--------------------- PatchSet 11460 Date: 2007/06/03 00:15:53 Author: hno Branch: SQUID_2_6 Tag: (none) Log: Author: adrian Shuffle around various configuration options into their own sections Merged changes: 11429 2007/05/13 21:26:47 hno +154 -153 Move the delay pool parameters up before the MISC section (was in the middle of it..) 11429(11434) 2007/05/13 23:38:55 adrian +203 -195 Shuffle the WCCPv1/WCCPv2 options around into its own defined section. 11429(11435) 2007/05/13 23:41:25 adrian +50 -43 Shift persistent connections options out of "miscellaneous" and into 11429(11436) 2007/05/14 00:05:26 adrian +74 -69 Shuffle Cache Digest options into its own section; capitalise section names. Members: src/cf.data.pre:1.382.2.2->1.382.2.3 Index: squid/src/cf.data.pre =================================================================== RCS file: /cvsroot/squid/squid/src/cf.data.pre,v retrieving revision 1.382.2.2 retrieving revision 1.382.2.3 diff -u -r1.382.2.2 -r1.382.2.3 --- squid/src/cf.data.pre 24 Apr 2007 21:30:03 -0000 1.382.2.2 +++ squid/src/cf.data.pre 3 Jun 2007 00:15:53 -0000 1.382.2.3 @@ -1,6 +1,6 @@ # -# $Id: cf.data.pre,v 1.382.2.2 2007/04/24 21:30:03 hno Exp $ +# $Id: cf.data.pre,v 1.382.2.3 2007/06/03 00:15:53 hno Exp $ # # # SQUID Web Proxy Cache http://www.squid-cache.org/ @@ -3483,1098 +3483,1227 @@ sporadically hang or never complete requests set this to on. DOC_END + COMMENT_START - MISCELLANEOUS + DELAY POOL PARAMETERS (all require DELAY_POOLS compilation option) ----------------------------------------------------------------------------- COMMENT_END -NAME: dns_testnames -TYPE: wordlist -LOC: Config.dns_testname_list +NAME: delay_pools +TYPE: delay_pool_count +DEFAULT: 0 +IFDEF: DELAY_POOLS +LOC: Config.Delay +DOC_START + This represents the number of delay pools to be used. For example, + if you have one class 2 delay pool and one class 3 delays pool, you + have a total of 2 delay pools. +DOC_END + +NAME: delay_class +TYPE: delay_pool_class DEFAULT: none -DEFAULT_IF_NONE: netscape.com internic.net nlanr.net microsoft.com +IFDEF: DELAY_POOLS +LOC: Config.Delay DOC_START - The DNS tests exit as soon as the first site is successfully looked up + This defines the class of each delay pool. There must be exactly one + delay_class line for each delay pool. For example, to define two + delay pools, one of class 2 and one of class 3, the settings above + and here would be: - This test can be disabled with the -D command line option. -DOC_END +Example: + delay_pools 2 # 2 delay pools + delay_class 1 2 # pool 1 is a class 2 pool + delay_class 2 3 # pool 2 is a class 3 pool + The delay pool classes are: -NAME: logfile_rotate -TYPE: int -DEFAULT: 10 -LOC: Config.Log.rotateNumber -DOC_START - Specifies the number of logfile rotations to make when you - type 'squid -k rotate'. The default is 10, which will rotate - with extensions 0 through 9. Setting logfile_rotate to 0 will - disable the rotation, but the logfiles are still closed and - re-opened. This will enable you to rename the logfiles - yourself just before sending the rotate signal. + class 1 Everything is limited by a single aggregate + bucket. - Note, the 'squid -k rotate' command normally sends a USR1 - signal to the running squid process. In certain situations - (e.g. on Linux with Async I/O), USR1 is used for other - purposes, so -k rotate uses another signal. It is best to get - in the habit of using 'squid -k rotate' instead of 'kill -USR1 - '. -DOC_END + class 2 Everything is limited by a single aggregate + bucket as well as an "individual" bucket chosen + from bits 25 through 32 of the IP address. + class 3 Everything is limited by a single aggregate + bucket as well as a "network" bucket chosen + from bits 17 through 24 of the IP address and a + "individual" bucket chosen from bits 17 through + 32 of the IP address. -NAME: append_domain -TYPE: string -LOC: Config.appendDomain + NOTE: If an IP address is a.b.c.d + -> bits 25 through 32 are "d" + -> bits 17 through 24 are "c" + -> bits 17 through 32 are "c * 256 + d" +DOC_END + +NAME: delay_access +TYPE: delay_pool_access DEFAULT: none +IFDEF: DELAY_POOLS +LOC: Config.Delay DOC_START - Appends local domain name to hostnames without any dots in - them. append_domain must begin with a period. - - Be warned there are now Internet names with no dots in - them using only top-domain names, so setting this may - cause some Internet sites to become unavailable. + This is used to determine which delay pool a request falls into. -Example: - append_domain .yourdomain.com -DOC_END + delay_access is sorted per pool and the matching starts with pool 1, + then pool 2, ..., and finally pool N. The first delay pool where the + request is allowed is selected for the request. If it does not allow + the request to any pool then the request is not delayed (default). + For example, if you want some_big_clients in delay + pool 1 and lotsa_little_clients in delay pool 2: -NAME: tcp_recv_bufsize -COMMENT: (bytes) -TYPE: b_size_t -DEFAULT: 0 bytes -LOC: Config.tcpRcvBufsz -DOC_START - Size of receive buffer to set for TCP sockets. Probably just - as easy to change your kernel's default. Set to zero to use - the default buffer size. +Example: + delay_access 1 allow some_big_clients + delay_access 1 deny all + delay_access 2 allow lotsa_little_clients + delay_access 2 deny all DOC_END -NAME: error_map -TYPE: errormap -LOC: Config.errorMapList +NAME: delay_parameters +TYPE: delay_pool_rates DEFAULT: none +IFDEF: DELAY_POOLS +LOC: Config.Delay DOC_START - Map errors to custom messages + This defines the parameters for a delay pool. Each delay pool has + a number of "buckets" associated with it, as explained in the + description of delay_class. For a class 1 delay pool, the syntax is: - error_map message_url http_status ... +delay_parameters pool aggregate - http_status ... is a list of HTTP status codes or Squid error - messages. + For a class 2 delay pool: - Use in accelerators to substitute the error messages returned - by servers with other custom errors. +delay_parameters pool aggregate individual - error_map http://your.server/error/404.shtml 404 - - Requests for error messages is a GET request for the configured - URL with the following special headers + For a class 3 delay pool: - X-Error-Status: The received HTTP status code (i.e. 404) - X-Request-URI: The requested URI where the error occurred - - In Addition the following headers are forwarded from the client - request: - - User-Agent, Cookie, X-Forwarded-For, Via, Authorization, - Accept, Referer - - And the following headers from the server reply: +delay_parameters pool aggregate network individual - Server, Via, Location, Content-Location - - The reply returned to the client will carry the original HTTP - headers from the real error message, but with the reply body - of the configured error message. + The variables here are: -DOC_END + pool a pool number - ie, a number between 1 and the + number specified in delay_pools as used in + delay_class lines. -NAME: err_html_text -TYPE: eol -LOC: Config.errHtmlText -DEFAULT: none -DOC_START - HTML text to include in error messages. Make this a "mailto" - URL to your admin address, or maybe just a link to your - organizations Web page. + aggregate the "delay parameters" for the aggregate bucket + (class 1, 2, 3). - To include this in your error messages, you must rewrite - the error template files (found in the "errors" directory). - Wherever you want the 'err_html_text' line to appear, - insert a %L tag in the error template file. -DOC_END + individual the "delay parameters" for the individual + buckets (class 2, 3). -NAME: deny_info -TYPE: denyinfo -LOC: Config.denyInfoList -DEFAULT: none -DOC_START - Usage: deny_info err_page_name acl - or deny_info http://... acl - Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys + network the "delay parameters" for the network buckets + (class 3). - This can be used to return a ERR_ page for requests which - do not pass the 'http_access' rules. A single ACL will cause - the http_access check to fail. If a 'deny_info' line exists - for that ACL Squid returns a corresponding error page. + A pair of delay parameters is written restore/maximum, where restore is + the number of bytes (not bits - modem and network speeds are usually + quoted in bits) per second placed into the bucket, and maximum is the + maximum number of bytes which can be in the bucket at any time. - You may use ERR_ pages that come with Squid or create your own pages - and put them into the configured errors/ directory. + For example, if delay pool number 1 is a class 2 delay pool as in the + above