2106 lines
73 KiB
Python
2106 lines
73 KiB
Python
# -*- coding: utf-8; mode: python -*-
|
||
|
||
import sre
|
||
|
||
include("ip")
|
||
|
||
@# $Id: squid.conf,v 1.33 2007-11-29 17:56:26 vallantin-dulac Exp $
|
||
@#
|
||
@# WELCOME TO SQUID 2
|
||
@# ------------------
|
||
@#
|
||
@# This is the default Squid configuration file. You may wish
|
||
@# to look at http://cache.is.co.za/squid/ for documentation,
|
||
@# or the Squid home page (http://squid.nlanr.net/) for the FAQ.
|
||
@#
|
||
@# The default Squid config file shows what the defaults for
|
||
@# various options happen to be. If you don't need to change the
|
||
@# default, you shouldn't uncomment the line. Doing so may cause
|
||
@# run-time problems. In some cases "none" refers to no default
|
||
@# setting at all, whilst in other cases it refers to a valid
|
||
@# option - the comments for that keyword indicate if this is the
|
||
@# case.
|
||
@#
|
||
@
|
||
@
|
||
@# NETWORK OPTIONS
|
||
@# -----------------------------------------------------------------------------
|
||
@
|
||
@# TAG: http_port
|
||
@# The port number where Squid will listen for HTTP client
|
||
@# requests. Default is 3128, for httpd-accel mode use port 80.
|
||
@# May be overridden with -a on the command line.
|
||
@#
|
||
@# You may specify multiple ports here, but they MUST all be on
|
||
@# a single line.
|
||
@#
|
||
@http_port 3128 transparent
|
||
@http_port 8118
|
||
@
|
||
@# TAG: icp_port
|
||
@# The port number where Squid sends and receives ICP requests to
|
||
@# and from neighbor caches. Default is 3130. To disable use
|
||
@# "0". May be overridden with -u on the command line.
|
||
@#
|
||
@#icp_port 3130
|
||
@
|
||
@# TAG: htcp_port
|
||
@# The port number where Squid sends and receives ICP requests to
|
||
@# and from neighbor caches. Default is 4827. To disable use
|
||
@# "0".
|
||
@#
|
||
@# To enable this option, you must use --enable-htcp with the
|
||
@# configure script.
|
||
@#htcp_port 0
|
||
@
|
||
@# TAG: mcast_groups
|
||
@# This tag specifies a list of multicast groups which your server
|
||
@# should join to receive multicasted ICP requests.
|
||
@#
|
||
@# NOTE! Be very careful what you put here! Be sure you
|
||
@# understand the difference between an ICP _query_ and an ICP
|
||
@# _reply_. This option is to be set only if you want to RECEIVE
|
||
@# multicast queries. Do NOT set this option to SEND multicast
|
||
@# ICP (use cache_peer for that). ICP replies are always sent via
|
||
@# unicast, so this option does not affect whether or not you will
|
||
@# receive replies from multicast group members.
|
||
@#
|
||
@# You must be very careful to NOT use a multicast address which
|
||
@# is already in use by another group of caches. NLANR has been
|
||
@# assigned a block of multicast address space for use in Web
|
||
@# Caching. Plese write to us at nlanr-cache@nlanr.net to receive
|
||
@# an address for your own use.
|
||
@#
|
||
@# If you are unsure about multicast, please read the Multicast
|
||
@# chapter in the Squid FAQ (http://squid.nlanr.net/Squid/FAQ/).
|
||
@#
|
||
@# Usage: mcast_groups 239.128.16.128 224.0.1.20
|
||
@#
|
||
@# By default, Squid doesn't listen on any multicast groups.
|
||
@#
|
||
@#mcast_groups 239.128.16.128
|
||
@
|
||
@# TAG: tcp_incoming_address
|
||
@# TAG: tcp_outgoing_address
|
||
@# TAG: udp_incoming_address
|
||
@# TAG: udp_outgoing_address
|
||
@# Usage: tcp_incoming_address 10.20.30.40
|
||
@# udp_outgoing_address fully.qualified.domain.name
|
||
@#
|
||
@# tcp_incoming_address is used for the HTTP socket which accepts
|
||
@# connections from clients and other caches.
|
||
@# tcp_outgoing_address is used for connections made to remote
|
||
@# servers and other caches.
|
||
@# udp_incoming_address is used for the ICP socket receiving packets
|
||
@# from other caches.
|
||
@# udp_outgoing_address is used for ICP packets sent out to other
|
||
@# caches.
|
||
@#
|
||
@# The default behaviour is to not bind to any specific address.
|
||
@#
|
||
@# NOTE, udp_incoming_address and udp_outgoing_address can not
|
||
@# have the same value (unless it is 0.0.0.0) since they both use
|
||
@# port 3130.
|
||
@#
|
||
@#tcp_incoming_address 0.0.0.0 #on commente la ligne pour passage <20> squid 2.3.4
|
||
@#cette valeur n'est plus reconnue
|
||
@#tcp_outgoing_address 138.231.136.10
|
||
@#udp_incoming_address 0.0.0.0
|
||
@#udp_outgoing_address 138.231.136.10
|
||
@
|
||
@# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
|
||
@# -----------------------------------------------------------------------------
|
||
@
|
||
@# TAG: cache_peer
|
||
@# To specify other caches in a hierarchy, use the format:
|
||
@#
|
||
@# hostname type http_port icp_port
|
||
@#
|
||
@# For example,
|
||
@#
|
||
@# # proxy icp
|
||
@# # hostname type port port options
|
||
@# # -------------------- -------- ----- ----- -----------
|
||
@# cache_peer parent.foo.net parent 3128 3130 [proxy-only]
|
||
@# cache_peer sib1.foo.net sibling 3128 3130 [proxy-only]
|
||
@# cache_peer sib2.foo.net sibling 3128 3130 [proxy-only]
|
||
@#
|
||
@# type: either 'parent', 'sibling', or 'multicast'.
|
||
@#
|
||
@# proxy_port: The port number where the cache listens for proxy
|
||
@# requests.
|
||
@#
|
||
@# icp_port: Used for querying neighbor caches about
|
||
@# objects. To have a non-ICP neighbor
|
||
@# specify '7' for the ICP port and make sure the
|
||
@# neighbor machine has the UDP echo port
|
||
@# enabled in its /etc/inetd.conf file.
|
||
@#
|
||
@# options: proxy-only
|
||
@# weight=n
|
||
@# ttl=n
|
||
@# no-query
|
||
@# default
|
||
@# round-robin
|
||
@# multicast-responder
|
||
@# closest-only
|
||
@# no-digest
|
||
@# no-netdb-exchange
|
||
@# no-delay
|
||
@# login=user:password
|
||
@#
|
||
@# use 'proxy-only' to specify that objects fetched
|
||
@# from this cache should not be saved locally.
|
||
@#
|
||
@# use 'weight=n' to specify a weighted parent.
|
||
@# The weight must be an integer. The default weight
|
||
@# is 1, larger weights are favored more.
|
||
@#
|
||
@# use 'ttl=n' to specify a IP multicast TTL to use
|
||
@# when sending an ICP request to this address.
|
||
@# Only useful when sending to a multicast group.
|
||
@# Because we don't accept ICP replies from random
|
||
@# hosts, you must configure other group members as
|
||
@# peers with the 'multicast-responder' option below.
|
||
@#
|
||
@# use 'no-query' to NOT send ICP queries to this
|
||
@# neighbor.
|
||
@#
|
||
@# use 'default' if this is a parent cache which can
|
||
@# be used as a "last-resort." You should probably
|
||
@# only use 'default' in situations where you cannot
|
||
@# use ICP with your parent cache(s).
|
||
@#
|
||
@# use 'round-robin' to define a set of parents which
|
||
@# should be used in a round-robin fashion in the
|
||
@# absence of any ICP queries.
|
||
@#
|
||
@# 'multicast-responder' indicates that the named peer
|
||
@# is a member of a multicast group. ICP queries will
|
||
@# not be sent directly to the peer, but ICP replies
|
||
@# will be accepted from it.
|
||
@#
|
||
@# 'closest-only' indicates that, for ICP_OP_MISS
|
||
@# replies, we'll only forward CLOSEST_PARENT_MISSes
|
||
@# and never FIRST_PARENT_MISSes.
|
||
@#
|
||
@# use 'no-digest' to NOT request cache digests from
|
||
@# this neighbor.
|
||
@#
|
||
@# 'no-netdb-exchange' disables requesting ICMP
|
||
@# RTT database (NetDB) from the neighbor.
|
||
@#
|
||
@# use 'no-delay' to prevent access to this neighbor
|
||
@# from influencing the delay pools.
|
||
@#
|
||
@# use 'login=user:password' if this is a personal/workgroup
|
||
@# proxy and your parent requires proxy authentication.
|
||
@#
|
||
@# NOTE: non-ICP neighbors must be specified as 'parent'.
|
||
@#
|
||
@#cache_peer hostname type 3128 3130
|
||
@
|
||
@# TAG: cache_peer_domain
|
||
@# Use to limit the domains for which a neighbor cache will be
|
||
@# queried. Usage:
|
||
@#
|
||
@# cache_peer_domain cache-host domain [domain ...]
|
||
@# cache_peer_domain cache-host !domain
|
||
@#
|
||
@# For example, specifying
|
||
@#
|
||
@# cache_peer_domain parent.foo.net .edu
|
||
@#
|
||
@# has the effect such that UDP query packets are sent to
|
||
@# 'bigserver' only when the requested object exists on a
|
||
@# server in the .edu domain. Prefixing the domainname
|
||
@# with '!' means that the cache will be queried for objects
|
||
@# NOT in that domain.
|
||
@#
|
||
@# NOTE: * Any number of domains may be given for a cache-host,
|
||
@# either on the same or separate lines.
|
||
@# * When multiple domains are given for a particular
|
||
@# cache-host, the first matched domain is applied.
|
||
@# * Cache hosts with no domain restrictions are queried
|
||
@# for all requests.
|
||
@# * There are no defaults.
|
||
@# * There is also a 'cache_peer_access' tag in the ACL
|
||
@# section.
|
||
@
|
||
@# TAG: neighbor_type_domain
|
||
@# usage: neighbor_type_domain parent|sibling domain domain ...
|
||
@#
|
||
@# Modifying the neighbor type for specific domains is now
|
||
@# possible. You can treat some domains differently than the the
|
||
@# default neighbor type specified on the 'cache_peer' line.
|
||
@# Normally it should only be necessary to list domains which
|
||
@# should be treated differently because the default neighbor type
|
||
@# applies for hostnames which do not match domains listed here.
|
||
@#
|
||
@#EXAMPLE:
|
||
@# cache_peer parent cache.foo.org 3128 3130
|
||
@# neighbor_type_domain cache.foo.org sibling .com .net
|
||
@# neighbor_type_domain cache.foo.org sibling .au .de
|
||
@
|
||
@# TAG: icp_query_timeout (msec)
|
||
@# Normally Squid will automatically determine an optimal ICP
|
||
@# query timeout value based on the round-trip-time of recent ICP
|
||
@# queries. If you want to override the value determined by
|
||
@# Squid, set this 'icp_query_timeout' to a non-zero value. This
|
||
@# value is specified in MILLISECONDS, so, to use a 2-second
|
||
@# timeout (the old default), you would write:
|
||
@#
|
||
@# icp_query_timeout 2000
|
||
@#
|
||
@#icp_query_timeout 0
|
||
@
|
||
@# TAG: mcast_icp_query_timeout (msec)
|
||
@# For Multicast peers, Squid regularly sends out ICP "probes" to
|
||
@# count how many other peers are listening on the given multicast
|
||
@# address. This value specifies how long Squid should wait to
|
||
@# count all the replies. The default is 2000 msec, or 2
|
||
@# seconds.
