summaryrefslogtreecommitdiff
path: root/network/squid/squid.conf.documented
diff options
context:
space:
mode:
Diffstat (limited to 'network/squid/squid.conf.documented')
-rw-r--r--network/squid/squid.conf.documented3761
1 files changed, 2832 insertions, 929 deletions
diff --git a/network/squid/squid.conf.documented b/network/squid/squid.conf.documented
index 3efcd48cda..bd70bbfa5f 100644
--- a/network/squid/squid.conf.documented
+++ b/network/squid/squid.conf.documented
@@ -1,4 +1,4 @@
-# WELCOME TO SQUID 3.1.20
+# WELCOME TO SQUID 3.4.10
# ----------------------------
#
# This is the documentation for the Squid configuration file.
@@ -32,6 +32,140 @@
# This arbitrary restriction is to prevent recursive include references
# from causing Squid entering an infinite loop whilst trying to load
# configuration files.
+#
+# Values with byte units
+#
+# Squid accepts size units on some size related directives. All
+# such directives are documented with a default value displaying
+# a unit.
+#
+# Units accepted by Squid are:
+# bytes - byte
+# KB - Kilobyte (1024 bytes)
+# MB - Megabyte
+# GB - Gigabyte
+#
+# Values with spaces, quotes, and other special characters
+#
+# Squid supports directive parameters with spaces, quotes, and other
+# special characters. Surround such parameters with "double quotes". Use
+# the configuration_includes_quoted_values directive to enable or
+# disable that support.
+#
+# For example;
+#
+# configuration_includes_quoted_values on
+# acl group external groupCheck Administrators "Internet Users" Guest
+# configuration_includes_quoted_values off
+#
+#
+# Conditional configuration
+#
+# If-statements can be used to make configuration directives
+# depend on conditions:
+#
+# if <CONDITION>
+# ... regular configuration directives ...
+# [else
+# ... regular configuration directives ...]
+# endif
+#
+# The else part is optional. The keywords "if", "else", and "endif"
+# must be typed on their own lines, as if they were regular
+# configuration directives.
+#
+# NOTE: An else-if condition is not supported.
+#
+# These individual conditions types are supported:
+#
+# true
+# Always evaluates to true.
+# false
+# Always evaluates to false.
+# <integer> = <integer>
+# Equality comparison of two integer numbers.
+#
+#
+# SMP-Related Macros
+#
+# The following SMP-related preprocessor macros can be used.
+#
+# ${process_name} expands to the current Squid process "name"
+# (e.g., squid1, squid2, or cache1).
+#
+# ${process_number} expands to the current Squid process
+# identifier, which is an integer number (e.g., 1, 2, 3) unique
+# across all Squid processes.
+
+# TAG: broken_vary_encoding
+# This option is not yet supported by Squid-3.
+#Default:
+# none
+
+# TAG: cache_vary
+# This option is not yet supported by Squid-3.
+#Default:
+# none
+
+# TAG: collapsed_forwarding
+# This option is not yet supported by Squid-3. see http://bugs.squid-cache.org/show_bug.cgi?id=3495
+#Default:
+# none
+
+# TAG: error_map
+# This option is not yet supported by Squid-3.
+#Default:
+# none
+
+# TAG: external_refresh_check
+# This option is not yet supported by Squid-3.
+#Default:
+# none
+
+# TAG: location_rewrite_program
+# This option is not yet supported by Squid-3.
+#Default:
+# none
+
+# TAG: refresh_stale_hit
+# This option is not yet supported by Squid-3.
+#Default:
+# none
+
+# TAG: ignore_ims_on_miss
+# Remove this line. The HTTP/1.1 feature is now configured by 'cache_miss_revalidate'.
+#Default:
+# none
+
+# TAG: ignore_expect_100
+# Remove this line. The HTTP/1.1 feature is now fully supported by default.
+#Default:
+# none
+
+# TAG: dns_v4_fallback
+# Remove this line. Squid performs a 'Happy Eyeballs' algorithm, the 'fallback' algorithm is no longer relevant.
+#Default:
+# none
+
+# TAG: ftp_list_width
+# Remove this line. Configure FTP page display using the CSS controls in errorpages.css instead.
+#Default:
+# none
+
+# TAG: maximum_single_addr_tries
+# Replaced by connect_retries. The behaviour has changed, please read the documentation before altering.
+#Default:
+# none
+
+# TAG: update_headers
+# Remove this line. The feature is supported by default in storage types where update is implemented.
+#Default:
+# none
+
+# TAG: url_rewrite_concurrency
+# Remove this line. Set the 'concurrency=' option of url_rewrite_children instead.
+#Default:
+# none
# TAG: dns_testnames
# Remove this line. DNS is no longer tested on startup.
@@ -43,6 +177,10 @@
#Default:
# none
+# TAG: zero_buffers
+#Default:
+# none
+
# TAG: incoming_rate
#Default:
# none
@@ -73,6 +211,16 @@
#Default:
# none
+# TAG: wais_relay_host
+# Replace this line with 'cache_peer' configuration.
+#Default:
+# none
+
+# TAG: wais_relay_port
+# Replace this line with 'cache_peer' configuration.
+#Default:
+# none
+
# OPTIONS FOR AUTHENTICATION
# -----------------------------------------------------------------------------
@@ -118,9 +266,22 @@
#
# "program" cmdline
# Specify the command for the external authenticator. Such a program
-# reads a line containing "username password" and replies "OK" or
-# "ERR" in an endless loop. "ERR" responses may optionally be followed
-# by a error description available as %m in the returned error page.
+# reads a line containing "username password" and replies with one of
+# three results:
+#
+# OK
+# the user exists.
+#
+# ERR
+# the user does not exist.
+#
+# BH
+# An internal error occurred in the helper, preventing
+# a result being identified.
+#
+# "ERR" and "BH" results may optionally be followed by message="..."
+# containing a description available as %m in the returned error page.
+#
# If you use an authenticator, make sure you have 1 acl of type
# proxy_auth.
#
@@ -130,31 +291,36 @@
# If you want to use the traditional NCSA proxy authentication, set
# this line to something like
#
-# auth_param basic program /usr/libexec/ncsa_auth /usr/etc/passwd
+# auth_param basic program /usr/libexec/basic_ncsa_auth /usr/etc/passwd
#
# "utf8" on|off
-# HTTP uses iso-latin-1 as characterset, while some authentication
+# HTTP uses iso-latin-1 as character set, while some authentication
# backends such as LDAP expects UTF-8. If this is set to on Squid will
# translate the HTTP iso-latin-1 charset to UTF-8 before sending the
# username & password to the helper.
#
-# "children" numberofchildren
-# The number of authenticator processes to spawn. If you start too few
+# "children" numberofchildren [startup=N] [idle=N] [concurrency=N]
+# The maximum number of authenticator processes to spawn. If you start too few
# Squid will have to wait for them to process a backlog of credential
# verifications, slowing it down. When password verifications are
# done via a (slow) network you are likely to need lots of
# authenticator processes.
-# auth_param basic children 5
-#
-# "concurrency" concurrency
-# The number of concurrent requests the helper can process.
-# The default of 0 is used for helpers who only supports
-# one request at a time. Setting this changes the protocol used to
-# include a channel number first on the request/response line, allowing
-# multiple requests to be sent to the same helper in parallell without
-# wating for the response.
+#
+# The startup= and idle= options permit some skew in the exact amount
+# run. A minimum of startup=N will begin during startup and reconfigure.
+# Squid will start more in groups of up to idle=N in an attempt to meet
+# traffic needs and to keep idle=N free above those traffic needs up to
+# the maximum.
+#
+# The concurrency= option sets the number of concurrent requests the
+# helper can process. The default of 0 is used for helpers who only
+# supports one request at a time. Setting this to a number greater than
+# 0 changes the protocol used to include a channel number first on the
+# request/response line, allowing multiple requests to be sent to the
+# same helper in parallel without waiting for the response.
# Must not be set unless it's known the helper supports this.
-# auth_param basic concurrency 0
+#
+# auth_param basic children 20 startup=0 idle=1
#
# "realm" realmstring
# Specifies the realm name which is to be reported to the
@@ -186,11 +352,22 @@
# "program" cmdline
# Specify the command for the external authenticator. Such
# a program reads a line containing "username":"realm" and
-# replies with the appropriate H(A1) value hex encoded or
-# ERR if the user (or his H(A1) hash) does not exists.
-# See rfc 2616 for the definition of H(A1).
-# "ERR" responses may optionally be followed by a error description
-# available as %m in the returned error page.
+# replies with one of three results:
+#
+# OK ha1="..."
+# the user exists. The ha1= key is mandatory and
+# contains the appropriate H(A1) value, hex encoded.
+# See rfc 2616 for the definition of H(A1).
+#
+# ERR
+# the user does not exist.
+#
+# BH
+# An internal error occurred in the helper, preventing
+# a result being identified.
+#
+# "ERR" and "BH" results may optionally be followed by message="..."
+# containing a description available as %m in the returned error page.
#
# By default, the digest authentication scheme is not used unless a
# program is specified.
@@ -201,18 +378,33 @@
# auth_param digest program /usr/bin/digest_pw_auth /usr/etc/digpass
#
# "utf8" on|off
-# HTTP uses iso-latin-1 as characterset, while some authentication
+# HTTP uses iso-latin-1 as character set, while some authentication
# backends such as LDAP expects UTF-8. If this is set to on Squid will
# translate the HTTP iso-latin-1 charset to UTF-8 before sending the
# username & password to the helper.
#
-# "children" numberofchildren
-# The number of authenticator processes to spawn (no default).
+# "children" numberofchildren [startup=N] [idle=N] [concurrency=N]
+# The maximum number of authenticator processes to spawn (default 5).
# If you start too few Squid will have to wait for them to
# process a backlog of H(A1) calculations, slowing it down.
# When the H(A1) calculations are done via a (slow) network
# you are likely to need lots of authenticator processes.
-# auth_param digest children 5
+#
+# The startup= and idle= options permit some skew in the exact amount
+# run. A minimum of startup=N will begin during startup and reconfigure.
+# Squid will start more in groups of up to idle=N in an attempt to meet
+# traffic needs and to keep idle=N free above those traffic needs up to
+# the maximum.
+#
+# The concurrency= option sets the number of concurrent requests the
+# helper can process. The default of 0 is used for helpers who only
+# supports one request at a time. Setting this to a number greater than
+# 0 changes the protocol used to include a channel number first on the
+# request/response line, allowing multiple requests to be sent to the
+# same helper in parallel without waiting for the response.
+# Must not be set unless it's known the helper supports this.
+#
+# auth_param digest children 20 startup=0 idle=1
#
# "realm" realmstring
# Specifies the realm name which is to be reported to the
@@ -236,7 +428,7 @@
# "nonce_strictness" on|off
# Determines if squid requires strict increment-by-1 behavior
# for nonce counts, or just incrementing (off - for use when
-# useragents generate nonce counts that occasionally miss 1
+# user agents generate nonce counts that occasionally miss 1
# (ie, 1,2,4,6)). Default off.
#
# "check_nonce_count" on|off
@@ -257,28 +449,34 @@
# Such a program reads exchanged NTLMSSP packets with
# the browser via Squid until authentication is completed.
# If you use an NTLM authenticator, make sure you have 1 acl
-# of type proxy_auth. By default, the NTLM authenticator_program
+# of type proxy_auth. By default, the NTLM authenticator program
# is not used.
#
# auth_param ntlm program /usr/bin/ntlm_auth
#
-# "children" numberofchildren
-# The number of authenticator processes to spawn (no default).
+# "children" numberofchildren [startup=N] [idle=N]
+# The maximum number of authenticator processes to spawn (default 5).
# If you start too few Squid will have to wait for them to
# process a backlog of credential verifications, slowing it
# down. When credential verifications are done via a (slow)
# network you are likely to need lots of authenticator
# processes.
#
-# auth_param ntlm children 5
+# The startup= and idle= options permit some skew in the exact amount
+# run. A minimum of startup=N will begin during startup and reconfigure.
+# Squid will start more in groups of up to idle=N in an attempt to meet
+# traffic needs and to keep idle=N free above those traffic needs up to
+# the maximum.
+#
+# auth_param ntlm children 20 startup=0 idle=1
#
# "keep_alive" on|off
-# Whether to keep the connection open after the initial response where
-# Squid tells the browser which schemes are supported by the proxy.
-# Some browsers are known to present many login popups or to corrupt
-# POST/PUT requests transfer if the connection is not closed.
-# The default is currently OFF to avoid this, but may change.
-#
+# If you experience problems with PUT/POST requests when using the
+# Negotiate authentication scheme then you can try setting this to
+# off. This will cause Squid to forcibly close the connection on
+# the initial requests where the browser asks which schemes are
+# supported by the proxy.
+#
# auth_param ntlm keep_alive on
#
# === Options for configuring the NEGOTIATE auth-scheme follow ===
@@ -291,51 +489,58 @@
# using the Kerberos mechanisms.
# If you use a Negotiate authenticator, make sure you have at least
# one acl of type proxy_auth active. By default, the negotiate
-# authenticator_program is not used.
+# authenticator program is not used.
# The only supported program for this role is the ntlm_auth
# program distributed as part of Samba, version 4 or later.
#
# auth_param negotiate program /usr/bin/ntlm_auth --helper-protocol=gss-spnego
#
-# "children" numberofchildren
-# The number of authenticator processes to spawn (no default).
+# "children" numberofchildren [startup=N] [idle=N]
+# The maximum number of authenticator processes to spawn (default 5).
# If you start too few Squid will have to wait for them to
# process a backlog of credential verifications, slowing it
-# down. When crendential verifications are done via a (slow)
+# down. When credential verifications are done via a (slow)
# network you are likely to need lots of authenticator
# processes.
-# auth_param negotiate children 5
+#
+# The startup= and idle= options permit some skew in the exact amount
+# run. A minimum of startup=N will begin during startup and reconfigure.
+# Squid will start more in groups of up to idle=N in an attempt to meet
+# traffic needs and to keep idle=N free above those traffic needs up to
+# the maximum.
+#
+# auth_param negotiate children 20 startup=0 idle=1
#
# "keep_alive" on|off
-# Whether to keep the connection open after the initial response where
-# Squid tells the browser which schemes are supported by the proxy.
-# Some browsers are known to present many login popups or to corrupt
-# POST/PUT requests transfer if the connection is not closed.
-# The default is currently OFF to avoid this, but may change.
-#
-# auth_param negotiate keep_alive on
+# If you experience problems with PUT/POST requests when using the
+# Negotiate authentication scheme then you can try setting this to
+# off. This will cause Squid to forcibly close the connection on
+# the initial requests where the browser asks which schemes are
+# supported by the proxy.
#
+# auth_param negotiate keep_alive on
#
+#
# Examples:
#
##Recommended minimum configuration per scheme:
##auth_param negotiate program <uncomment and complete this line to activate>
-##auth_param negotiate children 5
+##auth_param negotiate children 20 startup=0 idle=1
##auth_param negotiate keep_alive on
##
##auth_param ntlm program <uncomment and complete this line to activate>
-##auth_param ntlm children 5
+##auth_param ntlm children 20 startup=0 idle=1
##auth_param ntlm keep_alive on
##
##auth_param digest program <uncomment and complete this line>
-##auth_param digest children 5
+##auth_param digest children 20 startup=0 idle=1
##auth_param digest realm Squid proxy-caching web server
##auth_param digest nonce_garbage_interval 5 minutes
##auth_param digest nonce_max_duration 30 minutes
##auth_param digest nonce_max_count 50
##
##auth_param basic program <uncomment and complete this line>
-##auth_param basic children 5
+##auth_param basic children 5 startup=5 idle=1
##auth_param basic realm Squid proxy-caching web server
##auth_param basic credentialsttl 2 hours
#Default:
@@ -343,7 +548,7 @@
# TAG: authenticate_cache_garbage_interval
# The time period between garbage collection across the username cache.
-# This is a tradeoff between memory utilization (long intervals - say
+# This is a trade-off between memory utilization (long intervals - say
# 2 days) and CPU (short intervals - say 1 minute). Only change if you
# have good reason to.
#Default:
@@ -362,11 +567,11 @@
# this directive controls how long Squid remembers the IP
# addresses associated with each user. Use a small value
# (e.g., 60 seconds) if your users might change addresses
-# quickly, as is the case with dialups. You might be safe
+# quickly, as is the case with dialup. You might be safe
# using a larger value (e.g., 2 hours) in a corporate LAN
# environment with relatively static address assignments.
#Default:
-# authenticate_ip_ttl 0 seconds
+# authenticate_ip_ttl 1 second
# ACCESS CONTROLS
# -----------------------------------------------------------------------------
@@ -381,25 +586,50 @@
#
# ttl=n TTL in seconds for cached results (defaults to 3600
# for 1 hour)
+#
# negative_ttl=n
# TTL for cached negative lookups (default same
# as ttl)
-# children=n Number of acl helper processes spawn to service
-# external acl lookups of this type. (default 5)
-# concurrency=n concurrency level per process. Only used with helpers
-# capable of processing more than one query at a time.
-# cache=n result cache size, 0 is unbounded (default)
+#
# grace=n Percentage remaining of TTL where a refresh of a
# cached entry should be initiated without needing to
-# wait for a new reply. (default 0 for no grace period)
-# protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers
+# wait for a new reply. (default is for no grace period)
+#
+# cache=n Limit the result cache size, default is 262144.
+# The expanded FORMAT value is used as the cache key, so
+# if the details in FORMAT are highly variable a larger
+# cache may be needed to produce reduction in helper load.
+#
+# children-max=n
+# Maximum number of acl helper processes spawned to service
+# external acl lookups of this type. (default 20)
+#
+# children-startup=n
+# Minimum number of acl helper processes to spawn during
+# startup and reconfigure to service external acl lookups
+# of this type. (default 0)
+#
+# children-idle=n
+# Number of acl helper processes to keep ahead of traffic
+# loads. Squid will spawn this many at once whenever load
+# rises above the capabilities of existing processes.
+# Up to the value of children-max. (default 1)
+#
+# concurrency=n concurrency level per process. Only used with helpers
+# capable of processing more than one query at a time.
+#
+# protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers.
+#
# ipv4 / ipv6 IP protocol used to communicate with this helper.
# The default is to auto-detect IPv6 and use it when available.
#
+#
# FORMAT specifications
#
# %LOGIN Authenticated user login name
-# %EXT_USER Username from external acl
+# %EXT_USER Username from previous external acl
+# %EXT_LOG Log details from previous external acl
+# %EXT_TAG Tag from previous external acl
# %IDENT Ident user name
# %SRC Client IP
# %SRCPORT Client source port
@@ -415,7 +645,7 @@
# %USER_CERT SSL User certificate in PEM format
# %USER_CERTCHAIN SSL User certificate chain in PEM format
# %USER_CERT_xx SSL User certificate subject attribute xx
-# %USER_CA_xx SSL User certificate issuer attribute xx
+# %USER_CA_CERT_xx SSL User certificate issuer attribute xx
#
# %>{Header} HTTP request header "Header"
# %>{Hdr:member}
@@ -433,43 +663,97 @@
# list separator. ; can be any non-alphanumeric
# character.
#
+# %ACL The name of the ACL being tested.
+# %DATA The ACL arguments. If not used then any arguments
+# is automatically added at the end of the line
+# sent to the helper.
+# NOTE: this will encode the arguments as one token,
+# whereas the default will pass each separately.
+#
# %% The percent sign. Useful for helpers which need
# an unchanging input format.
#
-# In addition to the above, any string specified in the referencing
-# acl will also be included in the helper request line, after the
-# specified formats (see the "acl external" directive)
#
-# The helper receives lines per the above format specification,
-# and returns lines starting with OK or ERR indicating the validity
-# of the request and optionally followed by additional keywords with
-# more details.
+# General request syntax:
+#
+# [channel-ID] FORMAT-values [acl-values ...]
+#
+#
+# FORMAT-values consists of transaction details expanded with
+# whitespace separation per the config file FORMAT specification
+# using the FORMAT macros listed above.
+#
+# acl-values consists of any string specified in the referencing
+# config 'acl ... external' line. see the "acl external" directive.
+#
+# Request values sent to the helper are URL escaped to protect
+# each value in requests against whitespaces.
+#
+# If using protocol=2.5 then the request sent to the helper is not
+# URL escaped to protect against whitespace.
+#
+# NOTE: protocol=3.0 is deprecated as no longer necessary.
+#
+# When using the concurrency= option the protocol is changed by
+# introducing a query channel tag in front of the request/response.
+# The query channel tag is a number between 0 and concurrency-1.
+# This value must be echoed back unchanged to Squid as the first part
+# of the response relating to its request.
+#
+#
+# The helper receives lines expanded per the above format specification
+# and for each input line returns 1 line starting with OK/ERR/BH result
+# code and optionally followed by additional keywords with more details.
+#
#
# General result syntax:
#
-# OK/ERR keyword=value ...
+# [channel-ID] result keyword=value ...
+#
+# Result consists of one of the codes:
+#
+# OK
+# the ACL test produced a match.
+#
+# ERR
+# the ACL test does not produce a match.
+#
+# BH
+# An internal error occurred in the helper, preventing
+# a result being identified.
+#
+# The meaning of 'a match' is determined by your squid.conf
+# access control configuration. See the Squid wiki for details.
#
# Defined keywords:
#
# user= The users name (login)
+#
# password= The users password (for login= cache_peer option)
-# message= Message describing the reason. Available as %o
-# in error pages
-# tag= Apply a tag to a request (for both ERR and OK results)
-# Only sets a tag, does not alter existing tags.
+#
+# message= Message describing the reason for this response.
+# Available as %o in error pages.
+# Useful on (ERR and BH results).
+#
+# tag= Apply a tag to a request. Only sets a tag once,
+# does not alter existing tags.
+#
# log= String to be logged in access.log. Available as
-# %ea in logformat specifications
+# %ea in logformat specifications.
#
-# If protocol=3.0 (the default) then URL escaping is used to protect
-# each value in both requests and responses.
+# Any keywords may be sent on any response whether OK, ERR or BH.
#
-# If using protocol=2.5 then all values need to be enclosed in quotes
-# if they may contain whitespace, or the whitespace escaped using \.
-# And quotes or \ characters within the keyword value must be \ escaped.
+# All response keyword values need to be a single token with URL
+# escaping, or enclosed in double quotes (") and escaped using \ on
+# any double quotes or \ characters within the value. The wrapping
+# double quotes are removed before the value is interpreted by Squid.
+# \r and \n are also replace by CR and LF.
#
-# When using the concurrency= option the protocol is changed by
-# introducing a query channel tag infront of the request/response.
-# The query channel tag is a number between 0 and concurrency-1.
+# Some example key values:
+#
+# user=John%20Smith
+# user="John Smith"
+# user="J. \"Bob\" Smith"
#Default:
# none
@@ -485,9 +769,23 @@
#
# When using "file", the file should contain one item per line.
#
-# By default, regular expressions are CASE-SENSITIVE.
-# To make them case-insensitive, use the -i option. To return case-sensitive
-# use the +i option between patterns, or make a new ACL line without -i.
+# Some acl types supports options which changes their default behaviour.
+# The available options are:
+#
+# -i,+i By default, regular expressions are CASE-SENSITIVE. To make them
+# case-insensitive, use the -i option. To return case-sensitive
+# use the +i option between patterns, or make a new ACL line
+# without -i.
+#
+# -n Disable lookups and address type conversions. If lookup or
+# conversion is required because the parameter type (IP or
+# domain name) does not match the message address type (domain
+# name or IP), then the ACL would immediately declare a mismatch
+# without any warnings or lookups.
+#
+# -- Used to stop processing all options, in the case the first acl
+# value has '-' character as first character (for example the '-'
+# is a valid domain name)
#
# Some acl types require suspending the current request in order
# to access some external data source.
@@ -498,10 +796,10 @@
#
# ***** ACL TYPES AVAILABLE *****
#
-# acl aclname src ip-address/netmask ... # clients IP address [fast]
-# acl aclname src addr1-addr2/netmask ... # range of addresses [fast]
-# acl aclname dst ip-address/netmask ... # URL host's IP address [slow]
-# acl aclname myip ip-address/netmask ... # local socket IP address [fast]
+# acl aclname src ip-address/mask ... # clients IP address [fast]
+# acl aclname src addr1-addr2/mask ... # range of addresses [fast]
+# acl aclname dst [-n] ip-address/mask ... # URL host's IP address [slow]
+# acl aclname localip ip-address/mask ... # IP address the client connected to [fast]
#
# acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation)
# # The arp ACL requires the special configure option --enable-arp-acl.
@@ -516,11 +814,11 @@
#
# acl aclname srcdomain .foo.com ...
# # reverse lookup, from client IP [slow]
-# acl aclname dstdomain .foo.com ...
+# acl aclname dstdomain [-n] .foo.com ...
# # Destination server from URL [fast]
# acl aclname srcdom_regex [-i] \.foo\.com ...
# # regex matching client name [slow]
-# acl aclname dstdom_regex [-i] \.foo\.com ...
+# acl aclname dstdom_regex [-n] [-i] \.foo\.com ...
# # regex matching server [fast]
# #
# # For dstdomain and dstdom_regex a reverse lookup is tried if a IP
@@ -557,12 +855,16 @@
#
# acl aclname url_regex [-i] ^http:// ...
# # regex matching on whole URL [fast]
+# acl aclname urllogin [-i] [^a-zA-Z0-9] ...
+# # regex matching on URL login field
# acl aclname urlpath_regex [-i] \.gif$ ...
# # regex matching on URL path [fast]
#
# acl aclname port 80 70 21 0-1024... # destination TCP port [fast]
# # ranges are alloed
-# acl aclname myport 3128 ... # local socket TCP port [fast]
+# acl aclname localport 3128 ... # TCP port the client connected to [fast]
+# # NP: for interception mode this is usually '80'
+#
# acl aclname myportname 3128 ... # http(s)_port name [fast]
#
# acl aclname proto HTTP FTP ... # request protocol [fast]
@@ -632,6 +934,11 @@
# # clients may appear to come from multiple addresses if they are
# # going through proxy farms, so a limit of 1 may cause user problems.
#
+# acl aclname random probability
+# # Pseudo-randomly match requests. Based on the probability given.
+# # Probability may be written as a decimal (0.333), fraction (1/3)
+# # or ratio of matches:non-matches (3:5).