example, and is being used to strictly limit each host to 64kbps + (plus overheads), with no overall limit, the line is: - Alternatively you can specify an error URL. The browsers will - get redirected (302) to the specified URL. %s in the redirection - URL will be replaced by the requested URL. +delay_parameters 1 -1/-1 8000/8000 - Alternatively you can tell Squid to reset the TCP connection - by specifying TCP_RESET. -DOC_END + Note that the figure -1 is used to represent "unlimited". -NAME: memory_pools -COMMENT: on|off -TYPE: onoff -DEFAULT: on -LOC: Config.onoff.mem_pools -DOC_START - If set, Squid will keep pools of allocated (but unused) memory - available for future use. If memory is a premium on your - system and you believe your malloc library outperforms Squid - routines, disable this. + And, if delay pool number 2 is a class 3 delay pool as in the above + example, and you want to limit it to a total of 256kbps (strict limit) + with each 8-bit network permitted 64kbps (strict limit) and each + individual host permitted 4800bps with a bucket maximum size of 64kb + to permit a decent web page to be downloaded at a decent speed + (if the network is not being limited due to overuse) but slow down + large downloads more significantly: + +delay_parameters 2 32000/32000 8000/8000 600/8000 + + There must be one delay_parameters line for each delay pool. DOC_END -NAME: memory_pools_limit -COMMENT: (bytes) -TYPE: b_size_t -DEFAULT: 5 MB -LOC: Config.MemPools.limit +NAME: delay_initial_bucket_level +COMMENT: (percent, 0-100) +TYPE: ushort +DEFAULT: 50 +IFDEF: DELAY_POOLS +LOC: Config.Delay.initial DOC_START - Used only with memory_pools on: - memory_pools_limit 50 MB + The initial bucket percentage is used to determine how much is put + in each bucket when squid starts, is reconfigured, or first notices + a host accessing it (in class 2 and class 3, individual hosts and + networks only have buckets associated with them once they have been + "seen" by squid). +DOC_END - If set to a non-zero value, Squid will keep at most the specified - limit of allocated (but unused) memory in memory pools. All free() - requests that exceed this limit will be handled by your malloc - library. Squid does not pre-allocate any memory, just safe-keeps - objects that otherwise would be free()d. Thus, it is safe to set - memory_pools_limit to a reasonably high value even if your - configuration will use less memory. +COMMENT_START - If set to zero, Squid will keep all memory it can. That is, there - will be no limit on the total amount of memory used for safe-keeping. + WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS + ----------------------------------------------------------------------------- - To disable memory allocation optimization, do not set - memory_pools_limit to 0. Set memory_pools to "off" instead. +COMMENT_END - An overhead for maintaining memory pools is not taken into account - when the limit is checked. This overhead is close to four bytes per - object kept. However, pools may actually _save_ memory because of - reduced memory thrashing in your malloc library. -DOC_END - -NAME: via -IFDEF: HTTP_VIOLATIONS -COMMENT: on|off -TYPE: onoff -DEFAULT: on -LOC: Config.onoff.via -DOC_START - If set (default), Squid will include a Via header in requests and - replies. -DOC_END - -NAME: forwarded_for -COMMENT: on|off -TYPE: onoff -DEFAULT: on -LOC: opt_forwarded_for +NAME: wccp_router +TYPE: address +LOC: Config.Wccp.router +DEFAULT: 0.0.0.0 +IFDEF: USE_WCCP +DOC_NONE +NAME: wccp2_router +TYPE: sockaddr_in_list +LOC: Config.Wccp2.router +DEFAULT: none +IFDEF: USE_WCCPv2 DOC_START - If set, Squid will include your system's IP address or name - in the HTTP requests it forwards. By default it looks like - this: + Use this option to define your WCCP ``home'' router for + Squid. - X-Forwarded-For: 192.1.2.3 + wccp_router supports a single WCCP(v1) router - If you disable this, it will appear as + wccp2_router supports multiple WCCPv2 routers - X-Forwarded-For: unknown + only one of the two may be used at the same time and defines + which version of WCCP to use. DOC_END +NAME: wccp_version +TYPE: int +LOC: Config.Wccp.version +DEFAULT: 4 +IFDEF: USE_WCCP +DOC_START + This directive is only relevant if you need to set up WCCP(v1) + to some very old and end-of-life Cisco routers. In all other + setups it must be left unset or at the default setting. + It defines an internal version in the WCCP(v1) protocol, + with version 4 being the officially documented protocol. + + According to some users, Cisco IOS 11.2 and earlier only + support WCCP version 3. If you're using that or an earlier + version of IOS, you may need to change this value to 3, otherwise + do not specify this parameter. +DOC_END -NAME: log_icp_queries -COMMENT: on|off +NAME: wccp2_rebuild_wait TYPE: onoff +LOC: Config.Wccp2.rebuildwait DEFAULT: on -LOC: Config.onoff.log_udp +IFDEF: USE_WCCPv2 DOC_START - If set, ICP queries are logged to access.log. You may wish - do disable this if your ICP load is VERY high to speed things - up or to simplify log analysis. + If this is enabled Squid will wait for the cache dir rebuild to finish + before sending the first wccp2 HereIAm packet DOC_END -NAME: icp_hit_stale -COMMENT: on|off -TYPE: onoff -DEFAULT: off -LOC: Config.onoff.icp_hit_stale +NAME: wccp2_forwarding_method +TYPE: int +LOC: Config.Wccp2.forwarding_method +DEFAULT: 1 +IFDEF: USE_WCCPv2 DOC_START - If you want to return ICP_HIT for stale cache objects, set this - option to 'on'. If you have sibling relationships with caches - in other administrative domains, this should be 'off'. If you only - have sibling relationships with caches under your control, - it is probably okay to set this to 'on'. - If set to 'on', your siblings should use the option "allow-miss" - on their cache_peer lines for connecting to you. -DOC_END + WCCP2 allows the setting of forwarding methods between the + router/switch and the cache. Valid values are as follows: + 1 - GRE encapsulation (forward the packet in a GRE/WCCP tunnel) + 2 - L2 redirect (forward the packet using Layer 2/MAC rewriting) -NAME: minimum_direct_hops + Currently (as of IOS 12.4) cisco routers only support GRE. + Cisco switches only support the L2 redirect assignment method. +DOC_END + +NAME: wccp2_return_method TYPE: int -DEFAULT: 4 -LOC: Config.minDirectHops +LOC: Config.Wccp2.return_method +DEFAULT: 1 +IFDEF: USE_WCCPv2 DOC_START - If using the ICMP pinging stuff, do direct fetches for sites - which are no more than this many hops away. + WCCP2 allows the setting of return methods between the + router/switch and the cache for packets that the cache + decides not to handle. Valid values are as follows: + + 1 - GRE encapsulation (forward the packet in a GRE/WCCP tunnel) + 2 - L2 redirect (forward the packet using Layer 2/MAC rewriting) + + Currently (as of IOS 12.4) cisco routers only support GRE. + Cisco switches only support the L2 redirect assignment. + + If the "ip wccp redirect exclude in" command has been + enabled on the cache interface, then it is still safe for + the proxy server to use a l2 redirect method even if this + option is set to GRE. DOC_END -NAME: minimum_direct_rtt +NAME: wccp2_assignment_method TYPE: int -DEFAULT: 400 -LOC: Config.minDirectRtt +LOC: Config.Wccp2.assignment_method +DEFAULT: 1 +IFDEF: USE_WCCPv2 DOC_START - If using the ICMP pinging stuff, do direct fetches for sites - which are no more than this many rtt milliseconds away. + WCCP2 allows the setting of methods to assign the WCCP hash + Valid values are as follows: + + 1 - Hash assignment + 2 - Mask assignment + + As a general rule, cisco routers support the hash assignment method + and cisco switches support the mask assignment method. DOC_END -NAME: cachemgr_passwd -TYPE: cachemgrpasswd +NAME: wccp2_service +TYPE: wccp2_service +LOC: Config.Wccp2.info DEFAULT: none -LOC: Config.passwd_list +DEFAULT_IF_NONE: standard 0 +IFDEF: USE_WCCPv2 DOC_START - Specify passwords for cachemgr operations. - - Usage: cachemgr_passwd password action action ... + WCCP2 allows for multiple traffic services. There are two + types: "standard" and "dynamic". The standard type defines + one service id - http (id 0). The dynamic service ids can be from + 51 to 255 inclusive. In order to use a dynamic service id + one must define the type of traffic to be redirected; this is done + using the wccp2_service_info option. - Some valid actions are (see cache manager menu for a full list): - 5min - 60min - asndb - authenticator - cbdata - client_list - comm_incoming - config * - counters - delay - digest_stats - dns - events - filedescriptors - fqdncache - histograms - http_headers - info - io - ipcache - mem - menu - netdb - non_peers - objects - offline_toggle * - pconn - peer_select - redirector - refresh - server_list - shutdown * - store_digest - storedir - utilization - via_headers - vm_objects + The "standard" type does not require a wccp2_service_info option, + just specifying the service id will suffice. - * Indicates actions which will not be performed without a - valid password, others can be performed if not listed here. + MD5 service authentication can be enabled by adding + "password=" to the end of this service declaration. - To disable an action, set the password to "disable". - To allow performing an action without a password, set the - password to "none". + Examples: - Use the keyword "all" to set the same password for all actions. + wccp2_service standard 0 # for the 'web-cache' standard service + wccp2_service dynamic 80 # a dynamic service type which will be + # fleshed out with subsequent options. + wccp2_service standard 0 password=foo -Example: - cachemgr_passwd secret shutdown - cachemgr_passwd lesssssssecret info stats/objects - cachemgr_passwd disable all DOC_END -NAME: store_avg_object_size -COMMENT: (kbytes) -TYPE: kb_size_t -DEFAULT: 13 KB -LOC: Config.Store.avgObjectSize +NAME: wccp2_service_info +TYPE: wccp2_service_info +LOC: Config.Wccp2.info +DEFAULT: none +IFDEF: USE_WCCPv2 DOC_START - Average object size, used to estimate number of objects your - cache can hold. The default is 13 KB. -DOC_END + Dynamic WCCPv2 services require further information to define the + traffic you wish to have diverted. -NAME: store_objects_per_bucket -TYPE: int -DEFAULT: 20 -LOC: Config.Store.objectsPerBucket -DOC_START - Target number of objects per bucket in the store hash table. - Lowering this value increases the total number of buckets and - also the storage maintenance rate. The default is 50. -DOC_END + The format is: -NAME: client_db -COMMENT: on|off -TYPE: onoff -DEFAULT: on -LOC: Config.onoff.client_db -DOC_START - If you want to disable collecting per-client statistics, - turn off client_db here. -DOC_END + wccp2_service_info protocol= flags=,.. + priority= ports=,.. + The relevant WCCPv2 flags: + + src_ip_hash, dst_ip_hash + + source_port_hash, dest_port_hash + + src_ip_alt_hash, dst_ip_alt_hash + + src_port_alt_hash, dst_port_alt_hash + + ports_source -NAME: netdb_low -TYPE: int -DEFAULT: 900 -LOC: Config.Netdb.low -DOC_NONE + The port list can be one to eight entries. -NAME: netdb_high + Example: + + wccp2_service_info 80 protocol=tcp flags=src_ip_hash,ports_source + priority=240 ports=80 + + Note: the service id must have been defined by a previous + 'wccp2_service dynamic ' entry. +DOC_END + +NAME: wccp2_weight TYPE: int -DEFAULT: 1000 -LOC: Config.Netdb.high +LOC: Config.Wccp2.weight +DEFAULT: 10000 +IFDEF: USE_WCCPv2 DOC_START - The low and high water marks for the ICMP measurement - database. These are counts, not percents. The defaults are - 900 and 1000. When the high water mark is reached, database - entries will be deleted until the low mark is reached. + Each cache server gets assigned a set of the destination + hash proportional to their weight. DOC_END - -NAME: netdb_ping_period -TYPE: time_t -LOC: Config.Netdb.period -DEFAULT: 5 minutes +NAME: wccp_address +TYPE: address +LOC: Config.Wccp.address +DEFAULT: 0.0.0.0 +IFDEF: USE_WCCP +DOC_NONE +NAME: wccp2_address +TYPE: address +LOC: Config.Wccp2.address +DEFAULT: 0.0.0.0 +IFDEF: USE_WCCPv2 DOC_START - The minimum period for measuring a site. There will be at - least this much delay between successive pings to the same - network. The default is five minutes. + Use this option if you require WCCP to use a specific + interface address. + + The default behavior is to not bind to any specific address. DOC_END +COMMENT_START + PERSISTENT CONNECTION HANDLING -NAME: query_icmp -COMMENT: on|off + Also see "pconn_timeout" in the TIMEOUTS section + ----------------------------------------------------------------------------- +COMMENT_END + +NAME: client_persistent_connections TYPE: onoff -DEFAULT: off -LOC: Config.onoff.query_icmp -DOC_START - If you want to ask your peers to include ICMP data in their ICP - replies, enable this option. +LOC: Config.onoff.client_pconns +DEFAULT: on +DOC_NONE - If your peer has configured Squid (during compilation) with - '--enable-icmp' that peer will send ICMP pings to origin server - sites of the URLs it receives. If you enable this option the - ICP replies from that peer will include the ICMP data (if available). - Then, when choosing a parent cache, Squid will choose the parent with - the minimal RTT to the origin server. When this happens, the - hierarchy field of the access.log will be - "CLOSEST_PARENT_MISS". This option is off by default. +NAME: server_persistent_connections +TYPE: onoff +LOC: Config.onoff.server_pconns +DEFAULT: on +DOC_START + Persistent connection support for clients and servers. By + default, Squid uses persistent connections (when allowed) + with its clients and servers. You can use these options to + disable persistent connections with clients and/or servers. DOC_END -NAME: test_reachability -COMMENT: on|off +NAME: persistent_connection_after_error TYPE: onoff +LOC: Config.onoff.error_pconns DEFAULT: off -LOC: Config.onoff.test_reachability DOC_START - When this is 'on', ICP MISS replies will be ICP_MISS_NOFETCH - instead of ICP_MISS if the target host is NOT in the ICMP - database, or has a zero RTT. + With this directive the use of persistent connections after + HTTP errors can be disabled. Useful if you have clients + who fail to handle errors on persistent connections proper. DOC_END -NAME: buffered_logs -COMMENT: on|off +NAME: detect_broken_pconn TYPE: onoff +LOC: Config.onoff.detect_broken_server_pconns DEFAULT: off -LOC: Config.onoff.buffered_logs DOC_START - cache.log log file is written with stdio functions, and as such - it can be buffered or unbuffered. By default it will be unbuffered. - Buffering it can speed up the writing slightly (though you are - unlikely to need to worry unless you run with tons of debugging - enabled in which case performance will suffer badly anyway..). + Some servers have been found to incorrectly signal the use + of HTTP/1.0 persistent connections even on replies not + compatible, causing significant delays. This server problem + has mostly been seen on redirects. + + By enabling this directive Squid attempts to detect such + broken replies and automatically assume the reply is finished + after 10 seconds timeout. DOC_END -NAME: reload_into_ims -IFDEF: HTTP_VIOLATIONS -COMMENT: on|off +COMMENT_START + CACHE DIGEST OPTIONS + ----------------------------------------------------------------------------- +COMMENT_END + +NAME: digest_generation +IFDEF: USE_CACHE_DIGESTS TYPE: onoff -DEFAULT: off -LOC: Config.onoff.reload_into_ims +LOC: Config.onoff.digest_generation +DEFAULT: on DOC_START - When you enable this option, client no-cache or ``reload'' - requests will be changed to If-Modified-Since requests. - Doing this VIOLATES the HTTP standard. Enabling this - feature could make you liable for problems which it - causes. - - see also refresh_pattern for a more selective approach. + This controls whether the server will generate a Cache Digest + of its contents. By default, Cache Digest generation is + enabled if Squid is compiled with USE_CACHE_DIGESTS defined. DOC_END -NAME: always_direct -TYPE: acl_access -LOC: Config.accessList.AlwaysDirect -DEFAULT: none +NAME: digest_bits_per_entry +IFDEF: USE_CACHE_DIGESTS +TYPE: int +LOC: Config.digest.bits_per_entry +DEFAULT: 5 DOC_START - Usage: always_direct allow|deny [!]aclname ... + This is the number of bits of the server's Cache Digest which + will be associated with the Digest entry for a given HTTP + Method and URL (public key) combination. The default is 5. +DOC_END - Here you can use ACL elements to specify requests which should - ALWAYS be forwarded by Squid to the origin servers without using - any peers. For example, to always directly forward requests for - local servers ignoring any parents or siblings you may have use - something like: +NAME: digest_rebuild_period +IFDEF: USE_CACHE_DIGESTS +COMMENT: (seconds) +TYPE: time_t +LOC: Config.digest.rebuild_period +DEFAULT: 1 hour +DOC_START + This is the number of seconds between Cache Digest rebuilds. +DOC_END - acl local-servers dstdomain my.domain.net - always_direct allow local-servers +NAME: digest_rewrite_period +COMMENT: (seconds) +IFDEF: USE_CACHE_DIGESTS +TYPE: time_t +LOC: Config.digest.rewrite_period +DEFAULT: 1 hour +DOC_START + This is the number of seconds between