|
||
@#
|
||
@#mcast_icp_query_timeout 2000
|
||
@
|
||
@# TAG: dead_peer_timeout (seconds)
|
||
@# This controls how long Squid waits to declare a peer cache
|
||
@# as "dead." If there are no ICP replies received in this
|
||
@# amount of time, Squid will declare the peer dead and not
|
||
@# expect to receive any further ICP replies. However, it
|
||
@# continues to send ICP queries, and will mark the peer as
|
||
@# alive upon receipt of the first subsequent ICP reply.
|
||
@#
|
||
@# This timeout also affects when Squid expects to receive ICP
|
||
@# replies from peers. If more than 'dead_peer' seconds have
|
||
@# passed since the last ICP reply was received, Squid will not
|
||
@# expect to receive an ICP reply on the next query. Thus, if
|
||
@# your time between requests is greater than this timeout, you
|
||
@# will see a lot of requests sent DIRECT to origin servers
|
||
@# instead of to your parents.
|
||
@#
|
||
@#dead_peer_timeout 10 seconds
|
||
@
|
||
@# TAG: hierarchy_stoplist
|
||
@# A list of words which, if found in a URL, cause the object to
|
||
@# be handled directly by this cache. In other words, use this
|
||
@# to not query neighbor caches for certain objects. You may
|
||
@# list this option multiple times.
|
||
@#
|
||
@# The default is to directly fetch URLs containing 'cgi-bin' or '?'.
|
||
@#
|
||
@#hierarchy_stoplist cgi-bin ?
|
||
@
|
||
@# TAG: no_cache
|
||
@# A list of ACL elements which, if matched, cause the reply to
|
||
@# immediately removed from the cache. In other words, use this
|
||
@# to force certain objects to never be cached.
|
||
@#
|
||
@# You must use the word 'DENY' to indicate the ACL names which should
|
||
@# NOT be cached.
|
||
@#
|
||
@# There is no default. We recommend you uncomment the following
|
||
@# two lines.
|
||
@#
|
||
@acl QUERY urlpath_regex cgi-bin \?
|
||
@no_cache deny QUERY
|
||
@
|
||
@acl local dst 138.231.136.0/255.255.248.0
|
||
@no_cache deny local
|
||
@
|
||
@acl local dst 10.231.136.0/255.255.248.0
|
||
@no_cache deny local
|
||
@
|
||
@# OPTIONS WHICH AFFECT THE CACHE SIZE
|
||
@# -----------------------------------------------------------------------------
|
||
@
|
||
@# TAG: cache_mem (bytes)
|
||
@# NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS
|
||
@# SIZE. IT PLACES A LIMIT ON ONE ASPECT OF SQUID'S MEMORY
|
||
@# USAGE. SQUID USES MEMORY FOR OTHER THINGS AS WELL.
|
||
@# YOUR PROCESS WILL PROBABLY BECOME TWICE OR THREE TIMES
|
||
@# BIGGER THAN THE VALUE YOU PUT HERE
|
||
@#
|
||
@# 'cache_mem' specifies the ideal amount of memory to be used
|
||
@# for:
|
||
@# * In-Transit objects
|
||
@# * Hot Objects
|
||
@# * Negative-Cached objects
|
||
@#
|
||
@# Data for these objects are stored in 4 KB blocks. This
|
||
@# parameter specifies the ideal upper limit on the total size of
|
||
@# 4 KB blocks allocated. In-Transit objects take the highest
|
||
@# priority.
|
||
@#
|
||
@# In-transit objects have priority over the others. When
|
||
@# additional space is needed for incoming data, negative-cached
|
||
@# and hot objects will be released. In other words, the
|
||
@# negative-cached and hot objects will fill up any unused space
|
||
@# not needed for in-transit objects.
|
||
@#
|
||
@# If circumstances require, this limit will be exceeded.
|
||
@# Specifically, if your incoming request rate requires more than
|
||
@# 'cache_mem' of memory to hold in-transit objects, Squid will
|
||
@# exceed this limit to satisfy the new requests. When the load
|
||
@# decreases, blocks will be freed until the high-water mark is
|
||
@# reached. Thereafter, blocks will be used to store hot
|
||
@# objects.
|
||
@#
|
||
@# The values of cache_mem_low and cache_mem_high (below) can be
|
||
@# used to tune the use of the memory pool. When the high mark is
|
||
@# reached, in-transit and hot objects will be released to clear
|
||
@# space. When an object transfer is completed, it will remain in
|
||
@# memory only if the current memory usage is below the low water
|
||
@# mark.
|
||
@#
|
||
@# The default is 8 Megabytes.
|
||
@#
|
||
@# cache_mem 120 MB
|
||
@# Sila fait trop d'IO, il faut lui laisser cacher les IO -- Vince
|
||
@# Rajout de 256Mo de RAM donc on remonte un peu le cache_mem. -- Nico
|
||
@cache_mem 600 MB
|
||
@
|
||
@# TAG: cache_swap_low (percent, 0-100)
|
||
@# TAG: cache_swap_high (percent, 0-100)
|
||
@# The low- and high-water marks for cache LRU replacement. LRU
|
||
@# replacement begins when the high-water mark is reached and ends
|
||
@# when enough objects have been removed and the low-water mark is
|
||
@# reached. Defaults are 90% and 95%. If you have a large cache, 5%
|
||
@# could be hundreds of MB. If this is the case you may wish to
|
||
@# set these numbers closer together.
|
||
@#
|
||
@#cache_swap_low 90
|
||
@#cache_swap_high 95
|
||
@
|
||
@# TAG: maximum_object_size (bytes)
|
||
@# Objects larger than this size will NOT be saved on disk. The
|
||
@# value is specified in kilobytes, and the default is 4MB. If
|
||
@# you wish to get a high BYTES hit ratio, you should probably
|
||
@# increase this (one 32 MB object hit counts for 3200 10KB
|
||
@# hits). If you wish to increase speed more than your want to
|
||
@# save bandwidth you should leave this low.
|
||
@#
|
||
@maximum_object_size 750 MB
|
||
@
|
||
@# TAG: ipcache_size (number of entries)
|
||
@# TAG: ipcache_low (percent)
|
||
@# TAG: ipcache_high (percent)
|
||
@# The size, low-, and high-water marks for the IP cache.
|
||
@#
|
||
@ipcache_size 2048
|
||
@#ipcache_low 90
|
||
@#ipcache_high 95
|
||
@
|
||
@# TAG: fqdncache_size (number of entries)
|
||
@# Maximum number of FQDN cache entries.
|
||
@fqdncache_size 2048
|
||
@
|
||
@
|
||
@# LOGFILE PATHNAMES AND CACHE DIRECTORIES
|
||
@# -----------------------------------------------------------------------------
|
||
@
|
||
@# TAG: cache_dir
|
||
@# Usage:
|
||
@#
|
||
@# cache_dir Directory-Name Mbytes Level-1 Level2
|
||
@#
|
||
@# You can specify multiple cache_dir lines to spread the
|
||
@# cache among different disk partitions.
|
||
@#
|
||
@# 'Directory' is a top-level directory where cache swap
|
||
@# files will be stored. If you want to use an entire disk
|
||
@# for caching, then this can be the mount-point directory.
|
||
@# The directory must exist and be writable by the Squid
|
||
@# process. Squid will NOT create this directory for you.
|
||
@#
|
||
@# If no 'cache_dir' lines are specified, the following
|
||
@# default will be used: /var/spool/squid.
|
||
@#
|
||
@# 'Mbytes' is the amount of disk space (MB) to use under this
|
||
@# directory. The default is 100 MB. Change this to suit your
|
||
@# configuration.
|
||
@#
|
||
@# 'Level-1' is the number of first-level subdirectories which
|
||
@# will be created under the 'Directory'. The default is 16.
|
||
@#
|
||
@# 'Level-2' is the number of second-level subdirectories which
|
||
@# will be created under each first-level directory. The default
|
||
@# is 256.
|
||
@#
|
||
@# RQUE: 'ufs' est n<>cessaire depuis peu. Limite: pr<70>voir un peu d'overhead,
|
||
@# et <20>viter d'utiliser un disque trop rempli.
|
||
@# la FAQ conseille 80% de la taille de la partition.
|
||
@cache_dir aufs /var/spool/squid1 16000 64 256
|
||
@cache_dir aufs /var/spool/squid2 16000 64 256
|
||
@
|
||
@# TAG: cache_access_log
|
||
@# Logs the client request activity. Contains an entry for
|
||
@# every HTTP and ICP request received.
|
||
@#
|
||
@cache_access_log /var/log/squid/access.log
|
||
@
|
||
@# TAG: cache_log
|
||
@# Cache logging file. This is where general information about
|
||
@# your cache's behaviour goes. You can increase the amount of data
|
||
@# logged to this file with the "debug_options" tag below.
|
||
@#
|
||
@#cache_log /var/log/squid/cache.log
|
||
@
|
||
@# TAG: cache_store_log
|
||
@# Logs the activities of the storage manager. Shows which
|
||
@# objects are ejected from the cache, and which objects are
|
||
@# saved and for how long. To disable, enter "none". There are
|
||
@# not really utilities to analyse this data, so you can safely
|
||
@# disable it.
|
||
@#
|
||
@#cache_store_log /var/log/squid/store.log
|
||
@
|
||
@# TAG: cache_swap_log
|
||
@# Location for the cache "swap.log." This log file holds the
|
||
@# metadata of objects saved on disk. It is used to rebuild the
|
||
@# cache during startup. Normally this file resides in the first
|
||
@# 'cache_dir' directory, but you may specify an alternate
|
||
@# pathname here. Note you must give a full filename, not just
|
||
@# a directory. Since this is the index for the whole object
|
||
@# list you CANNOT periodically rotate it!
|
||
@#
|
||
@# If you have more than one 'cache_dir', these swap logs will
|
||
@# have names such as:
|
||
@#
|
||
@# cache_swap_log.00
|
||
@# cache_swap_log.01
|
||
@# cache_swap_log.02
|
||
@#
|
||
@# The numbered extension (which is added automatically)
|
||
@# corresponds to the order of the 'cache_dir' lines in this
|
||
@# configuration file. If you change the order of the 'cache_dir'
|
||
@# lines in this file, then these log files will NOT correspond to
|
||
@# the correct 'cache_dir' entry (unless you manually rename
|
||
@# them). We recommend that you do NOT use this option. It is
|
||
@# better to keep these log files in each 'cache_dir' directory.
|
||
@#
|
||
@#cache_swap_log
|
||
@
|
||
@# TAG: emulate_httpd_log on|off
|
||
@# The Cache can emulate the log file format which many 'httpd'
|
||
@# programs use. To disable/enable this emulation, set
|
||
@# emulate_httpd_log to 'off' or 'on'. The default
|
||
@# is to use the native log format since it includes useful
|
||
@# information that Squid-specific log analysers use.
|
||
@#
|
||
@#emulate_httpd_log off
|
||
@
|
||
@# TAG: mime_table
|
||
@# Pathname to Squid's MIME table. You shouldn't need to change
|
||
@# this, but the default file contains examples and formatting
|
||
@# information if you do.
|
||
@#
|
||
@#mime_table /usr/lib/squid/mime.conf
|
||
@
|
||
@# TAG: log_mime_hdrs on|off
|
||
@# The Cache can record both the request and the response MIME
|
||
@# headers for each HTTP transaction. The headers are encoded
|
||
@# safely and will appear as two bracketed fields at the end of
|
||
@# the access log (for either the native or httpd-emulated log
|
||
@# formats). To enable this logging set log_mime_hdrs to 'on'.
|
||
@#
|
||
@#log_mime_hdrs off
|
||
@
|
||
@# TAG: useragent_log
|
||
@# If configured with the "--enable-useragent_log" configure
|
||
@# option, Squid will write the User-Agent field from HTTP
|
||
@# requests to the filename specified here. By default
|
||
@# useragent_log is disabled.
|
||
@#
|
||
@#useragent_log none
|
||
@
|
||
@# TAG: pid_filename
|
||
@# A filename to write the process-id to. To disable, enter "none".