+#
# acl aclname req_mime_type [-i] mime-type ...
# # regex match against the mime type of the request generated
# # by the client. Can be used to detect file upload or some
@@ -677,6 +984,47 @@
# acl aclname tag tagvalue ...
# # string match on tag returned by external acl helper [slow]
#
+# acl aclname hier_code codename ...
+# # string match against squid hierarchy code(s); [fast]
+# # e.g., DIRECT, PARENT_HIT, NONE, etc.
+# #
+# # NOTE: This has no effect in http_access rules. It only has
+# # effect in rules that affect the reply data stream such as
+# # http_reply_access.
+#
+# acl aclname note name [value ...]
+# # match transaction annotation [fast]
+# # Without values, matches any annotation with a given name.
+# # With value(s), matches any annotation with a given name that
+# # also has one of the given values.
+# # Names and values are compared using a string equality test.
+# # Annotation sources include note and adaptation_meta directives
+# # as well as helper and eCAP responses.
+#
+# acl aclname any-of acl1 acl2 ...
+# # match any one of the acls [fast or slow]
+# # The first matching ACL stops further ACL evaluation.
+# #
+# # ACLs from multiple any-of lines with the same name are ORed.
+# # For example, A = (a1 or a2) or (a3 or a4) can be written as
+# # acl A any-of a1 a2
+# # acl A any-of a3 a4
+# #
+# # This group ACL is fast if all evaluated ACLs in the group are fast
+# # and slow otherwise.
+#
+# acl aclname all-of acl1 acl2 ...
+# # match all of the acls [fast or slow]
+# # The first mismatching ACL stops further ACL evaluation.
+# #
+# # ACLs from multiple all-of lines with the same name are ORed.
+# # For example, B = (b1 and b2) or (b3 and b4) can be written as
+# # acl B all-of b1 b2
+# # acl B all-of b3 b4
+# #
+# # This group ACL is fast if all evaluated ACLs in the group are fast
+# # and slow otherwise.
+#
# Examples:
# acl macaddress arp 09:00:2b:23:45:67
# acl myexample dst_as 1241
@@ -685,14 +1033,11 @@
# acl javascript rep_mime_type -i ^application/x-javascript$
#
#Default:
-# acl all src all
+# ACLs all, manager, localhost, and to_localhost are predefined.
#
#
# Recommended minimum configuration:
#
-acl manager proto cache_object
-acl localhost src 127.0.0.1/32 ::1
-acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
@@ -739,8 +1084,8 @@ acl CONNECT method CONNECT
# refer to as the indirect client address. This address may
# be treated as the client address for access control, ICAP, delay
# pools and logging, depending on the acl_uses_indirect_client,
-# icap_uses_indirect_client, delay_pool_uses_indirect_client and
-# log_uses_indirect_client options.
+# icap_uses_indirect_client, delay_pool_uses_indirect_client,
+# log_uses_indirect_client and tproxy_uses_indirect_client options.
#
# This clause only supports fast acl types.
# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
@@ -761,7 +1106,7 @@ acl CONNECT method CONNECT
# follow_x_forwarded_for allow localhost
# follow_x_forwarded_for allow my_other_proxy
#Default:
-# follow_x_forwarded_for deny all
+# X-Forwarded-For header will be ignored.
# TAG: acl_uses_indirect_client on|off
# Controls whether the indirect client address
@@ -775,7 +1120,7 @@ acl CONNECT method CONNECT
# TAG: delay_pool_uses_indirect_client on|off
# Note: This option is only available if Squid is rebuilt with the
-# --enable-follow-x-forwarded-for and --enable-delay-pools option
+# --enable-follow-x-forwarded-for and --enable-delay-pools
#
# Controls whether the indirect client address
# (see follow_x_forwarded_for) is used instead of the
@@ -790,6 +1135,37 @@ acl CONNECT method CONNECT
#Default:
# log_uses_indirect_client on
+# TAG: tproxy_uses_indirect_client on|off
+# Controls whether the indirect client address
+# (see follow_x_forwarded_for) is used instead of the
+# direct client address when spoofing the outgoing client.
+#
+# This has no effect on requests arriving in non-tproxy
+# mode ports.
+#
+# SECURITY WARNING: Usage of this option is dangerous
+# and should not be used trivially. Correct configuration
+# of follow_x_forewarded_for with a limited set of trusted
+# sources is required to prevent abuse of your proxy.
+#Default:
+# tproxy_uses_indirect_client off
+
+# TAG: spoof_client_ip
+# Control client IP address spoofing of TPROXY traffic based on
+# defined access lists.
+#
+# spoof_client_ip allow|deny [!]aclname ...
+#
+# If there are no "spoof_client_ip" lines present, the default
+# is to "allow" spoofing of any suitable request.
+#
+# Note that the cache_peer "no-tproxy" option overrides this ACL.
+#
+# This clause supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# Allow spoofing on all TPROXY traffic.
+
# TAG: http_access
# Allowing or Denying access based on defined access lists
#
@@ -812,22 +1188,22 @@ acl CONNECT method CONNECT
# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#
#Default:
-# http_access deny all
+# Deny, unless rules exist in squid.conf.
#
#
# Recommended minimum Access Permission configuration:
#
-# Only allow cachemgr access from localhost
-http_access allow manager localhost
-http_access deny manager
-
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
+# Only allow cachemgr access from localhost
+http_access allow localhost manager
+http_access deny manager
+
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
@@ -855,7 +1231,7 @@ http_access deny all
#
# If not set then only http_access is used.
#Default:
-# none
+# Allow, unless rules exist in squid.conf.
# TAG: http_reply_access
# Allow replies to client requests. This is complementary to http_access.
@@ -863,7 +1239,7 @@ http_access deny all
# http_reply_access allow|deny [!] aclname ...
#
# NOTE: if there are no access lines present, the default is to allow
-# all replies
+# all replies.
#
# If none of the access lines cause a match the opposite of the
# last line will apply. Thus it is good practice to end the rules
@@ -872,7 +1248,7 @@ http_access deny all
# This clause supports both fast and slow acl types.
# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#Default:
-# none
+# Allow, unless rules exist in squid.conf.
# TAG: icp_access
# Allowing or Denying access to the ICP port based on defined
@@ -880,7 +1256,9 @@ http_access deny all
#
# icp_access allow|deny [!]aclname ...
#
-# See http_access for details
+# NOTE: The default if no icp_access lines are present is to
+# deny all traffic. This default may cause problems with peers
+# using ICP.
#
# This clause only supports fast acl types.
# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
@@ -889,7 +1267,7 @@ http_access deny all
##icp_access allow localnet
##icp_access deny all
#Default:
-# icp_access deny all
+# Deny, unless rules exist in squid.conf.
# TAG: htcp_access
# Allowing or Denying access to the HTCP port based on defined
@@ -897,11 +1275,12 @@ http_access deny all
#
# htcp_access allow|deny [!]aclname ...
#
-# See http_access for details
+# See also htcp_clr_access for details on access control for
+# cache purge (CLR) HTCP messages.
#
# NOTE: The default if no htcp_access lines are present is to
# deny all traffic. This default may cause problems with peers
-# using the htcp or htcp-oldsquid options.
+# using the htcp option.
#
# This clause only supports fast acl types.
# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
@@ -910,24 +1289,24 @@ http_access deny all
##htcp_access allow localnet
##htcp_access deny all
#Default:
-# htcp_access deny all
+# Deny, unless rules exist in squid.conf.
# TAG: htcp_clr_access
# Allowing or Denying access to purge content using HTCP based
-# on defined access lists
+# on defined access lists.
+# See htcp_access for details on general HTCP access control.
#
# htcp_clr_access allow|deny [!]aclname ...
#
-# See http_access for details
-#
# This clause only supports fast acl types.
# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#
## Allow HTCP CLR requests from trusted peers
-#acl htcp_clr_peer src 172.16.1.2
+#acl htcp_clr_peer src 192.0.2.2 2001:DB8::2
#htcp_clr_access allow htcp_clr_peer
+#htcp_clr_access deny all
#Default:
-# htcp_clr_access deny all
+# Deny, unless rules exist in squid.conf.
# TAG: miss_access
# Determins whether network access is permitted when satisfying a request.
@@ -936,22 +1315,21 @@ http_access deny all
# to force your neighbors to use you as a sibling instead of
# a parent.
#
-# acl localclients src 172.16.0.0/16
-# miss_access allow localclients
+# acl localclients src 192.0.2.0/24 2001:DB8::a:0/64
# miss_access deny !localclients
+# miss_access allow all
#
# This means only your local clients are allowed to fetch relayed/MISS
# replies from the network and all other clients can only fetch cached
# objects (HITs).
#
-#
# The default for this setting allows all clients who passed the
# http_access rules to relay via this proxy.
#
# This clause only supports fast acl types.
# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#Default:
-# miss_access allow all
+# Allow, unless rules exist in squid.conf.
# TAG: ident_lookup_access
# A list of ACL elements which, if matched, cause an ident
@@ -975,7 +1353,7 @@ http_access deny all
# This clause only supports fast acl types.
# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#Default:
-# ident_lookup_access deny all
+# Unless rules exist in squid.conf, IDENT is not fetched.
# TAG: reply_body_max_size size [acl acl...]
# This option specifies the maximum size of a reply body. It can be
@@ -1012,23 +1390,22 @@ http_access deny all
# reply_body_max_size 10 MB
#
#Default:
-# none
+# No limit is applied.
# NETWORK OPTIONS
# -----------------------------------------------------------------------------
# TAG: http_port
-# Usage: port [options]
-# hostname:port [options]
-# 1.2.3.4:port [options]
+# Usage: port [mode] [options]
+# hostname:port [mode] [options]
+# 1.2.3.4:port [mode] [options]
#
# The socket addresses where Squid will listen for HTTP client
# requests. You may specify multiple socket addresses.
# There are three forms: port alone, hostname with port, and
# IP address with port. If you specify a hostname or IP
# address, Squid binds the socket to that specific
-# address. This replaces the old 'tcp_incoming_address'
-# option. Most likely, you do not need to bind to a specific
+# address. Most likely, you do not need to bind to a specific
# address, so you can use the port number alone.
#
# If you are running Squid in accelerator mode, you
@@ -1040,7 +1417,7 @@ http_access deny all
#
# You may specify multiple socket addresses on multiple lines.
#
-# Options:
+# Modes:
#
# intercept Support for IP-Layer interception of
# outgoing requests without browser settings.
@@ -1050,38 +1427,161 @@ http_access deny all
# connections using the client IP address.
# NP: disables authentication and maybe IPv6 on the port.
#
-# accel Accelerator mode. Also needs at least one of
-# vhost / vport / defaultsite.
+# accel Accelerator / reverse proxy mode
#
-# allow-direct Allow direct forwarding in accelerator mode. Normally
-# accelerated requests are denied direct forwarding as if
-# never_direct was used.
+# ssl-bump For each CONNECT request allowed by ssl_bump ACLs,
+# establish secure connection with the client and with
+# the server, decrypt HTTPS messages as they pass through
+# Squid, and treat them as unencrypted HTTP messages,
+# becoming the man-in-the-middle.
+#
+# The ssl_bump option is required to fully enable
+# bumping of CONNECT requests.
+#
+# Omitting the mode flag causes default forward proxy mode to be used.
+#
+#
+# Accelerator Mode Options:
#
# defaultsite=domainname
# What to use for the Host: header if it is not present
# in a request. Determines what site (not origin server)
# accelerators should consider the default.
-# Implies accel.
#
-# vhost Accelerator mode using Host header for virtual domain support.
-# Also uses the port as specified in Host: header unless
-# overridden by the vport option. Implies accel.
+# no-vhost Disable using HTTP/1.1 Host header for virtual domain support.
+#
+# protocol= Protocol to reconstruct accelerated requests with.
+# Defaults to http for http_port and https for
+# https_port
#
# vport Virtual host port support. Using the http_port number
-# instead of the port passed on Host: headers. Implies accel.
+# instead of the port passed on Host: headers.
#
# vport=NN Virtual host port support. Using the specified port
# number instead of the port passed on Host: headers.
-# Implies accel.
#
-# protocol= Protocol to reconstruct accelerated requests with.
-# Defaults to http.
+# act-as-origin
+# Act as if this Squid is the origin server.
+# This currently means generate new Date: and Expires:
+# headers on HIT instead of adding Age:.
#
# ignore-cc Ignore request Cache-Control headers.
#
-# Warning: This option violates HTTP specifications if
+# WARNING: This option violates HTTP specifications if
# used in non-accelerator setups.
#
+# allow-direct Allow direct forwarding in accelerator mode. Normally
+# accelerated requests are denied direct forwarding as if
+# never_direct was used.
+#
+# WARNING: this option opens accelerator mode to security
+# vulnerabilities usually only affecting in interception
+# mode. Make sure to protect forwarding with suitable
+# http_access rules when using this.
+#
+#
+# SSL Bump Mode Options:
+# In addition to these options ssl-bump requires TLS/SSL options.
+#
+# generate-host-certificates[=<on|off>]
+# Dynamically create SSL server certificates for the
+# destination hosts of bumped CONNECT requests.When
+# enabled, the cert and key options are used to sign
+# generated certificates. Otherwise generated
+# certificate will be selfsigned.
+# If there is a CA certificate lifetime of the generated
+# certificate equals lifetime of the CA certificate. If
+# generated certificate is selfsigned lifetime is three
+# years.
+# This option is enabled by default when ssl-bump is used.
+# See the ssl-bump option above for more information.
+#
+# dynamic_cert_mem_cache_size=SIZE
+# Approximate total RAM size spent on cached generated
+# certificates. If set to zero, caching is disabled. The
+# default value is 4MB.
+#
+# TLS / SSL Options:
+#
+# cert= Path to SSL certificate (PEM format).
+#
+# key= Path to SSL private key file (PEM format)
+# if not specified, the certificate file is
+# assumed to be a combined certificate and
+# key file.
+#
+# version= The version of SSL/TLS supported
+# 1 automatic (default)
+# 2 SSLv2 only
+# 3 SSLv3 only
+# 4 TLSv1.0 only
+# 5 TLSv1.1 only
+# 6 TLSv1.2 only
+#
+# cipher= Colon separated list of supported ciphers.
+# NOTE: some ciphers such as EDH ciphers depend on
+# additional settings. If those settings are
+# omitted the ciphers may be silently ignored
+# by the OpenSSL library.
+#
+# options= Various SSL implementation options. The most important
+# being:
+# NO_SSLv2 Disallow the use of SSLv2
+# NO_SSLv3 Disallow the use of SSLv3
+# NO_TLSv1 Disallow the use of TLSv1.0
+# NO_TLSv1_1 Disallow the use of TLSv1.1
+# NO_TLSv1_2 Disallow the use of TLSv1.2
+# SINGLE_DH_USE Always create a new key when using
+# temporary/ephemeral DH key exchanges
+# ALL Enable various bug workarounds
+# suggested as "harmless" by OpenSSL
+# Be warned that this reduces SSL/TLS
+# strength to some attacks.
+# See OpenSSL SSL_CTX_set_options documentation for a
+# complete list of options.
+#
+# clientca= File containing the list of CAs to use when
+# requesting a client certificate.
+#
+# cafile= File containing additional CA certificates to
+# use when verifying client certificates. If unset
+# clientca will be used.
+#
+# capath= Directory containing additional CA certificates
+# and CRL lists to use when verifying client certificates.
+#
+# crlfile= File of additional CRL lists to use when verifying
+# the client certificate, in addition to CRLs stored in
+# the capath. Implies VERIFY_CRL flag below.
+#
+# dhparams= File containing DH parameters for temporary/ephemeral
+# DH key exchanges. See OpenSSL documentation for details
+# on how to create this file.
+# WARNING: EDH ciphers will be silently disabled if this
+# option is not set.
+#
+# sslflags= Various flags modifying the use of SSL:
+# DELAYED_AUTH
+# Don't request client certificates
+# immediately, but wait until acl processing
+# requires a certificate (not yet implemented).
+# NO_DEFAULT_CA
+# Don't use the default CA lists built in
+# to OpenSSL.
+# NO_SESSION_REUSE
+# Don't allow for session reuse. Each connection
+# will result in a new SSL session.
+# VERIFY_CRL
+# Verify CRL lists when accepting client
+# certificates.
+# VERIFY_CRL_ALL
+# Verify CRL lists for all certificates in the
+# client certificate chain.
+#
+# sslcontext= SSL session ID context identifier.
+#
+# Other Options:
+#
# connection-auth[=on|off]
# use connection-auth=off to tell Squid to prevent
# forwarding Microsoft connection oriented authentication
@@ -1103,22 +1603,6 @@ http_access deny all
# sporadically hang or never complete requests set
# disable-pmtu-discovery option to 'transparent'.
#
-# ssl-bump Intercept each CONNECT request matching ssl_bump ACL,
-# establish secure connection with the client and with
-# the server, decrypt HTTP messages as they pass through
-# Squid, and treat them as unencrypted HTTP messages,
-# becoming the man-in-the-middle.
-#
-# When this option is enabled, additional options become
-# available to specify SSL-related properties of the
-# client-side connection: cert, key, version, cipher,
-# options, clientca, cafile, capath, crlfile, dhparams,
-# sslflags, and sslcontext. See the https_port directive
-# for more information on these options.
-#
-# The ssl_bump option is required to fully enable
-# the SslBump feature.
-#
# name= Specifies a internal name for the port. Defaults to
# the port specification (port or addr:port)
#
@@ -1140,35 +1624,49 @@ http_port 3128
# TAG: https_port
# Note: This option is only available if Squid is rebuilt with the
-# --enable-ssl option
+# --enable-ssl
#
-# Usage: [ip:]port cert=certificate.pem [key=key.pem] [options...]
+# Usage: [ip:]port cert=certificate.pem [key=key.pem] [mode] [options...]
#
-# The socket address where Squid will listen for HTTPS client
-# requests.
+# The socket address where Squid will listen for client requests made
+# over TLS or SSL connections. Commonly referred to as HTTPS.
#
-# This is really only useful for situations where you are running
-# squid in accelerator mode and you want to do the SSL work at the
-# accelerator level.
+# This is most useful for situations where you are running squid in
+# accelerator mode and you want to do the SSL work at the accelerator level.
#
# You may specify multiple socket addresses on multiple lines,
# each with their own SSL certificate and/or options.
#
-# Options:
+# Modes:
+#
+# accel Accelerator / reverse proxy mode
+#
+# intercept Support for IP-Layer interception of
+# outgoing requests without browser settings.
+# NP: disables authentication and IPv6 on the port.
+#
+# tproxy Support Linux TPROXY for spoofing outgoing
+# connections using the client IP address.
+# NP: disables authentication and maybe IPv6 on the port.
#
-# accel Accelerator mode. Also needs at least one of
-# defaultsite or vhost.
+# ssl-bump For each intercepted connection allowed by ssl_bump
+# ACLs, establish a secure connection with the client and with
+# the server, decrypt HTTPS messages as they pass through
+# Squid, and treat them as unencrypted HTTP messages,
+# becoming the man-in-the-middle.
#
-# defaultsite= The name of the https site presented on
-# this port. Implies accel.
+# An "ssl_bump server-first" match is required to
+# fully enable bumping of intercepted SSL connections.
#
-# vhost Accelerator mode using Host header for virtual
-# domain support. Requires a wildcard certificate
-# or other certificate valid for more than one domain.
-# Implies accel.
+# Requires tproxy or intercept.
#
-# protocol= Protocol to reconstruct accelerated requests with.
-# Defaults to https.
+# Omitting the mode flag causes default forward proxy mode to be used.
+#
+#
+# See http_port for a list of generic options
+#
+#
+# SSL Options:
#
# cert= Path to SSL certificate (PEM format).
#
@@ -1184,10 +1682,6 @@ http_port 3128
# 4 TLSv1 only
#
# cipher= Colon separated list of supported ciphers.
-# NOTE: some ciphers such as EDH ciphers depend on
-# additional settings. If those settings are
-# omitted the ciphers may be silently ignored
-# by the OpenSSL library.
#
# options= Various SSL engine options. The most important
# being:
@@ -1196,8 +1690,8 @@ http_port 3128
# NO_TLSv1 Disallow the use of TLSv1
# SINGLE_DH_USE Always create a new key when using
# temporary/ephemeral DH key exchanges
-# See OpenSSL SSL_CTX_set_options documentation for a
-# complete list of options.
+# See src/ssl_support.c or OpenSSL SSL_CTX_set_options
+# documentation for a complete list of options.
#
# clientca= File containing the list of CAs to use when
# requesting a client certificate.
@@ -1214,10 +1708,7 @@ http_port 3128
# the capath. Implies VERIFY_CRL flag below.
#
# dhparams= File containing DH parameters for temporary/ephemeral
-# DH key exchanges. See OpenSSL documentation for details
-# on how to create this file.
-# WARNING: EDH ciphers will be silently disabled if this
-# option is not set.
+# DH key exchanges.
#
# sslflags= Various flags modifying the use of SSL:
# DELAYED_AUTH
@@ -1241,38 +1732,29 @@ http_port 3128
#
# generate-host-certificates[=<on|off>]
# Dynamically create SSL server certificates for the
-# destination hosts of bumped CONNECT requests.When
+# destination hosts of bumped SSL requests.When
# enabled, the cert and key options are used to sign
# generated certificates. Otherwise generated
# certificate will be selfsigned.
-# If there is CA certificate life time of generated
+# If there is CA certificate life time of generated
# certificate equals lifetime of CA certificate. If
-# generated certificate is selfsigned lifetime is three
+# generated certificate is selfsigned lifetime is three
# years.
# This option is enabled by default when SslBump is used.
# See the sslBump option above for more information.
-#
+#
# dynamic_cert_mem_cache_size=SIZE
# Approximate total RAM size spent on cached generated
# certificates. If set to zero, caching is disabled. The
-# default value is 4MB. An average XXX-bit certificate
-# consumes about XXX bytes of RAM.
-#
-# vport Accelerator with IP based virtual host support.
-#
-# vport=NN As above, but uses specified port number rather
-# than the https_port number. Implies accel.
-#
-# name= Specifies a internal name for the port. Defaults to
-# the port specification (port or addr:port)
+# default value is 4MB.
#
+# See http_port for a list of available options.
#Default:
# none
# TAG: tcp_outgoing_tos
-# Allows you to select a TOS/Diffserv value to mark outgoing
-# connections with, based on the username or source address
-# making the request.
+# Allows you to select a TOS/Diffserv value for packets outgoing
+# on the server side, based on an ACL.
#
# tcp_outgoing_tos ds-field [!]aclname ...
#
@@ -1295,38 +1777,97 @@ http_port 3128
#
# Processing proceeds in the order specified, and stops at first fully
# matching line.
-#
-# Note: The use of this directive using client dependent ACLs is
-# incompatible with the use of server side persistent connections. To
-# ensure correct results it is best to set server_persisten_connections
-# to off when using this directive in such configurations.
#Default:
# none
# TAG: clientside_tos
-# Allows you to select a TOS/Diffserv value to mark client-side
-# connections with, based on the username or source address
-# making the request.
+# Allows you to select a TOS/Diffserv value for packets being transmitted
+# on the client-side, based on an ACL.
+#
+# clientside_tos ds-field [!]aclname ...
+#
+# Example where normal_service_net uses the TOS value 0x00
+# and good_service_net uses 0x20
+#
+# acl normal_service_net src 10.0.0.0/24
+# acl good_service_net src 10.0.1.0/24
+# clientside_tos 0x00 normal_service_net
+# clientside_tos 0x20 good_service_net
+#
+# Note: This feature is incompatible with qos_flows. Any TOS values set here
+# will be overwritten by TOS values in qos_flows.
#Default:
# none
-# TAG: qos_flows
+# TAG: tcp_outgoing_mark
+# Note: This option is only available if Squid is rebuilt with the
+# Packet MARK (Linux)
+#
+# Allows you to apply a Netfilter mark value to outgoing packets
+# on the server side, based on an ACL.
+#
+# tcp_outgoing_mark mark-value [!]aclname ...
+#
+# Example where normal_service_net uses the mark value 0x00
+# and good_service_net uses 0x20
+#
+# acl normal_service_net src 10.0.0.0/24
+# acl good_service_net src 10.0.1.0/24
+# tcp_outgoing_mark 0x00 normal_service_net
+# tcp_outgoing_mark 0x20 good_service_net
+#Default:
+# none
+
+# TAG: clientside_mark
# Note: This option is only available if Squid is rebuilt with the
-# --enable-zph-qos option
+# Packet MARK (Linux)
+#
+# Allows you to apply a Netfilter mark value to packets being transmitted
+# on the client-side, based on an ACL.
+#
+# clientside_mark mark-value [!]aclname ...
#
+# Example where normal_service_net uses the mark value 0x00
+# and good_service_net uses 0x20
+#
+# acl normal_service_net src 10.0.0.0/24
+# acl good_service_net src 10.0.1.0/24
+# clientside_mark 0x00 normal_service_net
+# clientside_mark 0x20 good_service_net
+#
+# Note: This feature is incompatible with qos_flows. Any mark values set here
+# will be overwritten by mark values in qos_flows.
+#Default:
+# none
+
+# TAG: qos_flows
# Allows you to select a TOS/DSCP value to mark outgoing
-# connections with, based on where the reply was sourced.
+# connections to the client, based on where the reply was sourced.
+# For platforms using netfilter, allows you to set a netfilter mark
+# value instead of, or in addition to, a TOS value.
+#
+# By default this functionality is disabled. To enable it with the default
+# settings simply use "qos_flows mark" or "qos_flows tos". Default
+# settings will result in the netfilter mark or TOS value being copied
+# from the upstream connection to the client. Note that it is the connection
+# CONNMARK value not the packet MARK value that is copied.
+#
+# It is not currently possible to copy the mark or TOS value from the
+# client to the upstream connection request.
#
# TOS values really only have local significance - so you should
# know what you're specifying. For more information, see RFC2474,
# RFC2475, and RFC3260.
#
-# The TOS/DSCP byte must be exactly that - octet value 0x00-0xFF.
-# Note that in practice often only values up to 0x3F are usable
-# as the two highest bits have been redefined for use by ECN
-# (RFC3168).
+# The TOS/DSCP byte must be exactly that - a octet value 0 - 255. Note that
+# in practice often only multiples of 4 is usable as the two rightmost bits
+# have been redefined for use by ECN (RFC 3168 section 23.1).