Cache Digest writes to + disk. +DOC_END - To always forward FTP requests directly, use +NAME: digest_swapout_chunk_size +COMMENT: (bytes) +TYPE: b_size_t +IFDEF: USE_CACHE_DIGESTS +LOC: Config.digest.swapout_chunk_size +DEFAULT: 4096 bytes +DOC_START + This is the number of bytes of the Cache Digest to write to + disk at a time. It defaults to 4096 bytes (4KB), the Squid + default swap page. +DOC_END - acl FTP proto FTP - always_direct allow FTP +NAME: digest_rebuild_chunk_percentage +COMMENT: (percent, 0-100) +IFDEF: USE_CACHE_DIGESTS +TYPE: int +LOC: Config.digest.rebuild_chunk_percentage +DEFAULT: 10 +DOC_START + This is the percentage of the Cache Digest to be scanned at a + time. By default it is set to 10% of the Cache Digest. +DOC_END - NOTE: There is a similar, but opposite option named - 'never_direct'. You need to be aware that "always_direct deny - foo" is NOT the same thing as "never_direct allow foo". You - may need to use a deny rule to exclude a more-specific case of - some other rule. Example: - acl local-external dstdomain external.foo.net - acl local-servers dstdomain .foo.net - always_direct deny local-external - always_direct allow local-servers - NOTE: If your goal is to make the client forward the request - directly to the origin server bypassing Squid then this needs - to be done in the client configuration. Squid configuration - can only tell Squid how Squid should fetch the object. +COMMENT_START + MISCELLANEOUS + ----------------------------------------------------------------------------- +COMMENT_END - NOTE: This directive is not related to caching. The replies - is cached as usual even if you use always_direct. To not cache - the replies see no_cache. +NAME: dns_testnames +TYPE: wordlist +LOC: Config.dns_testname_list +DEFAULT: none +DEFAULT_IF_NONE: netscape.com internic.net nlanr.net microsoft.com +DOC_START + The DNS tests exit as soon as the first site is successfully looked up - This option replaces some v1.1 options such as local_domain - and local_ip. + This test can be disabled with the -D command line option. DOC_END -NAME: never_direct -TYPE: acl_access -LOC: Config.accessList.NeverDirect -DEFAULT: none + +NAME: logfile_rotate +TYPE: int +DEFAULT: 10 +LOC: Config.Log.rotateNumber DOC_START - Usage: never_direct allow|deny [!]aclname ... + Specifies the number of logfile rotations to make when you + type 'squid -k rotate'. The default is 10, which will rotate + with extensions 0 through 9. Setting logfile_rotate to 0 will + disable the rotation, but the logfiles are still closed and + re-opened. This will enable you to rename the logfiles + yourself just before sending the rotate signal. - never_direct is the opposite of always_direct. Please read - the description for always_direct if you have not already. + Note, the 'squid -k rotate' command normally sends a USR1 + signal to the running squid process. In certain situations + (e.g. on Linux with Async I/O), USR1 is used for other + purposes, so -k rotate uses another signal. It is best to get + in the habit of using 'squid -k rotate' instead of 'kill -USR1 + '. +DOC_END - With 'never_direct' you can use ACL elements to specify - requests which should NEVER be forwarded directly to origin - servers. For example, to force the use of a proxy for all - requests, except those in your local domain use something like: - acl local-servers dstdomain .foo.net - acl all src 0.0.0.0/0.0.0.0 - never_direct deny local-servers - never_direct allow all +NAME: append_domain +TYPE: string +LOC: Config.appendDomain +DEFAULT: none +DOC_START + Appends local domain name to hostnames without any dots in + them. append_domain must begin with a period. - or if Squid is inside a firewall and there are local intranet - servers inside the firewall use something like: + Be warned there are now Internet names with no dots in + them using only top-domain names, so setting this may + cause some Internet sites to become unavailable. - acl local-intranet dstdomain .foo.net - acl local-external dstdomain external.foo.net - always_direct deny local-external - always_direct allow local-intranet - never_direct allow all +Example: + append_domain .yourdomain.com +DOC_END - This option replaces some v1.1 options such as inside_firewall - and firewall_ip. + +NAME: tcp_recv_bufsize +COMMENT: (bytes) +TYPE: b_size_t +DEFAULT: 0 bytes +LOC: Config.tcpRcvBufsz +DOC_START + Size of receive buffer to set for TCP sockets. Probably just + as easy to change your kernel's default. Set to zero to use + the default buffer size. DOC_END -NAME: header_access -IFDEF: HTTP_VIOLATIONS -TYPE: http_header_access[] -LOC: Config.header_access +NAME: error_map +TYPE: errormap +LOC: Config.errorMapList DEFAULT: none DOC_START - Usage: header_access header_name allow|deny [!]aclname ... - - WARNING: Doing this VIOLATES the HTTP standard. Enabling - this feature could make you liable for problems which it - causes. + Map errors to custom messages - This option replaces the old 'anonymize_headers' and the - older 'http_anonymizer' option with something that is much - more configurable. This new method creates a list of ACLs - for each header, allowing you very fine-tuned header - mangling. + error_map message_url http_status ... - You can only specify known headers for the header name. - Other headers are reclassified as 'Other'. You can also - refer to all the headers with 'All'. + http_status ... is a list of HTTP status codes or Squid error + messages. - For example, to achieve the same behavior as the old - 'http_anonymizer standard' option, you should use: + Use in accelerators to substitute the error messages returned + by servers with other custom errors. - header_access From deny all - header_access Referer deny all - header_access Server deny all - header_access User-Agent deny all - header_access WWW-Authenticate deny all - header_access Link deny all + error_map http://your.server/error/404.shtml 404 + + Requests for error messages is a GET request for the configured + URL with the following special headers - Or, to reproduce the old 'http_anonymizer paranoid' feature - you should use: + X-Error-Status: The received HTTP status code (i.e. 404) + X-Request-URI: The requested URI where the error occurred + + In Addition the following headers are forwarded from the client + request: + + User-Agent, Cookie, X-Forwarded-For, Via, Authorization, + Accept, Referer + + And the following headers from the server reply: - header_access Allow allow all - header_access Authorization allow all - header_access WWW-Authenticate allow all - header_access Proxy-Authorization allow all - header_access Proxy-Authenticate allow all - header_access Cache-Control allow all - header_access Content-Encoding allow all - header_access Content-Length allow all - header_access Content-Type allow all - header_access Date allow all - header_access Expires allow all - header_access Host allow all - header_access If-Modified-Since allow all - header_access Last-Modified allow all - header_access Location allow all - header_access Pragma allow all - header_access Accept allow all - header_access Accept-Charset allow all - header_access Accept-Encoding allow all - header_access Accept-Language allow all - header_access Content-Language allow all - header_access Mime-Version allow all - header_access Retry-After allow all - header_access Title allow all - header_access Connection allow all - header_access Proxy-Connection allow all - header_access All deny all + Server, Via, Location, Content-Location + + The reply returned to the client will carry the original HTTP + headers from the real error message, but with the reply body + of the configured error message. - By default, all headers are allowed (no anonymizing is - performed). DOC_END -NAME: header_replace -IFDEF: HTTP_VIOLATIONS -TYPE: http_header_replace[] -LOC: Config.header_access +NAME: err_html_text +TYPE: eol +LOC: Config.errHtmlText DEFAULT: none DOC_START - Usage: header_replace header_name message - Example: header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit) - - This option allows you to change the contents of headers - denied with header_access above, by replacing them with - some fixed string. This replaces the old fake_user_agent - option. + HTML text to include in error messages. Make this a "mailto" + URL to your admin address, or maybe just a link to your + organizations Web page. - By default, headers are removed if denied. + To include this in your error messages, you must rewrite + the error template files (found in the "errors" directory). + Wherever you want the 'err_html_text' line to appear, + insert a %L tag