|
||
@#
|
||
@#pid_filename /var/run/squid.pid
|
||
@
|
||
@# TAG: debug_options
|
||
@# Logging options are set as section,level where each source file
|
||
@# is assigned a unique section. Lower levels result in less
|
||
@# output, Full debugging (level 9) can result in a very large
|
||
@# log file, so be careful. The magic word "ALL" sets debugging
|
||
@# levels for all sections. We recommend normally running with
|
||
@# "ALL,1".
|
||
@#
|
||
@#debug_options ALL,1
|
||
@
|
||
@# TAG: log_fqdn on|off
|
||
@# Turn this on if you wish to log fully qualified domain names
|
||
@# in the access.log. To do this Squid does a DNS lookup of all
|
||
@# IP's connecting to it. This can (in some situations) increase
|
||
@# latency, which makes your cache seem slower for interactive
|
||
@# browsing.
|
||
@#
|
||
@#log_fqdn off
|
||
@
|
||
@# TAG: client_netmask
|
||
@# A netmask for client addresses in logfiles and cachemgr output.
|
||
@# Change this to protect the privacy of your cache clients.
|
||
@# A netmask of 255.255.255.0 will log all IP's in that range with
|
||
@# the last digit set to '0'.
|
||
@#
|
||
@#client_netmask 255.255.255.255
|
||
@
|
||
@
|
||
@# OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
|
||
@# -----------------------------------------------------------------------------
|
||
@
|
||
@# TAG: ftp_user
|
||
@# If you want the anonymous login password to be more informative
|
||
@# (and enable the use of picky ftp servers), set this to something
|
||
@# resonable for your domain, like wwwuser@somewhere.net
|
||
@#
|
||
@# The reason why this is domainless by default is that the
|
||
@# request can be made on the behalf of a user in any domain,
|
||
@# depending on how the cache is used.
|
||
@# Some ftp server also validate that the email address is valid
|
||
@# (for example perl.com).
|
||
@#
|
||
@#ftp_user Squid@
|
||
@
|
||
@# TAG: ftp_list_width
|
||
@# Sets the width of ftp listings. This should be set to fit in
|
||
@# the width of a standard browser. Setting this too small
|
||
@# can cut off long filenames when browsing ftp sites.
|
||
@#
|
||
@ftp_list_width 60
|
||
@
|
||
@# TAG: cache_dns_program
|
||
@# Specify the location of the executable for dnslookup process.
|
||
@#
|
||
@#cache_dns_program /usr/lib/squid/dnsserver
|
||
@
|
||
@# TAG: dns_children
|
||
@# The number of processes spawn to service DNS name lookups.
|
||
@# For heavily loaded caches on large servers, you should
|
||
@# probably increase this value to at least 10. The maximum
|
||
@# is 32. The default is 5.
|
||
@#
|
||
@# To disable dnsservers, set this to 0. NOTE, this is very
|
||
@# strongly discouraged. If you disable dnsservers your Squid
|
||
@# process will BLOCK on DNS lookups!
|
||
@#
|
||
@#NOT IN 2.3#dns_children 10
|
||
@
|
||
@# TAG: dns_defnames on|off
|
||
@# Normally the 'dnsserver' disables the RES_DEFNAMES resolver
|
||
@# option (see res_init(3)). This prevents caches in a hierarchy
|
||
@# from interpreting single-component hostnames locally. To allow
|
||
@# dnsserver to handle single-component names, enable this
|
||
@# option.
|
||
@#
|
||
@#NOT IN 2.3#dns_defnames on
|
||
@
|
||
@# TAG: dns_nameservers
|
||
@# Use this if you want to specify a list of DNS name servers
|
||
@# (IP addresses) to use instead of those given in your
|
||
@# /etc/resolv.conf file.
|
||
@#
|
||
@# Example: dns_nameservers 10.0.0.1 192.172.0.4
|
||
@#
|
||
@#dns_nameservers none
|
||
@
|
||
@# TAG: unlinkd_program
|
||
@# Specify the location of the executable for file deletion process.
|
||
@# This isn't needed if you are using async-io since it's handled by
|
||
@# a thread.
|
||
@#
|
||
@#unlinkd_program /usr/lib/squid/unlinkd
|
||
@
|
||
@# TAG: pinger_program
|
||
@# Specify the location of the executable for the pinger process.
|
||
@# This is only useful if you configured Squid (during compliation)
|
||
@# with the '--enable-icmp' option.
|
||
@#
|
||
@#pinger_program /usr/lib/squid/pinger
|
||
@
|
||
@# TAG: redirect_program
|
||
@# Specify the location of the executable for the URL redirector.
|
||
@# Since they can perform almost any function there isn't one included.
|
||
@# See the Release-Notes for information on how to write one.
|
||
@# By default, a redirector is not used.
|
||
@#
|
||
@#redirect_program none
|
||
@#redirect_program /usr/lib/squid/jesred
|
||
@
|
||
@# TAG: redirect_children
|
||
@# The number of redirector processes to spawn. If you start
|
||
@# too few Squid will have to wait for them to process a backlog of
|
||
@# URLs, slowing it down. If you start too many they will use RAM
|
||
@# and other system resources.
|
||
@#
|
||
@#redirect_children 5
|
||
@# 20 c'est trop peu, squid se plaint. Nico 11/10/02
|
||
@redirect_children 32
|
||
@
|
||
@# TAG: redirect_rewrites_host_header
|
||
@# By default Squid rewrites any Host: header in redirected requests.
|
||
@# If you are running a accelerator then this may not be a wanted effect
|
||
@# of a redirector.
|
||
@#redirect_rewrites_host_header on
|
||
@
|
||
@# TAG: authenticate_program
|
||
@# Specify the command for the external authenticator. Such a
|
||
@# program reads a line containing "username password" and replies
|
||
@# "OK" or "ERR" in an endless loop. If you use an authenticator,
|
||
@# make sure you have 1 acl of type proxy_auth. By default, the
|
||
@# authenticator_program is not used.
|
||
@#
|
||
@# If you want to use the traditional proxy authentication,
|
||
@# jump over to the ../auth_modules/NCSA directory and
|
||
@# type:
|
||
@# % make
|
||
@# % make install
|
||
@#
|
||
@# Then, set this line to something like
|
||
@#
|
||
@# authenticate_program /usr/bin/ncsa_auth /usr/etc/passwd
|
||
@#
|
||
@#authenticate_program none
|
||
@
|
||
@# TAG: authenticate_children
|
||
@# The number of authenticator processes to spawn (default 5). If you
|
||
@# start too few Squid will have to wait for them to process a backlog
|
||
@# of usercode/password verifications, slowing it down. When password
|
||
@# verifications are done via a (slow) network you are likely to need
|
||
@# lots of authenticator processes.
|
||
@#
|
||
@#authenticate_children 5
|
||
@
|
||
@# TAG: authenticate_ttl
|
||
@# The time a checked username/password combination remains cached
|
||
@# (default 3600). If a wrong password is given for a cached user,
|
||
@# the user gets removed from the username/password cache forcing
|
||
@# a revalidation.
|
||
@#
|
||
@#authenticate_ttl 3600
|
||
@
|
||
@
|
||
@# OPTIONS FOR TUNING THE CACHE
|
||
@# -----------------------------------------------------------------------------
|
||
@
|
||
@# TAG: wais_relay_host
|
||
@# TAG: wais_relay_port
|
||
@# Relay WAIS request to host (1st arg) at port (2 arg).
|
||
@#
|
||
@#wais_relay_host localhost
|
||
@#wais_relay_port 8000
|
||
@
|
||
@# TAG: request_size (KB)
|
||
@# Maximum allowed request size in kilobytes. If people are using
|
||
@# POST to upload files, then set this to the largest acceptable
|
||
@# filesize plus a few extra kbytes.
|
||
@# Cette option n'existe plus dans squid 2.3 et + : cf. request_header_max_size et
|
||
@# request_body_max_size. Je les rajoute donc dans la section qui suit
|
||
@#request_size 100 KB
|
||
@
|
||
@# TAG: request_header_max_size (KB)
|
||
@# This specifies the maximum size for HTTP headers in a request.
|
||
@# Request headers are usually relatively small (about 512 bytes).
|
||
@# Placing a limit on the request header size will catch certain
|
||
@# bugs (for example with persistent connections) and possibly
|
||
@# buffer-overflow or denial-of-service attacks.
|
||
@#
|
||
@#Default:
|
||
@# request_header_max_size 10 KB
|
||
@
|
||
@# TAG: request_body_max_size (KB)
|
||
@# This specifies the maximum size for an HTTP request body.
|
||
@# In other words, the maximum size of a PUT/POST request.
|
||
@# A user who attempts to send a request with a body larger
|
||
@# than this limit receives an "Invalid Request" error message.
|
||
@# If you set this parameter to a zero, there will be no limit
|
||
@# imposed.
|
||
@# Cette option est n<>cessaire pour faire certains envois de fichiers
|
||
@# sur des serveurs. Nico 6.04.02
|
||
@#Default:
|
||
@# request_body_max_size 1 MB
|
||
@request_body_max_size 20 MB
|
||
@
|
||
@
|
||
@
|
||
@# TAG: refresh_pattern
|
||
@# usage: refresh_pattern [-i] regex min percent max [options]
|
||
@#
|
||
@# By default, regular expressions are CASE-SENSITIVE. To make
|
||
@# them case-insensitive, use the -i option.
|
||
@#
|
||
@# min and max are specified in MINUTES.
|
||
@# percent is an integer number.
|
||
@#
|
||
@# options: override-expire
|
||
@# override-lastmod
|
||
@# reload-into-ims
|
||
@# ignore-reload
|
||
@#
|
||
@# override-expire enforces min age even if the server
|
||
@# sent a Expires: header. Doing this VIOLATES the HTTP
|
||
@# standard. Enabling this feature could make you liable
|
||
@# for problems which it causes.
|
||
@#
|
||
@# override-lastmod enforces min age even on objects
|
||
@# that was modified recently.
|
||
@#
|
||
@# reload-into-ims changes client no-cache or ``reload''
|
||
@# to If-Modified-Since requests. Doing this VIOLATES the
|
||
@# HTTP standard. Enabling this feature could make you
|
||
@# liable for problems which it causes.
|
||
@#
|
||
@# ignore-reload ignores a client no-cache or ``reload''
|
||
@# header. Doing this VIOLATES the HTTP standard. Enabling
|
||
@# this feature could make you liable for problems which
|
||
@# it causes.
|
||
@#
|
||
@# Please see the file doc/Release-Notes-1.1.txt for a full
|
||
@# description of Squid's refresh algorithm. Basically a
|
||
@# cached object is: (the order is changed from 1.1.X)
|
||
@#
|
||
@# FRESH if expires < now, else STALE
|
||
@# STALE if age > max
|
||
@# FRESH if lm-factor < percent, else STALE
|
||
@# FRESH if age < min
|
||
@# else STALE
|
||
@#
|
||
@# The refresh_pattern lines are checked in the order listed here.
|
||
@# The first entry which matches is used. If none of the entries
|
||
@# match, then the default will be used.
|
||
@#
|
||
@#Default:
|
||
@#refresh_pattern ^ftp: 1440 20% 10080
|
||
@#refresh_pattern ^gopher: 1440 0% 1440
|
||
@#refresh_pattern . 0 20% 4320
|
||
@
|
||
@# TAG: reference_age
|
||
@# As a part of normal operation, Squid performs Least Recently
|
||
@# Used removal of cached objects. The LRU age for removal is
|
||
@# computed dynamically, based on the amount of disk space in
|
||
@# use. The dynamic value can be seen in the Cache Manager 'info'
|
||
@# output.
|
||
@#
|
||
@# The 'reference_age' parameter defines the maximum LRU age. For
|
||
@# example, setting reference_age to '1 week' will cause objects
|
||
@# to be removed if they have not been accessed for a week or
|
||
@# more. The default value is one month.
