squid的配置文件

squid的配置文件
squid的配置文件 # WELCOME TO SQUID 2# ------------------## This is the default Squid configuration file. You may wish# to look at the Squid home page (http://www.squid-cache.org/)# for the FAQ and other documentation.## The default Squid config file shows what the defaults for# various options happen to be. If you don't need to change the# default, you shouldn't uncomment the line. Doing so may cause# run-time problems. In some cases "none" refers to no default# setting at all, while in other cases it refers to a valid# option - the comments for that keyword indicate if this is the# case.## NETWORK OPTIONS# -----------------------------------------------------------------------------# TAG: http_port# Usage: port# hostname:port# 1.2.3.4:port## The socket addresses where Squid will listen for HTTP client# requests. You may specify multiple socket addresses.# There are three forms: port alone, hostname with port, and# IP address with port. If you specify a hostname or IP# address, then Squid binds the socket to that specific# address. This replaces the old 'tcp_incoming_address'# option. Most likely, you do not need to bind to a specific# address, so you can use the port number alone.## The default port number is 3128.## If you are running Squid in accelerator mode, then you# probably want to listen on port 80 also, or instead.## The -a command line option will override the *first* port# number listed here. That option will NOT override an IP# address, however.## You may specify multiple socket addresses on multiple lines.## If you run Squid on a dual-homed machine with an internal# and an external interface then we recommend you to specify the# internal address:port in http_port. This way Squid will only be# visible on the internal address.##Default:http_port 3128# TAG: https_port# Usage: [ip:]port cert=certificate.pem [key=key.pem] [options...]## The socket address where Squid will listen for HTTPS client# requests.## This is really only useful for situations where you are running# squid in accelerator mode and you want to do the SSL work at the# accelerator level.## You may specify multiple socket addresses on multiple lines,# each with their own SSL certificate and/or options.# # Options:## cert= Path to SSL certificate (PEM format)# # key= Path to SSL private key file (PEM format)# if not specified, the certificate file is# assumed to be a combined certificate and# key file## version= The version of SSL/TLS supported# 1 automatic (default)# 2 SSLv2 only# 3 SSLv3 only# 4 TLSv1 only## cipher= Colon separated list of supported ciphers## options= Varions SSL engine options. The most important# being:# NO_SSLv2 Disallow the use of SSLv2# NO_SSLv3 Disallow the use of SSLv3# NO_TLSv1 Disallow the use of TLSv1# See src/DownloadFiles\ssl_support.c or OpenSSL documentation# for a more complete list.##Default:# none# TAG: ssl_unclean_shutdown# Some browsers (especially MSIE) bugs out on SSL shutdown# messages.##Default:# ssl_unclean_shutdown off# TAG: icp_port# The port number where Squid sends and receives ICP queries to# and from neighbor caches. Default is 3130. To disable use# "0". May be overridden with -u on the command line.##Default:icp_port 3130# TAG: htcp_port# Note: This option is only available if Squid is rebuilt with the# --enable-htcp option## The port number where Squid sends and receives HTCP queries to# and from neighbor caches. Default is 4827. To disable use# "0".##Default:# htcp_port 4827# TAG: mcast_groups# This tag specifies a list of multicast groups which your server# should join to receive multicasted ICP queries.## NOTE! Be very careful what you put here! Be sure you# understand the difference between an ICP _query_ and an ICP# _reply_. This option is to be set only if you want to RECEIVE# multicast queries. Do NOT set this option to SEND multicast# ICP (use cache_peer for that). ICP replies are always sent via# unicast, so this option does not affect whether or not you will# receive replies from multicast group members.## You must be very careful to NOT use a multicast address which# is already in use by another group of caches.## If you are unsure about multicast, please read the Multicast# chapter in the Squid FAQ (http://www.squid-cache.org/FAQ/).## Usage: mcast_groups 239.128.16.128 224.0.1.20## By default, Squid doesn't listen on any multicast groups.##Default:# none# TAG: udp_incoming_address# TAG: udp_outgoing_address# udp_incoming_address is used for the ICP socket receiving packets# from other caches.# udp_outgoing_address is used for ICP packets sent out to other# caches.## The default behavior is to not bind to any specific address.## A udp_incoming_address value of 0.0.0.0 indicates that Squid should# listen for UDP messages on all available interfaces.## If udp_outgoing_address is set to 255.255.255.255 (the default)# then it will use the same socket as udp_incoming_address. Only# change this if you want to have ICP queries sent using another# address than where this Squid listens for ICP queries from other# caches.## NOTE, udp_incoming_address and udp_outgoing_address can not# have the same value since they both use port 3130.##Default:# udp_incoming_address 0.0.0.0# udp_outgoing_address 255.255.255.255# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM# -----------------------------------------------------------------------------# TAG: cache_peer# To specify other caches in a hierarchy, use the format:## cache_peer hostname type http_port icp_port## For example,## # proxy icp# # hostname type port port options# # -------------------- -------- ----- ----- -----------# cache_peer parent.foo.net parent 3128 3130 [proxy-only]# cache_peer sib1.foo.net sibling 3128 3130 [proxy-only]# cache_peer sib2.foo.net sibling 3128 3130 [proxy-only]## type: either 'parent', 'sibling', or 'multicast'.## proxy_port: The port number where the cache listens for proxy# requests.## icp_port: Used for querying neighbor caches about# objects. To have a non-ICP neighbor# specify '7' for the ICP port and make sure the# neighbor machine has the UDP echo port# enabled in its /etc/inetd.conf file.## options: proxy-only# weight=n# ttl=n# no-query# default# round-robin# multicast-responder# closest-only# no-digest# no-netdb-exchange# no-delay# login=user:password | PASS | *:password# connect-timeout=nn# digest-url=url# allow-miss# max-conn# htcp# carp-load-factor## use 'proxy-only' to specify that objects fetched# from this cache should not be saved locally.## use 'weight=n' to specify a weighted parent.# The weight must be an integer. The default weight# is 1, larger weights are favored more.## use 'ttl=n' to specify a IP multicast TTL to use# when sending an ICP queries to this address.# Only useful when sending to a multicast group.# Because we don't accept ICP replies from random# hosts, you must configure other group members as# peers with the 'multicast-responder' option below.## use 'no-query' to NOT send ICP queries to this# neighbor.## use 'default' if this is a parent cache which can# be used as a "last-resort." You should probably# only use 'default' in situations where you cannot# use ICP with your parent cache(s).## use 'round-robin' to define a set of parents which# should be used in a round-robin fashion in the# absence of any ICP queries.## 'multicast-responder' indicates that the named peer# is a member of a multicast group. ICP queries will# not be sent directly to the peer, but ICP replies# will be accepted from it.