--------------------- PatchSet 11509 Date: 2007/06/25 23:34:57 Author: hno Branch: SQUID_2_6 Tag: (none) Log: MFC: squid.conf.default cleanups Merged changes: 2007/06/25 09:30:16 hno +5 -70 Minor squid.conf.default cleanup 2007/06/25 10:10:08 hno +44 -44 Clean up whitespace in squid.conf.default 2007/06/25 23:06:19 Emilio Casbas +24 -16 squid.conf.default cleanups Members: helpers/negotiate_auth/squid_kerb_auth/readme.txt:1.2.2.2->1.2.2.3 src/cf.data.pre:1.382.2.6->1.382.2.7 Index: squid/helpers/negotiate_auth/squid_kerb_auth/readme.txt =================================================================== RCS file: /cvsroot/squid/squid/helpers/negotiate_auth/squid_kerb_auth/readme.txt,v retrieving revision 1.2.2.2 retrieving revision 1.2.2.3 diff -u -r1.2.2.2 -r1.2.2.3 --- squid/helpers/negotiate_auth/squid_kerb_auth/readme.txt 24 Jun 2007 22:29:14 -0000 1.2.2.2 +++ squid/helpers/negotiate_auth/squid_kerb_auth/readme.txt 25 Jun 2007 23:34:57 -0000 1.2.2.3 @@ -78,6 +78,8 @@ The -i options creates informational messages whereas -d creates full debug output +The -i options creates informational messages whereas -d creates full debug output + If squid_kerb_auth doesn't determine for some reason the right service principal you can provide it with -s HTTP/fqdn. Index: squid/src/cf.data.pre =================================================================== RCS file: /cvsroot/squid/squid/src/cf.data.pre,v retrieving revision 1.382.2.6 retrieving revision 1.382.2.7 diff -u -r1.382.2.6 -r1.382.2.7 --- squid/src/cf.data.pre 23 Jun 2007 22:50:18 -0000 1.382.2.6 +++ squid/src/cf.data.pre 25 Jun 2007 23:34:57 -0000 1.382.2.7 @@ -1,6 +1,6 @@ # -# $Id: cf.data.pre,v 1.382.2.6 2007/06/23 22:50:18 hno Exp $ +# $Id: cf.data.pre,v 1.382.2.7 2007/06/25 23:34:57 hno Exp $ # # # SQUID Web Proxy Cache http://www.squid-cache.org/ 
@@ -71,17 +71,15 @@ option. Most likely, you do not need to bind to a specific address, so you can use the port number alone. - The default port number is 3128. - If you are running Squid in accelerator mode, you probably want to listen on port 80 also, or instead. You may specify multiple socket addresses on multiple lines. - options are: + Options: transparent Support for transparent interception of - outgoing requests without browser settings + outgoing requests without browser settings. accel Accelerator mode. Also needs at least one of vhost/vport/defaultsite. @@ -89,21 +87,20 @@ defaultsite= Main web site name for accelerators. Implies accel. - vhost Accelerator using the Host header for + vhost Accelerator mode using the Host header for virtual domain support. Implies accel. vport Accelerator with IP based virtual host support. Implies accel. - vport= As above, but uses specified port number - rather than the http_port number. Implies accel. + vport=NN As above, but uses specified port number rather + than the http_port number. Implies accel. - urlgroup= Default urlgroup to mark requests - with (see also acl urlgroup and - url_rewrite_program) + urlgroup= Default urlgroup to mark requests with (see + also acl urlgroup and url_rewrite_program) - protocol= Protocol to reconstruct accelerated - requests with. Defaults to http. + protocol= Protocol to reconstruct accelerated requests with. + Defaults to http. no-connection-auth Prevent forwarding of Microsoft @@ -121,7 +118,7 @@ NOCOMMENT_START # Squid normally listens to port 3128 -http_port 3128 +http_port @DEFAULT_HTTP_PORT@ NOCOMMENT_END DOC_END 
@@ -151,16 +148,16 @@ defaultsite= The name of the https site presented on this port. Implies accel. - vhost Domain based virtual host support. Useful - in combination with a wildcard certificate or - other certificates valid for more than one domain. + vhost Accelerator mode using Host header for virtual + domain support. Requires a wildcard certificate + or other certificate valid for more than one domain. Implies accel. urlgroup= Default urlgroup to mark requests with (see also acl urlgroup and url_rewrite_program) - protocol= Protocol to reconstruct accelerated requests - with. Defaults to https. + protocol= Protocol to reconstruct accelerated requests with. + Defaults to https. cert= Path to SSL certificate (PEM format) @@ -209,7 +206,7 @@ Don't request client certificates immediately, but wait until acl processing requires a certificate (not yet implemented) - NO_DEFAULT_CA + NO_DEFAULT_CA Don't use the default CA lists built in to OpenSSL. NO_SESSION_REUSE @@ -297,6 +294,8 @@ LOC: Config.ssl_client.cafile TYPE: string DOC_START + file containing CA certificates to use when verifying server + certificates while proxying https:// URLs DOC_END NAME: sslproxy_capath @@ -305,6 +304,8 @@ LOC: Config.ssl_client.capath TYPE: string DOC_START + directory containing CA certificates to use when verifying + server certificates while proxying https:// URLs DOC_END NAME: sslproxy_flags @@ -313,6 +314,11 @@ LOC: Config.ssl_client.flags TYPE: string DOC_START + Various flags modifying the use of SSL while proxying https:// URLs: + DONT_VERIFY_PEER Accept certificates even if they fail to + verify. + NO_DEFAULT_CA Don't use the default CA list built in + to OpenSSL. DOC_END NAME: sslpassword_program @@ -348,7 +354,6 @@ "0". DOC_END - NAME: mcast_groups TYPE: wordlist LOC: Config.mcast_group_list @@ -376,7 +381,6 @@ By default, Squid doesn't listen on any multicast groups. DOC_END - NAME: udp_incoming_address TYPE: address LOC:Config.Addrs.udp_incoming 
@@ -576,7 +580,7 @@ cache as one participating in a CARP array. The 'f' values for all CARP parents must add up to 1.0. - + 'originserver' causes this parent peer to be contacted as a origin server. Meant to be used in accelerator setups. @@ -595,7 +599,7 @@ URL from the peer, and only consider the peer as alive if this monitoring is successful (default none) - use 'monitorsize=min[-max]' to limit the size range of + use 'monitorsize=min[-max]' to limit the size range of 'monitorurl' replies considered valid. Defaults to 0 to accept any size replies as valid. @@ -657,7 +661,7 @@ DONT_VERIFY_PEER Accept certificates even if they fail to verify. - NO_DEFAULT_CA + NO_DEFAULT_CA Don't use the default CA list built in to OpenSSL. @@ -714,7 +718,6 @@ section. DOC_END - NAME: neighbor_type_domain TYPE: hostdomaintype DEFAULT: none @@ -800,7 +803,6 @@ instead of to your parents. DOC_END - NAME: hierarchy_stoplist TYPE: wordlist DEFAULT: none @@ -817,7 +819,6 @@ NOCOMMENT_END DOC_END - NAME: cache no_cache TYPE: acl_access DEFAULT: none @@ -907,7 +908,6 @@ objects. DOC_END - NAME: cache_swap_low COMMENT: (percent, 0-100) TYPE: int @@ -1058,7 +1058,6 @@ See cache_replacement_policy for details. DOC_END - COMMENT_START LOGFILE PATHNAMES AND CACHE DIRECTORIES ----------------------------------------------------------------------------- 
@@ -1159,20 +1158,20 @@ current stripe. A value of "n" closer to 100 will cause COSS to waste less disk space by having multiple copies of an object on disk, but will increase the chances of overwriting a popular - object as COSS overwrites stripes. A value of "n" close to 0 + object as COSS overwrites stripes. A value of "n" close to 0 will cause COSS to keep all current objects in the current COSS stripe at the expense of the hit rate. The default value of 50 will allow any given object to be stored on disk a maximum of 2 times. - max-stripe-waste=n defines the maximum amount of space that COSS + max-stripe-waste=n defines the maximum amount of space that COSS will waste in a given stripe (in bytes). When COSS writes data to disk, it will potentially waste up to "max-size" worth of disk space for each 1MB of data written. If "max-size" is set to a large value (ie >256k), this could potentially result in large amounts of wasted disk space. Setting this value to a lower value (ie 64k or 32k) will result in a COSS disk refusing to cache - larger objects until the COSS stripe has been filled to within + larger objects until the COSS stripe has been filled to within "max-stripe-waste" of the maximum size (1MB). membufs=n defines the number of "memory-only" stripes that COSS 
@@ -1183,12 +1182,12 @@ number of memory-only buffers that COSS will use. The default value is 10, which will use a maximum of 10MB of memory for buffers. - maxfullbufs=n defines the maximum number of stripes a COSS partition + maxfullbufs=n defines the maximum number of stripes a COSS partition will have in memory waiting to be freed (either because the disk is - under load and the stripe is unwritten, or because clients are still - transferring data from objects using the memory). In order to try - and maintain a good hit rate under load, COSS will reserve the last - 2 full stripes for object hits. (ie a COSS cache_dir will reject + under load and the stripe is unwritten, or because clients are still + transferring data from objects using the memory). In order to try + and maintain a good hit rate under load, COSS will reserve the last + 2 full stripes for object hits. (ie a COSS cache_dir will reject new objects when the number of full stripes is 2 less than maxfullbufs) Common options: @@ -1222,7 +1221,7 @@ Defines an access log format. The is a string with embedded % format codes - + % format codes all follow the same basic structure where all but the formatcode is optional. Output strings are automatically escaped as required according to their context and the output format @@ -1230,7 +1229,7 @@ output format is desired. % ["|[|'|#] [-] [[0]width] [{argument}] formatcode - + " output in quoted string format [ output in squid text log format as used by log_mime_hdrs # output in URL quoted format @@ -1297,7 +1296,7 @@ must be defined in a logformat directive) those entries which match ALL the acl's specified (which must be defined in acl clauses). If no acl is specified, all requests will be logged to this file. - + To disable logging of a request use the filepath "none", in which case a logformat name should not be specified. 
@@ -1317,7 +1316,6 @@ logged to this file with the "debug_options" tag below. DOC_END - NAME: cache_store_log TYPE: string DEFAULT: @DEFAULT_STORE_LOG@ @@ -1330,8 +1328,7 @@ disable it. DOC_END - -NAME: cache_swap_log cache_swap_state +NAME: cache_swap_state cache_swap_log TYPE: string LOC: Config.Log.swap DEFAULT: none @@ -1365,7 +1362,6 @@ better to keep these log files in each 'cache_dir' directory. DOC_END - NAME: emulate_httpd_log COMMENT: on|off TYPE: onoff @@ -1400,7 +1396,6 @@ information if you do. DOC_END - NAME: log_mime_hdrs COMMENT: on|off TYPE: onoff @@ -1414,7 +1409,6 @@ formats). To enable this logging set log_mime_hdrs to 'on'. DOC_END - NAME: useragent_log TYPE: string LOC: Config.Log.useragent @@ -1426,7 +1420,6 @@ is disabled. DOC_END - NAME: referer_log referrer_log TYPE: string LOC: Config.Log.referer @@ -1440,7 +1433,6 @@ and we accept both. DOC_END - NAME: pid_filename TYPE: string DEFAULT: @DEFAULT_PID_FILE@ @@ -1449,7 +1441,6 @@ A filename to write the process-id to. To disable, enter "none". DOC_END - NAME: debug_options TYPE: eol DEFAULT: ALL,1 @@ -1463,7 +1454,6 @@ "ALL,1". DOC_END - NAME: log_fqdn COMMENT: on|off TYPE: onoff @@ -1477,7 +1467,6 @@ browsing. DOC_END - NAME: client_netmask TYPE: address LOC: Config.Addrs.client_netmask @@ -1489,7 +1478,6 @@ the last digit set to '0'. DOC_END - COMMENT_START OPTIONS FOR EXTERNAL SUPPORT PROGRAMS ----------------------------------------------------------------------------- @@ -1709,7 +1697,6 @@ Specify the location of the executable for the pinger process. DOC_END - NAME: url_rewrite_program redirect_program TYPE: programline LOC: Config.Program.url_rewrite.command 
@@ -1728,7 +1715,7 @@ The rewriter can also indicate that a client-side redirect should be performed to the new URL. This is done by prefixing the returned URL with "301:" (moved permanently) or 302: (moved temporarily). - + It can also return a "urlgroup" that can subsequently be matched in cache_peer_access and similar ACL driven rules. An urlgroup is returned by prefixing the returned url with "!urlgroup!" @@ -1832,7 +1819,6 @@ headers are sent. DOC_END - NAME: auth_param TYPE: authparam LOC: Config.authConfig @@ -1894,7 +1880,7 @@ auth_param basic program @DEFAULT_PREFIX@/libexec/ncsa_auth @DEFAULT_PREFIX@/etc/passwd "children" numberofchildren - The number of authenticator processes to spawn. If you start too few + The number of authenticator processes to spawn. If you start too few squid will have to wait for them to process a backlog of credential verifications, slowing it down. When credential verifications are done via a (slow) network you are likely to need lots of @@ -1960,9 +1946,8 @@ auth_param digest program @DEFAULT_PREFIX@/libexec/digest_auth_pw @DEFAULT_PREFIX@/etc/digpass - "children" numberofchildren - The number of authenticator processes to spawn. If you start too few + The number of authenticator processes to spawn. If you start too few squid will have to wait for them to process a backlog of credential verifications, slowing it down. When credential verifications are done via a (slow) network you are likely to need lots of @@ -2030,7 +2015,7 @@ auth_param ntlm program /path/to/samba/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp "children" numberofchildren - The number of authenticator processes to spawn. If you start too few + The number of authenticator processes to spawn. If you start too few squid will have to wait for them to process a backlog of credential verifications, slowing it down. When credential verifications are done via a (slow) network you are likely to need lots of 
@@ -2060,7 +2045,7 @@ auth_param negotiate program /path/to/samba/bin/ntlm_auth --helper-protocol=gss-spnego "children" numberofchildren - The number of authenticator processes to spawn. If you start too few + The number of authenticator processes to spawn. If you start too few squid will have to wait for them to process a backlog of credential verifications, slowing it down. When credential verifications are done via a (slow) network you are likely to need lots of @@ -2325,21 +2310,21 @@ ignore-no-cache ignores any ``Pragma: no-cache'' and ``Cache-control: no-cache'' headers received from a server. - The HTTP RFC never allows the use of this (Pragma) header - from a server, only a client, though plenty of servers + The HTTP RFC never allows the use of this (Pragma) header + from a server, only a client, though plenty of servers send it anyway. - - ignore-private ignores any ``Cache-control: private'' - headers received from a server. Doing this VIOLATES - the HTTP standard. Enabling this feature could make you + + ignore-private ignores any ``Cache-control: private'' + headers received from a server. Doing this VIOLATES + the HTTP standard. Enabling this feature could make you liable for problems which it causes. - + ignore-auth caches responses to requests with authorization, as if the originserver had sent ``Cache-control: public'' in the response header. Doing this VIOLATES the HTTP standard. Enabling this feature could make you liable for problems which it causes. - + Basically a cached object is: FRESH if expires < now, else STALE @@ -2435,7 +2420,6 @@ negative caching of DNS lookups. DOC_END - NAME: positive_dns_ttl COMMENT: time-units TYPE: time_t @@ -2447,7 +2431,6 @@ larger than negative_dns_ttl. DOC_END - NAME: negative_dns_ttl COMMENT: time-units TYPE: time_t @@ -2560,7 +2543,6 @@ default is 15 minutes. DOC_END - NAME: request_timeout TYPE: time_t LOC: Config.Timeout.request 
@@ -2570,7 +2552,6 @@ connection establishment. DOC_END - NAME: persistent_request_timeout TYPE: time_t LOC: Config.Timeout.persistent_request @@ -2580,7 +2561,6 @@ connection after the previous request completes. DOC_END - NAME: client_lifetime COMMENT: time-units TYPE: time_t @@ -2640,7 +2620,6 @@ many ident requests going at once. DOC_END - NAME: shutdown_lifetime COMMENT: time-units TYPE: time_t @@ -3013,19 +2992,8 @@ If none of the access lines cause a match the opposite of the last line will apply. Thus it is good practice to end the rules with an "allow all" or "deny all" entry. - -NOCOMMENT_START -#Recommended minimum configuration: -# -# Insert your own rules here. -# -# -# and finally allow by default -http_reply_access allow all -NOCOMMENT_END DOC_END - NAME: icp_access TYPE: acl_access LOC: Config.accessList.icp @@ -3082,7 +3050,6 @@ htcp_clr_access allow htcp_clr_peer DOC_END - NAME: miss_access TYPE: acl_access LOC: Config.accessList.miss @@ -3107,7 +3074,6 @@ NOCOMMENT_END DOC_END - NAME: cache_peer_access TYPE: peer_access DEFAULT: none @@ -3169,7 +3135,7 @@ tcp_outgoing_tos 0x20 good_service_net TOS/DSCP values really only have local significance - so you should - know what you're specifying. For more information, see RFC2474 and + know what you're specifying. For more information, see RFC2474 and RFC3260. The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or @@ -3284,7 +3250,6 @@ mail if the cache dies. The default is "webmaster". DOC_END - NAME: mail_from TYPE: string DEFAULT: none @@ -3292,11 +3257,10 @@ DOC_START From: email-address for mail sent when the cache dies. The default is to use 'appname@unique_hostname'. - Default appname value is "squid", can be changed into + Default appname value is "squid", can be changed into src/globals.h before building squid. DOC_END - NAME: mail_program TYPE: eol DEFAULT: mail 
@@ -3309,7 +3273,6 @@ Optional command line options can be specified. DOC_END - NAME: cache_effective_user TYPE: string DEFAULT: nobody @@ -3324,7 +3287,6 @@ cache_effective_user. DOC_END - NAME: cache_effective_group TYPE: string DEFAULT: none @@ -3339,7 +3301,6 @@ group. DOC_END - NAME: httpd_suppress_version_string COMMENT: on|off TYPE: onoff @@ -3349,7 +3310,6 @@ Suppress Squid version string info in HTTP headers and HTML error pages. DOC_END - NAME: visible_hostname TYPE: string LOC: Config.visibleHostname @@ -3362,7 +3322,6 @@ names with this setting. DOC_END - NAME: unique_hostname TYPE: string LOC: Config.uniqueHostname @@ -3373,7 +3332,6 @@ 'unique_hostname' so forwarding loops can be detected. DOC_END - NAME: hostname_aliases TYPE: wordlist LOC: Config.hostnameAliases @@ -3436,7 +3394,6 @@ NOCOMMENT_END DOC_END - NAME: announce_host TYPE: string DEFAULT: tracker.ircache.net @@ -3478,15 +3435,14 @@ discovery can not work on traffic towards the clients. This is the case when the intercepting device does not fully track connections and fails to forward ICMP must fragment messages - to the cache server. - + to the cache server. + If you have such setup and experience that certain clients sporadically hang or never complete requests set this to on. DOC_END - COMMENT_START - DELAY POOL PARAMETERS (all require DELAY_POOLS compilation option) + DELAY POOL PARAMETERS ----------------------------------------------------------------------------- COMMENT_END @@ -3637,10 +3593,8 @@ DOC_END COMMENT_START - WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS ----------------------------------------------------------------------------- - COMMENT_END NAME: wccp_router @@ -3700,7 +3654,7 @@ DEFAULT: 1 IFDEF: USE_WCCPv2 DOC_START - WCCP2 allows the setting of forwarding methods between the + WCCP2 allows the setting of forwarding methods between the router/switch and the cache. Valid values are as follows: 1 - GRE encapsulation (forward the packet in a GRE/WCCP tunnel) 
@@ -3716,7 +3670,7 @@ DEFAULT: 1 IFDEF: USE_WCCPv2 DOC_START - WCCP2 allows the setting of return methods between the + WCCP2 allows the setting of return methods between the router/switch and the cache for packets that the cache decides not to handle. Valid values are as follows: @@ -3726,7 +3680,7 @@ Currently (as of IOS 12.4) cisco routers only support GRE. Cisco switches only support the L2 redirect assignment. - If the "ip wccp redirect exclude in" command has been + If the "ip wccp redirect exclude in" command has been enabled on the cache interface, then it is still safe for the proxy server to use a l2 redirect method even if this option is set to GRE. @@ -3839,9 +3793,9 @@ COMMENT_START PERSISTENT CONNECTION HANDLING + ----------------------------------------------------------------------------- Also see "pconn_timeout" in the TIMEOUTS section - ----------------------------------------------------------------------------- COMMENT_END NAME: client_persistent_connections @@ -3957,8 +3911,6 @@ time. By default it is set to 10% of the Cache Digest. DOC_END - - COMMENT_START MISCELLANEOUS ----------------------------------------------------------------------------- @@ -3975,7 +3927,6 @@ This test can be disabled with the -D command line option. DOC_END - NAME: logfile_rotate TYPE: int DEFAULT: 10 @@ -3996,7 +3947,6 @@ '. DOC_END - NAME: append_domain TYPE: string LOC: Config.appendDomain @@ -4013,7 +3963,6 @@ append_domain .yourdomain.com DOC_END - NAME: tcp_recv_bufsize COMMENT: (bytes) TYPE: b_size_t 
@@ -4038,26 +3987,26 @@ messages. Use in accelerators to substitute the error messages returned - by servers with other custom errors. + by servers with other custom errors. error_map http://your.server/error/404.shtml 404 - + Requests for error messages is a GET request for the configured URL with the following special headers X-Error-Status: The received HTTP status code (i.e. 404) X-Request-URI: The requested URI where the error occurred - + In Addition the following headers are forwarded from the client request: - + User-Agent, Cookie, X-Forwarded-For, Via, Authorization, Accept, Referer - + And the following headers from the server reply: Server, Via, Location, Content-Location - + The reply returned to the client will carry the original HTTP headers from the real error message, but with the reply body of the configured error message. @@ -4173,7 +4122,6 @@ X-Forwarded-For: unknown DOC_END - NAME: log_icp_queries COMMENT: on|off TYPE: onoff @@ -4200,7 +4148,6 @@ on their cache_peer lines for connecting to you. DOC_END - NAME: minimum_direct_hops TYPE: int DEFAULT: 4 @@ -4312,7 +4259,6 @@ turn off client_db here. DOC_END - NAME: netdb_low TYPE: int DEFAULT: 900 @@ -4330,7 +4276,6 @@ entries will be deleted until the low mark is reached. DOC_END - NAME: netdb_ping_period TYPE: time_t LOC: Config.Netdb.period @@ -4341,7 +4286,6 @@ network. The default is five minutes. DOC_END - NAME: query_icmp COMMENT: on|off TYPE: onoff @@ -4969,7 +4913,7 @@ LOC: Config.onoff.balance_on_multiple_ip DEFAULT: on DOC_START - Some load balancing servers based on round robin DNS have been + Some load balancing servers based on round robin DNS have been found not to preserve user session state across requests to different IP addresses.
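Review bot: the `+` line added to helpers/negotiate_auth/squid_kerb_auth/readme.txt ("The -i options creates informational messages whereas -d creates full debug output") is a verbatim duplicate of the unchanged context line directly above it, so the readme now states the same sentence twice; drop the added line. While touching that sentence, it should read "The -i option creates ..." (singular).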
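Review bot: the @@ -121 hunk of src/cf.data.pre changes the generated default to `http_port @DEFAULT_HTTP_PORT@` but leaves the comment `# Squid normally listens to port 3128` immediately above it, so the comment and the directive disagree whenever the build's default port is not 3128. Use the same substitution in the comment (`# Squid normally listens to port @DEFAULT_HTTP_PORT@`) or reword it to not name a number. The removal of "The default port number is 3128." in the @@ -71 hunk is consistent with that change and fine.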
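Review bot: in the https_port `vhost` text (@@ -151 hunk), "Requires a wildcard certificate or other certificate valid for more than one domain" reads as a requirement Squid checks, and nothing in the hunk suggests it does. The certificate an https_port presents is sent in the TLS handshake before any Host header is seen, so a multi-domain certificate is what keeps clients from seeing name-mismatch warnings for the additional domains, not a precondition of the option. The old "Useful in combination with ..." wording, or "Normally needs ...", describes this more accurately.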
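Review bot: the new sslproxy_flags text (@@ -313 hunk) documents DONT_VERIFY_PEER only as "Accept certificates even if they fail to verify." Since, per the sslproxy_cafile/sslproxy_capath text added in the hunks just above, this is the verification of origin server certificates while proxying https:// URLs, the doc should state the consequence: with the flag set an untrusted, expired or mis-named server certificate is silently accepted, so it is suitable for testing only. NO_DEFAULT_CA would likewise benefit from one sentence saying that only the CAs from sslproxy_cafile/sslproxy_capath are then trusted.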
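Review bot: reordering the NAME line to `cache_swap_state cache_swap_log` (@@ -1330 hunk) makes cache_swap_state the primary directive name in the generated squid.conf.default while keeping cache_swap_log as an accepted alias; that is more than a whitespace cleanup and deserves its own line in the commit log. The DOC_START text of this entry is outside the hunk; check that it refers to the directive by the new primary name.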
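Review bot: deleting the NOCOMMENT block in the http_reply_access entry (@@ -3013 hunk) removes `http_reply_access allow all` from the generated squid.conf.default, so a fresh install built from this file runs with no http_reply_access rules configured at all. The remaining doc text only explains the case where rules exist and none match ("the opposite of the last line will apply"); it should also state what Squid does when no http_reply_access line is present, because the removed example was the only place that made the shipped default explicit. A change to the shipped default configuration should also be called out in the commit log rather than folded into "cleanups".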
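Review bot: the DELAY POOL section header (@@ -3478 hunk) loses "(all require DELAY_POOLS compilation option)". Unless every directive in that section carries its own IFDEF marker in the generated output (not visible in this hunk), that parenthetical was the only hint to a reader that the whole section is inert in a build without the DELAY_POOLS compilation option; keep it, or add an equivalent sentence inside the COMMENT block.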
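Review bot: the @@ -4038 hunk only strips trailing whitespace from the error_map text, so it is a cheap place to also fix the grammar in the surrounding context: "Requests for error messages is a GET request for the configured URL" should be "A request for an error message is a GET request for the configured URL", and "In Addition" should be "In addition".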