in the error template file. DOC_END -NAME: icon_directory -TYPE: string -LOC: Config.icons.directory -DEFAULT: @DEFAULT_ICON_DIR@ +NAME: deny_info +TYPE: denyinfo +LOC: Config.denyInfoList +DEFAULT: none DOC_START - Where the icons are stored. These are normally kept in - @DEFAULT_ICON_DIR@ + Usage: deny_info err_page_name acl + or deny_info http://... acl + Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys + + This can be used to return a ERR_ page for requests which + do not pass the 'http_access' rules. A single ACL will cause + the http_access check to fail. If a 'deny_info' line exists + for that ACL Squid returns a corresponding error page. + + You may use ERR_ pages that come with Squid or create your own pages + and put them into the configured errors/ directory. + + Alternatively you can specify an error URL. The browsers will + get redirected (302) to the specified URL. %s in the redirection + URL will be replaced by the requested URL. + + Alternatively you can tell Squid to reset the TCP connection + by specifying TCP_RESET. DOC_END -NAME: global_internal_static +NAME: memory_pools +COMMENT: on|off TYPE: onoff -LOC: Config.onoff.global_internal_static DEFAULT: on +LOC: Config.onoff.mem_pools DOC_START - This directive controls is Squid should intercept all requests for - /squid-internal-static/ no matter which host the URL is requesting - (default on setting), or if nothing special should be done for - such URLs (off setting). The purpose of this directive is to make - icons etc work better in complex cache hierarchies where it may - not always be possible for all corners in the cache mesh to reach - the server generating a directory listing. + If set, Squid will keep pools of allocated (but unused) memory + available for future use. If memory is a premium on your + system and you believe your malloc library outperforms Squid + routines, disable this. DOC_END -NAME: short_icon_urls -TYPE: onoff -LOC: Config.icons.use_short_names -DEFAULT: off +NAME: memory_pools_limit +COMMENT: (bytes) +TYPE: b_size_t +DEFAULT: 5 MB +LOC: Config.MemPools.limit DOC_START - If this is enabled Squid will use short URLs for icons. + Used only with memory_pools on: + memory_pools_limit 50 MB - If off the URLs for icons will always be absolute URLs - including the proxy name and port. + If set to a non-zero value, Squid will keep at most the specified + limit of allocated (but unused) memory in memory pools. All free() + requests that exceed this limit will be handled by your malloc + library. Squid does not pre-allocate any memory, just safe-keeps + objects that otherwise would be free()d. Thus, it is safe to set + memory_pools_limit to a reasonably high value even if your + configuration will use less memory. + + If set to zero, Squid will keep all memory it can. That is, there + will be no limit on the total amount of memory used for safe-keeping. + + To disable memory allocation optimization, do not set + memory_pools_limit to 0. Set memory_pools to "off" instead. + + An overhead for maintaining memory pools is not taken into account + when the limit is checked. This overhead is close to four bytes per + object kept. However, pools may actually _save_ memory because of + reduced memory thrashing in your malloc library. DOC_END -NAME: error_directory -TYPE: string -LOC: Config.errorDirectory -DEFAULT: @DEFAULT_ERROR_DIR@ +NAME: via +IFDEF: HTTP_VIOLATIONS +COMMENT: on|off +TYPE: onoff +DEFAULT: on +LOC: Config.onoff.via DOC_START - If you wish to create your own versions of the default - (English) error files, either to customize them to suit your - language or company copy the template English files to another - directory and point this tag at them. + If set (default), Squid will include a Via header in requests and + replies. DOC_END -NAME: maximum_single_addr_tries -TYPE: int -LOC: Config.retry.maxtries -DEFAULT: 1 +NAME: forwarded_for +COMMENT: on|off +TYPE: onoff +DEFAULT: on +LOC: opt_forwarded_for DOC_START - This sets the maximum number of connection attempts for a - host that only has one address (for multiple-address hosts, - each address is tried once). + If set, Squid will include your system's IP address or name + in the HTTP requests it forwards. By default it looks like + this: - The default value is one attempt, the (not recommended) - maximum is 255 tries. A warning message will be generated - if it is set to a value greater than ten. + X-Forwarded-For: 192.1.2.3 - Note: This is in addition to the request re-forwarding which - takes place if Squid fails to get a satisfying response. + If you disable this, it will appear as + + X-Forwarded-For: unknown DOC_END -NAME: retry_on_error + +NAME: log_icp_queries +COMMENT: on|off TYPE: onoff -LOC: Config.retry.onerror -DEFAULT: off +DEFAULT: on +LOC: Config.onoff.log_udp DOC_START - If set to on Squid will automatically retry requests when - receiving an error response. This is mainly useful if you - are in a complex cache hierarchy to work around access - control errors. + If set, ICP queries are logged to access.log. You may wish + do disable this if your ICP load is VERY high to speed things + up or to simplify log analysis. DOC_END -NAME: snmp_port -TYPE: ushort -LOC: Config.Port.snmp -DEFAULT: 3401 -IFDEF: SQUID_SNMP +NAME: icp_hit_stale +COMMENT: on|off +TYPE: onoff +DEFAULT: off +LOC: Config.onoff.icp_hit_stale DOC_START - Squid can now serve statistics and status information via SNMP. - By default it listens to port 3401 on the machine. If you don't - wish to use SNMP, set this to "0". + If you want to return ICP_HIT for stale cache objects, set this + option to 'on'. If you have sibling relationships with caches + in other administrative domains, this should be 'off'. If you only + have sibling relationships with caches under your control, + it is probably okay to set this to 'on'. + If set to 'on', your siblings should use the option "allow-miss" + on their cache_peer lines for connecting to you. DOC_END -NAME: snmp_access -TYPE: acl_access -LOC: Config.accessList.snmp -DEFAULT: none -DEFAULT_IF_NONE: deny all -IFDEF: SQUID_SNMP -DOC_START - Allowing or denying access to the SNMP port. - - All access to the agent is denied by default. - usage: - snmp_access allow|deny [!]aclname ... +NAME: minimum_direct_hops +TYPE: int +DEFAULT: 4 +LOC: Config.minDirectHops +DOC_START + If using the ICMP pinging stuff, do direct fetches for sites + which are no more than this many hops away. +DOC_END -Example: - snmp_access allow snmppublic localhost - snmp_access deny all +NAME: minimum_direct_rtt +TYPE: int +DEFAULT: 400 +LOC: Config.minDirectRtt +DOC_START + If using the ICMP pinging stuff, do direct fetches for sites + which are no more than this many rtt milliseconds away. DOC_END -NAME: snmp_incoming_address -TYPE: address -LOC: Config.Addrs.snmp_incoming -DEFAULT: 0.0.0.0 -IFDEF: SQUID_SNMP -DOC_NONE -NAME: snmp_outgoing_address -TYPE: address -LOC: Config.Addrs.snmp_outgoing -DEFAULT: 255.255.255.255 -IFDEF: SQUID_SNMP +NAME: cachemgr_passwd +TYPE: cachemgrpasswd +DEFAULT: none +LOC: Config.passwd_list DOC_START - Just like 'udp_incoming_address' above, but for the SNMP port. + Specify passwords for cachemgr operations. - snmp_incoming_address is used for the SNMP socket receiving - messages from SNMP agents. - snmp_outgoing_address is used for SNMP packets returned to SNMP - agents. + Usage: cachemgr_passwd password action action ... - The default snmp_incoming_address (0.0.0.0) is to listen on all - available network interfaces. + Some valid actions are (see cache manager menu for a full list): + 5min + 60min + asndb + authenticator + cbdata + client_list + comm_incoming + config * + counters + delay + digest_stats + dns + events + filedescriptors + fqdncache + histograms + http_headers + info + io + ipcache + mem + menu + netdb + non_peers + objects + offline_toggle * + pconn + peer_select + redirector + refresh + server_list + shutdown * + store_digest + storedir + utilization + via_headers + vm_objects - If snmp_outgoing_address is set to 255.255.255.255 (the default) - it will use the same socket as snmp_incoming_address. Only - change this if you want to have SNMP replies sent using another - address than where this Squid listens for SNMP queries. + * Indicates actions which will not be performed without a + valid password, others can be performed if not listed here. - NOTE, snmp_incoming_address and snmp_outgoing_address can not have - the same value since they both use port 3401. -DOC_END + To disable an action, set the password to "disable". + To allow performing an action without a password, set the + password to "none". -NAME: as_whois_server -TYPE: string -LOC: Config.as_whois_server -DEFAULT: whois.ra.net -DEFAULT_IF_NONE: whois.ra.net -DOC_START - WHOIS server to query for AS numbers. NOTE: AS numbers are - queried only when Squid starts up, not for every request. + Use the keyword "all" to set the same password for all actions. + +Example: + cachemgr_passwd secret shutdown + cachemgr_passwd lesssssssecret info stats/objects + cachemgr_passwd disable all DOC_END -NAME: wccp_router -TYPE: address -LOC: Config.Wccp.router -DEFAULT: 0.0.0.0 -IFDEF: USE_WCCP -DOC_NONE -NAME: wccp2_router -TYPE: sockaddr_in_list -LOC: Config.Wccp2.router -DEFAULT: none -IFDEF: USE_WCCPv2 +NAME: store_avg_object_size +COMMENT: (kbytes) +TYPE: kb_size_t +DEFAULT: 13 KB +LOC: Config.Store.avgObjectSize DOC_START - Use this option to define your WCCP ``home'' router for - Squid. - - wccp_router supports a single WCCP(v1) router - - wccp2_router supports multiple WCCPv2 routers - - only one of the two may be used at the same time and defines - which version of WCCP to use. + Average object size, used to estimate number of objects your + cache can hold. The default is 13 KB. DOC_END -NAME: wccp_version +NAME: store_objects_per_bucket TYPE: int -LOC: Config.Wccp.version -DEFAULT: 4 -IFDEF: USE_WCCP +DEFAULT: 20 +LOC: Config.Store.objectsPerBucket DOC_START - This directive is only relevant if you need to set up WCCP(v1) - to some very old and end-of-life Cisco routers. In all other - setups it must be left unset or at the default setting. - It defines an internal version in the WCCP(v1) protocol, - with version 4 being the officially documented protocol. - - According to some users, Cisco IOS 11.2 and earlier only - support WCCP version 3. If you're using that or an earlier - version of IOS, you may need to change this value to 3, otherwise - do not specify this parameter. + Target number of objects per bucket in the store hash table. + Lowering this value increases the total number of buckets and + also the storage maintenance rate. The default is 50. DOC_END -NAME: wccp2_rebuild_wait +NAME: client_db +COMMENT: on|off TYPE: onoff -LOC: Config.Wccp2.rebuildwait DEFAULT: on -IFDEF: USE_WCCPv2 +LOC: Config.onoff.client_db DOC_START - If this is enabled Squid will wait for the cache dir rebuild to finish - before sending the first wccp2 HereIAm packet + If you want to disable collecting per-client statistics, + turn off client_db here. DOC_END -NAME: wccp2_forwarding_method -TYPE: int -LOC: Config.Wccp2.forwarding_method -DEFAULT: 1 -IFDEF: USE_WCCPv2 -DOC_START - WCCP2 allows the setting of forwarding methods between the - router/switch and the cache. Valid values are as follows: - - 1 - GRE encapsulation (forward the packet in a GRE/WCCP tunnel) - 2 - L2 redirect (forward the packet using Layer 2/MAC rewriting) - Currently (as of IOS 12.4) cisco routers only support GRE. - Cisco switches only support the L2 redirect assignment method. -DOC_END +NAME: netdb_low +TYPE: int +DEFAULT: 900 +LOC: Config.Netdb.low +DOC_NONE -NAME: wccp2_return_method +NAME: netdb_high TYPE: int -LOC: Config.Wccp2.return_method -DEFAULT: 1 -IFDEF: USE_WCCPv2 +DEFAULT: 1000 +LOC: Config.Netdb.high DOC_START - WCCP2 allows the setting of return methods between the - router/switch and the cache for packets that the cache - decides not to handle. Valid values are as follows: + The low and high water marks for the ICMP measurement + database. These are counts, not percents. The defaults are + 900 and 1000. When the high water mark is reached, database + entries will be deleted until the low mark is reached. +DOC_END - 1 - GRE encapsulation (forward the packet in a GRE/WCCP tunnel) - 2 - L2 redirect (forward the packet using Layer 2/MAC rewriting) - Currently (as of IOS 12.4) cisco routers only support GRE. - Cisco switches only support the L2 redirect assignment. - - If the "ip wccp redirect exclude in" command has been - enabled on the cache interface, then it is still safe for - the proxy server to use a l2 redirect method even if this - option is set to GRE. +NAME: netdb_ping_period +TYPE: time_t +LOC: Config.Netdb.period +DEFAULT: 5 minutes +DOC_START + The minimum period for measuring a site. There will be at + least this much delay between successive pings to the same + network. The default is five minutes. DOC_END -NAME: wccp2_assignment_method -TYPE: int -LOC: Config.Wccp2.assignment_method -DEFAULT: 1 -IFDEF: USE_WCCPv2 -DOC_START - WCCP2 allows the setting of methods to assign the WCCP hash - Valid values are as follows: - 1 - Hash assignment - 2 - Mask assignment +NAME: query_icmp +COMMENT: on|off +TYPE: onoff +DEFAULT: off +LOC: Config.onoff.query_icmp +DOC_START + If you want to ask your peers to include ICMP data in their ICP + replies, enable this option. - As a general rule, cisco routers support the hash assignment method - and cisco switches support the mask assignment method. + If your peer has configured Squid (during compilation) with + '--enable-icmp' that peer will send ICMP pings to origin server + sites of the URLs it receives. If you enable this option the + ICP replies from that peer will include the ICMP data (if available). + Then, when choosing a parent cache, Squid will choose the parent with + the minimal RTT to the origin server. When this happens, the + hierarchy field of the access.log will be + "CLOSEST_PARENT_MISS". This option is off by default. DOC_END -NAME: wccp2_service -TYPE: wccp2_service -LOC: Config.Wccp2.info -DEFAULT: none -DEFAULT_IF_NONE: standard 0 -IFDEF: USE_WCCPv2 +NAME: test_reachability +COMMENT: on|off +TYPE: onoff +DEFAULT: off +LOC: Config.onoff.test_reachability DOC_START - WCCP2 allows for multiple traffic services. There are two - types: "standard" and "dynamic". The standard type defines - one service id - http (id 0). The dynamic service ids can be from - 51 to 255 inclusive. In order to use a dynamic service id - one must define the type of traffic to be redirected; this is done - using the wccp2_service_info option. - - The "standard" type does not require a wccp2_service_info option, - just specifying the service id will suffice. - - MD5 service authentication can be enabled by adding - "password=" to the end of this service declaration. + When this is 'on', ICP MISS replies will be ICP_MISS_NOFETCH + instead of ICP_MISS if the target host is NOT in the ICMP + database, or has a zero RTT. +DOC_END - Examples: +NAME: buffered_logs +COMMENT: on|off +TYPE: onoff +DEFAULT: off +LOC: Config.onoff.buffered_logs +DOC_START + cache.log log file is written with stdio functions, and as such + it can be buffered or unbuffered. By default it will be unbuffered. + Buffering it can speed up the writing slightly (though you are + unlikely to need to worry unless you run with tons of debugging + enabled in which case performance will suffer badly anyway..). +DOC_END - wccp2_service standard 0 # for the 'web-cache' standard service - wccp2_service dynamic 80 # a dynamic service type which will be - # fleshed out with subsequent options. - wccp2_service standard 0 password=foo +NAME: reload_into_ims +IFDEF: HTTP_VIOLATIONS +COMMENT: on|off +TYPE: onoff +DEFAULT: off +LOC: Config.onoff.reload_into_ims +DOC_START + When you enable this option, client no-cache or ``reload'' + requests will be changed to If-Modified-Since requests. + Doing this VIOLATES the HTTP standard. Enabling this + feature could make you liable for problems which it + causes. + see also refresh_pattern for a more selective approach. DOC_END -NAME: wccp2_service_info -TYPE: wccp2_service_info -LOC: Config.Wccp2.info +NAME: always_direct +TYPE: acl_access +LOC: Config.accessList.AlwaysDirect DEFAULT: none -IFDEF: USE_WCCPv2 DOC_START - Dynamic WCCPv2 services require further information to define the - traffic you wish to have diverted. + Usage: always_direct allow|deny [!]aclname ... - The format is: + Here you can use ACL elements to specify requests which should + ALWAYS be forwarded by Squid to the origin servers without using + any peers. For example, to always directly forward requests for + local servers ignoring any parents or siblings you may have use + something like: - wccp2_service_info protocol= flags=,.. - priority= ports=,.. + acl local-servers dstdomain my.domain.net + always_direct allow local-servers - The relevant WCCPv2 flags: - + src_ip_hash, dst_ip_hash - + source_port_hash, dest_port_hash - + src_ip_alt_hash, dst_ip_alt_hash - + src_port_alt_hash, dst_port_alt_hash - + ports_source + To always forward FTP requests directly, use - The port list can be one to eight entries. + acl FTP proto FTP + always_direct allow FTP - Example: + NOTE: There is a