Thread: Squid and squidguard not working, proxy refusing connections
Hey everyone,
I have been beating my head for the past week trying to set up a DNS server for a school that doesn't have the money to pay for a filtering service. I admit I am a novice at Linux, but I did my best at reading and learning Squid and SquidGuard in order to install and configure it.
I feel confident in the installation of both Squid and SquidGuard, and I did not receive any errors during installation, but Squid does not seem to be working.
Firefox keeps telling me the proxy server is refusing connections, but I feel it's more of an issue of Squid not running. The curious thing is that in the terminal, when I type sudo service squid3 start, I get a line saying it is running and a process number. When I use the command sudo service squid3 status, it shows that Squid has been stopped.
I have attached the conf for Squid and SquidGuard. Let me know if there is anything else I can post to give a better idea of what's missing. I hope I am close to getting this done; I feel I'm close but I'm missing something.
Thanks in advance,
Jonathan
Sorry! Just realized this:
squid.conf
Code:
#	WELCOME TO SQUID 3.1.19
#	----------------------------
#
#	This is the documentation for the Squid configuration file.
#	This documentation can be found online at:
#		http://www.squid-cache.org/doc/config/
#
#	You may wish to look at the Squid home page and wiki for the
#	FAQ and other documentation:
#		http://www.squid-cache.org/
#		http://wiki.squid-cache.org/SquidFaq
#		http://wiki.squid-cache.org/ConfigExamples
#
#	[The stock per-directive documentation comments of the Ubuntu squid3
#	 3.1.19 package (auth_param, external_acl_type, follow_x_forwarded_for,
#	 icp_access, htcp_access, miss_access, ident_lookup_access,
#	 reply_body_max_size, ...) make up most of the pasted file and were
#	 unreadable in the paste; only the active directives and Jonathan's own
#	 comments are kept below, under their section tags.]

#  TAG: acl
#	Defining an Access List
#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
#acl localnet src 10.0.0.0/8	# RFC1918 possible internal network
#acl localnet src 172.16.0.0/12	# RFC1918 possible internal network
#acl localnet src 192.168.0.0/16	# RFC1918 possible internal network
#acl localnet src fc00::/7       # RFC 4193 local private network range
#acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
#jonathan work
acl localnet src 192.168.0.0/16

acl SSL_ports port 443
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl CONNECT method CONNECT

#  TAG: http_access
#	Allowing or Denying access based on defined access lists
#
#	Access to the HTTP port:
#	http_access allow|deny [!]aclname ...
#
#	If none of the "access" lines cause a match, the default is the
#	opposite of the last line in the list.  For these reasons, it is a
#	good idea to have a "deny all" entry at the end of your access
#	lists to avoid potential confusion.
#
#Default:
http_access allow lanwork
# NOTE added in editing: no "acl lanwork ..." line exists anywhere in the
# posted file. If this line is active as shown, Squid 3.1 rejects the
# configuration at startup (cache.log records a FATAL "Bungled squid.conf"
# error for this line) and exits, which is consistent with
# "service squid3 status" reporting stopped right after "start".
# http_access deny all
#
#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
#jonathan work, uncommenting the next line allows no filter
http_access allow localnet
#removes the block site when uncommented
http_access allow localhost

# And finally deny all other access to this proxy
#http_access deny all
#http_access allow all
#jonathan work - another way to remove the filter: ln 845 uncommented; if active allow, comment out the 849 deny

#  TAG: http_port
#	Usage:	port [options]
#		hostname:port [options]
#		1.2.3.4:port [options]
#
#	The socket addresses where Squid will listen for HTTP client
#	requests.  You may specify multiple socket addresses.
# there 3 forms: port alone, hostname port, , # ip address port. if specify hostname or ip # address, squid binds socket specific # address. replaces old 'tcp_incoming_address' # option. likely, not need bind specific # address, can use port number alone. # # if running squid in accelerator mode, # probably want listen on port 80 also, or instead. # # the -a command line option may used specify additional # port(s) squid listens proxy request. such ports # be plain proxy ports no options. # # you may specify multiple socket addresses on multiple lines. # # options: # # intercept support ip-layer interception of # outgoing requests without browser settings. # np: disables authentication , ipv6 on port. # # tproxy support linux tproxy spoofing outgoing # connections using client ip address. # np: disables authentication , maybe ipv6 on port. # # accel accelerator mode. needs @ least 1 of # vhost / vport / defaultsite. # # allow-direct allow direct forwarding in accelerator mode. # accelerated requests denied direct forwarding if # never_direct used. # # defaultsite=domainname # what use host: header if not present # in request. determines site (not origin server) # accelerators should consider default. # implies accel. # # vhost accelerator mode using host header virtual domain support. # also uses port specified in host: header unless # overridden vport option. implies accel. # # vport virtual host port support. using http_port number # instead of port passed on host: headers. implies accel. # # vport=nn virtual host port support. using specified port # number instead of port passed on host: headers. # implies accel. # # protocol= protocol reconstruct accelerated requests with. # defaults http. # # ignore-cc ignore request cache-control headers. # # warning: option violates http specifications if # used in non-accelerator setups. 
# # connection-auth[=on|off] # use connection-auth=off tell squid prevent # forwarding microsoft connection oriented authentication # (ntlm, negotiate , kerberos) # # disable-pmtu-discovery= # control path-mtu discovery usage: # off lets os decide on (default). # transparent disable pmtu discovery when transparent # support enabled. # always disable pmtu discovery. # # in many setups of transparently intercepting proxies # path-mtu discovery can not work on traffic towards # clients. case when intercepting device # does not track connections , fails forward # icmp must fragment messages cache server. if # have such setup , experience clients # sporadically hang or never complete requests set # disable-pmtu-discovery option 'transparent'. # # ssl-bump intercept each connect request matching ssl_bump acl, # establish secure connection client , # the server, decrypt http messages pass through # squid, , treat them unencrypted http messages, # becoming man-in-the-middle. # # when option enabled, additional options become # available specify ssl-related properties of # client-side connection: cert, key, version, cipher, # options, clientca, cafile, capath, crlfile, dhparams, # sslflags, , sslcontext. see https_port directive # for more information on these options. # # the ssl_bump option required enable # the sslbump feature. # # name= specifies internal name port. defaults # the port specification (port or addr:port) # # tcpkeepalive[=idle,interval,timeout] # enable tcp keepalive probes of idle connections. # in seconds; idle initial time before tcp starts # probing connection, interval how probe, , # timeout time before giving up. # # if run squid on dual-homed machine internal # and external interface recommend specify # internal address:port in http_port. way squid # visible on internal address. 
#
#
# squid listens port 3128
http_port 3128
# tag: https_port
# note: option available if squid rebuilt
# --enable-ssl option
#
# usage: [ip:]port cert=certificate.pem [key=key.pem] [options...]
#
# the socket address squid listen https client
# requests.
#
# this useful situations running
# squid in accelerator mode , want ssl work @
# accelerator level.
#
# you may specify multiple socket addresses on multiple lines,
# each own ssl certificate and/or options.
#
# options:
#
# accel accelerator mode. needs @ least 1 of
# defaultsite or vhost.
#
# defaultsite= the name of https site presented on
# this port. implies accel.
#
# vhost accelerator mode using host header virtual
# domain support. requires wildcard certificate
# or other certificate valid more 1 domain.
# implies accel.
#
# protocol= protocol reconstruct accelerated requests with.
# defaults https.
#
# cert= path ssl certificate (pem format).
#
# key= path ssl private key file (pem format)
# if not specified, certificate file
# assumed combined certificate ,
# key file.
#
# version= the version of ssl/tls supported
# 1 automatic (default)
# 2 sslv2
# 3 sslv3
# 4 tlsv1
#
# cipher= colon separated list of supported ciphers.
# note: ciphers such edh ciphers depend on
# additional settings. if settings
# omitted ciphers may silently ignored
# openssl library.
#
# options= various ssl engine options. important
# being:
# no_sslv2 disallow use of sslv2
# no_sslv3 disallow use of sslv3
# no_tlsv1 disallow use of tlsv1
# single_dh_use create new key when using
# temporary/ephemeral dh key exchanges
# see openssl ssl_ctx_set_options documentation
# complete list of options.
#
# clientca= file containing list of cas use when
# requesting client certificate.
#
# cafile= file containing additional ca certificates
# use when verifying client certificates. if unset
# clientca used.
#
# capath= directory containing additional ca certificates
# and crl lists use when verifying client certificates.
# # crlfile= file of additional crl lists use when verifying # the client certificate, in addition crls stored in # the capath. implies verify_crl flag below. # # dhparams= file containing dh parameters temporary/ephemeral # dh key exchanges. see openssl documentation details # on how create file. # warning: edh ciphers silently disabled if # option not set. # # sslflags= various flags modifying use of ssl: # delayed_auth # don't request client certificates # immediately, wait until acl processing # requires certificate (not yet implemented). # no_default_ca # don't use default ca lists built in # to openssl. # no_session_reuse # don't allow session reuse. each connection # will result in new ssl session. # verify_crl # verify crl lists when accepting client # certificates. # verify_crl_all # verify crl lists certificates in # client certificate chain. # # sslcontext= ssl session id context identifier. # # generate-host-certificates[=<on|off>] # dynamically create ssl server certificates # destination hosts of bumped connect requests.when # enabled, cert , key options used sign # generated certificates. otherwise generated # certificate selfsigned. # if there ca certificate life time of generated # certificate equals lifetime of ca certificate. if # generated certificate selfsigned lifetime 3 # years. # this option enabled default when sslbump used. # see sslbump option above more information. # # dynamic_cert_mem_cache_size=size # approximate total ram size spent on cached generated # certificates. if set zero, caching disabled. # default value 4mb. average xxx-bit certificate # consumes xxx bytes of ram. # # vport accelerator ip based virtual host support. # # vport=nn as above, uses specified port number rather # than https_port number. implies accel. # # name= specifies internal name port. 
defaults # the port specification (port or addr:port) # #default: # none # tag: tcp_outgoing_tos # allows select tos/diffserv value mark outgoing # connections with, based on username or source address # making request. # # tcp_outgoing_tos ds-field [!]aclname ... # # example normal_service_net uses tos value 0x00 # and good_service_net uses 0x20 # # acl normal_service_net src 10.0.0.0/24 # acl good_service_net src 10.0.1.0/24 # tcp_outgoing_tos 0x00 normal_service_net # tcp_outgoing_tos 0x20 good_service_net # # tos/dscp values have local significance - should # know you're specifying. more information, see rfc2474, # rfc2475, , rfc3260. # # the tos/dscp byte must - octet value 0 - 255, or # "default" use whatever default host has. note in # practice multiples of 4 usable 2 rightmost bits # have been redefined use ecn (rfc 3168 section 23.1). # # processing proceeds in order specified, , stops @ first # matching line. # # note: use of directive using client dependent acls # incompatible use of server side persistent connections. # ensure correct results best set server_persisten_connections # to off when using directive in such configurations. #default: # none # tag: clientside_tos # allows select tos/diffserv value mark client-side # connections with, based on username or source address # making request. #default: # none # tag: qos_flows # allows select tos/dscp value mark outgoing # connections with, based on reply sourced. # # tos values have local significance - should # know you're specifying. more information, see rfc2474, # rfc2475, , rfc3260. # # the tos/dscp byte must - octet value 0x00-0xff. # note in practice values 0x3f usable # as 2 highest bits have been redefined use ecn # (rfc3168). # # this setting configured setting source tos values: # # local-hit=0xff value mark local cache hits. # # sibling-hit=0xff value mark hits sibling peers. # # parent-hit=0xff value mark hits parent peers. # # # note: 'miss' preserve feature possible on linux @ time. 
# # for following work correctly, need patch # linux kernel tos preserving zph patch. # the kernel patch can downloaded http://zph.bratcheda.org # # disable-preserve-miss # by default, existing tos value of response coming # from remote server retained , masked # miss-mark. option disables feature. # # miss-mask=0xff # allows mask bits in tos received # remote server, before copying value tos sent # towards clients. # default: 0xff (tos server not changed). # #default: # none # tag: tcp_outgoing_address # allows map requests different outgoing ip addresses # based on username or source address of user making # the request. # # tcp_outgoing_address ipaddr [[!]aclname] ... # # example requests 10.0.0.0/24 forwarded # with source address 10.1.0.1, 10.0.2.0/24 forwarded # source address 10.1.0.2 , rest forwarded # source address 10.1.0.3. # # acl normal_service_net src 10.0.0.0/24 # acl good_service_net src 10.0.2.0/24 # tcp_outgoing_address 10.1.0.1 normal_service_net # tcp_outgoing_address 10.1.0.2 good_service_net # tcp_outgoing_address 10.1.0.3 # # processing proceeds in order specified, , stops @ first # matching line. # # note: use of directive using client dependent acls # incompatible use of server side persistent connections. # ensure correct results best set server_persistent_connections # to off when using directive in such configurations. # # # ipv6 magic: # # squid built capability of bridging ipv4 , ipv6 # internets. # tcp_outgoing_address exampled above breaks bridging forcing # all outbound traffic through ipv4 may on wrong # side of ipv4/ipv6 boundary. # # to operate tcp_outgoing_address , keep bridging benefits # an additional acl needs used ensures ipv6-bound traffic # is never forced or permitted out ipv4 interface. # # # ipv6 destination test along dummy access control perofrm required dns # # must place before allow rules. 
# acl to_ipv6 dst ipv6 # http_access deny ipv6 !all # # tcp_outgoing_address 2001:db8::c001 good_service_net to_ipv6 # tcp_outgoing_address 10.1.0.2 good_service_net !to_ipv6 # # tcp_outgoing_address 2001:db8::beef normal_service_net to_ipv6 # tcp_outgoing_address 10.1.0.1 normal_service_net !to_ipv6 # # tcp_outgoing_address 2001:db8::1 to_ipv6 # tcp_outgoing_address 10.1.0.3 !to_ipv6 # # warning: # 'dst ipv6' bases selection assuming direct access. # if peers used peername acl needed select outgoing # address can link peer. # # 'dst ipv6' slow acl. work here if 'dst' used # in http_access rules locate destination ip. # more magic may needed that: # http_access allow to_ipv6 !all # (meaning, allow if ipv6 not anywhere ;) # #default: # none # ssl options # ----------------------------------------------------------------------------- # tag: ssl_unclean_shutdown # note: option available if squid rebuilt # --enable-ssl option # # some browsers (especially msie) bugs out on ssl shutdown # messages. #default: # ssl_unclean_shutdown off # tag: ssl_engine # note: option available if squid rebuilt # --enable-ssl option # # the openssl engine use. need set if # would use hardware ssl acceleration example. 
#default: # none # tag: sslproxy_client_certificate # note: option available if squid rebuilt # --enable-ssl option # # client ssl certificate use when proxying https:// urls #default: # none # tag: sslproxy_client_key # note: option available if squid rebuilt # --enable-ssl option # # client ssl key use when proxying https:// urls #default: # none # tag: sslproxy_version # note: option available if squid rebuilt # --enable-ssl option # # ssl version level use when proxying https:// urls #default: # sslproxy_version 1 # tag: sslproxy_options # note: option available if squid rebuilt # --enable-ssl option # # ssl engine options use when proxying https:// urls # # the important being: # # no_sslv2 disallow use of sslv2 # no_sslv3 disallow use of sslv3 # no_tlsv1 disallow use of tlsv1 # single_dh_use # always create new key when using # temporary/ephemeral dh key exchanges # # these options vary depending on ssl engine. # see openssl ssl_ctx_set_options documentation # complete list of possible options. #default: # none # tag: sslproxy_cipher # note: option available if squid rebuilt # --enable-ssl option # # ssl cipher list use when proxying https:// urls # # colon separated list of supported ciphers. #default: # none # tag: sslproxy_cafile # note: option available if squid rebuilt # --enable-ssl option # # file containing ca certificates use when verifying server # certificates while proxying https:// urls #default: # none # tag: sslproxy_capath # note: option available if squid rebuilt # --enable-ssl option # # directory containing ca certificates use when verifying # server certificates while proxying https:// urls #default: # none # tag: ssl_bump # note: option available if squid rebuilt # --enable-ssl option # # this acl controls connect requests http_port # marked sslbump flag "bumped". please # see sslbump flag of http_port option more details # about decoding proxied ssl connections. # # by default, no requests bumped. 
# # see also: http_port ssl-bump # # this clause supports both fast , slow acl types. # see http://wiki.squid-cache.org/squidfaq/squidacl details. # # # # example: bump requests except originating localhost , # # going webax.com or example.com sites. # # acl localhost src 127.0.0.1/32 # acl broken_sites dstdomain .webax.com # acl broken_sites dstdomain .example.com # ssl_bump deny localhost # ssl_bump deny broken_sites # ssl_bump allow #default: # none # tag: sslproxy_flags # note: option available if squid rebuilt # --enable-ssl option # # various flags modifying use of ssl while proxying https:// urls: # dont_verify_peer accept certificates fail verification. # for refined control, see sslproxy_cert_error. # no_default_ca don't use default ca list built in # to openssl. #default: # none # tag: sslproxy_cert_error # note: option available if squid rebuilt # --enable-ssl option # # use acl bypass server certificate validation errors. # # for example, following lines bypass validation errors # when talking servers located @ 172.16.0.0/16. other # validation errors result in err_secure_connect_fail error. # # acl brokenserversattrustedip dst 172.16.0.0/16 # sslproxy_cert_error allow brokenserversattrustedip # sslproxy_cert_error deny # # this clause supports fast acl types. # see http://wiki.squid-cache.org/squidfaq/squidacl details. # using slow acl types may result in server crashes # # without option, server certificate validation errors # terminate transaction. bypassing validation errors dangerous # because error implies server cannot trusted , # the connection may insecure. # # see also: sslproxy_flags , dont_verify_peer. # # default setting: sslproxy_cert_error deny #default: # none # tag: sslpassword_program # note: option available if squid rebuilt # --enable-ssl option # # specify program used entering ssl key passphrases # when using encrypted ssl certificate keys. 
if not specified # keys must either unencrypted, or squid started -n # option allow query interactively passphrase. # # the key file name given argument program allowing # selection of right password if have multiple encrypted # keys. #default: # none #options relating external ssl_crtd #----------------------------------------------------------------------------- # tag: sslcrtd_program # note: option available if squid rebuilt # -duse_ssl_crtd define # # specify location , options of executable ssl_crtd process. # /usr/lib/squid3/ssl_crtd program requires -s , -m parameters # for more information use: # /usr/lib/squid3/ssl_crtd -h #default: # sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db -m 4mb # tag: sslcrtd_children # note: option available if squid rebuilt # -duse_ssl_crtd define # # the maximum number of processes spawn service ssl server. # the maximum may safely set 32. # # you must have @ least 1 ssl_crtd process. #default: # sslcrtd_children 5 # options affect neighbor selection algorithm # ----------------------------------------------------------------------------- # tag: cache_peer # to specify other caches in hierarchy, use format: # # cache_peer hostname type http-port icp-port [options] # # for example, # # # proxy icp # # hostname type port port options # # -------------------- -------- ----- ----- ----------- # cache_peer parent.foo.net parent 3128 3130 default # cache_peer sib1.foo.net sibling 3128 3130 proxy-only # cache_peer sib2.foo.net sibling 3128 3130 proxy-only # cache_peer example.com parent 80 0 default # cache_peer cdn.example.com sibling 3128 0 # # type: either 'parent', 'sibling', or 'multicast'. # # proxy-port: the port number peer accept http requests. # for other squid proxies 3128 # for web servers 80 # # icp-port: used querying neighbor caches objects. # set 0 if peer not support icp or htcp. # see icp , htcp options below additional details. 
# # # ==== icp options ==== # # you must set icp_port , icp_access explicitly when using these options. # the defaults prevent peer traffic using icp. # # # no-query disable icp queries neighbor. # # multicast-responder # indicates named peer member of multicast group. # icp queries not sent directly peer, icp # replies accepted it. # # closest-only indicates that, icp_op_miss replies, we'll forward # closest_parent_misses , never first_parent_misses. # # background-ping # to send icp queries neighbor infrequently. # this used keep neighbor round trip time updated # and used in conjunction weighted-round-robin. # # # ==== htcp options ==== # # you must set htcp_port , htcp_access explicitly when using these options. # the defaults prevent peer traffic using htcp. # # # htcp send htcp, instead of icp, queries neighbor. # you want set "icp-port" 4827 # instead of 3130. # # htcp-oldsquid send htcp old squid versions. # # htcp-no-clr send htcp neighbor without # sending clr requests. cannot used # htcp-only-clr. # # htcp-only-clr send htcp neighbor clr requests. # this cannot used htcp-no-clr. # # htcp-no-purge-clr # send htcp neighbor including clrs when # they not result purge requests. # # htcp-forward-clr # forward htcp clr requests proxy receives peer. # # # ==== peer selection methods ==== # # the default peer selection method icp, first responding peer # being used source. these options can used better load balancing. # # # default this parent cache can used "last-resort" # if peer cannot located of peer-selection methods. # if specified more once, first used. # # round-robin load-balance parents should used in round-robin # fashion in absence of icp queries. # weight=n can used add bias. # # weighted-round-robin # load-balance parents should used in round-robin # fashion frequency of each parent being based on # round trip time. closer parents used more often. # usually used background-ping parents. # weight=n can used add bias. 
# # carp load-balance parents should used carp array. # the requests distributed among parents based on # carp load balancing hash function based on weight. # # userhash load-balance parents based on client proxy_auth or ident username. # # sourcehash load-balance parents based on client source ip. # # multicast-siblings # to used cache peers of type "multicast". # all members of multicast group have "sibling" # relationship it, not "parent". multicast # group when requested object fetched # a "parent" cache, anyway. it's useful, e.g., when # configuring pool of redundant squid proxies, being # members of same multicast group. # # # ==== peer selection options ==== # # weight=n use affect selection of peer during weighted # peer-selection mechanisms. # the weight must integer; default 1, # larger weights favored more. # this option not affect parent selection if peering # protocol not in use. # # basetime=n specify base amount subtracted round trip # times of parents. # it subtracted before division weight in calculating # which parent fectch from. if rtt less # base time rtt set minimal value. # # ttl=n specify ttl use when sending multicast icp queries # to address. # only useful when sending multicast group. # because don't accept icp replies random # hosts, must configure other group members # peers 'multicast-responder' option. # # no-delay to prevent access neighbor influencing # delay pools. # # digest-url=url tell squid fetch cache digest (if digests # enabled) host specified url rather # than squid default location. # # # ==== accelerator / reverse-proxy options ==== # # originserver causes parent contacted origin server. # meant used in accelerator setups when peer # is web server. # # forceddomain=name # set host header of requests forwarded peer. # useful in accelerator setups server (peer) # expects domain name clients may request # others. ie example.com or www.example.com # # no-digest disable request of cache digests. 
# # no-netdb-exchange # disables requesting icmp rtt database (netdb). # # # ==== authentication options ==== # # login=user:password # if personal/workgroup proxy , parent # requires proxy authentication. # # note: string can include url escapes (i.e. %20 # spaces). means % must written %%. # # login=proxypass # send login details received client peer. # authentication not required, nor changed. # # note: pass form of authentication # only basic auth work through proxy unless # connection-auth options used. # # login=pass send login details received client peer. # authentication not required option. # if there no client-provided authentication headers # to pass on, username , password available # from either proxy login or external acl user= , # password= result tags may sent instead. # # note: combine proxy_auth both proxies must # share same user database http allows # a single login (one proxy, 1 origin server). # also warned expose users proxy # password peer. use caution # # login=*:password # send username upstream cache, # fixed password. meant used when peer # is in administrative domain, still # needed identify each user. # the star can optionally followed # information added username. can # be used identify proxy peer, similar # the login=username:password option above. # # connection-auth=on|off # tell squid peer or not support microsoft # connection oriented authentication, , such # challenges received there should ignored. # default auto automatically determine status # of peer. # # # ==== ssl / https / tls options ==== # # ssl encrypt connections peer ssl/tls. # # sslcert=/path/to/ssl/certificate # a client ssl certificate use when connecting # this peer. # # sslkey=/path/to/ssl/key # the private ssl key corresponding sslcert above. # if 'sslkey' not specified 'sslcert' assumed # reference combined file containing both # certificate , key. 
# # notes: # # on debian/ubuntu systems default snakeoil certificate # available in /etc/ss , users can set: # # cert=/etc/ssl/certs/ssl-cert-snakeoil.pem # # and # # key=/etc/ssl/private/ssl-cert-snakeoil.key # # for testing. # # sslversion=1|2|3|4 # the ssl version use when connecting peer # 1 = automatic (default) # 2 = ssl v2 # 3 = ssl v3 # 4 = tls v1 # # sslcipher=... the list of valid ssl ciphers use when connecting # to peer. # # ssloptions=... specify various ssl engine options: # no_sslv2 disallow use of sslv2 # no_sslv3 disallow use of sslv3 # no_tlsv1 disallow use of tlsv1 # see src/ssl_support.c or openssl documentation # a more complete list. # # sslcafile=... a file containing additional ca certificates use # when verifying peer certificate. # # sslcapath=... a directory containing additional ca certificates # use when verifying peer certificate. # # sslcrlfile=... a certificate revocation list file use when # verifying peer certificate. # # sslflags=... specify various flags modifying ssl implementation: # # dont_verify_peer # accept certificates if fail # verify. # no_default_ca # don't use default ca list built in # to openssl. # dont_verify_domain # don't verify peer certificate # matches server name # # ssldomain= the peer name advertised in it's certificate. # used verifying correctness of received peer # certificate. if not specified peer hostname # used. # # front-end-https # enable "front-end-https: on" header needed when # using squid ssl frontend in front of microsoft owa. # see ms kb document q307347 details on header. # if set auto header added if # request forwarded https:// url. # # # ==== general options ==== # # connect-timeout=n # a peer-specific connect timeout. # also see peer_connect_timeout directive. # # connect-fail-limit=n # how many times connecting peer must fail before # it marked down. default 10. # # allow-miss disable squid's use of only-if-cached when forwarding # requests siblings. 
useful when # icp_hit_stale used sibling. extensive use # of option may result in forwarding loops, , # should avoid having two-way peerings option. # for example deny peer usage on requests peer # by denying cache_peer_access if source peer. # # max-conn=n limit amount of connections squid may open # peer. see # # name=xxx unique name peer. # required if have multiple peers on same host # but different ports. # this name can used in cache_peer_access , similar # directives dentify peer. # can used outgoing access controls through # peername acl type. # # no-tproxy do not use client-spoof tproxy support when forwarding # requests peer. use normal address selection instead. # # proxy-only objects fetched peer not stored locally. # #default: # none # tag: cache_peer_domain # use limit domains neighbor cache # queried. usage: # # cache_peer_domain cache-host domain [domain ...] # cache_peer_domain cache-host !domain # # for example, specifying # # cache_peer_domain parent.foo.net .edu # # has effect such udp query packets sent # 'bigserver' when requested object exists on # server in .edu domain. prefixing domainname # with '!' means cache queried objects # not in domain. # # note: * number of domains may given cache-host, # either on same or separate lines. # * when multiple domains given particular # cache-host, first matched domain applied. # * cache hosts no domain restrictions queried # requests. # * there no defaults. # * there 'cache_peer_access' tag in acl # section. #default: # none # tag: cache_peer_access # similar 'cache_peer_domain' provides more flexibility # using acl elements. # # cache_peer_access cache-host allow|deny [!]aclname ... # # the syntax identical 'http_access' , other lists of # acl elements. see comments 'http_access' below, or # the squid faq (http://wiki.squid-cache.org/squidfaq/squidacl). #default: # none # tag: neighbor_type_domain # usage: neighbor_type_domain neighbor parent|sibling domain domain ... 
# # modifying neighbor type specific domains # possible. can treat domains differently the # default neighbor type specified on 'cache_peer' line. # normally should necessary list domains # should treated differently because default neighbor type # applies hostnames not match domains listed here. # #example: # cache_peer cache.foo.org parent 3128 3130 # neighbor_type_domain cache.foo.org sibling .com .net # neighbor_type_domain cache.foo.org sibling .au .de #default: # none # tag: dead_peer_timeout (seconds) # this controls how long squid waits declare peer cache # as "dead." if there no icp replies received in # amount of time, squid declare peer dead , not # expect receive further icp replies. however, # continues send icp queries, , mark peer # alive upon receipt of first subsequent icp reply. # # this timeout affects when squid expects receive icp # replies peers. if more 'dead_peer' seconds have # passed since last icp reply received, squid not # expect receive icp reply on next query. thus, if # your time between requests greater timeout, # will see lot of requests sent direct origin servers # instead of parents. #default: # dead_peer_timeout 10 seconds # tag: forward_max_tries # controls how many different forward paths squid try # before giving up. see forward_timeout. #default: # forward_max_tries 10 # tag: hierarchy_stoplist # a list of words which, if found in url, cause object # be handled directly cache. in other words, use # to not query neighbor caches objects. may # list option multiple times. # # example: # hierarchy_stoplist cgi-bin ? # # note: never_direct overrides option. #default: # none # memory cache options # ----------------------------------------------------------------------------- # tag: cache_mem (bytes) # note: parameter not specify maximum process size. # it places limit on how additional memory squid # use memory cache of objects. squid uses memory other # things well. see squid faq section 8 details. 
# # 'cache_mem' specifies ideal amount of memory used # for: # * in-transit objects # * hot objects # * negative-cached objects # # data these objects stored in 4 kb blocks. # parameter specifies ideal upper limit on total size of # 4 kb blocks allocated. in-transit objects take highest # priority. # # in-transit objects have priority on others. when # additional space needed incoming data, negative-cached # and hot objects released. in other words, # negative-cached , hot objects fill unused space # not needed in-transit objects. # # if circumstances require, limit exceeded. # specifically, if incoming request rate requires more # 'cache_mem' of memory hold in-transit objects, squid # exceed limit satisfy new requests. when load # decreases, blocks freed until high-water mark # reached. thereafter, blocks used store hot # objects. #default: # cache_mem 256 mb # tag: maximum_object_size_in_memory (bytes) # objects greater size not attempted kept in # the memory cache. should set high enough keep objects # accessed in memory improve performance whilst low # enough keep larger objects hoarding cache_mem. #default: # maximum_object_size_in_memory 512 kb # tag: memory_replacement_policy # the memory replacement policy parameter determines # objects purged memory when memory space needed. # # see cache_replacement_policy details. #default: # memory_replacement_policy lru # disk cache options # ----------------------------------------------------------------------------- # tag: cache_replacement_policy # the cache replacement policy parameter determines # objects evicted (replaced) when disk space needed. # # lru : squid's original list based lru policy # heap gdsf : greedy-dual size frequency # heap lfuda: least used dynamic aging # heap lru : lru policy implemented using heap # # applies cache_dir lines listed below this. # # the lru policies keeps referenced objects. 
# # the heap gdsf policy optimizes object hit rate keeping smaller # popular objects in cache has better chance of getting # hit. achieves lower byte hit rate lfuda though since # it evicts larger (possibly popular) objects. # # the heap lfuda policy keeps popular objects in cache regardless of # their size , optimizes byte hit rate @ expense of # hit rate since 1 large, popular object prevent many # smaller, less popular objects being cached. # # both policies utilize dynamic aging mechanism prevents # cache pollution can otherwise occur frequency-based # replacement policies. # # note: if using lfuda replacement policy should increase # the value of maximum_object_size above default of 4096 kb # to maximize potential byte hit rate improvement of lfuda. # # for more information gdsf , lfuda cache replacement # policies see http://www.hpl.hp.com/techreports/1999/hpl-1999-69.html # and http://fog.hpl.external.hp.com/techreports/98/hpl-98-173.html. #default: # cache_replacement_policy lru # tag: cache_dir # usage: # # cache_dir type directory-name fs-specific-data [options] # # you can specify multiple cache_dir lines spread # cache among different disk partitions. # # type specifies kind of storage system use. "ufs" # is built default. enable of other storage systems # see --enable-storeio configure option. # # 'directory' top-level directory cache swap # files stored. if want use entire disk # for caching, can mount-point directory. # the directory must exist , writable squid # process. squid not create directory you. # # the ufs store type: # # "ufs" old well-known squid storage format has # been there. # # cache_dir ufs directory-name mbytes l1 l2 [options] # # 'mbytes' amount of disk space (mb) use under # directory. default 100 mb. change suit # configuration. not put size of disk drive here. # instead, if want squid use entire disk drive, # subtract 20% , use value. # # 'l1' number of first-level subdirectories # will created under 'directory'. default 16. 
# # 'l2' number of second-level subdirectories # will created under each first-level directory. default # is 256. # # the aufs store type: # # "aufs" uses same storage format "ufs", utilizing # posix-threads avoid blocking main squid process on # disk-i/o. formerly known in squid async-io. # # cache_dir aufs directory-name mbytes l1 l2 [options] # # see argument descriptions under ufs above # # the diskd store type: # # "diskd" uses same storage format "ufs", utilizing # separate process avoid blocking main squid process on # disk-i/o. # # cache_dir diskd directory-name mbytes l1 l2 [options] [q1=n] [q2=n] # # see argument descriptions under ufs above # # q1 specifies number of unacknowledged i/o requests when squid # stops opening new files. if many messages in queues, # squid won't open new files. default 64 # # q2 specifies number of unacknowledged messages when squid # starts blocking. if many messages in queues, # squid blocks until receives replies. default 72 # # when q1 < q2 (the default), cache directory optimized # for lower response time @ expense of decrease in hit # ratio. if q1 > q2, cache directory optimized # higher hit ratio @ expense of increase in response # time. # # the coss store type: # # np: coss filesystem in squid-3 has been deemed unstable # production use , has been removed release. # hope can made usable again soon. # # block-size=n defines "block size" coss cache_dir's. # squid uses file numbers block numbers. since file numbers # are limited 24 bits, block size determines maximum # size of coss partition. default 512 bytes, # leads maximum cache_dir size of 512<<24, or 8 gb. note # you should not change coss block size after squid # has written objects cache_dir. # # the coss file store has changed 2.5. uses file # called 'stripe' in directory names in config - , # this created squid -z. # # common options: # # no-store, no new objects should stored cache_dir # # max-size=n, refers max object size in bytes cache_dir # supports. 
used select cache_dir store object. # note: make optimal use of max-size limits should order # the cache_dir lines smallest max-size value first , # ones no max-size specification last. # # note coss, max-size must less coss_membuf_sz, # which can changed --with-coss-membuf-size=n configure # option. # # uncomment , adjust following add disk cache directory. #cache_dir ufs /var/spool/squid3 100 16 256 # tag: store_dir_select_algorithm # set 'round-robin' alternative. #default: # store_dir_select_algorithm least-load # tag: max_open_disk_fds # to avoid having disk i/o bottleneck squid can optionally # bypass on-disk cache if more amount of disk file # descriptors open. # # a value of 0 indicates no limit. #default: # max_open_disk_fds 0 # tag: minimum_object_size (bytes) # objects smaller size not saved on disk. # value specified in kilobytes, , default 0 kb, # means there no minimum. #default: # minimum_object_size 0 kb # tag: maximum_object_size (bytes) # objects larger size not saved on disk. # value specified in kilobytes, , default 4mb. if # you wish high bytes hit ratio, should # increase (one 32 mb object hit counts 3200 10kb # hits). if wish increase speed more want # save bandwidth should leave low. # # note: if using lfuda replacement policy should increase # this value maximize byte hit rate improvement of lfuda! # see replacement_policy below discussion of policy. #default: # maximum_object_size 4096 kb # tag: cache_swap_low (percent, 0-100) #default: # cache_swap_low 90 # tag: cache_swap_high (percent, 0-100) # # the low- , high-water marks cache object replacement. # replacement begins when swap (disk) usage above # low-water mark , attempts maintain utilization near # low-water mark. swap utilization gets close high-water # mark object eviction becomes more aggressive. if utilization # close low-water mark less replacement done each time. # # defaults 90% , 95%. if have large cache, 5% # hundreds of mb. 
if case may wish set these # numbers closer together. #default: # cache_swap_high 95 # logfile options # ----------------------------------------------------------------------------- # tag: logformat # usage: # # logformat <name> <format specification> # # defines access log format. # # the <format specification> string embedded % format codes # # % format codes follow same basic structure # the formatcode optional. output strings automatically escaped # as required according context , output format # modifiers not needed, can specified if explicit # output format desired. # # % ["|[|'|#] [-] [[0]width] [{argument}] formatcode # # " output in quoted string format # [ output in squid text log format used log_mime_hdrs # # output in url quoted format # ' output as-is # # - left aligned # width field width. if starting 0 # output 0 padded # {arg} argument such header name etc # # format codes: # # % a literal % character # >a client source ip address # >a client fqdn # >p client source port # <a server ip address or peer name # la local ip address (http_port) # lp local port number (http_port) # <la local ip address of last server or peer connection # <lp local port number of last server or peer connection # ts seconds since epoch # tu subsecond time (milliseconds) # tl local time. optional strftime format argument # default %d/%b/%y:%h:%m:%s %z # tg gmt time. optional strftime format argument # default %d/%b/%y:%h:%m:%s %z # tr response time (milliseconds) # dt total time spent making dns lookups (milliseconds) # # http cache related format codes: # # [http::]>h original request header. optional header name argument # on format header[:[separator]element] # [http::]>ha the http request headers after adaptation , redirection. # optional header name argument >h # [http::]<h reply header. 
optional header name argument # as >h # [http::]un user name # [http::]ul user name authentication # [http::]ui user name ident # [http::]us user name ssl # [http::]ue user name external acl helper # [http::]>hs http status code sent client # [http::]<hs http status code received next hop # [http::]ss squid request status (tcp_miss etc) # [http::]sh squid hierarchy status (default_parent etc) # [http::]mt mime content type # [http::]rm request method (get/post etc) # [http::]ru request url # [http::]rp request url-path excluding hostname # [http::]rv request protocol version # [http::]et tag returned external acl # [http::]ea log string returned external acl # [http::]<st sent reply size including http headers # [http::]>st received request size including http headers. in # case of chunked requests chunked encoding metadata # are not included # [http::]>sh received http request headers size # [http::]<sh sent http reply headers size # [http::]st request+reply size including http headers # [http::]<sh reply high offset sent # [http::]<ss upstream object size # [http::]<pt peer response time in milliseconds. timer starts # when last request byte sent next hop # and stops when last response byte received. # [http::]<tt total server-side time in milliseconds. timer # starts first connect request (or write i/o) # sent first selected peer. timer stops # with last i/o last peer. # # if icap enabled, following 2 codes become available (as # well icap log codes documented icap_log option): # # icap::tt total icap processing time http # transaction. timer ticks when icap # acls checked , when icap # transaction in progress. # # icap::<last_h the header of last icap response # related http transaction. # <h, accepts optional header name # argument. not change semantics # when multiple icap transactions per http # transaction supported. 
# # if adaptation enabled following 2 codes become available: # # adapt::sum_trs summed adaptation transaction response # times recorded comma-separated list in # the order of transaction start time. each time # value recorded integer number, # representing response time of 1 or more # adaptation (icap or ecap) transaction in # milliseconds. when failed transaction # being retried or repeated, time not # logged individually added # replacement (next) transaction. see also: # adapt::all_trs. # # adapt::all_trs adaptation transaction response times. # same adaptation_strs response times of # individual transactions never added # together. instead, transaction response # times recorded individually. # # you can prefix adapt::*_trs format codes adaptation # service name in curly braces record response time(s) specific # to service. example: %{my_*********adapt::sum_trs # # the default formats available (which not need re-defining) are: # #logformat squid %ts.%03tu %6tr %>a %ss/%03>hs %<st %rm %ru %un %sh/%<a %mt #logformat squidmime %ts.%03tu %6tr %>a %ss/%03>hs %<st %rm %ru %un %sh/%<a %mt [%>h] [%<h] #logformat common %>a %ui %un [%tl] "%rm %ru http/%rv" %>hs %<st %ss:%sh #logformat combined %>a %ui %un [%tl] "%rm %ru http/%rv" %>hs %<st "%{referer}>h" "%{user-agent}>h" %ss:%sh #default: # none # tag: access_log # these files log client request activities. has line every http or # icp request. format is: # access_log <filepath> [<logformat name> [acl acl ...]] # access_log none [acl acl ...]] # # will log specified file using specified format (which # must defined in logformat directive) entries match # all acl's specified (which must defined in acl clauses). # # if no acl specified, requests logged file. # # to disable logging of request use filepath "none", in case # a logformat name should not specified. 
# # to log request via syslog specify filepath of "syslog": # # access_log syslog[:facility.priority] [format [acl1 [acl2 ....]]] # where facility of: # authpriv, daemon, local0 .. local7 or user. # # and priority of: # err, warning, notice, info, debug. # # default: # access_log /var/log/squid3/access.log squid #default: # access_log /var/log/squid3/access.log squid # tag: icap_log # icap log files record icap transaction summaries, 1 line per # transaction. # # the icap_log option format is: # icap_log <filepath> [<logformat name> [acl acl ...]] # icap_log none [acl acl ...]] # # please see access_log option documentation details. 2 # kinds of logs share overall configuration approach , many # features. # # icap processing of single http message or transaction may # require multiple icap transactions. in such cases, multiple # icap transaction log lines correspond single access # log line. # # icap log uses logformat codes make sense icap # transaction. header-related codes applied http header # embedded in icap server response, following caveats: # for reqmod, there no http response header unless icap # server performed request satisfaction. respmod, http # request header header sent icap server. # options, there no http headers. # # the following format codes available icap logs: # # icap::<a icap server ip address. similar <a. # # icap::<service_name icap service name icap_service # option in squid configuration file. # # icap::ru icap request-uri. similar ru. # # icap::rm icap request method (reqmod, respmod, or # options). similar existing rm. # # icap::>st bytes sent icap server (tcp payload # only; i.e., squid writes socket). # # icap::<st bytes received icap server (tcp # payload only; i.e., squid reads # the socket). # # icap::tr transaction response time (in # milliseconds). timer starts when # the icap transaction created , # stops when transaction completed. # similar tr. # # icap::tio transaction i/o time (in milliseconds). 
# timer starts when first icap request # byte scheduled sending. timers # stops when last byte of icap response # is received. # # icap::to transaction outcome: icap_err* # transaction errors, icap_opt option # transactions, icap_echo 204 # responses, icap_mod message # modification, , icap_sat request # satisfaction. similar ss. # # icap::hs icap response status code. similar hs. # # icap::>h icap request header(s). similar >h. # # icap::<h icap response header(s). similar <h. # # the default icap log format, can used without explicit # definition, called icap_squid: # #logformat icap_squid %ts.%03tu %6icap::tr %>a %icap::to/%03icap::hs %icap::<size %icap::rm %icap::ru% %un -/%icap::<a - # # see also: logformat, log_icap, , %icap::<last_h #default: # none # tag: log_access allow|deny acl acl... # this options allows control requests gets logged # to access.log (see access_log directive). requests denied # logging not accounted in performance counters. # # this clause supports fast acl types. # see http://wiki.squid-cache.org/squidfaq/squidacl details. #default: # none # tag: log_icap # this options allows control requests logged # to icap.log. see icap_log directive icap log details. #default: # none # tag: cache_store_log # logs activities of storage manager. shows # objects ejected cache, , objects # saved , how long. disable, enter "none" or remove line. # there not utilities analyze data, can safely # disable it. # # example: # cache_store_log /var/log/squid3/store.log #default: # none # tag: cache_swap_state # location cache "swap.state" file. index file holds # the metadata of objects saved on disk. used rebuild # the cache during startup. file resides in each # 'cache_dir' directory, may specify alternate # pathname here. note must give full filename, not # a directory. since index whole object # list cannot periodically rotate it! # # if %s can used in file name replaced # a representation of cache_dir name each / replaced # with '.'. 
needed allow adding/removing cache_dir # lines when cache_swap_log being used. # # if have more 1 'cache_dir', , %s not used in name # these swap logs have names such as: # # cache_swap_log.00 # cache_swap_log.01 # cache_swap_log.02 # # the numbered extension (which added automatically) # corresponds order of 'cache_dir' lines in # configuration file. if change order of 'cache_dir' # lines in file, these index files not correspond # the correct 'cache_dir' entry (unless manually rename # them). recommend not use option. # better keep these index files in each 'cache_dir' directory. #default: # none # tag: logfile_rotate # specifies number of logfile rotations make when # type 'squid -k rotate'. default 10, rotate # with extensions 0 through 9. setting logfile_rotate 0 # disable file name rotation, logfiles still closed # and re-opened. enable rename logfiles # yourself before sending rotate signal. # # note, 'squid -k rotate' command sends usr1 # signal running squid process. in situations # (e.g. on linux async i/o), usr1 used other # purposes, -k rotate uses signal. best # in habit of using 'squid -k rotate' instead of 'kill -usr1 # <pid>'. # # note, squid-3.1 option has no effect on cache.log, # that log can rotated separately using debug_options # # note2, debian/linux default of logfile_rotate # zero, since includes external logfile-rotation methods. #default: # logfile_rotate 0 # tag: emulate_httpd_log on|off # the cache can emulate log file format many 'httpd' # programs use. disable/enable emulation, set # emulate_httpd_log 'off' or 'on'. default # is use native log format since includes useful # information squid-specific log analyzers use. #default: # emulate_httpd_log off # tag: log_ip_on_direct on|off # log destination ip address in hierarchy log tag when going # direct. earlier squid versions logged hostname here. if # prefer old way set off. #default: # log_ip_on_direct on # tag: mime_table # pathname squid's mime table. 
shouldn't need change # this, default file contains examples , formatting # information if do. #default: # mime_table /usr/share/squid3/mime.conf # tag: log_mime_hdrs on|off # the cache can record both request , response mime # headers each http transaction. headers encoded # safely , appear 2 bracketed fields @ end of # the access log (for either native or httpd-emulated log # formats). enable logging set log_mime_hdrs 'on'. #default: # log_mime_hdrs off # tag: useragent_log # note: option available if squid rebuilt # --enable-useragent-log option # # squid write user-agent field http requests # to filename specified here. default useragent_log # is disabled. #default: # none # tag: referer_log # note: option available if squid rebuilt # --enable-referer-log option # # squid write referer field http requests # filename specified here. default referer_log disabled. # note "referer" misspelling of "referrer" # however misspelt version has been accepted http rfcs # and accept both. #default: # none # tag: pid_filename # a filename write process-id to. disable, enter "none". #default: # pid_filename /var/run/squid3.pid # tag: log_fqdn on|off # turn on if wish log qualified domain names # in access.log. squid dns lookup of # ip's connecting it. can (in situations) increase # latency, makes cache seem slower interactive # browsing. #default: # log_fqdn off # tag: client_netmask # a netmask client addresses in logfiles , cachemgr output. # change protect privacy of cache clients. # a netmask of 255.255.255.0 log ip's in range # the last digit set '0'. #default: # client_netmask no_addr # tag: forward_log # note: option available if squid rebuilt # -dwip_fwd_log define # # logs server-side requests. # # this work in progress. #default: # none # tag: strip_query_terms # by default, squid strips query terms requested urls before # logging. protects user's privacy. 
#default: # strip_query_terms on # tag: buffered_logs on|off # cache.log log file written stdio functions, , such # it can buffered or unbuffered. default unbuffered. # buffering can speed writing (though # unlikely need worry unless run tons of debugging # enabled in case performance suffer badly anyway..). #default: # buffered_logs off # tag: netdb_filename # note: option available if squid rebuilt # --enable-icmp option # # a filename squid stores it's netdb state between restarts. # to disable, enter "none". #default: # netdb_filename /var/log/squid3/netdb.state # options troubleshooting # ----------------------------------------------------------------------------- # tag: cache_log # cache logging file. general information # your cache's behavior goes. can increase amount of data # logged file , how rotated "debug_options" #default: # cache_log /var/log/squid3/cache.log # tag: debug_options # logging options set section,level each source file # is assigned unique section. lower levels result in less # output, full debugging (level 9) can result in large # log file, careful. # # the magic word "all" sets debugging levels sections. # we recommend running "all,1". # # the rotate=n option can used keep more or less of these logs # than otherwise kept logfile_rotate. # for uses single log should enough monitor current # events affecting squid. #default: # debug_options all,1 # tag: coredump_dir # by default squid leaves core files in directory # it started. if set 'coredump_dir' directory # that exists, squid chdir() directory @ startup # and coredump files left there. 
# #default: # coredump_dir none # # leave coredumps in first cache dir coredump_dir /var/spool/squid3 # options ftp gatewaying # ----------------------------------------------------------------------------- # tag: ftp_user # if want anonymous login password more informative # (and enable use of picky ftp servers), set # reasonable domain, wwwuser@somewhere.net # # the reason why domainless default # request can made on behalf of user in domain, # depending on how cache used. # some ftp server validate email address valid # (for example perl.com). #default: # ftp_user squid@ # tag: ftp_list_width # sets width of ftp listings. should set fit in # the width of standard browser. setting small # can cut off long filenames when browsing ftp sites. #default: # ftp_list_width 32 # tag: ftp_passive # if firewall not allow squid use passive # connections, turn off option. # # use of ftp_epsv_all option requires on. #default: # ftp_passive on # tag: ftp_epsv_all # ftp protocol extensions permit use of special "epsv all" command. # # nats may able put connection on "fast path" through # translator, eprt command never used , therefore, # translation of data portion of segments never needed. # # when client expects two-way ftp transfers may # useful. # if squid finds must three-way ftp transfer after issuing # an epsv command, ftp session fail. # # if have doubts option not use it. # squid nicely attempt other connection methods. # # requires ftp_passive on (default) effect. #default: # ftp_epsv_all off # tag: ftp_epsv # ftp protocol extensions permit use of special "epsv" command. # # nats may able put connection on "fast path" through # translator using epsv, eprt command never used # and therefore, translation of data portion of segments # will never needed. # # turning off prevent epsv being attempted. # warning: doing convert squid old behavior # the related problems external nat devices/layers. # # requires ftp_passive on (default) effect. 
#default: # ftp_epsv on # tag: ftp_eprt # ftp protocol extensions permit use of special "eprt" command. # # this extension provides protocol neutral alternative # ipv4-only port command. when supported enables active ftp data # channels on ipv6 , efficient nat handling. # # turning off prevent eprt being attempted , skip # straight using port ipv4 servers. # # some devices known not handle extension correctly , # may result in crashes. devices suport eprt enough fail # cleanly result in squid attempting port anyway. directive # should disabled when eprt results in device failures. # # warning: doing convert squid old behavior # the related problems external nat devices/layers , ipv4-only ftp. #default: # ftp_eprt on # tag: ftp_sanitycheck # for security , data integrity reasons squid default performs # sanity checks of addresses of ftp data connections ensure # data connection requested server. if need allow # ftp connections servers using ip address data # connection turn off. #default: # ftp_sanitycheck on # tag: ftp_telnet_protocol # the ftp protocol officially defined use telnet protocol # as transport channel control connection. however, many # implementations broken , not respect aspect of # the ftp protocol. # # if have trouble accessing files ascii code 255 in # path or similar problems involving ascii code can # try setting directive off. if helps, report # operator of ftp server in question ftp server # is broken , not follow ftp standard. #default: # ftp_telnet_protocol on # options external support programs # ----------------------------------------------------------------------------- # tag: diskd_program # specify location of diskd executable. # note useful if have compiled in # diskd 1 of store io modules. #default: # diskd_program /usr/lib/squid3/diskd # tag: unlinkd_program # specify location of executable file deletion process. 
#default: # unlinkd_program /usr/lib/squid3/unlinkd # tag: pinger_program # note: option available if squid rebuilt # --enable-icmp option # # specify location of executable pinger process. #default: # pinger_program /usr/lib/squid3/pinger # tag: pinger_enable # note: option available if squid rebuilt # --enable-icmp option # # control whether pinger active @ run-time. # enables turning icmp pinger on , off simple # squid -k reconfigure. #default: # pinger_enable off # options url rewriting # ----------------------------------------------------------------------------- # tag: url_rewrite_program # specify location of executable url rewriter use. #jonathan work squidguard hook in #url_rewrite_program /usr/local/squidguard -c /usr/local/squidguard/squidguard.conf # since can perform function there isn't 1 included. # # for each requested url, rewriter receive on line format # # url <sp> client_ip "/" fqdn <sp> user <sp> method [<sp> kvpairs]<nl> # # in future, rewriter interface extended # key=value pairs ("kvpairs" shown above). rewriter programs # should prepared receive , possibly ignore additional # whitespace-separated tokens on each input line. # # and rewriter may return rewritten url. other components of # the request line not need returned (ignored if are). # # the rewriter can indicate client-side redirect should # be performed new url. done prefixing returned # url "301:" (moved permanently) or 302: (moved temporarily), etc. # # by default, url rewriter not used. #default: # none # tag: url_rewrite_children # the number of redirector processes spawn. if start # too few squid have wait them process backlog of # urls, slowing down. if start many use ram # and other system resources. #default: # url_rewrite_children 5 # tag: url_rewrite_concurrency # the number of requests each redirector helper can handle in # parallel. defaults 0 indicates redirector # is old-style single threaded redirector. 
# # when directive set value >= 1 protocol # used communicate helper modified include # a request id in front of request/response. request # id request must echoed response # to request. #default: # url_rewrite_concurrency 0 # tag: url_rewrite_host_header # by default squid rewrites host: header in redirected # requests. if running accelerator may # not wanted effect of redirector. # # warning: entries cached on result of url rewriting # process, careful if have domain-virtual hosts. #default: # url_rewrite_host_header on # tag: url_rewrite_access # if defined, access list specifies requests # sent redirector processes. default requests # are sent. # # this clause supports both fast , slow acl types. # see http://wiki.squid-cache.org/squidfaq/squidacl details. #default: # none # tag: url_rewrite_bypass # when 'on', request not go through # redirector if redirectors busy. if 'off' # and redirector queue grows large, squid exit # with fatal error , ask increase number of # redirectors. should enable if redirectors # are not critical caching system. if use # redirectors access control, , enable option, # users may have access pages should not # be allowed request. #default: # url_rewrite_bypass off # options tuning cache # ----------------------------------------------------------------------------- # tag: cache # a list of acl elements which, if matched , denied, cause request # not satisfied cache , reply not cached. # in other words, use force objects never cached. # # you must use words 'allow' or 'deny' indicate whether items # matching acl should allowed or denied cache. # # default allow cached. # # this clause supports both fast , slow acl types. # see http://wiki.squid-cache.org/squidfaq/squidacl details. #default: # none # tag: refresh_pattern # usage: refresh_pattern [-i] regex min percent max [options] # # by default, regular expressions case-sensitive. make # them case-insensitive, use -i option. 
# # 'min' time (in minutes) object without explicit # expiry time should considered fresh. recommended # value 0, higher values may cause dynamic applications # to erroneously cached unless application designer # has taken appropriate actions. # # 'percent' percentage of objects age (time since last # modification age) object without explicit expiry time # will considered fresh. # # 'max' upper limit on how long objects without explicit # expiry time considered fresh. # # options: override-expire # override-lastmod # reload-into-ims # ignore-reload # ignore-no-cache # ignore-no-store # ignore-must-revalidate # ignore-private # ignore-auth # refresh-ims # # override-expire enforces min age if server # sent explicit expiry time (e.g., # expires: header or cache-control: max-age). doing # violates http standard. enabling feature # could make liable problems causes. # # note: override-expire not enforce staleness - extends # freshness / min. if server returns expires time # is longer max time, squid still consider # the object fresh period of time. # # override-lastmod enforces min age on objects # that modified recently. # # reload-into-ims changes client no-cache or ``reload'' # to if-modified-since requests. doing violates # http standard. enabling feature make # liable problems causes. # # ignore-reload ignores client no-cache or ``reload'' # header. doing violates http standard. enabling # this feature make liable problems # it causes. # # ignore-no-cache ignores ``pragma: no-cache'' , # ``cache-control: no-cache'' headers received server. # the http rfc never allows use of (pragma) header # from server, client, though plenty of servers # send anyway. # # ignore-no-store ignores ``cache-control: no-store'' # headers received server. doing violates # the http standard. enabling feature make # liable problems causes. # # ignore-must-revalidate ignores ``cache-control: must-revalidate`` # headers received server. doing violates # the http standard. 
# enabling feature make
# liable problems causes.
#
# ignore-private ignores ``cache-control: private''
# headers received server. doing violates
# the http standard. enabling feature make
# liable problems causes.
#
# ignore-auth caches responses requests authorization,
# as if originserver had sent ``cache-control: public''
# in response header. doing violates http standard.
# enabling feature make liable problems
# it causes.
#
# refresh-ims causes squid contact origin server
# when client issues if-modified-since request.
# ensures client receive updated version
# if 1 available.
#
# basically cached object is:
#
# fresh if expires < now, else stale
# stale if age > max
# fresh if lm-factor < percent, else stale
# fresh if age < min
# else stale
#
# the refresh_pattern lines checked in order listed here.
# the first entry matches used. if none of entries
# match default used.
#
# note, must uncomment default lines if want
# to change one. default setting active if none
# used.
#
#
# add of own refresh_pattern entries above these.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
# example lin deb packages
#refresh_pattern (\.deb|\.udeb)$   129600 100% 129600
refresh_pattern .               0       20%     4320

# tag: quick_abort_min (kb)
#default:
# quick_abort_min 16 kb

# tag: quick_abort_max (kb)
#default:
# quick_abort_max 16 kb

# tag: quick_abort_pct (percent)
# the cache default continues downloading aborted requests
# which completed (less 16 kb remaining).
# may undesirable on slow (e.g. slip) links and/or busy
# caches. impatient users may tie file descriptors ,
# bandwidth repeatedly requesting , aborting
# downloads.
#
# when user aborts request, squid check
# quick_abort values amount of data transfered until
# then.
#
# if transfer has less 'quick_abort_min' kb remaining,
# it finish retrieval.
# # if transfer has more 'quick_abort_max' kb remaining, # it abort retrieval. # # if more 'quick_abort_pct' of transfer has completed, # it finish retrieval. # # if not want retrieval continue after client # has aborted, set both 'quick_abort_min' , 'quick_abort_max' # to '0 kb'. # # if want retrievals continue if being # cached set 'quick_abort_min' '-1 kb'. #default: # quick_abort_pct 95 # tag: read_ahead_gap buffer-size # the amount of data cache buffer ahead of has been # sent client when retrieving object server. #default: # read_ahead_gap 16 kb # tag: negative_ttl time-units # set default time-to-live (ttl) failed requests. # certain types of failures (such "connection refused" , # "404 not found") able negatively-cached short time. # modern web servers should provide expires: header, if # do not can provide minimum ttl. # the default not cache errors unknown expiry details. # # note different negative caching of dns lookups. # # warning: doing violates http standard. enabling # this feature make liable problems # causes. #default: # negative_ttl 0 seconds # tag: positive_dns_ttl time-units # upper limit on how long squid cache positive dns responses. # default 6 hours (360 minutes). directive must set # larger negative_dns_ttl. #default: # positive_dns_ttl 6 hours # tag: negative_dns_ttl time-units # time-to-live (ttl) negative caching of failed dns lookups. # this sets lower cache limit on positive lookups. # minimum value 1 second, , not recommendable go # much below 10 seconds. #default: # negative_dns_ttl 1 minutes # tag: range_offset_limit (bytes) # sets upper limit on how far the file range request # may cause squid prefetch whole file. if beyond # limit squid forwards range request , result # is not cached. # # this stop far ahead range request (lets start @ 17mb) # from making squid fetch whole object point before # sending client. # # a value of 0 causes squid never fetch more # client requested. 
(default) # # a value of -1 causes squid fetch object # beginning may cache result. (2.0 style) # # np: using -1 here override quick_abort settings may # otherwise apply range request. range request # fetched start finish regardless of client # actions. affects bandwidth usage. #default: # range_offset_limit 0 kb # tag: minimum_expiry_time (seconds) # the minimum caching time according (expires - date) # headers squid honors if object can't revalidated # defaults 60 seconds. in reverse proxy environments # might desirable honor shorter object lifetimes. # is better make server return # meaningful last-modified header however. in esi environments # where page fragments have short lifetimes, # often best set 0. #default: # minimum_expiry_time 60 seconds # tag: store_avg_object_size (kbytes) # average object size, used estimate number of objects # cache can hold. default 13 kb. #default: # store_avg_object_size 13 kb # tag: store_objects_per_bucket # target number of objects per bucket in store hash table. # lowering value increases total number of buckets , # also storage maintenance rate. default 20. #default: # store_objects_per_bucket 20 # http options # ----------------------------------------------------------------------------- # tag: request_header_max_size (kb) # this specifies maximum size http headers in request. # request headers relatively small (about 512 bytes). # placing limit on request header size catch # bugs (for example persistent connections) , possibly # buffer-overflow or denial-of-service attacks. #default: # request_header_max_size 64 kb # tag: reply_header_max_size (kb) # this specifies maximum size http headers in reply. # reply headers relatively small (about 512 bytes). # placing limit on reply header size catch # bugs (for example persistent connections) , possibly # buffer-overflow or denial-of-service attacks. #default: # reply_header_max_size 64 kb # tag: request_body_max_size (bytes) # this specifies maximum size http request body. 
# in other words, maximum size of put/post request. # a user attempts send request body larger # than limit receives "invalid request" error message. # if set parameter 0 (the default), there # be no limit imposed. #default: # request_body_max_size 0 kb # tag: client_request_buffer_max_size (bytes) # this specifies maximum buffer size of client request. # it prevents squid eating memory when uploads # a large file. #default: # client_request_buffer_max_size 512 kb # tag: chunked_request_body_max_size (bytes) # a broken or confused http/1.1 client may send chunked http # request squid. squid not have full support # feature yet. cope such requests, squid buffers # entire request , dechunks request body create # plain http/1.0 request known content length. plain # request used rest of squid code usual. # # the option value specifies maximum size of buffer used # to hold request before conversion. if chunked # request size exceeds specified limit, conversion # fails, , client receives "unsupported request" error, # as if dechunking disabled. # # dechunking enabled default. disable conversion of # chunked requests, set maximum zero. # # request dechunking feature , option in particular # temporary hack. when chunking requests , responses # supported, there no need buffer chunked request. #default: # chunked_request_body_max_size 64 kb # tag: broken_posts # a list of acl elements which, if matched, causes squid send # an crlf pair after body of put/post request. # # some http servers has broken implementations of put/post, # and rely on crlf pair sent www clients. # # quote rfc2616 section 4.1 on matter: # # note: buggy http/1.0 client implementations generate # crlf's after post request. restate explicitly # forbidden bnf, http/1.1 client must not preface or follow # request crlf. # # this clause supports fast acl types. # see http://wiki.squid-cache.org/squidfaq/squidacl details. # #example: # acl buggy_server url_regex ^http://.... 
# broken_posts allow buggy_server #default: # none # tag: icap_uses_indirect_client on|off # controls whether indirect client ip address (instead of direct # client ip address) passed adaptation services. # # see also: follow_x_forwarded_for adaptation_send_client_ip #default: # icap_uses_indirect_client on # tag: via on|off # if set (default), squid include via header in requests , # replies required rfc2616. #default: # via on # tag: ie_refresh on|off # microsoft internet explorer until version 5.5 service # pack 1 has issue transparent proxies, wherein # is impossible force refresh. turning on provides # a partial fix problem, causing ims-refresh # requests older ie versions check origin server # for fresh content. reduces hit ratio amount # (~10% in experience), allows users # fresh content when want it. note because squid # cannot tell if user using 5.5 or 5.5sp1, behavior # of 5.5 unchanged old versions of squid (i.e. # forced refresh impossible). newer versions of ie will, # hopefully, continue have new behavior , # handled based on assumption. option defaults # the old squid behavior, better hit ratios # worse clients using ie, if need able # force fresh content. #default: # ie_refresh off # tag: vary_ignore_expire on|off # many http servers supporting vary gives such objects # immediate expiry time no cache-control header # when requested http/1.0 client. option # enables squid ignore such expiry times until # http/1.1 implemented. # # warning: if turned on may cause # varying objects not intended caching cached. #default: # vary_ignore_expire off # tag: request_entities # squid defaults deny , head requests request entities, # as meaning of such requests undefined in http standard # even if not explicitly forbidden. # # set directive on if have clients insists # on sending request entities in or head requests. 
warned # that there server software (both proxies , web servers) # can fail process kind of request may make # vulnerable cache pollution attacks if enabled. #default: # request_entities off # tag: request_header_access # usage: request_header_access header_name allow|deny [!]aclname ... # # warning: doing violates http standard. enabling # this feature make liable problems # causes. # # this option replaces old 'anonymize_headers' , # older 'http_anonymizer' option # more configurable. new method creates list of acls # for each header, allowing fine-tuned header # mangling. # # this option applies request headers, i.e., # client server. # # you can specify known headers header name. # other headers reclassified 'other'. can # refer headers 'all'. # # for example, achieve same behavior old # 'http_anonymizer standard' option, should use: # # request_header_access deny # request_header_access referer deny # request_header_access server deny # request_header_access user-agent deny # request_header_access www-authenticate deny # request_header_access link deny # # or, reproduce old 'http_anonymizer paranoid' feature # you should use: # # request_header_access allow allow # request_header_access authorization allow # request_header_access www-authenticate allow # request_header_access proxy-authorization allow # request_header_access proxy-authenticate allow # request_header_access cache-control allow # request_header_access content-encoding allow # request_header_access content-length allow # request_header_access content-type allow # request_header_access date allow # request_header_access expires allow # request_header_access host allow # request_header_access if-modified-since allow # request_header_access last-modified allow # request_header_access location allow # request_header_access pragma allow # request_header_access accept allow # request_header_access accept-charset allow # request_header_access accept-encoding allow # request_header_access accept-language 
allow # request_header_access content-language allow # request_header_access mime-version allow # request_header_access retry-after allow # request_header_access title allow # request_header_access connection allow # request_header_access deny # # although many of http reply headers, , should # controlled reply_header_access directive. # # by default, headers allowed (no anonymizing # performed). #default: # none # tag: reply_header_access # usage: reply_header_access header_name allow|deny [!]aclname ... # # warning: doing violates http standard. enabling # this feature make liable problems # causes. # # this option applies reply headers, i.e., # server client. # # this same request_header_access, in other # direction. # # this option replaces old 'anonymize_headers' , # older 'http_anonymizer' option # more configurable. new method creates list of acls # for each header, allowing fine-tuned header # mangling. # # you can specify known headers header name. # other headers reclassified 'other'. can # refer headers 'all'. 
# # for example, achieve same behavior old # 'http_anonymizer standard' option, should use: # # reply_header_access deny # reply_header_access referer deny # reply_header_access server deny # reply_header_access user-agent deny # reply_header_access www-authenticate deny # reply_header_access link deny # # or, reproduce old 'http_anonymizer paranoid' feature # you should use: # # reply_header_access allow allow # reply_header_access authorization allow # reply_header_access www-authenticate allow # reply_header_access proxy-authorization allow # reply_header_access proxy-authenticate allow # reply_header_access cache-control allow # reply_header_access content-encoding allow # reply_header_access content-length allow # reply_header_access content-type allow # reply_header_access date allow # reply_header_access expires allow # reply_header_access host allow # reply_header_access if-modified-since allow # reply_header_access last-modified allow # reply_header_access location allow # reply_header_access pragma allow # reply_header_access accept allow # reply_header_access accept-charset allow # reply_header_access accept-encoding allow # reply_header_access accept-language allow # reply_header_access content-language allow # reply_header_access mime-version allow # reply_header_access retry-after allow # reply_header_access title allow # reply_header_access connection allow # reply_header_access deny # # although http request headers won't usefully controlled # by directive -- see request_header_access details. # # by default, headers allowed (no anonymizing # performed). #default: # none # tag: request_header_replace # usage: request_header_replace header_name message # example: request_header_replace user-agent nutscrape/1.0 (cp/m; 8-bit) # # this option allows change contents of headers # denied request_header_access above, replacing them # with fixed string. replaces old fake_user_agent # option. # # this applies request headers, not reply headers. 
# # by default, headers removed if denied. #default: # none # tag: reply_header_replace # usage: reply_header_replace header_name message # example: reply_header_replace server foo/1.0 # # option allows change contents of headers # denied reply_header_access above, replacing them # fixed string. # # applies reply headers, not request headers. # # default, headers removed if denied. #default: # none # tag: relaxed_header_parser on|off|warn # in default "on" setting squid accepts forms # of non-compliant http messages unambiguous # what sending application intended if message # is not correctly formatted. messages normalized # to correct form when forwarded squid. # # if set "warn" warning emitted in cache.log # each time such http error encountered. # # if set "off" such http errors cause request # or response rejected. #default: # relaxed_header_parser on # tag: ignore_expect_100 on|off # this option makes squid ignore expect: 100-continue header present # in request. rfc 2616 requires squid being unable satisfy # the response expectation must return 417 error. # # note: enabling http protocol violation, clients may # not handle well.. #default: # ignore_expect_100 off # timeouts # ----------------------------------------------------------------------------- # tag: forward_timeout time-units # this parameter specifies how long squid should @ attempt in # finding forwarding path request before giving up. #default: # forward_timeout 4 minutes # tag: connect_timeout time-units # this parameter specifies how long wait tcp connect # the requested server or peer complete before squid should # attempt find path forward request. #default: # connect_timeout 1 minute # tag: peer_connect_timeout time-units # this parameter specifies how long wait pending tcp # connection peer cache. default 30 seconds. # may set different timeout values individual neighbors # with 'connect-timeout' option on 'cache_peer' line. 
#default: # peer_connect_timeout 30 seconds # tag: read_timeout time-units # the read_timeout applied on server-side connections. after # each successful read(), timeout extended # amount. if no data read again after amount of time, # the request aborted , logged err_read_timeout. # default 15 minutes. #default: # read_timeout 15 minutes # tag: request_timeout # how long wait http request after initial # connection establishment. #default: # request_timeout 5 minutes # tag: persistent_request_timeout # how long wait next http request on persistent # connection after previous request completes. #default: # persistent_request_timeout 2 minutes # tag: client_lifetime time-units # the maximum amount of time client (browser) allowed # remain connected cache process. protects cache # from having lot of sockets (and hence file descriptors) tied # in close_wait state remote clients go away without # properly shutting down (either because of network failure or # because of poor client implementation). default 1 # day, 1440 minutes. # # note: default value intended larger # client ever need connected cache. # should change client_lifetime last resort. # if seem have many client connections tying # filedescriptors, recommend first tuning read_timeout, # request_timeout, persistent_request_timeout , quick_abort values. #default: # client_lifetime 1 day # tag: half_closed_clients # some clients may shutdown sending side of tcp # connections, while leaving receiving sides open. sometimes, # squid can not tell difference between half-closed , # fully-closed tcp connection. # # by default, squid close client connections when # read(2) returns "no more data read." # # change option 'on' , squid keep open connections # until read(2) or write(2) on socket returns error. # this may show benefits reverse proxies. if not # it recommended leave off. #default: # half_closed_clients off # tag: pconn_timeout # timeout idle persistent connections servers , other # proxies. 
#default: # pconn_timeout 1 minute # tag: ident_timeout # maximum time wait ident lookups complete. # # if high, , enabled ident lookups untrusted # users, might susceptible denial-of-service having # many ident requests going @ once. #default: # ident_timeout 10 seconds # tag: shutdown_lifetime time-units # when sigterm or sighup received, cache put # "shutdown pending" mode until active sockets closed. # this value lifetime set open descriptors # during shutdown mode. active clients after many # seconds receive 'timeout' message. #default: # shutdown_lifetime 30 seconds # administrative parameters # ----------------------------------------------------------------------------- # tag: cache_mgr # email-address of local cache manager receive # mail if cache dies. default "webmaster." #default: # cache_mgr webmaster # tag: mail_from # from: email-address mail sent when cache dies. # the default use 'appname@unique_hostname'. # default appname value "squid", can changed # src/globals.h before building squid. #default: # none # tag: mail_program # email program used send mail if cache dies. # the default "mail". specified program must comply # with standard unix mail syntax: # mail-program recipient < mailfile # # optional command line options can specified. #default: # mail_program mail # tag: cache_effective_user # if start squid root, change effective/real # uid/gid user specified below. default change # to uid of proxy. # see also; cache_effective_group #default: # cache_effective_user proxy # tag: cache_effective_group # squid sets gid effective user's default group id # (taken password file) , supplementary group list # from groups membership. # # if want squid run specific gid regardless of # the group memberships of effective user set # to group (or gid) want squid run as. when set # all other group privileges of effective user ignored # and gid effective. if squid not started # root user starting squid must member of specified # group. 
#
# this option not recommended squid team.
# our preference administrators configure secure
# user account squid uid/gid matching system policies.
#default:
# none

# tag: httpd_suppress_version_string on|off
# suppress squid version string info in http headers , html error pages.
#default:
# httpd_suppress_version_string off

# tag: visible_hostname
#jonathan work
visible_hostname staproxyserver
# if want present special hostname in error messages, etc,
# define this. otherwise, return value of gethostname()
# will used. if have multiple caches in cluster ,
# get errors ip-forwarding must set them have individual
# names setting.
#default:
# visible_hostname localhost

# tag: unique_hostname
# if want have multiple machines same
# 'visible_hostname' must give each machine different
# 'unique_hostname' forwarding loops can detected.
#default:
# none

# tag: hostname_aliases
# a list of other dns names cache has.
#default:
# none

# tag: umask
# minimum umask should enforced while proxy
# is running, in addition umask set @ startup.
#
# for traditional octal representation of umasks, start
# value 0.
#default:
# umask 027

# options cache registration service
# -----------------------------------------------------------------------------
#
# this section contains parameters (optional) cache
# announcement service. service provided
# cache administrators locate 1 in order join or
# create cache hierarchies.
#
# an 'announcement' message sent (via udp) registration
# service squid. default, announcement message not
# sent unless enable 'announce_period' below.
#
# the announcement message includes hostname, plus
# following information configuration file:
#
# http_port
# icp_port
# cache_mgr
#
# all current information processed regularly , made
# available on web @ http://www.ircache.net/cache/tracker/.

# tag: announce_period
# this how send cache announcements.
# default `0' disables sending announcement
# messages.
#
# to enable announcing cache, set announce period.
# # example: # announce_period 1 day #default: # announce_period 0 # tag: announce_host #default: # announce_host tracker.ircache.net # tag: announce_file #default: # none # tag: announce_port # announce_host , announce_port set hostname , port # number registration message sent. # # hostname default 'tracker.ircache.net' , port # default default 3131. if 'filename' argument given, # the contents of file included in announce # message. #default: # announce_port 3131 # httpd-accelerator options # ----------------------------------------------------------------------------- # tag: httpd_accel_surrogate_id # surrogates (http://www.esi.org/architecture_spec_1.0.html) # need identification token allow control targeting. because # a farm of surrogates may perform same tasks, may share # an identification token. #default: # httpd_accel_surrogate_id unset-id # tag: http_accel_surrogate_remote on|off # remote surrogates (such in cdn) honour surrogate-control: no-store-remote. # set on have squid behave remote surrogate. #default: # http_accel_surrogate_remote off # tag: esi_parser libxml2|expat|custom # esi markup not strictly xml compatible. custom esi parser # will give higher performance, cannot handle non ascii character # encodings. #default: # esi_parser custom # delay pool parameters # ----------------------------------------------------------------------------- # tag: delay_pools # this represents number of delay pools used. example, # if have 1 class 2 delay pool , 1 class 3 delays pool, # have total of 2 delay pools. #default: # delay_pools 0 # tag: delay_class # this defines class of each delay pool. there must 1 # delay_class line each delay pool. 
example, define 2 # delay pools, 1 of class 2 , 1 of class 3, settings above # and here be: # # example: # delay_pools 4 # 4 delay pools # delay_class 1 2 # pool 1 class 2 pool # delay_class 2 3 # pool 2 class 3 pool # delay_class 3 4 # pool 3 class 4 pool # delay_class 4 5 # pool 4 class 5 pool # # the delay pool classes are: # # class 1 everything limited single aggregate # bucket. # # class 2 everything limited single aggregate # bucket "individual" bucket chosen # from bits 25 through 32 of ipv4 address. # # class 3 everything limited single aggregate # bucket "network" bucket chosen # from bits 17 through 24 of ip address , # "individual" bucket chosen bits 17 through # 32 of ipv4 address. # # class 4 everything in class 3 delay pool, # additional limit on per user basis. # only takes effect if username established # in advance - forcing authentication in # http_access rules. # # class 5 requests grouped according tag (see # external_acl's tag= reply). # # # each pool requires delay_parameters directive configure pool size # and speed limits used whenever pool applied request. along # a set of delay_access directives determine when used. # # note: if ip address a.b.c.d # -> bits 25 through 32 "d" # -> bits 17 through 24 "c" # -> bits 17 through 32 "c * 256 + d" # # note-2: due use of bitmasks in class 2,3,4 pools apply # ipv4 traffic. class 1 , 5 pools may used ipv6 traffic. #default: # none # tag: delay_access # this used determine delay pool request falls into. # # delay_access sorted per pool , matching starts pool 1, # then pool 2, ..., , pool n. first delay pool # request allowed selected request. if not allow # the request pool request not delayed (default). 
# # for example, if want some_big_clients in delay # pool 1 , lotsa_little_clients in delay pool 2: # #example: # delay_access 1 allow some_big_clients # delay_access 1 deny # delay_access 2 allow lotsa_little_clients # delay_access 2 deny # delay_access 3 allow authenticated_clients #default: # none # tag: delay_parameters # this defines parameters delay pool. each delay pool has # a number of "buckets" associated it, explained in # description of delay_class. # # for class 1 delay pool, syntax is: # delay_pools pool 1 # delay_parameters pool aggregate # # for class 2 delay pool: # delay_pools pool 2 # delay_parameters pool aggregate individual # # for class 3 delay pool: # delay_pools pool 3 # delay_parameters pool aggregate network individual # # for class 4 delay pool: # delay_pools pool 4 # delay_parameters pool aggregate network individual user # # for class 5 delay pool: # delay_pools pool 5 # delay_parameters pool tagrate # # the option variables are: # # pool a pool number - ie, number between 1 , # number specified in delay_pools used in # delay_class lines. # # aggregate the speed limit parameters aggregate bucket # (class 1, 2, 3). # # individual the speed limit parameters individual # buckets (class 2, 3). # # network the speed limit parameters network buckets # (class 3). # # user the speed limit parameters user buckets # (class 4). # # tagrate the speed limit parameters tag buckets # (class 5). # # a pair of delay parameters written restore/maximum, restore # the number of bytes (not bits - modem , network speeds # quoted in bits) per second placed bucket, , maximum # maximum number of bytes can in bucket @ time. # # there must 1 delay_parameters line each delay pool. # # # for example, if delay pool number 1 class 2 delay pool in # above example, , being used strictly limit each host 64kbit/sec # (plus overheads), no overall limit, line is: # # delay_parameters 1 -1/-1 8000/8000 # # note 8 x 8000 kbyte/sec -> 64kbit/sec. 
# # note figure -1 used represent "unlimited". # # # and, if delay pool number 2 class 3 delay pool in above # example, , want limit total of 256kbit/sec (strict limit) # with each 8-bit network permitted 64kbit/sec (strict limit) , each # individual host permitted 4800bit/sec bucket maximum size of 64kbits # to permit decent web page downloaded @ decent speed # (if network not being limited due overuse) slow down # large downloads more significantly: # # delay_parameters 2 32000/32000 8000/8000 600/8000 # # note 8 x 32000 kbyte/sec -> 256kbit/sec. # 8 x 8000 kbyte/sec -> 64kbit/sec. # 8 x 600 byte/sec -> 4800bit/sec. # # # finally, class 4 delay pool in example - each user # be limited 128kbits/sec no matter how many workstations logged into.: # # delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000 #default: # none # tag: delay_initial_bucket_level (percent, 0-100) # the initial bucket percentage used determine how put # in each bucket when squid starts, reconfigured, or first notices # a host accessing (in class 2 , class 3, individual hosts , # networks have buckets associated them once have been # "seen" squid). #default: # delay_initial_bucket_level 50 # wccpv1 , wccpv2 configuration options # ----------------------------------------------------------------------------- # tag: wccp_router # use option define wccp ``home'' router # squid. # # wccp_router supports single wccp(v1) router # # wccp2_router supports multiple wccpv2 routers # # only 1 of 2 may used @ same time , defines # which version of wccp use. #default: # wccp_router any_addr # tag: wccp2_router # use option define wccp ``home'' router # squid. # # wccp_router supports single wccp(v1) router # # wccp2_router supports multiple wccpv2 routers # # only 1 of 2 may used @ same time , defines # which version of wccp use. #default: # none # tag: wccp_version # this directive relevant if need set wccp(v1) # to old , end-of-life cisco routers. 
in other # setups must left unset or @ default setting. # it defines internal version in wccp(v1) protocol, # with version 4 being officially documented protocol. # # according users, cisco ios 11.2 , earlier # support wccp version 3. if you're using or earlier # version of ios, may need change value 3, otherwise # do not specify parameter. #default: # wccp_version 4 # tag: wccp2_rebuild_wait # if enabled squid wait cache dir rebuild finish # before sending first wccp2 hereiam packet #default: # wccp2_rebuild_wait on # tag: wccp2_forwarding_method # wccp2 allows setting of forwarding methods between # router/switch , cache. valid values follows: # # gre - gre encapsulation (forward packet in gre/wccp tunnel) # l2 - l2 redirect (forward packet using layer 2/mac rewriting) # # currently (as of ios 12.4) cisco routers support gre. # cisco switches support l2 redirect assignment method. #default: # wccp2_forwarding_method gre # tag: wccp2_return_method # wccp2 allows setting of return methods between # router/switch , cache packets cache # decides not handle. valid values follows: # # gre - gre encapsulation (forward packet in gre/wccp tunnel) # l2 - l2 redirect (forward packet using layer 2/mac rewriting) # # currently (as of ios 12.4) cisco routers support gre. # cisco switches support l2 redirect assignment. # # if "ip wccp redirect exclude in" command has been # enabled on cache interface, still safe # the proxy server use l2 redirect method if # option set gre. #default: # wccp2_return_method gre # tag: wccp2_assignment_method # wccp2 allows setting of methods assign wccp hash # valid values follows: # # hash - hash assignment # mask - mask assignment # # as general rule, cisco routers support hash assignment method # and cisco switches support mask assignment method. #default: # wccp2_assignment_method hash # tag: wccp2_service # wccp2 allows multiple traffic services. there 2 # types: "standard" , "dynamic". standard type defines # one service id - http (id 0). 
dynamic service ids can # 51 255 inclusive. in order use dynamic service id # one must define type of traffic redirected; done # using wccp2_service_info option. # # the "standard" type not require wccp2_service_info option, # just specifying service id suffice. # # md5 service authentication can enabled adding # "password=<password>" end of service declaration. # # examples: # # wccp2_service standard 0 # 'web-cache' standard service # wccp2_service dynamic 80 # dynamic service type # # fleshed out subsequent options. # wccp2_service standard 0 password=foo #default: # wccp2_service standard 0 # tag: wccp2_service_info # dynamic wccpv2 services require further information define # traffic wish have diverted. # # the format is: # # wccp2_service_info <id> protocol=<protocol> flags=<flag>,<flag>.. # priority=<priority> ports=<port>,<port>.. # # the relevant wccpv2 flags: # + src_ip_hash, dst_ip_hash # + source_port_hash, dst_port_hash # + src_ip_alt_hash, dst_ip_alt_hash # + src_port_alt_hash, dst_port_alt_hash # + ports_source # # the port list can 1 8 entries. # # example: # # wccp2_service_info 80 protocol=tcp flags=src_ip_hash,ports_source # priority=240 ports=80 # # note: service id must have been defined previous # 'wccp2_service dynamic <id>' entry. #default: # none # tag: wccp2_weight # each cache server gets assigned set of destination # hash proportional weight. #default: # wccp2_weight 10000 # tag: wccp_address #default: # wccp_address 0.0.0.0 # tag: wccp2_address # use option if require wccp use specific # interface address. # # the default behavior not bind specific address. #default: # wccp2_address 0.0.0.0 # persistent connection handling # ----------------------------------------------------------------------------- # # see "pconn_timeout" in timeouts section # tag: client_persistent_connections #default: # client_persistent_connections on # tag: server_persistent_connections # persistent connection support clients , servers. 
#	By default, Squid uses persistent connections (when allowed)
#	with its clients and servers.  You can use these options to
#	disable persistent connections with clients and/or servers.
#Default:
# server_persistent_connections on

#  TAG: persistent_connection_after_error
#	With this directive the use of persistent connections after
#	HTTP errors can be disabled. Useful if you have clients
#	who fail to handle errors on persistent connections proper.
#Default:
# persistent_connection_after_error on

#  TAG: detect_broken_pconn
#	Some servers have been found to incorrectly signal the use
#	of HTTP/1.0 persistent connections even on replies not
#	compatible, causing significant delays. This server problem
#	has mostly been seen on redirects.
#
#	By enabling this directive Squid attempts to detect such
#	broken replies and automatically assume the reply is finished
#	after 10 seconds timeout.
#Default:
# detect_broken_pconn off

# CACHE DIGEST OPTIONS
# -----------------------------------------------------------------------------

#  TAG: digest_generation
#	This controls whether the server will generate a Cache Digest
#	of its contents.  By default, Cache Digest generation is
#	enabled if Squid is compiled with --enable-cache-digests defined.
#Default:
# digest_generation on

#  TAG: digest_bits_per_entry
#	This is the number of bits of the server's Cache Digest which
#	will be associated with the Digest entry for a given HTTP
#	Method and URL (public key) combination.  The default is 5.
#Default:
# digest_bits_per_entry 5

#  TAG: digest_rebuild_period	(seconds)
#	This is the wait time between Cache Digest rebuilds.
#Default:
# digest_rebuild_period 1 hour

#  TAG: digest_rewrite_period	(seconds)
#	This is the wait time between Cache Digest writes to
#	disk.
#Default:
# digest_rewrite_period 1 hour

#  TAG: digest_swapout_chunk_size	(bytes)
#	This is the number of bytes of the Cache Digest to write to
#	disk at a time.  It defaults to 4096 bytes (4KB), the Squid
#	default swap page.
#Default:
# digest_swapout_chunk_size 4096 bytes

#  TAG: digest_rebuild_chunk_percentage	(percent, 0-100)
#	This is the percentage of the Cache Digest to be scanned at a
#	time.  By default it is set to 10% of the Cache Digest.
#Default:
# digest_rebuild_chunk_percentage 10

# SNMP OPTIONS
# -----------------------------------------------------------------------------

#  TAG: snmp_port
#	The port number where Squid listens for SNMP requests. To enable
#	SNMP support set this to a suitable port number. Port number
#	3401 is often used for the Squid SNMP agent. By default it's
#	set to "0" (disabled)
#
#	Example:
#		snmp_port 3401
#Default:
# snmp_port 0

#  TAG: snmp_access
#	Allowing or denying access to the SNMP port.
#
#	All access to the agent is denied by default.
#	usage:
#
#	snmp_access allow|deny [!]aclname ...
#
#	This clause only supports fast acl types.
#	See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#Example:
# snmp_access allow snmppublic localhost
# snmp_access deny all
#Default:
# snmp_access deny all

#  TAG: snmp_incoming_address
#Default:
# snmp_incoming_address any_addr

#  TAG: snmp_outgoing_address
#	Just like 'udp_incoming_address', but for the SNMP port.
#
#	snmp_incoming_address	is used for the SNMP socket receiving
#				messages from SNMP agents.
#	snmp_outgoing_address	is used for SNMP packets returned to SNMP
#				agents.
#
#	The default snmp_incoming_address is to listen on all
#	available network interfaces.
#
#	If snmp_outgoing_address is not set it will use the same socket
#	as snmp_incoming_address. Only change this if you want to have
#	SNMP replies sent using another address than where this Squid
#	listens for SNMP queries.
#
#	NOTE, snmp_incoming_address and snmp_outgoing_address can not have
#	the same value since they both use port 3401.
#Default:
# snmp_outgoing_address no_addr

# ICP OPTIONS
# -----------------------------------------------------------------------------

#  TAG: icp_port
#	The port number where Squid sends and receives ICP queries to
#	and from neighbor caches.  The standard UDP port for ICP is 3130.
#	Default is disabled (0).
#
#	Example:
#		icp_port 3130
#Default:
# icp_port 0

#  TAG: htcp_port
#	The port number where Squid sends and receives HTCP queries to
#	and from neighbor caches.  To turn it on you want to set it to
#	4827. By default it is set to "0" (disabled).
#
#	Example:
#		htcp_port 4827
#Default:
# htcp_port 0

#  TAG: log_icp_queries	on|off
#	If set, ICP queries are logged to access.log.
#	You may wish to disable this if your ICP load is VERY high to speed
#	things up or to simplify log analysis.
#Default:
# log_icp_queries on

#  TAG: udp_incoming_address
#	udp_incoming_address	is used for UDP packets received from other
#				caches.
#
#	The default behavior is to not bind to any specific address.
#
#	Only change this if you want to have all UDP queries received on
#	a specific interface/address.
#
#	NOTE: udp_incoming_address is used by the ICP, HTCP, and DNS
#	modules. Altering it will affect all of them in the same manner.
#
#	see also; udp_outgoing_address
#
#	NOTE, udp_incoming_address and udp_outgoing_address can not
#	have the same value since they both use the same port.
#Default:
# udp_incoming_address any_addr

#  TAG: udp_outgoing_address
#	udp_outgoing_address	is used for UDP packets sent out to other
#				caches.
#
#	The default behavior is to not bind to any specific address.
#
#	Instead it will use the same socket as udp_incoming_address.
#	Only change this if you want to have UDP queries sent using another
#	address than where this Squid listens for UDP queries from other
#	caches.
#
#	NOTE: udp_outgoing_address is used by the ICP, HTCP, and DNS
#	modules. Altering it will affect all of them in the same manner.
#
#	see also; udp_incoming_address
#
#	NOTE, udp_incoming_address and udp_outgoing_address can not
#	have the same value since they both use the same port.
#Default:
# udp_outgoing_address no_addr

#  TAG: icp_hit_stale	on|off
#	If you want to return ICP_HIT for stale cache objects, set this
#	option to 'on'.  If you have sibling relationships with caches
#	in other administrative domains, this should be 'off'.  If you only
#	have sibling relationships with caches under your control,
#	it is probably okay to set this to 'on'.
#	If set to 'on', your siblings should all set the option "allow-miss"
#	on their cache_peer lines for connecting to you.
#Default:
# icp_hit_stale off

#  TAG: minimum_direct_hops
#	If using the ICMP pinging stuff, do direct fetches for sites
#	which are no more than this many hops away.
#Default:
# minimum_direct_hops 4

#  TAG: minimum_direct_rtt
#	If using the ICMP pinging stuff, do direct fetches for sites
#	which are no more than this many rtt milliseconds away.
#Default:
# minimum_direct_rtt 400

#  TAG: netdb_low
#Default:
# netdb_low 900

#  TAG: netdb_high
#	The low and high water marks for the ICMP measurement
#	database.  These are counts, not percents.  The defaults are
#	900 and 1000.  When the high water mark is reached, database
#	entries will be deleted until the low mark is reached.
#Default:
# netdb_high 1000

#  TAG: netdb_ping_period
#	The minimum period for measuring a site.  There will be at
#	least this much delay between successive pings to the same
#	network.  The default is five minutes.
#Default:
# netdb_ping_period 5 minutes

#  TAG: query_icmp	on|off
#	If you want to ask your peers to include ICMP data in their ICP
#	replies, enable this option.
#
#	If your peer has configured Squid (during compilation) with
#	'--enable-icmp' that peer will send ICMP pings to origin server
#	sites of the URLs it receives.  If you enable this option the
#	ICP replies from that peer will include the ICMP data (if available).
#	Then, when choosing a parent cache, Squid will choose the parent with
#	the minimal RTT to the origin server.  When this happens, the
#	hierarchy field of the access.log will be
#	"CLOSEST_PARENT_MISS".  This option is off by default.
#Default:
# query_icmp off

#  TAG: test_reachability	on|off
#	When this is 'on', ICP MISS replies will be ICP_MISS_NOFETCH
#	instead of ICP_MISS if the target host is NOT in the ICMP
#	database, or has a zero RTT.
#Default:
# test_reachability off

#  TAG: icp_query_timeout	(msec)
#	Normally Squid will automatically determine an optimal ICP
#	query timeout value based on the round-trip-time of recent ICP
#	queries.  If you want to override the value determined by
#	Squid, set this 'icp_query_timeout' to a non-zero value.  This
#	value is specified in MILLISECONDS, so, to use a 2-second
#	timeout (the old default), you would write:
#
#		icp_query_timeout 2000
#Default:
# icp_query_timeout 0

#  TAG: maximum_icp_query_timeout	(msec)
#	Normally the ICP query timeout is determined dynamically.  But
#	sometimes it can lead to very large values (say 5 seconds).
#	Use this option to put an upper limit on the dynamic timeout
#	value.  Do NOT use this option to always use a fixed (instead
#	of a dynamic) timeout value. To set a fixed timeout see the
#	'icp_query_timeout' directive.
#Default:
# maximum_icp_query_timeout 2000

#  TAG: minimum_icp_query_timeout	(msec)
#	Normally the ICP query timeout is determined dynamically.  But
#	sometimes it can lead to very small timeouts, even lower than
#	the normal latency variance on your link due to traffic.
#	Use this option to put a lower limit on the dynamic timeout
#	value.  Do NOT use this option to always use a fixed (instead
#	of a dynamic) timeout value. To set a fixed timeout see the
#	'icp_query_timeout' directive.
#Default:
# minimum_icp_query_timeout 5

#  TAG: background_ping_rate	time-units
#	Controls how often the ICP pings are sent to siblings that
#	have background-ping set.
#Default:
# background_ping_rate 10 seconds

# MULTICAST ICP OPTIONS
# -----------------------------------------------------------------------------

#  TAG: mcast_groups
#	This tag specifies a list of multicast groups which your server
#	should join to receive multicasted ICP queries.
#
#	NOTE!  Be very careful what you put here!  Be sure you
#	understand the difference between an ICP _query_ and an ICP
#	_reply_.  This option is to be set only if you want to RECEIVE
#	multicast queries.  Do NOT set this option to SEND multicast
#	ICP (use cache_peer for that).  ICP replies are always sent via
#	unicast, so this option does not affect whether or not you will
#	receive replies from multicast group members.
#
#	You must be very careful to NOT use a multicast address which
#	is already in use by another group of caches.
#
#	If you are unsure about multicast, please read the Multicast
#	chapter in the Squid FAQ (http://www.squid-cache.org/FAQ/).
#
#	Usage: mcast_groups 239.128.16.128 224.0.1.20
#
#	By default, Squid doesn't listen on any multicast groups.
#Default:
# none

#  TAG: mcast_miss_addr
#	Note: This option is only available if Squid is rebuilt with the
#	      -DMULTICAST_MISS_STREAM define
#
#	If you enable this option, every "cache miss" URL will
#	be sent out on the specified multicast address.
#
#	Do not enable this option unless you are absolutely
#	certain you understand what you are doing.
#Default:
# mcast_miss_addr no_addr

#  TAG: mcast_miss_ttl
#	Note: This option is only available if Squid is rebuilt with the
#	      -DMULTICAST_MISS_STREAM define
#
#	This is the time-to-live value for packets multicasted
#	when multicasting off cache miss URLs is enabled.  By
#	default this is set to 'site scope', i.e. 16.
#Default:
# mcast_miss_ttl 16

#  TAG: mcast_miss_port
#	Note: This option is only available if Squid is rebuilt with the
#	      -DMULTICAST_MISS_STREAM define
#
#	This is the port number to be used in conjunction with
#	'mcast_miss_addr'.
#Default:
# mcast_miss_port 3135

#  TAG: mcast_miss_encode_key
#	Note: This option is only available if Squid is rebuilt with the
#	      -DMULTICAST_MISS_STREAM define
#
#	The URLs that are sent in the multicast miss stream are
#	encrypted.  This is the encryption key.
#Default:
# mcast_miss_encode_key XXXXXXXXXXXXXXXX

#  TAG: mcast_icp_query_timeout	(msec)
#	For multicast peers, Squid regularly sends out ICP "probes" to
#	count how many other peers are listening on the given multicast
#	address.  This value specifies how long Squid should wait to
#	count all the replies.  The default is 2000 msec, or 2
#	seconds.
#Default:
# mcast_icp_query_timeout 2000

# INTERNAL ICON OPTIONS
# -----------------------------------------------------------------------------

#  TAG: icon_directory
#	Where the icons are stored. These are normally kept in
#	/usr/share/squid3/icons
#Default:
# icon_directory /usr/share/squid3/icons

#  TAG: global_internal_static
#	This directive controls whether Squid should intercept all requests for
#	/squid-internal-static/ no matter which host the URL is requesting
#	(default on setting), or if nothing special should be done for
#	such URLs (off setting). The purpose of this directive is to make
#	icons etc work better in complex cache hierarchies where it may
#	not always be possible for all corners in the cache mesh to reach
#	the server generating a directory listing.
#Default:
# global_internal_static on

#  TAG: short_icon_urls
#	If this is enabled Squid will use short URLs for icons.
#	If disabled it will revert to the old behavior of including
#	its own name and port in the URL.
#
#	If you run a complex cache hierarchy with a mix of Squid and
#	other proxies you may need to disable this directive.
#Default:
# short_icon_urls on

# ERROR PAGE OPTIONS
# -----------------------------------------------------------------------------

#  TAG: error_directory
#	If you wish to create your own versions of the default
#	error files to customize them to suit your company copy
#	the error/template files to another directory and point
#	this tag at them.
#
#	WARNING: This option will disable multi-language support
#	         on error pages if used.
#
#	The squid developers are interested in making squid available in
#	a wide variety of languages. If you are making translations for a
#	language that squid does not currently provide please consider
#	contributing your translation back to the project.
#	http://wiki.squid-cache.org/Translations
#
#	The squid developers working on translations are happy to supply drop-in
#	translated error files in exchange for any new language contributions.
#Default:
# none

#  TAG: error_default_language
#	Set the default language which squid will send error pages in
#	if no existing translation matches the clients language
#	preferences.
#
#	If unset (default) generic English will be used.
#
#	The squid developers are interested in making squid available in
#	a wide variety of languages. If you are interested in making
#	translations for any language see the squid wiki for details.
#	http://wiki.squid-cache.org/Translations
#Default:
# none

#  TAG: error_log_languages
#	Log to cache.log what languages users are attempting to
#	auto-negotiate for translations.
#
#	Successful negotiations are not logged. Only failures
#	have meaning to indicate that Squid may need an upgrade
#	of its error page translations.
#Default:
# error_log_languages on

#  TAG: err_page_stylesheet
#	CSS Stylesheet to pattern the display of Squid default error pages.
#
#	For information on CSS see http://www.w3.org/Style/CSS/
#Default:
# err_page_stylesheet /etc/squid3/errorpage.css

#  TAG: err_html_text
#	HTML text to include in error messages.  Make this a "mailto"
#	URL to your admin address, or maybe just a link to your
#	organizations Web page.
#
#	To include this in your error messages, you must rewrite
#	the error template files (found in the "errors" directory).
#	Wherever you want the 'err_html_text' line to appear,
#	insert a %L tag in the error template file.
#Default:
# none

#  TAG: email_err_data	on|off
#	If enabled, information about the occurred error will be
#	included in the mailto links of the ERR pages (if %W is set)
#	so that the email body contains the data.
#	Syntax is <a href="mailto:%w%W">%w</a>
#Default:
# email_err_data on

#  TAG: deny_info
#	Usage:   deny_info err_page_name acl
#	or       deny_info http://... acl
#	or       deny_info TCP_RESET acl
#
#	This can be used to return a ERR_ page for requests which
#	do not pass the 'http_access' rules.  Squid remembers the last
#	acl it evaluated in http_access, and if a 'deny_info' line exists
#	for that ACL Squid returns a corresponding error page.
#
#	The acl is typically the last acl on the http_access deny line which
#	denied access. The exceptions to this rule are:
#	- When Squid needs to request authentication credentials. It's then
#	  the first authentication related acl encountered
#	- When none of the http_access lines matches. It's then the last
#	  acl processed on the last http_access line.
#
#	NP: If providing your own custom error pages with error_directory
#	    you may also specify them by your custom file name:
#	    Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys
#
#	Alternatively you can specify an error URL. The browsers will
#	get redirected (302 or 307) to the specified URL. %s in the redirection
#	URL will be replaced by the requested URL.
#
#	Alternatively you can tell Squid to reset the TCP connection
#	by specifying TCP_RESET.
#Default:
# none

# OPTIONS INFLUENCING REQUEST FORWARDING
# -----------------------------------------------------------------------------

#  TAG: nonhierarchical_direct
#	By default, Squid will send any non-hierarchical requests
#	(matching hierarchy_stoplist or not cacheable request type) direct
#	to origin servers.
#
#	If you set this to off, Squid will prefer to send these
#	requests to parents.
#
#	Note that in most configurations, by turning this off you will only
#	add latency to these request without any improvement in global hit
#	ratio.
#
#	If you are inside a firewall see never_direct instead of
#	this directive.
#Default:
# nonhierarchical_direct on

#  TAG: prefer_direct
#	Normally Squid tries to use parents for most requests. If you for some
#	reason like it to first try going direct and only use a parent if
#	going direct fails set this to on.
#
#	By combining nonhierarchical_direct off and prefer_direct on you
#	can set up Squid to use a parent as a backup path if going direct
#	fails.
#
#	Note: If you want Squid to use parents for all requests see
#	the never_direct directive. prefer_direct only modifies how Squid
#	acts on cacheable requests.
#Default:
# prefer_direct off

#  TAG: always_direct
#	Usage: always_direct allow|deny [!]aclname ...
#
#	Here you can use ACL elements to specify requests which should
#	ALWAYS be forwarded by Squid to the origin servers without using
#	any peers.  For example, to always directly forward requests for
#	local servers ignoring any parents or siblings you may have use
#	something like:
#
#		acl local-servers dstdomain my.domain.net
#		always_direct allow local-servers
#
#	To always forward FTP requests directly, use
#
#		acl FTP proto FTP
#		always_direct allow FTP
#
#	NOTE: There is a similar, but opposite option named
#	'never_direct'.  You need to be aware that "always_direct deny
#	foo" is NOT the same thing as "never_direct allow foo".  You
#	may need to use a deny rule to exclude a more-specific case of
#	some other rule.  Example:
#
#		acl local-external dstdomain external.foo.net
#		acl local-servers dstdomain  .foo.net
#		always_direct deny local-external
#		always_direct allow local-servers
#
#	NOTE: If your goal is to make the client forward the request
#	directly to the origin server bypassing Squid then this needs
#	to be done in the client configuration. Squid configuration
#	can only tell Squid how Squid should fetch the object.
#
#	NOTE: This directive is not related to caching. The replies
#	are cached as usual even if you use always_direct. To not cache
#	the replies see the 'cache' directive.
#
#	This clause supports both fast and slow acl types.
#	See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#Default:
# none

#  TAG: never_direct
#	Usage: never_direct allow|deny [!]aclname ...
#
#	never_direct is the opposite of always_direct.  Please read
#	the description for always_direct if you have not already.
#
#	With 'never_direct' you can use ACL elements to specify
#	requests which should NEVER be forwarded directly to origin
#	servers.
#	For example, to force the use of a proxy for all
#	requests, except those in your local domain use something like:
#
#		acl local-servers dstdomain .foo.net
#		never_direct deny local-servers
#		never_direct allow all
#
#	or if Squid is inside a firewall and there are local intranet
#	servers inside the firewall use something like:
#
#		acl local-intranet dstdomain .foo.net
#		acl local-external dstdomain external.foo.net
#		always_direct deny local-external
#		always_direct allow local-intranet
#		never_direct allow all
#
#	This clause supports both fast and slow acl types.
#	See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#Default:
# none

# ADVANCED NETWORKING OPTIONS
# -----------------------------------------------------------------------------

#  TAG: incoming_icp_average
#Default:
# incoming_icp_average 6

#  TAG: incoming_http_average
#Default:
# incoming_http_average 4

#  TAG: incoming_dns_average
#Default:
# incoming_dns_average 4

#  TAG: min_icp_poll_cnt
#Default:
# min_icp_poll_cnt 8

#  TAG: min_dns_poll_cnt
#Default:
# min_dns_poll_cnt 8

#  TAG: min_http_poll_cnt
#	Heavy voodoo here.  I can't even believe you are reading this.
#	Are you crazy?  Don't even think about adjusting these unless
#	you understand the algorithms in comm_select.c first!
#Default:
# min_http_poll_cnt 8

#  TAG: accept_filter
#	FreeBSD:
#
#	The name of an accept(2) filter to install on Squid's
#	listen socket(s).  This feature is perhaps specific to
#	FreeBSD and requires support in the kernel.
#
#	The 'httpready' filter delays delivering new connections
#	to Squid until a full HTTP request has been received.
#	See the accf_http(9) man page for details.
#
#	The 'dataready' filter delays delivering new connections
#	to Squid until there is some data to process.
#	See the accf_dataready(9) man page for details.
#
#	Linux:
#
#	The 'data' filter delays delivering of new connections
#	to Squid until there is some data to process by TCP_ACCEPT_DEFER.
#	You may optionally specify a number of seconds to wait by
#	'data=N' where N is the number of seconds. Defaults to 30
#	if not specified.  See the tcp(7) man page for details.
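To make the always_direct / never_direct semantics above concrete, here is an added Python model (not part of the original post and not Squid's own code) that parses the three directive kinds used in those comment examples, applies Squid's first-match rule evaluation and dstdomain matching, and reports whether a given host is forced direct, forced through a peer, or left to normal selection. The parser, the decision labels and the sample configs are assumptions of this example; the configs themselves are the ones quoted in the comments.

```python
"""Model of how Squid evaluates always_direct / never_direct rule lists.

Illustrative code only: it handles 'acl NAME dstdomain ...', always_direct
and never_direct lines and ignores every other directive.
"""
import shlex


def parse_config(text):
    """Collect dstdomain ACLs and the always_direct/never_direct rule lists."""
    acls = {"all": None}          # 'all' is Squid's built-in match-everything ACL
    rules = {"always_direct": [], "never_direct": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and blank lines
        if not line:
            continue
        words = shlex.split(line)
        if words[0] == "acl" and len(words) >= 4 and words[2] == "dstdomain":
            # repeated 'acl NAME dstdomain ...' lines extend the same ACL
            acls.setdefault(words[1], []).extend(p.lower() for p in words[3:])
        elif words[0] in rules and len(words) >= 3 and words[1] in ("allow", "deny"):
            rules[words[0]].append((words[1], words[2:]))
        # anything else (http_port, cache_dir, ...) is outside this model
    return acls, rules


def dstdomain_matches(patterns, host):
    """'.foo.net' matches foo.net and all its subdomains; a bare name matches exactly."""
    host = host.lower().rstrip(".")
    for pat in patterns:
        if pat.startswith("."):
            if host == pat[1:] or host.endswith(pat):
                return True
        elif host == pat:
            return True
    return False


def acl_matches(acls, term, host):
    """Evaluate one [!]aclname term against the destination host."""
    negate = term.startswith("!")
    name = term[1:] if negate else term
    if name not in acls:
        raise ValueError("undefined ACL %r (Squid would reject this config)" % name)
    matched = True if acls[name] is None else dstdomain_matches(acls[name], host)
    return matched != negate


def first_match(rule_list, acls, host):
    """Squid semantics: the first line whose ACL terms ALL match decides.
    Returns 'allow', 'deny', or None when no line matched."""
    for action, terms in rule_list:
        if all(acl_matches(acls, t, host) for t in terms):
            return action
    return None


def forwarding_decision(config_text, host):
    """'direct'  -> fetched from the origin server, peers ignored
       'peer'    -> must go through a parent/sibling
       'default' -> neither list forced anything; normal peer selection applies
    always_direct is consulted before never_direct, as in Squid."""
    acls, rules = parse_config(config_text)
    if first_match(rules["always_direct"], acls, host) == "allow":
        return "direct"
    if first_match(rules["never_direct"], acls, host) == "allow":
        return "peer"
    return "default"


# Constructed configs copied from the squid.conf comment examples above.
FORCE_PROXY = """
acl local-servers dstdomain .foo.net
never_direct deny local-servers
never_direct allow all
"""

INTRANET = """
acl local-intranet dstdomain .foo.net
acl local-external dstdomain external.foo.net
always_direct deny local-external
always_direct allow local-intranet
never_direct allow all
"""

# "always_direct deny foo" on its own forces nothing through the proxy,
# which is why it is not the same as "never_direct allow foo".
DENY_ONLY = """
acl ext dstdomain external.foo.net
always_direct deny ext
"""

if __name__ == "__main__":
    for name, cfg in (("FORCE_PROXY", FORCE_PROXY), ("INTRANET", INTRANET), ("DENY_ONLY", DENY_ONLY)):
        for host in ("www.foo.net", "external.foo.net", "www.example.com"):
            print("%-11s %-17s -> %s" % (name, host, forwarding_decision(cfg, host)))
```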
#Example:
## FreeBSD
#accept_filter httpready
## Linux
#accept_filter data
#Default:
# none

#  TAG: client_ip_max_connections
#	Set an absolute limit on the number of connections a single
#	client IP can use. Any more than this and Squid will begin to drop
#	new connections from the client until it closes some links.
#
#	Note that this is a global limit. It affects all HTTP, HTCP, Gopher and FTP
#	connections from the client. For finer control use the ACL access controls.
#
#	Requires client_db to be enabled (the default).
#
#	WARNING: This may noticeably slow down traffic received via external proxies
#	or NAT devices and cause them to rebound error messages back to their clients.
#Default:
# client_ip_max_connections -1

#  TAG: tcp_recv_bufsize	(bytes)
#	Size of receive buffer to set for TCP sockets.  Probably just
#	as easy to change your kernel's default.  Set to zero to use
#	the default buffer size.
#Default:
# tcp_recv_bufsize 0 bytes

# ICAP OPTIONS
# -----------------------------------------------------------------------------

#  TAG: icap_enable	on|off
#	If you want to enable the ICAP module support, set this to on.
#Default:
# icap_enable off

#  TAG: icap_connect_timeout
#	This parameter specifies how long to wait for the TCP connect to
#	the requested ICAP server to complete before giving up and either
#	terminating the HTTP transaction or bypassing the failure.
#
#	The default for optional services is peer_connect_timeout.
#	The default for essential services is connect_timeout.
#	If this option is explicitly set, its value applies to all services.
#Default:
# none

#  TAG: icap_io_timeout	time-units
#	This parameter specifies how long to wait for an I/O activity on
#	an established, active ICAP connection before giving up and
#	either terminating the HTTP transaction or bypassing the
#	failure.
#
#	The default is read_timeout.
#Default:
# none

#  TAG: icap_service_failure_limit
#	The limit specifies the number of failures that Squid tolerates
#	when establishing a new TCP connection with an ICAP service. If
#	the number of failures exceeds the limit, the ICAP service is
#	not used for new ICAP requests until it is time to refresh its
#	OPTIONS. The per-service failure counter is reset to zero each
#	time Squid fetches new service OPTIONS.
#
#	A negative value disables the limit.
#	Without the limit, an ICAP
#	service will not be considered down due to connectivity failures
#	between ICAP OPTIONS requests.
#Default:
# icap_service_failure_limit 10

#  TAG: icap_service_revival_delay
#	The delay specifies the number of seconds to wait after an ICAP
#	OPTIONS request failure before requesting the options again. The
#	failed ICAP service is considered "down" until fresh OPTIONS are
#	fetched.
#
#	The actual delay cannot be smaller than the hardcoded minimum
#	delay of 30 seconds.
#Default:
# icap_service_revival_delay 180

#  TAG: icap_preview_enable	on|off
#	The ICAP Preview feature allows the ICAP server to handle the
#	HTTP message by looking only at the beginning of the message body
#	or even without receiving the body at all. In some environments,
#	previews greatly speedup ICAP processing.
#
#	During an ICAP OPTIONS transaction, the server may tell Squid what
#	HTTP messages should be previewed and how big the preview should be.
#	Squid will not use Preview if the server did not request one.
#
#	To disable ICAP Preview for all ICAP services, regardless of
#	individual ICAP server OPTIONS responses, set this option to "off".
#Example:
#icap_preview_enable off
#Default:
# icap_preview_enable on

#  TAG: icap_preview_size
#	The default size of preview data to be sent to the ICAP server.
#	-1 means no preview. This value might be overwritten on a per server
#	basis by OPTIONS requests.
#Default:
# icap_preview_size -1

#  TAG: icap_default_options_ttl
#	The default TTL value for ICAP OPTIONS responses that don't have
#	an Options-TTL header.
#Default:
# icap_default_options_ttl 60

#  TAG: icap_persistent_connections	on|off
#	Whether or not Squid should use persistent connections to
#	an ICAP server.
#Default:
# icap_persistent_connections on

#  TAG: icap_send_client_ip	on|off
#	If enabled, Squid shares HTTP client IP information with adaptation
#	services. For ICAP, Squid adds the X-Client-IP header to ICAP requests.
#	For eCAP, Squid sets the libecap::metaClientIp transaction option.
#
#	See also: adaptation_uses_indirect_client
#Default:
# icap_send_client_ip off

#  TAG: icap_send_client_username	on|off
#	This sends authenticated HTTP client username (if available) to
#	the ICAP service. The username value is encoded based on the
#	icap_client_username_encode option and is sent using the header
#	specified by the icap_client_username_header option.
#Default:
# icap_send_client_username off

#  TAG: icap_client_username_header
#	ICAP request header name to use for send_client_username.
#Default:
# icap_client_username_header X-Client-Username

#  TAG: icap_client_username_encode	on|off
#	Whether to base64 encode the authenticated client username.
#Default:
# icap_client_username_encode off

#  TAG: icap_service
#	Defines a single ICAP service using the following format:
#
#	icap_service service_name vectoring_point [options] service_url
#
#	service_name: ID
#		an opaque identifier which must be unique in squid.conf
#
#	vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
#		This specifies at which point of transaction processing the
#		ICAP service should be activated. *_postcache vectoring points
#		are not yet supported.
#
#	service_url: icap://servername:port/servicepath
#		ICAP server and service location.
#
#	ICAP does not allow a single service to handle both REQMOD and RESPMOD
#	transactions. Squid does not enforce that requirement. You can specify
#	services with the same service_url and different vectoring_points. You
#	can even specify multiple identical services as long as their
#	service_names differ.
#
#
#	Service options are separated by white space. ICAP services support
#	the following name=value options:
#
#	bypass=on|off|1|0
#		If set to 'on' or '1', the ICAP service is treated as
#		optional. If the service cannot be reached or malfunctions,
#		Squid will try to ignore any errors and process the message as
#		if the service was not enabled. Not all ICAP errors can be
#		bypassed.  If set to 0, the ICAP service is treated as
#		essential and all ICAP errors will result in an error page
#		returned to the HTTP client.
#
#		Bypass is off by default: services are treated as essential.
#
#	routing=on|off|1|0
#		If set to 'on' or '1', the ICAP service is allowed to
#		dynamically change the current message adaptation plan by
#		returning a chain of services to be used next. The services
#		are specified using the X-Next-Services ICAP response header
#		value, formatted as a comma-separated list of service names.
#		Each named service should be configured in squid.conf and
#		should have the same method and vectoring point as the current
#		ICAP transaction.  Services violating these rules are ignored.
#		An empty X-Next-Services value results in an empty plan which
#		ends the current adaptation.
#
#		Routing is not allowed by default: the ICAP X-Next-Services
#		response header is ignored.
#
#	ipv6=on|off
#		Only has effect on split-stack systems. The default on those systems
#		is to use IPv4-only connections. When set to 'on' this option will
#		make Squid use IPv6-only connections to contact this ICAP service.
#
#	Older icap_service format without optional named parameters is
#	deprecated but supported for backward compatibility.
#
#Example:
#icap_service svcBlocker reqmod_precache bypass=0 icap://icap1.mydomain.net:1344/reqmod
#icap_service svcLogger reqmod_precache routing=on icap://icap2.mydomain.net:1344/respmod
#Default:
# none

#  TAG: icap_class
#	This deprecated option was documented to define an ICAP service
#	chain, even though it actually defined a set of similar, redundant
#	services, and the chains were not supported.
#
#	To define a set of redundant services, please use the
#	adaptation_service_set directive. For service chains, use
#	adaptation_service_chain.
#Default:
# none

#  TAG: icap_access
#	This option is deprecated. Please use adaptation_access, which
#	has the same ICAP functionality, but comes with better
#	documentation, and eCAP support.
#Default:
# none

# eCAP OPTIONS
# -----------------------------------------------------------------------------

#  TAG: ecap_enable	on|off
#	Note: This option is only available if Squid is rebuilt with the
#	      --enable-ecap option
#
#	Controls whether eCAP support is enabled.
#Default:
# ecap_enable off

#  TAG: ecap_service
#	Note: This option is only available if Squid is rebuilt with the
#	      --enable-ecap option
#
#	Defines a single eCAP service
#
#	ecap_service servicename vectoring_point bypass service_url
#
#	vectoring_point = reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
#		This specifies at which point of transaction processing the
#		eCAP service should be activated. *_postcache vectoring points
#		are not yet supported.
#	bypass = 1|0
#		If set to 1, the eCAP service is treated as optional. If the
#		service cannot be reached or malfunctions, Squid will try to
#		ignore any errors and process the message as if the service
#		was not enabled. Not all eCAP errors can be bypassed.
#		If set to 0, the eCAP service is treated as essential and all
#		eCAP errors will result in an error page returned to the
#		HTTP client.
#	service_url = ecap://vendor/service_name?custom&cgi=style&parameters=optional
#
#Example:
#ecap_service service_1 reqmod_precache 0 ecap://filters-R-us/leakDetector?on_error=block
#ecap_service service_2 respmod_precache 1 icap://filters-R-us/virusFilter?config=/etc/vf.cfg
#Default:
# none

#  TAG: loadable_modules
#	Instructs Squid to load the specified dynamic module(s) or activate
#	preloaded module(s).
#Example:
#loadable_modules /usr/lib/MinimalAdapter.so
#Default:
# none

# MESSAGE ADAPTATION OPTIONS
# -----------------------------------------------------------------------------

#  TAG: adaptation_service_set
#
#	Configures an ordered set of similar, redundant services. This is
#	useful when hot standby or backup adaptation servers are available.
#
#	    adaptation_service_set set_name service_name1 service_name2 ...
#
#	The named services are used in the set declaration order. The first
#	applicable adaptation service from the set is used first. The next
#	applicable service is tried if and only if the transaction with the
#	previous service fails and the message waiting to be adapted is still
#	intact.
#
#	When adaptation starts, broken services are ignored as if they were
#	not part of the set. A broken service is a down optional service.
#
#	The services in a set must be attached to the same vectoring point
#	(e.g., pre-cache) and use the same adaptation method (e.g., REQMOD).
#
#	If all services in a set are optional then adaptation failures are
#	bypassable. If all services in the set are essential, then a
#	transaction failure with one service may still be retried using
#	another service from the set, but when all services fail, the master
#	transaction fails as well.
#
#	A set may contain a mix of optional and essential services, but that
#	is likely to lead to surprising results because broken services become
#	ignored (see above), making previously bypassable failures fatal.
#	Technically, it is the bypassability of the last failed service that
#	matters.
#
#	See also: adaptation_access adaptation_service_chain
#
#Example:
#adaptation_service_set svcBlocker urlFilterPrimary urlFilterBackup
#adaptation_service_set svcLogger loggerLocal loggerRemote
#Default:
# none

#  TAG: adaptation_service_chain
#
#	Configures a list of complementary services that will be applied
#	one-by-one, forming an adaptation chain or pipeline. This is useful
#	when Squid must perform different adaptations on the same message.
#
#	    adaptation_service_chain chain_name service_name1 svc_name2 ...
#
#	The named services are used in the chain declaration order. The first
#	applicable adaptation service from the chain is used first. The next
#	applicable service is applied to the successful adaptation results of
#	the previous service in the chain.
#
#	When adaptation starts, broken services are ignored as if they were
#	not part of the chain. A broken service is a down optional service.
#
#	Request satisfaction terminates the adaptation chain because Squid
#	does not currently allow declaration of RESPMOD services at the
#	"reqmod_precache" vectoring point (see icap_service or ecap_service).
#
#	The services in a chain must be attached to the same vectoring point
#	(e.g., pre-cache) and use the same adaptation method (e.g., REQMOD).
#
#	A chain may contain a mix of optional and essential services. If an
#	essential adaptation fails (or the failure cannot be bypassed for
#	other reasons), the master transaction fails. Otherwise, the failure
#	is bypassed as if the failed adaptation service was not in the chain.
#
#	See also: adaptation_access adaptation_service_set
#
#Example:
#adaptation_service_chain svcRequest requestLogger urlFilter leakDetector
#Default:
# none

#  TAG: adaptation_access
#	Sends an HTTP transaction to an ICAP or eCAP adaptation service.
#
#	adaptation_access service_name allow|deny [!]aclname...
#	adaptation_access set_name     allow|deny [!]aclname...
#
#	At each supported vectoring point, the adaptation_access
#	statements are processed in the order they appear in this
#	configuration file. Statements pointing to the following services
#	are ignored (i.e., skipped without checking their ACL):
#
#	    - services serving different vectoring points
#	    - "broken-but-bypassable" services
#	    - "up" services configured to ignore such transactions
#	      (e.g., based on the ICAP Transfer-Ignore header).
#
#	When a set_name is used, all services in the set are checked
#	using the same rules, to find the first applicable one. See
#	adaptation_service_set for details.
#
#	If an access list is checked and there is a match, the
#	processing stops: For an "allow" rule, the corresponding
#	adaptation service is used for the transaction. For a "deny"
#	rule, no adaptation service is activated.
#
#	It is currently not possible to apply more than one adaptation
#	service at the same vectoring point for the same HTTP transaction.
#
#	See also: icap_service and ecap_service
#
#Example:
#adaptation_access service_1 allow all
#Default:
# none

#  TAG: adaptation_service_iteration_limit
#	Limits the number of iterations allowed when applying adaptation
#	services to a message. If your longest adaptation set or chain
#	may have more than 16 services, increase the limit beyond its
#	default value of 16. If detecting infinite iteration loops sooner
#	is critical, make the iteration limit match the actual number
#	of services in your longest adaptation set or chain.
#
#	Infinite adaptation loops are most likely with routing services.
#
#	See also: icap_service routing=1
#Default:
# adaptation_service_iteration_limit 16

#  TAG: adaptation_masterx_shared_names
#	For each master transaction (i.e., the HTTP request and response
#	sequence, including all related ICAP and eCAP exchanges), Squid
#	maintains a table of metadata.
table entries (name, value) # pairs shared among ecap , icap exchanges. table destroyed # with master transaction. # # this option specifies table entry names squid must accept # from , forward adaptation transactions. # # an icap reqmod or respmod transaction may set entry in # shared table returning icap header field name # specified in adaptation_masterx_shared_names. squid store # and forward icap header field subsequent icap # transactions within same master transaction scope. # # only 1 shared entry name supported @ time. # #example: ## share authentication information among icap services #adaptation_masterx_shared_names x-subscriber-id #default: # none # tag: icap_retry # this acl determines retriable icap transactions # retried. transactions received complete icap response # and did not have consume or produce http bodies receive # that response retriable. # # icap_retry allow|deny [!]aclname ... # # squid automatically retries icap i/o timeouts , errors # due persistent connection race conditions. # # see also: icap_retry_limit #default: # icap_retry deny # tag: icap_retry_limit # limits number of retries allowed. when set 0 (default), # no retries allowed. # # communication errors due persistent connection race # conditions unavoidable, automatically retried, , not # count against limit. # # see also: icap_retry #default: # icap_retry_limit 0 # dns options # ----------------------------------------------------------------------------- # tag: check_hostnames # for security , stability reasons squid can check # hostnames internet standard rfc compliance. if want # squid perform these checks turn directive on. #default: # check_hostnames off # tag: allow_underscore # underscore characters not strictly allowed in internet hostnames # but nevertheless used many sites. set off if want # squid strict standard. # this check performed when check_hostnames set on. 
#default: # allow_underscore on # tag: cache_dns_program # note: option available if squid rebuilt # --disable-internal-dns option # # specify location of executable dnslookup process. #default: # cache_dns_program /usr/lib/squid3/dnsserver # tag: dns_children # note: option available if squid rebuilt # --disable-internal-dns option # # the number of processes spawn service dns name lookups. # for heavily loaded caches on large servers, should # probably increase value @ least 10. maximum # is 32. default 5. # # you must have @ least 1 dnsserver process. #default: # dns_children 5 # tag: dns_retransmit_interval # initial retransmit interval dns queries. interval # doubled each time configured dns servers have been tried. # #default: # dns_retransmit_interval 5 seconds # tag: dns_timeout # dns query timeout. if no response received dns query # within time dns servers queried domain # are assumed unavailable. #default: # dns_timeout 2 minutes # tag: dns_defnames on|off # normally res_defnames resolver option disabled # (see res_init(3)). prevents caches in hierarchy # from interpreting single-component hostnames locally. allow # squid handle single-component names, enable option. #default: # dns_defnames off # tag: dns_nameservers # use if want specify list of dns name servers # (ip addresses) use instead of given in # /etc/resolv.conf file. # on windows platforms, if no value specified here or in # the /etc/resolv.conf file, list of dns name servers # taken windows registry, both static , dynamic dhcp # configurations supported. # # example: dns_nameservers 10.0.0.1 192.172.0.4 #default: # none # tag: hosts_file # location of host-local ip name-address associations # database. 
operating systems have such file on different # default locations: # - un*x & linux: /etc/hosts # - windows nt/2000: %systemroot%\system32\drivers\etc\hosts # (%systemroot% value install default c:\winnt) # - windows xp/2003: %systemroot%\system32\drivers\etc\hosts # (%systemroot% value install default c:\windows) # - windows 9x/me: %windir%\hosts # (%windir% value c:\windows) # - cygwin: /etc/hosts # # the file contains newline-separated definitions, in # form ip_address_in_dotted_form name [name ...] names # whitespace-separated. lines beginning hash (#) # character comments. # # the file checked @ startup , upon configuration. # if set 'none', won't checked. # if append_domain used, domain added # domain-local (i.e. not containing dot character) host # definitions. #default: # hosts_file /etc/hosts # tag: append_domain # appends local domain name hostnames without dots in # them. append_domain must begin period. # # be warned there internet names no dots in # them using top-domain names, setting may # cause internet sites become unavailable. # #example: # append_domain .yourdomain.com #default: # none # tag: ignore_unknown_nameservers # by default squid checks dns responses received # from same ip addresses sent to. if # don't match, squid ignores response , writes warning # message cache.log. can allow responses unknown # nameservers setting option 'off'. #default: # ignore_unknown_nameservers on # tag: dns_v4_fallback # standard practice dns lookup either or aaaa records # and use results if succeeds. looking other if # the first attempt fails or otherwise produces no results. # # that policy cause squid produce error pages # servers advertise aaaa unreachable on ipv6. # # if on squid lookup both aaaa , a, using both. # if off squid lookup aaaa , try if none found. # # warning: there possibly unwanted side-effects on: # *) doubles load placed squid on dns network. # *) may negatively impact connection delay times. 
#default: # dns_v4_fallback on # tag: dns_v4_first # with ipv6 internet being fast or faster ipv4 internet # for networks squid prefers contact websites on ipv6. # # this option reverses order of preference make squid contact # dual-stack websites on ipv4 first. squid still perform both # ipv6 , ipv4 dns lookups before connecting. # # warning: # option restrict situations under ipv6 # connectivity used (and tested). hiding network problems # otherwise detected , warned about. #default: # dns_v4_first off # tag: ipcache_size (number of entries) #default: # ipcache_size 1024 # tag: ipcache_low (percent) #default: # ipcache_low 90 # tag: ipcache_high (percent) # the size, low-, , high-water marks ip cache. #default: # ipcache_high 95 # tag: fqdncache_size (number of entries) # maximum number of fqdn cache entries. #default: # fqdncache_size 1024 # miscellaneous # ----------------------------------------------------------------------------- # tag: memory_pools on|off # if set, squid keep pools of allocated (but unused) memory # available future use. if memory premium on # system , believe malloc library outperforms squid # routines, disable this. #default: # memory_pools on # tag: memory_pools_limit (bytes) # used memory_pools on: # memory_pools_limit 50 mb # # if set non-zero value, squid keep @ specified # limit of allocated (but unused) memory in memory pools. free() # requests exceed limit handled malloc # library. squid not pre-allocate memory, safe-keeps # objects otherwise free()d. thus, safe set # memory_pools_limit reasonably high value if # configuration use less memory. # # if set none, squid keep memory can. is, there # will no limit on total amount of memory used safe-keeping. # # to disable memory allocation optimization, not set # memory_pools_limit 0 or none. set memory_pools "off" instead. # # an overhead maintaining memory pools not taken account # when limit checked. overhead close 4 bytes per # object kept. 
however, pools may _save_ memory because of # reduced memory thrashing in malloc library. #default: # memory_pools_limit 5 mb # tag: forwarded_for on|off|transparent|truncate|delete # if set "on", squid append client's ip address # in http requests forwards. default looks like: # # x-forwarded-for: 192.1.2.3 # # if set "off", appear # # x-forwarded-for: unknown # # if set "transparent", squid not alter # x-forwarded-for header in way. # # if set "delete", squid delete entire # x-forwarded-for header. # # if set "truncate", squid remove existing # x-forwarded-for entries, , place sole entry. #default: # forwarded_for on # tag: cachemgr_passwd # specify passwords cachemgr operations. # # usage: cachemgr_passwd password action action ... # # some valid actions (see cache manager menu full list): # 5min # 60min # asndb # authenticator # cbdata # client_list # comm_incoming # config * # counters # delay # digest_stats # dns # events # filedescriptors # fqdncache # histograms # http_headers # info # io # ipcache # mem # menu # netdb # non_peers # objects # offline_toggle * # pconn # peer_select # reconfigure * # redirector # refresh # server_list # shutdown * # store_digest # storedir # utilization # via_headers # vm_objects # # * indicates actions not performed without # valid password, others can performed if not listed here. # # to disable action, set password "disable". # to allow performing action without password, set # password "none". # # use keyword "all" set same password actions. # #example: # cachemgr_passwd secret shutdown # cachemgr_passwd lesssssssecret info stats/objects # cachemgr_passwd disable #default: # none # tag: client_db on|off # if want disable collecting per-client statistics, # turn off client_db here. #default: # client_db on # tag: refresh_all_ims on|off # when enable option, squid check # the origin server update when client sends # if-modified-since request. 
many browsers use ims # requests when user requests reload, , # ensures clients receive latest version. # # by default (off), squid may return not modified response # based on age of cached version. #default: # refresh_all_ims off # tag: reload_into_ims on|off # when enable option, client no-cache or ``reload'' # requests changed if-modified-since requests. # doing violates http standard. enabling # feature make liable problems # causes. # # see refresh_pattern more selective approach. #default: # reload_into_ims off # tag: maximum_single_addr_tries # this sets maximum number of connection attempts # host has 1 address (for multiple-address hosts, # each address tried once). # # the default value 1 attempt, (not recommended) # maximum 255 tries. warning message generated # if set value greater ten. # # note: in addition request re-forwarding # takes place if squid fails satisfying response. #default: # maximum_single_addr_tries 1 # tag: retry_on_error # if set on squid automatically retry requests when # receiving error response status 403 (forbidden), # 500 (internal error), 501 or 503 (service not available). # status 502 , 504 (gateway errors) retried. # # this useful if in complex cache hierarchy # work around access control errors. # # note: retry attempt find working destination. # which different server failed. #default: # retry_on_error off # tag: as_whois_server # whois server query numbers. note: numbers # queried when squid starts up, not every request. #default: # as_whois_server whois.ra.net # tag: offline_mode # enable option , squid never try validate cached # objects. #default: # offline_mode off # tag: uri_whitespace # what requests have whitespace characters in # uri. options: # # strip: whitespace characters stripped out of url. # this behavior recommended rfc2396. # deny: request denied. user receives "invalid # request" message. # allow: request allowed , uri not changed. # whitespace characters remain in uri. 
note # whitespace passed redirector processes if # are in use. # encode: the request allowed , whitespace characters # encoded according rfc1738. considered # a violation of http/1.1 # rfc because proxies not allowed rewrite uri's. # chop: the request allowed , uri chopped @ # first whitespace. might considered # violation. #default: # uri_whitespace strip # tag: chroot # specifies directory squid should chroot() while # initializing. causes squid drop root # privileges after initializing. means, example, if # use http port less 1024 , try reconfigure, may # get error saying squid can not open port. #default: # none # tag: balance_on_multiple_ip # modern ip resolvers in squid sort lookup results preferred access. # by default squid use these ip in order , rotates # the next listed when preffered fails. # # some load balancing servers based on round robin dns have been # found not preserve user session state across requests # to different ip addresses. # # enabling directive squid rotates ip's per request. #default: # balance_on_multiple_ip off # tag: pipeline_prefetch # to boost performance of pipelined requests closer # match of non-proxied environment squid can try fetch # up 2 requests in parallel pipeline. # # defaults off bandwidth management , access logging # reasons. # # warning: pipelining breaks ntlm , negotiate/kerberos authentication. #default: # pipeline_prefetch off # tag: high_response_time_warning (msec) # if one-minute median response time exceeds value, # squid prints warning debug level 0 # administrators attention. value in milliseconds. #default: # high_response_time_warning 0 # tag: high_page_fault_warning # if one-minute average page fault rate exceeds # value, squid prints warning debug level 0 # the administrators attention. value in page faults # per second. 
#default: # high_page_fault_warning 0 # tag: high_memory_warning # if memory usage (as determined mallinfo) exceeds # this amount, squid prints warning debug level 0 # the administrators attention. #default: # high_memory_warning 0 kb # tag: sleep_after_fork (microseconds) # when set non-zero value, main squid process # sleeps specified number of microseconds after fork() # system call. sleep may situation # system reports fork() failures due lack of (virtual) # memory. note, however, if have lot of child # processes, these sleep delays add , # squid not service requests amount of time # until child processes have been started. # on windows value less 1000 (1 milliseconds) # rounded 1000. #default: # sleep_after_fork 0 # tag: windows_ipaddrchangemonitor on|off # on windows squid default monitor ip address changes , # reconfigure after detected event. useful # proxies connected internet dial-up interfaces. # in cases (a proxy server acting vpn gateway one) # desiderable disable behaviour setting 'off'. # note: after changing this, squid service must restarted. #default: # windows_ipaddrchangemonitor on # tag: max_filedescriptors # the maximum number of filedescriptors supported. # # the default "0" means squid inherits current ulimit setting. # # note: changing requires restart of squid. # not comm loops supports large values. #default: # max_filedescriptors 0
squidguard.conf
code:#
# config file squidguard
#
dbhome /usr/local/squidguard/db/bl
logdir /usr/local/squidguard/log
#
# time rules:
# abbrev weekdays:
# s = sun, m = mon, t =tue, w = wed, h = thu, f = fri, = sat
#time workhours {
# weekly mtwhf 08:00 - 16:30
# date *-*-01 08:00 - 16:30
#}
#
# rewrite rules:
#
#rew dmz {
# s@://admin/@://admin.foo.bar.de/@i
# s@://foo.bar.de/@://www.foo.bar.de/@i
#}
#
# source addresses:
#
#src admin {
# ip 1.2.3.4 1.2.3.5
# user root foo bar
# within workhours
#}
#src foo-clients {
# ip 172.16.2.32-172.16.2.100 172.16.2.100 172.16.2.200
#}
#src bar-clients {
# ip 172.16.4.0/26
#}
#
# destination classes:
#
#dest {
#}
#dest local {
#}
dest adv {
 domainlist adv/domains
 urllist adv/urls
 #expressionlist dest/adult/expressions
 #redirect http://admin.foo.bar.de/cgi/blocked?clientaddr=%a+clientname=%n+clientuser=%i+clientgroup=%s+targetgroup=%t+url=%u
}
dest aggressive {
 domainlist aggressive/domains
 urllist aggressive/urls
}
dest alcohol {
 domainlist alcohol/domains
 urllist alcohol/urls
}
dest anonvpn {
 domainlist anonvpn/domains
 urllist anonvpn/urls
}
dest chat {
 domainlist chat/domains
 urllist chat/urls
}
dest costtraps {
 domainlist costtraps/domains
 urllist costtraps/urls
}
dest dating {
 domainlist dating/domains
 urllist dating/urls
}
dest drugs {
 domainlist drugs/domains
 urllist drugs/urls
}
dest dynamic {
 domainlist dynamic/domains
 urllist dynamic/urls
}
dest fortunetelling {
 domainlist fortunetelling/domains
 urllist fortunetelling/urls
}
dest forum {
 domainlist forum/domains
 urllist forum/urls
}
dest gamble {
 domainlist gamble/domains
 urllist gamble/urls
}
dest hacking {
 domainlist hacking/domains
 urllist hacking/urls
}
dest isp {
 domainlist isp/domains
 urllist isp/urls
}
dest models {
 domainlist models/domains
 urllist models/urls
}
dest movies {
 domainlist movies/domains
 urllist movies/urls
}
dest music {
 domainlist music/domains
 urllist music/urls
}
dest humor {
 domainlist recreation/humor/domains
 urllist recreation/humor/urls
}
dest redirector {
 domainlist redirector/domains
 urllist redirector/urls
}
dest ringtones {
 domainlist ringtones/domains
 urllist ringtones/urls
}
dest sex_lingerie {
 domainlist sex/lingerie/domains
 urllist sex/lingerie/urls
}
dest sex_education {
 domainlist sex/education/domains
 urllist sex/education/urls
}
dest socialnet {
 domainlist socialnet/domains
 urllist socialnet/urls
}
dest spyware {
 domainlist spyware/domains
 urllist spyware/urls
}
dest tracker {
 domainlist tracker/domains
 urllist tracker/urls
}
dest violence {
 domainlist violence/domains
 urllist violence/urls
}
dest warez {
 domainlist warez/domains
 urllist warez/urls
}
dest weapons {
 domainlist weapons/domains
 urllist weapons/urls
}
dest webphone {
 domainlist webphone/domains
 urllist webphone/urls
}
dest webtv {
 domainlist webtv/domains
 urllist webtv/urls
}
acl {
# admin {
# pass
# }
#
# foo-clients within workhours {
# pass !in-addr !adult
# } else {
# pass
# }
#
# bar-clients {
# pass local none
# }
 default {
 pass !in-addr !aggressive !alcohol !anonvpn !chat !costtraps !dating !drugs !dynamic !fortunetelling !forum !gamble !hacking !isp !models !movies !music !humor !redirector !ringtones !sex_lingerie !sex_education !socialnet !spyware !tracker !violence !warez !weapons !webphone !webtv
 #rewrite dmz
 redirect http://google.com
 }
}
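An added example, not part of the original post and not squidGuard's own code: a small Python lint for a squidguard.conf of the shape posted above. It flags pass rules that reference a destination class no dest block declares (a reference to an undeclared class is a configuration error, and squidGuard answers every request unfiltered in its emergency mode when the configuration fails to load) and pass rules with no explicit all/none terminator, which leaves the allow/deny outcome implicit. The embedded config is a constructed, shortened copy of the posted one with one undeclared class added so the checker has something to report; the class name "proxy" is an assumption.

```python
import re

# Constructed sample, not the poster's full file: a shortened copy of the posted
# squidguard.conf with an undeclared class ("proxy") added to the pass rule.
SAMPLE_CONF = """\
dbhome /usr/local/squidguard/db/bl
dest adv {
    domainlist adv/domains
    urllist adv/urls
}
dest hacking {
    domainlist hacking/domains   # paths are relative to dbhome
    urllist hacking/urls
}
acl {
    default {
        pass !in-addr !adv !hacking !proxy
        redirect http://google.com
    }
}
"""

# Class names squidGuard understands without a dest block.
BUILTIN_CLASSES = {"all", "none", "any", "in-addr"}

def strip_comments(text):
    """Drop everything after '#' on each line, as squidGuard does."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())

def declared_classes(text):
    """Names introduced by 'dest NAME {' (or 'destination NAME {')."""
    return set(re.findall(r"^\s*dest(?:ination)?\s+(\S+)\s*\{", text, re.M))

def pass_rules(text):
    """Return (acl_name, tokens) for each 'pass' line inside the acl block."""
    rules, in_acl, current = [], False, None
    for line in text.splitlines():
        s = line.strip()
        if not in_acl:
            in_acl = bool(re.match(r"acl\s*\{", s))
            continue
        if s == "}":                      # closes a source group, or the acl block
            in_acl, current = (current is not None), None
            continue
        head = re.match(r"\}?\s*(\S+)(?:\s+within\s+\S+)?\s*\{$", s)
        if head:                          # "default {", "kids within workhours {"
            current = current + "/else" if head.group(1) == "else" else head.group(1)
        elif s.startswith("pass"):
            rules.append((current, s.split()[1:]))
    return rules

def check_config(text):
    """Return findings for undeclared classes and open-ended pass rules."""
    text = strip_comments(text)
    declared, findings = declared_classes(text), []
    for acl_name, tokens in pass_rules(text):
        for ref in (t.lstrip("!") for t in tokens):
            if ref not in declared and ref not in BUILTIN_CLASSES:
                findings.append(f"acl {acl_name}: pass references undeclared class '{ref}'")
        if not tokens or tokens[-1] not in ("all", "none"):
            findings.append(f"acl {acl_name}: pass rule does not end with an explicit all/none")
    return findings
```

Run it against the real file before restarting squid; a clean result is an empty list, and `squidGuard -C all` / `squid3 -k parse` remain the authoritative checks for the databases and squid.conf themselves.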