squid/squid-conf

4708 lines
156 KiB
Plaintext
Raw Permalink Normal View History

# WELCOME TO SQUID 3.0.STABLE6
# ----------------------------
#
# This is the default Squid configuration file. You may wish
# to look at the Squid home page (http://www.squid-cache.org/)
# for the FAQ and other documentation.
#
# The default Squid config file shows what the defaults for
# various options happen to be. If you don't need to change the
# default, you shouldn't uncomment the line. Doing so may cause
# run-time problems. In some cases "none" refers to no default
# setting at all, while in other cases it refers to a valid
# option - the comments for that keyword indicate if this is the
# case.
#
# Configuration options can be included using the "include" directive.
# Include takes a list of files to include. Quoting and wildcards is
# supported.
#
# For example,
#
# include /path/to/included/file/squid.acl.config
#
# Includes can be nested up to a hard-coded depth of 16 levels.
# This arbitrary restriction is to prevent recursive include references
# from causing Squid entering an infinite loop whilst trying to load
# configuration files.
# OPTIONS FOR AUTHENTICATION
# -----------------------------------------------------------------------------
# TAG: auth_param
# This is used to define parameters for the various authentication
# schemes supported by Squid.
#
# format: auth_param scheme parameter [setting]
#
# The order in which authentication schemes are presented to the client is
# dependent on the order the scheme first appears in config file. IE
# has a bug (it's not RFC 2617 compliant) in that it will use the basic
# scheme if basic is the first entry presented, even if more secure
# schemes are presented. For now use the order in the recommended
# settings section below. If other browsers have difficulties (don't
# recognize the schemes offered even if you are using basic) either
# put basic first, or disable the other schemes (by commenting out their
# program entry).
#
# Once an authentication scheme is fully configured, it can only be
# shutdown by shutting squid down and restarting. Changes can be made on
# the fly and activated with a reconfigure. I.E. You can change to a
# different helper, but not unconfigure the helper completely.
#
# Please note that while this directive defines how Squid processes
# authentication it does not automatically activate authentication.
# To use authentication you must in addition make use of ACLs based
# on login name in http_access (proxy_auth, proxy_auth_regex or
# external with %LOGIN used in the format tag). The browser will be
# challenged for authentication on the first such acl encountered
# in http_access processing and will also be re-challenged for new
# login credentials if the request is being denied by a proxy_auth
# type acl.
#
# WARNING: authentication can't be used in a transparently intercepting
# proxy as the client then thinks it is talking to an origin server and
# not the proxy. This is a limitation of bending the TCP/IP protocol to
# transparently intercepting port 80, not a limitation in Squid.
#
# === Parameters for the basic scheme follow. ===
#
# "program" cmdline
# Specify the command for the external authenticator. Such a program
# reads a line containing "username password" and replies "OK" or
# "ERR" in an endless loop. "ERR" responses may optionally be followed
# by a error description available as %m in the returned error page.
# If you use an authenticator, make sure you have 1 acl of type proxy_auth.
#
# By default, the basic authentication scheme is not used unless a
# program is specified.
#
# If you want to use the traditional NCSA proxy authentication, set
# this line to something like
#
auth_param basic program /usr/lib/squid/ncsa_auth /etc/shadow
#
# "children" numberofchildren
# The number of authenticator processes to spawn. If you start too few
# Squid will have to wait for them to process a backlog of credential
# verifications, slowing it down. When password verifications are
# done via a (slow) network you are likely to need lots of
# authenticator processes.
# auth_param basic children 5
#
# "concurrency" concurrency
# The number of concurrent requests the helper can process.
# The default of 0 is used for helpers who only supports
# one request at a time. Setting this changes the protocol used to
# include a channel number first on the request/response line, allowing
# multiple requests to be sent to the same helper in parallell without
# wating for the response.
# Must not be set unless it's known the helper supports this.
# auth_param basic concurrency 0
#
# "realm" realmstring
# Specifies the realm name which is to be reported to the
# client for the basic proxy authentication scheme (part of
# the text the user will see when prompted their username and
# password). There is no default.
# auth_param basic realm Squid proxy-caching web server
#
# "credentialsttl" timetolive
# Specifies how long squid assumes an externally validated
# username:password pair is valid for - in other words how
# often the helper program is called for that user. Set this
# low to force revalidation with short lived passwords. Note
# setting this high does not impact your susceptibility
# to replay attacks unless you are using an one-time password
# system (such as SecureID). If you are using such a system,
# you will be vulnerable to replay attacks unless you also
# use the max_user_ip ACL in an http_access rule.
