Squid (squid.conf)
Categoria: Miscelânea
Software: Squid
[ Hits: 4.165 ]
Por: Paulo Cesar
Este arquivo mostra como configurar o Squid sem logs e com cache em outro diretorio, e ainda com uma acl para evitar a passagem por ele do msn com o hotmail.
# WELCOME TO SQUID 2 # ------------------ # # This is the default Squid configuration file. You may wish # to look at the Squid home page (http://www.squid-cache.org/) # for the FAQ and other documentation. # # The default Squid config file shows what the defaults for # various options happen to be. If you don't need to change the # default, you shouldn't uncomment the line. Doing so may cause # run-time problems. In some cases "none" refers to no default # setting at all, while in other cases it refers to a valid # option - the comments for that keyword indicate if this is the # case. # # NETWORK OPTIONS # ----------------------------------------------------------------------------- # TAG: http_port # Usage: port # hostname:port # 1.2.3.4:port # # The socket addresses where Squid will listen for HTTP client # requests. You may specify multiple socket addresses. # There are three forms: port alone, hostname with port, and # IP address with port. If you specify a hostname or IP # address, then Squid binds the socket to that specific # address. This replaces the old 'tcp_incoming_address' # option. Most likely, you do not need to bind to a specific # address, so you can use the port number alone. # # The default port number is 3128. # # If you are running Squid in accelerator mode, then you # probably want to listen on port 80 also, or instead. # # The -a command line option will override the *first* port # number listed here. That option will NOT override an IP # address, however. # # You may specify multiple socket addresses on multiple lines. # # If you run Squid on a dual-homed machine with an internal # and an external interface then we recommend you to specify the # internal address:port in http_port. This way Squid will only be # visible on the internal address. # #Default: # http_port 3128 # TAG: https_port # Note: This option is only available if Squid is rebuilt with the # --enable-ssl option # # Usage: [ip:]port cert=certificate.pem [key=key.pem] [options...] # # The socket address where Squid will listen for HTTPS client # requests. # # This is really only useful for situations where you are running # squid in accelerator mode and you want to do the SSL work at the # accelerator level. # # You may specify multiple socket addresses on multiple lines, # each with their own SSL certificate and/or options. # # Options: # # cert= Path to SSL certificate (PEM format) # # key= Path to SSL private key file (PEM format) # if not specified, the certificate file is # assumed to be a combined certificate and # key file # # version= The version of SSL/TLS supported # 1 automatic (default) # 2 SSLv2 only # 3 SSLv3 only # 4 TLSv1 only # # cipher= Colon separated list of supported ciphers # # options= Varions SSL engine options. The most important # being: # NO_SSLv2 Disallow the use of SSLv2 # NO_SSLv3 Disallow the use of SSLv3 # NO_TLSv1 Disallow the use of TLSv1 # See src/ssl_support.c or OpenSSL documentation # for a more complete list. # #Default: # none # TAG: ssl_unclean_shutdown # Note: This option is only available if Squid is rebuilt with the # --enable-ssl option # # Some browsers (especially MSIE) bugs out on SSL shutdown # messages. # #Default: # ssl_unclean_shutdown off # TAG: icp_port # The port number where Squid sends and receives ICP queries to # and from neighbor caches. Default is 3130. To disable use # "0". May be overridden with -u on the command line. # #Default: # icp_port 3130 # TAG: htcp_port # Note: This option is only available if Squid is rebuilt with the # --enable-htcp option # # The port number where Squid sends and receives HTCP queries to # and from neighbor caches. Default is 4827. To disable use # "0". # #Default: # htcp_port 4827 # TAG: mcast_groups # This tag specifies a list of multicast groups which your server # should join to receive multicasted ICP queries. # # NOTE! Be very careful what you put here! Be sure you # understand the difference between an ICP _query_ and an ICP # _reply_. This option is to be set only if you want to RECEIVE # multicast queries. Do NOT set this option to SEND multicast # ICP (use cache_peer for that). ICP replies are always sent via # unicast, so this option does not affect whether or not you will # receive replies from multicast group members. # # You must be very careful to NOT use a multicast address which # is already in use by another group of caches. # # If you are unsure about multicast, please read the Multicast # chapter in the Squid FAQ (http://www.squid-cache.org/FAQ/). # # Usage: mcast_groups 239.128.16.128 224.0.1.20 # # By default, Squid doesn't listen on any multicast groups. # #Default: # none # TAG: udp_incoming_address # TAG: udp_outgoing_address # udp_incoming_address is used for the ICP socket receiving packets # from other caches. # udp_outgoing_address is used for ICP packets sent out to other # caches. # # The default behavior is to not bind to any specific address. # # A udp_incoming_address value of 0.0.0.0 indicates that Squid should # listen for UDP messages on all available interfaces. # # If udp_outgoing_address is set to 255.255.255.255 (the default) # then it will use the same socket as udp_incoming_address. Only # change this if you want to have ICP queries sent using another # address than where this Squid listens for ICP queries from other # caches. # # NOTE, udp_incoming_address and udp_outgoing_address can not # have the same value since they both use port 3130. # #Default: # udp_incoming_address 0.0.0.0 # udp_outgoing_address 255.255.255.255 # OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM # ----------------------------------------------------------------------------- # TAG: cache_peer # To specify other caches in a hierarchy, use the format: # # cache_peer hostname type http_port icp_port # # For example, # # # proxy icp # # hostname type port port options # # -------------------- -------- ----- ----- ----------- # cache_peer parent.foo.net parent 3128 3130 [proxy-only] # cache_peer sib1.foo.net sibling 3128 3130 [proxy-only] # cache_peer sib2.foo.net sibling 3128 3130 [proxy-only] # # type: either 'parent', 'sibling', or 'multicast'. # # proxy_port: The port number where the cache listens for proxy # requests. # # icp_port: Used for querying neighbor caches about # objects. To have a non-ICP neighbor # specify '7' for the ICP port and make sure the # neighbor machine has the UDP echo port # enabled in its /etc/inetd.conf file. # # options: proxy-only # weight=n # ttl=n # no-query # default # round-robin # multicast-responder # closest-only # no-digest # no-netdb-exchange # no-delay # login=user:password | PASS | *:password # connect-timeout=nn # digest-url=url # allow-miss # max-conn # # use 'proxy-only' to specify that objects fetched # from this cache should not be saved locally. # # use 'weight=n' to specify a weighted parent. # The weight must be an integer. The default weight # is 1, larger weights are favored more. # # use 'ttl=n' to specify a IP multicast TTL to use # when sending an ICP queries to this address. # Only useful when sending to a multicast group. # Because we don't accept ICP replies from random # hosts, you must configure other group members as # peers with the 'multicast-responder' option below. # # use 'no-query' to NOT send ICP queries to this # neighbor. # # use 'default' if this is a parent cache which can # be used as a "last-resort." You should probably # only use 'default' in situations where you cannot # use ICP with your parent cache(s). # # use 'round-robin' to define a set of parents which # should be used in a round-robin fashion in