Squid 2.4 Stable1
Configuration Manual
 

 
Previous
Table of Contents
Next

MISCELLANEOUS


Tag Name

dns_testnames

Usage

dns_testnames URL

Description

The DNS tests exit as soon as the first site is successfully looked up

To disable DNS tests, not to comment out or delete this list. Instead use the -D command line option

Default

dns_testnames netscape.com internic.net nlanr.net microsoft.com

Example

-

Caution

-


Tag Name

logfile_rotate

Usage

logfile_rotate NUMBER

Description

This defines the class of each delay pool. There must be exactly one delay_class line for each delay pool. For example, to define two delay pools; one of class 2 and one of class 3, the settings will be like as given in the example. For details on the delay pool classes see Glossary. This option is only available if Squid is rebuilt with the --enable-delaypools option

Default

logfile_rotate 10

Example

logfile_rotate 5

Caution

Note, the 'squid -k rotate' command normally sends a USR1 signal to the running squid process. In certain situations (e.g. on Linux with Async I/O), USR1 is used for other purposes; so -k rotate uses another signal. It is best to get in the habit of using 'squid -k rotate' instead of 'kill -USR1 '


Tag Name

append_domain

Usage

append_domain domainname

Description

Appends local domain name to hostnames without any dotsin them. append_domain must begin with a period.

Default

none

Example

append_domain .yourdomain.com

Caution

-


Tag Name

tcp_recv_bufsize

Usage

tcp_recv_bufsize (bytes)

Description

Size of receive buffer to set for TCP sockets. Probablyjust as easy to change your kernel's default.

Default

Set to zero to use the default buffer size. By default, this is set to zero means it is using kernel’s default. tcp_recv_bufsize0 bytes

Example

-

Caution

-


Tag Name

err_html_text

Usage

err_html_text text

Description

HTML text to include in error messages. Make this a "mailto" URL to your admin address, or maybe just a link to your organizations Web page.

To include this in your error messages, you must rewrite the errortemplate files (found in the "$prefix/etc/errors" directory). Whereveryou want the 'err_html_text' line to appear, insert a %L tag in theerror template file

Default

none

Example

err_html_text venkatesh@visolve.com
Consider you want to display this mailId when access denied error occurs, then edit corresponding file (ERR_ACCESS_DENIED in “$prefix/etc/errors” directory) with %L where this mailId should be displayed

Caution

-


Tag Name


deny_info


Usage

deny_info err_page_name acl

Description

This can be used to return an ERR_ page for requests, which do not pass the 'http_access' rules. A single ACL will cause the http_access check to fail. If a 'deny_info' line exists for that ACL then Squid returns a corresponding error page.

You may use ERR_ pages that come with Squid or create your own pages and put them into the configured errors/ directory

Default

none

Example

If you want to deny domain “deny.com” and want to display access denied message specifically, add these lines in conf. And add the file called ERR_CUSTOM_ACCESS_DENIED in $prefix/etc/errors/ directory with your own format.

acl DSTDOMAIN dstdomain .deny.com http_access deny DSTDOMAIN http_access allow all deny_info ERR_CUSTOM_ACCESS_DENIED DSTDOMAIN

So now if users try to browse “deny.com”, they will get your defined error message

Caution

-


Tag Name

memory_pools

Usage

memory_pools on|off

Description

If set, Squid will keep pools of allocated (but unused) memory available for future use. If memory is a premium on your system andyou believe your malloc library outperforms Squid routines, disablethis.

Default

memory_pools off

Example

-

Caution

-


Tag Name

memory_pools_limit

Usage

memory_pools_limit (bytes)

Description

If set to a non-zero value, Squid will keep at most the specified limit of allocated (but unused) memory in memory pools. Allfree() requests that exceed this limit will be handled by your malloclibrary. Squiddoes not pre-allocate any memory, just safe-keeps objectsthat otherwisewould be free()d. Thus,it is safe to set memory_pools_limitto a reasonablyhigh value even if yourconfiguration will use lessmemory.