## 'closest-only' indicates that, for ICP_OP_MISS# replies, we'll only forward CLOSEST_PARENT_MISSes# and never FIRST_PARENT_MISSes.## use 'no-digest' to NOT request cache digests from# this neighbor.## 'no-netdb-exchange' disables requesting ICMP# RTT database (NetDB) from the neighbor.## use 'no-delay' to prevent access to this neighbor# from influencing the delay pools.## use 'login=user:password' if this is a personal/workgroup# proxy and your parent requires proxy authentication.# Note: The string can include URL escapes (i.e. %20 for# spaces). This also means that % must be written as %%.## use 'login=PASS' if users must authenticate against# the upstream proxy. This will pass the users credentials# as they are to the peer proxy. This only works for the# Basic HTTP authentication sheme. Note: To combine this# with proxy_auth both proxies must share the same user# database as HTTP only allows for one proxy login.# Also be warned that this will expose your users proxy# password to the peer. USE WITH CAUTION## use 'login=*:password' to pass the username to the# upstream cache, but with a fixed password. This is meant# to be used when the peer is in another administrative# domain, but it is still needed to identify each user.# The star can optionally be followed by some extra# information which is added to the username. This can# be used to identify this proxy to the peer, similar to# the login=username:password option above.## use 'connect-timeout=nn' to specify a peer# specific connect timeout (also see the# peer_connect_timeout directive)## use 'digest-url=url' to tell Squid to fetch the cache# digest (if digests are enabled) for this host from# the specified URL rather than the Squid default# location.## use 'allow-miss' to disable Squid's use of only-if-cached# when forwarding requests to siblings. This is primarily# useful when icp_hit_stale is used by the sibling. To# extensive use of this option may result in forwarding# loops, and you should avoid having two-way peerings# with this option. (for example to deny peer usage on# requests from peer by denying cache_peer_access if the# source is a peer)## use 'max-conn' to limit the amount of connections Squid# may open to this peer.## use 'htcp' to send HTCP, instead of ICP, queries# to the neighbor. You probably also want to# set the "icp port" to 4827 instead of 3130.## use 'carp-load-factor=f' to define a parent# cache as one participating in a CARP array.# The 'f' values for all CARP parents must add# up to 1.0.# ## NOTE: non-ICP/HTCP neighbors must be specified as 'parent'.##Default:# none# TAG: cache_peer_domain# Use to limit the domains for which a neighbor cache will be# queried. Usage:## cache_peer_domain cache-host domain [domain ...]# cache_peer_domain cache-host !domain## For example, specifying## cache_peer_domain parent.foo.net .edu## has the effect such that UDP query packets are sent to# 'bigserver' only when the requested object exists on a# server in the .edu domain. Prefixing the domainname# with '!' means that the cache will be queried for objects# NOT in that domain.## NOTE: * Any number of domains may be given for a cache-host,# either on the same or separate lines.# * When multiple domains are given for a particular# cache-host, the first matched domain is applied.# * Cache hosts with no domain restrictions are queried# for all requests.# * There are no defaults.# * There is also a 'cache_peer_access' tag in the ACL# section.##Default:# none# TAG: neighbor_type_domain# usage: neighbor_type_domain parent|sibling domain domain ...## Modifying the neighbor type for specific domains is now# possible. You can treat some domains differently than the the# default neighbor type specified on the 'cache_peer' line.# Normally it should only be necessary to list domains which# should be treated differently because the default neighbor type# applies for hostnames which do not match domains listed here.##EXAMPLE:# cache_peer parent cache.foo.org 3128 3130# neighbor_type_domain cache.foo.org sibling .com .net# neighbor_type_domain cache.foo.org sibling .au .de##Default:# none# TAG: icp_query_timeout (msec)# Normally Squid will automatically determine an optimal ICP# query timeout value based on the round-trip-time of recent ICP# queries. If you want to override the value determined by# Squid, set this 'icp_query_timeout' to a non-zero value. This# value is specified in MILLISECONDS, so, to use a 2-second# timeout (the old default), you would write:## icp_query_timeout 2000##Default:# icp_query_timeout 0# TAG: maximum_icp_query_timeout (msec)# Normally the ICP query timeout is determined dynamically. But# sometimes it can lead to very large values (say 5 seconds).# Use this option to put an upper limit on the dynamic timeout# value. Do NOT use this option to always use a fixed (instead# of a dynamic) timeout value. To set a fixed timeout see the# 'icp_query_timeout' directive.##Default:# maximum_icp_query_timeout 2000# TAG: mcast_icp_query_timeout (msec)# For Multicast peers, Squid regularly sends out ICP "probes" to# count how many other peers are listening on the given multicast# address. This value specifies how long Squid should wait to# count all the replies. The default is 2000 msec, or 2# seconds.##Default:# mcast_icp_query_timeout 2000# TAG: dead_peer_timeout (seconds)# This controls how long Squid waits to declare a peer cache# as "dead." If there are no ICP replies received in this# amount of time, Squid will declare the peer dead and not# expect to receive any further ICP replies. However, it# continues to send ICP queries, and will mark the peer as# alive upon receipt of the first subsequent ICP reply.## This timeout also affects when Squid expects to receive ICP# replies from peers. If more than 'dead_peer' seconds have# passed since the last ICP reply was received, Squid will not# expect to receive an ICP reply on the next query. Thus, if# your time between requests is greater than this timeout, you# will see a lot of requests sent DIRECT to origin servers# instead of to your parents.##Default:# dead_peer_timeout 10 seconds# TAG: hierarchy_stoplist# A list of words which, if found in a URL, cause the object to# be handled directly by this cache. In other words, use this# to not query neighbor caches for certain objects. You may# list this option multiple times.#We recommend you to use at least the following line.hierarchy_stoplist cgi-bin ?# TAG: no_cache# A list of ACL elements which, if matched, cause the request to# not be satisfied from the cache and the reply to not be cached.# In other words, use this to force certain objects to never be cached.## You must use the word 'DENY' to indicate the ACL names which should# NOT be cached.##We recommend you to use the following two lines.acl QUERY urlpath_regex cgi-bin ?no_cache deny QUERY# OPTIONS WHICH AFFECT THE CACHE SIZE# -----------------------------------------------------------------------------# TAG: cache_mem (bytes)# NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS SIZE.# IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL# USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER# THINGS AS WELL. SEE THE SQUID FAQ SECTION 8 FOR DETAILS.