--------------------- PatchSet 11643 Date: 2007/09/05 21:48:01 Author: hno Branch: HEAD Tag: (none) Log: More reordering to have options in their proper groups Members: src/cf.data.pre:1.418->1.419 Index: squid/src/cf.data.pre =================================================================== RCS file: /cvsroot/squid/squid/src/cf.data.pre,v retrieving revision 1.418 retrieving revision 1.419 diff -u -r1.418 -r1.419 --- squid/src/cf.data.pre 5 Sep 2007 21:25:21 -0000 1.418 +++ squid/src/cf.data.pre 5 Sep 2007 21:48:01 -0000 1.419 @@ -1,6 +1,6 @@ # -# $Id: cf.data.pre,v 1.418 2007/09/05 21:25:21 hno Exp $ +# $Id: cf.data.pre,v 1.419 2007/09/05 21:48:01 hno Exp $ # # SQUID Web Proxy Cache http://www.squid-cache.org/ # ---------------------------------------------------------- 
@@ -48,195 +48,6 @@ COMMENT_END COMMENT_START - NETWORK OPTIONS - ----------------------------------------------------------------------------- -COMMENT_END - -NAME: http_port ascii_port -TYPE: http_port_list -DEFAULT: none -LOC: Config.Sockaddr.http -DOC_START - Usage: port [options] - hostname:port [options] - 1.2.3.4:port [options] - - The socket addresses where Squid will listen for HTTP client - requests. You may specify multiple socket addresses. - There are three forms: port alone, hostname with port, and - IP address with port. If you specify a hostname or IP - address, Squid binds the socket to that specific - address. This replaces the old 'tcp_incoming_address' - option. Most likely, you do not need to bind to a specific - address, so you can use the port number alone. - - If you are running Squid in accelerator mode, you - probably want to listen on port 80 also, or instead. - - The -I command line option will override the *first* port - specified here. - - You may specify multiple socket addresses on multiple lines. - - Options: - - transparent Support for transparent interception of - outgoing requests without browser settings. - - tproxy Support Linux TPROXY for spoofing outgoing - connections using the client IP address. - - accel Accelerator mode. Also needs at least one - of vhost/vport/defaultsite. - - defaultsite=domainname - What to use for the Host: header if it is not present - in a request. Determines what site (not origin server) - accelerators should consider the default. - Implies accel. - - vhost Accelerator mode using Host header for virtual - domain support. Implies accel. - - vport Accelerator with IP based virtual host support. - Implies accel. - - vport=NN As above, but uses specified port number rather - than the http_port number. Implies accel. - - urlgroup= Default urlgroup to mark requests with (see - also acl urlgroup and url_rewrite_program) - - protocol= Protocol to reconstruct accelerated requests with. - Defaults to http. 
- - no-connection-auth - Prevent forwarding of Microsoft connection oriented - authentication (NTLM, Negotiate and Kerberos) - - act-as-origin - Act is if this Squid is the origin server. - This currently means generate own Date: and - Expires: headers. Implies accel. - - If you run Squid on a dual-homed machine with an internal - and an external interface we recommend you to specify the - internal address:port in http_port. This way Squid will only be - visible on the internal address. - -NOCOMMENT_START -# Squid normally listens to port 3128 -http_port @DEFAULT_HTTP_PORT@ -NOCOMMENT_END -DOC_END - -NAME: https_port -IFDEF: USE_SSL -TYPE: https_port_list -DEFAULT: none -LOC: Config.Sockaddr.https -DOC_START - Usage: [ip:]port cert=certificate.pem [key=key.pem] [options...] - - The socket address where Squid will listen for HTTPS client - requests. - - This is really only useful for situations where you are running - squid in accelerator mode and you want to do the SSL work at the - accelerator level. - - You may specify multiple socket addresses on multiple lines, - each with their own SSL certificate and/or options. - - Options: - - accel Accelerator mode. Also needs at least one of - defaultsite or vhost. - - defaultsite= The name of the https site presented on - this port. Implies accel. - - vhost Accelerator mode using Host header for virtual - domain support. Requires a wildcard certificate - or other certificate valid for more than one domain. - Implies accel. - - urlgroup= Default urlgroup to mark requests with (see - also acl urlgroup and url_rewrite_program). - - protocol= Protocol to reconstruct accelerated requests with. - Defaults to https. - - cert= Path to SSL certificate (PEM format). - - key= Path to SSL private key file (PEM format) - if not specified, the certificate file is - assumed to be a combined certificate and - key file. 
- - version= The version of SSL/TLS supported - 1 automatic (default) - 2 SSLv2 only - 3 SSLv3 only - 4 TLSv1 only - - cipher= Colon separated list of supported ciphers. - - options= Various SSL engine options. The most important - being: - NO_SSLv2 Disallow the use of SSLv2 - NO_SSLv3 Disallow the use of SSLv3 - NO_TLSv1 Disallow the use of TLSv1 - SINGLE_DH_USE Always create a new key when using - temporary/ephemeral DH key exchanges - See src/ssl_support.c or OpenSSL SSL_CTX_set_options - documentation for a complete list of options. - - clientca= File containing the list of CAs to use when - requesting a client certificate. - - cafile= File containing additional CA certificates to - use when verifying client certificates. If unset - clientca will be used. - - capath= Directory containing additional CA certificates - and CRL lists to use when verifying client certificates. - - crlfile= File of additional CRL lists to use when verifying - the client certificate, in addition to CRLs stored in - the capath. Implies VERIFY_CRL flag below. - - dhparams= File containing DH parameters for temporary/ephemeral - DH key exchanges. - - sslflags= Various flags modifying the use of SSL: - DELAYED_AUTH - Don't request client certificates - immediately, but wait until acl processing - requires a certificate (not yet implemented). - NO_DEFAULT_CA - Don't use the default CA lists built in - to OpenSSL. - NO_SESSION_REUSE - Don't allow for session reuse. Each connection - will result in a new SSL session. - VERIFY_CRL - Verify CRL lists when accepting client - certificates. - VERIFY_CRL_ALL - Verify CRL lists for all certificates in the - client certificate chain. - - sslcontext= SSL session ID context identifier. - - vport Accelerator with IP based virtual host support. - - vport=NN As above, but uses specified port number rather - than the https_port number. Implies accel. 
- -DOC_END - -COMMENT_START OPTIONS FOR AUTHENTICATION ----------------------------------------------------------------------------- COMMENT_END 
@@ -834,52 +645,286 @@ NOCOMMENT_END DOC_END -NAME: follow_x_forwarded_for +NAME: http_access TYPE: acl_access -IFDEF: FOLLOW_X_FORWARDED_FOR -LOC: Config.accessList.followXFF +LOC: Config.accessList.http DEFAULT: none DEFAULT_IF_NONE: deny all DOC_START - Allowing or Denying the X-Forwarded-For header to be followed to - find the original source of a request. - - Requests may pass through a chain of several other proxies - before reaching us. The X-Forwarded-For header will contain a - comma-separated list of the IP addresses in the chain, with the - rightmost address being the most recent. + Allowing or Denying access based on defined access lists - If a request reaches us from a source that is allowed by this - configuration item, then we consult the X-Forwarded-For header - to see where that host received the request from. If the - X-Forwarded-For header contains multiple addresses, and if - acl_uses_indirect_client is on, then we continue backtracking - until we reach an address for which we are not allowed to - follow the X-Forwarded-For header, or until we reach the first - address in the list. (If acl_uses_indirect_client is off, then - it's impossible to backtrack through more than one level of - X-Forwarded-For addresses.) + Access to the HTTP port: + http_access allow|deny [!]aclname ... - The end result of this process is an IP address that we will - refer to as the indirect client address. This address may - be treated as the client address for access control, delay - pools and logging, depending on the acl_uses_indirect_client, - delay_pool_uses_indirect_client and log_uses_indirect_client - options. + NOTE on default values: - SECURITY CONSIDERATIONS: + If there are no "access" lines present, the default is to deny + the request. - Any host for which we follow the X-Forwarded-For header - can place incorrect information in the header, and Squid - will use the incorrect information as if it were the - source address of the request. 
This may enable remote - hosts to bypass any access control restrictions that are - based on the client's source addresses. + If none of the "access" lines cause a match, the default is the + opposite of the last line in the list. If the last line was + deny, the default is allow. Conversely, if the last line + is allow, the default will be deny. For these reasons, it is a + good idea to have an "deny all" or "allow all" entry at the end + of your access lists to avoid potential confusion. - For example: +NOCOMMENT_START +#Recommended minimum configuration: +# +# Only allow cachemgr access from localhost +http_access allow manager localhost +http_access deny manager +# Deny requests to unknown ports +http_access deny !Safe_ports +# Deny CONNECT to other than SSL ports +http_access deny CONNECT !SSL_ports +# +# We strongly recommend the following be uncommented to protect innocent +# web applications running on the proxy server who think the only +# one who can access services on "localhost" is a local user +#http_access deny to_localhost +# +# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS - acl localhost src 127.0.0.1 - acl my_other_proxy srcdomain .proxy.example.com +# Example rule allowing access from your local networks. Adapt +# to list your (internal) IP networks from where browsing should +# be allowed +#acl our_networks src 192.168.1.0/24 192.168.2.0/24 +#http_access allow our_networks + +# And finally deny all other access to this proxy +http_access deny all +NOCOMMENT_END +DOC_END + +NAME: http_access2 +TYPE: acl_access +LOC: Config.accessList.http2 +DEFAULT: none +DOC_START + Allowing or Denying access based on defined access lists + + Identical to http_access, but runs after redirectors. If not set + then only http_access is used. +DOC_END + +NAME: http_reply_access +TYPE: acl_access +LOC: Config.accessList.reply +DEFAULT: none +DEFAULT_IF_NONE: allow all +DOC_START + Allow replies to client requests. 
This is complementary to http_access. + + http_reply_access allow|deny [!] aclname ... + + NOTE: if there are no access lines present, the default is to allow + all replies + + If none of the access lines cause a match the opposite of the + last line will apply. Thus it is good practice to end the rules + with an "allow all" or "deny all" entry. +DOC_END + +NAME: icp_access +TYPE: acl_access +LOC: Config.accessList.icp +DEFAULT: none +DEFAULT_IF_NONE: deny all +DOC_START + Allowing or Denying access to the ICP port based on defined + access lists + + icp_access allow|deny [!]aclname ... + + See http_access for details + +NOCOMMENT_START +#Allow ICP queries from everyone +icp_access allow all +NOCOMMENT_END +DOC_END + +NAME: htcp_access +IFDEF: USE_HTCP +TYPE: acl_access +LOC: Config.accessList.htcp +DEFAULT: none +DEFAULT_IF_NONE: deny all +DOC_START + Allowing or Denying access to the HTCP port based on defined + access lists + + htcp_access allow|deny [!]aclname ... + + See http_access for details + +#Allow HTCP queries from everyone +htcp_access allow all +DOC_END + +NAME: htcp_clr_access +IFDEF: USE_HTCP +TYPE: acl_access +LOC: Config.accessList.htcp_clr +DEFAULT: none +DEFAULT_IF_NONE: deny all +DOC_START + Allowing or Denying access to purge content using HTCP based + on defined access lists + + htcp_clr_access allow|deny [!]aclname ... + + See http_access for details + +#Allow HTCP CLR requests from trusted peers +acl htcp_clr_peer src 172.16.1.2 +htcp_clr_access allow htcp_clr_peer +DOC_END + +NAME: miss_access +TYPE: acl_access +LOC: Config.accessList.miss +DEFAULT: none +DOC_START + Use to force your neighbors to use you as a sibling instead of + a parent. For example: + + acl localclients src 172.16.0.0/16 + miss_access allow localclients + miss_access deny !localclients + + This means only your local clients are allowed to fetch + MISSES and all other clients can only fetch HITS. 
+ + By default, allow all clients who passed the http_access rules + to fetch MISSES from us. + +NOCOMMENT_START +#Default setting: +# miss_access allow all +NOCOMMENT_END +DOC_END + +NAME: ident_lookup_access +TYPE: acl_access +IFDEF: USE_IDENT +DEFAULT: none +DEFAULT_IF_NONE: deny all +LOC: Config.accessList.identLookup +DOC_START + A list of ACL elements which, if matched, cause an ident + (RFC931) lookup to be performed for this request. For + example, you might choose to always perform ident lookups + for your main multi-user Unix boxes, but not for your Macs + and PCs. By default, ident lookups are not performed for + any requests. + + To enable ident lookups for specific client addresses, you + can follow this example: + + acl ident_aware_hosts src 198.168.1.0/255.255.255.0 + ident_lookup_access allow ident_aware_hosts + ident_lookup_access deny all + + Only src type ACL checks are fully supported. A src_domain + ACL might work at times, but it will not always provide + the correct result. +DOC_END + +NAME: reply_header_max_size +COMMENT: (KB) +TYPE: b_size_t +DEFAULT: 20 KB +LOC: Config.maxReplyHeaderSize +DOC_START + This specifies the maximum size for HTTP headers in a reply. + Reply headers are usually relatively small (about 512 bytes). + Placing a limit on the reply header size will catch certain + bugs (for example with persistent connections) and possibly + buffer-overflow or denial-of-service attacks. +DOC_END + +NAME: reply_body_max_size +COMMENT: bytes allow|deny acl acl... +TYPE: body_size_t +DEFAULT: none +DEFAULT_IF_NONE: 0 allow all +LOC: Config.ReplyBodySize +DOC_START + This option specifies the maximum size of a reply body in bytes. + It can be used to prevent users from downloading very large files, + such as MP3's and movies. When the reply headers are received, + the reply_body_max_size lines are processed, and the first line with + a result of "allow" is used as the maximum body size for this reply. + This size is checked twice. 
First when we get the reply headers, + we check the content-length value. If the content length value exists + and is larger than the allowed size, the request is denied and the + user receives an error message that says "the request or reply + is too large." If there is no content-length, and the reply + size exceeds this limit, the client's connection is just closed + and they will receive a partial reply. + + WARNING: downstream caches probably can not detect a partial reply + if there is no content-length header, so they will cache + partial responses and give them out as hits. You should NOT + use this option if you have downstream caches. + + If you set this parameter to zero (the default), there will be + no limit imposed. +DOC_END + +COMMENT_START + OPTIONS FOR X-Forwarded-For + ----------------------------------------------------------------------------- +COMMEND_END + +NAME: follow_x_forwarded_for +TYPE: acl_access +IFDEF: FOLLOW_X_FORWARDED_FOR +LOC: Config.accessList.followXFF +DEFAULT: none +DEFAULT_IF_NONE: deny all +DOC_START + Allowing or Denying the X-Forwarded-For header to be followed to + find the original source of a request. + + Requests may pass through a chain of several other proxies + before reaching us. The X-Forwarded-For header will contain a + comma-separated list of the IP addresses in the chain, with the + rightmost address being the most recent. + + If a request reaches us from a source that is allowed by this + configuration item, then we consult the X-Forwarded-For header + to see where that host received the request from. If the + X-Forwarded-For header contains multiple addresses, and if + acl_uses_indirect_client is on, then we continue backtracking + until we reach an address for which we are not allowed to + follow the X-Forwarded-For header, or until we reach the first + address in the list. (If acl_uses_indirect_client is off, then + it's impossible to backtrack through more than one level of + X-Forwarded-For addresses.) 
+ + The end result of this process is an IP address that we will + refer to as the indirect client address. This address may + be treated as the client address for access control, delay + pools and logging, depending on the acl_uses_indirect_client, + delay_pool_uses_indirect_client and log_uses_indirect_client + options. + + SECURITY CONSIDERATIONS: + + Any host for which we follow the X-Forwarded-For header + can place incorrect information in the header, and Squid + will use the incorrect information as if it were the + source address of the request. This may enable remote + hosts to bypass any access control restrictions that are + based on the client's source addresses. + + For example: + + acl localhost src 127.0.0.1 + acl my_other_proxy srcdomain .proxy.example.com follow_x_forwarded_for allow localhost follow_x_forwarded_for allow my_other_proxy DOC_END 
@@ -920,191 +965,193 @@ direct client address in the access log. DOC_END -NAME: http_access -TYPE: acl_access -LOC: Config.accessList.http +COMMENT_START + NETWORK OPTIONS + ----------------------------------------------------------------------------- +COMMENT_END + +NAME: http_port ascii_port +TYPE: http_port_list DEFAULT: none -DEFAULT_IF_NONE: deny all +LOC: Config.Sockaddr.http DOC_START - Allowing or Denying access based on defined access lists + Usage: port [options] + hostname:port [options] + 1.2.3.4:port [options] - Access to the HTTP port: - http_access allow|deny [!]aclname ... + The socket addresses where Squid will listen for HTTP client + requests. You may specify multiple socket addresses. + There are three forms: port alone, hostname with port, and + IP address with port. If you specify a hostname or IP + address, Squid binds the socket to that specific + address. This replaces the old 'tcp_incoming_address' + option. Most likely, you do not need to bind to a specific + address, so you can use the port number alone. - NOTE on default values: + If you are running Squid in accelerator mode, you + probably want to listen on port 80 also, or instead. - If there are no "access" lines present, the default is to deny - the request. + The -I command line option will override the *first* port + specified here. - If none of the "access" lines cause a match, the default is the - opposite of the last line in the list. If the last line was - deny, the default is allow. Conversely, if the last line - is allow, the default will be deny. For these reasons, it is a - good idea to have an "deny all" or "allow all" entry at the end - of your access lists to avoid potential confusion. + You may specify multiple socket addresses on multiple lines. 
-NOCOMMENT_START -#Recommended minimum configuration: -# -# Only allow cachemgr access from localhost -http_access allow manager localhost -http_access deny manager -# Deny requests to unknown ports -http_access deny !Safe_ports -# Deny CONNECT to other than SSL ports -http_access deny CONNECT !SSL_ports -# -# We strongly recommend the following be uncommented to protect innocent -# web applications running on the proxy server who think the only -# one who can access services on "localhost" is a local user -#http_access deny to_localhost -# -# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS + Options: -# Example rule allowing access from your local networks. Adapt -# to list your (internal) IP networks from where browsing should -# be allowed -#acl our_networks src 192.168.1.0/24 192.168.2.0/24 -#http_access allow our_networks + transparent Support for transparent interception of + outgoing requests without browser settings. -# And finally deny all other access to this proxy -http_access deny all -NOCOMMENT_END -DOC_END + tproxy Support Linux TPROXY for spoofing outgoing + connections using the client IP address. + + accel Accelerator mode. Also needs at least one + of vhost/vport/defaultsite. + + defaultsite=domainname + What to use for the Host: header if it is not present + in a request. Determines what site (not origin server) + accelerators should consider the default. + Implies accel. + + vhost Accelerator mode using Host header for virtual + domain support. Implies accel. + + vport Accelerator with IP based virtual host support. + Implies accel. + + vport=NN As above, but uses specified port number rather + than the http_port number. Implies accel. + + urlgroup= Default urlgroup to mark requests with (see + also acl urlgroup and url_rewrite_program) + + protocol= Protocol to reconstruct accelerated requests with. + Defaults to http. 
+ + no-connection-auth + Prevent forwarding of Microsoft connection oriented + authentication (NTLM, Negotiate and Kerberos) + + act-as-origin + Act is if this Squid is the origin server. + This currently means generate own Date: and + Expires: headers. Implies accel. -NAME: http_access2 -TYPE: acl_access -LOC: Config.accessList.http2 -DEFAULT: none -DOC_START - Allowing or Denying access based on defined access lists + If you run Squid on a dual-homed machine with an internal + and an external interface we recommend you to specify the + internal address:port in http_port. This way Squid will only be + visible on the internal address. - Identical to http_access, but runs after redirectors. If not set - then only http_access is used. +NOCOMMENT_START +# Squid normally listens to port 3128 +http_port @DEFAULT_HTTP_PORT@ +NOCOMMENT_END DOC_END -NAME: http_reply_access -TYPE: acl_access -LOC: Config.accessList.reply +NAME: https_port +IFDEF: USE_SSL +TYPE: https_port_list DEFAULT: none -DEFAULT_IF_NONE: allow all +LOC: Config.Sockaddr.https DOC_START - Allow replies to client requests. This is complementary to http_access. + Usage: [ip:]port cert=certificate.pem [key=key.pem] [options...] - http_reply_access allow|deny [!] aclname ... + The socket address where Squid will listen for HTTPS client + requests. - NOTE: if there are no access lines present, the default is to allow - all replies + This is really only useful for situations where you are running + squid in accelerator mode and you want to do the SSL work at the + accelerator level. - If none of the access lines cause a match the opposite of the - last line will apply. Thus it is good practice to end the rules - with an "allow all" or "deny all" entry. -DOC_END + You may specify multiple socket addresses on multiple lines, + each with their own SSL certificate and/or options. 
-NAME: icp_access -TYPE: acl_access -LOC: Config.accessList.icp -DEFAULT: none -DEFAULT_IF_NONE: deny all -DOC_START - Allowing or Denying access to the ICP port based on defined - access lists + Options: - icp_access allow|deny [!]aclname ... + accel Accelerator mode. Also needs at least one of + defaultsite or vhost. - See http_access for details + defaultsite= The name of the https site presented on + this port. Implies accel. -NOCOMMENT_START -#Allow ICP queries from everyone -icp_access allow all -NOCOMMENT_END -DOC_END + vhost Accelerator mode using Host header for virtual + domain support. Requires a wildcard certificate + or other certificate valid for more than one domain. + Implies accel. -NAME: htcp_access -IFDEF: USE_HTCP -TYPE: acl_access -LOC: Config.accessList.htcp -DEFAULT: none -DEFAULT_IF_NONE: deny all -DOC_START - Allowing or Denying access to the HTCP port based on defined - access lists + urlgroup= Default urlgroup to mark requests with (see + also acl urlgroup and url_rewrite_program). - htcp_access allow|deny [!]aclname ... + protocol= Protocol to reconstruct accelerated requests with. + Defaults to https. - See http_access for details + cert= Path to SSL certificate (PEM format). -#Allow HTCP queries from everyone -htcp_access allow all -DOC_END + key= Path to SSL private key file (PEM format) + if not specified, the certificate file is + assumed to be a combined certificate and + key file. -NAME: htcp_clr_access -IFDEF: USE_HTCP -TYPE: acl_access -LOC: Config.accessList.htcp_clr -DEFAULT: none -DEFAULT_IF_NONE: deny all -DOC_START - Allowing or Denying access to purge content using HTCP based - on defined access lists + version= The version of SSL/TLS supported + 1 automatic (default) + 2 SSLv2 only + 3 SSLv3 only + 4 TLSv1 only - htcp_clr_access allow|deny [!]aclname ... + cipher= Colon separated list of supported ciphers. - See http_access for details + options= Various SSL engine options. 
The most important + being: + NO_SSLv2 Disallow the use of SSLv2 + NO_SSLv3 Disallow the use of SSLv3 + NO_TLSv1 Disallow the use of TLSv1 + SINGLE_DH_USE Always create a new key when using + temporary/ephemeral DH key exchanges + See src/ssl_support.c or OpenSSL SSL_CTX_set_options + documentation for a complete list of options. -#Allow HTCP CLR requests from trusted peers -acl htcp_clr_peer src 172.16.1.2 -htcp_clr_access allow htcp_clr_peer -DOC_END + clientca= File containing the list of CAs to use when + requesting a client certificate. -NAME: miss_access -TYPE: acl_access -LOC: Config.accessList.miss -DEFAULT: none -DOC_START - Use to force your neighbors to use you as a sibling instead of - a parent. For example: + cafile= File containing additional CA certificates to + use when verifying client certificates. If unset + clientca will be used. - acl localclients src 172.16.0.0/16 - miss_access allow localclients - miss_access deny !localclients + capath= Directory containing additional CA certificates + and CRL lists to use when verifying client certificates. - This means only your local clients are allowed to fetch - MISSES and all other clients can only fetch HITS. + crlfile= File of additional CRL lists to use when verifying + the client certificate, in addition to CRLs stored in + the capath. Implies VERIFY_CRL flag below. - By default, allow all clients who passed the http_access rules - to fetch MISSES from us. + dhparams= File containing DH parameters for temporary/ephemeral + DH key exchanges. -NOCOMMENT_START -#Default setting: -# miss_access allow all -NOCOMMENT_END -DOC_END + sslflags= Various flags modifying the use of SSL: + DELAYED_AUTH + Don't request client certificates + immediately, but wait until acl processing + requires a certificate (not yet implemented). + NO_DEFAULT_CA + Don't use the default CA lists built in + to OpenSSL. + NO_SESSION_REUSE + Don't allow for session reuse. Each connection + will result in a new SSL session. 
+ VERIFY_CRL + Verify CRL lists when accepting client + certificates. + VERIFY_CRL_ALL + Verify CRL lists for all certificates in the + client certificate chain. -NAME: ident_lookup_access -TYPE: acl_access -IFDEF: USE_IDENT -DEFAULT: none -DEFAULT_IF_NONE: deny all -LOC: Config.accessList.identLookup -DOC_START - A list of ACL elements which, if matched, cause an ident - (RFC931) lookup to be performed for this request. For - example, you might choose to always perform ident lookups - for your main multi-user Unix boxes, but not for your Macs - and PCs. By default, ident lookups are not performed for - any requests. + sslcontext= SSL session ID context identifier. - To enable ident lookups for specific client addresses, you - can follow this example: + vport Accelerator with IP based virtual host support. - acl ident_aware_hosts src 198.168.1.0/255.255.255.0 - ident_lookup_access allow ident_aware_hosts - ident_lookup_access deny all + vport=NN As above, but uses specified port number rather + than the https_port number. Implies accel. - Only src type ACL checks are fully supported. A src_domain - ACL might work at times, but it will not always provide - the correct result. DOC_END NAME: tcp_outgoing_tos tcp_outgoing_ds tcp_outgoing_dscp 
@@ -1175,59 +1222,6 @@ to off when using this directive in such configurations. DOC_END -NAME: reply_header_max_size -COMMENT: (KB) -TYPE: b_size_t -DEFAULT: 20 KB -LOC: Config.maxReplyHeaderSize -DOC_START - This specifies the maximum size for HTTP headers in a reply. - Reply headers are usually relatively small (about 512 bytes). - Placing a limit on the reply header size will catch certain - bugs (for example with persistent connections) and possibly - buffer-overflow or denial-of-service attacks. -DOC_END - -NAME: reply_body_max_size -COMMENT: bytes allow|deny acl acl... -TYPE: body_size_t -DEFAULT: none -DEFAULT_IF_NONE: 0 allow all -LOC: Config.ReplyBodySize -DOC_START - This option specifies the maximum size of a reply body in bytes. - It can be used to prevent users from downloading very large files, - such as MP3's and movies. When the reply headers are received, - the reply_body_max_size lines are processed, and the first line with - a result of "allow" is used as the maximum body size for this reply. - This size is checked twice. First when we get the reply headers, - we check the content-length value. If the content length value exists - and is larger than the allowed size, the request is denied and the - user receives an error message that says "the request or reply - is too large." If there is no content-length, and the reply - size exceeds this limit, the client's connection is just closed - and they will receive a partial reply. - - WARNING: downstream caches probably can not detect a partial reply - if there is no content-length header, so they will cache - partial responses and give them out as hits. You should NOT - use this option if you have downstream caches. - - If you set this parameter to zero (the default), there will be - no limit imposed. -DOC_END - -NAME: log_access -TYPE: acl_access -LOC: Config.accessList.log -DEFAULT: none -COMMENT: allow|deny acl acl... 
-DOC_START - This options allows you to control which requests gets logged - to access.log (see access_log directive). Requests denied for - logging will also not be accounted for in performance counters. -DOC_END - COMMENT_START SSL OPTIONS ----------------------------------------------------------------------------- @@ -2211,6 +2205,17 @@ NOCOMMENT_END DOC_END +NAME: log_access +TYPE: acl_access +LOC: Config.accessList.log +DEFAULT: none +COMMENT: allow|deny acl acl... +DOC_START + This options allows you to control which requests gets logged + to access.log (see access_log directive). Requests denied for + logging will also not be accounted for in performance counters. +DOC_END + NAME: cache_log TYPE: string DEFAULT: @DEFAULT_CACHE_LOG@
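Review bot: The new "OPTIONS FOR X-Forwarded-For" comment block in the @@ -834,52 +645,286 @@ hunk is closed with `COMMEND_END` instead of `COMMENT_END`, while every other comment block in this file (and in this same patch, e.g. `NETWORK OPTIONS` and `SSL OPTIONS`) is terminated by `COMMENT_END`. The cf.data.pre generator keys on the literal marker, so the mistyped terminator leaves the block opened by `COMMENT_START` unterminated and the directive that follows it, `follow_x_forwarded_for`, the one whose documentation carries the "SECURITY CONSIDERATIONS" warning about spoofed X-Forwarded-For addresses bypassing source-address ACLs, is at risk of being swallowed into the comment or breaking the generated squid.conf.default. Suggested change: `+COMMENT_END`. Everything else in the hunk is the existing `http_access` ... `reply_body_max_size` text moved verbatim, which is consistent with the commit log.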
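Review bot: Since the `http_port` documentation is being relocated wholesale in the @@ -920,191 +965,193 @@ hunk, this is a good moment to fix the typo it carries: the `act-as-origin` option reads "Act is if this Squid is the origin server", which should be "Act as if this Squid is the origin server". Suggested change: `+ Act as if this Squid is the origin server.`. The rest of the `http_port` / `https_port` text, including the `options=` list of `NO_SSLv2` / `NO_SSLv3` / `NO_TLSv1` and the `sslflags=` values, is moved unchanged, so no behavioural review point applies here.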
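Review bot: The `log_access` description re-added in the @@ -2211,6 +2205,17 @@ hunk has a grammatical slip, "This options allows you to control which requests gets logged", that is worth correcting while the block is being moved next to `access_log`: suggested `+ This option allows you to control which requests get logged`. The note that requests denied for logging are also excluded from performance counters is the operationally important part and is preserved as-is, which is correct, since an operator restricting `log_access` should understand that the omitted requests disappear from counters as well as from access.log.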