If not set (default) or set to zero, Squid will keep all memory it can. That is, there will be no limit on the total amount of memory used forsafe-keeping.

Default

none
By default, memory_pools is not set. So there is no default value for memory_pools_limit

Example

-

Caution

Used only with memory_pools on:
To disable memory allocation optimization, do not set memory_pools_limit to 0. Set memory_pools to "off" instead. An overhead for maintaining memory pools is not taken into account when the limit is checked. This overhead is close to four bytes per object kept. However, pools may actually _save_ memory because of reduced memory thrashing in yourmalloc library


Tag Name

forwarded_for

Usage

forwarded_for on|off

Description

Current HTTP/1.1 does not provide any standard way of indicating the client address in the request. Since a number of people missedhaving the originating client address in the request, Squid now addsits own request header called "X-Forwarded-For" which looks like this:
X-Forwarded-For: 192.1.2.3|unknown

If set, Squid will include your system's IP address or name in theHTTP requests it forwards. By default it looks like this:
X-Forwarded-For: 192.1.2.3

If you disable this, it will appear as
X-Forwarded-For: unknown

Default

forwarded_for on

Example

-

Caution

-


Tag Name

log_icp_queries

Usage

log_icp_queries on|off

Description

If set, ICP queries are logged to access.log. You may wish do disable this if your ICP load is very high to speed things up or to simplify log analysis

Default

log_icp_queries on

Example

-

Caution

-


Tag Name


icp_hit_stale


Usage

icp_hit_stale on|off

Description

If you want to return ICP_HIT for stale cache objects, set this option to 'on'. If you have sibling relationships with cachesin other administrative domains, this should be 'off'. If you onlyhave sibling relationships with caches under your control, then itis probably okay to set this to 'on'

Default

icp_hit_stale off

Example

-

Caution

-


Tag Name

minimum_direct_hops

Usage

minimum_direct_hops NUMBER

Description

If using the ICMP pinging stuff, do direct fetches for sites which are no more than this many hops away. This parameter plays arole in deciding latency

Default

minimum_direct_hops 4

Example

-

Caution

-


Tag Name

minimum_direct_rtt

Usage

minimum_direct_rtt time-units

Description

This is the port number to be used in conjunction with 'mcast_miss_addr'. This option is only available if Squid is rebuilt with the -DMULTICAST_MISS_TTL option

Default

minimum_direct_rtt 400

Example

-

Caution

-


Tag Name

cachemgr_passwd

Usage

cachemgr_passwd password action action ...

Description


This tag is used to specify passwords for cachemgr operations. Some valid actions are (see cache manager menu for a full list):

5min
60min
asndb
authenticator
cbdata
client_list
comm_incoming
config *
counters
delay
digest_stats
dns
events
filedescriptors
fqdncache
histograms
http_headers
info
io
ipcache
mem
menu
netdb
non_peers
objects
pconn
peer_select
redirector
refresh
server_list
shutdown *
store_digest
storedir
utilization
via_headers
vm_objects

* Indicates actions which will not be performed without a valid password, others can be performed if not listed here.

To disable an action, set the password to "disable".

To allow performing an action without a password, set the password to "none".

Use the keyword "all" to set the same password for all actions.

cachemgr_passwd secret shutdown
cachemgr_passwd lesssssssecret info stats/objects
cachemgr_passwd disable all


Default

none

Example

-

Caution

-


Tag Name

store_avg_object_size

Usage

store_avg_object_size (kbytes)

Description

Average object size, used to estimate number of objectsyour cache can hold.
To Estimate the number of objects your cache can hold:
NUM_OBJ = cache_swap / store_avg_object_size
Cache_swap is size of the cache

Default

The default is 13 KB.
store_avg_object_size 13 KB

Example

-

Caution

-


Tag Name

store_objects_per_bucket

Usage

store_objects_per_bucket (kbytes)

Description


Target number of objects per bucket in the store hashtable. Lowering this value increases the total number of bucketsand also the storage maintenance rate. Then we estimate the numberof hashbuckets needed:
NUM_BUCKETS = NUM_OBJ / store_objects_per_bucket
NUM_OBJ is the number of objects your cache can hold, estimated by store_avg_object_size.