## 'cache_mem' specifies the ideal amount of memory to be used# for:# * In-Transit objects# * Hot Objects# * Negative-Cached objects## Data for these objects are stored in 4 KB blocks. This# parameter specifies the ideal upper limit on the total size of# 4 KB blocks allocated. In-Transit objects take the highest# priority.## In-transit objects have priority over the others. When# additional space is needed for incoming data, negative-cached# and hot objects will be released. In other words, the# negative-cached and hot objects will fill up any unused space# not needed for in-transit objects.## If circumstances require, this limit will be exceeded.# Specifically, if your incoming request rate requires more than# 'cache_mem' of memory to hold in-transit objects, Squid will# exceed this limit to satisfy the new requests. When the load# decreases, blocks will be freed until the high-water mark is# reached. Thereafter, blocks will be used to store hot# objects.##Default:cache_mem 800 MB# TAG: cache_swap_low (percent, 0-100)# TAG: cache_swap_high (percent, 0-100)## The low- and high-water marks for cache object replacement.# Replacement begins when the swap (disk) usage is above the# low-water mark and attempts to maintain utilization near the# low-water mark. As swap utilization gets close to high-water# mark object eviction becomes more aggressive. If utilization is# close to the low-water mark less replacement is done each time.# # Defaults are 90% and 95%. If you have a large cache, 5% could be# hundreds of MB. If this is the case you may wish to set these# numbers closer together.##Default:# cache_swap_low 90# cache_swap_high 95# TAG: maximum_object_size (bytes)# Objects larger than this size will NOT be saved on disk. The# value is specified in kilobytes, and the default is 4MB. If# you wish to get a high BYTES hit ratio, you should probably# increase this (one 32 MB object hit counts for 3200 10KB# hits). If you wish to increase speed more than your want to# save bandwidth you should leave this low.## NOTE: if using the LFUDA replacement policy you should increase# this value to maximize the byte hit rate improvement of LFUDA!# See replacement_policy below for a discussion of this policy.##Default:# maximum_object_size 4096 KB# TAG: minimum_object_size (bytes)# Objects smaller than this size will NOT be saved on disk. The# value is specified in kilobytes, and the default is 0 KB, which# means there is no minimum.##Default:# minimum_object_size 0 KB# TAG: maximum_object_size_in_memory (bytes)# Objects greater than this size will not be attempted to kept in# the memory cache. This should be set high enough to keep objects# accessed frequently in memory to improve performance whilst low# enough to keep larger objects from hoarding cache_mem .##Default:# maximum_object_size_in_memory 8 KB# TAG: ipcache_size (number of entries)# TAG: ipcache_low (percent)# TAG: ipcache_high (percent)# The size, low-, and high-water marks for the IP cache.##Default:# ipcache_size 1024# ipcache_low 90# ipcache_high 95# TAG: fqdncache_size (number of entries)# Maximum number of FQDN cache entries.##Default:# fqdncache_size 1024# TAG: cache_replacement_policy# The cache replacement policy parameter determines which# objects are evicted (replaced) when disk space is needed.## lru : Squid's original list based LRU policy# heap GDSF : Greedy-Dual Size Frequency# heap LFUDA: Least Frequently Used with Dynamic Aging# heap LRU : LRU policy implemented using a heap## Applies to any cache_dir lines listed below this.## The LRU policies keeps recently referenced objects.## The heap GDSF policy optimizes object hit rate by keeping smaller# popular objects in cache so it has a better chance of getting a# hit. It achieves a lower byte hit rate than LFUDA though since# it evicts larger (possibly popular) objects.## The heap LFUDA policy keeps popular objects in cache regardless of# their size and thus optimizes byte hit rate at the expense of# hit rate since one large, popular object will prevent many# smaller, slightly less popular objects from being cached.## Both policies utilize a dynamic aging mechanism that prevents# cache pollution that can otherwise occur with frequency-based# replacement policies.## NOTE: if using the LFUDA replacement policy you should increase# the value of maximum_object_size above its default of 4096 KB to# to maximize the potential byte hit rate improvement of LFUDA.## For more information about the GDSF and LFUDA cache replacement# policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html# and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html.##Default:# cache_replacement_policy lru# TAG: memory_replacement_policy# The memory replacement policy parameter determines which# objects are purged from memory when memory space is needed.## See cache_replacement_policy for details.##Default:# memory_replacement_policy lru# LOGFILE PATHNAMES AND CACHE DIRECTORIES# -----------------------------------------------------------------------------# TAG: cache_dir# Usage:# # cache_dir Type Directory-Name Fs-specific-data [options]## cache_dir diskd Maxobjsize Directory-Name MB L1 L2 Q1 Q2## You can specify multiple cache_dir lines to spread the# cache among different disk partitions.## Type specifies the kind of storage system to use. Only "ufs"# is built by default. To eanble any of the other storage systems# see the --enable-storeio configure option.## 'Directory' is a top-level directory where cache swap# files will be stored. If you want to use an entire disk# for caching, then this can be the mount-point directory.# The directory must exist and be writable by the Squid# process. Squid will NOT create this directory for you.## The ufs store type:## "ufs" is the old well-known Squid storage format that has always# been there.## cache_dir ufs Directory-Name Mbytes L1 L2 [options]## 'Mbytes' is the amount of disk space (MB) to use under this# directory. The default is 100 MB. Change this to suit your# configuration. Do NOT put the size of your disk drive here.# Instead, if you want Squid to use the entire disk drive,# subtract 20% and use that value.## 'Level-1' is the number of first-level subdirectories which# will be created under the 'Directory'. The default is 16.## 'Level-2' is the number of second-level subdirectories which# will be created under each first-level directory. The default# is 256.## The aufs store type:## "aufs" uses the same storage format as "ufs", utilizing# POSIX-threads to avoid blocking the main Squid process on# disk-I/O. This was formerly known in Squid as async-io.## cache_dir aufs Directory-Name Mbytes L1 L2 [options]## see argument descriptions under ufs above## The diskd store type:## "diskd" uses the same storage format as "ufs", utilizing a# separate process to avoid blocking the main Squid process on# disk-I/O.## cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n]## see argument descriptions under ufs above## Q1 specifies the number of unacknowledged I/O requests when Squid# stops opening new files. If this many messages are in the queues,# Squid won't open new files. Default is 64## Q2 specifies the number of unacknowledged messages when Squid# starts blocking. If this many messages are in the queues,# Squid blocks until it recevies some replies. Default is 72## Common options:## read-only, this cache_dir is read only.## max-size=n, refers to the max object size this storedir supports.# It is used to initially choose the storedir to dump the object.