Diffstat (limited to 'network/squid/squid.conf')
-rw-r--r-- | network/squid/squid.conf | 191 |
1 files changed, 150 insertions, 41 deletions
diff --git a/network/squid/squid.conf b/network/squid/squid.conf index a53e9e67a2..ecf4319bd7 100644 --- a/network/squid/squid.conf +++ b/network/squid/squid.conf @@ -1,4 +1,4 @@ -# WELCOME TO SQUID 3.1.10 +# WELCOME TO SQUID 3.1.12 # ---------------------------- # # This is the default Squid configuration file. You may wish @@ -27,6 +27,43 @@ # from causing Squid entering an infinite loop whilst trying to load # configuration files. +# TAG: dns_testnames +# Remove this line. DNS is no longer tested on startup. +#Default: +# none + +# TAG: extension_methods +# Remove this line. All valid methods for HTTP are accepted by default. +#Default: +# none + +# TAG: incoming_rate +# TAG: server_http11 +# Remove this line. HTTP/1.1 is supported by default. +#Default: +# none + +# TAG: upgrade_http0.9 +# Remove this line. ICY/1.0 streaming protocol is supported by default. +#Default: +# none + +# TAG: zph_local +# Alter these entries. Use the qos_flows directive instead. +#Default: +# none + +# TAG: header_access +# Since squid-3.0 replace with request_header_access or reply_header_access +# depending on whether you wish to match client requests or server replies. +#Default: +# none + +# TAG: httpd_accel_no_pmtu_disc +# Since squid-3.0 use the 'disable-pmtu-discovery' flag on http_port instead. +#Default: +# none + # OPTIONS FOR AUTHENTICATION # ----------------------------------------------------------------------------- 
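Review bot: In the obsolete-directive block the `# TAG: incoming_rate` entry carries no instruction of its own, unlike every neighbouring entry, so a reader cannot tell whether it is obsolete or merely shares the server_http11 text below it. If it is simply obsolete, give it its own line such as `# Remove this line. It is no longer supported.`; if it really is grouped with server_http11, a hint like `# (see server_http11)` would remove the ambiguity. The exact wording should be confirmed against the 3.1.12 release notes rather than guessed.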
@@ -227,12 +264,12 @@ # auth_param ntlm children 5 # # "keep_alive" on|off -# If you experience problems with PUT/POST requests when using the -# Negotiate authentication scheme then you can try setting this to -# off. This will cause Squid to forcibly close the connection on -# the initial requests where the browser asks which schemes are -# supported by the proxy. -# +# Whether to keep the connection open after the initial response where +# Squid tells the browser which schemes are supported by the proxy. +# Some browsers are known to present many login popups or to corrupt +# POST/PUT requests transfer if the connection is not closed. +# The default is currently OFF to avoid this, but may change. +# # auth_param ntlm keep_alive on # # === Options for configuring the NEGOTIATE auth-scheme follow === @@ -261,15 +298,15 @@ # auth_param negotiate children 5 # # "keep_alive" on|off -# If you experience problems with PUT/POST requests when using the -# Negotiate authentication scheme then you can try setting this to -# off. This will cause Squid to forcibly close the connection on -# the initial requests where the browser asks which schemes are -# supported by the proxy. -# +# Whether to keep the connection open after the initial response where +# Squid tells the browser which schemes are supported by the proxy. +# Some browsers are known to present many login popups or to corrupt +# POST/PUT requests transfer if the connection is not closed. +# The default is currently OFF to avoid this, but may change. +# # auth_param negotiate keep_alive on # -# +# # Examples: # ##Recommended minimum configuration per scheme: 
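Review bot: The rewritten keep_alive text states the default is OFF because some browsers corrupt POST/PUT or loop on login popups, yet the example immediately below it still reads `auth_param ntlm keep_alive on`, so anyone pasting the example enables exactly the behaviour the paragraph warns about. Either show the safe value, `auth_param ntlm keep_alive off`, or add `# (shown ON for syntax only; leave OFF unless your browsers are known to cope)` above it. The identical negotiate hunk further along this line has the same problem.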
@@ -566,7 +603,9 @@ # # acl aclname maxconn number # # This will be matched when the client's IP address has -# # more than <number> HTTP connections established. [fast] +# # more than <number> TCP connections established. [fast] +# # NOTE: This only measures direct TCP links so X-Forwarded-For +# # indirect clients are not counted. # # acl aclname max_user_ip [-s] number # # This will be matched when the user attempts to log in from more @@ -716,6 +755,9 @@ acl CONNECT method CONNECT # Controls whether the indirect client address # (see follow_x_forwarded_for) is used instead of the # direct client address in acl matching. +# +# NOTE: maxconn ACL considers direct TCP links and indirect +# clients will always have zero. So no match. #Default: # acl_uses_indirect_client on @@ -828,6 +870,12 @@ http_access deny all # # See http_access for details # +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +## Allow ICP queries from local networks only +##icp_access allow localnet +##icp_access deny all #Default: # icp_access deny all # @@ -847,6 +895,12 @@ icp_access deny all # deny all traffic. This default may cause problems with peers # using the htcp or htcp-oldsquid options. # +# This clause only supports fast acl types. +# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +# +## Allow HTCP queries from local networks only +##htcp_access allow localnet +##htcp_access deny all #Default: # htcp_access deny all # @@ -1038,7 +1092,7 @@ htcp_access deny all # sporadically hang or never complete requests set # disable-pmtu-discovery option to 'transparent'. # -# sslBump Intercept each CONNECT request matching ssl_bump ACL, +# ssl-bump Intercept each CONNECT request matching ssl_bump ACL, # establish secure connection with the client and with # the server, decrypt HTTP messages as they pass through # Squid, and treat them as unencrypted HTTP messages, 
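Review bot: The new NOTE under maxconn says indirect clients are not counted but stops short of the operational consequence: with follow_x_forwarded_for in play every connection is attributed to the frontend's address, so a maxconn limit gives no per-client protection and, once the frontend exceeds the number, a deny rule rejects all users behind it at once. I would extend the note with `# Behind a frontend proxy or load balancer all connections are counted against the frontend's address, so a deny on maxconn can block every user behind it.` The same caveat belongs next to the NOTE added under acl_uses_indirect_client in the following hunk on this line.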
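Review bot: The http_port option is renamed from `sslBump` to `ssl-bump` in the documentation only; nothing in this diff shows that the 3.1.12 parser accepts the new spelling, and as far as I recall an unrecognised http_port option is a fatal config error that leaves the proxy down, so this should be checked against the parser before the doc ships. If both spellings are accepted, say so: `# (the older spelling 'sslBump' is still accepted)`; if only one is, the documented name must be that one.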
@@ -1188,8 +1242,8 @@ http_port 3128 # Example where normal_service_net uses the TOS value 0x00 # and good_service_net uses 0x20 # -# acl normal_service_net src 10.0.0.0/255.255.255.0 -# acl good_service_net src 10.0.1.0/255.255.255.0 +# acl normal_service_net src 10.0.0.0/24 +# acl good_service_net src 10.0.1.0/24 # tcp_outgoing_tos 0x00 normal_service_net # tcp_outgoing_tos 0x20 good_service_net # @@ -1199,8 +1253,8 @@ http_port 3128 # # The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or # "default" to use whatever default your host has. Note that in -# practice often only values 0 - 63 is usable as the two highest bits -# have been redefined for use by ECN (RFC3168). +# practice often only multiples of 4 is usable as the two rightmost bits +# have been redefined for use by ECN (RFC 3168 section 23.1). # # Processing proceeds in the order specified, and stops at first fully # matching line. @@ -1303,14 +1357,18 @@ http_port 3128 # an additional ACL needs to be used which ensures the IPv6-bound traffic # is never forced or permitted out the IPv4 interface. # +# # IPv6 destination test along with a dummy access control to perofrm the required DNS +# # This MUST be place before any ALLOW rules. # acl to_ipv6 dst ipv6 -# tcp_outgoing_address 2002::c001 good_service_net to_ipv6 +# http_access deny ipv6 !all +# +# tcp_outgoing_address 2001:db8::c001 good_service_net to_ipv6 # tcp_outgoing_address 10.1.0.2 good_service_net !to_ipv6 # -# tcp_outgoing_address 2002::beef normal_service_net to_ipv6 +# tcp_outgoing_address 2001:db8::beef normal_service_net to_ipv6 # tcp_outgoing_address 10.1.0.1 normal_service_net !to_ipv6 # -# tcp_outgoing_address 2002::1 to_ipv6 +# tcp_outgoing_address 2001:db8::1 to_ipv6 # tcp_outgoing_address 10.1.0.3 !to_ipv6 # # WARNING: 
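Review bot: The added dummy rule `http_access deny ipv6 !all` references an ACL named `ipv6`, but the ACL defined on the line above is `to_ipv6`; Squid refuses to start on an http_access line that names an undefined ACL, so anyone copying this example verbatim gets a fatal config error. The line should read `http_access deny to_ipv6 !all`. The two comment lines above it also need `perofrm` corrected to `perform` and `be place` to `be placed`, and it is worth saying why the rule is harmless: `!all` never matches, so the line exists only to force the DNS lookup that the fast-only tcp_outgoing_address directive cannot perform itself.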
@@ -1499,6 +1557,10 @@ http_port 3128 # when using encrypted SSL certificate keys. If not specified # keys must either be unencrypted, or Squid started with the -N # option to allow it to query interactively for the passphrase. +# +# The key file name is given as argument to the program allowing +# selection of the right password if you have multiple encrypted +# keys. #Default: # none @@ -1635,8 +1697,8 @@ http_port 3128 # which parent to fectch from. If the rtt is less than the # base time the rtt is set to a minimal value. # -# ttl=N Specify a IP multicast TTL to use when sending an ICP -# queries to this address. +# ttl=N Specify a TTL to use when sending multicast ICP queries +# to this address. # Only useful when sending to a multicast group. # Because we don't accept ICP replies from random # hosts, you must configure other group members as @@ -2034,10 +2096,10 @@ hierarchy_stoplist cgi-bin ? # Instead, if you want Squid to use the entire disk drive, # subtract 20% and use that value. # -# 'Level-1' is the number of first-level subdirectories which +# 'L1' is the number of first-level subdirectories which # will be created under the 'Directory'. The default is 16. # -# 'Level-2' is the number of second-level subdirectories which +# 'L2' is the number of second-level subdirectories which # will be created under each first-level directory. The default # is 256. # @@ -2097,8 +2159,8 @@ hierarchy_stoplist cgi-bin ? # # no-store, no new objects should be stored to this cache_dir # -# max-size=n, refers to the max object size this storedir supports. -# It is used to initially choose the storedir to dump the object. +# max-size=n, refers to the max object size in bytes this cache_dir +# supports. It is used to select the cache_dir to store the object. # Note: To make optimal use of the max-size limits you should order # the cache_dir lines with the smallest max-size value first and the # ones with no max-size specification last. 
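Review bot: The paragraph added to sslpassword_program documents the argument but not the trust boundary: whatever this program prints is the private-key passphrase, and Squid executes it with the key path as its argument, so it is a secret-handling executable whose integrity matters as much as the key file itself. I would add `# The program's output is the key passphrase. Keep the program and its directory writable by root only, and do not derive the passphrase from the file name alone.` Which user Squid runs as when it invokes the program is not shown here and is presumably root before privileges are dropped; that is worth confirming and stating.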
@@ -2323,7 +2385,7 @@ cache_dir ufs /var/cache/squid/ 256 16 256 # err, warning, notice, info, debug. # # Default: -# access_log /var/log/squid/logs/access.log squid +# access_log /var/log/squid/access.log squid #Default: access_log /var/log/squid/access.log squid @@ -2435,7 +2497,7 @@ cache_log /var/log/squid/cache.log # disable it. # # Example: -# cache_store_log /var/log/squid/logs/store.log +# cache_store_log /var/log/squid/store.log #Default: cache_store_log /var/log/squid/store.log @@ -2609,7 +2671,7 @@ pid_filename /var/run/squid/squid.pid # A filename where Squid stores it's netdb state between restarts. # To disable, enter "none". #Default: -# netdb_filename /var/log/squid/logs/netdb.state +# netdb_filename /var/log/squid/netdb.state # OPTIONS FOR TROUBLESHOOTING # ----------------------------------------------------------------------------- @@ -2647,6 +2709,8 @@ cache_log /var/log/squid/cache.log # coredump_dir none # +# Leave coredumps in the first cache dir +coredump_dir /var/log/squid/cache # OPTIONS FOR FTP GATEWAYING # ----------------------------------------------------------------------------- 
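Review bot: The new active line `coredump_dir /var/log/squid/cache` does not match its own comment, which says the first cache dir, while the cache_dir visible in a hunk header earlier on this line is `/var/cache/squid/`; nothing in this file creates a cache directory under /var/log, so unless the package does, the chdir at startup will fail and, as far as I recall, Squid only logs a warning and dumps wherever it happens to be. Core dumps of a proxy contain whatever was in memory, including authentication credentials, decrypted client traffic if ssl-bump is in use and possibly key passphrases, so either correct the path to the cache dir or rewrite the comment, and add `# Core files may contain client credentials and traffic; keep this directory mode 0700, owned by cache_effective_user.`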
@@ -2714,6 +2778,26 @@ cache_log /var/log/squid/cache.log #Default: # ftp_epsv on +# TAG: ftp_eprt +# FTP Protocol extensions permit the use of a special "EPRT" command. +# +# This extension provides a protocol neutral alternative to the +# IPv4-only PORT command. When supported it enables active FTP data +# channels over IPv6 and efficient NAT handling. +# +# Turning this OFF will prevent EPRT being attempted and will skip +# straight to using PORT for IPv4 servers. +# +# Some devices are known to not handle this extension correctly and +# may result in crashes. Devices which suport EPRT enough to fail +# cleanly will result in Squid attempting PORT anyway. This directive +# should only be disabled when EPRT results in device failures. +# +# WARNING: Doing so will convert Squid back to the old behavior with all +# the related problems with external NAT devices/layers and IPv4-only FTP. +#Default: +# ftp_eprt on + # TAG: ftp_sanitycheck # For security and data integrity reasons Squid by default performs # sanity checks of the addresses of FTP data connections ensure the @@ -3129,6 +3213,13 @@ refresh_pattern . 0 20% 4320 #Default: # request_body_max_size 0 KB +# TAG: client_request_buffer_max_size (bytes) +# This specifies the maximum buffer size of a client request. +# It prevents squid eating too much memory when somebody uploads +# a large file. +#Default: +# client_request_buffer_max_size 512 KB + # TAG: chunked_request_body_max_size (bytes) # A broken or confused HTTP/1.1 client may send a chunked HTTP # request to Squid. Squid does not have full support for that @@ -3295,7 +3386,6 @@ refresh_pattern . 0 20% 4320 # request_header_access Retry-After allow all # request_header_access Title allow all # request_header_access Connection allow all -# request_header_access Proxy-Connection allow all # request_header_access All deny all # # although many of those are HTTP reply headers, and so should be 
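Review bot: The new reply_header_replace entry only acts on headers already denied by reply_header_access, so the example `reply_header_replace Server Foo/1.0` shown on its own silently does nothing, which is a common misconfiguration when trying to hide the origin server version. Show the required pairing in the example: `reply_header_access Server deny all` followed by `reply_header_replace Server Foo/1.0`. The request_header_replace example in the preceding hunk on this line would benefit from the same pairing note.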
@@ -3367,7 +3457,6 @@ refresh_pattern . 0 20% 4320 # reply_header_access Retry-After allow all # reply_header_access Title allow all # reply_header_access Connection allow all -# reply_header_access Proxy-Connection allow all # reply_header_access All deny all # # although the HTTP request headers won't be usefully controlled @@ -3378,13 +3467,13 @@ refresh_pattern . 0 20% 4320 #Default: # none -# TAG: header_replace -# Usage: header_replace header_name message -# Example: header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit) +# TAG: request_header_replace +# Usage: request_header_replace header_name message +# Example: request_header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit) # # This option allows you to change the contents of headers -# denied with header_access above, by replacing them with -# some fixed string. This replaces the old fake_user_agent +# denied with request_header_access above, by replacing them +# with some fixed string. This replaces the old fake_user_agent # option. # # This only applies to request headers, not reply headers. @@ -3393,6 +3482,20 @@ refresh_pattern . 0 20% 4320 #Default: # none +# TAG: reply_header_replace +# Usage: reply_header_replace header_name message +# Example: reply_header_replace Server Foo/1.0 +# +# This option allows you to change the contents of headers +# denied with reply_header_access above, by replacing them +# with some fixed string. +# +# This only applies to reply headers, not request headers. +# +# By default, headers are removed if denied. +#Default: +# none + # TAG: relaxed_header_parser on|off|warn # In the default "on" setting Squid accepts certain forms # of non-compliant HTTP messages where it is unambiguous 
@@ -4545,7 +4648,7 @@ cache_effective_group nobody # Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys # # Alternatively you can specify an error URL. The browsers will -# get redirected (302) to the specified URL. %s in the redirection +# get redirected (302 or 307) to the specified URL. %s in the redirection # URL will be replaced by the requested URL. # # Alternatively you can tell Squid to reset the TCP connection @@ -4938,6 +5041,11 @@ cache_effective_group nobody # Routing is not allowed by default: the ICAP X-Next-Services # response header is ignored. # +# ipv6=on|off +# Only has effect on split-stack systems. The default on those systems +# is to use IPv4-only connections. When set to 'on' this option will +# make Squid use IPv6-only connections to contact this ICAP service. +# # Older icap_service format without optional named parameters is # deprecated but supported for backward compatibility. # @@ -5543,7 +5651,6 @@ cache_effective_group nobody # queried only when Squid starts up, not for every request. #Default: # as_whois_server whois.ra.net -# as_whois_server whois.ra.net # TAG: offline_mode # Enable this option and Squid will never try to validate cached @@ -5602,6 +5709,8 @@ cache_effective_group nobody # # Defaults to off for bandwidth management and access logging # reasons. +# +# WARNING: pipelining breaks NTLM and Negotiate/Kerberos authentication. #Default: # pipeline_prefetch off |