# TAG: reply_header_access
# Usage: reply_header_access header_name allow|deny [!]aclname ...
#
# WARNING: Doing this VIOLATES the HTTP standard. Enabling
# this feature could make you liable for problems which it
# causes.
#
# This option only applies to reply headers, i.e., from the
# server to the client.
#
# This is the same as request_header_access, but in the other
# direction. Please see request_header_access for detailed
# documentation.
#
# For example, to achieve the same behavior as the old
# 'http_anonymizer standard' option, you should use:
#
# reply_header_access Server deny all
# reply_header_access WWW-Authenticate deny all
# reply_header_access Link deny all
#
# Or, to reproduce the old 'http_anonymizer paranoid' feature
# you should use:
#
# reply_header_access Allow allow all
# reply_header_access WWW-Authenticate allow all
# reply_header_access Proxy-Authenticate allow all
# reply_header_access Cache-Control allow all
# reply_header_access Content-Encoding allow all
# reply_header_access Content-Length allow all
# reply_header_access Content-Type allow all
# reply_header_access Date allow all
# reply_header_access Expires allow all
# reply_header_access Last-Modified allow all
# reply_header_access Location allow all
# reply_header_access Pragma allow all
# reply_header_access Content-Language allow all
# reply_header_access Retry-After allow all
# reply_header_access Title allow all
# reply_header_access Content-Disposition allow all
# reply_header_access Connection allow all
# reply_header_access All deny all
#
# HTTP request headers are controlled with the request_header_access directive.
#
# By default, all headers are allowed (no anonymizing is
# performed).
#Default:
# No limits.
# TAG: request_header_replace
# Usage: request_header_replace header_name message
# Example: request_header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit)
#
# This option allows you to change the contents of headers
# denied with request_header_access above, by replacing them
# with some fixed string.
#
# This only applies to request headers, not reply headers.
#
# By default, headers are removed if denied.
#Default:
# none
# TAG: reply_header_replace
# Usage: reply_header_replace header_name message
# Example: reply_header_replace Server Foo/1.0
#
# This option allows you to change the contents of headers
# denied with reply_header_access above, by replacing them
# with some fixed string.
#
# This only applies to reply headers, not request headers.
#
# By default, headers are removed if denied.
#Default:
# none
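The allow/deny evaluation described under reply_header_access, together with the reply_header_replace behaviour of substituting a fixed string for a denied field, as an added Python model. It is not Squid source or configuration: the rule sets are transcribed from the two examples above, the origin reply headers are constructed, and the ACL engine is reduced to the set of ACL names that match the transaction ("all" always matches, "!name" negates). Squid's extra "Other" catch-all for non-standard header names is not modelled.

```python
"""Model of Squid's reply_header_access / reply_header_replace semantics.

Added illustration, not Squid source. Each AccessRule is one squid.conf
line "reply_header_access <header> allow|deny <acl>...". ACLs are reduced
to the set of names that match the transaction; "all" always matches and
"!name" negates, so the real ACL engine is out of scope.
"""
from typing import Dict, List, Set, Tuple

Header = Tuple[str, str]


class AccessRule:
    def __init__(self, header: str, action: str, *acls: str) -> None:
        if action not in ("allow", "deny"):
            raise ValueError("action must be allow or deny")
        self.header = header
        self.allow = action == "allow"
        self.acls = list(acls)


def acls_match(acls: List[str], matched: Set[str]) -> bool:
    """Every ACL on a squid.conf line must be satisfied (logical AND)."""
    for acl in acls:
        negate = acl.startswith("!")
        name = acl[1:] if negate else acl
        hit = name == "all" or name in matched
        if hit == negate:
            return False
    return True


def header_allowed(name: str, rules: List[AccessRule], matched: Set[str]) -> bool:
    """Decide whether reply header `name` may pass to the client.

    The rules naming this header form the qualifying set; if there are
    none, the catch-all "All" rules apply. Within that set the first
    matching rule wins; if none matches, the answer is the opposite of
    the last rule (the usual squid.conf access-list convention). With
    no qualifying rules at all the header is allowed (no anonymizing).
    """
    lname = name.lower()
    rule_set = [r for r in rules if r.header.lower() == lname]
    if not rule_set:
        rule_set = [r for r in rules if r.header.lower() == "all"]
    if not rule_set:
        return True
    for rule in rule_set:
        if acls_match(rule.acls, matched):
            return rule.allow
    return not rule_set[-1].allow


def filter_reply_headers(headers: List[Header], rules: List[AccessRule],
                         replacements: Dict[str, str], matched: Set[str]) -> List[Header]:
    """Apply the rules to (name, value) pairs in order.

    A denied header is removed, unless a reply_header_replace entry
    exists for it, in which case its value becomes the fixed string.
    """
    repl = {k.lower(): v for k, v in replacements.items()}
    out: List[Header] = []
    for name, value in headers:
        if header_allowed(name, rules, matched):
            out.append((name, value))
        elif name.lower() in repl:
            out.append((name, repl[name.lower()]))
    return out


# Rule sets transcribed from the 'standard' and 'paranoid' examples above.
STANDARD = [AccessRule(h, "deny", "all") for h in ("Server", "WWW-Authenticate", "Link")]
PARANOID_KEEP = ("Allow", "WWW-Authenticate", "Proxy-Authenticate", "Cache-Control",
                 "Content-Encoding", "Content-Length", "Content-Type", "Date", "Expires",
                 "Last-Modified", "Location", "Pragma", "Content-Language", "Retry-After",
                 "Title", "Content-Disposition", "Connection")
PARANOID = [AccessRule(h, "allow", "all") for h in PARANOID_KEEP] + [AccessRule("All", "deny", "all")]

# Constructed origin-server reply headers for the demonstration.
SAMPLE_REPLY: List[Header] = [
    ("Server", "ExampleHTTPd/9.9"),
    ("Content-Type", "text/html"),
    ("Content-Length", "1234"),
    ("X-Powered-By", "ExampleFramework/1.2"),
    ("Link", "</style.css>; rel=preload"),
]


def anonymize(headers: List[Header], mode: str, replacements: Dict[str, str] = None) -> List[Header]:
    """Run the 'standard' or 'paranoid' rule set, with optional reply_header_replace strings."""
    rules = STANDARD if mode == "standard" else PARANOID
    return filter_reply_headers(headers, rules, replacements or {}, set())


if __name__ == "__main__":
    for mode in ("standard", "paranoid"):
        print(mode, anonymize(SAMPLE_REPLY, mode))
    print("replace", anonymize(SAMPLE_REPLY, "standard", {"Server": "Foo/1.0"}))
```

The paranoid run shows why the "All deny all" line matters: a non-standard header such as X-Powered-By, which the standard set leaves untouched, is stripped because no specific rule names it. The replace run shows that reply_header_replace only takes effect on a header that an access rule has already denied.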
# TAG: request_header_add
# Usage: request_header_add field-name field-value [ acl ... ]
# Example: request_header_add X-Client-CA "CA=%ssl::>cert_issuer" all
#
# This option adds header fields to outgoing HTTP requests (i.e.,
# request headers sent by Squid to the next HTTP hop such as a
# cache peer or an origin server). The option has no effect during
# cache hit detection. The equivalent adaptation vectoring point
# in ICAP terminology is post-cache REQMOD.
#
# Field-name is a token specifying an HTTP header name. If a
# standard HTTP header name is used, Squid does not check whether
# the new header conflicts with any existing headers or violates
# HTTP rules. If the request to be modified already contains a
# field with the same name, the old field is preserved but the
# header field values are not merged.
#
# Field-value is either a token or a quoted string. If quoted
# string format is used, then the surrounding quotes are removed
# while escape sequences and %macros are processed.
#
# One or more Squid ACLs may be specified to restrict header
# injection to matching requests. As always in squid.conf, all
# ACLs in the ACL list must be satisfied for the insertion to
# happen. The request_header_add supports fast ACLs only.
#
# See also: reply_header_add.
#Default:
# none
# TAG: reply_header_add
# Usage: reply_header_add field-name field-value [ acl ... ]
# Example: reply_header_add X-Client-CA "CA=%ssl::>cert_issuer" all
#
# This option adds header fields to outgoing HTTP responses (i.e., response
# headers delivered by Squid to the client). This option has no effect on
# cache hit detection. The equivalent adaptation vectoring point in
# ICAP terminology is post-cache RESPMOD. This option does not apply to
# successful CONNECT replies.
#
# Field-name is a token specifying an HTTP header name. If a
# standard HTTP header name is used, Squid does not check whether
# the new header conflicts with any existing headers or violates
# HTTP rules. If the response to be modified already contains a
# field with the same name, the old field is preserved but the
# header field values are not merged.
#
# Field-value is either a token or a quoted string. If quoted
# string format is used, then the surrounding quotes are removed
# while escape sequences and %macros are processed.
#
# One or more Squid ACLs may be specified to restrict header
# injection to matching responses. As always in squid.conf, all
# ACLs in the ACL list must be satisfied for the insertion to
# happen. The reply_header_add option supports fast ACLs only.
#
# See also: request_header_add.
#Default:
# none
# TAG: note
# This option used to log custom information about the master
# transaction. For example, an admin may configure Squid to log
# which "user group" the transaction belongs to, where "user group"
# will be determined based on a set of ACLs and not [just]
# authentication information.
# Values of key/value pairs can be logged using %{key}note macros:
#
# note key value acl ...
# logformat myFormat ... %{key}note ...
#
# This clause only supports fast acl types.
# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#Default:
# none
# TAG: relaxed_header_parser on|off|warn
# In the default "on" setting Squid accepts certain forms
# of non-compliant HTTP messages where it is unambiguous
# what the sending application intended even if the message
# is not correctly formatted. The message is then normalized
# to the correct form when forwarded by Squid.
#
# If set to "warn" then a warning will be emitted in cache.log
# each time such an HTTP error is encountered.
#
# If set to "off" then such HTTP errors will cause the request
# or response to be rejected.
#Default:
# relaxed_header_parser on
# TAG: collapsed_forwarding (on|off)
# This option controls whether Squid is allowed to merge multiple
# potentially cachable requests for the same URI before Squid knows
# whether the response is going to be cachable.
#
# When enabled, instead of forwarding each concurrent request for
# the same URL, Squid just sends the first of them. The other, so
# called "collapsed" requests, wait for the response to the first
# request and, if it happens to be cachable, use that response.
# Here, "concurrent requests" means "received after the first
# request headers were parsed and before the corresponding response
# headers were parsed".
#
# This feature is disabled by default: enabling collapsed
# forwarding needlessly delays forwarding requests that look
# cachable (when they are collapsed) but then need to be forwarded
# individually anyway because they end up being for uncachable
# content. However, in some cases, such as acceleration of highly
# cachable content with periodic or grouped expiration times, the
# gains from collapsing [large volumes of simultaneous refresh
# requests] outweigh losses from such delays.
#
# Squid collapses two kinds of requests: regular client requests
# received on one of the listening ports and internal "cache
# revalidation" requests which are triggered by those regular
# requests hitting a stale cached object. Revalidation collapsing
# is currently disabled for Squid instances containing SMP-aware
# disk or memory caches and for Vary-controlled cached objects.
#Default:
# collapsed_forwarding off
# TAG: collapsed_forwarding_access
# Use this directive to restrict collapsed forwarding to a subset of
# eligible requests. The directive is checked for regular HTTP
# requests, internal revalidation requests, and HTCP/ICP requests.
#
# collapsed_forwarding_access allow|deny [!]aclname ...
#
# This directive cannot force collapsing. It has no effect on
# collapsing unless collapsed_forwarding is 'on', and all other
# collapsing preconditions are satisfied.
#
# * A denied request will not collapse, and future transactions will
# not collapse on it (even if they are allowed to collapse).
#
# * An allowed request may collapse, or future transactions may
# collapse on it (provided they are allowed to collapse).
#
# This directive is evaluated before receiving HTTP response headers
# and without access to Squid-to-peer connection (if any).
#
# Only fast ACLs are supported.
#
# See also: collapsed_forwarding.
#Default:
# Requests may be collapsed if collapsed_forwarding is on.
# TAG: shared_transient_entries_limit (number of entries)
# This directive limits the size of a table used for sharing current
# transaction information among SMP workers. A table entry stores meta
# information about a single cache entry being delivered to Squid
# client(s) by one or more SMP workers. A single table entry consumes
# less than 128 shared memory bytes.
#
# The limit should be significantly larger than the number of
# concurrent non-collapsed cachable responses leaving Squid. For a
# cache that handles less than 5000 concurrent requests, the default
# setting of 16384 should be plenty.
#
# Using excessively large values wastes shared memory. Limiting the
# table size too much results in hash collisions, leading to lower hit
# ratio and missed SMP request collapsing opportunities: Transactions
# left without a table entry cannot cache their responses and are
# invisible to other concurrent requests for the same resource.
#
# A zero limit is allowed but unsupported. A positive small limit
# lowers hit ratio, but zero limit disables a lot of essential
# synchronization among SMP workers, leading to HTTP violations (e.g.,
# stale hit responses). It also disables shared collapsed forwarding:
# A worker becomes unable to collapse its requests on transactions in
# other workers, resulting in more trips to the origin server and more
# cache thrashing.
#Default:
# shared_transient_entries_limit 16384
# TIMEOUTS
# -----------------------------------------------------------------------------
# TAG: forward_timeout time-units
# This parameter specifies the maximum time Squid spends trying to
# find a forwarding path for the request before giving up.
#Default:
# forward_timeout 4 minutes
# TAG: connect_timeout time-units
# This parameter specifies how long to wait for the TCP connect to
# the requested server or peer to complete before Squid should
# attempt to find another path where to forward the request.
#Default:
# connect_timeout 1 minute
# TAG: peer_connect_timeout time-units
# This parameter specifies how long to wait for a pending TCP
# connection to a peer cache. The default is 30 seconds. You
# may also set different timeout values for individual neighbors
# with the 'connect-timeout' option on a 'cache_peer' line.
#Default:
# peer_connect_timeout 30 seconds
# TAG: read_timeout time-units
# Applied on peer server connections.
#
# After each successful read(), the timeout will be extended by this
# amount. If no data is read again after this amount of time,
# the request is aborted and logged with ERR_READ_TIMEOUT.
#
# The default is 15 minutes.
#Default:
# read_timeout 15 minutes
# TAG: write_timeout time-units
# This timeout is tracked for all connections that have data
# available for writing and are waiting for the socket to become
# ready. After each successful write, the timeout is extended by
# the configured amount. If Squid has data to write but the
# connection is not ready for the configured duration, the
# transaction associated with the connection is terminated. The
# default is 15 minutes.
#Default:
# write_timeout 15 minutes
# TAG: request_timeout
# How long to wait for complete HTTP request headers after initial
# connection establishment.
#Default:
# request_timeout 5 minutes
# TAG: request_start_timeout
# How long to wait for the first request byte after initial
# connection establishment.
#Default:
# request_start_timeout 5 minutes
# TAG: client_idle_pconn_timeout
# How long to wait for the next HTTP request on a persistent
# client connection after the previous request completes.
#Default:
# client_idle_pconn_timeout 2 minutes
# TAG: ftp_client_idle_timeout
# How long to wait for an FTP request on a connection to Squid ftp_port.
# Many FTP clients do not deal with idle connection closures well,
# necessitating a longer default timeout than client_idle_pconn_timeout
# used for incoming HTTP requests.
#Default:
# ftp_client_idle_timeout 30 minutes
# TAG: client_lifetime time-units
# The maximum amount of time a client (browser) is allowed to
# remain connected to the cache process. This protects the Cache
# from having a lot of sockets (and hence file descriptors) tied up
# in a CLOSE_WAIT state from remote clients that go away without
# properly shutting down (either because of a network failure or
# because of a poor client implementation). The default is one
# day, 1440 minutes.
#
# NOTE: The default value is intended to be much larger than any
# client would ever need to be connected to your cache. You
# should probably change client_lifetime only as a last resort.
# If you seem to have many client connections tying up
# file descriptors, we recommend first tuning the read_timeout,
# request_timeout, persistent_request_timeout and quick_abort values.
#Default:
# client_lifetime 1 day
# TAG: pconn_lifetime time-units
# Desired maximum lifetime of a persistent connection.
# When set, Squid will close a now-idle persistent connection that
# exceeded configured lifetime instead of moving the connection into
# the idle connection pool (or equivalent). No effect on ongoing/active
# transactions. Connection lifetime is the time period from the
# connection acceptance or opening time until "now".
#
# This limit is useful in environments with long-lived connections
# where Squid configuration or environmental factors change during a
# single connection lifetime. If unrestricted, some connections may
# last for hours and even days, ignoring those changes that should
# have affected their behavior or their existence.
#
# Currently, a new lifetime value supplied via Squid reconfiguration
# has no effect on already idle connections unless they become busy.
#
# When set to '0' this limit is not used.
#Default:
# pconn_lifetime 0 seconds
# TAG: half_closed_clients
# Some clients may shutdown the sending side of their TCP
# connections, while leaving their receiving sides open. Sometimes,
# Squid can not tell the difference between a half-closed and a
# fully-closed TCP connection.
#
# By default, Squid will immediately close client connections when
# read(2) returns "no more data to read."
#
# Change this option to 'on' and Squid will keep open connections
# until a read(2) or write(2) on the socket returns an error.
# This may show some benefits for reverse proxies. If it does not,
# it is recommended to leave it OFF.
#Default:
# half_closed_clients off
# TAG: server_idle_pconn_timeout
# Timeout for idle persistent connections to servers and other
# proxies.
#Default:
# server_idle_pconn_timeout 1 minute
# TAG: ident_timeout
# Maximum time to wait for IDENT lookups to complete.
#
# If this is too high, and you enabled IDENT lookups from untrusted
# users, you might be susceptible to denial-of-service by having
# many ident requests going at once.
#Default:
# ident_timeout 10 seconds
# TAG: shutdown_lifetime time-units
# When SIGTERM or SIGHUP is received, the cache is put into
# "shutdown pending" mode until all active sockets are closed.
# This value is the lifetime to set for all open descriptors
# during shutdown mode. Any active clients after this many
# seconds will receive a 'timeout' message.
#Default:
# shutdown_lifetime 30 seconds
# ADMINISTRATIVE PARAMETERS
# -----------------------------------------------------------------------------
# TAG: cache_mgr
# Email-address of local cache manager who will receive
# mail if the cache dies. The default is "webmaster".
#Default:
# cache_mgr webmaster
# TAG: mail_from
# From: email-address for mail sent when the cache dies.
# The default is to use 'squid@unique_hostname'.
#
# See also: unique_hostname directive.
#Default:
# none
# TAG: mail_program
# Email program used to send mail if the cache dies.
# The default is "mail". The specified program must comply
# with the standard Unix mail syntax:
# mail-program recipient < mailfile
#
# Optional command line options can be specified.
#Default:
# mail_program mail
# TAG: cache_effective_user
# If you start Squid as root, it will change its effective/real
# UID/GID to the user specified below. The default is to change
# to UID of proxy.
# See also: cache_effective_group
#Default:
# cache_effective_user proxy
cache_effective_user proxy
# TAG: cache_effective_group
# Squid sets the GID to the effective user's default group ID
# (taken from the password file) and supplementary group list
# from the groups membership.
#
# If you want Squid to run with a specific GID regardless of
# the group memberships of the effective user then set this
# to the group (or GID) you want Squid to run as. When set
# all other group privileges of the effective user are ignored
# and only this GID is effective. If Squid is not started as
# root the user starting Squid MUST be member of the specified
# group.
#
# This option is not recommended by the Squid Team.
# Our preference is for administrators to configure a secure
# user account for squid with UID/GID matching system policies.
#Default:
# Use system group memberships of the cache_effective_user account
# TAG: httpd_suppress_version_string on|off
# Suppress Squid version string info in HTTP headers and HTML error pages.
#Default:
# httpd_suppress_version_string off
# TAG: visible_hostname
# If you want to present a special hostname in error messages, etc.,
# define this. Otherwise, the return value of gethostname()
# will be used. If you have multiple caches in a cluster and
# get errors about IP-forwarding you must set them to have individual
# names with this setting.
#Default:
# Automatically detect the system host name
# TAG: unique_hostname
# If you want to have multiple machines with the same
# 'visible_hostname' you must give each machine a different
# 'unique_hostname' so forwarding loops can be detected.
#Default:
# Copy the value from visible_hostname
# TAG: hostname_aliases
# A list of other DNS names your cache has.
#Default:
# none
# TAG: umask
# Minimum umask which should be enforced while the proxy
# is running, in addition to the umask set at startup.
#
# For a traditional octal representation of umasks, start
# your value with 0.
#Default:
# umask 027
# OPTIONS FOR THE CACHE REGISTRATION SERVICE
# -----------------------------------------------------------------------------
#
# This section contains parameters for the (optional) cache
# announcement service. This service is provided to help
# cache administrators locate one another in order to join or
# create cache hierarchies.
#
# An 'announcement' message is sent (via UDP) to the registration
# service by Squid. By default, the announcement message is NOT
# SENT unless you enable it with 'announce_period' below.
#
# The announcement message includes your hostname, plus the
# following information from this configuration file:
#
# http_port
# icp_port
# cache_mgr
#
# All current information is processed regularly and made
# available on the Web at http://www.ircache.net/Cache/Tracker/.
# TAG: announce_period
# This is how frequently to send cache announcements.
#
# To enable announcing your cache, just set an announce period.
#
# Example:
# announce_period 1 day
#Default:
# Announcement messages disabled.
# TAG: announce_host
# Set the hostname where announce registration messages will be sent.
#
# See also announce_port and announce_file
#Default:
# announce_host tracker.ircache.net
# TAG: announce_file
# The contents of this file will be included in the announce
# registration messages.
#Default:
# none
# TAG: announce_port
# Set the port where announce registration messages will be sent.
#
# See also announce_host and announce_file
#Default:
# announce_port 3131
# HTTPD-ACCELERATOR OPTIONS
# -----------------------------------------------------------------------------
# TAG: httpd_accel_surrogate_id
# Surrogates (http://www.esi.org/architecture_spec_1.0.html)
# need an identification token to allow control targeting. Because
# a farm of surrogates may all perform the same tasks, they may share
# an identification token.
#
# When the surrogate is a reverse-proxy, this ID is also
# used as cdn-id for CDN-Loop detection (RFC 8586).
#Default:
# visible_hostname is used if no specific ID is set.
# TAG: http_accel_surrogate_remote on|off
# Remote surrogates (such as those in a CDN) honour the header
# "Surrogate-Control: no-store-remote".
#
# Set this to on to have squid behave as a remote surrogate.
#Default:
# http_accel_surrogate_remote off
# TAG: esi_parser libxml2|expat
# Selects the XML parsing library to use when interpreting responses with
# Edge Side Includes.
#
# To disable ESI handling completely, ./configure Squid with --disable-esi.
#Default:
# Selects libxml2 if available at ./configure time or libexpat otherwise.
# DELAY POOL PARAMETERS
# -----------------------------------------------------------------------------
# TAG: delay_pools
# This represents the number of delay pools to be used. For example,
# if you have one class 2 delay pool and one class 3 delay pool, you
# have a total of 2 delay pools.
#
# See also delay_parameters, delay_class, delay_access for pool
# configuration details.
#Default:
# delay_pools 0
# TAG: delay_class
# This defines the class of each delay pool. There must be exactly one
# delay_class line for each delay pool. For example, to define two
# delay pools, one of class 2 and one of class 3, the settings above
# and here would be:
#
# Example:
# delay_pools 4 # 4 delay pools
# delay_class 1 2 # pool 1 is a class 2 pool
# delay_class 2 3 # pool 2 is a class 3 pool
# delay_class 3 4 # pool 3 is a class 4 pool
# delay_class 4 5 # pool 4 is a class 5 pool
#
# The delay pool classes are:
#
# class 1 Everything is limited by a single aggregate
# bucket.
#
# class 2 Everything is limited by a single aggregate
# bucket as well as an "individual" bucket chosen
# from bits 25 through 32 of the IPv4 address.
#
# class 3 Everything is limited by a single aggregate
# bucket as well as a "network" bucket chosen
# from bits 17 through 24 of the IP address and an
# "individual" bucket chosen from bits 17 through
# 32 of the IPv4 address.
#
# class 4 Everything in a class 3 delay pool, with an
# additional limit on a per user basis. This
# only takes effect if the username is established
# in advance - by forcing authentication in your
# http_access rules.
#
# class 5 Requests are grouped according to their tag (see
# external_acl's tag= reply).
#
#
# Each pool also requires a delay_parameters directive to configure the pool size
# and speed limits used whenever the pool is applied to a request. Along with
# a set of delay_access directives to determine when it is used.
#
# NOTE: If an IP address is a.b.c.d
# -> bits 25 through 32 are "d"
# -> bits 17 through 24 are "c"
# -> bits 17 through 32 are "c * 256 + d"
#
# NOTE-2: Due to the use of bitmasks in class 2,3,4 pools they only apply to
# IPv4 traffic. Class 1 and 5 pools may be used with IPv6 traffic.
#
# This clause only supports fast acl types.
# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#
# See also delay_parameters and delay_access.
#Default:
# none
# TAG: delay_access
# This is used to determine which delay pool a request falls into.
#
# delay_access is sorted per pool and the matching starts with pool 1,
# then pool 2, ..., and finally pool N. The first delay pool where the
# request is allowed is selected for the request. If it does not allow
# the request to any pool then the request is not delayed (default).
#
# For example, if you want some_big_clients in delay
# pool 1 and lotsa_little_clients in delay pool 2:
#
# delay_access 1 allow some_big_clients
# delay_access 1 deny all
# delay_access 2 allow lotsa_little_clients
# delay_access 2 deny all
# delay_access 3 allow authenticated_clients
#
# See also delay_parameters and delay_class.
#
#Default:
# Deny using the pool, unless allow rules exist in squid.conf for the pool.
# TAG: delay_parameters
# This defines the parameters for a delay pool. Each delay pool has
# a number of „buckets” associated with it, as explained in the
# description of delay_class.
#
# For a class 1 delay pool, the syntax is:
# delay_class pool 1
# delay_parameters pool aggregate
#
# For a class 2 delay pool:
# delay_class pool 2
# delay_parameters pool aggregate individual
#
# For a class 3 delay pool:
# delay_class pool 3
# delay_parameters pool aggregate network individual
#
# For a class 4 delay pool:
# delay_class pool 4
# delay_parameters pool aggregate network individual user
#
# For a class 5 delay pool:
# delay_class pool 5
# delay_parameters pool tagrate
#
# The option variables are:
#
# pool a pool number - i.e., a number between 1 and the
# number specified in delay_pools as used in
# delay_class lines.
#
# aggregate the speed limit parameters for the aggregate bucket
# (class 1, 2, 3).
#
# individual the speed limit parameters for the individual
# buckets (class 2, 3).
#
# network the speed limit parameters for the network buckets
# (class 3).
#
# user the speed limit parameters for the user buckets
# (class 4).
#
# tagrate the speed limit parameters for the tag buckets
# (class 5).
#
# A pair of delay parameters is written restore/maximum, where restore is
# the number of bytes (not bits - modem and network speeds are usually
# quoted in bits) per second placed into the bucket, and maximum is the
# maximum number of bytes which can be in the bucket at any time.
#
# There must be one delay_parameters line for each delay pool.
#
#
# For example, if delay pool number 1 is a class 2 delay pool as in the
# above example, and is being used to strictly limit each host to 64Kbit/sec
# (plus overheads), with no overall limit, the line is:
#
# delay_parameters 1 none 8000/8000
#
# Note that 8 x 8K Byte/sec -> 64K bit/sec.
#
# Note that the word 'none' is used to represent no limit.
#
#
# And, if delay pool number 2 is a class 3 delay pool as in the above
# example, and you want to limit it to a total of 256Kbit/sec (strict limit)
# with each 8-bit network permitted 64Kbit/sec (strict limit) and each
# individual host permitted 4800bit/sec with a bucket maximum size of 64Kbits
# to permit a decent web page to be downloaded at a decent speed
# (if the network is not being limited due to overuse) but slow down
# large downloads more significantly:
#
# delay_parameters 2 32000/32000 8000/8000 600/8000
#
# Note that 8 x 32K Byte/sec -> 256K bit/sec.
# 8 x 8K Byte/sec -> 64K bit/sec.
# 8 x 600 Byte/sec -> 4800 bit/sec.
#
#
# Finally, for a class 4 delay pool as in the example - each user will
# be limited to 128Kbits/sec no matter how many workstations they are logged into:
#
# delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000
#
#
# See also delay_class and delay_access.
#
#Default:
# none
# TAG: delay_initial_bucket_level (percent, 0-100)
# The initial bucket percentage is used to determine how much is put
# in each bucket when squid starts, is reconfigured, or first notices
# a host accessing it (in class 2 and class 3, individual hosts and
# networks only have buckets associated with them once they have been
# "seen" by squid).
#Default:
# delay_initial_bucket_level 50
# CLIENT DELAY POOL PARAMETERS
# -----------------------------------------------------------------------------
# TAG: client_delay_pools
# This option specifies the number of client delay pools used. It must
# precede other client_delay_* options.
#
# Example:
# client_delay_pools 2
#
# See also client_delay_parameters and client_delay_access.
#Default:
# client_delay_pools 0
# TAG: client_delay_initial_bucket_level (percent, 0-no_limit)
# This option determines the initial bucket size as a percentage of
# max_bucket_size from client_delay_parameters. Buckets are created
# at the time of the "first" connection from the matching IP. Idle
# buckets are periodically deleted.
#
# You can specify more than 100 percent but note that such "oversized"
# buckets are not refilled until their size goes down to max_bucket_size
# from client_delay_parameters.
#
# Example:
# client_delay_initial_bucket_level 50
#Default:
# client_delay_initial_bucket_level 50
# TAG: client_delay_parameters
#
# This option configures client-side bandwidth limits using the
# following format:
#
# client_delay_parameters pool speed_limit max_bucket_size
#
# pool is an integer ID used for client_delay_access matching.
#
# speed_limit is bytes added to the bucket per second.
#
# max_bucket_size is the maximum size of a bucket, enforced after any
# speed_limit additions.
#
# Please see the delay_parameters option for more information and
# examples.
#
# Example:
# client_delay_parameters 1 1024 2048
# client_delay_parameters 2 51200 16384
#
# See also client_delay_access.
#
#Default:
# none
# TAG: client_delay_access
# This option determines the client-side delay pool for the
# request:
#
# client_delay_access pool_ID allow|deny acl_name
#
# All client_delay_access options are checked in their pool ID
# order, starting with pool 1. The first checked pool with allowed
# request is selected for the request. If no ACL matches or there
# are no client_delay_access options, the request bandwidth is not
# limited.
#
# The ACL-selected pool is then used to find the
# client_delay_parameters for the request. Client-side pools are
# not used to aggregate clients. Clients are always aggregated
# based on their source IP addresses (one bucket per source IP).
#
# This clause only supports fast acl types.
# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
# Additionally, only the client TCP connection details are available.
# ACLs testing HTTP properties will not work.
#
# Please see delay_access for more examples.
#
# Example:
# client_delay_access 1 allow low_rate_network
# client_delay_access 2 allow vips_network
#
#
# See also client_delay_parameters and client_delay_pools.
#Default:
# Deny use of the pool, unless allow rules exist in squid.conf for the pool.
# TAG: response_delay_pool
# This option configures client response bandwidth limits using the
# following format:
#
# response_delay_pool name [option=value] ...
#
# name the response delay pool name
#
# available options:
#
# individual-restore The speed limit of an individual
# bucket(bytes/s). To be used in conjunction
# with 'individual-maximum'.
#
# individual-maximum The maximum number of bytes which can
# be placed into the individual bucket. To be used
# in conjunction with 'individual-restore'.
#
# aggregate-restore The speed limit for the aggregate
# bucket(bytes/s). To be used in conjunction with
# 'aggregate-maximum'.
#
# aggregate-maximum The maximum number of bytes which can
# be placed into the aggregate bucket. To be used
# in conjunction with 'aggregate-restore'.
#
# initial-bucket-level The initial bucket size as a percentage
# of individual-maximum.
#
# Individual and/or aggregate bucket options may be omitted,
# meaning no individual and/or aggregate speed limitation.
# See also response_delay_pool_access and delay_parameters for
# terminology details.
#Default:
# none
# TAG: response_delay_pool_access
# Determines whether a specific named response delay pool is used
# for the transaction. The syntax for this directive is:
#
# response_delay_pool_access pool_name allow|deny acl_name
#
# All response_delay_pool_access options are checked in the order
# they appear in this configuration file. The first rule with a
# matching ACL wins. If (and only if) an "allow" rule won, Squid
# assigns the response to the corresponding named delay pool.
#Default:
# Deny use of the pool, unless allow rules exist in squid.conf for the pool.
# WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS
# —————————————————————————–
# TAG: wccp_router
# Use this option to define your WCCP „home” router for
# Squid.
#
# wccp_router supports a single WCCP(v1) router
#
# wccp2_router supports multiple WCCPv2 routers
#
# only one of the two may be used at the same time and defines
# which version of WCCP to use.
#Default:
# WCCP disabled.
# TAG: wccp2_router
# Use this option to define your WCCP „home” router for
# Squid.
#
# wccp_router supports a single WCCP(v1) router
#
# wccp2_router supports multiple WCCPv2 routers
#
# only one of the two may be used at the same time and defines
# which version of WCCP to use.
#Default:
# WCCPv2 disabled.
# TAG: wccp_version
# This directive is only relevant if you need to set up WCCP(v1)
# to some very old and end-of-life Cisco routers. In all other
# setups it must be left unset or at the default setting.
# It defines an internal version in the WCCP(v1) protocol,
# with version 4 being the officially documented protocol.
#
# According to some users, Cisco IOS 11.2 and earlier only
# support WCCP version 3. If you’re using that or an earlier
# version of IOS, you may need to change this value to 3, otherwise
# do not specify this parameter.
#Default:
# wccp_version 4
# TAG: wccp2_rebuild_wait
# If this is enabled Squid will wait for the cache dir rebuild to finish
# before sending the first wccp2 HereIAm packet
#Default:
# wccp2_rebuild_wait on
# TAG: wccp2_forwarding_method
# WCCP2 allows the setting of forwarding methods between the
# router/switch and the cache. Valid values are as follows:
#
# gre – GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
# l2 – L2 redirect (forward the packet using Layer 2/MAC rewriting)
#
# Currently (as of IOS 12.4) Cisco routers only support GRE.
# Cisco switches only support the L2 redirect assignment method.
#Default:
# wccp2_forwarding_method gre
# TAG: wccp2_return_method
# WCCP2 allows the setting of return methods between the
# router/switch and the cache for packets that the cache
# decides not to handle. Valid values are as follows:
#
# gre – GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
# l2 – L2 redirect (forward the packet using Layer 2/MAC rewriting)
#
# Currently (as of IOS 12.4) Cisco routers only support GRE.
# Cisco switches only support the L2 redirect assignment.
#
# If the "ip wccp redirect exclude in" command has been
# enabled on the cache interface, then it is still safe for
# the proxy server to use a l2 redirect method even if this
# option is set to GRE.
#Default:
# wccp2_return_method gre
# TAG: wccp2_assignment_method
# WCCP2 allows the setting of methods to assign the WCCP hash
# Valid values are as follows:
#
# hash – Hash assignment
# mask – Mask assignment
#
# As a general rule, Cisco routers support the hash assignment method
# and Cisco switches support the mask assignment method.
#Default:
# wccp2_assignment_method hash
# TAG: wccp2_service
# WCCP2 allows for multiple traffic services. There are two
# types: „standard” and „dynamic”. The standard type defines
# one service id – http (id 0). The dynamic service ids can be from
# 51 to 255 inclusive. In order to use a dynamic service id
# one must define the type of traffic to be redirected; this is done
# using the wccp2_service_info option.
#
# The „standard” type does not require a wccp2_service_info option,
# just specifying the service id will suffice.
#
# MD5 service authentication can be enabled by adding
# "password=<password>" to the end of this service declaration.
#
# Examples:
#
# wccp2_service standard 0 # for the ‘web-cache’ standard service
# wccp2_service dynamic 80 # a dynamic service type which will be
# # fleshed out with subsequent options.
# wccp2_service standard 0 password=foo
#Default:
# Use the ‘web-cache’ standard service.
# TAG: wccp2_service_info
# Dynamic WCCPv2 services require further information to define the
# traffic you wish to have diverted.
#
# The format is:
#
# wccp2_service_info <id> protocol=<protocol> flags=<flag>,<flag>..
# priority=<priority> ports=<port>,<port>..
#
# The relevant WCCPv2 flags:
# + src_ip_hash, dst_ip_hash
# + source_port_hash, dst_port_hash
# + src_ip_alt_hash, dst_ip_alt_hash
# + src_port_alt_hash, dst_port_alt_hash
# + ports_source
#
# The port list can be one to eight entries.
#
# Example:
#
# wccp2_service_info 80 protocol=tcp flags=src_ip_hash,ports_source
# priority=240 ports=80
#
# Note: the service id must have been defined by a previous
# ‘wccp2_service dynamic <id>’ entry.
#Default:
# none
# TAG: wccp2_weight
# Each cache server gets assigned a set of the destination
# hash proportional to their weight.
#Default:
# wccp2_weight 10000
# TAG: wccp_address
# Use this option if you require WCCP(v1) to use a specific
# interface address.
#
# The default behavior is to not bind to any specific address.
#Default:
# Address selected by the operating system.
# TAG: wccp2_address
# Use this option if you require WCCPv2 to use a specific
# interface address.
#
# The default behavior is to not bind to any specific address.
#Default:
# Address selected by the operating system.
# PERSISTENT CONNECTION HANDLING
# —————————————————————————–
#
# Also see „pconn_timeout” in the TIMEOUTS section
# TAG: client_persistent_connections
# Persistent connection support for clients.
# Squid uses persistent connections (when allowed). You can use
# this option to disable persistent connections with clients.
#Default:
# client_persistent_connections on
# TAG: server_persistent_connections
# Persistent connection support for servers.
# Squid uses persistent connections (when allowed). You can use
# this option to disable persistent connections with servers.
#Default:
# server_persistent_connections on
# TAG: persistent_connection_after_error
# With this directive the use of persistent connections after
# HTTP errors can be disabled. Useful if you have clients
# who fail to handle errors on persistent connections properly.
#Default:
# persistent_connection_after_error on
# TAG: detect_broken_pconn
# Some servers have been found to incorrectly signal the use
# of HTTP/1.0 persistent connections even on replies not
# compatible, causing significant delays. This server problem
# has mostly been seen on redirects.
#
# By enabling this directive Squid attempts to detect such
# broken replies and automatically assume the reply is finished
# after 10 seconds timeout.
#Default:
# detect_broken_pconn off
# CACHE DIGEST OPTIONS
# —————————————————————————–
# TAG: digest_generation
# This controls whether the server will generate a Cache Digest
# of its contents. By default, Cache Digest generation is
# enabled if Squid is compiled with --enable-cache-digests defined.
#Default:
# digest_generation on
# TAG: digest_bits_per_entry
# This is the number of bits of the server’s Cache Digest which
# will be associated with the Digest entry for a given HTTP
# Method and URL (public key) combination. The default is 5.
#Default:
# digest_bits_per_entry 5
# TAG: digest_rebuild_period (seconds)
# This is the wait time between Cache Digest rebuilds.
#Default:
# digest_rebuild_period 1 hour
# TAG: digest_rewrite_period (seconds)
# This is the wait time between Cache Digest writes to
# disk.
#Default:
# digest_rewrite_period 1 hour
# TAG: digest_swapout_chunk_size (bytes)
# This is the number of bytes of the Cache Digest to write to
# disk at a time. It defaults to 4096 bytes (4KB), the Squid
# default swap page.
#Default:
# digest_swapout_chunk_size 4096 bytes
# TAG: digest_rebuild_chunk_percentage (percent, 0-100)
# This is the percentage of the Cache Digest to be scanned at a
# time. By default it is set to 10% of the Cache Digest.
#Default:
# digest_rebuild_chunk_percentage 10
# SNMP OPTIONS
# —————————————————————————–
# TAG: snmp_port
# The port number where Squid listens for SNMP requests. To enable
# SNMP support set this to a suitable port number. Port number
# 3401 is often used for the Squid SNMP agent. By default it's
# set to "0" (disabled).
#
# Example:
# snmp_port 3401
#Default:
# SNMP disabled.
# TAG: snmp_access
# Allowing or denying access to the SNMP port.
#
# All access to the agent is denied by default.
# usage:
#
# snmp_access allow|deny [!]aclname …
#
# This clause only supports fast acl types.
# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#
#Example:
# snmp_access allow snmppublic localhost
# snmp_access deny all
#Default:
# Deny, unless rules exist in squid.conf.
# TAG: snmp_incoming_address
# Just like ‘udp_incoming_address’, but for the SNMP port.
#
# snmp_incoming_address is used for the SNMP socket receiving
# messages from SNMP agents.
#
# The default snmp_incoming_address is to listen on all
# available network interfaces.
#Default:
# Accept SNMP packets from all machine interfaces.
# TAG: snmp_outgoing_address
# Just like ‘udp_outgoing_address’, but for the SNMP port.
#
# snmp_outgoing_address is used for SNMP packets returned to SNMP
# agents.
#
# If snmp_outgoing_address is not set it will use the same socket
# as snmp_incoming_address. Only change this if you want to have
# SNMP replies sent using another address than where this Squid
# listens for SNMP queries.
#
# NOTE, snmp_incoming_address and snmp_outgoing_address can not have
# the same value since they both use the same port.
#Default:
# Use snmp_incoming_address or an address selected by the operating system.
# ICP OPTIONS
# —————————————————————————–
# TAG: icp_port
# The port number where Squid sends and receives ICP queries to
# and from neighbor caches. The standard UDP port for ICP is 3130.
#
# Example:
# icp_port 3130
#Default:
# ICP disabled.
# TAG: htcp_port
# The port number where Squid sends and receives HTCP queries to
# and from neighbor caches. To turn it on you want to set it to
# 4827.
#
# Example:
# htcp_port 4827
#Default:
# HTCP disabled.
# TAG: log_icp_queries on|off
# If set, ICP queries are logged to access.log. You may wish
# to disable this if your ICP load is VERY high to speed things
# up or to simplify log analysis.
#Default:
# log_icp_queries on
# TAG: udp_incoming_address
# udp_incoming_address is used for UDP packets received from other
# caches.
#
# The default behavior is to not bind to any specific address.
#
# Only change this if you want to have all UDP queries received on
# a specific interface/address.
#
# NOTE: udp_incoming_address is used by the ICP, HTCP, and DNS
# modules. Altering it will affect all of them in the same manner.
#
# see also; udp_outgoing_address
#
# NOTE, udp_incoming_address and udp_outgoing_address can not
# have the same value since they both use the same port.
#Default:
# Accept packets from all machine interfaces.
# TAG: udp_outgoing_address
# udp_outgoing_address is used for UDP packets sent out to other
# caches.
#
# The default behavior is to not bind to any specific address.
#
# Instead it will use the same socket as udp_incoming_address.
# Only change this if you want to have UDP queries sent using another
# address than where this Squid listens for UDP queries from other
# caches.
#
# NOTE: udp_outgoing_address is used by the ICP, HTCP, and DNS
# modules. Altering it will affect all of them in the same manner.
#
# see also; udp_incoming_address
#
# NOTE, udp_incoming_address and udp_outgoing_address can not
# have the same value since they both use the same port.
#Default:
# Use udp_incoming_address or an address selected by the operating system.
# TAG: icp_hit_stale on|off
# If you want to return ICP_HIT for stale cache objects, set this
# option to ‘on’. If you have sibling relationships with caches
# in other administrative domains, this should be ‘off’. If you only
# have sibling relationships with caches under your control,
# it is probably okay to set this to ‘on’.
# If set to 'on', your siblings should use the option "allow-miss"
# on their cache_peer lines for connecting to you.
#Default:
# icp_hit_stale off
# TAG: minimum_direct_hops
# If using the ICMP pinging stuff, do direct fetches for sites
# which are no more than this many hops away.
#Default:
# minimum_direct_hops 4
# TAG: minimum_direct_rtt (msec)
# If using the ICMP pinging stuff, do direct fetches for sites
# which are no more than this many rtt milliseconds away.
#Default:
# minimum_direct_rtt 400
# TAG: netdb_low
# The low water mark for the ICMP measurement database.
#
# Note: high watermark controlled by netdb_high directive.
#
# These watermarks are counts, not percents. The defaults are
# (low) 900 and (high) 1000. When the high water mark is
# reached, database entries will be deleted until the low
# mark is reached.
#Default:
# netdb_low 900
# TAG: netdb_high
# The high water mark for the ICMP measurement database.
#
# Note: low watermark controlled by netdb_low directive.
#
# These watermarks are counts, not percents. The defaults are
# (low) 900 and (high) 1000. When the high water mark is
# reached, database entries will be deleted until the low
# mark is reached.
#Default:
# netdb_high 1000
# TAG: netdb_ping_period
# The minimum period for measuring a site. There will be at
# least this much delay between successive pings to the same
# network. The default is five minutes.
#Default:
# netdb_ping_period 5 minutes
# TAG: query_icmp on|off
# If you want to ask your peers to include ICMP data in their ICP
# replies, enable this option.
#
# If your peer has configured Squid (during compilation) with
# '--enable-icmp' that peer will send ICMP pings to origin server
# sites of the URLs it receives. If you enable this option the
# ICP replies from that peer will include the ICMP data (if available).
# Then, when choosing a parent cache, Squid will choose the parent with
# the minimal RTT to the origin server. When this happens, the
# hierarchy field of the access.log will be
# "CLOSEST_PARENT_MISS". This option is off by default.
#Default:
# query_icmp off
# TAG: test_reachability on|off
# When this is ‘on’, ICP MISS replies will be ICP_MISS_NOFETCH
# instead of ICP_MISS if the target host is NOT in the ICMP
# database, or has a zero RTT.
#Default:
# test_reachability off
# TAG: icp_query_timeout (msec)
# Normally Squid will automatically determine an optimal ICP
# query timeout value based on the round-trip-time of recent ICP
# queries. If you want to override the value determined by
# Squid, set this ‘icp_query_timeout’ to a non-zero value. This
# value is specified in MILLISECONDS, so, to use a 2-second
# timeout (the old default), you would write:
#
# icp_query_timeout 2000
#Default:
# Dynamic detection.
# TAG: maximum_icp_query_timeout (msec)
# Normally the ICP query timeout is determined dynamically. But
# sometimes it can lead to very large values (say 5 seconds).
# Use this option to put an upper limit on the dynamic timeout
# value. Do NOT use this option to always use a fixed (instead
# of a dynamic) timeout value. To set a fixed timeout see the
# ‘icp_query_timeout’ directive.
#Default:
# maximum_icp_query_timeout 2000
# TAG: minimum_icp_query_timeout (msec)
# Normally the ICP query timeout is determined dynamically. But
# sometimes it can lead to very small timeouts, even lower than
# the normal latency variance on your link due to traffic.
# Use this option to put a lower limit on the dynamic timeout
# value. Do NOT use this option to always use a fixed (instead
# of a dynamic) timeout value. To set a fixed timeout see the
# ‘icp_query_timeout’ directive.
#Default:
# minimum_icp_query_timeout 5
# TAG: background_ping_rate time-units
# Controls how often the ICP pings are sent to siblings that
# have background-ping set.
#Default:
# background_ping_rate 10 seconds
# MULTICAST ICP OPTIONS
# —————————————————————————–
# TAG: mcast_groups
# This tag specifies a list of multicast groups which your server
# should join to receive multicasted ICP queries.
#
# NOTE! Be very careful what you put here! Be sure you
# understand the difference between an ICP _query_ and an ICP
# _reply_. This option is to be set only if you want to RECEIVE
# multicast queries. Do NOT set this option to SEND multicast
# ICP (use cache_peer for that). ICP replies are always sent via
# unicast, so this option does not affect whether or not you will
# receive replies from multicast group members.
#
# You must be very careful to NOT use a multicast address which
# is already in use by another group of caches.
#
# If you are unsure about multicast, please read the Multicast
# chapter in the Squid FAQ (http://www.squid-cache.org/FAQ/).
#
# Usage: mcast_groups 239.128.16.128 224.0.1.20
#
# By default, Squid doesn’t listen on any multicast groups.
#Default:
# none
# TAG: mcast_miss_addr
# Note: This option is only available if Squid is rebuilt with the
# -DMULTICAST_MISS_STREAM define
#
# If you enable this option, every „cache miss” URL will
# be sent out on the specified multicast address.
#
# Do not enable this option unless you are absolutely
# certain you understand what you are doing.
#Default:
# disabled.
# TAG: mcast_miss_ttl
# Note: This option is only available if Squid is rebuilt with the
# -DMULTICAST_MISS_STREAM define
#
# This is the time-to-live value for packets multicasted
# when multicasting off cache miss URLs is enabled. By
# default this is set to ‘site scope’, i.e. 16.
#Default:
# mcast_miss_ttl 16
# TAG: mcast_miss_port
# Note: This option is only available if Squid is rebuilt with the
# -DMULTICAST_MISS_STREAM define
#
# This is the port number to be used in conjunction with
# ‘mcast_miss_addr’.
#Default:
# mcast_miss_port 3135
# TAG: mcast_miss_encode_key
# Note: This option is only available if Squid is rebuilt with the
# -DMULTICAST_MISS_STREAM define
#
# The URLs that are sent in the multicast miss stream are
# encrypted. This is the encryption key.
#Default:
# mcast_miss_encode_key XXXXXXXXXXXXXXXX
# TAG: mcast_icp_query_timeout (msec)
# For multicast peers, Squid regularly sends out ICP „probes” to
# count how many other peers are listening on the given multicast
# address. This value specifies how long Squid should wait to
# count all the replies. The default is 2000 msec, or 2
# seconds.
#Default:
# mcast_icp_query_timeout 2000
# INTERNAL ICON OPTIONS
# —————————————————————————–
# TAG: icon_directory
# Where the icons are stored. These are normally kept in
# /usr/share/squid/icons
#Default:
# icon_directory /usr/share/squid/icons
# TAG: global_internal_static
# This directive controls whether Squid should intercept all requests for
# /squid-internal-static/ no matter which host the URL is requesting
# (the default, "on"), or whether nothing special should be done for
# such URLs ("off"). The purpose of this directive is to make
# icons etc. work better in complex cache hierarchies where it may
# not always be possible for all corners in the cache mesh to reach
# the server generating a directory listing.
#Default:
# global_internal_static on
# TAG: short_icon_urls
# If this is enabled Squid will use short URLs for icons.
# If disabled it will revert to the old behavior of including
# its own name and port in the URL.
#
# If you run a complex cache hierarchy with a mix of Squid and
# other proxies you may need to disable this directive.
#Default:
# short_icon_urls on
# ERROR PAGE OPTIONS
# —————————————————————————–
# TAG: error_directory
# If you wish to create your own versions of the default
# error files to customize them to suit your company copy
# the error/template files to another directory and point
# this tag at them.
#
# WARNING: This option will disable multi-language support
# on error pages if used.
#
# The squid developers are interested in making squid available in
# a wide variety of languages. If you are making translations for a
# language that Squid does not currently provide please consider
# contributing your translation back to the project.
# http://wiki.squid-cache.org/Translations
#
# The squid developers working on translations are happy to supply drop-in
# translated error files in exchange for any new language contributions.
#Default:
# Send error pages in the client's preferred language.
# TAG: error_default_language
# Set the default language which Squid will send error pages in
# if no existing translation matches the client's language
# preferences.
#
# If unset (default) generic English will be used.
#
# The squid developers are interested in making squid available in
# a wide variety of languages. If you are interested in making
# translations for any language see the squid wiki for details.
# http://wiki.squid-cache.org/Translations
#Default:
# Generate English language pages.
# TAG: error_log_languages
# Log to cache.log what languages users are attempting to
# auto-negotiate for translations.
#
# Successful negotiations are not logged. Only failures
# have meaning to indicate that Squid may need an upgrade
# of its error page translations.
#Default:
# error_log_languages on
# TAG: err_page_stylesheet
# CSS Stylesheet to pattern the display of Squid default error pages.
#
# For information on CSS see http://www.w3.org/Style/CSS/
#Default:
# err_page_stylesheet /etc/squid/errorpage.css
# TAG: err_html_text
# HTML text to include in error messages. Make this a "mailto"
# URL to your admin address, or maybe just a link to your
# organization's Web page.
#
# To include this in your error messages, you must rewrite
# the error template files (found in the „errors” directory).
# Wherever you want the ‘err_html_text’ line to appear,
# insert a %L tag in the error template file.
#Default:
# none
# TAG: email_err_data on|off
# If enabled, information about the occurred error will be
# included in the mailto links of the ERR pages (if %W is set)
# so that the email body contains the data.
# Syntax is <A HREF="mailto:%w%W">%w</A>
#Default:
# email_err_data on
# TAG: deny_info
# Usage: deny_info err_page_name acl
# or deny_info http://… acl
# or deny_info TCP_RESET acl
#
# This can be used to return a ERR_ page for requests which
# do not pass the ‘http_access’ rules. Squid remembers the last
# acl it evaluated in http_access, and if a ‘deny_info’ line exists
# for that ACL Squid returns a corresponding error page.
#
# The acl is typically the last acl on the http_access deny line which
# denied access. The exceptions to this rule are:
# - When Squid needs to request authentication credentials. It's then
# the first authentication-related acl encountered.
# - When none of the http_access lines matches. It's then the last
# acl processed on the last http_access line.
# - When the decision to deny access was made by an adaptation service,
# the acl name is the corresponding eCAP or ICAP service_name.
#
# NP: If providing your own custom error pages with error_directory
# you may also specify them by your custom file name:
# Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys
#
# By default Squid will send "403 Forbidden". A different 4xx or 5xx
# may be specified by prefixing the file name with the code and a colon.
# e.g. 404:ERR_CUSTOM_ACCESS_DENIED
#
# Alternatively you can tell Squid to reset the TCP connection
# by specifying TCP_RESET.
#
# Or you can specify an error URL or URL pattern. The browsers will
# get redirected to the specified URL after formatting tags have
# been replaced. Redirect will be done with 302 or 307 according to
# HTTP/1.1 specs. A different 3xx code may be specified by prefixing
# the URL. e.g. 303:http://example.com/
#
# URL FORMAT TAGS:
# %a – username (if available. Password NOT included)
# %A – Local listening IP address the client connection was connected to
# %B – FTP path URL
# %e – Error number
# %E – Error description
# %h – Squid hostname
# %H – Request domain name
# %i – Client IP Address
# %M – Request Method
# %O – Unescaped message result from external ACL helper
# %o – Message result from external ACL helper
# %p – Request Port number
# %P – Request Protocol name
# %R – Request URL path
# %T – Timestamp in RFC 1123 format
# %U – Full canonical URL from client
# (HTTPS URLs terminate with *)
# %u – Full canonical URL from client
# %w – Admin email from squid.conf
# %x – Error name
# %% – Literal percent (%) code
#
#Default:
# none
# OPTIONS INFLUENCING REQUEST FORWARDING
# —————————————————————————–
# TAG: nonhierarchical_direct
# By default, Squid will send any non-hierarchical requests
# (not cacheable request type) direct to origin servers.
#
# When this is set to „off”, Squid will prefer to send these
# requests to parents.
#
# Note that in most configurations, by turning this off you will only
# add latency to these requests without any improvement in global hit
# ratio.
#
# This option only sets a preference. If the parent is unavailable a
# direct connection to the origin server may still be attempted. To
# completely prevent direct connections use never_direct.
#Default:
# nonhierarchical_direct on
# TAG: prefer_direct
# Normally Squid tries to use parents for most requests. If you for some
# reason like it to first try going direct and only use a parent if
# going direct fails set this to on.
#
# By combining nonhierarchical_direct off and prefer_direct on you
# can set up Squid to use a parent as a backup path if going direct
# fails.
#
# Note: If you want Squid to use parents for all requests see
# the never_direct directive. prefer_direct only modifies how Squid
# acts on cacheable requests.
#Default:
# prefer_direct off
# TAG: cache_miss_revalidate on|off
# RFC 7232 defines a conditional request mechanism to prevent
# response objects being unnecessarily transferred over the network.
# If that mechanism is used by the client and a cache MISS occurs
# it can prevent new cache entries being created.
#
# This option determines whether Squid on cache MISS will pass the
# client revalidation request to the server or tries to fetch new
# content for caching. It can be useful while the cache is mostly
# empty to more quickly have the cache populated by generating
# non-conditional GETs.
#
# When set to ‘on’ (default), Squid will pass all client If-* headers
# to the server. This permits server responses without a cacheable
# payload to be delivered and on MISS no new cache entry is created.
#
# When set to 'off' and if the request is cacheable, Squid will
# remove the client's If-Modified-Since and If-None-Match headers from
# the request sent to the server. This requests a 200 status response
# from the server to create a new cache entry with.
#Default:
# cache_miss_revalidate on
# TAG: always_direct
# Usage: always_direct allow|deny [!]aclname …
#
# Here you can use ACL elements to specify requests which should
# ALWAYS be forwarded by Squid to the origin servers without using
# any peers. For example, to always directly forward requests for
# local servers, ignoring any parents or siblings you may have, use
# something like:
#
# acl local-servers dstdomain my.domain.net
# always_direct allow local-servers
#
# To always forward FTP requests directly, use
#
# acl FTP proto FTP
# always_direct allow FTP
#
# NOTE: There is a similar, but opposite option named
# 'never_direct'. You need to be aware that "always_direct deny
# foo" is NOT the same thing as "never_direct allow foo". You
# may need to use a deny rule to exclude a more-specific case of
# some other rule. Example:
#
# acl local-external dstdomain external.foo.net
# acl local-servers dstdomain .foo.net
# always_direct deny local-external
# always_direct allow local-servers
#
# NOTE: If your goal is to make the client forward the request
# directly to the origin server bypassing Squid then this needs
# to be done in the client configuration. Squid configuration
# can only tell Squid how Squid should fetch the object.
#
# NOTE: This directive is not related to caching. Replies
# are cached as usual even if you use always_direct. To not cache
# the replies see the 'cache' directive.
#
# This clause supports both fast and slow acl types.
# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#Default:
# Prevent any cache_peer being used for this request.
# TAG: never_direct
# Usage: never_direct allow|deny [!]aclname …
#
# never_direct is the opposite of always_direct. Please read
# the description for always_direct if you have not already.
#
# With ‘never_direct’ you can use ACL elements to specify
# requests which should NEVER be forwarded directly to origin
# servers. For example, to force the use of a proxy for all
# requests except those in your local domain, use something like:
#
# acl local-servers dstdomain .foo.net
# never_direct deny local-servers
# never_direct allow all
#
# or if Squid is inside a firewall and there are local intranet
# servers inside the firewall use something like:
#
# acl local-intranet dstdomain .foo.net
# acl local-external dstdomain external.foo.net
# always_direct deny local-external
# always_direct allow local-intranet
# never_direct allow all
#
# This clause supports both fast and slow acl types.
# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#Default:
# Allow DNS results to be used for this request.
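# Added example (not part of the Squid documentation or source): a
# first-match evaluator for the always_direct / never_direct rule lists
# above, built to show why "always_direct deny foo" is NOT the same as
# "never_direct allow foo". Only dstdomain ACLs and the built-in "all"
# ACL are modelled; the no-match fallback is an assumption stated in the code.

```python
"""First-match evaluation of Squid-style ``allow|deny [!]aclname ...`` lines.

Added illustration, not Squid code. Models always_direct / never_direct
with dstdomain ACLs only.
"""


def parse_config(text):
    """Parse acl / always_direct / never_direct lines from a squid.conf excerpt."""
    acls = {}
    rules = {"always_direct": [], "never_direct": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            if len(parts) < 4 or parts[2] != "dstdomain":
                raise ValueError(f"only dstdomain ACLs are modelled: {line}")
            acls.setdefault(parts[1], []).extend(parts[3:])
        elif parts[0] in rules and len(parts) >= 3 and parts[1] in ("allow", "deny"):
            rules[parts[0]].append((parts[1], parts[2:]))
        else:
            raise ValueError(f"unsupported line: {line}")
    return acls, rules


def dstdomain_matches(patterns, host):
    """dstdomain semantics: a leading dot matches the domain and all of its
    subdomains; otherwise the host must match exactly (case-insensitive)."""
    host = host.lower().rstrip(".")
    for pat in patterns:
        pat = pat.lower()
        if pat.startswith("."):
            if host == pat[1:] or host.endswith(pat):
                return True
        elif host == pat:
            return True
    return False


def acl_matches(acls, token, host):
    """Evaluate one ``[!]aclname`` token; ``all`` is the built-in match-all ACL."""
    negated = token.startswith("!")
    name = token.lstrip("!")
    if name == "all":
        matched = True
    elif name in acls:
        matched = dstdomain_matches(acls[name], host)
    else:
        raise KeyError(f"ACL {name!r} is not defined")
    return matched != negated


def evaluate(acls, rule_list, host):
    """The first line whose ACLs all match wins. When no line matches, this
    example assumes the rule documented for http_access (the result is the
    opposite of the last line). Returns "allow", "deny", or None if empty."""
    for action, tokens in rule_list:
        if all(acl_matches(acls, t, host) for t in tokens):
            return action
    if not rule_list:
        return None
    return "deny" if rule_list[-1][0] == "allow" else "allow"


def forwarding_decision(acls, rules, host):
    """Which forwarding constraint (if any) a request for ``host`` picks up."""
    if evaluate(acls, rules["always_direct"], host) == "allow":
        return "always_direct"       # peers are bypassed
    if evaluate(acls, rules["never_direct"], host) == "allow":
        return "never_direct"        # a peer is mandatory
    return "unforced"                # normal peer selection applies


# Constructed squid.conf excerpt mirroring the firewall example above.
FIREWALL_CONF = """
acl local-intranet dstdomain .foo.net
acl local-external dstdomain external.foo.net
always_direct deny local-external
always_direct allow local-intranet
never_direct allow all
"""

if __name__ == "__main__":
    acls, rules = parse_config(FIREWALL_CONF)
    for h in ("intranet.foo.net", "external.foo.net", "www.example.com"):
        print(h, "->", forwarding_decision(acls, rules, h))
```

With that fallback, a lone "always_direct deny foo" forces every *other* host direct, while a lone "never_direct allow foo" forces only foo through a peer; that is the asymmetry the NOTE above warns about.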
# ADVANCED NETWORKING OPTIONS
# —————————————————————————–
# TAG: incoming_udp_average
# Heavy voodoo here. I can’t even believe you are reading this.
# Are you crazy? Don’t even think about adjusting these unless
# you understand the algorithms in comm_select.c first!
#Default:
# incoming_udp_average 6
# TAG: incoming_tcp_average
# Heavy voodoo here. I can’t even believe you are reading this.
# Are you crazy? Don’t even think about adjusting these unless
# you understand the algorithms in comm_select.c first!
#Default:
# incoming_tcp_average 4
# TAG: incoming_dns_average
# Heavy voodoo here. I can’t even believe you are reading this.
# Are you crazy? Don’t even think about adjusting these unless
# you understand the algorithms in comm_select.c first!
#Default:
# incoming_dns_average 4
# TAG: min_udp_poll_cnt
# Heavy voodoo here. I can’t even believe you are reading this.
# Are you crazy? Don’t even think about adjusting these unless
# you understand the algorithms in comm_select.c first!
#Default:
# min_udp_poll_cnt 8
# TAG: min_dns_poll_cnt
# Heavy voodoo here. I can’t even believe you are reading this.
# Are you crazy? Don’t even think about adjusting these unless
# you understand the algorithms in comm_select.c first!
#Default:
# min_dns_poll_cnt 8
# TAG: min_tcp_poll_cnt
# Heavy voodoo here. I can’t even believe you are reading this.
# Are you crazy? Don’t even think about adjusting these unless
# you understand the algorithms in comm_select.c first!
#Default:
# min_tcp_poll_cnt 8
# TAG: accept_filter
# FreeBSD:
#
# The name of an accept(2) filter to install on Squid’s
# listen socket(s). This feature is perhaps specific to
# FreeBSD and requires support in the kernel.
#
# The ‘httpready’ filter delays delivering new connections
# to Squid until a full HTTP request has been received.
# See the accf_http(9) man page for details.
#
# The ‘dataready’ filter delays delivering new connections
# to Squid until there is some data to process.
# See the accf_dataready(9) man page for details.
#
# Linux:
#
# The ‘data’ filter delays delivering of new connections
# to Squid until there is some data to process by TCP_ACCEPT_DEFER.
# You may optionally specify a number of seconds to wait by
# ‘data=N’ where N is the number of seconds. Defaults to 30
# if not specified. See the tcp(7) man page for details.
#EXAMPLE:
## FreeBSD
#accept_filter httpready
## Linux
#accept_filter data
#Default:
# none
# TAG: client_ip_max_connections
# Set an absolute limit on the number of connections a single
# client IP can use. Any more than this and Squid will begin to drop
# new connections from the client until it closes some links.
#
# Note that this is a global limit. It affects all HTTP, HTCP, Gopher and FTP
# connections from the client. For finer control use the ACL access controls.
#
# Requires client_db to be enabled (the default).
#
# WARNING: This may noticeably slow down traffic received via external proxies
# or NAT devices and cause them to rebound error messages back to their clients.
#Default:
# No limit.
# TAG: tcp_recv_bufsize (bytes)
# Size of receive buffer to set for TCP sockets. Probably just
# as easy to change your kernel’s default.
# Omit from squid.conf to use the default buffer size.
#Default:
# Use operating system TCP defaults.
# ICAP OPTIONS
# -----------------------------------------------------------------------------
# TAG: icap_enable on|off
# If you want to enable the ICAP module support, set this to on.
#Default:
# icap_enable off
# TAG: icap_connect_timeout
# This parameter specifies how long to wait for the TCP connect to
# the requested ICAP server to complete before giving up and either
# terminating the HTTP transaction or bypassing the failure.
#
# The default for optional services is peer_connect_timeout.
# The default for essential services is connect_timeout.
# If this option is explicitly set, its value applies to all services.
#Default:
# none
# TAG: icap_io_timeout time-units
# This parameter specifies how long to wait for an I/O activity on
# an established, active ICAP connection before giving up and
# either terminating the HTTP transaction or bypassing the
# failure.
#Default:
# Use read_timeout.
# TAG: icap_service_failure_limit limit [in memory-depth time-units]
# The limit specifies the number of failures that Squid tolerates
# when establishing a new TCP connection with an ICAP service. If
# the number of failures exceeds the limit, the ICAP service is
# not used for new ICAP requests until it is time to refresh its
# OPTIONS.
#
# A negative value disables the limit. Without the limit, an ICAP
# service will not be considered down due to connectivity failures
# between ICAP OPTIONS requests.
#
# Squid forgets ICAP service failures older than the specified
# value of memory-depth. The memory fading algorithm
# is approximate because Squid does not remember individual
# errors but groups them instead, splitting the option
# value into ten time slots of equal length.
#
# When memory-depth is 0 and by default this option has no
# effect on service failure expiration.
#
# Squid always forgets failures when updating service settings
# using an ICAP OPTIONS transaction, regardless of this option
# setting.
#
# For example,
# # suspend service usage after 10 failures in 5 seconds:
# icap_service_failure_limit 10 in 5 seconds
#Default:
# icap_service_failure_limit 10
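# The following is an added illustrative model of the failure-memory rule
# described above; it is not Squid's own code. It keeps ten equal time
# slots of the configured memory-depth, so forgetting is approximate, and an
# OPTIONS refresh clears everything. Timestamps are plain floats supplied by
# the caller (an assumption made so the model runs offline).

```python
from dataclasses import dataclass, field

SLOTS = 10  # the memory-depth is split into ten time slots of equal length


@dataclass
class FailureMemory:
    """Model of 'icap_service_failure_limit limit [in memory-depth time-units]'.

    Individual failures are not remembered; each one is added to the newest
    time slot, and whole slots drop off once they are older than
    memory_depth. That is why expiry is approximate, as the text says.
    """
    limit: int                     # negative: never suspend on connect failures
    memory_depth: float = 0.0      # seconds; 0 (the default): failures never expire
    slots: list = field(default_factory=lambda: [0] * SLOTS)  # oldest first
    newest_slot_start: float = 0.0  # when the newest slot (slots[-1]) began
    suspended: bool = False

    def _age_slots(self, now):
        """Slide the window so that slots[-1] is the slot containing `now`."""
        if self.memory_depth <= 0:
            return
        slot_len = self.memory_depth / SLOTS
        elapsed = int((now - self.newest_slot_start) // slot_len)
        if elapsed <= 0:
            return
        shift = min(elapsed, SLOTS)
        self.slots = self.slots[shift:] + [0] * shift   # drop the oldest slots
        self.newest_slot_start += elapsed * slot_len

    def record_failure(self, now):
        """Count one TCP connect failure; True once the service is suspended."""
        self._age_slots(now)
        self.slots[-1] += 1
        if self.limit >= 0 and self.failures(now) > self.limit:
            self.suspended = True   # stays down until OPTIONS are refreshed
        return self.suspended

    def failures(self, now):
        """Failures still remembered at time `now`."""
        self._age_slots(now)
        return sum(self.slots)

    def options_refreshed(self):
        """An ICAP OPTIONS update always forgets failures, whatever the option says."""
        self.slots = [0] * SLOTS
        self.suspended = False
```

# With ‘10 in 5 seconds’, ten failures within a second leave the service up,
# the eleventh suspends it, and ten failures that are all older than five
# seconds are forgotten as one block.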
# TAG: icap_service_revival_delay
# The delay specifies the number of seconds to wait after an ICAP
# OPTIONS request failure before requesting the options again. The
# failed ICAP service is considered „down” until fresh OPTIONS are
# fetched.
#
# The actual delay cannot be smaller than the hardcoded minimum
# delay of 30 seconds.
#Default:
# icap_service_revival_delay 180
# TAG: icap_preview_enable on|off
# The ICAP Preview feature allows the ICAP server to handle the
# HTTP message by looking only at the beginning of the message body
# or even without receiving the body at all. In some environments,
# previews greatly speedup ICAP processing.
#
# During an ICAP OPTIONS transaction, the server may tell Squid what
# HTTP messages should be previewed and how big the preview should be.
# Squid will not use Preview if the server did not request one.
#
# To disable ICAP Preview for all ICAP services, regardless of
# individual ICAP server OPTIONS responses, set this option to „off”.
#Example:
#icap_preview_enable off
#Default:
# icap_preview_enable on
# TAG: icap_preview_size
# The default size of preview data to be sent to the ICAP server.
# This value might be overwritten on a per server basis by OPTIONS requests.
#Default:
# No preview sent.
# TAG: icap_206_enable on|off
# 206 (Partial Content) responses is an ICAP extension that allows the
# ICAP agents to optionally combine adapted and original HTTP message
# content. The decision to combine is postponed until the end of the
# ICAP response. Squid supports Partial Content extension by default.
#
# Activation of the Partial Content extension is negotiated with each
# ICAP service during OPTIONS exchange. Most ICAP servers should handle
# negotiation correctly even if they do not support the extension, but
# some might fail. To disable Partial Content support for all ICAP
# services and to avoid any negotiation, set this option to „off”.
#
# Example:
# icap_206_enable off
#Default:
# icap_206_enable on
# TAG: icap_default_options_ttl
# The default TTL value for ICAP OPTIONS responses that don’t have
# an Options-TTL header.
#Default:
# icap_default_options_ttl 60
# TAG: icap_persistent_connections on|off
# Whether or not Squid should use persistent connections to
# an ICAP server.
#Default:
# icap_persistent_connections on
# TAG: adaptation_send_client_ip on|off
# If enabled, Squid shares HTTP client IP information with adaptation
# services. For ICAP, Squid adds the X-Client-IP header to ICAP requests.
# For eCAP, Squid sets the libecap::metaClientIp transaction option.
#
# See also: adaptation_uses_indirect_client
#Default:
# adaptation_send_client_ip off
# TAG: adaptation_send_username on|off
# This sends authenticated HTTP client username (if available) to
# the adaptation service.
#
# For ICAP, the username value is encoded based on the
# icap_client_username_encode option and is sent using the header
# specified by the icap_client_username_header option.
#Default:
# adaptation_send_username off
# TAG: icap_client_username_header
# ICAP request header name to use for adaptation_send_username.
#Default:
# icap_client_username_header X-Client-Username
# TAG: icap_client_username_encode on|off
# Whether to base64 encode the authenticated client username.
#Default:
# icap_client_username_encode off
# TAG: icap_service
# Defines a single ICAP service using the following format:
#
# icap_service id vectoring_point uri [option …]
#
# id: ID
# an opaque identifier or name which is used to direct traffic to
# this specific service. Must be unique among all adaptation
# services in squid.conf.
#
# vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
# This specifies at which point of transaction processing the
# ICAP service should be activated. *_postcache vectoring points
# are not yet supported.
#
# uri: icap://servername:port/servicepath
# ICAP server and service location.
# icaps://servername:port/servicepath
# The „icap:” URI scheme is used for traditional ICAP server and
# service location (default port is 1344, connections are not
# encrypted). The „icaps:” URI scheme is for Secure ICAP
# services that use SSL/TLS-encrypted ICAP connections (by
# default, on port 11344).
#
# ICAP does not allow a single service to handle both REQMOD and RESPMOD
# transactions. Squid does not enforce that requirement. You can specify
# services with the same service_url and different vectoring_points. You
# can even specify multiple identical services as long as their
# service_names differ.
#
# To activate a service, use the adaptation_access directive. To group
# services, use adaptation_service_chain and adaptation_service_set.
#
# Service options are separated by white space. ICAP services support
# the following name=value options:
#
# bypass=on|off|1|0
# If set to ‘on’ or ‘1’, the ICAP service is treated as
# optional. If the service cannot be reached or malfunctions,
# Squid will try to ignore any errors and process the message as
# if the service was not enabled. Not all ICAP errors can be
# bypassed. If set to ‘off’ or ‘0’, the ICAP service is treated as
# essential and all ICAP errors will result in an error page
# returned to the HTTP client.
#
# Bypass is off by default: services are treated as essential.
#
# routing=on|off|1|0
# If set to ‘on’ or ‘1’, the ICAP service is allowed to
# dynamically change the current message adaptation plan by
# returning a chain of services to be used next. The services
# are specified using the X-Next-Services ICAP response header
# value, formatted as a comma-separated list of service names.
# Each named service should be configured in squid.conf. Other
# services are ignored. An empty X-Next-Services value results
# in an empty plan which ends the current adaptation.
#
# Dynamic adaptation plan may cross or cover multiple supported
# vectoring points in their natural processing order.
#
# Routing is not allowed by default: the ICAP X-Next-Services
# response header is ignored.
#
# ipv6=on|off
# Only has effect on split-stack systems. The default on those systems
# is to use IPv4-only connections. When set to ‘on’ this option will
# make Squid use IPv6-only connections to contact this ICAP service.
#
# on-overload=block|bypass|wait|force
# If the service Max-Connections limit has been reached, do
# one of the following for each new ICAP transaction:
# * block: send an HTTP error response to the client
# * bypass: ignore the „over-connected” ICAP service
# * wait: wait (in a FIFO queue) for an ICAP connection slot
# * force: proceed, ignoring the Max-Connections limit
#
# In SMP mode with N workers, each worker assumes the service
# connection limit is Max-Connections/N, even though not all
# workers may use a given service.
#
# The default value is „bypass” if service is bypassable,
# otherwise it is set to „wait”.
#
#
# max-conn=number
# Use the given number as the Max-Connections limit, regardless
# of the Max-Connections value given by the service, if any.
#
# connection-encryption=on|off
# Determines the ICAP service effect on the connections_encrypted
# ACL.
#
# The default is „on” for Secure ICAP services (i.e., those
# with the icaps:// service URIs scheme) and „off” for plain ICAP
# services.
#
# Does not affect ICAP connections (e.g., does not turn Secure
# ICAP on or off).
#
# ==== ICAPS / TLS OPTIONS ====
#
# These options are used for Secure ICAP (icaps://….) services only.
#
# tls-cert=/path/to/ssl/certificate
# A client X.509 certificate to use when connecting to
# this ICAP server.
#
# tls-key=/path/to/ssl/key
# The private key corresponding to the previous
# tls-cert= option.
#
# If tls-key= is not specified tls-cert= is assumed to
# reference a PEM file containing both the certificate
# and private key.
#
# tls-cipher=… The list of valid TLS/SSL ciphers to use when connecting
# to this icap server.
#
# tls-min-version=1.N
# The minimum TLS protocol version to permit. To control
# SSLv3 use the tls-options= parameter.
# Supported Values: 1.0 (default), 1.1, 1.2
#
# tls-options=… Specify various OpenSSL library options:
#
# NO_SSLv3 Disallow the use of SSLv3
#
# SINGLE_DH_USE
# Always create a new key when using
# temporary/ephemeral DH key exchanges
#
# ALL Enable various bug workarounds
# suggested as „harmless” by OpenSSL
# Be warned that this reduces SSL/TLS
# strength to some attacks.
#
# See the OpenSSL SSL_CTX_set_options documentation for a
# more complete list. Options relevant only to SSLv2 are
# not supported.
#
# tls-cafile= PEM file containing CA certificates to use when verifying
# the icap server certificate.
# Use to specify intermediate CA certificate(s) if not sent
# by the server. Or the full CA chain for the server when
# using the tls-default-ca=off flag.
# May be repeated to load multiple files.
#
# tls-capath=… A directory containing additional CA certificates to
# use when verifying the icap server certificate.
# Requires OpenSSL or LibreSSL.
#
# tls-crlfile=… A certificate revocation list file to use when
# verifying the icap server certificate.
#
# tls-flags=… Specify various flags modifying the Squid TLS implementation:
#
# DONT_VERIFY_PEER
# Accept certificates even if they fail to
# verify.
# DONT_VERIFY_DOMAIN
# Don’t verify the icap server certificate
# matches the server name
#
# tls-default-ca[=off]
# Whether to use the system Trusted CAs. Default is ON.
#
# tls-domain= The icap server name as advertised in its certificate.
# Used for verifying the correctness of the received icap
# server certificate. If not specified the icap server
# hostname extracted from ICAP URI will be used.
#
# Older icap_service format without optional named parameters is
# deprecated but supported for backward compatibility.
#
#Example:
#icap_service svcBlocker reqmod_precache icap://icap1.mydomain.net:1344/reqmod bypass=0
#icap_service svcLogger reqmod_precache icaps://icap2.mydomain.net:11344/reqmod routing=on
#Default:
# none
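# The following is an added example, not Squid's parser: it turns one
# icap_service line into a record and fills in the defaults the text above
# states (port 1344 for icap:// and 11344 for icaps://, bypass and routing
# off, on-overload derived from bypass, connection-encryption derived from
# the scheme). Two choices are this parser's own: it rejects *_postcache
# points because the text says they are unsupported, and it rejects tls-*
# options on plain icap:// services; Squid's reaction to either may differ.

```python
from urllib.parse import urlsplit

VECTORING_POINTS = {"reqmod_precache", "reqmod_postcache",
                    "respmod_precache", "respmod_postcache"}
DEFAULT_PORTS = {"icap": 1344, "icaps": 11344}   # plain ICAP vs Secure ICAP
BOOL = {"on": True, "1": True, "off": False, "0": False}
OVERLOAD_MODES = {"block", "bypass", "wait", "force"}


def parse_icap_service(line):
    """Parse 'icap_service id vectoring_point uri [option ...]' into a dict."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "icap_service":
        raise ValueError("expected: icap_service id vectoring_point uri [option ...]")
    _, sid, vpoint, uri, *opts = tokens
    if vpoint not in VECTORING_POINTS:
        raise ValueError(f"unknown vectoring point {vpoint!r}")
    if vpoint.endswith("_postcache"):
        raise ValueError("*_postcache vectoring points are not yet supported")
    u = urlsplit(uri)
    if u.scheme not in DEFAULT_PORTS or not u.hostname:
        raise ValueError(f"URI must be icap://host[:port]/path or icaps://..., got {uri!r}")
    secure = u.scheme == "icaps"
    svc = {
        "id": sid,
        "vectoring_point": vpoint,
        "method": "REQMOD" if vpoint.startswith("reqmod") else "RESPMOD",
        "secure": secure,
        "host": u.hostname,
        "port": u.port or DEFAULT_PORTS[u.scheme],
        "path": u.path,
        "bypass": False,                  # essential unless bypass=on|1
        "routing": False,                 # X-Next-Services ignored unless routing=on|1
        "ipv6": False,
        "max_conn": None,                 # None: honour the service's Max-Connections
        "on_overload": None,              # derived from bypass below unless given
        "connection_encryption": secure,  # on for icaps://, off for icap://
        "tls": {},                        # tls-* options, icaps:// only
    }
    for opt in opts:
        name, has_value, value = opt.partition("=")
        if name in ("bypass", "routing", "ipv6", "connection-encryption"):
            if value not in BOOL:
                raise ValueError(f"{name}= expects on|off|1|0, got {value!r}")
            svc[name.replace("-", "_")] = BOOL[value]
        elif name == "max-conn":
            svc["max_conn"] = int(value)
        elif name == "on-overload":
            if value not in OVERLOAD_MODES:
                raise ValueError(f"on-overload= expects block|bypass|wait|force, got {value!r}")
            svc["on_overload"] = value
        elif name.startswith("tls-"):
            if not secure:
                # this parser's choice: tls-* is documented for icaps:// only
                raise ValueError(f"{name} is only meaningful for icaps:// services")
            svc["tls"][name[4:]] = value if has_value else "on"   # tls-default-ca[=off]
        else:
            raise ValueError(f"unknown icap_service option {opt!r}")
    if svc["on_overload"] is None:
        svc["on_overload"] = "bypass" if svc["bypass"] else "wait"
    return svc
```

# Note what the defaults imply for the two example lines above: svcBlocker is
# essential, so an over-connected service makes transactions wait rather
# than pass unfiltered, while a bypass=1 service silently skips adaptation.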
# TAG: icap_class
# This deprecated option was documented to define an ICAP service
# chain, even though it actually defined a set of similar, redundant
# services, and the chains were not supported.
#
# To define a set of redundant services, please use the
# adaptation_service_set directive. For service chains, use
# adaptation_service_chain.
#Default:
# none
# TAG: icap_access
# This option is deprecated. Please use adaptation_access, which
# has the same ICAP functionality, but comes with better
# documentation, and eCAP support.
#Default:
# none
# eCAP OPTIONS
# -----------------------------------------------------------------------------
# TAG: ecap_enable on|off
# Controls whether eCAP support is enabled.
#Default:
# ecap_enable off
# TAG: ecap_service
# Defines a single eCAP service
#
# ecap_service id vectoring_point uri [option …]
#
# id: ID
# an opaque identifier or name which is used to direct traffic to
# this specific service. Must be unique among all adaptation
# services in squid.conf.
#
# vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
# This specifies at which point of transaction processing the
# eCAP service should be activated. *_postcache vectoring points
# are not yet supported.
#
# uri: ecap://vendor/service_name?custom&cgi=style&parameters=optional
# Squid uses the eCAP service URI to match this configuration
# line with one of the dynamically loaded services. Each loaded
# eCAP service must have a unique URI. Obtain the right URI from
# the service provider.
#
# To activate a service, use the adaptation_access directive. To group
# services, use adaptation_service_chain and adaptation_service_set.
#
# Service options are separated by white space. eCAP services support
# the following name=value options:
#
# bypass=on|off|1|0
# If set to ‘on’ or ‘1’, the eCAP service is treated as optional.
# If the service cannot be reached or malfunctions, Squid will try
# to ignore any errors and process the message as if the service
# was not enabled. Not all eCAP errors can be bypassed.
# If set to ‘off’ or ‘0’, the eCAP service is treated as essential
# and all eCAP errors will result in an error page returned to the
# HTTP client.
#
# Bypass is off by default: services are treated as essential.
#
# routing=on|off|1|0
# If set to ‘on’ or ‘1’, the eCAP service is allowed to
# dynamically change the current message adaptation plan by
# returning a chain of services to be used next.
#
# Dynamic adaptation plan may cross or cover multiple supported
# vectoring points in their natural processing order.
#
# Routing is not allowed by default.
#
# connection-encryption=on|off
# Determines the eCAP service effect on the connections_encrypted
# ACL.
#
# Defaults to „on”, which does not taint the master transaction
# w.r.t. that ACL.
#
# Does not affect eCAP API calls.
#
# Older ecap_service format without optional named parameters is
# deprecated but supported for backward compatibility.
#
#
#Example:
#ecap_service s1 reqmod_precache ecap://filters.R.us/leakDetector?on_error=block bypass=off
#ecap_service s2 respmod_precache ecap://filters.R.us/virusFilter config=/etc/vf.cfg bypass=on
#Default:
# none
# TAG: loadable_modules
# Instructs Squid to load the specified dynamic module(s) or activate
# preloaded module(s).
#Example:
#loadable_modules /usr/lib/MinimalAdapter.so
#Default:
# none
# MESSAGE ADAPTATION OPTIONS
# -----------------------------------------------------------------------------
# TAG: adaptation_service_set
#
# Configures an ordered set of similar, redundant services. This is
# useful when hot standby or backup adaptation servers are available.
#
# adaptation_service_set set_name service_name1 service_name2 …
#
# The named services are used in the set declaration order. The first
# applicable adaptation service from the set is used first. The next
# applicable service is tried if and only if the transaction with the
# previous service fails and the message waiting to be adapted is still
# intact.
#
# When adaptation starts, broken services are ignored as if they were
# not a part of the set. A broken service is a down optional service.
#
# The services in a set must be attached to the same vectoring point
# (e.g., pre-cache) and use the same adaptation method (e.g., REQMOD).
#
# If all services in a set are optional then adaptation failures are
# bypassable. If all services in the set are essential, then a
# transaction failure with one service may still be retried using
# another service from the set, but when all services fail, the master
# transaction fails as well.
#
# A set may contain a mix of optional and essential services, but that
# is likely to lead to surprising results because broken services become
# ignored (see above), making previously bypassable failures fatal.
# Technically, it is the bypassability of the last failed service that
# matters.
#
# See also: adaptation_access adaptation_service_chain
#
#Example:
#adaptation_service_set svcBlocker urlFilterPrimary urlFilterBackup
#adaptation_service_set svcLogger loggerLocal loggerRemote
#Default:
# none
# TAG: adaptation_service_chain
#
# Configures a list of complementary services that will be applied
# one-by-one, forming an adaptation chain or pipeline. This is useful
# when Squid must perform different adaptations on the same message.
#
# adaptation_service_chain chain_name service_name1 svc_name2 …
#
# The named services are used in the chain declaration order. The first
# applicable adaptation service from the chain is used first. The next
# applicable service is applied to the successful adaptation results of
# the previous service in the chain.
#
# When adaptation starts, broken services are ignored as if they were
# not a part of the chain. A broken service is a down optional service.
#
# Request satisfaction terminates the adaptation chain because Squid
# does not currently allow declaration of RESPMOD services at the
# „reqmod_precache” vectoring point (see icap_service or ecap_service).
#
# The services in a chain must be attached to the same vectoring point
# (e.g., pre-cache) and use the same adaptation method (e.g., REQMOD).
#
# A chain may contain a mix of optional and essential services. If an
# essential adaptation fails (or the failure cannot be bypassed for
# other reasons), the master transaction fails. Otherwise, the failure
# is bypassed as if the failed adaptation service was not in the chain.
#
# See also: adaptation_access adaptation_service_set
#
#Example:
#adaptation_service_chain svcRequest requestLogger urlFilter leakDetector
#Default:
# none
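# The following is an added model of the set and chain semantics described
# under adaptation_service_set and adaptation_service_chain above; it is not
# Squid's code. A service is represented by whether it is optional
# (bypass=on), known down, and whether a transaction with it fails. It
# shows the ‘surprising’ mixed-set case: a broken optional primary is
# skipped, so the essential backup's failure becomes fatal, because only
# the bypassability of the last failed service matters.

```python
from dataclasses import dataclass


@dataclass
class Service:
    name: str
    bypass: bool = False   # bypass=on makes the service optional
    down: bool = False     # currently down (e.g. over icap_service_failure_limit)
    fails: bool = False    # the adaptation transaction with this service fails

    @property
    def broken(self):
        """'A broken service is a down optional service.'"""
        return self.down and self.bypass


def run_set(services):
    """adaptation_service_set: redundant services, first working one wins.
    Returns ('adapted', name), ('bypassed', None) or ('failed', name)."""
    last_failed = None
    for svc in services:
        if svc.broken:
            continue                       # ignored as if not in the set
        if not svc.fails:
            return ("adapted", svc.name)
        last_failed = svc                  # message intact: try the next one
    if last_failed is None:
        return ("bypassed", None)          # nothing applicable, no adaptation
    # the bypassability of the LAST failed service decides the outcome
    return ("bypassed", None) if last_failed.bypass else ("failed", last_failed.name)


def run_chain(services):
    """adaptation_service_chain: pipeline, each non-broken service in turn.
    Returns ('adapted', [applied names]) or ('failed', name)."""
    applied = []
    for svc in services:
        if svc.broken:
            continue                       # ignored as if not in the chain
        if svc.fails:
            if not svc.bypass:
                return ("failed", svc.name)   # essential adaptation failed
            continue                       # bypassed as if it were not in the chain
        applied.append(svc.name)
    return ("adapted", applied)
```

# When building a set for a security control (a URL filter, a scanner),
# keep every member essential: mixing in an optional member does not make
# the control more robust, it only changes which failure is fatal.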
# TAG: adaptation_access
# Sends an HTTP transaction to an ICAP or eCAP adaptation service.
#
# adaptation_access service_name allow|deny [!]aclname…
# adaptation_access set_name allow|deny [!]aclname…
#
# At each supported vectoring point, the adaptation_access
# statements are processed in the order they appear in this
# configuration file. Statements pointing to the following services
# are ignored (i.e., skipped without checking their ACL):
#
# – services serving different vectoring points
# – „broken-but-bypassable” services
# – „up” services configured to ignore such transactions
# (e.g., based on the ICAP Transfer-Ignore header).
#
# When a set_name is used, all services in the set are checked
# using the same rules, to find the first applicable one. See
# adaptation_service_set for details.
#
# If an access list is checked and there is a match, the
# processing stops: For an „allow” rule, the corresponding
# adaptation service is used for the transaction. For a „deny”
# rule, no adaptation service is activated.
#
# It is currently not possible to apply more than one adaptation
# service at the same vectoring point to the same HTTP transaction.
#
# See also: icap_service and ecap_service
#
#Example:
#adaptation_access service_1 allow all
#Default:
# Allow, unless rules exist in squid.conf.
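# The following is an added model of the adaptation_access evaluation order
# described above, with a constructed sample configuration; it is not
# Squid's code. Statements whose service (or every service in whose set) is
# inapplicable are skipped without an ACL check, the first matching ACL line
# decides, and ‘!’ negates one ACL name. One modelling choice: when rules
# exist but none matches, no service is activated.

```python
def applicable(svc, vpoint, txn):
    """Whether a service's adaptation_access line is checked at all.
    Skipped: other vectoring points, broken-but-bypassable services, and
    up services that ignore this transaction (e.g. via ICAP Transfer-Ignore)."""
    if svc["vpoint"] != vpoint:
        return False
    if svc["down"] and svc["bypass"]:
        return False
    ignores = svc.get("ignores")
    if not svc["down"] and ignores is not None and ignores(txn):
        return False
    return True


def acl_line_matches(acl_names, txn, acls):
    """All ACL names on one line must match (AND); a leading '!' negates one."""
    for name in acl_names:
        negated = name.startswith("!")
        if acls[name.lstrip("!")](txn) == negated:
            return False
    return True


def select_adaptation(rules, services, sets, acls, vpoint, txn):
    """First-match evaluation of adaptation_access at one vectoring point.
    rules: [(service_or_set_name, 'allow'|'deny', [acl, ...])] in file order.
    Returns the allowed service/set name, or None for no adaptation."""
    for target, verdict, acl_names in rules:
        members = sets.get(target, [target])
        if not any(applicable(services[m], vpoint, txn) for m in members):
            continue                       # skipped without checking the ACLs
        if acl_line_matches(acl_names, txn, acls):
            return target if verdict == "allow" else None
    return None


# Constructed sample configuration (not from the page).
SERVICES = {
    "urlFilter": {"vpoint": "reqmod_precache", "bypass": False, "down": False},
    "urlFilterBackup": {"vpoint": "reqmod_precache", "bypass": False, "down": False},
    "av": {"vpoint": "respmod_precache", "bypass": False, "down": False,
           "ignores": lambda txn: txn.get("content_type") == "image/png"},
    "logger": {"vpoint": "reqmod_precache", "bypass": True, "down": True},
}
SETS = {"svcBlocker": ["urlFilter", "urlFilterBackup"]}
ACLS = {
    "all": lambda txn: True,
    "internal": lambda txn: txn["src"].startswith("10."),
}
RULES = [
    ("logger", "allow", ["all"]),          # broken-but-bypassable: skipped
    ("av", "allow", ["all"]),              # only applies at respmod_precache
    ("svcBlocker", "deny", ["!internal"]),  # external clients: no URL filtering
    ("svcBlocker", "allow", ["all"]),
]
```

# The deny line for external clients is deliberately placed before the allow
# line: order is what makes the exception effective, exactly as with http_access.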
# TAG: adaptation_service_iteration_limit
# Limits the number of iterations allowed when applying adaptation
# services to a message. If your longest adaptation set or chain
# may have more than 16 services, increase the limit beyond its
# default value of 16. If detecting infinite iteration loops sooner
# is critical, make the iteration limit match the actual number
# of services in your longest adaptation set or chain.
#
# Infinite adaptation loops are most likely with routing services.
#
# See also: icap_service routing=1
#Default:
# adaptation_service_iteration_limit 16
# TAG: adaptation_masterx_shared_names
# For each master transaction (i.e., the HTTP request and response
# sequence, including all related ICAP and eCAP exchanges), Squid
# maintains a table of metadata. The table entries are (name, value)
# pairs shared among eCAP and ICAP exchanges. The table is destroyed
# with the master transaction.
#
# This option specifies the table entry names that Squid must accept
# from and forward to the adaptation transactions.
#
# An ICAP REQMOD or RESPMOD transaction may set an entry in the
# shared table by returning an ICAP header field with a name
# specified in adaptation_masterx_shared_names.
#
# An eCAP REQMOD or RESPMOD transaction may set an entry in the
# shared table by implementing the libecap::visitEachOption() API
# to provide an option with a name specified in
# adaptation_masterx_shared_names.
#
# Squid will store and forward the set entry to subsequent adaptation
# transactions within the same master transaction scope.
#
# Only one shared entry name is supported at this time.
#
#Example:
## share authentication information among ICAP services
#adaptation_masterx_shared_names X-Subscriber-ID
#Default:
# none
# TAG: adaptation_meta
# This option allows Squid administrator to add custom ICAP request
# headers or eCAP options to Squid ICAP requests or eCAP transactions.
# Use it to pass custom authentication tokens and other
# transaction-state related meta information to an ICAP/eCAP service.
#
# The addition of a meta header is ACL-driven:
# adaptation_meta name value [!]aclname …
#
# Processing for a given header name stops after the first ACL list match.
# Thus, it is impossible to add two headers with the same name. If no ACL
# lists match for a given header name, no such header is added. For
# example:
#
# # do not debug transactions except for those that need debugging
# adaptation_meta X-Debug 1 needs_debugging
#
# # log all transactions except for those that must remain secret
# adaptation_meta X-Log 1 !keep_secret
#
# # mark transactions from users in the "G 1" group
# adaptation_meta X-Authenticated-Groups "G 1" authed_as_G1
#
# The "value" parameter may be a regular squid.conf token or a "double
# quoted string". Within the quoted string, use backslash (\) to escape
# any character, which is currently only useful for escaping backslashes
# and double quotes. For example,
# "this string has one backslash (\\) and two \"quotes\""
#
# Used adaptation_meta header values may be logged via %note
# logformat code. If multiple adaptation_meta headers with the same name
# are used during master transaction lifetime, the header values are
# logged in the order they were used and duplicate values are ignored
# (only the first repeated value will be logged).
#Default:
# none
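# The following is an added example, not Squid's configuration parser: it
# splits the value token of an adaptation_meta line (bare token or double
# quoted string with backslash escapes) and applies the first-match-per-name
# rule above to a transaction. The sample lines follow the page's examples;
# the ACL callables are constructed for the example.

```python
def parse_value(text):
    """Split the 'value' parameter off the front of `text`: either a bare
    squid.conf token or a "double quoted string" in which a backslash
    escapes the next character. Returns (value, remainder)."""
    text = text.lstrip()
    if not text.startswith('"'):
        parts = text.split(None, 1)
        if not parts:
            raise ValueError("missing value")
        return parts[0], (parts[1] if len(parts) > 1 else "")
    out, i = [], 1
    while i < len(text):
        ch = text[i]
        if ch == "\\":
            if i + 1 >= len(text):
                raise ValueError("dangling backslash in quoted value")
            out.append(text[i + 1])    # escaped character taken literally
            i += 2
        elif ch == '"':
            return "".join(out), text[i + 1:]
        else:
            out.append(ch)
            i += 1
    raise ValueError("unterminated quoted value")


def parse_adaptation_meta(line):
    """'adaptation_meta name value [!]aclname ...' -> (name, value, [acl names])."""
    directive, name, rest = line.split(None, 2)
    if directive != "adaptation_meta":
        raise ValueError(f"not an adaptation_meta line: {line!r}")
    value, rest = parse_value(rest)
    acl_names = rest.split()
    if not acl_names:
        raise ValueError("adaptation_meta needs at least one ACL name")
    return name, value, acl_names


def meta_headers(lines, txn, acls):
    """Headers added to one ICAP request: per header name, the first line
    whose ACL list matches wins; names with no matching line are omitted."""
    headers = {}
    for line in lines:
        name, value, acl_names = parse_adaptation_meta(line)
        if name in headers:
            continue    # processing for this name stopped at its first match
        if all(acls[a.lstrip("!")](txn) != a.startswith("!") for a in acl_names):
            headers[name] = value
    return headers


# Constructed sample configuration, following the page's examples.
SAMPLE_LINES = [
    'adaptation_meta X-Debug 1 needs_debugging',
    'adaptation_meta X-Log 1 !keep_secret',
    'adaptation_meta X-Log 0 all',
    'adaptation_meta X-Authenticated-Groups "G 1" authed_as_G1',
]
SAMPLE_ACLS = {
    "all": lambda t: True,
    "needs_debugging": lambda t: t.get("debug", False),
    "keep_secret": lambda t: t.get("secret", False),
    "authed_as_G1": lambda t: "G 1" in t.get("groups", ()),
}
```

# Because the first match per name wins, a catch-all line such as
# ‘adaptation_meta X-Log 0 all’ must come after the more specific lines or
# it masks them.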
# TAG: icap_retry
# This ACL determines which retriable ICAP transactions are
# retried. Transactions that received a complete ICAP response
# and did not have to consume or produce HTTP bodies to receive
# that response are usually retriable.
#
# icap_retry allow|deny [!]aclname …
#
# Squid automatically retries some ICAP I/O timeouts and errors
# due to persistent connection race conditions.
#
# See also: icap_retry_limit
#Default:
# icap_retry deny all
# TAG: icap_retry_limit
# Limits the number of retries allowed.
#
# Communication errors due to persistent connection race
# conditions are unavoidable, automatically retried, and do not
# count against this limit.
#
# See also: icap_retry
#Default:
# No retries are allowed.
# DNS OPTIONS
# -----------------------------------------------------------------------------
# TAG: check_hostnames
# For security and stability reasons Squid can check
# hostnames for Internet standard RFC compliance. If you want
# Squid to perform these checks turn this directive on.
#Default:
# check_hostnames off
# TAG: allow_underscore
# Underscore characters are not strictly allowed in Internet hostnames
# but are nevertheless used by many sites. Set this to off if you want
# Squid to be strict about the standard.
# This check is performed only when check_hostnames is set to on.
#Default:
# allow_underscore on
# TAG: dns_retransmit_interval
# Initial retransmit interval for DNS queries. The interval is
# doubled each time all configured DNS servers have been tried.
#Default:
# dns_retransmit_interval 5 seconds
# TAG: dns_timeout
# DNS Query timeout. If no response is received to a DNS query
# within this time all DNS servers for the queried domain
# are assumed to be unavailable.
#Default:
# dns_timeout 30 seconds
# TAG: dns_packet_max
# Maximum number of bytes packet size to advertise via EDNS.
# Set to „none” to disable EDNS large packet support.
#
# For legacy reasons DNS UDP replies will default to 512 bytes which
# is too small for many responses. EDNS provides a means for Squid to
# negotiate receiving larger responses back immediately without having
# to failover with repeat requests. Responses larger than this limit
# will retain the old behaviour of failover to TCP DNS.
#
# Squid has no real fixed limit internally, but allowing packet sizes
# over 1500 bytes requires network jumbogram support and is usually not
# necessary.
#
# WARNING: The RFC also indicates that some older resolvers will reply
# with failure of the whole request if the extension is added. Some
# resolvers have already been identified which will reply with mangled
# EDNS response on occasion. Usually in response to many-KB jumbogram
# sizes being advertised by Squid.
# Squid will currently treat these both as an unable-to-resolve domain
# even if it would be resolvable without EDNS.
#Default:
# EDNS disabled
# TAG: dns_defnames on|off
# Normally the RES_DEFNAMES resolver option is disabled
# (see res_init(3)). This prevents caches in a hierarchy
# from interpreting single-component hostnames locally. To allow
# Squid to handle single-component names, enable this option.
#Default:
# Search for single-label domain names is disabled.
# TAG: dns_multicast_local on|off
# When set to on, Squid sends multicast DNS lookups on the local
# network for domains ending in .local and .arpa.
# This enables local servers and devices to be contacted in an
# ad-hoc or zero-configuration network environment.
#Default:
# Search for .local and .arpa names is disabled.
# TAG: dns_nameservers
# Use this if you want to specify a list of DNS name servers
# (IP addresses) to use instead of those given in your
# /etc/resolv.conf file.
#
# On Windows platforms, if no value is specified here or in
# the /etc/resolv.conf file, the list of DNS name servers are
# taken from the Windows registry, both static and dynamic DHCP
# configurations are supported.
#
# Example: dns_nameservers 10.0.0.1 192.172.0.4
#Default:
# Use operating system definitions
# TAG: hosts_file
# Location of the host-local IP name-address associations
# database. Most Operating Systems have such a file on different
# default locations:
# – Un*X & Linux: /etc/hosts
# – Windows NT/2000: %SystemRoot%\system32\drivers\etc\hosts
# (%SystemRoot% value install default is c:\winnt)
# – Windows XP/2003: %SystemRoot%\system32\drivers\etc\hosts
# (%SystemRoot% value install default is c:\windows)
# – Windows 9x/Me: %windir%\hosts
# (%windir% value is usually c:\windows)
# – Cygwin: /etc/hosts
#
# The file contains newline-separated definitions of the
# form ‘ip_address_in_dotted_form name [name …]’; the names
# are whitespace-separated. Lines beginning with a hash (#)
# character are comments.
#
# The file is checked at startup and upon configuration.
# If set to ‘none’, it won’t be checked.
# If append_domain is used, that domain will be added to
# domain-local (i.e. not containing any dot character) host
# definitions.
#Default:
# hosts_file /etc/hosts
# TAG: append_domain
# Appends local domain name to hostnames without any dots in
# them. append_domain must begin with a period.
#
# Be warned there are now Internet names with no dots in
# them using only top-domain names, so setting this may
# cause some Internet sites to become unavailable.
#
#Example:
# append_domain .yourdomain.com
#Default:
# Use operating system definitions
# TAG: ignore_unknown_nameservers
# By default Squid checks that DNS responses are received
# from the same IP addresses they are sent to. If they
# don’t match, Squid ignores the response and writes a warning
# message to cache.log. You can allow responses from unknown
# nameservers by setting this option to ‘off’.
#Default:
# ignore_unknown_nameservers on
# TAG: ipcache_size (number of entries)
# Maximum number of DNS IP cache entries.
#Default:
# ipcache_size 1024
# TAG: ipcache_low (percent)
#Default:
# ipcache_low 90
# TAG: ipcache_high (percent)
# The size, low-, and high-water marks for the IP cache.
#Default:
# ipcache_high 95
# TAG: fqdncache_size (number of entries)
# Maximum number of FQDN cache entries.
#Default:
# fqdncache_size 1024
# MISCELLANEOUS
# -----------------------------------------------------------------------------
# TAG: configuration_includes_quoted_values on|off
# If set, Squid will recognize each „quoted string” after a configuration
# directive as a single parameter. The quotes are stripped before the
# parameter value is interpreted or used.
# See „Values with spaces, quotes, and other special characters”
# section for more details.
#Default:
# configuration_includes_quoted_values off
# TAG: memory_pools on|off
# If set, Squid will keep pools of allocated (but unused) memory
# available for future use. If memory is a premium on your
# system and you believe your malloc library outperforms Squid
# routines, disable this.
#Default:
# memory_pools on
# TAG: memory_pools_limit (bytes)
# Used only with memory_pools on:
# memory_pools_limit 50 MB
#
# If set to a non-zero value, Squid will keep at most the specified
# limit of allocated (but unused) memory in memory pools. All free()
# requests that exceed this limit will be handled by your malloc
# library. Squid does not pre-allocate any memory, just safe-keeps
# objects that otherwise would be free()d. Thus, it is safe to set
# memory_pools_limit to a reasonably high value even if your
# configuration will use less memory.
#
# If set to none, Squid will keep all memory it can. That is, there
# will be no limit on the total amount of memory used for safe-keeping.
#
# To disable memory allocation optimization, do not set
# memory_pools_limit to 0 or none. Set memory_pools to „off” instead.
#
# An overhead for maintaining memory pools is not taken into account
# when the limit is checked. This overhead is close to four bytes per
# object kept. However, pools may actually _save_ memory because of
# reduced memory thrashing in your malloc library.
#Default:
# memory_pools_limit 5 MB
# TAG: forwarded_for on|off|transparent|truncate|delete
# If set to „on”, Squid will append the client’s IP address to the
# X-Forwarded-For header of the HTTP requests it forwards. By default it looks like:
#
# X-Forwarded-For: 192.1.2.3
#
# If set to „off”, it will appear as
#
# X-Forwarded-For: unknown
#
# If set to „transparent”, Squid will not alter the
# X-Forwarded-For header in any way.
#
# If set to „delete”, Squid will delete the entire
# X-Forwarded-For header.
#
# If set to „truncate”, Squid will remove all existing
# X-Forwarded-For entries, and place the client IP as the sole entry.
#Default:
# forwarded_for on
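# The following is an added example, not Squid's code: it computes the
# outgoing X-Forwarded-For value for each mode and shows why the choice
# matters when the client itself sends a forged header. One assumption: in
# „off” mode the literal „unknown” is appended to an existing list the same
# way „on” appends the address.

```python
def forwarded_for(mode, client_ip, incoming=None):
    """Outgoing X-Forwarded-For for a request from `client_ip` that arrived
    carrying `incoming` (the header the client sent, possibly forged) or
    None. Returns None when the header is removed."""
    if mode == "on":
        return f"{incoming}, {client_ip}" if incoming else client_ip
    if mode == "off":
        return f"{incoming}, unknown" if incoming else "unknown"   # assumption
    if mode == "transparent":
        return incoming                  # passed through untouched
    if mode == "delete":
        return None                      # header dropped entirely
    if mode == "truncate":
        return client_ip                 # forged entries discarded
    raise ValueError(f"unknown forwarded_for mode {mode!r}")


def first_hop(xff):
    """What a naive upstream does: trust the leftmost entry as the real client."""
    return None if xff is None else xff.split(",")[0].strip()
```

# With the default „on”, a client that sends its own X-Forwarded-For keeps
# that forged entry at the front of the list, so an upstream that reads the
# first address is fooled; „truncate” or „delete” removes the attacker's
# entry, and an upstream should in any case only trust entries appended by
# proxies it knows.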
# TAG: cachemgr_passwd
# Specify passwords for cachemgr operations.
#
# Usage: cachemgr_passwd password action action …
#
# Some valid actions are (see cache manager menu for a full list):
# 5min
# 60min
# asndb
# authenticator
# cbdata
# client_list
# comm_incoming
# config *
# counters
# delay
# digest_stats
# dns
# events
# filedescriptors
# fqdncache
# histograms
# http_headers
# info
# io
# ipcache
# mem
# menu
# netdb
# non_peers
# objects
# offline_toggle *
# pconn
# peer_select
# reconfigure *
# redirector
# refresh
# server_list
# shutdown *
# store_digest
# storedir
# utilization
# via_headers
# vm_objects
#
# * Indicates actions which will not be performed without a
# valid password, others can be performed if not listed here.
#
# To disable an action, set the password to "disable".
# To allow performing an action without a password, set the
# password to "none".
#
# Use the keyword "all" to set the same password for all actions.
#
#Example:
# cachemgr_passwd secret shutdown
# cachemgr_passwd lesssssssecret info stats/objects
# cachemgr_passwd disable all
#Default:
# No password. Actions which require password are denied.
# TAG: client_db on|off
# If you want to disable collecting per-client statistics,
# turn off client_db here.
#Default:
# client_db on
# TAG: refresh_all_ims on|off
# When you enable this option, squid will always check
# the origin server for an update when a client sends an
# If-Modified-Since request. Many browsers use IMS
# requests when the user requests a reload, and this
# ensures those clients receive the latest version.
#
# By default (off), squid may return a Not Modified response
# based on the age of the cached version.
#Default:
# refresh_all_ims off
# TAG: reload_into_ims on|off
# When you enable this option, client no-cache or "reload"
# requests will be changed to If-Modified-Since requests.
# Doing this VIOLATES the HTTP standard. Enabling this
# feature could make you liable for problems which it
# causes.
#
# see also refresh_pattern for a more selective approach.
#Default:
# reload_into_ims off
# TAG: connect_retries
# Limits the number of reopening attempts when establishing a single
# TCP connection. All these attempts must still complete before the
# applicable connection opening timeout expires.
#
# By default and when connect_retries is set to zero, Squid does not
# retry failed connection opening attempts.
#
# The (not recommended) maximum is 10 tries. An attempt to configure a
# higher value results in the value of 10 being used (with a warning).
#
# Squid may open connections to retry various high-level forwarding
# failures. For an outside observer, that activity may look like a
# low-level connection reopening attempt, but those high-level retries
# are governed by forward_max_tries instead.
#
# See also: connect_timeout, forward_timeout, icap_connect_timeout,
# ident_timeout, and forward_max_tries.
#Default:
# Do not retry failed connections.
# TAG: retry_on_error
# If set to ON Squid will automatically retry requests when
# receiving an error response with status 403 (Forbidden),
# 500 (Internal Error), 501 or 503 (Service not available).
# Status 502 and 504 (Gateway errors) are always retried.
#
# This is mainly useful if you are in a complex cache hierarchy to
# work around access control errors.
#
# NOTE: This retry will attempt to find another working destination,
# one different from the server which just failed.
#Default:
# retry_on_error off
# TAG: as_whois_server
# WHOIS server to query for AS numbers. NOTE: AS numbers are
# queried only when Squid starts up, not for every request.
#Default:
# as_whois_server whois.ra.net
# TAG: offline_mode
# Enable this option and Squid will never try to validate cached
# objects.
#Default:
# offline_mode off
# TAG: uri_whitespace
# What to do with requests that have whitespace characters in the
# URI. Options:
#
# strip: The whitespace characters are stripped out of the URL.
# This is the behavior recommended by RFC2396 and RFC3986
# for tolerant handling of generic URI.
# NOTE: This is one difference between generic URI and HTTP URLs.
#
# deny: The request is denied. The user receives an "Invalid
# Request" message.
# This is the behaviour recommended by RFC2616 for safe
# handling of HTTP request URL.
#
# allow: The request is allowed and the URI is not changed. The
# whitespace characters remain in the URI. Note the
# whitespace is passed to redirector processes if they
# are in use.
# Note this may be considered a violation of RFC2616
# request parsing where whitespace is prohibited in the
# URL field.
#
# encode: The request is allowed and the whitespace characters are
# encoded according to RFC1738.
#
# chop: The request is allowed and the URI is chopped at the
# first whitespace.
#
#
# NOTE the current Squid implementation of encode and chop violates
# RFC2616 by not using a 301 redirect after altering the URL.
#Default:
# uri_whitespace strip
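#
# Added example (not Squid's own code): a small Python model of the five
# uri_whitespace modes, showing what URL each mode hands on to the next
# stage (redirector or origin) for a constructed request URI. It assumes
# the ASCII whitespace set in WHITESPACE and models "deny" as a rejected
# request that forwards nothing.

```python
"""Model of Squid's uri_whitespace modes: strip, deny, allow, encode, chop.

Added example, not Squid's own code. Assumptions: "whitespace" means the
ASCII characters in WHITESPACE below, and "deny" is modelled as a
rejected request (the client gets the "Invalid Request" message, nothing
is forwarded).
"""
from typing import Dict, Optional, Tuple

WHITESPACE = " \t\r\n\v\f"   # assumed set of whitespace characters
MODES = ("strip", "deny", "allow", "encode", "chop")


def apply_uri_whitespace(uri: str, mode: str) -> Tuple[bool, Optional[str]]:
    """Return (request_accepted, uri_after_processing) for one mode.

    A URI without whitespace is passed through unchanged by every mode.
    """
    if mode not in MODES:
        raise ValueError(f"unknown uri_whitespace mode: {mode}")
    if not any(c in WHITESPACE for c in uri):
        return True, uri
    if mode == "strip":
        # whitespace removed, the tolerant handling RFC 2396/3986 suggest
        return True, "".join(c for c in uri if c not in WHITESPACE)
    if mode == "deny":
        # the client receives an "Invalid Request" error; nothing is forwarded
        return False, None
    if mode == "allow":
        # raw whitespace survives and reaches redirectors unchanged
        return True, uri
    if mode == "encode":
        # RFC 1738 %XX encoding of each whitespace octet
        return True, "".join(f"%{ord(c):02X}" if c in WHITESPACE else c
                             for c in uri)
    # chop: everything from the first whitespace character onwards is discarded
    first = min(i for i, c in enumerate(uri) if c in WHITESPACE)
    return True, uri[:first]


def compare_modes(uri: str) -> Dict[str, Optional[str]]:
    """Run every mode on the same URI; None marks a denied request."""
    return {mode: apply_uri_whitespace(uri, mode)[1] for mode in MODES}


if __name__ == "__main__":
    # constructed sample: a space inside the path and a tab before the query
    sample = "http://example.test/some path\t?q=1"
    for mode, result in compare_modes(sample).items():
        print(f"{mode:7s} -> {result!r}")
```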
# TAG: chroot
# Specifies a directory where Squid should do a chroot() while
# initializing. This also causes Squid to fully drop root
# privileges after initializing. This means, for example, if you
# use a HTTP port less than 1024 and try to reconfigure, you may
# get an error saying that Squid can not open the port.
#Default:
# none
# TAG: pipeline_prefetch
# HTTP clients may send a pipeline of 1+N requests to Squid using a
# single connection, without waiting for Squid to respond to the first
# of those requests. This option limits the number of concurrent
# requests Squid will try to handle in parallel. If set to N, Squid
# will try to receive and process up to 1+N requests on the same
# connection concurrently.
#
# Defaults to 0 (off) for bandwidth management and access logging
# reasons.
#
# NOTE: pipelining requires persistent connections to clients.
#
# WARNING: pipelining breaks NTLM and Negotiate/Kerberos authentication.
#Default:
# Do not pre-parse pipelined requests.
# TAG: high_response_time_warning (msec)
# If the one-minute median response time exceeds this value,
# Squid prints a WARNING with debug level 0 to get the
# administrator's attention. The value is in milliseconds.
#Default:
# disabled.
# TAG: high_page_fault_warning
# If the one-minute average page fault rate exceeds this
# value, Squid prints a WARNING with debug level 0 to get
# the administrator's attention. The value is in page faults
# per second.
#Default:
# disabled.
# TAG: high_memory_warning
# Note: This option is only available if Squid is rebuilt with the
# GNU Malloc with mstats()
#
# If the memory usage (as determined by gnumalloc, if available and used)
# exceeds this amount, Squid prints a WARNING with debug level 0 to get
# the administrator's attention.
#Default:
# disabled.
# TAG: sleep_after_fork (microseconds)
# When this is set to a non-zero value, the main Squid process
# sleeps the specified number of microseconds after a fork()
# system call. This sleep may help the situation where your
# system reports fork() failures due to lack of (virtual)
# memory. Note, however, if you have a lot of child
# processes, these sleep delays will add up and your
# Squid will not service requests for some amount of time
# until all the child processes have been started.
# On Windows, values less than 1000 (1 millisecond) are
# rounded to 1000.
#Default:
# sleep_after_fork 0
# TAG: windows_ipaddrchangemonitor on|off
# Note: This option is only available if Squid is rebuilt with the
# MS Windows
#
# On Windows Squid by default will monitor IP address changes and will
# reconfigure itself after any detected event. This is very useful for
# proxies connected to internet with dial-up interfaces.
# In some cases (a Proxy server acting as VPN gateway is one) it could be
# desirable to disable this behaviour by setting this to "off".
# Note: after changing this, Squid service must be restarted.
#Default:
# windows_ipaddrchangemonitor on
# TAG: eui_lookup
# Whether to lookup the EUI or MAC address of a connected client.
#Default:
# eui_lookup on
# TAG: max_filedescriptors
# Set the maximum number of filedescriptors, either below the
# operating system default or up to the hard limit.
#
# Remove from squid.conf to inherit the current ulimit soft
# limit setting.
#
# Note: Changing this requires a restart of Squid. Also,
# not all I/O types support large values (eg on Windows).
#Default:
# Use operating system soft limit set by ulimit.
# TAG: force_request_body_continuation
# This option controls how Squid handles data upload requests from HTTP
# and FTP agents that require a "Please Continue" control message response
# to actually send the request body to Squid. It is mostly useful in
# adaptation environments.
#
# When Squid receives an HTTP request with an "Expect: 100-continue"
# header or an FTP upload command (e.g., STOR), Squid normally sends the
# request headers or FTP command information to an adaptation service (or
# peer) and waits for a response. Most adaptation services (and some
# broken peers) may not respond to Squid at that stage because they may
# decide to wait for the HTTP request body or FTP data transfer. However,
# that request body or data transfer may never come because Squid has not
# responded with the HTTP 100 or FTP 150 (Please Continue) control message
# to the request sender yet!
#
# An allow match tells Squid to respond with the HTTP 100 or FTP 150
# (Please Continue) control message on its own, before forwarding the
# request to an adaptation service or peer. Such a response usually forces
# the request sender to proceed with sending the body. A deny match tells
# Squid to delay that control response until the origin server confirms
# that the request body is needed. Delaying is the default behavior.
#Default:
# Deny, unless rules exist in squid.conf.
# TAG: http_upgrade_request_protocols
# Controls client-initiated and server-confirmed switching from HTTP to
# another protocol (or to several protocols) using HTTP Upgrade mechanism
# defined in RFC 7230 Section 6.7. Squid itself does not understand the
# protocols being upgraded to and participates in the upgraded
# communication only as a dumb TCP proxy. Admins should not allow
# upgrading to protocols that require a more meaningful proxy
# participation.
#
# Usage: http_upgrade_request_protocols <protocol> allow|deny [!]acl …
#
# The required "protocol" parameter is either an all-caps word OTHER or an
# explicit protocol name (e.g. "WebSocket") optionally followed by a slash
# and a version token (e.g. "HTTP/3"). Explicit protocol names and
# versions are case sensitive.
#
# When an HTTP client sends an Upgrade request header, Squid iterates over
# the client-offered protocols and, for each protocol P (with an optional
# version V), evaluates the first non-empty set of
# http_upgrade_request_protocols rules (if any) from the following list:
#
# * All rules with an explicit protocol name equal to P.
# * All rules that use OTHER instead of a protocol name.
#
# In other words, rules using OTHER are considered for protocol P if and
# only if there are no rules mentioning P by name.
#
# If both of the above sets are empty, then Squid removes protocol P from
# the Upgrade offer.
#
# If the client sent a versioned protocol offer P/X, then explicit rules
# referring to the same-name but different-version protocol P/Y are
# declared inapplicable. Inapplicable rules are not evaluated (i.e. are
# ignored). However, inapplicable rules still belong to the first set of
# rules for P.
#
# Within the applicable rule subset, individual rules are evaluated in
# their configuration order. If all ACLs of an applicable "allow" rule
# match, then the protocol offered by the client is forwarded to the next
# hop as is. If all ACLs of an applicable "deny" rule match, then the
# offer is dropped. If no applicable rules have matching ACLs, then the
# offer is also dropped. The first matching rule also ends rules
# evaluation for the offered protocol.
#
# If all client-offered protocols are removed, then Squid forwards the
# client request without the Upgrade header. Squid never sends an empty
# Upgrade request header.
#
# An Upgrade request header with a value violating HTTP syntax is dropped
# and ignored without an attempt to use extractable individual protocol
# offers.
#
# Upon receiving an HTTP 101 (Switching Protocols) control message, Squid
# checks that the server listed at least one protocol name and sent a
# Connection:upgrade response header. Squid does not understand individual
# protocol naming and versioning concepts enough to implement stricter
# checks, but an admin can restrict HTTP 101 (Switching Protocols)
# responses further using http_reply_access. Responses denied by
# http_reply_access rules and responses flagged by the internal Upgrade
# checks result in HTTP 502 (Bad Gateway) ERR_INVALID_RESP errors and
# Squid-to-server connection closures.
#
# If Squid sends an Upgrade request header, and the next hop (e.g., the
# origin server) responds with an acceptable HTTP 101 (Switching
# Protocols), then Squid forwards that message to the client and becomes
# a TCP tunnel.
#
# The presence of an Upgrade request header alone does not preclude cache
# lookups. In other words, an Upgrade request might be satisfied from the
# cache, using regular HTTP caching rules.
#
# This clause only supports fast acl types.
# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#
# Each of the following groups of configuration lines represents a
# separate configuration example:
#
# # never upgrade to protocol Foo; all others are OK
# http_upgrade_request_protocols Foo deny all
# http_upgrade_request_protocols OTHER allow all
#
# # only allow upgrades to protocol Bar (except for its first version)
# http_upgrade_request_protocols Bar/1 deny all
# http_upgrade_request_protocols Bar allow all
# http_upgrade_request_protocols OTHER deny all # this rule is optional
#
# # only allow upgrades to protocol Baz, and only if Baz is the only offer
# acl UpgradeHeaderHasMultipleOffers …
# http_upgrade_request_protocols Baz deny UpgradeHeaderHasMultipleOffers
# http_upgrade_request_protocols Baz allow all
#Default:
# Upgrade header dropped, effectively blocking an upgrade attempt.
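#
# Added example (not Squid's own code): a small Python model of the rule
# selection described above, exercised against the three configuration
# groups just shown. ACL matching is reduced to a set of ACL names that
# match the request, and a versioned rule is treated as inapplicable to an
# unversioned offer (a case the description does not settle).

```python
"""Model of Squid's http_upgrade_request_protocols rule selection.

Added example, not Squid's own code: it implements the selection order
described above (rules naming protocol P first; OTHER rules only when no
rule names P; same-name/different-version rules inapplicable; first
matching rule wins; no match drops the offer). ACL evaluation is
simplified to a set of ACL names that match the current request, with
"all" always matching and a leading "!" negating.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class Rule:
    protocol: str       # "OTHER", "Bar" or "Bar/1" (case sensitive)
    allow: bool         # True for allow, False for deny
    acls: List[str]     # e.g. ["all"] or ["!UpgradeHeaderHasMultipleOffers"]


def split_offer(offer: str) -> Tuple[str, Optional[str]]:
    name, _, version = offer.partition("/")
    return name, (version or None)


def acl_matches(acl: str, matching: Set[str]) -> bool:
    negated = acl.startswith("!")
    name = acl[1:] if negated else acl
    hit = name == "all" or name in matching
    return hit != negated


def rule_applicable(rule: Rule, name: str, version: Optional[str]) -> bool:
    """Versioned rule P/Y is inapplicable to offer P/X when X != Y.

    Assumption (not stated above): a versioned rule is also inapplicable
    to an unversioned offer P.
    """
    rname, rversion = split_offer(rule.protocol)
    return rname == name and (rversion is None or rversion == version)


def offer_kept(offer: str, rules: List[Rule], matching: Set[str]) -> bool:
    name, version = split_offer(offer)
    named = [r for r in rules if split_offer(r.protocol)[0] == name]
    # OTHER rules are consulted only when nothing mentions P by name
    candidates = named or [r for r in rules if r.protocol == "OTHER"]
    for rule in candidates:
        if named and not rule_applicable(rule, name, version):
            continue                      # inapplicable: skipped, not evaluated
        if all(acl_matches(a, matching) for a in rule.acls):
            return rule.allow             # first matching rule decides
    return False                          # no rules, or none matched: drop


def forwarded_upgrade_header(offers: List[str], rules: List[Rule],
                             matching: Set[str] = frozenset()) -> Optional[str]:
    """Upgrade header value sent to the next hop, or None when all offers drop."""
    kept = [o for o in offers if offer_kept(o, rules, matching)]
    return ", ".join(kept) if kept else None
```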
# TAG: server_pconn_for_nonretriable
# This option provides fine-grained control over persistent connection
# reuse when forwarding HTTP requests that Squid cannot retry. It is useful
# in environments where opening new connections is very expensive
# (e.g., all connections are secured with TLS with complex client and server
# certificate validation) and race conditions associated with persistent
# connections are very rare and/or only cause minor problems.
#
# HTTP prohibits retrying unsafe and non-idempotent requests (e.g., POST).
# Squid limitations also prohibit retrying all requests with bodies (e.g., PUT).
# By default, when forwarding such "risky" requests, Squid opens a new
# connection to the server or cache_peer, even if there is an idle persistent
# connection available. When Squid is configured to risk sending a non-retriable
# request on a previously used persistent connection, and the server closes
# the connection before seeing that risky request, the user gets an error response
# from Squid. In most cases, that error response will be HTTP 502 (Bad Gateway)
# with ERR_ZERO_SIZE_OBJECT or ERR_WRITE_ERROR (peer connection reset) error detail.
#
# If an allow rule matches, Squid reuses an available idle persistent connection
# (if any) for the request that Squid cannot retry. If a deny rule matches, then
# Squid opens a new connection for the request that Squid cannot retry.
#
# This option does not affect requests that Squid can retry. They will reuse idle
# persistent connections (if any).
#
# This clause only supports fast acl types.
# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#
# Example:
# acl SpeedIsWorthTheRisk method POST
# server_pconn_for_nonretriable allow SpeedIsWorthTheRisk
#Default:
# Open new connections for forwarding requests Squid cannot retry safely.
# TAG: happy_eyeballs_connect_timeout (msec)
# This Happy Eyeballs (RFC 8305) tuning directive specifies the minimum
# delay between opening a primary to-server connection and opening a
# spare to-server connection for the same master transaction. This delay
# is similar to the Connection Attempt Delay in RFC 8305, but it is only
# applied to the first spare connection attempt. Subsequent spare
# connection attempts use happy_eyeballs_connect_gap, and primary
# connection attempts are not artificially delayed at all.
#
# Terminology: The "primary" and "spare" designations are determined by
# the order of DNS answers received by Squid: If Squid DNS AAAA query
# was answered first, then primary connections are connections to IPv6
# peer addresses (while spare connections use IPv4 addresses).
# Similarly, if Squid DNS A query was answered first, then primary
# connections are connections to IPv4 peer addresses (while spare
# connections use IPv6 addresses).
#
# Shorter happy_eyeballs_connect_timeout values reduce master
# transaction response time, potentially improving user-perceived
# response times (i.e., making user eyeballs happier). Longer delays
# reduce both concurrent connection level and server bombardment with
# connection requests, potentially improving overall Squid performance
# and reducing the chance of being blocked by servers for opening too
# many unused connections.
#
# RFC 8305 prohibits happy_eyeballs_connect_timeout values smaller than
# 10 (milliseconds) to "avoid congestion collapse in the presence of
# high packet-loss rates".
#
# The following Happy Eyeballs directives place additional connection
# opening restrictions: happy_eyeballs_connect_gap and
# happy_eyeballs_connect_limit.
#Default:
# happy_eyeballs_connect_timeout 250
# TAG: happy_eyeballs_connect_gap (msec)
# This Happy Eyeballs (RFC 8305) tuning directive specifies the
# minimum delay between opening spare to-server connections (to any
# server; i.e. across all concurrent master transactions in a Squid
# instance). Each SMP worker currently multiplies the configured gap
# by the total number of workers so that the combined spare connection
# opening rate of a Squid instance obeys the configured limit. The
# workers do not coordinate connection openings yet; a micro burst
# of spare connection openings may violate the configured gap.
#
# This directive has similar trade-offs as
# happy_eyeballs_connect_timeout, but its focus is on limiting traffic
# amplification effects for Squid as a whole, while
# happy_eyeballs_connect_timeout works on an individual master
# transaction level.
#
# The following Happy Eyeballs directives place additional connection
# opening restrictions: happy_eyeballs_connect_timeout and
# happy_eyeballs_connect_limit. See the former for related terminology.
#Default:
# no artificial delays between spare attempts
# TAG: happy_eyeballs_connect_limit
# This Happy Eyeballs (RFC 8305) tuning directive specifies the
# maximum number of spare to-server connections (to any server; i.e.
# across all concurrent master transactions in a Squid instance).
# Each SMP worker gets an equal share of the total limit. However,
# the workers do not share the actual connection counts yet, so one
# (busier) worker cannot "borrow" spare connection slots from another
# (less loaded) worker.
#
# Setting this limit to zero disables concurrent use of primary and
# spare TCP connections: Spare connection attempts are made only after
# all primary attempts fail. However, Squid would still use the
# DNS-related optimizations of the Happy Eyeballs approach.
#
# This directive has similar trade-offs as happy_eyeballs_connect_gap,
# but its focus is on limiting Squid overheads, while
# happy_eyeballs_connect_gap focuses on the origin server and peer
# overheads.
#
# The following Happy Eyeballs directives place additional connection
# opening restrictions: happy_eyeballs_connect_timeout and
# happy_eyeballs_connect_gap. See the former for related terminology.
#Default:
# no artificial limit on the number of concurrent spare attempts
cache_effective_group proxy