Thread: My Squid does not work: Requested URL can't be retrieved
Hello, people! I have installed Squid on an Ubuntu server. My server is in a data center, and I want to access the server over OpenVPN so that I can use Squid on the server. But I got this problem, and I have tried using the "* allow" option to make it work, but it still does not work.
Please give me some help, thanks!
Error:
The requested URL could not be retrieved
Here is the configuration file:
# WELCOME TO SQUID 2.7.STABLE7
# ----------------------------
#
# This is the default Squid configuration file. You may wish
# to look at the Squid home page (http://www.squid-cache.org/)
# for the FAQ and other documentation.
#
# The default Squid config file shows what the defaults for
# various options happen to be. If you don't need to change the
# default, you shouldn't uncomment the line. Doing so may cause
# run-time problems. In some cases "none" refers to no default
# setting at all, while in other cases it refers to a valid
# option - the comments for that keyword indicate if this is the
# case.
#
# Configuration options can be included using the "include" directive.
# Include takes a list of files to include. Quoting and wildcards are
# supported.
#
# For example,
#
# include /path/to/included/file/squid.acl.config
#
# Includes can be nested to a hard-coded depth of 16 levels.
# This arbitrary restriction is to prevent recursive include references
# from causing Squid to enter an infinite loop whilst trying to load
# configuration files.
# OPTIONS FOR AUTHENTICATION
# -----------------------------------------------------------------------------
# TAG: auth_param
# This is used to define parameters for the various authentication
# schemes supported by Squid.
#
# format: auth_param scheme parameter [setting]
#
# The order in which authentication schemes are presented to the client is
# dependent on the order the scheme first appears in the config file. IE
# has a bug (it's not RFC 2617 compliant) in that it will use the basic
# scheme if basic is the first entry presented, even if more secure
# schemes are presented. For now use the order in the recommended
# settings section below. If other browsers have difficulties (don't
# recognize the schemes offered even if you are using basic) either
# put basic first, or disable the other schemes (by commenting out their
# program entry).
#
# Once an authentication scheme is fully configured, it can only be
# shut down by shutting Squid down and restarting. Changes can be made on
# the fly and activated with a reconfigure. I.e. you can change to a
# different helper, but not unconfigure the helper completely.
#
# Please note that while this directive defines how Squid processes
# authentication it does not automatically activate authentication.
# To use authentication you must in addition make use of ACLs based
# on login name in http_access (proxy_auth, proxy_auth_regex or
# external with %LOGIN used in the format tag). The browser will be
# challenged for authentication on the first such acl encountered
# in http_access processing and will also be re-challenged for new
# login credentials if the request is being denied by a proxy_auth
# type acl.
#
# WARNING: authentication can't be used in a transparently intercepting
# proxy as the client then thinks it is talking to an origin server and
# not the proxy. This is a limitation of bending the TCP/IP protocol to
# transparently intercepting port 80, not a limitation in Squid.
# === Parameters for the basic scheme follow. ===
#
# "program" cmdline
# Specify the command for the external authenticator. Such a program
# reads a line containing "username password" and replies "OK" or
# "ERR" in an endless loop. "ERR" responses may optionally be followed
# by an error description available as %m in the returned error page.
#
# By default, the basic authentication scheme is not used unless a
# program is specified.
#
# If you want to use the traditional proxy authentication, jump over to
# the helpers/basic_auth/NCSA directory and type:
# % make
# % make install
#
# Then, set this line to something like
#
# auth_param basic program /usr/lib/squid/ncsa_auth /usr/etc/passwd
#
# "children" numberofchildren
# The number of authenticator processes to spawn. If you start too few
# Squid will have to wait for them to process a backlog of credential
# verifications, slowing it down. When credential verifications are
# done via a (slow) network you are likely to need lots of
# authenticator processes.
# auth_param basic children 5
#
# "concurrency" numberofconcurrentrequests
# The number of concurrent requests/channels the helper supports.
# Changes the protocol used to include a channel number first on
# the request/response line, allowing multiple requests to be sent
# to the same helper in parallel without waiting for the response.
# Must not be set unless it's known the helper supports this.
#
# "realm" realmstring
# Specifies the realm name which is to be reported to the client for
# the basic proxy authentication scheme (part of the text the user
# will see when prompted for a username and password).
# auth_param basic realm Squid proxy-caching web server
#
# "credentialsttl" timetolive
# Specifies how long Squid assumes an externally validated
# username:password pair is valid for - in other words how often the
# helper program is called for that user. Set this low to force
# revalidation with short lived passwords. Note that setting this high
# does not impact your susceptibility to replay attacks unless you are
# using a one-time password system (such as SecureID). If you are using
# such a system, you will be vulnerable to replay attacks unless you
# also use the max_user_ip ACL in an http_access rule.
# auth_param basic credentialsttl 2 hours
#
# "casesensitive" on|off
# Specifies if usernames are case sensitive. Most user databases are
# case insensitive allowing the same username to be spelled using both
# lower and upper case letters, but some are case sensitive. This
# makes a big difference for max_user_ip ACL processing and similar.
# auth_param basic casesensitive off
#
# "blankpassword" on|off
# Specifies if blank passwords should be supported. Defaults to off
# as there are multiple authentication backends which handle blank
# passwords as "guest" access.
# === Parameters for the digest scheme follow ===
#
# "program" cmdline
# Specify the command for the external authenticator. Such a program
# reads a line containing "username":"realm" and replies with the
# appropriate H(A1) value hex encoded or ERR if the user (or his H(A1)
# hash) does not exist. See RFC 2617 for the definition of H(A1).
# "ERR" responses may optionally be followed by an error description
# available as %m in the returned error page.
#
# By default, the digest authentication scheme is not used unless a
# program is specified.
#
# If you want to use a digest authenticator, jump over to the
# helpers/digest_auth/ directory and choose the authenticator to use.
# In its directory type
# % make
# % make install
#
# Then, set this line to something like
#
# auth_param digest program /usr/lib/squid/digest_auth_pw /usr/etc/digpass
#
# "children" numberofchildren
# The number of authenticator processes to spawn. If you start too few
# Squid will have to wait for them to process a backlog of credential
# verifications, slowing it down. When credential verifications are
# done via a (slow) network you are likely to need lots of
# authenticator processes.
# auth_param digest children 5
#
# "concurrency" numberofconcurrentrequests
# The number of concurrent requests/channels the helper supports.
# Changes the protocol used to include a channel number first on
# the request/response line, allowing multiple requests to be sent
# to the same helper in parallel without waiting for the response.
# Must not be set unless it's known the helper supports this.
#
# "realm" realmstring
# Specifies the realm name which is to be reported to the client for the
# digest proxy authentication scheme (part of the text the user will see
# when prompted for their username and password).
# auth_param digest realm Squid proxy-caching web server
#
# "nonce_garbage_interval" timeinterval
# Specifies the interval at which nonces that have been issued to clients are
# checked for validity.
# auth_param digest nonce_garbage_interval 5 minutes
#
# "nonce_max_duration" timeinterval
# Specifies the maximum length of time a given nonce will be valid for.
# auth_param digest nonce_max_duration 30 minutes
#
# "nonce_max_count" number
# Specifies the maximum number of times a given nonce can be used.
# auth_param digest nonce_max_count 50
#
# "nonce_strictness" on|off
# Determines if Squid requires strict increment-by-1 behavior for nonce
# counts, or just incrementing (off - for use when user agents generate
# nonce counts that occasionally miss 1 (ie, 1,2,4,6)).
# auth_param digest nonce_strictness off
#
# "check_nonce_count" on|off
# This directive if set to off can disable the nonce count check
# completely to work around buggy digest qop implementations in certain
# mainstream browser versions. Default on to check the nonce count to
# protect from authentication replay attacks.
# auth_param digest check_nonce_count on
#
# "post_workaround" on|off
# This is a workaround for certain buggy browsers which send an incorrect
# request digest in POST requests when reusing the same nonce as acquired
# earlier in response to a GET request.
# auth_param digest post_workaround off
# === NTLM scheme options follow ===
#
# "program" cmdline
# Specify the command for the external NTLM authenticator. Such a
# program participates in the NTLMSSP exchanges between Squid and the
# client and reads commands according to the Squid NTLMSSP helper
# protocol. See helpers/ntlm_auth/ for details. The recommended NTLM
# authenticator is ntlm_auth from Samba-3.X, but a number of other
# NTLM authenticators are available.
#
# By default, the NTLM authentication scheme is not used unless a
# program is specified.
#
# auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
#
# "children" numberofchildren
# The number of authenticator processes to spawn. If you start too few
# Squid will have to wait for them to process a backlog of credential
# verifications, slowing it down. When credential verifications are
# done via a (slow) network you are likely to need lots of
# authenticator processes.
# auth_param ntlm children 5
#
# "keep_alive" on|off
# This option enables the use of keep-alive on the initial
# authentication request. It has been reported that some versions of MSIE
# have problems if this is enabled, but performance will be increased
# if enabled.
#
# auth_param ntlm keep_alive on
# === Negotiate scheme options follow ===
#
# "program" cmdline
# Specify the command for the external Negotiate authenticator. Such a
# program participates in the SPNEGO exchanges between Squid and the
# client and reads commands according to the Squid NTLMSSP helper
# protocol. See helpers/ntlm_auth/ for details. The recommended SPNEGO
# authenticator is ntlm_auth from Samba-4.X.
#
# By default, the Negotiate authentication scheme is not used unless a
# program is specified.
#
# auth_param negotiate program /path/to/samba/bin/ntlm_auth --helper-protocol=gss-spnego
#
# "children" numberofchildren
# The number of authenticator processes to spawn. If you start too few
# Squid will have to wait for them to process a backlog of credential
# verifications, slowing it down. When credential verifications are
# done via a (slow) network you are likely to need lots of
# authenticator processes.
# auth_param negotiate children 5
#
# "keep_alive" on|off
# If you experience problems with PUT/POST requests when using the
# Negotiate authentication scheme then you can try setting this to
# off. This will cause Squid to forcibly close the connection on
# the initial requests where the browser asks which schemes are
# supported by the proxy.
#
# auth_param negotiate keep_alive on
#Recommended minimum configuration per scheme:
#auth_param negotiate program <uncomment and complete this line to activate>
#auth_param negotiate children 5
#auth_param negotiate keep_alive on
#auth_param ntlm program <uncomment and complete this line to activate>
#auth_param ntlm children 5
#auth_param ntlm keep_alive on
#auth_param digest program <uncomment and complete this line>
#auth_param digest children 5
#auth_param digest realm Squid proxy-caching web server
#auth_param digest nonce_garbage_interval 5 minutes
#auth_param digest nonce_max_duration 30 minutes
#auth_param digest nonce_max_count 50
#auth_param basic program <uncomment and complete this line>
#auth_param basic children 5
#auth_param basic realm Squid proxy-caching web server
#auth_param basic credentialsttl 2 hours
#auth_param basic casesensitive off
# TAG: authenticate_cache_garbage_interval
# The time period between garbage collection across the username cache.
# This is a tradeoff between memory utilization (long intervals - say
# 2 days) and CPU (short intervals - say 1 minute). Only change if you
# have good reason to.
#
#Default:
# authenticate_cache_garbage_interval 1 hour
# TAG: authenticate_ttl
# The time a user & their credentials stay in the logged in user cache
# since their last request. When the garbage interval passes, all user
# credentials that have passed their TTL are removed from memory.
#
#Default:
# authenticate_ttl 1 hour
# TAG: authenticate_ip_ttl
# If you use proxy authentication and the 'max_user_ip' ACL, this
# directive controls how long Squid remembers the IP addresses
# associated with each user. Use a small value (e.g., 60 seconds) if
# your users might change addresses quickly, as is the case with
# dialups. You might be safe using a larger value (e.g., 2 hours) in a
# corporate LAN environment with relatively static address assignments.
#
#Default:
# authenticate_ip_ttl 0 seconds
# TAG: authenticate_ip_shortcircuit_ttl
# Cache authentication credentials per client IP address for this
# long. Default is 0 seconds (disabled).
#
# See also the authenticate_ip_shortcircuit_access directive.
#
#Default:
# authenticate_ip_shortcircuit_ttl 0 seconds
# ACCESS CONTROLS
# -----------------------------------------------------------------------------
# TAG: external_acl_type
# This option defines external acl classes using a helper program to
# look up the status
#
# external_acl_type name [options] FORMAT.. /path/to/helper [helper arguments..]
#
# Options:
#
# ttl=n TTL in seconds for cached results (defaults to 3600
# for 1 hour)
# negative_ttl=n
# TTL for cached negative lookups (default same
# as ttl)
# children=n Number of processes to spawn to service external acl
# lookups of this type. (default 5).
# concurrency=n concurrency level per process. Only used with helpers
# capable of processing more than one query at a time.
# Note: see compatibility note below
# cache=n result cache size, 0 is unbounded (default)
# grace= Percentage remaining of TTL where a refresh of a
# cached entry should be initiated without needing to
# wait for a new reply. (default 0 for no grace period)
# protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers
#
# FORMAT specifications
#
# %LOGIN Authenticated user login name
# %EXT_USER Username from external acl
# %IDENT Ident user name
# %SRC Client IP
# %SRCPORT Client source port
# %URI Requested URI
# %DST Requested host
# %PROTO Requested protocol
# %PORT Requested port
# %METHOD Request method
# %MYADDR Squid interface address
# %MYPORT Squid http_port number
# %PATH Requested URL-path (including query-string if any)
# %USER_CERT SSL User certificate in PEM format
# %USER_CERTCHAIN SSL User certificate chain in PEM format
# %USER_CERT_xx SSL User certificate subject attribute xx
# %USER_CA_xx SSL User certificate issuer attribute xx
# %{Header} HTTP request header "Header"
# %{Hdr:member} HTTP request header "Hdr" list member "member"
# %{Hdr:;member}
# HTTP request header list member using ; as
# list separator. ; can be any non-alphanumeric
# character.
# %ACL The ACL name
# %DATA The ACL arguments. If not used then any arguments
# are automatically added at the end
#
# In addition to the above, any string specified in the referencing
# acl will also be included in the helper request line, after the
# specified formats (see the "acl external" directive)
#
# The helper receives lines per the above format specification,
# and returns lines starting with OK or ERR indicating the validity
# of the request and optionally followed by additional keywords with
# more details.
#
# General result syntax:
#
# OK/ERR keyword=value ...
#
# Defined keywords:
#
# user= The user's name (login also understood)
# password= The user's password (for proxypass login= cache_peer)
# message= Error message or similar used as %o in error messages
# (error also understood)
# log= String to be logged in access.log. Available as
# %ea in logformat specifications
#
# If protocol=3.0 (the default) then URL escaping is used to protect
# each value in both requests and responses.
#
# If using protocol=2.5 then all values need to be enclosed in quotes
# if they may contain whitespace, or the whitespace escaped using \.
# And quotes or \ characters within the keyword value must be \ escaped.
#
# When using the concurrency= option the protocol is changed by
# introducing a query channel tag in front of the request/response.
# The query channel tag is a number between 0 and concurrency-1.
#
# Compatibility note: The children= option was named concurrency= in
# Squid-2.5.STABLE3 and earlier, and was accepted as an alias for the
# duration of the Squid-2.5 releases to keep compatibility. However,
# the meaning of the concurrency= option has changed in Squid-2.6 to match
# that of Squid-3 and the old syntax no longer works.
#
#Default:
# none
# TAG: acl
# Defining an Access List
#
# Every access list definition must begin with an aclname and acltype,
# followed by either type-specific arguments or a quoted filename that
# they are read from.
#
# acl aclname acltype argument ...
# acl aclname acltype "file" ...
#
# When using "file", the file should contain one item per line.
#
# By default, regular expressions are CASE-SENSITIVE. To make
# them case-insensitive, use the -i option.
#
# acl aclname src ip-address/netmask ... (clients IP address)
# acl aclname src addr1-addr2/netmask ... (range of addresses)
# acl aclname dst ip-address/netmask ... (URL host's IP address)
# acl aclname myip ip-address/netmask ... (local socket IP address)
#
# acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation)
# # The arp ACL requires the special configure option --enable-arp-acl.
# # Furthermore, the ARP ACL code is not portable to all operating systems.
# # It works on Linux, Solaris, FreeBSD and some other *BSD variants.
# #
# # NOTE: Squid can only determine the MAC address for clients that are on
# # the same subnet. If the client is on a different subnet, then Squid cannot
# # find out its MAC address.
#
# acl aclname srcdomain .foo.com ... # reverse lookup, client IP
# acl aclname dstdomain .foo.com ... # Destination server from URL
# acl aclname srcdom_regex [-i] xxx ... # regex matching client name
# acl aclname dstdom_regex [-i] xxx ... # regex matching server
# # For dstdomain and dstdom_regex a reverse lookup is tried if an IP
# # based URL is used and no match is found. The name "none" is used
# # if the reverse lookup fails.
#
# acl aclname time [day-abbrevs] [h1:m1-h2:m2]
# # day-abbrevs:
# # S - Sunday
# # M - Monday
# # T - Tuesday
# # W - Wednesday
# # H - Thursday
# # F - Friday
# # A - Saturday
# # h1:m1 must be less than h2:m2
# acl aclname url_regex [-i] ^http:// ... # regex matching on whole URL
# acl aclname urlpath_regex [-i] \.gif$ ... # regex matching on URL path
# acl aclname urllogin [-i] [^a-zA-Z0-9] ... # regex matching on URL login field
# acl aclname port 80 70 21 ...
# acl aclname port 0-1024 ... # ranges allowed
# acl aclname myport 3128 ... # (local socket TCP port)
# acl aclname myportname 3128 ... # http(s)_port name
# acl aclname proto HTTP FTP ...
# acl aclname method GET POST ...
# acl aclname browser [-i] regexp ...
# # pattern match on User-Agent header (see also req_header below)
# acl aclname referer_regex [-i] regexp ...
# # pattern match on Referer header
# # Referer is highly unreliable, so use with care
# acl aclname ident username ...
# acl aclname ident_regex [-i] pattern ...
# # string match on ident output.
# # use REQUIRED to accept any non-null ident.
# acl aclname src_as number ...
# acl aclname dst_as number ...
# # Except for access control, AS numbers can be used for
# # routing of requests to specific caches. Here's an
# # example for routing all requests for AS#1241 and only
# # those to mycache.mydomain.net:
# # acl asexample dst_as 1241
# # cache_peer_access mycache.mydomain.net allow asexample
# # cache_peer_access mycache_mydomain.net deny all
#
# acl aclname proxy_auth [-i] username ...
# acl aclname proxy_auth_regex [-i] pattern ...
# # list of valid usernames
# # use REQUIRED to accept any valid username.
# #
# # NOTE: when a Proxy-Authentication header is sent but it is not
# # needed during ACL checking the username is NOT logged
# # in access.log.
# #
# # NOTE: proxy_auth requires an EXTERNAL authentication program
# # to check username/password combinations (see the
# # auth_param directive).
# #
# # NOTE: proxy_auth can't be used in a transparent proxy as
# # the browser needs to be configured for using a proxy in order
# # to respond to proxy authentication.
#
# acl aclname snmp_community string ...
# # A community string to limit access to your SNMP Agent
# # Example:
# #
# # acl snmppublic snmp_community public
#
# acl aclname maxconn number
# # This will be matched when the client's IP address has
# # more than <number> HTTP connections established.
#
# acl aclname max_user_ip [-s] number
# # This will be matched when the user attempts to log in from more
# # than <number> different ip addresses. The authenticate_ip_ttl
# # parameter controls the timeout on the ip entries.
# # If -s is specified the limit is strict, denying browsing
# # from any further IP addresses until the ttl has expired. Without
# # -s Squid will just annoy the user by "randomly" denying requests.
# # (the counter is reset each time the limit is reached and a
# # request is denied)
# # NOTE: in acceleration mode or where there is a mesh of child proxies,
# # clients may appear to come from multiple addresses if they are
# # going through proxy farms, so a limit of 1 may cause user problems.
#
# acl aclname req_mime_type mime-type ...
# # regex match against the mime type of the request generated
# # by the client. Can be used to detect file upload or some
# # types of HTTP tunneling requests.
# # NOTE: This does NOT match the reply. You cannot use this
# # to match the returned file type.
#
# acl aclname req_header header-name [-i] any\.regex\.here
# # regex match against any of the known request headers. May be
# # thought of as a superset of the "browser", "referer" and "mime-type"
# # ACLs.
#
# acl aclname rep_mime_type mime-type ...
# # regex match against the mime type of the reply received by
# # Squid. Can be used to detect file download or some
# # types of HTTP tunneling requests.
# # NOTE: This has no effect in http_access rules. It only has
# # effect in rules that affect the reply data stream such as
# # http_reply_access.
#
# acl aclname rep_header header-name [-i] any\.regex\.here
# # regex match against any of the known reply headers. May be
# # thought of as a superset of the "browser", "referer" and "mime-type"
# # ACLs.
# #
# # Example:
# #
# # acl many_spaces rep_header Content-Disposition -i [[:space:]]{3,}
#
# acl aclname external class_name [arguments...]
# # external ACL lookup via a helper class defined by the
# # external_acl_type directive.
#
# acl aclname urlgroup group1 ...
# # match against the urlgroup as indicated by redirectors
#
# acl aclname user_cert attribute values...
# # match against attributes in a user SSL certificate
# # attribute is one of DN/C/O/CN/L/ST
#
# acl aclname ca_cert attribute values...
# # match against attributes of a user's issuing CA SSL certificate
# # attribute is one of DN/C/O/CN/L/ST
#
# acl aclname ext_user username ...
# acl aclname ext_user_regex [-i] pattern ...
# # string match on username returned by external acl helper
# # use REQUIRED to accept any non-null user name.
#
#Examples:
#acl macaddress arp 09:00:2b:23:45:67
#acl myexample dst_as 1241
#acl password proxy_auth REQUIRED
#acl fileupload req_mime_type -i ^multipart/form-data$
#acl javascript rep_mime_type -i ^application/x-javascript$
#
#Recommended minimum configuration:
acl all src all # posted as "acl src all"; the acl needs the name "all", which "http_access deny all" below refers to
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
#
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.8.0.0/24 # RFC1918 possible internal network (10.8.0.0/24 is OpenVPN's default client subnet)
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
#
acl ssl_ports port 443 # https
acl ssl_ports port 563 # snews
acl ssl_ports port 873 # rsync
acl safe_ports port 80 # http
acl safe_ports port 21 # ftp
acl safe_ports port 443 # https
acl safe_ports port 70 # gopher
acl safe_ports port 210 # wais
acl safe_ports port 1025-65535 # unregistered ports
acl safe_ports port 280 # http-mgmt
acl safe_ports port 488 # gss-http
acl safe_ports port 591 # filemaker
acl safe_ports port 777 # multiling http
acl safe_ports port 631 # cups
acl safe_ports port 873 # rsync
acl safe_ports port 901 # swat
acl purge method purge
acl connect method connect
# TAG: http_access
# Allowing or Denying access based on defined access lists
#
# Access to the HTTP port:
# http_access allow|deny [!]aclname ...
#
# NOTE on default values:
#
# If there are no "access" lines present, the default is to deny
# the request.
#
# If none of the "access" lines cause a match, the default is the
# opposite of the last line in the list. If the last line was
# deny, the default is allow. Conversely, if the last line
# is allow, the default will be deny. For these reasons, it is a
# good idea to have a "deny all" or "allow all" entry at the end
# of your access lists to avoid potential confusion.
#
#Default:
# http_access deny all
#
#Recommended minimum configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Only allow purge requests from localhost
http_access allow purge localhost
http_access deny purge
# Deny requests to unknown ports
http_access deny !safe_ports
# Deny CONNECT to other than SSL ports
http_access deny connect !ssl_ports
#
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
#http_access allow localnet
http_access allow localnet
# And finally deny all other access to this proxy
http_access deny all
# TAG: http_access2
# Allowing or Denying access based on defined access lists
#
# Identical to http_access, but runs after redirectors. If not set
# then only http_access is used.
#
#Default:
# none
# TAG: http_reply_access
# Allow replies to client requests. This is complementary to http_access.
#
# http_reply_access allow|deny [!] aclname ...
#
# NOTE: if there are no access lines present, the default is to allow
# all replies
#
# If none of the access lines cause a match the opposite of the
# last line will apply. Thus it is good practice to end the rules
# with an "allow all" or "deny all" entry.
#
#Default:
# http_reply_access allow all
# TAG: icp_access
# Allowing or Denying access to the ICP port based on defined
# access lists
#
# icp_access allow|deny [!]aclname ...
#
# See http_access for details
#
#Default:
# icp_access deny all
#
#Allow ICP queries from local networks only
icp_access allow localnet
icp_access deny all
# TAG: htcp_access
# Allowing or Denying access to the HTCP port based on defined
# access lists
#
# htcp_access allow|deny [!]aclname ...
#
# See http_access for details
#
# NOTE: The default if no htcp_access lines are present is to
# deny all traffic. This default may cause problems with peers
# using the htcp or htcp-oldsquid options.
#
#Default:
# htcp_access deny all
#
#Allow HTCP queries from local networks only
# htcp_access allow localnet
# htcp_access deny all
# TAG: htcp_clr_access
# Allowing or Denying access to purge content using HTCP based
# on defined access lists
#
# htcp_clr_access allow|deny [!]aclname ...
#
# See http_access for details
#
##Allow HTCP CLR requests from trusted peers
#acl htcp_clr_peer src 172.16.1.2
#htcp_clr_access allow htcp_clr_peer
#
#Default:
# htcp_clr_access deny all
# TAG: miss_access
# Use to force your neighbors to use you as a sibling instead of
# a parent. For example:
#
# acl localclients src 172.16.0.0/16
# miss_access allow localclients
# miss_access deny !localclients
#
# This means only your local clients are allowed to fetch
# MISSES and all other clients can only fetch HITS.
#
# By default, allow all clients who passed the http_access rules
# to fetch MISSES from us.
#
#Default setting:
# miss_access allow all
# TAG: ident_lookup_access
# A list of ACL elements which, if matched, cause an ident
# (RFC 931) lookup to be performed for this request. For
# example, you might choose to always perform ident lookups
# for your main multi-user Unix boxes, but not for your Macs
# and PCs. By default, ident lookups are not performed for
# any requests.
#
# To enable ident lookups for specific client addresses, you
# can follow this example:
#
# acl ident_aware_hosts src 198.168.1.0/255.255.255.0
# ident_lookup_access allow ident_aware_hosts
# ident_lookup_access deny all
#
# Only src type ACL checks are fully supported. A src_domain
# ACL might work at times, but it will not always provide
# the correct result.
#
#Default:
# ident_lookup_access deny all
# TAG: reply_body_max_size bytes allow|deny acl acl...
# This option specifies the maximum size of a reply body in bytes.
# It can be used to prevent users from downloading very large files,
# such as MP3's and movies. When the reply headers are received,
# the reply_body_max_size lines are processed, and the first line with
# a result of "allow" is used as the maximum body size for this reply.
# This size is checked twice. First when we get the reply headers,
# we check the content-length value. If the content length value exists
# and is larger than the allowed size, the request is denied and the
# user receives an error message that says "the request or reply
# is too large." If there is no content-length, and the reply
# size exceeds this limit, the client's connection is just closed
# and they will receive a partial reply.
#
# WARNING: downstream caches probably can not detect a partial reply
# if there is no content-length header, so they will cache
# partial responses and give them out as hits. You should NOT
# use this option if you have downstream caches.
#
# If you set this parameter to zero (the default), there will be
# no limit imposed.
#
#Default:
# reply_body_max_size 0 allow all
# TAG: authenticate_ip_shortcircuit_access
# Access list determining when shortcircuiting the authentication process
# based on source IP cached credentials is acceptable. Use this to deny
# using the IP auth cache on requests from child proxies or other source
# IP's having multiple users.
#
# See also the authenticate_ip_shortcircuit_ttl directive
#
#Default:
# none
# OPTIONS FOR X-Forwarded-For
# -----------------------------------------------------------------------------
# TAG: follow_x_forwarded_for
# Allowing or Denying the X-Forwarded-For header to be followed to
# find the original source of a request.
#
# Requests may pass through a chain of several other proxies
# before reaching us. The X-Forwarded-For header will contain a
# comma-separated list of the IP addresses in the chain, with the
# rightmost address being the most recent.
#
# If a request reaches us from a source that is allowed by this
# configuration item, then we consult the X-Forwarded-For header
# to see where that host received the request from. If the
# X-Forwarded-For header contains multiple addresses, and if
# acl_uses_indirect_client is on, then we continue backtracking
# until we reach an address for which we are not allowed to
# follow the X-Forwarded-For header, or until we reach the first
# address in the list. (If acl_uses_indirect_client is off, then
# it's impossible to backtrack through more than one level of
# X-Forwarded-For addresses.)
#
# The end result of this process is an IP address that we will
# refer to as the indirect client address. This address may
# be treated as the client address for access control, delay
# pools and logging, depending on the acl_uses_indirect_client,
# delay_pool_uses_indirect_client and log_uses_indirect_client
# options.
#
# SECURITY CONSIDERATIONS:
#
# Any host for which we follow the X-Forwarded-For header
# can place incorrect information in the header, and Squid
# will use the incorrect information as if it were the
# source address of the request. This may enable remote
# hosts to bypass any access control restrictions that are
# based on the client's source addresses.
#
# For example:
#
# acl localhost src 127.0.0.1
# acl my_other_proxy srcdomain .proxy.example.com
# follow_x_forwarded_for allow localhost
# follow_x_forwarded_for allow my_other_proxy
#
#Default:
# follow_x_forwarded_for deny all
# TAG: acl_uses_indirect_client on|off
# Controls whether the indirect client address
# (see follow_x_forwarded_for) is used instead of the
# direct client address in acl matching.
#
#Default:
# acl_uses_indirect_client on
# TAG: delay_pool_uses_indirect_client on|off
# Controls whether the indirect client address
# (see follow_x_forwarded_for) is used instead of the
# direct client address in delay pools.
#
#Default:
# delay_pool_uses_indirect_client on
# TAG: log_uses_indirect_client on|off
# Controls whether the indirect client address
# (see follow_x_forwarded_for) is used instead of the
# direct client address in the access log.
#
#Default:
# log_uses_indirect_client on
# SSL OPTIONS
# -----------------------------------------------------------------------------
# TAG: ssl_unclean_shutdown
# Note: This option is only available if Squid is rebuilt with the
# --enable-ssl option
#
# Some browsers (especially MSIE) bug out on SSL shutdown
# messages.
#
#Default:
# ssl_unclean_shutdown off
# TAG: ssl_engine
# Note: This option is only available if Squid is rebuilt with the
# --enable-ssl option
#
# The OpenSSL engine to use. You will need to set this if you
# would like to use hardware SSL acceleration for example.
#
#Default:
# none
# TAG: sslproxy_client_certificate
# Note: This option is only available if Squid is rebuilt with the
# --enable-ssl option
#
# Client SSL certificate to use when proxying https:// URLs
#
#Default:
# none
# TAG: sslproxy_client_key
# Note: This option is only available if Squid is rebuilt with the
# --enable-ssl option
#
# Client SSL key to use when proxying https:// URLs
#
#Default:
# none
# TAG: sslproxy_version
# Note: This option is only available if Squid is rebuilt with the
# --enable-ssl option
#
# SSL version level to use when proxying https:// URLs
#
#Default:
# sslproxy_version 1
# TAG: sslproxy_options
# Note: This option is only available if Squid is rebuilt with the
# --enable-ssl option
#
# SSL engine options to use when proxying https:// URLs
#
#Default:
# none
# TAG: sslproxy_cipher
# Note: This option is only available if Squid is rebuilt with the
# --enable-ssl option
#
# SSL cipher list to use when proxying https:// URLs
#
#Default:
# none
# TAG: sslproxy_cafile
# Note: This option is only available if Squid is rebuilt with the
# --enable-ssl option
#
# File containing CA certificates to use when verifying server
# certificates while proxying https:// URLs
#
#Default:
# none
# TAG: sslproxy_capath
# Note: This option is only available if Squid is rebuilt with the
# --enable-ssl option
#
# Directory containing CA certificates to use when verifying
# server certificates while proxying https:// URLs
#
#Default:
# none
# TAG: sslproxy_flags
# Note: This option is only available if Squid is rebuilt with the
# --enable-ssl option
#
# Various flags modifying the use of SSL while proxying https:// URLs:
# DONT_VERIFY_PEER Accept certificates even if they fail to
# verify. (This disables server certificate validation,
# so the proxied HTTPS connection can be intercepted
# by anyone on the path; do not use it outside testing.)
# NO_DEFAULT_CA Don't use the default CA list built in
# to OpenSSL.
#
#Default:
# none
# TAG: sslpassword_program
# Note: This option is only available if Squid is rebuilt with the
# --enable-ssl option
#
# Specify a program used for entering SSL key passphrases
# when using encrypted SSL certificate keys. If not specified
# keys must either be unencrypted, or Squid started with the -N
# option to allow it to query interactively for the passphrase.
#
#Default:
# none
# NETWORK OPTIONS
# -----------------------------------------------------------------------------

#  TAG: http_port
#	Usage:	port [options]
#		hostname:port [options]
#		1.2.3.4:port [options]
#
#	The socket addresses where Squid will listen for HTTP client
#	requests.  You may specify multiple socket addresses.
#	There are three forms: port alone, hostname with port, and
#	IP address with port.  If you specify a hostname or IP
#	address, Squid binds the socket to that specific
#	address.  This replaces the old 'tcp_incoming_address'
#	option.  Most likely, you do not need to bind to a specific
#	address, so you can use the port number alone.
#
#	If you are running Squid in accelerator mode, you
#	probably want to listen on port 80 also, or instead.
#
#	The -a command line option will override the *first* port
#	specified here.
#
#	You may specify multiple socket addresses on multiple lines.
#
#	Options:
#
#	   transparent	Support for transparent interception of
#			outgoing requests without browser settings.
#
#	   tproxy	Support Linux TPROXY for spoofing outgoing
#			connections using the client IP address.
#
#	   accel	Accelerator mode. See also the related vhost,
#			vport and defaultsite directives.
#
#	   defaultsite=domainname
#			What to use for the Host: header if it is not present
#			in a request. Determines what site (not origin server)
#			accelerators should consider the default.
#			Defaults to visible_hostname:port if not set.
#			May be combined with vport=NN to override the port number.
#			Implies accel.
#
#	   vhost	Accelerator mode using Host header for virtual
#			domain support. Implies accel.
#
#	   vport	Accelerator with IP based virtual host support.
#			Implies accel.
#
#	   vport=NN	As above, but uses the specified port number rather
#			than the http_port number. Implies accel.
#
#	   allow-direct	Allow direct forwarding in accelerator mode. Normally
#			accelerated requests are denied direct forwarding as if
#			never_direct was used.
#
#	   urlgroup=	Default urlgroup to mark requests with (see
#			also acl urlgroup and url_rewrite_program)
#
#	   protocol=	Protocol to reconstruct accelerated requests with.
#			Defaults to http.
#
#	   no-connection-auth
#			Prevent forwarding of Microsoft connection oriented
#			authentication (NTLM, Negotiate and Kerberos)
#
#	   act-as-origin
#			Act as if this Squid is the origin server.
#			This currently means generate own Date: and
#			Expires: headers. Implies accel.
#
#	   http11	Enables HTTP/1.1 support to clients. The HTTP/1.1
#			support is still incomplete with an internal HTTP/1.0
#			hop, but should work with most clients. The main
#			HTTP/1.1 features missing due to this are forwarding
#			of requests using chunked transfer encoding (results
#			in 411) and forwarding of 1xx responses (silently
#			dropped)
#
#	   name=	Specifies an internal name for the port. Defaults to
#			the port specification (port or addr:port)
#
#	   tcpkeepalive[=idle,interval,timeout]
#			Enable TCP keepalive probes of idle connections.
#			idle is the initial time before TCP starts probing
#			the connection, interval how often to probe, and
#			timeout the time before giving up.
#
#	If you run Squid on a dual-homed machine with an internal
#	and an external interface we recommend you to specify the
#	internal address:port in http_port. This way Squid will only be
#	visible on the internal address.
#
# Squid normally listens to port 3128
http_port 10.8.0.1:3128
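Binding http_port to the tunnel address 10.8.0.1, as the posted line does, is the right first step on a data-center host: the public interface never gets a listening socket. With a "Requested URL could not be retrieved" page the next thing to check is the http_access rule set, because those rules decide who may use that listener, and the tempting quick fix, `http_access allow all`, turns the machine into an open proxy for anything that can reach the socket. The fragment below is an added example, not the posted configuration and not Squid's shipped defaults; it assumes the OpenVPN tunnel subnet is 10.8.0.0/24, which is only inferred from the 10.8.0.1 address in the posted line, and the acl/http_access directives it uses belong to a part of squid.conf that is not shown above.

```conf
# Added example, not the posted squid.conf. Assumption: VPN clients get
# addresses from 10.8.0.0/24 (OpenVPN's usual "server 10.8.0.0 255.255.255.0").

# Listen on the tunnel address only; the public interface never gets a socket.
http_port 10.8.0.1:3128

# Who may use it: the tunnel subnet, nothing else.
acl vpn_net    src 10.8.0.0/24
acl SSL_ports  port 443
acl Safe_ports port 80 443 1025-65535   # deliberately shorter than Squid's stock list
acl CONNECT    method CONNECT

# Refuse odd destination ports and CONNECT to anything but TLS ports before
# any allow rule, so the proxy cannot be used as a generic TCP relay even by
# VPN users.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Rules are evaluated top to bottom; the first match decides.
http_access allow vpn_net
http_access deny all

# Do not "fix" a denied request with this on a data-center host: every client
# that can reach the listening socket would then be allowed through.
# http_access allow all
```

Run `squid -k parse` against the edited file before `squid -k reconfigure`. Then, from a VPN client, `curl -x http://10.8.0.1:3128 http://www.squid-cache.org/` should succeed, and the same command from a host outside the tunnel should fail to connect at all (nothing is listening on the public address). If VPN clients still get the error page after this, the detail line printed under its heading (for example "Access Denied" versus "Connection Failed" or a DNS failure) tells you whether the rules above or the server's own outbound connectivity is the problem; this fragment only addresses the former.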
#  TAG: https_port
#	Note: This option is only available if Squid is rebuilt with the
#	--enable-ssl option
#
#	Usage:  [ip:]port cert=certificate.pem [key=key.pem] [options...]
#
#	The socket address where Squid will listen for HTTPS client
#	requests.
#
#	This is really only useful for situations where you are running
#	Squid in accelerator mode and you want to do the SSL work at the
#	accelerator level.
#
#	You may specify multiple socket addresses on multiple lines,
#	each with their own SSL certificate and/or options.
#
#	Options:
#
#	   In addition to the options specified for http_port the following
#	   SSL related options are supported:
#
#	   cert=	Path to SSL certificate (PEM format).
#
#	   key=		Path to SSL private key file (PEM format).
#			If not specified, the certificate file is
#			assumed to be a combined certificate and
#			key file.
#
#	   version=	The version of SSL/TLS supported
#			    1	automatic (default)
#			    2	SSLv2 only
#			    3	SSLv3 only
#			    4	TLSv1 only
#
#	   cipher=	Colon separated list of supported ciphers.
#
#	   options=	Various SSL engine options. The most important
#			being:
#			    NO_SSLv2  Disallow the use of SSLv2
#			    NO_SSLv3  Disallow the use of SSLv3
#			    NO_TLSv1  Disallow the use of TLSv1
#			    SINGLE_DH_USE Always create a new key when using
#				      temporary/ephemeral DH key exchanges
#			See src/ssl_support.c or the OpenSSL SSL_CTX_set_options
#			documentation for a complete list of options.
#
#	   clientca=	File containing the list of CAs to use when
#			requesting a client certificate.
#
#	   cafile=	File containing additional CA certificates to
#			use when verifying client certificates. If unset
#			clientca will be used.
#
#	   capath=	Directory containing additional CA certificates
#			and CRL lists to use when verifying client certificates.
#
#	   crlfile=	File of additional CRL lists to use when verifying
#			the client certificate, in addition to CRLs stored in
#			the capath. Implies the VERIFY_CRL flag below.
#
#	   dhparams=	File containing DH parameters for temporary/ephemeral
#			DH key exchanges.
#
#	   sslflags=	Various flags modifying the use of SSL:
#			    DELAYED_AUTH
#				Don't request client certificates
#				immediately, but wait until acl processing
#				requires a certificate (not yet implemented).
#			    NO_DEFAULT_CA
#				Don't use the default CA lists built in
#				to OpenSSL.
#			    NO_SESSION_REUSE
#				Don't allow for session reuse. Each connection
#				will result in a new SSL session.
#			    VERIFY_CRL
#				Verify CRL lists when accepting client
#				certificates.
#			    VERIFY_CRL_ALL
#				Verify CRL lists for all certificates in the
#				client certificate chain.
#
#	   sslcontext=	SSL session ID context identifier.
#
#
#Default:
# none
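The version= default of 1 (automatic) lets OpenSSL negotiate whatever the client offers, SSLv2 and SSLv3 included, while pinning version=4 restricts the listener to exactly TLSv1. The usual middle path is to keep automatic negotiation, knock out the legacy protocols with options=, restrict the cipher list to authenticated strong suites, and supply DH parameters so SINGLE_DH_USE has something to work with. The fragment below is an added example of such a listener, not the posted configuration; the site name, backend address, certificate paths and port are hypothetical, and the backend wiring uses the cache_peer and cache_peer_access directives documented further down in this file.

```conf
# Added example, not from the posted squid.conf. Everything named here
# (site, backend, file paths, port 3129) is hypothetical.

# TLS accelerator listener on the tunnel address. options= entries are joined
# with ':'; the cipher string uses OpenSSL's list syntax (HIGH strength only,
# no anonymous suites, no MD5-based MACs). dhparams= must be a real file:
#   openssl dhparam -out /etc/squid/ssl/dh2048.pem 2048
https_port 10.8.0.1:3129 accel defaultsite=intranet.example.internal cert=/etc/squid/ssl/intranet.pem key=/etc/squid/ssl/intranet.key options=NO_SSLv2:NO_SSLv3:SINGLE_DH_USE cipher=HIGH:!aNULL:!MD5 dhparams=/etc/squid/ssl/dh2048.pem

# The origin server behind the accelerator, plain HTTP on a private address,
# reachable only for the one site this listener fronts.
cache_peer 10.8.0.10 parent 80 0 no-query originserver name=intranet_backend
acl intranet_site dstdomain intranet.example.internal
cache_peer_access intranet_backend allow intranet_site
cache_peer_access intranet_backend deny all
http_access allow intranet_site
```

Verify the protocol cut-off from a client with an OpenSSL build that still has the flags: `openssl s_client -connect 10.8.0.1:3129 -ssl3` must fail the handshake while `openssl s_client -connect 10.8.0.1:3129 -tls1` succeeds and shows the expected certificate. The private key file should be readable only by the user Squid runs as; with an encrypted key, sslpassword_program (documented above) supplies the passphrase at start-up.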
#  TAG: tcp_outgoing_tos
#	Allows you to select a TOS/Diffserv value to mark outgoing
#	connections with, based on the username or source address
#	making the request.
#
#	tcp_outgoing_tos ds-field [!]aclname ...
#
#	Example where normal_service_net uses TOS value 0x00
#	and good_service_net uses 0x20
#
#	acl normal_service_net src 10.0.0.0/255.255.255.0
#	acl good_service_net src 10.0.1.0/255.255.255.0
#	tcp_outgoing_tos 0x00 normal_service_net
#	tcp_outgoing_tos 0x20 good_service_net
#
#	TOS/DSCP values really only have local significance - so you should
#	know what you're specifying. For more information, see RFC2474 and
#	RFC3260.
#
#	The TOS/DSCP byte must be exactly that - an octet value 0 - 255, or
#	"default" to use whatever default your host has. Note that in
#	practice often only values 0 - 63 are usable as the two highest bits
#	have been redefined for use by ECN (RFC3168).
#
#	Processing proceeds in the order specified, and stops at the first fully
#	matching line.
#
#	Note: The use of this directive using client dependent ACLs is
#	incompatible with the use of server side persistent connections. To
#	ensure correct results it is best to set server_persistent_connections
#	to off when using this directive in such configurations.
#
#Default:
# none

#  TAG: tcp_outgoing_address
#	Allows you to map requests to different outgoing IP addresses
#	based on the username or source address of the user making
#	the request.
#
#	tcp_outgoing_address ipaddr [[!]aclname] ...
#
#	Example where requests from 10.0.0.0/24 will be forwarded
#	with source address 10.1.0.1, 10.0.2.0/24 forwarded with
#	source address 10.1.0.2 and the rest forwarded with
#	source address 10.1.0.3.
#
#	acl normal_service_net src 10.0.0.0/24
#	acl good_service_net src 10.0.1.0/24 10.0.2.0/24
#	tcp_outgoing_address 10.1.0.1 normal_service_net
#	tcp_outgoing_address 10.1.0.2 good_service_net
#	tcp_outgoing_address 10.1.0.3
#
#	Processing proceeds in the order specified, and stops at the first fully
#	matching line.
#
#	Note: The use of this directive using client dependent ACLs is
#	incompatible with the use of server side persistent connections. To
#	ensure correct results it is best to set server_persistent_connections
#	to off when using this directive in such configurations.
#
#Default:
# none
#  TAG: zph_mode
#	This option enables packet level marking of HIT/MISS responses,
#	either using IP TOS or socket priority.
#	    off		Feature disabled
#	    tos		Set the IP TOS/Diffserv field
#	    priority	Set the socket priority (may get mapped to TOS by the OS,
#			otherwise only usable in local rulesets)
#	    option	Embed the mark in an IP option field. See also
#			zph_option.
#
#	See also tcp_outgoing_tos for details/requirements about TOS usage.
#
#Default:
# zph_mode off

#  TAG: zph_local
#	Allows you to select a TOS/Diffserv/Priority value to mark local hits.
#	Default: 0 (disabled).
#
#Default:
# zph_local 0

#  TAG: zph_sibling
#	Allows you to select a TOS/Diffserv/Priority value to mark sibling hits.
#	Default: 0 (disabled).
#
#Default:
# zph_sibling 0

#  TAG: zph_parent
#	Allows you to select a TOS/Diffserv/Priority value to mark parent hits.
#	Default: 0 (disabled).
#
#Default:
# zph_parent 0

#  TAG: zph_option
#	The IP option to use when zph_mode is set to "option". Defaults to
#	136 which is officially registered as "SATNET stream id".
#
#Default:
# zph_option 136
# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
# -----------------------------------------------------------------------------

#  TAG: cache_peer
#	To specify other caches in a hierarchy, use the format:
#
#		cache_peer hostname type http-port icp-port [options]
#
#	For example,
#
#	#                                        proxy  icp
#	#          hostname             type     port   port  options
#	#          -------------------- -------- ----- -----  -----------
#	cache_peer parent.foo.net       parent    3128  3130  proxy-only default
#	cache_peer sib1.foo.net         sibling   3128  3130  proxy-only
#	cache_peer sib2.foo.net         sibling   3128  3130  proxy-only
#
#	      type:	either 'parent', 'sibling', or 'multicast'.
#
#	proxy-port:	The port number where the cache listens for proxy
#			requests.
#
#	  icp-port:	Used for querying neighbor caches about
#			objects.  To have a non-ICP neighbor
#			specify '7' for the ICP port and make sure the
#			neighbor machine has the UDP echo port
#			enabled in its /etc/inetd.conf file.
#		NOTE: Also requires the icp_port option enabled to send/receive
#		      requests via this method.
#
#	    options:	proxy-only
#			weight=n
#			ttl=n
#			no-query
#			default
#			round-robin
#			carp
#			multicast-responder
#			multicast-siblings
#			closest-only
#			no-digest
#			no-netdb-exchange
#			no-delay
#			login=user:password | PASS | *:password
#			connect-timeout=nn
#			digest-url=url
#			allow-miss
#			max-conn=n
#			htcp
#			htcp-oldsquid
#			originserver
#			userhash
#			sourcehash
#			name=xxx
#			monitorurl=url
#			monitorsize=sizespec
#			monitorinterval=seconds
#			monitortimeout=seconds
#			forceddomain=name
#			ssl
#			sslcert=/path/to/ssl/certificate
#			sslkey=/path/to/ssl/key
#			sslversion=1|2|3|4
#			sslcipher=...
#			ssloptions=...
#			front-end-https[=on|auto]
#			connection-auth[=on|off|auto]
#			idle=n
#			http11
#
#		use 'proxy-only' to specify that objects fetched
#		from this cache should not be saved locally.
#
#		use 'weight=n' to affect the selection of a peer
#		during any weighted peer-selection mechanisms.
#		The weight must be an integer; the default is 1,
#		larger weights are favored more.
#		This option does not affect parent selection if a peering
#		protocol is not in use.
#
#		use 'ttl=n' to specify an IP multicast TTL to use
#		when sending ICP queries to this address.
#		Only useful when sending to a multicast group.
#		Because we don't accept ICP replies from random
#		hosts, you must configure other group members as
#		peers with the 'multicast-responder' option below.
#
#		use 'no-query' to NOT send ICP queries to this
#		neighbor.
#
#		use 'default' if this is a parent cache which can
#		be used as a "last-resort" if a peer cannot be located
#		by any of the peer-selection mechanisms.
#		If specified more than once, only the first is used.
#
#		use 'round-robin' to define a set of parents which
#		should be used in a round-robin fashion in the
#		absence of any ICP queries.
#
#		use 'carp' to define a set of parents which should
#		be used as a CARP array. The requests will be
#		distributed among the parents based on the CARP load
#		balancing hash function based on their weight.
#
#		'multicast-responder' indicates the named peer
#		is a member of a multicast group.  ICP queries will
#		not be sent directly to the peer, but ICP replies
#		will be accepted from it.
#
#		the 'multicast-siblings' option is meant to be used
#		only for cache peers of type "multicast". It instructs
#		Squid that ALL members of this multicast group have a
#		"sibling" relationship with it, not "parent".  This is
#		an optimization that avoids useless multicast queries
#		to a multicast group when the requested object would
#		be fetched only from a "parent" cache, anyway.  It's
#		useful, e.g., when configuring a pool of redundant
#		Squid proxies, being members of the same
#		multicast group.
#
#		'closest-only' indicates that, for ICP_OP_MISS
#		replies, we'll only forward CLOSEST_PARENT_MISSes
#		and never FIRST_PARENT_MISSes.
#
#		use 'no-digest' to NOT request cache digests from
#		this neighbor.
#
#		'no-netdb-exchange' disables requesting the ICMP
#		RTT database (NetDB) from the neighbor.
#
#		use 'no-delay' to prevent access to this neighbor
#		from influencing the delay pools.
#
#		use 'login=user:password' if this is a personal/workgroup
#		proxy and your parent requires proxy authentication.
#		Note: The string can include URL escapes (i.e. %20 for
#		spaces). This also means % must be written as %%.
#
#		use 'login=PASS' if users must authenticate against
#		the upstream proxy or, in the case of a reverse proxy
#		configuration, the origin web server.  This will pass
#		the users' credentials as they are to the peer.
#		Note: To combine this with local authentication the Basic
#		authentication scheme must be used, and both servers must
#		share the same user database, as HTTP only allows for
#		a single login (one for the proxy, one for the origin server).
#		Also be warned this will expose your users' proxy
#		password to the peer. USE WITH CAUTION
#
#		use 'login=*:password' to pass the username to the
#		upstream cache, but with a fixed password. This is meant
#		to be used when the peer is in another administrative
#		domain, but it is still needed to identify each user.
#		The star can optionally be followed by some extra
#		information which is added to the username. This can
#		be used to identify this proxy to the peer, similar to
#		the login=username:password option above.
#
#		use 'connect-timeout=nn' to specify a peer
#		specific connect timeout (also see the
#		peer_connect_timeout directive)
#
#		use 'digest-url=url' to tell Squid to fetch the cache
#		digest (if digests are enabled) for this host from
#		the specified URL rather than the Squid default
#		location.
#
#		use 'allow-miss' to disable Squid's use of only-if-cached
#		when forwarding requests to siblings. This is primarily
#		useful when icp_hit_stale is used by the sibling. Too
#		extensive use of this option may result in forwarding
#		loops, and you should avoid having two-way peerings
#		with this option. (for example, deny peer usage on
#		requests from a peer by denying cache_peer_access if the
#		source is a peer)
#
#		use 'max-conn=n' to limit the number of connections Squid
#		may open to this peer.
#
#		use 'htcp' to send HTCP, instead of ICP, queries
#		to the neighbor.  You probably also want to
#		set "icp port" to 4827 instead of 3130.
#		You MUST also allow this Squid htcp_access and
#		http_access in the peer Squid configuration.
#
#		use 'htcp-oldsquid' to send HTCP to old Squid versions.
#		You MUST also allow this Squid htcp_access and
#		http_access in the peer Squid configuration.
#
#		'originserver' causes this parent peer to be contacted as
#		an origin server. Meant to be used in accelerator setups.
#
#		use 'userhash' to load-balance amongst a set of parents
#		based on the client proxy_auth or ident username.
#
#		use 'sourcehash' to load-balance amongst a set of parents
#		based on the client source IP.
#
#		use 'name=xxx' if you have multiple peers on the same
#		host but different ports. This name can be used to
#		differentiate the peers in cache_peer_access and similar
#		directives.
#
#		use 'monitorurl=url' to periodically request a given
#		URL from the peer, and only consider the peer as alive
#		if this monitoring is successful (default none)
#
#		use 'monitorsize=min[-max]' to limit the size range of
#		'monitorurl' replies considered valid. Defaults to 0 to
#		accept any size of reply as valid.
#
#		use 'monitorinterval=seconds' to change the frequency of
#		how often the peer is monitored with 'monitorurl'
#		(default 300 for a 5 minute interval). If set to 0
#		then monitoring is disabled even if a URL is defined.
#
#		use 'monitortimeout=seconds' to change the timeout of
#		'monitorurl'. Defaults to 'monitorinterval'.
#
#		use 'forceddomain=name' to forcibly set the Host header
#		of requests forwarded to this peer. Useful in accelerator
#		setups where the server (peer) expects a certain domain
#		name and using redirectors to feed this domain name
#		is not feasible.
#
#		use 'ssl' to indicate that connections to this peer should
#		be SSL/TLS encrypted.
#
#		use 'sslcert=/path/to/ssl/certificate' to specify a client
#		SSL certificate to use when connecting to this peer.
#
#		use 'sslkey=/path/to/ssl/key' to specify the private SSL
#		key corresponding to sslcert above. If 'sslkey' is not
#		specified 'sslcert' is assumed to reference a
#		combined file containing both the certificate and the key.
#
#		Notes:
#
#		On Debian/Ubuntu systems a default snakeoil certificate is
#		available in /etc/ssl and users can set:
#
#			cert=/etc/ssl/certs/ssl-cert-snakeoil.pem
#
#		and
#
#			key=/etc/ssl/private/ssl-cert-snakeoil.key
#
#		for testing.
#
#		use sslversion=1|2|3|4 to specify the SSL version to use
#		when connecting to this peer
#			1 = automatic (default)
#			2 = SSL v2 only
#			3 = SSL v3 only
#			4 = TLS v1 only
#
#		use sslcipher=... to specify the list of valid SSL ciphers
#		to use when connecting to this peer.
#
#		use ssloptions=... to specify various SSL engine options:
#			NO_SSLv2  Disallow the use of SSLv2
#			NO_SSLv3  Disallow the use of SSLv3
#			NO_TLSv1  Disallow the use of TLSv1
#		See src/ssl_support.c or the OpenSSL documentation for
#		a more complete list.
#
#		use sslcafile=... to specify a file containing
#		additional CA certificates to use when verifying the
#		peer certificate.
#
#		use sslcapath=... to specify a directory containing
#		additional CA certificates to use when verifying the
#		peer certificate.
#
#		use sslcrlfile=... to specify a certificate revocation
#		list file to use when verifying the peer certificate.
#
#		use sslflags=... to specify various flags modifying the
#		SSL implementation:
#			DONT_VERIFY_PEER
#				Accept certificates even if they fail to
#				verify.
#			NO_DEFAULT_CA
#				Don't use the default CA list built in
#				to OpenSSL.
#
#		use ssldomain= to specify the peer name as advertised
#		in its certificate. Used for verifying the correctness
#		of the received peer certificate. If not specified the
#		peer hostname will be used.
#
#		use front-end-https to enable the "Front-End-Https: On"
#		header needed when using Squid as an SSL frontend in front
#		of Microsoft OWA. See MS KB document Q307347 for details
#		on this header. If set to auto the header will
#		only be added if the request is forwarded as an https://
#		URL.
#
#		use connection-auth=off to tell Squid that this peer does
#		not support Microsoft connection oriented authentication,
#		and any such challenges received from there should be
#		ignored. Default is auto to automatically determine the
#		status of the peer.
#
#		use idle=n to specify a minimum number of idle connections
#		that should be kept open to this peer.
#
#		use http11 to send requests using HTTP/1.1 to this peer.
#		Note: The HTTP/1.1 support is still incomplete, with an
#		internal HTTP/1.0 hop. As a result 1xx responses will not
#		be forwarded.
#
#Default:
# none
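Both sslproxy_flags (documented above under SSL OPTIONS) and the cache_peer sslflags option accept DONT_VERIFY_PEER, which keeps the encryption but discards the authentication: Squid completes the handshake with whoever answers at the peer's address, so anyone who can redirect the traffic or spoof the name can terminate the session and read or rewrite it, login= credentials included. The fragment below, an added example rather than anything from the posted file, shows the weak form beside the verified one; the parent name, CA file, account, password and port are hypothetical. The same principle applies to the sslproxy_* directives, which in this release govern only https:// URLs Squid fetches itself (accelerator and originserver setups), not CONNECT tunnels it merely relays.

```conf
# Added example, not from the posted squid.conf. upstream.example.net, the
# CA file, the account and port 3129 are hypothetical.

# Weak: encrypted to the parent, but the parent is never authenticated.
#cache_peer upstream.example.net parent 3129 0 no-query default ssl sslflags=DONT_VERIFY_PEER login=squid-edge:s3cret

# Verified: pin the CA that issued the parent's certificate, state the name
# the certificate must carry, refuse the legacy protocols, and identify this
# proxy with one fixed account instead of forwarding each user's own password
# (login=PASS hands every user's proxy password to the parent).
cache_peer upstream.example.net parent 3129 0 no-query default ssl sslcafile=/etc/squid/ssl/upstream-ca.pem ssldomain=upstream.example.net ssloptions=NO_SSLv2:NO_SSLv3 sslcipher=HIGH:!aNULL:!MD5 login=squid-edge:s3cret

# Without this, a peer failure silently falls back to fetching DIRECT over
# plain HTTP from the data-center address (see never_direct, referenced in
# the http_port and hierarchy_stoplist notes in this file).
never_direct allow all

# Same rule for https:// URLs Squid fetches itself: leave sslproxy_flags
# unset and point sslproxy_cafile at the CA instead.
sslproxy_cafile /etc/squid/ssl/upstream-ca.pem
sslproxy_options NO_SSLv2:NO_SSLv3
#sslproxy_flags DONT_VERIFY_PEER
```

To confirm the verification is live, point sslcafile at a CA that did not issue the parent's certificate and reload: requests must now fail with a connection error to the peer rather than succeed. Keep the password out of world-readable copies of squid.conf; the login= value is stored in clear text in the file.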
#  TAG: cache_peer_domain
#	Use to limit the domains for which a neighbor cache will be
#	queried.  Usage:
#
#	cache_peer_domain cache-host domain [domain ...]
#	cache_peer_domain cache-host !domain
#
#	For example, specifying
#
#		cache_peer_domain parent.foo.net	.edu
#
#	has the effect such that UDP query packets are sent to
#	'parent.foo.net' only when the requested object exists on a
#	server in the .edu domain.  Prefixing the domain name
#	with '!' means the cache will be queried for objects
#	NOT in that domain.
#
#	NOTE:	* Any number of domains may be given for a cache-host,
#		  either on the same or separate lines.
#		* When multiple domains are given for a particular
#		  cache-host, the first matched domain is applied.
#		* Cache hosts with no domain restrictions are queried
#		  for all requests.
#		* There are no defaults.
#		* There is also a 'cache_peer_access' tag in the ACL
#		  section.
#
#Default:
# none

#  TAG: cache_peer_access
#	Similar to 'cache_peer_domain' but provides more flexibility by
#	using ACL elements.
#
#	cache_peer_access cache-host allow|deny [!]aclname ...
#
#	The syntax is identical to 'http_access' and the other lists of
#	ACL elements.  See the comments for 'http_access' below, or
#	the Squid FAQ (http://www.squid-cache.org/FAQ/FAQ-10.html).
#
#Default:
# none

#  TAG: neighbor_type_domain
#	usage: neighbor_type_domain neighbor parent|sibling domain domain ...
#
#	Modifying the neighbor type for specific domains is now
#	possible.  You can treat some domains differently than the
#	default neighbor type specified on the 'cache_peer' line.
#	Normally it should only be necessary to list domains which
#	should be treated differently because the default neighbor type
#	applies for hostnames which do not match domains listed here.
#
#EXAMPLE:
#	cache_peer cache.foo.org parent 3128 3130
#	neighbor_type_domain cache.foo.org sibling .com .net
#	neighbor_type_domain cache.foo.org sibling .au .de
#
#Default:
# none

#  TAG: dead_peer_timeout	(seconds)
#	This controls how long Squid waits to declare a peer cache
#	as "dead."  If there are no ICP replies received in this
#	amount of time, Squid will declare the peer dead and not
#	expect to receive any further ICP replies.  However, it
#	continues to send ICP queries, and will mark the peer as
#	alive upon receipt of the first subsequent ICP reply.
#
#	This timeout also affects when Squid expects to receive ICP
#	replies from peers.  If more than 'dead_peer' seconds have
#	passed since the last ICP reply was received, Squid will not
#	expect to receive an ICP reply on the next query.  Thus, if
#	your time between requests is greater than this timeout, you
#	will see a lot of requests sent DIRECT to origin servers
#	instead of to your parents.
#
#Default:
# dead_peer_timeout 10 seconds

#  TAG: hierarchy_stoplist
#	A list of words which, if found in a URL, cause the object to
#	be handled directly by this cache.  In other words, use this
#	to not query neighbor caches for certain objects.  You may
#	list this option multiple times. Note: never_direct overrides
#	this option.
#We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?
# MEMORY CACHE OPTIONS
# -----------------------------------------------------------------------------

#  TAG: cache_mem	(bytes)
#	NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS SIZE.
#	IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL
#	USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER
#	THINGS AS WELL. SEE THE SQUID FAQ SECTION 8 FOR DETAILS.
#
#	'cache_mem' specifies the ideal amount of memory to be used
#	for:
#		* In-Transit objects
#		* Hot Objects
#		* Negative-Cached objects
#
#	Data for these objects are stored in 4 KB blocks.  This
#	parameter specifies the ideal upper limit on the total size of
#	4 KB blocks allocated.  In-Transit objects take the highest
#	priority.
#
#	In-transit objects have priority over the others.  When
#	additional space is needed for incoming data, negative-cached
#	and hot objects will be released.  In other words, the
#	negative-cached and hot objects will fill up any unused space
#	not needed for in-transit objects.
#
#	If circumstances require, this limit will be exceeded.
#	Specifically, if your incoming request rate requires more than
#	'cache_mem' of memory to hold in-transit objects, Squid will
#	exceed this limit to satisfy the new requests.  When the load
#	decreases, blocks will be freed until the high-water mark is
#	reached.  Thereafter, blocks will be used to store hot
#	objects.
#
#Default:
# cache_mem 8 MB

#  TAG: maximum_object_size_in_memory	(bytes)
#	Objects greater than this size will not be attempted to be kept in
#	the memory cache. This should be set high enough to keep objects
#	accessed frequently in memory to improve performance whilst low
#	enough to keep larger objects from hoarding cache_mem.
#
#Default:
# maximum_object_size_in_memory 8 KB

#  TAG: memory_replacement_policy
#	The memory replacement policy parameter determines which
#	objects are purged from memory when memory space is needed.
#
#	See cache_replacement_policy for details.
#
#Default:
# memory_replacement_policy lru
# DISK CACHE OPTIONS
# -----------------------------------------------------------------------------

#  TAG: cache_replacement_policy
#	The cache replacement policy parameter determines which
#	objects are evicted (replaced) when disk space is needed.
#
#	    lru       : Squid's original list based LRU policy
#	    heap GDSF : Greedy-Dual Size Frequency
#	    heap LFUDA: Least Frequently Used with Dynamic Aging
#	    heap LRU  : LRU policy implemented using a heap
#
#	Applies to any cache_dir lines listed below this.
#
#	The LRU policies keep recently referenced objects.
#
#	The heap GDSF policy optimizes object hit rate by keeping smaller
#	popular objects in cache so it has a better chance of getting a
#	hit.  It achieves a lower byte hit rate than LFUDA though since
#	it evicts larger (possibly popular) objects.
#
#	The heap LFUDA policy keeps popular objects in cache regardless of
#	their size and thus optimizes byte hit rate at the expense of
#	hit rate since one large, popular object will prevent many
#	smaller, slightly less popular objects from being cached.
#
#	Both policies utilize a dynamic aging mechanism that prevents
#	cache pollution that can otherwise occur with frequency-based
#	replacement policies.
#
#	NOTE: if using the LFUDA replacement policy you should increase
#	the value of maximum_object_size above its default of 4096 KB to
#	maximize the potential byte hit rate improvement of LFUDA.
#
#	For more information about the GDSF and LFUDA cache replacement
#	policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html
#	and http://fog.hpl.external.hp.com/techr...pl-98-173.html.
#
#Default:
# cache_replacement_policy lru

#  TAG: cache_dir
#	Usage:
#
#	cache_dir Type Directory-Name Fs-specific-data [options]
#
#	You can specify multiple cache_dir lines to spread the
#	cache among different disk partitions.
#
#	Type specifies the kind of storage system to use. Only "ufs"
#	is built by default. To enable any of the other storage systems
#	see the --enable-storeio configure option.
#
#	'Directory' is a top-level directory where cache swap
#	files will be stored.  If you want to use an entire disk
#	for caching, this can be the mount-point directory.
#	The directory must exist and be writable by the Squid
#	process.  Squid will NOT create this directory for you.
#	For COSS, a raw disk device or a stripe file can
#	be specified, but the configuration of the "cache_swap_log"
#	tag is mandatory.
#
#	The ufs store type:
#
#	"ufs" is the old well-known Squid storage format that has always
#	been there.
#
#	cache_dir ufs Directory-Name Mbytes L1 L2 [options]
#
#	'Mbytes' is the amount of disk space (MB) to use under this
#	directory.  The default is 100 MB.  Change this to suit your
#	configuration.  Do NOT put the size of your disk drive here.
#	Instead, if you want Squid to use the entire disk drive,
#	subtract 20% and use that value.
#
#	'Level-1' is the number of first-level subdirectories which
#	will be created under the 'Directory'.  The default is 16.
#
#	'Level-2' is the number of second-level subdirectories which
#	will be created under each first-level directory.  The default
#	is 256.
#
#	The aufs store type:
#
#	"aufs" uses the same storage format as "ufs", utilizing
#	POSIX-threads to avoid blocking the main Squid process on
#	disk-I/O. This was formerly known in Squid as async-io.
#
#	cache_dir aufs Directory-Name Mbytes L1 L2 [options]
#
#	see argument descriptions under ufs above
#
#	The diskd store type:
#
#	"diskd" uses the same storage format as "ufs", utilizing a
#	separate process to avoid blocking the main Squid process on
#	disk-I/O.
#
#	cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n]
#
#	see argument descriptions under ufs above
#
#	Q1 specifies the number of unacknowledged I/O requests when Squid
#	stops opening new files. If this many messages are in the queues,
#	Squid won't open new files. Default is 64
#
#	Q2 specifies the number of unacknowledged messages when Squid
#	starts blocking.  If this many messages are in the queues,
#	Squid blocks until it receives some replies. Default is 72
#
#	When Q1 < Q2 (the default), the cache directory is optimized
#	for lower response time at the expense of a decrease in hit
#	ratio.  If Q1 > Q2, the cache directory is optimized for
#	higher hit ratio at the expense of an increase in response
#	time.
#
#	The coss store type:
#
#	block-size=n defines the "block size" for COSS cache_dir's.
#	Squid uses file numbers as block numbers.  Since file numbers
#	are limited to 24 bits, the block size determines the maximum
#	size of the COSS partition.  The default is 512 bytes, which
#	leads to a maximum cache_dir size of 512<<24, or 8 GB.  Note
#	you should not change the coss block size after Squid
#	has written some objects to the cache_dir.
#
#	overwrite-percent=n defines the percentage of disk that COSS
#	must write to before a given object will be moved to the
#	current stripe.  A value of "n" closer to 100 will cause COSS
#	to waste less disk space by having multiple copies of an object
#	on disk, but will increase the chances of overwriting a popular
#	object as COSS overwrites stripes.  A value of "n" close to 0
#	will cause COSS to keep all current objects in the current COSS
#	stripe at the expense of the hit rate.  The default value of 50
#	will allow any given object to be stored on disk a maximum of
#	2 times.
#
#	max-stripe-waste=n defines the maximum amount of space that COSS
#	will waste in a given stripe (in bytes).  When COSS writes data
#	to disk, it will potentially waste up to "max-size" worth of disk
#	space for each 1MB of data written.  If "max-size" is set to a
#	large value (ie >256k), this could potentially result in large
#	amounts of wasted disk space. Setting this value to a lower value
#	(ie 64k or 32k) will result in a COSS disk refusing to cache
#	larger objects until the COSS stripe has been filled to within
#	"max-stripe-waste" of the maximum size (1MB).
#
#	membufs=n defines the number of "memory-only" stripes that COSS
#	will use.  When a cache hit is performed on a COSS stripe before
#	COSS has reached the overwrite-percent value for that object,
#	COSS may use a series of memory buffers to hold the object in
#	while the data is sent to the client.  This will define the maximum
#	number of memory-only buffers that COSS will use.  The default value
#	is 10, which will use a maximum of 10MB of memory for buffers.
#
#	maxfullbufs=n defines the maximum number of stripes a COSS partition
#	will have in memory waiting to be freed (either because the disk is
#	under load and the stripe is unwritten, or because clients are still
#	transferring data from objects using the memory).  In order to try
#	and maintain a good hit rate under load, COSS will reserve the last
#	2 full stripes for object hits. (ie a COSS cache_dir will reject
#	new objects when the number of full stripes is 2 less than maxfullbufs)
#
#	The null store type:
#
#	no options are allowed or required
#
#	Common options:
#
#	no-store, no new objects should be stored to this cache_dir
#
#	min-size=n, refers to the min object size this storedir will accept.
#	It's used to restrict a storedir to only store large objects
#	(e.g. aufs) while other storedirs are optimized for smaller objects
#	(e.g. COSS). Defaults to 0.
#
#	max-size=n, refers to the max object size this storedir supports.
#	It is used to initially choose the storedir to dump the object.
#	Note: To make optimal use of the max-size limits you should order
#	the cache_dir lines with the smallest max-size value first and the
#	ones with no max-size specification last.
#
#	Note that for coss, max-size must be less than COSS_MEMBUF_SZ
#	(hard coded at 1 MB).
#
#Default:
# cache_dir ufs /var/spool/squid 100 16 256
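Two of the rules above are easy to get backwards: cache_replacement_policy only applies to cache_dir lines that come after it, and when several cache_dir lines carry size limits the one with the smallest max-size must be listed first. The fragment below, an added example and not part of the posted file, puts both together with a small-object and a large-object directory whose size ranges do not overlap; the directory names are hypothetical.

```conf
# Added example, not from the posted squid.conf. Directories are hypothetical;
# they must exist and be owned by the user Squid runs as before "squid -z"
# builds the L1/L2 subdirectory tree inside them.

# Must precede the cache_dir lines it is meant to govern.
cache_replacement_policy heap LFUDA

# Smallest max-size first: objects up to 64 KiB go here ...
cache_dir aufs /var/spool/squid/small 2000 16 256 max-size=65536
# ... everything larger goes here; min-size keeps the ranges disjoint.
cache_dir aufs /var/spool/squid/large 20000 16 256 min-size=65537

# LFUDA only pays off if large objects are allowed on disk at all.
maximum_object_size 20480 KB
```

After `squid -z` and a restart, `squid -k parse` reports misordered or overlapping size limits only as silent misplacement, not as an error, so check the store layout with the cache manager's storedir report rather than trusting the parse alone.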
#  TAG: store_dir_select_algorithm
#	Set this to 'round-robin' as an alternative.
#
#Default:
# store_dir_select_algorithm least-load

#  TAG: max_open_disk_fds
#	To avoid having disk as the I/O bottleneck Squid can optionally
#	bypass the on-disk cache if more than this amount of disk file
#	descriptors are open.
#
#	A value of 0 indicates no limit.
#
#Default:
# max_open_disk_fds 0

#  TAG: minimum_object_size	(bytes)
#	Objects smaller than this size will NOT be saved on disk.  The
#	value is specified in kilobytes, and the default is 0 KB, which
#	means there is no minimum.
#
#Default:
# minimum_object_size 0 KB

#  TAG: maximum_object_size	(bytes)
#	Objects larger than this size will NOT be saved on disk.  The
#	value is specified in kilobytes, and the default is 4MB.  If
#	you wish to get a high BYTES hit ratio, you should probably
#	increase this (one 32 MB object hit counts for 3200 10KB
#	hits).  If you wish to increase speed more than you want to
#	save bandwidth you should leave this low.
#
#	NOTE: if using the LFUDA replacement policy you should increase
#	this value to maximize the byte hit rate improvement of LFUDA!
#	See replacement_policy below for a discussion of this policy.
#
#	NOTE 2: In Debian the default is raised to 20MB, allowing the cache
#	of Packages files in Debian repositories. This makes Squid a
#	proper proxy for APT.
#
#Default:
# maximum_object_size 20480 KB

#  TAG: cache_swap_low	(percent, 0-100)
#  TAG: cache_swap_high	(percent, 0-100)
#
#	The low- and high-water marks for cache object replacement.
#	Replacement begins when the swap (disk) usage is above the
#	low-water mark and attempts to maintain utilization near the
#	low-water mark.  As swap utilization gets close to the high-water
#	mark object eviction becomes more aggressive.  If utilization is
#	close to the low-water mark less replacement is done each time.
#
#	Defaults are 90% and 95%. If you have a large cache, 5% could be
#	hundreds of MB. If this is the case you may wish to set these
#	numbers closer together.
#
#Default:
# cache_swap_low 90
# cache_swap_high 95

#  TAG: update_headers	on|off
#	By default Squid updates stored HTTP headers when receiving
#	a 304 response. Set this to off if you want to disable this
#	for disk I/O performance reasons. Disabling this VIOLATES the
#	HTTP standard, and could make you liable for problems which it
#	causes.
#
#Default:
# update_headers on
# LOGFILE OPTIONS
# -----------------------------------------------------------------------------

#  TAG: logformat
#	Usage:
#
#	logformat <name> <format specification>
#
#	Defines an access log format.
#
#	The <format specification> is a string with embedded % format codes
#
#	% format codes all follow the same basic structure where all but
#	the formatcode is optional. Output strings are automatically escaped
#	as required according to their context and the output format
#	modifiers are usually not needed, but can be specified if an explicit
#	output format is desired.
#
#		% ["|[|'|#] [-] [[0]width] [{argument}] formatcode
#
#		"	output in quoted string format
#		[	output in squid text log format as used by log_mime_hdrs
#		#	output in URL quoted format
#		'	output as-is
#
#		-	left aligned
#		width	field width. If starting with 0 the
#			output is zero padded
#		{arg}	argument such as header name etc
#
#	Format codes:
#
#		>a	Client source IP address
#		>A	Client FQDN
#		>p	Client source port
#		<A	Server IP address or peer name
#		la	Local IP address (http_port)
#		lp	Local port number (http_port)
#		oa	Our outgoing IP address (tcp_outgoing_address)
#		ts	Seconds since epoch
#		tu	subsecond time (milliseconds)
#		tl	Local time. Optional strftime format argument
#			default %d/%b/%Y:%H:%M:%S %z
#		tg	GMT time. Optional strftime format argument
#			default %d/%b/%Y:%H:%M:%S %z
#		tr	Response time (milliseconds)
#		>h	Request header. Optional header name argument
#			on the format header[:[separator]element]
#		<h	Reply header. Optional header name argument
#			as for >h
#		un	User name
#		ul	User name from authentication
#		ui	User name from ident
#		us	User name from SSL
#		ue	User name from external acl helper
#		Hs	HTTP status code
#		Ss	Squid request status (TCP_MISS etc)
#		Sh	Squid hierarchy status (DEFAULT_PARENT etc)
#		mt	MIME content type
#		rm	Request method (GET/POST etc)
#		ru	Request URL
#		rp	Request URL-Path excluding hostname
#		rv	Request protocol version
#		ea	Log string returned by external acl
#		<st	Reply size including HTTP headers
#		>st	Request size including HTTP headers
#		st	Request+Reply size including HTTP headers
#		sn	Unique sequence number per log line entry
#		%	a literal % character
#
#	The default formats available (which do not need re-defining) are:
#
#logformat squid  %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt
#logformat squidmime  %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt [%>h] [%<h]
#logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st %Ss:%Sh
#logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
#
#Default:
# none
# tag: access_log
# these files log client request activities. has line every http or
# icp request. format is:
# access_log <filepath> [<logformat name> [acl acl ...]]
# access_log none [acl acl ...]]
#
# log specified file using specified format (which
# must defined in logformat directive) entries match
# acl's specified (which must defined in acl clauses).
# if no acl specified, requests logged file.
#
# disable logging of request use filepath "none", in case
# logformat name should not specified.
#
# log request via syslog specify filepath of "syslog":
#
# access_log syslog[:facility.priority] [format [acl1 [acl2 ....]]]
# facility of:
# authpriv, daemon, local0 .. local7 or user.
#
# , priority of:
# err, warning, notice, info, debug.
access_log /var/log/squid/access.log squid
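As an added example (not part of the poster's configuration and not Squid project code), a small Python parser for lines written in the built-in `squid` logformat that the access_log line above selects; it groups requests by %Ss/%Hs and singles out the ones Squid refused (TCP_DENIED) or could not fetch (5xx), which are the entries to look at when clients see an error page. The sample log lines are constructed.

```python
"""Parse Squid native access.log lines (the built-in 'squid' logformat).

Constructed example, not the poster's configuration or Squid project code.
Field order is the default format documented above:
    %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass
class AccessEntry:
    timestamp: datetime   # %ts.%tu
    elapsed_ms: int       # %tr
    client: str           # %>a
    squid_status: str     # %Ss, e.g. TCP_MISS, TCP_HIT, TCP_DENIED
    http_status: int      # %Hs
    size: int             # %<st, reply size including headers
    method: str           # %rm
    url: str              # %ru (query terms stripped by Squid by default)
    user: str             # %un, "-" when no user name is known
    hier_code: str        # %Sh, e.g. DIRECT, NONE, DEFAULT_PARENT
    hier_host: str        # %<A, server IP or peer name, "-" when none
    mime_type: str        # %mt


def parse_line(line: str) -> Optional[AccessEntry]:
    """Split one native-format line into its ten fields.

    %6tr is right-aligned with spaces, so splitting on runs of whitespace
    is enough.  A line without the expected shape yields None instead of
    raising, so one truncated line cannot stop a log sweep.
    """
    parts = line.split()
    if len(parts) != 10:
        return None
    ts, elapsed, client, status, size, method, url, user, hier, mime = parts
    if "/" not in status or "/" not in hier:
        return None
    squid_status, http_status = status.split("/", 1)
    hier_code, hier_host = hier.split("/", 1)
    try:
        return AccessEntry(
            timestamp=datetime.fromtimestamp(float(ts), tz=timezone.utc),
            elapsed_ms=int(elapsed),
            client=client,
            squid_status=squid_status,
            http_status=int(http_status),
            size=int(size),
            method=method,
            url=url,
            user=user,
            hier_code=hier_code,
            hier_host=hier_host,
            mime_type=mime,
        )
    except ValueError:
        return None


def summarize(lines: Iterable[str]) -> Dict[str, object]:
    """Group entries by %Ss/%Hs and single out the requests that ended in
    an error page: TCP_DENIED (blocked by http_access) and 5xx replies
    (Squid could not reach or use the origin server)."""
    by_status: Counter = Counter()
    denied: List[str] = []
    server_errors: List[Tuple[str, int]] = []
    unparsed = 0
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            unparsed += 1
            continue
        by_status[f"{entry.squid_status}/{entry.http_status}"] += 1
        if entry.squid_status == "TCP_DENIED":
            denied.append(entry.url)
        elif entry.http_status >= 500:
            server_errors.append((entry.url, entry.http_status))
    return {
        "by_status": by_status,
        "denied": denied,
        "server_errors": server_errors,
        "unparsed": unparsed,
    }


# Constructed sample lines in the native format (not from a real server).
SAMPLE_LOG = """\
1299173000.123    245 10.8.0.6 TCP_MISS/200 5432 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html
1299173001.456      0 10.8.0.6 TCP_DENIED/403 1420 GET http://www.example.org/ - NONE/- text/html
1299173002.789   3012 10.8.0.7 TCP_MISS/503 1600 GET http://intranet.example.net/ - DIRECT/192.0.2.10 text/html
1299173003.111      2 10.8.0.6 TCP_HIT/200 5432 GET http://www.example.com/ - NONE/- text/html
this line is truncated
"""


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    for status, count in sorted(report["by_status"].items()):
        print(f"{status:20s} {count}")
    print("denied:", report["denied"])
    print("server errors:", report["server_errors"])
    print("unparsed lines:", report["unparsed"])
```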
#  TAG: log_access	allow|deny acl acl...
#	This options allows you to control which requests gets logged
#	to access.log (see access_log directive). Requests denied for
#	logging will also not be accounted for in performance counters.
#
#Default:
# none

#  TAG: logfile_daemon
#	Specify the path to the logfile-writing daemon. This daemon is
#	used to write the access and store logs, if configured.
#
#Default:
# logfile_daemon /usr/lib/squid/logfile-daemon

#  TAG: cache_log
#	Cache logging file. This is where general information about
#	your cache's behavior goes. You can increase the amount of data
#	logged to this file with the "debug_options" tag below.
#
#Default:
# cache_log /var/log/squid/cache.log

#  TAG: cache_store_log
#	Logs the activities of the storage manager.  Shows which
#	objects are ejected from the cache, and which objects are
#	saved and for how long.  To disable, enter "none". There are
#	not really utilities to analyze this data, so you can safely
#	disable it.
#
#Default:
# cache_store_log /var/log/squid/store.log

#  TAG: cache_swap_state
#	Location for the cache "swap.state" file. This index file holds
#	the metadata of objects saved on disk.  It is used to rebuild
#	the cache during startup.  Normally this file resides in each
#	'cache_dir' directory, but you may specify an alternate
#	pathname here.  Note you must give a full filename, not just
#	a directory. Since this is the index for the whole object
#	list you CANNOT periodically rotate it!
#
#	If %s can be used in the file name it will be replaced with a
#	representation of the cache_dir name where each / is replaced
#	with '.'. This is needed to allow adding/removing cache_dir
#	lines when cache_swap_log is being used.
#
#	If you have more than one 'cache_dir', and %s is not used in the name
#	these swap logs will have names such as:
#
#		cache_swap_log.00
#		cache_swap_log.01
#		cache_swap_log.02
#
#	The numbered extension (which is added automatically)
#	corresponds to the order of the 'cache_dir' lines in this
#	configuration file.  If you change the order of the 'cache_dir'
#	lines in this file, these index files will NOT correspond to
#	the correct 'cache_dir' entry (unless you manually rename
#	them).  We recommend you do NOT use this option.  It is
#	better to keep these index files in each 'cache_dir' directory.
#
#Default:
# none

#  TAG: logfile_rotate
#	Specifies the number of logfile rotations to make when you
#	type 'squid -k rotate'.  The default is 10, which will rotate
#	with extensions 0 through 9.  Setting logfile_rotate to 0 will
#	disable the file name rotation, but the logfiles are still closed
#	and re-opened.  This will enable you to rename the logfiles
#	yourself just before sending the rotate signal.
#
#	Note, the 'squid -k rotate' command normally sends a USR1
#	signal to the running squid process.  In certain situations
#	(e.g. on Linux with Async I/O), USR1 is used for other
#	purposes, so -k rotate uses another signal.  It is best to get
#	in the habit of using 'squid -k rotate' instead of 'kill -USR1
#	<pid>'.
#
#	Note2, for Debian/Linux the default of logfile_rotate is
#	zero, since it includes external logfile-rotation methods.
#
#Default:
# logfile_rotate 0

#  TAG: emulate_httpd_log	on|off
#	The Cache can emulate the log file format which many 'httpd'
#	programs use.  To disable/enable this emulation, set
#	emulate_httpd_log to 'off' or 'on'.  The default
#	is to use the native log format since it includes useful
#	information Squid-specific log analyzers use.
#
#Default:
# emulate_httpd_log off

#  TAG: log_ip_on_direct	on|off
#	Log the destination IP address in the hierarchy log tag when going
#	direct. Earlier Squid versions logged the hostname here. If you
#	prefer the old way set this to off.
#
#Default:
# log_ip_on_direct on

#  TAG: mime_table
#	Pathname to Squid's MIME table. You shouldn't need to change
#	this, but the default file contains examples and formatting
#	information if you do.
#
#Default:
# mime_table /usr/share/squid/mime.conf

#  TAG: log_mime_hdrs	on|off
#	The Cache can record both the request and the response MIME
#	headers for each HTTP transaction.  The headers are encoded
#	safely and will appear as two bracketed fields at the end of
#	the access log (for either the native or httpd-emulated log
#	formats).  To enable this logging set log_mime_hdrs to 'on'.
#
#Default:
# log_mime_hdrs off

#  TAG: useragent_log
#	Squid will write the User-Agent field from HTTP requests
#	to the filename specified here.  By default useragent_log
#	is disabled.
#
#Default:
# none

#  TAG: referer_log
#	Squid will write the Referer field from HTTP requests to the
#	filename specified here.  By default referer_log is disabled.
#	Note that "referer" is a misspelling of "referrer" however the
#	misspelt version has been accepted into the HTTP RFCs and we
#	accept both.
#
#Default:
# none

#  TAG: pid_filename
#	A filename to write the process-id to.  To disable, enter "none".
#
#Default:
# pid_filename /var/run/squid.pid

#  TAG: debug_options
#	Logging options are set as section,level where each source file
#	is assigned a unique section.  Lower levels result in less
#	output,  Full debugging (level 9) can result in a very large
#	log file, so be careful.  The magic word "ALL" sets debugging
#	levels for all sections.  We recommend normally running with
#	"ALL,1".
#
#Default:
# debug_options ALL,1

#  TAG: log_fqdn	on|off
#	Turn this on if you wish to log fully qualified domain names
#	in the access.log. To do this Squid does a DNS lookup of all
#	IP's connecting to it. This can (in some situations) increase
#	latency, which makes your cache seem slower for interactive
#	browsing.
#
#Default:
# log_fqdn off

#  TAG: client_netmask
#	A netmask for client addresses in logfiles and cachemgr output.
#	Change this to protect the privacy of your cache clients.
#	A netmask of 255.255.255.0 will log all IP's in that range with
#	the last digit set to '0'.
#
#Default:
# client_netmask 255.255.255.255

#  TAG: forward_log
#	Note: This option is only available if Squid is rebuilt with the
#	--enable-forward-log option
#
#	Logs the server-side requests.
#
#	This is currently work in progress.
#
#Default:
# none

#  TAG: strip_query_terms
#	By default, Squid strips query terms from requested URLs before
#	logging.  This protects your user's privacy.
#
#Default:
# strip_query_terms on

#  TAG: buffered_logs	on|off
#	cache.log log file is written with stdio functions, and as such
#	it can be buffered or unbuffered. By default it will be unbuffered.
#	Buffering it can speed up the writing slightly (though you are
#	unlikely to need to worry unless you run with tons of debugging
#	enabled in which case performance will suffer badly anyway..).
#
#Default:
# buffered_logs off

#  TAG: netdb_filename
#	A filename where Squid stores its netdb state between restarts.
#	To disable, enter "none".
#
#Default:
# netdb_filename /var/spool/squid/logs/netdb.state
# OPTIONS FOR FTP GATEWAYING
# -----------------------------------------------------------------------------

#  TAG: ftp_user
#	If you want the anonymous login password to be more informative
#	(and enable the use of picky ftp servers), set this to something
#	reasonable for your domain, like wwwuser@somewhere.net
#
#	The reason why this is domainless by default is the
#	request can be made on the behalf of a user in any domain,
#	depending on how the cache is used.
#	Some ftp server also validate the email address is valid
#	(for example perl.com).
#
#Default:
# ftp_user Squid@

#  TAG: ftp_list_width
#	Sets the width of ftp listings. This should be set to fit in
#	the width of a standard browser. Setting this too small
#	can cut off long filenames when browsing ftp sites.
#
#Default:
# ftp_list_width 32

#  TAG: ftp_passive
#	If your firewall does not allow Squid to use passive
#	connections, turn off this option.
#
#Default:
# ftp_passive on

#  TAG: ftp_sanitycheck
#	For security and data integrity reasons Squid by default performs
#	sanity checks of the addresses of FTP data connections to ensure the
#	data connection is to the requested server. If you need to allow
#	FTP connections to servers using another IP address for the data
#	connection turn this off.
#
#Default:
# ftp_sanitycheck on

#  TAG: ftp_telnet_protocol
#	The FTP protocol is officially defined to use the telnet protocol
#	as transport channel for the control connection. However, many
#	implementations are broken and do not respect this aspect of
#	the FTP protocol.
#
#	If you have trouble accessing files with ASCII code 255 in the
#	path or similar problems involving this ASCII code you can
#	try setting this directive to off. If that helps, report to the
#	operator of the FTP server in question that their FTP server
#	is broken and does not follow the FTP standard.
#
#Default:
# ftp_telnet_protocol on

# OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
# -----------------------------------------------------------------------------

#  TAG: diskd_program
#	Specify the location of the diskd executable.
#	Note this is only useful if you have compiled in
#	diskd as one of the store io modules.
#
#Default:
# diskd_program /usr/lib/squid/diskd-daemon

#  TAG: unlinkd_program
#	Specify the location of the executable for file deletion process.
#
#Default:
# unlinkd_program /usr/lib/squid/unlinkd

#  TAG: pinger_program
#	Note: This option is only available if Squid is rebuilt with the
#	--enable-icmp option
#
#	Specify the location of the executable for the pinger process.
#
#Default:
# pinger_program /usr/lib/squid/pinger
# OPTIONS FOR URL REWRITING
# -----------------------------------------------------------------------------

#  TAG: storeurl_rewrite_program
#	Specify the location of the executable for the Store URL rewriter.
#	The Store URL rewriter allows URLs to be "normalised" ; mapping
#	multiple URLs to a single URL representation for cache operations.
#
#	For example, if you request an object at:
#
#		http://srv1.example.com/image.gif
#
#	and a subsequent request for:
#
#		http://srv2.example.com/image.gif
#
#	then Squid will treat these both as different URLs and cache them
#	separately.
#
#	This is a normal case for a growing number of sites which
#	distribute the same content between multiple frontend hosts.
#	The Store URL rewriter allows you to rewrite these URLs to one URL
#	to use for cache operations, but not -fetches-. Fetches are still
#	made to the original site, but stored with the Store URL rewritten
#	URL as the store key.
#
#	For each requested URL the rewriter will receive one line with the format
#
#	URL <SP> client_ip "/" fqdn <SP> user <SP> method <SP> urlgroup
#	[<SP> kvpairs] <NL>
#
#	In future, the rewriter interface will be extended with
#	key=value pairs ("kvpairs" shown above).  Rewriter programs
#	should be prepared to receive and possibly ignore additional
#	whitespace-separated tokens on each input line.
#
#	And the rewriter may return a rewritten URL. The other components of
#	the request line do not need to be returned (ignored if they are).
#
#	By default, a Store URL rewriter is not used.
#
#	Please note - the normal URL rewriter rewrites Squid's _destination_
#	URL - ie, what it fetches. The Store URL rewriter rewrites Squid's
#	_store_ URL - ie, what it uses to store and retrieve objects.
#
#Default:
# none

#  TAG: storeurl_rewrite_children
#
#
#Default:
# storeurl_rewrite_children 5

#  TAG: storeurl_rewrite_concurrency
#
#
#Default:
# storeurl_rewrite_concurrency 0

#  TAG: url_rewrite_program
#	Specify the location of the executable for the URL rewriter.
#	Since they can perform almost any function there isn't one included.
#
#	For each requested URL the rewriter will receive one line with the format
#
#	URL <SP> client_ip "/" fqdn <SP> user <SP> method <SP> urlgroup
#	[<SP> kvpairs] <NL>
#
#	In future, the rewriter interface will be extended with
#	key=value pairs ("kvpairs" shown above).  Rewriter programs
#	should be prepared to receive and possibly ignore additional
#	whitespace-separated tokens on each input line.
#
#	And the rewriter may return a rewritten URL. The other components of
#	the request line do not need to be returned (ignored if they are).
#
#	The rewriter can also indicate that a client-side redirect should
#	be performed to the new URL. This is done by prefixing the returned
#	URL with "301:" (moved permanently) or 302: (moved temporarily).
#
#	It can also return a "urlgroup" that can subsequently be matched
#	in cache_peer_access and similar ACL driven rules. An urlgroup is
#	returned by prefixing the returned URL with "!urlgroup!".
#
#	By default, a URL rewriter is not used.
#
#Default:
# none

#  TAG: url_rewrite_children
#	The number of redirector processes to spawn. If you start
#	too few Squid will have to wait for them to process a backlog of
#	URLs, slowing it down. If you start too many they will use RAM
#	and other system resources.
#
#Default:
# url_rewrite_children 5

#  TAG: url_rewrite_concurrency
#	The number of requests each redirector helper can handle in
#	parallel. Defaults to 0 which indicates the redirector
#	is an old-style single threaded redirector.
#
#	When this directive is set to a value >= 1 then the protocol
#	used to communicate with the helper is modified to include
#	a request ID in front of the request/response. The request
#	ID from the request must be echoed back with the response
#	to that request.
#
#Default:
# url_rewrite_concurrency 0
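As an added example (not the poster's setup and not a helper shipped with Squid), a minimal Python url_rewrite_program that speaks both the single-line protocol and the request-ID protocol used when url_rewrite_concurrency is 1 or more, and that shows the three kinds of reply described above: a plain rewrite, a "301:" client redirect and a "!urlgroup!" tag. The input line is the same one storeurl_rewrite_program receives, so the parser serves both helper types; all host names in the policy are assumptions for the example.

```python
#!/usr/bin/env python3
"""Minimal Squid 2.7 URL rewriter helper (constructed example; not the
poster's setup and not code shipped with Squid).

Input line format from the documentation above:
    URL <SP> client_ip "/" fqdn <SP> user <SP> method <SP> urlgroup [<SP> kvpairs] <NL>
With url_rewrite_concurrency >= 1 each line is prefixed by a request ID that
must be echoed back.  storeurl_rewrite_program receives the same line, so
parse_request() serves both kinds of helper; only the policy differs.

Hypothetical policy (every host name here is an assumption for the example):
  cdnNN.example.com      -> http://cdn.example.com/...   (plain rewrite, the
                            kind of normalisation a Store URL rewriter does)
  old.example.com        -> 301:http://www.example.com/... (client redirect)
  intranet.example.net   -> tagged with urlgroup "intranet" for later ACLs
  anything else          -> blank reply, URL left unchanged
"""
import re
import sys
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit, urlunsplit

CDN_HOST = re.compile(r"^cdn\d+\.example\.com$")


@dataclass
class RewriteRequest:
    request_id: Optional[str]      # present only when concurrency >= 1
    url: str
    client_ip: str
    fqdn: str                      # "-" when Squid has no name for the client
    user: str                      # "-" when unauthenticated
    method: str
    urlgroup: str                  # "-" unless a urlgroup was set earlier
    extra: List[str] = field(default_factory=list)   # future kvpairs, ignored


def parse_request(line: str, concurrent: bool) -> Optional[RewriteRequest]:
    """Parse one input line; None if it lacks the documented fields."""
    fields = line.rstrip("\r\n").split(" ")
    request_id: Optional[str] = None
    if concurrent:
        if len(fields) < 2:
            return None
        request_id, fields = fields[0], fields[1:]
    if len(fields) < 5:
        return None
    url, client, user, method, urlgroup = fields[:5]
    client_ip, _, fqdn = client.partition("/")
    return RewriteRequest(request_id, url, client_ip, fqdn or "-", user,
                          method, urlgroup, fields[5:])


def rewrite(req: RewriteRequest) -> str:
    """Return the reply URL for one request, or "" to leave it unchanged."""
    parts = urlsplit(req.url)
    host = parts.hostname or ""
    if CDN_HOST.match(host):
        return urlunsplit(parts._replace(netloc="cdn.example.com"))
    if host == "old.example.com":
        return "301:" + urlunsplit(parts._replace(netloc="www.example.com"))
    if host == "intranet.example.net":
        return "!intranet!" + req.url
    return ""


def respond(line: str, concurrent: bool) -> str:
    """Build the complete reply line for one input line.

    Malformed input gets a blank (unchanged) reply rather than an exception:
    a helper that dies leaves Squid queueing requests and, with
    redirector_bypass off, exiting with a FATAL error once the queue grows.
    """
    req = parse_request(line, concurrent)
    result = rewrite(req) if req else ""
    if concurrent:
        # Echo the request ID even when the rest of the line was unusable,
        # otherwise Squid cannot pair this reply with its request.
        rid = req.request_id if req else (line.split(" ", 1)[0].strip() or "-")
        return f"{rid} {result}".rstrip(" ") + "\n"
    return result + "\n"


def main() -> None:
    concurrent = "--concurrent" in sys.argv[1:]
    for line in sys.stdin:
        sys.stdout.write(respond(line, concurrent))
        sys.stdout.flush()   # Squid waits for each reply; buffering stalls it


if __name__ == "__main__":
    main()
```

Configured as `url_rewrite_program /path/to/this.py --concurrent` together with `url_rewrite_concurrency 1` or higher, or without the flag when concurrency is 0.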
#  TAG: url_rewrite_host_header
#	By default Squid rewrites any Host: header in redirected
#	requests.  If you are running an accelerator this may
#	not be a wanted effect of a redirector.
#
#	WARNING: Entries are cached on the result of the URL rewriting
#	process, so be careful if you have domain-virtual hosts.
#
#Default:
# url_rewrite_host_header on

#  TAG: url_rewrite_access
#	If defined, this access list specifies which requests are
#	sent to the redirector processes.  By default all requests
#	are sent.
#
#Default:
# none

#  TAG: storeurl_access
#
#
#Default:
# none

#  TAG: redirector_bypass
#	When this is 'on', a request will not go through the
#	redirector if all redirectors are busy.  If this is 'off'
#	and the redirector queue grows too large, Squid will exit
#	with a FATAL error and ask you to increase the number of
#	redirectors.  You should only enable this if the redirectors
#	are not critical to your caching system.  If you use
#	redirectors for access control, and you enable this option,
#	users may have access to pages they should not
#	be allowed to request.
#
#Default:
# redirector_bypass off

#  TAG: location_rewrite_program
#	Specify the location of the executable for the Location rewriter,
#	used to rewrite server generated redirects. Usually used in
#	conjunction with a url_rewrite_program
#
#	For each Location header received the location rewriter will receive
#	one line with the format:
#
#	location URL <SP> requested URL <SP> urlgroup <NL>
#
#	And the rewriter may return a rewritten Location URL or a blank line.
#	The other components of the request line do not need to be returned
#	(ignored if they are).
#
#	By default, a Location rewriter is not used.
#
#Default:
# none

#  TAG: location_rewrite_children
#	The number of location rewriting processes to spawn. If you start
#	too few Squid will have to wait for them to process a backlog of
#	URLs, slowing it down. If you start too many they will use RAM
#	and other system resources.
#
#Default:
# location_rewrite_children 5

#  TAG: location_rewrite_concurrency
#	The number of requests each location rewriter helper can handle in
#	parallel. Defaults to 0 which indicates that the helper
#	is an old-style singlethreaded helper.
#
#Default:
# location_rewrite_concurrency 0

#  TAG: location_rewrite_access
#	If defined, this access list specifies which requests are
#	sent to the location rewriting processes.  By default all Location
#	headers are sent.
#
#Default:
# none

# OPTIONS FOR TUNING THE CACHE
# -----------------------------------------------------------------------------

#  TAG: cache
#	A list of ACL elements which, if matched, cause the request to
#	not be satisfied from the cache and the reply to not be cached.
#	In other words, use this to force certain objects to never be cached.
#
#	You must use the word 'DENY' to indicate the ACL names which should
#	NOT be cached.
#
#	Default is to allow all to be cached.
#
#Default:
# none

#  TAG: max_stale	time-units
#	This option puts an upper limit on how stale content Squid
#	will serve from the cache if cache validation fails.
#
#Default:
# max_stale 1 week
#  TAG: refresh_pattern
#	usage: refresh_pattern [-i] regex min percent max [options]
#
#	By default, regular expressions are CASE-SENSITIVE.  To make
#	them case-insensitive, use the -i option.
#
#	'Min' is the time (in minutes) an object without an explicit
#	expiry time should be considered fresh. The recommended
#	value is 0, any higher values may cause dynamic applications
#	to be erroneously cached unless the application designer
#	has taken the appropriate actions.
#
#	'Percent' is a percentage of the objects age (time since last
#	modification age) an object without explicit expiry time
#	will be considered fresh.
#
#	'Max' is an upper limit on how long objects without an explicit
#	expiry time will be considered fresh.
#
#	options: override-expire
#		 override-lastmod
#		 reload-into-ims
#		 ignore-reload
#		 ignore-no-cache
#		 ignore-private
#		 ignore-auth
#		 stale-while-revalidate=nn
#		 ignore-stale-while-revalidate
#		 max-stale=nn
#		 negative-ttl=nn
#
#		override-expire enforces min age even if the server
#		sent an explicit expiry time (e.g., with the
#		Expires: header or Cache-Control: max-age). Doing this
#		VIOLATES the HTTP standard.  Enabling this feature
#		could make you liable for problems which it causes.
#
#		Note: override-expire does not enforce staleness - it only extends
#		freshness / min. If the server returns an Expires time which
#		is longer than your max time, Squid will still consider
#		the object fresh for that period of time.
#
#		override-lastmod enforces min age even on objects
#		that were modified recently.
#
#		reload-into-ims changes client no-cache or ``reload''
#		to If-Modified-Since requests. Doing this VIOLATES the
#		HTTP standard. Enabling this feature could make you
#		liable for problems which it causes.
#
#		ignore-reload ignores a client no-cache or ``reload''
#		header. Doing this VIOLATES the HTTP standard. Enabling
#		this feature could make you liable for problems which
#		it causes.
#
#		ignore-no-cache ignores any ``Pragma: no-cache'' and
#		``Cache-control: no-cache'' headers received from a server.
#		The HTTP RFC never allows the use of this (Pragma) header
#		from a server, only a client, though plenty of servers
#		send it anyway.
#
#		ignore-private ignores any ``Cache-control: private''
#		headers received from a server. Doing this VIOLATES
#		the HTTP standard. Enabling this feature could make you
#		liable for problems which it causes.
#
#		ignore-auth caches responses to requests with authorization,
#		as if the originserver had sent ``Cache-control: public''
#		in the response header. Doing this VIOLATES the HTTP standard.
#		Enabling this feature could make you liable for problems which
#		it causes.
#
#		stale-while-revalidate=nn makes Squid perform an asynchronous
#		cache validation if the object isn't more stale than nn.
#		Doing this VIOLATES the HTTP standard. Enabling this
#		feature could make you liable for problems which it
#		causes.
#
#		ignore-stale-while-revalidate makes Squid ignore any 'Cache-Control:
#		stale-while-revalidate=nn' headers received from a server. Can be
#		combined with stale-while-revalidate=nn to override the server provided
#		value.
#
#		max-stale=nn provides a maximum staleness factor. Squid won't
#		serve objects more stale than this even if it failed to
#		validate the object.
#
#		negative-ttl=nn overrides the global negative_ttl parameter
#		selectively for URLs matching this pattern (in seconds).
#
#	Basically a cached object is:
#
#		FRESH if expires < now, else STALE
#		STALE if age > max
#		FRESH if lm-factor < percent, else STALE
#		FRESH if age < min
#		else STALE
#
#	The refresh_pattern lines are checked in the order listed here.
#	The first entry which matches is used.  If none of the entries
#	match the default will be used.
#
#	Note, you must uncomment all the default lines if you want
#	to change one. The default setting is only active if none is
#	used.
#
#Suggested default:
refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
refresh_pattern (Release|Package(.gz)*)$	0	20%	2880
# example line for deb packages
#refresh_pattern (\.deb|\.udeb)$   129600 100% 129600
refresh_pattern .		0	20%	4320
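As an added example (not part of the poster's configuration and not Squid's own code), the refresh_pattern rules above carried out in Python: the suggested default lines are parsed, the first matching line is selected (honouring -i), and a cached response is then judged FRESH or STALE in the documented order using its Date, Expires and Last-Modified values. It assumes a pattern without any of the extra options.

```python
"""refresh_pattern matching and the FRESH/STALE decision for a cached object.

Constructed example, not the poster's configuration or Squid's own code.
It applies the rules listed above for a pattern with no extra options:
the first matching refresh_pattern line wins (-i makes its regex
case-insensitive) and the object is then judged in the documented order
(Expires, max, lm-factor, min).  Times are Unix seconds; min and max are
minutes, as in the config file.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class RefreshPattern:
    regex: str
    min_minutes: int
    percent: int
    max_minutes: int
    case_insensitive: bool = False

    def matches(self, url: str) -> bool:
        flags = re.IGNORECASE if self.case_insensitive else 0
        return re.search(self.regex, url, flags) is not None


def parse_refresh_pattern(line: str) -> RefreshPattern:
    """Parse 'refresh_pattern [-i] regex min percent max' (options ignored)."""
    tokens = line.split()
    if not tokens or tokens[0] != "refresh_pattern":
        raise ValueError(f"not a refresh_pattern line: {line!r}")
    tokens = tokens[1:]
    case_insensitive = False
    if tokens and tokens[0] == "-i":
        case_insensitive = True
        tokens = tokens[1:]
    if len(tokens) < 4:
        raise ValueError(f"need regex min percent max: {line!r}")
    regex, min_m, percent, max_m = tokens[:4]
    return RefreshPattern(regex, int(min_m), int(percent.rstrip("%")),
                          int(max_m), case_insensitive)


def load_patterns(config_text: str) -> List[RefreshPattern]:
    """Collect the refresh_pattern lines of a config in file order."""
    return [parse_refresh_pattern(l) for l in config_text.splitlines()
            if l.strip().startswith("refresh_pattern")]


def match_pattern(url: str, patterns: List[RefreshPattern]) -> Optional[RefreshPattern]:
    """The first matching line wins, in the order the file lists them."""
    for p in patterns:
        if p.matches(url):
            return p
    return None


def is_fresh(url, patterns, now, date, expires=None, last_modified=None) -> bool:
    """Decide FRESH (True) or STALE (False) for one cached response.

    date, expires and last_modified are the response's Date, Expires and
    Last-Modified values as Unix seconds (None when the header is absent).
    """
    p = match_pattern(url, patterns)
    if p is None:                        # no line matched: nothing says fresh
        return False
    if expires is not None:              # an explicit expiry time decides alone
        return now < expires
    age = now - date
    if age > p.max_minutes * 60:         # STALE if age > max
        return False
    if last_modified is not None and date > last_modified:
        lm_factor = age / (date - last_modified)   # age as a share of the
        return lm_factor < p.percent / 100          # object's previous lifetime
    if age < p.min_minutes * 60:         # FRESH if age < min
        return True
    return False                         # else STALE


# The suggested default lines from the configuration above.
CONFIG = r"""
refresh_pattern ^ftp:       1440    20%     10080
refresh_pattern ^gopher:    1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
refresh_pattern (Release|Package(.gz)*)$    0   20%     2880
refresh_pattern .           0       20%     4320
"""

if __name__ == "__main__":
    pats = load_patterns(CONFIG)
    now = 1_300_000_000
    url = "http://www.example.com/index.html"
    print(match_pattern(url, pats))
    print("fresh:", is_fresh(url, pats, now, date=now - 6000,
                             last_modified=now - 6000 - 60000))
```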
#  TAG: quick_abort_min	(KB)
#  TAG: quick_abort_max	(KB)
#  TAG: quick_abort_pct	(percent)
#	The cache by default continues downloading aborted requests
#	which are almost completed (less than 16 KB remaining). This
#	may be undesirable on slow (e.g. SLIP) links and/or very busy
#	caches.  Impatient users may tie up file descriptors and
#	bandwidth by repeatedly requesting and immediately aborting
#	downloads.
#
#	When the user aborts a request, Squid will check the
#	quick_abort values against the amount of data transferred until
#	then.
#
#	If the transfer has less than 'quick_abort_min' KB remaining,
#	it will finish the retrieval.
#
#	If the transfer has more than 'quick_abort_max' KB remaining,
#	it will abort the retrieval.
#
#	If more than 'quick_abort_pct' of the transfer has completed,
#	it will finish the retrieval.
#
#	If you do not want any retrieval to continue after the client
#	has aborted, set both 'quick_abort_min' and 'quick_abort_max'
#	to '0 KB'.
#
#	If you want retrievals to always continue if they are being
#	cached set 'quick_abort_min' to '-1 KB'.
#
#Default:
# quick_abort_min 16 KB
# quick_abort_max 16 KB
# quick_abort_pct 95

#  TAG: read_ahead_gap	buffer-size
#	The amount of data the cache will buffer ahead of what has been
#	sent to the client when retrieving an object from another server.
#
#Default:
# read_ahead_gap 16 KB

#  TAG: negative_ttl	time-units
#	Time-to-Live (TTL) for failed requests.  Certain types of
#	failures (such as "connection refused" and "404 Not Found") are
#	negatively-cached for a configurable amount of time.  The
#	default is 5 minutes.  Note that this is different from
#	negative caching of DNS lookups.
#
#Default:
# negative_ttl 5 minutes

#  TAG: positive_dns_ttl	time-units
#	Upper limit on how long Squid will cache positive DNS responses.
#	Default is 6 hours (360 minutes). This directive must be set
#	larger than negative_dns_ttl.
#
#Default:
# positive_dns_ttl 6 hours

#  TAG: negative_dns_ttl	time-units
#	Time-to-Live (TTL) for negative caching of failed DNS lookups.
#	This also sets the lower cache limit on positive lookups.
#	Minimum value is 1 second, and it is not recommendable to go
#	much below 10 seconds.
#
#Default:
# negative_dns_ttl 1 minute

#  TAG: range_offset_limit	(bytes)
#	Sets an upper limit on how far into the file a Range request
#	may be to cause Squid to prefetch the whole file. If beyond this
#	limit Squid forwards the Range request as it is and the result
#	is NOT cached.
#
#	This is to stop a far ahead range request (lets say start at 17MB)
#	from making Squid fetch the whole object up to that point before
#	sending anything to the client.
#
#	A value of -1 causes Squid to always fetch the object from the
#	beginning so it may cache the result. (2.0 style)
#
#	A value of 0 causes Squid to never fetch more than the
#	client requested. (default)
#
#Default:
# range_offset_limit 0 KB

#  TAG: minimum_expiry_time	(seconds)
#	The minimum caching time according to (Expires - Date)
#	headers Squid honors if the object can't be revalidated
#	defaults to 60 seconds. In reverse proxy environments it
#	might be desirable to honor shorter object lifetimes. It
#	is most likely better to make your server return a
#	meaningful Last-Modified header however.
#
#Default:
# minimum_expiry_time 60 seconds

#  TAG: store_avg_object_size	(kbytes)
#	Average object size, used to estimate number of objects your
#	cache can hold.  The default is 13 KB.
#
#Default:
# store_avg_object_size 13 KB

#  TAG: store_objects_per_bucket
#	Target number of objects per bucket in the store hash table.
#	Lowering this value increases the total number of buckets and
#	also the storage maintenance rate.  The default is 20.
#
#Default:
# store_objects_per_bucket 20
# HTTP OPTIONS
# -----------------------------------------------------------------------------

#  TAG: request_header_max_size	(KB)
#	This specifies the maximum size for HTTP headers in a request.
#	Request headers are usually relatively small (about 512 bytes).
#	Placing a limit on the request header size will catch certain
#	bugs (for example with persistent connections) and possibly
#	buffer-overflow or denial-of-service attacks.
#
#Default:
# request_header_max_size 20 KB

#  TAG: reply_header_max_size	(KB)
#	This specifies the maximum size for HTTP headers in a reply.
#	Reply headers are usually relatively small (about 512 bytes).
#	Placing a limit on the reply header size will catch certain
#	bugs (for example with persistent connections) and possibly
#	buffer-overflow or denial-of-service attacks.
#
#Default:
# reply_header_max_size 20 KB

#  TAG: request_body_max_size	(KB)
#	This specifies the maximum size for an HTTP request body.
#	In other words, the maximum size of a PUT/POST request.
#	A user who attempts to send a request with a body larger
#	than this limit receives an "Invalid Request" error message.
#	If you set this parameter to a zero (the default), there will
#	be no limit imposed.
#
#Default:
# request_body_max_size 0 KB

#  TAG: broken_posts
#	A list of ACL elements which, if matched, causes Squid to send
#	an extra CRLF pair after the body of a PUT/POST request.
#
#	Some HTTP servers have broken implementations of PUT/POST,
#	and rely on an extra CRLF pair sent by some WWW clients.
#
#	Quote from RFC2616 section 4.1 on this matter:
#
#	  Note: certain buggy HTTP/1.0 client implementations generate an
#	  extra CRLF's after a POST request. To restate what is explicitly
#	  forbidden by the BNF, an HTTP/1.1 client must not preface or follow
#	  a request with an extra CRLF.
#
#Example:
# acl buggy_server url_regex ^http://....
# broken_posts allow buggy_server
#
#Default:
# none

#  TAG: upgrade_http0.9
#	This access list controls when HTTP/0.9 responses are upgraded
#	to our current HTTP version. The default is to always upgrade.
#
#	Some applications expect to be able to respond with non-HTTP
#	responses and clients get confused if the response is upgraded.
#	For example Shoutcast servers used for MP3 streaming.
#
#	To enable flexibility in the detection of such applications
#	the first line of the response is available in the internal header
#	X-HTTP09-First-Line for use in a rep_header acl.
#
# Don't upgrade ShoutCast responses to HTTP
acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
upgrade_http0.9 deny shoutcast

#  TAG: via	on|off
#	If set (default), Squid will include a Via header in requests and
#	replies as required by RFC2616.
#
#Default:
# via on

#  TAG: cache_vary
#	When 'cache_vary' is set to off, responses which have a
#	Vary header will not be stored in the cache.
#
#Default:
# cache_vary on

#  TAG: broken_vary_encoding
#	Many servers have broken support for on-the-fly Content-Encoding,
#	returning the same ETag on both plain and gzip:ed variants.
#	Vary replies matching this access list will have the cache split
#	on the Accept-Encoding header of the request and not trust the
#	ETag to be unique.
#
# Apache mod_gzip and mod_deflate are known to be broken so don't trust
# Apache to signal ETag correctly on such responses
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache

#  TAG: collapsed_forwarding	(on|off)
#	This option enables multiple requests for the same URI to be
#	processed as one request. Normally disabled to avoid increased
#	latency on dynamic content, but there can be benefit from enabling
#	this in accelerator setups where the web servers are the bottleneck
#	and reliable and return mostly cacheable information.
#
#Default:
# collapsed_forwarding off

#  TAG: refresh_stale_hit	(time)
#	This option changes the refresh algorithm to allow concurrent
#	requests while an object is being refreshed to be processed as
#	cache hits if the object expired less than X seconds ago.  Default
#	is 0 to disable this feature. This option is mostly interesting
#	in accelerator setups where a few objects are accessed very
#	frequently.
#
#Default:
# refresh_stale_hit 0 seconds

#  TAG: ie_refresh	on|off
#	Microsoft Internet Explorer up until version 5.5 Service
#	Pack 1 has an issue with transparent proxies, wherein it
#	is impossible to force a refresh.  Turning this on provides
#	a partial fix to the problem, by causing IMS-refresh
#	requests from older IE versions to check the origin server
#	for fresh content. This reduces hit ratio by some amount
#	(~10% in my experience), but allows users to actually get
#	fresh content when they want it. Note because Squid
#	cannot tell if the user is using 5.5 or 5.5SP1, the behavior
#	of 5.5 is unchanged from old versions of Squid (i.e. a
#	forced refresh is impossible). Newer versions of IE will,
#	hopefully, continue to have the new behavior and will be
#	handled based on that assumption. This option defaults to
#	the old Squid behavior, which is better for hit ratios but
#	worse for clients using IE, if they need to be able to
#	force fresh content.
#
#Default:
# ie_refresh off

#  TAG: vary_ignore_expire	on|off
#	Many HTTP servers supporting Vary give such objects an
#	immediate expiry time with no Cache-Control header
#	when requested by a HTTP/1.0 client. This option
#	enables Squid to ignore such expiry times until
#	HTTP/1.1 is fully implemented.
#	WARNING: This may eventually cause some varying
#	objects not intended for caching to get cached.
#
#Default:
# vary_ignore_expire off

#  TAG: extension_methods
#	Squid only knows about standardized HTTP request methods.
#	You can add up to 20 additional "extension" methods here.
extension_methods REPORT MERGE MKACTIVITY CHECKOUT

#  TAG: request_entities
#	Squid defaults to deny GET and HEAD requests with request entities,
#	as the meaning of such requests is undefined in the HTTP standard
#	even if not explicitly forbidden.
#
#	Set this directive to on if you have clients which insist
#	on sending request entities in GET or HEAD requests. But be warned
#	that there is server software (both proxies and web servers) which
#	can fail to properly process this kind of request, which may make you
#	vulnerable to cache pollution attacks if enabled.
#
#Default:
# request_entities off
#  TAG: header_access
#	Usage: header_access header_name allow|deny [!]aclname ...
#
#	WARNING: Doing this VIOLATES the HTTP standard.  Enabling
#	this feature could make you liable for problems which it
#	causes.
#
#	This option replaces the old 'anonymize_headers' and the
#	older 'http_anonymizer' option with something that is much
#	more configurable. This new method creates a list of ACLs
#	for each header, allowing you very fine-tuned header
#	mangling.
#
#	You can only specify known headers for the header name.
#	Other headers are reclassified as 'Other'. You can also
#	refer to all the headers with 'All'.
#
#	For example, to achieve the same behavior as the old
#	'http_anonymizer standard' option, you should use:
#
#		header_access From deny all
#		header_access Referer deny all
#		header_access Server deny all
#		header_access User-Agent deny all
#		header_access WWW-Authenticate deny all
#		header_access Link deny all
#
#	Or, to reproduce the old 'http_anonymizer paranoid' feature
#	you should use:
#
#		header_access Allow allow all
#		header_access Authorization allow all
#		header_access WWW-Authenticate allow all
#		header_access Proxy-Authorization allow all
#		header_access Proxy-Authenticate allow all
#		header_access Cache-Control allow all
#		header_access Content-Encoding allow all
#		header_access Content-Length allow all
#		header_access Content-Type allow all
#		header_access Date allow all
#		header_access Expires allow all
#		header_access Host allow all
#		header_access If-Modified-Since allow all
#		header_access Last-Modified allow all
#		header_access Location allow all
#		header_access Pragma allow all
#		header_access Accept allow all
#		header_access Accept-Charset allow all
#		header_access Accept-Encoding allow all
#		header_access Accept-Language allow all
#		header_access Content-Language allow all
#		header_access Mime-Version allow all
#		header_access Retry-After allow all
#		header_access Title allow all
#		header_access Connection allow all
#		header_access Proxy-Connection allow all
#		header_access All deny all
#
#	By default, all headers are allowed (no anonymizing is
#	performed).
#
#Default:
# none

#  TAG: header_replace
#	Usage:   header_replace header_name message
#	Example: header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit)
#
#	This option allows you to change the contents of headers
#	denied with header_access above, by replacing them with
#	some fixed string. This replaces the old fake_user_agent
#	option.
#
#	By default, headers are removed if denied.
#
#Default:
# none

#  TAG: relaxed_header_parser	on|off|warn
#	In the default "on" setting Squid accepts certain forms
#	of non-compliant HTTP messages where it is unambiguous
#	what the sending application intended even if the message
#	is not correctly formatted. The messages are then normalized
#	to the correct form when forwarded by Squid.
#
#	If set to "warn" then a warning will be emitted in cache.log
#	each time such an HTTP error is encountered.
#
#	If set to "off" then such HTTP errors will cause the request
#	or response to be rejected.
#
#Default:
# relaxed_header_parser on

#  TAG: server_http11	on|off
#	This option enables the use of HTTP/1.1 on outgoing "direct" requests.
#	See also the http11 cache_peer option.
#	Note: The HTTP/1.1 support is still incomplete, with an
#	internal HTTP/1.0 hop. As a result 1xx responses will not
#	be forwarded.
#
#Default:
# server_http11 off

#  TAG: ignore_expect_100	on|off
#	This option makes Squid ignore any Expect: 100-continue header present
#	in the request.
#	Note: Enabling this is an HTTP protocol violation, and some clients may
#	not handle it well..
#
#Default:
# ignore_expect_100 off
# tag: external_refresh_check
# This option defines an external helper for determining whether to
# refresh a stale response. It is called when Squid receives a
# request for a cached response that is stale; the helper can either
# confirm that the response is stale with a STALE response, or
# extend the freshness of the response (thereby avoiding a refresh
# check) with a FRESH response, along with a freshness=nnn keyword.
#
# external_refresh_check [options] FORMAT.. /path/to/helper [helper_args]
#
# If present, helper_args are passed to the helper on the command
# line verbatim.
#
# Options:
#
# children=n Number of processes to spawn to service external
# refresh checks (default 5).
# concurrency=n Concurrency level per process. Only used with
# helpers capable of processing more than one query
# at a time.
#
# When using the concurrency option, the protocol is changed by introducing
# a query channel tag in front of the request/response. The query channel
# tag is a number between 0 and concurrency-1.
#
# FORMAT specifications:
#
# %CACHE_URI The URI of the cached response
# %RES{Header} HTTP response header value
# %AGE The age of the cached response
#
# The request sent to the helper consists of the data in the format
# specification, in the order specified.
#
# The helper receives lines per the above format specification, and
# returns lines starting with OK or ERR indicating the validity of
# the request, optionally followed by additional keywords with
# more details. URL escaping is used to protect each value in both
# requests and responses.
#
# General result syntax:
#
# FRESH / STALE keyword=value ...
#
# Defined keywords:
#
# freshness=nnn The number of seconds to extend the freshness of
# the response by.
# log=string String to be logged in access.log. Available as
# %ef in logformat specifications.
# res{Header}=value
# Value to update response headers with. If already
# present, the supplied value completely replaces the
# cached value.
#
# In the event of a helper-related error (e.g., overload), Squid
# always defaults to STALE.
#
#default:
# none
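The helper side of the exchange described above, written here as an added example (it is not part of squid.conf or the Squid project). It assumes a directive of the form `external_refresh_check concurrency=4 %CACHE_URI %RES{Cache-Control} %AGE /path/to/helper`; the freshness policy it applies (extend public responses younger than an hour by five minutes) is a constructed policy for illustration, not a Squid default.

```python
"""Minimal external_refresh_check helper logic for Squid 2.7.

Added example, not code from squid.conf or the Squid project. Squid sends
one URL-escaped field per FORMAT token; the helper answers FRESH or STALE
with optional keyword=value pairs. With concurrency=n every line carries
a leading channel tag (0..n-1) that must be echoed back unchanged.
"""
import sys
from urllib.parse import quote, unquote

# Constructed policy knobs (assumptions for this example, not Squid defaults).
MAX_AGE_TO_EXTEND = 3600   # only extend responses younger than this (seconds)
EXTENSION = 300            # seconds of extra freshness handed back to Squid


def parse_request(line, concurrency=True):
    """Split one request line into (channel, fields).

    channel is None when the concurrency option is not in use. Each field is
    URL-unescaped because Squid escapes every value before sending it.
    """
    parts = line.rstrip("\n").split(" ")
    channel = None
    if concurrency:
        channel = int(parts[0])
        parts = parts[1:]
    return channel, [unquote(p) for p in parts]


def decide(cache_uri, cache_control, age):
    """Return (verdict, keywords) for one cached response.

    verdict is "FRESH" or "STALE"; keywords become the keyword=value tail.
    """
    try:
        age_s = int(age)
    except ValueError:
        # Malformed %AGE: never extend something we cannot reason about.
        return "STALE", {"log": "bad-age"}
    directives = {d.strip().lower() for d in cache_control.split(",")}
    if "public" in directives and age_s < MAX_AGE_TO_EXTEND:
        return "FRESH", {"freshness": str(EXTENSION), "log": "extended"}
    return "STALE", {"log": "revalidate"}


def format_response(channel, verdict, keywords):
    """Build the response line, URL-escaping values as the protocol requires."""
    tail = " ".join(f"{k}={quote(v, safe='')}" for k, v in sorted(keywords.items()))
    body = f"{verdict} {tail}".strip()
    return body if channel is None else f"{channel} {body}"


def handle_line(line, concurrency=True):
    """Full round trip for one request line; this is what the main loop calls."""
    channel, fields = parse_request(line, concurrency)
    if len(fields) != 3:
        # A wrong field count means the FORMAT in squid.conf does not match
        # what this helper expects; STALE is the safe answer.
        return format_response(channel, "STALE", {"log": "bad-format"})
    verdict, keywords = decide(*fields)
    return format_response(channel, verdict, keywords)


def main():
    # Squid keeps the helper running and feeds one request per line;
    # stdout must be flushed after every answer or Squid will stall.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```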
# timeouts
# -----------------------------------------------------------------------------
# tag: forward_timeout time-units
# This parameter specifies how long Squid should at most attempt
# finding a forwarding path for the request before giving up.
#
#default:
# forward_timeout 4 minutes
# tag: connect_timeout time-units
# This parameter specifies how long to wait for the TCP connect to
# the requested server or peer to complete before Squid should
# attempt to find another path where to forward the request.
#
#default:
# connect_timeout 1 minute
# tag: peer_connect_timeout time-units
# This parameter specifies how long to wait for a pending TCP
# connection to a peer cache. The default is 30 seconds. You
# may also set different timeout values for individual neighbors
# with the 'connect-timeout' option on a 'cache_peer' line.
#
#default:
# peer_connect_timeout 30 seconds
# tag: read_timeout time-units
# The read_timeout is applied on server-side connections. After
# each successful read(), the timeout is extended by this
# amount. If no data is read again after this amount of time,
# the request is aborted and logged with ERR_READ_TIMEOUT. The
# default is 15 minutes.
#
#default:
# read_timeout 15 minutes
# tag: request_timeout
# How long to wait for an HTTP request after initial
# connection establishment.
#
#default:
# request_timeout 5 minutes
# tag: persistent_request_timeout
# How long to wait for the next HTTP request on a persistent
# connection after the previous request completes.
#
#default:
# persistent_request_timeout 2 minutes
# tag: client_lifetime time-units
# The maximum amount of time a client (browser) is allowed to
# remain connected to the cache process. This protects the cache
# from having a lot of sockets (and hence file descriptors) tied up
# in a CLOSE_WAIT state from remote clients that go away without
# properly shutting down (either because of a network failure or
# because of a poor client implementation). The default is one
# day, 1440 minutes.
#
# Note: the default value is intended to be much larger than any
# client would ever need to be connected to your cache. You
# should probably change client_lifetime only as a last resort.
# If you seem to have many client connections tying up
# file descriptors, we recommend first tuning the read_timeout,
# request_timeout, persistent_request_timeout and quick_abort values.
#
#default:
# client_lifetime 1 day
# tag: half_closed_clients
# Some clients may shut down the sending side of their TCP
# connections while leaving the receiving side open. Sometimes
# Squid cannot tell the difference between a half-closed and a
# fully-closed TCP connection. By default, half-closed client
# connections are kept open until a read(2) or write(2) on the
# socket returns an error. Change this option to 'off' and Squid
# will immediately close client connections when read(2) returns
# "no more data to read."
#
#default:
# half_closed_clients on
# tag: pconn_timeout
# Timeout for idle persistent connections to servers and other
# proxies.
#
#default:
# pconn_timeout 1 minute
# tag: ident_timeout
# Maximum time to wait for IDENT lookups to complete.
#
# If this is too high, and you enabled IDENT lookups from untrusted
# users, you might be susceptible to denial of service by having
# many ident requests going at once.
#
#default:
# ident_timeout 10 seconds
# tag: shutdown_lifetime time-units
# When SIGTERM or SIGHUP is received, the cache is put into
# "shutdown pending" mode until all active sockets are closed.
# This value is the lifetime set for all open descriptors
# during shutdown mode. Any active clients after this many
# seconds receive a 'timeout' message.
#
#default:
# shutdown_lifetime 30 seconds
# administrative parameters
# -----------------------------------------------------------------------------
# tag: cache_mgr
# email-address of local cache manager receive
# mail if cache dies. default "webmaster".
#
#default:
# cache_mgr webmaster
# tag: mail_from
# from: email-address mail sent when cache dies.
# default use 'appname@unique_hostname'.
# default appname value "squid", can changed into
# src/globals.h before building squid.
#
#default:
# none
# tag: mail_program
# email program used send mail if cache dies.
# default "mail". specified program must comply
# standard unix mail syntax:
# mail-program recipient < mailfile
#
# optional command line options can specified.
#
#default:
# mail_program mail
# tag: cache_effective_user
# if start squid root, change effective/real
# uid/gid user specified below. default change
# uid proxy. if define cache_effective_user, not
# cache_effective_group, squid sets gid effective
# user's default group id (taken password file) and
# supplementary group list from groups membership of
# cache_effective_user.
#
#default:
# cache_effective_user proxy
# tag: cache_effective_group
# if want squid run specific gid regardless of
# group memberships of effective user set this
# group (or gid) want squid run as. when set
# other group privileges of effective user ignored
# , gid effective. if squid not started as
# root user starting squid must member of specified
# group.
#
#default:
# none
# tag: httpd_suppress_version_string on|off
# suppress squid version string info in http headers , html error pages.
#
#default:
# httpd_suppress_version_string off
# tag: visible_hostname
# if want present special hostname in error messages, etc,
# define this. otherwise, return value of gethostname()
# used. if have multiple caches in cluster and
# errors ip-forwarding must set them have individual
# names setting.
#
#default:
# none
# tag: unique_hostname
# if want have multiple machines same
# 'visible_hostname' must give each machine different
# 'unique_hostname' forwarding loops can detected.
#
#default:
# none
# tag: hostname_aliases
# list of other dns names cache has.
#
#default:
# none
# tag: umask
# minimum umask should enforced while proxy
# running, in addition umask set @ startup.
#
# note: should start 0 indicate normal octal
# representation of umasks
#
#default:
# umask 027
# options cache registration service
# -----------------------------------------------------------------------------
#
# section contains parameters (optional) cache
# announcement service. service provided help
# cache administrators locate 1 in order join or
# create cache hierarchies.
#
# 'announcement' message sent (via udp) registration
# service squid. default, announcement message not
# sent unless enable 'announce_period' below.
#
# announcement message includes hostname, plus the
# following information configuration file:
#
# http_port
# icp_port
# cache_mgr
#
# current information processed regularly , made
# available on web @ http://www.ircache.net/cache/tracker/.
# tag: announce_period
# how send cache announcements. the
# default `0' disables sending announcement
# messages.
#
# enable announcing cache, uncomment line
# below.
#
#default:
# announce_period 0
#
#to enable announcing cache, uncomment line below.
#announce_period 1 day
# tag: announce_host
# tag: announce_file
# tag: announce_port
# announce_host , announce_port set hostname , port
# number registration message sent.
#
# hostname default 'tracker.ircache.net' , port will
# default default 3131. if 'filename' argument given,
# contents of file included in announce
# message.
#
#default:
# announce_host tracker.ircache.net
# announce_port 3131
# httpd-accelerator options
# -----------------------------------------------------------------------------
# tag: httpd_accel_no_pmtu_disc on|off
# in many setups of transparently intercepting proxies path-mtu
# discovery can not work on traffic towards clients. is
# case when intercepting device not track
# connections , fails forward icmp must fragment messages
# cache server.
#
# if have such setup , experience clients
# sporadically hang or never complete requests set on.
#
#default:
# httpd_accel_no_pmtu_disc off
# delay pool parameters
# -----------------------------------------------------------------------------
# tag: delay_pools
# This represents the number of delay pools to be used. For example,
# if you have one class 2 delay pool and one class 3 delay pool, you
# have a total of 2 delay pools.
#
#default:
# delay_pools 0
# tag: delay_class
# This defines the class of each delay pool. There must be exactly one
# delay_class line for each delay pool. For example, to define two
# delay pools, one of class 2 and one of class 3, the settings above
# and here would be:
#
#example:
# delay_pools 2 # 2 delay pools
# delay_class 1 2 # pool 1 is a class 2 pool
# delay_class 2 3 # pool 2 is a class 3 pool
#
# The delay pool classes are:
#
# class 1 Everything is limited by a single aggregate
# bucket.
#
# class 2 Everything is limited by a single aggregate
# bucket as well as an "individual" bucket chosen
# from bits 25 through 32 of the IP address.
#
# class 3 Everything is limited by a single aggregate
# bucket as well as a "network" bucket chosen
# from bits 17 through 24 of the IP address and an
# "individual" bucket chosen from bits 17 through
# 32 of the IP address.
#
# Note: if the IP address is a.b.c.d
# -> bits 25 through 32 are "d"
# -> bits 17 through 24 are "c"
# -> bits 17 through 32 are "c * 256 + d"
#
#default:
# none
# tag: delay_access
# This is used to determine which delay pool a request falls into.
#
# delay_access is sorted per pool and matching starts with pool 1,
# then pool 2, ..., and finally pool N. The first delay pool where the
# request is allowed is selected for the request. If no pool allows
# the request, the request is not delayed (default).
#
# For example, if you want some_big_clients in delay
# pool 1 and lotsa_little_clients in delay pool 2:
#
#example:
# delay_access 1 allow some_big_clients
# delay_access 1 deny all
# delay_access 2 allow lotsa_little_clients
# delay_access 2 deny all
#
#default:
# none
# tag: delay_parameters
# This defines the parameters for a delay pool. Each delay pool has
# a number of "buckets" associated with it, as explained in the
# description of delay_class. For a class 1 delay pool, the syntax is:
#
#delay_parameters pool aggregate
#
# For a class 2 delay pool:
#
#delay_parameters pool aggregate individual
#
# For a class 3 delay pool:
#
#delay_parameters pool aggregate network individual
#
# The variables here are:
#
# pool a pool number - i.e., a number between 1 and the
# number specified in delay_pools, as used in the
# delay_class lines.
#
# aggregate the "delay parameters" for the aggregate bucket
# (class 1, 2, 3).
#
# individual the "delay parameters" for the individual
# buckets (class 2, 3).
#
# network the "delay parameters" for the network buckets
# (class 3).
#
# A pair of delay parameters is written restore/maximum, where restore is
# the number of bytes (not bits - modem and network speeds are usually
# quoted in bits) per second placed into the bucket, and maximum is the
# maximum number of bytes which can be in the bucket at any time.
#
# For example, if delay pool number 1 is a class 2 delay pool as in the
# above example, and is being used to strictly limit each host to 64kbps
# (plus overheads), with no overall limit, the line is:
#
#delay_parameters 1 -1/-1 8000/8000
#
# Note that the figure -1 is used to represent "unlimited".
#
# And, if delay pool number 2 is a class 3 delay pool as in the above
# example, and you want to limit it to a total of 256kbps (strict limit)
# with each 8-bit network permitted 64kbps (strict limit) and each
# individual host permitted 4800bps with a bucket maximum size of 64kb
# to permit a decent web page to be downloaded at a decent speed
# (if the network is not being limited due to overuse) but slow down
# large downloads more significantly:
#
#delay_parameters 2 32000/32000 8000/8000 600/8000
#
# There must be one delay_parameters line for each delay pool.
#
#default:
# none
# tag: delay_initial_bucket_level (percent, 0-100)
# The initial bucket percentage is used to determine how much is put
# in each bucket when Squid starts, is reconfigured, or first notices
# a host accessing it (in class 2 and class 3, individual hosts and
# networks only have buckets associated with them once they have been
# "seen" by Squid).
#
#default:
# delay_initial_bucket_level 50
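A model of the bucket selection and restore/maximum arithmetic described in the delay pool section above, added here as an example (not code from squid.conf or the Squid project). It parses the `delay_parameters` lines quoted above and shows which buckets a client address lands in for class 2 and class 3; the refill model is a deliberate simplification of Squid's scheduler, used only to make the numbers visible.

```python
"""Model of Squid delay pool bucket selection and token refill.

Added example, not code from squid.conf or the Squid project. Simplified
model: restore bytes per second are added once per tick and clipped at
maximum; a request is granted min(wanted, every bucket's balance).
"""
from ipaddress import IPv4Address

UNLIMITED = -1


def bucket_keys(ip, klass):
    """Return the bucket identifiers a client address maps to for a pool class.

    Bits are numbered 1..32 from the most significant end, as squid.conf
    does, so for a.b.c.d: bits 25-32 are d, bits 17-24 are c.
    """
    a, b, c, d = IPv4Address(ip).packed
    keys = {"aggregate": "all"}
    if klass == 2:
        keys["individual"] = d
    elif klass == 3:
        keys["network"] = c
        keys["individual"] = c * 256 + d
    elif klass != 1:
        raise ValueError(f"unsupported delay_class {klass}")
    return keys


def parse_parameters(line):
    """Parse 'delay_parameters <pool> restore/max ...' into (pool, [(restore, max), ...])."""
    fields = line.split()
    if fields[0] != "delay_parameters":
        raise ValueError("not a delay_parameters line")
    pool = int(fields[1])
    pairs = []
    for spec in fields[2:]:
        restore, maximum = spec.split("/")
        pairs.append((int(restore), int(maximum)))
    return pool, pairs


class DelayPool:
    """One delay pool: its class, restore/maximum pairs and live bucket balances."""

    BUCKET_ORDER = {1: ["aggregate"], 2: ["aggregate", "individual"],
                    3: ["aggregate", "network", "individual"]}

    def __init__(self, klass, pairs, initial_level=50):
        names = self.BUCKET_ORDER[klass]
        if len(pairs) != len(names):
            raise ValueError(f"class {klass} needs {len(names)} restore/max pairs")
        self.klass = klass
        self.params = dict(zip(names, pairs))
        self.initial_level = initial_level   # delay_initial_bucket_level
        self.balance = {}  # (bucket name, key) -> bytes currently in the bucket

    def _ensure(self, name, key):
        # Buckets appear the first time a host/network is "seen", filled to
        # delay_initial_bucket_level percent of their maximum.
        restore, maximum = self.params[name]
        if (name, key) not in self.balance and maximum != UNLIMITED:
            self.balance[(name, key)] = maximum * self.initial_level // 100

    def tick(self, seconds=1):
        """Add restore*seconds to every known bucket, clipped at maximum."""
        for (name, key), have in self.balance.items():
            restore, maximum = self.params[name]
            self.balance[(name, key)] = min(maximum, have + restore * seconds)

    def grant(self, ip, wanted):
        """Return how many of `wanted` bytes may be sent to `ip` right now."""
        keys = bucket_keys(ip, self.klass)
        allowed = wanted
        for name, key in keys.items():
            restore, maximum = self.params[name]
            if maximum == UNLIMITED:
                continue  # -1/-1: this bucket never limits anything
            self._ensure(name, key)
            allowed = min(allowed, self.balance[(name, key)])
        for name, key in keys.items():
            if self.params[name][1] != UNLIMITED:
                self.balance[(name, key)] -= allowed
        return allowed
```

With the class 3 line from the text, two hosts in the same /24 share the 8000-byte network bucket, so the second host is starved until the next refill, while the class 2 line `-1/-1 8000/8000` limits each host independently.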
# wccpv1 , wccpv2 configuration options
# -----------------------------------------------------------------------------
# tag: wccp_router
# tag: wccp2_router
# use option define wccp ``home'' router for
# squid.
#
# wccp_router supports single wccp(v1) router
#
# wccp2_router supports multiple wccpv2 routers
#
# 1 of 2 may used @ same time , defines
# version of wccp use.
#
#default:
# wccp_router 0.0.0.0
# tag: wccp_version
# directive relevant if need set wccp(v1)
# old , end-of-life cisco routers. in other
# setups must left unset or @ default setting.
# defines internal version in wccp(v1) protocol,
# version 4 being officially documented protocol.
#
# according users, cisco ios 11.2 , earlier only
# support wccp version 3. if you're using or earlier
# version of ios, may need change value 3, otherwise
# not specify parameter.
#
#default:
# wccp_version 4
# tag: wccp2_rebuild_wait
# if enabled squid wait cache dir rebuild finish
# before sending first wccp2 hereiam packet
#
#default:
# wccp2_rebuild_wait on
# tag: wccp2_forwarding_method
# wccp2 allows setting of forwarding methods between the
# router/switch , cache. valid values follows:
#
# 1 - gre encapsulation (forward packet in gre/wccp tunnel)
# 2 - l2 redirect (forward packet using layer 2/mac rewriting)
#
# (as of ios 12.4) cisco routers support gre.
# cisco switches support l2 redirect assignment method.
#
#default:
# wccp2_forwarding_method 1
# tag: wccp2_return_method
# wccp2 allows setting of return methods between the
# router/switch , cache packets cache
# decides not handle. valid values follows:
#
# 1 - gre encapsulation (forward packet in gre/wccp tunnel)
# 2 - l2 redirect (forward packet using layer 2/mac rewriting)
#
# (as of ios 12.4) cisco routers support gre.
# cisco switches support l2 redirect assignment.
#
# if "ip wccp redirect exclude in" command has been
# enabled on cache interface, still safe for
# proxy server use l2 redirect method if this
# option set gre.
#
#default:
# wccp2_return_method 1
# tag: wccp2_assignment_method
# wccp2 allows setting of methods assign wccp hash
# valid values follows:
#
# 1 - hash assignment
# 2 - mask assignment
#
# general rule, cisco routers support hash assignment method
# , cisco switches support mask assignment method.
#
#default:
# wccp2_assignment_method 1
# tag: wccp2_service
# wccp2 allows multiple traffic services. there two
# types: "standard" , "dynamic". standard type defines
# 1 service id - http (id 0). dynamic service ids can from
# 51 255 inclusive. in order use dynamic service id
# 1 must define type of traffic redirected; done
# using wccp2_service_info option.
#
# "standard" type not require wccp2_service_info option,
# specifying service id suffice.
#
# md5 service authentication can enabled adding
# "password=<password>" end of service declaration.
#
# examples:
#
# wccp2_service standard 0 # 'web-cache' standard service
# wccp2_service dynamic 80 # dynamic service type be
# # fleshed out subsequent options.
# wccp2_service standard 0 password=foo
#
#
#default:
# wccp2_service standard 0
# tag: wccp2_service_info
# dynamic wccpv2 services require further information define the
# traffic wish have diverted.
#
# format is:
#
# wccp2_service_info <id> protocol=<protocol> flags=<flag>,<flag>..
# priority=<priority> ports=<port>,<port>..
#
# relevant wccpv2 flags:
# + src_ip_hash, dst_ip_hash
# + source_port_hash, dst_port_hash
# + src_ip_alt_hash, dst_ip_alt_hash
# + src_port_alt_hash, dst_port_alt_hash
# + ports_source
#
# port list can 1 8 entries.
#
# example:
#
# wccp2_service_info 80 protocol=tcp flags=src_ip_hash,ports_source
# priority=240 ports=80
#
# note: service id must have been defined previous
# 'wccp2_service dynamic <id>' entry.
#
#default:
# none
# tag: wccp2_weight
# each cache server gets assigned set of destination
# hash proportional weight.
#
#default:
# wccp2_weight 10000
# tag: wccp_address
# tag: wccp2_address
# use option if require wccp use specific
# interface address.
#
# default behavior not bind specific address.
#
#default:
# wccp_address 0.0.0.0
# wccp2_address 0.0.0.0
# persistent connection handling
# -----------------------------------------------------------------------------
#
# see "pconn_timeout" in timeouts section
# tag: client_persistent_connections
# tag: server_persistent_connections
# persistent connection support clients , servers. by
# default, squid uses persistent connections (when allowed)
# clients , servers. can use these options to
# disable persistent connections clients and/or servers.
#
#default:
# client_persistent_connections on
# server_persistent_connections on
# tag: persistent_connection_after_error
# directive use of persistent connections after
# http errors can disabled. useful if have clients
# fail handle errors on persistent connections proper.
#
#default:
# persistent_connection_after_error off
# tag: detect_broken_pconn
# servers have been found incorrectly signal use
# of http/1.0 persistent connections on replies not
# compatible, causing significant delays. server problem
# has been seen on redirects.
#
# enabling directive squid attempts detect such
# broken replies , automatically assume reply finished
# after 10 seconds timeout.
#
#default:
# detect_broken_pconn off
# cache digest options
# -----------------------------------------------------------------------------
# tag: digest_generation
# controls whether server generate cache digest
# of contents.
#
#default:
# digest_generation on
# tag: digest_bits_per_entry
# number of bits of server's cache digest which
# associated digest entry given http
# method , url (public key) combination. default 5.
#
#default:
# digest_bits_per_entry 5
# tag: digest_rebuild_period (seconds)
# wait time between cache digest rebuilds.
#
#default:
# digest_rebuild_period 1 hour
# tag: digest_rewrite_period (seconds)
# wait time between cache digest writes disk.
#
#default:
# digest_rewrite_period 1 hour
# tag: digest_swapout_chunk_size (bytes)
# number of bytes of cache digest write to
# disk @ time. defaults 4096 bytes (4kb), squid
# default swap page.
#
#default:
# digest_swapout_chunk_size 4096 bytes
# tag: digest_rebuild_chunk_percentage (percent, 0-100)
# percentage of cache digest scanned @ a
# time. default set 10% of cache digest.
#
#default:
# digest_rebuild_chunk_percentage 10
# snmp options
# -----------------------------------------------------------------------------
# tag: snmp_port
# squid can serve statistics , status information via snmp.
# default listens port 3401 on machine. if don't
# wish use snmp, set "0".
#
# note: on debian/linux, default 0 - need to
# set 3401 enable it.
#
#default:
# snmp_port 0
# tag: snmp_access
# allowing or denying access snmp port.
#
# access agent denied default.
# usage:
#
# snmp_access allow|deny [!]aclname ...
#
#example:
# snmp_access allow snmppublic localhost
# snmp_access deny all
#
#default:
# snmp_access deny all
# tag: snmp_incoming_address
# tag: snmp_outgoing_address
# 'udp_incoming_address' above, snmp port.
#
# snmp_incoming_address used snmp socket receiving
# messages snmp agents.
# snmp_outgoing_address used snmp packets returned snmp
# agents.
#
# default snmp_incoming_address (0.0.0.0) listen on all
# available network interfaces.
#
# if snmp_outgoing_address set 255.255.255.255 (the default)
# use same socket snmp_incoming_address. only
# change if want have snmp replies sent using another
# address squid listens snmp queries.
#
# note, snmp_incoming_address , snmp_outgoing_address can not have
# same value since both use port 3401.
#
#default:
# snmp_incoming_address 0.0.0.0
# snmp_outgoing_address 255.255.255.255
# icp options
# -----------------------------------------------------------------------------
# tag: icp_port
# port number squid sends , receives icp queries to
# , neighbor caches. default 3130. disable use
# "0". may overridden -u on command line.
#
#default:
# icp_port 3130
# tag: htcp_port
# port number squid sends , receives htcp queries to
# , neighbor caches. turn on want set 4827.
# default set "0" (disabled).
#
#default:
# htcp_port 0
# tag: log_icp_queries on|off
# if set, icp queries logged access.log. may wish
# disable if icp load high speed things
# or simplify log analysis.
#
#default:
# log_icp_queries on
# tag: udp_incoming_address
# udp_incoming_address used udp packets received other
# caches.
#
# default behavior not bind specific address.
#
# change if want have udp queries received on
# specific interface/address.
#
# note: udp_incoming_address used icp, htcp, , dns
# modules. altering affect of them in same manner.
#
# see also; udp_outgoing_address
#
# note, udp_incoming_address , udp_outgoing_address can not
# have same value since both use same port.
#
#default:
# udp_incoming_address 0.0.0.0
# tag: udp_outgoing_address
# udp_outgoing_address used udp packets sent out other
# caches.
#
# default behavior not bind specific address.
#
# instead use same socket udp_incoming_address.
# change if want have udp queries sent using another
# address squid listens udp queries other
# caches.
#
# note: udp_outgoing_address used icp, htcp, , dns
# modules. altering affect of them in same manner.
#
# see also; udp_incoming_address
#
# note, udp_incoming_address , udp_outgoing_address can not
# have same value since both use same port.
#
#default:
# udp_outgoing_address 255.255.255.255
# tag: icp_hit_stale on|off
# if want return icp_hit stale cache objects, set this
# option 'on'. if have sibling relationships caches
# in other administrative domains, should 'off'. if only
# have sibling relationships caches under control,
# okay set 'on'.
# if set 'on', siblings should use option "allow-miss"
# on cache_peer lines connecting you.
#
#default:
# icp_hit_stale off
# tag: minimum_direct_hops
# if using icmp pinging stuff, direct fetches sites
# no more many hops away.
#
#default:
# minimum_direct_hops 4
# tag: minimum_direct_rtt
# if using icmp pinging stuff, direct fetches sites
# no more many rtt milliseconds away.
#
#default:
# minimum_direct_rtt 400
# tag: netdb_low
# tag: netdb_high
# low , high water marks icmp measurement
# database. these counts, not percents. defaults are
# 900 , 1000. when high water mark reached, database
# entries deleted until low mark reached.
#
#default:
# netdb_low 900
# netdb_high 1000
# tag: netdb_ping_period
# minimum period measuring site. there at
# least delay between successive pings same
# network. default 5 minutes.
#
#default:
# netdb_ping_period 5 minutes
# tag: query_icmp on|off
# if want ask peers include icmp data in icp
# replies, enable option.
#
# if peer has configured squid (during compilation) with
# '--enable-icmp' peer send icmp pings origin server
# sites of urls receives. if enable option the
# icp replies peer include icmp data (if available).
# then, when choosing parent cache, squid choose parent with
# minimal rtt origin server. when happens, the
# hierarchy field of access.log be
# "closest_parent_miss". option off default.
#
#default:
# query_icmp off
# tag: test_reachability on|off
# when 'on', icp miss replies icp_miss_nofetch
# instead of icp_miss if target host not in icmp
# database, or has 0 rtt.
#
#default:
# test_reachability off
# tag: icp_query_timeout (msec)
# squid automatically determine optimal icp
# query timeout value based on round-trip-time of recent icp
# queries. if want override value determined by
# squid, set 'icp_query_timeout' non-zero value. this
# value specified in milliseconds, so, use 2-second
# timeout (the old default), write:
#
# icp_query_timeout 2000
#
#default:
# icp_query_timeout 0
# tag: maximum_icp_query_timeout (msec)
# icp query timeout determined dynamically. but
# can lead large values (say 5 seconds).
# use option put upper limit on dynamic timeout
# value. not use option use fixed (instead
# of dynamic) timeout value. set fixed timeout see the
# 'icp_query_timeout' directive.
#
#default:
# maximum_icp_query_timeout 2000
# tag: minimum_icp_query_timeout (msec)
# icp query timeout determined dynamically. but
# can lead small timeouts, lower than
# normal latency variance on link due traffic.
# use option put lower limit on dynamic timeout
# value. not use option use fixed (instead
# of dynamic) timeout value. set fixed timeout see the
# 'icp_query_timeout' directive.
#
#default:
# minimum_icp_query_timeout 5
# multicast icp options
# -----------------------------------------------------------------------------
# tag: mcast_groups
# tag specifies list of multicast groups server
# should join receive multicasted icp queries.
#
# note! careful put here! sure you
# understand difference between icp _query_ , icp
# _reply_. option set if want receive
# multicast queries. not set option send multicast
# icp (use cache_peer that). icp replies sent via
# unicast, option not affect whether or not will
# receive replies multicast group members.
#
# must careful not use multicast address which
# in use group of caches.
#
# if unsure multicast, please read multicast
# chapter in squid faq (http://www.squid-cache.org/faq/).
#
# usage: mcast_groups 239.128.16.128 224.0.1.20
#
# default, squid doesn't listen on multicast groups.
#
#default:
# none
# tag: mcast_miss_addr
# note: option available if squid rebuilt the
# --enable-multicast-miss option
#
# if enable option, every "cache miss" url will
# sent out on specified multicast address.
#
# not enable option unless are absolutely
# understand doing.
#
#default:
# mcast_miss_addr 255.255.255.255
# tag: mcast_miss_ttl
# note: option available if squid rebuilt the
# --enable-multicast-miss option
#
# time-to-live value packets multicasted
# when multicasting off cache miss urls enabled. by
# default set 'site scope', i.e. 16.
#
#default:
# mcast_miss_ttl 16
# tag: mcast_miss_port
# note: option available if squid rebuilt the
# --enable-multicast-miss option
#
# port number used in conjunction with
# 'mcast_miss_addr'.
#
#default:
# mcast_miss_port 3135
# tag: mcast_miss_encode_key
# note: option available if squid rebuilt the
# --enable-multicast-miss option
#
# urls sent in multicast miss stream are
# encrypted. encryption key.
#
#default:
# mcast_miss_encode_key xxxxxxxxxxxxxxxx
# tag: mcast_icp_query_timeout (msec)
# multicast peers, squid regularly sends out icp "probes" to
# count how many other peers listening on given multicast
# address. value specifies how long squid should wait to
# count replies. default 2000 msec, or 2
# seconds.
#
#default:
# mcast_icp_query_timeout 2000
# internal icon options
# -----------------------------------------------------------------------------
# tag: icon_directory
# icons stored. these kept in
# /usr/share/squid/icons
#
#default:
# icon_directory /usr/share/squid/icons
# tag: global_internal_static
# directive controls squid should intercept requests for
# /squid-internal-static/ no matter host url requesting
# (default on setting), or if nothing special should done for
# such urls (off setting). purpose of directive make
# icons etc work better in complex cache hierarchies may
# not possible corners in cache mesh reach
# server generating directory listing.
#
#default:
# global_internal_static on
# tag: short_icon_urls
# if enabled squid use short urls icons.
#
# if off urls icons absolute urls
# including proxy name , port.
#
#default:
# short_icon_urls off
# error page options
# -----------------------------------------------------------------------------
# tag: error_directory
# if wish create own versions of default
# (english) error files, either customize them suit your
# language or company copy template english files another
# directory , point tag @ them.
#
# squid developers interested in making squid available in
# wide variety of languages. if making translations a
# langauge squid not provide please consider
# contributing translation project.
#
#default:
# error_directory /usr/share/squid/errors/en
# tag: error_map
# map errors custom messages
#
# error_map message_url http_status ...
#
# http_status ... list of http status codes or squid error
# messages.
#
# use in accelerators substitute error messages returned
# servers other custom errors.
#
# error_map http://your.server/error/404.shtml 404
#
# requests error messages request configured
# url following special headers
#
# x-error-status: received http status code (i.e. 404)
# x-request-uri: requested uri error occurred
#
# in addition following headers forwarded client
# request:
#
# user-agent, cookie, x-forwarded-for, via, authorization,
# accept, referer
#
# , following headers server reply:
#
# server, via, location, content-location
#
# reply returned client carry original http
# headers real error message, reply body
# of configured error message.
#
#
#default:
# none
# tag: err_html_text
# html text include in error messages. make "mailto"
# url admin address, or maybe link your
# organizations web page.
#
# include in error messages, must rewrite
# error template files (found in "errors" directory).
# wherever want 'err_html_text' line appear,
# insert %l tag in error template file.
#
#default:
# none
# tag: deny_info
# usage: deny_info err_page_name acl
# or deny_info http://... acl
# example: deny_info err_custom_access_denied bad_guys
#
# can used return err_ page requests which
# not pass 'http_access' rules. squid remembers last
# acl evaluated in http_access, , if 'deny_info' line exists
# acl squid returns corresponding error page.
#
# acl typically last acl on http_access deny line which
# denied access. exceptions rule are:
# - when squid needs request authentication credentials. it's then
# first authentication related acl encountered
# - when none of http_access lines matches. it's last
# acl processed on last http_access line.
#
# may use err_ pages come squid or create own pages
# , put them configured errors/ directory.
#
# alternatively can specify error url. browsers will
# redirected (302) specified url. %s in redirection
# url replaced requested url.
#
# alternatively can tell squid reset tcp connection
# specifying tcp_reset.
#
#default:
# none
# OPTIONS INFLUENCING REQUEST FORWARDING
# -----------------------------------------------------------------------------
# TAG: nonhierarchical_direct
# By default, Squid will send any non-hierarchical requests
# (matching hierarchy_stoplist or a not cacheable request type) direct
# to origin servers.
#
# If you set this to off, Squid will prefer to send these
# requests to parents.
#
# Note that in most configurations, by turning this off you will only
# add latency to these requests without any improvement in global hit
# ratio.
#
# If you are inside a firewall see never_direct instead of
# this directive.
#
#Default:
# nonhierarchical_direct on
# TAG: prefer_direct
# Normally Squid tries to use parents for most requests. If you for some
# reason would like it to first try going direct and only use a parent if
# going direct fails, set this to on.
#
# By combining nonhierarchical_direct off and prefer_direct on you
# can set up Squid to use a parent as a backup path if going direct
# fails.
#
# Note: If you want Squid to use parents for all requests see
# the never_direct directive. prefer_direct only modifies how Squid
# acts on cacheable requests.
#
#Default:
# prefer_direct off
# TAG: ignore_ims_on_miss on|off
# This option makes Squid ignore If-Modified-Since on cache
# misses. This is useful while the cache is mostly empty, to
# have the cache populated more quickly.
#
#Default:
# ignore_ims_on_miss off
# TAG: always_direct
# Usage: always_direct allow|deny [!]aclname ...
#
# Here you can use ACL elements to specify requests which should
# ALWAYS be forwarded by Squid to the origin servers without using
# any peers. For example, to always directly forward requests for
# local servers, ignoring any parents or siblings you may have, use
# something like:
#
#     acl local-servers dstdomain my.domain.net
#     always_direct allow local-servers
#
# To always forward FTP requests directly, use
#
#     acl FTP proto FTP
#     always_direct allow FTP
#
# NOTE: There is a similar, but opposite option named
# 'never_direct'. You need to be aware that "always_direct deny
# foo" is NOT the same thing as "never_direct allow foo". You
# may need to use a deny rule to exclude a more-specific case of
# some other rule. Example:
#
#     acl local-external dstdomain external.foo.net
#     acl local-servers dstdomain .foo.net
#     always_direct deny local-external
#     always_direct allow local-servers
#
# NOTE: If your goal is to make the client forward the request
# directly to the origin server, bypassing Squid, then this needs
# to be done in the client configuration. The Squid configuration
# can only tell Squid how Squid should fetch the object.
#
# NOTE: This directive is not related to caching. The replies
# are cached as usual even if you use always_direct. To not cache
# the replies see no_cache.
#
# This option replaces the v1.1 options such as local_domain
# and local_ip.
#
#Default:
# none
# TAG: never_direct
# Usage: never_direct allow|deny [!]aclname ...
#
# never_direct is the opposite of always_direct. Please read
# the description for always_direct if you have not already.
#
# With 'never_direct' you can use ACL elements to specify
# requests which should NEVER be forwarded directly to origin
# servers. For example, to force the use of a proxy for all
# requests, except those in your local domain, use something like:
#
#     acl local-servers dstdomain .foo.net
#     acl all src 0.0.0.0/0.0.0.0
#     never_direct deny local-servers
#     never_direct allow all
#
# or if Squid is inside a firewall and there are local intranet
# servers inside the firewall use something like:
#
#     acl local-intranet dstdomain .foo.net
#     acl local-external dstdomain external.foo.net
#     always_direct deny local-external
#     always_direct allow local-intranet
#     never_direct allow all
#
# This option replaces the v1.1 options such as inside_firewall
# and firewall_ip.
#
#Default:
# none
# ADVANCED NETWORKING OPTIONS
# -----------------------------------------------------------------------------
# TAG: max_filedescriptors
# The maximum number of filedescriptors supported.
#
# The default "0" means Squid inherits the current ulimit setting.
#
# Note: Changing this requires a restart of Squid. Also,
# not all comm loops support values larger than --with-maxfd.
#
#Default:
# max_filedescriptors 0
# TAG: accept_filter
# FreeBSD:
#
# The name of an accept(2) filter to install on Squid's
# listen socket(s). This feature is perhaps specific to
# FreeBSD and requires support in the kernel.
#
# The 'httpready' filter delays delivering new connections
# to Squid until a full HTTP request has been received.
# See the accf_http(9) man page for details.
#
# The 'dataready' filter delays delivering new connections
# to Squid until there is some data to process.
# See the accf_dataready(9) man page for details.
#
# Linux:
#
# The 'data' filter delays delivering of new connections
# to Squid until there is some data to process, using TCP_DEFER_ACCEPT.
# You may optionally specify a number of seconds to wait by
# 'data=N' where N is the number of seconds. Defaults to 30
# if not specified. See the tcp(7) man page for details.
#Example:
## FreeBSD
#accept_filter httpready
## Linux
#accept_filter data
#
#Default:
# none
# TAG: tcp_recv_bufsize (bytes)
# Size of the receive buffer to set for TCP sockets. Probably just
# as easy to change your kernel's default. Set to zero to use
# the default buffer size.
#
#Default:
# tcp_recv_bufsize 0 bytes
# TAG: incoming_rate
# This directive controls how aggressively Squid should accept new
# connections compared to processing existing connections.
# The lower the number, the more frequently Squid will look for new
# incoming requests.
#
#Default:
# incoming_rate 30
# DNS OPTIONS
# -----------------------------------------------------------------------------
# TAG: check_hostnames
# For security and stability reasons Squid by default checks
# hostnames for Internet standard RFC compliance. If you do not want
# Squid to perform these checks then turn this directive off.
#
#Default:
# check_hostnames on
# TAG: allow_underscore
# Underscore characters are not strictly allowed in Internet hostnames
# but are nevertheless used by many sites. Set this to off if you want
# Squid to be strict about the standard.
# This check is performed only when check_hostnames is set to on.
#
#Default:
# allow_underscore on
# TAG: cache_dns_program
# Note: This option is only available if Squid is rebuilt with the
#       --disable-internal-dns option
#
# Specify the location of the executable for the dnslookup process.
#
#Default:
# cache_dns_program /usr/lib/squid/dnsserver
# TAG: dns_children
# Note: This option is only available if Squid is rebuilt with the
#       --disable-internal-dns option
#
# The number of processes spawned to service DNS name lookups.
# For heavily loaded caches on large servers, you should
# probably increase this value to at least 10. The maximum
# is 32. The default is 5.
#
# You must have at least one dnsserver process.
#
#Default:
# dns_children 5
# TAG: dns_retransmit_interval
# Initial retransmit interval for DNS queries. The interval is
# doubled each time all configured DNS servers have been tried.
#
#
#Default:
# dns_retransmit_interval 5 seconds
# TAG: dns_timeout
# DNS query timeout. If no response is received to a DNS query
# within this time, all DNS servers for the queried domain
# are assumed unavailable.
#
#Default:
# dns_timeout 2 minutes
# TAG: dns_defnames on|off
# Normally the RES_DEFNAMES resolver option is disabled
# (see res_init(3)). This prevents caches in a hierarchy
# from interpreting single-component hostnames locally. To allow
# Squid to handle single-component names, enable this option.
#
#Default:
# dns_defnames off
# TAG: dns_nameservers
# Use this if you want to specify a list of DNS name servers
# (IP addresses) to use instead of those given in your
# /etc/resolv.conf file.
# On Windows platforms, if no value is specified here or in
# the /etc/resolv.conf file, the list of DNS name servers is
# taken from the Windows registry; both static and dynamic DHCP
# configurations are supported.
#
# Example: dns_nameservers 10.0.0.1 192.172.0.4
#
#Default:
# none
# TAG: hosts_file
# Location of the host-local IP name-address associations
# database. Most operating systems have such a file, in different
# default locations:
# - Un*x & Linux:    /etc/hosts
# - Windows NT/2000: %SystemRoot%\system32\drivers\etc\hosts
#                    (%SystemRoot% value install default is c:\winnt)
# - Windows XP/2003: %SystemRoot%\system32\drivers\etc\hosts
#                    (%SystemRoot% value install default is c:\windows)
# - Windows 9x/Me:   %windir%\hosts
#                    (%windir% value is usually c:\windows)
# - Cygwin:          /etc/hosts
#
# The file contains newline-separated definitions, in the
# form ip_address_in_dotted_form name [name ...] where the names are
# whitespace-separated. Lines beginning with a hash (#)
# character are comments.
#
# The file is checked at startup and upon reconfiguration.
# If set to 'none', it won't be checked.
# If append_domain is used, that domain will be added to
# domain-local (i.e. not containing any dot character) host
# definitions.
#
#Default:
# hosts_file /etc/hosts
#
hosts_file /etc/hosts
# TAG: dns_testnames
# The DNS tests exit as soon as the first site is successfully looked up.
#
# This test can be disabled with the -D command line option.
#
#Default:
# dns_testnames netscape.com internic.net nlanr.net microsoft.com
# TAG: append_domain
# Appends the local domain name to hostnames without any dots in
# them. append_domain must begin with a period.
#
# Be warned there are now Internet names with no dots in
# them, using only top-level domain names, so setting this may
# cause some Internet sites to become unavailable.
#
#Example:
# append_domain .yourdomain.com
#
#Default:
# none
# TAG: ignore_unknown_nameservers
# By default Squid requires that DNS responses are received
# from the same IP addresses they were sent to. If they
# don't match, Squid ignores the response and writes a warning
# message to cache.log. You can allow responses from unknown
# nameservers by setting this option to 'off'.
#
#Default:
# ignore_unknown_nameservers on
# TAG: ipcache_size (number of entries)
# TAG: ipcache_low (percent)
# TAG: ipcache_high (percent)
# The size, low-, and high-water marks for the IP cache.
#
#Default:
# ipcache_size 1024
# ipcache_low 90
# ipcache_high 95
# TAG: fqdncache_size (number of entries)
# Maximum number of FQDN cache entries.
#
#Default:
# fqdncache_size 1024
# MISCELLANEOUS
# -----------------------------------------------------------------------------
# TAG: memory_pools on|off
# If set, Squid will keep pools of allocated (but unused) memory
# available for future use. If memory is at a premium on your
# system and you believe your malloc library outperforms Squid's
# routines, disable this.
#
#Default:
# memory_pools on
# TAG: memory_pools_limit (bytes)
# Used only with memory_pools on:
# memory_pools_limit 50 MB
#
# If set to a non-zero value, Squid will keep at most the specified
# limit of allocated (but unused) memory in memory pools. All free()
# requests that exceed this limit will be handled by your malloc
# library. Squid does not pre-allocate any memory, it just safe-keeps
# objects that would otherwise be free()d. Thus, it is safe to set
# memory_pools_limit to a reasonably high value even if your
# configuration will use less memory.
#
# If set to zero, Squid will keep all the memory it can. That is, there
# will be no limit on the total amount of memory used for safe-keeping.
#
# To disable memory allocation optimization, do not set
# memory_pools_limit to 0. Set memory_pools to "off" instead.
#
# The overhead for maintaining memory pools is not taken into account
# when the limit is checked. This overhead is close to four bytes per
# object kept. However, pools may actually _save_ memory because of
# reduced memory thrashing in your malloc library.
#
#Default:
# memory_pools_limit 5 MB
# TAG: forwarded_for on|off
# If set, Squid will include the IP address of the requesting client
# in the HTTP requests it forwards, in the X-Forwarded-For header.
# By default it looks like this:
#
#     X-Forwarded-For: 192.1.2.3
#
# If you disable this, it will appear as
#
#     X-Forwarded-For: unknown
#
#Default:
# forwarded_for on
# TAG: cachemgr_passwd
# Specify passwords for cachemgr operations.
#
# Usage: cachemgr_passwd password action action ...
#
# Some valid actions are (see the cache manager menu for a full list):
#     5min
#     60min
#     asndb
#     authenticator
#     cbdata
#     client_list
#     comm_incoming
#     config *
#     counters
#     delay
#     digest_stats
#     dns
#     events
#     filedescriptors
#     fqdncache
#     histograms
#     http_headers
#     info
#     io
#     ipcache
#     mem
#     menu
#     netdb
#     non_peers
#     objects
#     offline_toggle *
#     pconn
#     peer_select
#     reconfigure *
#     redirector
#     refresh
#     server_list
#     shutdown *
#     store_digest
#     storedir
#     utilization
#     via_headers
#     vm_objects
#
# * Indicates actions which will not be performed without a
#   valid password; the others can be performed even if not listed here.
#
# To disable an action, set the password to "disable".
# To allow performing an action without a password, set the
# password to "none".
#
# Use the keyword "all" to set the same password for all actions.
#
#Example:
# cachemgr_passwd secret shutdown
# cachemgr_passwd lesssssssecret info stats/objects
# cachemgr_passwd disable all
#
#Default:
# none
# TAG: client_db on|off
# If you want to disable collecting per-client statistics,
# turn off client_db here.
#
#Default:
# client_db on
# TAG: reload_into_ims on|off
# When you enable this option, client no-cache or ``reload''
# requests will be changed to If-Modified-Since requests.
# Doing this VIOLATES the HTTP standard. Enabling this
# feature could make you liable for problems which it
# causes.
#
# See also refresh_pattern for a more selective approach.
#
#Default:
# reload_into_ims off
# TAG: maximum_single_addr_tries
# This sets the maximum number of connection attempts for a
# host that only has one address (for multiple-address hosts,
# each address is tried once).
#
# The default value is one attempt; the (not recommended)
# maximum is 255 tries. A warning message will be generated
# if it is set to a value greater than ten.
#
# Note: This is in addition to the request re-forwarding which
# takes place if Squid fails to get a satisfying response.
#
#Default:
# maximum_single_addr_tries 1
# TAG: retry_on_error
# If set to on, Squid will automatically retry requests when
# receiving an error response. This is mainly useful if you
# are in a complex cache hierarchy, to work around access
# control errors.
#
#Default:
# retry_on_error off
# TAG: as_whois_server
# WHOIS server to query for AS numbers. NOTE: AS numbers are
# queried only when Squid starts up, not for every request.
#
#Default:
# as_whois_server whois.ra.net
# TAG: offline_mode
# Enable this option and Squid will never try to validate cached
# objects.
#
#Default:
# offline_mode off
# TAG: uri_whitespace
# What to do with requests that have whitespace characters in the
# URI. Options:
#
# strip:  The whitespace characters are stripped out of the URL.
#         This is the behavior recommended by RFC2396.
# deny:   The request is denied. The user receives an "Invalid
#         Request" message.
# allow:  The request is allowed and the URI is not changed. The
#         whitespace characters remain in the URI. Note the
#         whitespace is passed to redirector processes if they
#         are in use.
# encode: The request is allowed and the whitespace characters are
#         encoded according to RFC1738. This could be considered
#         a violation of the HTTP/1.1
#         RFC because proxies are not allowed to rewrite URIs.
# chop:   The request is allowed and the URI is chopped at the
#         first whitespace. This might also be considered a
#         violation.
#
#Default:
# uri_whitespace strip
# TAG: coredump_dir
# By default Squid leaves core files in the directory from where
# it was started. If you set 'coredump_dir' to a directory
# that exists, Squid will chdir() to that directory at startup
# and coredump files will be left there.
#
#Default:
# coredump_dir none
#
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
# TAG: chroot
# Use this to have Squid do a chroot() while initializing. This
# also causes Squid to fully drop root privileges after
# initializing. This means, for example, that if you use an HTTP
# port less than 1024 and try to reconfigure, you will get an
# error saying that Squid can not open the port.
#
#Default:
# none
# TAG: balance_on_multiple_ip
# Some load balancing servers based on round robin DNS have been
# found not to preserve user session state across requests
# to different IP addresses.
#
# By default Squid rotates IPs per request. By disabling
# this directive only a connection failure triggers rotation.
#
#Default:
# balance_on_multiple_ip on
# TAG: pipeline_prefetch
# To boost the performance of pipelined requests to more closely
# match that of a non-proxied environment, Squid can try to fetch
# up to two requests in parallel from a pipeline.
#
# Defaults to off for bandwidth management and access logging
# reasons.
#
#Default:
# pipeline_prefetch off
# TAG: high_response_time_warning (msec)
# If the one-minute median response time exceeds this value,
# Squid prints a WARNING with debug level 0 to get the
# administrator's attention. The value is in milliseconds.
#
#Default:
# high_response_time_warning 0
# TAG: high_page_fault_warning
# If the one-minute average page fault rate exceeds this
# value, Squid prints a WARNING with debug level 0 to get
# the administrator's attention. The value is in page faults
# per second.
#
#Default:
# high_page_fault_warning 0
# TAG: high_memory_warning
# If the memory usage (as determined by mallinfo) exceeds
# this amount, Squid prints a WARNING with debug level 0 to get
# the administrator's attention.
#
#Default:
# high_memory_warning 0 KB
# TAG: sleep_after_fork (microseconds)
# When this is set to a non-zero value, the main Squid process
# sleeps the specified number of microseconds after a fork()
# system call. This sleep may help the situation where your
# system reports fork() failures due to lack of (virtual)
# memory. Note, however, that if you have a lot of child
# processes, these sleep delays will add up and your
# Squid will not service requests for some amount of time
# until all the child processes have been started.
# On Windows, values less than 1000 (1 millisecond) are
# rounded up to 1000.
#
#Default:
# sleep_after_fork 0
# TAG: zero_buffers on|off
# Squid by default will zero all buffers before using or reusing them.
# Setting this to 'off' will result in fixed-sized temporary buffers
# not being zeroed. This may give a performance boost on certain
# platforms but may result in undefined behaviour at the present
# time.
#
#Default:
# zero_buffers on
# TAG: windows_ipaddrchangemonitor on|off
# On Windows Squid by default will monitor IP address changes and will
# reconfigure itself after any detected event. This is very useful for
# proxies connected to the Internet with dial-up interfaces.
# In some cases (a proxy server acting as a VPN gateway is one) it could be
# desirable to disable this behaviour by setting it to 'off'.
# Note: after changing this, the Squid service must be restarted.
#
#Default:
# windows_ipaddrchangemonitor on
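The always_direct and never_direct comments in the configuration above warn that "always_direct deny foo" is not the same thing as "never_direct allow foo", but leave the reader to work out why. The Python script below is an added example, not Squid's code and not from this thread: it models Squid 2.7's first-match evaluation of the two lists and runs the "Squid inside a firewall" rules from the never_direct comments through it, next to a rewritten version that tries to do the same job with never_direct. Only the src, dstdomain and proto ACL types are modelled, the handling of a MAYBE result is reduced to prefer_direct and nonhierarchical_direct (netdb, loop detection and accelerator mode are ignored), and the client address 10.8.0.5 and the hostnames are constructed.

```python
"""Added example (not Squid's own code): a model of how Squid 2.7 evaluates
always_direct and never_direct, to show why "always_direct deny foo" is
not the same as "never_direct allow foo".

Assumptions: only the src, dstdomain and proto ACL types are modelled,
and a MAYBE result is resolved from prefer_direct / nonhierarchical_direct
alone (netdb, loop detection and accelerator mode are ignored).
"""
import ipaddress


def dstdomain_matches(pattern, host):
    """dstdomain semantics: '.foo.net' matches foo.net and every subdomain,
    'external.foo.net' (no leading dot) matches only that exact host."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def acl_matches(acl, request):
    kind, values = acl
    if kind == "dstdomain":
        return any(dstdomain_matches(v, request["host"]) for v in values)
    if kind == "src":
        client = ipaddress.ip_address(request["src"])
        return any(client in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "proto":
        return request["proto"].lower() in [v.lower() for v in values]
    raise ValueError("ACL type not modelled here: " + kind)


def first_match(rules, acls, request):
    """Access-list semantics: the first line whose ACLs all match decides,
    '!name' negates, and no matching line yields None."""
    for action, names in rules:
        if all(acl_matches(acls[n.lstrip("!")], request) != n.startswith("!")
               for n in names):
            return action
    return None


def forwarding_decision(acls, always_direct, never_direct, request):
    """DIRECT, PARENT or MAYBE. always_direct is consulted first and only an
    'allow' match forces DIRECT; a 'deny' match just falls through to
    never_direct, where only an 'allow' match forbids going direct."""
    if first_match(always_direct, acls, request) == "allow":
        return "DIRECT"
    if first_match(never_direct, acls, request) == "allow":
        return "PARENT"
    return "MAYBE"


def candidate_order(decision, prefer_direct=False,
                    nonhierarchical_direct=True, hierarchical=True):
    """Order in which destinations are tried once the decision is known
    (simplified model of the MAYBE case described under prefer_direct and
    nonhierarchical_direct)."""
    if decision != "MAYBE":
        return [decision]
    if not hierarchical and nonhierarchical_direct:
        return ["DIRECT"]
    return ["DIRECT", "PARENT"] if prefer_direct else ["PARENT", "DIRECT"]


# The "Squid inside a firewall" example from the never_direct comments.
ACLS = {
    "local-intranet": ("dstdomain", [".foo.net"]),
    "local-external": ("dstdomain", ["external.foo.net"]),
    "all": ("src", ["0.0.0.0/0.0.0.0"]),
}
ALWAYS_DIRECT = [("deny", ["local-external"]), ("allow", ["local-intranet"])]
NEVER_DIRECT = [("allow", ["all"])]

# The same intent written with never_direct instead of the deny rule. It
# does not work: always_direct allow local-intranet already matches
# external.foo.net, so never_direct is never consulted for it.
WRONG_ALWAYS_DIRECT = [("allow", ["local-intranet"])]
WRONG_NEVER_DIRECT = [("allow", ["local-external"]), ("allow", ["all"])]

# never_direct on its own only permits going direct, it does not force it.
PERMIT_ONLY_NEVER_DIRECT = [("deny", ["local-intranet"]), ("allow", ["all"])]


def decide(host, always=ALWAYS_DIRECT, never=NEVER_DIRECT, src="10.8.0.5"):
    # Constructed request: a client on the OpenVPN subnet fetching http://host/
    request = {"src": src, "proto": "http", "host": host}
    return forwarding_decision(ACLS, always, never, request)


if __name__ == "__main__":
    for host in ("www.foo.net", "external.foo.net", "www.example.com"):
        print(f"{host:17} documented={decide(host):7} "
              f"rewritten={decide(host, WRONG_ALWAYS_DIRECT, WRONG_NEVER_DIRECT):7} "
              f"never_direct only={decide(host, [], PERMIT_ONLY_NEVER_DIRECT)}")
```

Running it shows external.foo.net going to a parent under the documented rules but DIRECT under the rewritten ones, because always_direct allow local-intranet matches it first and never_direct is never reached. It also shows that never_direct deny local-intranet without an always_direct allow leaves the intranet at MAYBE: with prefer_direct off Squid tries a parent before going direct, so a never_direct deny only permits direct fetches, it does not force them.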
First, you need to use different names for each of these ACLs, such as "localnet10", "localnet172" and "localnet192":
Code:
acl localnet src 10.8.0.0/24 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
Then you need corresponding http_access directives to enable each one, like this:
Code:
http_access allow localnet10
http_access allow localnet172
http_access allow localnet192
These must appear before the default "http_access deny all" directive.
Also, the next time you post a configuration file, please strip the comments out and wrap the resulting content in [code] tags. To strip the comments, use this:
Code:
grep -v '^#' /etc/squid/squid.conf > /home/me/squid.txt
then post the contents of squid.txt.
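The ordering rule in the reply above is the usual cause of the access-denied page the original poster is seeing: an http_access allow line placed after http_access deny all can never match. The following Python checker is an added example, not Squid's code and not from this thread. It parses the acl and http_access lines of a squid.conf, merging repeated acl lines that share a name into one ACL (which is how Squid reads them), and reports unreachable allow lines, ACL names that are used but never defined, an "http_access allow all" open proxy, and a missing catch-all. Both config fragments inside it are constructed for the demonstration, including the 10.8.0.0/24 OpenVPN subnet and the undefined vpnusers name.

```python
"""Added example (not Squid's own code): a checker for the http_access
section of a Squid 2.7 squid.conf. It collects acl and http_access lines,
merges repeated acl lines that share a name (Squid reads them as one ACL),
and reports the configuration mistakes that produce an access-denied
error page: ACLs used but never defined, allow lines placed after
'http_access deny all' (they can never match), 'http_access allow all'
(an open proxy) and a missing final catch-all line.

The config fragments below are constructed for the demonstration; they
are not the poster's file.
"""

# Spellings of the catch-all network used for the conventional 'all' ACL.
ALL_NETWORK = {"0.0.0.0/0.0.0.0", "0.0.0.0/0", "all"}


def parse_squid_conf(text):
    """Return ({acl name: (type, values)}, [(action, [acl names])], problems).
    Trailing '# ...' comments are dropped, as Squid itself does."""
    acls, rules, problems = {}, [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 4:
            name, kind, values = parts[1], parts[2], parts[3:]
            if name in acls and acls[name][0] != kind:
                problems.append(f"acl '{name}' is already defined with type "
                                f"{acls[name][0]}, it cannot also be {kind}")
                continue
            acls.setdefault(name, (kind, []))[1].extend(values)
        elif parts[0] == "http_access" and len(parts) >= 3:
            rules.append((parts[1], parts[2:]))
    return acls, rules, problems


def matches_everything(acls, name):
    """True for the conventional catch-all, e.g. acl all src 0.0.0.0/0.0.0.0."""
    kind, values = acls.get(name, (None, []))
    return kind == "src" and any(v in ALL_NETWORK for v in values)


def check_http_access(acls, rules):
    findings, terminator = [], None   # terminator: first 'deny all'/'allow all'
    for i, (action, names) in enumerate(rules, 1):
        text = f"http_access {action} {' '.join(names)}"
        if terminator:
            findings.append(f"rule {i}: '{text}' can never match, "
                            f"it comes after '{terminator}'")
        for n in names:
            if n.lstrip("!") not in acls:
                findings.append(f"rule {i}: ACL '{n.lstrip('!')}' is used "
                                "but never defined by an acl line")
        if len(names) == 1 and matches_everything(acls, names[0]):
            if action == "allow":
                findings.append(f"rule {i}: '{text}' turns Squid into an open proxy")
            terminator = terminator or text
    if not terminator:
        findings.append("no final 'http_access deny all': when no line matches, "
                        "Squid applies the opposite of the last line's action")
    return findings


def lint(text):
    acls, rules, problems = parse_squid_conf(text)
    return problems + check_http_access(acls, rules)


# Constructed: the allow lines were added below the stock 'deny all'.
BROKEN = """
acl all src 0.0.0.0/0.0.0.0
acl localnet src 10.8.0.0/24      # OpenVPN clients
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16
acl Safe_ports port 80 443
http_access deny !Safe_ports
http_access deny all
http_access allow localnet
http_access allow vpnusers
"""

# Constructed: same ACLs, allow rule moved above the catch-all deny.
FIXED = """
acl all src 0.0.0.0/0.0.0.0
acl localnet src 10.8.0.0/24
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16
acl Safe_ports port 80 443
http_access deny !Safe_ports
http_access allow localnet
http_access deny all
"""

if __name__ == "__main__":
    for label, conf in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(label, lint(conf) or ["ok"])
```

To run it against a real file, call lint(open("/etc/squid/squid.conf").read()); the output of the grep command in the reply works too, since the checker strips the inline comments that grep -v '^#' leaves in place.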