# Note: To make optimal use of the max-size limits you should order# the cache_dir lines with the smallest max-size value first and the# ones with no max-size specification last.##Default:cache_dir ufs /var/spool/squid 1000 16 256# TAG: cache_access_log# Logs the client request activity. Contains an entry for# every HTTP and ICP queries received. To disable, enter "none".##Default:cache_access_log /var/log/squid/access.log# TAG: cache_log# Cache logging file. This is where general information about# your cache's behavior goes. You can increase the amount of data# logged to this file with the "debug_options" tag below.##Default:cache_log /var/log/squid/cache.log# TAG: cache_store_log# Logs the activities of the storage manager. Shows which# objects are ejected from the cache, and which objects are# saved and for how long. To disable, enter "none". There are# not really utilities to analyze this data, so you can safely# disable it.##Default:cache_store_log /var/log/squid/store.log# TAG: cache_swap_log# Location for the cache "swap.log." This log file holds the# metadata of objects saved on disk. It is used to rebuild the# cache during startup. Normally this file resides in each# 'cache_dir' directory, but you may specify an alternate# pathname here. Note you must give a full filename, not just# a directory. Since this is the index for the whole object# list you CANNOT periodically rotate it!## If %s can be used in the file name then it will be replaced with a# a representation of the cache_dir name where each / is replaced# with '.'. This is needed to allow adding/removing cache_dir# lines when cache_swap_log is being used.# # If have more than one 'cache_dir', and %s is not used in the name# then these swap logs will have names such as:## cache_swap_log.00# cache_swap_log.01# cache_swap_log.02## The numbered extension (which is added automatically)# corresponds to the order of the 'cache_dir' lines in this# configuration file. If you change the order of the 'cache_dir'# lines in this file, then these log files will NOT correspond to# the correct 'cache_dir' entry (unless you manually rename# them). We recommend that you do NOT use this option. It is# better to keep these log files in each 'cache_dir' directory.##Default:# none# TAG: emulate_httpd_log on|off# The Cache can emulate the log file format which many 'httpd'# programs use. To disable/enable this emulation, set# emulate_httpd_log to 'off' or 'on'. The default# is to use the native log format since it includes useful# information that Squid-specific log analyzers use.##Default:# emulate_httpd_log off# TAG: log_ip_on_direct on|off# Log the destination IP address in the hierarchy log tag when going# direct. Earlier Squid versions logged the hostname here. If you# prefer the old way set this to off.##Default:# log_ip_on_direct on# TAG: mime_table# Pathname to Squid's MIME table. You shouldn't need to change# this, but the default file contains examples and formatting# information if you do.##Default:# mime_table /etc/squid/mime.conf# TAG: log_mime_hdrs on|off# The Cache can record both the request and the response MIME# headers for each HTTP transaction. The headers are encoded# safely and will appear as two bracketed fields at the end of# the access log (for either the native or httpd-emulated log# formats). To enable this logging set log_mime_hdrs to 'on'.##Default:# log_mime_hdrs off# TAG: useragent_log# Squid will write the User-Agent field from HTTP requests# to the filename specified here. By default useragent_log# is disabled.##Default:# none# TAG: referer_log# Squid will write the Referer field from HTTP requests to the# filename specified here. By default referer_log is disabled.##Default:# none# TAG: pid_filename# A filename to write the process-id to. To disable, enter "none".##Default:# pid_filename /var/run/squid.pid# TAG: debug_options# Logging options are set as section,level where each source file# is assigned a unique section. Lower levels result in less# output, Full debugging (level 9) can result in a very large# log file, so be careful. The magic word "ALL" sets debugging# levels for all sections. We recommend normally running with# "ALL,1".##Default:# debug_options ALL,1# TAG: log_fqdn on|off# Turn this on if you wish to log fully qualified domain names# in the access.log. To do this Squid does a DNS lookup of all# IP's connecting to it. This can (in some situations) increase# latency, which makes your cache seem slower for interactive# browsing.##Default:# log_fqdn off# TAG: client_netmask# A netmask for client addresses in logfiles and cachemgr output.# Change this to protect the privacy of your cache clients.# A netmask of 255.255.255.0 will log all IP's in that range with# the last digit set to '0'.##Default:# client_netmask 255.255.255.255# OPTIONS FOR EXTERNAL SUPPORT PROGRAMS# -----------------------------------------------------------------------------# TAG: ftp_user# If you want the anonymous login password to be more informative# (and enable the use of picky ftp servers), set this to something# reasonable for your domain, like wwwuser@somewhere.net## The reason why this is domainless by default is that the# request can be made on the behalf of a user in any domain,# depending on how the cache is used.# Some ftp server also validate that the email address is valid# (for example perl.com).##Default:# ftp_user Squid@# TAG: ftp_list_width# Sets the width of ftp listings. This should be set to fit in# the width of a standard browser. Setting this too small# can cut off long filenames when browsing ftp sites.##Default:# ftp_list_width 32# TAG: ftp_passive# If your firewall does not allow Squid to use passive# connections, then turn off this option.##Default:# ftp_passive on# TAG: ftp_sanitycheck# For security and data integrity reasons Squid by default performs# sanity checks of the addresses of FTP data connections ensure the# data connection is to the requested server. If you need to allow# FTP connections to servers using another IP address for the data# connection then turn this off.##Default:# ftp_sanitycheck on# TAG: cache_dns_program# Note: This option is only available if Squid is rebuilt with the# --disable-internal-dns option## Specify the location of the executable for dnslookup process.##Default:# cache_dns_program /usr/lib/squid/dnsserver# TAG: dns_children# Note: This option is only available if Squid is rebuilt with the# --disable-internal-dns option## The number of processes spawn to service DNS name lookups.# For heavily loaded caches on large servers, you should# probably increase this value to at least 10. The maximum# is 32. The default is 5.## You must have at least one dnsserver process.##Default:# dns_children 5# TAG: dns_retransmit_interval# Initial retransmit interval for DNS queries. The interval is# doubled each time all configured DNS servers have been tried.###Default:# dns_retransmit_interval 5 seconds# TAG: dns_timeout# DNS Query timeout. If no response is received to a DNS query# within this time then all DNS servers for the queried domain# is assumed to be unavailable.##Default:# dns_timeout 5 minutes# TAG: dns_defnames on|off# Note: This option is only available if Squid is rebuilt with the# --disable-internal-dns option## Normally the 'dnsserver' disables the RES_DEFNAMES resolver# option (see res_init(3)). This prevents caches in a hierarchy# from interpreting single-component hostnames locally. To allow# dnsserver to handle single-component names, enable this# option.