+#
+# Mark values can be any unsigned 32-bit integer value.
+#
+# This setting is configured by setting the following values:
#
-# This setting is configured by setting the source TOS values:
+# tos|mark Whether to set TOS or netfilter mark values
#
# local-hit=0xFF Value to mark local cache hits.
#
@@ -1334,23 +1875,37 @@ http_port 3128
#
# parent-hit=0xFF Value to mark hits from parent peers.
#
+# miss=0xFF[/mask] Value to mark cache misses. Takes precedence
+# over the preserve-miss feature (see below), unless
+# mask is specified, in which case only the bits
+# specified in the mask are written.
#
-# NOTE: 'miss' preserve feature is only possible on Linux at this time.
-#
-# For the following to work correctly, you will need to patch your
-# linux kernel with the TOS preserving ZPH patch.
-# The kernel patch can be downloaded from http://zph.bratcheda.org
+# The TOS variant of the following features are only possible on Linux
+# and require your kernel to be patched with the TOS preserving ZPH
+# patch, available from http://zph.bratcheda.org
+# No patch is needed to preserve the netfilter mark, which will work
+# with all variants of netfilter.
#
# disable-preserve-miss
-# By default, the existing TOS value of the response coming
-# from the remote server will be retained and masked with
-# miss-mark. This option disables that feature.
+# This option disables the preservation of the TOS or netfilter
+# mark. By default, the existing TOS or netfilter mark value of
+# the response coming from the remote server will be retained
+# and masked with miss-mark.
+# NOTE: in the case of a netfilter mark, the mark must be set on
+# the connection (using the CONNMARK target) not on the packet
+# (MARK target).
#
# miss-mask=0xFF
-# Allows you to mask certain bits in the TOS received from the
-# remote server, before copying the value to the TOS sent
-# towards clients.
-# Default: 0xFF (TOS from server is not changed).
+# Allows you to mask certain bits in the TOS or mark value
+# received from the remote server, before copying the value to
+# the TOS sent towards clients.
+# Default for tos: 0xFF (TOS from server is not changed).
+# Default for mark: 0xFFFFFFFF (mark from server is not changed).
+#
+# All of these features require the --enable-zph-qos compilation flag
+# (enabled by default). Netfilter marking also requires the
+# libnetfilter_conntrack libraries (--with-netfilter-conntrack) and
+# libcap 2.09+ (--with-libcap).
#
#Default:
# none
@@ -1362,72 +1917,133 @@ http_port 3128
#
# tcp_outgoing_address ipaddr [[!]aclname] ...
#
-# Example where requests from 10.0.0.0/24 will be forwarded
-# with source address 10.1.0.1, 10.0.2.0/24 forwarded with
-# source address 10.1.0.2 and the rest will be forwarded with
-# source address 10.1.0.3.
-#
-# acl normal_service_net src 10.0.0.0/24
-# acl good_service_net src 10.0.2.0/24
-# tcp_outgoing_address 10.1.0.1 normal_service_net
-# tcp_outgoing_address 10.1.0.2 good_service_net
-# tcp_outgoing_address 10.1.0.3
-#
-# Processing proceeds in the order specified, and stops at first fully
-# matching line.
-#
-# Note: The use of this directive using client dependent ACLs is
-# incompatible with the use of server side persistent connections. To
-# ensure correct results it is best to set server_persistent_connections
-# to off when using this directive in such configurations.
-#
+# For example;
+# Forwarding clients with dedicated IPs for certain subnets.
#
-# IPv6 Magic:
+# acl normal_service_net src 10.0.0.0/24
+# acl good_service_net src 10.0.2.0/24
#
-# Squid is built with a capability of bridging the IPv4 and IPv6
-# internets.
-# tcp_outgoing_address as exampled above breaks this bridging by forcing
-# all outbound traffic through a certain IPv4 which may be on the wrong
-# side of the IPv4/IPv6 boundary.
+# tcp_outgoing_address 2001:db8::c001 good_service_net
+# tcp_outgoing_address 10.1.0.2 good_service_net
#
-# To operate with tcp_outgoing_address and keep the bridging benefits
-# an additional ACL needs to be used which ensures the IPv6-bound traffic
-# is never forced or permitted out the IPv4 interface.
+# tcp_outgoing_address 2001:db8::beef normal_service_net
+# tcp_outgoing_address 10.1.0.1 normal_service_net
#
-# # IPv6 destination test along with a dummy access control to perofrm the required DNS
-# # This MUST be place before any ALLOW rules.
-# acl to_ipv6 dst ipv6
-# http_access deny ipv6 !all
+# tcp_outgoing_address 2001:db8::1
+# tcp_outgoing_address 10.1.0.3
#
-# tcp_outgoing_address 2001:db8::c001 good_service_net to_ipv6
-# tcp_outgoing_address 10.1.0.2 good_service_net !to_ipv6
+# Processing proceeds in the order specified, and stops at first fully
+# matching line.
#
-# tcp_outgoing_address 2001:db8::beef normal_service_net to_ipv6
-# tcp_outgoing_address 10.1.0.1 normal_service_net !to_ipv6
+# Squid will add an implicit IP version test to each line.
+# Requests going to IPv4 websites will use the outgoing 10.1.0.* addresses.
+# Requests going to IPv6 websites will use the outgoing 2001:db8:* addresses.
#
-# tcp_outgoing_address 2001:db8::1 to_ipv6
-# tcp_outgoing_address 10.1.0.3 !to_ipv6
#
-# WARNING:
-# 'dst ipv6' bases its selection assuming DIRECT access.
-# If peers are used the peername ACL are needed to select outgoing
-# address which can link to the peer.
+# NOTE: The use of this directive using client dependent ACLs is
+# incompatible with the use of server side persistent connections. To
+# ensure correct results it is best to set server_persistent_connections
+# to off when using this directive in such configurations.
#
-# 'dst ipv6' is a slow ACL. It will only work here if 'dst' is used
-# previously in the http_access rules to locate the destination IP.
-# Some more magic may be needed for that:
-# http_access allow to_ipv6 !all
-# (meaning, allow if to IPv6 but not from anywhere ;)
+# NOTE: The use of this directive to set a local IP on outgoing TCP links
+# is incompatible with using TPROXY to set client IP out outbound TCP links.
+# When needing to contact peers use the no-tproxy cache_peer option and the
+# client_dst_passthru directive re-enable normal forwarding such as this.
#
#Default:
-# none
+# Address selection is performed by the operating system.
+
+# TAG: host_verify_strict
+# Regardless of this option setting, when dealing with intercepted
+# traffic, Squid always verifies that the destination IP address matches
+# the Host header domain or IP (called 'authority form URL').
+#
+# This enforcement is performed to satisfy a MUST-level requirement in
+# RFC 2616 section 14.23: "The Host field value MUST represent the naming
+# authority of the origin server or gateway given by the original URL".
+#
+# When set to ON:
+# Squid always responds with an HTTP 409 (Conflict) error
+# page and logs a security warning if there is no match.
+#
+# Squid verifies that the destination IP address matches
+# the Host header for forward-proxy and reverse-proxy traffic
+# as well. For those traffic types, Squid also enables the
+# following checks, comparing the corresponding Host header
+# and Request-URI components:
+#
+# * The host names (domain or IP) must be identical,
+# but valueless or missing Host header disables all checks.
+# For the two host names to match, both must be either IP
+# or FQDN.
+#
+# * Port numbers must be identical, but if a port is missing
+# the scheme-default port is assumed.
+#
+#
+# When set to OFF (the default):
+# Squid allows suspicious requests to continue but logs a
+# security warning and blocks caching of the response.
+#
+# * Forward-proxy traffic is not checked at all.
+#
+# * Reverse-proxy traffic is not checked at all.
+#
+# * Intercepted traffic which passes verification is handled
+# according to client_dst_passthru.
+#
+# * Intercepted requests which fail verification are sent
+# to the client original destination instead of DIRECT.
+# This overrides 'client_dst_passthru off'.
+#
+# For now suspicious intercepted CONNECT requests are always
+# responded to with an HTTP 409 (Conflict) error page.
+#
+#
+# SECURITY NOTE:
+#
+# As described in CVE-2009-0801 when the Host: header alone is used
+# to determine the destination of a request it becomes trivial for
+# malicious scripts on remote websites to bypass browser same-origin
+# security policy and sandboxing protections.
+#
+# The cause of this is that such applets are allowed to perform their
+# own HTTP stack, in which case the same-origin policy of the browser
+# sandbox only verifies that the applet tries to contact the same IP
+# as from where it was loaded at the IP level. The Host: header may
+# be different from the connected IP and approved origin.
+#
+#Default:
+# host_verify_strict off
+
+# TAG: client_dst_passthru
+# With NAT or TPROXY intercepted traffic Squid may pass the request
+# directly to the original client destination IP or seek a faster
+# source using the HTTP Host header.
+#
+# Using Host to locate alternative servers can provide faster
+# connectivity with a range of failure recovery options.
+# But can also lead to connectivity trouble when the client and
+# server are attempting stateful interactions unaware of the proxy.
+#
+# This option (on by default) prevents alternative DNS entries being
+# located to send intercepted traffic DIRECT to an origin server.
+# The clients original destination IP and port will be used instead.
+#
+# Regardless of this option setting, when dealing with intercepted
+# traffic Squid will verify the Host: header and any traffic which
+# fails Host verification will be treated as if this option were ON.
+#
+# see host_verify_strict for details on the verification process.
+#Default:
+# client_dst_passthru on
# SSL OPTIONS
# -----------------------------------------------------------------------------
# TAG: ssl_unclean_shutdown
# Note: This option is only available if Squid is rebuilt with the
-# --enable-ssl option
+# --enable-ssl
#
# Some browsers (especially MSIE) bugs out on SSL shutdown
# messages.
@@ -1436,7 +2052,7 @@ http_port 3128
# TAG: ssl_engine
# Note: This option is only available if Squid is rebuilt with the
-# --enable-ssl option
+# --enable-ssl
#
# The OpenSSL engine to use. You will need to set this if you
# would like to use hardware SSL acceleration for example.
@@ -1445,7 +2061,7 @@ http_port 3128
# TAG: sslproxy_client_certificate
# Note: This option is only available if Squid is rebuilt with the
-# --enable-ssl option
+# --enable-ssl
#
# Client SSL Certificate to use when proxying https:// URLs
#Default:
@@ -1453,7 +2069,7 @@ http_port 3128
# TAG: sslproxy_client_key
# Note: This option is only available if Squid is rebuilt with the
-# --enable-ssl option
+# --enable-ssl
#
# Client SSL Key to use when proxying https:// URLs
#Default:
@@ -1461,28 +2077,45 @@ http_port 3128
# TAG: sslproxy_version
# Note: This option is only available if Squid is rebuilt with the
-# --enable-ssl option
+# --enable-ssl
#
# SSL version level to use when proxying https:// URLs
+#
+# The versions of SSL/TLS supported:
+#
+# 1 automatic (default)
+# 2 SSLv2 only
+# 3 SSLv3 only
+# 4 TLSv1.0 only
+# 5 TLSv1.1 only
+# 6 TLSv1.2 only
#Default:
-# sslproxy_version 1
+# automatic SSL/TLS version negotiation
# TAG: sslproxy_options
# Note: This option is only available if Squid is rebuilt with the
-# --enable-ssl option
+# --enable-ssl
#
-# SSL engine options to use when proxying https:// URLs
+# SSL implementation options to use when proxying https:// URLs
#
# The most important being:
#
-# NO_SSLv2 Disallow the use of SSLv2
-# NO_SSLv3 Disallow the use of SSLv3
-# NO_TLSv1 Disallow the use of TLSv1
-# SINGLE_DH_USE
-# Always create a new key when using
-# temporary/ephemeral DH key exchanges
+# NO_SSLv2 Disallow the use of SSLv2
+# NO_SSLv3 Disallow the use of SSLv3
+# NO_TLSv1 Disallow the use of TLSv1.0
+# NO_TLSv1_1 Disallow the use of TLSv1.1
+# NO_TLSv1_2 Disallow the use of TLSv1.2
+# SINGLE_DH_USE
+# Always create a new key when using temporary/ephemeral
+# DH key exchanges
+# SSL_OP_NO_TICKET
+# Disable use of RFC5077 session tickets. Some servers
+# may have problems understanding the TLS extension due
+# to ambiguous specification in RFC4507.
+# ALL Enable various bug workarounds suggested as "harmless"
+# by OpenSSL. Be warned that this may reduce SSL/TLS
+# strength to some attacks.
#
-# These options vary depending on your SSL engine.
# See the OpenSSL SSL_CTX_set_options documentation for a
# complete list of possible options.
#Default:
@@ -1490,7 +2123,7 @@ http_port 3128
# TAG: sslproxy_cipher
# Note: This option is only available if Squid is rebuilt with the
-# --enable-ssl option
+# --enable-ssl
#
# SSL cipher list to use when proxying https:// URLs
#
@@ -1500,7 +2133,7 @@ http_port 3128
# TAG: sslproxy_cafile
# Note: This option is only available if Squid is rebuilt with the
-# --enable-ssl option
+# --enable-ssl
#
# file containing CA certificates to use when verifying server
# certificates while proxying https:// URLs
@@ -1509,7 +2142,7 @@ http_port 3128
# TAG: sslproxy_capath
# Note: This option is only available if Squid is rebuilt with the
-# --enable-ssl option
+# --enable-ssl
#
# directory containing CA certificates to use when verifying
# server certificates while proxying https:// URLs
@@ -1518,36 +2151,64 @@ http_port 3128
# TAG: ssl_bump
# Note: This option is only available if Squid is rebuilt with the
-# --enable-ssl option
+# --enable-ssl
+#
+# This option is consulted when a CONNECT request is received on
+# an http_port (or a new connection is intercepted at an
+# https_port), provided that port was configured with an ssl-bump
+# flag. The subsequent data on the connection is either treated as
+# HTTPS and decrypted OR tunneled at TCP level without decryption,
+# depending on the first bumping "mode" which ACLs match.
+#
+# ssl_bump <mode> [!]acl ...
#
-# This ACL controls which CONNECT requests to an http_port
-# marked with an sslBump flag are actually "bumped". Please
-# see the sslBump flag of an http_port option for more details
-# about decoding proxied SSL connections.
+# The following bumping modes are supported:
#
-# By default, no requests are bumped.
+# client-first
+# Allow bumping of the connection. Establish a secure connection
+# with the client first, then connect to the server. This old mode
+# does not allow Squid to mimic server SSL certificate and does
+# not work with intercepted SSL connections.
+#
+# server-first
+# Allow bumping of the connection. Establish a secure connection
+# with the server first, then establish a secure connection with
+# the client, using a mimicked server certificate. Works with both
+# CONNECT requests and intercepted SSL connections.
+#
+# none
+# Become a TCP tunnel without decoding the connection.
+# Works with both CONNECT requests and intercepted SSL
+# connections. This is the default behavior when no
+# ssl_bump option is given or no ssl_bump ACLs match.
+#
+# By default, no connections are bumped.
+#
+# The first matching ssl_bump option wins. If no ACLs match, the
+# connection is not bumped. Unlike most allow/deny ACL lists, ssl_bump
+# does not have an implicit "negate the last given option" rule. You
+# must make that rule explicit if you convert old ssl_bump allow/deny
+# rules that rely on such an implicit rule.
#
-# See also: http_port ssl-bump
-#
# This clause supports both fast and slow acl types.
# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#
+# See also: http_port ssl-bump, https_port ssl-bump
#
-# # Example: Bump all requests except those originating from localhost and
-# # those going to webax.com or example.com sites.
#
-# acl localhost src 127.0.0.1/32
-# acl broken_sites dstdomain .webax.com
+# # Example: Bump all requests except those originating from
+# # localhost or those going to example.com.
+#
# acl broken_sites dstdomain .example.com
-# ssl_bump deny localhost
-# ssl_bump deny broken_sites
-# ssl_bump allow all
+# ssl_bump none localhost
+# ssl_bump none broken_sites
+# ssl_bump server-first all
#Default:
-# none
+# Does not bump unless rules are present in squid.conf
# TAG: sslproxy_flags
# Note: This option is only available if Squid is rebuilt with the
-# --enable-ssl option
+# --enable-ssl
#
# Various flags modifying the use of SSL while proxying https:// URLs:
# DONT_VERIFY_PEER Accept certificates that fail verification.
@@ -1559,16 +2220,16 @@ http_port 3128
# TAG: sslproxy_cert_error
# Note: This option is only available if Squid is rebuilt with the
-# --enable-ssl option
+# --enable-ssl
#
# Use this ACL to bypass server certificate validation errors.
#
# For example, the following lines will bypass all validation errors
-# when talking to servers located at 172.16.0.0/16. All other
+# when talking to servers for example.com. All other
# validation errors will result in ERR_SECURE_CONNECT_FAIL error.
#
-# acl BrokenServersAtTrustedIP dst 172.16.0.0/16
-# sslproxy_cert_error allow BrokenServersAtTrustedIP
+# acl BrokenButTrustedServers dstdomain example.com
+# sslproxy_cert_error allow BrokenButTrustedServers
# sslproxy_cert_error deny all
#
# This clause only supports fast acl types.
@@ -1576,19 +2237,107 @@ http_port 3128
# Using slow acl types may result in server crashes
#
# Without this option, all server certificate validation errors
-# terminate the transaction. Bypassing validation errors is dangerous
-# because an error usually implies that the server cannot be trusted and
-# the connection may be insecure.
+# terminate the transaction to protect Squid and the client.
+#
+# SQUID_X509_V_ERR_INFINITE_VALIDATION error cannot be bypassed
+# but should not happen unless your OpenSSL library is buggy.
+#
+# SECURITY WARNING:
+# Bypassing validation errors is dangerous because an
+# error usually implies that the server cannot be trusted
+# and the connection may be insecure.
#
# See also: sslproxy_flags and DONT_VERIFY_PEER.
+#Default:
+# Server certificate errors terminate the transaction.
+
+# TAG: sslproxy_cert_sign
+# Note: This option is only available if Squid is rebuilt with the
+# --enable-ssl
+#
+#
+# sslproxy_cert_sign <signing algorithm> acl ...
+#
+# The following certificate signing algorithms are supported:
+#
+# signTrusted
+# Sign using the configured CA certificate which is usually
+# placed in and trusted by end-user browsers. This is the
+# default for trusted origin server certificates.
+#
+# signUntrusted
+# Sign to guarantee an X509_V_ERR_CERT_UNTRUSTED browser error.
+# This is the default for untrusted origin server certificates
+# that are not self-signed (see ssl::certUntrusted).
+#
+# signSelf
+# Sign using a self-signed certificate with the right CN to
+# generate a X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT error in the
+# browser. This is the default for self-signed origin server
+# certificates (see ssl::certSelfSigned).
+#
+# This clause only supports fast acl types.
+#
+# When sslproxy_cert_sign acl(s) match, Squid uses the corresponding
+# signing algorithm to generate the certificate and ignores all
+# subsequent sslproxy_cert_sign options (the first match wins). If no
+# acl(s) match, the default signing algorithm is determined by errors
+# detected when obtaining and validating the origin server certificate.
+#
+# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can
+# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a
+# CONNECT request that carries a domain name. In all other cases (CONNECT
+# to an IP address or an intercepted SSL connection), Squid cannot detect
+# the domain mismatch at certificate generation time when
+# bump-server-first is used.
+#Default:
+# none
+
+# TAG: sslproxy_cert_adapt
+# Note: This option is only available if Squid is rebuilt with the
+# --enable-ssl
+#
+#
+# sslproxy_cert_adapt <adaptation algorithm> acl ...
+#
+# The following certificate adaptation algorithms are supported:
+#
+# setValidAfter
+# Sets the "Not After" property to the "Not After" property of
+# the CA certificate used to sign generated certificates.
+#
+# setValidBefore
+# Sets the "Not Before" property to the "Not Before" property of
+# the CA certificate used to sign generated certificates.
+#
+# setCommonName or setCommonName{CN}
+# Sets Subject.CN property to the host name specified as a
+# CN parameter or, if no explicit CN parameter was specified,
+# extracted from the CONNECT request. It is a misconfiguration
+# to use setCommonName without an explicit parameter for
+# intercepted or tproxied SSL connections.
+#
+# This clause only supports fast acl types.
+#
+# Squid first groups sslproxy_cert_adapt options by adaptation algorithm.
+# Within a group, when sslproxy_cert_adapt acl(s) match, Squid uses the
+# corresponding adaptation algorithm to generate the certificate and
+# ignores all subsequent sslproxy_cert_adapt options in that algorithm's
+# group (i.e., the first match wins within each algorithm group). If no
+# acl(s) match, the default mimicking action takes place.
#
-# Default setting: sslproxy_cert_error deny all
+# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can
+# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a
+# CONNECT request that carries a domain name. In all other cases (CONNECT
+# to an IP address or an intercepted SSL connection), Squid cannot detect
+# the domain mismatch at certificate generation time when
+# bump-server-first is used.
#Default:
# none
# TAG: sslpassword_program
# Note: This option is only available if Squid is rebuilt with the
-# --enable-ssl option
+# --enable-ssl
#
# Specify a program used for entering SSL key passphrases
# when using encrypted SSL certificate keys. If not specified
@@ -1601,12 +2350,12 @@ http_port 3128
#Default:
# none
-#OPTIONS RELATING TO EXTERNAL SSL_CRTD
-#-----------------------------------------------------------------------------
+# OPTIONS RELATING TO EXTERNAL SSL_CRTD
+# -----------------------------------------------------------------------------
# TAG: sslcrtd_program
# Note: This option is only available if Squid is rebuilt with the
-# -DUSE_SSL_CRTD define
+# --enable-ssl-crtd
#
# Specify the location and options of the executable for ssl_crtd process.
# /usr/libexec/ssl_crtd program requires -s and -M parameters
@@ -1617,14 +2366,90 @@ http_port 3128
# TAG: sslcrtd_children
# Note: This option is only available if Squid is rebuilt with the
-# -DUSE_SSL_CRTD define
+# --enable-ssl-crtd
#
# The maximum number of processes spawn to service ssl server.
# The maximum this may be safely set to is 32.
#
+# The startup= and idle= options allow some measure of skew in your
+# tuning.
+#
+# startup=N
+#
+# Sets the minimum number of processes to spawn when Squid
+# starts or reconfigures. When set to zero the first request will
+# cause spawning of the first child process to handle it.
+#
+# Starting too few children temporary slows Squid under load while it
+# tries to spawn enough additional processes to cope with traffic.
+#
+# idle=N
+#
+# Sets a minimum of how many processes Squid is to try and keep available
+# at all times. When traffic begins to rise above what the existing
+# processes can handle this many more will be spawned up to the maximum
+# configured. A minimum setting of 1 is required.
+#
# You must have at least one ssl_crtd process.
#Default:
-# sslcrtd_children 5
+# sslcrtd_children 32 startup=5 idle=1
+
+# TAG: sslcrtvalidator_program
+# Note: This option is only available if Squid is rebuilt with the
+# --enable-ssl
+#
+# Specify the location and options of the executable for ssl_crt_validator
+# process.
+#
+# Usage: sslcrtvalidator_program [ttl=n] [cache=n] path ...
+#
+# Options:
+# ttl=n TTL in seconds for cached results. The default is 60 secs
+# cache=n limit the result cache size. The default value is 2048
+#Default:
+# none
+
+# TAG: sslcrtvalidator_children
+# Note: This option is only available if Squid is rebuilt with the
+# --enable-ssl
+#
+# The maximum number of processes spawn to service SSL server.
+# The maximum this may be safely set to is 32.
+#
+# The startup= and idle= options allow some measure of skew in your
+# tuning.
+#
+# startup=N
+#
+# Sets the minimum number of processes to spawn when Squid
+# starts or reconfigures. When set to zero the first request will
+# cause spawning of the first child process to handle it.
+#
+# Starting too few children temporary slows Squid under load while it
+# tries to spawn enough additional processes to cope with traffic.
+#
+# idle=N
+#
+# Sets a minimum of how many processes Squid is to try and keep available
+# at all times. When traffic begins to rise above what the existing
+# processes can handle this many more will be spawned up to the maximum
+# configured. A minimum setting of 1 is required.
+#
+# concurrency=
+#
+# The number of requests each certificate validator helper can handle in
+# parallel. A value of 0 indicates the certficate validator does not
+# support concurrency. Defaults to 1.
+#
+# When this directive is set to a value >= 1 then the protocol
+# used to communicate with the helper is modified to include
+# a request ID in front of the request/response. The request
+# ID from the request must be echoed back with the response
+# to that request.
+#
+# You must have at least one ssl_crt_validator process.
+#Default:
+# sslcrtvalidator_children 32 startup=5 idle=1 concurrency=1
# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
# -----------------------------------------------------------------------------
@@ -1686,22 +2511,23 @@ http_port 3128
#
# htcp Send HTCP, instead of ICP, queries to the neighbor.
# You probably also want to set the "icp-port" to 4827
-# instead of 3130.
+# instead of 3130. This directive accepts a comma separated
+# list of options described below.
#
-# htcp-oldsquid Send HTCP to old Squid versions.
+# htcp=oldsquid Send HTCP to old Squid versions (2.5 or earlier).
#
-# htcp-no-clr Send HTCP to the neighbor but without
+# htcp=no-clr Send HTCP to the neighbor but without
# sending any CLR requests. This cannot be used with
-# htcp-only-clr.
+# only-clr.
#
-# htcp-only-clr Send HTCP to the neighbor but ONLY CLR requests.
-# This cannot be used with htcp-no-clr.
+# htcp=only-clr Send HTCP to the neighbor but ONLY CLR requests.
+# This cannot be used with no-clr.
#
-# htcp-no-purge-clr
+# htcp=no-purge-clr
# Send HTCP to the neighbor including CLRs but only when
# they do not result from PURGE requests.
#
-# htcp-forward-clr
+# htcp=forward-clr
# Forward any HTCP CLR requests this proxy receives to the peer.
#
#
@@ -1774,6 +2600,14 @@ http_port 3128
# than the Squid default location.
#
#
+# ==== CARP OPTIONS ====
+#
+# carp-key=key-specification
+# use a different key than the full URL to hash against the peer.
+# the key-specification is a comma-separated list of the keywords
+# scheme, host, port, path, params
+# Order is not important.
