MISCELLANEOUS
Description
The DNS tests exit as soon as the first site is successfully
looked up. This test can be disabled with the -D command line
option.
Default |
dns_testnames netscape.com internic.net nlanr.net microsoft.com |
Example
dns_testnames visolve.com
|
Usage |
logfile_rotate NUMBER |
Description
Specifies the number of logfile rotations to make when you
type 'squid -k rotate'. The default is 10, which will rotate
with extensions 0 through 9. Setting logfile_rotate to 0 will
disable the rotation, but the logfiles are still closed and
re-opened. This will enable you to rename the logfiles yourself
just before sending the rotate signal.
Default |
logfile_rotate 10 |
Example
logfile_rotate 5
Caution
Note that the 'squid -k rotate' command normally sends a USR1
signal to the running squid process. In certain situations
(e.g. on Linux with Async I/O), USR1 is used for other purposes,
so -k rotate uses another signal. It is best to get in the
habit of using 'squid -k rotate' instead of 'kill -USR1'.
|
Usage |
append_domain domainname |
Description
Appends the local domain name to hostnames without any dots in
them. append_domain must begin with a period.
Example
append_domain .domain.com
|
Tag Name |
tcp_recv_bufsize |
Usage |
tcp_recv_bufsize (bytes) |
Description
Size of receive buffer to set for TCP sockets. Probably just
as easy to change your kernel's default.
Default |
The default is zero, which means the kernel's default buffer
size is used.
tcp_recv_bufsize 0 bytes
|
|
Description
This is used to specify HTML text to be included
in error messages. Make this a "mailto" URL to your administrator's
address, or maybe just a link to your organization's Web page.
To include this in your error messages,
you must rewrite the error template files (found in the "$prefix/etc/errors"
directory). Wherever you want the 'err_html_text' line to
appear, insert a %L tag in the error template file.
Example
err_html_text venkatesh@visolve.com
If you want this mail ID to be displayed
when an access denied error occurs, edit the corresponding
file (ERR_ACCESS_DENIED in the '$prefix/etc/errors' directory)
and put %L where the mail ID should be displayed.
|
Usage |
deny_info err_page_name acl |
Description
This can be used to return an ERR_ page for requests that
do not pass the 'http_access' rules. A single ACL will cause
the http_access check to fail. If a 'deny_info' line exists
for that ACL then Squid returns a corresponding error page.
You may use ERR_ pages that come with Squid
or create your own pages and put them into the configured
errors/ directory.
Example
If you want to deny the domain 'deny.com' and display a
specific access denied message, add these lines to the configuration
file, and add a file called ERR_CUSTOM_ACCESS_DENIED, in your own
format, to the $prefix/etc/errors/ directory.
acl DSTDOMAIN dstdomain .deny.com
http_access deny DSTDOMAIN
http_access allow all
deny_info ERR_CUSTOM_ACCESS_DENIED DSTDOMAIN
So now if users try to browse 'deny.com' they will get your
defined error message.
|
Usage |
memory_pools on|off |
Description
If set, Squid will keep pools of allocated (but unused) memory
available for future use. If memory is at a premium on your system
and you believe your malloc library outperforms Squid routines,
disable this.
|
Tag Name |
memory_pools_limit |
Usage |
memory_pools_limit (bytes) |
Description
If set to a non-zero value, Squid will keep at most the specified
limit of allocated (but unused) memory in memory pools. All
free() requests that exceed this limit will be handled by
your malloc library. Squid does not pre-allocate any memory,
just safe-keeps objects that otherwise would be free()d. Thus,
it is safe to set memory_pools_limit to a reasonably high
value even if your configuration will use less memory.
If not set (default) or set to zero, Squid
will keep all memory it can. That is, there will be no limit
on the total amount of memory used for safe-keeping.
Default |
none
By default, memory_pools is
not set, so there is no default value for memory_pools_limit.
|
Caution
Used only with memory_pools on.
To disable memory allocation optimization, do not set
memory_pools_limit to 0. Set memory_pools to "off" instead.
An overhead for maintaining memory pools is not taken into
account when the limit is checked. This overhead is close
to four bytes per object kept. However, pools may actually
_save_ memory because of reduced memory thrashing in your
malloc library.
|
Usage |
forwarded_for on|off |
Description
Current HTTP/1.1 does not provide any standard way of indicating
the client address in the request. Since a number of people
missed having the originating client address in the request,
Squid now adds its own request header called "X-Forwarded-For"
which looks like this: X-Forwarded-For: 192.1.2.3|unknown
If set, Squid will include your system's
IP address or name in the HTTP requests it forwards. By default
it looks like this:
X-Forwarded-For: 192.1.2.3
If you disable this, it will appear as X-Forwarded-For: unknown
|
Usage |
log_icp_queries on|off |
Description
If set, ICP queries are logged to access.log.
You may wish to disable this if your ICP load is very high,
to speed things up or to simplify log analysis.
Default |
log_icp_queries on |
|
Usage |
icp_hit_stale on|off |
Description
If you want to return ICP_HIT for stale cache objects, set
this option to 'on'. If you have sibling relationships with
caches in other administrative domains, this should be 'off'.
If you only have sibling relationships with caches under your
control, then it is probably okay to set this to 'on'
Default |
icp_hit_stale off |
|
Tag Name |
minimum_direct_hops |
Usage |
minimum_direct_hops NUMBER |
Description
If using the ICMP pinging stuff, do direct fetches for sites
which are no more than this many hops away. This parameter
plays a role in deciding latency
Default |
minimum_direct_hops 4 |
|
Tag Name |
minimum_direct_rtt |
Usage |
minimum_direct_rtt time-units |
Description
If using the ICMP pinging stuff, do direct fetches for sites
which are no more than this many rtt milliseconds away.
Default |
minimum_direct_rtt 400 |
|
Usage |
cachemgr_passwd password action action
... |
Description
This tag is used to specify passwords for cachemgr operations.
Some valid actions are (see cache manager menu for a full
list):
5min
60min
asndb
authenticator
cbdata
client_list
comm_incoming
config *
counters
delay
digest_stats
dns
events
filedescriptors
fqdncache
histograms
http_headers
info
io
ipcache
mem
menu
netdb
non_peers
objects
pconn
peer_select
redirector
refresh
server_list
shutdown *
store_digest
storedir
utilization
via_headers
vm_objects
* Indicates actions which will not
be performed without a valid password, others can be performed
if not listed here.
To disable an action, set the password
to "disable".
To allow performing an action without
a password, set the password to "none".
Use the keyword "all" to set the
same password for all actions.
cachemgr_passwd secret shutdown
cachemgr_passwd lesssssssecret info stats/objects
cachemgr_passwd disable all
|
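An added example, written for this page and not part of Squid or its documentation: a short Python check that reads the cachemgr_passwd lines of a configuration and reports, per action, whether it ends up password-protected, disabled, usable without a password, or (for the starred actions with no line at all) locked. It assumes the first line naming an action, or "all", decides; the function names and the two extra configurations are constructed for illustration.

```python
# Added example: effective cachemgr_passwd policy for a squid.conf.
STARRED = {"config", "shutdown"}  # marked "*" in the action list above


def parse_rules(conf_text):
    """Return [(password, [action, ...]), ...] in file order."""
    rules = []
    for raw in conf_text.splitlines():
        words = raw.split("#", 1)[0].split()
        if len(words) >= 3 and words[0] == "cachemgr_passwd":
            rules.append((words[1], words[2:]))
    return rules


def state_of(rules, action):
    """Classify an action: 'password', 'disabled', 'open' or 'locked'."""
    # Assumption: the first line naming the action (or "all") decides.
    for password, actions in rules:
        if action in actions or "all" in actions:
            return {"disable": "disabled", "none": "open"}.get(password, "password")
    # Unlisted: starred actions have no valid password to present, so they
    # stay locked; any other action can be performed without one.
    return "locked" if action in STARRED else "open"


def audit(conf_text, actions):
    """Return ({action: state}, [finding, ...]) for the given actions."""
    rules = parse_rules(conf_text)
    policy = {a: state_of(rules, a) for a in actions}
    findings = []
    for action, state in sorted(policy.items()):
        if state == "open" and action in STARRED:
            findings.append(f"{action}: starred action usable without a password")
        elif state == "open":
            findings.append(f"{action}: no password required")
    return policy, findings


# The three lines from the page, then two constructed configurations.
PAGE_EXAMPLE = """\
cachemgr_passwd secret shutdown
cachemgr_passwd lesssssssecret info stats/objects
cachemgr_passwd disable all
"""
ONLY_SHUTDOWN = "cachemgr_passwd secret shutdown\n"  # constructed
NONE_FIRST = "cachemgr_passwd none all\ncachemgr_passwd secret shutdown\n"  # constructed

if __name__ == "__main__":
    for name, conf in [("page", PAGE_EXAMPLE), ("only-shutdown", ONLY_SHUTDOWN),
                       ("none-first", NONE_FIRST)]:
        policy, findings = audit(conf, ["config", "info", "menu", "shutdown"])
        print(name, policy)
        for finding in findings:
            print("  finding:", finding)
```

With the page's three lines nothing is reachable without a password; the constructed "none all" line placed first leaves every action, including shutdown, open.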
Tag Name |
store_avg_object_size |
Usage |
store_avg_object_size (kbytes) |
Description
Average object size, used to estimate the number of objects your
cache can hold. To estimate the number of objects your cache
can hold:
NUM_OBJ = cache_swap / store_avg_object_size
cache_swap is the size of the cache.
Default |
The default is 13 KB.
store_avg_object_size 13 KB
|
|
Tag Name |
store_objects_per_bucket |
Usage |
store_objects_per_bucket (kbytes) |
Description
Target number of objects per bucket in the store hash table.
Lowering this value increases the total number of buckets
and also the storage maintenance rate. The number of hash
buckets needed is then estimated as:
NUM_BUCKETS = NUM_OBJ / store_objects_per_bucket
NUM_OBJ is the number of objects your cache can hold, estimated
by store_avg_object_size.
Default |
store_objects_per_bucket 20 |
Example
store_objects_per_bucket 50
|
Description
If you want to disable collecting per-client statistics, then
turn off client_db here
|
Tag Name |
netdb_low
netdb_high
|
Usage |
netdb_low entries
netdb_high entries
|
Description
The low and high water marks for the ICMP measurement database.
These are counts, not percents. The defaults are 900 and 1000.
When the high water mark is reached, database entries will
be deleted until the low mark is reached.
Default |
netdb_low 900
netdb_high 1000
|
|
Tag Name |
netdb_ping_period |
Usage |
netdb_ping_period time-units |
Description
The minimum period for measuring a site. There will be at
least this much delay between successive pings to the same
network
Default |
netdb_ping_period 5 minutes |
|
Description
If you want to ask your peers to include ICMP data in their
ICP replies, enable this option. If your peer has configured
Squid (during compilation) with '--enable-icmp' then that
peer will send ICMP pings to origin server sites of the URLs
it receives. If you enable this option then the ICP replies
from that peer will include the ICMP data (if available).
Then, when choosing a parent cache, Squid will choose the
parent with the minimal RTT to the origin server. When this
happens, the hierarchy field of the access.log
will be "CLOSEST_PARENT_MISS".
|
Tag Name |
test_reachability |
Usage |
test_reachability on|off |
Description
When this is 'on', ICP MISS replies will be ICP_MISS_NOFETCH
instead of ICP_MISS if the target host is NOT in the ICMP
database, or has a zero RTT
Default |
test_reachability off |
|
Usage |
buffered_logs on|off |
Description
Some log files (cache.log, useragent.log) are written with
stdio functions, and as such they can be buffered or unbuffered.
By default they will be unbuffered. Buffering them can speed
up the writing slightly (though you are unlikely to need to
worry).
Default |
buffered_logs off |
|
Usage |
reload_into_ims on|off |
Description
When you enable this option, client no-cache or "reload"
requests will be changed to If-Modified-Since requests. Doing
this VIOLATES the HTTP standard. Enabling this feature could
make you liable for problems which it causes.
See also refresh_pattern for a
more selective approach.
This option may be disabled by using --disable-http-violations
with the configure script.
Default |
reload_into_ims off |
|
Usage |
always_direct allow|deny [!]aclname ... |
Description
Here you can use ACL elements to specify requests which should
ALWAYS be forwarded directly to origin servers. This is mostly
used while using cache_peer.
See also never_direct.
Default |
always_direct is by default deny. |
Example
For example, to always directly forward requests for local
servers use something like:
acl local-servers dstdomain .my.domain.net
always_direct allow local-servers
To always forward FTP requests directly,
use
acl FTP proto FTP
always_direct allow FTP
Example for denying specific domain
acl local-external dstdomain .external.foo.net
acl local-servers dstdomain .foo.net
always_direct deny local-external
always_direct allow local-servers
Caution
There is a similar, but opposite option
named 'never_direct'. You need to be aware that "always_direct
deny foo" is NOT the same thing as "never_direct allow foo".
You may need to use a deny rule to exclude a more-specific
case of some other rule.
|
Usage |
never_direct allow|deny [!]aclname ...
|
Description
never_direct is the opposite of always_direct. Please read
the description for always_direct
if you have not already.
With 'never_direct' you can use ACL elements
to specify requests which should NEVER be forwarded directly
to origin servers.
When always_direct and never_direct are both
deny (the default), Squid decides, based on the request type
and a number of other factors, whether a parent should be used,
and if a parent cannot be reached it will always fall back
to going direct.
If always_direct is allow then Squid will
always go direct to the source without considering any peers.
If never_direct is allow then Squid will
never attempt to go direct to the source. Instead it tries
very hard to find a parent to send the request to. If no parent
can be found then an error is returned.
Default |
never_direct is by default deny. |
Example
For example, to force the use of a proxy for all requests,
except those in your local domain use something like:
acl local-servers dstdomain foo.net
acl all src 0.0.0.0/0.0.0.0
never_direct deny local-servers
never_direct allow all
Or, if Squid is inside a firewall and there
are local intranet servers inside the firewall, use something
like:
acl local-intranet dstdomain .foo.net
acl local-external dstdomain .external.foo.net
always_direct deny local-external
always_direct allow local-intranet
never_direct allow all
Caution
It is better to understand always_direct before enabling
this tag.
|
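The firewall example above, run through a small model of the two lists; this is an added example written for this page in Python, not Squid's code. It shows why the 'always_direct deny local-external' line matters: with it swapped for 'never_direct allow local-external' (the constructed NO_DENY variant), the broader 'always_direct allow local-intranet' rule still sends external.foo.net hosts direct. It assumes first-match rule evaluation, dstdomain ACLs only, and always_direct being consulted before never_direct; all function names are illustrative.

```python
def dstdomain_match(pattern, host):
    """'.foo.net' matches foo.net and its subdomains; 'foo.net' only itself."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def parse(conf_text):
    """Collect dstdomain ACLs and the two rule lists, in file order."""
    acls = {"all": None}  # None: matches every host
    rules = {"always_direct": [], "never_direct": []}
    for line in conf_text.splitlines():
        w = line.split()
        if len(w) >= 4 and w[0] == "acl" and w[2] == "dstdomain":
            acls.setdefault(w[1], []).extend(w[3:])
        elif len(w) >= 3 and w[0] in rules:
            rules[w[0]].append((w[1], w[2:]))
    return acls, rules


def acl_matches(acls, name, host):
    patterns = acls[name.lstrip("!")]
    hit = patterns is None or any(dstdomain_match(p, host) for p in patterns)
    return hit != name.startswith("!")  # a leading '!' negates the ACL


def allowed(acls, rule_list, host):
    """First rule whose ACLs all match decides; no match means deny."""
    for action, names in rule_list:
        if all(acl_matches(acls, n, host) for n in names):
            return action == "allow"
    return False


def route(conf_text, host):
    """Return 'direct', 'parent-only' or 'squid-decides' for a host."""
    acls, rules = parse(conf_text)
    # Assumption: always_direct is consulted before never_direct.
    if allowed(acls, rules["always_direct"], host):
        return "direct"
    if allowed(acls, rules["never_direct"], host):
        return "parent-only"
    return "squid-decides"  # both deny: may still fall back to direct


FIREWALL = """\
acl local-intranet dstdomain .foo.net
acl local-external dstdomain .external.foo.net
always_direct deny local-external
always_direct allow local-intranet
never_direct allow all
"""
# Constructed variant: the deny rule swapped for a never_direct allow.
NO_DENY = FIREWALL.replace("always_direct deny", "never_direct allow")

if __name__ == "__main__":
    for host in ("www.foo.net", "www.external.foo.net", "example.com"):
        print(host, route(FIREWALL, host), route(NO_DENY, host))
```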
Tag Name |
anonymize_headers |
Usage |
anonymize_headers allow|deny header_name
... |
Description
This option replaces the old 'http_anonymizer' option with
something that is much more configurable. You may now specify
exactly which headers are to be allowed, or which are to be
removed from outgoing requests.
There are two methods of using this option. You may either
allow specific headers (thus denying all others), or you may
deny specific headers (thus allowing all others).
For example, to achieve the same behavior as the old 'http_anonymizer
standard' option, you should use:
anonymize_headers deny From Referer Server
anonymize_headers deny User-Agent WWW-Authenticate Link
Or, to reproduce the old 'http_anonymizer
paranoid' feature you should use:
anonymize_headers allow Allow Authorization Cache-Control
anonymize_headers allow Content-Encoding Content-Length
anonymize_headers allow Content-Type Date Expires Host
anonymize_headers allow If-Modified-Since Last-Modified
anonymize_headers allow Location Pragma Accept
anonymize_headers allow Accept-Encoding Accept-Language
anonymize_headers allow Content-Language Mime-Version
anonymize_headers allow Retry-After Title Connection
anonymize_headers allow Proxy-Connection
Default |
By default, all headers are allowed (no
anonymizing is performed). |
Example
anonymize_headers deny Proxy-Connection
Caution
You cannot mix "allow" and "deny". All 'anonymize_headers'
lines must have the same second argument.
|
Usage |
fake_user_agent String |
Description
If you filter the User-Agent header with 'anonymize_headers'
it may cause some Web servers to refuse your request. Use
this to fake one up.
Example
fake_user_agent Nutscrape/1.0 (CP/M; 8-bit)
|
Usage |
icon_directory directorypath/directoryname |
Description
This tag is to specify the location where the icons are stored
Default |
These are normally kept in /usr/local/squid/etc/icons |
Example
icon_directory /etc/icons
|
Usage |
error_directory directorypath/directoryname |
Description
If you wish to create your own versions of the default (English)
error files, either to customize them to suit your language
or company, copy the template English files to another directory
and point this tag at them
Default |
These are normally kept in /usr/local/squid/etc/errors |
Example
error_directory /etc/errors
|
Tag Name |
minimum_retry_timeout |
Usage |
minimum_retry_timeout (seconds) |
Description
This specifies the minimum connect timeout, when the connect
timeout is reduced to compensate for the availability of multiple
IP addresses. When a connection to a host is initiated, and
that host has several IP addresses, the default connection
timeout is reduced by dividing it by the number of addresses.
So, a site with 15 addresses would then have a timeout of 8
seconds for each address attempted. To avoid having the timeout
reduced to the point where even a working host would not have
a chance to respond, this setting is provided.
Default |
The default, and the minimum value, is five seconds,
and the maximum value is sixty seconds, or half of connect_timeout,
whichever is greater and less than connect_timeout.
minimum_retry_timeout 5 seconds
|
|
Tag Name |
maximum_single_addr_tries |
Usage |
maximum_single_addr_tries NUMBER |
Description
This sets the maximum number of connection attempts for a
host that only has one address (for multiple-address hosts,
each address is tried once)
Default |
The default value is three tries, the (not recommended)
maximum is 255 tries.
maximum_single_addr_tries 3
|
Caution
A warning message will be generated if it is set to a value
greater than ten
|
Description
Squid can now serve statistics and status information via
SNMP. If you don't wish to use SNMP, set this to "0".
The snmpd daemon is a server that supports
both the Simple Network Management Protocol v2 and v1. It
receives and responds to SNMP messages sent to the SNMP port
on the local machine. snmpd.conf is the configuration file
which defines how the ucd-snmp SNMP agent operates.
Default |
By default it listens to port 3401 on
the machine. snmp_port 3401 |
Caution
SNMP support requires use of the --enable-snmp configure command
line option
|
Usage |
snmp_access allow|deny [!]aclname ... |
Description
Allowing or denying access to the SNMP port. This option is
only available if Squid is rebuilt with the --enable-snmp
option
Default |
All access to the agent is denied by default.
|
Example
snmp_access allow snmppublic localhost
snmp_access deny all
|
Tag Name |
snmp_incoming_address
snmp_outgoing_address
|
Usage |
snmp_incoming_address IPAddress
snmp_outgoing_address IPAddress
|
Description
Just like 'udp_incoming_address' above, but for the SNMP port.
This option is only available if Squid is rebuilt with the --enable-snmp
option.
snmp_incoming_address is used for the SNMP
socket receiving messages from SNMP agents. snmp_outgoing_address
is used for SNMP packets returned to SNMP agents.
Default |
The default behavior is to not bind
to any specific address. snmp_incoming_address 0.0.0.0
snmp_outgoing_address 255.255.255.255
|
Example
snmp_incoming_address 172.16.1.115
snmp_outgoing_address 172.16.1.114
Caution
snmp_incoming_address and snmp_outgoing_address cannot have
the same value since they both use port 3130.
|
Usage |
as_whois_server Server-Name |
Description
WHOIS server to query for AS numbers. NOTE: AS numbers are
queried only when Squid starts up, not for every request.
Default |
as_whois_server whois.ra.net |
|
Usage |
wccp_router Router-IPAddress |
Description
This option is used to define the WCCP "home" router for
Squid. Setting the 'wccp_router' to 0.0.0.0 (the default)
disables WCCP.
Default |
wccp_router 0.0.0.0 |
|
Usage |
wccp_version Version |
Description
According to some users, Cisco IOS 11.2 only supports WCCP
version 3. If you're using that version of IOS, change this
value to 3.
|
Tag Name |
wccp_incoming_address |
Usage |
wccp_incoming_address IPAddress |
Description
Use this option if you require WCCP messages to be received
on only one interface. Do NOT use this option if you're unsure
how many interfaces you have, or if you know you have only
one interface
Default |
The default behavior is to not bind
to any specific address
wccp_incoming_address 0.0.0.0
|
Caution
wccp_incoming_address and wccp_outgoing_address cannot have
the same value since they both use port 2048.
|
Tag Name |
wccp_outgoing_address |
Usage |
wccp_outgoing_address IPAddress |
Description
Use this option if you require WCCP messages to be sent out
on only one interface. Do NOT use this option if you're unsure
how many interfaces you have, or if you know you have only
one interface
Default |
wccp_outgoing_address 255.255.255.255
(The default behavior is to not
bind to any specific address) |
Caution
wccp_incoming_address and wccp_outgoing_address cannot have
the same value since they both use port 2048.
|
|