##Default:# dns_defnames off# TAG: dns_nameservers# Use this if you want to specify a list of DNS name servers# (IP addresses) to use instead of those given in your# /etc/resolv.conf file.# On Windows platforms, if no value is specified here or in# the /etc/resolv.conf file, the list of DNS name servers are# taken from the Windows registry, both static and dynamic DHCP# configurations are supported.## Example: dns_nameservers 10.0.0.1 192.172.0.4##Default:# none# TAG: hosts_file# Location of the host-local IP name-address associations# database. Most Operating Systems have such a file: under# Un*X it's by default in /etc/hosts MS-Windows NT/2000 places# that in %SystemRoot%(by default# c:winnt)system32driversetchosts, while Windows 9x/ME# places that in %windir%(usually c:windows)hosts## The file contains newline-separated definitions, in the# form ip_address_in_dotted_form name [name ...] names are# whitespace-separated. lines beginnng with an hash (#)# character are comments.## The file is checked at startup and upon configuration. If# set to 'none', it won't be checked. If append_domain is# used, that domain will be added to domain-local (i.e. not# containing any dot character) host definitions.##Default:# hosts_file /etc/hosts# TAG: diskd_program# Specify the location of the diskd executable.# Note that this is only useful if you have compiled in# diskd as one of the store io modules.##Default:# diskd_program /usr/lib/squid/diskd# TAG: unlinkd_program# Specify the location of the executable for file deletion process.##Default:# unlinkd_program /usr/lib/squid/unlinkd# TAG: pinger_program# Note: This option is only available if Squid is rebuilt with the# --enable-icmp option## Specify the location of the executable for the pinger process.##Default:# pinger_program /usr/lib/squid/pinger# TAG: redirect_program# Specify the location of the executable for the URL redirector.# Since they can perform almost any function there isn't one included.# See the FAQ (section 15) for information on how to write one.# By default, a redirector is not used.##Default:# none# TAG: redirect_children# The number of redirector processes to spawn. If you start# too few Squid will have to wait for them to process a backlog of# URLs, slowing it down. If you start too many they will use RAM# and other system resources.##Default:# redirect_children 5# TAG: redirect_rewrites_host_header# By default Squid rewrites any Host: header in redirected# requests. If you are running an accelerator then this may# not be a wanted effect of a redirector.##Default:# redirect_rewrites_host_header on# TAG: redirector_access# If defined, this access list specifies which requests are# sent to the redirector processes. By default all requests# are sent.##Default:# none# TAG: auth_param# This is used to pass parameters to the various authentication# schemes.# format: auth_param scheme parameter [setting]# # auth_param basic program /usr/bin/ncsa_auth /usr/etc/passwd # would tell the basic authentication scheme it's program parameter.## The order that authentication prompts are presented to the client_agent# is dependant on the order the scheme first appears in config file.# IE has a bug (it's not rfc 2617 compliant) in that it will use the basic# scheme if basic is the first entry presented, even if more secure schemes# are presented. For now use the order in the file below. If other browsers# have difficulties (don't recognise the schemes offered even if you are using# basic) then either put basic first, or disable the other schemes (by commenting# out their program entry).## Once an authentication scheme is fully configured, it can only be shutdown# by shutting squid down and restarting. Changes can be made on the fly and# activated with a reconfigure. I.E. You can change to a different helper,# but not unconfigure the helper completely.## === Parameters for the basic scheme follow. ===# # "program" cmdline# Specify the command for the external authenticator. Such a# program reads a line containing "username password" and replies# "OK" or "ERR" in an endless loop. If you use an authenticator,# make sure you have 1 acl of type proxy_auth. By default, the# basic authentication sheme is not used unless a program is specified.## If you want to use the traditional proxy authentication,# jump over to the ../auth_modules/NCSA directory and# type:# % make# % make install## Then, set this line to something like## auth_param basic program /usr/bin/ncsa_auth /usr/etc/passwd## "children" numberofchildren# The number of authenticator processes to spawn (no default).# If you start too few Squid will have to wait for them to# process a backlog of usercode/password verifications, slowing# it down. When password verifications are done via a (slow)# network you are likely to need lots of authenticator# processes.# auth_param basic children 5## "realm" realmstring# Specifies the realm name which is to be reported to the# client for the basic proxy authentication scheme (part of# the text the user will see when prompted their username and# password). There is no default.# auth_param basic realm Squid proxy-caching web server## "credentialsttl" timetolive# Specifies how long squid assumes an externally validated# username:password pair is valid for - in other words how# often the helper program is called for that user. Set this# low to force revalidation with short lived passwords. Note# that setting this high does not impact your susceptability# to replay attacks unless you are using an one-time password# system (such as SecureID). If you are using such a system,# you will be vulnerable to replay attacks unless you also# use the max_user_ip ACL in an http_access rule.## === Parameters for the digest scheme follow ===## "program" cmdline# Specify the command for the external authenticator. Such# a program reads a line containing "username":"realm" and# replies with the appropriate H(A1) value base64 encoded.# See rfc 2616 for the definition of H(A1). If you use an# authenticator, make sure you have 1 acl of type proxy_auth.# By default, authentication is not used.## If you want to use build an authenticator,# jump over to the ../digest_auth_modules directory and choose the# authenticator to use. It it's directory type# % make# % make install## Then, set this line to something like## auth_param digest program /usr/bin/digest_auth_pw /usr/etc/digpass### "children" numberofchildren# The number of authenticator processes to spawn (no default).# If you start too few Squid will have to wait for them to# process a backlog of H(A1) calculations, slowing it down.# When the H(A1) calculations are done via a (slow) network# you are likely to need lots of authenticator processes.# auth_param digest children 5## "realm" realmstring# Specifies the realm name which is to be reported to the# client for the digest proxy authentication scheme (part of# the text the user will see when prompted their username and# password). There is no default.# auth_param digest realm Squid proxy-caching web server## "nonce_garbage_interval" timeinterval# Specifies the interval that nonces that have been issued# to client_agent's are checked for validity.## "nonce_max_duration" timeinterval# Specifies the maximum length of time a given nonce will be# valid for.## "nonce_max_count" number# Specifies the maximum number of times a given nonce can be# used.