+#
# ==== ACCELERATOR / REVERSE-PROXY OPTIONS ====
#
# originserver Causes this parent to be contacted as an origin server.
@@ -1801,20 +2635,23 @@ http_port 3128
# Note: The string can include URL escapes (i.e. %20 for
# spaces). This also means % must be written as %%.
#
-# login=PROXYPASS
+# login=PASSTHRU
# Send login details received from client to this peer.
-# Authentication is not required, nor changed.
+# Both Proxy- and WWW-Authorization headers are passed
+# without alteration to the peer.
+# Authentication is not required by Squid for this to work.
#
# Note: This will pass any form of authentication but
# only Basic auth will work through a proxy unless the
# connection-auth options are also used.
-#
+#
# login=PASS Send login details received from client to this peer.
# Authentication is not required by this option.
+#
# If there are no client-provided authentication headers
# to pass on, but username and password are available
-# from either proxy login or an external ACL user= and
-# password= result tags they may be sent instead.
+# from an external ACL user= and password= result tags
+# they may be sent instead.
#
# Note: To combine this with proxy_auth both proxies must
# share the same user database as HTTP only allows for
@@ -1832,6 +2669,27 @@ http_port 3128
# be used to identify this proxy to the peer, similar to
# the login=username:password option above.
#
+# login=NEGOTIATE
+# If this is a personal/workgroup proxy and your parent
+# requires a secure proxy authentication.
+# The first principal from the default keytab or defined by
+# the environment variable KRB5_KTNAME will be used.
+#
+# WARNING: The connection may transmit requests from multiple
+# clients. Negotiate often assumes end-to-end authentication
+# and a single-client. Which is not strictly true here.
+#
+# login=NEGOTIATE:principal_name
+# If this is a personal/workgroup proxy and your parent
+# requires a secure proxy authentication.
+# The principal principal_name from the default keytab or
+# defined by the environment variable KRB5_KTNAME will be
+# used.
+#
+# WARNING: The connection may transmit requests from multiple
+# clients. Negotiate often assumes end-to-end authentication
+# and a single-client. Which is not strictly true here.
+#
# connection-auth=on|off
# Tell Squid that this peer does or not support Microsoft
# connection oriented authentication, and any such
@@ -1854,22 +2712,35 @@ http_port 3128
# reference a combined file containing both the
# certificate and the key.
#
-# sslversion=1|2|3|4
+# sslversion=1|2|3|4|5|6
# The SSL version to use when connecting to this peer
# 1 = automatic (default)
# 2 = SSL v2 only
# 3 = SSL v3 only
-# 4 = TLS v1 only
+# 4 = TLS v1.0 only
+# 5 = TLS v1.1 only
+# 6 = TLS v1.2 only
#
# sslcipher=... The list of valid SSL ciphers to use when connecting
# to this peer.
#
-# ssloptions=... Specify various SSL engine options:
-# NO_SSLv2 Disallow the use of SSLv2
-# NO_SSLv3 Disallow the use of SSLv3
-# NO_TLSv1 Disallow the use of TLSv1
-# See src/ssl_support.c or the OpenSSL documentation for
-# a more complete list.
+# ssloptions=... Specify various SSL implementation options:
+#
+# NO_SSLv2 Disallow the use of SSLv2
+# NO_SSLv3 Disallow the use of SSLv3
+# NO_TLSv1 Disallow the use of TLSv1.0
+# NO_TLSv1_1 Disallow the use of TLSv1.1
+# NO_TLSv1_2 Disallow the use of TLSv1.2
+# SINGLE_DH_USE
+# Always create a new key when using
+# temporary/ephemeral DH key exchanges
+# ALL Enable various bug workarounds
+# suggested as "harmless" by OpenSSL
+# Be warned that this reduces SSL/TLS
+# strength to some attacks.
+#
+# See the OpenSSL SSL_CTX_set_options documentation for a
+# more complete list.
#
# sslcafile=... A file containing additional CA certificates to use
# when verifying the peer certificate.
@@ -1936,6 +2807,7 @@ http_port 3128
#
# no-tproxy Do not use the client-spoof TPROXY support when forwarding
# requests to this peer. Use normal address selection instead.
+# This overrides the spoof_client_ip ACL.
#
# proxy-only objects fetched from the peer will not be stored locally.
#
@@ -1944,10 +2816,11 @@ http_port 3128
# TAG: cache_peer_domain
# Use to limit the domains for which a neighbor cache will be
-# queried. Usage:
+# queried.
#
-# cache_peer_domain cache-host domain [domain ...]
-# cache_peer_domain cache-host !domain
+# Usage:
+# cache_peer_domain cache-host domain [domain ...]
+# cache_peer_domain cache-host !domain
#
# For example, specifying
#
@@ -1975,7 +2848,8 @@ http_port 3128
# Similar to 'cache_peer_domain' but provides more flexibility by
# using ACL elements.
#
-# cache_peer_access cache-host allow|deny [!]aclname ...
+# Usage:
+# cache_peer_access cache-host allow|deny [!]aclname ...
#
# The syntax is identical to 'http_access' and the other lists of
# ACL elements. See the comments for 'http_access' below, or
@@ -1984,21 +2858,20 @@ http_port 3128
# none
# TAG: neighbor_type_domain
-# usage: neighbor_type_domain neighbor parent|sibling domain domain ...
+# Modify the cache_peer neighbor type when passing requests
+# about specific domains to the peer.
#
-# Modifying the neighbor type for specific domains is now
-# possible. You can treat some domains differently than the the
-# default neighbor type specified on the 'cache_peer' line.
-# Normally it should only be necessary to list domains which
-# should be treated differently because the default neighbor type
-# applies for hostnames which do not match domains listed here.
+# Usage:
+# neighbor_type_domain neighbor parent|sibling domain domain ...
#
-#EXAMPLE:
-# cache_peer cache.foo.org parent 3128 3130
-# neighbor_type_domain cache.foo.org sibling .com .net
-# neighbor_type_domain cache.foo.org sibling .au .de
+# For example:
+# cache_peer foo.example.com parent 3128 3130
+# neighbor_type_domain foo.example.com sibling .au .de
+#
+# The above configuration treats all requests to foo.example.com as a
+# parent proxy unless the request is for a .au or .de ccTLD domain name.
#Default:
-# none
+# The peer type from cache_peer directive is used for all requests to that peer.
# TAG: dead_peer_timeout (seconds)
# This controls how long Squid waits to declare a peer cache
@@ -2021,6 +2894,9 @@ http_port 3128
# TAG: forward_max_tries
# Controls how many different forward paths Squid will try
# before giving up. See also forward_timeout.
+#
+# NOTE: connect_retries (default: none) can make each of these
+# possible forwarding paths be tried multiple times.
#Default:
# forward_max_tries 10
@@ -2070,6 +2946,11 @@ http_port 3128
# decreases, blocks will be freed until the high-water mark is
# reached. Thereafter, blocks will be used to store hot
# objects.
+#
+# If shared memory caching is enabled, Squid does not use the shared
+# cache space for in-transit objects, but they still consume as much
+# local memory as they need. For more details about the shared memory
+# cache, see memory_cache_shared.
#Default:
# cache_mem 256 MB
@@ -2081,11 +2962,47 @@ http_port 3128
#Default:
# maximum_object_size_in_memory 512 KB
+# TAG: memory_cache_shared on|off
+# Controls whether the memory cache is shared among SMP workers.
+#
+# The shared memory cache is meant to occupy cache_mem bytes and replace
+# the non-shared memory cache, although some entities may still be
+# cached locally by workers for now (e.g., internal and in-transit
+# objects may be served from a local memory cache even if shared memory
+# caching is enabled).
+#
+# By default, the memory cache is shared if and only if all of the
+# following conditions are satisfied: Squid runs in SMP mode with
+# multiple workers, cache_mem is positive, and Squid environment
+# supports required IPC primitives (e.g., POSIX shared memory segments
+# and GCC-style atomic operations).
+#
+# To avoid blocking locks, shared memory uses opportunistic algorithms
+# that do not guarantee that every cachable entity that could have been
+# shared among SMP workers will actually be shared.
+#
+# Currently, entities exceeding 32KB in size cannot be shared.
+#Default:
+# "on" where supported if doing memory caching with multiple SMP workers.
+
+# TAG: memory_cache_mode
+# Controls which objects to keep in the memory cache (cache_mem)
+#
+# always Keep most recently fetched objects in memory (default)
+#
+# disk Only disk cache hits are kept in memory, which means
+# an object must first be cached on disk and then hit
+# a second time before cached in memory.
+#
+# network Only objects fetched from network is kept in memory
+#Default:
+# Keep the most recently fetched objects in memory
+
# TAG: memory_replacement_policy
# The memory replacement policy parameter determines which
# objects are purged from memory when memory space is needed.
#
-# See cache_replacement_policy for details.
+# See cache_replacement_policy for details on algorithms.
#Default:
# memory_replacement_policy lru
@@ -2101,7 +3018,7 @@ http_port 3128
# heap LFUDA: Least Frequently Used with Dynamic Aging
# heap LRU : LRU policy implemented using a heap
#
-# Applies to any cache_dir lines listed below this.
+# Applies to any cache_dir lines listed below this directive.
#
# The LRU policies keeps recently referenced objects.
#
@@ -2120,7 +3037,7 @@ http_port 3128
# replacement policies.
#
# NOTE: if using the LFUDA replacement policy you should increase
-# the value of maximum_object_size above its default of 4096 KB to
+# the value of maximum_object_size above its default of 4 MB to
# to maximize the potential byte hit rate improvement of LFUDA.
#
# For more information about the GDSF and LFUDA cache replacement
@@ -2129,10 +3046,33 @@ http_port 3128
#Default:
# cache_replacement_policy lru
+# TAG: minimum_object_size (bytes)
+# Objects smaller than this size will NOT be saved on disk. The
+# value is specified in bytes, and the default is 0 KB, which
+# means all responses can be stored.
+#Default:
+# no limit
+
+# TAG: maximum_object_size (bytes)
+# Set the default value for max-size parameter on any cache_dir.
+# The value is specified in bytes, and the default is 4 MB.
+#
+# If you wish to get a high BYTES hit ratio, you should probably
+# increase this (one 32 MB object hit counts for 3200 10KB
+# hits).
+#
+# If you wish to increase hit ratio more than you want to
+# save bandwidth you should leave this low.
+#
+# NOTE: if using the LFUDA replacement policy you should increase
+# this value to maximize the byte hit rate improvement of LFUDA!
+# See cache_replacement_policy for a discussion of this policy.
+#Default:
+# maximum_object_size 4 MB
+
# TAG: cache_dir
-# Usage:
-#
-# cache_dir Type Directory-Name Fs-specific-data [options]
+# Format:
+# cache_dir Type Directory-Name Fs-specific-data [options]
#
# You can specify multiple cache_dir lines to spread the
# cache among different disk partitions.
@@ -2147,12 +3087,18 @@ http_port 3128
# The directory must exist and be writable by the Squid
# process. Squid will NOT create this directory for you.
#
-# The ufs store type:
+# In SMP configurations, cache_dir must not precede the workers option
+# and should use configuration macros or conditionals to give each
+# worker interested in disk caching a dedicated cache directory.
+#
+#
+# ==== The ufs store type ====
#
# "ufs" is the old well-known Squid storage format that has always
# been there.
#
-# cache_dir ufs Directory-Name Mbytes L1 L2 [options]
+# Usage:
+# cache_dir ufs Directory-Name Mbytes L1 L2 [options]
#
# 'Mbytes' is the amount of disk space (MB) to use under this
# directory. The default is 100 MB. Change this to suit your
@@ -2167,23 +3113,27 @@ http_port 3128
# will be created under each first-level directory. The default
# is 256.
#
-# The aufs store type:
+#
+# ==== The aufs store type ====
#
# "aufs" uses the same storage format as "ufs", utilizing
# POSIX-threads to avoid blocking the main Squid process on
# disk-I/O. This was formerly known in Squid as async-io.
#
-# cache_dir aufs Directory-Name Mbytes L1 L2 [options]
+# Usage:
+# cache_dir aufs Directory-Name Mbytes L1 L2 [options]
#
# see argument descriptions under ufs above
#
-# The diskd store type:
+#
+# ==== The diskd store type ====
#
# "diskd" uses the same storage format as "ufs", utilizing a
# separate process to avoid blocking the main Squid process on
# disk-I/O.
#
-# cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n]
+# Usage:
+# cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n]
#
# see argument descriptions under ufs above
#
@@ -2201,7 +3151,49 @@ http_port 3128
# higher hit ratio at the expense of an increase in response
# time.
#
-# The coss store type:
+#
+# ==== The rock store type ====
+#
+# Usage:
+# cache_dir rock Directory-Name Mbytes <max-size=bytes> [options]
+#
+# The Rock Store type is a database-style storage. All cached
+# entries are stored in a "database" file, using fixed-size slots,
+# one entry per slot. The database size is specified in MB. The
+# slot size is specified in bytes using the max-size option. See
+# below for more info on the max-size option.
+#
+# If possible, Squid using Rock Store creates a dedicated kid
+# process called "disker" to avoid blocking Squid worker(s) on disk
+# I/O. One disker kid is created for each rock cache_dir. Diskers
+# are created only when Squid, running in daemon mode, has support
+# for the IpcIo disk I/O module.
+#
+# swap-timeout=msec: Squid will not start writing a miss to or
+# reading a hit from disk if it estimates that the swap operation
+# will take more than the specified number of milliseconds. By
+# default and when set to zero, disables the disk I/O time limit
+# enforcement. Ignored when using blocking I/O module because
+# blocking synchronous I/O does not allow Squid to estimate the
+# expected swap wait time.
+#
+# max-swap-rate=swaps/sec: Artificially limits disk access using
+# the specified I/O rate limit. Swap out requests that
+# would cause the average I/O rate to exceed the limit are
+# delayed. Individual swap in requests (i.e., hits or reads) are
+# not delayed, but they do contribute to measured swap rate and
+# since they are placed in the same FIFO queue as swap out
+# requests, they may wait longer if max-swap-rate is smaller.
+# This is necessary on file systems that buffer "too
+# many" writes and then start blocking Squid and other processes
+# while committing those writes to disk. Usually used together
+# with swap-timeout to avoid excessive delays and queue overflows
+# when disk demand exceeds available disk "bandwidth". By default
+# and when set to zero, disables the disk I/O rate limit
+# enforcement. Currently supported by IpcIo module only.
+#
+#
+# ==== The coss store type ====
#
# NP: COSS filesystem in Squid-3 has been deemed too unstable for
# production use and has thus been removed from this release.
@@ -2219,26 +3211,80 @@ http_port 3128
# called 'stripe' in the directory names in the config - and
# this will be created by squid -z.
#
-# Common options:
#
-# no-store, no new objects should be stored to this cache_dir
+# ==== COMMON OPTIONS ====
+#
+# no-store no new objects should be stored to this cache_dir.
+#
+# min-size=n the minimum object size in bytes this cache_dir
+# will accept. It's used to restrict a cache_dir
+# to only store large objects (e.g. AUFS) while
+# other stores are optimized for smaller objects
+# (e.g. COSS).
+# Defaults to 0.
+#
+# max-size=n the maximum object size in bytes this cache_dir
+# supports.
+# The value in maximum_object_size directive sets
+# the default unless more specific details are
+# available (ie a small store capacity).
#
-# max-size=n, refers to the max object size in bytes this cache_dir
-# supports. It is used to select the cache_dir to store the object.
# Note: To make optimal use of the max-size limits you should order
-# the cache_dir lines with the smallest max-size value first and the
-# ones with no max-size specification last.
+# the cache_dir lines with the smallest max-size value first.
#
# Note for coss, max-size must be less than COSS_MEMBUF_SZ,
# which can be changed with the --with-coss-membuf-size=N configure
# option.
#
+#Default:
+# No disk cache. Store cache ojects only in memory.
+#
# Uncomment and adjust the following to add a disk cache directory.
-#cache_dir ufs /var/log/squid/cache 100 16 256
+#cache_dir ufs /var/log/squid/cache/squid 100 16 256
# TAG: store_dir_select_algorithm
-# Set this to 'round-robin' as an alternative.
+# How Squid selects which cache_dir to use when the response
+# object will fit into more than one.
+#
+# Regardless of which algorithm is used the cache_dir min-size
+# and max-size parameters are obeyed. As such they can affect
+# the selection algorithm by limiting the set of considered
+# cache_dir.
+#
+# Algorithms:
+#
+# least-load
+#
+# This algorithm is suited to caches with similar cache_dir
+# sizes and disk speeds.
+#
+# The disk with the least I/O pending is selected.
+# When there are multiple disks with the same I/O load ranking
+# the cache_dir with most available capacity is selected.
+#
+# When a mix of cache_dir sizes are configured the faster disks
+# have a naturally lower I/O loading and larger disks have more
+# capacity. So space used to store objects and data throughput
+# may be very unbalanced towards larger disks.
+#
+#
+# round-robin
+#
+# This algorithm is suited to caches with unequal cache_dir
+# disk sizes.
+#
+# Each cache_dir is selected in a rotation. The next suitable
+# cache_dir is used.
+#
+# Available cache_dir capacity is only considered in relation
+# to whether the object will fit and meets the min-size and
+# max-size parameters.
+#
+# Disk I/O loading is only considered to prevent overload on slow
+# disks. This algorithm does not spread objects by size, so any
+# I/O loading per-disk may appear very unbalanced and volatile.
+#
#Default:
# store_dir_select_algorithm least-load
@@ -2249,36 +3295,26 @@ http_port 3128
#
# A value of 0 indicates no limit.
#Default:
-# max_open_disk_fds 0
-
-# TAG: minimum_object_size (bytes)
-# Objects smaller than this size will NOT be saved on disk. The
-# value is specified in kilobytes, and the default is 0 KB, which
-# means there is no minimum.
-#Default:
-# minimum_object_size 0 KB
-
-# TAG: maximum_object_size (bytes)
-# Objects larger than this size will NOT be saved on disk. The
-# value is specified in kilobytes, and the default is 4MB. If
-# you wish to get a high BYTES hit ratio, you should probably
-# increase this (one 32 MB object hit counts for 3200 10KB
-# hits). If you wish to increase speed more than your want to
-# save bandwidth you should leave this low.
-#
-# NOTE: if using the LFUDA replacement policy you should increase
-# this value to maximize the byte hit rate improvement of LFUDA!
-# See replacement_policy below for a discussion of this policy.
-#Default:
-# maximum_object_size 4096 KB
+# no limit
# TAG: cache_swap_low (percent, 0-100)
+# The low-water mark for cache object replacement.
+# Replacement begins when the swap (disk) usage is above the
+# low-water mark and attempts to maintain utilization near the
+# low-water mark. As swap utilization gets close to high-water
+# mark object eviction becomes more aggressive. If utilization is
+# close to the low-water mark less replacement is done each time.
+#
+# Defaults are 90% and 95%. If you have a large cache, 5% could be
+# hundreds of MB. If this is the case you may wish to set these
+# numbers closer together.
+#
+# See also cache_swap_high
#Default:
# cache_swap_low 90
# TAG: cache_swap_high (percent, 0-100)
-#
-# The low- and high-water marks for cache object replacement.
+# The high-water mark for cache object replacement.
# Replacement begins when the swap (disk) usage is above the
# low-water mark and attempts to maintain utilization near the
# low-water mark. As swap utilization gets close to high-water
@@ -2288,6 +3324,8 @@ http_port 3128
# Defaults are 90% and 95%. If you have a large cache, 5% could be
# hundreds of MB. If this is the case you may wish to set these
# numbers closer together.
+#
+# See also cache_swap_low
#Default:
# cache_swap_high 95
@@ -2317,21 +3355,62 @@ http_port 3128
# ' output as-is
#
# - left aligned
-# width field width. If starting with 0 the
-# output is zero padded
+#
+# width minimum and/or maximum field width:
+# [width_min][.width_max]
+# When minimum starts with 0, the field is zero-padded.
+# String values exceeding maximum width are truncated.
+#
# {arg} argument such as header name etc
#
# Format codes:
#
# % a literal % character
+# sn Unique sequence number per log line entry
+# err_code The ID of an error response served by Squid or
+# a similar internal error identifier.
+# err_detail Additional err_code-dependent error information.
+# note The annotation specified by the argument. Also
+# logs the adaptation meta headers set by the
+# adaptation_meta configuration parameter.
+# If no argument given all annotations logged.
+# The argument may include a separator to use with
+# annotation values:
+# name[:separator]
+# By default, multiple note values are separated with ","
+# and multiple notes are separated with "\r\n".
+# When logging named notes with %{name}note, the
+# explicitly configured separator is used between note
+# values. When logging all notes with %note, the
+# explicitly configured separator is used between
+# individual notes. There is currently no way to
+# specify both value and notes separators when logging
+# all notes with %note.
+#
+# Connection related format codes:
+#
# >a Client source IP address
# >A Client FQDN
# >p Client source port
-# <A Server IP address or peer name
-# la Local IP address (http_port)
-# lp Local port number (http_port)
+# >eui Client source EUI (MAC address, EUI-48 or EUI-64 identifier)
+# >la Local IP address the client connected to
+# >lp Local port number the client connected to
+# >qos Client connection TOS/DSCP value set by Squid
+# >nfmark Client connection netfilter mark set by Squid
+#
+# la Local listening IP address the client connection was connected to.
+# lp Local listening port number the client connection was connected to.
+#
+# <a Server IP address of the last server or peer connection
+# <A Server FQDN or peer name
+# <p Server port number of the last server or peer connection
# <la Local IP address of the last server or peer connection
# <lp Local port number of the last server or peer connection
+# <qos Server connection TOS/DSCP value set by Squid
+# <nfmark Server connection netfilter mark set by Squid
+#
+# Time related format codes:
+#
# ts Seconds since epoch
# tu subsecond time (milliseconds)
# tl Local time. Optional strftime format argument
@@ -2341,30 +3420,50 @@ http_port 3128
# tr Response time (milliseconds)
# dt Total time spent making DNS lookups (milliseconds)
#
-# HTTP cache related format codes:
-#
-# [http::]>h Original request header. Optional header name argument
-# on the format header[:[separator]element]
-# [http::]>ha The HTTP request headers after adaptation and redirection.
+# Access Control related format codes:
+#
+# et Tag returned by external acl
+# ea Log string returned by external acl
+# un User name (any available)
+# ul User name from authentication
+# ue User name from external acl helper
+# ui User name from ident
+# us User name from SSL
+#
+# HTTP related format codes:
+#
+# [http::]>h Original received request header.
+# Usually differs from the request header sent by
+# Squid, although most fields are often preserved.
+# Accepts optional header field name/value filter
+# argument using name[:[separator]element] format.
+# [http::]>ha Received request header after adaptation and
+# redirection (pre-cache REQMOD vectoring point).
+# Usually differs from the request header sent by
+# Squid, although most fields are often preserved.
# Optional header name argument as for >h
# [http::]<h Reply header. Optional header name argument
# as for >h
-# [http::]un User name
-# [http::]ul User name from authentication
-# [http::]ui User name from ident
-# [http::]us User name from SSL
-# [http::]ue User name from external acl helper
# [http::]>Hs HTTP status code sent to the client
# [http::]<Hs HTTP status code received from the next hop
-# [http::]Ss Squid request status (TCP_MISS etc)
-# [http::]Sh Squid hierarchy status (DEFAULT_PARENT etc)
+# [http::]<bs Number of HTTP-equivalent message body bytes
+# received from the next hop, excluding chunked
+# transfer encoding and control messages.
+# Generated FTP/Gopher listings are treated as
+# received bodies.
# [http::]mt MIME content type
# [http::]rm Request method (GET/POST etc)
-# [http::]ru Request URL
+# [http::]>rm Request method from client
+# [http::]<rm Request method sent to server or peer
+# [http::]ru Request URL from client (historic, filtered for logging)
+# [http::]>ru Request URL from client
+# [http::]<ru Request URL sent to server or peer
# [http::]rp Request URL-Path excluding hostname
+# [http::]>rp Request URL-Path excluding hostname from client
+# [http::]<rp Request URL-Path excluding hostname sento to server or peer
# [http::]rv Request protocol version
-# [http::]et Tag returned by external acl
-# [http::]ea Log string returned by external acl
+# [http::]>rv Request protocol version from client
+# [http::]<rv Request protocol version sent to server or peer
# [http::]<st Sent reply size including HTTP headers
# [http::]>st Received request size including HTTP headers. In the
# case of chunked requests the chunked encoding metadata
@@ -2382,7 +3481,30 @@ http_port 3128
# sent to the first selected peer. The timer stops
# with the last I/O with the last peer.
#
-# If ICAP is enabled, the following two codes become available (as
+# Squid handling related format codes:
+#
+# Ss Squid request status (TCP_MISS etc)
+# Sh Squid hierarchy status (DEFAULT_PARENT etc)
+#
+# SSL-related format codes:
+#
+# ssl::bump_mode SslBump decision for the transaction:
+#
+# For CONNECT requests that initiated bumping of
+# a connection and for any request received on
+# an already bumped connection, Squid logs the
+# corresponding SslBump mode ("server-first" or
+# "client-first"). See the ssl_bump option for
+# more information about these modes.
+#
+# A "none" token is logged for requests that
+# triggered "ssl_bump" ACL evaluation matching
+# either a "none" rule or no rules at all.
+#
+# In all other cases, a single dash ("-") is
+# logged.
+#
+# If ICAP is enabled, the following code becomes available (as
# well as ICAP log codes documented with the icap_log option):
#
# icap::tt Total ICAP processing time for the HTTP
@@ -2390,14 +3512,13 @@ http_port 3128
# ACLs are checked and when ICAP
# transaction is in progress.
#
-# icap::<last_h The header of the last ICAP response
-# related to the HTTP transaction. Like
-# <h, accepts an optional header name
-# argument. Will not change semantics
-# when multiple ICAP transactions per HTTP
-# transaction are supported.
+# If adaptation is enabled the following three codes become available:
#
-# If adaptation is enabled the following two codes become available:
+# adapt::<last_h The header of the last ICAP response or
+# meta-information from the last eCAP
+# transaction related to the HTTP transaction.
+# Like <h, accepts an optional header name
+# argument.