similar, but opposite option named + 'never_direct'. You need to be aware that "always_direct deny + foo" is NOT the same thing as "never_direct allow foo". You + may need to use a deny rule to exclude a more-specific case of + some other rule. Example: - wccp2_service_info 80 protocol=tcp flags=src_ip_hash,ports_source - priority=240 ports=80 + acl local-external dstdomain external.foo.net + acl local-servers dstdomain .foo.net + always_direct deny local-external + always_direct allow local-servers - Note: the service id must have been defined by a previous - 'wccp2_service dynamic ' entry. -DOC_END + NOTE: If your goal is to make the client forward the request + directly to the origin server bypassing Squid then this needs + to be done in the client configuration. Squid configuration + can only tell Squid how Squid should fetch the object. -NAME: wccp2_weight -TYPE: int -LOC: Config.Wccp2.weight -DEFAULT: 10000 -IFDEF: USE_WCCPv2 -DOC_START - Each cache server gets assigned a set of the destination - hash proportional to their weight. + NOTE: This directive is not related to caching. The replies + is cached as usual even if you use always_direct. To not cache + the replies see no_cache. + + This option replaces some v1.1 options such as local_domain + and local_ip. DOC_END -NAME: wccp_address -TYPE: address -LOC: Config.Wccp.address -DEFAULT: 0.0.0.0 -IFDEF: USE_WCCP -DOC_NONE -NAME: wccp2_address -TYPE: address -LOC: Config.Wccp2.address -DEFAULT: 0.0.0.0 -IFDEF: USE_WCCPv2 +NAME: never_direct +TYPE: acl_access +LOC: Config.accessList.NeverDirect +DEFAULT: none DOC_START - Use this option if you require WCCP to use a specific - interface address. + Usage: never_direct allow|deny [!]aclname ... - The default behavior is to not bind to any specific address. -DOC_END + never_direct is the opposite of always_direct. Please read + the description for always_direct if you have not already. + With 'never_direct' you can use ACL elements to specify + requests which should NEVER be forwarded directly to origin + servers. For example, to force the use of a proxy for all + requests, except those in your local domain use something like: -COMMENT_START - DELAY POOL PARAMETERS (all require DELAY_POOLS compilation option) - ----------------------------------------------------------------------------- -COMMENT_END + acl local-servers dstdomain .foo.net + acl all src 0.0.0.0/0.0.0.0 + never_direct deny local-servers + never_direct allow all -NAME: delay_pools -TYPE: delay_pool_count -DEFAULT: 0 -IFDEF: DELAY_POOLS -LOC: Config.Delay -DOC_START - This represents the number of delay pools to be used. For example, - if you have one class 2 delay pool and one class 3 delays pool, you - have a total of 2 delay pools. + or if Squid is inside a firewall and there are local intranet + servers inside the firewall use something like: + + acl local-intranet dstdomain .foo.net + acl local-external dstdomain external.foo.net + always_direct deny local-external + always_direct allow local-intranet + never_direct allow all + + This option replaces some v1.1 options such as inside_firewall + and firewall_ip. DOC_END -NAME: delay_class -TYPE: delay_pool_class +NAME: header_access +IFDEF: HTTP_VIOLATIONS +TYPE: http_header_access[] +LOC: Config.header_access DEFAULT: none -IFDEF: DELAY_POOLS -LOC: Config.Delay DOC_START - This defines the class of each delay pool. There must be exactly one - delay_class line for each delay pool. For example, to define two - delay pools, one of class 2 and one of class 3, the settings above - and here would be: + Usage: header_access header_name allow|deny [!]aclname ... -Example: - delay_pools 2 # 2 delay pools - delay_class 1 2 # pool 1 is a class 2 pool - delay_class 2 3 # pool 2 is a class 3 pool + WARNING: Doing this VIOLATES the HTTP standard. Enabling + this feature could make you liable for problems which it + causes. - The delay pool classes are: + This option replaces the old 'anonymize_headers' and the + older 'http_anonymizer' option with something that is much + more configurable. This new method creates a list of ACLs + for each header, allowing you very fine-tuned header + mangling. - class 1 Everything is limited by a single aggregate - bucket. + You can only specify known headers for the header name. + Other headers are reclassified as 'Other'. You can also + refer to all the headers with 'All'. - class 2 Everything is limited by a single aggregate - bucket as well as an "individual" bucket chosen - from bits 25 through 32 of the IP address. + For example, to achieve the same behavior as the old + 'http_anonymizer standard' option, you should use: - class 3 Everything is limited by a single aggregate - bucket as well as a "network" bucket chosen - from bits 17 through 24 of the IP address and a - "individual" bucket chosen from bits 17 through - 32 of the IP address. + header_access From deny all + header_access Referer deny all + header_access Server deny all + header_access User-Agent deny all + header_access WWW-Authenticate deny all + header_access Link deny all - NOTE: If an IP address is a.b.c.d - -> bits 25 through 32 are "d" - -> bits 17 through 24 are "c" - -> bits 17 through 32 are "c * 256 + d" + Or, to reproduce the old 'http_anonymizer paranoid' feature + you should use: + + header_access Allow allow all + header_access Authorization allow all + header_access WWW-Authenticate allow all + header_access Proxy-Authorization allow all + header_access Proxy-Authenticate allow all + header_access Cache-Control allow all + header_access Content-Encoding allow all + header_access Content-Length allow all + header_access Content-Type allow all + header_access Date allow all + header_access Expires allow all + header_access Host allow all + header_access If-Modified-Since allow all + header_access Last-Modified allow all + header_access Location allow all + header_access Pragma allow all + header_access Accept allow all + header_access Accept-Charset allow all + header_access Accept-Encoding allow all + header_access Accept-Language allow all + header_access Content-Language allow all + header_access Mime-Version allow all + header_access Retry-After allow all + header_access Title allow all + header_access Connection allow all + header_access Proxy-Connection allow all + header_access All deny all + + By default, all headers are allowed (no anonymizing is + performed). DOC_END -NAME: delay_access -TYPE: delay_pool_access +NAME: header_replace +IFDEF: HTTP_VIOLATIONS +TYPE: http_header_replace[] +LOC: Config.header_access DEFAULT: none -IFDEF: DELAY_POOLS -LOC: Config.Delay DOC_START - This is used to determine which delay pool a request falls into. + Usage: header_replace header_name message + Example: header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit) - delay_access is sorted per pool and the matching starts with pool 1, - then pool 2, ..., and finally pool N. The first delay pool where the - request is allowed is selected for the request. If it does not allow - the request to any pool then the request is not delayed (default). + This option allows you to change the contents of headers + denied with header_access above, by replacing them with + some fixed string. This replaces the old fake_user_agent + option. - For example, if you want some_big_clients in delay - pool 1 and lotsa_little_clients in delay pool 2: + By default, headers are removed if denied. +DOC_END -Example: - delay_access 1 allow some_big_clients - delay_access 1 deny all - delay_access 2 allow lotsa_little_clients - delay_access 2 deny all +NAME: icon_directory +TYPE: string +LOC: Config.icons.directory +DEFAULT: @DEFAULT_ICON_DIR@ +DOC_START + Where the icons are stored. These are normally kept in + @DEFAULT_ICON_DIR@ DOC_END -NAME: delay_parameters -TYPE: delay_pool_rates -DEFAULT: none -IFDEF: DELAY_POOLS -LOC: Config.Delay +NAME: global_internal_static +TYPE: onoff +LOC: Config.onoff.global_internal_static +DEFAULT: on DOC_START - This defines the parameters for a delay pool. Each delay pool has - a number of "buckets" associated with it, as explained in the - description of delay_class. For a class 1 delay pool, the syntax is: + This directive controls is Squid should intercept all requests for + /squid-internal-static/ no matter which host the URL is requesting + (default on setting), or if nothing special should be done for + such URLs (off setting). The purpose of this directive is to make + icons etc work better in complex cache hierarchies where it may + not always be possible for all corners in the cache mesh to reach + the server generating a directory listing. +DOC_END -delay_parameters pool