## "nonce_strictness" on|off# Determines if squid requires strict increment-by-1 behaviour# for nonce counts, or just incrementing (off - for use when# useragents generate nonce counts that occasionally miss 1# (ie, 1,2,4,6)). Default off.## "check_nonce_count" on|off# This directive if set to off can disable the nonce count check# completely to work around buggy digest qop implementations in# certain mainstream browser versions. Default on to check the# nonce count to protect from authentication replay attacks.## "post_workaround" on|off# This is a workaround to certain buggy browsers who sends# an incorrect request digest in POST requests when reusing# the same nonce as aquired earlier on a GET request.## === NTLM scheme options follow ===## "program" cmdline# Specify the command for the external ntlm authenticator.# Such a program reads a line containing the uuencoded NEGOTIATE# and replies with the ntlm CHALLENGE, then waits for the# response and answers with "OK" or "ERR" in an endless loop.# If you use an ntlm authenticator, make sure you have 1 acl# of type proxy_auth. By default, the ntlm authenticator_program# is not used.## auth_param ntlm program /usr/bin/ntlm_auth## "children" numberofchildren# The number of authenticator processes to spawn (no default).# If you start too few Squid will have to wait for them to# process a backlog of credential verifications, slowing it# down. When crendential verifications are done via a (slow)# network you are likely to need lots of authenticator# processes.# auth_param ntlm children 5## "max_challenge_reuses" number# The maximum number of times a challenge given by a ntlm# authentication helper can be reused. Increasing this number# increases your exposure to replay attacks on your network.# 0 means use the challenge only once. (disable challenge# caching) See max_ntlm_challenge_lifetime for more information.# auth_param ntlm max_challenge_reuses 0## "max_challenge_lifetime" timespan# The maximum time period that a ntlm challenge is reused# over. The actual period will be the minimum of this time# AND the number of reused challenges.# auth_param ntlm max_challenge_lifetime 2 minutes##Recommended minimum configuration:#auth_param digest program #auth_param digest children 5#auth_param digest realm Squid proxy-caching web server#auth_param digest nonce_garbage_interval 5 minutes#auth_param digest nonce_max_duration 30 minutes#auth_param digest nonce_max_count 50#auth_param ntlm program #auth_param ntlm children 5#auth_param ntlm max_challenge_reuses 0#auth_param ntlm max_challenge_lifetime 2 minutes#auth_param basic program auth_param basic children 5auth_param basic realm Squid proxy-caching web serverauth_param basic credentialsttl 2 hours# TAG: authenticate_cache_garbage_interval# The time period between garbage collection across the# username cache. This is a tradeoff between memory utilisation# (long intervals - say 2 days) and CPU (short intervals -# say 1 minute). Only change if you have good reason to.##Default:# authenticate_cache_garbage_interval 1 hour# TAG: authenticate_ttl# The time a user & their credentials stay in the logged in# user cache since their last request. When the garbage# interval passes, all user credentials that have passed their# TTL are removed from memory.##Default:# authenticate_ttl 1 hour# TAG: authenticate_ip_ttl# If you use proxy authentication and the 'max_user_ip' ACL,# this directive controls how long Squid remembers the IP# addresses associated with each user. Use a small value# (e.g., 60 seconds) if your users might change addresses# quickly, as is the case with dialups. You might be safe# using a larger value (e.g., 2 hours) in a corporate LAN# environment with relatively static address assignments.##Default:# authenticate_ip_ttl 0 seconds# TAG: external_acl_type# This option defines external acl classes using a helper program# to look up the status# # external_acl_type name [options] FORMAT.. /path/to/helper [helper arguments..]# # Options:## ttl=n TTL in seconds for cached results (defaults to 3600# for 1 hour)# negative_ttl=n# TTL for cached negative lookups (default same# as ttl)# concurrency=n Concurrency level / number of processes spawn# to service external acl lookups of this type.# cache=n result cache size, 0 is unbounded (default)# # FORMAT specifications## %LOGIN Authenticated user login name# %IDENT Ident user name# %SRC Client IP# %DST Requested host# %PROTO Requested protocol# %PORT Requested port# %METHOD Request method# % HTTP request header# % HTTP request header list member# %# HTTP request header list member using ; as# list separator. ; can be any non-alphanumeric# character.## In addition, any string specified in the referencing acl will# also be included in the helper request line, after the specified# formats (see the "acl external" directive)## The helper receives lines per the above format specification,# and returns lines starting with OK or ERR indicating the validity# of the request and optionally followed by additional keywords with# more details.## General result syntax:# # OK/ERR keyword=value ...## Defined keywords:## user= The users name (login)# error= Error description (only defined for ERR results)## Keyword values need to be enclosed in quotes if they may contain# whitespace, or the whitespace escaped using . Any quotes or # characters within the keyword value must be escaped.##Default:# none# OPTIONS FOR TUNING THE CACHE# -----------------------------------------------------------------------------# TAG: wais_relay_host# TAG: wais_relay_port# Relay WAIS request to host (1st arg) at port (2 arg).##Default:# wais_relay_port 0# TAG: request_header_max_size (KB)# This specifies the maximum size for HTTP headers in a request.# Request headers are usually relatively small (about 512 bytes).# Placing a limit on the request header size will catch certain# bugs (for example with persistent connections) and possibly# buffer-overflow or denial-of-service attacks.##Default:# request_header_max_size 10 KB# TAG: request_body_max_size (KB)# This specifies the maximum size for an HTTP request body.# In other words, the maximum size of a PUT/POST request.# A user who attempts to send a request with a body larger# than this limit receives an "Invalid Request" error message.# If you set this parameter to a zero (the default), there will# be no limit imposed.##Default:# request_body_max_size 0 KB# TAG: refresh_pattern# usage: refresh_pattern [-i] regex min percent max [options]## By default, regular expressions are CASE-SENSITIVE. To make# them case-insensitive, use the -i option.## 'Min' is the time (in minutes) an object without an explicit# expiry time should be considered fresh. The recommended# value is 0, any higher values may cause dynamic applications# to be erroneously cached unless the application designer# has taken the appropriate actions.## 'Percent' is a percentage of the objects age (time since last# modification age) an object without explicit expiry time# will be considered fresh.## 'Max' is an upper limit on how long objects without an explicit# expiry time will be considered fresh.## options: override-expire# override-lastmod# reload-into-ims# ignore-reload## override-expire enforces min age even if the server# sent a Expires: header. Doing this VIOLATES the HTTP# standard. Enabling this feature could make you liable# for problems which it causes.## override-lastmod enforces min age even on objects# that was modified recently.