|
||
@#
|
||
@# Specify a number here, followed by units of time. For example:
|
||
@# 1 week
|
||
@# 3.5 days
|
||
@# 4 months
|
||
@# 2.2 hours
|
||
@#
|
||
@#reference_age 1 month
|
||
@
|
||
@# TAG: quick_abort_min (KB)
|
||
@# TAG: quick_abort_max (KB)
|
||
@# TAG: quick_abort_pct (percent)
|
||
@# The cache can be configured to continue downloading aborted
|
||
@# requests. This may be undesirable on slow (e.g. SLIP) links
|
||
@# and/or very busy caches. Impatient users may tie up file
|
||
@# descriptors and bandwidth by repeatedly requesting and
|
||
@# immediately aborting downloads.
|
||
@#
|
||
@# When the user aborts a request, Squid will check the
|
||
@# quick_abort values to the amount of data transfered until
|
||
@# then.
|
||
@#
|
||
@# If the transfer has less than 'quick_abort_min' KB remaining,
|
||
@# it will finish the retrieval. Setting 'quick_abort_min' to -1
|
||
@# will disable the quick_abort feature.
|
||
@#
|
||
@# If the transfer has more than 'quick_abort_max' KB remaining,
|
||
@# it will abort the retrieval.
|
||
@#
|
||
@# If more than 'quick_abort_pct' of the transfer has completed,
|
||
@# it will finish the retrieval.
|
||
@#
|
||
@#quick_abort_min 16 KB
|
||
@#quick_abort_max 16 KB
|
||
@#quick_abort_pct 95
|
||
@
|
||
@# TAG: negative_ttl time-units
|
||
@# Time-to-Live (TTL) for failed requests. Certain types of
|
||
@# failures (such as "connection refused" and "404 Not Found") are
|
||
@# negatively-cached for a configurable amount of time. The
|
||
@# default is 5 minutes. Note that this is different from
|
||
@# negative caching of DNS lookups.
|
||
@#
|
||
@#negative_ttl 5 minutes
|
||
@
|
||
@# TAG: positive_dns_ttl time-units
|
||
@# Time-to-Live (TTL) for positive caching of successful DNS lookups.
|
||
@# Default is 6 hours (360 minutes). If you want to minimize the
|
||
@# use of Squid's ipcache, set this to 1, not 0.
|
||
@#
|
||
@#positive_dns_ttl 6 hours
|
||
@
|
||
@# TAG: negative_dns_ttl time-units
|
||
@# Time-to-Live (TTL) for negative caching of failed DNS lookups.
|
||
@#
|
||
@#negative_dns_ttl 5 minutes
|
||
@
|
||
@# TAG: range_offset_limit (bytes)
|
||
@# Sets a upper limit on how far into the the file a Range request
|
||
@# may be to cause Squid to prefetch the whole file. If beyond this
|
||
@# limit then Squid forwards the Range request as it is and the result
|
||
@# is NOT cached.
|
||
@#
|
||
@# This is to stop a far ahead range request (lets say start at 17MB)
|
||
@# from making Squid fetch the whole object up to that point before
|
||
@# sending anything to the client.
|
||
@#
|
||
@# A value of -1 causes Squid to always fetch the object from the
|
||
@# beginning so that it may cache the result. (2.0 style)
|
||
@#
|
||
@# A value of 0 causes Squid to never fetch more than the client
|
||
@# client requested. (default)
|
||
@#
|
||
@#range_offset_limit 0 KB
|
||
@
|
||
@
|
||
@# TIMEOUTS
|
||
@# -----------------------------------------------------------------------------
|
||
@
|
||
@# TAG: connect_timeout time-units
|
||
@# Some systems (notably Linux) can not be relied upon to properly
|
||
@# time out connect(2) requests. Therefore the Squid process
|
||
@# enforces its own timeout on server connections. This parameter
|
||
@# specifies how long to wait for the connect to complete. The
|
||
@# default is two minutes (120 seconds).
|
||
@#
|
||
@#connect_timeout 120 seconds
|
||
@
|
||
@# TAG: siteselect_timeout time-units
|
||
@# For URN to multiple URL's URL selection
|
||
@#
|
||
@#siteselect_timeout 4 seconds
|
||
@
|
||
@# TAG: read_timeout time-units
|
||
@# The read_timeout is applied on server-side connections. After
|
||
@# each successful read(), the timeout will be extended by this
|
||
@# amount. If no data is read again after this amount of time,
|
||
@# the request is aborted and logged with ERR_READ_TIMEOUT. The
|
||
@# default is 15 minutes.
|
||
@#
|
||
@#read_timeout 15 minutes
|
||
@
|
||
@# TAG: request_timeout
|
||
@# How long to wait for an HTTP request after connection
|
||
@# establishment. For persistent connections, wait this long
|
||
@# after the previous request completes.
|
||
@#
|
||
@#request_timeout 30 seconds
|
||
@
|
||
@# TAG: client_lifetime time-units
|
||
@# The maximum amount of time that a client (browser) is allowed to
|
||
@# remain connected to the cache process. This protects the Cache
|
||
@# from having alot of sockets (and hence file descriptors) tied up
|
||
@# in a CLOSE_WAIT state from remote clients that go away without
|
||
@# properly shutting down (either because of a network failure or
|
||
@# because of a poor client implementation). The default is one
|
||
@# day, 1440 minutes.
|
||
@#
|
||
@# NOTE: The default value is intended to be much larger than any
|
||
@# client would ever need to be connected to your cache. You
|
||
@# should probably change client_lifetime only as a last resort.
|
||
@# If you seem to have many client connections tying up
|
||
@# filedescriptors, we recommend first tuning the read_timeout,
|
||
@# request_timeout, pconn_timeout and quick_abort values.
|
||
@#
|
||
@#client_lifetime 1 day
|
||
@
|
||
@# TAG: half_closed_clients
|
||
@# Some clients may shutdown the sending side of their TCP
|
||
@# connections, while leaving their receiving sides open. Sometimes,
|
||
@# Squid can not tell the difference between a half-closed and a
|
||
@# fully-closed TCP connection. By default, half-closed client
|
||
@# connections are kept open until a read(2) or write(2) on the
|
||
@# socket returns an error. Change this option to 'off' and Squid
|
||
@# will immediately close client connections when read(2) returns
|
||
@# "no more data to read."
|
||
@#
|
||
@#half_closed_clients on
|
||
@
|
||
@# TAG: pconn_timeout
|
||
@# Timeout for idle persistent connections to servers and other
|
||
@# proxies.
|
||
@#pconn_timeout 120 seconds
|
||
@
|
||
@# TAG: ident_timeout
|
||
@# Maximum time to wait for IDENT requests. If this is too high,
|
||
@# and you enabled 'ident_lookup', then you might be susceptible
|
||
@# to denial-of-service by having many ident requests going at
|
||
@# once.
|
||
@#
|
||
@# This option may be disabled by using --disable-ident with
|
||
@# the configure script.
|
||
@#ident_timeout 10 seconds
|
||
@
|
||
@# TAG: shutdown_lifetime time-units
|
||
@# When SIGTERM or SIGHUP is received, the cache is put into
|
||
@# "shutdown pending" mode until all active sockets are closed.
|
||
@# This value is the lifetime to set for all open descriptors
|
||
@# during shutdown mode. Any active clients after this many
|
||
@# seconds will receive a 'timeout' message.
|
||
@#
|
||
@#shutdown_lifetime 30 seconds
|
||
@
|
||
@
|
||
@# ACCESS CONTROLS
|
||
@# -----------------------------------------------------------------------------
|
||
@
|
||
@# TAG: acl
|
||
@# Defining an Access List
|
||
@#
|
||
@# acl aclname acltype string1 ...
|
||
@# acl aclname acltype "file" ...
|
||
@#
|
||
@# when using "file", the file should contain one item per line
|
||
@#
|
||
@# acltype is one of src dst srcdomain dstdomain url_pattern
|
||
@# urlpath_pattern time port proto method browser user
|
||
@#
|
||
@# By default, regular expressions are CASE-SENSITIVE. To make
|
||
@# them case-insensitive, use the -i option.
|
||
@#
|
||
@# acl aclname src ip-address/netmask ... (clients IP address)
|
||
@# acl aclname src addr1-addr2/netmask ... (range of addresses)
|
||
@# acl aclname dst ip-address/netmask ... (URL host's IP address)
|
||
@# acl aclname myip ip-address/netmask ... (local socket IP address)
|
||
@#
|
||
@# acl aclname srcdomain foo.com ... # reverse lookup, client IP
|
||
@# acl aclname dstdomain foo.com ... # Destination server from URL
|
||
@# acl aclname srcdom_regex [-i] xxx ... # regex matching client name
|
||
@# acl aclname dstdom_regex [-i] xxx ... # regex matching server
|
||
@# # For dstdomain and dstdom_regex a reverse lookup is tried if a IP
|
||
@# # based URL is used. The name "none" is used if the reverse lookup
|
||
@# # fails.
|
||
@#
|
||
@# acl aclname time [day-abbrevs] [h1:m1-h2:m2]
|
||
@# day-abbrevs:
|
||
@# S - Sunday
|
||
@# M - Monday
|
||
@# T - Tuesday
|
||
@# W - Wednesday
|
||
@# H - Thursday
|
||
@# F - Friday
|
||
@# A - Saturday
|
||
@# h1:m1 must be less than h2:m2
|
||
@# acl aclname url_regex [-i] ^http:// ... # regex matching on whole URL
|
||
@# acl aclname urlpath_regex [-i] \.gif$ ... # regex matching on URL path
|
||
@# acl aclname port 80 70 21 ...
|
||
@# acl aclname port 0-1024 ... # ranges allowed
|
||
@# acl aclname proto HTTP FTP ...
|
||
@# acl aclname method GET POST ...
|
||
@# acl aclname browser [-i] regexp
|
||
@# # pattern match on User-Agent header
|
||
@# acl aclname ident username ...
|
||
@# # string match on ident output.
|
||
@# # use REQUIRED to accept any non-null ident.
|
||
@# acl aclname src_as number ...
|
||
@# acl aclname dst_as number ...
|
||
@# # Except for access control, AS numbers can be used for
|
||
@# # routing of requests to specific caches. Here's an
|
||
@# # example for routing all requests for AS#1241 and only
|
||
@# # those to mycache.mydomain.net:
|
||
@# # acl asexample dst_as 1241
|
||
@# # cache_peer_access mycache.mydomain.net allow asexample
|
||
@# # cache_peer_access mycache_mydomain.net deny all
|
||
@#
|
||
@# acl aclname proxy_auth username ...
|
||
@# # list of valid usernames
|
||
@# # use REQUIRED to accept any valid username.
|
||
@# #
|
||
@# # NOTE: when a Proxy-Authentication header is sent but it is not
|
||
@# # needed during ACL checking the username is NOT logged
|
||
@# # in access.log.
|
||
@# #
|
||
@# # NOTE: proxy_auth requires a EXTERNAL authentication program
|
||
@# # to check username/password combinations (see
|
||
@# # authenticate_program).
|
||
@# #
|
||
@# # WARNING: proxy_auth can't be used in a transparent proxy. It
|
||
@# # collides with any authentication done by origin servers. It may
|
||
@# # seem like it works at first, but it doesn't.
|
||
@#
|
||
@# acl aclname snmp_community string ...