the # absence of any ICP queries. # # 'multicast-responder' indicates that the named peer # is a member of a multicast group. ICP queries will # not be sent directly to the peer, but ICP replies # will be accepted from it. # # 'closest-only' indicates that, for ICP_OP_MISS # replies, we'll only forward CLOSEST_PARENT_MISSes # and never FIRST_PARENT_MISSes. # # use 'no-digest' to NOT request cache digests from # this neighbor. # # 'no-netdb-exchange' disables requesting ICMP # RTT database (NetDB) from the neighbor. # # use 'no-delay' to prevent access to this neighbor # from influencing the delay pools. # # use 'login=user:password' if this is a personal/workgroup # proxy and your parent requires proxy authentication. # Note: The string can include URL escapes (i.e. %20 for # spaces). This also means that % must be written as %%. # # use 'login=PASS' if users must authenticate against # the upstream proxy. This will pass the users credentials # as they are to the peer proxy. This only works for the # Basic HTTP authentication sheme. Note: To combine this # with proxy_auth both proxies must share the same user # database as HTTP only allows for one proxy login. # Also be warned that this will expose your users proxy # password to the peer. USE WITH CAUTION # # use 'login=*:password' to pass the username to the # upstream cache, but with a fixed password. This is meant # to be used when the peer is in another administrative # domain, but it is still needed to identify each user. # The star can optionally be followed by some extra # information which is added to the username. This can # be used to identify this proxy to the peer, similar to # the login=username:password option above. # # use 'connect-timeout=nn' to specify a peer # specific connect timeout (also see the # peer_connect_timeout directive) # # use 'digest-url=url' to tell Squid to fetch the cache # digest (if digests are enabled) for this host from # the specified URL rather than the Squid default # location. # # use 'allow-miss' to disable Squid's use of only-if-cached # when forwarding requests to siblings. This is primarily # useful when icp_hit_stale is used by the sibling. To # extensive use of this option may result in forwarding # loops, and you should avoid having two-way peerings # with this option. (for example to deny peer usage on # requests from peer by denying cache_peer_access if the # source is a peer) # # use 'max-conn' to limit the amount of connections Squid # may open to this peer. # # NOTE: non-ICP neighbors must be specified as 'parent'. # #Default: # none # TAG: cache_peer_domain # Use to limit the domains for which a neighbor cache will be # queried. Usage: # # cache_peer_domain cache-host domain [domain ...] # cache_peer_domain cache-host !domain # # For example, specifying # # cache_peer_domain parent.foo.net .edu # # has the effect such that UDP query packets are sent to # 'bigserver' only when the requested object exists on a # server in the .edu domain. Prefixing the domainname # with '!' means that the cache will be queried for objects # NOT in that domain. # # NOTE: * Any number of domains may be given for a cache-host, # either on the same or separate lines. # * When multiple domains are given for a particular # cache-host, the first matched domain is applied. # * Cache hosts with no domain restrictions are queried # for all requests. # * There are no defaults. # * There is also a 'cache_peer_access' tag in the ACL # section. # #Default: # none # TAG: neighbor_type_domain # usage: neighbor_type_domain parent|sibling domain domain ... # # Modifying the neighbor type for specific domains is now # possible. You can treat some domains differently than the the # default neighbor type specified on the 'cache_peer' line. # Normally it should only be necessary to list domains which # should be treated differently because the default neighbor type # applies for hostnames which do not match domains listed here. # #EXAMPLE: # cache_peer parent cache.foo.org 3128 3130 # neighbor_type_domain cache.foo.org sibling .com .net # neighbor_type_domain cache.foo.org sibling .au .de # #Default: # none # TAG: icp_query_timeout (msec) # Normally Squid will automatically determine an optimal ICP # query timeout value based on the round-trip-time of recent ICP # queries. If you want to override the value determined by # Squid, set this 'icp_query_timeout' to a non-zero value. This # value is specified in MILLISECONDS, so, to use a 2-second # timeout (the old default), you would write: # # icp_query_timeout 2000 # #Default: # icp_query_timeout 0 # TAG: maximum_icp_query_timeout (msec) # Normally the ICP query timeout is determined dynamically. But # sometimes it can lead to very large values (say 5 seconds). # Use this option to put an upper limit on the dynamic timeout # value. Do NOT use this option to always use a fixed (instead # of a dynamic) timeout value. To set a fixed timeout see the # 'icp_query_timeout' directive. # #Default: # maximum_icp_query_timeout 2000 # TAG: mcast_icp_query_timeout (msec) # For Multicast peers, Squid regularly sends out ICP "probes" to # count how many other peers are listening on the given multicast # address. This value specifies how long Squid should wait to # count all the replies. The default is 2000 msec, or 2 # seconds. # #Default: # mcast_icp_query_timeout 2000 # TAG: dead_peer_timeout (seconds) # This controls how long Squid waits to declare a peer cache # as "dead." If there are no ICP replies received in this # amount of time, Squid will declare the peer dead and not # expect to receive any further ICP replies. However, it # continues to send ICP queries, and will mark the peer as # alive upon receipt of the first subsequent ICP reply. # # This timeout also affects when Squid expects to receive ICP # replies from peers. If more than 'dead_peer' seconds have # passed since the last ICP reply was received, Squid will not # expect to receive an ICP reply on the next query. Thus, if # your time between requests is greater than this timeout, you # will see a lot of requests sent DIRECT to origin servers # instead of to your parents. # #Default: # dead_peer_timeout 10 seconds # TAG: hierarchy_stoplist # A list of words which, if found in a URL, cause the object to # be handled directly by this cache. In other words, use this # to not query neighbor caches for certain objects. You may # list this option multiple times. #We recommend you to use at least the following line. hierarchy_stoplist cgi-bin ? # TAG: no_cache # A list of ACL elements which, if matched, cause the request to # not be satisfied from the cache and the reply to not be cached. # In other words, use this to force certain objects to never be cached. # # You must use the word 'DENY' to indicate the ACL names which should # NOT be cached. # #We recommend you to use the following two lines. acl QUERY urlpath_regex cgi-bin \? no_cache deny QUERY # OPTIONS WHICH AFFECT THE CACHE SIZE # ----------------------------------------------------------------------------- # TAG: cache_mem (bytes) # NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS SIZE. # IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL # USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER # THINGS AS WELL. SEE THE SQUID FAQ SECTION 8 FOR DETAILS. # # 'cache_mem' specifies the ideal amount of memory to be used # for: # * In-Transit objects # * Hot Objects # * Negative-Cached objects # # Data for these objects are stored in 4 KB blocks. This # parameter specifies the ideal upper limit on the total size of # 4 KB blocks allocated. In-Transit objects take the highest # priority. # # In-transit objects have priority over the others. When # additional space is needed for incoming data, negative-cached # and hot objects will be released. In other words, the # negative-cached and hot