## reload-into-ims changes client no-cache or ``reload''# to If-Modified-Since requests. Doing this VIOLATES the# HTTP standard. Enabling this feature could make you# liable for problems which it causes.## ignore-reload ignores a client no-cache or ``reload''# header. Doing this VIOLATES the HTTP standard. Enabling# this feature could make you liable for problems which# it causes.# # Basically a cached object is:## FRESH if expires < now, else STALE# STALE if age > max# FRESH if lm-factor < percent, else STALE# FRESH if age < min# else STALE## The refresh_pattern lines are checked in the order listed here.# The first entry which matches is used. If none of the entries# match, then the default will be used.## Note, you must uncomment all the default lines if you want# to change one. The default setting is only active if none is# used.##Suggested default:refresh_pattern ^ftp: 1440 20% 10080refresh_pattern ^gopher: 1440 0% 1440refresh_pattern . 0 20% 4320# TAG: quick_abort_min (KB)# TAG: quick_abort_max (KB)# TAG: quick_abort_pct (percent)# The cache by default continues downloading aborted requests# which are almost completed (less than 16 KB remaining). This# may be undesirable on slow (e.g. SLIP) links and/or very busy# caches. Impatient users may tie up file descriptors and# bandwidth by repeatedly requesting and immediately aborting# downloads.## When the user aborts a request, Squid will check the# quick_abort values to the amount of data transfered until# then.## If the transfer has less than 'quick_abort_min' KB remaining,# it will finish the retrieval.## If the transfer has more than 'quick_abort_max' KB remaining,# it will abort the retrieval.## If more than 'quick_abort_pct' of the transfer has completed,# it will finish the retrieval.## If you do not want any retrieval to continue after the client# has aborted, set both 'quick_abort_min' and 'quick_abort_max'# to '0 KB'.## If you want retrievals to always continue if they are being# cached then set 'quick_abort_min' to '-1 KB'.##Default:# quick_abort_min 16 KB# quick_abort_max 16 KB# quick_abort_pct 95# TAG: negative_ttl time-units# Time-to-Live (TTL) for failed requests. Certain types of# failures (such as "connection refused" and "404 Not Found") are# negatively-cached for a configurable amount of time. The# default is 5 minutes. Note that this is different from# negative caching of DNS lookups.##Default:# negative_ttl 5 minutes# TAG: positive_dns_ttl time-units# Time-to-Live (TTL) for positive caching of successful DNS lookups.# Default is 6 hours (360 minutes). If you want to minimize the# use of Squid's ipcache, set this to 1, not 0.##Default:# positive_dns_ttl 6 hours# TAG: negative_dns_ttl time-units# Time-to-Live (TTL) for negative caching of failed DNS lookups.##Default:# negative_dns_ttl 5 minutes# TAG: range_offset_limit (bytes)# Sets a upper limit on how far into the the file a Range request# may be to cause Squid to prefetch the whole file. If beyond this# limit then Squid forwards the Range request as it is and the result# is NOT cached.## This is to stop a far ahead range request (lets say start at 17MB)# from making Squid fetch the whole object up to that point before# sending anything to the client.## A value of -1 causes Squid to always fetch the object from the# beginning so that it may cache the result. (2.0 style)## A value of 0 causes Squid to never fetch more than the# client requested. (default)##Default:# range_offset_limit 0 KB# TIMEOUTS# -----------------------------------------------------------------------------# TAG: connect_timeout time-units# Some systems (notably Linux) can not be relied upon to properly# time out connect(2) requests. Therefore the Squid process# enforces its own timeout on server connections. This parameter# specifies how long to wait for the connect to complete. The# default is two minutes (120 seconds).##Default:# connect_timeout 2 minutes# TAG: peer_connect_timeout time-units# This parameter specifies how long to wait for a pending TCP# connection to a peer cache. The default is 30 seconds. You# may also set different timeout values for individual neighbors# with the 'connect-timeout' option on a 'cache_peer' line.##Default:# peer_connect_timeout 30 seconds# TAG: read_timeout time-units# The read_timeout is applied on server-side connections. After# each successful read(), the timeout will be extended by this# amount. If no data is read again after this amount of time,# the request is aborted and logged with ERR_READ_TIMEOUT. The# default is 15 minutes.##Default:# read_timeout 15 minutes# TAG: request_timeout# How long to wait for an HTTP request after initial# connection establishment.##Default:# request_timeout 5 minutes# TAG: persistent_request_timeout# How long to wait for the next HTTP request on a persistent# connection after the previous request completes.##Default:# persistent_request_timeout 1 minute# TAG: client_lifetime time-units# The maximum amount of time that a client (browser) is allowed to# remain connected to the cache process. This protects the Cache# from having a lot of sockets (and hence file descriptors) tied up# in a CLOSE_WAIT state from remote clients that go away without# properly shutting down (either because of a network failure or# because of a poor client implementation). The default is one# day, 1440 minutes.## NOTE: The default value is intended to be much larger than any# client would ever need to be connected to your cache. You# should probably change client_lifetime only as a last resort.# If you seem to have many client connections tying up# filedescriptors, we recommend first tuning the read_timeout,# request_timeout, persistent_request_timeout and quick_abort values.##Default:# client_lifetime 1 day# TAG: half_closed_clients# Some clients may shutdown the sending side of their TCP# connections, while leaving their receiving sides open. Sometimes,# Squid can not tell the difference between a half-closed and a# fully-closed TCP connection. By default, half-closed client# connections are kept open until a read(2) or write(2) on the# socket returns an error. Change this option to 'off' and Squid# will immediately close client connections when read(2) returns# "no more data to read."##Default:# half_closed_clients on# TAG: pconn_timeout# Timeout for idle persistent connections to servers and other# proxies.##Default:# pconn_timeout 120 seconds# TAG: ident_timeout# Maximum time to wait for IDENT lookups to complete.# # If this is too high, and you enabled IDENT lookups from untrusted# users, then you might be susceptible to denial-of-service by having# many ident requests going at once.##Default:# ident_timeout 10 seconds# TAG: shutdown_lifetime time-units# When SIGTERM or SIGHUP is received, the cache is put into# "shutdown pending" mode until all active sockets are closed.# This value is the lifetime to set for all open descriptors# during shutdown mode. Any active clients after this many# seconds will receive a 'timeout' message.##Default:# shutdown_lifetime 30 seconds# ACCESS CONTROLS# -----------------------------------------------------------------------------# TAG: acl# Defining an Access List## acl aclname acltype string1 ...# acl aclname acltype "file" ...## when using "file", the file should contain one item per line## acltype is one of the types described below## By default, regular expressions are CASE-SENSITIVE. To make# them case-insensitive, use the -i option.