#
# adapt::sum_trs Summed adaptation transaction response
# times recorded as a comma-separated list in
@@ -2421,47 +3542,122 @@ http_port 3128
# service name in curly braces to record response time(s) specific
# to that service. For example: %{my_service}adapt::sum_trs
#
+# If SSL is enabled, the following formating codes become available:
+#
+# %ssl::>cert_subject The Subject field of the received client
+# SSL certificate or a dash ('-') if Squid has
+# received an invalid/malformed certificate or
+# no certificate at all. Consider encoding the
+# logged value because Subject often has spaces.
+#
+# %ssl::>cert_issuer The Issuer field of the received client
+# SSL certificate or a dash ('-') if Squid has
+# received an invalid/malformed certificate or
+# no certificate at all. Consider encoding the
+# logged value because Issuer often has spaces.
+#
# The default formats available (which do not need re-defining) are:
#
-#logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt
-#logformat squidmime %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt [%>h] [%<h]
-#logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh
-#logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
+#logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
+#logformat common %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh
+#logformat combined %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
+#logformat referrer %ts.%03tu %>a %{Referer}>h %ru
+#logformat useragent %>a [%tl] "%{User-Agent}>h"
+#
+# NOTE: When the log_mime_hdrs directive is set to ON.
+# The squid, common and combined formats have a safely encoded copy
+# of the mime headers appended to each line within a pair of brackets.
+#
+# NOTE: The common and combined formats are not quite true to the Apache definition.
+# The logs from Squid contain an extra status and hierarchy code appended.
+#
#Default:
-# none
+# The format definitions squid, common, combined, referrer, useragent are built in.
# TAG: access_log
-# These files log client request activities. Has a line every HTTP or
-# ICP request. The format is:
-# access_log <filepath> [<logformat name> [acl acl ...]]
-# access_log none [acl acl ...]]
+# Configures whether and how Squid logs HTTP and ICP transactions.
+# If access logging is enabled, a single line is logged for every
+# matching HTTP or ICP request. The recommended directive formats are:
#
-# Will log to the specified file using the specified format (which
-# must be defined in a logformat directive) those entries which match
-# ALL the acl's specified (which must be defined in acl clauses).
+# access_log <module>:<place> [option ...] [acl acl ...]
+# access_log none [acl acl ...]
#
-# If no acl is specified, all requests will be logged to this file.
+# The following directive format is accepted but may be deprecated:
+# access_log <module>:<place> [<logformat name> [acl acl ...]]
#
-# To disable logging of a request use the filepath "none", in which case
-# a logformat name should not be specified.
+# In most cases, the first ACL name must not contain the '=' character
+# and should not be equal to an existing logformat name. You can always
+# start with an 'all' ACL to work around those restrictions.
+#
+# Will log to the specified module:place using the specified format (which
+# must be defined in a logformat directive) those entries which match
+# ALL the acl's specified (which must be defined in acl clauses).
+# If no acl is specified, all requests will be logged to this destination.
+#
+# ===== Available options for the recommended directive format =====
+#
+# logformat=name Names log line format (either built-in or
+# defined by a logformat directive). Defaults
+# to 'squid'.
+#
+# buffer-size=64KB Defines approximate buffering limit for log
+# records (see buffered_logs). Squid should not
+# keep more than the specified size and, hence,
+# should flush records before the buffer becomes
+# full to avoid overflows under normal
+# conditions (the exact flushing algorithm is
+# module-dependent though). The on-error option
+# controls overflow handling.
+#
+# on-error=die|drop Defines action on unrecoverable errors. The
+# 'drop' action ignores (i.e., does not log)
+# affected log records. The default 'die' action
+# kills the affected worker. The drop action
+# support has not been tested for modules other
+# than tcp.
+#
+# ===== Modules Currently available =====
+#
+# none Do not log any requests matching these ACL.
+# Do not specify Place or logformat name.
+#
+# stdio Write each log line to disk immediately at the completion of
+# each request.
+# Place: the filename and path to be written.
+#
+# daemon Very similar to stdio. But instead of writing to disk the log
+# line is passed to a daemon helper for asychronous handling instead.
+# Place: varies depending on the daemon.
+#
+# log_file_daemon Place: the file name and path to be written.
+#
+# syslog To log each request via syslog facility.
+# Place: The syslog facility and priority level for these entries.
+# Place Format: facility.priority
#
-# To log the request via syslog specify a filepath of "syslog":
+# where facility could be any of:
+# authpriv, daemon, local0 ... local7 or user.
#
-# access_log syslog[:facility.priority] [format [acl1 [acl2 ....]]]
-# where facility could be any of:
-# authpriv, daemon, local0 .. local7 or user.
+# And priority could be any of:
+# err, warning, notice, info, debug.
+#
+# udp To send each log line as text data to a UDP receiver.
+# Place: The destination host name or IP and port.
+# Place Format: //host:port
#
-# And priority could be any of:
-# err, warning, notice, info, debug.
+# tcp To send each log line as text data to a TCP receiver.
+# Lines may be accumulated before sending (see buffered_logs).
+# Place: The destination host name or IP and port.
+# Place Format: //host:port
#
# Default:
-# access_log /var/log/squid/access.log squid
+# access_log daemon:/var/log/squid/access.log squid
#Default:
-# access_log /var/log/squid/access.log squid
+# access_log daemon:/var/log/squid/access.log squid
# TAG: icap_log
# Note: This option is only available if Squid is rebuilt with the
-# --enable-icap-client option
+# --enable-icap-client
#
# ICAP log files record ICAP transaction summaries, one line per
# transaction.
@@ -2506,6 +3702,13 @@ http_port 3128
# payload only; i.e., what Squid reads from
# the socket).
#
+# icap::<bs Number of message body bytes received from the
+# ICAP server. ICAP message body, if any, usually
+# includes encapsulated HTTP message headers and
+# possibly encapsulated HTTP message body. The
+# HTTP body part is dechunked before its size is
+# computed.
+#
# icap::tr Transaction response time (in
# milliseconds). The timer starts when
# the ICAP transaction is created and
@@ -2536,38 +3739,59 @@ http_port 3128
#
#logformat icap_squid %ts.%03tu %6icap::tr %>a %icap::to/%03icap::Hs %icap::<size %icap::rm %icap::ru% %un -/%icap::<A -
#
-# See also: logformat, log_icap, and %icap::<last_h
+# See also: logformat, log_icap, and %adapt::<last_h
#Default:
# none
-# TAG: log_access allow|deny acl acl...
-# This options allows you to control which requests gets logged
-# to access.log (see access_log directive). Requests denied for
-# logging will also not be accounted for in performance counters.
+# TAG: logfile_daemon
+# Specify the path to the logfile-writing daemon. This daemon is
+# used to write the access and store logs, if configured.
#
-# This clause only supports fast acl types.
-# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+# Squid sends a number of commands to the log daemon:
+# L<data>\n - logfile data
+# R\n - rotate file
+# T\n - truncate file
+# O\n - reopen file
+# F\n - flush file
+# r<n>\n - set rotate count to <n>
+# b<n>\n - 1 = buffer output, 0 = don't buffer output
+#
+# No responses is expected.
+#Default:
+# logfile_daemon /usr/libexec/log_file_daemon
+
+# TAG: log_access
+# Remove this line. Use acls with access_log directives to control access logging
#Default:
# none
# TAG: log_icap
-# Note: This option is only available if Squid is rebuilt with the
-# --enable-icap-client option
-#
-# This options allows you to control which requests get logged
-# to icap.log. See the icap_log directive for ICAP log details.
+# Remove this line. Use acls with icap_log directives to control icap logging
#Default:
# none
+# TAG: stats_collection allow|deny acl acl...
+# This options allows you to control which requests gets accounted
+# in performance counters.
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# Allow logging for all transactions.
+
# TAG: cache_store_log
# Logs the activities of the storage manager. Shows which
# objects are ejected from the cache, and which objects are
-# saved and for how long. To disable, enter "none" or remove the line.
+# saved and for how long.
# There are not really utilities to analyze this data, so you can safely
-# disable it.
-#
+# disable it (the default).
+#
+# Store log uses modular logging outputs. See access_log for the list
+# of modules supported.
+#
# Example:
-# cache_store_log /var/log/squid/store.log
+# cache_store_log stdio:/var/log/squid/store.log
+# cache_store_log daemon:/var/log/squid/store.log
#Default:
# none
@@ -2600,7 +3824,7 @@ http_port 3128
# them). We recommend you do NOT use this option. It is
# better to keep these index files in each 'cache_dir' directory.
#Default:
-# none
+# Store the journal inside its cache_dir
# TAG: logfile_rotate
# Specifies the number of logfile rotations to make when you
@@ -2617,31 +3841,26 @@ http_port 3128
# in the habit of using 'squid -k rotate' instead of 'kill -USR1
# <pid>'.
#
-# Note, from Squid-3.1 this option has no effect on the cache.log,
-# that log can be rotated separately by using debug_options
+# Note, from Squid-3.1 this option is only a default for cache.log,
+# that log can be rotated separately by using debug_options.
#Default:
# logfile_rotate 10
-# TAG: emulate_httpd_log on|off
-# The Cache can emulate the log file format which many 'httpd'
-# programs use. To disable/enable this emulation, set
-# emulate_httpd_log to 'off' or 'on'. The default
-# is to use the native log format since it includes useful
-# information Squid-specific log analyzers use.
+# TAG: emulate_httpd_log
+# Replace this with an access_log directive using the format 'common' or 'combined'.
#Default:
-# emulate_httpd_log off
+# none
-# TAG: log_ip_on_direct on|off
-# Log the destination IP address in the hierarchy log tag when going
-# direct. Earlier Squid versions logged the hostname here. If you
-# prefer the old way set this to off.
+# TAG: log_ip_on_direct
+# Remove this option from your config. To log server or peer names use %<A in the log format.
#Default:
-# log_ip_on_direct on
+# none
# TAG: mime_table
-# Pathname to Squid's MIME table. You shouldn't need to change
-# this, but the default file contains examples and formatting
-# information if you do.
+# Path to Squid's icon configuration file.
+#
+# You shouldn't need to change this, but the default file contains
+# examples and formatting information if you do.
#Default:
# mime_table /etc/squid/mime.conf
@@ -2655,24 +3874,12 @@ http_port 3128
# log_mime_hdrs off
# TAG: useragent_log
-# Note: This option is only available if Squid is rebuilt with the
-# --enable-useragent-log option
-#
-# Squid will write the User-Agent field from HTTP requests
-# to the filename specified here. By default useragent_log
-# is disabled.
+# Replace this with an access_log directive using the format 'useragent'.
#Default:
# none
# TAG: referer_log
-# Note: This option is only available if Squid is rebuilt with the
-# --enable-referer-log option
-#
-# Squid will write the Referer field from HTTP requests to the
-# filename specified here. By default referer_log is disabled.
-# Note that "referer" is actually a misspelling of "referrer"
-# however the misspelt version has been accepted into the HTTP RFCs
-# and we accept both.
+# Replace this with an access_log directive using the format 'referrer'.
#Default:
# none
@@ -2681,14 +3888,10 @@ http_port 3128
#Default:
# pid_filename /var/run/squid
-# TAG: log_fqdn on|off
-# Turn this on if you wish to log fully qualified domain names
-# in the access.log. To do this Squid does a DNS lookup of all
-# IP's connecting to it. This can (in some situations) increase
-# latency, which makes your cache seem slower for interactive
-# browsing.
+# TAG: log_fqdn
+# Remove this option from your config. To log FQDN use %>A in the log format.
#Default:
-# log_fqdn off
+# none
# TAG: client_netmask
# A netmask for client addresses in logfiles and cachemgr output.
@@ -2696,49 +3899,58 @@ http_port 3128
# A netmask of 255.255.255.0 will log all IP's in that range with
# the last digit set to '0'.
#Default:
-# client_netmask no_addr
+# Log full client IP address
# TAG: forward_log
-# Note: This option is only available if Squid is rebuilt with the
-# -DWIP_FWD_LOG define
-#
-# Logs the server-side requests.
-#
-# This is currently work in progress.
+# Use a regular access.log with ACL limiting it to MISS events.
#Default:
# none
# TAG: strip_query_terms
# By default, Squid strips query terms from requested URLs before
-# logging. This protects your user's privacy.
+# logging. This protects your user's privacy and reduces log size.
+#
+# When investigating HIT/MISS or other caching behaviour you
+# will need to disable this to see the full URL used by Squid.
#Default:
# strip_query_terms on
# TAG: buffered_logs on|off
-# cache.log log file is written with stdio functions, and as such
-# it can be buffered or unbuffered. By default it will be unbuffered.
-# Buffering it can speed up the writing slightly (though you are
-# unlikely to need to worry unless you run with tons of debugging
-# enabled in which case performance will suffer badly anyway..).
+# Whether to write/send access_log records ASAP or accumulate them and
+# then write/send them in larger chunks. Buffering may improve
+# performance because it decreases the number of I/Os. However,
+# buffering increases the delay before log records become available to
+# the final recipient (e.g., a disk file or logging daemon) and,
+# hence, increases the risk of log records loss.
+#
+# Note that even when buffered_logs are off, Squid may have to buffer
+# records if it cannot write/send them immediately due to pending I/Os
+# (e.g., the I/O writing the previous log record) or connectivity loss.
+#
+# Currently honored by 'daemon' and 'tcp' access_log modules only.
#Default:
# buffered_logs off
# TAG: netdb_filename
# Note: This option is only available if Squid is rebuilt with the
-# --enable-icmp option
+# --enable-icmp
+#
+# Where Squid stores it's netdb journal.
+# When enabled this journal preserves netdb state between restarts.
#
-# A filename where Squid stores it's netdb state between restarts.
# To disable, enter "none".
#Default:
-# netdb_filename /var/log/squid/netdb.state
+# netdb_filename stdio:/var/log/squid/netdb.state
# OPTIONS FOR TROUBLESHOOTING
# -----------------------------------------------------------------------------
# TAG: cache_log
-# Cache logging file. This is where general information about
-# your cache's behavior goes. You can increase the amount of data
-# logged to this file and how often its rotated with "debug_options"
+# Squid administrative logging file.
+#
+# This is where general information about Squid behavior goes. You can
+# increase the amount of data logged to this file and how often it is
+# rotated with "debug_options"
#Default:
# cache_log /var/log/squid/cache.log
@@ -2749,14 +3961,14 @@ http_port 3128
# log file, so be careful.
#
# The magic word "ALL" sets debugging levels for all sections.
-# We recommend normally running with "ALL,1".
+# The default is to run with "ALL,1" to record important warnings.
#
# The rotate=N option can be used to keep more or less of these logs
# than would otherwise be kept by logfile_rotate.
# For most uses a single log should be enough to monitor current
# events affecting Squid.
#Default:
-# debug_options ALL,1
+# Log all critical and important messages.
# TAG: coredump_dir
# By default Squid leaves core files in the directory from where
@@ -2765,35 +3977,28 @@ http_port 3128
# and coredump files will be left there.
#
#Default:
-# coredump_dir none
+# Use the directory from where Squid was started.
#
# Leave coredumps in the first cache dir
-coredump_dir /var/log/squid/cache
+coredump_dir /var/log/squid/cache/squid
# OPTIONS FOR FTP GATEWAYING
# -----------------------------------------------------------------------------
# TAG: ftp_user
# If you want the anonymous login password to be more informative
-# (and enable the use of picky ftp servers), set this to something
+# (and enable the use of picky FTP servers), set this to something
# reasonable for your domain, like wwwuser@somewhere.net
#
# The reason why this is domainless by default is the
# request can be made on the behalf of a user in any domain,
# depending on how the cache is used.
-# Some ftp server also validate the email address is valid
+# Some FTP server also validate the email address is valid
# (for example perl.com).
#Default:
# ftp_user Squid@
-# TAG: ftp_list_width
-# Sets the width of ftp listings. This should be set to fit in
-# the width of a standard browser. Setting this too small
-# can cut off long filenames when browsing ftp sites.
-#Default:
-# ftp_list_width 32
-
# TAG: ftp_passive
# If your firewall does not allow Squid to use passive
# connections, turn off this option.
@@ -2897,7 +4102,7 @@ coredump_dir /var/log/squid/cache
# TAG: pinger_program
# Note: This option is only available if Squid is rebuilt with the
-# --enable-icmp option
+# --enable-icmp
#
# Specify the location of the executable for the pinger process.
#Default:
@@ -2905,13 +4110,13 @@ coredump_dir /var/log/squid/cache
# TAG: pinger_enable
# Note: This option is only available if Squid is rebuilt with the
-# --enable-icmp option
+# --enable-icmp
#
# Control whether the pinger is active at run-time.
# Enables turning ICMP pinger on and off with a simple
# squid -k reconfigure.
#Default:
-# pinger_enable off
+# pinger_enable on
# OPTIONS FOR URL REWRITING
# -----------------------------------------------------------------------------
@@ -2922,68 +4127,132 @@ coredump_dir /var/log/squid/cache
#
# For each requested URL, the rewriter will receive on line with the format
#
-# URL <SP> client_ip "/" fqdn <SP> user <SP> method [<SP> kvpairs]<NL>
+# [channel-ID <SP>] URL <SP> client_ip "/" fqdn <SP> user <SP> method [<SP> kv-pairs]<NL>
#
-# In the future, the rewriter interface will be extended with
-# key=value pairs ("kvpairs" shown above). Rewriter programs
+#
+# After processing the request the helper must reply using the following format:
+#
+# [channel-ID <SP>] result [<SP> kv-pairs]
+#
+# The result code can be:
+#
+# OK status=30N url="..."
+# Redirect the URL to the one supplied in 'url='.
+# 'status=' is optional and contains the status code to send
+# the client in Squids HTTP response. It must be one of the
+# HTTP redirect status codes: 301, 302, 303, 307, 308.
+# When no status is given Squid will use 302.
+#
+# OK rewrite-url="..."
+# Rewrite the URL to the one supplied in 'rewrite-url='.
+# The new URL is fetched directly by Squid and returned to
+# the client as the response to its request.
+#
+# OK
+# When neither of url= and rewrite-url= are sent Squid does
+# not change the URL.
+#
+# ERR
+# Do not change the URL.
+#
+# BH
+# An internal error occurred in the helper, preventing
+# a result being identified. The 'message=' key name is
+# reserved for delivering a log message.
+#
+#
+# In the future, the interface protocol will be extended with
+# key=value pairs ("kv-pairs" shown above). Helper programs
# should be prepared to receive and possibly ignore additional
# whitespace-separated tokens on each input line.
#
-# And the rewriter may return a rewritten URL. The other components of
-# the request line does not need to be returned (ignored if they are).
+# When using the concurrency= option the protocol is changed by
+# introducing a query channel tag in front of the request/response.
+# The query channel tag is a number between 0 and concurrency-1.
+# This value must be echoed back unchanged to Squid as the first part
+# of the response relating to its request.
+#
+# WARNING: URL re-writing ability should be avoided whenever possible.
+# Use the URL redirect form of response instead.
#
-# The rewriter can also indicate that a client-side redirect should
-# be performed to the new URL. This is done by prefixing the returned
-# URL with "301:" (moved permanently) or 302: (moved temporarily), etc.
+# Re-write creates a difference in the state held by the client
+# and server. Possibly causing confusion when the server response
+# contains snippets of its view state. Embeded URLs, response
+# and content Location headers, etc. are not re-written by this
+# interface.
#
# By default, a URL rewriter is not used.
#Default:
# none
# TAG: url_rewrite_children
-# The number of redirector processes to spawn. If you start
-# too few Squid will have to wait for them to process a backlog of
-# URLs, slowing it down. If you start too many they will use RAM
-# and other system resources.
-#Default:
-# url_rewrite_children 5
-
-# TAG: url_rewrite_concurrency
+# The maximum number of redirector processes to spawn. If you limit
+# it too few Squid will have to wait for them to process a backlog of
+# URLs, slowing it down. If you allow too many they will use RAM
+# and other system resources noticably.
+#
+# The startup= and idle= options allow some measure of skew in your
+# tuning.
+#
+# startup=
+#
+# Sets a minimum of how many processes are to be spawned when Squid
+# starts or reconfigures. When set to zero the first request will
+# cause spawning of the first child process to handle it.
+#
+# Starting too few will cause an initial slowdown in traffic as Squid
+# attempts to simultaneously spawn enough processes to cope.
+#
+# idle=
+#
+# Sets a minimum of how many processes Squid is to try and keep available
+# at all times. When traffic begins to rise above what the existing
+# processes can handle this many more will be spawned up to the maximum
+# configured. A minimum setting of 1 is required.
+#
+# concurrency=
+#
# The number of requests each redirector helper can handle in
# parallel. Defaults to 0 which indicates the redirector
# is a old-style single threaded redirector.
#
# When this directive is set to a value >= 1 then the protocol
# used to communicate with the helper is modified to include
-# a request ID in front of the request/response. The request
-# ID from the request must be echoed back with the response
-# to that request.
+# an ID in front of the request/response. The ID from the request
+# must be echoed back with the response to that request.
#Default:
-# url_rewrite_concurrency 0
+# url_rewrite_children 20 startup=0 idle=1 concurrency=0
# TAG: url_rewrite_host_header
-# By default Squid rewrites any Host: header in redirected
-# requests. If you are running an accelerator this may
-# not be a wanted effect of a redirector.
-#
+# To preserve same-origin security policies in browsers and
+# prevent Host: header forgery by redirectors Squid rewrites
+# any Host: header in redirected requests.
+#
+# If you are running an accelerator this may not be a wanted
+# effect of a redirector. This directive enables you disable
+# Host: alteration in reverse-proxy traffic.
+#
# WARNING: Entries are cached on the result of the URL rewriting
# process, so be careful if you have domain-virtual hosts.
+#
+# WARNING: Squid and other software verifies the URL and Host
+# are matching, so be careful not to relay through other proxies
+# or inspecting firewalls with this disabled.
#Default:
# url_rewrite_host_header on
# TAG: url_rewrite_access
# If defined, this access list specifies which requests are
-# sent to the redirector processes. By default all requests
-# are sent.
+# sent to the redirector processes.
#
# This clause supports both fast and slow acl types.
# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#Default:
-# none
+# Allow, unless rules exist in squid.conf.
# TAG: url_rewrite_bypass
# When this is 'on', a request will not go through the
-# redirector if all redirectors are busy. If this is 'off'
+# redirector if all the helpers are busy. If this is 'off'
# and the redirector queue grows too large, Squid will exit
# with a FATAL error and ask you to increase the number of
# redirectors. You should only enable this if the redirectors
@@ -2994,6 +4263,114 @@ coredump_dir /var/log/squid/cache
#Default:
# url_rewrite_bypass off
+# OPTIONS FOR STORE ID
+# -----------------------------------------------------------------------------
+
+# TAG: store_id_program
+# Specify the location of the executable StoreID helper to use.
+# Since they can perform almost any function there isn't one included.
+#
+# For each requested URL, the helper will receive one line with the format
+#
+# [channel-ID <SP>] URL <SP> client_ip "/" fqdn <SP> user <SP> method [<SP> kv-pairs]<NL>
+#
+#
+# After processing the request the helper must reply using the following format:
+#
+# [channel-ID <SP>] result [<SP> kv-pairs]
+#
+# The result code can be:
+#
+# OK store-id="..."
+# Use the StoreID supplied in 'store-id='.
+#
+# ERR
+# The default is to use HTTP request URL as the store ID.
+#
+# BH
+# An internal error occured in the helper, preventing
+# a result being identified.
+#
+#
+# Helper programs should be prepared to receive and possibly ignore additional
+# kv-pairs with keys they do not support.
+#
+# When using the concurrency= option the protocol is changed by
+# introducing a query channel tag in front of the request/response.
+# The query channel tag is a number between 0 and concurrency-1.
+# This value must be echoed back unchanged to Squid as the first part
+# of the response relating to its request.
+#
+# NOTE: when using StoreID refresh_pattern will apply to the StoreID
+# returned from the helper and not the URL.
+#
+# WARNING: Wrong StoreID value returned by a careless helper may result
+# in the wrong cached response returned to the user.
+#
+# By default, a StoreID helper is not used.
+#Default:
+# none
+
+# TAG: store_id_children
+# The maximum number of StoreID helper processes to spawn. If you limit
+# it too few Squid will have to wait for them to process a backlog of
+# requests, slowing it down. If you allow too many they will use RAM
+# and other system resources noticably.
+#
+# The startup= and idle= options allow some measure of skew in your
+# tuning.
+#
+# startup=
+#
+# Sets a minimum of how many processes are to be spawned when Squid
+# starts or reconfigures. When set to zero the first request will
+# cause spawning of the first child process to handle it.
+#
+# Starting too few will cause an initial slowdown in traffic as Squid
+# attempts to simultaneously spawn enough processes to cope.
+#
+# idle=
+#
+# Sets a minimum of how many processes Squid is to try and keep available
+# at all times. When traffic begins to rise above what the existing
+# processes can handle this many more will be spawned up to the maximum
+# configured. A minimum setting of 1 is required.
+#
+# concurrency=
+#
+# The number of requests each storeID helper can handle in
+# parallel. Defaults to 0 which indicates the helper
+# is a old-style single threaded program.
+#
+# When this directive is set to a value >= 1 then the protocol
+# used to communicate with the helper is modified to include
+# an ID in front of the request/response. The ID from the request
+# must be echoed back with the response to that request.
+#Default:
+# store_id_children 20 startup=0 idle=1 concurrency=0
+
+# TAG: store_id_access
+# If defined, this access list specifies which requests are
+# sent to the StoreID processes. By default all requests
+# are sent.
+#
+# This clause supports both fast and slow acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#Default:
+# Allow, unless rules exist in squid.conf.
+
+# TAG: store_id_bypass
+# When this is 'on', a request will not go through the
+# helper if all helpers are busy. If this is 'off'
+# and the helper queue grows too large, Squid will exit
+# with a FATAL error and ask you to increase the number of
+# helpers. You should only enable this if the helperss
+# are not critical to your caching system. If you use
+# helpers for critical caching components, and you enable this
+# option, users may not get objects from cache.
+#Default:
+# store_id_bypass on
+
# OPTIONS FOR TUNING THE CACHE
# -----------------------------------------------------------------------------
@@ -3005,12 +4382,17 @@ coredump_dir /var/log/squid/cache
# You must use the words 'allow' or 'deny' to indicate whether items
# matching the ACL should be allowed or denied into the cache.
#
-# Default is to allow all to be cached.