objects will fill up any unused space # not needed for in-transit objects. # # If circumstances require, this limit will be exceeded. # Specifically, if your incoming request rate requires more than # 'cache_mem' of memory to hold in-transit objects, Squid will # exceed this limit to satisfy the new requests. When the load # decreases, blocks will be freed until the high-water mark is # reached. Thereafter, blocks will be used to store hot # objects. # #Default: # cache_mem 8 MB # TAG: cache_swap_low (percent, 0-100) # TAG: cache_swap_high (percent, 0-100) # # The low- and high-water marks for cache object replacement. # Replacement begins when the swap (disk) usage is above the # low-water mark and attempts to maintain utilization near the # low-water mark. As swap utilization gets close to high-water # mark object eviction becomes more aggressive. If utilization is # close to the low-water mark less replacement is done each time. # # Defaults are 90% and 95%. If you have a large cache, 5% could be # hundreds of MB. If this is the case you may wish to set these # numbers closer together. # #Default: # cache_swap_low 90 # cache_swap_high 95 # TAG: maximum_object_size (bytes) # Objects larger than this size will NOT be saved on disk. The # value is specified in kilobytes, and the default is 4MB. If # you wish to get a high BYTES hit ratio, you should probably # increase this (one 32 MB object hit counts for 3200 10KB # hits). If you wish to increase speed more than your want to # save bandwidth you should leave this low. # # NOTE: if using the LFUDA replacement policy you should increase # this value to maximize the byte hit rate improvement of LFUDA! # See replacement_policy below for a discussion of this policy. # #Default: # maximum_object_size 4096 KB # TAG: minimum_object_size (bytes) # Objects smaller than this size will NOT be saved on disk. The # value is specified in kilobytes, and the default is 0 KB, which # means there is no minimum. # #Default: # minimum_object_size 0 KB # TAG: maximum_object_size_in_memory (bytes) # Objects greater than this size will not be attempted to kept in # the memory cache. This should be set high enough to keep objects # accessed frequently in memory to improve performance whilst low # enough to keep larger objects from hoarding cache_mem . # #Default: # maximum_object_size_in_memory 8 KB # TAG: ipcache_size (number of entries) # TAG: ipcache_low (percent) # TAG: ipcache_high (percent) # The size, low-, and high-water marks for the IP cache. # #Default: # ipcache_size 1024 # ipcache_low 90 # ipcache_high 95 # TAG: fqdncache_size (number of entries) # Maximum number of FQDN cache entries. # #Default: # fqdncache_size 1024 # TAG: cache_replacement_policy # The cache replacement policy parameter determines which # objects are evicted (replaced) when disk space is needed. # # lru : Squid's original list based LRU policy # heap GDSF : Greedy-Dual Size Frequency # heap LFUDA: Least Frequently Used with Dynamic Aging # heap LRU : LRU policy implemented using a heap # # Applies to any cache_dir lines listed below this. # # The LRU policies keeps recently referenced objects. # # The heap GDSF policy optimizes object hit rate by keeping smaller # popular objects in cache so it has a better chance of getting a # hit. It achieves a lower byte hit rate than LFUDA though since # it evicts larger (possibly popular) objects. # # The heap LFUDA policy keeps popular objects in cache regardless of # their size and thus optimizes byte hit rate at the expense of # hit rate since one large, popular object will prevent many # smaller, slightly less popular objects from being cached. # # Both policies utilize a dynamic aging mechanism that prevents # cache pollution that can otherwise occur with frequency-based # replacement policies. # # NOTE: if using the LFUDA replacement policy you should increase # the value of maximum_object_size above its default of 4096 KB to # to maximize the potential byte hit rate improvement of LFUDA. # # For more information about the GDSF and LFUDA cache replacement # policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html # and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html. # #Default: # cache_replacement_policy lru # TAG: memory_replacement_policy # The memory replacement policy parameter determines which # objects are purged from memory when memory space is needed. # # See cache_replacement_policy for details. # #Default: # memory_replacement_policy lru # LOGFILE PATHNAMES AND CACHE DIRECTORIES # ----------------------------------------------------------------------------- # TAG: cache_dir # Usage: # # cache_dir Type Directory-Name Fs-specific-data [options] # # cache_dir diskd Maxobjsize Directory-Name MB L1 L2 Q1 Q2 # # You can specify multiple cache_dir lines to spread the # cache among different disk partitions. # # Type specifies the kind of storage system to use. Only "ufs" # is built by default. To eanble any of the other storage systems # see the --enable-storeio configure option. # # 'Directory' is a top-level directory where cache swap # files will be stored. If you want to use an entire disk # for caching, then this can be the mount-point directory. # The directory must exist and be writable by the Squid # process. Squid will NOT create this directory for you. # # The ufs store type: # # "ufs" is the old well-known Squid storage format that has always # been there. # # cache_dir ufs Directory-Name Mbytes L1 L2 [options] # # 'Mbytes' is the amount of disk space (MB) to use under this # directory. The default is 100 MB. Change this to suit your # configuration. # # 'Level-1' is the number of first-level subdirectories which # will be created under the 'Directory'. The default is 16. # # 'Level-2' is the number of second-level subdirectories which # will be created under each first-level directory. The default # is 256. # # The aufs store type: # # "aufs" uses the same storage format as "ufs", utilizing # POSIX-threads to avoid blocking the main Squid process on # disk-I/O. This was formerly known in Squid as async-io. # # cache_dir aufs Directory-Name Mbytes L1 L2 [options] # # see argument descriptions under ufs above # # The diskd store type: # # "diskd" uses the same storage format as "ufs", utilizing a # separate process to avoid blocking the main Squid process on # disk-I/O. # # cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n] # # see argument descriptions under ufs above # # Q1 specifies the number of unacknowledged I/O requests when Squid # stops opening new files. If this many messages are in the queues, # Squid won't open new files. Default is 64 # # Q2 specifies the number of unacknowledged messages when Squid # starts blocking. If this many messages are in the queues, # Squid blocks until it recevies some replies. Default is 72 # # Common options: # # read-only, this cache_dir is read only. # # max-size=n, refers to the max object size this storedir supports. # It is used to initially choose the storedir to dump the object. # Note: To make optimal use of the max-size limits you should order # the cache_dir lines with the smallest max-size value first and the # ones with no max-size specification last. # #Default: cache_dir ufs /squid/var/cache 2700 16 256 # TAG: cache_access_log # Logs the client request activity. Contains an entry for # every HTTP and ICP queries received. To disable, enter "none". # #Default: # cache_access_log /squid/var/logs/access.log cache_access_log /dev/null # TAG: cache_log # Cache logging file. This is where general information about # your cache's behavior goes. You can increase the amount of data # logged to this file with the "debug_options" tag below. # #Default: # cache_log /squid/var/logs/cache.log cache_log /dev/null # TAG: cache_store_log # Logs the activities of the storage manager. Shows which # objects are ejected from the cache, and which objects are # saved and for how long. To disable, enter "none". There are # not really utilities to analyze this data, so you can safely # disable it. # #Default: cache_store_log /squid/var/logs/store.log cache_store_log /dev/null # TAG: cache_swap_log # Location for the cache "swap.log." This log file holds the # metadata of objects saved on disk. It is used to rebuild the # cache during startup. Normally this file resides in each # 'cache_dir' directory, but you may specify an alternate # pathname here. Note you must give a full filename, not just # a directory. Since this is the index for the whole object # list you CANNOT periodically rotate it! # # If %s can be used in the file name then it will be replaced with a # a representation of the cache_dir name where each / is replaced # with '.'