|
||
@# # A community string to limit access to your SNMP Agent
|
||
@# # Example:
|
||
@# #
|
||
@# # acl snmppublic snmp_community public
|
||
@#
|
||
@#
|
||
@#Examples:
|
||
@#acl myexample dst_as 1241
|
||
@#acl password proxy_auth REQUIRED
|
||
@#
|
||
@#Defaults:
|
||
@acl all src 0.0.0.0/0.0.0.0
|
||
@acl manager proto cache_object
|
||
@acl localhost src 127.0.0.1/255.255.255.255
|
||
print "acl proxy src %s/255.255.255.255" % pubip('proxy');
|
||
@acl CRANS src 138.231.136.0/255.255.248.0
|
||
@acl WIFI src 138.231.144.0/255.255.248.0
|
||
@acl ADM src 10.231.136.0/255.255.255.0
|
||
@acl SSL_ports port 443 563
|
||
@acl Safe_ports port 80 21 443 563 70 210 1025-65535
|
||
@acl purge method PURGE
|
||
@acl CONNECT method CONNECT
|
||
@acl snmppublic snmp_community squidadmin
|
||
@acl HTTP proto HTTP
|
||
@acl FTP proto FTP
|
||
print "acl GOTO_PROXY dst %s/255.255.255.255" % pubip('proxy');
|
||
@acl ports_interdits port 445
|
||
@acl no_pub myport 8118
|
||
@
|
||
@# On limite un bug d'un logiciel windows : 1 t<>l<EFBFBD>chargement/s par programme
|
||
@# qui r<>cup<75>re un fichier xml contenant un n<> de version
|
||
@#acl DESKTOPFW.WEATHER dst 63.111.69.15
|
||
@
|
||
@# TAG: http_access
|
||
@# Allowing or Denying access based on defined access lists
|
||
@#
|
||
@# Access to the HTTP port:
|
||
@# http_access allow|deny [!]aclname ...
|
||
@#
|
||
@# Access to the ICP port:
|
||
@# icp_access allow|deny [!]aclname ...
|
||
@#
|
||
@# NOTE on default values:
|
||
@#
|
||
@# If there are no "access" lines present, the default is to allow
|
||
@# the request.
|
||
@#
|
||
@# If none of the "access" lines cause a match, the default is the
|
||
@# opposite of the last line in the list. If the last line was
|
||
@# deny, then the default is allow. Conversely, if the last line
|
||
@# is allow, the default will be deny. For these reasons, it is a
|
||
@# good idea to have an "deny all" or "allow all" entry at the end
|
||
@# of your access lists to avoid potential confusion.
|
||
@#
|
||
@
|
||
@# Le vlan ADM a le droit à tout
|
||
@http_access allow ADM
|
||
@
|
||
@# Acc<63>s vers sites anti-virus + windows update permis dans tous les cas
|
||
@acl sites_permis dstdomain "/etc/squid/sites_permis"
|
||
@http_access allow CRANS sites_permis
|
||
@# Autorisation du http vers le proxy aussi (pour avoir les images sur les pages de d<>conexions)
|
||
@http_access allow CRANS GOTO_PROXY
|
||
@
|
||
@# Blacklist carte d'<27>tudiant
|
||
@acl bl_no_carte src "/etc/squid/blacklist_carte_et"
|
||
@http_access deny bl_no_carte
|
||
@deny_info ERR_CUSTOM_BL_NO_CARTE bl_no_carte
|
||
@
|
||
@# Blacklist upload
|
||
@acl blacklist_upload src "/etc/squid/blacklist_upload"
|
||
@http_access deny blacklist_upload
|
||
@deny_info ERR_CUSTOM_BL_UPLOAD blacklist_upload
|
||
@
|
||
@# Blacklist p2p
|
||
@acl blacklist_p2p src "/etc/squid/blacklist_p2p"
|
||
@http_access deny blacklist_p2p
|
||
@deny_info ERR_CUSTOM_BL_P2P blacklist_p2p
|
||
@
|
||
@# Blacklist autodisconnect upload
|
||
@acl blacklist_autodisc_upload src "/etc/squid/blacklist_autodisc_upload"
|
||
@http_access deny blacklist_autodisc_upload
|
||
@deny_info ERR_CUSTOM_BL_AUTO_UPLOAD blacklist_autodisc_upload
|
||
@
|
||
@# Blacklist autodisconnect p2p
|
||
@acl blacklist_autodisc_p2p src "/etc/squid/blacklist_autodisc_p2p"
|
||
@http_access deny blacklist_autodisc_p2p
|
||
@deny_info ERR_CUSTOM_BL_AUTO_P2P blacklist_autodisc_p2p
|
||
@
|
||
@# Blacklist warez
|
||
@acl blacklist_warez src "/etc/squid/blacklist_warez"
|
||
@http_access deny blacklist_warez
|
||
@deny_info ERR_CUSTOM_BL_WAREZ blacklist_warez
|
||
@
|
||
@# Blacklist bloq
|
||
@acl blacklist_bloq src "/etc/squid/blacklist_bloq"
|
||
@http_access deny blacklist_bloq
|
||
@deny_info ERR_CUSTOM_BLOQ blacklist_bloq
|
||
@
|
||
@# Virus windows
|
||
@acl veroles src "/etc/squid/blacklist_virus"
|
||
@http_access deny veroles HTTP
|
||
@deny_info ERR_CUSTOM_BL_VIRUS veroles HTTP
|
||
@# On ne leur bloque pas le ftp, ils ont d<>ja assez de mal <20> se d<>sinfecter sans
|
||
@http_access allow veroles FTP
|
||
@
|
||
@# Autorisations pour le point rencontre
|
||
@acl ptrencontre src "/etc/squid/ips_ptrencontre"
|
||
print "acl ZAMOK dst 138.231.136.6" % pubip('zamok');
|
||
@acl GOTO_CRANS dst 138.231.136.0/255.255.248.0
|
||
@http_access allow ptrencontre ZAMOK
|
||
@http_access deny ptrencontre GOTO_CRANS
|
||
@http_access allow ptrencontre FTP
|
||
@
|
||
@# Blackliste chambre invalide
|
||
@acl bl_chbre src "/etc/squid/blacklist_chbre"
|
||
@http_access deny bl_chbre
|
||
@deny_info ERR_CUSTOM_BL_CHAMBRE bl_chbre
|
||
@
|
||
@# Blackliste mail invalide
|
||
@#acl bl_no_mail src "/etc/squid/mail_invalide"
|
||
@#http_access deny bl_no_mail
|
||
@#deny_info ERR_CUSTOM_BL_NO_MAIL bl_no_mail
|
||
@
|
||
@# Pas de ftp
|
||
@http_access deny FTP
|
||
@deny_info ERR_FTP_DISABLED FTP
|
||
@
|
||
@# Bloquage local
|
||
@http_access allow GOTO_PROXY
|
||
@acl WIKI url_regex http://wiki.crans.org/.*
|
||
@http_access allow WIKI
|
||
@http_access deny local
|
||
@deny_info ERR_CUSTOM_PROXY_LOCAL local
|
||
@
|
||
@# AGO
|
||
@# http_access deny all
|
||
@# deny_info ERR_CUSTOM_AGO all
|
||
@
|
||
@
|
||
@# Bloquage de ports sp<73>ciaux
|
||
@http_access deny ports_interdits
|
||
@
|
||
@# Bloquage du logiciel desktopfw pour la m<>t<EFBFBD>o cf plus haut
|
||
@#http_access deny DESKTOPFW.WEATHER
|
||
@
|
||
@# Manager sur localhost
|
||
@http_access allow manager localhost
|
||
@http_access deny manager
|
||
@
|
||
@# Tunnel uniquement sur les ports SSL
|
||
@http_access allow CONNECT SSL_ports
|
||
@# Exception pour cas.univ-paris1.fr, port 8444
|
||
@acl 8444_port port 8444
|
||
@acl PARIS1 dst cas.univ-paris1.fr
|
||
@http_access allow CONNECT 8444_port PARIS1
|
||
@# On jette le reste
|
||
@http_access deny CONNECT
|
||
@
|
||
@# Je ne sais pas ce que c'est. Vu que c'est restreint <20> localhost, c'est bon. -- Vince
|
||
@http_access allow purge localhost
|
||
@
|
||
@# On autorise le CRANS, le WIFI
|
||
@http_access allow CRANS
|
||
@http_access allow WIFI
|
||
@
|
||
@# Et le proxy
|
||
@http_access allow localhost
|
||
@
|
||
@# On interdit tout le reste.
|
||
@http_access deny all
|
||
@
|
||
@#POUR SECOURS-3
|
||
@#cache_peer titanic.adm.crans.org parent 3128 0 no-digest no-query
|
||
@#always_direct deny all
|
||
@#never_direct allow all
|
||
@# Les 3 lignes pr<70>c<EFBFBD>dentes sont automatiquement d<>comment<6E>es en passage par la
|
||
@# connexion de secours.
|
||
@
|
||
@# Certains domaines passent tous par titanic
|
||
@#acl VIAULTRA dstdomain .gpspassion.com .free.fr
|
||
@#cache_peer titanic.adm.crans.org parent 3128 3130 no-digest
|
||
@#cache_peer_access titanic.adm.crans.org allow VIAULTRA
|
||
@#cache_peer_access titanic.adm.crans.org deny all
|
||
@#always_direct deny VIAULTRA
|
||
@#never_direct allow VIAULTRA
|
||
@
|
||
@
|
||
@# On redirige ce qui doit l'<27>tre sur privoxy
|
||
@#cache_peer localhost parent 8117 0 no-query no-digest
|
||
@#always_direct deny no_pub
|
||
@
|
||
@# TAG: icp_access
|
||
@# Reply to all ICP queries we receive
|
||
@#
|
||
@icp_access allow all
|
||
@
|
||
@# TAG: miss_access
|
||
@# Use to force your neighbors to use you as a sibling instead of
|
||
@# a parent. For example:
|
||
@#
|
||
@# acl localclients src 172.16.0.0/16
|
||
@# miss_access allow localclients
|
||
@# miss_access deny !localclients
|
||
@#
|
||
@# This means that only your local clients are allowed to fetch
|
||
@# MISSES and all other clients can only fetch HITS.
|
||
@#
|
||
@# By default, allow all clients who passed the http_access rules
|
||
@# to fetch MISSES from us.
|
||
@miss_access allow CRANS
|
||
@miss_access allow WIFI
|
||
@miss_access allow ADM
|
||
@miss_access deny all
|
||
@
|
||
@# TAG: cache_peer_access
|
||
@# Similar to 'cache_peer_domain' but provides more flexibility by
|
||
@# using ACL elements.
|
||
@#
|
||
@# cache_peer_access cache-host allow|deny [!]aclname ...
|
||
@#
|
||
@# The syntax is identical to 'http_access' and the other lists of
|
||
@# ACL elements. See the comments for 'http_access' below, or
|
||
@# the Squid FAQ (http://squid.nlanr.net/Squid/FAQ/FAQ-10.html).
|
||
@
|
||
@# TAG: proxy_auth_realm
|
||
@# Specifies the realm name which is to be reported to the client for
|
||
@# proxy authentication (part of the text the user will see when
|
||
@# prompted their username and password).
|
||
@#
|
||
@#proxy_auth_realm Squid proxy-caching web server
|
||
@
|
||
@# TAG: ident_lookup_access
|
||
@# A list of ACL elements which, if matched, cause an ident
|
||
@# (RFC 931) lookup to be performed for this request. For
|
||
@# example, you might choose to always perform ident lookups
|
||
@# for your main multi-user Unix boxes, but not for your Macs
|
||
@# and PCs. By default, ident lookups are not performed for
|
||
@# any requests.
|
||
@#
|
||
@# To enable ident lookups for specific client addresses, you
|
||
@# can follow this example:
|
||
@#
|
||
@# acl ident_aware_hosts src 198.168.1.0/255.255.255.0
|
||
@# ident_lookup_access allow ident_aware_hosts
|
||
@# ident_lookup_access deny all
|
||
@#
|
||
@# This option may be disabled by using --disable-ident with
|
||
@# the configure script.
|
||
@#ident_lookup_access deny all
|
||
@
|
||
@
|
||
@# ADMINISTRATIVE PARAMETERS
|
||
@# -----------------------------------------------------------------------------
|
||
@
|
||
@# TAG: cache_mgr
|
||
@# Email-address of local cache manager who will receive
|
||
@# mail if the cache dies. The default is "webmaster."
|
||
@#
|
||
@#cache_mgr webmaster
|
||
@
|
||
@# TAG: cache_effective_user
|
||
@# TAG: cache_effective_group
|
||
@#
|
||
@# If the cache is run as root, it will change its effective/real
|
||
@# UID/GID to the UID/GID specified below. The default is to
|
||
@# change to UID to nobody and GID to nogroup.
