# TAG: cache_dir
# Format:
# cache_dir Type Directory-Name Fs-specific-data [options]
#
# You can specify multiple cache_dir lines to spread the
# cache among different disk partitions.
#
# Type specifies the kind of storage system to use. Only "ufs"
# is built by default. To enable any of the other storage systems
# see the --enable-storeio configure option.
#
# ‘Directory’ is a top-level directory where cache swap
# files will be stored. If you want to use an entire disk
# for caching, this can be the mount-point directory.
# The directory must exist and be writable by the Squid
# process. Squid will NOT create this directory for you.
#
# In SMP configurations, cache_dir must not precede the workers option
# and should use configuration macros or conditionals to give each
# worker interested in disk caching a dedicated cache directory.
#
#
# ==== The ufs store type ====
#
# "ufs" is the old well-known Squid storage format that has always
# been there.
#
# Usage:
# cache_dir ufs Directory-Name Mbytes L1 L2 [options]
#
# ‘Mbytes’ is the amount of disk space (MB) to use under this
# directory. The default is 100 MB. Change this to suit your
# configuration. Do NOT put the size of your disk drive here.
# Instead, if you want Squid to use the entire disk drive,
# subtract 20% and use that value.
#
# ‘L1’ is the number of first-level subdirectories which
# will be created under the ‘Directory’. The default is 16.
#
# ‘L2’ is the number of second-level subdirectories which
# will be created under each first-level directory. The default
# is 256.
#
#
# ==== The aufs store type ====
#
# "aufs" uses the same storage format as "ufs", utilizing
# POSIX-threads to avoid blocking the main Squid process on
# disk-I/O. This was formerly known in Squid as async-io.
#
# Usage:
# cache_dir aufs Directory-Name Mbytes L1 L2 [options]
#
# see argument descriptions under ufs above
#
#
# ==== The diskd store type ====
#
# "diskd" uses the same storage format as "ufs", utilizing a
# separate process to avoid blocking the main Squid process on
# disk-I/O.
#
# Usage:
# cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n]
#
# see argument descriptions under ufs above
#
# Q1 specifies the number of unacknowledged I/O requests when Squid
# stops opening new files. If this many messages are in the queues,
# Squid won’t open new files. Default is 64
#
# Q2 specifies the number of unacknowledged messages when Squid
# starts blocking. If this many messages are in the queues,
# Squid blocks until it receives some replies. Default is 72
#
# When Q1 < Q2 (the default), the cache directory is optimized
# for lower response time at the expense of a decrease in hit
# ratio. If Q1 > Q2, the cache directory is optimized for
# higher hit ratio at the expense of an increase in response
# time.
#
#
# ==== The rock store type ====
#
# Usage:
# cache_dir rock Directory-Name Mbytes [options]
#
# The Rock Store type is a database-style storage. All cached
# entries are stored in a "database" file, using fixed-size slots.
# A single entry occupies one or more slots.
#
# If possible, Squid using Rock Store creates a dedicated kid
# process called "disker" to avoid blocking Squid worker(s) on disk
# I/O. One disker kid is created for each rock cache_dir. Diskers
# are created only when Squid, running in daemon mode, has support
# for the IpcIo disk I/O module.
#
# swap-timeout=msec: Squid will not start writing a miss to or
# reading a hit from disk if it estimates that the swap operation
# will take more than the specified number of milliseconds. By
# default and when set to zero, disables the disk I/O time limit
# enforcement. Ignored when using blocking I/O module because
# blocking synchronous I/O does not allow Squid to estimate the
# expected swap wait time.
#
# max-swap-rate=swaps/sec: Artificially limits disk access using
# the specified I/O rate limit. Swap out requests that
# would cause the average I/O rate to exceed the limit are
# delayed. Individual swap in requests (i.e., hits or reads) are
# not delayed, but they do contribute to measured swap rate and
# since they are placed in the same FIFO queue as swap out
# requests, they may wait longer if max-swap-rate is smaller.
# This is necessary on file systems that buffer "too
# many" writes and then start blocking Squid and other processes
# while committing those writes to disk. Usually used together
# with swap-timeout to avoid excessive delays and queue overflows
# when disk demand exceeds available disk "bandwidth". By default
# and when set to zero, disables the disk I/O rate limit
# enforcement. Currently supported by IpcIo module only.
#
# slot-size=bytes: The size of a database "record" used for
# storing cached responses. A cached response occupies at least
# one slot and all database I/O is done using individual slots so
# increasing this parameter leads to more disk space waste while
# decreasing it leads to more disk I/O overheads. Should be a
# multiple of your operating system I/O page size. Defaults to
# 16KBytes. A housekeeping header is stored with each slot and
# smaller slot-sizes will be rejected. The header is smaller than
# 100 bytes.
#
#
# ==== COMMON OPTIONS ====
#
# no-store no new objects should be stored to this cache_dir.
#
# min-size=n the minimum object size in bytes this cache_dir
# will accept. It’s used to restrict a cache_dir
# to only store large objects (e.g. AUFS) while
# other stores are optimized for smaller objects
# (e.g. Rock).
# Defaults to 0.
#
# max-size=n the maximum object size in bytes this cache_dir
# supports.
# The value in maximum_object_size directive sets
# the default unless more specific details are
# available (ie a small store capacity).
#
# Note: To make optimal use of the max-size limits you should order
# the cache_dir lines with the smallest max-size value first.
#
#Default:
# No disk cache. Store cache objects only in memory.
#
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256
# TAG: store_dir_select_algorithm
# How Squid selects which cache_dir to use when the response
# object will fit into more than one.
#
# Regardless of which algorithm is used the cache_dir min-size
# and max-size parameters are obeyed. As such they can affect
# the selection algorithm by limiting the set of considered
# cache_dir.
#
# Algorithms:
#
# least-load
#
# This algorithm is suited to caches with similar cache_dir
# sizes and disk speeds.
#
# The disk with the least I/O pending is selected.
# When there are multiple disks with the same I/O load ranking
# the cache_dir with most available capacity is selected.
#
# When a mix of cache_dir sizes are configured the faster disks
# have a naturally lower I/O loading and larger disks have more
# capacity. So space used to store objects and data throughput
# may be very unbalanced towards larger disks.
#
#
# round-robin
#
# This algorithm is suited to caches with unequal cache_dir
# disk sizes.
#
# Each cache_dir is selected in a rotation. The next suitable
# cache_dir is used.
#
# Available cache_dir capacity is only considered in relation
# to whether the object will fit and meets the min-size and
# max-size parameters.
#
# Disk I/O loading is only considered to prevent overload on slow
# disks. This algorithm does not spread objects by size, so any
# I/O loading per-disk may appear very unbalanced and volatile.
#
# If several cache_dirs use similar min-size, max-size, or other
# limits to reject certain responses, then do not group such
# cache_dir lines together, to avoid round-robin selection bias
# towards the first cache_dir after the group. Instead, interleave
# cache_dir lines from different groups. For example:
#
# store_dir_select_algorithm round-robin
# cache_dir rock /hdd1 … min-size=100000
# cache_dir rock /ssd1 … max-size=99999
# cache_dir rock /hdd2 … min-size=100000
# cache_dir rock /ssd2 … max-size=99999
# cache_dir rock /hdd3 … min-size=100000
# cache_dir rock /ssd3 … max-size=99999
cache_dir ufs /var/spool/squid 100 16 256
#Default:
# store_dir_select_algorithm least-load
# TAG: max_open_disk_fds
# To avoid having disk as the I/O bottleneck Squid can optionally
# bypass the on-disk cache if more than this amount of disk file
# descriptors are open.
#
# A value of 0 indicates no limit.
#Default:
# no limit
# TAG: cache_swap_low (percent, 0-100)
# The low-water mark for AUFS/UFS/diskd cache object eviction by
# the cache_replacement_policy algorithm.
#
# Removal begins when the swap (disk) usage of a cache_dir is
# above this low-water mark and attempts to maintain utilization
# near the low-water mark.
#
# As swap utilization increases towards the high-water mark set
# by cache_swap_high object eviction becomes more aggressive.
#
# The value difference in percentages between low- and high-water
# marks represent an eviction rate of 300 objects per second and
# the rate continues to scale in aggressiveness by multiples of
# this above the high-water mark.
#
# Defaults are 90% and 95%. If you have a large cache, 5% could be
# hundreds of MB. If this is the case you may wish to set these
# numbers closer together.
#
# See also cache_swap_high and cache_replacement_policy
#Default:
# cache_swap_low 90
# TAG: cache_swap_high (percent, 0-100)
# The high-water mark for AUFS/UFS/diskd cache object eviction by
# the cache_replacement_policy algorithm.
#
# Removal begins when the swap (disk) usage of a cache_dir is
# above the low-water mark set by cache_swap_low and attempts to
# maintain utilization near the low-water mark.
#
# As swap utilization increases towards this high-water mark object
# eviction becomes more aggressive.
#
# The value difference in percentages between low- and high-water
# marks represent an eviction rate of 300 objects per second and
# the rate continues to scale in aggressiveness by multiples of
# this above the high-water mark.
#
# Defaults are 90% and 95%. If you have a large cache, 5% could be
# hundreds of MB. If this is the case you may wish to set these
# numbers closer together.
#
# See also cache_swap_low and cache_replacement_policy
#Default:
# cache_swap_high 95
# LOGFILE OPTIONS
# -----------------------------------------------------------------------------
# TAG: logformat
# Usage:
#
# logformat <name> <format specification>
#
# Defines an access log format.
#
# The <format specification> is a string with embedded % format codes
#
# % format codes all follow the same basic structure where all
# components but the formatcode are optional and usually unnecessary,
# especially when dealing with common codes.
#
# % [encoding] [-] [[0]width] [{arg}] formatcode [{arg}]
#
# encoding escapes or otherwise protects "special" characters:
#
# " Quoted string encoding where quote(") and
# backslash(\) characters are \-escaped while
# CR, LF, and TAB characters are encoded as \r,
# \n, and \t two-character sequences.
#
# [ Custom Squid encoding where percent(%), square
# brackets([]), backslash(\) and characters with
# codes outside of [32,126] range are %-encoded.
# SP is not encoded. Used by log_mime_hdrs.
#
# # URL encoding (a.k.a. percent-encoding) where
# all URL unsafe and control characters (per RFC
# 1738) are %-encoded.
#
# / Shell-like encoding where quote(") and
# backslash(\) characters are \-escaped while CR
# and LF characters are encoded as \r and \n
# two-character sequences. Values containing SP
# character(s) are surrounded by quotes(").
#
# ' Raw/as-is encoding with no escaping/quoting.
#
# Default encoding: When no explicit encoding is
# specified, each %code determines its own encoding.
# Most %codes use raw/as-is encoding, but some codes use
# a so called "pass-through URL encoding" where all URL
# unsafe and control characters (per RFC 1738) are
# %-encoded, but the percent character(%) is left as is.
#
# - left aligned
#
# width minimum and/or maximum field width:
# [width_min][.width_max]
# When minimum starts with 0, the field is zero-padded.
# String values exceeding maximum width are truncated.
#
# {arg} argument such as header name etc. This field may be
# placed before or after the token, but not both at once.
#
# Format codes:
#
# % a literal % character
# sn Unique sequence number per log line entry
# err_code The ID of an error response served by Squid or
# a similar internal error identifier.
# err_detail Additional err_code-dependent error information.
# note The annotation specified by the argument. Also
# logs the adaptation meta headers set by the
# adaptation_meta configuration parameter.
# If no argument given all annotations logged.
# The argument may include a separator to use with
# annotation values:
# name[:separator]
# By default, multiple note values are separated with ","
# and multiple notes are separated with "\r\n".
# When logging named notes with %{name}note, the
# explicitly configured separator is used between note
# values. When logging all notes with %note, the
# explicitly configured separator is used between
# individual notes. There is currently no way to
# specify both value and notes separators when logging
# all notes with %note.
# master_xaction The master transaction identifier is an unsigned
# integer. These IDs are guaranteed to monotonically
# increase within a single worker process lifetime, with
# higher values corresponding to transactions that were
# accepted or initiated later. Due to current implementation
# deficiencies, some IDs are skipped (i.e. never logged).
# Concurrent workers and restarted workers use similar,
# overlapping sequences of master transaction IDs.
#
# Connection related format codes:
#
# >a Client source IP address
# >A Client FQDN
# >p Client source port
# >eui Client source EUI (MAC address, EUI-48 or EUI-64 identifier)
# >la Local IP address the client connected to
# >lp Local port number the client connected to
# >qos Client connection TOS/DSCP value set by Squid
# >nfmark Client connection netfilter packet MARK set by Squid
#
# la Local listening IP address the client connection was connected to.
# lp Local listening port number the client connection was connected to.
#
# <a Server IP address of the last server or peer connection
# <A Server FQDN or peer name
# <p Server port number of the last server or peer connection
# <la Local IP address of the last server or peer connection
# <lp Local port number of the last server or peer connection
# <qos Server connection TOS/DSCP value set by Squid
# <nfmark Server connection netfilter packet MARK set by Squid
#
# >handshake Raw client handshake
# Initial client bytes received by Squid on a newly
# accepted TCP connection or inside a just established
# CONNECT tunnel. Squid stops accumulating handshake
# bytes as soon as the handshake parser succeeds or
# fails (determining whether the client is using the
# expected protocol).
#
# For HTTP clients, the handshake is the request line.
# For TLS clients, the handshake consists of all TLS
# records up to and including the TLS record that
# contains the last byte of the first ClientHello
# message. For clients using an unsupported protocol,
# this field contains the bytes received by Squid at the
# time of the handshake parsing failure.
#
# See the on_unsupported_protocol directive for more
# information on Squid handshake traffic expectations.
#
# Current support is limited to these contexts:
# - http_port connections, but only when the
# on_unsupported_protocol directive is in use.
# - https_port connections (and CONNECT tunnels) that
# are subject to the ssl_bump peek or stare action.
#
# To protect binary handshake data, this field is always
# base64-encoded (RFC 4648 Section 4). If logformat
# field encoding is configured, that encoding is applied
# on top of base64. Otherwise, the computed base64 value
# is recorded as is.
#
# Time related format codes:
#
# ts Seconds since epoch
# tu subsecond time (milliseconds)
# tl Local time. Optional strftime format argument
# default %d/%b/%Y:%H:%M:%S %z
# tg GMT time. Optional strftime format argument
# default %d/%b/%Y:%H:%M:%S %z
# tr Response time (milliseconds)
# dt Total time spent making DNS lookups (milliseconds)
# tS Approximate master transaction start time in
# <full seconds since epoch>.<fractional seconds> format.
# Currently, Squid considers the master transaction
# started when a complete HTTP request header initiating
# the transaction is received from the client. This is
# the same value that Squid uses to calculate transaction
# response time when logging %tr to access.log. Currently,
# Squid uses millisecond resolution for %tS values,
# similar to the default access.log "current time" field
# (%ts.%03tu).
#
# Access Control related format codes:
#
# et Tag returned by external acl
# ea Log string returned by external acl
# un User name (any available)
# ul User name from authentication
# ue User name from external acl helper
# ui User name from ident
# un A user name. Expands to the first available name
# from the following list of information sources:
# - authenticated user name, like %ul
# - user name supplied by an external ACL, like %ue
# - SSL client name, like %us
# - ident user name, like %ui
# credentials Client credentials. The exact meaning depends on
# the authentication scheme: For Basic authentication,
# it is the password; for Digest, the realm sent by the
# client; for NTLM and Negotiate, the client challenge
# or client credentials prefixed with "YR " or "KK ".
#
# HTTP related format codes:
#
# REQUEST
#
# [http::]rm Request method (GET/POST etc)
# [http::]>rm Request method from client
# [http::]<rm Request method sent to server or peer
#
# [http::]ru Request URL received (or computed) and sanitized
#
# Logs request URI received from the client, a
# request adaptation service, or a request
# redirector (whichever was applied last).
#
# Computed URLs are URIs of internally generated
# requests and various "error:…" URIs.
#
# Honors strip_query_terms and uri_whitespace.
#
# This field is not encoded by default. Encoding
# this field using variants of %-encoding will
# clash with uri_whitespace modifications that
# also use %-encoding.
#
# [http::]>ru Request URL received from the client (or computed)
#
# Computed URLs are URIs of internally generated
# requests and various "error:…" URIs.
#
# Unlike %ru, this request URI is not affected
# by request adaptation, URL rewriting services,
# and strip_query_terms.
#
# Honors uri_whitespace.
#
# This field is using pass-through URL encoding
# by default. Encoding this field using other
# variants of %-encoding will clash with
# uri_whitespace modifications that also use
# %-encoding.
#
# [http::]<ru Request URL sent to server or peer
# [http::]>rs Request URL scheme from client
# [http::]<rs Request URL scheme sent to server or peer
# [http::]>rd Request URL domain from client
# [http::]<rd Request URL domain sent to server or peer
# [http::]>rP Request URL port from client
# [http::]<rP Request URL port sent to server or peer
# [http::]rp Request URL path excluding hostname
# [http::]>rp Request URL path excluding hostname from client
# [http::]<rp Request URL path excluding hostname sent to server or peer
# [http::]rv Request protocol version
# [http::]>rv Request protocol version from client
# [http::]<rv Request protocol version sent to server or peer
#
# [http::]>h Original received request header.
# Usually differs from the request header sent by
# Squid, although most fields are often preserved.
# Accepts optional header field name/value filter
# argument using name[:[separator]element] format.
# [http::]>ha Received request header after adaptation and
# redirection (pre-cache REQMOD vectoring point).
# Usually differs from the request header sent by
# Squid, although most fields are often preserved.
# Optional header name argument as for >h
#
# RESPONSE
#
# [http::]<Hs HTTP status code received from the next hop
# [http::]>Hs HTTP status code sent to the client
#
# [http::]<h Reply header. Optional header name argument
# as for >h
#
# [http::]mt MIME content type
#
#
# SIZE COUNTERS
#
# [http::]st Total size of request + reply traffic with client
# [http::]>st Total size of request received from client.
# Excluding chunked encoding bytes.
# [http::]<st Total size of reply sent to client (after adaptation)
#
# [http::]>sh Size of request headers received from client
# [http::]<sh Size of reply headers sent to client (after adaptation)
#
# [http::]<sH Reply high offset sent
# [http::]<sS Upstream object size
#
# [http::]<bs Number of HTTP-equivalent message body bytes
# received from the next hop, excluding chunked
# transfer encoding and control messages.
# Generated FTP/Gopher listings are treated as
# received bodies.
#
# TIMING
#
# [http::]<pt Peer response time in milliseconds. The timer starts
# when the last request byte is sent to the next hop
# and stops when the last response byte is received.
# [http::]<tt Total time in milliseconds. The timer
# starts with the first connect request (or write I/O)
# sent to the first selected peer. The timer stops
# with the last I/O with the last peer.
#
# Squid handling related format codes:
#
# Ss Squid request status (TCP_MISS etc)
# Sh Squid hierarchy status (DEFAULT_PARENT etc)
#
# SSL-related format codes:
#
# ssl::bump_mode SslBump decision for the transaction:
#
# For CONNECT requests that initiated bumping of
# a connection and for any request received on
# an already bumped connection, Squid logs the
# corresponding SslBump mode ("splice", "bump",
# "peek", "stare", "terminate", "server-first"
# or "client-first"). See the ssl_bump option
# for more information about these modes.
#
# A "none" token is logged for requests that
# triggered "ssl_bump" ACL evaluation matching
# a "none" rule.
#
# In all other cases, a single dash ("-") is
# logged.
#
# ssl::>sni SSL client SNI sent to Squid.
#
# ssl::>cert_subject
# The Subject field of the received client
# SSL certificate or a dash ('-') if Squid has
# received an invalid/malformed certificate or
# no certificate at all. Consider encoding the
# logged value because Subject often has spaces.
#
# ssl::>cert_issuer
# The Issuer field of the received client
# SSL certificate or a dash ('-') if Squid has
# received an invalid/malformed certificate or
# no certificate at all. Consider encoding the
# logged value because Issuer often has spaces.
#
# ssl::<cert_subject
# The Subject field of the received server
# TLS certificate or a dash ('-') if this is
# not available. Consider encoding the logged
# value because Subject often has spaces.
#
# ssl::<cert_issuer
# The Issuer field of the received server
# TLS certificate or a dash ('-') if this is
# not available. Consider encoding the logged
# value because Issuer often has spaces.
#
# ssl::<cert
# The received server x509 certificate in PEM
# format, including BEGIN and END lines (or a
# dash ('-') if the certificate is unavailable).
#
# WARNING: Large certificates will exceed the
# current 8KB access.log record limit, resulting
# in truncated records. Such truncation usually
# happens in the middle of a record field. The
# limit applies to all access logging modules.
#
# The logged certificate may have failed
# validation and may not be trusted by Squid.
# This field does not include any intermediate
# certificates that may have been received from
# the server or fetched during certificate
# validation process.
#
# Currently, Squid only collects server
# certificates during step3 of SslBump
# processing; connections that were not subject
# to ssl_bump rules or that did not match a peek
# or stare rule at step2 will not have the
# server certificate information.
#
# This field is using pass-through URL encoding
# by default.
#
# ssl::<cert_errors
# The list of certificate validation errors
# detected by Squid (including OpenSSL and
# certificate validation helper components). The
# errors are listed in the discovery order. By
# default, the error codes are separated by ‘:’.
# Accepts an optional separator argument.
#
# %ssl::>negotiated_version The negotiated TLS version of the
# client connection.
#
# %ssl::<negotiated_version The negotiated TLS version of the
# last server or peer connection.
#
# %ssl::>received_hello_version The TLS version of the Hello
# message received from TLS client.
#
# %ssl::<received_hello_version The TLS version of the Hello
# message received from TLS server.
#
# %ssl::>received_supported_version The maximum TLS version
# supported by the TLS client.
#
# %ssl::<received_supported_version The maximum TLS version
# supported by the TLS server.
#
# %ssl::>negotiated_cipher The negotiated cipher of the
# client connection.
#
# %ssl::<negotiated_cipher The negotiated cipher of the
# last server or peer connection.
#
# If ICAP is enabled, the following code becomes available (as
# well as ICAP log codes documented with the icap_log option):
#
# icap::tt Total ICAP "blocking" time for the HTTP transaction. The
# timer ticks while Squid checks adaptation_access and while
# ICAP transaction(s) expect ICAP response headers, including
# the embedded adapted HTTP message headers (where applicable).
# This measurement is meant to estimate ICAP impact on HTTP
# transaction response times, but it does not currently account
# for slow ICAP response body delivery blocking HTTP progress.
#
# Once Squid receives the final ICAP response headers (e.g.,
# ICAP 200 or 204) and the associated adapted HTTP message
# headers (if any) from the ICAP service, the corresponding ICAP
# transaction stops affecting this measurement, even though the
# transaction itself may continue for a long time (e.g., to
# finish sending the ICAP request and/or to finish receiving the
# ICAP response body).
#
# When "blocking" sections of multiple concurrent ICAP
# transactions overlap in time, the overlapping segment is
# counted only once.
#
# To see complete ICAP transaction response times (rather than
# the cumulative effect of their blocking sections) use the
# %adapt::all_trs logformat code or the icap_log directive.
#
# If adaptation is enabled the following codes become available:
#
# adapt::<last_h The header of the last ICAP response or
# meta-information from the last eCAP
# transaction related to the HTTP transaction.
# Like <h, accepts an optional header name
# argument.
#
# adapt::sum_trs Summed adaptation transaction response
# times recorded as a comma-separated list in
# the order of transaction start time. Each time
# value is recorded as an integer number,
# representing response time of one or more
# adaptation (ICAP or eCAP) transaction in
# milliseconds. When a failed transaction is
# being retried or repeated, its time is not
# logged individually but added to the
# replacement (next) transaction. Lifetimes of individually
# listed adaptation transactions may overlap.
# See also: %icap::tt and %adapt::all_trs.
#
# adapt::all_trs All adaptation transaction response times.
# Same as %adapt::sum_trs but response times of
# individual transactions are never added
# together. Instead, all transaction response
# times are recorded individually.
#
# You can prefix adapt::*_trs format codes with adaptation
# service name in curly braces to record response time(s) specific
# to that service. For example: %{my_service}adapt::sum_trs
#
# Format codes related to the PROXY protocol:
#
# proxy_protocol::>h PROXY protocol header, including optional TLVs.
#
# Supports the same field and element reporting/extraction logic
# as %http::>h. For configuration and reporting purposes, Squid
# maps each PROXY TLV to an HTTP header field: the TLV type
# (configured as a decimal integer) is the field name, and the
# TLV value is the field value. All TLVs of "LOCAL" connections
# (in PROXY protocol terminology) are currently skipped/ignored.
#
# Squid also maps the following standard PROXY protocol header
# blocks to pseudo HTTP headers (their names use PROXY
# terminology and start with a colon, following HTTP tradition
# for pseudo headers): :command, :version, :src_addr, :dst_addr,
# :src_port, and :dst_port.
#
# Without optional parameters, this logformat code logs
# pseudo headers and TLVs.
#
# This format code uses pass-through URL encoding by default.
#
# Example:
# # relay custom PROXY TLV #224 to adaptation services
# adaptation_meta Client-Foo "%proxy_protocol::>h{224}"
#
# See also: %http::>h
#
# The default formats available (which do not need re-defining) are:
#
#logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
#logformat common %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh
#logformat combined %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
#logformat referrer %ts.%03tu %>a %{Referer}>h %ru
#logformat useragent %>a [%tl] "%{User-Agent}>h"
#
# NOTE: When the log_mime_hdrs directive is set to ON, the squid,
# common and combined formats have a safely encoded copy of the
# mime headers appended to each line within a pair of brackets.
#
# NOTE: The common and combined formats are not quite true to the Apache definition.
# The logs from Squid contain an extra status and hierarchy code appended.
#
#Default:
# The format definitions squid, common, combined, referrer, useragent are built in.
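The %>handshake field described above is logged as base64, so it has to be decoded before it can be triaged. The following is an added example (not part of squid.conf or the Squid project) that classifies a logged value as an HTTP request line, a TLS ClientHello (reassembled across records, with its SNI extracted) or an unsupported protocol. The function names and sample values are constructed for illustration, and it assumes no extra logformat encoding was applied on top of base64.

```python
import base64
import binascii
import re
import struct

# For HTTP clients the handshake is the request line; a trailing CRLF is tolerated here.
HTTP_REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/\d\.\d\r?\n?$")


def _client_hello_sni(hello):
    """Return the server_name from a ClientHello body, or None if it has none."""
    pos = 2 + 32                                          # client_version + random
    pos += 1 + hello[pos]                                 # session_id
    pos += 2 + struct.unpack_from("!H", hello, pos)[0]    # cipher_suites
    pos += 1 + hello[pos]                                 # compression_methods
    if pos + 2 > len(hello):
        return None                                       # no extensions block
    end = pos + 2 + struct.unpack_from("!H", hello, pos)[0]
    pos += 2
    while pos + 4 <= min(end, len(hello)):
        ext_type, ext_len = struct.unpack_from("!HH", hello, pos)
        pos += 4
        if ext_type == 0:                                 # server_name extension
            # layout: list_len(2) name_type(1) name_len(2) name
            name_len = struct.unpack_from("!H", hello, pos + 3)[0]
            if hello[pos + 2] == 0:                       # host_name entry
                return hello[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
        pos += ext_len
    return None


def classify_handshake(field):
    """Classify one logged %>handshake value (base64 text, or '-' when empty)."""
    if field == "-":
        return {"kind": "absent"}
    try:
        raw = base64.b64decode(field, validate=True)
    except (binascii.Error, ValueError):
        return {"kind": "undecodable"}
    if HTTP_REQUEST_LINE.match(raw):
        method, target, _version = raw.split()
        return {"kind": "http", "method": method.decode(), "target": target.decode()}
    # The ClientHello may span several TLS records: join the payloads of all
    # leading handshake records (content type 22) before parsing the message.
    payload, pos = b"", 0
    while pos + 5 <= len(raw):
        ctype, major, _minor, length = struct.unpack_from("!BBBH", raw, pos)
        if ctype != 22 or major != 3:
            break
        payload += raw[pos + 5:pos + 5 + length]
        pos += 5 + length
    if len(payload) >= 4 and payload[0] == 1:             # handshake type 1 = ClientHello
        hello_len = int.from_bytes(payload[1:4], "big")
        try:
            sni = _client_hello_sni(payload[4:4 + hello_len])
        except (IndexError, struct.error):                # truncated or malformed hello
            sni = None
        return {"kind": "tls", "sni": sni}
    return {"kind": "unsupported", "preview_hex": raw[:16].hex()}


def build_sample_client_hello(host, split_at=0):
    """Constructed sample: a minimal ClientHello, base64-encoded like the log field.
    split_at > 0 spreads the message over two TLS records."""
    name = host.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32) + b"\x00"             # version, random, empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"          # one cipher suite
            + b"\x01\x00"                                 # null compression only
            + struct.pack("!H", len(ext)) + ext)
    msg = b"\x01" + len(body).to_bytes(3, "big") + body
    parts = [msg[:split_at], msg[split_at:]] if split_at else [msg]
    records = b"".join(b"\x16\x03\x01" + struct.pack("!H", len(p)) + p for p in parts)
    return base64.b64encode(records).decode()


# Constructed sample field values (not captured traffic).
SAMPLE_HTTP = base64.b64encode(b"GET http://example.com/ HTTP/1.1\r\n").decode()
SAMPLE_OTHER = base64.b64encode(b"SSH-2.0-example\r\n").decode()

if __name__ == "__main__":
    for field in (SAMPLE_HTTP, build_sample_client_hello("proxy-test.example", 10), SAMPLE_OTHER):
        print(classify_handshake(field))
```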
# TAG: access_log
# Configures whether and how Squid logs HTTP and ICP transactions.
# If access logging is enabled, a single line is logged for every
# matching HTTP or ICP request. The recommended directive formats are:
#
# access_log <module>:<place> [option …] [acl acl …]
# access_log none [acl acl …]
#
# The following directive format is accepted but may be deprecated:
# access_log <module>:<place> [<logformat name> [acl acl …]]
#
# In most cases, the first ACL name must not contain the ‘=’ character
# and should not be equal to an existing logformat name. You can always
# start with an ‘all’ ACL to work around those restrictions.
#
# Will log to the specified module:place using the specified format (which
# must be defined in a logformat directive) those entries which match
# ALL the acl’s specified (which must be defined in acl clauses).
# If no acl is specified, all requests will be logged to this destination.
#
# ===== Available options for the recommended directive format =====
#
# logformat=name Names log line format (either built-in or
# defined by a logformat directive). Defaults
# to ‘squid’.
#
# buffer-size=64KB Defines approximate buffering limit for log
# records (see buffered_logs). Squid should not
# keep more than the specified size and, hence,
# should flush records before the buffer becomes
# full to avoid overflows under normal
# conditions (the exact flushing algorithm is
# module-dependent though). The on-error option
# controls overflow handling.
#
# on-error=die|drop Defines action on unrecoverable errors. The
# ‘drop’ action ignores (i.e., does not log)
# affected log records. The default ‘die’ action
# kills the affected worker. The drop action
# support has not been tested for modules other
# than tcp.
#
# rotate=N Specifies the number of log file rotations to
# make when you run ‘squid -k rotate’. The default
# is to obey the logfile_rotate directive. Setting
# rotate=0 will disable the file name rotation,
# but the log files are still closed and re-opened.
# This will enable you to rename the logfiles
# yourself just before sending the rotate signal.
# Only supported by the stdio module.
#
# ===== Modules Currently available =====
#
# none Do not log any requests matching these ACL.
# Do not specify Place or logformat name.
#
# stdio Write each log line to disk immediately at the completion of
# each request.
# Place: the filename and path to be written.
#
# daemon Very similar to stdio, but instead of writing to disk the log
# line is passed to a daemon helper for asynchronous handling.
# Place: varies depending on the daemon.
#
# log_file_daemon Place: the file name and path to be written.
#
# syslog To log each request via syslog facility.
# Place: The syslog facility and priority level for these entries.
# Place Format: facility.priority
#
# where facility could be any of:
# authpriv, daemon, local0 … local7 or user.
#
# And priority could be any of:
# err, warning, notice, info, debug.
#
# udp To send each log line as text data to a UDP receiver.
# Place: The destination host name or IP and port.
# Place Format: //host:port
#
# tcp To send each log line as text data to a TCP receiver.
# Lines may be accumulated before sending (see buffered_logs).
# Place: The destination host name or IP and port.
# Place Format: //host:port
#
#Default:
# access_log daemon:/var/log/squid/access.log squid
# TAG: icap_log
# ICAP log files record ICAP transaction summaries, one line per
# transaction.
#
# The icap_log option format is:
# icap_log <filepath> [<logformat name> [acl acl …]]
# icap_log none [acl acl …]
#
# Please see access_log option documentation for details. The two
# kinds of logs share the overall configuration approach and many
# features.
#
# ICAP processing of a single HTTP message or transaction may
# require multiple ICAP transactions. In such cases, multiple
# ICAP transaction log lines will correspond to a single access
# log line.
#
# ICAP log supports many access.log logformat %codes. In ICAP context,
# HTTP message-related %codes are applied to the HTTP message embedded
# in an ICAP message. Logformat „%http::>…” codes are used for HTTP
# messages embedded in ICAP requests while „%http::<…” codes are used
# for HTTP messages embedded in ICAP responses. For example:
#
# http::>h To-be-adapted HTTP message headers sent by Squid to
# the ICAP service. For REQMOD transactions, these are
# HTTP request headers. For RESPMOD, these are HTTP
# response headers, but Squid currently cannot log them
# (i.e., %http::>h will expand to „-” for RESPMOD).
#
# http::<h Adapted HTTP message headers sent by the ICAP
# service to Squid (i.e., HTTP request headers in regular
# REQMOD; HTTP response headers in RESPMOD and during
# request satisfaction in REQMOD).
#
# ICAP OPTIONS transactions do not embed HTTP messages.
#
# Several logformat codes below deal with ICAP message bodies. An ICAP
# message body, if any, typically includes a complete HTTP message
# (required HTTP headers plus optional HTTP message body). When
# computing HTTP message body size for these logformat codes, Squid
# either includes or excludes chunked encoding overheads; see
# code-specific documentation for details.
#
# For Secure ICAP services, all size-related information is currently
# computed before/after TLS encryption/decryption, as if TLS was not
# in use at all.
#
# The following format codes are also available for ICAP logs:
#
# icap::<A ICAP server IP address. Similar to <A.
#
# icap::<service_name ICAP service name from the icap_service
# option in Squid configuration file.
#
# icap::ru ICAP Request-URI. Similar to ru.
#
# icap::rm ICAP request method (REQMOD, RESPMOD, or
# OPTIONS). Similar to existing rm.
#
# icap::>st The total size of the ICAP request sent to the ICAP
# server (ICAP headers + ICAP body), including chunking
# metadata (if any).
#
# icap::<st The total size of the ICAP response received from the
# ICAP server (ICAP headers + ICAP body), including
# chunking metadata (if any).
#
# icap::<bs The size of the ICAP response body received from the
# ICAP server, excluding chunking metadata (if any).
#
# icap::tr Transaction response time (in
# milliseconds). The timer starts when
# the ICAP transaction is created and
# stops when the transaction is completed.
# Similar to tr.
#
# icap::tio Transaction I/O time (in milliseconds). The
# timer starts when the first ICAP request
# byte is scheduled for sending. The timer
# stops when the last byte of the ICAP response
# is received.
#
# icap::to Transaction outcome: ICAP_ERR* for all
# transaction errors, ICAP_OPT for OPTION
# transactions, ICAP_ECHO for 204
# responses, ICAP_MOD for message
# modification, and ICAP_SAT for request
# satisfaction. Similar to Ss.
#
# icap::Hs ICAP response status code. Similar to Hs.
#
# icap::>h ICAP request header(s). Similar to >h.
#
# icap::<h ICAP response header(s). Similar to <h.
#
# The default ICAP log format, which can be used without an explicit
# definition, is called icap_squid:
#
#logformat icap_squid %ts.%03tu %6icap::tr %>A %icap::to/%03icap::Hs %icap::<st %icap::rm %icap::ru %un -/%icap::<A -
#
# See also: logformat and %adapt::<last_h
#Default:
# none
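# Added example (not part of the Squid distribution): a parser for the default
# icap_squid format above that lists ICAP_ERR* outcomes and slow transactions.
# The log lines, the ICAP_ERR_OTHER name and the 2000 ms threshold are constructed.

```python
import re
from collections import Counter

# One group per field of the default icap_squid logformat:
# %ts.%03tu %6icap::tr %>A %icap::to/%03icap::Hs %icap::<st %icap::rm
# %icap::ru %un -/%icap::<A -
ICAP_SQUID = re.compile(
    r"(?P<time>\d+\.\d{3})\s+(?P<tr>-|\d+)\s+(?P<client>\S+)\s+"
    r"(?P<outcome>[A-Z_]+)/(?P<status>\S+)\s+(?P<size>-|\d+)\s+"
    r"(?P<method>\S+)\s+(?P<uri>\S+)\s+(?P<user>\S+)\s+"
    r"-/(?P<server>\S+)\s+-"
)

# Constructed sample input; the last line simulates a damaged record.
SAMPLE = """\
1700000000.123     12 10.0.0.5 ICAP_MOD/200 1532 REQMOD icap://127.0.0.1:1344/reqmod alice -/127.0.0.1 -
1700000001.456      3 10.0.0.6 ICAP_ECHO/204 120 RESPMOD icap://127.0.0.1:1344/respmod - -/127.0.0.1 -
1700000002.789   5000 10.0.0.7 ICAP_ERR_OTHER/000 0 RESPMOD icap://127.0.0.1:1344/respmod bob -/127.0.0.1 -
1700000003.010      1 10.0.0.5 ICAP_OPT/200 310 OPTIONS icap://127.0.0.1:1344/respmod - -/127.0.0.1 -
this line is truncated
"""


def parse_icap_line(line):
    """Return the fields of one icap_squid line as a dict, or None."""
    match = ICAP_SQUID.fullmatch(line.strip())
    if match is None:
        return None
    rec = match.groupdict()
    for key in ("tr", "size"):          # numeric fields; "-" means unknown
        rec[key] = None if rec[key] == "-" else int(rec[key])
    return rec


def review(lines, slow_ms=2000):
    """Collect failed, slow and unparsable ICAP transactions."""
    errors = Counter()                  # (ICAP Request-URI, outcome) -> count
    slow, unparsed = [], []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_icap_line(line)
        if rec is None:
            unparsed.append(line)       # keep damaged records visible
            continue
        if rec["outcome"].startswith("ICAP_ERR"):
            errors[(rec["uri"], rec["outcome"])] += 1
        if rec["tr"] is not None and rec["tr"] >= slow_ms:
            slow.append(rec)
    return errors, slow, unparsed


if __name__ == "__main__":
    errors, slow, unparsed = review(SAMPLE.splitlines())
    for (uri, outcome), count in errors.items():
        print("%d x %s at %s" % (count, outcome, uri))
    for rec in slow:
        print("slow: %d ms from %s (%s)" % (rec["tr"], rec["client"], rec["user"]))
    print("unparsed lines:", len(unparsed))
```

# One ICAP log line is written per ICAP transaction, so counts here are per
# transaction and not per HTTP request.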
# TAG: logfile_daemon
# Specify the path to the logfile-writing daemon. This daemon is
# used to write the access and store logs, if configured.
#
# Squid sends a number of commands to the log daemon:
# L<data>\n – logfile data
# R\n – rotate file
# T\n – truncate file
# O\n – reopen file
# F\n – flush file
# r<n>\n – set rotate count to <n>
# b<n>\n – 1 = buffer output, 0 = don’t buffer output
#
# No response is expected.
#Default:
# logfile_daemon /usr/lib/squid/log_file_daemon
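# Added example (not Squid's own log_file_daemon): an interpreter for the
# command stream listed above that validates every command and counts the
# ones it rejects. The class name, the numeric rotation file names and the
# sample stream are assumptions made for this illustration.

```python
import os
import tempfile


class LogDaemon:
    """Interprets the commands Squid writes to a logfile daemon's stdin."""

    def __init__(self, path, rotate_count=10):
        self.path = path
        self.rotate_count = rotate_count
        self.buffered = True
        self.rejected = 0            # unknown or malformed commands seen
        self.pending = b""           # bytes of a command not yet terminated
        self.fh = open(path, "ab")

    def _rotate(self):
        self.fh.close()
        # Shift path.0 -> path.1 and so on, oldest first, then path -> path.0.
        for i in range(self.rotate_count - 1, 0, -1):
            older = "%s.%d" % (self.path, i - 1)
            if os.path.exists(older):
                os.replace(older, "%s.%d" % (self.path, i))
        if self.rotate_count > 0:
            os.replace(self.path, self.path + ".0")
        self.fh = open(self.path, "ab")   # count 0: only close and re-open

    def handle(self, line):
        cmd, arg = line[:1], line[1:]
        if cmd == b"L":                           # L<data>: logfile data
            self.fh.write(arg + b"\n")
            if not self.buffered:
                self.fh.flush()
        elif cmd == b"R" and not arg:             # rotate file
            self._rotate()
        elif cmd == b"T" and not arg:             # truncate file
            self.fh.truncate(0)
        elif cmd == b"O" and not arg:             # reopen file
            self.fh.close()
            self.fh = open(self.path, "ab")
        elif cmd == b"F" and not arg:             # flush file
            self.fh.flush()
        elif cmd == b"r" and arg.isdigit():       # r<n>: set rotate count
            self.rotate_count = int(arg)
        elif cmd == b"b" and arg in (b"0", b"1"): # b<n>: buffering on/off
            self.buffered = arg == b"1"
        else:
            self.rejected += 1                    # never guess at bad input

    def feed(self, data):
        """Accept raw bytes; commands may be split across reads."""
        self.pending += data
        while b"\n" in self.pending:
            line, _, self.pending = self.pending.partition(b"\n")
            self.handle(line)

    def close(self):
        self.fh.close()


def demo():
    """Replay a constructed command stream; return file contents and rejects."""
    with tempfile.TemporaryDirectory() as tmp:
        daemon = LogDaemon(os.path.join(tmp, "access.log"))
        daemon.feed(b"r2\nb0\nLfirst entry\nR\nLsecond entry\nR\nLthird en")
        daemon.feed(b"try\nX\nrabc\nF\n")
        daemon.close()
        files = {}
        for name in sorted(os.listdir(tmp)):
            with open(os.path.join(tmp, name), "rb") as fh:
                files[name] = fh.read()
        return files, daemon.rejected


if __name__ == "__main__":
    print(demo())
```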
# TAG: stats_collection allow|deny acl acl…
# This option allows you to control which requests get accounted
# in performance counters.
#
# This clause only supports fast acl types.
# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#Default:
# Allow logging for all transactions.
# TAG: cache_store_log
# Logs the activities of the storage manager. Shows which
# objects are ejected from the cache, and which objects are
# saved and for how long.
# There are not really utilities to analyze this data, so you can safely
# disable it (the default).
#
# Store log uses modular logging outputs. See access_log for the list
# of modules supported.
#
# Example:
# cache_store_log stdio:/var/log/squid/store.log
# cache_store_log daemon:/var/log/squid/store.log
#Default:
# none
# TAG: cache_swap_state
# Location for the cache „swap.state” file. This index file holds
# the metadata of objects saved on disk. It is used to rebuild
# the cache during startup. Normally this file resides in each
# ‘cache_dir’ directory, but you may specify an alternate
# pathname here. Note you must give a full filename, not just
# a directory. Since this is the index for the whole object
# list you CANNOT periodically rotate it!
#
# If %s can be used in the file name it will be replaced with a
# representation of the cache_dir name where each / is replaced
# with ‘.’. This is needed to allow adding/removing cache_dir
# lines when cache_swap_log is being used.
#
# If you have more than one ‘cache_dir’, and %s is not used in the name
# these swap logs will have names such as:
#
# cache_swap_log.00
# cache_swap_log.01
# cache_swap_log.02
#
# The numbered extension (which is added automatically)
# corresponds to the order of the ‘cache_dir’ lines in this
# configuration file. If you change the order of the ‘cache_dir’
# lines in this file, these index files will NOT correspond to
# the correct ‘cache_dir’ entry (unless you manually rename
# them). We recommend you do NOT use this option. It is
# better to keep these index files in each ‘cache_dir’ directory.
#Default:
# Store the journal inside its cache_dir
# TAG: logfile_rotate
# Specifies the default number of logfile rotations to make when you
# type ‘squid -k rotate’. The default is 10, which will rotate
# with extensions 0 through 9. Setting logfile_rotate to 0 will
# disable the file name rotation, but the logfiles are still closed
# and re-opened. This will enable you to rename the logfiles
# yourself just before sending the rotate signal.
#
# Note, from Squid-3.1 this option is only a default for cache.log,
# that log can be rotated separately by using debug_options.
#
# Note, from Squid-4 this option is only a default for access.log
# recorded by stdio: module. Those logs can be rotated separately by
# using the rotate=N option on their access_log directive.
#
# Note, the ‘squid -k rotate’ command normally sends a USR1
# signal to the running squid process. In certain situations
# (e.g. on Linux with Async I/O), USR1 is used for other
# purposes, so -k rotate uses another signal. It is best to get
# in the habit of using ‘squid -k rotate’ instead of ‘kill -USR1
# <pid>’.
#
# Note, for Debian/Linux the default of logfile_rotate is
# zero, since it includes external logfile-rotation methods.
#Default:
# logfile_rotate 0
# TAG: mime_table
# Path to Squid’s icon configuration file.
#
# You shouldn’t need to change this, but the default file contains
# examples and formatting information if you do.
#Default:
# mime_table /usr/share/squid/mime.conf
# TAG: log_mime_hdrs on|off
# The Cache can record both the request and the response MIME
# headers for each HTTP transaction. The headers are encoded
# safely and will appear as two bracketed fields at the end of
# the access log (for either the native or httpd-emulated log
# formats). To enable this logging set log_mime_hdrs to ‘on’.
#Default:
# log_mime_hdrs off
# TAG: pid_filename
# A filename to write the process-id to. To disable, enter „none”.
#Default:
# pid_filename /run/squid.pid
# TAG: client_netmask
# A netmask for client addresses in logfiles and cachemgr output.
# Change this to protect the privacy of your cache clients.
# A netmask of 255.255.255.0 will log all IP’s in that range with
# the last digit set to ‘0’.
#Default:
# Log full client IP address
# TAG: strip_query_terms
# By default, Squid strips query terms from requested URLs before
# logging. This protects your user’s privacy and reduces log size.
#
# When investigating HIT/MISS or other caching behaviour you
# will need to disable this to see the full URL used by Squid.
#Default:
# strip_query_terms on
# TAG: buffered_logs on|off
# Whether to write/send access_log records ASAP or accumulate them and
# then write/send them in larger chunks. Buffering may improve
# performance because it decreases the number of I/Os. However,
# buffering increases the delay before log records become available to
# the final recipient (e.g., a disk file or logging daemon) and,
# hence, increases the risk of log records loss.
#
# Note that even when buffered_logs are off, Squid may have to buffer
# records if it cannot write/send them immediately due to pending I/Os
# (e.g., the I/O writing the previous log record) or connectivity loss.
#
# Currently honored by ‘daemon’ and ‘tcp’ access_log modules only.
#Default:
# buffered_logs off
# TAG: netdb_filename
# Where Squid stores its netdb journal.
# When enabled this journal preserves netdb state between restarts.
#
# To disable, enter „none”.
#Default:
# netdb_filename stdio:/var/spool/squid/netdb.state
# OPTIONS FOR TROUBLESHOOTING
# —————————————————————————–
# TAG: cache_log
# Squid administrative logging file.
#
# This is where general information about Squid behavior goes. You can
# increase the amount of data logged to this file and how often it is
# rotated with „debug_options”
#Default:
# cache_log /var/log/squid/cache.log
# TAG: debug_options
# Logging options are set as section,level where each source file
# is assigned a unique section. Lower levels result in less
# output. Full debugging (level 9) can result in a very large
# log file, so be careful.
#
# The magic word „ALL” sets debugging levels for all sections.
# The default is to run with „ALL,1” to record important warnings.
#
# The rotate=N option can be used to keep more or less of these logs
# than would otherwise be kept by logfile_rotate.
# For most uses a single log should be enough to monitor current
# events affecting Squid.
#Default:
# Log all critical and important messages.
# TAG: coredump_dir
# By default Squid leaves core files in the directory from where
# it was started. If you set ‘coredump_dir’ to a directory
# that exists, Squid will chdir() to that directory at startup
# and coredump files will be left there.
#
#Default:
# Use the directory from where Squid was started.
#
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
# OPTIONS FOR FTP GATEWAYING
# —————————————————————————–
# TAG: ftp_user
# If you want the anonymous login password to be more informative
# (and enable the use of picky FTP servers), set this to something
# reasonable for your domain, like wwwuser@somewhere.net
#
# The reason why this is domainless by default is the
# request can be made on the behalf of a user in any domain,
# depending on how the cache is used.
# Some FTP servers also validate that the email address is valid
# (for example perl.com).
#Default:
# ftp_user Squid@
# TAG: ftp_passive
# If your firewall does not allow Squid to use passive
# connections, turn off this option.
#
# Use of ftp_epsv_all option requires this to be ON.
#Default:
# ftp_passive on
# TAG: ftp_epsv_all
# FTP Protocol extensions permit the use of a special „EPSV ALL” command.
#
# NATs may be able to put the connection on a „fast path” through the
# translator, as the EPRT command will never be used and therefore,
# translation of the data portion of the segments will never be needed.
#
# When a client only expects to do two-way FTP transfers this may be
# useful.
# If squid finds that it must do a three-way FTP transfer after issuing
# an EPSV ALL command, the FTP session will fail.
#
# If you have any doubts about this option do not use it.
# Squid will nicely attempt all other connection methods.
#
# Requires ftp_passive to be ON (default) for any effect.
#Default:
# ftp_epsv_all off
# TAG: ftp_epsv
# FTP Protocol extensions permit the use of a special „EPSV” command.
#
# NATs may be able to put the connection on a „fast path” through the
# translator using EPSV, as the EPRT command will never be used
# and therefore, translation of the data portion of the segments
# will never be needed.
#
# EPSV is often required to interoperate with FTP servers on IPv6
# networks. On the other hand, it may break some IPv4 servers.
#
# By default, Squid may try EPSV with any FTP server. To fine tune
# that decision, you may restrict EPSV to certain clients or servers
# using ACLs:
#
# ftp_epsv allow|deny acl1 acl2 …
#
# WARNING: Disabling EPSV may cause problems with external NAT and IPv6.
#
# Only fast ACLs are supported.
# Requires ftp_passive to be ON (default) for any effect.
#Default:
# none
# TAG: ftp_eprt
# FTP Protocol extensions permit the use of a special „EPRT” command.
#
# This extension provides a protocol neutral alternative to the
# IPv4-only PORT command. When supported it enables active FTP data
# channels over IPv6 and efficient NAT handling.
#
# Turning this OFF will prevent EPRT being attempted and will skip
# straight to using PORT for IPv4 servers.
#
# Some devices are known to not handle this extension correctly and
# may result in crashes. Devices which support EPRT enough to fail
# cleanly will result in Squid attempting PORT anyway. This directive
# should only be disabled when EPRT results in device failures.
#
# WARNING: Doing so will convert Squid back to the old behavior with all
# the related problems with external NAT devices/layers and IPv4-only FTP.
#Default:
# ftp_eprt on
# TAG: ftp_sanitycheck
# For security and data integrity reasons Squid by default performs
# sanity checks of the addresses of FTP data connections to ensure the
# data connection is to the requested server. If you need to allow
# FTP connections to servers using another IP address for the data
# connection turn this off.
#Default:
# ftp_sanitycheck on
# TAG: ftp_telnet_protocol
# The FTP protocol is officially defined to use the telnet protocol
# as transport channel for the control connection. However, many
# implementations are broken and do not respect this aspect of
# the FTP protocol.
#
# If you have trouble accessing files with ASCII code 255 in the
# path or similar problems involving this ASCII code you can
# try setting this directive to off. If that helps, report to the
# operator of the FTP server in question that their FTP server
# is broken and does not follow the FTP standard.
#Default:
# ftp_telnet_protocol on
# OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
# —————————————————————————–
# TAG: diskd_program
# Specify the location of the diskd executable.
# Note this is only useful if you have compiled in
# diskd as one of the store io modules.
#Default:
# diskd_program /usr/lib/squid/diskd
# TAG: unlinkd_program
# Specify the location of the executable for file deletion process.
#Default:
# unlinkd_program /usr/lib/squid/unlinkd
# TAG: pinger_program
# Specify the location of the executable for the pinger process.
#Default:
# pinger_program /usr/lib/squid/pinger
# TAG: pinger_enable
# Control whether the pinger is active at run-time.
# Enables turning ICMP pinger on and off with a simple
# squid -k reconfigure.
#Default:
# pinger_enable on
# OPTIONS FOR URL REWRITING
# —————————————————————————–
# TAG: url_rewrite_program
# The name and command line parameters of an admin-provided executable
# for redirecting clients or adjusting/replacing client request URLs.
#
# This helper is consulted after the received request is cleared by
# http_access and adapted using eICAP/ICAP services (if any). If the
# helper does not redirect the client, Squid checks adapted_http_access
# and may consult the cache or forward the request to the next hop.
#
#
# For each request, the helper gets one line in the following format:
#
# [channel-ID <SP>] request-URL [<SP> extras] <NL>
#
# Use url_rewrite_extras to configure what Squid sends as ‘extras’.
#
#
# The helper must reply to each query using a single line:
#
# [channel-ID <SP>] result [<SP> kv-pairs] <NL>
#
# The result section must match exactly one of the following outcomes:
#
# OK [status=30N] url="…"
#
# Redirect the client to a URL supplied in the ‘url’ parameter.
# Optional ‘status’ specifies the status code to send to the
# client in Squid’s HTTP redirect response. It must be one of
# the standard HTTP redirect status codes: 301, 302, 303, 307,
# or 308. When no specific status is requested, Squid uses 302.
#
# OK rewrite-url="…"
#
# Replace the current request URL with the one supplied in the
# ‘rewrite-url’ parameter. Squid fetches the resource specified
# by the new URL and forwards the received response (or its
# cached copy) to the client.
#
# WARNING: Avoid rewriting URLs! When possible, redirect the
# client using an „OK url=…” helper response instead.
# Rewriting URLs may create inconsistent requests and/or break
# synchronization between internal client and origin server
# states, especially when URLs or other message parts contain
# snippets of that state. For example, Squid does not adjust
# Location headers and embedded URLs after the helper rewrites
# the request URL.
#
# OK
# Keep the client request intact.
#
# ERR
# Keep the client request intact.
#
# BH [message="…"]
# A helper problem that should be reported to the Squid admin
# via a level-1 cache.log message. The ‘message’ parameter is
# reserved for specifying the log message.
#
# In addition to the kv-pairs mentioned above, Squid also understands
# the following optional kv-pairs in URL rewriter responses:
#
# clt_conn_tag=TAG
# Associates a TAG with the client TCP connection.
#
# The clt_conn_tag=TAG pair is treated as a regular transaction
# annotation for the current request and also annotates future
# requests on the same client connection. A helper may update
# the TAG during subsequent requests by returning a new kv-pair.
#
#
# Helper messages contain the channel-ID part if and only if the
# url_rewrite_children directive specifies positive concurrency. As a
# channel-ID value, Squid sends a number between 0 and concurrency-1.
# The helper must echo back the received channel-ID in its response.
#
# By default, Squid does not use a URL rewriter.
#Default:
# none
# TAG: url_rewrite_children
# Specifies the maximum number of redirector processes that Squid may
# spawn (numberofchildren) and several related options. Using too few of
# these helper processes (a.k.a. „helpers”) creates request queues.
# Using too many helpers wastes your system resources.
#
# Usage: numberofchildren [option]…
#
# The startup= and idle= options allow some measure of skew in your
# tuning.
#
# startup=
#
# Sets a minimum of how many processes are to be spawned when Squid
# starts or reconfigures. When set to zero the first request will
# cause spawning of the first child process to handle it.
#
# Starting too few will cause an initial slowdown in traffic as Squid
# attempts to simultaneously spawn enough processes to cope.
#
# idle=
#
# Sets a minimum of how many processes Squid is to try and keep available
# at all times. When traffic begins to rise above what the existing
# processes can handle this many more will be spawned up to the maximum
# configured. A minimum setting of 1 is required.
#
# concurrency=
#
# The number of requests each redirector helper can handle in
# parallel. Defaults to 0 which indicates the redirector
# is an old-style single threaded redirector.
#
# When this directive is set to a value >= 1 then the protocol
# used to communicate with the helper is modified to include
# an ID in front of the request/response. The ID from the request
# must be echoed back with the response to that request.
#
# queue-size=N
#
# Sets the maximum number of queued requests. A request is queued when
# no existing child can accept it due to concurrency limit and no new
# child can be started due to numberofchildren limit. The default
# maximum is zero if url_rewrite_bypass is enabled and
# 2*numberofchildren otherwise. If the queued requests exceed queue size
# and redirector_bypass configuration option is set, then redirector is
# bypassed. Otherwise, Squid is allowed to temporarily exceed the
# configured maximum, marking the affected helper as „overloaded”. If
# the helper overload lasts more than 3 minutes, the action prescribed
# by the on-persistent-overload option applies.
#
# on-persistent-overload=action
#
# Specifies Squid reaction to a new helper request arriving when the helper
# has been overloaded for more than 3 minutes already. The number of queued
# requests determines whether the helper is overloaded (see the queue-size
# option).
#
# Two actions are supported:
#
# die Squid worker quits. This is the default behavior.
#
# ERR Squid treats the helper request as if it was
# immediately submitted, and the helper immediately
# replied with an ERR response. This action has no effect
# on the already queued and in-progress helper requests.
#Default:
# url_rewrite_children 20 startup=0 idle=1 concurrency=0
# TAG: url_rewrite_host_header
# To preserve same-origin security policies in browsers and
# prevent Host: header forgery by redirectors Squid rewrites
# any Host: header in redirected requests.
#
# If you are running an accelerator this may not be a wanted
# effect of a redirector. This directive enables you to disable
# Host: alteration in reverse-proxy traffic.
#
# WARNING: Entries are cached on the result of the URL rewriting
# process, so be careful if you have domain-virtual hosts.
#
# WARNING: Squid and other software verifies the URL and Host
# are matching, so be careful not to relay through other proxies
# or inspecting firewalls with this disabled.
#Default:
# url_rewrite_host_header on
# TAG: url_rewrite_access
# If defined, this access list specifies which requests are
# sent to the redirector processes.
#
# This clause supports both fast and slow acl types.
# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#Default:
# Allow, unless rules exist in squid.conf.
# TAG: url_rewrite_bypass
# When this is ‘on’, a request will not go through the
# redirector if all the helpers are busy. If this is ‘off’ and the
# redirector queue grows too large, the action is prescribed by the
# on-persistent-overload option. You should only enable this if the
# redirectors are not critical to your caching system. If you use
# redirectors for access control, and you enable this option,
# users may have access to pages they should not
# be allowed to request.
#
# Enabling this option sets the default url_rewrite_children queue-size
# option value to 0.
#Default:
# url_rewrite_bypass off
# TAG: url_rewrite_extras
# Specifies a string to be appended to the request line format for the
# rewriter helper. „Quoted” format values may contain spaces and
# logformat %macros. In theory, any logformat %macro can be used.
# In practice, a %macro expands as a dash (-) if the helper request is
# sent before the required macro information is available to Squid.
#Default:
# url_rewrite_extras "%>a/%>A %un %>rm myip=%la myport=%lp"
# TAG: url_rewrite_timeout
# Squid times active requests to redirector. The timeout value and Squid
# reaction to a timed out request are configurable using the following
# format:
#
# url_rewrite_timeout timeout time-units on_timeout=<action> [response=<quoted-response>]
#
# supported timeout actions:
# fail Squid returns an ERR_GATEWAY_FAILURE error page
#
# bypass Do not re-write the URL
#
# retry Send the lookup to the helper again
#
# use_configured_response
# Use the <quoted-response> as helper response
#Default:
# Squid waits for the helper response forever
# OPTIONS FOR STORE ID
# —————————————————————————–
# TAG: store_id_program
# Specify the location of the executable StoreID helper to use.
# Since they can perform almost any function there isn’t one included.
#
# For each requested URL, the helper will receive one line with the format
#
# [channel-ID <SP>] URL [<SP> extras]<NL>
#
#
# After processing the request the helper must reply using the following format:
#
# [channel-ID <SP>] result [<SP> kv-pairs]
#
# The result code can be:
#
# OK store-id="…"
# Use the StoreID supplied in ‘store-id=’.
#
# ERR
# The default is to use HTTP request URL as the store ID.
#
# BH
# An internal error occurred in the helper, preventing
# a result being identified.
#
# In addition to the above kv-pairs Squid also understands the following
# optional kv-pairs received from URL rewriters:
# clt_conn_tag=TAG
# Associates a TAG with the client TCP connection.
# Please see url_rewrite_program related documentation for this
# kv-pair
#
# Helper programs should be prepared to receive and possibly ignore
# additional whitespace-separated tokens on each input line.
#
# When using the concurrency= option the protocol is changed by
# introducing a query channel tag in front of the request/response.
# The query channel tag is a number between 0 and concurrency-1.
# This value must be echoed back unchanged to Squid as the first part
# of the response relating to its request.
#
# NOTE: when using StoreID refresh_pattern will apply to the StoreID
# returned from the helper and not the URL.
#
# WARNING: Wrong StoreID value returned by a careless helper may result
# in the wrong cached response returned to the user.
#
# By default, a StoreID helper is not used.
#Default:
# none
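# Added example (not shipped with Squid) covering both helper protocols
# described above, url_rewrite_program and store_id_program: it echoes the
# channel-ID, redirects instead of rewriting, and returns a StoreID only for
# URLs it can map without ambiguity. Host names, the block page and the
# ".squid.internal" StoreID host are constructed for this illustration.

```python
import re
import sys
from urllib.parse import urlsplit

# Constructed policy data, not from the page.
BLOCKED_HOSTS = {"blocked.example.net"}
BLOCK_PAGE = "http://proxy.example.internal/blocked.html"
MIRROR_HOST = re.compile(r"[a-z0-9-]+\.c\.example\.com")
STORE_ID_HOST = "c.example.com.squid.internal"

# Characters that would break out of a quoted kv-pair value.
UNSAFE = re.compile(r'[\x00-\x20"\\\x7f]')


def split_query(line, concurrency):
    """Return (channel prefix, URL); extra tokens are accepted and ignored."""
    tokens = line.split()
    prefix = ""
    if concurrency > 0:
        # With positive concurrency the first token is the channel-ID.
        if (not tokens or not re.fullmatch(r"[0-9]+", tokens[0])
                or int(tokens[0]) >= concurrency):
            raise ValueError("missing or out-of-range channel-ID")
        prefix = tokens.pop(0) + " "
    if not tokens:
        raise ValueError("missing URL")
    return prefix, tokens[0]


def rewrite_reply(line, concurrency=0):
    """url_rewrite_program reply: redirect blocked hosts, else ERR."""
    try:
        prefix, url = split_query(line, concurrency)
    except ValueError as exc:
        return 'BH message="%s"' % exc
    try:
        # CONNECT requests carry host:port rather than a full URL.
        host = urlsplit(url if "://" in url else "//" + url).hostname
    except ValueError:
        host = None
    if host in BLOCKED_HOSTS:
        return prefix + 'OK status=302 url="%s"' % BLOCK_PAGE
    return prefix + "ERR"             # keep the client request intact


def store_id_reply(line, concurrency=0):
    """store_id_program reply: one StoreID for all mirrors of c.example.com."""
    try:
        prefix, url = split_query(line, concurrency)
    except ValueError as exc:
        return 'BH message="%s"' % exc
    try:
        parts = urlsplit(url)
        mappable = (parts.scheme == "http" and parts.port in (None, 80)
                    and parts.username is None
                    and MIRROR_HOST.fullmatch(parts.hostname or "")
                    and not UNSAFE.search(url))
    except ValueError:
        mappable = False
    if not mappable:
        return prefix + "ERR"         # Squid then uses the request URL
    # Path and query stay intact so distinct objects never share a StoreID.
    store_id = "http://%s%s" % (STORE_ID_HOST, parts.path or "/")
    if parts.query:
        store_id += "?" + parts.query
    return prefix + 'OK store-id="%s"' % store_id


def main(reply, concurrency=0):
    for line in sys.stdin:
        sys.stdout.write(reply(line, concurrency) + "\n")
        sys.stdout.flush()            # one reply line per query, unbuffered


if __name__ == "__main__":
    main(store_id_reply if "storeid" in sys.argv[1:] else rewrite_reply)
```

# The concurrency value passed to main() has to match the concurrency= option
# of url_rewrite_children or store_id_children.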
# TAG: store_id_extras
# Specifies a string to be appended to the request line format for the
# StoreId helper. „Quoted” format values may contain spaces and
# logformat %macros. In theory, any logformat %macro can be used.
# In practice, a %macro expands as a dash (-) if the helper request is
# sent before the required macro information is available to Squid.
#Default:
# store_id_extras "%>a/%>A %un %>rm myip=%la myport=%lp"
# TAG: store_id_children
# Specifies the maximum number of StoreID helper processes that Squid
# may spawn (numberofchildren) and several related options. Using
# too few of these helper processes (a.k.a. „helpers”) creates request
# queues. Using too many helpers wastes your system resources.
#
# Usage: numberofchildren [option]…
#
# The startup= and idle= options allow some measure of skew in your
# tuning.
#
# startup=
#
# Sets a minimum of how many processes are to be spawned when Squid
# starts or reconfigures. When set to zero the first request will
# cause spawning of the first child process to handle it.
#
# Starting too few will cause an initial slowdown in traffic as Squid
# attempts to simultaneously spawn enough processes to cope.
#
# idle=
#
# Sets a minimum of how many processes Squid is to try and keep available
# at all times. When traffic begins to rise above what the existing
# processes can handle this many more will be spawned up to the maximum
# configured. A minimum setting of 1 is required.
#
# concurrency=
#
# The number of requests each storeID helper can handle in
# parallel. Defaults to 0 which indicates the helper
# is an old-style single threaded program.
#
# When this directive is set to a value >= 1 then the protocol
# used to communicate with the helper is modified to include
# an ID in front of the request/response. The ID from the request
# must be echoed back with the response to that request.
#
# queue-size=N
#
# Sets the maximum number of queued requests to N. A request is queued
# when no existing child can accept it due to concurrency limit and no
# new child can be started due to numberofchildren limit. The default
# maximum is 2*numberofchildren. If the queued requests exceed queue
# size and redirector_bypass configuration option is set, then
# redirector is bypassed. Otherwise, Squid is allowed to temporarily
# exceed the configured maximum, marking the affected helper as
# „overloaded”. If the helper overload lasts more than 3 minutes, the
# action prescribed by the on-persistent-overload option applies.
#
# on-persistent-overload=action
#
# Specifies Squid reaction to a new helper request arriving when the helper
# has been overloaded for more than 3 minutes already. The number of queued
# requests determines whether the helper is overloaded (see the queue-size
# option).
#
# Two actions are supported:
#
# die Squid worker quits. This is the default behavior.
#
# ERR Squid treats the helper request as if it was
# immediately submitted, and the helper immediately
# replied with an ERR response. This action has no effect
# on the already queued and in-progress helper requests.
#Default:
# store_id_children 20 startup=0 idle=1 concurrency=0
# TAG: store_id_access
# If defined, this access list specifies which requests are
# sent to the StoreID processes. By default all requests
# are sent.
#
# This clause supports both fast and slow acl types.
# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#Default:
# Allow, unless rules exist in squid.conf.
# TAG: store_id_bypass
# When this is ‘on’, a request will not go through the
# helper if all helpers are busy. If this is ‘off’ and the helper
# queue grows too large, the action is prescribed by the
# on-persistent-overload option. You should only enable this if the
# helpers are not critical to your caching system. If you use
# helpers for critical caching components, and you enable this
# option, users may not get objects from cache.
# This option sets the default queue-size option of store_id_children
# to 0.
#Default:
# store_id_bypass on
# OPTIONS FOR TUNING THE CACHE
# —————————————————————————–
# TAG: cache
# Requests denied by this directive will not be served from the cache
# and their responses will not be stored in the cache. This directive
# has no effect on other transactions and on already cached responses.
#
# This clause supports both fast and slow acl types.
# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#
# This and the two other similar caching directives listed below are
# checked at different transaction processing stages, have different
# access to response information, affect different cache operations,
# and differ in slow ACLs support:
#
# * cache: Checked before Squid makes a hit/miss determination.
# No access to reply information!
# Denies both serving a hit and storing a miss.
# Supports both fast and slow ACLs.
# * send_hit: Checked after a hit was detected.
# Has access to reply (hit) information.
# Denies serving a hit only.
# Supports fast ACLs only.
# * store_miss: Checked before storing a cachable miss.
# Has access to reply (miss) information.
# Denies storing a miss only.
# Supports fast ACLs only.
#
# If you are not sure which of the three directives to use, apply the
# following decision logic:
#
# * If your ACL(s) are of slow type _and_ need response info, redesign.
# Squid does not support that particular combination at this time.
# Otherwise:
# * If your directive ACL(s) are of slow type, use „cache”; and/or
# * if your directive ACL(s) need no response info, use „cache”.
# Otherwise:
# * If you do not want the response cached, use store_miss; and/or
# * if you do not want a hit on a cached response, use send_hit.
#Default:
# By default, this directive is unused and has no effect.
# TAG: send_hit
# Responses denied by this directive will not be served from the cache
# (but may still be cached, see store_miss). This directive has no
# effect on the responses it allows and on the cached objects.
#
# Please see the „cache” directive for a summary of differences among
# store_miss, send_hit, and cache directives.
#
# Unlike the „cache” directive, send_hit only supports fast acl
# types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#
# For example:
#
# # apply custom Store ID mapping to some URLs
# acl MapMe dstdomain .c.example.com
# store_id_program …
# store_id_access allow MapMe
#
# # but prevent caching of special responses
# # such as 302 redirects that cause StoreID loops
# acl Ordinary http_status 200-299
# store_miss deny MapMe !Ordinary
#
# # and do not serve any previously stored special responses
# # from the cache (in case they were already cached before
# # the above store_miss rule was in effect).
# send_hit deny MapMe !Ordinary
#Default:
# By default, this directive is unused and has no effect.
# TAG: store_miss
# Responses denied by this directive will not be cached (but may still
# be served from the cache, see send_hit). This directive has no
# effect on the responses it allows and on the already cached responses.
#
# Please see the „cache” directive for a summary of differences among
# store_miss, send_hit, and cache directives. See the
# send_hit directive for a usage example.
#
# Unlike the „cache” directive, store_miss only supports fast acl
# types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#Default:
# By default, this directive is unused and has no effect.
# TAG: max_stale time-units
# This option puts an upper limit on how stale content Squid
# will serve from the cache if cache validation fails.
# Can be overridden by the refresh_pattern max-stale option.
#Default:
# max_stale 1 week
# TAG: refresh_pattern
# usage: refresh_pattern [-i] regex min percent max [options]
#
# By default, regular expressions are CASE-SENSITIVE. To make
# them case-insensitive, use the -i option.
#
# ‘Min’ is the time (in minutes) an object without an explicit
# expiry time should be considered fresh. The recommended
# value is 0; any higher value may cause dynamic applications
# to be erroneously cached unless the application designer
# has taken the appropriate actions.
#
# ‘Percent’ is the percentage of the object's age (time since last
# modification) for which an object without an explicit expiry time
# will be considered fresh.
#
# ‘Max’ is an upper limit on how long objects without an explicit
# expiry time will be considered fresh. The value is also used
# to form Cache-Control: max-age header for a request sent from
# Squid to origin/parent.
#
# options: override-expire
# override-lastmod
# reload-into-ims
# ignore-reload
# ignore-no-store
# ignore-private
# max-stale=NN
# refresh-ims
# store-stale
#
# override-expire enforces min age even if the server
# sent an explicit expiry time (e.g., with the
# Expires: header or Cache-Control: max-age). Doing this
# VIOLATES the HTTP standard. Enabling this feature
# could make you liable for problems which it causes.
#
# Note: override-expire does not enforce staleness - it only extends
# freshness / min. If the server returns an Expires time which
# is longer than your max time, Squid will still consider
# the object fresh for that period of time.
#
# override-lastmod enforces min age even on objects
# that were modified recently.
#
# reload-into-ims changes a client no-cache or „reload”
# request for a cached entry into a conditional request using
# If-Modified-Since and/or If-None-Match headers, provided the
# cached entry has a Last-Modified and/or a strong ETag header.
# Doing this VIOLATES the HTTP standard. Enabling this feature
# could make you liable for problems which it causes.
#
# ignore-reload ignores a client no-cache or „reload”
# header. Doing this VIOLATES the HTTP standard. Enabling
# this feature could make you liable for problems which
# it causes.
#
# ignore-no-store ignores any „Cache-control: no-store”
# headers received from a server. Doing this VIOLATES
# the HTTP standard. Enabling this feature could make you
# liable for problems which it causes.
#
# ignore-private ignores any „Cache-control: private”
# headers received from a server. Doing this VIOLATES
# the HTTP standard. Enabling this feature could make you
# liable for problems which it causes.
#
# refresh-ims causes squid to contact the origin server
# when a client issues an If-Modified-Since request. This
# ensures that the client will receive an updated version
# if one is available.
#
# store-stale stores responses even if they don’t have explicit
# freshness or a validator (i.e., Last-Modified or an ETag)
# present, or if they’re already stale. By default, Squid will
# not cache such responses because they usually can’t be
# reused. Note that such responses will be stale by default.
#
# max-stale=NN provides a maximum staleness factor. Squid won’t
# serve objects more stale than this even if it failed to
# validate the object. Default: use the max_stale global limit.
#
# Basically a cached object is:
#
# FRESH if expire > now, else STALE
# STALE if age > max
# FRESH if lm-factor < percent, else STALE
# FRESH if age < min
# else STALE
#
# The refresh_pattern lines are checked in the order listed here.
# The first entry which matches is used. If none of the entries
# match the default will be used.
#
# Note, you must uncomment all the default lines if you want
# to change one. The default setting is only active if none is
# used.
#
#
#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
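# Added example (not part of the Squid distribution): the freshness summary and
# first-match rule selection described above, applied to the four default lines.
# It follows the documented summary only; lm-factor is taken here as
# age / (time stored - Last-Modified), which is an assumption of this sketch.

```python
import re

# The four default rules from this file, in file order:
# (regex, regex flags, min minutes, percent, max minutes)
DEFAULT_RULES = [
    (r"^ftp:", 0, 1440, 20, 10080),
    (r"^gopher:", 0, 1440, 0, 1440),
    (r"(/cgi-bin/|\?)", re.IGNORECASE, 0, 0, 0),   # the -i line
    (r".", 0, 0, 20, 4320),
]


def select_rule(url, rules=DEFAULT_RULES):
    """Return the first rule whose regex matches the URL (first match wins)."""
    for rule in rules:
        if re.search(rule[0], url, rule[1]):
            return rule
    return None


def is_fresh(url, now, stored_at, expires=None, last_modified=None,
             rules=DEFAULT_RULES):
    """Apply the documented summary; all times are epoch seconds.

    No refresh_pattern options (override-expire etc.) are modelled.
    """
    rule = select_rule(url, rules)
    if rule is None:
        return False          # simplification: unmatched URLs count as stale
    _, _, min_minutes, percent, max_minutes = rule
    age = now - stored_at

    if expires is not None:                 # FRESH if expire > now, else STALE
        return expires > now
    if age > max_minutes * 60:              # STALE if age > max
        return False
    if last_modified is not None and stored_at > last_modified:
        # Assumption: lm-factor = age / (time stored - Last-Modified)
        lm_factor = age / (stored_at - last_modified)
        return lm_factor < percent / 100.0  # FRESH if lm-factor < percent
    return age < min_minutes * 60           # FRESH if age < min, else STALE


def misordered_rules():
    """Constructed mistake: the catch-all '.' rule placed above the CGI rule."""
    return [DEFAULT_RULES[3]] + DEFAULT_RULES[:3]
```

# With the default order, a query-string URL without explicit expiry is always
# stale; with the catch-all rule moved to the top, the same cached response is
# treated as fresh, which is how dynamic content ends up served from cache.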
# TAG: quick_abort_min (KB)
#Default:
# quick_abort_min 16 KB
# TAG: quick_abort_max (KB)
#Default:
# quick_abort_max 16 KB
# TAG: quick_abort_pct (percent)
# The cache by default continues downloading aborted requests
# which are almost completed (less than 16 KB remaining). This
# may be undesirable on slow (e.g. SLIP) links and/or very busy
# caches. Impatient users may tie up file descriptors and
# bandwidth by repeatedly requesting and immediately aborting
# downloads.
#
# When the user aborts a request, Squid will check the
# quick_abort values against the amount of data transferred until
# then.
#
# If the transfer has less than ‘quick_abort_min’ KB remaining,
# it will finish the retrieval.
#
# If the transfer has more than ‘quick_abort_max’ KB remaining,
# it will abort the retrieval.
#
# If more than ‘quick_abort_pct’ of the transfer has completed,
# it will finish the retrieval.
#
# If you do not want any retrieval to continue after the client
# has aborted, set both ‘quick_abort_min’ and ‘quick_abort_max’
# to ‘0 KB’.
#
# If you want retrievals to always continue if they are being
# cached set ‘quick_abort_min’ to ‘-1 KB’.
#Default:
# quick_abort_pct 95
# TAG: read_ahead_gap buffer-size
# The amount of data the cache will buffer ahead of what has been
# sent to the client when retrieving an object from another server.
#Default:
# read_ahead_gap 16 KB
# TAG: negative_ttl time-units
# Set the Default Time-to-Live (TTL) for failed requests.
# Certain types of failures (such as „connection refused” and
# „404 Not Found”) are able to be negatively-cached for a short time.
# Modern web servers should provide an Expires: header; however, if they
# do not, this can provide a minimum TTL.
# The default is not to cache errors with unknown expiry details.
#
# Note that this is different from negative caching of DNS lookups.
#
# WARNING: Doing this VIOLATES the HTTP standard. Enabling
# this feature could make you liable for problems which it
# causes.
#Default:
# negative_ttl 0 seconds
# TAG: positive_dns_ttl time-units
# Upper limit on how long Squid will cache positive DNS responses.
# Default is 6 hours (360 minutes). This directive must be set
# larger than negative_dns_ttl.
#Default:
# positive_dns_ttl 6 hours
# TAG: negative_dns_ttl time-units
# Time-to-Live (TTL) for negative caching of failed DNS lookups.
# This also sets the lower cache limit on positive lookups.
# Minimum value is 1 second, and it is not recommended to go
# much below 10 seconds.
#Default:
# negative_dns_ttl 1 minutes
# TAG: range_offset_limit size [acl acl…]
# usage: (size) [units] [[!]aclname]
#
# Sets an upper limit on how far (number of bytes) into the file
# a Range request may be to cause Squid to prefetch the whole file.
# If beyond this limit, Squid forwards the Range request as it is and
# the result is NOT cached.
#
# This is to stop a far-ahead range request (let's say start at 17MB)
# from making Squid fetch the whole object up to that point before
# sending anything to the client.
#
# Multiple range_offset_limit lines may be specified, and they will
# be searched from top to bottom on each request until a match is found.
# The first match found will be used. If no line matches a request, the
# default limit of 0 bytes will be used.
#
# ‘size’ is the limit specified as a number of units.
#
# ‘units’ specifies whether to use bytes, KB, MB, etc.
# If no units are specified bytes are assumed.
#
# A size of 0 causes Squid to never fetch more than the
# client requested. (default)
#
# A size of ‘none’ causes Squid to always fetch the object from the
# beginning so it may cache the result. (2.0 style)
#
# ‘aclname’ is the name of a defined ACL.
#
# NP: Using ‘none’ as the byte value here will override any quick_abort settings
# that may otherwise apply to the range request. The range request will
# be fully fetched from start to finish regardless of the client
# actions. This affects bandwidth usage.
#Default:
# none
# TAG: minimum_expiry_time (seconds)
# The minimum caching time according to (Expires - Date)
# headers Squid honors if the object can’t be revalidated.
# The default is 60 seconds.
#
# In reverse proxy environments it might be desirable to honor
# shorter object lifetimes. It is most likely better to make
# your server return a meaningful Last-Modified header however.
#
# In ESI environments where page fragments often have short
# lifetimes, this will often be best set to 0.
#Default:
# minimum_expiry_time 60 seconds
# TAG: store_avg_object_size (bytes)
# Average object size, used to estimate number of objects your
# cache can hold. The default is 13 KB.
#
# This is used to pre-seed the cache index memory allocation to
# reduce expensive reallocate operations while handling client
# traffic. Too-large values may result in memory allocation during
# peak traffic, too-small values will result in wasted memory.
#
# Check the cache manager ‘info’ report metrics for the real
# object sizes seen by your Squid before tuning this.
#Default:
# store_avg_object_size 13 KB
# TAG: store_objects_per_bucket
# Target number of objects per bucket in the store hash table.
# Lowering this value increases the total number of buckets and
# also the storage maintenance rate. The default is 20.
#Default:
# store_objects_per_bucket 20
# HTTP OPTIONS
# -----------------------------------------------------------------------------
# TAG: request_header_max_size (KB)
# This directive limits the header size of a received HTTP request
# (including request-line). Increasing this limit beyond its 64 KB default
# exposes certain old Squid code to various denial-of-service attacks. This
# limit also applies to received FTP commands.
#
# This limit has no direct effect on Squid memory consumption.
#
# Squid does not check this limit when sending requests.
#Default:
# request_header_max_size 64 KB
# TAG: reply_header_max_size (KB)
# This directive limits the header size of a received HTTP response
# (including status-line). Increasing this limit beyond its 64 KB default
# exposes certain old Squid code to various denial-of-service attacks. This
# limit also applies to FTP command responses.
#
# Squid also checks this limit when loading hit responses from disk cache.
#
# Squid does not check this limit when sending responses.
#Default:
# reply_header_max_size 64 KB
# TAG: request_body_max_size (bytes)
# This specifies the maximum size for an HTTP request body.
# In other words, the maximum size of a PUT/POST request.
# A user who attempts to send a request with a body larger
# than this limit receives an „Invalid Request” error message.
# If you set this parameter to a zero (the default), there will
# be no limit imposed.
#
# See also client_request_buffer_max_size for an alternative
# limitation on client uploads which can be configured.
#Default:
# No limit.
# TAG: client_request_buffer_max_size (bytes)
# This specifies the maximum buffer size of a client request.
# It prevents Squid from eating too much memory when somebody uploads
# a large file.
#Default:
# client_request_buffer_max_size 512 KB
# TAG: broken_posts
# A list of ACL elements which, if matched, causes Squid to send
# an extra CRLF pair after the body of a PUT/POST request.
#
# Some HTTP servers have broken implementations of PUT/POST,
# and rely on an extra CRLF pair sent by some WWW clients.
#
# Quote from RFC2616 section 4.1 on this matter:
#
# Note: certain buggy HTTP/1.0 client implementations generate an
# extra CRLF’s after a POST request. To restate what is explicitly
# forbidden by the BNF, an HTTP/1.1 client must not preface or follow
# a request with an extra CRLF.
#
# This clause only supports fast acl types.
# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#
#Example:
# acl buggy_server url_regex ^http://….
# broken_posts allow buggy_server
#Default:
# Obey RFC 2616.
# TAG: adaptation_uses_indirect_client on|off
# Controls whether the indirect client IP address (instead of the direct
# client IP address) is passed to adaptation services.
#
# See also: follow_x_forwarded_for adaptation_send_client_ip
#Default:
# adaptation_uses_indirect_client on
# TAG: via on|off
# If set (default), Squid will include a Via header in requests and
# replies as required by RFC2616.
#Default:
# via on
# TAG: vary_ignore_expire on|off
# Many HTTP servers supporting Vary give such objects
# an immediate expiry time with no cache-control header
# when requested by an HTTP/1.0 client. This option
# enables Squid to ignore such expiry times until
# HTTP/1.1 is fully implemented.
#
# WARNING: If turned on this may eventually cause some
# varying objects not intended for caching to get cached.
#Default:
# vary_ignore_expire off
# TAG: request_entities
# Squid defaults to denying GET and HEAD requests with request entities,
# as the meaning of such requests is undefined in the HTTP standard
# even if not explicitly forbidden.
#
# Set this directive to on if you have clients which insist
# on sending request entities in GET or HEAD requests. But be warned
# that there is server software (both proxies and web servers) which
# can fail to properly process this kind of request which may make you
# vulnerable to cache pollution attacks if enabled.
#Default:
# request_entities off
# TAG: request_header_access
# Usage: request_header_access header_name allow|deny [!]aclname …
#
# WARNING: Doing this VIOLATES the HTTP standard. Enabling
# this feature could make you liable for problems which it
# causes.
#
# This option replaces the old ‘anonymize_headers’ and the
# older ‘http_anonymizer’ option with something that is much
# more configurable. A list of ACLs for each header name allows
# removal of specific header fields under specific conditions.
#
# This option only applies to outgoing HTTP request headers (i.e.,
# headers sent by Squid to the next HTTP hop such as a cache peer
# or an origin server). The option has no effect during cache hit
# detection. The equivalent adaptation vectoring point in ICAP
# terminology is post-cache REQMOD.
#
# The option is applied to individual outgoing request header
# fields. For each request header field F, Squid uses the first
# qualifying set of request_header_access rules:
#
# 1. Rules with header_name equal to F’s name.
# 2. Rules with header_name ‘Other’, provided F’s name is not
# on the hard-coded list of commonly used HTTP header names.
# 3. Rules with header_name ‘All’.
#
# Within that qualifying rule set, rule ACLs are checked as usual.
# If ACLs of an „allow” rule match, the header field is allowed to
# go through as is. If ACLs of a „deny” rule match, the header is
# removed and request_header_replace is then checked to identify
# if the removed header has a replacement. If no rules within the
# set have matching ACLs, the header field is left as is.
#
# For example, to achieve the same behavior as the old
# ‘http_anonymizer standard’ option, you should use:
#
# request_header_access From deny all
# request_header_access Referer deny all
# request_header_access User-Agent deny all
#
# Or, to reproduce the old ‘http_anonymizer paranoid’ feature
# you should use:
#
# request_header_access Authorization allow all
# request_header_access Proxy-Authorization allow all
# request_header_access Cache-Control allow all
# request_header_access Content-Length allow all
# request_header_access Content-Type allow all
# request_header_access Date allow all
# request_header_access Host allow all
# request_header_access If-Modified-Since allow all
# request_header_access Pragma allow all
# request_header_access Accept allow all
# request_header_access Accept-Charset allow all
# request_header_access Accept-Encoding allow all
# request_header_access Accept-Language allow all
# request_header_access Connection allow all
# request_header_access All deny all
#
# HTTP reply headers are controlled with the reply_header_access directive.
#
# By default, all headers are allowed (no anonymizing is performed).
#Default:
# No limits.
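# Added example (not Squid's own code): a model of the rule-set selection
# documented for request_header_access, showing that a header with its own rule
# set never falls through to the 'All' rules. ACL results are passed in as a
# dict of booleans, and KNOWN_HEADERS is a constructed stand-in for the
# hard-coded list, which this page does not reproduce.

```python
# Constructed stand-in for the hard-coded list of commonly used header names.
KNOWN_HEADERS = {"accept", "authorization", "cache-control", "connection",
                 "content-length", "content-type", "date", "from", "host",
                 "pragma", "referer", "user-agent", "via", "x-forwarded-for"}

# The 'http_anonymizer paranoid' equivalent listed above.
PARANOID = "\n".join(
    f"request_header_access {name} allow all" for name in (
        "Authorization", "Proxy-Authorization", "Cache-Control",
        "Content-Length", "Content-Type", "Date", "Host",
        "If-Modified-Since", "Pragma", "Accept", "Accept-Charset",
        "Accept-Encoding", "Accept-Language", "Connection")
) + "\nrequest_header_access All deny all"


def parse_rules(text):
    """Parse 'request_header_access NAME allow|deny ACL...' lines."""
    rules = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 4 and parts[0] == "request_header_access":
            rules.append((parts[1].lower(), parts[2], parts[3:]))
    return rules


def acl_matches(names, acls):
    """Every ACL on a rule must match; a leading '!' negates one."""
    for name in names:
        negate = name.startswith("!")
        if acls[name.lstrip("!")] == negate:
            return False
    return True


def decide(header, rules, acls):
    """Return 'allow', 'deny' or 'unchanged' for one outgoing header field."""
    name = header.lower()
    tiers = [name]
    if name not in KNOWN_HEADERS:
        tiers.append("other")
    tiers.append("all")
    for tier in tiers:
        rule_set = [r for r in rules if r[0] == tier]
        if not rule_set:
            continue              # no rules here, so this set does not qualify
        for _, action, acl_names in rule_set:
            if acl_matches(acl_names, acls):
                return action
        return "unchanged"        # qualifying set found, but no ACL matched
    return "unchanged"


def filter_headers(headers, rules, acls):
    """Drop every header field whose decision is 'deny'."""
    return {k: v for k, v in headers.items()
            if decide(k, rules, acls) != "deny"}
```

# A rule such as 'request_header_access User-Agent allow localnet' followed by
# 'request_header_access All deny all' leaves User-Agent untouched for clients
# outside localnet; add an explicit 'User-Agent deny all' line to close that gap.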