. This is needed to allow adding/removing cache_dir # lines when cache_swap_log is being used. # # If have more than one 'cache_dir', and %s is not used in the name # then these swap logs will have names such as: # # cache_swap_log.00 # cache_swap_log.01 # cache_swap_log.02 # # The numbered extension (which is added automatically) # corresponds to the order of the 'cache_dir' lines in this # configuration file. If you change the order of the 'cache_dir' # lines in this file, then these log files will NOT correspond to # the correct 'cache_dir' entry (unless you manually rename # them). We recommend that you do NOT use this option. It is # better to keep these log files in each 'cache_dir' directory. # #Default: # none # TAG: emulate_httpd_log on|off # The Cache can emulate the log file format which many 'httpd' # programs use. To disable/enable this emulation, set # emulate_httpd_log to 'off' or 'on'. The default # is to use the native log format since it includes useful # information that Squid-specific log analyzers use. # #Default: # emulate_httpd_log off # TAG: log_ip_on_direct on|off # Log the destination IP address in the hierarchy log tag when going # direct. Earlier Squid versions logged the hostname here. If you # prefer the old way set this to off. # #Default: # log_ip_on_direct on # TAG: mime_table # Pathname to Squid's MIME table. You shouldn't need to change # this, but the default file contains examples and formatting # information if you do. # #Default: # mime_table /usr/local/squid/etc/mime.conf # TAG: log_mime_hdrs on|off # The Cache can record both the request and the response MIME # headers for each HTTP transaction. The headers are encoded # safely and will appear as two bracketed fields at the end of # the access log (for either the native or httpd-emulated log # formats). To enable this logging set log_mime_hdrs to 'on'. # #Default: # log_mime_hdrs off # TAG: useragent_log # Note: This option is only available if Squid is rebuilt with the # --enable-useragent-log option # # Squid will write the User-Agent field from HTTP requests # to the filename specified here. By default useragent_log # is disabled. # #Default: # none # TAG: referer_log # Note: This option is only available if Squid is rebuilt with the # --enable-referer-log option # # Squid will write the Referer field from HTTP requests to the # filename specified here. By default referer_log is disabled. # #Default: # none # TAG: pid_filename # A filename to write the process-id to. To disable, enter "none". # #Default: # pid_filename /usr/local/squid/var/logs/squid.pid # TAG: debug_options # Logging options are set as section,level where each source file # is assigned a unique section. Lower levels result in less # output, Full debugging (level 9) can result in a very large # log file, so be careful. The magic word "ALL" sets debugging # levels for all sections. We recommend normally running with # "ALL,1". # #Default: # debug_options ALL,1 # TAG: log_fqdn on|off # Turn this on if you wish to log fully qualified domain names # in the access.log. To do this Squid does a DNS lookup of all # IP's connecting to it. This can (in some situations) increase # latency, which makes your cache seem slower for interactive # browsing. # #Default: # log_fqdn off # TAG: client_netmask # A netmask for client addresses in logfiles and cachemgr output. # Change this to protect the privacy of your cache clients. # A netmask of 255.255.255.0 will log all IP's in that range with # the last digit set to '0'. # #Default: # client_netmask 255.255.255.255 # OPTIONS FOR EXTERNAL SUPPORT PROGRAMS # ----------------------------------------------------------------------------- # TAG: ftp_user # If you want the anonymous login password to be more informative # (and enable the use of picky ftp servers), set this to something # reasonable for your domain, like wwwuser@somewhere.net # # The reason why this is domainless by default is that the # request can be made on the behalf of a user in any domain, # depending on how the cache is used. # Some ftp server also validate that the email address is valid # (for example perl.com). # #Default: # ftp_user Squid@ # TAG: ftp_list_width # Sets the width of ftp listings. This should be set to fit in # the width of a standard browser. Setting this too small # can cut off long filenames when browsing ftp sites. # #Default: # ftp_list_width 32 # TAG: ftp_passive # If your firewall does not allow Squid to use passive # connections, then turn off this option. # #Default: # ftp_passive on # TAG: ftp_sanitycheck # For security and data integrity reasons Squid by default performs # sanity checks of the addresses of FTP data connections ensure the # data connection is to the requested server. If you need to allow # FTP connections to servers using another IP address for the data # connection then turn this off. # #Default: # ftp_sanitycheck on # TAG: cache_dns_program # Note: This option is only available if Squid is rebuilt with the # --disable-internal-dns option # # Specify the location of the executable for dnslookup process. # #Default: # cache_dns_program /usr/local/squid/libexec/ # TAG: dns_children # Note: This option is only available if Squid is rebuilt with the # --disable-internal-dns option # # The number of processes spawn to service DNS name lookups. # For heavily loaded caches on large servers, you should # probably increase this value to at least 10. The maximum # is 32. The default is 5. # # You must have at least one dnsserver process. # #Default: # dns_children 5 # TAG: dns_retransmit_interval # Initial retransmit interval for DNS queries. The interval is # doubled each time all configured DNS servers have been tried. # # #Default: # dns_retransmit_interval 5 seconds # TAG: dns_timeout # DNS Query timeout. If no response is received to a DNS query # within this time then all DNS servers for the queried domain # is assumed to be unavailable. # #Default: # dns_timeout 5 minutes # TAG: dns_defnames on|off # Note: This option is only available if Squid is rebuilt with the # --disable-internal-dns option # # Normally the 'dnsserver' disables the RES_DEFNAMES resolver # option (see res_init(3)). This prevents caches in a hierarchy # from interpreting single-component hostnames locally. To allow # dnsserver to handle single-component names, enable this # option. # #Default: # dns_defnames off # TAG: dns_nameservers # Use this if you want to specify a list of DNS name servers # (IP addresses) to use instead of those given in your # /etc/resolv.conf file. # On Windows platforms, if no value is specified here or in # the /etc/resolv.conf file, the list of DNS name servers are # taken from the Windows registry, both static and dynamic DHCP # configurations are supported. # # Example: dns_nameservers 10.0.0.1 192.172.0.4 # #Default: # none # TAG: hosts_file # Location of the host-local IP name-address associations # database. Most Operating Systems have such a file: under # Un*X it's by default in /etc/hosts MS-Windows NT/2000 places # that in %SystemRoot%(by default # c:\winnt)\system32\drivers\etc\hosts, while Windows 9x/ME # places that in %windir%(usually c:\windows)\hosts # # The file contains newline-separated definitions, in the # form ip_address_in_dotted_form name [name ...] names are # whitespace-separated. lines beginnng with an hash (#) # character are comments. # # The file is checked at startup and upon configuration. If # set to 'none', it won't be checked. If append_domain is # used, that domain will be added to domain-local (i.e. not # containing any dot character) host definitions. # #Default: # hosts_file /etc/hosts # TAG: diskd_program # Specify the location of the diskd executable. # Note that this is only useful if you have compiled in # diskd as one of the store io modules. # #Default: # diskd_program /usr/local/squid/libexec/ # TAG: unlinkd_program # Specify the location of the executable for file deletion process. # #Default: # unlinkd_program /usr/local/squid/libexec/unlinkd # TAG: pinger_program # Note: This option is only available if Squid is rebuilt with the # --enable-icmp option # # Specify the location of the executable for the pinger process. # #Default: # pinger_program /usr/local/squid/libexec/ # TAG: redirect_program # Specify the location of the executable for the URL redirector. # Since they can perform almost any function there isn't one included. # See the FAQ (section 15) for information on how to write one. # By default, a redirector is not used. # #Default: # none # TAG: redirect_children # The number of redirector processes to spawn. If you start # too few Squid will have to wait for them to process a backlog of # URLs, slowing it down. If you start too many they will use RAM # and other system resources. # #Default: # redirect_children 5 # TAG: redirect_rewrites_host_header # By default Squid rewrites any Host: header in redirected # requests. If you are running an accelerator then this may # not be a wanted effect of a redirector. # #Default: # redirect_rewrites_host_header on # TAG: redirector_access # If defined, this access list specifies which requests are # sent to the redirector processes. By default all requests # are sent. # #Default: # none # TAG: auth_param # This is used to pass parameters to the various authentication # schemes. # format: auth_param scheme parameter [setting] # # auth_param basic program /usr/local/squid/bin/ncsa_auth /usr/local/squid/etc/passwd # would tell the basic authentication scheme it's program parameter. # # The order that authentication prompts are presented to the client_agent # is dependant on the order the scheme first appears in config file. # IE has a bug (it's not rfc 2617 compliant) in that it will use the basic # scheme if basic is the first entry presented, even if more secure schemes # are presented. For now use the order in the file below. If other browsers # have difficulties (don't recognise the schemes offered even if you are using # basic) then either put basic first, or disable the other schemes (by commenting # out their program entry). # # Once an authentication scheme is fully configured, it can only be shutdown # by shutting squid down and restarting. Changes can be made on the fly and # activated with a reconfigure. I.E. You can change to a different helper, # but not unconfigure the helper completely. # # === Parameters for the basic scheme follow. === # # "program" cmdline # Specify the command for the external authenticator. Such a # program reads a line containing "username password" and replies # "OK" or "ERR" in an endless loop. If you use an authenticator, # make sure you have 1 acl of type proxy_auth. By default, the # authenticate_program is not used. # # If you want to use the traditional proxy authentication, # jump over to the ../auth_modules/NCSA directory and # type: # % make # % make install # # Then, set this line to something like # # auth_param basic program /usr/local/squid/bin/ncsa_auth /usr/local/squid/etc/passwd # # "children" numberofchildren # The number of authenticator processes to spawn (no default). # If you start too few Squid will have to wait for them to # process a backlog of usercode/password verifications, slowing # it down. When password verifications are done via a (slow) # network you are likely to need lots of authenticator # processes. # auth_param basic children 5 # # "realm" realmstring # Specifies the realm name which is to be reported to the # client for the basic proxy authentication scheme (part of # the text the user will see when prompted their username and # password). There is no default. # auth_param basic realm Squid proxy-caching web server # # "credentialsttl" timetolive # Specifies how long squid assumes an externally validated # username:password pair is valid for - in other words how # often the helper program is called for that user. Set this # low to force revalidation with short lived passwords. Note # that setting this high does not impact your susceptability # to replay attacks unless you are using an one-time password # system (such as SecureID). If you are using such a system, # you will be vulnerable to replay attacks unless you also # enable the IP ttl is strict option. # # === Parameters for the digest scheme follow === # # "program" cmdline # Specify the command for the external authenticator. Such # a program reads a line containing "username":"realm" and # replies with the appropriate H(A1) value base64 encoded. # See rfc 2616 for the definition of H(A1). If you use an # authenticator, make sure you have 1 acl of type proxy_auth. # By default, authentication is not used. # # If you want to use build an authenticator, # jump over to the ../digest_auth_modules directory and choose the # authenticator to use. It it's directory type # % make # % make install # # Then, set this line to something like # # auth_param digest program /usr/local/squid/bin/digest_auth_pw /usr/local/squid/etc/digpass # # # "children" numberofchildren # The number of authenticator processes to spawn (no default). # If you start too few Squid will have to wait for them to # process a backlog of H(A1) calculations, slowing it down. # When the H(A1) calculations are done via a (slow) network # you are likely to need lots of authenticator processes. # auth_param digest children 5 # # "realm" realmstring # Specifies the realm name which is to be reported to the # client for the digest proxy authentication scheme (part of # the text the user will see when prompted their username and # password). There is no default. # auth_param digest realm Squid proxy-caching web server # # "nonce_garbage_interval" timeinterval # Specifies the interval that nonces that have been issued # to client_agent's are checked for validity. # # "nonce_max_duration" timeinterval # Specifies the maximum length of time a given nonce will be # valid for. # # "nonce_max_count" number # Specifies the maximum number of times a given nonce can be # used. # # "nonce_strictness" on|off # Determines if squid requires increment-by-1 behaviour for # nonce counts (on - the default), or strictly incrementing # (off - for use when useragents generate nonce counts that # occasionally miss 1 (ie, 1,2,4,6)). # # === NTLM scheme options follow === # # "program" cmdline # Specify the command for the external ntlm authenticator. # Such a program reads a line containing the uuencoded NEGOTIATE # and replies with the ntlm CHALLENGE, then waits for the # response and answers with "OK" or "ERR" in an endless loop. # If you use an ntlm authenticator, make sure you have 1 acl # of type proxy_auth. By default, the ntlm authenticator_program # is not used. # # auth_param ntlm program /usr/local/squid/bin/ntlm_auth # # "children" numberofchildren # The number of authenticator processes to spawn (no default). # If you start too few Squid