0" means Squid inherits the current ulimit setting. +# Remove from squid.conf to inherit the current ulimit setting. # # Note: Changing this requires a restart of Squid. Also -# not all comm loops supports large values. +# not all I/O types supports large values (eg on Windows). #Default: -# max_filedescriptors 0 +# Use operating system limits set by ulimit. diff --git a/hosts/profitbricks-build9-amd64/etc/squid/squid.conf b/hosts/profitbricks-build9-amd64/etc/squid/squid.conf index bd709a30..ad1cdc47 100644 --- a/hosts/profitbricks-build9-amd64/etc/squid/squid.conf +++ b/hosts/profitbricks-build9-amd64/etc/squid/squid.conf @@ -1,4 +1,4 @@ -# WELCOME TO SQUID 3.1.20 +# WELCOME TO SQUID 3.5.23 # ---------------------------- # # This is the documentation for the Squid configuration file. @@ -32,6 +32,188 @@ # This arbitrary restriction is to prevent recursive include references # from causing Squid entering an infinite loop whilst trying to load # configuration files. +# +# Values with byte units +# +# Squid accepts size units on some size related directives. All +# such directives are documented with a default value displaying +# a unit. +# +# Units accepted by Squid are: +# bytes - byte +# KB - Kilobyte (1024 bytes) +# MB - Megabyte +# GB - Gigabyte +# +# Values with spaces, quotes, and other special characters +# +# Squid supports directive parameters with spaces, quotes, and other +# special characters. Surround such parameters with "double quotes". Use +# the configuration_includes_quoted_values directive to enable or +# disable that support. +# +# Squid supports reading configuration option parameters from external +# files using the syntax: +# parameters("/path/filename") +# For example: +# acl whitelist dstdomain parameters("/etc/squid/whitelist.txt") +# +# Conditional configuration +# +# If-statements can be used to make configuration directives +# depend on conditions: +# +# if +# ... regular configuration directives ... +# [else +# ... regular configuration directives ...] +# endif +# +# The else part is optional. The keywords "if", "else", and "endif" +# must be typed on their own lines, as if they were regular +# configuration directives. +# +# NOTE: An else-if condition is not supported. +# +# These individual conditions types are supported: +# +# true +# Always evaluates to true. +# false +# Always evaluates to false. +# = +# Equality comparison of two integer numbers. +# +# +# SMP-Related Macros +# +# The following SMP-related preprocessor macros can be used. +# +# ${process_name} expands to the current Squid process "name" +# (e.g., squid1, squid2, or cache1). +# +# ${process_number} expands to the current Squid process +# identifier, which is an integer number (e.g., 1, 2, 3) unique +# across all Squid processes of the current service instance. +# +# ${service_name} expands into the current Squid service instance +# name identifier which is provided by -n on the command line. +# + +# TAG: broken_vary_encoding +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: cache_vary +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: error_map +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: external_refresh_check +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: location_rewrite_program +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: refresh_stale_hit +# This option is not yet supported by Squid-3. +#Default: +# none + +# TAG: hierarchy_stoplist +# Remove this line. Use always_direct or cache_peer_access ACLs instead if you need to prevent cache_peer use. +#Default: +# none + +# TAG: log_access +# Remove this line. Use acls with access_log directives to control access logging +#Default: +# none + +# TAG: log_icap +# Remove this line. Use acls with icap_log directives to control icap logging +#Default: +# none + +# TAG: ignore_ims_on_miss +# Remove this line. The HTTP/1.1 feature is now configured by 'cache_miss_revalidate'. +#Default: +# none + +# TAG: chunked_request_body_max_size +# Remove this line. Squid is now HTTP/1.1 compliant. +#Default: +# none + +# TAG: dns_v4_fallback +# Remove this line. Squid performs a 'Happy Eyeballs' algorithm, the 'fallback' algorithm is no longer relevant. +#Default: +# none + +# TAG: emulate_httpd_log +# Replace this with an access_log directive using the format 'common' or 'combined'. +#Default: +# none + +# TAG: forward_log +# Use a regular access.log with ACL limiting it to MISS events. +#Default: +# none + +# TAG: ftp_list_width +# Remove this line. Configure FTP page display using the CSS controls in errorpages.css instead. +#Default: +# none + +# TAG: ignore_expect_100 +# Remove this line. The HTTP/1.1 feature is now fully supported by default. +#Default: +# none + +# TAG: log_fqdn +# Remove this option from your config. To log FQDN use %>A in the log format. +#Default: +# none + +# TAG: log_ip_on_direct +# Remove this option from your config. To log server or peer names use % -##auth_param negotiate children 5 +##auth_param negotiate children 20 startup=0 idle=1 ##auth_param negotiate keep_alive on ## -##auth_param ntlm program -##auth_param ntlm children 5 -##auth_param ntlm keep_alive on -## -##auth_param digest program -##auth_param digest children 5 +##auth_param digest program +##auth_param digest children 20 startup=0 idle=1 ##auth_param digest realm Squid proxy-caching web server ##auth_param digest nonce_garbage_interval 5 minutes ##auth_param digest nonce_max_duration 30 minutes ##auth_param digest nonce_max_count 50 ## +##auth_param ntlm program +##auth_param ntlm children 20 startup=0 idle=1 +##auth_param ntlm keep_alive on +## ##auth_param basic program -##auth_param basic children 5 +##auth_param basic children 5 startup=5 idle=1 ##auth_param basic realm Squid proxy-caching web server ##auth_param basic credentialsttl 2 hours #Default: @@ -343,7 +448,7 @@ # TAG: authenticate_cache_garbage_interval # The time period between garbage collection across the username cache. -# This is a tradeoff between memory utilization (long intervals - say +# This is a trade-off between memory utilization (long intervals - say # 2 days) and CPU (short intervals - say 1 minute). Only change if you # have good reason to. #Default: @@ -362,11 +467,11 @@ # this directive controls how long Squid remembers the IP # addresses associated with each user. Use a small value # (e.g., 60 seconds) if your users might change addresses -# quickly, as is the case with dialups. You might be safe +# quickly, as is the case with dialup. You might be safe # using a larger value (e.g., 2 hours) in a corporate LAN # environment with relatively static address assignments. #Default: -# authenticate_ip_ttl 0 seconds +# authenticate_ip_ttl 1 second # ACCESS CONTROLS # ----------------------------------------------------------------------------- @@ -381,31 +486,66 @@ # # ttl=n TTL in seconds for cached results (defaults to 3600 # for 1 hour) +# # negative_ttl=n # TTL for cached negative lookups (default same # as ttl) -# children=n Number of acl helper processes spawn to service +# +# grace=n Percentage remaining of TTL where a refresh of a +# cached entry should be initiated without needing to +# wait for a new reply. (default is for no grace period) +# +# cache=n The maximum number of entries in the result cache. The +# default limit is 262144 entries. Each cache entry usually +# consumes at least 256 bytes. Squid currently does not remove +# expired cache entries until the limit is reached, so a proxy +# will sooner or later reach the limit. The expanded FORMAT +# value is used as the cache key, so if the details in FORMAT +# are highly variable, a larger cache may be needed to produce +# reduction in helper load. +# +# children-max=n +# Maximum number of acl helper processes spawned to service # external acl lookups of this type. (default 5) +# +# children-startup=n +# Minimum number of acl helper processes to spawn during +# startup and reconfigure to service external acl lookups +# of this type. (default 0) +# +# children-idle=n +# Number of acl helper processes to keep ahead of traffic +# loads. Squid will spawn this many at once whenever load +# rises above the capabilities of existing processes. +# Up to the value of children-max. (default 1) +# # concurrency=n concurrency level per process. Only used with helpers # capable of processing more than one query at a time. -# cache=n result cache size, 0 is unbounded (default) -# grace=n Percentage remaining of TTL where a refresh of a -# cached entry should be initiated without needing to -# wait for a new reply. (default 0 for no grace period) -# protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers +# +# protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers. +# # ipv4 / ipv6 IP protocol used to communicate with this helper. # The default is to auto-detect IPv6 and use it when available. # +# # FORMAT specifications # # %LOGIN Authenticated user login name -# %EXT_USER Username from external acl +# %un A user name. Expands to the first available name +# from the following list of information sources: +# - authenticated user name, like %ul or %LOGIN +# - user name sent by an external ACL, like %EXT_USER +# - SSL client name, like %us in logformat +# - ident user name, like %ui in logformat +# %EXT_USER Username from previous external acl +# %EXT_LOG Log details from previous external acl +# %EXT_TAG Tag from previous external acl # %IDENT Ident user name # %SRC Client IP # %SRCPORT Client source port # %URI Requested URI # %DST Requested host -# %PROTO Requested protocol +# %PROTO Requested URL scheme # %PORT Requested port # %PATH Requested URL path # %METHOD Request method @@ -415,7 +555,10 @@ # %USER_CERT SSL User certificate in PEM format # %USER_CERTCHAIN SSL User certificate chain in PEM format # %USER_CERT_xx SSL User certificate subject attribute xx -# %USER_CA_xx SSL User certificate issuer attribute xx +# %USER_CA_CERT_xx SSL User certificate issuer attribute xx +# %ssl::>sni SSL client SNI sent to Squid +# %ssl::{Header} HTTP request header "Header" # %>{Hdr:member} @@ -433,43 +576,101 @@ # list separator. ; can be any non-alphanumeric # character. # +# %ACL The name of the ACL being tested. +# %DATA The ACL arguments. If not used then any arguments +# is automatically added at the end of the line +# sent to the helper. +# NOTE: this will encode the arguments as one token, +# whereas the default will pass each separately. +# # %% The percent sign. Useful for helpers which need # an unchanging input format. # -# In addition to the above, any string specified in the referencing -# acl will also be included in the helper request line, after the -# specified formats (see the "acl external" directive) # -# The helper receives lines per the above format specification, -# and returns lines starting with OK or ERR indicating the validity -# of the request and optionally followed by additional keywords with -# more details. +# General request syntax: +# +# [channel-ID] FORMAT-values [acl-values ...] +# +# +# FORMAT-values consists of transaction details expanded with +# whitespace separation per the config file FORMAT specification +# using the FORMAT macros listed above. +# +# acl-values consists of any string specified in the referencing +# config 'acl ... external' line. see the "acl external" directive. +# +# Request values sent to the helper are URL escaped to protect +# each value in requests against whitespaces. +# +# If using protocol=2.5 then the request sent to the helper is not +# URL escaped to protect against whitespace. +# +# NOTE: protocol=3.0 is deprecated as no longer necessary. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# +# The helper receives lines expanded per the above format specification +# and for each input line returns 1 line starting with OK/ERR/BH result +# code and optionally followed by additional keywords with more details. +# # # General result syntax: # -# OK/ERR keyword=value ... +# [channel-ID] result keyword=value ... +# +# Result consists of one of the codes: +# +# OK +# the ACL test produced a match. +# +# ERR +# the ACL test does not produce a match. +# +# BH +# An internal error occurred in the helper, preventing +# a result being identified. +# +# The meaning of 'a match' is determined by your squid.conf +# access control configuration. See the Squid wiki for details. # # Defined keywords: # # user= The users name (login) +# # password= The users password (for login= cache_peer option) -# message= Message describing the reason. Available as %o -# in error pages -# tag= Apply a tag to a request (for both ERR and OK results) -# Only sets a tag, does not alter existing tags. +# +# message= Message describing the reason for this response. +# Available as %o in error pages. +# Useful on (ERR and BH results). +# +# tag= Apply a tag to a request. Only sets a tag once, +# does not alter existing tags. +# # log= String to be logged in access.log. Available as -# %ea in logformat specifications +# %ea in logformat specifications. # -# If protocol=3.0 (the default) then URL escaping is used to protect -# each value in both requests and responses. +# clt_conn_tag= Associates a TAG with the client TCP connection. +# Please see url_rewrite_program related documentation +# for this kv-pair. # -# If using protocol=2.5 then all values need to be enclosed in quotes -# if they may contain whitespace, or the whitespace escaped using \. -# And quotes or \ characters within the keyword value must be \ escaped. +# Any keywords may be sent on any response whether OK, ERR or BH. # -# When using the concurrency= option the protocol is changed by -# introducing a query channel tag infront of the request/response. -# The query channel tag is a number between 0 and concurrency-1. +# All response keyword values need to be a single token with URL +# escaping, or enclosed in double quotes (") and escaped using \ on +# any double quotes or \ characters within the value. The wrapping +# double quotes are removed before the value is interpreted by Squid. +# \r and \n are also replace by CR and LF. +# +# Some example key values: +# +# user=John%20Smith +# user="John Smith" +# user="J. \"Bob\" Smith" #Default: # none @@ -485,9 +686,23 @@ # # When using "file", the file should contain one item per line. # -# By default, regular expressions are CASE-SENSITIVE. -# To make them case-insensitive, use the -i option. To return case-sensitive -# use the +i option between patterns, or make a new ACL line without -i. +# Some acl types supports options which changes their default behaviour. +# The available options are: +# +# -i,+i By default, regular expressions are CASE-SENSITIVE. To make them +# case-insensitive, use the -i option. To return case-sensitive +# use the +i option between patterns, or make a new ACL line +# without -i. +# +# -n Disable lookups and address type conversions. If lookup or +# conversion is required because the parameter type (IP or +# domain name) does not match the message address type (domain +# name or IP), then the ACL would immediately declare a mismatch +# without any warnings or lookups. +# +# -- Used to stop processing all options, in the case the first acl +# value has '-' character as first character (for example the '-' +# is a valid domain name) # # Some acl types require suspending the current request in order # to access some external data source. @@ -498,29 +713,31 @@ # # ***** ACL TYPES AVAILABLE ***** # -# acl aclname src ip-address/netmask ... # clients IP address [fast] -# acl aclname src addr1-addr2/netmask ... # range of addresses [fast] -# acl aclname dst ip-address/netmask ... # URL host's IP address [slow] -# acl aclname myip ip-address/netmask ... # local socket IP address [fast] +# acl aclname src ip-address/mask ... # clients IP address [fast] +# acl aclname src addr1-addr2/mask ... # range of addresses [fast] +# acl aclname dst [-n] ip-address/mask ... # URL host's IP address [slow] +# acl aclname localip ip-address/mask ... # IP address the client connected to [fast] # # acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation) -# # The arp ACL requires the special configure option --enable-arp-acl. -# # Furthermore, the ARP ACL code is not portable to all operating systems. -# # It works on Linux, Solaris, Windows, FreeBSD, and some -# # other *BSD variants. # # [fast] +# # The 'arp' ACL code is not portable to all operating systems. +# # It works on Linux, Solaris, Windows, FreeBSD, and some other +# # BSD variants. +# # +# # NOTE: Squid can only determine the MAC/EUI address for IPv4 +# # clients that are on the same subnet. If the client is on a +# # different subnet, then Squid cannot find out its address. # # -# # NOTE: Squid can only determine the MAC address for clients that are on -# # the same subnet. If the client is on a different subnet, -# # then Squid cannot find out its MAC address. +# # NOTE 2: IPv6 protocol does not contain ARP. MAC/EUI is either +# # encoded directly in the IPv6 address or not available. # # acl aclname srcdomain .foo.com ... # # reverse lookup, from client IP [slow] -# acl aclname dstdomain .foo.com ... +# acl aclname dstdomain [-n] .foo.com ... # # Destination server from URL [fast] # acl aclname srcdom_regex [-i] \.foo\.com ... # # regex matching client name [slow] -# acl aclname dstdom_regex [-i] \.foo\.com ... +# acl aclname dstdom_regex [-n] [-i] \.foo\.com ... # # regex matching server [fast] # # # # For dstdomain and dstdom_regex a reverse lookup is tried if a IP @@ -557,13 +774,17 @@ # # acl aclname url_regex [-i] ^http:// ... # # regex matching on whole URL [fast] +# acl aclname urllogin [-i] [^a-zA-Z0-9] ... +# # regex matching on URL login field # acl aclname urlpath_regex [-i] \.gif$ ... # # regex matching on URL path [fast] # # acl aclname port 80 70 21 0-1024... # destination TCP port [fast] # # ranges are alloed -# acl aclname myport 3128 ... # local socket TCP port [fast] -# acl aclname myportname 3128 ... # http(s)_port name [fast] +# acl aclname localport 3128 ... # TCP port the client connected to [fast] +# # NP: for interception mode this is usually '80' +# +# acl aclname myportname 3128 ... # *_port name [fast] # # acl aclname proto HTTP FTP ... # request protocol [fast] # @@ -632,6 +853,11 @@ # # clients may appear to come from multiple addresses if they are # # going through proxy farms, so a limit of 1 may cause user problems. # +# acl aclname random probability +# # Pseudo-randomly match requests. Based on the probability given. +# # Probability may be written as a decimal (0.333), fraction (1/3) +# # or ratio of matches:non-matches (3:5). +# # acl aclname req_mime_type [-i] mime-type ... # # regex match against the mime type of the request generated # # by the client. Can be used to detect file upload or some @@ -663,11 +889,11 @@ # # acl aclname user_cert attribute values... # # match against attributes in a user SSL certificate -# # attribute is one of DN/C/O/CN/L/ST [fast] +# # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast] # # acl aclname ca_cert attribute values... # # match against attributes a users issuing CA SSL certificate -# # attribute is one of DN/C/O/CN/L/ST [fast] +# # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast] # # acl aclname ext_user username ... # acl aclname ext_user_regex [-i] pattern ... @@ -675,7 +901,59 @@ # # use REQUIRED to accept any non-null user name. # # acl aclname tag tagvalue ... -# # string match on tag returned by external acl helper [slow] +# # string match on tag returned by external acl helper [fast] +# # DEPRECATED. Only the first tag will match with this ACL. +# # Use the 'note' ACL instead for handling multiple tag values. +# +# acl aclname hier_code codename ... +# # string match against squid hierarchy code(s); [fast] +# # e.g., DIRECT, PARENT_HIT, NONE, etc. +# # +# # NOTE: This has no effect in http_access rules. It only has +# # effect in rules that affect the reply data stream such as +# # http_reply_access. +# +# acl aclname note name [value ...] +# # match transaction annotation [fast] +# # Without values, matches any annotation with a given name. +# # With value(s), matches any annotation with a given name that +# # also has one of the given values. +# # Names and values are compared using a string equality test. +# # Annotation sources include note and adaptation_meta directives +# # as well as helper and eCAP responses. +# +# acl aclname adaptation_service service ... +# # Matches the name of any icap_service, ecap_service, +# # adaptation_service_set, or adaptation_service_chain that Squid +# # has used (or attempted to use) for the master transaction. +# # This ACL must be defined after the corresponding adaptation +# # service is named in squid.conf. This ACL is usable with +# # adaptation_meta because it starts matching immediately after +# # the service has been selected for adaptation. +# +# acl aclname any-of acl1 acl2 ... +# # match any one of the acls [fast or slow] +# # The first matching ACL stops further ACL evaluation. +# # +# # ACLs from multiple any-of lines with the same name are ORed. +# # For example, A = (a1 or a2) or (a3 or a4) can be written as +# # acl A any-of a1 a2 +# # acl A any-of a3 a4 +# # +# # This group ACL is fast if all evaluated ACLs in the group are fast +# # and slow otherwise. +# +# acl aclname all-of acl1 acl2 ... +# # match all of the acls [fast or slow] +# # The first mismatching ACL stops further ACL evaluation. +# # +# # ACLs from multiple all-of lines with the same name are ORed. +# # For example, B = (b1 and b2) or (b3 and b4) can be written as +# # acl B all-of b1 b2 +# # acl B all-of b3 b4 +# # +# # This group ACL is fast if all evaluated ACLs in the group are fast +# # and slow otherwise. # # Examples: # acl macaddress arp 09:00:2b:23:45:67 @@ -685,19 +963,16 @@ # acl javascript rep_mime_type -i ^application/x-javascript$ # #Default: -# acl all src all +# ACLs all, manager, localhost, and to_localhost are predefined. # # # Recommended minimum configuration: -# (now built-in) -#acl manager proto cache_object -#acl localhost src 127.0.0.1/32 ::1 -#acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1 +# # Example rule allowing access from your local networks. # Adapt to list your (internal) IP networks from where browsing # should be allowed -#acl localnet src 10.0.0.0/8 # RFC1918 possible internal network +acl localnet src 10.0.0.0/8 # RFC1918 possible internal network #acl localnet src 172.16.0.0/12 # RFC1918 possible internal network #acl localnet src 192.168.0.0/16 # RFC1918 possible internal network #acl localnet src fc00::/7 # RFC 4193 local private network range @@ -716,39 +991,83 @@ acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT +# TAG: proxy_protocol_access +# Determine which client proxies can be trusted to provide correct +# information regarding real client IP address using PROXY protocol. +# +# Requests may pass through a chain of several other proxies +# before reaching us. The original source details may by sent in: +# * HTTP message Forwarded header, or +# * HTTP message X-Forwarded-For header, or +# * PROXY protocol connection header. +# +# This directive is solely for validating new PROXY protocol +# connections received from a port flagged with require-proxy-header. +# It is checked only once after TCP connection setup. +# +# A deny match results in TCP connection closure. +# +# An allow match is required for Squid to permit the corresponding +# TCP connection, before Squid even looks for HTTP request headers. +# If there is an allow match, Squid starts using PROXY header information +# to determine the source address of the connection for all future ACL +# checks, logging, etc. +# +# SECURITY CONSIDERATIONS: +# +# Any host from which we accept client IP details can place +# incorrect information in the relevant header, and Squid +# will use the incorrect information as if it were the +# source address of the request. This may enable remote +# hosts to bypass any access control restrictions that are +# based on the client's source addresses. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# all TCP connections to ports with require-proxy-header will be denied + # TAG: follow_x_forwarded_for -# Allowing or Denying the X-Forwarded-For header to be followed to -# find the original source of a request. +# Determine which client proxies can be trusted to provide correct +# information regarding real client IP address. # # Requests may pass through a chain of several other proxies -# before reaching us. The X-Forwarded-For header will contain a -# comma-separated list of the IP addresses in the chain, with the -# rightmost address being the most recent. +# before reaching us. The original source details may by sent in: +# * HTTP message Forwarded header, or +# * HTTP message X-Forwarded-For header, or +# * PROXY protocol connection header. +# +# PROXY protocol connections are controlled by the proxy_protocol_access +# directive which is checked before this. # # If a request reaches us from a source that is allowed by this -# configuration item, then we consult the X-Forwarded-For header -# to see where that host received the request from. If the -# X-Forwarded-For header contains multiple addresses, we continue -# backtracking until we reach an address for which we are not allowed -# to follow the X-Forwarded-For header, or until we reach the first -# address in the list. For the purpose of ACL used in the -# follow_x_forwarded_for directive the src ACL type always matches -# the address we are testing and srcdomain matches its rDNS. +# directive, then we trust the information it provides regarding +# the IP of the client it received from (if any). +# +# For the purpose of ACLs used in this directive the src ACL type always +# matches the address we are testing and srcdomain matches its rDNS. +# +# On each HTTP request Squid checks for X-Forwarded-For header fields. +# If found the header values are iterated in reverse order and an allow +# match is required for Squid to continue on to the next value. +# The verification ends when a value receives a deny match, cannot be +# tested, or there are no more values to test. +# NOTE: Squid does not yet follow the Forwarded HTTP header. # # The end result of this process is an IP address that we will # refer to as the indirect client address. This address may # be treated as the client address for access control, ICAP, delay # pools and logging, depending on the acl_uses_indirect_client, -# icap_uses_indirect_client, delay_pool_uses_indirect_client and -# log_uses_indirect_client options. +# icap_uses_indirect_client, delay_pool_uses_indirect_client, +# log_uses_indirect_client and tproxy_uses_indirect_client options. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # # SECURITY CONSIDERATIONS: # -# Any host for which we follow the X-Forwarded-For header -# can place incorrect information in the header, and Squid +# Any host from which we accept client IP details can place +# incorrect information in the relevant header, and Squid # will use the incorrect information as if it were the # source address of the request. This may enable remote # hosts to bypass any access control restrictions that are @@ -761,7 +1080,7 @@ acl CONNECT method CONNECT # follow_x_forwarded_for allow localhost # follow_x_forwarded_for allow my_other_proxy #Default: -# follow_x_forwarded_for deny all +# X-Forwarded-For header will be ignored. # TAG: acl_uses_indirect_client on|off # Controls whether the indirect client address @@ -787,10 +1106,41 @@ acl CONNECT method CONNECT #Default: # log_uses_indirect_client on +# TAG: tproxy_uses_indirect_client on|off +# Controls whether the indirect client address +# (see follow_x_forwarded_for) is used instead of the +# direct client address when spoofing the outgoing client. +# +# This has no effect on requests arriving in non-tproxy +# mode ports. +# +# SECURITY WARNING: Usage of this option is dangerous +# and should not be used trivially. Correct configuration +# of follow_x_forwarded_for with a limited set of trusted +# sources is required to prevent abuse of your proxy. +#Default: +# tproxy_uses_indirect_client off + +# TAG: spoof_client_ip +# Control client IP address spoofing of TPROXY traffic based on +# defined access lists. +# +# spoof_client_ip allow|deny [!]aclname ... +# +# If there are no "spoof_client_ip" lines present, the default +# is to "allow" spoofing of any suitable request. +# +# Note that the cache_peer "no-tproxy" option overrides this ACL. +# +# This clause supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# Allow spoofing on all TPROXY traffic. + # TAG: http_access # Allowing or Denying access based on defined access lists # -# Access to the HTTP port: +# To allow or deny a message received on an HTTP, HTTPS, or FTP port: # http_access allow|deny [!]aclname ... # # NOTE on default values: @@ -809,22 +1159,22 @@ acl CONNECT method CONNECT # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # #Default: -# http_access deny all +# Deny, unless rules exist in squid.conf. # # # Recommended minimum Access Permission configuration: # -# Only allow cachemgr access from localhost -http_access allow manager localhost -http_access deny manager - # Deny requests to certain unsafe ports http_access deny !Safe_ports # Deny CONNECT to other than secure SSL ports http_access deny CONNECT !SSL_ports +# Only allow cachemgr access from localhost +http_access allow localhost manager +http_access deny manager + # We strongly recommend the following be uncommented to protect innocent # web applications running on the proxy server who think the only # one who can access services on "localhost" is a local user @@ -837,7 +1187,7 @@ http_access deny CONNECT !SSL_ports # Example rule allowing access from your local networks. # Adapt localnet in the ACL section to list your (internal) IP networks # from where browsing should be allowed -#http_access allow localnet +http_access allow localnet http_access allow localhost # And finally deny all other access to this proxy @@ -852,7 +1202,7 @@ http_access deny all # # If not set then only http_access is used. #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: http_reply_access # Allow replies to client requests. This is complementary to http_access. @@ -860,7 +1210,7 @@ http_access deny all # http_reply_access allow|deny [!] aclname ... # # NOTE: if there are no access lines present, the default is to allow -# all replies +# all replies. # # If none of the access lines cause a match the opposite of the # last line will apply. Thus it is good practice to end the rules @@ -869,7 +1219,7 @@ http_access deny all # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: icp_access # Allowing or Denying access to the ICP port based on defined @@ -877,7 +1227,9 @@ http_access deny all # # icp_access allow|deny [!]aclname ... # -# See http_access for details +# NOTE: The default if no icp_access lines are present is to +# deny all traffic. This default may cause problems with peers +# using ICP. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. @@ -886,7 +1238,7 @@ http_access deny all ##icp_access allow localnet ##icp_access deny all #Default: -# icp_access deny all +# Deny, unless rules exist in squid.conf. # TAG: htcp_access # Allowing or Denying access to the HTCP port based on defined @@ -894,11 +1246,12 @@ http_access deny all # # htcp_access allow|deny [!]aclname ... # -# See http_access for details +# See also htcp_clr_access for details on access control for +# cache purge (CLR) HTCP messages. # # NOTE: The default if no htcp_access lines are present is to # deny all traffic. This default may cause problems with peers -# using the htcp or htcp-oldsquid options. +# using the htcp option. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. @@ -907,48 +1260,47 @@ http_access deny all ##htcp_access allow localnet ##htcp_access deny all #Default: -# htcp_access deny all +# Deny, unless rules exist in squid.conf. # TAG: htcp_clr_access # Allowing or Denying access to purge content using HTCP based -# on defined access lists +# on defined access lists. +# See htcp_access for details on general HTCP access control. # # htcp_clr_access allow|deny [!]aclname ... # -# See http_access for details -# # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # ## Allow HTCP CLR requests from trusted peers -#acl htcp_clr_peer src 172.16.1.2 +#acl htcp_clr_peer src 192.0.2.2 2001:DB8::2 #htcp_clr_access allow htcp_clr_peer +#htcp_clr_access deny all #Default: -# htcp_clr_access deny all +# Deny, unless rules exist in squid.conf. # TAG: miss_access -# Determins whether network access is permitted when satisfying a request. +# Determines whether network access is permitted when satisfying a request. # # For example; # to force your neighbors to use you as a sibling instead of # a parent. # -# acl localclients src 172.16.0.0/16 -# miss_access allow localclients +# acl localclients src 192.0.2.0/24 2001:DB8::a:0/64 # miss_access deny !localclients +# miss_access allow all # # This means only your local clients are allowed to fetch relayed/MISS # replies from the network and all other clients can only fetch cached # objects (HITs). # -# # The default for this setting allows all clients who passed the # http_access rules to relay via this proxy. # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# miss_access allow all +# Allow, unless rules exist in squid.conf. # TAG: ident_lookup_access # A list of ACL elements which, if matched, cause an ident @@ -972,7 +1324,7 @@ http_access deny all # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# ident_lookup_access deny all +# Unless rules exist in squid.conf, IDENT is not fetched. # TAG: reply_body_max_size size [acl acl...] # This option specifies the maximum size of a reply body. It can be @@ -1009,23 +1361,22 @@ http_access deny all # reply_body_max_size 10 MB # #Default: -# none +# No limit is applied. # NETWORK OPTIONS # ----------------------------------------------------------------------------- # TAG: http_port -# Usage: port [options] -# hostname:port [options] -# 1.2.3.4:port [options] +# Usage: port [mode] [options] +# hostname:port [mode] [options] +# 1.2.3.4:port [mode] [options] # # The socket addresses where Squid will listen for HTTP client # requests. You may specify multiple socket addresses. # There are three forms: port alone, hostname with port, and # IP address with port. If you specify a hostname or IP # address, Squid binds the socket to that specific -# address. This replaces the old 'tcp_incoming_address' -# option. Most likely, you do not need to bind to a specific +# address. Most likely, you do not need to bind to a specific # address, so you can use the port number alone. # # If you are running Squid in accelerator mode, you @@ -1037,48 +1388,184 @@ http_access deny all # # You may specify multiple socket addresses on multiple lines. # -# Options: +# Modes: # -# intercept Support for IP-Layer interception of -# outgoing requests without browser settings. -# NP: disables authentication and IPv6 on the port. +# intercept Support for IP-Layer NAT interception delivering +# traffic to this Squid port. +# NP: disables authentication on the port. # -# tproxy Support Linux TPROXY for spoofing outgoing -# connections using the client IP address. -# NP: disables authentication and maybe IPv6 on the port. +# tproxy Support Linux TPROXY (or BSD divert-to) with spoofing +# of outgoing connections using the client IP address. +# NP: disables authentication on the port. # -# accel Accelerator mode. Also needs at least one of -# vhost / vport / defaultsite. +# accel Accelerator / reverse proxy mode # -# allow-direct Allow direct forwarding in accelerator mode. Normally -# accelerated requests are denied direct forwarding as if -# never_direct was used. +# ssl-bump For each CONNECT request allowed by ssl_bump ACLs, +# establish secure connection with the client and with +# the server, decrypt HTTPS messages as they pass through +# Squid, and treat them as unencrypted HTTP messages, +# becoming the man-in-the-middle. # -# defaultsite=domainname -# What to use for the Host: header if it is not present -# in a request. Determines what site (not origin server) -# accelerators should consider the default. -# Implies accel. +# The ssl_bump option is required to fully enable +# bumping of CONNECT requests. +# +# Omitting the mode flag causes default forward proxy mode to be used. +# +# +# Accelerator Mode Options: +# +# defaultsite=domainname +# What to use for the Host: header if it is not present +# in a request. Determines what site (not origin server) +# accelerators should consider the default. # -# vhost Accelerator mode using Host header for virtual domain support. -# Also uses the port as specified in Host: header unless -# overridden by the vport option. Implies accel. +# no-vhost Disable using HTTP/1.1 Host header for virtual domain support. +# +# protocol= Protocol to reconstruct accelerated and intercepted +# requests with. Defaults to HTTP/1.1 for http_port and +# HTTPS/1.1 for https_port. +# When an unsupported value is configured Squid will +# produce a FATAL error. +# Values: HTTP or HTTP/1.1, HTTPS or HTTPS/1.1 # # vport Virtual host port support. Using the http_port number -# instead of the port passed on Host: headers. Implies accel. +# instead of the port passed on Host: headers. # # vport=NN Virtual host port support. Using the specified port # number instead of the port passed on Host: headers. -# Implies accel. # -# protocol= Protocol to reconstruct accelerated requests with. -# Defaults to http. +# act-as-origin +# Act as if this Squid is the origin server. +# This currently means generate new Date: and Expires: +# headers on HIT instead of adding Age:. # # ignore-cc Ignore request Cache-Control headers. # -# Warning: This option violates HTTP specifications if +# WARNING: This option violates HTTP specifications if # used in non-accelerator setups. # +# allow-direct Allow direct forwarding in accelerator mode. Normally +# accelerated requests are denied direct forwarding as if +# never_direct was used. +# +# WARNING: this option opens accelerator mode to security +# vulnerabilities usually only affecting in interception +# mode. Make sure to protect forwarding with suitable +# http_access rules when using this. +# +# +# SSL Bump Mode Options: +# In addition to these options ssl-bump requires TLS/SSL options. +# +# generate-host-certificates[=] +# Dynamically create SSL server certificates for the +# destination hosts of bumped CONNECT requests.When +# enabled, the cert and key options are used to sign +# generated certificates. Otherwise generated +# certificate will be selfsigned. +# If there is a CA certificate lifetime of the generated +# certificate equals lifetime of the CA certificate. If +# generated certificate is selfsigned lifetime is three +# years. +# This option is disabled by default. See the ssl-bump +# option above for more information. +# +# dynamic_cert_mem_cache_size=SIZE +# Approximate total RAM size spent on cached generated +# certificates. If set to zero, caching is disabled. +# +# TLS / SSL Options: +# +# cert= Path to SSL certificate (PEM format). +# +# key= Path to SSL private key file (PEM format) +# if not specified, the certificate file is +# assumed to be a combined certificate and +# key file. +# +# version= The version of SSL/TLS supported +# 1 automatic (default) +# 2 SSLv2 only +# 3 SSLv3 only +# 4 TLSv1.0 only +# 5 TLSv1.1 only +# 6 TLSv1.2 only +# +# cipher= Colon separated list of supported ciphers. +# NOTE: some ciphers such as EDH ciphers depend on +# additional settings. If those settings are +# omitted the ciphers may be silently ignored +# by the OpenSSL library. +# +# options= Various SSL implementation options. The most important +# being: +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# SINGLE_DH_USE Always create a new key when using +# temporary/ephemeral DH key exchanges +# NO_TICKET Disables TLS tickets extension +# +# SINGLE_ECDH_USE +# Enable ephemeral ECDH key exchange. +# The adopted curve should be specified +# using the tls-dh option. +# +# ALL Enable various bug workarounds +# suggested as "harmless" by OpenSSL +# Be warned that this reduces SSL/TLS +# strength to some attacks. +# See OpenSSL SSL_CTX_set_options documentation for a +# complete list of options. +# +# clientca= File containing the list of CAs to use when +# requesting a client certificate. +# +# cafile= File containing additional CA certificates to +# use when verifying client certificates. If unset +# clientca will be used. +# +# capath= Directory containing additional CA certificates +# and CRL lists to use when verifying client certificates. +# +# crlfile= File of additional CRL lists to use when verifying +# the client certificate, in addition to CRLs stored in +# the capath. Implies VERIFY_CRL flag below. +# +# tls-dh=[curve:]file +# File containing DH parameters for temporary/ephemeral DH key +# exchanges, optionally prefixed by a curve for ephemeral ECDH +# key exchanges. +# See OpenSSL documentation for details on how to create the +# DH parameter file. Supported curves for ECDH can be listed +# using the "openssl ecparam -list_curves" command. +# WARNING: EDH and EECDH ciphers will be silently disabled if +# this option is not set. +# +# sslflags= Various flags modifying the use of SSL: +# DELAYED_AUTH +# Don't request client certificates +# immediately, but wait until acl processing +# requires a certificate (not yet implemented). +# NO_DEFAULT_CA +# Don't use the default CA lists built in +# to OpenSSL. +# NO_SESSION_REUSE +# Don't allow for session reuse. Each connection +# will result in a new SSL session. +# VERIFY_CRL +# Verify CRL lists when accepting client +# certificates. +# VERIFY_CRL_ALL +# Verify CRL lists for all certificates in the +# client certificate chain. +# +# sslcontext= SSL session ID context identifier. +# +# Other Options: +# # connection-auth[=on|off] # use connection-auth=off to tell Squid to prevent # forwarding Microsoft connection oriented authentication @@ -1100,22 +1587,6 @@ http_access deny all # sporadically hang or never complete requests set # disable-pmtu-discovery option to 'transparent'. # -# ssl-bump Intercept each CONNECT request matching ssl_bump ACL, -# establish secure connection with the client and with -# the server, decrypt HTTP messages as they pass through -# Squid, and treat them as unencrypted HTTP messages, -# becoming the man-in-the-middle. -# -# When this option is enabled, additional options become -# available to specify SSL-related properties of the -# client-side connection: cert, key, version, cipher, -# options, clientca, cafile, capath, crlfile, dhparams, -# sslflags, and sslcontext. See the https_port directive -# for more information on these options. -# -# The ssl_bump option is required to fully enable -# the SslBump feature. -# # name= Specifies a internal name for the port. Defaults to # the port specification (port or addr:port) # @@ -1125,6 +1596,11 @@ http_access deny all # probing the connection, interval how often to probe, and # timeout the time before giving up. # +# require-proxy-header +# Require PROXY protocol version 1 or 2 connections. +# The proxy_protocol_access is required to whitelist +# downstream proxies which can be trusted. +# # If you run Squid on a dual-homed machine with an internal # and an external interface we recommend you to specify the # internal address:port in http_port. This way Squid will only be @@ -1137,35 +1613,49 @@ http_port 3128 # TAG: https_port # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # -# Usage: [ip:]port cert=certificate.pem [key=key.pem] [options...] +# Usage: [ip:]port cert=certificate.pem [key=key.pem] [mode] [options...] # -# The socket address where Squid will listen for HTTPS client -# requests. +# The socket address where Squid will listen for client requests made +# over TLS or SSL connections. Commonly referred to as HTTPS. # -# This is really only useful for situations where you are running -# squid in accelerator mode and you want to do the SSL work at the -# accelerator level. +# This is most useful for situations where you are running squid in +# accelerator mode and you want to do the SSL work at the accelerator level. # # You may specify multiple socket addresses on multiple lines, # each with their own SSL certificate and/or options. # -# Options: +# Modes: # -# accel Accelerator mode. Also needs at least one of -# defaultsite or vhost. +# accel Accelerator / reverse proxy mode # -# defaultsite= The name of the https site presented on -# this port. Implies accel. +# intercept Support for IP-Layer interception of +# outgoing requests without browser settings. +# NP: disables authentication and IPv6 on the port. # -# vhost Accelerator mode using Host header for virtual -# domain support. Requires a wildcard certificate -# or other certificate valid for more than one domain. -# Implies accel. +# tproxy Support Linux TPROXY for spoofing outgoing +# connections using the client IP address. +# NP: disables authentication and maybe IPv6 on the port. +# +# ssl-bump For each intercepted connection allowed by ssl_bump +# ACLs, establish a secure connection with the client and with +# the server, decrypt HTTPS messages as they pass through +# Squid, and treat them as unencrypted HTTP messages, +# becoming the man-in-the-middle. +# +# An "ssl_bump server-first" match is required to +# fully enable bumping of intercepted SSL connections. +# +# Requires tproxy or intercept. +# +# Omitting the mode flag causes default forward proxy mode to be used. +# +# +# See http_port for a list of generic options # -# protocol= Protocol to reconstruct accelerated requests with. -# Defaults to https. +# +# SSL Options: # # cert= Path to SSL certificate (PEM format). # @@ -1181,20 +1671,23 @@ http_port 3128 # 4 TLSv1 only # # cipher= Colon separated list of supported ciphers. -# NOTE: some ciphers such as EDH ciphers depend on -# additional settings. If those settings are -# omitted the ciphers may be silently ignored -# by the OpenSSL library. # # options= Various SSL engine options. The most important # being: # NO_SSLv2 Disallow the use of SSLv2 # NO_SSLv3 Disallow the use of SSLv3 # NO_TLSv1 Disallow the use of TLSv1 +# # SINGLE_DH_USE Always create a new key when using # temporary/ephemeral DH key exchanges -# See OpenSSL SSL_CTX_set_options documentation for a -# complete list of options. +# +# SINGLE_ECDH_USE +# Enable ephemeral ECDH key exchange. +# The adopted curve should be specified +# using the tls-dh option. +# +# See src/ssl_support.c or OpenSSL SSL_CTX_set_options +# documentation for a complete list of options. # # clientca= File containing the list of CAs to use when # requesting a client certificate. @@ -1210,11 +1703,10 @@ http_port 3128 # the client certificate, in addition to CRLs stored in # the capath. Implies VERIFY_CRL flag below. # -# dhparams= File containing DH parameters for temporary/ephemeral -# DH key exchanges. See OpenSSL documentation for details -# on how to create this file. -# WARNING: EDH ciphers will be silently disabled if this -# option is not set. +# tls-dh=[curve:]file +# File containing DH parameters for temporary/ephemeral DH key +# exchanges, optionally prefixed by a curve for ephemeral ECDH +# key exchanges. # # sslflags= Various flags modifying the use of SSL: # DELAYED_AUTH @@ -1238,38 +1730,89 @@ http_port 3128 # # generate-host-certificates[=] # Dynamically create SSL server certificates for the -# destination hosts of bumped CONNECT requests.When +# destination hosts of bumped SSL requests.When # enabled, the cert and key options are used to sign # generated certificates. Otherwise generated # certificate will be selfsigned. -# If there is CA certificate life time of generated +# If there is CA certificate life time of generated # certificate equals lifetime of CA certificate. If -# generated certificate is selfsigned lifetime is three +# generated certificate is selfsigned lifetime is three # years. -# This option is enabled by default when SslBump is used. -# See the sslBump option above for more information. -# +# This option is disabled by default. See the ssl-bump +# option above for more information. +# # dynamic_cert_mem_cache_size=SIZE # Approximate total RAM size spent on cached generated -# certificates. If set to zero, caching is disabled. The -# default value is 4MB. An average XXX-bit certificate -# consumes about XXX bytes of RAM. +# certificates. If set to zero, caching is disabled. # -# vport Accelerator with IP based virtual host support. +# See http_port for a list of available options. +#Default: +# none + +# TAG: ftp_port +# Enables Native FTP proxy by specifying the socket address where Squid +# listens for FTP client requests. See http_port directive for various +# ways to specify the listening address and mode. # -# vport=NN As above, but uses specified port number rather -# than the https_port number. Implies accel. +# Usage: ftp_port address [mode] [options] # -# name= Specifies a internal name for the port. Defaults to -# the port specification (port or addr:port) +# WARNING: This is a new, experimental, complex feature that has seen +# limited production exposure. Some Squid modules (e.g., caching) do not +# currently work with native FTP proxying, and many features have not +# even been tested for compatibility. Test well before deploying! +# +# Native FTP proxying differs substantially from proxying HTTP requests +# with ftp:// URIs because Squid works as an FTP server and receives +# actual FTP commands (rather than HTTP requests with FTP URLs). # +# Native FTP commands accepted at ftp_port are internally converted or +# wrapped into HTTP-like messages. The same happens to Native FTP +# responses received from FTP origin servers. Those HTTP-like messages +# are shoveled through regular access control and adaptation layers +# between the FTP client and the FTP origin server. This allows Squid to +# examine, adapt, block, and log FTP exchanges. Squid reuses most HTTP +# mechanisms when shoveling wrapped FTP messages. For example, +# http_access and adaptation_access directives are used. +# +# Modes: +# +# intercept Same as http_port intercept. The FTP origin address is +# determined based on the intended destination of the +# intercepted connection. +# +# tproxy Support Linux TPROXY for spoofing outgoing +# connections using the client IP address. +# NP: disables authentication and maybe IPv6 on the port. +# +# By default (i.e., without an explicit mode option), Squid extracts the +# FTP origin address from the login@origin parameter of the FTP USER +# command. Many popular FTP clients support such native FTP proxying. +# +# Options: +# +# name=token Specifies an internal name for the port. Defaults to +# the port address. Usable with myportname ACL. +# +# ftp-track-dirs +# Enables tracking of FTP directories by injecting extra +# PWD commands and adjusting Request-URI (in wrapping +# HTTP requests) to reflect the current FTP server +# directory. Tracking is disabled by default. +# +# protocol=FTP Protocol to reconstruct accelerated and intercepted +# requests with. Defaults to FTP. No other accepted +# values have been tested with. An unsupported value +# results in a FATAL error. Accepted values are FTP, +# HTTP (or HTTP/1.1), and HTTPS (or HTTPS/1.1). +# +# Other http_port modes and options that are not specific to HTTP and +# HTTPS may also work. #Default: # none # TAG: tcp_outgoing_tos -# Allows you to select a TOS/Diffserv value to mark outgoing -# connections with, based on the username or source address -# making the request. +# Allows you to select a TOS/Diffserv value for packets outgoing +# on the server side, based on an ACL. # # tcp_outgoing_tos ds-field [!]aclname ... # @@ -1286,41 +1829,116 @@ http_port 3128 # RFC2475, and RFC3260. # # The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or -# "default" to use whatever default your host has. Note that in -# practice often only multiples of 4 is usable as the two rightmost bits -# have been redefined for use by ECN (RFC 3168 section 23.1). +# "default" to use whatever default your host has. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. # # Processing proceeds in the order specified, and stops at first fully # matching line. # -# Note: The use of this directive using client dependent ACLs is -# incompatible with the use of server side persistent connections. To -# ensure correct results it is best to set server_persistent_connections -# to off when using this directive in such configurations. +# Only fast ACLs are supported. #Default: # none # TAG: clientside_tos -# Allows you to select a TOS/Diffserv value to mark client-side -# connections with, based on the username or source address -# making the request. +# Allows you to select a TOS/DSCP value for packets being transmitted +# on the client-side, based on an ACL. +# +# clientside_tos ds-field [!]aclname ... +# +# Example where normal_service_net uses the TOS value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# clientside_tos 0x00 normal_service_net +# clientside_tos 0x20 good_service_net +# +# Note: This feature is incompatible with qos_flows. Any TOS values set here +# will be overwritten by TOS values in qos_flows. +# +# The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or +# "default" to use whatever default your host has. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. +# +#Default: +# none + +# TAG: tcp_outgoing_mark +# Note: This option is only available if Squid is rebuilt with the +# Packet MARK (Linux) +# +# Allows you to apply a Netfilter mark value to outgoing packets +# on the server side, based on an ACL. +# +# tcp_outgoing_mark mark-value [!]aclname ... +# +# Example where normal_service_net uses the mark value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# tcp_outgoing_mark 0x00 normal_service_net +# tcp_outgoing_mark 0x20 good_service_net +# +# Only fast ACLs are supported. +#Default: +# none + +# TAG: clientside_mark +# Note: This option is only available if Squid is rebuilt with the +# Packet MARK (Linux) +# +# Allows you to apply a Netfilter mark value to packets being transmitted +# on the client-side, based on an ACL. +# +# clientside_mark mark-value [!]aclname ... +# +# Example where normal_service_net uses the mark value 0x00 +# and good_service_net uses 0x20 +# +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 +# clientside_mark 0x00 normal_service_net +# clientside_mark 0x20 good_service_net +# +# Note: This feature is incompatible with qos_flows. Any mark values set here +# will be overwritten by mark values in qos_flows. #Default: # none # TAG: qos_flows # Allows you to select a TOS/DSCP value to mark outgoing -# connections with, based on where the reply was sourced. +# connections to the client, based on where the reply was sourced. +# For platforms using netfilter, allows you to set a netfilter mark +# value instead of, or in addition to, a TOS value. +# +# By default this functionality is disabled. To enable it with the default +# settings simply use "qos_flows mark" or "qos_flows tos". Default +# settings will result in the netfilter mark or TOS value being copied +# from the upstream connection to the client. Note that it is the connection +# CONNMARK value not the packet MARK value that is copied. +# +# It is not currently possible to copy the mark or TOS value from the +# client to the upstream connection request. # # TOS values really only have local significance - so you should # know what you're specifying. For more information, see RFC2474, # RFC2475, and RFC3260. # -# The TOS/DSCP byte must be exactly that - octet value 0x00-0xFF. -# Note that in practice often only values up to 0x3F are usable -# as the two highest bits have been redefined for use by ECN -# (RFC3168). +# The TOS/DSCP byte must be exactly that - a octet value 0 - 255. +# Note that only multiples of 4 are usable as the two rightmost bits have +# been redefined for use by ECN (RFC 3168 section 23.1). +# The squid parser will enforce this by masking away the ECN bits. +# +# Mark values can be any unsigned 32-bit integer value. # -# This setting is configured by setting the source TOS values: +# This setting is configured by setting the following values: +# +# tos|mark Whether to set TOS or netfilter mark values # # local-hit=0xFF Value to mark local cache hits. # @@ -1328,23 +1946,37 @@ http_port 3128 # # parent-hit=0xFF Value to mark hits from parent peers. # +# miss=0xFF[/mask] Value to mark cache misses. Takes precedence +# over the preserve-miss feature (see below), unless +# mask is specified, in which case only the bits +# specified in the mask are written. # -# NOTE: 'miss' preserve feature is only possible on Linux at this time. -# -# For the following to work correctly, you will need to patch your -# linux kernel with the TOS preserving ZPH patch. -# The kernel patch can be downloaded from http://zph.bratcheda.org +# The TOS variant of the following features are only possible on Linux +# and require your kernel to be patched with the TOS preserving ZPH +# patch, available from http://zph.bratcheda.org +# No patch is needed to preserve the netfilter mark, which will work +# with all variants of netfilter. # # disable-preserve-miss -# By default, the existing TOS value of the response coming -# from the remote server will be retained and masked with -# miss-mark. This option disables that feature. +# This option disables the preservation of the TOS or netfilter +# mark. By default, the existing TOS or netfilter mark value of +# the response coming from the remote server will be retained +# and masked with miss-mark. +# NOTE: in the case of a netfilter mark, the mark must be set on +# the connection (using the CONNMARK target) not on the packet +# (MARK target). # # miss-mask=0xFF -# Allows you to mask certain bits in the TOS received from the -# remote server, before copying the value to the TOS sent -# towards clients. -# Default: 0xFF (TOS from server is not changed). +# Allows you to mask certain bits in the TOS or mark value +# received from the remote server, before copying the value to +# the TOS sent towards clients. +# Default for tos: 0xFF (TOS from server is not changed). +# Default for mark: 0xFFFFFFFF (mark from server is not changed). +# +# All of these features require the --enable-zph-qos compilation flag +# (enabled by default). Netfilter marking also requires the +# libnetfilter_conntrack libraries (--with-netfilter-conntrack) and +# libcap 2.09+ (--with-libcap). # #Default: # none @@ -1356,72 +1988,133 @@ http_port 3128 # # tcp_outgoing_address ipaddr [[!]aclname] ... # -# Example where requests from 10.0.0.0/24 will be forwarded -# with source address 10.1.0.1, 10.0.2.0/24 forwarded with -# source address 10.1.0.2 and the rest will be forwarded with -# source address 10.1.0.3. -# -# acl normal_service_net src 10.0.0.0/24 -# acl good_service_net src 10.0.2.0/24 -# tcp_outgoing_address 10.1.0.1 normal_service_net -# tcp_outgoing_address 10.1.0.2 good_service_net -# tcp_outgoing_address 10.1.0.3 -# -# Processing proceeds in the order specified, and stops at first fully -# matching line. -# -# Note: The use of this directive using client dependent ACLs is -# incompatible with the use of server side persistent connections. To -# ensure correct results it is best to set server_persistent_connections -# to off when using this directive in such configurations. -# +# For example; +# Forwarding clients with dedicated IPs for certain subnets. # -# IPv6 Magic: +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.2.0/24 # -# Squid is built with a capability of bridging the IPv4 and IPv6 -# internets. -# tcp_outgoing_address as exampled above breaks this bridging by forcing -# all outbound traffic through a certain IPv4 which may be on the wrong -# side of the IPv4/IPv6 boundary. +# tcp_outgoing_address 2001:db8::c001 good_service_net +# tcp_outgoing_address 10.1.0.2 good_service_net # -# To operate with tcp_outgoing_address and keep the bridging benefits -# an additional ACL needs to be used which ensures the IPv6-bound traffic -# is never forced or permitted out the IPv4 interface. +# tcp_outgoing_address 2001:db8::beef normal_service_net +# tcp_outgoing_address 10.1.0.1 normal_service_net # -# # IPv6 destination test along with a dummy access control to perform the required DNS -# # This MUST be place before any ALLOW rules. -# acl to_ipv6 dst ipv6 -# http_access deny ipv6 !all +# tcp_outgoing_address 2001:db8::1 +# tcp_outgoing_address 10.1.0.3 # -# tcp_outgoing_address 2001:db8::c001 good_service_net to_ipv6 -# tcp_outgoing_address 10.1.0.2 good_service_net !to_ipv6 +# Processing proceeds in the order specified, and stops at first fully +# matching line. # -# tcp_outgoing_address 2001:db8::beef normal_service_net to_ipv6 -# tcp_outgoing_address 10.1.0.1 normal_service_net !to_ipv6 +# Squid will add an implicit IP version test to each line. +# Requests going to IPv4 websites will use the outgoing 10.1.0.* addresses. +# Requests going to IPv6 websites will use the outgoing 2001:db8:* addresses. # -# tcp_outgoing_address 2001:db8::1 to_ipv6 -# tcp_outgoing_address 10.1.0.3 !to_ipv6 # -# WARNING: -# 'dst ipv6' bases its selection assuming DIRECT access. -# If peers are used the peername ACL are needed to select outgoing -# address which can link to the peer. +# NOTE: The use of this directive using client dependent ACLs is +# incompatible with the use of server side persistent connections. To +# ensure correct results it is best to set server_persistent_connections +# to off when using this directive in such configurations. # -# 'dst ipv6' is a slow ACL. It will only work here if 'dst' is used -# previously in the http_access rules to locate the destination IP. -# Some more magic may be needed for that: -# http_access allow to_ipv6 !all -# (meaning, allow if to IPv6 but not from anywhere ;) +# NOTE: The use of this directive to set a local IP on outgoing TCP links +# is incompatible with using TPROXY to set client IP out outbound TCP links. +# When needing to contact peers use the no-tproxy cache_peer option and the +# client_dst_passthru directive re-enable normal forwarding such as this. # #Default: -# none +# Address selection is performed by the operating system. + +# TAG: host_verify_strict +# Regardless of this option setting, when dealing with intercepted +# traffic, Squid always verifies that the destination IP address matches +# the Host header domain or IP (called 'authority form URL'). +# +# This enforcement is performed to satisfy a MUST-level requirement in +# RFC 2616 section 14.23: "The Host field value MUST represent the naming +# authority of the origin server or gateway given by the original URL". +# +# When set to ON: +# Squid always responds with an HTTP 409 (Conflict) error +# page and logs a security warning if there is no match. +# +# Squid verifies that the destination IP address matches +# the Host header for forward-proxy and reverse-proxy traffic +# as well. For those traffic types, Squid also enables the +# following checks, comparing the corresponding Host header +# and Request-URI components: +# +# * The host names (domain or IP) must be identical, +# but valueless or missing Host header disables all checks. +# For the two host names to match, both must be either IP +# or FQDN. +# +# * Port numbers must be identical, but if a port is missing +# the scheme-default port is assumed. +# +# +# When set to OFF (the default): +# Squid allows suspicious requests to continue but logs a +# security warning and blocks caching of the response. +# +# * Forward-proxy traffic is not checked at all. +# +# * Reverse-proxy traffic is not checked at all. +# +# * Intercepted traffic which passes verification is handled +# according to client_dst_passthru. +# +# * Intercepted requests which fail verification are sent +# to the client original destination instead of DIRECT. +# This overrides 'client_dst_passthru off'. +# +# For now suspicious intercepted CONNECT requests are always +# responded to with an HTTP 409 (Conflict) error page. +# +# +# SECURITY NOTE: +# +# As described in CVE-2009-0801 when the Host: header alone is used +# to determine the destination of a request it becomes trivial for +# malicious scripts on remote websites to bypass browser same-origin +# security policy and sandboxing protections. +# +# The cause of this is that such applets are allowed to perform their +# own HTTP stack, in which case the same-origin policy of the browser +# sandbox only verifies that the applet tries to contact the same IP +# as from where it was loaded at the IP level. The Host: header may +# be different from the connected IP and approved origin. +# +#Default: +# host_verify_strict off + +# TAG: client_dst_passthru +# With NAT or TPROXY intercepted traffic Squid may pass the request +# directly to the original client destination IP or seek a faster +# source using the HTTP Host header. +# +# Using Host to locate alternative servers can provide faster +# connectivity with a range of failure recovery options. +# But can also lead to connectivity trouble when the client and +# server are attempting stateful interactions unaware of the proxy. +# +# This option (on by default) prevents alternative DNS entries being +# located to send intercepted traffic DIRECT to an origin server. +# The clients original destination IP and port will be used instead. +# +# Regardless of this option setting, when dealing with intercepted +# traffic Squid will verify the Host: header and any traffic which +# fails Host verification will be treated as if this option were ON. +# +# see host_verify_strict for details on the verification process. +#Default: +# client_dst_passthru on # SSL OPTIONS # ----------------------------------------------------------------------------- # TAG: ssl_unclean_shutdown # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Some browsers (especially MSIE) bugs out on SSL shutdown # messages. @@ -1430,7 +2123,7 @@ http_port 3128 # TAG: ssl_engine # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # The OpenSSL engine to use. You will need to set this if you # would like to use hardware SSL acceleration for example. @@ -1439,7 +2132,7 @@ http_port 3128 # TAG: sslproxy_client_certificate # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Client SSL Certificate to use when proxying https:// URLs #Default: @@ -1447,7 +2140,7 @@ http_port 3128 # TAG: sslproxy_client_key # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Client SSL Key to use when proxying https:// URLs #Default: @@ -1455,36 +2148,60 @@ http_port 3128 # TAG: sslproxy_version # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # SSL version level to use when proxying https:// URLs +# +# The versions of SSL/TLS supported: +# +# 1 automatic (default) +# 2 SSLv2 only +# 3 SSLv3 only +# 4 TLSv1.0 only +# 5 TLSv1.1 only +# 6 TLSv1.2 only #Default: -# sslproxy_version 1 +# automatic SSL/TLS version negotiation # TAG: sslproxy_options # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # -# SSL engine options to use when proxying https:// URLs +# Colon (:) or comma (,) separated list of SSL implementation options +# to use when proxying https:// URLs # # The most important being: # -# NO_SSLv2 Disallow the use of SSLv2 -# NO_SSLv3 Disallow the use of SSLv3 -# NO_TLSv1 Disallow the use of TLSv1 -# SINGLE_DH_USE -# Always create a new key when using -# temporary/ephemeral DH key exchanges +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# +# SINGLE_DH_USE +# Always create a new key when using temporary/ephemeral +# DH key exchanges +# +# NO_TICKET +# Disable use of RFC5077 session tickets. Some servers +# may have problems understanding the TLS extension due +# to ambiguous specification in RFC4507. +# +# ALL Enable various bug workarounds suggested as "harmless" +# by OpenSSL. Be warned that this may reduce SSL/TLS +# strength to some attacks. # -# These options vary depending on your SSL engine. # See the OpenSSL SSL_CTX_set_options documentation for a # complete list of possible options. +# +# WARNING: This directive takes a single token. If a space is used +# the value(s) after that space are SILENTLY IGNORED. #Default: # none # TAG: sslproxy_cipher # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # SSL cipher list to use when proxying https:// URLs # @@ -1494,7 +2211,7 @@ http_port 3128 # TAG: sslproxy_cafile # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # file containing CA certificates to use when verifying server # certificates while proxying https:// URLs @@ -1503,45 +2220,151 @@ http_port 3128 # TAG: sslproxy_capath # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # directory containing CA certificates to use when verifying # server certificates while proxying https:// URLs #Default: # none -# TAG: ssl_bump +# TAG: sslproxy_session_ttl # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # -# This ACL controls which CONNECT requests to an http_port -# marked with an sslBump flag are actually "bumped". Please -# see the sslBump flag of an http_port option for more details -# about decoding proxied SSL connections. +# Sets the timeout value for SSL sessions +#Default: +# sslproxy_session_ttl 300 + +# TAG: sslproxy_session_cache_size +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Sets the cache size to use for ssl session +#Default: +# sslproxy_session_cache_size 2 MB + +# TAG: sslproxy_foreign_intermediate_certs +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Many origin servers fail to send their full server certificate +# chain for verification, assuming the client already has or can +# easily locate any missing intermediate certificates. +# +# Squid uses the certificates from the specified file to fill in +# these missing chains when trying to validate origin server +# certificate chains. +# +# The file is expected to contain zero or more PEM-encoded +# intermediate certificates. These certificates are not treated +# as trusted root certificates, and any self-signed certificate in +# this file will be ignored. +#Default: +# none + +# TAG: sslproxy_cert_sign_hash +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl # -# By default, no requests are bumped. +# Sets the hashing algorithm to use when signing generated certificates. +# Valid algorithm names depend on the OpenSSL library used. The following +# names are usually available: sha1, sha256, sha512, and md5. Please see +# your OpenSSL library manual for the available hashes. By default, Squids +# that support this option use sha256 hashes. +# +# Squid does not forcefully purge cached certificates that were generated +# with an algorithm other than the currently configured one. They remain +# in the cache, subject to the regular cache eviction policy, and become +# useful if the algorithm changes again. +#Default: +# none + +# TAG: ssl_bump +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# This option is consulted when a CONNECT request is received on +# an http_port (or a new connection is intercepted at an +# https_port), provided that port was configured with an ssl-bump +# flag. The subsequent data on the connection is either treated as +# HTTPS and decrypted OR tunneled at TCP level without decryption, +# depending on the first matching bumping "action". +# +# ssl_bump [!]acl ... +# +# The following bumping actions are currently supported: +# +# splice +# Become a TCP tunnel without decrypting proxied traffic. +# This is the default action. +# +# bump +# Establish a secure connection with the server and, using a +# mimicked server certificate, with the client. +# +# peek +# Receive client (step SslBump1) or server (step SslBump2) +# certificate while preserving the possibility of splicing the +# connection. Peeking at the server certificate (during step 2) +# usually precludes bumping of the connection at step 3. +# +# stare +# Receive client (step SslBump1) or server (step SslBump2) +# certificate while preserving the possibility of bumping the +# connection. Staring at the server certificate (during step 2) +# usually precludes splicing of the connection at step 3. +# +# terminate +# Close client and server connections. +# +# Backward compatibility actions available at step SslBump1: +# +# client-first +# Bump the connection. Establish a secure connection with the +# client first, then connect to the server. This old mode does +# not allow Squid to mimic server SSL certificate and does not +# work with intercepted SSL connections. +# +# server-first +# Bump the connection. Establish a secure connection with the +# server first, then establish a secure connection with the +# client, using a mimicked server certificate. Works with both +# CONNECT requests and intercepted SSL connections, but does +# not allow to make decisions based on SSL handshake info. +# +# peek-and-splice +# Decide whether to bump or splice the connection based on +# client-to-squid and server-to-squid SSL hello messages. +# XXX: Remove. +# +# none +# Same as the "splice" action. +# +# All ssl_bump rules are evaluated at each of the supported bumping +# steps. Rules with actions that are impossible at the current step are +# ignored. The first matching ssl_bump action wins and is applied at the +# end of the current step. If no rules match, the splice action is used. +# See the at_step ACL for a list of the supported SslBump steps. # -# See also: http_port ssl-bump -# # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # +# See also: http_port ssl-bump, https_port ssl-bump, and acl at_step. +# # -# # Example: Bump all requests except those originating from localhost and -# # those going to webax.com or example.com sites. +# # Example: Bump all TLS connections except those originating from +# # localhost or those going to example.com. # -# acl localhost src 127.0.0.1/32 -# acl broken_sites dstdomain .webax.com -# acl broken_sites dstdomain .example.com -# ssl_bump deny localhost -# ssl_bump deny broken_sites -# ssl_bump allow all +# acl broken_sites ssl::server_name .example.com +# ssl_bump splice localhost +# ssl_bump splice broken_sites +# ssl_bump bump all #Default: -# none +# Become a TCP tunnel without decrypting proxied traffic. # TAG: sslproxy_flags # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Various flags modifying the use of SSL while proxying https:// URLs: # DONT_VERIFY_PEER Accept certificates that fail verification. @@ -1553,16 +2376,16 @@ http_port 3128 # TAG: sslproxy_cert_error # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Use this ACL to bypass server certificate validation errors. # # For example, the following lines will bypass all validation errors -# when talking to servers located at 172.16.0.0/16. All other +# when talking to servers for example.com. All other # validation errors will result in ERR_SECURE_CONNECT_FAIL error. # -# acl BrokenServersAtTrustedIP dst 172.16.0.0/16 -# sslproxy_cert_error allow BrokenServersAtTrustedIP +# acl BrokenButTrustedServers dstdomain example.com +# sslproxy_cert_error allow BrokenButTrustedServers # sslproxy_cert_error deny all # # This clause only supports fast acl types. @@ -1570,19 +2393,107 @@ http_port 3128 # Using slow acl types may result in server crashes # # Without this option, all server certificate validation errors -# terminate the transaction. Bypassing validation errors is dangerous -# because an error usually implies that the server cannot be trusted and -# the connection may be insecure. +# terminate the transaction to protect Squid and the client. +# +# SQUID_X509_V_ERR_INFINITE_VALIDATION error cannot be bypassed +# but should not happen unless your OpenSSL library is buggy. +# +# SECURITY WARNING: +# Bypassing validation errors is dangerous because an +# error usually implies that the server cannot be trusted +# and the connection may be insecure. # # See also: sslproxy_flags and DONT_VERIFY_PEER. +#Default: +# Server certificate errors terminate the transaction. + +# TAG: sslproxy_cert_sign +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl # -# Default setting: sslproxy_cert_error deny all +# +# sslproxy_cert_sign acl ... +# +# The following certificate signing algorithms are supported: +# +# signTrusted +# Sign using the configured CA certificate which is usually +# placed in and trusted by end-user browsers. This is the +# default for trusted origin server certificates. +# +# signUntrusted +# Sign to guarantee an X509_V_ERR_CERT_UNTRUSTED browser error. +# This is the default for untrusted origin server certificates +# that are not self-signed (see ssl::certUntrusted). +# +# signSelf +# Sign using a self-signed certificate with the right CN to +# generate a X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT error in the +# browser. This is the default for self-signed origin server +# certificates (see ssl::certSelfSigned). +# +# This clause only supports fast acl types. +# +# When sslproxy_cert_sign acl(s) match, Squid uses the corresponding +# signing algorithm to generate the certificate and ignores all +# subsequent sslproxy_cert_sign options (the first match wins). If no +# acl(s) match, the default signing algorithm is determined by errors +# detected when obtaining and validating the origin server certificate. +# +# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can +# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a +# CONNECT request that carries a domain name. In all other cases (CONNECT +# to an IP address or an intercepted SSL connection), Squid cannot detect +# the domain mismatch at certificate generation time when +# bump-server-first is used. +#Default: +# none + +# TAG: sslproxy_cert_adapt +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# +# sslproxy_cert_adapt acl ... +# +# The following certificate adaptation algorithms are supported: +# +# setValidAfter +# Sets the "Not After" property to the "Not After" property of +# the CA certificate used to sign generated certificates. +# +# setValidBefore +# Sets the "Not Before" property to the "Not Before" property of +# the CA certificate used to sign generated certificates. +# +# setCommonName or setCommonName{CN} +# Sets Subject.CN property to the host name specified as a +# CN parameter or, if no explicit CN parameter was specified, +# extracted from the CONNECT request. It is a misconfiguration +# to use setCommonName without an explicit parameter for +# intercepted or tproxied SSL connections. +# +# This clause only supports fast acl types. +# +# Squid first groups sslproxy_cert_adapt options by adaptation algorithm. +# Within a group, when sslproxy_cert_adapt acl(s) match, Squid uses the +# corresponding adaptation algorithm to generate the certificate and +# ignores all subsequent sslproxy_cert_adapt options in that algorithm's +# group (i.e., the first match wins within each algorithm group). If no +# acl(s) match, the default mimicking action takes place. +# +# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can +# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a +# CONNECT request that carries a domain name. In all other cases (CONNECT +# to an IP address or an intercepted SSL connection), Squid cannot detect +# the domain mismatch at certificate generation time when +# bump-server-first is used. #Default: # none # TAG: sslpassword_program # Note: This option is only available if Squid is rebuilt with the -# --enable-ssl option +# --with-openssl # # Specify a program used for entering SSL key passphrases # when using encrypted SSL certificate keys. If not specified @@ -1595,12 +2506,12 @@ http_port 3128 #Default: # none -#OPTIONS RELATING TO EXTERNAL SSL_CRTD -#----------------------------------------------------------------------------- +# OPTIONS RELATING TO EXTERNAL SSL_CRTD +# ----------------------------------------------------------------------------- # TAG: sslcrtd_program # Note: This option is only available if Squid is rebuilt with the -# -DUSE_SSL_CRTD define +# --enable-ssl-crtd # # Specify the location and options of the executable for ssl_crtd process. # /usr/lib/squid/ssl_crtd program requires -s and -M parameters @@ -1611,14 +2522,90 @@ http_port 3128 # TAG: sslcrtd_children # Note: This option is only available if Squid is rebuilt with the -# -DUSE_SSL_CRTD define +# --enable-ssl-crtd # # The maximum number of processes spawn to service ssl server. # The maximum this may be safely set to is 32. # +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup=N +# +# Sets the minimum number of processes to spawn when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few children temporary slows Squid under load while it +# tries to spawn enough additional processes to cope with traffic. +# +# idle=N +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# # You must have at least one ssl_crtd process. #Default: -# sslcrtd_children 5 +# sslcrtd_children 32 startup=5 idle=1 + +# TAG: sslcrtvalidator_program +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# Specify the location and options of the executable for ssl_crt_validator +# process. +# +# Usage: sslcrtvalidator_program [ttl=n] [cache=n] path ... +# +# Options: +# ttl=n TTL in seconds for cached results. The default is 60 secs +# cache=n limit the result cache size. The default value is 2048 +#Default: +# none + +# TAG: sslcrtvalidator_children +# Note: This option is only available if Squid is rebuilt with the +# --with-openssl +# +# The maximum number of processes spawn to service SSL server. +# The maximum this may be safely set to is 32. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup=N +# +# Sets the minimum number of processes to spawn when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few children temporary slows Squid under load while it +# tries to spawn enough additional processes to cope with traffic. +# +# idle=N +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# +# The number of requests each certificate validator helper can handle in +# parallel. A value of 0 indicates the certficate validator does not +# support concurrency. Defaults to 1. +# +# When this directive is set to a value >= 1 then the protocol +# used to communicate with the helper is modified to include +# a request ID in front of the request/response. The request +# ID from the request must be echoed back with the response +# to that request. +# +# You must have at least one ssl_crt_validator process. +#Default: +# sslcrtvalidator_children 32 startup=5 idle=1 concurrency=1 # OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM # ----------------------------------------------------------------------------- @@ -1680,22 +2667,23 @@ http_port 3128 # # htcp Send HTCP, instead of ICP, queries to the neighbor. # You probably also want to set the "icp-port" to 4827 -# instead of 3130. +# instead of 3130. This directive accepts a comma separated +# list of options described below. # -# htcp-oldsquid Send HTCP to old Squid versions. +# htcp=oldsquid Send HTCP to old Squid versions (2.5 or earlier). # -# htcp-no-clr Send HTCP to the neighbor but without +# htcp=no-clr Send HTCP to the neighbor but without # sending any CLR requests. This cannot be used with -# htcp-only-clr. +# only-clr. # -# htcp-only-clr Send HTCP to the neighbor but ONLY CLR requests. -# This cannot be used with htcp-no-clr. +# htcp=only-clr Send HTCP to the neighbor but ONLY CLR requests. +# This cannot be used with no-clr. # -# htcp-no-purge-clr +# htcp=no-purge-clr # Send HTCP to the neighbor including CLRs but only when # they do not result from PURGE requests. # -# htcp-forward-clr +# htcp=forward-clr # Forward any HTCP CLR requests this proxy receives to the peer. # # @@ -1768,6 +2756,14 @@ http_port 3128 # than the Squid default location. # # +# ==== CARP OPTIONS ==== +# +# carp-key=key-specification +# use a different key than the full URL to hash against the peer. +# the key-specification is a comma-separated list of the keywords +# scheme, host, port, path, params +# Order is not important. +# # ==== ACCELERATOR / REVERSE-PROXY OPTIONS ==== # # originserver Causes this parent to be contacted as an origin server. @@ -1795,20 +2791,23 @@ http_port 3128 # Note: The string can include URL escapes (i.e. %20 for # spaces). This also means % must be written as %%. # -# login=PROXYPASS +# login=PASSTHRU # Send login details received from client to this peer. -# Authentication is not required, nor changed. +# Both Proxy- and WWW-Authorization headers are passed +# without alteration to the peer. +# Authentication is not required by Squid for this to work. # # Note: This will pass any form of authentication but # only Basic auth will work through a proxy unless the # connection-auth options are also used. -# +# # login=PASS Send login details received from client to this peer. # Authentication is not required by this option. +# # If there are no client-provided authentication headers # to pass on, but username and password are available -# from either proxy login or an external ACL user= and -# password= result tags they may be sent instead. +# from an external ACL user= and password= result tags +# they may be sent instead. # # Note: To combine this with proxy_auth both proxies must # share the same user database as HTTP only allows for @@ -1826,6 +2825,27 @@ http_port 3128 # be used to identify this proxy to the peer, similar to # the login=username:password option above. # +# login=NEGOTIATE +# If this is a personal/workgroup proxy and your parent +# requires a secure proxy authentication. +# The first principal from the default keytab or defined by +# the environment variable KRB5_KTNAME will be used. +# +# WARNING: The connection may transmit requests from multiple +# clients. Negotiate often assumes end-to-end authentication +# and a single-client. Which is not strictly true here. +# +# login=NEGOTIATE:principal_name +# If this is a personal/workgroup proxy and your parent +# requires a secure proxy authentication. +# The principal principal_name from the default keytab or +# defined by the environment variable KRB5_KTNAME will be +# used. +# +# WARNING: The connection may transmit requests from multiple +# clients. Negotiate often assumes end-to-end authentication +# and a single-client. Which is not strictly true here. +# # connection-auth=on|off # Tell Squid that this peer does or not support Microsoft # connection oriented authentication, and any such @@ -1848,22 +2868,42 @@ http_port 3128 # reference a combined file containing both the # certificate and the key. # -# sslversion=1|2|3|4 +# sslversion=1|2|3|4|5|6 # The SSL version to use when connecting to this peer # 1 = automatic (default) # 2 = SSL v2 only # 3 = SSL v3 only -# 4 = TLS v1 only +# 4 = TLS v1.0 only +# 5 = TLS v1.1 only +# 6 = TLS v1.2 only # # sslcipher=... The list of valid SSL ciphers to use when connecting # to this peer. # -# ssloptions=... Specify various SSL engine options: -# NO_SSLv2 Disallow the use of SSLv2 -# NO_SSLv3 Disallow the use of SSLv3 -# NO_TLSv1 Disallow the use of TLSv1 -# See src/ssl_support.c or the OpenSSL documentation for -# a more complete list. +# ssloptions=... Specify various SSL implementation options: +# +# NO_SSLv2 Disallow the use of SSLv2 +# NO_SSLv3 Disallow the use of SSLv3 +# NO_TLSv1 Disallow the use of TLSv1.0 +# NO_TLSv1_1 Disallow the use of TLSv1.1 +# NO_TLSv1_2 Disallow the use of TLSv1.2 +# +# SINGLE_DH_USE +# Always create a new key when using +# temporary/ephemeral DH key exchanges +# +# NO_TICKET +# Disable use of RFC5077 session tickets. Some servers +# may have problems understanding the TLS extension due +# to ambiguous specification in RFC4507. +# +# ALL Enable various bug workarounds +# suggested as "harmless" by OpenSSL +# Be warned that this reduces SSL/TLS +# strength to some attacks. +# +# See the OpenSSL SSL_CTX_set_options documentation for a +# more complete list. # # sslcafile=... A file containing additional CA certificates to use # when verifying the peer certificate. @@ -1907,29 +2947,74 @@ http_port 3128 # # connect-fail-limit=N # How many times connecting to a peer must fail before -# it is marked as down. Default is 10. +# it is marked as down. Standby connection failures +# count towards this limit. Default is 10. # # allow-miss Disable Squid's use of only-if-cached when forwarding # requests to siblings. This is primarily useful when -# icp_hit_stale is used by the sibling. To extensive use -# of this option may result in forwarding loops, and you -# should avoid having two-way peerings with this option. -# For example to deny peer usage on requests from peer -# by denying cache_peer_access if the source is a peer. +# icp_hit_stale is used by the sibling. Excessive use +# of this option may result in forwarding loops. One way +# to prevent peering loops when using this option, is to +# deny cache peer usage on requests from a peer: +# acl fromPeer ... +# cache_peer_access peerName deny fromPeer +# +# max-conn=N Limit the number of concurrent connections the Squid +# may open to this peer, including already opened idle +# and standby connections. There is no peer-specific +# connection limit by default. +# +# A peer exceeding the limit is not used for new +# requests unless a standby connection is available. +# +# max-conn currently works poorly with idle persistent +# connections: When a peer reaches its max-conn limit, +# and there are idle persistent connections to the peer, +# the peer may not be selected because the limiting code +# does not know whether Squid can reuse those idle +# connections. +# +# standby=N Maintain a pool of N "hot standby" connections to an +# UP peer, available for requests when no idle +# persistent connection is available (or safe) to use. +# By default and with zero N, no such pool is maintained. +# N must not exceed the max-conn limit (if any). +# +# At start or after reconfiguration, Squid opens new TCP +# standby connections until there are N connections +# available and then replenishes the standby pool as +# opened connections are used up for requests. A used +# connection never goes back to the standby pool, but +# may go to the regular idle persistent connection pool +# shared by all peers and origin servers. # -# max-conn=N Limit the amount of connections Squid may open to this -# peer. see also +# Squid never opens multiple new standby connections +# concurrently. This one-at-a-time approach minimizes +# flooding-like effect on peers. Furthermore, just a few +# standby connections should be sufficient in most cases +# to supply most new requests with a ready-to-use +# connection. +# +# Standby connections obey server_idle_pconn_timeout. +# For the feature to work as intended, the peer must be +# configured to accept and keep them open longer than +# the idle timeout at the connecting Squid, to minimize +# race conditions typical to idle used persistent +# connections. Default request_timeout and +# server_idle_pconn_timeout values ensure such a +# configuration. # # name=xxx Unique name for the peer. # Required if you have multiple peers on the same host # but different ports. # This name can be used in cache_peer_access and similar -# directives to dentify the peer. +# directives to identify the peer. # Can be used by outgoing access controls through the # peername ACL type. # # no-tproxy Do not use the client-spoof TPROXY support when forwarding # requests to this peer. Use normal address selection instead. +# This overrides the spoof_client_ip ACL. # # proxy-only objects fetched from the peer will not be stored locally. # @@ -1938,10 +3023,11 @@ http_port 3128 # TAG: cache_peer_domain # Use to limit the domains for which a neighbor cache will be -# queried. Usage: +# queried. # -# cache_peer_domain cache-host domain [domain ...] -# cache_peer_domain cache-host !domain +# Usage: +# cache_peer_domain cache-host domain [domain ...] +# cache_peer_domain cache-host !domain # # For example, specifying # @@ -1966,33 +3052,57 @@ http_port 3128 # none # TAG: cache_peer_access -# Similar to 'cache_peer_domain' but provides more flexibility by -# using ACL elements. +# Restricts usage of cache_peer proxies. # -# cache_peer_access cache-host allow|deny [!]aclname ... +# Usage: +# cache_peer_access peer-name allow|deny [!]aclname ... +# +# For the required peer-name parameter, use either the value of the +# cache_peer name=value parameter or, if name=value is missing, the +# cache_peer hostname parameter. +# +# This directive narrows down the selection of peering candidates, but +# does not determine the order in which the selected candidates are +# contacted. That order is determined by the peer selection algorithms +# (see PEER SELECTION sections in the cache_peer documentation). +# +# If a deny rule matches, the corresponding peer will not be contacted +# for the current transaction -- Squid will not send ICP queries and +# will not forward HTTP requests to that peer. An allow match leaves +# the corresponding peer in the selection. The first match for a given +# peer wins for that peer. +# +# The relative order of cache_peer_access directives for the same peer +# matters. The relative order of any two cache_peer_access directives +# for different peers does not matter. To ease interpretation, it is a +# good idea to group cache_peer_access directives for the same peer +# together. +# +# A single cache_peer_access directive may be evaluated multiple times +# for a given transaction because individual peer selection algorithms +# may check it independently from each other. These redundant checks +# may be optimized away in future Squid versions. # -# The syntax is identical to 'http_access' and the other lists of -# ACL elements. See the comments for 'http_access' below, or -# the Squid FAQ (http://wiki.squid-cache.org/SquidFaq/SquidAcl). +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# No peer usage restrictions. # TAG: neighbor_type_domain -# usage: neighbor_type_domain neighbor parent|sibling domain domain ... +# Modify the cache_peer neighbor type when passing requests +# about specific domains to the peer. +# +# Usage: +# neighbor_type_domain neighbor parent|sibling domain domain ... # -# Modifying the neighbor type for specific domains is now -# possible. You can treat some domains differently than the the -# default neighbor type specified on the 'cache_peer' line. -# Normally it should only be necessary to list domains which -# should be treated differently because the default neighbor type -# applies for hostnames which do not match domains listed here. +# For example: +# cache_peer foo.example.com parent 3128 3130 +# neighbor_type_domain foo.example.com sibling .au .de # -#EXAMPLE: -# cache_peer cache.foo.org parent 3128 3130 -# neighbor_type_domain cache.foo.org sibling .com .net -# neighbor_type_domain cache.foo.org sibling .au .de +# The above configuration treats all requests to foo.example.com as a +# parent proxy unless the request is for a .au or .de ccTLD domain name. #Default: -# none +# The peer type from cache_peer directive is used for all requests to that peer. # TAG: dead_peer_timeout (seconds) # This controls how long Squid waits to declare a peer cache @@ -2015,21 +3125,11 @@ http_port 3128 # TAG: forward_max_tries # Controls how many different forward paths Squid will try # before giving up. See also forward_timeout. +# +# NOTE: connect_retries (default: none) can make each of these +# possible forwarding paths be tried multiple times. #Default: -# forward_max_tries 10 - -# TAG: hierarchy_stoplist -# A list of words which, if found in a URL, cause the object to -# be handled directly by this cache. In other words, use this -# to not query neighbor caches for certain objects. You may -# list this option multiple times. -# -# Example: -# hierarchy_stoplist cgi-bin ? -# -# Note: never_direct overrides this option. -#Default: -# none +# forward_max_tries 25 # MEMORY CACHE OPTIONS # ----------------------------------------------------------------------------- @@ -2064,6 +3164,11 @@ http_port 3128 # decreases, blocks will be freed until the high-water mark is # reached. Thereafter, blocks will be used to store hot # objects. +# +# If shared memory caching is enabled, Squid does not use the shared +# cache space for in-transit objects, but they still consume as much +# local memory as they need. For more details about the shared memory +# cache, see memory_cache_shared. #Default: # cache_mem 256 MB @@ -2075,11 +3180,45 @@ http_port 3128 #Default: # maximum_object_size_in_memory 512 KB +# TAG: memory_cache_shared on|off +# Controls whether the memory cache is shared among SMP workers. +# +# The shared memory cache is meant to occupy cache_mem bytes and replace +# the non-shared memory cache, although some entities may still be +# cached locally by workers for now (e.g., internal and in-transit +# objects may be served from a local memory cache even if shared memory +# caching is enabled). +# +# By default, the memory cache is shared if and only if all of the +# following conditions are satisfied: Squid runs in SMP mode with +# multiple workers, cache_mem is positive, and Squid environment +# supports required IPC primitives (e.g., POSIX shared memory segments +# and GCC-style atomic operations). +# +# To avoid blocking locks, shared memory uses opportunistic algorithms +# that do not guarantee that every cachable entity that could have been +# shared among SMP workers will actually be shared. +#Default: +# "on" where supported if doing memory caching with multiple SMP workers. + +# TAG: memory_cache_mode +# Controls which objects to keep in the memory cache (cache_mem) +# +# always Keep most recently fetched objects in memory (default) +# +# disk Only disk cache hits are kept in memory, which means +# an object must first be cached on disk and then hit +# a second time before cached in memory. +# +# network Only objects fetched from network is kept in memory +#Default: +# Keep the most recently fetched objects in memory + # TAG: memory_replacement_policy # The memory replacement policy parameter determines which # objects are purged from memory when memory space is needed. # -# See cache_replacement_policy for details. +# See cache_replacement_policy for details on algorithms. #Default: # memory_replacement_policy lru @@ -2095,7 +3234,7 @@ http_port 3128 # heap LFUDA: Least Frequently Used with Dynamic Aging # heap LRU : LRU policy implemented using a heap # -# Applies to any cache_dir lines listed below this. +# Applies to any cache_dir lines listed below this directive. # # The LRU policies keeps recently referenced objects. # @@ -2114,7 +3253,7 @@ http_port 3128 # replacement policies. # # NOTE: if using the LFUDA replacement policy you should increase -# the value of maximum_object_size above its default of 4096 KB to +# the value of maximum_object_size above its default of 4 MB to # to maximize the potential byte hit rate improvement of LFUDA. # # For more information about the GDSF and LFUDA cache replacement @@ -2123,10 +3262,34 @@ http_port 3128 #Default: # cache_replacement_policy lru +# TAG: minimum_object_size (bytes) +# Objects smaller than this size will NOT be saved on disk. The +# value is specified in bytes, and the default is 0 KB, which +# means all responses can be stored. +#Default: +# no limit + +# TAG: maximum_object_size (bytes) +# Set the default value for max-size parameter on any cache_dir. +# The value is specified in bytes, and the default is 4 MB. +# +# If you wish to get a high BYTES hit ratio, you should probably +# increase this (one 32 MB object hit counts for 3200 10KB +# hits). +# +# If you wish to increase hit ratio more than you want to +# save bandwidth you should leave this low. +# +# NOTE: if using the LFUDA replacement policy you should increase +# this value to maximize the byte hit rate improvement of LFUDA! +# See cache_replacement_policy for a discussion of this policy. +#Default: +# maximum_object_size 4 MB +maximum_object_size 153600 KB + # TAG: cache_dir -# Usage: -# -# cache_dir Type Directory-Name Fs-specific-data [options] +# Format: +# cache_dir Type Directory-Name Fs-specific-data [options] # # You can specify multiple cache_dir lines to spread the # cache among different disk partitions. @@ -2141,12 +3304,18 @@ http_port 3128 # The directory must exist and be writable by the Squid # process. Squid will NOT create this directory for you. # -# The ufs store type: +# In SMP configurations, cache_dir must not precede the workers option +# and should use configuration macros or conditionals to give each +# worker interested in disk caching a dedicated cache directory. +# +# +# ==== The ufs store type ==== # # "ufs" is the old well-known Squid storage format that has always # been there. # -# cache_dir ufs Directory-Name Mbytes L1 L2 [options] +# Usage: +# cache_dir ufs Directory-Name Mbytes L1 L2 [options] # # 'Mbytes' is the amount of disk space (MB) to use under this # directory. The default is 100 MB. Change this to suit your @@ -2161,23 +3330,27 @@ http_port 3128 # will be created under each first-level directory. The default # is 256. # -# The aufs store type: +# +# ==== The aufs store type ==== # # "aufs" uses the same storage format as "ufs", utilizing # POSIX-threads to avoid blocking the main Squid process on # disk-I/O. This was formerly known in Squid as async-io. # -# cache_dir aufs Directory-Name Mbytes L1 L2 [options] +# Usage: +# cache_dir aufs Directory-Name Mbytes L1 L2 [options] # # see argument descriptions under ufs above # -# The diskd store type: +# +# ==== The diskd store type ==== # # "diskd" uses the same storage format as "ufs", utilizing a # separate process to avoid blocking the main Squid process on # disk-I/O. # -# cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n] +# Usage: +# cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n] # # see argument descriptions under ufs above # @@ -2185,55 +3358,149 @@ http_port 3128 # stops opening new files. If this many messages are in the queues, # Squid won't open new files. Default is 64 # -# Q2 specifies the number of unacknowledged messages when Squid -# starts blocking. If this many messages are in the queues, -# Squid blocks until it receives some replies. Default is 72 +# Q2 specifies the number of unacknowledged messages when Squid +# starts blocking. If this many messages are in the queues, +# Squid blocks until it receives some replies. Default is 72 +# +# When Q1 < Q2 (the default), the cache directory is optimized +# for lower response time at the expense of a decrease in hit +# ratio. If Q1 > Q2, the cache directory is optimized for +# higher hit ratio at the expense of an increase in response +# time. +# +# +# ==== The rock store type ==== +# +# Usage: +# cache_dir rock Directory-Name Mbytes [options] +# +# The Rock Store type is a database-style storage. All cached +# entries are stored in a "database" file, using fixed-size slots. +# A single entry occupies one or more slots. +# +# If possible, Squid using Rock Store creates a dedicated kid +# process called "disker" to avoid blocking Squid worker(s) on disk +# I/O. One disker kid is created for each rock cache_dir. Diskers +# are created only when Squid, running in daemon mode, has support +# for the IpcIo disk I/O module. +# +# swap-timeout=msec: Squid will not start writing a miss to or +# reading a hit from disk if it estimates that the swap operation +# will take more than the specified number of milliseconds. By +# default and when set to zero, disables the disk I/O time limit +# enforcement. Ignored when using blocking I/O module because +# blocking synchronous I/O does not allow Squid to estimate the +# expected swap wait time. +# +# max-swap-rate=swaps/sec: Artificially limits disk access using +# the specified I/O rate limit. Swap out requests that +# would cause the average I/O rate to exceed the limit are +# delayed. Individual swap in requests (i.e., hits or reads) are +# not delayed, but they do contribute to measured swap rate and +# since they are placed in the same FIFO queue as swap out +# requests, they may wait longer if max-swap-rate is smaller. +# This is necessary on file systems that buffer "too +# many" writes and then start blocking Squid and other processes +# while committing those writes to disk. Usually used together +# with swap-timeout to avoid excessive delays and queue overflows +# when disk demand exceeds available disk "bandwidth". By default +# and when set to zero, disables the disk I/O rate limit +# enforcement. Currently supported by IpcIo module only. +# +# slot-size=bytes: The size of a database "record" used for +# storing cached responses. A cached response occupies at least +# one slot and all database I/O is done using individual slots so +# increasing this parameter leads to more disk space waste while +# decreasing it leads to more disk I/O overheads. Should be a +# multiple of your operating system I/O page size. Defaults to +# 16KBytes. A housekeeping header is stored with each slot and +# smaller slot-sizes will be rejected. The header is smaller than +# 100 bytes. +# +# +# ==== COMMON OPTIONS ==== +# +# no-store no new objects should be stored to this cache_dir. +# +# min-size=n the minimum object size in bytes this cache_dir +# will accept. It's used to restrict a cache_dir +# to only store large objects (e.g. AUFS) while +# other stores are optimized for smaller objects +# (e.g. Rock). +# Defaults to 0. +# +# max-size=n the maximum object size in bytes this cache_dir +# supports. +# The value in maximum_object_size directive sets +# the default unless more specific details are +# available (ie a small store capacity). +# +# Note: To make optimal use of the max-size limits you should order +# the cache_dir lines with the smallest max-size value first. +# +#Default: +# No disk cache. Store cache ojects only in memory. +# + +# Uncomment and adjust the following to add a disk cache directory. +#cache_dir ufs /var/spool/squid 100 16 256 +cache_dir ufs /var/spool/squid 4096 16 1024 + +# TAG: store_dir_select_algorithm +# How Squid selects which cache_dir to use when the response +# object will fit into more than one. +# +# Regardless of which algorithm is used the cache_dir min-size +# and max-size parameters are obeyed. As such they can affect +# the selection algorithm by limiting the set of considered +# cache_dir. +# +# Algorithms: +# +# least-load # -# When Q1 < Q2 (the default), the cache directory is optimized -# for lower response time at the expense of a decrease in hit -# ratio. If Q1 > Q2, the cache directory is optimized for -# higher hit ratio at the expense of an increase in response -# time. +# This algorithm is suited to caches with similar cache_dir +# sizes and disk speeds. # -# The coss store type: +# The disk with the least I/O pending is selected. +# When there are multiple disks with the same I/O load ranking +# the cache_dir with most available capacity is selected. # -# NP: COSS filesystem in Squid-3 has been deemed too unstable for -# production use and has thus been removed from this release. -# We hope that it can be made usable again soon. +# When a mix of cache_dir sizes are configured the faster disks +# have a naturally lower I/O loading and larger disks have more +# capacity. So space used to store objects and data throughput +# may be very unbalanced towards larger disks. # -# block-size=n defines the "block size" for COSS cache_dir's. -# Squid uses file numbers as block numbers. Since file numbers -# are limited to 24 bits, the block size determines the maximum -# size of the COSS partition. The default is 512 bytes, which -# leads to a maximum cache_dir size of 512<<24, or 8 GB. Note -# you should not change the coss block size after Squid -# has written some objects to the cache_dir. # -# The coss file store has changed from 2.5. Now it uses a file -# called 'stripe' in the directory names in the config - and -# this will be created by squid -z. +# round-robin # -# Common options: +# This algorithm is suited to caches with unequal cache_dir +# disk sizes. # -# no-store, no new objects should be stored to this cache_dir +# Each cache_dir is selected in a rotation. The next suitable +# cache_dir is used. # -# max-size=n, refers to the max object size in bytes this cache_dir -# supports. It is used to select the cache_dir to store the object. -# Note: To make optimal use of the max-size limits you should order -# the cache_dir lines with the smallest max-size value first and the -# ones with no max-size specification last. +# Available cache_dir capacity is only considered in relation +# to whether the object will fit and meets the min-size and +# max-size parameters. # -# Note for coss, max-size must be less than COSS_MEMBUF_SZ, -# which can be changed with the --with-coss-membuf-size=N configure -# option. +# Disk I/O loading is only considered to prevent overload on slow +# disks. This algorithm does not spread objects by size, so any +# I/O loading per-disk may appear very unbalanced and volatile. # - -# Uncomment and adjust the following to add a disk cache directory. -#cache_dir ufs /var/spool/squid 100 16 256 -cache_dir ufs /var/spool/squid 8192 16 1024 - -# TAG: store_dir_select_algorithm -# Set this to 'round-robin' as an alternative. +# If several cache_dirs use similar min-size, max-size, or other +# limits to to reject certain responses, then do not group such +# cache_dir lines together, to avoid round-robin selection bias +# towards the first cache_dir after the group. Instead, interleave +# cache_dir lines from different groups. For example: +# +# store_dir_select_algorithm round-robin +# cache_dir rock /hdd1 ... min-size=100000 +# cache_dir rock /ssd1 ... max-size=99999 +# cache_dir rock /hdd2 ... min-size=100000 +# cache_dir rock /ssd2 ... max-size=99999 +# cache_dir rock /hdd3 ... min-size=100000 +# cache_dir rock /ssd3 ... max-size=99999 #Default: # store_dir_select_algorithm least-load @@ -2244,46 +3511,53 @@ cache_dir ufs /var/spool/squid 8192 16 1024 # # A value of 0 indicates no limit. #Default: -# max_open_disk_fds 0 - -# TAG: minimum_object_size (bytes) -# Objects smaller than this size will NOT be saved on disk. The -# value is specified in kilobytes, and the default is 0 KB, which -# means there is no minimum. -#Default: -# minimum_object_size 0 KB - -# TAG: maximum_object_size (bytes) -# Objects larger than this size will NOT be saved on disk. The -# value is specified in kilobytes, and the default is 4MB. If -# you wish to get a high BYTES hit ratio, you should probably -# increase this (one 32 MB object hit counts for 3200 10KB -# hits). If you wish to increase speed more than your want to -# save bandwidth you should leave this low. -# -# NOTE: if using the LFUDA replacement policy you should increase -# this value to maximize the byte hit rate improvement of LFUDA! -# See replacement_policy below for a discussion of this policy. -#Default: -# maximum_object_size 4096 KB -maximum_object_size 153600 KB +# no limit # TAG: cache_swap_low (percent, 0-100) +# The low-water mark for AUFS/UFS/diskd cache object eviction by +# the cache_replacement_policy algorithm. +# +# Removal begins when the swap (disk) usage of a cache_dir is +# above this low-water mark and attempts to maintain utilization +# near the low-water mark. +# +# As swap utilization increases towards the high-water mark set +# by cache_swap_high object eviction becomes more agressive. +# +# The value difference in percentages between low- and high-water +# marks represent an eviction rate of 300 objects per second and +# the rate continues to scale in agressiveness by multiples of +# this above the high-water mark. +# +# Defaults are 90% and 95%. If you have a large cache, 5% could be +# hundreds of MB. If this is the case you may wish to set these +# numbers closer together. +# +# See also cache_swap_high and cache_replacement_policy #Default: # cache_swap_low 90 # TAG: cache_swap_high (percent, 0-100) +# The high-water mark for AUFS/UFS/diskd cache object eviction by +# the cache_replacement_policy algorithm. # -# The low- and high-water marks for cache object replacement. -# Replacement begins when the swap (disk) usage is above the -# low-water mark and attempts to maintain utilization near the -# low-water mark. As swap utilization gets close to high-water -# mark object eviction becomes more aggressive. If utilization is -# close to the low-water mark less replacement is done each time. +# Removal begins when the swap (disk) usage of a cache_dir is +# above the low-water mark set by cache_swap_low and attempts to +# maintain utilization near the low-water mark. +# +# As swap utilization increases towards this high-water mark object +# eviction becomes more agressive. +# +# The value difference in percentages between low- and high-water +# marks represent an eviction rate of 300 objects per second and +# the rate continues to scale in agressiveness by multiples of +# this above the high-water mark. # # Defaults are 90% and 95%. If you have a large cache, 5% could be # hundreds of MB. If this is the case you may wish to set these # numbers closer together. +# +# See also cache_swap_low and cache_replacement_policy #Default: # cache_swap_high 95 @@ -2313,21 +3587,62 @@ maximum_object_size 153600 KB # ' output as-is # # - left aligned -# width field width. If starting with 0 the -# output is zero padded +# +# width minimum and/or maximum field width: +# [width_min][.width_max] +# When minimum starts with 0, the field is zero-padded. +# String values exceeding maximum width are truncated. +# # {arg} argument such as header name etc # # Format codes: # # % a literal % character +# sn Unique sequence number per log line entry +# err_code The ID of an error response served by Squid or +# a similar internal error identifier. +# err_detail Additional err_code-dependent error information. +# note The annotation specified by the argument. Also +# logs the adaptation meta headers set by the +# adaptation_meta configuration parameter. +# If no argument given all annotations logged. +# The argument may include a separator to use with +# annotation values: +# name[:separator] +# By default, multiple note values are separated with "," +# and multiple notes are separated with "\r\n". +# When logging named notes with %{name}note, the +# explicitly configured separator is used between note +# values. When logging all notes with %note, the +# explicitly configured separator is used between +# individual notes. There is currently no way to +# specify both value and notes separators when logging +# all notes with %note. +# +# Connection related format codes: +# # >a Client source IP address # >A Client FQDN # >p Client source port -# eui Client source EUI (MAC address, EUI-48 or EUI-64 identifier) +# >la Local IP address the client connected to +# >lp Local port number the client connected to +# >qos Client connection TOS/DSCP value set by Squid +# >nfmark Client connection netfilter mark set by Squid +# +# la Local listening IP address the client connection was connected to. +# lp Local listening port number the client connection was connected to. +# +# . format. +# Currently, Squid considers the master transaction +# started when a complete HTTP request header initiating +# the transaction is received from the client. This is +# the same value that Squid uses to calculate transaction +# response time when logging %tr to access.log. Currently, +# Squid uses millisecond resolution for %tS values, +# similar to the default access.log "current time" field +# (%ts.