Default


store_objects_per_bucket 50


Example

-

Caution

-


Tag Name

client_db

Usage

client_db on|off

Description


If you want to disable collecting per-client statistics, then turn off client_db here


Default


client_db on


Example

-

Caution

-


Tag Name

netdb_low
netdb_high

Usage

netdb_low entries
netdb_high entries

Description


The low and high water marks for the ICMP measurementdatabase. These are counts, not percents. The defaults are 900 and1000. When the high water mark is reached, database entries willbe deleted until the low mark is reached


Default

netdb_low 900
netdb_high 1000

Example

-

Caution

-


Tag Name

netdb_ping_period

Usage

netdb_ping_period time-units

Description


The minimum period for measuring a site. There will be at least this much delay between successive pings to the same network


Default

netdb_ping_period 5 minutes

Example

-

Caution

-


Tag Name

query_icmp

Usage

query_icmp on|off

Description


If you want to ask your peers to include ICMP data intheir ICP replies, enable this option. If your peer has configuredSquid (during compilation) with '--enable-icmp' then that peer willsend ICMP pings to origin server sites of the URLs it receives. Ifyouenable this option then the ICP replies from that peer will includethe ICMP data (if available). Then, when choosing a parent cache,Squid will choose the parent with the minimal RTT to the origin server.Whenthis happens, the hierarchy field of the access.log will be "CLOSEST_PARENT_MISS ".


Default


query_icmp off


Example

-

Caution

-


Tag Name

test_reachability

Usage

test_reachability on|off

Description


When this is 'on', ICP MISS replies will be ICP_MISS_NOFETCH instead of ICP_MISS if the target host is NOT in the ICMP database, or has a zero RTT


Default


test_reachability off


Example

-

Caution

-


Tag Name

buffered_logs

Usage

buffered_logs on|off

Description


Some log files (cache.log , useragent.log) are written with stdio functions, and as such they can be buffered or unbuffered. By default they will be unbuffered. Buffering them can speed up the writing slightly (though you are unlikely to need to worry).


Default


buffered_logs off


Example

-

Caution

-


Tag Name

reload_into_ims

Usage

reload_into_ims on|off

Description


When you enable this option, client no-cache or ``reload'' requests will be changed to If-Modified-Since requests. Doing this VIOLATES the HTTP standard. Enabling this feature could make youliable for problems, which it causes.

See also refresh_pattern for a more selective approach.

This option may be disabled by using --disable-http-violations with the configure script. reload_into_ims off


Default


reload_into_ims off


Example

-

Caution

-


Tag Name

always_direct

Usage

always_direct allow|deny [!]aclname ...

Description


Here you can use ACL elements to specify requests, which should ALWAYS be forwarded directly to origin servers. This is mostly used while using cache_peer. See also never_direct .


Default


always_direct is by default deny.     


Example

For example, to always directly forward requests for local serversuse something like:
acl local-servers dstdomain .my.domain.net
always_direct allow local-servers

To always forward FTP requests directly, use
acl FTP proto FTP
always_direct allow FTP

Example for denying specific domain
acl local-external dstdomain .external.foo.net
acl local-servers dstdomain .foo.net
always_direct deny local-external
always_direct allow local-servers

Caution

There is a similar, but opposite option named ' never_direct'. You need to be aware that "always_direct deny foo" is NOT the same thing as "never_directallow foo". You may need to use a deny rule to exclude a more-specificcase of some other rule


Tag Name

never_direct

Usage

never_direct allow|deny [!]aclname ...