will have to wait for them to # process a backlog of credential verifications, slowing it # down. When crendential verifications are done via a (slow) # network you are likely to need lots of authenticator # processes. # auth_param ntlm children 5 # # "max_challenge_reuses" number # The maximum number of times a challenge given by a ntlm # authentication helper can be reused. Increasing this number # increases your exposure to replay attacks on your network. # 0 means use the challenge only once. (disable challenge # caching) See max_ntlm_challenge_lifetime for more information. # auth_param ntlm max_challenge_reuses 0 # # "max_challenge_lifetime" timespan # The maximum time period that a ntlm challenge is reused # over. The actual period will be the minimum of this time # AND the number of reused challenges. # auth_param ntlm max_challenge_lifetime 2 minutes # #Recommended minimum configuration: #auth_param digest program <uncomment and complete this line> #auth_param digest children 5 #auth_param digest realm Squid proxy-caching web server #auth_param digest nonce_garbage_interval 5 minutes #auth_param digest nonce_max_duration 30 minutes #auth_param digest nonce_max_count 50 #auth_param ntlm program <uncomment and complete this line to activate> #auth_param ntlm children 5 #auth_param ntlm max_challenge_reuses 0 #auth_param ntlm max_challenge_lifetime 2 minutes #auth_param basic program <uncomment and complete this line> auth_param basic children 5 auth_param basic realm Squid proxy-caching web server auth_param basic credentialsttl 2 hours # TAG: authenticate_cache_garbage_interval # The time period between garbage collection across the # username cache. This is a tradeoff between memory utilisation # (long intervals - say 2 days) and CPU (short intervals - # say 1 minute). Only change if you have good reason to. # #Default: # authenticate_cache_garbage_interval 1 hour # TAG: authenticate_ttl # The time a user & their credentials stay in the logged in # user cache since their last request. When the garbage # interval passes, all user credentials that have passed their # TTL are removed from memory. # #Default: # authenticate_ttl 1 hour # TAG: authenticate_ip_ttl # With this option you control how long a proxy authentication # will be bound to a specific IP address. If a request using # the same user name is received during this time then access # will be denied and both users are required to reauthenticate # them selves. The idea behind this is to make it annoying # for people to share their password to their friends, but # yet allow a dialup user to reconnect on a different dialup # port. # # The default is 0 to disable the check. Recommended value # if you have dialup users are no more than 60 seconds to allow # the user to redial without hassle. If all your users are # stationary then higher values may be used. # # See also the acl max_user_ip. The max_user_ip acl replaces # the authenticate_ip_ttl_is_strict option found in earlier # Squid versions. # #Default: # authenticate_ip_ttl 0 seconds # TAG: external_acl_type # This option defines external acl classes using a helper program # to look up the status # # external_acl_type name [options] FORMAT.. /path/to/helper [helper arguments..] # # Options: # # ttl=n TTL in seconds for cached results (defaults to 3600 # for 1 hour) # negative_ttl=n # TTL for cached negative lookups (default same # as ttl) # concurrency=n Concurrency level / number of processes spawn # to service external acl lookups of this type. # cache=n result cache size, 0 is unbounded (default) # # FORMAT specifications # # %LOGIN Authenticated user login name # %IDENT Ident user name # %SRC Client IP # %DST Requested host # %PROTO Requested protocol # %PORT Requested port # %METHOD Request method # %{Header} HTTP request header # %{Hdr:member} HTTP request header list member # %{Hdr:;member} # HTTP request header list member using ; as # list separator. ; can be any non-alphanumeric # character. # # In addition, any string specified in the referencing acl will # also be included in the helper request line, after the specified # formats (see the "acl external" directive) # # The helper receives lines per the above format specification, # and returns lines starting with OK or ERR indicating the validity # of the request and optionally followed by additional keywords with # more details. # # General result syntax: # # OK/ERR keyword=value ... # # Defined keywords: # # user= The users name (login) # error= Error description (only defined for ERR results) # # Keyword values need to be enclosed in quotes if they may contain # whitespace, or the whitespace escaped using \. Any quotes or \ # characters within the keyword value must be \ escaped. # #Default: # none # OPTIONS FOR TUNING THE CACHE # ----------------------------------------------------------------------------- # TAG: wais_relay_host # TAG: wais_relay_port # Relay WAIS request to host (1st arg) at port (2 arg). # #Default: # wais_relay_port 0 # TAG: request_header_max_size (KB) # This specifies the maximum size for HTTP headers in a request. # Request headers are usually relatively small (about 512 bytes). # Placing a limit on the request header size will catch certain # bugs (for example with persistent connections) and possibly # buffer-overflow or denial-of-service attacks. # #Default: # request_header_max_size 10 KB # TAG: request_body_max_size (KB) # This specifies the maximum size for an HTTP request body. # In other words, the maximum size of a PUT/POST request. # A user who attempts to send a request with a body larger # than this limit receives an "Invalid Request" error message. # If you set this parameter to a zero (the default), there will # be no limit imposed. # #Default: # request_body_max_size 0 KB # TAG: refresh_pattern # usage: refresh_pattern [-i] regex min percent max [options] # # By default, regular expressions are CASE-SENSITIVE. To make # them case-insensitive, use the -i option. # # 'Min' is the time (in minutes) an object without an explicit # expiry time should be considered fresh. The recommended # value is 0, any higher values may cause dynamic applications # to be erroneously cached unless the application designer # has taken the appropriate actions. # # 'Percent' is a percentage of the objects age (time since last # modification age) an object without explicit expiry time # will be considered fresh. # # 'Max' is an upper limit on how long objects without an explicit # expiry time will be considered fresh. # # options: override-expire # override-lastmod # reload-into-ims # ignore-reload # # override-expire enforces min age even if the server # sent a Expires: header. Doing this VIOLATES the HTTP # standard. Enabling this feature could make you liable # for problems which it causes. # # override-lastmod enforces min age even on objects # that was modified recently. # # reload-into-ims changes client no-cache or ``reload'' # to If-Modified-Since requests. Doing this VIOLATES the # HTTP standard. Enabling this feature could make you # liable for problems which it causes. # # ignore-reload ignores a client no-cache or ``reload'' # header. Doing this VIOLATES the HTTP standard. Enabling # this feature could make you liable for problems which # it causes. # # Please see the file doc/Release-Notes-1.1.txt for a full # description of Squid's refresh algorithm. Basically a # cached object is: (the order is changed from 1.1.X) # # FRESH if expires < now, else STALE # STALE if age > max # FRESH if lm-factor < percent, else STALE # FRESH if age < min # else STALE # # The refresh_pattern lines are checked in the order listed here. # The first entry which matches is used. If none of the entries # match, then the default will be used. # # Note, you must uncomment all the default lines if you want # to change one. The default setting is only active if none is # used. # #Suggested default: refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern . 0 20% 4320 # TAG: quick_abort_min (KB) # TAG: quick_abort_max (KB) # TAG: quick_abort_pct (percent) # The cache by default continues downloading aborted requests # which are almost completed (less than 16 KB remaining). This # may be undesirable on slow (e.g. SLIP) links and/or very busy # caches. Impatient users may tie up file descriptors and # bandwidth by repeatedly requesting and immediately aborting # downloads. # # When the user aborts a request, Squid will check the # quick_abort values to the amount of data transfered until # then. # # If the transfer has less than 'quick_abort_min' KB remaining, # it will finish the retrieval. # # If the transfer has more than 'quick_abort_max' KB remaining, # it will abort the retrieval. # # If more than 'quick_abort_pct' of the transfer has completed, # it will finish the retrieval. # # If you do not want any retrieval to continue after the client # has aborted, set both 'quick_abort_min' and 'quick_abort_max' # to '0 KB'. # # If you want retrievals to always continue if they are being # cached then set 'quick_abort_min' to '-1 KB'. # #Default: # quick_abort_min 16 KB # quick_abort_max 16 KB # quick_abort_pct 95 # TAG: negative_ttl time-units # Time-to-Live (TTL) for failed requests. Certain types of # failures (such as "connection refused" and "404 Not Found") are # negatively-cached for a configurable amount of time. The # default is 5 minutes. Note that this is different from # negative caching of DNS lookups. # #Default: # negative_ttl 5 minutes # TAG: positive_dns_ttl time-units # Time-to-Live (TTL) for positive caching of successful DNS lookups. # Default is 6 hours (360 minutes). If you want to minimize the # use of Squid's ipcache, set this to 1, not 0. # #Default: # positive_dns_ttl 6 hours # TAG: negative_dns_ttl time-units # Time-to-Live (TTL) for negative caching of failed DNS lookups. # #Default: # negative_dns_ttl 5 minutes # TAG: range_offset_limit (bytes) # Sets a upper limit on how far into the the file a Range request # may be to cause Squid to prefetch the whole file. If beyond this # limit then Squid forwards the Range request as it is and the result # is NOT cached. # # This is to stop a far ahead range request (lets say start at 17MB) # from making Squid fetch the whole object up to that point before # sending anything to the client. # # A value of -1 causes Squid to always fetch the object from the # beginning so that it may cache the result. (2.0 style) # # A value of 0 causes Squid to never fetch more than the # client requested. (default) # #Default: # range_offset_limit 0 KB # TIMEOUTS # ----------------------------------------------------------------------------- # TAG: connect_timeout time-units # Some systems (notably Linux) can not be relied upon to properly # time out connect(2) requests. Therefore the Squid process # enforces its own timeout on server connections. This parameter # specifies how long to wait for the connect to complete. The # default is two minutes (120 seconds). # #Default: # connect_timeout 2 minutes # TAG: peer_connect_timeout time-units # This parameter specifies how long to wait for a pending TCP # connection to a peer cache. The default is 30 seconds. You # may also set different timeout values for individual neighbors # with the 'connect-timeout' option on a 'cache_peer' line. # #Default: # peer_connect_timeout 30 seconds # TAG: read_timeout time-units # The read_timeout is applied on server-side connections. After # each successful read(), the timeout will be extended by this # amount. If no data is read again after this amount of time, # the request is aborted and logged with ERR_READ_TIMEOUT. The # default is 15 minutes. # #Default: # read_timeout 15 minutes # TAG: request_timeout # How long to wait for an HTTP request after initial # connection establishment. # #Default: # request_timeout 5 minutes # TAG: persistent_request_timeout # How long to wait for the next HTTP request on a persistent # connection after the previous request completes. # #Default: # persistent_request_timeout 1 minute # TAG: client_lifetime time-units # The maximum amount of time that a client (browser) is allowed to # remain connected to the cache process. This protects the Cache # from having a lot of sockets (and hence file descriptors) tied up # in a CLOSE_WAIT state from remote clients that go away without # properly shutting down (either because of a network failure or # because of a poor client implementation). The default is one # day, 1440 minutes. # # NOTE: The default value is intended to be much larger than any # client would ever need to be connected to your cache. You # should probably change client_lifetime only as a last resort. # If you seem to have many client connections tying up # filedescriptors, we recommend first tuning the read_timeout, # request_timeout, persistent_request_timeout and quick_abort values. # #Default: # client_lifetime 1 day # TAG: half_closed_clients # Some clients may shutdown the sending side of their TCP # connections, while leaving their receiving sides open. Sometimes, # Squid can not tell the difference between a half-closed and a # fully-closed TCP connection. By default, half-closed client # connections are kept open until a read(2) or write(2) on the # socket returns an error. Change this option to 'off' and Squid # will immediately close client connections when read(2) returns # "no more data to read." # #Default: # half_closed_clients on # TAG: pconn_timeout # Timeout for idle persistent connections to servers and other # proxies. # #Default: # pconn_timeout 120 seconds # TAG: ident_timeout # Maximum time to wait for IDENT lookups to complete. # # If this is too high, and you enabled IDENT lookups from untrusted # users, then you might be susceptible to denial-of-service by having # many ident requests going at once. # #Default: # ident_timeout 10 seconds # TAG: shutdown_lifetime time-units # When SIGTERM or SIGHUP is received, the cache is put into # "shutdown pending" mode until all active sockets are closed. # This value is the lifetime to set for all open descriptors # during shutdown mode. Any active clients after this many # seconds will receive a 'timeout' message. # #Default: # shutdown_lifetime 30 seconds # ACCESS CONTROLS # ----------------------------------------------------------------------------- # TAG: acl # Defining an Access List # # acl aclname acltype string1 ... # acl aclname acltype "file" ... # # when using "file", the file should contain one item per line # # acltype is one of the types described below # # By default, regular expressions are CASE-SENSITIVE. To make # them case-insensitive, use the -i option. # # acl aclname src ip-address/netmask ... (clients IP address) # acl aclname src addr1-addr2/netmask ... (range of addresses) # acl aclname dst ip-address/netmask ... (URL host's IP address) # acl aclname myip ip-address/netmask ... (local socket IP address) # # acl aclname srcdomain .foo.com ... # reverse lookup, client IP # acl aclname dstdomain .foo.com ... # Destination server from URL # acl aclname srcdom_regex [-i] xxx ... # regex matching client name # acl aclname dstdom_regex [-i] xxx ... # regex matching server # # For dstdomain and dstdom_regex a reverse lookup is tried if a IP # # based URL is used. The name "none" is used if the reverse lookup # # fails. # # acl aclname time [day-abbrevs] [h1:m1-h2:m2] # day-abbrevs: # S - Sunday # M - Monday # T - Tuesday # W - Wednesday # H - Thursday # F - Friday # A - Saturday # h1:m1 must be less than h2:m2 # acl aclname url_regex [-i] ^http:// ... # regex matching on whole URL # acl aclname urlpath_regex [-i] \.gif$ ... # regex matching on URL path # acl aclname port 80 70 21 ... # acl aclname