-#
# This clause supports both fast and slow acl types.
# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#Default:
-# none
+# Allow caching, unless rules exist in squid.conf.
+
+# TAG: max_stale time-units
+# This option puts an upper limit on how stale content Squid
+# will serve from the cache if cache validation fails.
+# Can be overriden by the refresh_pattern max-stale option.
+#Default:
+# max_stale 1 week
# TAG: refresh_pattern
# usage: refresh_pattern [-i] regex min percent max [options]
@@ -3035,12 +4417,13 @@ coredump_dir /var/log/squid/cache
# override-lastmod
# reload-into-ims
# ignore-reload
-# ignore-no-cache
# ignore-no-store
# ignore-must-revalidate
# ignore-private
# ignore-auth
+# max-stale=NN
# refresh-ims
+# store-stale
#
# override-expire enforces min age even if the server
# sent an explicit expiry time (e.g., with the
@@ -3056,22 +4439,18 @@ coredump_dir /var/log/squid/cache
# override-lastmod enforces min age even on objects
# that were modified recently.
#
-# reload-into-ims changes client no-cache or ``reload''
-# to If-Modified-Since requests. Doing this VIOLATES the
-# HTTP standard. Enabling this feature could make you
-# liable for problems which it causes.
+# reload-into-ims changes a client no-cache or ``reload''
+# request for a cached entry into a conditional request using
+# If-Modified-Since and/or If-None-Match headers, provided the
+# cached entry has a Last-Modified and/or a strong ETag header.
+# Doing this VIOLATES the HTTP standard. Enabling this feature
+# could make you liable for problems which it causes.
#
# ignore-reload ignores a client no-cache or ``reload''
# header. Doing this VIOLATES the HTTP standard. Enabling
# this feature could make you liable for problems which
# it causes.
#
-# ignore-no-cache ignores any ``Pragma: no-cache'' and
-# ``Cache-control: no-cache'' headers received from a server.
-# The HTTP RFC never allows the use of this (Pragma) header
-# from a server, only a client, though plenty of servers
-# send it anyway.
-#
# ignore-no-store ignores any ``Cache-control: no-store''
# headers received from a server. Doing this VIOLATES
# the HTTP standard. Enabling this feature could make you
@@ -3098,6 +4477,16 @@ coredump_dir /var/log/squid/cache
# ensures that the client will receive an updated version
# if one is available.
#
+# store-stale stores responses even if they don't have explicit
+# freshness or a validator (i.e., Last-Modified or an ETag)
+# present, or if they're already stale. By default, Squid will
+# not cache such responses because they usually can't be
+# reused. Note that such responses will be stale by default.
+#
+# max-stale=NN provide a maximum staleness factor. Squid won't
+# serve objects more stale than this even if it failed to
+# validate the object. Default: use the max_stale global limit.
+#
# Basically a cached object is:
#
# FRESH if expires < now, else STALE
@@ -3116,7 +4505,9 @@ coredump_dir /var/log/squid/cache
#
#
+#
# Add any of your own refresh_pattern entries above these.
+#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
@@ -3139,7 +4530,7 @@ refresh_pattern . 0 20% 4320
# downloads.
#
# When the user aborts a request, Squid will check the
-# quick_abort values to the amount of data transfered until
+# quick_abort values to the amount of data transferred until
# then.
#
# If the transfer has less than 'quick_abort_min' KB remaining,
@@ -3197,44 +4588,68 @@ refresh_pattern . 0 20% 4320
#Default:
# negative_dns_ttl 1 minutes
-# TAG: range_offset_limit (bytes)
-# Sets a upper limit on how far into the the file a Range request
-# may be to cause Squid to prefetch the whole file. If beyond this
-# limit Squid forwards the Range request as it is and the result
-# is NOT cached.
-#
+# TAG: range_offset_limit size [acl acl...]
+# usage: (size) [units] [[!]aclname]
+#
+# Sets an upper limit on how far (number of bytes) into the file
+# a Range request may be to cause Squid to prefetch the whole file.
+# If beyond this limit, Squid forwards the Range request as it is and
+# the result is NOT cached.
+#
# This is to stop a far ahead range request (lets say start at 17MB)
# from making Squid fetch the whole object up to that point before
# sending anything to the client.
-#
-# A value of 0 causes Squid to never fetch more than the
+#
+# Multiple range_offset_limit lines may be specified, and they will
+# be searched from top to bottom on each request until a match is found.
+# The first match found will be used. If no line matches a request, the
+# default limit of 0 bytes will be used.
+#
+# 'size' is the limit specified as a number of units.
+#
+# 'units' specifies whether to use bytes, KB, MB, etc.
+# If no units are specified bytes are assumed.
+#
+# A size of 0 causes Squid to never fetch more than the
# client requested. (default)
-#
-# A value of -1 causes Squid to always fetch the object from the
+#
+# A size of 'none' causes Squid to always fetch the object from the
# beginning so it may cache the result. (2.0 style)
-#
-# NP: Using -1 here will override any quick_abort settings that may
-# otherwise apply to the range request. The range request will
+#
+# 'aclname' is the name of a defined ACL.
+#
+# NP: Using 'none' as the byte value here will override any quick_abort settings
+# that may otherwise apply to the range request. The range request will
# be fully fetched from start to finish regardless of the client
# actions. This affects bandwidth usage.
#Default:
-# range_offset_limit 0 KB
+# none
# TAG: minimum_expiry_time (seconds)
# The minimum caching time according to (Expires - Date)
-# Headers Squid honors if the object can't be revalidated
-# defaults to 60 seconds. In reverse proxy environments it
-# might be desirable to honor shorter object lifetimes. It
-# is most likely better to make your server return a
-# meaningful Last-Modified header however. In ESI environments
-# where page fragments often have short lifetimes, this will
-# often be best set to 0.
+# headers Squid honors if the object can't be revalidated.
+# The default is 60 seconds.
+#
+# In reverse proxy environments it might be desirable to honor
+# shorter object lifetimes. It is most likely better to make
+# your server return a meaningful Last-Modified header however.
+#
+# In ESI environments where page fragments often have short
+# lifetimes, this will often be best set to 0.
#Default:
# minimum_expiry_time 60 seconds
-# TAG: store_avg_object_size (kbytes)
+# TAG: store_avg_object_size (bytes)
# Average object size, used to estimate number of objects your
# cache can hold. The default is 13 KB.
+#
+# This is used to pre-seed the cache index memory allocation to
+# reduce expensive reallocate operations while handling clients
+# traffic. Too-large values may result in memory allocation during
+# peak traffic, too-small values will result in wasted memory.
+#
+# Check the cache manager 'info' report metrics for the real
+# object sizes seen by your Squid before tuning this.
#Default:
# store_avg_object_size 13 KB
@@ -3273,8 +4688,11 @@ refresh_pattern . 0 20% 4320
# than this limit receives an "Invalid Request" error message.
# If you set this parameter to a zero (the default), there will
# be no limit imposed.
+#
+# See also client_request_buffer_max_size for an alternative
+# limitation on client uploads which can be configured.
#Default:
-# request_body_max_size 0 KB
+# No limit.
# TAG: client_request_buffer_max_size (bytes)
# This specifies the maximum buffer size of a client request.
@@ -3327,18 +4745,18 @@ refresh_pattern . 0 20% 4320
# acl buggy_server url_regex ^http://....
# broken_posts allow buggy_server
#Default:
-# none
+# Obey RFC 2616.
-# TAG: icap_uses_indirect_client on|off
+# TAG: adaptation_uses_indirect_client on|off
# Note: This option is only available if Squid is rebuilt with the
-# --enable-follow-x-forwarded-for and --enable-icap-client option
+# --enable-follow-x-forwarded-for and (--enable-icap-client and/or --enable-ecap)
#
# Controls whether the indirect client IP address (instead of the direct
# client IP address) is passed to adaptation services.
#
# See also: follow_x_forwarded_for adaptation_send_client_ip
#Default:
-# icap_uses_indirect_client on
+# adaptation_uses_indirect_client on
# TAG: via on|off
# If set (default), Squid will include a Via header in requests and
@@ -3400,64 +4818,62 @@ refresh_pattern . 0 20% 4320
#
# This option replaces the old 'anonymize_headers' and the
# older 'http_anonymizer' option with something that is much
-# more configurable. This new method creates a list of ACLs
-# for each header, allowing you very fine-tuned header
-# mangling.
-#
-# This option only applies to request headers, i.e., from the
-# client to the server.
-#
-# You can only specify known headers for the header name.
-# Other headers are reclassified as 'Other'. You can also
-# refer to all the headers with 'All'.
+# more configurable. A list of ACLs for each header name allows
+# removal of specific header fields under specific conditions.
+#
+# This option only applies to outgoing HTTP request headers (i.e.,
+# headers sent by Squid to the next HTTP hop such as a cache peer
+# or an origin server). The option has no effect during cache hit
+# detection. The equivalent adaptation vectoring point in ICAP
+# terminology is post-cache REQMOD.
+#
+# The option is applied to individual outgoing request header
+# fields. For each request header field F, Squid uses the first
+# qualifying sets of request_header_access rules:
+#
+# 1. Rules with header_name equal to F's name.
+# 2. Rules with header_name 'Other', provided F's name is not
+# on the hard-coded list of commonly used HTTP header names.
+# 3. Rules with header_name 'All'.
+#
+# Within that qualifying rule set, rule ACLs are checked as usual.
+# If ACLs of an "allow" rule match, the header field is allowed to
+# go through as is. If ACLs of a "deny" rule match, the header is
+# removed and request_header_replace is then checked to identify
+# if the removed header has a replacement. If no rules within the
+# set have matching ACLs, the header field is left as is.
#
# For example, to achieve the same behavior as the old
# 'http_anonymizer standard' option, you should use:
#
# request_header_access From deny all
# request_header_access Referer deny all
-# request_header_access Server deny all
# request_header_access User-Agent deny all
-# request_header_access WWW-Authenticate deny all
-# request_header_access Link deny all
#
# Or, to reproduce the old 'http_anonymizer paranoid' feature
# you should use:
#
-# request_header_access Allow allow all
# request_header_access Authorization allow all
-# request_header_access WWW-Authenticate allow all
# request_header_access Proxy-Authorization allow all
-# request_header_access Proxy-Authenticate allow all
# request_header_access Cache-Control allow all
-# request_header_access Content-Encoding allow all
# request_header_access Content-Length allow all
# request_header_access Content-Type allow all
# request_header_access Date allow all
-# request_header_access Expires allow all
# request_header_access Host allow all
# request_header_access If-Modified-Since allow all
-# request_header_access Last-Modified allow all
-# request_header_access Location allow all
# request_header_access Pragma allow all
# request_header_access Accept allow all
# request_header_access Accept-Charset allow all
# request_header_access Accept-Encoding allow all
# request_header_access Accept-Language allow all
-# request_header_access Content-Language allow all
-# request_header_access Mime-Version allow all
-# request_header_access Retry-After allow all
-# request_header_access Title allow all
# request_header_access Connection allow all
# request_header_access All deny all
#
-# although many of those are HTTP reply headers, and so should be
-# controlled with the reply_header_access directive.
+# HTTP reply headers are controlled with the reply_header_access directive.
#
-# By default, all headers are allowed (no anonymizing is
-# performed).
+# By default, all headers are allowed (no anonymizing is performed).
#Default:
-# none
+# No limits.
# TAG: reply_header_access
# Usage: reply_header_access header_name allow|deny [!]aclname ...
@@ -3470,25 +4886,13 @@ refresh_pattern . 0 20% 4320
# server to the client.
#
# This is the same as request_header_access, but in the other
-# direction.
-#
-# This option replaces the old 'anonymize_headers' and the
-# older 'http_anonymizer' option with something that is much
-# more configurable. This new method creates a list of ACLs
-# for each header, allowing you very fine-tuned header
-# mangling.
-#
-# You can only specify known headers for the header name.
-# Other headers are reclassified as 'Other'. You can also
-# refer to all the headers with 'All'.
+# direction. Please see request_header_access for detailed
+# documentation.
#
# For example, to achieve the same behavior as the old
# 'http_anonymizer standard' option, you should use:
#
-# reply_header_access From deny all
-# reply_header_access Referer deny all
# reply_header_access Server deny all
-# reply_header_access User-Agent deny all
# reply_header_access WWW-Authenticate deny all
# reply_header_access Link deny all
#
@@ -3496,9 +4900,7 @@ refresh_pattern . 0 20% 4320
# you should use:
#
# reply_header_access Allow allow all
-# reply_header_access Authorization allow all
# reply_header_access WWW-Authenticate allow all
-# reply_header_access Proxy-Authorization allow all
# reply_header_access Proxy-Authenticate allow all
# reply_header_access Cache-Control allow all
# reply_header_access Content-Encoding allow all
@@ -3506,29 +4908,22 @@ refresh_pattern . 0 20% 4320
# reply_header_access Content-Type allow all
# reply_header_access Date allow all
# reply_header_access Expires allow all
-# reply_header_access Host allow all
-# reply_header_access If-Modified-Since allow all
# reply_header_access Last-Modified allow all
# reply_header_access Location allow all
# reply_header_access Pragma allow all
-# reply_header_access Accept allow all
-# reply_header_access Accept-Charset allow all
-# reply_header_access Accept-Encoding allow all
-# reply_header_access Accept-Language allow all
# reply_header_access Content-Language allow all
-# reply_header_access Mime-Version allow all
# reply_header_access Retry-After allow all
# reply_header_access Title allow all
+# reply_header_access Content-Disposition allow all
# reply_header_access Connection allow all
# reply_header_access All deny all
#
-# although the HTTP request headers won't be usefully controlled
-# by this directive -- see request_header_access for details.
+# HTTP request headers are controlled with the request_header_access directive.
#
# By default, all headers are allowed (no anonymizing is
# performed).
#Default:
-# none
+# No limits.
# TAG: request_header_replace
# Usage: request_header_replace header_name message
@@ -3536,8 +4931,7 @@ refresh_pattern . 0 20% 4320
#
# This option allows you to change the contents of headers
# denied with request_header_access above, by replacing them
-# with some fixed string. This replaces the old fake_user_agent
-# option.
+# with some fixed string.
#
# This only applies to request headers, not reply headers.
#
@@ -3559,6 +4953,57 @@ refresh_pattern . 0 20% 4320
#Default:
# none
+# TAG: request_header_add
+# Usage: request_header_add field-name field-value acl1 [acl2] ...
+# Example: request_header_add X-Client-CA "CA=%ssl::>cert_issuer" all
+#
+# This option adds header fields to outgoing HTTP requests (i.e.,
+# request headers sent by Squid to the next HTTP hop such as a
+# cache peer or an origin server). The option has no effect during
+# cache hit detection. The equivalent adaptation vectoring point
+# in ICAP terminology is post-cache REQMOD.
+#
+# Field-name is a token specifying an HTTP header name. If a
+# standard HTTP header name is used, Squid does not check whether
+# the new header conflicts with any existing headers or violates
+# HTTP rules. If the request to be modified already contains a
+# field with the same name, the old field is preserved but the
+# header field values are not merged.
+#
+# Field-value is either a token or a quoted string. If quoted
+# string format is used, then the surrounding quotes are removed
+# while escape sequences and %macros are processed.
+#
+# In theory, all of the logformat codes can be used as %macros.
+# However, unlike logging (which happens at the very end of
+# transaction lifetime), the transaction may not yet have enough
+# information to expand a macro when the new header value is needed.
+# And some information may already be available to Squid but not yet
+# committed where the macro expansion code can access it (report
+# such instances!). The macro will be expanded into a single dash
+# ('-') in such cases. Not all macros have been tested.
+#
+# One or more Squid ACLs may be specified to restrict header
+# injection to matching requests. As always in squid.conf, all
+# ACLs in an option ACL list must be satisfied for the insertion
+# to happen. The request_header_add option supports fast ACLs
+# only.
+#Default:
+# none
+
+# TAG: note
+# This option used to log custom information about the master
+# transaction. For example, an admin may configure Squid to log
+# which "user group" the transaction belongs to, where "user group"
+# will be determined based on a set of ACLs and not [just]
+# authentication information.
+# Values of key/value pairs can be logged using %{key}note macros:
+#
+# note key value acl ...
+# logformat myFormat ... %{key}note ...
+#Default:
+# none
+
# TAG: relaxed_header_parser on|off|warn
# In the default "on" setting Squid accepts certain forms
# of non-compliant HTTP messages where it is unambiguous
@@ -3574,16 +5019,6 @@ refresh_pattern . 0 20% 4320
#Default:
# relaxed_header_parser on
-# TAG: ignore_expect_100 on|off
-# This option makes Squid ignore any Expect: 100-continue header present
-# in the request. RFC 2616 requires that Squid being unable to satisfy
-# the response expectation MUST return a 417 error.
-#
-# Note: Enabling this is a HTTP protocol violation, but some clients may
-# not handle it well..
-#Default:
-# ignore_expect_100 off
-
# TIMEOUTS
# -----------------------------------------------------------------------------
@@ -3617,17 +5052,28 @@ refresh_pattern . 0 20% 4320
#Default:
# read_timeout 15 minutes
+# TAG: write_timeout time-units
+# This timeout is tracked for all connections that have data
+# available for writing and are waiting for the socket to become
+# ready. After each successful write, the timeout is extended by
+# the configured amount. If Squid has data to write but the
+# connection is not ready for the configured duration, the
+# transaction associated with the connection is terminated. The
+# default is 15 minutes.
+#Default:
+# write_timeout 15 minutes
+
# TAG: request_timeout
# How long to wait for complete HTTP request headers after initial
# connection establishment.
#Default:
# request_timeout 5 minutes
-# TAG: persistent_request_timeout
+# TAG: client_idle_pconn_timeout
# How long to wait for the next HTTP request on a persistent
-# connection after the previous request completes.
+# client connection after the previous request completes.
#Default:
-# persistent_request_timeout 2 minutes
+# client_idle_pconn_timeout 2 minutes
# TAG: client_lifetime time-units
# The maximum amount of time a client (browser) is allowed to
@@ -3663,11 +5109,11 @@ refresh_pattern . 0 20% 4320
#Default:
# half_closed_clients off
-# TAG: pconn_timeout
+# TAG: server_idle_pconn_timeout
# Timeout for idle persistent connections to servers and other
# proxies.
#Default:
-# pconn_timeout 1 minute
+# server_idle_pconn_timeout 1 minute
# TAG: ident_timeout
# Maximum time to wait for IDENT lookups to complete.
@@ -3692,15 +5138,15 @@ refresh_pattern . 0 20% 4320
# TAG: cache_mgr
# Email-address of local cache manager who will receive
-# mail if the cache dies. The default is "webmaster."
+# mail if the cache dies. The default is "webmaster".
#Default:
# cache_mgr webmaster
# TAG: mail_from
# From: email-address for mail sent when the cache dies.
-# The default is to use 'appname@unique_hostname'.
-# Default appname value is "squid", can be changed into
-# src/globals.h before building squid.
+# The default is to use 'squid@unique_hostname'.
+#
+# See also: unique_hostname directive.
#Default:
# none
@@ -3739,7 +5185,7 @@ refresh_pattern . 0 20% 4320
# Our preference is for administrators to configure a secure
# user account for squid with UID/GID matching system policies.
#Default:
-# none
+# Use system group memberships of the cache_effective_user account
# TAG: httpd_suppress_version_string on|off
# Suppress Squid version string info in HTTP headers and HTML error pages.
@@ -3753,14 +5199,14 @@ refresh_pattern . 0 20% 4320
# get errors about IP-forwarding you must set them to have individual
# names with this setting.
#Default:
-# none
+# Automatically detect the system host name
# TAG: unique_hostname
# If you want to have multiple machines with the same
# 'visible_hostname' you must give each machine a different
# 'unique_hostname' so forwarding loops can be detected.
#Default:
-# none
+# Copy the value from visible_hostname
# TAG: hostname_aliases
# A list of other DNS names your cache has.
@@ -3799,33 +5245,32 @@ refresh_pattern . 0 20% 4320
# available on the Web at http://www.ircache.net/Cache/Tracker/.
# TAG: announce_period
-# This is how frequently to send cache announcements. The
-# default is `0' which disables sending the announcement
-# messages.
+# This is how frequently to send cache announcements.
#
# To enable announcing your cache, just set an announce period.
#
# Example:
# announce_period 1 day
#Default:
-# announce_period 0
+# Announcement messages disabled.
# TAG: announce_host
+# Set the hostname where announce registration messages will be sent.
+#
+# See also announce_port and announce_file
#Default:
# announce_host tracker.ircache.net
# TAG: announce_file
+# The contents of this file will be included in the announce
+# registration messages.
#Default:
# none
# TAG: announce_port
-# announce_host and announce_port set the hostname and port
-# number where the registration message will be sent.
+# Set the port where announce registration messages will be sent.
#
-# Hostname will default to 'tracker.ircache.net' and port will
-# default default to 3131. If the 'filename' argument is given,
-# the contents of that file will be included in the announce
-# message.
+# See also announce_host and announce_file
#Default:
# announce_port 3131
@@ -3833,28 +5278,24 @@ refresh_pattern . 0 20% 4320
# -----------------------------------------------------------------------------
# TAG: httpd_accel_surrogate_id
-# Note: This option is only available if Squid is rebuilt with the
-# --enable-esi option
-#
# Surrogates (http://www.esi.org/architecture_spec_1.0.html)
# need an identification token to allow control targeting. Because
# a farm of surrogates may all perform the same tasks, they may share
# an identification token.
#Default:
-# httpd_accel_surrogate_id unset-id
+# visible_hostname is used if no specific ID is set.
# TAG: http_accel_surrogate_remote on|off
-# Note: This option is only available if Squid is rebuilt with the
-# --enable-esi option
+# Remote surrogates (such as those in a CDN) honour the header
+# "Surrogate-Control: no-store-remote".
#
-# Remote surrogates (such as those in a CDN) honour Surrogate-Control: no-store-remote.
# Set this to on to have squid behave as a remote surrogate.
#Default:
# http_accel_surrogate_remote off
# TAG: esi_parser libxml2|expat|custom
# Note: This option is only available if Squid is rebuilt with the
-# --enable-esi option
+# --enable-esi
#
# ESI markup is not strictly XML compatible. The custom ESI parser
# will give higher performance, but cannot handle non ASCII character
@@ -3867,17 +5308,20 @@ refresh_pattern . 0 20% 4320
# TAG: delay_pools
# Note: This option is only available if Squid is rebuilt with the
-# --enable-delay-pools option
+# --enable-delay-pools
#
# This represents the number of delay pools to be used. For example,
# if you have one class 2 delay pool and one class 3 delays pool, you
# have a total of 2 delay pools.
+#
+# See also delay_parameters, delay_class, delay_access for pool
+# configuration details.
#Default:
# delay_pools 0
# TAG: delay_class
# Note: This option is only available if Squid is rebuilt with the
-# --enable-delay-pools option
+# --enable-delay-pools
#
# This defines the class of each delay pool. There must be exactly one
# delay_class line for each delay pool. For example, to define two
@@ -3927,12 +5371,17 @@ refresh_pattern . 0 20% 4320
#
# NOTE-2: Due to the use of bitmasks in class 2,3,4 pools they only apply to
# IPv4 traffic. Class 1 and 5 pools may be used with IPv6 traffic.
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
+# See also delay_parameters and delay_access.
#Default:
# none
# TAG: delay_access
# Note: This option is only available if Squid is rebuilt with the
-# --enable-delay-pools option
+# --enable-delay-pools
#
# This is used to determine which delay pool a request falls into.
#
@@ -3944,18 +5393,20 @@ refresh_pattern . 0 20% 4320
# For example, if you want some_big_clients in delay
# pool 1 and lotsa_little_clients in delay pool 2:
#
-#Example:
-# delay_access 1 allow some_big_clients
-# delay_access 1 deny all
-# delay_access 2 allow lotsa_little_clients
-# delay_access 2 deny all
-# delay_access 3 allow authenticated_clients
+# delay_access 1 allow some_big_clients
+# delay_access 1 deny all
+# delay_access 2 allow lotsa_little_clients
+# delay_access 2 deny all
+# delay_access 3 allow authenticated_clients
+#
+# See also delay_parameters and delay_class.
+#
#Default:
-# none
+# Deny using the pool, unless allow rules exist in squid.conf for the pool.
# TAG: delay_parameters
# Note: This option is only available if Squid is rebuilt with the
-# --enable-delay-pools option
+# --enable-delay-pools
#
# This defines the parameters for a delay pool. Each delay pool has
# a number of "buckets" associated with it, as explained in the
@@ -4040,12 +5491,16 @@ refresh_pattern . 0 20% 4320
# be limited to 128Kbits/sec no matter how many workstations they are logged into.:
#
# delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000
+#
+#
+# See also delay_class and delay_access.
+#
#Default:
# none
# TAG: delay_initial_bucket_level (percent, 0-100)
# Note: This option is only available if Squid is rebuilt with the
-# --enable-delay-pools option
+# --enable-delay-pools
#
# The initial bucket percentage is used to determine how much is put
# in each bucket when squid starts, is reconfigured, or first notices
@@ -4055,6 +5510,106 @@ refresh_pattern . 0 20% 4320
#Default:
# delay_initial_bucket_level 50
+# CLIENT DELAY POOL PARAMETERS
+# -----------------------------------------------------------------------------
+
+# TAG: client_delay_pools
+# Note: This option is only available if Squid is rebuilt with the
+# --enable-delay-pools
+#
+# This option specifies the number of client delay pools used. It must
+# preceed other client_delay_* options.
+#
+# Example:
+# client_delay_pools 2
+#
+# See also client_delay_parameters and client_delay_access.
+#Default:
+# client_delay_pools 0
+
+# TAG: client_delay_initial_bucket_level (percent, 0-no_limit)
+# Note: This option is only available if Squid is rebuilt with the
+# --enable-delay-pools
+#
+# This option determines the initial bucket size as a percentage of
+# max_bucket_size from client_delay_parameters. Buckets are created
+# at the time of the "first" connection from the matching IP. Idle
+# buckets are periodically deleted up.
+#
+# You can specify more than 100 percent but note that such "oversized"
+# buckets are not refilled until their size goes down to max_bucket_size
+# from client_delay_parameters.