|
||
@#
|
||
@# If Squid is not started as root, the default is to keep the
|
||
@# current UID/GID. Note that if Squid is not started as root then
|
||
@# you cannot set http_port to a value lower than 1024.
|
||
@#
|
||
@cache_effective_user proxy
|
||
@cache_effective_group proxy
|
||
@
|
||
@# TAG: visible_hostname
|
||
@# If you want to present a special hostname in error messages, etc,
|
||
@# then define this. Otherwise, the return value of gethostname()
|
||
@# will be used. If you have multiple caches in a cluster and
|
||
@# get errors about IP-forwarding you must set them to have individual
|
||
@# names with this setting.
|
||
@#
|
||
@visible_hostname proxy.crans.org
|
||
@
|
||
@# TAG: unique_hostname
|
||
@# If you want to have multiple machines with the same
|
||
@# 'visible_hostname' then you must give each machine a different
|
||
@# 'unique_hostname' so that forwarding loops can be detected.
|
||
@#
|
||
@#unique_hostname www-cache1.foo.org
|
||
@
|
||
@
|
||
@# OPTIONS FOR THE CACHE REGISTRATION SERVICE
|
||
@# -----------------------------------------------------------------------------
|
||
@#
|
||
@# This section contains parameters for the (optional) cache
|
||
@# announcement service. This service is provided to help
|
||
@# cache administrators locate one another in order to join or
|
||
@# create cache hierarchies.
|
||
@#
|
||
@# An 'announcement' message is sent (via UDP) to the registration
|
||
@# service by Squid. By default, the annoucement message is NOT
|
||
@# SENT unless you enable it with 'announce_period' below.
|
||
@#
|
||
@# The announcement message includes your hostname, plus the
|
||
@# following information from this configuration file:
|
||
@#
|
||
@# http_port
|
||
@# icp_port
|
||
@# cache_mgr
|
||
@#
|
||
@# All current information is processed regularly and made
|
||
@# available on the Web at http://ircache.nlanr.net/Cache/Tracker/.
|
||
@
|
||
@# TAG: announce_period
|
||
@# This is how frequently to send cache announcements. The
|
||
@# default is `0' which disables sending the announcement
|
||
@# messages.
|
||
@#
|
||
@# To enable announcing your cache, just uncomment the line
|
||
@# below.
|
||
@#
|
||
@#announce_period 1 day
|
||
@
|
||
@# TAG: announce_host
|
||
@# TAG: announce_file
|
||
@# TAG: announce_port
|
||
@# announce_host and announce_port set the hostname and port
|
||
@# number where the registration message will be sent.
|
||
@#
|
||
@# Hostname will default to 'tracker.ircache.net' and port will
|
||
@# default default to 3131. If the 'filename' argument is given,
|
||
@# the contents of that file will be included in the announce
|
||
@# message.
|
||
@#
|
||
@#announce_host tracker.ircache.net
|
||
@#announce_port 3131
|
||
@
|
||
@
|
||
@# HTTPD-ACCELERATOR OPTIONS (D<>pr<70>ci<63> dans la version 2.6-5)
|
||
@# -----------------------------------------------------------------------------
|
||
@
|
||
@# TAG: httpd_accel_host
|
||
@# TAG: httpd_accel_port
|
||
@# If you want to run Squid as an httpd accelerator, define the
|
||
@# host name and port number where the real HTTP server is.
|
||
@#
|
||
@# If you want virtual host support then specify the hostname
|
||
@# as "virtual".
|
||
@#
|
||
@# NOTE: enabling httpd_accel_host disables proxy-caching and
|
||
@# ICP. If you want these features enabled also, then set
|
||
@# the 'httpd_accel_with_proxy' option.
|
||
@#
|
||
@#httpd_accel_host hostname
|
||
@#httpd_accel_port port
|
||
@
|
||
@# Activation de sila en proxy transparent de temps de l'install party. 7/11/02 Nico
|
||
@#httpd_accel_host virtual
|
||
@#httpd_accel_port 80 inutile pour un proxy transparent.
|
||
@
|
||
@# TAG: httpd_accel_with_proxy on|off
|
||
@# If you want to use Squid as both a local httpd accelerator
|
||
@# and as a proxy, change this to 'on'.
|
||
@#
|
||
@#httpd_accel_with_proxy off
|
||
@#httpd_accel_with_proxy on
|
||
@
|
||
@# TAG: httpd_accel_uses_host_header on|off
|
||
@# HTTP/1.1 requests include a Host: header which is basically the
|
||
@# hostname from the URL. Squid can be an accelerator for
|
||
@# different HTTP servers by looking at this header. However,
|
||
@# Squid does NOT check the value of the Host header, so it opens
|
||
@# a big security hole. We recommend that this option remain
|
||
@# disabled unless you are sure of what you are doing.
|
||
@#
|
||
@# However, you will need to enable this option if you run Squid
|
||
@# as a transparent proxy. Otherwise, virtual servers which
|
||
@# require the Host: header will not be properly cached.
|
||
@#httpd_accel_uses_host_header on
|
||
@
|
||
@
|
||
@# MISCELLANEOUS
|
||
@# -----------------------------------------------------------------------------
|
||
@
|
||
@# TAG: dns_testnames
|
||
@# The DNS tests exit as soon as the first site is successfully looked up
|
||
@#
|
||
@# If you want to disable DNS tests, do not comment out or delete this
|
||
@# list. Instead use the -D command line option
|
||
@#
|
||
@#dns_testnames netscape.com internic.net nlanr.net microsoft.com
|
||
@
|
||
@# TAG: logfile_rotate
|
||
@# Specifies the number of logfile rotations to make when you
|
||
@# type 'squid -k rotate'. The default is 10, which will rotate
|
||
@# with extensions 0 through 9. Setting logfile_rotate to 0 will
|
||
@# disable the rotation, but the logfiles are still closed and
|
||
@# re-opened. This will enable you to rename the logfiles
|
||
@# yourself just before sending the rotate signal.
|
||
@#
|
||
@# Note, the 'squid -k rotate' command normally sends a USR1
|
||
@# signal to the running squid process. In certain situations
|
||
@# (e.g. on Linux with Async I/O), USR1 is used for other
|
||
@# purposes, so -k rotate uses another signal. It is best to get
|
||
@# in the habit of using 'squid -k rotate' instead of 'kill -USR1
|
||
@# <pid>'.
|
||
@#
|
||
@#logfile_rotate 0
|
||
@
|
||
@# TAG: append_domain
|
||
@# Appends local domain name to hostnames without any dots in
|
||
@# them. append_domain must begin with a period.
|
||
@#
|
||
@append_domain .crans.org
|
||
@
|
||
@# TAG: tcp_recv_bufsize (bytes)
|
||
@# Size of receive buffer to set for TCP sockets. Probably just
|
||
@# as easy to change your kernel's default. Set to zero to use
|
||
@# the default buffer size.
|
||
@#
|
||
@#tcp_recv_bufsize 0 bytes
|
||
@
|
||
@# TAG: err_html_text
|
||
@# HTML text to include in error messages. Make this a "mailto"
|
||
@# URL to your admin address, or maybe just a link to your
|
||
@# organizations Web page.
|
||
@#
|
||
@# To include this in your error messages, you must rewrite
|
||
@# the error template files (found in the "errors" directory).
|
||
@# Wherever you want the 'err_html_text' line to appear,
|
||
@# insert a %L tag in the error template file.
|
||
@#err_html_text
|
||
@
|
||
@# TAG: deny_info
|
||
@# Usage: deny_info err_page_name acl
|
||
@# Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys
|
||
@#
|
||
@# This can be used to return a ERR_ page for requests which
|
||
@# do not pass the 'http_access' rules. A single ACL will cause
|
||
@# the http_access check to fail. If a 'deny_info' line exists
|
||
@# for that ACL then Squid returns a corresponding error page.
|
||
@#
|
||
@# You may use ERR_ pages that come with Squid or create your own pages
|
||
@# and put them into the configured errors/ directory.
|
||
@
|
||
@# TAG: memory_pools on|off
|
||
@# If set, Squid will keep pools of allocated (but unused) memory
|
||
@# available for future use. If memory is a premium on your
|
||
@# system and you believe your malloc library outperforms Squid
|
||
@# routines, disable this.
|
||
@#
|
||
@#memory_pools on
|
||
@
|
||
@# TAG: memory_pools_limit (bytes)
|
||
@# Used only with memory_pools on:
|
||
@# memory_pools_limit 50 MB
|
||
@#
|
||
@# If set to a non-zero value, Squid will keep at most the specified
|
||
@# limit of allocated (but unused) memory in memory pools. All free()
|
||
@# requests that exceed this limit will be handled by your malloc
|
||
@# library. Squid does not pre-allocate any memory, just safe-keeps
|
||
@# objects that otherwise would be free()d. Thus, it is safe to set
|
||
@# memory_pools_limit to a reasonably high value even if your
|
||
@# configuration will use less memory.
|
||
@#
|
||
@# If not set (default) or set to zero, Squid will keep all memory it
|
||
@# can. That is, there will be no limit on the total amount of memory
|
||
@# used for safe-keeping.
|
||
@#
|
||
@# To disable memory allocation optimization, do not set
|
||
@# memory_pools_limit to 0. Set memory_pools to "off" instead.
|
||
@#
|
||
@# An overhead for maintaining memory pools is not taken into account
|
||
@# when the limit is checked. This overhead is close to four bytes per
|
||
@# object kept. However, pools may actually _save_ memory because of
|
||
@# reduced memory thrashing in your malloc library.
|
||
@
|
||
@# TAG: forwarded_for on|off
|
||
@# If set, Squid will include your system's IP address or name
|
||
@# in the HTTP requests it forwards. By default it looks like
|
||
@# this:
|
||
@#
|
||
@# X-Forwarded-For: 192.1.2.3
|
||
@#
|
||
@# If you disable this, it will appear as
|
||
@#
|
||
@# X-Forwarded-For: unknown
|
||
@#
|
||
@forwarded_for off
|
||
@
|
||
@# TAG: log_icp_queries on|off
|
||
@# If set, ICP queries are logged to access.log. You may wish
|
||
@# do disable this if your ICP load is VERY high to speed things
|
||
@# up or to simplify log analysis.
|
||
@#
|
||
@#log_icp_queries on
|
||
@
|
||
@# TAG: icp_hit_stale on|off
|
||
@# If you want to return ICP_HIT for stale cache objects, set this
|
||
@# option to 'on'. If you have sibling relationships with caches
|
||
@# in other administrative domains, this should be 'off'. If you only
|
||
@# have sibling relationships with caches under your control, then
|
||
@# it is probably okay to set this to 'on'.
|
||
@#
|
||
@#icp_hit_stale off
|
||
@
|
||
@# TAG: minimum_direct_hops
|
||
@# If using the ICMP pinging stuff, do direct fetches for sites
|
||
@# which are no more than this many hops away.
|
||
@#
|
||
@#minimum_direct_hops 4
|
||
@
|
||
@# TAG: cachemgr_passwd
|
||
@# Specify passwords for cachemgr operations.
|
||
@#
|
||
@# Usage: cachemgr_passwd password action action ...
|
||
@#
|
||
@# Some valid actions are (see cache manager menu for a full list):
|
||
@# 5min
|
||
@# 60min
|
||
@# asndb
|
||
@# authenticator
|
||
@# cbdata
|
||
@# client_list
|
||
@# comm_incoming
|
||
@# config *
|
||
@# counters
|
||
@# delay
|
||
@# digest_stats
|
||
@# dns
|
||
@# events
|
||
@# filedescriptors
|
||
@# fqdncache
|
||
@# histograms
|
||
@# http_headers
|
||
@# info
|
||
@# io
|
||
@# ipcache
|
||
@# mem
|
||
@# menu
|
||
@# netdb
|
||
@# non_peers
|
||
@# objects
|
||
@# pconn
|
||
@# peer_select
|
||
@# redirector
|
||
@# refresh
|
||
@# server_list
|
||
@# shutdown *
|
||
@# store_digest
|
||
@# storedir
|
||
@# utilization
|
||
@# via_headers
|
||
@# vm_objects
|
||
@#
|
||
@# * Indicates actions which will not be performed without a
|
||
@# valid password, others can be performed if not listed here.