Description


never_direct is the opposite of always_direct. Pleaseread the description for always_direct if you have not already.

With 'never_direct' you can use ACL elements to specify requests, whichshould NEVER be forwarded directly to origin servers

When always_direct and never_direct are deny (By default), Squid selectsbased on the request type and a number of other factors if a parent shouldbe used or not, and if a parent could not be reached it will always fallback on direct.

If always_direct is allow then Squid will always go direct to the sourcewithout concidering any peers.

If never_direct is allow then Squid will never attempt to go direct to the source. Instead it tries very hard to find a parent to send the request to. If no parent can be found then an error is returned


Default


never_direct is by default deny.        


Example

For example, to force the use of a proxy for all requests, except those in your local domain use something like:

acl local-servers dstdomain foo.net
acl all src 0.0.0.0/0.0.0.0
never_direct deny local-servers
never_direct allow all

or if squid is inside a firewall and there is local intranet servers inside the firewall then use something like:

acl local-intranet dstdomain .foo.net
acl local-external dstdomain .external.foo.net
always_direct deny local-external
always_direct allow local-intranet
never_direct allow all

Caution

It will be better to understand always_direct before enabling this tag


Tag Name

anonymize_headers

Usage

anonymize_headers allow|deny header_name ...

Description


This option replaces the old 'http_anonymizer' optionwith something that is much more configurable. You may now specifyexactly which headers are to be allowed, or which are to be removedfrom outgoing requests.

There are two methods of using this option. You may either allowspecific headers (thus denying all others), or you may deny specificheaders (thus allowing all others).

For example, to achieve the same behavior as the old 'http_anonymizer standard' option, you should use:

anonymize_headers deny From Referer Server
anonymize_headers deny User-Agent WWW-Authenticate Link

Or, to reproduce the old 'http_anonymizer paranoid' feature you should use:

anonymize_headers allow Allow Authorization Cache-Control
anonymize_headers allow Content-Encoding Content-Length
anonymize_headers allow Content-Type Date Expires Host
anonymize_headers allow If-Modified-Since Last-Modified
anonymize_headers allow Location Pragma Accept
anonymize_headers allow Accept-Encoding Accept-Language
anonymize_headers allow Content-Language Mime-Version
anonymize_headers allow Retry-After Title Connection
anonymize_headers allow Proxy-Connection


Default

By default, all headers are allowed (no anonymizing is performed).

Example

-

Caution

You cannot mix "allow" and "deny". All 'anonymize_headers' lines must have the same second argument


Tag Name

fake_user_agent

Usage

fake_user_agent String

Description


If you filter the User-Agent header with ' anonymize_headers' it may cause some Web servers to refuse your request. Use this to fake one up.


Default


fake_user_agent none


Example

fake_user_agent Nutscrape/1.0 (CP/M; 8-bit)

Caution

-


Tag Name

icon_directory

Usage

icon_directory directorypath/directoryname

Description


This tag is to specify the location where the icons are stored


Default


These are normally kept in /usr/local/squid/etc/icons


Example

icon_directory /etc/icons

Caution

-


Tag Name

error_directory

Usage

error_directory directorypath/directoryname

Description


If you wish to create your own versions of the default (English) error files, either to customize them to suit your language or company, copy the template English files to another directoryand point this tag at them


Default


These are normally kept in /usr/local/squid/etc/errors


Example

icon_directory /etc/errors

Caution

-


Tag Name

minimum_retry_timeout

Usage

minimum_retry_timeout (seconds)

Description


This specifies the minimum connect timeout, when the connect timeout is reduced to compensate for the availability of multiple IP addresses. When a connection to a host is initiated, and thathost has several IP addresses, the default connection timeout isreduced by dividing it by the number of addresses. So, a site with15 addresses would then have a timeout of 8 seconds for each addressattempted. To avoid having the timeout reduced to the point whereeven a working host would not have a chance to respond, this settingis provided