## acl aclname src ip-address/netmask ... (clients IP address)# acl aclname src addr1-addr2/netmask ... (range of addresses)# acl aclname dst ip-address/netmask ... (URL host's IP address)# acl aclname myip ip-address/netmask ... (local socket IP address)## acl aclname srcdomain .foo.com ... # reverse lookup, client IP# acl aclname dstdomain .foo.com ... # Destination server from URL# acl aclname srcdom_regex [-i] xxx ... # regex matching client name# acl aclname dstdom_regex [-i] xxx ... # regex matching server# # For dstdomain and dstdom_regex a reverse lookup is tried if a IP# # based URL is used. The name "none" is used if the reverse lookup# # fails.## acl aclname time [day-abbrevs] [h1:m1-h2:m2]# day-abbrevs:# S - Sunday# M - Monday# T - Tuesday# W - Wednesday# H - Thursday# F - Friday# A - Saturday# h1:m1 must be less than h2:m2# acl aclname url_regex [-i] ^http:// ... # regex matching on whole URL# acl aclname urlpath_regex [-i] .gif$ ... # regex matching on URL path# acl aclname port 80 70 21 ...# acl aclname port 0-1024 ... # ranges allowed# acl aclname myport 3128 ... # (local socket TCP port)# acl aclname proto HTTP FTP ...# acl aclname method GET POST ...# acl aclname browser [-i] regexp ...# # pattern match on User-Agent header# acl aclname referer_regex [-i] regexp ...# # pattern match on Referer header# # Referer is highly unreliable, so use with care# acl aclname ident username ...# acl aclname ident_regex [-i] pattern ...# # string match on ident output.# # use REQUIRED to accept any non-null ident.# acl aclname src_as number ...# acl aclname dst_as number ...# # Except for access control, AS numbers can be used for# # routing of requests to specific caches. Here's an# # example for routing all requests for AS#1241 and only# # those to mycache.mydomain.net:# # acl asexample dst_as 1241# # cache_peer_access mycache.mydomain.net allow asexample# # cache_peer_access mycache_mydomain.net deny all## acl aclname proxy_auth username ...# acl aclname proxy_auth_regex [-i] pattern ...# # list of valid usernames# # use REQUIRED to accept any valid username.# ## # NOTE: when a Proxy-Authentication header is sent but it is not# # needed during ACL checking the username is NOT logged# # in access.log.# ## # NOTE: proxy_auth requires a EXTERNAL authentication program# # to check username/password combinations (see# # auth_param directive).# ## # WARNING: proxy_auth can't be used in a transparent proxy. It# # collides with any authentication done by origin servers. It may# # seem like it works at first, but it doesn't.## acl aclname snmp_community string ...# # A community string to limit access to your SNMP Agent# # Example:# ## # acl snmppublic snmp_community public## acl aclname maxconn number# # This will be matched when the client's IP address has# # more than HTTP connections established.## acl aclname max_user_ip [-s] number# # This will be matched when the user attempts to log in from more# # than different ip addresses. The authenticate_ip_ttl# # parameter controls the timeout on the ip entries.# # If -s is specified then the limit is strict, denying browsing# # from any further IP addresses until the ttl has expired. Without# # -s Squid will just annoy the user by "randomly" denying requests.# # (the counter is then reset each time the limit is reached and a# # request is denied)# # NOTE: in acceleration mode or where there is mesh of child proxies,# # clients may appear to come from multiple addresses if they are# # going through proxy farms, so a limit of 1 may cause user problems.## acl aclname req_mime_type mime-type1 ...# # regex match agains the mime type of the request generated# # by the client. Can be used to detect file upload or some# # types HTTP tunelling requests.# # NOTE: This does NOT match the reply. You cannot use this# # to match the returned file type.## acl aclname rep_mime_type mime-type1 ...# # regex match against the mime type of the reply recieved by# # squid. Can be used to detect file download or some# # types HTTP tunelling requests.# # NOTE: This has no effect in http_access rules. It only has# # effect in rules that affect the reply data stream such as# # http_reply_access.## acl acl_name external class_name [arguments...]# # external ACL lookup via a helper class defined by the# # external_acl_type directive.##Examples:#acl myexample dst_as 1241#acl password proxy_auth REQUIRED#acl fileupload req_mime_type -i ^multipart/form-data$#acl javascript rep_mime_type -i ^application/x-javascript$##Recommended minimum configuration:acl all src 0.0.0.0/0.0.0.0acl manager proto cache_objectacl localhost src 127.0.0.1/255.255.255.255acl to_localhost dst 127.0.0.0/8acl SSL_ports port 443 563acl Safe_ports port 80 # httpacl Safe_ports port 21 # ftpacl Safe_ports port 443 563 # https, snewsacl Safe_ports port 70 # gopheracl Safe_ports port 210 # waisacl Safe_ports port 1025-65535 # unregistered portsacl Safe_ports port 280 # http-mgmtacl Safe_ports port 488 # gss-httpacl Safe_ports port 591 # filemakeracl Safe_ports port 777 # multiling httpacl CONNECT method CONNECT# TAG: http_access# Allowing or Denying access based on defined access lists## Access to the HTTP port:# http_access allow|deny [!]aclname ...## NOTE on default values:## If there are no "access" lines present, the default is to deny# the request.## If none of the "access" lines cause a match, the default is the# opposite of the last line in the list. If the last line was# deny, then the default is allow. Conversely, if the last line# is allow, the default will be deny. For these reasons, it is a# good idea to have an "deny all" or "allow all" entry at the end# of your access lists to avoid potential confusion.##Default:# http_access deny all##Recommended minimum configuration:## Only allow cachemgr access from localhosthttp_access allow manager localhosthttp_access deny manager# Deny requests to unknown portshttp_access deny !Safe_ports# Deny CONNECT to other than SSL portshttp_access deny CONNECT !SSL_ports## We strongly recommend to uncomment the following to protect innocent# web applications running on the proxy server who think that the only# one who can access services on "localhost" is a local user#http_access deny to_localhost## INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS# Exampe rule allowing access from your local networks. Adapt# to list your (internal) IP networks from where browsing should# be allowed#acl our_networks src 192.168.1.0/24 192.168.2.0/24#http_access allow our_networks# And finally deny all other access to this proxyhttp_access allow localhosthttp_access deny all# TAG: http_reply_access# Allow replies to client requests. This is complementary to http_access.## http_reply_access allow|deny [!] aclname ...## NOTE: if there are no access lines present, the default is to allow# all replies## If none of the access lines cause a match, then the opposite of the# last line will apply. Thus it is good practice to end the rules# with an "allow all" or "deny all" entry.##Default:# http_reply_access allow all##Recommended minimum configuration:## Insert your own rules here.### and finally allow by defaulthttp_reply_access allow all# TAG: icp_access# Allowing or Denying access to the ICP port based on defined# access lists## icp_access allow|deny [!]aclname ...## See http_access for details##Default:# icp_access deny all