|
||
@#
|
||
@# To disable an action, set the password to "disable".
|
||
@# To allow performing an action without a password, set the
|
||
@# password to "none".
|
||
@#
|
||
@# Use the keyword "all" to set the same password for all actions.
|
||
@#
|
||
@#cachemgr_passwd secret shutdown
|
||
@#cachemgr_passwd lesssssssecret info stats/objects
|
||
@#cachemgr_passwd none all
|
||
@
|
||
@# TAG: store_avg_object_size (kbytes)
|
||
@# Average object size, used to estimate number of objects your
|
||
@# cache can hold. See doc/Release-Notes-1.1.txt. The default is
|
||
@# 13 KB.
|
||
@#
|
||
@#store_avg_object_size 13 KB
|
||
@
|
||
@# TAG: store_objects_per_bucket
|
||
@# Target number of objects per bucket in the store hash table.
|
||
@# Lowering this value increases the total number of buckets and
|
||
@# also the storage maintenance rate. The default is 20.
|
||
@#
|
||
@#store_objects_per_bucket 50
|
||
@
|
||
@# TAG: client_db on|off
|
||
@# If you want to disable collecting per-client statistics, then
|
||
@# turn off client_db here.
|
||
@#
|
||
@#client_db on
|
||
@
|
||
@# TAG: netdb_low
|
||
@# TAG: netdb_high
|
||
@# The low and high water marks for the ICMP measurement
|
||
@# database. These are counts, not percents. The defaults are
|
||
@# 900 and 1000. When the high water mark is reached, database
|
||
@# entries will be deleted until the low mark is reached.
|
||
@#
|
||
@#netdb_low 900
|
||
@#netdb_high 1000
|
||
@
|
||
@# TAG: netdb_ping_period
|
||
@# The minimum period for measuring a site. There will be at
|
||
@# least this much delay between successive pings to the same
|
||
@# network. The default is five minutes.
|
||
@#
|
||
@#netdb_ping_period 5 minutes
|
||
@
|
||
@# TAG: query_icmp on|off
|
||
@# If you want to ask your peers to include ICMP data in their ICP
|
||
@# replies, enable this option.
|
||
@#
|
||
@# If your peer has configured Squid (during compilation) with
|
||
@# '--enable-icmp' then that peer will send ICMP pings to origin server
|
||
@# sites of the URLs it receives. If you enable this option then the
|
||
@# ICP replies from that peer will include the ICMP data (if available).
|
||
@# Then, when choosing a parent cache, Squid will choose the parent with
|
||
@# the minimal RTT to the origin server. When this happens, the
|
||
@# hierarchy field of the access.log will be
|
||
@# "CLOSEST_PARENT_MISS". This option is off by default.
|
||
@#
|
||
@#query_icmp off
|
||
@
|
||
@# TAG: test_reachability on|off
|
||
@# When this is 'on', ICP MISS replies will be ICP_MISS_NOFETCH
|
||
@# instead of ICP_MISS if the target host is NOT in the ICMP
|
||
@# database, or has a zero RTT.
|
||
@#
|
||
@#test_reachability off
|
||
@
|
||
@# TAG: buffered_logs on|off
|
||
@# Some log files (cache.log, useragent.log) are written with
|
||
@# stdio functions, and as such they can be buffered or
|
||
@# unbuffered. By default they will be unbuffered. Buffering them
|
||
@# can speed up the writing slightly (though you are unlikely to
|
||
@# need to worry).
|
||
@#buffered_logs off
|
||
@
|
||
@# TAG: reload_into_ims on|off
|
||
@# When you enable this option, client no-cache or ``reload''
|
||
@# requests will be changed to If-Modified-Since requests.
|
||
@# Doing this VIOLATES the HTTP standard. Enabling this
|
||
@# feature could make you liable for problems which it
|
||
@# causes.
|
||
@#
|
||
@# see also refresh_pattern for a more selective approach.
|
||
@#
|
||
@# This option may be disabled by using --disable-http-violations
|
||
@# with the configure script.
|
||
@#reload_into_ims off
|
||
@
|
||
@# TAG: always_direct
|
||
@# Usage: always_direct allow|deny [!]aclname ...
|
||
@#
|
||
@# Here you can use ACL elements to specify requests which should
|
||
@# ALWAYS be forwarded directly to origin servers. For example,
|
||
@# to always directly forward requests for local servers use
|
||
@# something like:
|
||
@#
|
||
@# acl local-servers dstdomain my.domain.net
|
||
@# always_direct allow local-servers
|
||
@#
|
||
@# To always forward FTP requests directly, use
|
||
@#
|
||
@# acl FTP proto FTP
|
||
@# always_direct allow FTP
|
||
@#
|
||
@# NOTE: There is a similar, but opposite option named
|
||
@# 'never_direct'. You need to be aware that "always_direct deny
|
||
@# foo" is NOT the same thing as "never_direct allow foo". You
|
||
@# may need to use a deny rule to exclude a more-specific case of
|
||
@# some other rule. Example:
|
||
@#
|
||
@# acl local-external dstdomain external.foo.net
|
||
@# acl local-servers dstdomain foo.net
|
||
@# always_direct deny local-external
|
||
@# always_direct allow local-servers
|
||
@#
|
||
@# This option replaces some v1.1 options such as local_domain
|
||
@# and local_ip.
|
||
@always_direct allow CRANS
|
||
@always_direct allow WIFI
|
||
@always_direct allow ADM
|
||
@
|
||
@# TAG: never_direct
|
||
@# Usage: never_direct allow|deny [!]aclname ...
|
||
@#
|
||
@# never_direct is the opposite of always_direct. Please read
|
||
@# the description for always_direct if you have not already.
|
||
@#
|
||
@# With 'never_direct' you can use ACL elements to specify
|
||
@# requests which should NEVER be forwarded directly to origin
|
||
@# servers. For example, to force the use of a proxy for all
|
||
@# requests, except those in your local domain use something like:
|
||
@#
|
||
@# acl local-servers dstdomain foo.net
|
||
@# acl all src 0.0.0.0/0.0.0.0
|
||
@# never_direct deny local-servers
|
||
@# never_direct allow all
|
||
@#
|
||
@# or if squid is inside a firewall and there is local intranet
|
||
@# servers inside the firewall then use something like:
|
||
@#
|
||
@# acl local-intranet dstdomain foo.net
|
||
@# acl local-external dstdomain external.foo.net
|
||
@# always_direct deny local-external
|
||
@# always_direct allow local-intranet
|
||
@# never_direct allow all
|
||
@#
|
||
@# This option replaces some v1.1 options such as inside_firewall
|
||
@# and firewall_ip.
|
||
@
|
||
@never_direct deny CRANS
|
||
@never_direct deny WIFI
|
||
@never_direct deny ADM
|
||
@never_direct allow all
|
||
@
|
||
@# TAG: anonymize_headers
|
||
@# Usage: anonymize_headers allow|deny header_name ...
|
||
@#
|
||
@# This option replaces the old 'http_anonymizer' option with
|
||
@# something that is much more configurable. You may now
|
||
@# specify exactly which headers are to be allowed, or which
|
||
@# are to be removed from outgoing requests.
|
||
@#
|
||
@# There are two methods of using this option. You may either
|
||
@# allow specific headers (thus denying all others), or you
|
||
@# may deny specific headers (thus allowing all others).
|
||
@#
|
||
@# For example, to achieve the same behaviour as the old
|
||
@# 'http_anonymizer standard' option, you should use:
|
||
@#
|
||
@# anonymize_headers deny From Referer Server
|
||
@# anonymize_headers deny User-Agent WWW-Authenticate Link
|
||
@#
|
||
@# Or, to reproduce the old 'http_anonymizer paranoid' feature
|
||
@# you should use:
|
||
@#
|
||
@# anonymize_headers allow Allow Authorization Cache-Control
|
||
@# anonymize_headers allow Content-Encoding Content-Length
|
||
@# anonymize_headers allow Content-Type Date Expires Host
|
||
@# anonymize_headers allow If-Modified-Since Last-Modified
|
||
@# anonymize_headers allow Location Pragma Accept Charset
|
||
@# anonymize_headers allow Accept-Encoding Accept-Language
|
||
@# anonymize_headers allow Content-Language Mime-Version
|
||
@# anonymize_headers allow Retry-After Title Connection
|
||
@# anonymize_headers allow Proxy-Connection
|
||
@#
|
||
@# NOTE: You can not mix "allow" and "deny". All 'anonymize_headers'
|
||
@# lines must have the same second argument.
|
||
@#
|
||
@# By default, all headers are allowed (no anonymizing is
|
||
@# performed).
|
||
@#
|
||
@#anonymize_headers
|
||
@
|
||
@# TAG: fake_user_agent
|
||
@# If you filter the User-Agent header with 'anonymize_headers' it
|
||
@# may cause some Web servers to refuse your request. Use this to
|
||
@# fake one up. For example:
|
||
@#
|
||
@# fake_user_agent Nutscrape/1.0 (CP/M; 8-bit)
|
||
@# (credit to Paul Southworth pauls@etext.org for this one!)
|
||
@#
|
||
@#fake_user_agent none
|
||
@
|
||
@# TAG: icon_directory
|
||
@# Where the icons are stored. These are normally kept in
|
||
@# /usr/lib/squid/icons
|
||
@
|
||
@# TAG: error_directory
|
||
@# If you wish to create your own versions of the default
|
||
@# (English) error files, either to customise them to suit your
|
||
@# language or company copy the template english files to another
|
||
@# directory and point this tag at them.
|
||
@error_directory /usr/share/squid/errors/French
|
||
@
|
||
@# TAG: minimum_retry_timeout (seconds)
|
||
@# This specifies the minimum connect timeout, for when the
|
||
@# connect timeout is reduced to compensate for the availability
|
||
@# of multiple IP addresses.
|
||
@#
|
||
@# When a connection to a host is initiated, and that host has
|
||
@# several IP addresses, the default connection timeout is reduced
|
||
@# by dividing it by the number of addresses. So, a site with 15
|
||
@# addresses would then have a timeout of 8 seconds for each
|
||
@# address attempted. To avoid having the timeout reduced to the
|
||
@# point where even a working host would not have a chance to
|
||
@# respond, this setting is provided. The default, and the
|
||
@# minimum value, is five seconds, and the maximum value is sixty
|
||
@# seconds, or half of connect_timeout, whichever is greater and
|
||
@# less than connect_timeout.
|
||
@#
|
||
@#minimum_retry_timeout 5 seconds
|
||
@
|
||
@# TAG: maximum_single_addr_tries
|
||
@# This sets the maximum number of connection attempts for a
|
||
@# host that only has one address (for multiple-address hosts,
|
||
@# each address is tried once).
|
||
@#
|
||
@# The default value is three tries, the (not recommended)
|
||
@# maximum is 255 tries. A warning message will be generated
|
||
@# if it is set to a value greater than ten.
|
||
@#
|
||
@#maximum_single_addr_tries 3
|
||
@
|
||
@# TAG: snmp_port
|
||
@# Squid can now serve statistics and status information via SNMP.
|
||
@# By default it listens to port 3401 on the machine. If you don't
|
||
@# wish to use SNMP, set this to '-1'.
|
||
@#
|
||
@# NOTE: SNMP support requires use the --enable-snmp configure
|
||
@# command line option.