Default

The default, and the minimum value, is five seconds, and the maximum value is sixty seconds, or half of connect_timeout, whichever is greater and lessthan connect_timeout. minimum_retry_timeout 5 seconds

Example

-

Caution

-


Tag Name

maximum_single_addr_tries

Usage

maximum_single_addr_tries NUMBER

Description


This sets the maximum number of connection attempts for a host that only has one address (for multiple-address hosts, each address is tried once)


Default

The default value is three tries, the (not recommended) maximum is 255 tries.
maximum_single_addr_tries 3

Example

-

Caution

A warning message will be generated if it is set to a value greater than ten


Tag Name

snmp_port

Usage

snmp_port port

Description


Squid can now serve statistics and status informationvia SNMP. If you don't wish to use SNMP, set this to "0".


Default

By default it listens to port 3401 on the machine.
snmp_port 3401

Example

-

Caution

SNMP support requires use of the --enable-snmp configure command line option


Tag Name

snmp_access

Usage

snmp_access allow|deny [!]aclname ...

Description


Allowing or denying access to the SNMP port. This option is only available if Squid is rebuilt with the --enable-snmp option


Default


All access to the agent is denied by default.


Example

snmp_access allow snmppublic localhost
snmp_access deny all

Caution

-


Tag Name

snmp_incoming_address
snmp_outgoing_address

Usage

snmp_incoming_address IPAddress
snmp_outgoing_address IPAddress

Description


Just like 'udp_incoming_address' above, but for the SNMP port. This option is only available if Squid is rebuilt with the--enable-snmp option

snmp_incoming_address is used for the SNMP socket receiving messages from SNMP agents.
snmp_outgoing_address is used for SNMP packets returned to SNMP agents. See also snmp_port


Default

The default behavior is to not bind to any specific address.
snmp_incoming_address 0.0.0.0
snmp_outgoing_address 255.255.255.255

Example

snmp_incoming_address 172.16.1.115
snmp_outgoing_address 172.16.1.114

Caution

snmp_incoming_address and snmp_outgoing_address cannot have the same value since they both use port 3130.


Tag Name

as_whois_server

Usage

as_whois_server Server-Name

Description


WHOIS server to query for AS numbers. NOTE: AS numbers are queried only when Squid starts up, not for every request


Default


as_whois_server whois.ra.net


Example

-

Caution

-


Tag Name

wccp_router

Usage

wccp_router Router-IPAddress

Description


This option is used to define the WCCP ``home'' router for Squid. Setting the 'wccp_router' to 0.0.0.0 (the default) disables WCCP


Default


wccp_router 0.0.0.0


Example

-

Caution

-


Tag Name

wccp_version

Usage

wccp_version Version

Description


According to some users, Cisco IOS 11.2 only supportsWCCP version 3. If you're using that version of IOS, change thisvalueto 3


Default


wccp_version 4


Example

-

Caution

-


Tag Name

wccp_incoming_address

Usage

wccp_incoming_address IPAddress

Description


Use this option if you require WCCP messages to be received on only one interface. Do NOT use this option if you're unsure how many interfaces you have, or if you know you have only one interface


Default

The default behavior is to not bind to any specific address
wccp_incoming_address 0.0.0.0

Example

-

Caution

wccp_incoming_address and wccp_outgoing_address cannot have the same value since they both use port 2048.


Tag Name

wccp_outgoing_address

Usage

wccp_outgoing_address IPAddress

Description


Use this option if you require WCCP messages to be sent out on only one interface. Do NOT use this option if you're unsure how many interfaces you have, or if you know you have only one interface


Default

The default behavior is to not bind to any specific address
wccp_outgoing_address 255.255.255.255

Example

-

Caution

wccp_incoming_address and wccp_outgoing_address cannot have the same value since they both use port 2048.