+#
+# Example:
+# client_delay_initial_bucket_level 50
+#Default:
+# client_delay_initial_bucket_level 50
+
+# TAG: client_delay_parameters
+# Note: This option is only available if Squid is rebuilt with the
+# --enable-delay-pools
+#
+#
+# This option configures client-side bandwidth limits using the
+# following format:
+#
+# client_delay_parameters pool speed_limit max_bucket_size
+#
+# pool is an integer ID used for client_delay_access matching.
+#
+# speed_limit is bytes added to the bucket per second.
+#
+# max_bucket_size is the maximum size of a bucket, enforced after any
+# speed_limit additions.
+#
+# Please see the delay_parameters option for more information and
+# examples.
+#
+# Example:
+# client_delay_parameters 1 1024 2048
+# client_delay_parameters 2 51200 16384
+#
+# See also client_delay_access.
+#
+#Default:
+# none
+
+# TAG: client_delay_access
+# Note: This option is only available if Squid is rebuilt with the
+# --enable-delay-pools
+#
+# This option determines the client-side delay pool for the
+# request:
+#
+# client_delay_access pool_ID allow|deny acl_name
+#
+# All client_delay_access options are checked in their pool ID
+# order, starting with pool 1. The first checked pool with allowed
+# request is selected for the request. If no ACL matches or there
+# are no client_delay_access options, the request bandwidth is not
+# limited.
+#
+# The ACL-selected pool is then used to find the
+# client_delay_parameters for the request. Client-side pools are
+# not used to aggregate clients. Clients are always aggregated
+# based on their source IP addresses (one bucket per source IP).
+#
+# This clause only supports fast acl types.
+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+# Additionally, only the client TCP connection details are available.
+# ACLs testing HTTP properties will not work.
+#
+# Please see delay_access for more examples.
+#
+# Example:
+# client_delay_access 1 allow low_rate_network
+# client_delay_access 2 allow vips_network
+#
+#
+# See also client_delay_parameters and client_delay_pools.
+#Default:
+# Deny use of the pool, unless allow rules exist in squid.conf for the pool.
+
# WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS
# -----------------------------------------------------------------------------
@@ -4069,7 +5624,7 @@ refresh_pattern . 0 20% 4320
# only one of the two may be used at the same time and defines
# which version of WCCP to use.
#Default:
-# wccp_router any_addr
+# WCCP disabled.
# TAG: wccp2_router
# Use this option to define your WCCP ``home'' router for
@@ -4082,7 +5637,7 @@ refresh_pattern . 0 20% 4320
# only one of the two may be used at the same time and defines
# which version of WCCP to use.
#Default:
-# none
+# WCCPv2 disabled.
# TAG: wccp_version
# This directive is only relevant if you need to set up WCCP(v1)
@@ -4139,7 +5694,7 @@ refresh_pattern . 0 20% 4320
# Valid values are as follows:
#
# hash - Hash assignment
-# mask - Mask assignment
+# mask - Mask assignment
#
# As a general rule, cisco routers support the hash assignment method
# and cisco switches support the mask assignment method.
@@ -4167,7 +5722,7 @@ refresh_pattern . 0 20% 4320
# # fleshed out with subsequent options.
# wccp2_service standard 0 password=foo
#Default:
-# wccp2_service standard 0
+# Use the 'web-cache' standard service.
# TAG: wccp2_service_info
# Dynamic WCCPv2 services require further information to define the
@@ -4204,8 +5759,12 @@ refresh_pattern . 0 20% 4320
# wccp2_weight 10000
# TAG: wccp_address
+# Use this option if you require WCCPv2 to use a specific
+# interface address.
+#
+# The default behavior is to not bind to any specific address.
#Default:
-# wccp_address 0.0.0.0
+# Address selected by the operating system.
# TAG: wccp2_address
# Use this option if you require WCCP to use a specific
@@ -4213,7 +5772,7 @@ refresh_pattern . 0 20% 4320
#
# The default behavior is to not bind to any specific address.
#Default:
-# wccp2_address 0.0.0.0
+# Address selected by the operating system.
# PERSISTENT CONNECTION HANDLING
# -----------------------------------------------------------------------------
@@ -4221,14 +5780,16 @@ refresh_pattern . 0 20% 4320
# Also see "pconn_timeout" in the TIMEOUTS section
# TAG: client_persistent_connections
+# Persistent connection support for clients.
+# Squid uses persistent connections (when allowed). You can use
+# this option to disable persistent connections with clients.
#Default:
# client_persistent_connections on
# TAG: server_persistent_connections
-# Persistent connection support for clients and servers. By
-# default, Squid uses persistent connections (when allowed)
-# with its clients and servers. You can use these options to
-# disable persistent connections with clients and/or servers.
+# Persistent connection support for servers.
+# Squid uses persistent connections (when allowed). You can use
+# this option to disable persistent connections with servers.
#Default:
# server_persistent_connections on
@@ -4256,7 +5817,7 @@ refresh_pattern . 0 20% 4320
# TAG: digest_generation
# Note: This option is only available if Squid is rebuilt with the
-# --enable-cache-digests option
+# --enable-cache-digests
#
# This controls whether the server will generate a Cache Digest
# of its contents. By default, Cache Digest generation is
@@ -4266,7 +5827,7 @@ refresh_pattern . 0 20% 4320
# TAG: digest_bits_per_entry
# Note: This option is only available if Squid is rebuilt with the
-# --enable-cache-digests option
+# --enable-cache-digests
#
# This is the number of bits of the server's Cache Digest which
# will be associated with the Digest entry for a given HTTP
@@ -4276,7 +5837,7 @@ refresh_pattern . 0 20% 4320
# TAG: digest_rebuild_period (seconds)
# Note: This option is only available if Squid is rebuilt with the
-# --enable-cache-digests option
+# --enable-cache-digests
#
# This is the wait time between Cache Digest rebuilds.
#Default:
@@ -4284,7 +5845,7 @@ refresh_pattern . 0 20% 4320
# TAG: digest_rewrite_period (seconds)
# Note: This option is only available if Squid is rebuilt with the
-# --enable-cache-digests option
+# --enable-cache-digests
#
# This is the wait time between Cache Digest writes to
# disk.
@@ -4293,7 +5854,7 @@ refresh_pattern . 0 20% 4320
# TAG: digest_swapout_chunk_size (bytes)
# Note: This option is only available if Squid is rebuilt with the
-# --enable-cache-digests option
+# --enable-cache-digests
#
# This is the number of bytes of the Cache Digest to write to
# disk at a time. It defaults to 4096 bytes (4KB), the Squid
@@ -4303,7 +5864,7 @@ refresh_pattern . 0 20% 4320
# TAG: digest_rebuild_chunk_percentage (percent, 0-100)
# Note: This option is only available if Squid is rebuilt with the
-# --enable-cache-digests option
+# --enable-cache-digests
#
# This is the percentage of the Cache Digest to be scanned at a
# time. By default it is set to 10% of the Cache Digest.
@@ -4322,7 +5883,7 @@ refresh_pattern . 0 20% 4320
# Example:
# snmp_port 3401
#Default:
-# snmp_port 0
+# SNMP disabled.
# TAG: snmp_access
# Allowing or denying access to the SNMP port.
@@ -4334,26 +5895,29 @@ refresh_pattern . 0 20% 4320
#
# This clause only supports fast acl types.
# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+#
#Example:
# snmp_access allow snmppublic localhost
# snmp_access deny all
#Default:
-# snmp_access deny all
+# Deny, unless rules exist in squid.conf.
# TAG: snmp_incoming_address
-#Default:
-# snmp_incoming_address any_addr
-
-# TAG: snmp_outgoing_address
# Just like 'udp_incoming_address', but for the SNMP port.
#
# snmp_incoming_address is used for the SNMP socket receiving
# messages from SNMP agents.
-# snmp_outgoing_address is used for SNMP packets returned to SNMP
-# agents.
#
# The default snmp_incoming_address is to listen on all
# available network interfaces.
+#Default:
+# Accept SNMP packets from all machine interfaces.
+
+# TAG: snmp_outgoing_address
+# Just like 'udp_outgoing_address', but for the SNMP port.
+#
+# snmp_outgoing_address is used for SNMP packets returned to SNMP
+# agents.
#
# If snmp_outgoing_address is not set it will use the same socket
# as snmp_incoming_address. Only change this if you want to have
@@ -4361,9 +5925,9 @@ refresh_pattern . 0 20% 4320
# listens for SNMP queries.
#
# NOTE, snmp_incoming_address and snmp_outgoing_address can not have
-# the same value since they both use port 3401.
+# the same value since they both use the same port.
#Default:
-# snmp_outgoing_address no_addr
+# Use snmp_incoming_address or an address selected by the operating system.
# ICP OPTIONS
# -----------------------------------------------------------------------------
@@ -4371,22 +5935,21 @@ refresh_pattern . 0 20% 4320
# TAG: icp_port
# The port number where Squid sends and receives ICP queries to
# and from neighbor caches. The standard UDP port for ICP is 3130.
-# Default is disabled (0).
#
# Example:
# icp_port 3130
#Default:
-# icp_port 0
+# ICP disabled.
# TAG: htcp_port
# The port number where Squid sends and receives HTCP queries to
# and from neighbor caches. To turn it on you want to set it to
-# 4827. By default it is set to "0" (disabled).
+# 4827.
#
# Example:
# htcp_port 4827
#Default:
-# htcp_port 0
+# HTCP disabled.
# TAG: log_icp_queries on|off
# If set, ICP queries are logged to access.log. You may wish
@@ -4412,7 +5975,7 @@ refresh_pattern . 0 20% 4320
# NOTE, udp_incoming_address and udp_outgoing_address can not
# have the same value since they both use the same port.
#Default:
-# udp_incoming_address any_addr
+# Accept packets from all machine interfaces.
# TAG: udp_outgoing_address
# udp_outgoing_address is used for UDP packets sent out to other
@@ -4433,7 +5996,7 @@ refresh_pattern . 0 20% 4320
# NOTE, udp_incoming_address and udp_outgoing_address can not
# have the same value since they both use the same port.
#Default:
-# udp_outgoing_address no_addr
+# Use udp_incoming_address or an address selected by the operating system.
# TAG: icp_hit_stale on|off
# If you want to return ICP_HIT for stale cache objects, set this
@@ -4452,21 +6015,33 @@ refresh_pattern . 0 20% 4320
#Default:
# minimum_direct_hops 4
-# TAG: minimum_direct_rtt
+# TAG: minimum_direct_rtt (msec)
# If using the ICMP pinging stuff, do direct fetches for sites
# which are no more than this many rtt milliseconds away.
#Default:
# minimum_direct_rtt 400
# TAG: netdb_low
+# The low water mark for the ICMP measurement database.
+#
+# Note: high watermark controlled by netdb_high directive.
+#
+# These watermarks are counts, not percents. The defaults are
+# (low) 900 and (high) 1000. When the high water mark is
+# reached, database entries will be deleted until the low
+# mark is reached.
#Default:
# netdb_low 900
# TAG: netdb_high
-# The low and high water marks for the ICMP measurement
-# database. These are counts, not percents. The defaults are
-# 900 and 1000. When the high water mark is reached, database
-# entries will be deleted until the low mark is reached.
+# The high water mark for the ICMP measurement database.
+#
+# Note: low watermark controlled by netdb_low directive.
+#
+# These watermarks are counts, not percents. The defaults are
+# (low) 900 and (high) 1000. When the high water mark is
+# reached, database entries will be deleted until the low
+# mark is reached.
#Default:
# netdb_high 1000
@@ -4509,7 +6084,7 @@ refresh_pattern . 0 20% 4320
#
# icp_query_timeout 2000
#Default:
-# icp_query_timeout 0
+# Dynamic detection.
# TAG: maximum_icp_query_timeout (msec)
# Normally the ICP query timeout is determined dynamically. But
@@ -4575,7 +6150,7 @@ refresh_pattern . 0 20% 4320
# Do not enable this option unless you are are absolutely
# certain you understand what you are doing.
#Default:
-# mcast_miss_addr no_addr
+# disabled.
# TAG: mcast_miss_ttl
# Note: This option is only available if Squid is rebuilt with the
@@ -4665,7 +6240,7 @@ refresh_pattern . 0 20% 4320
# The squid developers working on translations are happy to supply drop-in
# translated error files in exchange for any new language contributions.
#Default:
-# none
+# Send error pages in the clients preferred language
# TAG: error_default_language
# Set the default language which squid will send error pages in
@@ -4679,7 +6254,7 @@ refresh_pattern . 0 20% 4320
# translations for any language see the squid wiki for details.
# http://wiki.squid-cache.org/Translations
#Default:
-# none
+# Generate English language pages.
# TAG: error_log_languages
# Log to cache.log what languages users are attempting to
@@ -4734,17 +6309,47 @@ refresh_pattern . 0 20% 4320
# the first authentication related acl encountered
# - When none of the http_access lines matches. It's then the last
# acl processed on the last http_access line.
+# - When the decision to deny access was made by an adaptation service,
+# the acl name is the corresponding eCAP or ICAP service_name.
#
# NP: If providing your own custom error pages with error_directory
# you may also specify them by your custom file name:
# Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys
#
-# Alternatively you can specify an error URL. The browsers will
-# get redirected (302 or 307) to the specified URL. %s in the redirection
-# URL will be replaced by the requested URL.
+# By defaut Squid will send "403 Forbidden". A different 4xx or 5xx
+# may be specified by prefixing the file name with the code and a colon.
+# e.g. 404:ERR_CUSTOM_ACCESS_DENIED
#
# Alternatively you can tell Squid to reset the TCP connection
# by specifying TCP_RESET.
+#
+# Or you can specify an error URL or URL pattern. The browsers will
+# get redirected to the specified URL after formatting tags have
+# been replaced. Redirect will be done with 302 or 307 according to
+# HTTP/1.1 specs. A different 3xx code may be specified by prefixing
+# the URL. e.g. 303:http://example.com/
+#
+# URL FORMAT TAGS:
+# %a - username (if available. Password NOT included)
+# %B - FTP path URL
+# %e - Error number
+# %E - Error description
+# %h - Squid hostname
+# %H - Request domain name
+# %i - Client IP Address
+# %M - Request Method
+# %o - Message result from external ACL helper
+# %p - Request Port number
+# %P - Request Protocol name
+# %R - Request URL path
+# %T - Timestamp in RFC 1123 format
+# %U - Full canonical URL from client
+# (HTTPS URLs terminate with *)
+# %u - Full canonical URL from client
+# %w - Admin email from squid.conf
+# %x - Error name
+# %% - Literal percent (%) code
+#
#Default:
# none
@@ -4756,15 +6361,16 @@ refresh_pattern . 0 20% 4320
# (matching hierarchy_stoplist or not cacheable request type) direct
# to origin servers.
#
-# If you set this to off, Squid will prefer to send these
+# When this is set to "off", Squid will prefer to send these
# requests to parents.
#
# Note that in most configurations, by turning this off you will only
# add latency to these request without any improvement in global hit
# ratio.
#
-# If you are inside an firewall see never_direct instead of
-# this directive.
+# This option only sets a preference. If the parent is unavailable a
+# direct connection to the origin server may still be attempted. To
+# completely prevent direct connections use never_direct.
#Default:
# nonhierarchical_direct on
@@ -4783,6 +6389,29 @@ refresh_pattern . 0 20% 4320
#Default:
# prefer_direct off
+# TAG: cache_miss_revalidate on|off
+# RFC 7232 defines a conditional request mechanism to prevent
+# response objects being unnecessarily transferred over the network.
+# If that mechanism is used by the client and a cache MISS occurs
+# it can prevent new cache entries being created.
+#
+# This option determines whether Squid on cache MISS will pass the
+# client revalidation request to the server or tries to fetch new
+# content for caching. It can be useful while the cache is mostly
+# empty to more quickly have the cache populated by generating
+# non-conditional GETs.
+#
+# When set to 'on' (default), Squid will pass all client If-* headers
+# to the server. This permits server responses without a cacheable
+# payload to be delivered and on MISS no new cache entry is created.
+#
+# When set to 'off' and if the request is cacheable, Squid will
+# remove the clients If-Modified-Since and If-None-Match headers from
+# the request sent to the server. This requests a 200 status response
+# from the server to create a new cache entry with.
+#Default:
+# cache_miss_revalidate on
+
# TAG: always_direct
# Usage: always_direct allow|deny [!]aclname ...
#
@@ -4823,7 +6452,7 @@ refresh_pattern . 0 20% 4320
# This clause supports both fast and slow acl types.
# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#Default:
-# none
+# Prevent any cache_peer being used for this request.
# TAG: never_direct
# Usage: never_direct allow|deny [!]aclname ...
@@ -4852,37 +6481,52 @@ refresh_pattern . 0 20% 4320
# This clause supports both fast and slow acl types.
# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#Default:
-# none
+# Allow DNS results to be used for this request.
# ADVANCED NETWORKING OPTIONS
# -----------------------------------------------------------------------------
-# TAG: incoming_icp_average
+# TAG: incoming_udp_average
+# Heavy voodoo here. I can't even believe you are reading this.
+# Are you crazy? Don't even think about adjusting these unless
+# you understand the algorithms in comm_select.c first!
#Default:
-# incoming_icp_average 6
+# incoming_udp_average 6
-# TAG: incoming_http_average
+# TAG: incoming_tcp_average
+# Heavy voodoo here. I can't even believe you are reading this.
+# Are you crazy? Don't even think about adjusting these unless
+# you understand the algorithms in comm_select.c first!
#Default:
-# incoming_http_average 4
+# incoming_tcp_average 4
# TAG: incoming_dns_average
+# Heavy voodoo here. I can't even believe you are reading this.
+# Are you crazy? Don't even think about adjusting these unless
+# you understand the algorithms in comm_select.c first!
#Default:
# incoming_dns_average 4
-# TAG: min_icp_poll_cnt
+# TAG: min_udp_poll_cnt
+# Heavy voodoo here. I can't even believe you are reading this.
+# Are you crazy? Don't even think about adjusting these unless
+# you understand the algorithms in comm_select.c first!
#Default:
-# min_icp_poll_cnt 8
+# min_udp_poll_cnt 8
# TAG: min_dns_poll_cnt
+# Heavy voodoo here. I can't even believe you are reading this.
+# Are you crazy? Don't even think about adjusting these unless
+# you understand the algorithms in comm_select.c first!
#Default:
# min_dns_poll_cnt 8
-# TAG: min_http_poll_cnt
+# TAG: min_tcp_poll_cnt
# Heavy voodoo here. I can't even believe you are reading this.
# Are you crazy? Don't even think about adjusting these unless
# you understand the algorithms in comm_select.c first!
#Default:
-# min_http_poll_cnt 8
+# min_tcp_poll_cnt 8
# TAG: accept_filter
# FreeBSD:
@@ -4927,21 +6571,21 @@ refresh_pattern . 0 20% 4320
# WARNING: This may noticably slow down traffic received via external proxies
# or NAT devices and cause them to rebound error messages back to their clients.
#Default:
-# client_ip_max_connections -1
+# No limit.
# TAG: tcp_recv_bufsize (bytes)
# Size of receive buffer to set for TCP sockets. Probably just
-# as easy to change your kernel's default. Set to zero to use
-# the default buffer size.
+# as easy to change your kernel's default.
+# Omit from squid.conf to use the default buffer size.
#Default:
-# tcp_recv_bufsize 0 bytes
+# Use operating system TCP defaults.
# ICAP OPTIONS
# -----------------------------------------------------------------------------
# TAG: icap_enable on|off
# Note: This option is only available if Squid is rebuilt with the
-# --enable-icap-client option
+# --enable-icap-client
#
# If you want to enable the ICAP module support, set this to on.
#Default:
@@ -4949,7 +6593,7 @@ refresh_pattern . 0 20% 4320
# TAG: icap_connect_timeout
# Note: This option is only available if Squid is rebuilt with the
-# --enable-icap-client option
+# --enable-icap-client
#
# This parameter specifies how long to wait for the TCP connect to
# the requested ICAP server to complete before giving up and either
@@ -4963,37 +6607,51 @@ refresh_pattern . 0 20% 4320
# TAG: icap_io_timeout time-units
# Note: This option is only available if Squid is rebuilt with the
-# --enable-icap-client option
+# --enable-icap-client
#
# This parameter specifies how long to wait for an I/O activity on
# an established, active ICAP connection before giving up and
# either terminating the HTTP transaction or bypassing the
# failure.
-#
-# The default is read_timeout.
#Default:
-# none
+# Use read_timeout.
-# TAG: icap_service_failure_limit
+# TAG: icap_service_failure_limit limit [in memory-depth time-units]
# Note: This option is only available if Squid is rebuilt with the
-# --enable-icap-client option
+# --enable-icap-client
#
# The limit specifies the number of failures that Squid tolerates
# when establishing a new TCP connection with an ICAP service. If
# the number of failures exceeds the limit, the ICAP service is
# not used for new ICAP requests until it is time to refresh its
-# OPTIONS. The per-service failure counter is reset to zero each
-# time Squid fetches new service OPTIONS.
+# OPTIONS.
#
# A negative value disables the limit. Without the limit, an ICAP
# service will not be considered down due to connectivity failures
# between ICAP OPTIONS requests.
+#
+# Squid forgets ICAP service failures older than the specified
+# value of memory-depth. The memory fading algorithm
+# is approximate because Squid does not remember individual
+# errors but groups them instead, splitting the option
+# value into ten time slots of equal length.
+#
+# When memory-depth is 0 and by default this option has no
+# effect on service failure expiration.
+#
+# Squid always forgets failures when updating service settings
+# using an ICAP OPTIONS transaction, regardless of this option
+# setting.
+#
+# For example,
+# # suspend service usage after 10 failures in 5 seconds:
+# icap_service_failure_limit 10 in 5 seconds
#Default:
# icap_service_failure_limit 10
# TAG: icap_service_revival_delay
# Note: This option is only available if Squid is rebuilt with the
-# --enable-icap-client option
+# --enable-icap-client
#
# The delay specifies the number of seconds to wait after an ICAP
# OPTIONS request failure before requesting the options again. The
@@ -5007,7 +6665,7 @@ refresh_pattern . 0 20% 4320
# TAG: icap_preview_enable on|off
# Note: This option is only available if Squid is rebuilt with the
-# --enable-icap-client option
+# --enable-icap-client
#
# The ICAP Preview feature allows the ICAP server to handle the
# HTTP message by looking only at the beginning of the message body
@@ -5027,17 +6685,36 @@ refresh_pattern . 0 20% 4320
# TAG: icap_preview_size
# Note: This option is only available if Squid is rebuilt with the
-# --enable-icap-client option
+# --enable-icap-client
#
# The default size of preview data to be sent to the ICAP server.
-# -1 means no preview. This value might be overwritten on a per server
-# basis by OPTIONS requests.
+# This value might be overwritten on a per server basis by OPTIONS requests.
+#Default:
+# No preview sent.
+
+# TAG: icap_206_enable on|off
+# Note: This option is only available if Squid is rebuilt with the
+# --enable-icap-client
+#
+# 206 (Partial Content) responses is an ICAP extension that allows the
+# ICAP agents to optionally combine adapted and original HTTP message
+# content. The decision to combine is postponed until the end of the
+# ICAP response. Squid supports Partial Content extension by default.
+#
+# Activation of the Partial Content extension is negotiated with each
+# ICAP service during OPTIONS exchange. Most ICAP servers should handle
+# negotation correctly even if they do not support the extension, but
+# some might fail. To disable Partial Content support for all ICAP
+# services and to avoid any negotiation, set this option to "off".
+#
+# Example:
+# icap_206_enable off
#Default:
-# icap_preview_size -1
+# icap_206_enable on
# TAG: icap_default_options_ttl
# Note: This option is only available if Squid is rebuilt with the
-# --enable-icap-client option
+# --enable-icap-client
#
# The default TTL value for ICAP OPTIONS responses that don't have
# an Options-TTL header.
@@ -5046,16 +6723,16 @@ refresh_pattern . 0 20% 4320
# TAG: icap_persistent_connections on|off
# Note: This option is only available if Squid is rebuilt with the
-# --enable-icap-client option
+# --enable-icap-client
#
# Whether or not Squid should use persistent connections to
# an ICAP server.
#Default:
# icap_persistent_connections on
-# TAG: icap_send_client_ip on|off
+# TAG: adaptation_send_client_ip on|off
# Note: This option is only available if Squid is rebuilt with the
-# --enable-icap-client option
+# --enable-ecap or --enable-icap-client
#
# If enabled, Squid shares HTTP client IP information with adaptation
# services. For ICAP, Squid adds the X-Client-IP header to ICAP requests.
@@ -5063,30 +6740,32 @@ refresh_pattern . 0 20% 4320
#
# See also: adaptation_uses_indirect_client
#Default:
-# icap_send_client_ip off
+# adaptation_send_client_ip off
-# TAG: icap_send_client_username on|off
+# TAG: adaptation_send_username on|off
# Note: This option is only available if Squid is rebuilt with the
-# --enable-icap-client option
+# --enable-ecap or --enable-icap-client
#
# This sends authenticated HTTP client username (if available) to
-# the ICAP service. The username value is encoded based on the
+# the adaptation service.
+#
+# For ICAP, the username value is encoded based on the
# icap_client_username_encode option and is sent using the header
# specified by the icap_client_username_header option.
#Default:
-# icap_send_client_username off
+# adaptation_send_username off
# TAG: icap_client_username_header
# Note: This option is only available if Squid is rebuilt with the
-# --enable-icap-client option
+# --enable-icap-client
#
-# ICAP request header name to use for send_client_username.
+# ICAP request header name to use for adaptation_send_username.
#Default:
# icap_client_username_header X-Client-Username
# TAG: icap_client_username_encode on|off
# Note: This option is only available if Squid is rebuilt with the
-# --enable-icap-client option
+# --enable-icap-client
#
# Whether to base64 encode the authenticated client username.
#Default:
@@ -5094,21 +6773,23 @@ refresh_pattern . 0 20% 4320
# TAG: icap_service
# Note: This option is only available if Squid is rebuilt with the
-# --enable-icap-client option
+# --enable-icap-client
#
# Defines a single ICAP service using the following format:
#
-# icap_service service_name vectoring_point [options] service_url
+# icap_service id vectoring_point uri [option ...]
#
-# service_name: ID
-# an opaque identifier which must be unique in squid.conf
+# id: ID
+# an opaque identifier or name which is used to direct traffic to
+# this specific service. Must be unique among all adaptation
+# services in squid.conf.