|
||
@#snmp_port -1
|
||
@snmp_port 3401
|
||
@
|
||
@# TAG: forward_snmpd_port
|
||
@# This configures whether we should be forwarding SNMP requests
|
||
@# to another snmpd. The reason for putting this piece of
|
||
@# functionality into Squid was to enable access to the system's
|
||
@# installed snmpd with minimal changes. This option is turned
|
||
@# off by default, check with your /etc/services for your system's
|
||
@# snmp port (usually 161). We do not use getservbyname() to
|
||
@# allow you to set Squid into port 161 and your system's snmpd to
|
||
@# another port by changing /etc/services.
|
||
@#
|
||
@# WARNING: Because of Squid acting as a proxy snmpd for system
|
||
@# you have to do security checks on THIS snmpd for all objects.
|
||
@# Check your snmp_config_file.
|
||
@#forward_snmpd_port 0
|
||
@
|
||
@# TAG: snmp_access
|
||
@# Allowing or denying access to the SNMP port.
|
||
@#
|
||
@# All access to the agent is denied by default.
|
||
@# usage:
|
||
@#
|
||
@# snmp_access allow|deny [!]aclname ...
|
||
@#
|
||
@#Example:
|
||
@#snmp_access allow public localhost
|
||
@#snmp_access deny all
|
||
@snmp_access allow snmppublic proxy
|
||
@snmp_access deny all
|
||
@
|
||
@# TAG: snmp_incoming_address
|
||
@# TAG: snmp_outgoing_address
|
||
@# Just like 'udp_incoming_address' above, but for the SNMP port.
|
||
@#
|
||
@# snmp_incoming_address is used for the SNMP socket receiving
|
||
@# messages from SNMP agents.
|
||
@# snmp_outgoing_address is used for SNMP packets returned to SNMP
|
||
@# agents.
|
||
@#
|
||
@# The default behaviour is to not bind to any specific address.
|
||
@#
|
||
@# NOTE, snmp_incoming_address and snmp_outgoing_address can not have
|
||
@# the same value since they both use port 3130.
|
||
@#
|
||
@#snmp_incoming_address 0.0.0.0
|
||
@#snmp_outgoing_address 0.0.0.0
|
||
@
|
||
@# TAG: as_whois_server
|
||
@# WHOIS server to query for AS numbers. NOTE: AS numbers are
|
||
@# queried only when Squid starts up, not for every request.
|
||
@
|
||
@
|
||
@# DELAY POOL PARAMETERS (all require DELAY_POOLS compilation option)
|
||
@# -----------------------------------------------------------------------------
|
||
@
|
||
@# TAG: delay_pools
|
||
@# This represents the number of delay pools to be used. For example,
|
||
@# if you have one class 2 delay pool and one class 3 delays pool, you
|
||
@# have a total of 2 delay pools.
|
||
@#
|
||
@# To enable this option, you must use --enable-delay-pools with the
|
||
@# configure script.
|
||
@#delay_pools 0
|
||
@
|
||
@# TAG: delay_class
|
||
@# This defines the class of each delay pool. There must be exactly one
|
||
@# delay_class line for each delay pool. For example, to define two
|
||
@# delay pools, one of class 2 and one of class 3, the settings above
|
||
@# and here would be:
|
||
@#
|
||
@#delay_pools 2 # 2 delay pools
|
||
@#delay_class 1 2 # pool 1 is a class 2 pool
|
||
@#delay_class 2 3 # pool 2 is a class 3 pool
|
||
@#
|
||
@# The delay pool classes are:
|
||
@#
|
||
@# class 1 Everything is limited by a single aggregate
|
||
@# bucket.
|
||
@#
|
||
@# class 2 Everything is limited by a single aggregate
|
||
@# bucket as well as an "individual" bucket chosen
|
||
@# from bits 25 through 32 of the IP address.
|
||
@#
|
||
@# class 3 Everything is limited by a single aggregate
|
||
@# bucket as well as a "network" bucket chosen
|
||
@# from bits 17 through 24 of the IP address and a
|
||
@# "individual" bucket chosen from bits 17 through
|
||
@# 32 of the IP address.
|
||
@#
|
||
@# NOTE: If an IP address is a.b.c.d
|
||
@# -> bits 25 through 32 are "d"
|
||
@# -> bits 17 through 24 are "c"
|
||
@# -> bits 17 through 32 are "c * 256 + d"
|
||
@
|
||
@# TAG: delay_access
|
||
@# This is used to determine which delay pool a request falls into.
|
||
@# The first matched delay pool is always used, ie, if a request falls
|
||
@# into delay pool number one, no more delay are checked, otherwise the
|
||
@# rest are checked in order of their delay pool number until they have
|
||
@# all been checked. For example, if you want some_big_clients in delay
|
||
@# pool 1 and lotsa_little_clients in delay pool 2:
|
||
@#
|
||
@#delay_access 1 allow some_big_clients
|
||
@#delay_access 1 deny all
|
||
@#delay_access 2 allow lotsa_little_clients
|
||
@#delay_access 2 deny all
|
||
@
|
||
@# TAG: delay_parameters
|
||
@# This defines the parameters for a delay pool. Each delay pool has
|
||
@# a number of "buckets" associated with it, as explained in the
|
||
@# description of delay_class. For a class 1 delay pool, the syntax is:
|
||
@#
|
||
@#delay_parameters pool aggregate
|
||
@#
|
||
@# For a class 2 delay pool:
|
||
@#
|
||
@#delay_parameters pool aggregate individual
|
||
@#
|
||
@# For a class 3 delay pool:
|
||
@#
|
||
@#delay_parameters pool aggregate network individual
|
||
@#
|
||
@# The variables here are:
|
||
@#
|
||
@# pool a pool number - ie, a number between 1 and the
|
||
@# number specified in delay_pools as used in
|
||
@# delay_class lines.
|
||
@#
|
||
@# aggregate the "delay parameters" for the aggregate bucket
|
||
@# (class 1, 2, 3).
|
||
@#
|
||
@# individual the "delay parameters" for the individual
|
||
@# buckets (class 2, 3).
|
||
@#
|
||
@# network the "delay parameters" for the network buckets
|
||
@# (class 3).
|
||
@#
|
||
@# A pair of delay parameters is written restore/maximum, where restore is
|
||
@# the number of bytes (not bits - modem and network speeds are usually
|
||
@# quoted in bits) per second placed into the bucket, and maximum is the
|
||
@# maximum number of bytes which can be in the bucket at any time.
|
||
@#
|
||
@# For example, if delay pool number 1 is a class 2 delay pool as in the
|
||
@# above example, and is being used to strictly limit each host to 64kbps
|
||
@# (plus overheads), with no overall limit, the line is:
|
||
@#
|
||
@#delay_parameters 1 -1/-1 8000/8000
|
||
@#
|
||
@# Note that the figure -1 is used to represent "unlimited".
|
||
@#
|
||
@# And, if delay pool number 2 is a class 3 delay pool as in the above
|
||
@# example, and you want to limit it to a total of 256kbps (strict limit)
|
||
@# with each 8-bit network permitted 64kbps (strict limit) and each
|
||
@# individual host permitted 4800bps with a bucket maximum size of 64kb
|
||
@# to permit a decent web page to be downloaded at a decent speed
|
||
@# (if the network is not being limited due to overuse) but slow down
|
||
@# large downloads more significantly:
|
||
@#
|
||
@#delay_parameters 2 32000/32000 8000/8000 600/64000
|
||
@#
|
||
@# There must be one delay_parameters line for each delay pool.
|
||
@
|
||
@# TAG: delay_initial_bucket_level (percent, 0-100)
|
||
@# The initial bucket percentage is used to determine how much is put
|
||
@# in each bucket when squid starts, is reconfigured, or first notices
|
||
@# a host accessing it (in class 2 and class 3, individual hosts and
|
||
@# networks only have buckets associated with them once they have been
|
||
@# "seen" by squid).
|
||
@#
|
||
@#delay_initial_bucket_level 50
|
||
@
|
||
@# TAG: incoming_icp_average
|
||
@# TAG: incoming_http_average
|
||
@# TAG: min_icp_poll_cnt
|
||
@# TAG: min_http_poll_cnt
|
||
@# Heavy voodoo here. I can't even believe you are reading this.
|
||
@# Are you crazy? Don't even think about adjusting these unless
|
||
@# you understand the algorithms in comm_select.c first!
|
||
@#
|
||
@#incoming_icp_average 6
|
||
@#incoming_http_average 4
|
||
@#min_icp_poll_cnt 8
|
||
@#min_http_poll_cnt 8
|
||
@
|
||
@# TAG: max_open_disk_fds
|
||
@# TAG: offline_mode
|
||
@# Enable this option and Squid will never try to validate cached
|
||
@# objects.
|
||
@
|
||
@# TAG: uri_whitespace
|
||
@# What to do with requests that have whitespace characters in the
|
||
@# URI. Options:
|
||
@#
|
||
@# deny: The request is denied. The user receives an "Invalid
|
||
@# Request" message.
|
||
@# allow: The request is allowed and the URI is not changed. The
|
||
@# whitespace characters remain in the URI. Note the
|
||
@# whitespace is passed to redirector processes if they
|
||
@# are in use.
|
||
@# encode: The request is allowed and the whitespace characters are
|
||
@# encoded according to RFC1738. This could be considered
|
||
@# a violation of the HTTP/1.1
|
||
@# RFC because proxies are not allowed to rewrite URI's.
|
||
@# chop: The request is allowed and the URI is chopped at the
|
||
@# first whitespace. This might also be considered a
|
||
@# violation.
|
||
@#uri_whitespace deny
|
||
@
|
||
@# TAG: broken_posts
|
||
@# A list of ACL elements which, if matched, causes Squid to send
|
||
@# a extra CRLF pair after the body of a PUT/POST request.
|
||
@#
|
||
@# Some HTTP servers has broken implementations of PUT/POST,
|
||
@# and rely on a extra CRLF pair sent by some WWW clients.
|
||
@#
|
||
@# Quote from RFC 2068 section 4.1 on this matter:
|
||
@#
|
||
@# Note: certain buggy HTTP/1.0 client implementations generate an
|
||
@# extra CRLF's after a POST request. To restate what is explicitly
|
||
@# forbidden by the BNF, an HTTP/1.1 client must not preface or follow
|
||
@# a request with an extra CRLF.
|
||
@#
|
||
@#acl buggy_server url_regex ^http://....
|
||
@#broken_posts allow buggy_server
|
||
@
|
||
@# TAG: mcast_miss_addr
|
||
@# If you enable this option, every "cache miss" URL will
|
||
@# be sent out on the specified multicast address.
|
||
@#
|
||
@# Do not enable this option unless you are are absolutely
|
||
@# certain you understand what you are doing.
|
||
@
|
||
@# TAG: mcast_miss_port
|
||
@# This is the port number to be used in conjuction with
|
||
@# 'mcast_miss_addr'.
|
||
@
|
||
@# TAG: mcast_miss_encode_key
|
||
@# The URLs that are sent in the multicast miss stream are
|
||
@# encrypted. This is the encryption key.
|
||
@
|
||
@# TAG: prefer_direct
|
||
@# By default, if the ICP, HTCP, Cache Digest, etc. techniques
|
||
@# do not yield a parent cache, Squid gives higher preference
|
||
@# to forwarding the request direct to origin servers, rather
|
||
@# than selecting a parent cache anyway.
|
||
@#
|
||
@# If you want Squid to give higher precedence to a parent
|
||
@# cache, instead of going direct, then turn this option off.
|
||
@#prefer_direct on
|
||
@
|
||
@# TAG: strip_query_terms
|
||
@# By default, Squid strips query terms from requested URLs before
|
||
@# logging. This protects your user's privacy.
|
||
@#strip_query_terms on
|
||
@
|
||
@# TAG: coredump_dir
|
||
@# By default Squid leaves core files in the first cache_dir
|
||
@# directory. If you set 'coredump_dir' to a directory
|
||
@# that exists, Squid will chdir() to that directory at startup
|
||
@# and coredump files will be left there.
|
||
@
|
||
@# Pour subversion
|
||
@extension_methods REPORT MERGE MKACTIVITY CHECKOUT
|