aggregate +NAME: short_icon_urls +TYPE: onoff +LOC: Config.icons.use_short_names +DEFAULT: off +DOC_START + If this is enabled Squid will use short URLs for icons. - For a class 2 delay pool: + If off the URLs for icons will always be absolute URLs + including the proxy name and port. +DOC_END -delay_parameters pool aggregate individual +NAME: error_directory +TYPE: string +LOC: Config.errorDirectory +DEFAULT: @DEFAULT_ERROR_DIR@ +DOC_START + If you wish to create your own versions of the default + (English) error files, either to customize them to suit your + language or company copy the template English files to another + directory and point this tag at them. +DOC_END - For a class 3 delay pool: +NAME: maximum_single_addr_tries +TYPE: int +LOC: Config.retry.maxtries +DEFAULT: 1 +DOC_START + This sets the maximum number of connection attempts for a + host that only has one address (for multiple-address hosts, + each address is tried once). -delay_parameters pool aggregate network individual + The default value is one attempt, the (not recommended) + maximum is 255 tries. A warning message will be generated + if it is set to a value greater than ten. - The variables here are: + Note: This is in addition to the request re-forwarding which + takes place if Squid fails to get a satisfying response. +DOC_END - pool a pool number - ie, a number between 1 and the - number specified in delay_pools as used in - delay_class lines. +NAME: retry_on_error +TYPE: onoff +LOC: Config.retry.onerror +DEFAULT: off +DOC_START + If set to on Squid will automatically retry requests when + receiving an error response. This is mainly useful if you + are in a complex cache hierarchy to work around access + control errors. +DOC_END - aggregate the "delay parameters" for the aggregate bucket - (class 1, 2, 3). +NAME: snmp_port +TYPE: ushort +LOC: Config.Port.snmp +DEFAULT: 3401 +IFDEF: SQUID_SNMP +DOC_START + Squid can now serve statistics and status information via SNMP. + By default it listens to port 3401 on the machine. If you don't + wish to use SNMP, set this to "0". +DOC_END - individual the "delay parameters" for the individual - buckets (class 2, 3). +NAME: snmp_access +TYPE: acl_access +LOC: Config.accessList.snmp +DEFAULT: none +DEFAULT_IF_NONE: deny all +IFDEF: SQUID_SNMP +DOC_START + Allowing or denying access to the SNMP port. - network the "delay parameters" for the network buckets - (class 3). + All access to the agent is denied by default. + usage: - A pair of delay parameters is written restore/maximum, where restore is - the number of bytes (not bits - modem and network speeds are usually - quoted in bits) per second placed into the bucket, and maximum is the - maximum number of bytes which can be in the bucket at any time. + snmp_access allow|deny [!]aclname ... - For example, if delay pool number 1 is a class 2 delay pool as in the - above example, and is being used to strictly limit each host to 64kbps - (plus overheads), with no overall limit, the line is: +Example: + snmp_access allow snmppublic localhost + snmp_access deny all +DOC_END -delay_parameters 1 -1/-1 8000/8000 +NAME: snmp_incoming_address +TYPE: address +LOC: Config.Addrs.snmp_incoming +DEFAULT: 0.0.0.0 +IFDEF: SQUID_SNMP +DOC_NONE +NAME: snmp_outgoing_address +TYPE: address +LOC: Config.Addrs.snmp_outgoing +DEFAULT: 255.255.255.255 +IFDEF: SQUID_SNMP +DOC_START + Just like 'udp_incoming_address' above, but for the SNMP port. - Note that the figure -1 is used to represent "unlimited". + snmp_incoming_address is used for the SNMP socket receiving + messages from SNMP agents. + snmp_outgoing_address is used for SNMP packets returned to SNMP + agents. - And, if delay pool number 2 is a class 3 delay pool as in the above - example, and you want to limit it to a total of 256kbps (strict limit) - with each 8-bit network permitted 64kbps (strict limit) and each - individual host permitted 4800bps with a bucket maximum size of 64kb - to permit a decent web page to be downloaded at a decent speed - (if the network is not being limited due to overuse) but slow down - large downloads more significantly: + The default snmp_incoming_address (0.0.0.0) is to listen on all + available network interfaces. -delay_parameters 2 32000/32000 8000/8000 600/8000 + If snmp_outgoing_address is set to 255.255.255.255 (the default) + it will use the same socket as snmp_incoming_address. Only + change this if you want to have SNMP replies sent using another + address than where this Squid listens for SNMP queries. - There must be one delay_parameters line for each delay pool. + NOTE, snmp_incoming_address and snmp_outgoing_address can not have + the same value since they both use port 3401. DOC_END -NAME: delay_initial_bucket_level -COMMENT: (percent, 0-100) -TYPE: ushort -DEFAULT: 50 -IFDEF: DELAY_POOLS -LOC: Config.Delay.initial +NAME: as_whois_server +TYPE: string +LOC: Config.as_whois_server +DEFAULT: whois.ra.net +DEFAULT_IF_NONE: whois.ra.net DOC_START - The initial bucket percentage is used to determine how much is put - in each bucket when squid starts, is reconfigured, or first notices - a host accessing it (in class 2 and class 3, individual hosts and - networks only have buckets associated with them once they have been - "seen" by squid). + WHOIS server to query for AS numbers. NOTE: AS numbers are + queried only when Squid starts up, not for every request. DOC_END NAME: incoming_icp_average @@ -4822,72 +4951,6 @@ nameservers by setting this option to 'off'. DOC_END -NAME: digest_generation -IFDEF: USE_CACHE_DIGESTS -TYPE: onoff -LOC: Config.onoff.digest_generation -DEFAULT: on -DOC_START - This controls whether the server will generate a Cache Digest - of its contents. By default, Cache Digest generation is - enabled if Squid is compiled with USE_CACHE_DIGESTS defined. -DOC_END - -NAME: digest_bits_per_entry -IFDEF: USE_CACHE_DIGESTS -TYPE: int -LOC: Config.digest.bits_per_entry -DEFAULT: 5 -DOC_START - This is the number of bits of the server's Cache Digest which - will be associated with the Digest entry for a given HTTP - Method and URL (public key) combination. The default is 5. -DOC_END - -NAME: digest_rebuild_period -IFDEF: USE_CACHE_DIGESTS -COMMENT: (seconds) -TYPE: time_t -LOC: Config.digest.rebuild_period -DEFAULT: 1 hour -DOC_START - This is the number of seconds between Cache Digest rebuilds. -DOC_END - -NAME: digest_rewrite_period -COMMENT: (seconds) -IFDEF: USE_CACHE_DIGESTS -TYPE: time_t -LOC: Config.digest.rewrite_period -DEFAULT: 1 hour -DOC_START - This is the number of seconds between Cache Digest writes to - disk. -DOC_END - -NAME: digest_swapout_chunk_size -COMMENT: (bytes) -TYPE: b_size_t -IFDEF: USE_CACHE_DIGESTS -LOC: Config.digest.swapout_chunk_size -DEFAULT: 4096 bytes -DOC_START - This is the number of bytes of the Cache Digest to write to - disk at a time. It defaults to 4096 bytes (4KB), the Squid - default swap page. -DOC_END - -NAME: digest_rebuild_chunk_percentage -COMMENT: (percent, 0-100) -IFDEF: USE_CACHE_DIGESTS -TYPE: int -LOC: Config.digest.rebuild_chunk_percentage -DEFAULT: 10 -DOC_START - This is the percentage of the Cache Digest to be scanned at a - time. By default it is set to 10% of the Cache Digest. -DOC_END - NAME: chroot TYPE: string LOC: Config.chroot_dir @@ -4900,48 +4963,6 @@ error. DOC_END -NAME: client_persistent_connections -TYPE: onoff -LOC: Config.onoff.client_pconns -DEFAULT: on -DOC_NONE - -NAME: server_persistent_connections -TYPE: onoff -LOC: Config.onoff.server_pconns -DEFAULT: on -DOC_START - Persistent connection support for clients and servers. By - default, Squid uses persistent connections (when allowed) - with its clients and servers. You can use these options to - disable persistent connections with clients and/or servers. -DOC_END - -NAME: persistent_connection_after_error -TYPE: onoff -LOC: Config.onoff.error_pconns -DEFAULT: off -DOC_START - With this directive the use of persistent connections after - HTTP errors can be disabled. Useful if you have clients - who fail to handle errors on persistent connections proper. -DOC_END - -NAME: detect_broken_pconn -TYPE: onoff -LOC: Config.onoff.detect_broken_server_pconns -DEFAULT: off -DOC_START - Some servers have been found to incorrectly signal the use - of HTTP/1.0 persistent connections even on replies not - compatible, causing significant delays. This server problem - has mostly been seen on redirects. - - By enabling this directive Squid attempts to detect such - broken replies and automatically assume the reply is finished - after 10 seconds timeout. -DOC_END - NAME: balance_on_multiple_ip TYPE: onoff LOC: Config.onoff.balance_on_multiple_ip