#
# "casesensitive" on|off
# Specifies if usernames are case sensitive. Most user databases are
# case insensitive allowing the same username to be spelled using both
# lower and upper case letters, but some are case sensitive. This
# makes a big difference for user_max_ip ACL processing and similar.
# auth_param basic casesensitive off
#
# === Parameters for the digest scheme follow ===
#
# "program" cmdline
# Specify the command for the external authenticator. Such
# a program reads a line containing "username":"realm" and
# replies with the appropriate H(A1) value hex encoded or
# ERR if the user (or his H(A1) hash) does not exists.
# See rfc 2616 for the definition of H(A1).
# "ERR" responses may optionally be followed by a error description
# available as %m in the returned error page.
#
# By default, the digest authentication scheme is not used unless a
# program is specified.
#
# If you want to use a digest authenticator, set this line to
# something like
#
# auth_param digest program /usr/bin/digest_auth_pw /etc/digpass
#
# "children" numberofchildren
# The number of authenticator processes to spawn (no default).
# If you start too few Squid will have to wait for them to
# process a backlog of H(A1) calculations, slowing it down.
# When the H(A1) calculations are done via a (slow) network
# you are likely to need lots of authenticator processes.
# auth_param digest children 5
#
# "realm" realmstring
# Specifies the realm name which is to be reported to the
# client for the digest proxy authentication scheme (part of
# the text the user will see when prompted their username and
# password). There is no default.
# auth_param digest realm Squid proxy-caching web server
#
# "nonce_garbage_interval" timeinterval
# Specifies the interval that nonces that have been issued
# to client_agent's are checked for validity.
#
# "nonce_max_duration" timeinterval
# Specifies the maximum length of time a given nonce will be
# valid for.
#
# "nonce_max_count" number
# Specifies the maximum number of times a given nonce can be
# used.
#
# "nonce_strictness" on|off
# Determines if squid requires strict increment-by-1 behavior
# for nonce counts, or just incrementing (off - for use when
# useragents generate nonce counts that occasionally miss 1
# (ie, 1,2,4,6)). Default off.
#
# "check_nonce_count" on|off
# This directive if set to off can disable the nonce count check
# completely to work around buggy digest qop implementations in
# certain mainstream browser versions. Default on to check the
# nonce count to protect from authentication replay attacks.
#
# "post_workaround" on|off
# This is a workaround to certain buggy browsers who sends
# an incorrect request digest in POST requests when reusing
# the same nonce as acquired earlier on a GET request.
#
# === NTLM scheme options follow ===
#
# "program" cmdline
# Specify the command for the external NTLM authenticator.
# Such a program reads exchanged NTLMSSP packets with
# the browser via Squid until authentication is completed.
# If you use an NTLM authenticator, make sure you have 1 acl
# of type proxy_auth. By default, the NTLM authenticator_program
# is not used.
#
# auth_param ntlm program /usr/bin/ntlm_auth
#
# "children" numberofchildren
# The number of authenticator processes to spawn (no default).
# If you start too few Squid will have to wait for them to
# process a backlog of credential verifications, slowing it
# down. When credential verifications are done via a (slow)
# network you are likely to need lots of authenticator
# processes.
#
# auth_param ntlm children 5
#
# "keep_alive" on|off
# If you experience problems with PUT/POST requests when using the
# Negotiate authentication scheme then you can try setting this to
# off. This will cause Squid to forcibly close the connection on
# the initial requests where the browser asks which schemes are
# supported by the proxy.
#
# auth_param ntlm keep_alive on
#
# === Options for configuring the NEGOTIATE auth-scheme follow ===
#
# "program" cmdline
# Specify the command for the external Negotiate authenticator.
# This protocol is used in Microsoft Active-Directory enabled setups with
# the Microsoft Internet Explorer or Mozilla Firefox browsers.
# Its main purpose is to exchange credentials with the Squid proxy
# using the Kerberos mechanisms.
# If you use a Negotiate authenticator, make sure you have at least one acl
# of type proxy_auth active. By default, the negotiate authenticator_program
# is not used.
# The only supported program for this role is the ntlm_auth
# program distributed as part of Samba, version 4 or later.
#
# auth_param negotiate program /usr/bin/ntlm_auth --helper-protocol=gss-spnego
#
# "children" numberofchildren
# The number of authenticator processes to spawn (no default).
# If you start too few Squid will have to wait for them to
# process a backlog of credential verifications, slowing it
# down. When crendential verifications are done via a (slow)
# network you are likely to need lots of authenticator
# processes.
# auth_param negotiate children 5
#
# "keep_alive" on|off
# If you experience problems with PUT/POST requests when using the
# Negotiate authentication scheme then you can try setting this to
# off. This will cause Squid to forcibly close the connection on
# the initial requests where the browser asks which schemes are
# supported by the proxy.
#
# auth_param negotiate keep_alive on
#
#Recommended minimum configuration per scheme:
#auth_param negotiate program <uncomment and complete this line to activate>
#auth_param negotiate children 5
#auth_param negotiate keep_alive on
#auth_param ntlm program <uncomment and complete this line to activate>
#auth_param ntlm children 5
#auth_param ntlm keep_alive on
#auth_param digest program <uncomment and complete this line>
#auth_param digest children 5
#auth_param digest realm Squid proxy-caching web server
#auth_param digest nonce_garbage_interval 5 minutes
#auth_param digest nonce_max_duration 30 minutes
#auth_param digest nonce_max_count 50
#auth_param basic program <uncomment and complete this line>
#auth_param basic children 5
#auth_param basic realm Squid proxy-caching web server
#auth_param basic credentialsttl 2 hours
# TAG: authenticate_cache_garbage_interval
# The time period between garbage collection across the username cache.
# This is a tradeoff between memory utilization (long intervals - say
# 2 days) and CPU (short intervals - say 1 minute). Only change if you
# have good reason to.
#
#Default:
# authenticate_cache_garbage_interval 1 hour
# TAG: authenticate_ttl
# The time a user & their credentials stay in the logged in
# user cache since their last request. When the garbage
# interval passes, all user credentials that have passed their
# TTL are removed from memory.
#
#Default:
# authenticate_ttl 1 hour
# TAG: authenticate_ip_ttl
# If you use proxy authentication and the 'max_user_ip' ACL,
# this directive controls how long Squid remembers the IP
# addresses associated with each user. Use a small value
# (e.g., 60 seconds) if your users might change addresses
# quickly, as is the case with dialups. You might be safe
# using a larger value (e.g., 2 hours) in a corporate LAN
# environment with relatively static address assignments.
#
#Default:
# authenticate_ip_ttl 0 seconds
# ACCESS CONTROLS
# -----------------------------------------------------------------------------
# TAG: external_acl_type
# This option defines external acl classes using a helper program
# to look up the status
#
# external_acl_type name [options] FORMAT.. /path/to/helper [helper arguments..]
#
# Options:
#
# ttl=n TTL in seconds for cached results (defaults to 3600
# for 1 hour)
# negative_ttl=n
# TTL for cached negative lookups (default same
# as ttl)
# children=n Number of acl helper processes spawn to service
# external acl lookups of this type. (default 5)
# concurrency=n concurrency level per process. Only used with helpers
# capable of processing more than one query at a time.
# cache=n result cache size, 0 is unbounded (default)
# grace=n Percentage remaining of TTL where a refresh of a
# cached entry should be initiated without needing to
# wait for a new reply. (default 0 for no grace period)
# protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers
#
# FORMAT specifications
#
# %LOGIN Authenticated user login name
# %EXT_USER Username from external acl
# %IDENT Ident user name
# %SRC Client IP
# %SRCPORT Client source port
# %URI Requested URI
# %DST Requested host
# %PROTO Requested protocol
# %PORT Requested port
# %PATH Requested URL path
# %METHOD Request method
# %MYADDR Squid interface address
# %MYPORT Squid http_port number
# %PATH Requested URL-path (including query-string if any)
# %USER_CERT SSL User certificate in PEM format
# %USER_CERTCHAIN SSL User certificate chain in PEM format
# %USER_CERT_xx SSL User certificate subject attribute xx
# %USER_CA_xx SSL User certificate issuer attribute xx
# %{Header} HTTP request header
# %{Hdr:member} HTTP request header list member
# %{Hdr:;member}
# HTTP request header list member using ; as
# list separator. ; can be any non-alphanumeric
# character.
#
# In addition to the above, any string specified in the referencing
# acl will also be included in the helper request line, after the
# specified formats (see the "acl external" directive)
#
# The helper receives lines per the above format specification,
# and returns lines starting with OK or ERR indicating the validity
# of the request and optionally followed by additional keywords with
# more details.
#
# General result syntax:
#
# OK/ERR keyword=value ...
#
# Defined keywords:
#
# user= The users name (login)
# password= The users password (for login= cache_peer option)
# message= Message describing the reason. Available as %o
# in error pages
# tag= Apply a tag to a request (for both ERR and OK results)
# Only sets a tag, does not alter existing tags.
# log= String to be logged in access.log. Available as
# %ea in logformat specifications
#
# If protocol=3.0 (the default) then URL escaping is used to protect
# each value in both requests and responses.
#
# If using protocol=2.5 then all values need to be enclosed in quotes
# if they may contain whitespace, or the whitespace escaped using \.
# And quotes or \ characters within the keyword value must be \ escaped.
#
# When using the concurrency= option the protocol is changed by
# introducing a query channel tag infront of the request/response.
# The query channel tag is a number between 0 and concurrency-1.
#
#Default:
# none
# TAG: acl
# Defining an Access List
#
# acl aclname acltype string1 ...
# acl aclname acltype "file" ...
#
# when using "file", the file should contain one item per line
#
# acltype is one of the types described below
#
# By default, regular expressions are CASE-SENSITIVE. To make
# them case-insensitive, use the -i option.
#
# acl aclname src ip-address/netmask ... (clients IP address)
# acl aclname src addr1-addr2/netmask ... (range of addresses)
# acl aclname dst ip-address/netmask ... (URL host's IP address)
# acl aclname myip ip-address/netmask ... (local socket IP address)
#
# acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation)
# # The arp ACL requires the special configure option --enable-arp-acl.
# # Furthermore, the ARP ACL code is not portable to all operating systems.
# # It works on Linux, Solaris, Windows, FreeBSD, and some other *BSD variants.
# #
# # NOTE: Squid can only determine the MAC address for clients that are on
# # the same subnet. If the client is on a different subnet, then Squid cannot
# # find out its MAC address.
#
# acl aclname srcdomain .foo.com ... # reverse lookup, client IP
# acl aclname dstdomain .foo.com ... # Destination server from URL
# acl aclname srcdom_regex [-i] xxx ... # regex matching client name
# acl aclname dstdom_regex [-i] xxx ... # regex matching server
# # For dstdomain and dstdom_regex a reverse lookup is tried if a IP
# # based URL is used and no match is found. The name "none" is used
# # if the reverse lookup fails.
#
# acl aclname http_status 200 301 500- 400-403 ... # status code in reply
#
# acl aclname time [day-abbrevs] [h1:m1-h2:m2]
# day-abbrevs:
# S - Sunday
# M - Monday
# T - Tuesday
# W - Wednesday
# H - Thursday
# F - Friday
# A - Saturday
# h1:m1 must be less than h2:m2
# acl aclname url_regex [-i] ^http:// ... # regex matching on whole URL
# acl aclname urlpath_regex [-i] \.gif$ ... # regex matching on URL path
# acl aclname port 80 70 21 ...
# acl aclname port 0-1024 ... # ranges allowed
# acl aclname myport 3128 ... # (local socket TCP port)
# acl aclname myportname 3128 ... # http(s)_port name
# acl aclname proto HTTP FTP ...
# acl aclname method GET POST ...
# acl aclname browser [-i] regexp ...
# # pattern match on User-Agent header (see also req_header below)
# acl aclname referer_regex [-i] regexp ...
# # pattern match on Referer header
# # Referer is highly unreliable, so use with care
# acl aclname ident username ...
# acl aclname ident_regex [-i] pattern ...
# # string match on ident output.
# # use REQUIRED to accept any non-null ident.
# acl aclname src_as number ...
# acl aclname dst_as number ...
# # Except for access control, AS numbers can be used for
# # routing of requests to specific caches. Here's an
# # example for routing all requests for AS#1241 and only
# # those to mycache.mydomain.net:
# # acl asexample dst_as 1241
# # cache_peer_access mycache.mydomain.net allow asexample
# # cache_peer_access mycache_mydomain.net deny all
#
# acl aclname proxy_auth [-i] username ...
# acl aclname proxy_auth_regex [-i] pattern ...
# # list of valid usernames
# # use REQUIRED to accept any valid username.
# #
# # NOTE: when a Proxy-Authentication header is sent but it is not
# # needed during ACL checking the username is NOT logged
# # in access.log.
# #
# # NOTE: proxy_auth requires a EXTERNAL authentication program
# # to check username/password combinations (see
# # auth_param directive).
# #
# # NOTE: proxy_auth can't be used in a transparent proxy as
# # the browser needs to be configured for using a proxy in order
# # to respond to proxy authentication.
#
# acl aclname snmp_community string ...
# # A community string to limit access to your SNMP Agent
# # Example:
# #
# # acl snmppublic snmp_community public
#
# acl aclname maxconn number
# # This will be matched when the client's IP address has
# # more than <number> HTTP connections established.
#
# acl aclname max_user_ip [-s] number
# # This will be matched when the user attempts to log in from more
# # than <number> different ip addresses. The authenticate_ip_ttl
# # parameter controls the timeout on the ip entries.
# # If -s is specified the limit is strict, denying browsing
# # from any further IP addresses until the ttl has expired. Without
# # -s Squid will just annoy the user by "randomly" denying requests.
# # (the counter is reset each time the limit is reached and a
# # request is denied)
# # NOTE: in acceleration mode or where there is mesh of child proxies,
# # clients may appear to come from multiple addresses if they are
# # going through proxy farms, so a limit of 1 may cause user problems.
#
# acl aclname req_mime_type mime-type1 ...
# # regex match against the mime type of the request generated
# # by the client. Can be used to detect file upload or some
# # types HTTP tunneling requests.
# # NOTE: This does NOT match the reply. You cannot use this
# # to match the returned file type.
#
# acl aclname req_header header-name [-i] any\.regex\.here
# # regex match against any of the known request headers. May be
# # thought of as a superset of "browser", "referer" and "mime-type"
# # ACLs.
#
# acl aclname rep_mime_type mime-type1 ...
# # regex match against the mime type of the reply received by
# # squid. Can be used to detect file download or some
# # types HTTP tunneling requests.
# # NOTE: This has no effect in http_access rules. It only has
# # effect in rules that affect the reply data stream such as
# # http_reply_access.
#
# acl aclname rep_header header-name [-i] any\.regex\.here
# # regex match against any of the known reply headers. May be
# # thought of as a superset of "browser", "referer" and "mime-type"
# # ACLs.
#
# acl acl_name external class_name [arguments...]
# # external ACL lookup via a helper class defined by the
# # external_acl_type directive.
#
# acl aclname user_cert attribute values...
# # match against attributes in a user SSL certificate
# # attribute is one of DN/C/O/CN/L/ST
#
# acl aclname ca_cert attribute values...
# # match against attributes a users issuing CA SSL certificate
# # attribute is one of DN/C/O/CN/L/ST
#
# acl aclname ext_user username ...
# acl aclname ext_user_regex [-i] pattern ...
# # string match on username returned by external acl helper
# # use REQUIRED to accept any non-null user name.
#
#Examples:
#acl macaddress arp 09:00:2b:23:45:67
#acl myexample dst_as 1241
#acl password proxy_auth REQUIRED
#acl fileupload req_mime_type -i ^multipart/form-data$
#acl javascript rep_mime_type -i ^application/x-javascript$
#
#Default:
# acl all src all
#
#Recommended minimum configuration:
acl password proxy_auth REQUIRED
acl lan src 127.0.0.1/255.255.255.255 # <insert the local network here>
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
#
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
#
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# TAG: http_access
# Allowing or Denying access based on defined access lists
#
# Access to the HTTP port:
# http_access allow|deny [!]aclname ...
#
# NOTE on default values:
#
# If there are no "access" lines present, the default is to deny
# the request.
#
# If none of the "access" lines cause a match, the default is the
# opposite of the last line in the list. If the last line was
# deny, the default is allow. Conversely, if the last line
# is allow, the default will be deny. For these reasons, it is a
# good idea to have an "deny all" or "allow all" entry at the end
# of your access lists to avoid potential confusion.
#
#Default:
# http_access deny all
#
#Recommended minimum configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
http_access deny !lan !localhost
http_access allow password
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
# And finally deny all other access to this proxy
http_access deny all
# TAG: http_reply_access
# Allow replies to client requests. This is complementary to http_access.
#
# http_reply_access allow|deny [!] aclname ...
#
# NOTE: if there are no access lines present, the default is to allow
# all replies
#
# If none of the access lines cause a match the opposite of the
# last line will apply. Thus it is good practice to end the rules
# with an "allow all" or "deny all" entry.
#
#Default:
# none
# TAG: icp_access
# Allowing or Denying access to the ICP port based on defined
# access lists
#
# icp_access allow|deny [!]aclname ...
#
# See http_access for details
#
#Default:
# icp_access deny all
#
#Allow ICP queries from local networks only
icp_access allow localnet
icp_access deny all
# TAG: htcp_access
# Allowing or Denying access to the HTCP port based on defined
# access lists
#
# htcp_access allow|deny [!]aclname ...
#
# See http_access for details
#
# NOTE: The default if no htcp_access lines are present is to
# deny all traffic. This default may cause problems with peers
# using the htcp or htcp-oldsquid options.
#
#Default:
# htcp_access deny all
#
#Allow HTCP queries from local networks only
htcp_access allow localnet
htcp_access deny all
# TAG: htcp_clr_access
# Allowing or Denying access to purge content using HTCP based
# on defined access lists
#
# htcp_clr_access allow|deny [!]aclname ...
#
# See http_access for details
#
##Allow HTCP CLR requests from trusted peers
#acl htcp_clr_peer src 172.16.1.2
#htcp_clr_access allow htcp_clr_peer
#
#Default:
# htcp_clr_access deny all
# TAG: miss_access
# Use to force your neighbors to use you as a sibling instead of
# a parent. For example:
#
# acl localclients src 172.16.0.0/16
# miss_access allow localclients
# miss_access deny !localclients
#
# This means only your local clients are allowed to fetch
# MISSES and all other clients can only fetch HITS.
#
# By default, allow all clients who passed the http_access rules
# to fetch MISSES from us.
#
#Default setting:
# miss_access allow all
# TAG: ident_lookup_access
# A list of ACL elements which, if matched, cause an ident
# (RFC 931) lookup to be performed for this request. For
# example, you might choose to always perform ident lookups
# for your main multi-user Unix boxes, but not for your Macs
# and PCs. By default, ident lookups are not performed for
# any requests.
#
# To enable ident lookups for specific client addresses, you
# can follow this example:
#
# acl ident_aware_hosts src 198.168.1.0/255.255.255.0
# ident_lookup_access allow ident_aware_hosts
# ident_lookup_access deny all
#
# Only src type ACL checks are fully supported. A src_domain
# ACL might work at times, but it will not always provide
# the correct result.
#
#Default:
# ident_lookup_access deny all
# TAG: reply_body_max_size size [acl acl...]
# This option specifies the maximum size of a reply body. It can be
# used to prevent users from downloading very large files, such as
# MP3's and movies. When the reply headers are received, the
# reply_body_max_size lines are processed, and the first line where
# all (if any) listed ACLs are true is used as the maximum body size
# for this reply.
#
# This size is checked twice. First when we get the reply headers,
# we check the content-length value. If the content length value exists
# and is larger than the allowed size, the request is denied and the
# user receives an error message that says "the request or reply
# is too large." If there is no content-length, and the reply
# size exceeds this limit, the client's connection is just closed
# and they will receive a partial reply.
#
# WARNING: downstream caches probably can not detect a partial reply
# if there is no content-length header, so they will cache
# partial responses and give them out as hits. You should NOT
# use this option if you have downstream caches.
#
# WARNING: A maximum size smaller than the size of squid's error messages
# will cause an infinite loop and crash squid. Ensure that the smallest
# non-zero value you use is greater that the maximum header size plus
# the size of your largest error page.
#
# If you set this parameter none (the default), there will be
# no limit imposed.
#
#Default:
# none
# NETWORK OPTIONS
# -----------------------------------------------------------------------------
# TAG: http_port
# Usage: port [options]
# hostname:port [options]
# 1.2.3.4:port [options]
#
# The socket addresses where Squid will listen for HTTP client
# requests. You may specify multiple socket addresses.
# There are three forms: port alone, hostname with port, and
# IP address with port. If you specify a hostname or IP
# address, Squid binds the socket to that specific
# address. This replaces the old 'tcp_incoming_address'
# option. Most likely, you do not need to bind to a specific
# address, so you can use the port number alone.
#
# If you are running Squid in accelerator mode, you
# probably want to listen on port 80 also, or instead.
#
# The -a command line option may be used to specify additional
# port(s) where Squid listens for proxy request. Such ports will
# be plain proxy ports with no options.
#
# You may specify multiple socket addresses on multiple lines.
#
# Options:
#
# transparent Support for transparent interception of
# outgoing requests without browser settings.
#
# tproxy Support Linux TPROXY for spoofing outgoing
# connections using the client IP address.
#
# accel Accelerator mode. Also needs at least one of
# vhost / vport / defaultsite.
#
# defaultsite=domainname
# What to use for the Host: header if it is not present
# in a request. Determines what site (not origin server)
# accelerators should consider the default.
# Implies accel.
#
# vhost Accelerator mode using Host header for virtual
# domain support. Implies accel.
#
# vport Accelerator with IP based virtual host support.
# Implies accel.
#
# vport=NN As above, but uses specified port number rather
# than the http_port number. Implies accel.
#
# protocol= Protocol to reconstruct accelerated requests with.
# Defaults to http.
#
# disable-pmtu-discovery=
# Control Path-MTU discovery usage:
# off lets OS decide on what to do (default).
# transparent disable PMTU discovery when transparent
# support is enabled.
# always disable always PMTU discovery.
#
# In many setups of transparently intercepting proxies
# Path-MTU discovery can not work on traffic towards the
# clients. This is the case when the intercepting device
# does not fully track connections and fails to forward
# ICMP must fragment messages to the cache server. If you
# have such setup and experience that certain clients
# sporadically hang or never complete requests set
# disable-pmtu-discovery option to 'transparent'.
#
# name= Specifies a internal name for the port. Defaults to
# the port specification (port or addr:port)
#
# If you run Squid on a dual-homed machine with an internal
# and an external interface we recommend you to specify the
# internal address:port in http_port. This way Squid will only be
# visible on the internal address.
#
# Squid normally listens to port 3128
http_port 3128
# TAG: https_port
# Usage: [ip:]port cert=certificate.pem [key=key.pem] [options...]
#
# The socket address where Squid will listen for HTTPS client
# requests.
#
# This is really only useful for situations where you are running
# squid in accelerator mode and you want to do the SSL work at the
# accelerator level.
#
# You may specify multiple socket addresses on multiple lines,
# each with their own SSL certificate and/or options.
#
# Options:
#
# accel Accelerator mode. Also needs at least one of
# defaultsite or vhost.
#
# defaultsite= The name of the https site presented on
# this port. Implies accel.
#
# vhost Accelerator mode using Host header for virtual
# domain support. Requires a wildcard certificate
# or other certificate valid for more than one domain.
# Implies accel.
#
# protocol= Protocol to reconstruct accelerated requests with.
# Defaults to https.
#
# cert= Path to SSL certificate (PEM format).
#
# key= Path to SSL private key file (PEM format)
# if not specified, the certificate file is
# assumed to be a combined certificate and
# key file.
#
# version= The version of SSL/TLS supported
# 1 automatic (default)
# 2 SSLv2 only
# 3 SSLv3 only
# 4 TLSv1 only
#
# cipher= Colon separated list of supported ciphers.
#
# options= Various SSL engine options. The most important
# being:
# NO_SSLv2 Disallow the use of SSLv2
# NO_SSLv3 Disallow the use of SSLv3
# NO_TLSv1 Disallow the use of TLSv1
# SINGLE_DH_USE Always create a new key when using
# temporary/ephemeral DH key exchanges
# See src/ssl_support.c or OpenSSL SSL_CTX_set_options
# documentation for a complete list of options.
#
# clientca= File containing the list of CAs to use when
# requesting a client certificate.
#
# cafile= File containing additional CA certificates to
# use when verifying client certificates. If unset
# clientca will be used.
#
# capath= Directory containing additional CA certificates
# and CRL lists to use when verifying client certificates.
#
# crlfile= File of additional CRL lists to use when verifying
# the client certificate, in addition to CRLs stored in
# the capath. Implies VERIFY_CRL flag below.
#
# dhparams= File containing DH parameters for temporary/ephemeral
# DH key exchanges.