%03tu). +# +# Access Control related format codes: +# +# et Tag returned by external acl +# ea Log string returned by external acl +# un User name (any available) +# ul User name from authentication +# ue User name from external acl helper +# ui User name from ident +# un A user name. Expands to the first available name +# from the following list of information sources: +# - authenticated user name, like %ul +# - user name supplied by an external ACL, like %ue +# - SSL client name, like %us +# - ident user name, like %ui +# credentials Client credentials. The exact meaning depends on +# the authentication scheme: For Basic authentication, +# it is the password; for Digest, the realm sent by the +# client; for NTLM and Negotiate, the client challenge +# or client credentials prefixed with "YR " or "KK ". +# +# HTTP related format codes: +# +# REQUEST # -# HTTP cache related format codes: -# -# [http::]>h Original request header. Optional header name argument -# on the format header[:[separator]element] -# [http::]>ha The HTTP request headers after adaptation and redirection. +# [http::]rm Request method (GET/POST etc) +# [http::]>rm Request method from client +# [http::]ru Request URL from client +# [http::]rs Request URL scheme from client +# [http::]rd Request URL domain from client +# [http::]rP Request URL port from client +# [http::]rp Request URL path excluding hostname from client +# [http::]rv Request protocol version from client +# [http::]h Original received request header. +# Usually differs from the request header sent by +# Squid, although most fields are often preserved. +# Accepts optional header field name/value filter +# argument using name[:[separator]element] format. +# [http::]>ha Received request header after adaptation and +# redirection (pre-cache REQMOD vectoring point). +# Usually differs from the request header sent by +# Squid, although most fields are often preserved. # Optional header name argument as for >h +# +# +# RESPONSE +# +# [http::]Hs HTTP status code sent to the client +# # [http::]h -# [http::]un User name -# [http::]ul User name from authentication -# [http::]ui User name from ident -# [http::]us User name from SSL -# [http::]ue User name from external acl helper -# [http::]>Hs HTTP status code sent to the client -# [http::]st Received request size including HTTP headers. In the -# case of chunked requests the chunked encoding metadata -# are not included -# [http::]>sh Received HTTP request headers size -# [http::]st Total size of request received from client. +# Excluding chunked encoding bytes. +# [http::]sh Size of request headers received from client +# [http::]sni SSL client SNI sent to Squid. Available only +# after the peek, stare, or splice SSL bumping +# actions. +# +# If ICAP is enabled, the following code becomes available (as # well as ICAP log codes documented with the icap_log option): # # icap::tt Total ICAP processing time for the HTTP @@ -2386,14 +3793,13 @@ maximum_object_size 153600 KB # ACLs are checked and when ICAP # transaction is in progress. # -# icap::cert_subject The Subject field of the received client +# SSL certificate or a dash ('-') if Squid has +# received an invalid/malformed certificate or +# no certificate at all. Consider encoding the +# logged value because Subject often has spaces. +# +# %ssl::>cert_issuer The Issuer field of the received client +# SSL certificate or a dash ('-') if Squid has +# received an invalid/malformed certificate or +# no certificate at all. Consider encoding the +# logged value because Issuer often has spaces. +# # The default formats available (which do not need re-defining) are: # -#logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %a %Ss/%03>Hs %h] [%a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh +#logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh +#logformat referrer %ts.%03tu %>a %{Referer}>h %ru +#logformat useragent %>a [%tl] "%{User-Agent}>h" +# +# NOTE: When the log_mime_hdrs directive is set to ON. +# The squid, common and combined formats have a safely encoded copy +# of the mime headers appended to each line within a pair of brackets. +# +# NOTE: The common and combined formats are not quite true to the Apache definition. +# The logs from Squid contain an extra status and hierarchy code appended. +# #Default: -# none +# The format definitions squid, common, combined, referrer, useragent are built in. # TAG: access_log -# These files log client request activities. Has a line every HTTP or -# ICP request. The format is: -# access_log [ [acl acl ...]] -# access_log none [acl acl ...]] +# Configures whether and how Squid logs HTTP and ICP transactions. +# If access logging is enabled, a single line is logged for every +# matching HTTP or ICP request. The recommended directive formats are: # -# Will log to the specified file using the specified format (which -# must be defined in a logformat directive) those entries which match -# ALL the acl's specified (which must be defined in acl clauses). +# access_log : [option ...] [acl acl ...] +# access_log none [acl acl ...] # -# If no acl is specified, all requests will be logged to this file. +# The following directive format is accepted but may be deprecated: +# access_log : [ [acl acl ...]] # -# To disable logging of a request use the filepath "none", in which case -# a logformat name should not be specified. +# In most cases, the first ACL name must not contain the '=' character +# and should not be equal to an existing logformat name. You can always +# start with an 'all' ACL to work around those restrictions. +# +# Will log to the specified module:place using the specified format (which +# must be defined in a logformat directive) those entries which match +# ALL the acl's specified (which must be defined in acl clauses). +# If no acl is specified, all requests will be logged to this destination. +# +# ===== Available options for the recommended directive format ===== +# +# logformat=name Names log line format (either built-in or +# defined by a logformat directive). Defaults +# to 'squid'. +# +# buffer-size=64KB Defines approximate buffering limit for log +# records (see buffered_logs). Squid should not +# keep more than the specified size and, hence, +# should flush records before the buffer becomes +# full to avoid overflows under normal +# conditions (the exact flushing algorithm is +# module-dependent though). The on-error option +# controls overflow handling. +# +# on-error=die|drop Defines action on unrecoverable errors. The +# 'drop' action ignores (i.e., does not log) +# affected log records. The default 'die' action +# kills the affected worker. The drop action +# support has not been tested for modules other +# than tcp. +# +# ===== Modules Currently available ===== +# +# none Do not log any requests matching these ACL. +# Do not specify Place or logformat name. +# +# stdio Write each log line to disk immediately at the completion of +# each request. +# Place: the filename and path to be written. +# +# daemon Very similar to stdio. But instead of writing to disk the log +# line is passed to a daemon helper for asychronous handling instead. +# Place: varies depending on the daemon. +# +# log_file_daemon Place: the file name and path to be written. +# +# syslog To log each request via syslog facility. +# Place: The syslog facility and priority level for these entries. +# Place Format: facility.priority # -# To log the request via syslog specify a filepath of "syslog": +# where facility could be any of: +# authpriv, daemon, local0 ... local7 or user. # -# access_log syslog[:facility.priority] [format [acl1 [acl2 ....]]] -# where facility could be any of: -# authpriv, daemon, local0 .. local7 or user. +# And priority could be any of: +# err, warning, notice, info, debug. +# +# udp To send each log line as text data to a UDP receiver. +# Place: The destination host name or IP and port. +# Place Format: //host:port # -# And priority could be any of: -# err, warning, notice, info, debug. +# tcp To send each log line as text data to a TCP receiver. +# Lines may be accumulated before sending (see buffered_logs). +# Place: The destination host name or IP and port. +# Place Format: //host:port # # Default: -# access_log /var/log/squid/access.log squid +# access_log daemon:/var/log/squid/access.log squid #Default: -# access_log /var/log/squid/access.log squid +# access_log daemon:/var/log/squid/access.log squid # TAG: icap_log # ICAP log files record ICAP transaction summaries, one line per @@ -2472,13 +3953,35 @@ maximum_object_size 153600 KB # ICAP transaction log lines will correspond to a single access # log line. # -# ICAP log uses logformat codes that make sense for an ICAP -# transaction. Header-related codes are applied to the HTTP header -# embedded in an ICAP server response, with the following caveats: -# For REQMOD, there is no HTTP response header unless the ICAP -# server performed request satisfaction. For RESPMOD, the HTTP -# request header is the header sent to the ICAP server. For -# OPTIONS, there are no HTTP headers. +# ICAP log supports many access.log logformat %codes. In ICAP context, +# HTTP message-related %codes are applied to the HTTP message embedded +# in an ICAP message. Logformat "%http::>..." codes are used for HTTP +# messages embedded in ICAP requests while "%http::<..." codes are used +# for HTTP messages embedded in ICAP responses. For example: +# +# http::>h To-be-adapted HTTP message headers sent by Squid to +# the ICAP service. For REQMOD transactions, these are +# HTTP request headers. For RESPMOD, these are HTTP +# response headers, but Squid currently cannot log them +# (i.e., %http::>h will expand to "-" for RESPMOD). +# +# http::st Bytes sent to the ICAP server (TCP payload -# only; i.e., what Squid writes to the socket). +# icap::>st The total size of the ICAP request sent to the ICAP +# server (ICAP headers + ICAP body), including chunking +# metadata (if any). # -# icap::a %icap::to/%03icap::Hs %icap::A %icap::to/%03icap::Hs %icap::\n - logfile data +# R\n - rotate file +# T\n - truncate file +# O\n - reopen file +# F\n - flush file +# r\n - set rotate count to +# b\n - 1 = buffer output, 0 = don't buffer output +# +# No responses is expected. #Default: -# none +# logfile_daemon /usr/lib/squid/log_file_daemon -# TAG: log_icap -# This options allows you to control which requests get logged -# to icap.log. See the icap_log directive for ICAP log details. +# TAG: stats_collection allow|deny acl acl... +# This options allows you to control which requests gets accounted +# in performance counters. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow logging for all transactions. # TAG: cache_store_log # Logs the activities of the storage manager. Shows which # objects are ejected from the cache, and which objects are -# saved and for how long. To disable, enter "none" or remove the line. +# saved and for how long. # There are not really utilities to analyze this data, so you can safely -# disable it. -# +# disable it (the default). +# +# Store log uses modular logging outputs. See access_log for the list +# of modules supported. +# # Example: -# cache_store_log /var/log/squid/store.log +# cache_store_log stdio:/var/log/squid/store.log +# cache_store_log daemon:/var/log/squid/store.log #Default: # none @@ -2590,7 +4111,7 @@ maximum_object_size 153600 KB # them). We recommend you do NOT use this option. It is # better to keep these index files in each 'cache_dir' directory. #Default: -# none +# Store the journal inside its cache_dir # TAG: logfile_rotate # Specifies the number of logfile rotations to make when you @@ -2607,34 +4128,19 @@ maximum_object_size 153600 KB # in the habit of using 'squid -k rotate' instead of 'kill -USR1 # '. # -# Note, from Squid-3.1 this option has no effect on the cache.log, -# that log can be rotated separately by using debug_options +# Note, from Squid-3.1 this option is only a default for cache.log, +# that log can be rotated separately by using debug_options. # -# Note2, for Debian/Linux the default of logfile_rotate is -# zero, since it includes external logfile-rotation methods. +# Note2, for Debian/Linux the default of logfile_rotate is +# zero, since it includes external logfile-rotation methods. #Default: # logfile_rotate 0 -# TAG: emulate_httpd_log on|off -# The Cache can emulate the log file format which many 'httpd' -# programs use. To disable/enable this emulation, set -# emulate_httpd_log to 'off' or 'on'. The default -# is to use the native log format since it includes useful -# information Squid-specific log analyzers use. -#Default: -# emulate_httpd_log off - -# TAG: log_ip_on_direct on|off -# Log the destination IP address in the hierarchy log tag when going -# direct. Earlier Squid versions logged the hostname here. If you -# prefer the old way set this to off. -#Default: -# log_ip_on_direct on - # TAG: mime_table -# Pathname to Squid's MIME table. You shouldn't need to change -# this, but the default file contains examples and formatting -# information if you do. +# Path to Squid's icon configuration file. +# +# You shouldn't need to change this, but the default file contains +# examples and formatting information if you do. #Default: # mime_table /usr/share/squid/mime.conf @@ -2647,91 +4153,61 @@ maximum_object_size 153600 KB #Default: # log_mime_hdrs off -# TAG: useragent_log -# Note: This option is only available if Squid is rebuilt with the -# --enable-useragent-log option -# -# Squid will write the User-Agent field from HTTP requests -# to the filename specified here. By default useragent_log -# is disabled. -#Default: -# none - -# TAG: referer_log -# Note: This option is only available if Squid is rebuilt with the -# --enable-referer-log option -# -# Squid will write the Referer field from HTTP requests to the -# filename specified here. By default referer_log is disabled. -# Note that "referer" is actually a misspelling of "referrer" -# however the misspelt version has been accepted into the HTTP RFCs -# and we accept both. -#Default: -# none - # TAG: pid_filename # A filename to write the process-id to. To disable, enter "none". #Default: # pid_filename /var/run/squid.pid -# TAG: log_fqdn on|off -# Turn this on if you wish to log fully qualified domain names -# in the access.log. To do this Squid does a DNS lookup of all -# IP's connecting to it. This can (in some situations) increase -# latency, which makes your cache seem slower for interactive -# browsing. -#Default: -# log_fqdn off - # TAG: client_netmask # A netmask for client addresses in logfiles and cachemgr output. # Change this to protect the privacy of your cache clients. # A netmask of 255.255.255.0 will log all IP's in that range with # the last digit set to '0'. #Default: -# client_netmask no_addr - -# TAG: forward_log -# Note: This option is only available if Squid is rebuilt with the -# -DWIP_FWD_LOG define -# -# Logs the server-side requests. -# -# This is currently work in progress. -#Default: -# none +# Log full client IP address # TAG: strip_query_terms # By default, Squid strips query terms from requested URLs before -# logging. This protects your user's privacy. +# logging. This protects your user's privacy and reduces log size. +# +# When investigating HIT/MISS or other caching behaviour you +# will need to disable this to see the full URL used by Squid. #Default: # strip_query_terms on # TAG: buffered_logs on|off -# cache.log log file is written with stdio functions, and as such -# it can be buffered or unbuffered. By default it will be unbuffered. -# Buffering it can speed up the writing slightly (though you are -# unlikely to need to worry unless you run with tons of debugging -# enabled in which case performance will suffer badly anyway..). +# Whether to write/send access_log records ASAP or accumulate them and +# then write/send them in larger chunks. Buffering may improve +# performance because it decreases the number of I/Os. However, +# buffering increases the delay before log records become available to +# the final recipient (e.g., a disk file or logging daemon) and, +# hence, increases the risk of log records loss. +# +# Note that even when buffered_logs are off, Squid may have to buffer +# records if it cannot write/send them immediately due to pending I/Os +# (e.g., the I/O writing the previous log record) or connectivity loss. +# +# Currently honored by 'daemon' and 'tcp' access_log modules only. #Default: # buffered_logs off # TAG: netdb_filename -# Note: This option is only available if Squid is rebuilt with the -# --enable-icmp option +# Where Squid stores it's netdb journal. +# When enabled this journal preserves netdb state between restarts. # -# A filename where Squid stores it's netdb state between restarts. # To disable, enter "none". #Default: -# netdb_filename /var/log/squid/netdb.state +# netdb_filename stdio:/var/log/squid/netdb.state # OPTIONS FOR TROUBLESHOOTING # ----------------------------------------------------------------------------- # TAG: cache_log -# Cache logging file. This is where general information about -# your cache's behavior goes. You can increase the amount of data -# logged to this file and how often its rotated with "debug_options" +# Squid administrative logging file. +# +# This is where general information about Squid behavior goes. You can +# increase the amount of data logged to this file and how often it is +# rotated with "debug_options" #Default: # cache_log /var/log/squid/cache.log @@ -2742,14 +4218,14 @@ maximum_object_size 153600 KB # log file, so be careful. # # The magic word "ALL" sets debugging levels for all sections. -# We recommend normally running with "ALL,1". +# The default is to run with "ALL,1" to record important warnings. # # The rotate=N option can be used to keep more or less of these logs # than would otherwise be kept by logfile_rotate. # For most uses a single log should be enough to monitor current # events affecting Squid. #Default: -# debug_options ALL,1 +# Log all critical and important messages. # TAG: coredump_dir # By default Squid leaves core files in the directory from where @@ -2758,7 +4234,7 @@ maximum_object_size 153600 KB # and coredump files will be left there. # #Default: -# coredump_dir none +# Use the directory from where Squid was started. # # Leave coredumps in the first cache dir @@ -2769,24 +4245,17 @@ coredump_dir /var/spool/squid # TAG: ftp_user # If you want the anonymous login password to be more informative -# (and enable the use of picky ftp servers), set this to something +# (and enable the use of picky FTP servers), set this to something # reasonable for your domain, like wwwuser@somewhere.net # # The reason why this is domainless by default is the # request can be made on the behalf of a user in any domain, # depending on how the cache is used. -# Some ftp server also validate the email address is valid +# Some FTP server also validate the email address is valid # (for example perl.com). #Default: # ftp_user Squid@ -# TAG: ftp_list_width -# Sets the width of ftp listings. This should be set to fit in -# the width of a standard browser. Setting this too small -# can cut off long filenames when browsing ftp sites. -#Default: -# ftp_list_width 32 - # TAG: ftp_passive # If your firewall does not allow Squid to use passive # connections, turn off this option. @@ -2822,13 +4291,21 @@ coredump_dir /var/spool/squid # and therefore, translation of the data portion of the segments # will never be needed. # -# Turning this OFF will prevent EPSV being attempted. -# WARNING: Doing so will convert Squid back to the old behavior with all -# the related problems with external NAT devices/layers. +# EPSV is often required to interoperate with FTP servers on IPv6 +# networks. On the other hand, it may break some IPv4 servers. +# +# By default, EPSV may try EPSV with any FTP server. To fine tune +# that decision, you may restrict EPSV to certain clients or servers +# using ACLs: # +# ftp_epsv allow|deny al1 acl2 ... +# +# WARNING: Disabling EPSV may cause problems with external NAT and IPv6. +# +# Only fast ACLs are supported. # Requires ftp_passive to be ON (default) for any effect. #Default: -# ftp_epsv on +# none # TAG: ftp_eprt # FTP Protocol extensions permit the use of a special "EPRT" command. @@ -2889,22 +4366,16 @@ coredump_dir /var/spool/squid # unlinkd_program /usr/lib/squid/unlinkd # TAG: pinger_program -# Note: This option is only available if Squid is rebuilt with the -# --enable-icmp option -# # Specify the location of the executable for the pinger process. #Default: # pinger_program /usr/lib/squid/pinger # TAG: pinger_enable -# Note: This option is only available if Squid is rebuilt with the -# --enable-icmp option -# # Control whether the pinger is active at run-time. # Enables turning ICMP pinger on and off with a simple # squid -k reconfigure. #Default: -# pinger_enable off +# pinger_enable on # OPTIONS FOR URL REWRITING # ----------------------------------------------------------------------------- @@ -2915,68 +4386,137 @@ coredump_dir /var/spool/squid # # For each requested URL, the rewriter will receive on line with the format # -# URL client_ip "/" fqdn user method [ kvpairs] +# [channel-ID ] URL [ extras] +# +# See url_rewrite_extras on how to send "extras" with optional values to +# the helper. +# After processing the request the helper must reply using the following format: +# +# [channel-ID ] result [ kv-pairs] +# +# The result code can be: +# +# OK status=30N url="..." +# Redirect the URL to the one supplied in 'url='. +# 'status=' is optional and contains the status code to send +# the client in Squids HTTP response. It must be one of the +# HTTP redirect status codes: 301, 302, 303, 307, 308. +# When no status is given Squid will use 302. +# +# OK rewrite-url="..." +# Rewrite the URL to the one supplied in 'rewrite-url='. +# The new URL is fetched directly by Squid and returned to +# the client as the response to its request. # -# In the future, the rewriter interface will be extended with -# key=value pairs ("kvpairs" shown above). Rewriter programs -# should be prepared to receive and possibly ignore additional -# whitespace-separated tokens on each input line. +# OK +# When neither of url= and rewrite-url= are sent Squid does +# not change the URL. # -# And the rewriter may return a rewritten URL. The other components of -# the request line does not need to be returned (ignored if they are). +# ERR +# Do not change the URL. # -# The rewriter can also indicate that a client-side redirect should -# be performed to the new URL. This is done by prefixing the returned -# URL with "301:" (moved permanently) or 302: (moved temporarily), etc. +# BH +# An internal error occurred in the helper, preventing +# a result being identified. The 'message=' key name is +# reserved for delivering a log message. +# +# +# In addition to the above kv-pairs Squid also understands the following +# optional kv-pairs received from URL rewriters: +# clt_conn_tag=TAG +# Associates a TAG with the client TCP connection. +# The TAG is treated as a regular annotation but persists across +# future requests on the client connection rather than just the +# current request. A helper may update the TAG during subsequent +# requests be returning a new kv-pair. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# WARNING: URL re-writing ability should be avoided whenever possible. +# Use the URL redirect form of response instead. +# +# Re-write creates a difference in the state held by the client +# and server. Possibly causing confusion when the server response +# contains snippets of its view state. Embeded URLs, response +# and content Location headers, etc. are not re-written by this +# interface. # # By default, a URL rewriter is not used. #Default: # none # TAG: url_rewrite_children -# The number of redirector processes to spawn. If you start -# too few Squid will have to wait for them to process a backlog of -# URLs, slowing it down. If you start too many they will use RAM -# and other system resources. -#Default: -# url_rewrite_children 5 - -# TAG: url_rewrite_concurrency +# The maximum number of redirector processes to spawn. If you limit +# it too few Squid will have to wait for them to process a backlog of +# URLs, slowing it down. If you allow too many they will use RAM +# and other system resources noticably. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup= +# +# Sets a minimum of how many processes are to be spawned when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few will cause an initial slowdown in traffic as Squid +# attempts to simultaneously spawn enough processes to cope. +# +# idle= +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# # The number of requests each redirector helper can handle in # parallel. Defaults to 0 which indicates the redirector # is a old-style single threaded redirector. # # When this directive is set to a value >= 1 then the protocol # used to communicate with the helper is modified to include -# a request ID in front of the request/response. The request -# ID from the request must be echoed back with the response -# to that request. +# an ID in front of the request/response. The ID from the request +# must be echoed back with the response to that request. #Default: -# url_rewrite_concurrency 0 +# url_rewrite_children 20 startup=0 idle=1 concurrency=0 # TAG: url_rewrite_host_header -# By default Squid rewrites any Host: header in redirected -# requests. If you are running an accelerator this may -# not be a wanted effect of a redirector. -# +# To preserve same-origin security policies in browsers and +# prevent Host: header forgery by redirectors Squid rewrites +# any Host: header in redirected requests. +# +# If you are running an accelerator this may not be a wanted +# effect of a redirector. This directive enables you disable +# Host: alteration in reverse-proxy traffic. +# # WARNING: Entries are cached on the result of the URL rewriting # process, so be careful if you have domain-virtual hosts. +# +# WARNING: Squid and other software verifies the URL and Host +# are matching, so be careful not to relay through other proxies +# or inspecting firewalls with this disabled. #Default: # url_rewrite_host_header on # TAG: url_rewrite_access # If defined, this access list specifies which requests are -# sent to the redirector processes. By default all requests -# are sent. +# sent to the redirector processes. # # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: url_rewrite_bypass # When this is 'on', a request will not go through the -# redirector if all redirectors are busy. If this is 'off' +# redirector if all the helpers are busy. If this is 'off' # and the redirector queue grows too large, Squid will exit # with a FATAL error and ask you to increase the number of # redirectors. You should only enable this if the redirectors @@ -2987,23 +4527,231 @@ coredump_dir /var/spool/squid #Default: # url_rewrite_bypass off -# OPTIONS FOR TUNING THE CACHE +# TAG: url_rewrite_extras +# Specifies a string to be append to request line format for the +# rewriter helper. "Quoted" format values may contain spaces and +# logformat %macros. In theory, any logformat %macro can be used. +# In practice, a %macro expands as a dash (-) if the helper request is +# sent before the required macro information is available to Squid. +#Default: +# url_rewrite_extras "%>a/%>A %un %>rm myip=%la myport=%lp" + +# OPTIONS FOR STORE ID # ----------------------------------------------------------------------------- -# TAG: cache -# A list of ACL elements which, if matched and denied, cause the request to -# not be satisfied from the cache and the reply to not be cached. -# In other words, use this to force certain objects to never be cached. +# TAG: store_id_program +# Specify the location of the executable StoreID helper to use. +# Since they can perform almost any function there isn't one included. # -# You must use the words 'allow' or 'deny' to indicate whether items -# matching the ACL should be allowed or denied into the cache. +# For each requested URL, the helper will receive one line with the format # -# Default is to allow all to be cached. +# [channel-ID ] URL [ extras] +# +# +# After processing the request the helper must reply using the following format: +# +# [channel-ID ] result [ kv-pairs] +# +# The result code can be: +# +# OK store-id="..." +# Use the StoreID supplied in 'store-id='. +# +# ERR +# The default is to use HTTP request URL as the store ID. +# +# BH +# An internal error occured in the helper, preventing +# a result being identified. +# +# In addition to the above kv-pairs Squid also understands the following +# optional kv-pairs received from URL rewriters: +# clt_conn_tag=TAG +# Associates a TAG with the client TCP connection. +# Please see url_rewrite_program related documentation for this +# kv-pair +# +# Helper programs should be prepared to receive and possibly ignore +# additional whitespace-separated tokens on each input line. +# +# When using the concurrency= option the protocol is changed by +# introducing a query channel tag in front of the request/response. +# The query channel tag is a number between 0 and concurrency-1. +# This value must be echoed back unchanged to Squid as the first part +# of the response relating to its request. +# +# NOTE: when using StoreID refresh_pattern will apply to the StoreID +# returned from the helper and not the URL. +# +# WARNING: Wrong StoreID value returned by a careless helper may result +# in the wrong cached response returned to the user. +# +# By default, a StoreID helper is not used. +#Default: +# none + +# TAG: store_id_extras +# Specifies a string to be append to request line format for the +# StoreId helper. "Quoted" format values may contain spaces and +# logformat %macros. In theory, any logformat %macro can be used. +# In practice, a %macro expands as a dash (-) if the helper request is +# sent before the required macro information is available to Squid. +#Default: +# store_id_extras "%>a/%>A %un %>rm myip=%la myport=%lp" + +# TAG: store_id_children +# The maximum number of StoreID helper processes to spawn. If you limit +# it too few Squid will have to wait for them to process a backlog of +# requests, slowing it down. If you allow too many they will use RAM +# and other system resources noticably. +# +# The startup= and idle= options allow some measure of skew in your +# tuning. +# +# startup= +# +# Sets a minimum of how many processes are to be spawned when Squid +# starts or reconfigures. When set to zero the first request will +# cause spawning of the first child process to handle it. +# +# Starting too few will cause an initial slowdown in traffic as Squid +# attempts to simultaneously spawn enough processes to cope. +# +# idle= +# +# Sets a minimum of how many processes Squid is to try and keep available +# at all times. When traffic begins to rise above what the existing +# processes can handle this many more will be spawned up to the maximum +# configured. A minimum setting of 1 is required. +# +# concurrency= +# +# The number of requests each storeID helper can handle in +# parallel. Defaults to 0 which indicates the helper +# is a old-style single threaded program. +# +# When this directive is set to a value >= 1 then the protocol +# used to communicate with the helper is modified to include +# an ID in front of the request/response. The ID from the request +# must be echoed back with the response to that request. +#Default: +# store_id_children 20 startup=0 idle=1 concurrency=0 + +# TAG: store_id_access +# If defined, this access list specifies which requests are +# sent to the StoreID processes. By default all requests +# are sent. # # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow, unless rules exist in squid.conf. + +# TAG: store_id_bypass +# When this is 'on', a request will not go through the +# helper if all helpers are busy. If this is 'off' +# and the helper queue grows too large, Squid will exit +# with a FATAL error and ask you to increase the number of +# helpers. You should only enable this if the helperss +# are not critical to your caching system. If you use +# helpers for critical caching components, and you enable this +# option, users may not get objects from cache. +#Default: +# store_id_bypass on + +# OPTIONS FOR TUNING THE CACHE +# ----------------------------------------------------------------------------- + +# TAG: cache +# Requests denied by this directive will not be served from the cache +# and their responses will not be stored in the cache. This directive +# has no effect on other transactions and on already cached responses. +# +# This clause supports both fast and slow acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# This and the two other similar caching directives listed below are +# checked at different transaction processing stages, have different +# access to response information, affect different cache operations, +# and differ in slow ACLs support: +# +# * cache: Checked before Squid makes a hit/miss determination. +# No access to reply information! +# Denies both serving a hit and storing a miss. +# Supports both fast and slow ACLs. +# * send_hit: Checked after a hit was detected. +# Has access to reply (hit) information. +# Denies serving a hit only. +# Supports fast ACLs only. +# * store_miss: Checked before storing a cachable miss. +# Has access to reply (miss) information. +# Denies storing a miss only. +# Supports fast ACLs only. +# +# If you are not sure which of the three directives to use, apply the +# following decision logic: +# +# * If your ACL(s) are of slow type _and_ need response info, redesign. +# Squid does not support that particular combination at this time. +# Otherwise: +# * If your directive ACL(s) are of slow type, use "cache"; and/or +# * if your directive ACL(s) need no response info, use "cache". +# Otherwise: +# * If you do not want the response cached, use store_miss; and/or +# * if you do not want a hit on a cached response, use send_hit. +#Default: +# By default, this directive is unused and has no effect. + +# TAG: send_hit +# Responses denied by this directive will not be served from the cache +# (but may still be cached, see store_miss). This directive has no +# effect on the responses it allows and on the cached objects. +# +# Please see the "cache" directive for a summary of differences among +# store_miss, send_hit, and cache directives. +# +# Unlike the "cache" directive, send_hit only supports fast acl +# types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# For example: +# +# # apply custom Store ID mapping to some URLs +# acl MapMe dstdomain .c.example.com +# store_id_program ... +# store_id_access allow MapMe +# +# # but prevent caching of special responses +# # such as 302 redirects that cause StoreID loops +# acl Ordinary http_status 200-299 +# store_miss deny MapMe !Ordinary +# +# # and do not serve any previously stored special responses +# # from the cache (in case they were already cached before +# # the above store_miss rule was in effect). +# send_hit deny MapMe !Ordinary +#Default: +# By default, this directive is unused and has no effect. + +# TAG: store_miss +# Responses denied by this directive will not be cached (but may still +# be served from the cache, see send_hit). This directive has no +# effect on the responses it allows and on the already cached responses. +# +# Please see the "cache" directive for a summary of differences among +# store_miss, send_hit, and cache directives. See the +# send_hit directive for a usage example. +# +# Unlike the "cache" directive, store_miss only supports fast acl +# types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +#Default: +# By default, this directive is unused and has no effect. + +# TAG: max_stale time-units +# This option puts an upper limit on how stale content Squid +# will serve from the cache if cache validation fails. +# Can be overriden by the refresh_pattern max-stale option. +#Default: +# max_stale 1 week # TAG: refresh_pattern # usage: refresh_pattern [-i] regex min percent max [options] @@ -3028,12 +4776,13 @@ coredump_dir /var/spool/squid # override-lastmod # reload-into-ims # ignore-reload -# ignore-no-cache # ignore-no-store # ignore-must-revalidate # ignore-private # ignore-auth +# max-stale=NN # refresh-ims +# store-stale # # override-expire enforces min age even if the server # sent an explicit expiry time (e.g., with the @@ -3049,22 +4798,18 @@ coredump_dir /var/spool/squid # override-lastmod enforces min age even on objects # that were modified recently. # -# reload-into-ims changes client no-cache or ``reload'' -# to If-Modified-Since requests. Doing this VIOLATES the -# HTTP standard. Enabling this feature could make you -# liable for problems which it causes. +# reload-into-ims changes a client no-cache or ``reload'' +# request for a cached entry into a conditional request using +# If-Modified-Since and/or If-None-Match headers, provided the +# cached entry has a Last-Modified and/or a strong ETag header. +# Doing this VIOLATES the HTTP standard. Enabling this feature +# could make you liable for problems which it causes. # # ignore-reload ignores a client no-cache or ``reload'' # header. Doing this VIOLATES the HTTP standard. Enabling # this feature could make you liable for problems which # it causes. # -# ignore-no-cache ignores any ``Pragma: no-cache'' and -# ``Cache-control: no-cache'' headers received from a server. -# The HTTP RFC never allows the use of this (Pragma) header -# from a server, only a client, though plenty of servers -# send it anyway. -# # ignore-no-store ignores any ``Cache-control: no-store'' # headers received from a server. Doing this VIOLATES # the HTTP standard. Enabling this feature could make you @@ -3091,9 +4836,19 @@ coredump_dir /var/spool/squid # ensures that the client will receive an updated version # if one is available. # +# store-stale stores responses even if they don't have explicit +# freshness or a validator (i.e., Last-Modified or an ETag) +# present, or if they're already stale. By default, Squid will +# not cache such responses because they usually can't be +# reused. Note that such responses will be stale by default. +# +# max-stale=NN provide a maximum staleness factor. Squid won't +# serve objects more stale than this even if it failed to +# validate the object. Default: use the max_stale global limit. +# # Basically a cached object is: # -# FRESH if expires < now, else STALE +# FRESH if expire > now, else STALE # STALE if age > max # FRESH if lm-factor < percent, else STALE # FRESH if age < min @@ -3109,7 +4864,9 @@ coredump_dir /var/spool/squid # # +# # Add any of your own refresh_pattern entries above these. +# refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 @@ -3137,7 +4894,7 @@ refresh_pattern . 0 20% 4320 # downloads. # # When the user aborts a request, Squid will check the -# quick_abort values to the amount of data transfered until +# quick_abort values to the amount of data transferred until # then. # # If the transfer has less than 'quick_abort_min' KB remaining, @@ -3195,44 +4952,68 @@ refresh_pattern . 0 20% 4320 #Default: # negative_dns_ttl 1 minutes -# TAG: range_offset_limit (bytes) -# Sets a upper limit on how far into the the file a Range request -# may be to cause Squid to prefetch the whole file. If beyond this -# limit Squid forwards the Range request as it is and the result -# is NOT cached. -# +# TAG: range_offset_limit size [acl acl...] +# usage: (size) [units] [[!]aclname] +# +# Sets an upper limit on how far (number of bytes) into the file +# a Range request may be to cause Squid to prefetch the whole file. +# If beyond this limit, Squid forwards the Range request as it is and +# the result is NOT cached. +# # This is to stop a far ahead range request (lets say start at 17MB) # from making Squid fetch the whole object up to that point before # sending anything to the client. -# -# A value of 0 causes Squid to never fetch more than the +# +# Multiple range_offset_limit lines may be specified, and they will +# be searched from top to bottom on each request until a match is found. +# The first match found will be used. If no line matches a request, the +# default limit of 0 bytes will be used. +# +# 'size' is the limit specified as a number of units. +# +# 'units' specifies whether to use bytes, KB, MB, etc. +# If no units are specified bytes are assumed. +# +# A size of 0 causes Squid to never fetch more than the # client requested. (default) -# -# A value of -1 causes Squid to always fetch the object from the +# +# A size of 'none' causes Squid to always fetch the object from the # beginning so it may cache the result. (2.0 style) -# -# NP: Using -1 here will override any quick_abort settings that may -# otherwise apply to the range request. The range request will +# +# 'aclname' is the name of a defined ACL. +# +# NP: Using 'none' as the byte value here will override any quick_abort settings +# that may otherwise apply to the range request. The range request will # be fully fetched from start to finish regardless of the client # actions. This affects bandwidth usage. #Default: -# range_offset_limit 0 KB +# none # TAG: minimum_expiry_time (seconds) # The minimum caching time according to (Expires - Date) -# Headers Squid honors if the object can't be revalidated -# defaults to 60 seconds. In reverse proxy environments it -# might be desirable to honor shorter object lifetimes. It -# is most likely better to make your server return a -# meaningful Last-Modified header however. In ESI environments -# where page fragments often have short lifetimes, this will -# often be best set to 0. +# headers Squid honors if the object can't be revalidated. +# The default is 60 seconds. +# +# In reverse proxy environments it might be desirable to honor +# shorter object lifetimes. It is most likely better to make +# your server return a meaningful Last-Modified header however. +# +# In ESI environments where page fragments often have short +# lifetimes, this will often be best set to 0. #Default: # minimum_expiry_time 60 seconds -# TAG: store_avg_object_size (kbytes) +# TAG: store_avg_object_size (bytes) # Average object size, used to estimate number of objects your # cache can hold. The default is 13 KB. +# +# This is used to pre-seed the cache index memory allocation to +# reduce expensive reallocate operations while handling clients +# traffic. Too-large values may result in memory allocation during +# peak traffic, too-small values will result in wasted memory. +# +# Check the cache manager 'info' report metrics for the real +# object sizes seen by your Squid before tuning this. #Default: # store_avg_object_size 13 KB @@ -3271,8 +5052,11 @@ refresh_pattern . 0 20% 4320 # than this limit receives an "Invalid Request" error message. # If you set this parameter to a zero (the default), there will # be no limit imposed. +# +# See also client_request_buffer_max_size for an alternative +# limitation on client uploads which can be configured. #Default: -# request_body_max_size 0 KB +# No limit. # TAG: client_request_buffer_max_size (bytes) # This specifies the maximum buffer size of a client request. @@ -3281,29 +5065,6 @@ refresh_pattern . 0 20% 4320 #Default: # client_request_buffer_max_size 512 KB -# TAG: chunked_request_body_max_size (bytes) -# A broken or confused HTTP/1.1 client may send a chunked HTTP -# request to Squid. Squid does not have full support for that -# feature yet. To cope with such requests, Squid buffers the -# entire request and then dechunks request body to create a -# plain HTTP/1.0 request with a known content length. The plain -# request is then used by the rest of Squid code as usual. -# -# The option value specifies the maximum size of the buffer used -# to hold the request before the conversion. If the chunked -# request size exceeds the specified limit, the conversion -# fails, and the client receives an "unsupported request" error, -# as if dechunking was disabled. -# -# Dechunking is enabled by default. To disable conversion of -# chunked requests, set the maximum to zero. -# -# Request dechunking feature and this option in particular are a -# temporary hack. When chunking requests and responses are fully -# supported, there will be no need to buffer a chunked request. -#Default: -# chunked_request_body_max_size 64 KB - # TAG: broken_posts # A list of ACL elements which, if matched, causes Squid to send # an extra CRLF pair after the body of a PUT/POST request. @@ -3325,15 +5086,15 @@ refresh_pattern . 0 20% 4320 # acl buggy_server url_regex ^http://.... # broken_posts allow buggy_server #Default: -# none +# Obey RFC 2616. -# TAG: icap_uses_indirect_client on|off +# TAG: adaptation_uses_indirect_client on|off # Controls whether the indirect client IP address (instead of the direct # client IP address) is passed to adaptation services. # # See also: follow_x_forwarded_for adaptation_send_client_ip #Default: -# icap_uses_indirect_client on +# adaptation_uses_indirect_client on # TAG: via on|off # If set (default), Squid will include a Via header in requests and @@ -3395,64 +5156,62 @@ refresh_pattern . 0 20% 4320 # # This option replaces the old 'anonymize_headers' and the # older 'http_anonymizer' option with something that is much -# more configurable. This new method creates a list of ACLs -# for each header, allowing you very fine-tuned header -# mangling. -# -# This option only applies to request headers, i.e., from the -# client to the server. -# -# You can only specify known headers for the header name. -# Other headers are reclassified as 'Other'. You can also -# refer to all the headers with 'All'. +# more configurable. A list of ACLs for each header name allows +# removal of specific header fields under specific conditions. +# +# This option only applies to outgoing HTTP request headers (i.e., +# headers sent by Squid to the next HTTP hop such as a cache peer +# or an origin server). The option has no effect during cache hit +# detection. The equivalent adaptation vectoring point in ICAP +# terminology is post-cache REQMOD. +# +# The option is applied to individual outgoing request header +# fields. For each request header field F, Squid uses the first +# qualifying sets of request_header_access rules: +# +# 1. Rules with header_name equal to F's name. +# 2. Rules with header_name 'Other', provided F's name is not +# on the hard-coded list of commonly used HTTP header names. +# 3. Rules with header_name 'All'. +# +# Within that qualifying rule set, rule ACLs are checked as usual. +# If ACLs of an "allow" rule match, the header field is allowed to +# go through as is. If ACLs of a "deny" rule match, the header is +# removed and request_header_replace is then checked to identify +# if the removed header has a replacement. If no rules within the +# set have matching ACLs, the header field is left as is. # # For example, to achieve the same behavior as the old # 'http_anonymizer standard' option, you should use: # # request_header_access From deny all # request_header_access Referer deny all -# request_header_access Server deny all # request_header_access User-Agent deny all -# request_header_access WWW-Authenticate deny all -# request_header_access Link deny all # # Or, to reproduce the old 'http_anonymizer paranoid' feature # you should use: # -# request_header_access Allow allow all # request_header_access Authorization allow all -# request_header_access WWW-Authenticate allow all # request_header_access Proxy-Authorization allow all -# request_header_access Proxy-Authenticate allow all # request_header_access Cache-Control allow all -# request_header_access Content-Encoding allow all # request_header_access Content-Length allow all # request_header_access Content-Type allow all # request_header_access Date allow all -# request_header_access Expires allow all # request_header_access Host allow all # request_header_access If-Modified-Since allow all -# request_header_access Last-Modified allow all -# request_header_access Location allow all # request_header_access Pragma allow all # request_header_access Accept allow all # request_header_access Accept-Charset allow all # request_header_access Accept-Encoding allow all # request_header_access Accept-Language allow all -# request_header_access Content-Language allow all -# request_header_access Mime-Version allow all -# request_header_access Retry-After allow all -# request_header_access Title allow all # request_header_access Connection allow all # request_header_access All deny all # -# although many of those are HTTP reply headers, and so should be -# controlled with the reply_header_access directive. +# HTTP reply headers are controlled with the reply_header_access directive. # -# By default, all headers are allowed (no anonymizing is -# performed). +# By default, all headers are allowed (no anonymizing is performed). #Default: -# none +# No limits. # TAG: reply_header_access # Usage: reply_header_access header_name allow|deny [!]aclname ... @@ -3465,25 +5224,13 @@ refresh_pattern . 0 20% 4320 # server to the client. # # This is the same as request_header_access, but in the other -# direction. -# -# This option replaces the old 'anonymize_headers' and the -# older 'http_anonymizer' option with something that is much -# more configurable. This new method creates a list of ACLs -# for each header, allowing you very fine-tuned header -# mangling. -# -# You can only specify known headers for the header name. -# Other headers are reclassified as 'Other'. You can also -# refer to all the headers with 'All'. +# direction. Please see request_header_access for detailed +# documentation. # # For example, to achieve the same behavior as the old # 'http_anonymizer standard' option, you should use: # -# reply_header_access From deny all -# reply_header_access Referer deny all # reply_header_access Server deny all -# reply_header_access User-Agent deny all # reply_header_access WWW-Authenticate deny all # reply_header_access Link deny all # @@ -3491,9 +5238,7 @@ refresh_pattern . 0 20% 4320 # you should use: # # reply_header_access Allow allow all -# reply_header_access Authorization allow all # reply_header_access WWW-Authenticate allow all -# reply_header_access Proxy-Authorization allow all # reply_header_access Proxy-Authenticate allow all # reply_header_access Cache-Control allow all # reply_header_access Content-Encoding allow all @@ -3501,29 +5246,22 @@ refresh_pattern . 0 20% 4320 # reply_header_access Content-Type allow all # reply_header_access Date allow all # reply_header_access Expires allow all -# reply_header_access Host allow all -# reply_header_access If-Modified-Since allow all # reply_header_access Last-Modified allow all # reply_header_access Location allow all # reply_header_access Pragma allow all -# reply_header_access Accept allow all -# reply_header_access Accept-Charset allow all -# reply_header_access Accept-Encoding allow all -# reply_header_access Accept-Language allow all # reply_header_access Content-Language allow all -# reply_header_access Mime-Version allow all # reply_header_access Retry-After allow all # reply_header_access Title allow all +# reply_header_access Content-Disposition allow all # reply_header_access Connection allow all # reply_header_access All deny all # -# although the HTTP request headers won't be usefully controlled -# by this directive -- see request_header_access for details. +# HTTP request headers are controlled with the request_header_access directive. # # By default, all headers are allowed (no anonymizing is # performed). #Default: -# none +# No limits. # TAG: request_header_replace # Usage: request_header_replace header_name message @@ -3531,8 +5269,7 @@ refresh_pattern . 0 20% 4320 # # This option allows you to change the contents of headers # denied with request_header_access above, by replacing them -# with some fixed string. This replaces the old fake_user_agent -# option. +# with some fixed string. # # This only applies to request headers, not reply headers. # @@ -3554,6 +5291,57 @@ refresh_pattern . 0 20% 4320 #Default: # none +# TAG: request_header_add +# Usage: request_header_add field-name field-value acl1 [acl2] ... +# Example: request_header_add X-Client-CA "CA=%ssl::>cert_issuer" all +# +# This option adds header fields to outgoing HTTP requests (i.e., +# request headers sent by Squid to the next HTTP hop such as a +# cache peer or an origin server). The option has no effect during +# cache hit detection. The equivalent adaptation vectoring point +# in ICAP terminology is post-cache REQMOD. +# +# Field-name is a token specifying an HTTP header name. If a +# standard HTTP header name is used, Squid does not check whether +# the new header conflicts with any existing headers or violates +# HTTP rules. If the request to be modified already contains a +# field with the same name, the old field is preserved but the +# header field values are not merged. +# +# Field-value is either a token or a quoted string. If quoted +# string format is used, then the surrounding quotes are removed +# while escape sequences and %macros are processed. +# +# In theory, all of the logformat codes can be used as %macros. +# However, unlike logging (which happens at the very end of +# transaction lifetime), the transaction may not yet have enough +# information to expand a macro when the new header value is needed. +# And some information may already be available to Squid but not yet +# committed where the macro expansion code can access it (report +# such instances!). The macro will be expanded into a single dash +# ('-') in such cases. Not all macros have been tested. +# +# One or more Squid ACLs may be specified to restrict header +# injection to matching requests. As always in squid.conf, all +# ACLs in an option ACL list must be satisfied for the insertion +# to happen. The request_header_add option supports fast ACLs +# only. +#Default: +# none + +# TAG: note +# This option used to log custom information about the master +# transaction. For example, an admin may configure Squid to log +# which "user group" the transaction belongs to, where "user group" +# will be determined based on a set of ACLs and not [just] +# authentication information. +# Values of key/value pairs can be logged using %{key}note macros: +# +# note key value acl ... +# logformat myFormat ... %{key}note ... +#Default: +# none + # TAG: relaxed_header_parser on|off|warn # In the default "on" setting Squid accepts certain forms # of non-compliant HTTP messages where it is unambiguous @@ -3569,15 +5357,32 @@ refresh_pattern . 