Disclaimer: This manual is NOT a Squid tutorial. It is only reference material that provides a detailed explanation of all configuration parameters available in Squid 2.4. The reader is expected to have prior knowledge of basic Squid installation and configuration. For a complete tutorial on Squid, please visit http://www.squid-cache.org

Squid 2.4 Configuration Manual


MISCELLANEOUS

Tag Name dns_testnames
Usage dns_testnames URL

Description
The DNS tests exit as soon as the first site is successfully looked up. This test can be disabled with the -D command line option.

Default dns_testnames netscape.com internic.net nlanr.net microsoft.com

Example
dns_testnames visolve.com

 

Tag Name logfile_rotate
Usage logfile_rotate NUMBER

Description
Specifies the number of logfile rotations to make when you type 'squid -k rotate'. The default is 10, which will rotate with extensions 0 through 9. Setting logfile_rotate to 0 will disable the rotation, but the logfiles are still closed and re-opened. This will enable you to rename the logfiles yourself just before sending the rotate signal.

Default logfile_rotate 10

Example
logfile_rotate 5

Caution
Note, the 'squid -k rotate' command normally sends a USR1 signal to the running squid process. In certain situations (e.g. on Linux with Async I/O), USR1 is used for other purposes; so -k rotate uses another signal. It is best to get in the habit of using 'squid -k rotate' instead of 'kill -USR1 '


Tag Name append_domain
Usage append_domain domainname

Description
Appends the local domain name to hostnames without any dots in them. append_domain must begin with a period.

Default none

Example
append_domain .domain.com

 

Tag Name tcp_recv_bufsize
Usage tcp_recv_bufsize (bytes)

Description
Size of receive buffer to set for TCP sockets. Probably just as easy to change your kernel's default.

Default

Set to zero to use the default buffer size. By default, if this is set to zero, then it means it is using kernel's default.

tcp_recv_bufsize 0 bytes

 


Tag Name err_html_text
Usage err_html_text text

Description
This is used to specify the HTML text which is to be included in error messages. Make this a "mailto" URL to your administrator's address, or maybe just a link to your organization's Web page.

To include this in your error messages, you must rewrite the error template files (found in the "$prefix/etc/errors" directory). Wherever you want the 'err_html_text' line to appear, insert a %L tag in the error template file.

Default none

Example
err_html_text venkatesh@visolve.com

If, for example, you want this mail ID displayed when an access denied error occurs, edit the corresponding file (ERR_ACCESS_DENIED in the '$prefix/etc/errors' directory) and put %L where the mail ID should be displayed.

 

Tag Name deny_info
Usage deny_info err_page_name acl

Description
This can be used to return an ERR_ page for requests, which do not pass the 'http_access' rules. A single ACL will cause the http_access check to fail. If a 'deny_info' line exists for that ACL then Squid returns a corresponding error page.

You may use ERR_ pages that come with Squid or create your own pages and put them into the configured errors/ directory

Default none

Example
If you want to deny the domain 'deny.com' and display a specific access denied message, add these lines to the conf file, and add a file called ERR_CUSTOM_ACCESS_DENIED, in your own format, to the $prefix/etc/errors/ directory.

acl DSTDOMAIN dstdomain .deny.com
http_access deny DSTDOMAIN
http_access allow all
deny_info ERR_CUSTOM_ACCESS_DENIED DSTDOMAIN
Now, if users try to browse 'deny.com', they will get the error message you defined.



Tag Name memory_pools
Usage memory_pools on|off

Description
If set, Squid will keep pools of allocated (but unused) memory available for future use. If memory is a premium on your system and you believe your malloc library outperforms Squid routines, disable this.

Default memory_pools on

 

Tag Name memory_pools_limit
Usage memory_pools_limit (bytes)

Description
If set to a non-zero value, Squid will keep at most the specified limit of allocated (but unused) memory in memory pools. All free() requests that exceed this limit will be handled by your malloc library. Squid does not pre-allocate any memory, just safe-keeps objects that otherwise would be free()d. Thus, it is safe to set memory_pools_limit to a reasonably high value even if your configuration will use less memory.

If not set (default) or set to zero, Squid will keep all memory it can. That is, there will be no limit on the total amount of memory used for safe-keeping.

Default

none
By default, memory_pools is not set. So there is no default value for memory_pools_limit

Caution
Used only with memory_pools on: To disable memory allocation optimization, do not set memory_pools_limit to 0. Set memory_pools to "off" instead. An overhead for maintaining memory pools is not taken into account when the limit is checked. This overhead is close to four bytes per object kept. However, pools may actually _save_ memory because of reduced memory thrashing in your malloc library.


Tag Name forwarded_for
Usage forwarded_for on|off

Description
Current HTTP/1.1 does not provide any standard way of indicating the client address in the request. Since a number of people missed having the originating client address in the request, Squid now adds its own request header called "X-Forwarded-For" which looks like this: X-Forwarded-For: 192.1.2.3|unknown

If set, Squid will include your system's IP address or name in the HTTP requests it forwards. By default it looks like this:
X-Forwarded-For: 192.1.2.3
If you disable this, it will appear as X-Forwarded-For: unknown

Default forwarded_for on

 

Tag Name log_icp_queries
Usage log_icp_queries on|off

Description
If set, ICP queries are logged to access.log. You may wish to disable this if your ICP load is very high to speed things up or to simplify log analysis

Default log_icp_queries on

 

Tag Name icp_hit_stale
Usage icp_hit_stale on|off

Description
If you want to return ICP_HIT for stale cache objects, set this option to 'on'. If you have sibling relationships with caches in other administrative domains, this should be 'off'. If you only have sibling relationships with caches under your control, then it is probably okay to set this to 'on'

Default icp_hit_stale off

 

Tag Name minimum_direct_hops
Usage minimum_direct_hops NUMBER

Description
If using the ICMP pinging stuff, do direct fetches for sites which are no more than this many hops away. This parameter plays a role in deciding latency

Default minimum_direct_hops 4

 

Tag Name minimum_direct_rtt
Usage minimum_direct_rtt time-units

Description
If using the ICMP pinging stuff, do direct fetches for sites which are no more than this many rtt milliseconds away.

Default minimum_direct_rtt 400

 

Tag Name cachemgr_passwd
Usage cachemgr_passwd password action action ...

Description
This tag is used to specify passwords for cachemgr operations. Some valid actions are (see cache manager menu for a full list):

5min
60min
asndb
authenticator
cbdata
client_list
comm_incoming
config *
counters
delay
digest_stats
dns
events
filedescriptors
fqdncache
histograms
http_headers
info
io
ipcache
mem
menu
netdb
non_peers
objects
pconn
peer_select
redirector
refresh
server_list
shutdown *
store_digest
storedir
utilization
via_headers
vm_objects

* Indicates actions which will not be performed without a valid password, others can be performed if not listed here.

To disable an action, set the password to "disable".

To allow performing an action without a password, set the password to "none".

Use the keyword "all" to set the same password for all actions.

Example
cachemgr_passwd secret shutdown
cachemgr_passwd lesssssssecret info stats/objects
cachemgr_passwd disable all

Default none
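
The rules above can be checked mechanically before a configuration is deployed. The following Python sketch is an added example, not part of the original manual or of Squid; it reports which cache manager actions can be run without a password. It assumes that the first cachemgr_passwd line naming an action (or "all") wins, which is consistent with the example above, and the function names and the ACTIONS sample are hypothetical.

```python
# Added illustration: models the cachemgr_passwd rules described above.
# It is not Squid code; first-match ordering is an assumption.

# Actions the manual marks with '*': never performed without a valid password.
ALWAYS_PROTECTED = {"config", "shutdown"}


def parse_cachemgr_passwd(conf_text):
    """Return [(password, {actions})] for each cachemgr_passwd line, in file order."""
    rules = []
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "cachemgr_passwd":
            rules.append((fields[1], set(fields[2:])))
    return rules


def action_state(rules, action):
    """Classify one action as 'password', 'disabled', 'open' or 'blocked'."""
    for passwd, actions in rules:  # assumption: the first matching line wins
        if action in actions or "all" in actions:
            if passwd == "disable":
                return "disabled"
            if passwd == "none":
                return "open"
            return "password"
    # Unlisted: '*' actions cannot run (no password exists), the rest are open.
    return "blocked" if action in ALWAYS_PROTECTED else "open"


def open_actions(conf_text, actions):
    """Actions that anyone who can reach the cache manager may run unauthenticated."""
    rules = parse_cachemgr_passwd(conf_text)
    return sorted(a for a in actions if action_state(rules, a) == "open")


# Constructed sample inputs (ACTIONS is a subset of the list above).
ACTIONS = ["client_list", "config", "info", "menu", "objects", "shutdown"]
PAGE_EXAMPLE = """\
cachemgr_passwd secret shutdown
cachemgr_passwd lesssssssecret info stats/objects
cachemgr_passwd disable all
"""
RISKY = """\
cachemgr_passwd none all
"""

if __name__ == "__main__":
    for name, conf in [("empty", ""), ("page example", PAGE_EXAMPLE), ("risky", RISKY)]:
        print(name, "->", open_actions(conf, ACTIONS))
```

With no cachemgr_passwd lines at all, every action except config and shutdown is reported as open, which is why a trailing "cachemgr_passwd disable all" line is worth having.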

 

Tag Name store_avg_object_size
Usage store_avg_object_size (kbytes)

Description
Average object size, used to estimate the number of objects your cache can hold:
NUM_OBJ = cache_swap / store_avg_object_size
where cache_swap is the size of the cache.

Default

The default is 13 KB.

store_avg_object_size 13 KB

 

Tag Name store_objects_per_bucket
Usage store_objects_per_bucket (kbytes)

Description
Target number of objects per bucket in the store hash table. Lowering this value increases the total number of buckets and also the storage maintenance rate. The number of hash buckets needed is then estimated as:
NUM_BUCKETS = NUM_OBJ / store_objects_per_bucket
where NUM_OBJ is the number of objects your cache can hold, estimated by store_avg_object_size.

Default store_objects_per_bucket 20

Example
store_objects_per_bucket 50


Tag Name client_db
Usage client_db on|off

Description
If you want to disable collecting per-client statistics, then turn off client_db here

Default client_db on

 

Tag Name

netdb_low
netdb_high

Usage

netdb_low entries

netdb_high entries

Description
The low and high water marks for the ICMP measurement database. These are counts, not percents. The defaults are 900 and 1000. When the high water mark is reached, database entries will be deleted until the low mark is reached.

Default

netdb_low 900
netdb_high 1000

 

Tag Name netdb_ping_period
Usage netdb_ping_period time-units

Description
The minimum period for measuring a site. There will be at least this much delay between successive pings to the same network

Default netdb_ping_period 5 minutes

 

 

Tag Name query_icmp
Usage query_icmp on|off

Description
If you want to ask your peers to include ICMP data in their ICP replies, enable this option. If your peer has configured Squid (during compilation) with '--enable-icmp' then that peer will send ICMP pings to origin server sites of the URLs it receives. If you enable this option then the ICP replies from that peer will include the ICMP data (if available). Then, when choosing a parent cache, Squid will choose the parent with the minimal RTT to the origin server. When this happens, the hierarchy field of the access.log will be "CLOSEST_PARENT_MISS".

Default query_icmp off

 

Tag Name test_reachability
Usage test_reachability on|off

Description
When this is 'on', ICP MISS replies will be ICP_MISS_NOFETCH instead of ICP_MISS if the target host is NOT in the ICMP database, or has a zero RTT

Default test_reachability off

 

Tag Name buffered_logs
Usage buffered_logs on|off

Description
Some log files (cache.log, useragent.log) are written with stdio functions, and as such they can be buffered or unbuffered. By default they will be unbuffered. Buffering them can speed up the writing slightly (though you are unlikely to need to worry).

Default buffered_logs off

 

Tag Name reload_into_ims
Usage reload_into_ims on|off

Description
When you enable this option, client no-cache or "reload" requests will be changed to If-Modified-Since requests. Doing this VIOLATES the HTTP standard. Enabling this feature could make you liable for problems which it causes.

See also refresh_pattern for a more selective approach.

This option may be disabled by using --disable-http-violations with the configure script.

Default reload_into_ims off

 

Tag Name always_direct
Usage always_direct allow|deny [!]aclname ...

Description
Here you can use ACL elements to specify requests which should ALWAYS be forwarded directly to origin servers. This is mostly used while using cache_peer. See also never_direct.

Default always_direct is by default deny.

Example
For example, to always directly forward requests for local servers use something like:
acl local-servers dstdomain .my.domain.net
always_direct allow local-servers

To always forward FTP requests directly, use
acl FTP proto FTP
always_direct allow FTP

Example for denying specific domain
acl local-external dstdomain .external.foo.net
acl local-servers dstdomain .foo.net
always_direct deny local-external
always_direct allow local-servers

Caution
There is a similar, but opposite option named 'never_direct'. You need to be aware that "always_direct deny foo" is NOT the same thing as "never_direct allow foo". You may need to use a deny rule to exclude a more-specific case of some other rule.

 

Tag Name never_direct
Usage never_direct allow|deny [!]aclname ...

Description
never_direct is the opposite of always_direct. Please read the description for always_direct if you have not already.

With 'never_direct' you can use ACL elements to specify requests, which should NEVER be forwarded directly to origin servers

When always_direct and never_direct are deny (By default), Squid selects based on the request type and a number of other factors if a parent should be used or not, and if a parent could not be reached it will always fallback on direct.

If always_direct is allow then Squid will always go direct to the source without considering any peers.

If never_direct is allow then Squid will never attempt to go direct to the source. Instead it tries very hard to find a parent to send the request to. If no parent can be found then an error is returned.

Default never_direct is by default deny.

Example
For example, to force the use of a proxy for all requests, except those in your local domain use something like:

acl local-servers dstdomain foo.net
acl all src 0.0.0.0/0.0.0.0
never_direct deny local-servers
never_direct allow all

or if squid is inside a firewall and there are local intranet servers inside the firewall then use something like:

acl local-intranet dstdomain .foo.net
acl local-external dstdomain .external.foo.net
always_direct deny local-external
always_direct allow local-intranet
never_direct allow all

Caution
It will be better to understand always_direct before enabling this tag

 

Tag Name anonymize_headers
Usage anonymize_headers allow|deny header_name ...

Description
This option replaces the old 'http_anonymizer' option with something that is much more configurable. You may now specify exactly which headers are to be allowed, or which are to be removed from outgoing requests.

There are two methods of using this option. You may either allow specific headers (thus denying all others), or you may deny specific headers (thus allowing all others).

For example, to achieve the same behavior as the old 'http_anonymizer standard' option, you should use:

anonymize_headers deny From Referer Server
anonymize_headers deny User-Agent WWW-Authenticate Link

Or, to reproduce the old 'http_anonymizer paranoid' feature you should use:

anonymize_headers allow Allow Authorization Cache-Control
anonymize_headers allow Content-Encoding Content-Length
anonymize_headers allow Content-Type Date Expires Host
anonymize_headers allow If-Modified-Since Last-Modified
anonymize_headers allow Location Pragma Accept
anonymize_headers allow Accept-Encoding Accept-Language
anonymize_headers allow Content-Language Mime-Version
anonymize_headers allow Retry-After Title Connection
anonymize_headers allow Proxy-Connection

Default By default, all headers are allowed (no anonymizing is performed).

Example
anonymize_headers deny Proxy-Connection

Caution
You cannot mix "allow" and "deny". All 'anonymize_headers' lines must have the same second argument.

 

Tag Name fake_user_agent
Usage fake_user_agent String

Description
If you filter the User-Agent header with 'anonymize_headers' it may cause some Web servers to refuse your request. Use this to fake one up.

Default none

Example
fake_user_agent Nutscrape/1.0 (CP/M; 8-bit)
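
The allow and deny modes of anonymize_headers, and the effect of fake_user_agent, can be compared on a sample request. The following Python sketch is an added example, not part of the original manual or of Squid; it models the behaviour described above using the two configurations shown on this page. The request headers are constructed, the function names are hypothetical, and it assumes the fake User-Agent is added only when no User-Agent header survives filtering.

```python
# Added illustration of the anonymize_headers allow/deny behaviour; not Squid code.


def parse_anonymize(conf_text):
    """Return (mode, {lowercased header names}); mode is None if unconfigured."""
    mode, names = None, set()
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2 or fields[0] != "anonymize_headers":
            continue
        if fields[1] not in ("allow", "deny"):
            raise ValueError("expected allow or deny: %r" % raw)
        if mode is not None and fields[1] != mode:
            # The Caution above: every line must use the same second argument.
            raise ValueError("cannot mix allow and deny lines")
        mode = fields[1]
        names.update(h.lower() for h in fields[2:])
    return mode, names


def filter_request(headers, conf_text, fake_user_agent=None):
    """Return the (name, value) pairs that would leave the proxy."""
    mode, names = parse_anonymize(conf_text)
    if mode == "allow":
        kept = [(n, v) for n, v in headers if n.lower() in names]
    elif mode == "deny":
        kept = [(n, v) for n, v in headers if n.lower() not in names]
    else:
        kept = list(headers)  # default: no anonymizing
    # Assumption: the fake value is added only when no User-Agent survives.
    if fake_user_agent and not any(n.lower() == "user-agent" for n, _ in kept):
        kept.append(("User-Agent", fake_user_agent))
    return kept


# The two configurations shown on this page.
STANDARD = """\
anonymize_headers deny From Referer Server
anonymize_headers deny User-Agent WWW-Authenticate Link
"""
PARANOID = """\
anonymize_headers allow Allow Authorization Cache-Control
anonymize_headers allow Content-Encoding Content-Length
anonymize_headers allow Content-Type Date Expires Host
anonymize_headers allow If-Modified-Since Last-Modified
anonymize_headers allow Location Pragma Accept
anonymize_headers allow Accept-Encoding Accept-Language
anonymize_headers allow Content-Language Mime-Version
anonymize_headers allow Retry-After Title Connection
anonymize_headers allow Proxy-Connection
"""
# Constructed request; X-Internal-Host stands in for any nonstandard header.
REQUEST = [("Host", "www.example.com"), ("User-Agent", "ExampleBrowser/1.0"),
           ("Referer", "http://intranet.example/wiki"), ("Accept", "text/html"),
           ("X-Internal-Host", "ws-042")]


def names_sent(conf_text, fake_user_agent=None):
    return [n for n, _ in filter_request(REQUEST, conf_text, fake_user_agent)]


if __name__ == "__main__":
    print(names_sent(STANDARD), names_sent(PARANOID))
```

The deny form lets the nonstandard X-Internal-Host header through, while the allow form drops it along with everything else not listed.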

 

Tag Name icon_directory
Usage icon_directory directorypath/directoryname

Description
This tag is to specify the location where the icons are stored

Default These are normally kept in /usr/local/squid/etc/icons

Example
icon_directory /etc/icons

 

Tag Name error_directory
Usage error_directory directorypath/directoryname

Description
If you wish to create your own versions of the default (English) error files, either to customize them to suit your language or company, copy the template English files to another directory and point this tag at them

Default These are normally kept in /usr/local/squid/etc/errors

Example
error_directory /etc/errors

 

Tag Name minimum_retry_timeout
Usage minimum_retry_timeout (seconds)

Description
This specifies the minimum connect timeout, when the connect timeout is reduced to compensate for the availability of multiple IP addresses. When a connection to a host is initiated, and that host has several IP addresses, the default connection timeout is reduced by dividing it by the number of addresses. So, a site with 15 addresses would then have a timeout of 8 seconds for each address attempted. To avoid having the timeout reduced to the point where even a working host would not have a chance to respond, this setting is provided.

Default

The default, and the minimum value, is five seconds, and the maximum value is sixty seconds, or half of connect_timeout, which ever is greater and less than connect_timeout.

minimum_retry_timeout 5 seconds

 

Tag Name maximum_single_addr_tries
Usage maximum_single_addr_tries NUMBER

Description
This sets the maximum number of connection attempts for a host that only has one address (for multiple-address hosts, each address is tried once)

Default

The default value is three tries, the (not recommended) maximum is 255 tries.

maximum_single_addr_tries 3

Caution
A warning message will be generated if it is set to a value greater than ten

 

Tag Name snmp_port
Usage snmp_port port

Description
Squid can now serve statistics and status information via SNMP. If you don't wish to use SNMP, set this to "0".

The snmpd daemon is a server that supports both the Simple Network Management Protocol v2 and v1. It receives and responds to SNMP messages sent to the SNMP port on the local machine. snmpd.conf is the configuration file which defines how the ucd-snmp SNMP agent operates.

Default By default it listens to port 3401 on the machine. snmp_port 3401

Caution
SNMP support requires use of the --enable-snmp configure command line option

 

Tag Name snmp_access
Usage snmp_access allow|deny [!]aclname ...

Description
Allowing or denying access to the SNMP port. This option is only available if Squid is rebuilt with the --enable-snmp option

Default All access to the agent is denied by default.

Example
snmp_access allow snmppublic localhost
snmp_access deny all

 

Tag Name

snmp_incoming_address
snmp_outgoing_address

Usage

snmp_incoming_address IPAddress
snmp_outgoing_address IPAddress

Description
Just like 'udp_incoming_address' above, but for the SNMP port. This option is only available if Squid is rebuilt with the --enable-snmp option.

snmp_incoming_address is used for the SNMP socket receiving messages from SNMP agents. snmp_outgoing_address is used for SNMP packets returned to SNMP agents.

Default

The default behavior is to not bind to any specific address.
snmp_incoming_address 0.0.0.0
snmp_outgoing_address 255.255.255.255

Example
snmp_incoming_address 172.16.1.115
snmp_outgoing_address 172.16.1.114

Caution
snmp_incoming_address and snmp_outgoing_address cannot have the same value since they both use port 3130.

 

Tag Name as_whois_server
Usage as_whois_server Server-Name

Description
WHOIS server to query for AS numbers. NOTE: AS numbers are queried only when Squid starts up, not for every request.

Default as_whois_server whois.ra.net

 

Tag Name wccp_router
Usage wccp_router Router-IPAddress

Description
This option is used to define the WCCP "home" router for Squid. Setting the 'wccp_router' to 0.0.0.0 (the default) disables WCCP.

Default wccp_router 0.0.0.0

 

Tag Name wccp_version
Usage wccp_version Version

Description
According to some users, Cisco IOS 11.2 only supports WCCP version 3. If you're using that version of IOS, change this value to 3.

Default wccp_version 4

 

Tag Name wccp_incoming_address
Usage wccp_incoming_address IPAddress

Description
Use this option if you require WCCP messages to be received on only one interface. Do NOT use this option if you're unsure how many interfaces you have, or if you know you have only one interface

Default

The default behavior is to not bind to any specific address
wccp_incoming_address 0.0.0.0

Caution
wccp_incoming_address and wccp_outgoing_address cannot have the same value since they both use port 2048.

 

Tag Name wccp_outgoing_address
Usage wccp_outgoing_address IPAddress

Description
Use this option if you require WCCP messages to be sent out on only one interface. Do NOT use this option if you're unsure how many interfaces you have, or if you know you have only one interface

Default wccp_outgoing_address 255.255.255.255
(The default behavior is to not bind to any specific address)

Caution
wccp_incoming_address and wccp_outgoing_address cannot have the same value since they both use port 2048.

 

Note: The pages on this website cannot be duplicated on to another site. Copying and usage of the contents for personal and corporate purposes is acceptable. In near future, it will be released under the GNU Free Documentation License.
 
 
Revision No:0.0  
Last Modified By: ViSolve Date: July 30 2006