#
# sslflags= Various flags modifying the use of SSL:
# DELAYED_AUTH
# Don't request client certificates
# immediately, but wait until acl processing
# requires a certificate (not yet implemented).
# NO_DEFAULT_CA
# Don't use the default CA lists built in
# to OpenSSL.
# NO_SESSION_REUSE
# Don't allow for session reuse. Each connection
# will result in a new SSL session.
# VERIFY_CRL
# Verify CRL lists when accepting client
# certificates.
# VERIFY_CRL_ALL
# Verify CRL lists for all certificates in the
# client certificate chain.
#
# sslcontext= SSL session ID context identifier.
#
# vport Accelerator with IP based virtual host support.
#
# vport=NN As above, but uses specified port number rather
# than the https_port number. Implies accel.
#
# name= Specifies a internal name for the port. Defaults to
# the port specification (port or addr:port)
#
#
#Default:
# none
# TAG: tcp_outgoing_tos
# Allows you to select a TOS/Diffserv value to mark outgoing
# connections with, based on the username or source address
# making the request.
#
# tcp_outgoing_tos ds-field [!]aclname ...
#
# Example where normal_service_net uses the TOS value 0x00
# and normal_service_net uses 0x20
#
# acl normal_service_net src 10.0.0.0/255.255.255.0
# acl good_service_net src 10.0.1.0/255.255.255.0
# tcp_outgoing_tos 0x00 normal_service_net
# tcp_outgoing_tos 0x20 good_service_net
#
# TOS/DSCP values really only have local significance - so you should
# know what you're specifying. For more information, see RFC2474 and
# RFC3260.
#
# The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or
# "default" to use whatever default your host has. Note that in
# practice often only values 0 - 63 is usable as the two highest bits
# have been redefined for use by ECN (RFC3168).
#
# Processing proceeds in the order specified, and stops at first fully
# matching line.
#
# Note: The use of this directive using client dependent ACLs is
# incompatible with the use of server side persistent connections. To
# ensure correct results it is best to set server_persisten_connections
# to off when using this directive in such configurations.
#
#Default:
# none
# TAG: clientside_tos
# Allows you to select a TOS/Diffserv value to mark client-side
# connections with, based on the username or source address
# making the request.
#
#Default:
# none
# TAG: tcp_outgoing_address
# Allows you to map requests to different outgoing IP addresses
# based on the username or source address of the user making
# the request.
#
# tcp_outgoing_address ipaddr [[!]aclname] ...
#
# Example where requests from 10.0.0.0/24 will be forwarded
# with source address 10.1.0.1, 10.0.2.0/24 forwarded with
# source address 10.1.0.2 and the rest will be forwarded with
# source address 10.1.0.3.
#
# acl normal_service_net src 10.0.0.0/24
# acl good_service_net src 10.0.2.0/24
# tcp_outgoing_address 10.1.0.1 normal_service_net
# tcp_outgoing_address 10.1.0.2 good_service_net
# tcp_outgoing_address 10.1.0.3
#
# Processing proceeds in the order specified, and stops at first fully
# matching line.
#
# Note: The use of this directive using client dependent ACLs is
# incompatible with the use of server side persistent connections. To
# ensure correct results it is best to set server_persistent_connections
# to off when using this directive in such configurations.
#
#Default:
# none
# SSL OPTIONS
# -----------------------------------------------------------------------------
# TAG: ssl_unclean_shutdown
# Some browsers (especially MSIE) bugs out on SSL shutdown
# messages.
#
#Default:
# ssl_unclean_shutdown off
# TAG: ssl_engine
# The OpenSSL engine to use. You will need to set this if you
# would like to use hardware SSL acceleration for example.
#
#Default:
# none
# TAG: sslproxy_client_certificate
# Client SSL Certificate to use when proxying https:// URLs
#
#Default:
# none
# TAG: sslproxy_client_key
# Client SSL Key to use when proxying https:// URLs
#
#Default:
# none
# TAG: sslproxy_version
# SSL version level to use when proxying https:// URLs
#
#Default:
# sslproxy_version 1
# TAG: sslproxy_options
# SSL engine options to use when proxying https:// URLs
#
#Default:
# none
# TAG: sslproxy_cipher
# SSL cipher list to use when proxying https:// URLs
#
#Default:
# none
# TAG: sslproxy_cafile
# file containing CA certificates to use when verifying server
# certificates while proxying https:// URLs
#
#Default:
# none
# TAG: sslproxy_capath
# directory containing CA certificates to use when verifying
# server certificates while proxying https:// URLs
#
#Default:
# none
# TAG: sslproxy_flags
# Various flags modifying the use of SSL while proxying https:// URLs:
# DONT_VERIFY_PEER Accept certificates even if they fail to
# verify.
# NO_DEFAULT_CA Don't use the default CA list built in
# to OpenSSL.
#
#Default:
# none
# TAG: sslpassword_program
# Specify a program used for entering SSL key passphrases
# when using encrypted SSL certificate keys. If not specified
# keys must either be unencrypted, or Squid started with the -N
# option to allow it to query interactively for the passphrase.
#
#Default:
# none
# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
# -----------------------------------------------------------------------------
# TAG: cache_peer
# To specify other caches in a hierarchy, use the format:
#
# cache_peer hostname type http-port icp-port [options]
#
# For example,
#
# # proxy icp
# # hostname type port port options
# # -------------------- -------- ----- ----- -----------
# cache_peer parent.foo.net parent 3128 3130 proxy-only default
# cache_peer sib1.foo.net sibling 3128 3130 proxy-only
# cache_peer sib2.foo.net sibling 3128 3130 proxy-only
#
# type: either 'parent', 'sibling', or 'multicast'.
#
# proxy-port: The port number where the cache listens for proxy
# requests.
#
# icp-port: Used for querying neighbor caches about
# objects. To have a non-ICP neighbor
# specify '7' for the ICP port and make sure the
# neighbor machine has the UDP echo port
# enabled in its /etc/inetd.conf file.
# NOTE: Also requires icp_port option enabled to send/receive
# requests via this method.
#
# options: proxy-only
# weight=n
# basetime=n
# ttl=n
# no-query
# background-ping
# default
# round-robin
# weighted-round-robin
# carp
# multicast-responder
# closest-only
# no-digest
# no-netdb-exchange
# no-delay
# login=user:password | PASS | *:password
# connect-timeout=nn
# digest-url=url
# allow-miss
# max-conn=n
# htcp
# htcp-oldsquid
# originserver
# name=xxx
# forceddomain=name
# ssl
# sslcert=/path/to/ssl/certificate
# sslkey=/path/to/ssl/key
# sslversion=1|2|3|4
# sslcipher=...
# ssloptions=...
# front-end-https[=on|auto]
#
# use 'proxy-only' to specify objects fetched
# from this cache should not be saved locally.
#
# use 'weight=n' to affect the selection of a peer
# during any weighted peer-selection mechanisms.
# The weight must be an integer; default is 1,
# larger weights are favored more.
# This option does not affect parent selection if a peering
# protocol is not in use.
#
# use 'basetime=n' to specify a base amount to
# be subtracted from round trip times of parents.
# It is subtracted before division by weight in calculating
# which parent to fectch from. If the rtt is less than the
# base time the rtt is set to a minimal value.
#
# use 'ttl=n' to specify a IP multicast TTL to use
# when sending an ICP queries to this address.
# Only useful when sending to a multicast group.
# Because we don't accept ICP replies from random
# hosts, you must configure other group members as
# peers with the 'multicast-responder' option below.
#
# use 'no-query' to NOT send ICP queries to this
# neighbor.
#
# use 'background-ping' to only send ICP queries to this
# neighbor infrequently. This is used to keep the neighbor
# round trip time updated and is usually used in
# conjunction with weighted-round-robin.
#
# use 'default' if this is a parent cache which can
# be used as a "last-resort" if a peer cannot be located
# by any of the peer-selection mechanisms.
# If specified more than once, only the first is used.
#
# use 'round-robin' to define a set of parents which
# should be used in a round-robin fashion in the
# absence of any ICP queries.
#
# use 'weighted-round-robin' to define a set of parents
# which should be used in a round-robin fashion with the
# frequency of each parent being based on the round trip
# time. Closer parents are used more often.
# Usually used for background-ping parents.
#
# use 'carp' to define a set of parents which should
# be used as a CARP array. The requests will be
# distributed among the parents based on the CARP load
# balancing hash function based on their weight.
#
# 'multicast-responder' indicates the named peer
# is a member of a multicast group. ICP queries will
# not be sent directly to the peer, but ICP replies
# will be accepted from it.
#
# 'closest-only' indicates that, for ICP_OP_MISS
# replies, we'll only forward CLOSEST_PARENT_MISSes
# and never FIRST_PARENT_MISSes.
#
# use 'no-digest' to NOT request cache digests from
# this neighbor.
#
# 'no-netdb-exchange' disables requesting ICMP
# RTT database (NetDB) from the neighbor.
#
# use 'no-delay' to prevent access to this neighbor
# from influencing the delay pools.
#
# use 'login=user:password' if this is a personal/workgroup
# proxy and your parent requires proxy authentication.
# Note: The string can include URL escapes (i.e. %20 for
# spaces). This also means % must be written as %%.
#
# use 'login=PASS' if users must authenticate against
# the upstream proxy or in the case of a reverse proxy
# configuration, the origin web server. This will pass
# the users credentials as they are to the peer.
# This only works for the Basic HTTP authentication scheme.
# Note: To combine this with proxy_auth both proxies must
# share the same user database as HTTP only allows for
# a single login (one for proxy, one for origin server).
# Also be warned this will expose your users proxy
# password to the peer. USE WITH CAUTION
#
# use 'login=*:password' to pass the username to the
# upstream cache, but with a fixed password. This is meant
# to be used when the peer is in another administrative
# domain, but it is still needed to identify each user.
# The star can optionally be followed by some extra
# information which is added to the username. This can
# be used to identify this proxy to the peer, similar to
# the login=username:password option above.
#
# use 'connect-timeout=nn' to specify a peer
# specific connect timeout (also see the
# peer_connect_timeout directive)
#
# use 'digest-url=url' to tell Squid to fetch the cache
# digest (if digests are enabled) for this host from
# the specified URL rather than the Squid default
# location.
#
# use 'allow-miss' to disable Squid's use of only-if-cached
# when forwarding requests to siblings. This is primarily
# useful when icp_hit_stale is used by the sibling. To
# extensive use of this option may result in forwarding
# loops, and you should avoid having two-way peerings
# with this option. (for example to deny peer usage on
# requests from peer by denying cache_peer_access if the
# source is a peer)
#
# use 'max-conn=n' to limit the amount of connections Squid
# may open to this peer.
#
# use 'htcp' to send HTCP, instead of ICP, queries
# to the neighbor. You probably also want to