0 20% 4320 #Default: # relaxed_header_parser on -# TAG: ignore_expect_100 on|off -# This option makes Squid ignore any Expect: 100-continue header present -# in the request. RFC 2616 requires that Squid being unable to satisfy -# the response expectation MUST return a 417 error. -# -# Note: Enabling this is a HTTP protocol violation, but some clients may -# not handle it well.. -#Default: -# ignore_expect_100 off +# TAG: collapsed_forwarding (on|off) +# When enabled, instead of forwarding each concurrent request for +# the same URL, Squid just sends the first of them. The other, so +# called "collapsed" requests, wait for the response to the first +# request and, if it happens to be cachable, use that response. +# Here, "concurrent requests" means "received after the first +# request headers were parsed and before the corresponding response +# headers were parsed". +# +# This feature is disabled by default: enabling collapsed +# forwarding needlessly delays forwarding requests that look +# cachable (when they are collapsed) but then need to be forwarded +# individually anyway because they end up being for uncachable +# content. However, in some cases, such as acceleration of highly +# cachable content with periodic or grouped expiration times, the +# gains from collapsing [large volumes of simultaneous refresh +# requests] outweigh losses from such delays. +# +# Squid collapses two kinds of requests: regular client requests +# received on one of the listening ports and internal "cache +# revalidation" requests which are triggered by those regular +# requests hitting a stale cached object. Revalidation collapsing +# is currently disabled for Squid instances containing SMP-aware +# disk or memory caches and for Vary-controlled cached objects. +#Default: +# collapsed_forwarding off # TIMEOUTS # ----------------------------------------------------------------------------- @@ -3604,25 +5409,46 @@ refresh_pattern . 0 20% 4320 # peer_connect_timeout 30 seconds # TAG: read_timeout time-units -# The read_timeout is applied on server-side connections. After -# each successful read(), the timeout will be extended by this +# Applied on peer server connections. +# +# After each successful read(), the timeout will be extended by this # amount. If no data is read again after this amount of time, -# the request is aborted and logged with ERR_READ_TIMEOUT. The -# default is 15 minutes. +# the request is aborted and logged with ERR_READ_TIMEOUT. +# +# The default is 15 minutes. #Default: # read_timeout 15 minutes +# TAG: write_timeout time-units +# This timeout is tracked for all connections that have data +# available for writing and are waiting for the socket to become +# ready. After each successful write, the timeout is extended by +# the configured amount. If Squid has data to write but the +# connection is not ready for the configured duration, the +# transaction associated with the connection is terminated. The +# default is 15 minutes. +#Default: +# write_timeout 15 minutes + # TAG: request_timeout # How long to wait for complete HTTP request headers after initial # connection establishment. #Default: # request_timeout 5 minutes -# TAG: persistent_request_timeout +# TAG: client_idle_pconn_timeout # How long to wait for the next HTTP request on a persistent -# connection after the previous request completes. +# client connection after the previous request completes. +#Default: +# client_idle_pconn_timeout 2 minutes + +# TAG: ftp_client_idle_timeout +# How long to wait for an FTP request on a connection to Squid ftp_port. +# Many FTP clients do not deal with idle connection closures well, +# necessitating a longer default timeout than client_idle_pconn_timeout +# used for incoming HTTP requests. #Default: -# persistent_request_timeout 2 minutes +# ftp_client_idle_timeout 30 minutes # TAG: client_lifetime time-units # The maximum amount of time a client (browser) is allowed to @@ -3658,11 +5484,11 @@ refresh_pattern . 0 20% 4320 #Default: # half_closed_clients off -# TAG: pconn_timeout +# TAG: server_idle_pconn_timeout # Timeout for idle persistent connections to servers and other # proxies. #Default: -# pconn_timeout 1 minute +# server_idle_pconn_timeout 1 minute # TAG: ident_timeout # Maximum time to wait for IDENT lookups to complete. @@ -3687,15 +5513,15 @@ refresh_pattern . 0 20% 4320 # TAG: cache_mgr # Email-address of local cache manager who will receive -# mail if the cache dies. The default is "webmaster." +# mail if the cache dies. The default is "webmaster". #Default: # cache_mgr webmaster # TAG: mail_from # From: email-address for mail sent when the cache dies. -# The default is to use 'appname@unique_hostname'. -# Default appname value is "squid", can be changed into -# src/globals.h before building squid. +# The default is to use 'squid@unique_hostname'. +# +# See also: unique_hostname directive. #Default: # none @@ -3734,7 +5560,7 @@ refresh_pattern . 0 20% 4320 # Our preference is for administrators to configure a secure # user account for squid with UID/GID matching system policies. #Default: -# none +# Use system group memberships of the cache_effective_user account # TAG: httpd_suppress_version_string on|off # Suppress Squid version string info in HTTP headers and HTML error pages. @@ -3748,14 +5574,14 @@ refresh_pattern . 0 20% 4320 # get errors about IP-forwarding you must set them to have individual # names with this setting. #Default: -# visible_hostname localhost +# Automatically detect the system host name # TAG: unique_hostname # If you want to have multiple machines with the same # 'visible_hostname' you must give each machine a different # 'unique_hostname' so forwarding loops can be detected. #Default: -# none +# Copy the value from visible_hostname # TAG: hostname_aliases # A list of other DNS names your cache has. @@ -3794,33 +5620,32 @@ refresh_pattern . 0 20% 4320 # available on the Web at http://www.ircache.net/Cache/Tracker/. # TAG: announce_period -# This is how frequently to send cache announcements. The -# default is `0' which disables sending the announcement -# messages. +# This is how frequently to send cache announcements. # # To enable announcing your cache, just set an announce period. # # Example: # announce_period 1 day #Default: -# announce_period 0 +# Announcement messages disabled. # TAG: announce_host +# Set the hostname where announce registration messages will be sent. +# +# See also announce_port and announce_file #Default: # announce_host tracker.ircache.net # TAG: announce_file +# The contents of this file will be included in the announce +# registration messages. #Default: # none # TAG: announce_port -# announce_host and announce_port set the hostname and port -# number where the registration message will be sent. +# Set the port where announce registration messages will be sent. # -# Hostname will default to 'tracker.ircache.net' and port will -# default default to 3131. If the 'filename' argument is given, -# the contents of that file will be included in the announce -# message. +# See also announce_host and announce_file #Default: # announce_port 3131 @@ -3833,10 +5658,12 @@ refresh_pattern . 0 20% 4320 # a farm of surrogates may all perform the same tasks, they may share # an identification token. #Default: -# httpd_accel_surrogate_id unset-id +# visible_hostname is used if no specific ID is set. # TAG: http_accel_surrogate_remote on|off -# Remote surrogates (such as those in a CDN) honour Surrogate-Control: no-store-remote. +# Remote surrogates (such as those in a CDN) honour the header +# "Surrogate-Control: no-store-remote". +# # Set this to on to have squid behave as a remote surrogate. #Default: # http_accel_surrogate_remote off @@ -3855,6 +5682,9 @@ refresh_pattern . 0 20% 4320 # This represents the number of delay pools to be used. For example, # if you have one class 2 delay pool and one class 3 delays pool, you # have a total of 2 delay pools. +# +# See also delay_parameters, delay_class, delay_access for pool +# configuration details. #Default: # delay_pools 0 @@ -3907,6 +5737,11 @@ refresh_pattern . 0 20% 4320 # # NOTE-2: Due to the use of bitmasks in class 2,3,4 pools they only apply to # IPv4 traffic. Class 1 and 5 pools may be used with IPv6 traffic. +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +# See also delay_parameters and delay_access. #Default: # none @@ -3921,14 +5756,16 @@ refresh_pattern . 0 20% 4320 # For example, if you want some_big_clients in delay # pool 1 and lotsa_little_clients in delay pool 2: # -#Example: -# delay_access 1 allow some_big_clients -# delay_access 1 deny all -# delay_access 2 allow lotsa_little_clients -# delay_access 2 deny all -# delay_access 3 allow authenticated_clients +# delay_access 1 allow some_big_clients +# delay_access 1 deny all +# delay_access 2 allow lotsa_little_clients +# delay_access 2 deny all +# delay_access 3 allow authenticated_clients +# +# See also delay_parameters and delay_class. +# #Default: -# none +# Deny using the pool, unless allow rules exist in squid.conf for the pool. # TAG: delay_parameters # This defines the parameters for a delay pool. Each delay pool has @@ -3936,23 +5773,23 @@ refresh_pattern . 0 20% 4320 # description of delay_class. # # For a class 1 delay pool, the syntax is: -# delay_pools pool 1 +# delay_class pool 1 # delay_parameters pool aggregate # # For a class 2 delay pool: -# delay_pools pool 2 +# delay_class pool 2 # delay_parameters pool aggregate individual # # For a class 3 delay pool: -# delay_pools pool 3 +# delay_class pool 3 # delay_parameters pool aggregate network individual # # For a class 4 delay pool: -# delay_pools pool 4 +# delay_class pool 4 # delay_parameters pool aggregate network individual user # # For a class 5 delay pool: -# delay_pools pool 5 +# delay_class pool 5 # delay_parameters pool tagrate # # The option variables are: @@ -3988,11 +5825,11 @@ refresh_pattern . 0 20% 4320 # above example, and is being used to strictly limit each host to 64Kbit/sec # (plus overheads), with no overall limit, the line is: # -# delay_parameters 1 -1/-1 8000/8000 +# delay_parameters 1 none 8000/8000 # -# Note that 8 x 8000 KByte/sec -> 64Kbit/sec. +# Note that 8 x 8K Byte/sec -> 64K bit/sec. # -# Note that the figure -1 is used to represent "unlimited". +# Note that the word 'none' is used to represent no limit. # # # And, if delay pool number 2 is a class 3 delay pool as in the above @@ -4005,15 +5842,19 @@ refresh_pattern . 0 20% 4320 # # delay_parameters 2 32000/32000 8000/8000 600/8000 # -# Note that 8 x 32000 KByte/sec -> 256Kbit/sec. -# 8 x 8000 KByte/sec -> 64Kbit/sec. -# 8 x 600 Byte/sec -> 4800bit/sec. +# Note that 8 x 32K Byte/sec -> 256K bit/sec. +# 8 x 8K Byte/sec -> 64K bit/sec. +# 8 x 600 Byte/sec -> 4800 bit/sec. # # # Finally, for a class 4 delay pool as in the example - each user will # be limited to 128Kbits/sec no matter how many workstations they are logged into.: # # delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000 +# +# +# See also delay_class and delay_access. +# #Default: # none @@ -4026,6 +5867,94 @@ refresh_pattern . 0 20% 4320 #Default: # delay_initial_bucket_level 50 +# CLIENT DELAY POOL PARAMETERS +# ----------------------------------------------------------------------------- + +# TAG: client_delay_pools +# This option specifies the number of client delay pools used. It must +# preceed other client_delay_* options. +# +# Example: +# client_delay_pools 2 +# +# See also client_delay_parameters and client_delay_access. +#Default: +# client_delay_pools 0 + +# TAG: client_delay_initial_bucket_level (percent, 0-no_limit) +# This option determines the initial bucket size as a percentage of +# max_bucket_size from client_delay_parameters. Buckets are created +# at the time of the "first" connection from the matching IP. Idle +# buckets are periodically deleted up. +# +# You can specify more than 100 percent but note that such "oversized" +# buckets are not refilled until their size goes down to max_bucket_size +# from client_delay_parameters. +# +# Example: +# client_delay_initial_bucket_level 50 +#Default: +# client_delay_initial_bucket_level 50 + +# TAG: client_delay_parameters +# +# This option configures client-side bandwidth limits using the +# following format: +# +# client_delay_parameters pool speed_limit max_bucket_size +# +# pool is an integer ID used for client_delay_access matching. +# +# speed_limit is bytes added to the bucket per second. +# +# max_bucket_size is the maximum size of a bucket, enforced after any +# speed_limit additions. +# +# Please see the delay_parameters option for more information and +# examples. +# +# Example: +# client_delay_parameters 1 1024 2048 +# client_delay_parameters 2 51200 16384 +# +# See also client_delay_access. +# +#Default: +# none + +# TAG: client_delay_access +# This option determines the client-side delay pool for the +# request: +# +# client_delay_access pool_ID allow|deny acl_name +# +# All client_delay_access options are checked in their pool ID +# order, starting with pool 1. The first checked pool with allowed +# request is selected for the request. If no ACL matches or there +# are no client_delay_access options, the request bandwidth is not +# limited. +# +# The ACL-selected pool is then used to find the +# client_delay_parameters for the request. Client-side pools are +# not used to aggregate clients. Clients are always aggregated +# based on their source IP addresses (one bucket per source IP). +# +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# Additionally, only the client TCP connection details are available. +# ACLs testing HTTP properties will not work. +# +# Please see delay_access for more examples. +# +# Example: +# client_delay_access 1 allow low_rate_network +# client_delay_access 2 allow vips_network +# +# +# See also client_delay_parameters and client_delay_pools. +#Default: +# Deny use of the pool, unless allow rules exist in squid.conf for the pool. + # WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS # ----------------------------------------------------------------------------- @@ -4040,7 +5969,7 @@ refresh_pattern . 0 20% 4320 # only one of the two may be used at the same time and defines # which version of WCCP to use. #Default: -# wccp_router any_addr +# WCCP disabled. # TAG: wccp2_router # Use this option to define your WCCP ``home'' router for @@ -4053,7 +5982,7 @@ refresh_pattern . 0 20% 4320 # only one of the two may be used at the same time and defines # which version of WCCP to use. #Default: -# none +# WCCPv2 disabled. # TAG: wccp_version # This directive is only relevant if you need to set up WCCP(v1) @@ -4110,7 +6039,7 @@ refresh_pattern . 0 20% 4320 # Valid values are as follows: # # hash - Hash assignment -# mask - Mask assignment +# mask - Mask assignment # # As a general rule, cisco routers support the hash assignment method # and cisco switches support the mask assignment method. @@ -4138,7 +6067,7 @@ refresh_pattern . 0 20% 4320 # # fleshed out with subsequent options. # wccp2_service standard 0 password=foo #Default: -# wccp2_service standard 0 +# Use the 'web-cache' standard service. # TAG: wccp2_service_info # Dynamic WCCPv2 services require further information to define the @@ -4175,8 +6104,12 @@ refresh_pattern . 0 20% 4320 # wccp2_weight 10000 # TAG: wccp_address +# Use this option if you require WCCPv2 to use a specific +# interface address. +# +# The default behavior is to not bind to any specific address. #Default: -# wccp_address 0.0.0.0 +# Address selected by the operating system. # TAG: wccp2_address # Use this option if you require WCCP to use a specific @@ -4184,7 +6117,7 @@ refresh_pattern . 0 20% 4320 # # The default behavior is to not bind to any specific address. #Default: -# wccp2_address 0.0.0.0 +# Address selected by the operating system. # PERSISTENT CONNECTION HANDLING # ----------------------------------------------------------------------------- @@ -4192,14 +6125,16 @@ refresh_pattern . 0 20% 4320 # Also see "pconn_timeout" in the TIMEOUTS section # TAG: client_persistent_connections +# Persistent connection support for clients. +# Squid uses persistent connections (when allowed). You can use +# this option to disable persistent connections with clients. #Default: # client_persistent_connections on # TAG: server_persistent_connections -# Persistent connection support for clients and servers. By -# default, Squid uses persistent connections (when allowed) -# with its clients and servers. You can use these options to -# disable persistent connections with clients and/or servers. +# Persistent connection support for servers. +# Squid uses persistent connections (when allowed). You can use +# this option to disable persistent connections with servers. #Default: # server_persistent_connections on @@ -4275,7 +6210,7 @@ refresh_pattern . 0 20% 4320 # Example: # snmp_port 3401 #Default: -# snmp_port 0 +# SNMP disabled. # TAG: snmp_access # Allowing or denying access to the SNMP port. @@ -4287,26 +6222,29 @@ refresh_pattern . 0 20% 4320 # # This clause only supports fast acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# #Example: # snmp_access allow snmppublic localhost # snmp_access deny all #Default: -# snmp_access deny all +# Deny, unless rules exist in squid.conf. # TAG: snmp_incoming_address -#Default: -# snmp_incoming_address any_addr - -# TAG: snmp_outgoing_address # Just like 'udp_incoming_address', but for the SNMP port. # # snmp_incoming_address is used for the SNMP socket receiving # messages from SNMP agents. -# snmp_outgoing_address is used for SNMP packets returned to SNMP -# agents. # # The default snmp_incoming_address is to listen on all # available network interfaces. +#Default: +# Accept SNMP packets from all machine interfaces. + +# TAG: snmp_outgoing_address +# Just like 'udp_outgoing_address', but for the SNMP port. +# +# snmp_outgoing_address is used for SNMP packets returned to SNMP +# agents. # # If snmp_outgoing_address is not set it will use the same socket # as snmp_incoming_address. Only change this if you want to have @@ -4314,9 +6252,9 @@ refresh_pattern . 0 20% 4320 # listens for SNMP queries. # # NOTE, snmp_incoming_address and snmp_outgoing_address can not have -# the same value since they both use port 3401. +# the same value since they both use the same port. #Default: -# snmp_outgoing_address no_addr +# Use snmp_incoming_address or an address selected by the operating system. # ICP OPTIONS # ----------------------------------------------------------------------------- @@ -4324,22 +6262,21 @@ refresh_pattern . 0 20% 4320 # TAG: icp_port # The port number where Squid sends and receives ICP queries to # and from neighbor caches. The standard UDP port for ICP is 3130. -# Default is disabled (0). # # Example: # icp_port 3130 #Default: -# icp_port 0 +# ICP disabled. # TAG: htcp_port # The port number where Squid sends and receives HTCP queries to # and from neighbor caches. To turn it on you want to set it to -# 4827. By default it is set to "0" (disabled). +# 4827. # # Example: # htcp_port 4827 #Default: -# htcp_port 0 +# HTCP disabled. # TAG: log_icp_queries on|off # If set, ICP queries are logged to access.log. You may wish @@ -4365,7 +6302,7 @@ refresh_pattern . 0 20% 4320 # NOTE, udp_incoming_address and udp_outgoing_address can not # have the same value since they both use the same port. #Default: -# udp_incoming_address any_addr +# Accept packets from all machine interfaces. # TAG: udp_outgoing_address # udp_outgoing_address is used for UDP packets sent out to other @@ -4386,7 +6323,7 @@ refresh_pattern . 0 20% 4320 # NOTE, udp_incoming_address and udp_outgoing_address can not # have the same value since they both use the same port. #Default: -# udp_outgoing_address no_addr +# Use udp_incoming_address or an address selected by the operating system. # TAG: icp_hit_stale on|off # If you want to return ICP_HIT for stale cache objects, set this @@ -4405,21 +6342,33 @@ refresh_pattern . 0 20% 4320 #Default: # minimum_direct_hops 4 -# TAG: minimum_direct_rtt +# TAG: minimum_direct_rtt (msec) # If using the ICMP pinging stuff, do direct fetches for sites # which are no more than this many rtt milliseconds away. #Default: # minimum_direct_rtt 400 # TAG: netdb_low +# The low water mark for the ICMP measurement database. +# +# Note: high watermark controlled by netdb_high directive. +# +# These watermarks are counts, not percents. The defaults are +# (low) 900 and (high) 1000. When the high water mark is +# reached, database entries will be deleted until the low +# mark is reached. #Default: # netdb_low 900 # TAG: netdb_high -# The low and high water marks for the ICMP measurement -# database. These are counts, not percents. The defaults are -# 900 and 1000. When the high water mark is reached, database -# entries will be deleted until the low mark is reached. +# The high water mark for the ICMP measurement database. +# +# Note: low watermark controlled by netdb_low directive. +# +# These watermarks are counts, not percents. The defaults are +# (low) 900 and (high) 1000. When the high water mark is +# reached, database entries will be deleted until the low +# mark is reached. #Default: # netdb_high 1000 @@ -4462,7 +6411,7 @@ refresh_pattern . 0 20% 4320 # # icp_query_timeout 2000 #Default: -# icp_query_timeout 0 +# Dynamic detection. # TAG: maximum_icp_query_timeout (msec) # Normally the ICP query timeout is determined dynamically. But @@ -4528,7 +6477,7 @@ refresh_pattern . 0 20% 4320 # Do not enable this option unless you are are absolutely # certain you understand what you are doing. #Default: -# mcast_miss_addr no_addr +# disabled. # TAG: mcast_miss_ttl # Note: This option is only available if Squid is rebuilt with the @@ -4618,7 +6567,7 @@ refresh_pattern . 0 20% 4320 # The squid developers working on translations are happy to supply drop-in # translated error files in exchange for any new language contributions. #Default: -# none +# Send error pages in the clients preferred language # TAG: error_default_language # Set the default language which squid will send error pages in @@ -4632,7 +6581,7 @@ refresh_pattern . 0 20% 4320 # translations for any language see the squid wiki for details. # http://wiki.squid-cache.org/Translations #Default: -# none +# Generate English language pages. # TAG: error_log_languages # Log to cache.log what languages users are attempting to @@ -4687,17 +6636,47 @@ refresh_pattern . 0 20% 4320 # the first authentication related acl encountered # - When none of the http_access lines matches. It's then the last # acl processed on the last http_access line. +# - When the decision to deny access was made by an adaptation service, +# the acl name is the corresponding eCAP or ICAP service_name. # # NP: If providing your own custom error pages with error_directory # you may also specify them by your custom file name: # Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys # -# Alternatively you can specify an error URL. The browsers will -# get redirected (302 or 307) to the specified URL. %s in the redirection -# URL will be replaced by the requested URL. +# By defaut Squid will send "403 Forbidden". A different 4xx or 5xx +# may be specified by prefixing the file name with the code and a colon. +# e.g. 404:ERR_CUSTOM_ACCESS_DENIED # # Alternatively you can tell Squid to reset the TCP connection # by specifying TCP_RESET. +# +# Or you can specify an error URL or URL pattern. The browsers will +# get redirected to the specified URL after formatting tags have +# been replaced. Redirect will be done with 302 or 307 according to +# HTTP/1.1 specs. A different 3xx code may be specified by prefixing +# the URL. e.g. 303:http://example.com/ +# +# URL FORMAT TAGS: +# %a - username (if available. Password NOT included) +# %B - FTP path URL +# %e - Error number +# %E - Error description +# %h - Squid hostname +# %H - Request domain name +# %i - Client IP Address +# %M - Request Method +# %o - Message result from external ACL helper +# %p - Request Port number +# %P - Request Protocol name +# %R - Request URL path +# %T - Timestamp in RFC 1123 format +# %U - Full canonical URL from client +# (HTTPS URLs terminate with *) +# %u - Full canonical URL from client +# %w - Admin email from squid.conf +# %x - Error name +# %% - Literal percent (%) code +# #Default: # none @@ -4706,18 +6685,18 @@ refresh_pattern . 0 20% 4320 # TAG: nonhierarchical_direct # By default, Squid will send any non-hierarchical requests -# (matching hierarchy_stoplist or not cacheable request type) direct -# to origin servers. +# (not cacheable request type) direct to origin servers. # -# If you set this to off, Squid will prefer to send these +# When this is set to "off", Squid will prefer to send these # requests to parents. # # Note that in most configurations, by turning this off you will only # add latency to these request without any improvement in global hit # ratio. # -# If you are inside an firewall see never_direct instead of -# this directive. +# This option only sets a preference. If the parent is unavailable a +# direct connection to the origin server may still be attempted. To +# completely prevent direct connections use never_direct. #Default: # nonhierarchical_direct on @@ -4736,6 +6715,29 @@ refresh_pattern . 0 20% 4320 #Default: # prefer_direct off +# TAG: cache_miss_revalidate on|off +# RFC 7232 defines a conditional request mechanism to prevent +# response objects being unnecessarily transferred over the network. +# If that mechanism is used by the client and a cache MISS occurs +# it can prevent new cache entries being created. +# +# This option determines whether Squid on cache MISS will pass the +# client revalidation request to the server or tries to fetch new +# content for caching. It can be useful while the cache is mostly +# empty to more quickly have the cache populated by generating +# non-conditional GETs. +# +# When set to 'on' (default), Squid will pass all client If-* headers +# to the server. This permits server responses without a cacheable +# payload to be delivered and on MISS no new cache entry is created. +# +# When set to 'off' and if the request is cacheable, Squid will +# remove the clients If-Modified-Since and If-None-Match headers from +# the request sent to the server. This requests a 200 status response +# from the server to create a new cache entry with. +#Default: +# cache_miss_revalidate on + # TAG: always_direct # Usage: always_direct allow|deny [!]aclname ... # @@ -4776,7 +6778,7 @@ refresh_pattern . 0 20% 4320 # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Prevent any cache_peer being used for this request. # TAG: never_direct # Usage: never_direct allow|deny [!]aclname ... @@ -4805,37 +6807,52 @@ refresh_pattern . 0 20% 4320 # This clause supports both fast and slow acl types. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. #Default: -# none +# Allow DNS results to be used for this request. # ADVANCED NETWORKING OPTIONS # ----------------------------------------------------------------------------- -# TAG: incoming_icp_average +# TAG: incoming_udp_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: -# incoming_icp_average 6 +# incoming_udp_average 6 -# TAG: incoming_http_average +# TAG: incoming_tcp_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: -# incoming_http_average 4 +# incoming_tcp_average 4 # TAG: incoming_dns_average +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: # incoming_dns_average 4 -# TAG: min_icp_poll_cnt +# TAG: min_udp_poll_cnt +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: -# min_icp_poll_cnt 8 +# min_udp_poll_cnt 8 # TAG: min_dns_poll_cnt +# Heavy voodoo here. I can't even believe you are reading this. +# Are you crazy? Don't even think about adjusting these unless +# you understand the algorithms in comm_select.c first! #Default: # min_dns_poll_cnt 8 -# TAG: min_http_poll_cnt +# TAG: min_tcp_poll_cnt # Heavy voodoo here. I can't even believe you are reading this. # Are you crazy? Don't even think about adjusting these unless # you understand the algorithms in comm_select.c first! #Default: -# min_http_poll_cnt 8 +# min_tcp_poll_cnt 8 # TAG: accept_filter # FreeBSD: @@ -4880,14 +6897,14 @@ refresh_pattern . 