port 0-1024 ... # ranges allowed # acl aclname myport 3128 ... # (local socket TCP port) # acl aclname proto HTTP FTP ... # acl aclname method GET POST ... # acl aclname browser [-i] regexp ... # # pattern match on User-Agent header # acl aclname referer_regex [-i] regexp ... # # pattern match on Referer header # # Referer is highly unreliable, so use with care # acl aclname ident username ... # acl aclname ident_regex [-i] pattern ... # # string match on ident output. # # use REQUIRED to accept any non-null ident. # acl aclname src_as number ... # acl aclname dst_as number ... # # Except for access control, AS numbers can be used for # # routing of requests to specific caches. Here's an # # example for routing all requests for AS#1241 and only # # those to mycache.mydomain.net: # # acl asexample dst_as 1241 # # cache_peer_access mycache.mydomain.net allow asexample # # cache_peer_access mycache_mydomain.net deny all # # acl aclname proxy_auth username ... # acl aclname proxy_auth_regex [-i] pattern ... # # list of valid usernames # # use REQUIRED to accept any valid username. # # # # NOTE: when a Proxy-Authentication header is sent but it is not # # needed during ACL checking the username is NOT logged # # in access.log. # # # # NOTE: proxy_auth requires a EXTERNAL authentication program # # to check username/password combinations (see # # authenticate_program). # # # # WARNING: proxy_auth can't be used in a transparent proxy. It # # collides with any authentication done by origin servers. It may # # seem like it works at first, but it doesn't. # # acl aclname snmp_community string ... # # A community string to limit access to your SNMP Agent # # Example: # # # # acl snmppublic snmp_community public # # acl aclname maxconn number # # This will be matched when the client's IP address has # # more than <number> HTTP connections established. # # acl aclname max_user_ip [-s] number # # This will be matched when the user attempts to log in from more # # than <number> different ip address's. The authenticate_ip_ttl # # parameter controls the timeout on the ip entries. # # If -s is specified then the limit is strict, denying browsing # # from any further IP addresses until the ttl has expired. Without # # -s Squid will just annoy the user by "randomly" deny requests. # # (the counter is then reset each time the limit is reached and a # # request is denied) # # NOTE: in acceleration mode or where there is mesh of child proxies, # # clients may appear to come from multiple address's if they are # # going through proxy farms, so a limit of 1 may cause user problems. # # acl aclname req_mime_type mime-type1 ... # # regex match agains the mime type of the request generated # # by the client. Can be used to detect file upload or some # # types HTTP tunelling requests. # # NOTE: This does NOT match the reply. You cannot use this # # to match the returned file type. # # acl aclname rep_mime_type mime-type1 ... # # regex match against the mime type of the reply recieved by # # squid. Can be used to detect file download or some # # types HTTP tunelling requests. # # NOTE: This has no effect in http_access rules. It only has # # effect in rules that affect the reply data stream such as # # http_reply_access. # # acl acl_name external class_name [arguments...] # # external ACL lookup via a helper class defined by the # # external_acl_type directive. # #Examples: #acl myexample dst_as 1241 #acl password proxy_auth REQUIRED #acl fileupload req_mime_type -i ^multipart/form-data$ #acl javascript rep_mime_type -i ^application/x-javascript$ # #Recommended minimum configuration: acl all src 0.0.0.0/0.0.0.0 acl manager proto cache_object acl localhost src 127.0.0.1/255.255.255.255 acl to_localhost dst 127.0.0.0/8 acl SSL_ports port 443 563 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 563 # https, snews acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl hotmail_domains dstdomain .hotmail.msn.com header_access Accept-Encoding deny hotmail_domains acl CONNECT method CONNECT # TAG: http_access # Allowing or Denying access based on defined access lists # # Access to the HTTP port: # http_access allow|deny [!]aclname ... # # NOTE on default values: # # If there are no "access" lines present, the default is to deny # the request. # # If none of the "access" lines cause a match, the default is the # opposite of the last line in the list. If the last line was # deny, then the default is allow. Conversely, if the last line # is allow, the default will be deny. For these reasons, it is a # good idea to have an "deny all" or "allow all" entry at the end # of your access lists to avoid potential confusion. # #Default: http_access allow all # http_access deny all # #Recommended minimum configuration: # # Only allow cachemgr access from localhost http_access allow manager localhost http_access deny manager # Deny requests to unknown ports http_access deny !Safe_ports # Deny CONNECT to other than SSL ports http_access deny CONNECT !SSL_ports # # We strongly recommend to uncomment the following to protect innocent # web applications running on the proxy server who think that the only # one who can access services on "localhost" is a local user #http_access deny to_localhost # # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS # Exampe rule allowing access from your local networks. Adapt # to list your (internal) IP networks from where browsing should # be allowed #acl our_networks src 192.168.1.0/24 192.168.2.0/24 #http_access allow our_networks # And finally deny all other access to this proxy http_access deny all # TAG: http_reply_access # Allow replies to client requests. This is complementary to http_access. # # http_reply_access allow|deny [!] aclname ... # # NOTE: if there are no access lines present, the default is to allow # all replies # # If none of the access lines cause a match, then the opposite of the # last line will apply. Thus it is good practice to end the rules # with an "allow all" or "deny all" entry. # #Default: # http_reply_access allow all # #Recommended minimum configuration: # # Insert your own rules here. # # # and finally allow by default http_reply_access allow all # TAG: icp_access # Allowing or Denying access to the ICP port based on defined # access lists # # icp_access allow|deny [!]aclname ... # # See http_access for details # #Default: # icp_access deny all # #Allow ICP queries from everyone icp_access allow all # TAG: miss_access # Use to force your neighbors to use you as a sibling instead of # a parent. For example: # # acl localclients src 172.16.0.0/16 # miss_access allow localclients # miss_access deny !localclients # # This means that only your local clients are allowed to fetch # MISSES and all other clients can only fetch HITS. # # By default, allow all clients who passed the http_access rules # to fetch MISSES from us. # #Default setting: # miss_a
Nenhum comentário foi encontrado.
Compartilhando a tela do Computador no Celular via Deskreen
Como Configurar um Túnel SSH Reverso para Acessar Sua Máquina Local a Partir de uma Máquina Remota
Configuração para desligamento automatizado de Computadores em um Ambiente Comercial
Como renomear arquivos de letras maiúsculas para minúsculas
Imprimindo no formato livreto no Linux
Vim - incrementando números em substituição
Efeito "livro" em arquivos PDF
Como resolver o erro no CUPS: Unable to get list of printer drivers
Melhorando a precisão de valores flutuantes em python[AJUDA] (3)
Instalação Uefi com o instalador clássico do Mageia (1)
[Python] Automação de scan de vulnerabilidades
[Python] Script para analise de superficie de ataque
[Shell Script] Novo script para redimensionar, rotacionar, converter e espelhar arquivos de imagem
[Shell Script] Iniciador de DOOM (DSDA-DOOM, Doom Retro ou Woof!)
[Shell Script] Script para adicionar bordas às imagens de uma pasta