#
# vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
# This specifies at which point of transaction processing the
# ICAP service should be activated. *_postcache vectoring points
# are not yet supported.
#
-# service_url: icap://servername:port/servicepath
+# uri: icap://servername:port/servicepath
# ICAP server and service location.
#
# ICAP does not allow a single service to handle both REQMOD and RESPMOD
@@ -5117,6 +6798,8 @@ refresh_pattern . 0 20% 4320
# can even specify multiple identical services as long as their
# service_names differ.
#
+# To activate a service, use the adaptation_access directive. To group
+# services, use adaptation_service_chain and adaptation_service_set.
#
# Service options are separated by white space. ICAP services support
# the following name=value options:
@@ -5138,11 +6821,12 @@ refresh_pattern . 0 20% 4320
# returning a chain of services to be used next. The services
# are specified using the X-Next-Services ICAP response header
# value, formatted as a comma-separated list of service names.
-# Each named service should be configured in squid.conf and
-# should have the same method and vectoring point as the current
-# ICAP transaction. Services violating these rules are ignored.
-# An empty X-Next-Services value results in an empty plan which
-# ends the current adaptation.
+# Each named service should be configured in squid.conf. Other
+# services are ignored. An empty X-Next-Services value results
+# in an empty plan which ends the current adaptation.
+#
+# Dynamic adaptation plan may cross or cover multiple supported
+# vectoring points in their natural processing order.
#
# Routing is not allowed by default: the ICAP X-Next-Services
# response header is ignored.
@@ -5152,18 +6836,38 @@ refresh_pattern . 0 20% 4320
# is to use IPv4-only connections. When set to 'on' this option will
# make Squid use IPv6-only connections to contact this ICAP service.
#
+# on-overload=block|bypass|wait|force
+# If the service Max-Connections limit has been reached, do
+# one of the following for each new ICAP transaction:
+# * block: send an HTTP error response to the client
+# * bypass: ignore the "over-connected" ICAP service
+# * wait: wait (in a FIFO queue) for an ICAP connection slot
+# * force: proceed, ignoring the Max-Connections limit
+#
+# In SMP mode with N workers, each worker assumes the service
+# connection limit is Max-Connections/N, even though not all
+# workers may use a given service.
+#
+# The default value is "bypass" if service is bypassable,
+# otherwise it is set to "wait".
+#
+#
+# max-conn=number
+# Use the given number as the Max-Connections limit, regardless
+# of the Max-Connections value given by the service, if any.
+#
# Older icap_service format without optional named parameters is
# deprecated but supported for backward compatibility.
#
#Example:
-#icap_service svcBlocker reqmod_precache bypass=0 icap://icap1.mydomain.net:1344/reqmod
-#icap_service svcLogger reqmod_precache routing=on icap://icap2.mydomain.net:1344/respmod
+#icap_service svcBlocker reqmod_precache icap://icap1.mydomain.net:1344/reqmod bypass=0
+#icap_service svcLogger reqmod_precache icap://icap2.mydomain.net:1344/respmod routing=on
#Default:
# none
# TAG: icap_class
# Note: This option is only available if Squid is rebuilt with the
-# --enable-icap-client option
+# --enable-icap-client
#
# This deprecated option was documented to define an ICAP service
# chain, even though it actually defined a set of similar, redundant
@@ -5177,7 +6881,7 @@ refresh_pattern . 0 20% 4320
# TAG: icap_access
# Note: This option is only available if Squid is rebuilt with the
-# --enable-icap-client option
+# --enable-icap-client
#
# This option is deprecated. Please use adaptation_access, which
# has the same ICAP functionality, but comes with better
@@ -5190,7 +6894,7 @@ refresh_pattern . 0 20% 4320
# TAG: ecap_enable on|off
# Note: This option is only available if Squid is rebuilt with the
-# --enable-ecap option
+# --enable-ecap
#
# Controls whether eCAP support is enabled.
#Default:
@@ -5198,29 +6902,62 @@ refresh_pattern . 0 20% 4320
# TAG: ecap_service
# Note: This option is only available if Squid is rebuilt with the
-# --enable-ecap option
+# --enable-ecap
#
# Defines a single eCAP service
#
-# ecap_service servicename vectoring_point bypass service_url
+# ecap_service id vectoring_point uri [option ...]
+#
+# id: ID
+# an opaque identifier or name which is used to direct traffic to
+# this specific service. Must be unique among all adaptation
+# services in squid.conf.
#
-# vectoring_point = reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
+# vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
# This specifies at which point of transaction processing the
# eCAP service should be activated. *_postcache vectoring points
# are not yet supported.
-# bypass = 1|0
-# If set to 1, the eCAP service is treated as optional. If the
-# service cannot be reached or malfunctions, Squid will try to
-# ignore any errors and process the message as if the service
+#
+# uri: ecap://vendor/service_name?custom&cgi=style&parameters=optional
+# Squid uses the eCAP service URI to match this configuration
+# line with one of the dynamically loaded services. Each loaded
+# eCAP service must have a unique URI. Obtain the right URI from
+# the service provider.
+#
+# To activate a service, use the adaptation_access directive. To group
+# services, use adaptation_service_chain and adaptation_service_set.
+#
+# Service options are separated by white space. eCAP services support
+# the following name=value options:
+#
+# bypass=on|off|1|0
+# If set to 'on' or '1', the eCAP service is treated as optional.
+# If the service cannot be reached or malfunctions, Squid will try
+# to ignore any errors and process the message as if the service
# was not enabled. No all eCAP errors can be bypassed.
-# If set to 0, the eCAP service is treated as essential and all
-# eCAP errors will result in an error page returned to the
+# If set to 'off' or '0', the eCAP service is treated as essential
+# and all eCAP errors will result in an error page returned to the
# HTTP client.
-# service_url = ecap://vendor/service_name?custom&cgi=style&parameters=optional
+#
+# Bypass is off by default: services are treated as essential.
+#
+# routing=on|off|1|0
+# If set to 'on' or '1', the eCAP service is allowed to
+# dynamically change the current message adaptation plan by
+# returning a chain of services to be used next.
+#
+# Dynamic adaptation plan may cross or cover multiple supported
+# vectoring points in their natural processing order.
+#
+# Routing is not allowed by default.
+#
+# Older ecap_service format without optional named parameters is
+# deprecated but supported for backward compatibility.
+#
#
#Example:
-#ecap_service service_1 reqmod_precache 0 ecap://filters-R-us/leakDetector?on_error=block
-#ecap_service service_2 respmod_precache 1 icap://filters-R-us/virusFilter?config=/etc/vf.cfg
+#ecap_service s1 reqmod_precache ecap://filters.R.us/leakDetector?on_error=block bypass=off
+#ecap_service s2 respmod_precache ecap://filters.R.us/virusFilter config=/etc/vf.cfg bypass=on
#Default:
# none
@@ -5237,7 +6974,7 @@ refresh_pattern . 0 20% 4320
# TAG: adaptation_service_set
# Note: This option is only available if Squid is rebuilt with the
-# --enable-ecap or --enable-icap-client option
+# --enable-ecap or --enable-icap-client
#
#
# Configures an ordered set of similar, redundant services. This is
@@ -5279,7 +7016,7 @@ refresh_pattern . 0 20% 4320
# TAG: adaptation_service_chain
# Note: This option is only available if Squid is rebuilt with the
-# --enable-ecap or --enable-icap-client option
+# --enable-ecap or --enable-icap-client
#
#
# Configures a list of complementary services that will be applied
@@ -5317,7 +7054,7 @@ refresh_pattern . 0 20% 4320
# TAG: adaptation_access
# Note: This option is only available if Squid is rebuilt with the
-# --enable-ecap or --enable-icap-client option
+# --enable-ecap or --enable-icap-client
#
# Sends an HTTP transaction to an ICAP or eCAP adaptation service.
#
@@ -5351,11 +7088,11 @@ refresh_pattern . 0 20% 4320
#Example:
#adaptation_access service_1 allow all
#Default:
-# none
+# Allow, unless rules exist in squid.conf.
# TAG: adaptation_service_iteration_limit
# Note: This option is only available if Squid is rebuilt with the
-# --enable-ecap or --enable-icap-client option
+# --enable-ecap or --enable-icap-client
#
# Limits the number of iterations allowed when applying adaptation
# services to a message. If your longest adaptation set or chain
@@ -5372,7 +7109,7 @@ refresh_pattern . 0 20% 4320
# TAG: adaptation_masterx_shared_names
# Note: This option is only available if Squid is rebuilt with the
-# --enable-ecap or --enable-icap-client option
+# --enable-ecap or --enable-icap-client
#
# For each master transaction (i.e., the HTTP request and response
# sequence, including all related ICAP and eCAP exchanges), Squid
@@ -5385,8 +7122,14 @@ refresh_pattern . 0 20% 4320
#
# An ICAP REQMOD or RESPMOD transaction may set an entry in the
# shared table by returning an ICAP header field with a name
-# specified in adaptation_masterx_shared_names. Squid will store
-# and forward that ICAP header field to subsequent ICAP
+# specified in adaptation_masterx_shared_names.
+#
+# An eCAP REQMOD or RESPMOD transaction may set an entry in the
+# shared table by implementing the libecap::visitEachOption() API
+# to provide an option with a name specified in
+# adaptation_masterx_shared_names.
+#
+# Squid will store and forward the set entry to subsequent adaptation
# transactions within the same master transaction scope.
#
# Only one shared entry name is supported at this time.
@@ -5397,9 +7140,49 @@ refresh_pattern . 0 20% 4320
#Default:
# none
+# TAG: adaptation_meta
+# Note: This option is only available if Squid is rebuilt with the
+# --enable-ecap or --enable-icap-client
+#
+# This option allows Squid administrator to add custom ICAP request
+# headers or eCAP options to Squid ICAP requests or eCAP transactions.
+# Use it to pass custom authentication tokens and other
+# transaction-state related meta information to an ICAP/eCAP service.
+#
+# The addition of a meta header is ACL-driven:
+# adaptation_meta name value [!]aclname ...
+#
+# Processing for a given header name stops after the first ACL list match.
+# Thus, it is impossible to add two headers with the same name. If no ACL
+# lists match for a given header name, no such header is added. For
+# example:
+#
+# # do not debug transactions except for those that need debugging
+# adaptation_meta X-Debug 1 needs_debugging
+#
+# # log all transactions except for those that must remain secret
+# adaptation_meta X-Log 1 !keep_secret
+#
+# # mark transactions from users in the "G 1" group
+# adaptation_meta X-Authenticated-Groups "G 1" authed_as_G1
+#
+# The "value" parameter may be a regular squid.conf token or a "double
+# quoted string". Within the quoted string, use backslash (\) to escape
+# any character, which is currently only useful for escaping backslashes
+# and double quotes. For example,
+# "this string has one backslash (\\) and two \"quotes\""
+#
+# Used adaptation_meta header values may be logged via %note
+# logformat code. If multiple adaptation_meta headers with the same name
+# are used during master transaction lifetime, the header values are
+# logged in the order they were used and duplicate values are ignored
+# (only the first repeated value will be logged).
+#Default:
+# none
+
# TAG: icap_retry
# Note: This option is only available if Squid is rebuilt with the
-# --enable-icap-client option
+# --enable-icap-client
#
# This ACL determines which retriable ICAP transactions are
# retried. Transactions that received a complete ICAP response
@@ -5417,10 +7200,9 @@ refresh_pattern . 0 20% 4320
# TAG: icap_retry_limit
# Note: This option is only available if Squid is rebuilt with the
-# --enable-icap-client option
+# --enable-icap-client
#
-# Limits the number of retries allowed. When set to zero (default),
-# no retries are allowed.
+# Limits the number of retries allowed.
#
# Communication errors due to persistent connection race
# conditions are unavoidable, automatically retried, and do not
@@ -5428,7 +7210,7 @@ refresh_pattern . 0 20% 4320
#
# See also: icap_retry
#Default:
-# icap_retry_limit 0
+# No retries are allowed.
# DNS OPTIONS
# -----------------------------------------------------------------------------
@@ -5450,7 +7232,7 @@ refresh_pattern . 0 20% 4320
# TAG: cache_dns_program
# Note: This option is only available if Squid is rebuilt with the
-# --disable-internal-dns option
+# --disable-internal-dns
#
# Specify the location of the executable for dnslookup process.
#Default:
@@ -5458,21 +7240,38 @@ refresh_pattern . 0 20% 4320
# TAG: dns_children
# Note: This option is only available if Squid is rebuilt with the
-# --disable-internal-dns option
-#
-# The number of processes spawn to service DNS name lookups.
-# For heavily loaded caches on large servers, you should
-# probably increase this value to at least 10. The maximum
-# is 32. The default is 5.
+# --disable-internal-dns
#
-# You must have at least one dnsserver process.
+# The maximum number of processes spawn to service DNS name lookups.
+# If you limit it too few Squid will have to wait for them to process
+# a backlog of requests, slowing it down. If you allow too many they
+# will use RAM and other system resources noticably.
+# The maximum this may be safely set to is 32.
+#
+# The startup= and idle= options allow some measure of skew in your
+# tuning.
+#
+# startup=
+#
+# Sets a minimum of how many processes are to be spawned when Squid
+# starts or reconfigures. When set to zero the first request will
+# cause spawning of the first child process to handle it.
+#
+# Starting too few will cause an initial slowdown in traffic as Squid
+# attempts to simultaneously spawn enough processes to cope.
+#
+# idle=
+#
+# Sets a minimum of how many processes Squid is to try and keep available
+# at all times. When traffic begins to rise above what the existing
+# processes can handle this many more will be spawned up to the maximum
+# configured. A minimum setting of 1 is required.
#Default:
-# dns_children 5
+# dns_children 32 startup=1 idle=1
# TAG: dns_retransmit_interval
# Initial retransmit interval for DNS queries. The interval is
# doubled each time all configured DNS servers have been tried.
-#
#Default:
# dns_retransmit_interval 5 seconds
@@ -5481,7 +7280,31 @@ refresh_pattern . 0 20% 4320
# within this time all DNS servers for the queried domain
# are assumed to be unavailable.
#Default:
-# dns_timeout 2 minutes
+# dns_timeout 30 seconds
+
+# TAG: dns_packet_max
+# Maximum number of bytes packet size to advertise via EDNS.
+# Set to "none" to disable EDNS large packet support.
+#
+# For legacy reasons DNS UDP replies will default to 512 bytes which
+# is too small for many responses. EDNS provides a means for Squid to
+# negotiate receiving larger responses back immediately without having
+# to failover with repeat requests. Responses larger than this limit
+# will retain the old behaviour of failover to TCP DNS.
+#
+# Squid has no real fixed limit internally, but allowing packet sizes
+# over 1500 bytes requires network jumbogram support and is usually not
+# necessary.
+#
+# WARNING: The RFC also indicates that some older resolvers will reply
+# with failure of the whole request if the extension is added. Some
+# resolvers have already been identified which will reply with mangled
+# EDNS response on occasion. Usually in response to many-KB jumbogram
+# sizes being advertised by Squid.
+# Squid will currently treat these both as an unable-to-resolve domain
+# even if it would be resolvable without EDNS.
+#Default:
+# EDNS disabled
# TAG: dns_defnames on|off
# Normally the RES_DEFNAMES resolver option is disabled
@@ -5489,12 +7312,21 @@ refresh_pattern . 0 20% 4320
# from interpreting single-component hostnames locally. To allow
# Squid to handle single-component names, enable this option.
#Default:
-# dns_defnames off
+# Search for single-label domain names is disabled.
+
+# TAG: dns_multicast_local on|off
+# When set to on, Squid sends multicast DNS lookups on the local
+# network for domains ending in .local and .arpa.
+# This enables local servers and devices to be contacted in an
+# ad-hoc or zero-configuration network environment.
+#Default:
+# Search for .local and .arpa names is disabled.
# TAG: dns_nameservers
# Use this if you want to specify a list of DNS name servers
# (IP addresses) to use instead of those given in your
# /etc/resolv.conf file.
+#
# On Windows platforms, if no value is specified here or in
# the /etc/resolv.conf file, the list of DNS name servers are
# taken from the Windows registry, both static and dynamic DHCP
@@ -5502,7 +7334,7 @@ refresh_pattern . 0 20% 4320
#
# Example: dns_nameservers 10.0.0.1 192.172.0.4
#Default:
-# none
+# Use operating system definitions
# TAG: hosts_file
# Location of the host-local IP name-address associations
@@ -5541,7 +7373,7 @@ refresh_pattern . 0 20% 4320
#Example:
# append_domain .yourdomain.com
#Default:
-# none
+# Use operating system definitions
# TAG: ignore_unknown_nameservers
# By default Squid checks that DNS responses are received
@@ -5552,23 +7384,6 @@ refresh_pattern . 0 20% 4320
#Default:
# ignore_unknown_nameservers on
-# TAG: dns_v4_fallback
-# Standard practice with DNS is to lookup either A or AAAA records
-# and use the results if it succeeds. Only looking up the other if
-# the first attempt fails or otherwise produces no results.
-#
-# That policy however will cause squid to produce error pages for some
-# servers that advertise AAAA but are unreachable over IPv6.
-#
-# If this is ON squid will always lookup both AAAA and A, using both.
-# If this is OFF squid will lookup AAAA and only try A if none found.
-#
-# WARNING: There are some possibly unwanted side-effects with this on:
-# *) Doubles the load placed by squid on the DNS network.
-# *) May negatively impact connection delay times.
-#Default:
-# dns_v4_fallback on
-
# TAG: dns_v4_first
# With the IPv6 Internet being as fast or faster than IPv4 Internet
# for most networks Squid prefers to contact websites over IPv6.
@@ -5585,6 +7400,7 @@ refresh_pattern . 0 20% 4320
# dns_v4_first off
# TAG: ipcache_size (number of entries)
+# Maximum number of DNS IP cache entries.
#Default:
# ipcache_size 1024
@@ -5605,6 +7421,31 @@ refresh_pattern . 0 20% 4320
# MISCELLANEOUS
# -----------------------------------------------------------------------------
+# TAG: configuration_includes_quoted_values on|off
+# Previous Squid versions have defined "quoted/string" as syntax for
+# ACL to signifiy the value is an included file containing values and
+# has treated the " characters in other places of the configuration file
+# as part of the parameter value it was used for.
+#
+# For compatibility with existing installations that behaviour
+# remains the default.
+#
+# If this directive is set to 'on', Squid will start parsing each
+# "quoted string" as a single configuration directive parameter. The
+# quotes are stripped before the parameter value is interpreted or use.
+#
+# That will continue for all lines until this directive is set to 'off',
+# where Squid will return to the default configuration parsing.
+#
+# For example;
+#
+# configuration_includes_quoted_values on
+# acl group external groupCheck Administrators "Internet Users" Guest
+# configuration_includes_quoted_values off
+#
+#Default:
+# configuration_includes_quoted_values off
+
# TAG: memory_pools on|off
# If set, Squid will keep pools of allocated (but unused) memory
# available for future use. If memory is a premium on your
@@ -5655,7 +7496,7 @@ refresh_pattern . 0 20% 4320
# X-Forwarded-For header.
#
# If set to "truncate", Squid will remove all existing
-# X-Forwarded-For entries, and place itself as the sole entry.
+# X-Forwarded-For entries, and place the client IP as the sole entry.
#Default:
# forwarded_for on
@@ -5718,7 +7559,7 @@ refresh_pattern . 0 20% 4320
# cachemgr_passwd lesssssssecret info stats/objects
# cachemgr_passwd disable all
#Default:
-# none
+# No password. Actions which require password are denied.
# TAG: client_db on|off
# If you want to disable collecting per-client statistics,
@@ -5749,19 +7590,22 @@ refresh_pattern . 0 20% 4320
#Default:
# reload_into_ims off
-# TAG: maximum_single_addr_tries
-# This sets the maximum number of connection attempts for a
-# host that only has one address (for multiple-address hosts,
-# each address is tried once).
+# TAG: connect_retries
+# This sets the maximum number of connection attempts made for each
+# TCP connection. The connect_retries attempts must all still
+# complete within the connection timeout period.
+#
+# The default is not to re-try if the first connection attempt fails.
+# The (not recommended) maximum is 10 tries.
#
-# The default value is one attempt, the (not recommended)
-# maximum is 255 tries. A warning message will be generated
-# if it is set to a value greater than ten.
+# A warning message will be generated if it is set to a too-high
+# value and the configured value will be over-ridden.
#
-# Note: This is in addition to the request re-forwarding which
-# takes place if Squid fails to get a satisfying response.
+# Note: These re-tries are in addition to forward_max_tries
+# which limit how many different addresses may be tried to find
+# a useful server.
#Default:
-# maximum_single_addr_tries 1
+# Do not retry failed connections.
# TAG: retry_on_error
# If set to ON Squid will automatically retry requests when
@@ -5794,20 +7638,32 @@ refresh_pattern . 0 20% 4320
# URI. Options:
#
# strip: The whitespace characters are stripped out of the URL.
-# This is the behavior recommended by RFC2396.
+# This is the behavior recommended by RFC2396 and RFC3986
+# for tolerant handling of generic URI.
+# NOTE: This is one difference between generic URI and HTTP URLs.
+#
# deny: The request is denied. The user receives an "Invalid
# Request" message.
+# This is the behaviour recommended by RFC2616 for safe
+# handling of HTTP request URL.
+#
# allow: The request is allowed and the URI is not changed. The
# whitespace characters remain in the URI. Note the
# whitespace is passed to redirector processes if they
# are in use.
+# Note this may be considered a violation of RFC2616
+# request parsing where whitespace is prohibited in the
+# URL field.
+#
# encode: The request is allowed and the whitespace characters are
-# encoded according to RFC1738. This could be considered
-# a violation of the HTTP/1.1
-# RFC because proxies are not allowed to rewrite URI's.
+# encoded according to RFC1738.
+#
# chop: The request is allowed and the URI is chopped at the
-# first whitespace. This might also be considered a
-# violation.
+# first whitespace.
+#
+#
+# NOTE the current Squid implementation of encode and chop violates
+# RFC2616 by not using a 301 redirect after altering the URL.
#Default:
# uri_whitespace strip
@@ -5834,23 +7690,28 @@ refresh_pattern . 0 20% 4320
# balance_on_multiple_ip off
# TAG: pipeline_prefetch
-# To boost the performance of pipelined requests to closer
-# match that of a non-proxied environment Squid can try to fetch
-# up to two requests in parallel from a pipeline.
-#
-# Defaults to off for bandwidth management and access logging
+# HTTP clients may send a pipeline of 1+N requests to Squid using a
+# single connection, without waiting for Squid to respond to the first
+# of those requests. This option limits the number of concurrent
+# requests Squid will try to handle in parallel. If set to N, Squid
+# will try to receive and process up to 1+N requests on the same
+# connection concurrently.
+#
+# Defaults to 0 (off) for bandwidth management and access logging
# reasons.
#
+# NOTE: pipelining requires persistent connections to clients.
+#
# WARNING: pipelining breaks NTLM and Negotiate/Kerberos authentication.
#Default:
-# pipeline_prefetch off
+# Do not pre-parse pipelined requests.
# TAG: high_response_time_warning (msec)
# If the one-minute median response time exceeds this value,
# Squid prints a WARNING with debug level 0 to get the
# administrators attention. The value is in milliseconds.
#Default:
-# high_response_time_warning 0
+# disabled.
# TAG: high_page_fault_warning
# If the one-minute average page fault rate exceeds this
@@ -5858,14 +7719,17 @@ refresh_pattern . 0 20% 4320
# the administrators attention. The value is in page faults
# per second.
#Default:
-# high_page_fault_warning 0
+# disabled.
# TAG: high_memory_warning
+# Note: This option is only available if Squid is rebuilt with the
+# GNU Malloc with mstats()
+#
# If the memory usage (as determined by mallinfo) exceeds
# this amount, Squid prints a WARNING with debug level 0 to get
# the administrators attention.
#Default:
-# high_memory_warning 0 KB
+# disabled.
# TAG: sleep_after_fork (microseconds)
# When this is set to a non-zero value, the main Squid process
@@ -5882,6 +7746,9 @@ refresh_pattern . 0 20% 4320
# sleep_after_fork 0
# TAG: windows_ipaddrchangemonitor on|off
+# Note: This option is only available if Squid is rebuilt with the
+# MS Windows
+#
# On Windows Squid by default will monitor IP address changes and will
# reconfigure itself after any detected event. This is very useful for
# proxies connected to internet with dial-up interfaces.
@@ -5891,13 +7758,49 @@ refresh_pattern . 0 20% 4320
#Default:
# windows_ipaddrchangemonitor on
+# TAG: eui_lookup
+# Whether to lookup the EUI or MAC address of a connected client.
+#Default:
+# eui_lookup on
+
# TAG: max_filedescriptors
-# The maximum number of filedescriptors supported.
+# Reduce the maximum number of filedescriptors supported below
+# the usual operating system defaults.
#
-# The default "0" means Squid inherits the current ulimit setting.
+# Remove from squid.conf to inherit the current ulimit setting.
#
# Note: Changing this requires a restart of Squid. Also
-# not all comm loops supports large values.
+# not all I/O types supports large values (eg on Windows).
+#Default:
+# Use operating system limits set by ulimit.
+
+# TAG: workers
+# Number of main Squid processes or "workers" to fork and maintain.
+# 0: "no daemon" mode, like running "squid -N ..."
+# 1: "no SMP" mode, start one main Squid process daemon (default)
+# N: start N main Squid process daemons (i.e., SMP mode)
+#
+# In SMP mode, each worker does nearly all what a single Squid daemon
+# does (e.g., listen on http_port and forward HTTP requests).
+#Default:
+# SMP support disabled.
+
+# TAG: cpu_affinity_map
+# Usage: cpu_affinity_map process_numbers=P1,P2,... cores=C1,C2,...
+#
+# Sets 1:1 mapping between Squid processes and CPU cores. For example,
+#
+# cpu_affinity_map process_numbers=1,2,3,4 cores=1,3,5,7
+#
+# affects processes 1 through 4 only and places them on the first
+# four even cores, starting with core #1.
+#
+# CPU cores are numbered starting from 1. Requires support for
+# sched_getaffinity(2) and sched_setaffinity(2) system calls.
+#
+# Multiple cpu_affinity_map options are merged.
+#
+# See also: workers
#Default:
-# max_filedescriptors 0
+# Let operating system decide.