0 20% 4320 # WARNING: This may noticably slow down traffic received via external proxies # or NAT devices and cause them to rebound error messages back to their clients. #Default: -# client_ip_max_connections -1 +# No limit. # TAG: tcp_recv_bufsize (bytes) # Size of receive buffer to set for TCP sockets. Probably just -# as easy to change your kernel's default. Set to zero to use -# the default buffer size. +# as easy to change your kernel's default. +# Omit from squid.conf to use the default buffer size. #Default: -# tcp_recv_bufsize 0 bytes +# Use operating system TCP defaults. # ICAP OPTIONS # ----------------------------------------------------------------------------- @@ -4913,22 +6930,36 @@ refresh_pattern . 0 20% 4320 # an established, active ICAP connection before giving up and # either terminating the HTTP transaction or bypassing the # failure. -# -# The default is read_timeout. #Default: -# none +# Use read_timeout. -# TAG: icap_service_failure_limit +# TAG: icap_service_failure_limit limit [in memory-depth time-units] # The limit specifies the number of failures that Squid tolerates # when establishing a new TCP connection with an ICAP service. If # the number of failures exceeds the limit, the ICAP service is # not used for new ICAP requests until it is time to refresh its -# OPTIONS. The per-service failure counter is reset to zero each -# time Squid fetches new service OPTIONS. +# OPTIONS. # # A negative value disables the limit. Without the limit, an ICAP # service will not be considered down due to connectivity failures # between ICAP OPTIONS requests. +# +# Squid forgets ICAP service failures older than the specified +# value of memory-depth. The memory fading algorithm +# is approximate because Squid does not remember individual +# errors but groups them instead, splitting the option +# value into ten time slots of equal length. +# +# When memory-depth is 0 and by default this option has no +# effect on service failure expiration. +# +# Squid always forgets failures when updating service settings +# using an ICAP OPTIONS transaction, regardless of this option +# setting. +# +# For example, +# # suspend service usage after 10 failures in 5 seconds: +# icap_service_failure_limit 10 in 5 seconds #Default: # icap_service_failure_limit 10 @@ -4962,10 +6993,26 @@ refresh_pattern . 0 20% 4320 # TAG: icap_preview_size # The default size of preview data to be sent to the ICAP server. -# -1 means no preview. This value might be overwritten on a per server -# basis by OPTIONS requests. +# This value might be overwritten on a per server basis by OPTIONS requests. +#Default: +# No preview sent. + +# TAG: icap_206_enable on|off +# 206 (Partial Content) responses is an ICAP extension that allows the +# ICAP agents to optionally combine adapted and original HTTP message +# content. The decision to combine is postponed until the end of the +# ICAP response. Squid supports Partial Content extension by default. +# +# Activation of the Partial Content extension is negotiated with each +# ICAP service during OPTIONS exchange. Most ICAP servers should handle +# negotation correctly even if they do not support the extension, but +# some might fail. To disable Partial Content support for all ICAP +# services and to avoid any negotiation, set this option to "off". +# +# Example: +# icap_206_enable off #Default: -# icap_preview_size -1 +# icap_206_enable on # TAG: icap_default_options_ttl # The default TTL value for ICAP OPTIONS responses that don't have @@ -4979,25 +7026,27 @@ refresh_pattern . 0 20% 4320 #Default: # icap_persistent_connections on -# TAG: icap_send_client_ip on|off +# TAG: adaptation_send_client_ip on|off # If enabled, Squid shares HTTP client IP information with adaptation # services. For ICAP, Squid adds the X-Client-IP header to ICAP requests. # For eCAP, Squid sets the libecap::metaClientIp transaction option. # # See also: adaptation_uses_indirect_client #Default: -# icap_send_client_ip off +# adaptation_send_client_ip off -# TAG: icap_send_client_username on|off +# TAG: adaptation_send_username on|off # This sends authenticated HTTP client username (if available) to -# the ICAP service. The username value is encoded based on the +# the adaptation service. +# +# For ICAP, the username value is encoded based on the # icap_client_username_encode option and is sent using the header # specified by the icap_client_username_header option. #Default: -# icap_send_client_username off +# adaptation_send_username off # TAG: icap_client_username_header -# ICAP request header name to use for send_client_username. +# ICAP request header name to use for adaptation_send_username. #Default: # icap_client_username_header X-Client-Username @@ -5009,17 +7058,19 @@ refresh_pattern . 0 20% 4320 # TAG: icap_service # Defines a single ICAP service using the following format: # -# icap_service service_name vectoring_point [options] service_url +# icap_service id vectoring_point uri [option ...] # -# service_name: ID -# an opaque identifier which must be unique in squid.conf +# id: ID +# an opaque identifier or name which is used to direct traffic to +# this specific service. Must be unique among all adaptation +# services in squid.conf. # # vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache # This specifies at which point of transaction processing the # ICAP service should be activated. *_postcache vectoring points # are not yet supported. # -# service_url: icap://servername:port/servicepath +# uri: icap://servername:port/servicepath # ICAP server and service location. # # ICAP does not allow a single service to handle both REQMOD and RESPMOD @@ -5028,6 +7079,8 @@ refresh_pattern . 0 20% 4320 # can even specify multiple identical services as long as their # service_names differ. # +# To activate a service, use the adaptation_access directive. To group +# services, use adaptation_service_chain and adaptation_service_set. # # Service options are separated by white space. ICAP services support # the following name=value options: @@ -5049,11 +7102,12 @@ refresh_pattern . 0 20% 4320 # returning a chain of services to be used next. The services # are specified using the X-Next-Services ICAP response header # value, formatted as a comma-separated list of service names. -# Each named service should be configured in squid.conf and -# should have the same method and vectoring point as the current -# ICAP transaction. Services violating these rules are ignored. -# An empty X-Next-Services value results in an empty plan which -# ends the current adaptation. +# Each named service should be configured in squid.conf. Other +# services are ignored. An empty X-Next-Services value results +# in an empty plan which ends the current adaptation. +# +# Dynamic adaptation plan may cross or cover multiple supported +# vectoring points in their natural processing order. # # Routing is not allowed by default: the ICAP X-Next-Services # response header is ignored. @@ -5063,12 +7117,32 @@ refresh_pattern . 0 20% 4320 # is to use IPv4-only connections. When set to 'on' this option will # make Squid use IPv6-only connections to contact this ICAP service. # +# on-overload=block|bypass|wait|force +# If the service Max-Connections limit has been reached, do +# one of the following for each new ICAP transaction: +# * block: send an HTTP error response to the client +# * bypass: ignore the "over-connected" ICAP service +# * wait: wait (in a FIFO queue) for an ICAP connection slot +# * force: proceed, ignoring the Max-Connections limit +# +# In SMP mode with N workers, each worker assumes the service +# connection limit is Max-Connections/N, even though not all +# workers may use a given service. +# +# The default value is "bypass" if service is bypassable, +# otherwise it is set to "wait". +# +# +# max-conn=number +# Use the given number as the Max-Connections limit, regardless +# of the Max-Connections value given by the service, if any. +# # Older icap_service format without optional named parameters is # deprecated but supported for backward compatibility. # #Example: -#icap_service svcBlocker reqmod_precache bypass=0 icap://icap1.mydomain.net:1344/reqmod -#icap_service svcLogger reqmod_precache routing=on icap://icap2.mydomain.net:1344/respmod +#icap_service svcBlocker reqmod_precache icap://icap1.mydomain.net:1344/reqmod bypass=0 +#icap_service svcLogger reqmod_precache icap://icap2.mydomain.net:1344/respmod routing=on #Default: # none @@ -5094,38 +7168,65 @@ refresh_pattern . 0 20% 4320 # ----------------------------------------------------------------------------- # TAG: ecap_enable on|off -# Note: This option is only available if Squid is rebuilt with the -# --enable-ecap option -# # Controls whether eCAP support is enabled. #Default: # ecap_enable off # TAG: ecap_service -# Note: This option is only available if Squid is rebuilt with the -# --enable-ecap option -# # Defines a single eCAP service # -# ecap_service servicename vectoring_point bypass service_url +# ecap_service id vectoring_point uri [option ...] # -# vectoring_point = reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache +# id: ID +# an opaque identifier or name which is used to direct traffic to +# this specific service. Must be unique among all adaptation +# services in squid.conf. +# +# vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache # This specifies at which point of transaction processing the # eCAP service should be activated. *_postcache vectoring points # are not yet supported. -# bypass = 1|0 -# If set to 1, the eCAP service is treated as optional. If the -# service cannot be reached or malfunctions, Squid will try to -# ignore any errors and process the message as if the service +# +# uri: ecap://vendor/service_name?custom&cgi=style¶meters=optional +# Squid uses the eCAP service URI to match this configuration +# line with one of the dynamically loaded services. Each loaded +# eCAP service must have a unique URI. Obtain the right URI from +# the service provider. +# +# To activate a service, use the adaptation_access directive. To group +# services, use adaptation_service_chain and adaptation_service_set. +# +# Service options are separated by white space. eCAP services support +# the following name=value options: +# +# bypass=on|off|1|0 +# If set to 'on' or '1', the eCAP service is treated as optional. +# If the service cannot be reached or malfunctions, Squid will try +# to ignore any errors and process the message as if the service # was not enabled. No all eCAP errors can be bypassed. -# If set to 0, the eCAP service is treated as essential and all -# eCAP errors will result in an error page returned to the +# If set to 'off' or '0', the eCAP service is treated as essential +# and all eCAP errors will result in an error page returned to the # HTTP client. -# service_url = ecap://vendor/service_name?custom&cgi=style¶meters=optional +# +# Bypass is off by default: services are treated as essential. +# +# routing=on|off|1|0 +# If set to 'on' or '1', the eCAP service is allowed to +# dynamically change the current message adaptation plan by +# returning a chain of services to be used next. +# +# Dynamic adaptation plan may cross or cover multiple supported +# vectoring points in their natural processing order. +# +# Routing is not allowed by default. +# +# Older ecap_service format without optional named parameters is +# deprecated but supported for backward compatibility. +# # #Example: -#ecap_service service_1 reqmod_precache 0 ecap://filters-R-us/leakDetector?on_error=block -#ecap_service service_2 respmod_precache 1 icap://filters-R-us/virusFilter?config=/etc/vf.cfg +#ecap_service s1 reqmod_precache ecap://filters.R.us/leakDetector?on_error=block bypass=off +#ecap_service s2 respmod_precache ecap://filters.R.us/virusFilter config=/etc/vf.cfg bypass=on #Default: # none @@ -5247,7 +7348,7 @@ refresh_pattern . 0 20% 4320 #Example: #adaptation_access service_1 allow all #Default: -# none +# Allow, unless rules exist in squid.conf. # TAG: adaptation_service_iteration_limit # Limits the number of iterations allowed when applying adaptation @@ -5275,8 +7376,14 @@ refresh_pattern . 0 20% 4320 # # An ICAP REQMOD or RESPMOD transaction may set an entry in the # shared table by returning an ICAP header field with a name -# specified in adaptation_masterx_shared_names. Squid will store -# and forward that ICAP header field to subsequent ICAP +# specified in adaptation_masterx_shared_names. +# +# An eCAP REQMOD or RESPMOD transaction may set an entry in the +# shared table by implementing the libecap::visitEachOption() API +# to provide an option with a name specified in +# adaptation_masterx_shared_names. +# +# Squid will store and forward the set entry to subsequent adaptation # transactions within the same master transaction scope. # # Only one shared entry name is supported at this time. @@ -5287,6 +7394,43 @@ refresh_pattern . 0 20% 4320 #Default: # none +# TAG: adaptation_meta +# This option allows Squid administrator to add custom ICAP request +# headers or eCAP options to Squid ICAP requests or eCAP transactions. +# Use it to pass custom authentication tokens and other +# transaction-state related meta information to an ICAP/eCAP service. +# +# The addition of a meta header is ACL-driven: +# adaptation_meta name value [!]aclname ... +# +# Processing for a given header name stops after the first ACL list match. +# Thus, it is impossible to add two headers with the same name. If no ACL +# lists match for a given header name, no such header is added. For +# example: +# +# # do not debug transactions except for those that need debugging +# adaptation_meta X-Debug 1 needs_debugging +# +# # log all transactions except for those that must remain secret +# adaptation_meta X-Log 1 !keep_secret +# +# # mark transactions from users in the "G 1" group +# adaptation_meta X-Authenticated-Groups "G 1" authed_as_G1 +# +# The "value" parameter may be a regular squid.conf token or a "double +# quoted string". Within the quoted string, use backslash (\) to escape +# any character, which is currently only useful for escaping backslashes +# and double quotes. For example, +# "this string has one backslash (\\) and two \"quotes\"" +# +# Used adaptation_meta header values may be logged via %note +# logformat code. If multiple adaptation_meta headers with the same name +# are used during master transaction lifetime, the header values are +# logged in the order they were used and duplicate values are ignored +# (only the first repeated value will be logged). +#Default: +# none + # TAG: icap_retry # This ACL determines which retriable ICAP transactions are # retried. Transactions that received a complete ICAP response @@ -5303,8 +7447,7 @@ refresh_pattern . 0 20% 4320 # icap_retry deny all # TAG: icap_retry_limit -# Limits the number of retries allowed. When set to zero (default), -# no retries are allowed. +# Limits the number of retries allowed. # # Communication errors due to persistent connection race # conditions are unavoidable, automatically retried, and do not @@ -5312,7 +7455,7 @@ refresh_pattern . 0 20% 4320 # # See also: icap_retry #Default: -# icap_retry_limit 0 +# No retries are allowed. # DNS OPTIONS # ----------------------------------------------------------------------------- @@ -5332,31 +7475,9 @@ refresh_pattern . 0 20% 4320 #Default: # allow_underscore on -# TAG: cache_dns_program -# Note: This option is only available if Squid is rebuilt with the -# --disable-internal-dns option -# -# Specify the location of the executable for dnslookup process. -#Default: -# cache_dns_program /usr/lib/squid/dnsserver - -# TAG: dns_children -# Note: This option is only available if Squid is rebuilt with the -# --disable-internal-dns option -# -# The number of processes spawn to service DNS name lookups. -# For heavily loaded caches on large servers, you should -# probably increase this value to at least 10. The maximum -# is 32. The default is 5. -# -# You must have at least one dnsserver process. -#Default: -# dns_children 5 - # TAG: dns_retransmit_interval # Initial retransmit interval for DNS queries. The interval is # doubled each time all configured DNS servers have been tried. -# #Default: # dns_retransmit_interval 5 seconds @@ -5365,7 +7486,31 @@ refresh_pattern . 0 20% 4320 # within this time all DNS servers for the queried domain # are assumed to be unavailable. #Default: -# dns_timeout 2 minutes +# dns_timeout 30 seconds + +# TAG: dns_packet_max +# Maximum number of bytes packet size to advertise via EDNS. +# Set to "none" to disable EDNS large packet support. +# +# For legacy reasons DNS UDP replies will default to 512 bytes which +# is too small for many responses. EDNS provides a means for Squid to +# negotiate receiving larger responses back immediately without having +# to failover with repeat requests. Responses larger than this limit +# will retain the old behaviour of failover to TCP DNS. +# +# Squid has no real fixed limit internally, but allowing packet sizes +# over 1500 bytes requires network jumbogram support and is usually not +# necessary. +# +# WARNING: The RFC also indicates that some older resolvers will reply +# with failure of the whole request if the extension is added. Some +# resolvers have already been identified which will reply with mangled +# EDNS response on occasion. Usually in response to many-KB jumbogram +# sizes being advertised by Squid. +# Squid will currently treat these both as an unable-to-resolve domain +# even if it would be resolvable without EDNS. +#Default: +# EDNS disabled # TAG: dns_defnames on|off # Normally the RES_DEFNAMES resolver option is disabled @@ -5373,12 +7518,21 @@ refresh_pattern . 0 20% 4320 # from interpreting single-component hostnames locally. To allow # Squid to handle single-component names, enable this option. #Default: -# dns_defnames off +# Search for single-label domain names is disabled. + +# TAG: dns_multicast_local on|off +# When set to on, Squid sends multicast DNS lookups on the local +# network for domains ending in .local and .arpa. +# This enables local servers and devices to be contacted in an +# ad-hoc or zero-configuration network environment. +#Default: +# Search for .local and .arpa names is disabled. # TAG: dns_nameservers # Use this if you want to specify a list of DNS name servers # (IP addresses) to use instead of those given in your # /etc/resolv.conf file. +# # On Windows platforms, if no value is specified here or in # the /etc/resolv.conf file, the list of DNS name servers are # taken from the Windows registry, both static and dynamic DHCP @@ -5386,7 +7540,7 @@ refresh_pattern . 0 20% 4320 # # Example: dns_nameservers 10.0.0.1 192.172.0.4 #Default: -# none +# Use operating system definitions # TAG: hosts_file # Location of the host-local IP name-address associations @@ -5425,7 +7579,7 @@ refresh_pattern . 0 20% 4320 #Example: # append_domain .yourdomain.com #Default: -# none +# Use operating system definitions # TAG: ignore_unknown_nameservers # By default Squid checks that DNS responses are received @@ -5436,23 +7590,6 @@ refresh_pattern . 0 20% 4320 #Default: # ignore_unknown_nameservers on -# TAG: dns_v4_fallback -# Standard practice with DNS is to lookup either A or AAAA records -# and use the results if it succeeds. Only looking up the other if -# the first attempt fails or otherwise produces no results. -# -# That policy however will cause squid to produce error pages for some -# servers that advertise AAAA but are unreachable over IPv6. -# -# If this is ON squid will always lookup both AAAA and A, using both. -# If this is OFF squid will lookup AAAA and only try A if none found. -# -# WARNING: There are some possibly unwanted side-effects with this on: -# *) Doubles the load placed by squid on the DNS network. -# *) May negatively impact connection delay times. -#Default: -# dns_v4_fallback on - # TAG: dns_v4_first # With the IPv6 Internet being as fast or faster than IPv4 Internet # for most networks Squid prefers to contact websites over IPv6. @@ -5464,11 +7601,12 @@ refresh_pattern . 0 20% 4320 # WARNING: # This option will restrict the situations under which IPv6 # connectivity is used (and tested), potentially hiding network -# problem swhich would otherwise be detected and warned about. +# problems which would otherwise be detected and warned about. #Default: # dns_v4_first off # TAG: ipcache_size (number of entries) +# Maximum number of DNS IP cache entries. #Default: # ipcache_size 1024 @@ -5489,6 +7627,15 @@ refresh_pattern . 0 20% 4320 # MISCELLANEOUS # ----------------------------------------------------------------------------- +# TAG: configuration_includes_quoted_values on|off +# If set, Squid will recognize each "quoted string" after a configuration +# directive as a single parameter. The quotes are stripped before the +# parameter value is interpreted or used. +# See "Values with spaces, quotes, and other special characters" +# section for more details. +#Default: +# configuration_includes_quoted_values off + # TAG: memory_pools on|off # If set, Squid will keep pools of allocated (but unused) memory # available for future use. If memory is a premium on your @@ -5539,7 +7686,7 @@ refresh_pattern . 0 20% 4320 # X-Forwarded-For header. # # If set to "truncate", Squid will remove all existing -# X-Forwarded-For entries, and place itself as the sole entry. +# X-Forwarded-For entries, and place the client IP as the sole entry. #Default: # forwarded_for on @@ -5602,7 +7749,7 @@ refresh_pattern . 0 20% 4320 # cachemgr_passwd lesssssssecret info stats/objects # cachemgr_passwd disable all #Default: -# none +# No password. Actions which require password are denied. # TAG: client_db on|off # If you want to disable collecting per-client statistics, @@ -5633,19 +7780,22 @@ refresh_pattern . 0 20% 4320 #Default: # reload_into_ims off -# TAG: maximum_single_addr_tries -# This sets the maximum number of connection attempts for a -# host that only has one address (for multiple-address hosts, -# each address is tried once). +# TAG: connect_retries +# This sets the maximum number of connection attempts made for each +# TCP connection. The connect_retries attempts must all still +# complete within the connection timeout period. +# +# The default is not to re-try if the first connection attempt fails. +# The (not recommended) maximum is 10 tries. # -# The default value is one attempt, the (not recommended) -# maximum is 255 tries. A warning message will be generated -# if it is set to a value greater than ten. +# A warning message will be generated if it is set to a too-high +# value and the configured value will be over-ridden. # -# Note: This is in addition to the request re-forwarding which -# takes place if Squid fails to get a satisfying response. +# Note: These re-tries are in addition to forward_max_tries +# which limit how many different addresses may be tried to find +# a useful server. #Default: -# maximum_single_addr_tries 1 +# Do not retry failed connections. # TAG: retry_on_error # If set to ON Squid will automatically retry requests when @@ -5678,20 +7828,32 @@ refresh_pattern . 0 20% 4320 # URI. Options: # # strip: The whitespace characters are stripped out of the URL. -# This is the behavior recommended by RFC2396. +# This is the behavior recommended by RFC2396 and RFC3986 +# for tolerant handling of generic URI. +# NOTE: This is one difference between generic URI and HTTP URLs. +# # deny: The request is denied. The user receives an "Invalid # Request" message. +# This is the behaviour recommended by RFC2616 for safe +# handling of HTTP request URL. +# # allow: The request is allowed and the URI is not changed. The # whitespace characters remain in the URI. Note the # whitespace is passed to redirector processes if they # are in use. +# Note this may be considered a violation of RFC2616 +# request parsing where whitespace is prohibited in the +# URL field. +# # encode: The request is allowed and the whitespace characters are -# encoded according to RFC1738. This could be considered -# a violation of the HTTP/1.1 -# RFC because proxies are not allowed to rewrite URI's. +# encoded according to RFC1738. +# # chop: The request is allowed and the URI is chopped at the -# first whitespace. This might also be considered a -# violation. +# first whitespace. +# +# +# NOTE the current Squid implementation of encode and chop violates +# RFC2616 by not using a 301 redirect after altering the URL. #Default: # uri_whitespace strip @@ -5718,23 +7880,28 @@ refresh_pattern . 0 20% 4320 # balance_on_multiple_ip off # TAG: pipeline_prefetch -# To boost the performance of pipelined requests to closer -# match that of a non-proxied environment Squid can try to fetch -# up to two requests in parallel from a pipeline. -# -# Defaults to off for bandwidth management and access logging +# HTTP clients may send a pipeline of 1+N requests to Squid using a +# single connection, without waiting for Squid to respond to the first +# of those requests. This option limits the number of concurrent +# requests Squid will try to handle in parallel. If set to N, Squid +# will try to receive and process up to 1+N requests on the same +# connection concurrently. +# +# Defaults to 0 (off) for bandwidth management and access logging # reasons. # +# NOTE: pipelining requires persistent connections to clients. +# # WARNING: pipelining breaks NTLM and Negotiate/Kerberos authentication. #Default: -# pipeline_prefetch off +# Do not pre-parse pipelined requests. # TAG: high_response_time_warning (msec) # If the one-minute median response time exceeds this value, # Squid prints a WARNING with debug level 0 to get the # administrators attention. The value is in milliseconds. #Default: -# high_response_time_warning 0 +# disabled. # TAG: high_page_fault_warning # If the one-minute average page fault rate exceeds this @@ -5742,14 +7909,17 @@ refresh_pattern . 0 20% 4320 # the administrators attention. The value is in page faults # per second. #Default: -# high_page_fault_warning 0 +# disabled. # TAG: high_memory_warning -# If the memory usage (as determined by mallinfo) exceeds -# this amount, Squid prints a WARNING with debug level 0 to get +# Note: This option is only available if Squid is rebuilt with the +# GNU Malloc with mstats() +# +# If the memory usage (as determined by gnumalloc, if available and used) +# exceeds this amount, Squid prints a WARNING with debug level 0 to get # the administrators attention. #Default: -# high_memory_warning 0 KB +# disabled. # TAG: sleep_after_fork (microseconds) # When this is set to a non-zero value, the main Squid process @@ -5766,6 +7936,9 @@ refresh_pattern . 0 20% 4320 # sleep_after_fork 0 # TAG: windows_ipaddrchangemonitor on|off +# Note: This option is only available if Squid is rebuilt with the +# MS Windows +# # On Windows Squid by default will monitor IP address changes and will # reconfigure itself after any detected event. This is very useful for # proxies connected to internet with dial-up interfaces. @@ -5775,13 +7948,19 @@ refresh_pattern . 0 20% 4320 #Default: # windows_ipaddrchangemonitor on +# TAG: eui_lookup +# Whether to lookup the EUI or MAC address of a connected client. +#Default: +# eui_lookup on + # TAG: max_filedescriptors -# The maximum number of filedescriptors supported. +# Reduce the maximum number of filedescriptors supported below +# the usual operating system defaults. # -# The default "0" means Squid inherits the current ulimit setting. +# Remove from squid.conf to inherit the current ulimit setting. # # Note: Changing this requires a restart of Squid. Also -# not all comm loops supports large values. +# not all I/O types supports large values (eg on Windows). #Default: -# max_filedescriptors 0 +# Use operating system limits set by ulimit. -- cgit v1.2.3-54-g00ecf